E-Voting Ballots May Not Be So Secret; Paper Trail Takes Away Anonymity
from the line-'em-up,-match-'em-up dept
Another day, another security problem with e-voting machines. Obviously, one of the biggest requests from people who were nervous about the security of e-voting machines was that all e-voting machines have a verifiable paper trail. Then, at least, there's a way to recount the votes if there are any questions. Unfortunately, even when the e-voting companies finally do add a paper trail, it seems that they muck up the process. As was noted in the recent security analysis of these machines, many of the problems are because they weren't designed from the ground up with security in mind, but rather have security procedures slapped on as extras.In this case, some Ohio activists discovered that the paper trail coming from e-voting firm Election Systems and Software (ES&S) happen to have time and date stamps on them. Those ballots are available for anyone to look at, based on election law in Ohio. Also available for anyone to peruse are the voter sign-in logs. With both of those in hand, it's not hard to put together a pretty decent list of who voted for what. You just match up the names in the order they signed in with the timestamp on the ballots.
Of course, rather than responding to this as they should, by admitting it was a bad idea, ES&S sends out their PR people to say it's no big deal. While ES&S is right that it might not always be possible to do an exact match person to person, you can come pretty close -- and that should be seen as a huge concern. Furthermore, as Ed Felten points out, the other e-voting firms aren't much better, and Diebold (or Premiere, or whatever its new name is) appears to be outright
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: e-voting, ohio
Companies: diebold, es&s, hart intercivic, sequoia
Reader Comments
Subscribe: RSS
View by: Time | Thread
True, this is pretty much how everything is done. Software runs into this, corporate networks, VoIP networks, they are all thrown out there in a rush to market and then security is considered. Its a heck of a lot harder to secure it after the fact than to build it in, but in the rush to markets, thats what most companies do.
[ link to this | view in thread ]
slight correction
Diebold's electronic records have timestamps, according to the source code study report from the California top-to-bottom review.
I didn't mean to say that Diebold's paper records have timestamps.
[ link to this | view in thread ]
However, you this doesn't take into account trends or streaks where a group of people all vote the same way at once. In that case, any of the timestamps that may have been swapped will now be swapped with the same vote, and it won't matter that you checked the wrong ballet. And while the natural state would keep this case somewhat less common, two centuries of gerrymandering have resulting in many polling places with high percentages voting one or another in big races. That raises the likelihood of knowing someone's vote considerably.
Even with that, I still think timestamps on the ballots are a good idea. I think the solution to the problem is to stop gerrymandering (like that will ever happen) and have a federal exception to open records laws changing the way ballots are requested to preserve privacy.
[ link to this | view in thread ]
hmm
[ link to this | view in thread ]
It should generate a random number with perhaps a date stamp, but not a time stamp.
That number should be available on a web site, so you can verify who you voted for as a 'check and balance'.
If done *right* electronic voting could insure fairness, but I don't think that's the agenda of the powers in charge.
[ link to this | view in thread ]
Sarcasm
Who would have thought that in this GW Bush administration; a company would do something unscrupulous?
I mean to think that code was written in a hurry, rushed out to the public only to be easily manipulted? WOW
Okay sarcasm over..
Give me a break, is anybody really suprprised? I might sound like a hippie, but this should be Open Source man. An agreed upon standard I think might eliminate the mystery and ability for others to secretly exaploit the software. Linux is secure. Why not develop a Linux based os around voting machines? Why not have real hackers murder the code to make it bulletproof. Our next Preseident will also be a half a retard.
2 cents deposited..
[ link to this | view in thread ]
Sarcasm
Who would have thought that in this GW Bush administration; a company would do something unscrupulous?
I mean to think that code was written in a hurry, rushed out to the public only to be easily manipulted? WOW
Okay sarcasm over..
Give me a break, is anybody really suprprised? I might sound like a hippie, but this should be Open Source man. An agreed upon standard I think might eliminate the mystery and ability for others to secretly exaploit the software. Linux is secure. Why not develop a Linux based os around voting machines? Why not have real hackers murder the code to make it bulletproof. At this rate, our next Preseident will also be a half a retard.
2 cents deposited..
[ link to this | view in thread ]
[ link to this | view in thread ]
The Three Ballot Voting System
Abstract:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
The auditors want to confirm that the voting was done correctly without fraud. This tends to a desire to capture all possible information is great detail. Techdirt has been advocating a paper trail.
Then there is the open government advocates which want government processes to be as transparent as possible. In Ohio (and it looks like other states do not run into this issue) all documents are public. As an unintended consequent, by putting two documents together you can get a good idea of the voting pattern.
The question is how to reconcile these goals.
[ link to this | view in thread ]
Re:
The problem with any scheme that allows a voter to later verify their own individual vote is that it also enables them to sell their vote, which is illegal, or be subjected to extortion. It works like this:
1. Person agrees to vote a certain way in return for payment or maybe to keep their job or avoid harm to their family.
2. Person votes and takes receipt which could be in the form of a secret number or some other token.
3. Person later uses said receipt to prove how they voted and collect payment or satisfy demands of extortioner.
That's why voter receipts are a bad idea.
[ link to this | view in thread ]
Re: The Three Ballot Voting System
[ link to this | view in thread ]
Security Cameras
[ link to this | view in thread ]
Re: The Three Ballot Voting System
I'm not salmming the idea just want clarification..
