Yet Another E-Voting Glitch; This One Adds 5,000 Phantom Votes
from the oops dept
Another election using e-voting machines... and another set of stories concerning massive problems. Slashdot points us to the news that a local election in Rapid City, South Dakota, was about to go to a runoff after no one hit the 50% mark, when someone finally noticed that the 10,488 vote total seemed a bit high. So, they went back and recounted the actual ballots, and discovered only 5,613 people voted, but the software added up the votes incorrectly. Once again, we're left wondering why it's so difficult to do simple arithmetic -- and why e-voting companies like ES&S are so against allowing experts to look at their source code and maybe help catch some of these bugs before they totally screw up an election.ES&S, of course, has been especially bad when it comes to transparency, despite numerous stories of glitches. It's also the company that had an employee stop by here on Techdirt, call us all "idiots" while insisting that the machines were perfectly fine and that the machines are "extremely scrutinized and very reliable" and anyone questioning their reliability was simply relying on "conspiracy blogs." Of course, his focus was on the idea that the machines were "hacked" -- a charge we never made. Our concern -- and the concern of many others -- are that the machines are unreliable, prone to errors and have serious security and process flaws. Considering how many stories we've seen of problems with those machines in real elections, that seems to be proven fact -- not "conspiracy."
And yet, ES&S has always resisted any real scrutiny. When California looked to investigate e-voting machines more fully, ES&S was the one vendor who held out for months beyond the deadline, before finally submitting its source code along with a threatening letter about how it would personally sue the Secretary of State if any of its trade secrets got out. Of course, soon after this, we found out that even its certified code didn't much matter, since it had given California machines with uncertified code for an election. In the end, not surprisingly, ES&S machines were found to have significant problems, and were decertified in California. Perhaps South Dakota should have taken note.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: e-voting, extra votes, south dakota, transparency
Companies: es&s
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re: "If it's so easy..."
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
But really, sounds like you need to start a leading technology blog if you think you can do it so easily.
[ link to this | view in chronology ]
Re: Are you serious?
[ link to this | view in chronology ]
Re: Re: Are you serious?
"by Anonymous Coward - Jun 9th, 2009 @ 11:41am
Sounds like you need to start a e-voting company if you think you can do it so easily. Seriously, you have so many things figured out. You should be a millionaire by now."
[ link to this | view in chronology ]
Re:
Sounds like you need to start a blog of your own if you don't like Mike's. Seriously, you have so many things figured out. You should be a millionaire by now.
[ link to this | view in chronology ]
For a glorified calculator? LOL
[ link to this | view in chronology ]
ES&S are the programmers /b/tards i wonder
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
A patent blog, a copyright blog, a free blog yes. I don't know of anywhere where these things are talked about more.
[ link to this | view in chronology ]
Is it that hard?
But seriously... how exactly do you screw up counting? What am I missing here?
[ link to this | view in chronology ]
Re: Is it that hard?
[ link to this | view in chronology ]
Re: Is it that hard?
[ link to this | view in chronology ]
Re: Is it that hard?
(a more serious answer)
Well, for one thing, you would have to authenticate users to ensure that no one votes twice and to make sure that people that shouldn't vote in a specific area don't (ie: if I live in Florida and am not supposed to vote in Texas then I shouldn't be able to vote in Texas. Some people may try to vote in two places at once, or have someone else vote for them in some other area. Who knows, lots of things can happen, I'm not claiming I know all the intricacies but a little bit of creative thinking might yield some way that things can go wrong).
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
But you have to remember, there may be multiple candidates. So, TotalVoteCount might have to be a vector of integers! Trade secret is out!
[ link to this | view in chronology ]
Re: TotalVoteCount++
class FunnyInt {
...
void operator++(int) { myint += (rand()%3); }
}
FunnyInt TotalVoteCount = 0;
while (peopleVoting) { TotalVoteCount++; }
Cheers,
athe.
[ link to this | view in chronology ]
It's all in the method
One (1 item) for you, Two (2 items) for me, two (the second item) for you, three (3 items) for me. So at this point you have 2 items, and I have 5, which is all fair and equitable (according to the one doing the distribution, not the one receiving it).
The problem is that when you implement this type of count with a virtual item like 'votes' it's hard to make sure your loops are correct, if they aren't then you end up dividing out more than you actually had in the first place.
[ link to this | view in chronology ]
WTF...
Button Candidate1() Click
intCandidate1Votes = intCandidateVotes + 1
End
Am I missing something here?
[ link to this | view in chronology ]
Re: WTF...
> Button Candidate1() Click
> intCandidate1Votes = intCandidateVotes + 1
> End
You just did. Your second line should be:
intCandidate1Votes = intCandidate1Votes + 1
i.e. you missed the "1" in your variable name.
