E-Voting Ballots May Not Be So Secret; Paper Trail Takes Away Anonymity

from the line-'em-up,-match-'em-up dept

Tue, Aug 21st 2007 6:36am — Mike Masnick

Another day, another security problem with e-voting machines. Obviously, one of the biggest requests from people who were nervous about the security of e-voting machines was that all e-voting machines have a verifiable paper trail. Then, at least, there's a way to recount the votes if there are any questions. Unfortunately, even when the e-voting companies finally do add a paper trail, it seems that they muck up the process. As was noted in the recent security analysis of these machines, many of the problems are because they weren't designed from the ground up with security in mind, but rather have security procedures slapped on as extras.

In this case, some Ohio activists discovered that the paper trail coming from e-voting firm Election Systems and Software (ES&S) happen to have time and date stamps on them. Those ballots are available for anyone to look at, based on election law in Ohio. Also available for anyone to peruse are the voter sign-in logs. With both of those in hand, it's not hard to put together a pretty decent list of who voted for what. You just match up the names in the order they signed in with the timestamp on the ballots.

Of course, rather than responding to this as they should, by admitting it was a bad idea, ES&S sends out their PR people to say it's no big deal. While ES&S is right that it might not always be possible to do an exact match person to person, you can come pretty close -- and that should be seen as a huge concern. Furthermore, as Ed Felten points out, the other e-voting firms aren't much better, and Diebold (or Premiere, or whatever its new name is) appears to be outright ~~lying~~ skirting the truth when it claims that its paper trail doesn't include timestamps (update:: Ed Felten points out that the Diebold ballots don't have a time stamp, but the electronic records do). It's not hard to see how this happened, but the continued denial and stonewalling from the e-voting companies, rather than admitting a mistake was made and explaining how they're going to fix things, really is troubling.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: e-voting, ohio
Companies: diebold, es&s, hart intercivic, sequoia

30 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

RandomThoughts, 21 Aug 2007 @ 6:46am

"many of the problems are because they weren't designed from the ground up with security in mind, but rather have security procedures slapped on as extras."

True, this is pretty much how everything is done. Software runs into this, corporate networks, VoIP networks, they are all thrown out there in a rush to market and then security is considered. Its a heck of a lot harder to secure it after the fact than to build it in, but in the rush to markets, thats what most companies do.
[ link to this | view in thread ]
Ed Felten, 21 Aug 2007 @ 6:48am

slight correction
I think Mike may have misread my blog post.

Diebold's electronic records have timestamps, according to the source code study report from the California top-to-bottom review.

I didn't mean to say that Diebold's paper records have timestamps.
[ link to this | view in thread ]
Joel Coehoorn, 21 Aug 2007 @ 7:05am

At first I didn't think this was a problem. On the one hand you have people who vote straight tickets, and on the other you have people who check every individual race. Plus some people will just be faster at it than others. In the end, there will be a huge discrepancy between the order people signed in and the order in which the ballot was turned in. There's enough uncertainty that you would have a hard time targeting a person and saying with confidence that they voted for or against a candidate.

However, you this doesn't take into account trends or streaks where a group of people all vote the same way at once. In that case, any of the timestamps that may have been swapped will now be swapped with the same vote, and it won't matter that you checked the wrong ballet. And while the natural state would keep this case somewhat less common, two centuries of gerrymandering have resulting in many polling places with high percentages voting one or another in big races. That raises the likelihood of knowing someone's vote considerably.

Even with that, I still think timestamps on the ballots are a good idea. I think the solution to the problem is to stop gerrymandering (like that will ever happen) and have a federal exception to open records laws changing the way ballots are requested to preserve privacy.
[ link to this | view in thread ]
SimonTek (profile), 21 Aug 2007 @ 7:12am

hmm
I keep teasing about building my own voting machine. I think I probably should.
[ link to this | view in thread ]
Overcast, 21 Aug 2007 @ 7:26am

Here's what it should do...