[ link to this | view in thread ]
Re: Re: Time to end voter anonymity
The problem with any scheme that allows a voter to later verify their own individual vote is that it also enables them to sell their vote, which is illegal, or be subjected to extortion. It works like this:
1. Person agrees to vote a certain way in return for payment or maybe to keep their job or avoid harm to their family.
2. Person votes and takes receipt which could be in the form of a secret number or some other token.
3. Person later uses said receipt to prove how they voted and collect payment or satisfy demands of extortioner.
That's why voter receipts are a bad idea."
Reply:
I don't agree with you here. I think voter receipts with verification may be the only true way to put a stop to the majority of voter fraud.
As far as a receipt allowing a voter to sell his vote, I doubt it would matter much. People can already sell their votes if they want and people are bought off all the time for their votes. Thats what politics are about. There are laws in place to handle voter fraud already.
Your argument, although believable, does not mean that a receipt system would inevitably lead to selling of votes and if it did, it would be a hell of a lot easier to prove voter fraud if we used a receipt system.
I will simply not vote until our system can reach a point were I can verify my own vote along with the rest of my fellow citizens to make sure our votes are actually being counted. I would also like the electoral college to be done away with completely but I don't think politicians would be to keen with that idea.
[ link to this | view in thread ]
Extremely high error rate
e.g. let us take a 50% sample (for simplicity D,R,D,R,D,R). With a mismatch of 1 voter, the the process will have a 100% error rate and will be useless.
So it seems it is not so much of a problem after all.
[ link to this | view in thread ]
Re: Re: Re: Time to end voter anonymity
How would voter receipts make it easier to detect vote-selling? Again you make a claim but then don't back it up. Offhand, you comments strike me as being along the lines of a burglar trying to persuade people to leave their keys under their mats and make me question your motives.
[ link to this | view in thread ]
Only a problem if sign-in is ordered
So my name isn't recorded as having entered the polling place after one person and before someone else. This means that there's no way to use a timestamp on my paper vote record to see how I voted.
[ link to this | view in thread ]
Re: Extremely high error rate
That's far from any kind of mathematical proof of the general case.
If you followed the link and read the article you would find that Moyer and Cropcho seem to have been successful in actually doing it. That seems like a problem to me.
[ link to this | view in thread ]
Re: Only a problem if sign-in is ordered
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Re: Re: Time to end voter anonymity
We live in very different worlds I guess. Our system is of course immune to politicians buying peoples' votes through bribery, tax incentives, proposed legislation, etc. (sarcasm off)
Since peoples' votes are not conducted with a verifiable receipt we are not even sure if their votes are actually counted. This is a no-brainer for me, there is no real anonymity anymore so it should all be done it a completely open fashion.
"How would voter receipts make it easier to detect vote-selling?"
Without a receipt who is to say what you voted for anyhow? It would be evidence and that is part of what criminal cases are built on. If you have a witness saying someone paid you to vote for candidate and there is proof in the form of a receipt then there is a case.
Anonymity served us well for many years but its time has passed in my mind for massive elections. We have to change our practices to account for technology and opening up voting for everyone to monitor is one way we could move forward in the 21st Century.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Time to end voter anonymity
That's what elections systems with observers, judges, sealed ballot boxes, etc. are all about. You sound like you think that traditional elections are just conducted on some kind of honor system or something which just isn't the truth.
It is illegal to agree to accept payment for your vote whether you actually follow through with it or not, a receipt would make difference. I don't know were got the idea that a receipt is needed. Either that or you're just making more stuff up like you've been doing.
Only if your idea of moving forward in the 21st Century includes an Orwellian voting system where people are afraid to vote freely and elections are shams as a result. No thanks.
[ link to this | view in thread ]
Time stamps not on signature book
I sound like a luddite, but the day we have hand counted paper ballots will be the day we finally get honest elections again.
[ link to this | view in thread ]
Re: Re: Extremely high error rate
That's far from any kind of mathematical proof of the general case.
I am not offering a mathematical proof here. I would leave that to the statisticians. I am just pointing out a likely scenario and how this information is virtually useless.
If you followed the link and read the article you would find that Moyer and Cropcho seem to have been successful in actually doing it. That seems like a problem to me.
I have no doubt that you could get the two lists of voter sign ins and votes with timestamps. However combining it, will not generate any viable data.
[ link to this | view in thread ]
Re: Re: Re: Extremely high error rate
Good idea.
And then there you go again. That didn't take long, did it? Likely? How likely? That involves probability and statistics, something you promised to leave to real statisticians. First you almost admit that you don't know what you're talking about, and then you go spouting off again.
That statement is provably false because in this case it did.
[ link to this | view in thread ]
Re: Re: Re: Re: Extremely high error rate
The scenario (50% democrat and 50% republican) is very likely given the voting distribution in the country. With that you get an 100% error rate, with 1 mismatch. With other scenarios, (with maybe more than 1 mismatch), error rates may be 70% or 80% or more. The data to be viable has to have a low error rate (of the order of a few percentage points). So this explains why the data is not viable. Now is that simple enough for you?
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Extremely high error rate
[ link to this | view in thread ]
Selling votes?
It is NOT illega to get a receipt of how you voted as long as your name and personal identifying info is no on it.
You CAN sell your vote even easier with a write in ballot. Just sign the ballet and take it to the purchaser to fillin the ovals or circles. They then put your pre-signed ballot in the mail and that way they vote for you.
C'mon people wake up! The receipt is a great idea that's why special interests countered it with the bogus claim that it allows you to sell your vote.
By the way how do you buy votes if it is illegal? Run an add on tv saying descrete vote buying? Give me a break! Don't be fooled receipts ensure honesty followed by random surveys.
[ link to this | view in thread ]