All voting software should be open source so we can catch errors like that.
[ link to this | view in chronology ]
Button Candidate1() Click
intCandidate1Votes = intCandidateVotes + 1
End
Am I missing something here?
Not at all.
Again; consider the same companies who make ATM machines with their 'high rate of failure' (joking) are making voting machines.
One would *think* a voting machine would require a lot less work than an ATM...
[ link to this | view in chronology ]
Re:
Not if you understand the problem. The big difference is that votes are supposed to be anonymous whereas banking transactions are just the opposite of that. This one simple difference makes the problem much different.
[ link to this | view in chronology ]
Re:
Actually, this is a really interesting comment. Would one think that? This one certainly does not: I think that a voting transaction -should- be handled with the same security and attention to detail provided for a currency transaction. However, I believe it is very likely that many would agree with you, that collecting votes should be "simpler than an ATM". Maybe this is part of the problem. Completing a voting transaction should be every bit as carefully completed and monitored as getting 20 bucks out of the ATM.
[ link to this | view in chronology ]
How hard is it?
[ link to this | view in chronology ]
Re: How hard is it?
Personally, I think votes should be on paper and counted by hand. Anyone who thinks a programmed voting machine is a good idea must also love computerized slot machines and off shore online poker.
Another scary thought: Voting machines are designed to be field configurable at the hardware level, using the Internet. They can change behavior during the voting and from what I have seen/heard the security is not world class.
[ link to this | view in chronology ]
PEBCAK
[ link to this | view in chronology ]
What to worry about ...
My concern as a firmware engineer is that there is an independent audit trail. Yes, let the machines count the votes but print a completed ballet which the voter can examine and put into the box. Then, after voting has closed, take a statistically valid sample of the paper ballets and compare that to the results. It's called quality assurance.
Here in Texas we use a voting machine that provides no such audit trail. As a thirty year veteran of creating systems containing embedded computers, I know they are fallible because I've created systems with bugs that got past all our testing.
[ link to this | view in chronology ]
Re: What to worry about ...
Yeah, that sounds about right.
[ link to this | view in chronology ]
Re: TW
[ link to this | view in chronology ]
total vote count???
10488 / 5613 = 1.868 !!!!
Which means that according to the machine:
1 = 1.868
Computer: n. One who computes.
It is mathematically IMPOSSIBLE for 1 = 1.868 by accident. The ONLY POSSIBLE conclusion, therefore, is that someone programmed that into the software. Whether or not they did it intentionally is irrelevant; they did it.
[ link to this | view in chronology ]
Re: total vote count???
Irrelevant? To me it's the differnce between public embarrasment and all out revolution.
[ link to this | view in chronology ]
Re: Re: total vote count???
In other words a US president being elected by a faulty outcome is pretty damned severe; but a minor proposition is not so bad. Both are cause for public enmity, but an all out revolution over a minor prop? Not so much.
So, I'll grant that whether or not a programming error is intentional is, in fact, NOT irrelevant in regards to public emotions. From a system designer's point of view, however, it IS irrelevant; who cares WHY it was done, just fix it!
[ link to this | view in chronology ]
Conspiracy Theorist?
Not only that, but I think the FTC needs to crawl up ES&S's ass with a microscope and find out what is going on. Why has this not been done?!?
[ link to this | view in chronology ]
Re: Conspiracy Theorist?
So yeah, you're a conspiracy theorist. The problem is that your theory is probably true.
[ link to this | view in chronology ]
Re: Conspiracy Theorist?
I've looked, and can't find any news articles, nor can I remember the governer's name for the life of me; but rest assured this DID happen.
[ link to this | view in chronology ]
Voting Machines Made Simple
B) Use a MOUSE and KEYBOARD - Everybody uses those already and don't need to be calibrated (ease of use)
C) Paper trail - terminal prints vote receipts which are submitted by the voter as the official vote, electronic copy is mere convenience (auditing)
D) Voting program is open source and freely available to be run on any PC (debugging)
Then the program itself is broken into multiple pieces based on area the vote is relevant for. So all areas in the state have the exact same program for all the state level elections and same for local communities. This way the implementation is the same everywhere.
People can announce the results of the electronic election, but the results aren't certified until all the paper 'receipts' have been counted
[ link to this | view in chronology ]
Re: Voting Machines Made Simple
The voting machine should be JUST a machine to help people mark their ballots, not a counting system. The voters should hit the terminals, make their votes, and a printed and completed ballot should come out.
That ballot can then be checked by the voter, and any problems dealt with before the vote is submitted. Then it should then be hand carried and deposited in the vote box for later counting.
Then you take these votes, process them with another machine, and use that machine to actually count the paper ballots. Store the paper ballots under seal for any appeals. Otherwise, you are done. No way for the software to fuck up, and it is easy as heck to go back and check the paper ballots.
totally electronic voting (single machine / networked machines) is a very risky way to go.