It should generate a random number with perhaps a date stamp, but not a time stamp.

That number should be available on a web site, so you can verify who you voted for as a 'check and balance'.

If done *right* electronic voting could insure fairness, but I don't think that's the agenda of the powers in charge.
[ link to this | view in thread ]
Deez Right Here, 21 Aug 2007 @ 7:44am

Sarcasm
Diebold a major corporation, more beholden to Republicans than any other party; acting without integrity?
Who would have thought that in this GW Bush administration; a company would do something unscrupulous?
I mean to think that code was written in a hurry, rushed out to the public only to be easily manipulted? WOW

Okay sarcasm over..
Give me a break, is anybody really suprprised? I might sound like a hippie, but this should be Open Source man. An agreed upon standard I think might eliminate the mystery and ability for others to secretly exaploit the software. Linux is secure. Why not develop a Linux based os around voting machines? Why not have real hackers murder the code to make it bulletproof. Our next Preseident will also be a half a retard.

2 cents deposited..
[ link to this | view in thread ]
Deez Right Here, 21 Aug 2007 @ 7:45am

Sarcasm
Diebold a major corporation, more beholden to Republicans than any other party; acting without integrity?
Who would have thought that in this GW Bush administration; a company would do something unscrupulous?
I mean to think that code was written in a hurry, rushed out to the public only to be easily manipulted? WOW

Okay sarcasm over..
Give me a break, is anybody really suprprised? I might sound like a hippie, but this should be Open Source man. An agreed upon standard I think might eliminate the mystery and ability for others to secretly exaploit the software. Linux is secure. Why not develop a Linux based os around voting machines? Why not have real hackers murder the code to make it bulletproof. At this rate, our next Preseident will also be a half a retard.

2 cents deposited..
[ link to this | view in thread ]
Matt Bennett, 21 Aug 2007 @ 7:45am

Ok, but fixing this has got to be the easiest thing in the world. It's like a one line fix. Why bother stone-walling when you can be like "oops, sorry, but we'll have it fixed by tomorrow, we're still in Beta, blah, blah....." ?
[ link to this | view in thread ]
Pandu Rao, 21 Aug 2007 @ 9:20am

The Three Ballot Voting System
Here is a paper from Ron Rivest, the cryptographer: http://theory.csail.mit.edu/~rivest/Rivest-TheThreeBallotVotingSystem.pdf

Abstract:
We present a new paper-based voting method with attractive security properties. Not only can each voter verify that her vote is recorded as she intended, but she gets a “receipt” that she can take home that can be used later to verify that her vote is actually included in the final tally. Her receipt, however, does not allow her to prove to anyone else how she voted.
[ link to this | view in thread ]
Anonymous Coward, 21 Aug 2007 @ 9:27am

Re:
Obviously, it's because no one who matters cares about fixing it. Bloggers can rant all they want to about the real problems surrounding current e-voting technology, but the reality is, that no elected official cares. Most of them are following the party stand (of either party) and are using the flaws of e-voting to cause enough disruption to swing a precinct or district their way, when, if traditional voting methods had been used, it might have gone the other way. The companies aren't going to fix it so long as the politicians are telling them not to.
[ link to this | view in thread ]
Russ Stebbins, 21 Aug 2007 @ 9:28am

This strikes me as less a security concern as an issue of conflicting goals.

The auditors want to confirm that the voting was done correctly without fraud. This tends to a desire to capture all possible information is great detail. Techdirt has been advocating a paper trail.

Then there is the open government advocates which want government processes to be as transparent as possible. In Ohio (and it looks like other states do not run into this issue) all documents are public. As an unintended consequent, by putting two documents together you can get a good idea of the voting pattern.

The question is how to reconcile these goals.
[ link to this | view in thread ]
Anonymous Coward, 21 Aug 2007 @ 10:18am

Re:

Here's what it should do...

It should generate a random number with perhaps a date stamp, but not a time stamp.