[ link to this | view in chronology ]
Re: Re: Voting Machines Made Simple
[ link to this | view in chronology ]
Don't here about someone supposed to win 5 bucks and win 5,000 bucks.
[ link to this | view in chronology ]
Re:
Such things have happened. The casinos don't like to publicize it and they make the people give the money back.
[ link to this | view in chronology ]
Because if you label someone that disagrees with you a crazy conspiracy theorist they must be wrong. I'm very disappointed in what passes for good logic these days.
[ link to this | view in chronology ]
Voting machines
The Secretary of State requires we have an electronic voting machine available, but "if one person uses it, you need to get a total of five to use it".
So, a guy came in and insisted on using that machine. Most people who vote are VERY nice (cream of the crop) so we found four others who agreed to use the machine to help us out.
Wonder what the results were? We had five people - wonder if it was reported as 50, 500, 5000, ???
[ link to this | view in chronology ]
[ link to this | view in chronology ]
After someone votes on a computer he is given a unique voting number at the time he votes. Only the voter knows what the number is. He also types in some unique random comment in an input box in a computer. (The random comment is to prevent the system from giving two different people (who voted for the same person at about the same time) the same voter number. It helps ensure that each vote counts, makes it harder for the system to cheat the people). He is also given a page number, the page that his vote will appear on.
Online is posted a large text/html file and it categorizes votes by state. Say you click on a state, California. You are given a page with a thousand (or whatever) voter numbers and what each voter number voted for. At the bottom of the page are some standard navigation buttons (like the ones at the bottom of a google search) that lets you navigate pages (and perhaps an option that lets you type in the page you want to jump to). Every voter can jump to the page of his voter number and see that it shows, next to his voter number, who he voted for. So the list may look something like this.
voter number - date:time - vote - comment
001 - date:time - Ron Paul - Hello!
002 - date:time - Barack Obama - Hi!
etc...
(perhaps removing the date:time might be a good idea for privacy reasons, ie: someone might figure out when someone voted and based on that they could figure out who they voted for. Very unlikely though but it really depends on what we value more, transparency or privacy).
That way voters can ensure that their votes count but no one can know who I voted for because only I know my voter number.
Now, before I vote (and we already have a system in place to keep track of this where we have lists of registered voters and someone crosses off who voted) I go up to someone on a computer, show him my ID, and he types in my name on the computer. It shows that I'm registered to vote in that area and that I didn't already vote. He gives me permission to go to another computer, in a booth, and vote. From his computer he authorizes the computer in the booth to allow a vote. I go in the booth and vote (it asks me, are you sure you want to vote for this person, I click yes. I can also type in a vote if the person I want to vote for is not on the list of course, this should ALWAYS be true for ANY state). A sheet prints out of a printer that tells who I voted for. At the outside of the booth, next to the top, a red light flashes indicating that I voted. I look at the sheet to make sure it's correct and fold it up so no one else can see who I voted for. The vote registers in the computer system as well. A second sheet prints out with my voter number and my comment (though I can think of some reasons that this might be a bad idea). I keep that sheet. I go to another person on another computer (I like the idea of having different people working separately as much as possible to avoid one person coordinating everything because if one person coordinates everything this leaves a higher potential of voter fraud from that coordinator. Separating roles as much as possible is good at preventing corporate employees from cheating their employers and it's good here too). There is a box. I drop in my vote (the first sheet that printed out, I keep the second), give him my name, show him my ID, and he registers on his computer that I voted. He also verifies that someone just voted on the booth number that I just voted on (and that this is the booth I was assigned to vote on by the first computer. He then clears the booth allowing the first computer to assign another voter to it. We can have multiple booths and multiple computers assigning voters to booths and verifying who voted after the vote). He also has a list of all registered voters (a stack of papers). He finds my name and crosses it out (we already do this. In the case of multiple computers, I have to figure out which computer contains my list. It's alphabetical by last name, one computer from A - F, another from G - N or whatever). This way we also have a paper trail of who voted. He also has a printer and that printer prints my name. He drops that in another box. This way we can independently confirm that both boxes have the same amount of papers (ie: number of votes = number of people who voted). There are cameras everywhere and, depending on how much you value transparency over privacy, perhaps those cameras can be posted online so everyone can monitor everything to avoid voter fraud.
The other computer(s) keeps another list of everyone who voted but it doesn't keep track of who voted for what. So each voting arena has two lists, one of everyone's voter number and who that voter number voted for and another with the first and last names (and drivers license number perhaps) of everyone who voted. Both computers feed this data into a third computer that independently makes sure that the number of people who voted = number of votes. All the software involved is open source and code is available to the public.