That number should be available on a web site, so you can verify who you voted for as a 'check and balance'.

If done *right* electronic voting could insure fairness, but I don't think that's the agenda of the powers in charge.

The problem with any scheme that allows a voter to later verify their own individual vote is that it also enables them to sell their vote, which is illegal, or be subjected to extortion. It works like this:

1. Person agrees to vote a certain way in return for payment or maybe to keep their job or avoid harm to their family.

2. Person votes and takes receipt which could be in the form of a secret number or some other token.

3. Person later uses said receipt to prove how they voted and collect payment or satisfy demands of extortioner.

That's why voter receipts are a bad idea.
[ link to this | view in thread ]
Anonymous Coward, 21 Aug 2007 @ 10:32am

Re: The Three Ballot Voting System

We present a new paper-based voting method with attractive security properties. Not only can each voter verify that her vote is recorded as she intended, but she gets a “receipt” that she can take home that can be used later to verify that her vote is actually included in the final tally. Her receipt, however, does not allow her to prove to anyone else how she voted.
While this was their original intent, the body of the paper admits that in the end they failed in actually making it immune to vote-selling and extortion schemes.
[ link to this | view in thread ]
Tsu Dho Nimh, 21 Aug 2007 @ 10:48am

Security Cameras
It seems that it would also be very easy to match time stamps from hidden "security" cameras in the polling place to time stamps on paper trails to detect how people voted.
[ link to this | view in thread ]
Deez Right Here, 21 Aug 2007 @ 12:53pm

Re: The Three Ballot Voting System
Do we really need another process? I thought the point to go digitial was to eliminate that?
I'm not salmming the idea just want clarification..
[ link to this | view in thread ]
Reed, 21 Aug 2007 @ 12:53pm

Re: Re: Time to end voter anonymity
Anon commented,"
The problem with any scheme that allows a voter to later verify their own individual vote is that it also enables them to sell their vote, which is illegal, or be subjected to extortion. It works like this:

1. Person agrees to vote a certain way in return for payment or maybe to keep their job or avoid harm to their family.

2. Person votes and takes receipt which could be in the form of a secret number or some other token.

3. Person later uses said receipt to prove how they voted and collect payment or satisfy demands of extortioner.

That's why voter receipts are a bad idea."

Reply:

I don't agree with you here. I think voter receipts with verification may be the only true way to put a stop to the majority of voter fraud.

As far as a receipt allowing a voter to sell his vote, I doubt it would matter much. People can already sell their votes if they want and people are bought off all the time for their votes. Thats what politics are about. There are laws in place to handle voter fraud already.

Your argument, although believable, does not mean that a receipt system would inevitably lead to selling of votes and if it did, it would be a hell of a lot easier to prove voter fraud if we used a receipt system.

I will simply not vote until our system can reach a point were I can verify my own vote along with the rest of my fellow citizens to make sure our votes are actually being counted. I would also like the electoral college to be done away with completely but I don't think politicians would be to keen with that idea.
[ link to this | view in thread ]
ranon, 21 Aug 2007 @ 1:20pm

Extremely high error rate
The process to identify the voter from the time stamp will have a very high error rate, even if the list is mismatched by a few voters.

e.g. let us take a 50% sample (for simplicity D,R,D,R,D,R). With a mismatch of 1 voter, the the process will have a 100% error rate and will be useless.

So it seems it is not so much of a problem after all.
[ link to this | view in thread ]
Anonymous Coward, 21 Aug 2007 @ 1:58pm

Re: Re: Re: Time to end voter anonymity

People can already sell their votes if they want and people are bought off all the time for their votes.
You make this claim but you fail to explain how it happens in an anonymous voting system. Do you mean that payments for an illegal and dishonorable enterprise are then based on the honor system? That seems unlikely to me. Please point to some reliable reports of this happening. While you are entitled to your own opinion, you are not entitled to your own set of facts.