Now there is the question, what about those who didn't vote at all? How do we know that someone who works for a voting booth or whatever won't vote on their behalf once the voting booth is closed? Say Joe Blow is registered to vote but he never votes. If I'm at the voting place and I conspire with others who work there, I might see that he didn't vote and vote on his behalf.
The trick is when I register to vote I get an online account on some government website. The government associates this account with me and verifies who I am on a personal basis (ie: when I register to vote at some place, they look at my ID and then they hand me a keyboard to type in my password. I write down my password or, if I forget it, I can call a government official, give him enough info about me to validate who I am and he can reset my password. I can always change it online. Or maybe I have to go to some government building, like the DMV, to change it, who knows). I login to that account (type in my username and password) and a site shows up with my name and below it lists all the years that I was registered to vote and lists whether or not I voted and, if we value transparency over privacy, when I voted (having the time of vote can make it easier for government officials to track who voted for whom based on when people voted). For example it can say
2000 - voted - time of vote
2004 - did not vote
This information comes from the list of registered voters who voted. This ensures that no one voted on my behalf if I didn't vote (of course my voter number is not associated with this account and each year that I vote I get a different voter number. No one but me can possibly associate my voter number with me since that's not in the system anywhere, so I still have my privacy). I can then go to the other, independent public site (the one above), look for my voter number and ensure that that voter number voted for who I voted for (and verify the comment and time). Authorities can ensure the identity of everyone who voted (because they have their full names and all their information including where they are supposed to vote) to avoid dubious votes from dubious names. They can also ensure that the number of votes = number of people who voted both on paper and with the computers.
The beauty here is that all voters can ensure that the system registered whether or not they voted and, if they voted, who they voted for (and when they voted) without anyone else being able to associate them with who they voted for.
To make the system even more transparent, at the cost of privacy (if one values transparency over privacy), we can have another page that links to various states. You click on a state and it lists the full names of everyone who voted (but not when they voted since that can then be associated with the voter number since the voter numbers also list the time. Or maybe they should list both because that helps validate things more accurately, depending on what you value more, transparency or privacy). This way anyone can verify that, according to the system, they voted, they can verify that the system registers who they voted for, and they can validate that number of voters = number of votes. Also, if someone shows up on the list who is no longer alive, someone else may notice it. There can be search features built in to search for voter numbers or names as well.
This system isn't foolproof. People/authorities still need to verify that dubious names don't show up with dubious voter numbers. That problem exists now, so it's not like my system creates this problem. But at least this system gives enough transparency to make the job easier (ie: by validating that independently produced numbers match and by allowing each voter to validate that the system properly registered whether or not they voted and who they voted for). Suspicious patters like
001 - 9:30 - Ron Paul - some comment
002 - 9:30 - Rron paul - some comment
....
1000 - 9:31 - Ron paul - some comment
would quickly raise public suspicions. So at least the public can scrutinize the data and look for suspicious patterns as well.
[ link to this | view in chronology ]
Re:
Except the Ron Paul part is OK.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
and perhaps you can also list the year they were born on the public site (again, depending on what we, as a society, value more and to what degree. Privacy or transparency).
So it can look like this
2000 - voted - name of person - year of birth - time of vote
Say Joe Shmow is a common name and he appears on the Nevada list. Someone knew Joe Shmow and they know his age and when he died.
2000 - voted - Joe Shmow - 1890 - time of vote
Clearly Joe Shmow is probably not 100+ years old so that alone may raise a red flag with everyone (which is good). But this person may think, "oh, that could be another Joe" since this is a common name. However, when he sees the year of birth, he can more easily know that it's the same Joe (how many Joe Shmows lived in Nevada that were born on this exact year? Or perhaps it can have the exact birthdate, making it easier to identify, depending on how much we value privacy vs transparency). and he'll know that this person is no longer alive. It can spread through blogs and people can then investigate.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
We want to put enough necessary voting information (and only the necessary information) in the public to domain (ie: on the Internet) to allow the public to analyze the data and (if all of the available data is analyzed correctly) ensure, with close to 100 percent certainty, that voter fraud did not occur without compromising the privacy of voters.
The above system can allow the public to ensure that each vote counts without compromising the privacy of voters but it doesn't ensure that ONLY registered voters vote only once and that votes by fictitious people aren't fabricated in the system. It can help ensure that obvious problems don't occur, Ie: if the number of votes is higher than the population then we know something is wrong. Ensuring that each vote counts would make it harder for someone to simply insert a bunch of fictitious votes because that would make the voter count go up (since you can't delete votes from actual voters and replace them with new votes because each voter can independently confirm that their votes count) and if it goes suspiciously high then we can start questioning the integrity of the system.
[ link to this | view in chronology ]