Your argument, although believable, does not mean that a receipt system would inevitably lead to selling of votes and if it did, it would be a hell of a lot easier to prove voter fraud if we used a receipt system.
How would voter receipts make it easier to detect vote-selling? Again you make a claim but then don't back it up. Offhand, you comments strike me as being along the lines of a burglar trying to persuade people to leave their keys under their mats and make me question your motives.
[ link to this | view in thread ]
Mike, 21 Aug 2007 @ 2:02pm

Only a problem if sign-in is ordered
I live in MA. I don't recall signing in. I did check in, but that entailed telling the polling volunteer who I was and where I lived so that my name could be checked off in a large book of registered voters.
So my name isn't recorded as having entered the polling place after one person and before someone else. This means that there's no way to use a timestamp on my paper vote record to see how I voted.
[ link to this | view in thread ]
Anonymous Coward, 21 Aug 2007 @ 2:17pm

Re: Extremely high error rate
The process to identify the voter from the time stamp will have a very high error rate, even if the list is mismatched by a few voters
OK, so what are the error rates and probabilities involved here? I am formally trained in such things and would like to see the math behind your assertion.

e.g. let us take a 50% sample (for simplicity D,R,D,R,D,R). With a mismatch of 1 voter, the the process will have a 100% error rate and will be useless.
That's far from any kind of mathematical proof of the general case.

So it seems it is not so much of a problem after all.
If you followed the link and read the article you would find that Moyer and Cropcho seem to have been successful in actually doing it. That seems like a problem to me.
[ link to this | view in thread ]
Anonymous Coward, 21 Aug 2007 @ 2:25pm

Re: Only a problem if sign-in is ordered
So my name isn't recorded as having entered the polling place after one person and before someone else. This means that there's no way to use a timestamp on my paper vote record to see how I voted
Could someone observe you there? If so, couldn't someone observe when you voted and then match that observation to a timestamp?
[ link to this | view in thread ]
Anonymous Coward, 21 Aug 2007 @ 3:50pm

In my district (NJ) you sign the register before you go in the booth to cast your vote. They compare your signature with the one on file.
[ link to this | view in thread ]
Reed, 21 Aug 2007 @ 4:35pm

Re: Re: Re: Re: Time to end voter anonymity
"You make this claim but you fail to explain how it happens in an anonymous voting system"

We live in very different worlds I guess. Our system is of course immune to politicians buying peoples' votes through bribery, tax incentives, proposed legislation, etc. (sarcasm off)

Since peoples' votes are not conducted with a verifiable receipt we are not even sure if their votes are actually counted. This is a no-brainer for me, there is no real anonymity anymore so it should all be done it a completely open fashion.

"How would voter receipts make it easier to detect vote-selling?"

Without a receipt who is to say what you voted for anyhow? It would be evidence and that is part of what criminal cases are built on. If you have a witness saying someone paid you to vote for candidate and there is proof in the form of a receipt then there is a case.

Anonymity served us well for many years but its time has passed in my mind for massive elections. We have to change our practices to account for technology and opening up voting for everyone to monitor is one way we could move forward in the 21st Century.
[ link to this | view in thread ]
Anonymous Coward, 21 Aug 2007 @ 5:57pm

Re: Re: Re: Re: Re: Time to end voter anonymity

We live in very different worlds I guess. Our system is of course immune to politicians buying peoples' votes through bribery, tax incentives, proposed legislation, etc. (sarcasm off)
Yes, we do live in different worlds: Mine is not imaginary. If you have some examples of US politicians buying anonymous votes then please provide them. Otherwise I believe that you are just trolling or have no idea what vote-buying is about.

Since peoples' votes are not conducted with a verifiable receipt we are not even sure if their votes are actually counted.
That's what elections systems with observers, judges, sealed ballot boxes, etc. are all about. You sound like you think that traditional elections are just conducted on some kind of honor system or something which just isn't the truth.

If you have a witness saying someone paid you to vote for candidate and there is proof in the form of a receipt then there is a case.
It is illegal to agree to accept payment for your vote whether you actually follow through with it or not, a receipt would make difference. I don't know were got the idea that a receipt is needed. Either that or you're just making more stuff up like you've been doing.

We have to change our practices to account for technology and opening up voting for everyone to monitor is one way we could move forward in the 21st Century.
Only if your idea of moving forward in the 21st Century includes an Orwellian voting system where people are afraid to vote freely and elections are shams as a result. No thanks.
[ link to this | view in thread ]
Chris Brudy, 21 Aug 2007 @ 10:37pm

Time stamps not on signature book
An observer would have to time voters walking into the polls, since no one can tell at the end of the day what time any given signature was inked. Anyway, why bother with it when a modestly sophisticated hacker could plant a virus and steal the entire election while appearing to vote.

I sound like a luddite, but the day we have hand counted paper ballots will be the day we finally get honest elections again.
[ link to this | view in thread ]
ranon, 21 Aug 2007 @ 10:47pm

Re: Re: Extremely high error rate
That's far from any kind of mathematical proof of the general case.

I am not offering a mathematical proof here. I would leave that to the statisticians. I am just pointing out a likely scenario and how this information is virtually useless.

If you followed the link and read the article you would find that Moyer and Cropcho seem to have been successful in actually doing it. That seems like a problem to me.

I have no doubt that you could get the two lists of voter sign ins and votes with timestamps. However combining it, will not generate any viable data.

[ link to this | view in thread ]
Anonymous Coward, 22 Aug 2007 @ 11:53am

Re: Re: Re: Extremely high error rate
I am not offering a mathematical proof here.
Obviously. Quit acting like it.

I would leave that to the statisticians.
Good idea.

I am just pointing out a likely scenario and how this information is virtually useless.
And then there you go again. That didn't take long, did it? Likely? How likely? That involves probability and statistics, something you promised to leave to real statisticians. First you almost admit that you don't know what you're talking about, and then you go spouting off again.

I have no doubt that you could get the two lists of voter sign ins and votes with timestamps. However combining it, will not generate any viable data.
That statement is provably false because in this case it did.
[ link to this | view in thread ]
ranon, 22 Aug 2007 @ 1:52pm

Re: Re: Re: Re: Extremely high error rate
And then there you go again. That didn't take long, did it? Likely? How likely? That involves probability and statistics, something you promised to leave to real statisticians. First you almost admit that you don't know what you're talking about, and then you go spouting off again.

The scenario (50% democrat and 50% republican) is very likely given the voting distribution in the country. With that you get an 100% error rate, with 1 mismatch. With other scenarios, (with maybe more than 1 mismatch), error rates may be 70% or 80% or more. The data to be viable has to have a low error rate (of the order of a few percentage points). So this explains why the data is not viable. Now is that simple enough for you?
[ link to this | view in thread ]
Anonymous Coward, 22 Aug 2007 @ 2:54pm

Re: Re: Re: Re: Re: Extremely high error rate
Now is that simple enough for you?
Simple enough to show your continuing ignorance. Go get some formal education in the subject, then come back with the math to back it up. Of course, you won't do that as it would destroy the blissful ignorance in which you live.
[ link to this | view in thread ]
PaulC aka mrbios, 19 May 2008 @ 12:36am

Selling votes?
Receipts are a great idea that's why you get them everytime you charge something on your credit or atm card.

It is NOT illega to get a receipt of how you voted as long as your name and personal identifying info is no on it.

You CAN sell your vote even easier with a write in ballot. Just sign the ballet and take it to the purchaser to fillin the ovals or circles. They then put your pre-signed ballot in the mail and that way they vote for you.

C'mon people wake up! The receipt is a great idea that's why special interests countered it with the bogus claim that it allows you to sell your vote.

By the way how do you buy votes if it is illegal? Run an add on tv saying descrete vote buying? Give me a break! Don't be fooled receipts ensure honesty followed by random surveys.
[ link to this | view in thread ]