Maryland Testing E-Voting System That Lets People Verify Their Votes Counted
from the experimenting-away dept
For many years, David Chaum has been pushing for a voting system that he claims will be a lot more reliable. Basically, after you vote, you get a coded number, and then after the election, you can go to an election website, punch in your code and make sure that your vote counted, and was for whom you meant to vote. On top of this, there's a system for auditors to check to make sure that votes were counted accurately, with information released publicly so people can "audit" the election without being able to connect voters to their votes. This system tends to generate a lot of controversy (though some of it appears to be from people who just don't like David Chaum, rather than because they really have a problem with his system). However, the system hasn't been really tested in an actual US election... until now. The municipal elections in Takoma Park, Maryland used the system, despite the state recently signing a big deal with Diebold. It's not clear how the overall election went yet -- or how many people actually checked their votes online (approximately 30% in an exit poll said they copied down the code). However, it's good to see that some gov'ts are not just accepting what the big e-voting firms give them, and are willing to explore more sophisticated voting systems that aren't based on pure faith in the e-voting company to get the system right.
Filed Under: accuracy, david chaum, maryland, takoma park, voting
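A simplified model of the receipt check described in the post and in the comments below (a serial number plus a per-ballot three-digit code), added here as an illustration; it is not the Takoma Park system's code or protocol. The class, function and candidate names are assumptions, and the independent audit is not modelled, which is why the second case goes unnoticed by the voter.

```python
import secrets

CANDIDATES = ("Alice", "Bob", "Carol")  # constructed sample race
_rng = secrets.SystemRandom()


class Election:
    def __init__(self):
        self.secret_codes = {}  # serial -> {candidate: code}; held by officials
        self.board = {}         # serial -> revealed code; the public website

    def print_ballot(self):
        """Issue a ballot whose codes are random and unique to that ballot."""
        serial = f"{len(self.secret_codes) + 1:04d}"
        codes = [f"{n:03d}" for n in _rng.sample(range(1000), len(CANDIDATES))]
        self.secret_codes[serial] = dict(zip(CANDIDATES, codes))
        return serial

    def cast(self, serial, candidate):
        """Marking a candidate reveals that candidate's code; the scanner
        records it and the voter copies (serial, code) down as a receipt."""
        code = self.secret_codes[serial][candidate]
        self.board[serial] = code
        return serial, code

    def tally(self):
        """Officials translate each posted code back to a candidate."""
        counts = dict.fromkeys(CANDIDATES, 0)
        for serial, code in self.board.items():
            by_code = {c: name for name, c in self.secret_codes[serial].items()}
            counts[by_code[code]] += 1
        return counts


def voter_check(board, receipt):
    """What the voter can do at home: compare the posted code to the receipt."""
    serial, code = receipt
    return board.get(serial) == code


def demo():
    e = Election()
    receipts = [e.cast(e.print_ballot(), c) for c in ("Alice", "Bob", "Alice")]
    honest = e.tally()

    # Case 1: the recorded mark on the first ballot is changed after casting.
    serial, code = receipts[0]
    e.board[serial] = e.secret_codes[serial]["Bob"]
    detected = not voter_check(e.board, receipts[0])
    e.board[serial] = code  # restore the honest record

    # Case 2: the secret code-to-candidate mapping is changed before tallying.
    mapping = e.secret_codes[serial]
    mapping["Alice"], mapping["Bob"] = mapping["Bob"], mapping["Alice"]
    receipt_still_ok = voter_check(e.board, receipts[0])
    return honest, detected, receipt_still_ok, e.tally()
```

The receipt catches a changed or missing ballot record, but a voter's check alone cannot show that the code was credited to the right candidate; that part depends on the auditors.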
Reader Comments
Questions
The other problem is that someone could also pressure or even force someone to prove how they voted. With the secret ballot system that isn't possible, but with a receipt system it is.
Do they have answers to these problems or are they just ignoring them? I didn't see them mentioned in the article.
Re: Questions
Exactly my question too. If not, the system is useless.
Geeks always focus on the technical aspects (me too), and of course open source is important if you are going to use electronic voting at all. But in the end this boils down to a trust issue. Can your 80 year old neighbour lady understand how the counting is done? If not, can she still trust the system?
Re: Re: Questions
"When polls close, voters can go to the election office website, type in their ballot serial number and see a rendition of a ballot, showing the three-digit codes for their votes. This way voters can be assured that their ballot was included in the final tally."
So what the website shows is the code, not what was voted for, and the codes are different for each ballot. Which means vote buying is prevented.
Also the serial number is in no way associated with an individual voter (except through the receipt) so it would be impossible to determine the identity of a voter from the ballot. Now if you have the ballot and a copy of their receipt it's a different story.
Re: Re: Re: Questions
You know, I don't remember seeing that part in the article earlier. Has it been "updated"? But anyway, in that case the receipt is also not very useful to the voter either because the system doesn't tell them which candidate their vote is being counted for. So why bother?
Re: Questions
Re: Re: Questions
Re: Re: Re: Questions
Mine never have. Where have you been voting that they have?
Re: Questions
Re: Re: Questions
Go back and reread the article again. You missed something. The online part only has a code for a particular vote, not the specific option the person picked. It either matches with the code the voter wrote down, or it doesn't. Again, for comprehension: It does NOT specify the option the voter selected, therefore it does not support vote buying.
Re: Re: Re: Questions
It's impossible to have this both ways simultaneously, based on basic information theory principles -- it doesn't matter how it's implemented. Now...it might be more difficult to recover that information, depending on the implementation, or it might be that some information is deliberately withheld, again, depending on the implementation, but you can't achieve both goals (that is: voter verification and anonymity) simultaneously, because you can't "have" and "not have" the same data simultaneously.
As a side point, and without looking at the algorithms they're using, this is just an observation for further study: any number of very interesting studies lately have shown that anonymized data often isn't very. I'm thinking of the NetFlix data, for example. What happens when (not if) the raw data gets disclosed? Is what's in there sufficient to allow de-anonymization?
And yes, it very much is "when". Someone will lose a CD or misplace a USB stick or have a laptop stolen. It's guaranteed. So the time to think about what the consequences are is now, not afterwards when everyone's wringing their hands and saying "No one could have foreseen...." and "We have no evidence that the data..." and all the other things that they always say to cover up their lack of vision and foresight.
Re: Re: Re: Re: Questions
Re: Re: Re: Re: Re: Questions
Umm, apparently not.
go back and read the article again
ditto
The special pen used to mark your vote uncovers a code for each item you voted for. So basically to verify your vote you record the serial # and the code uncovered when you entered your vote.
Each ballot is also different, so a JW vote on your ballot would be different than a JW vote on someone else's. There is no verification that JW on your ballot is counted towards the candidates you actually wanted.
Re: Questions (proposed answers)
It sounds like they just need one more step, similar to that implemented by TrueCrypt encryption. TrueCrypt provides a way for someone to "reveal" low-value data while keeping the real data encrypted in such a way that there is no possible way for the attacker to even prove it exists. (You have to understand some things about encryption to understand how this is possible, but it really does work.)
Perhaps they could just provide a "practice vote" button and clearly warn voters that this will in every way look/act like a real vote and a receipt will be issued, but it will not actually count in the election. Anyone being threatened will figure out the usefulness of "practice voting" pretty quickly.
A variant of this would be to only issue one receipt, even if a practice vote was cast in addition to the real vote. However, as part of the practice vote, have the user enter their own code. Unless that code is entered (and the "user code, if applicable" field would always be displayed on the confirmation web page), only the practice vote result would be displayed with no indication that it is a practice vote or that a real vote result also exists. This way, no one could be shaken down after they voted to see if they had more than one receipt.
Re: Re: Questions (proposed answers)
Sure they could. All the vote buyer has to do is instruct the voter as to how to cast their "practice" vote in addition to their counted vote. Afterward, the buyer simply has to require the voter to reveal both votes to prove that they voted as instructed.
Not as simple as you thought, huh? That's why no one has yet figured out how to make a receipt system also a secret system. The two goals are diametrically opposed.
Re: Questions
For example, all a supporter of a long shot candidate has to do is purposely vote for a different candidate and then use his or her receipt as "proof" of a rigged election to get the election results invalidated.
Open Source Anyone?
Re: Open Source Anyone?
As I've pointed out previously, while of course open source is a mandatory requirement for voting systems, it's not sufficient -- in fact, it's not even close.
Go read Bruce Schneier's 2004 essay on what it would cost to steal an election. Then adjust appropriately for the political and financial climate of 2010. Then realize that there is easily enough money in play to pay for custom hardware -- that is, wafer fab. And anyone who has mastered even first principles of security knows that what's in the code doesn't matter if the hardware has been gamed.
It is exceedingly foolish to deploy or advocate electronic voting systems given this reality. We would be far better served by using the simplest available methods (e.g., pencil and paper) as those are far more difficult to attack en masse. Given the infrequency of our elections, it is really quite unimportant if result compilation takes a week or two.
[ link to this | view in chronology ]
You'd think all involved parties would be interested in having accurate vote counting. In the land of the sheep, home of the lame? Think again.
Re:
Here's the solution
Some measure would have to be made for ballots where someone disputed that the machine voted the way they expected, but a well designed machine shouldn't have problems with this, and the paper ballots could be utilized as an audit trail if the electronic results are in question.
Re: Here's the solution
Re: Here's the solution
This system uses *paper* ballots. How would it help to make a paper copy of a paper ballot? You didn't read the article, did you?
Re: Here's the solution
The system as proposed enables no more vote-selling than do portable cameras (or pork barrel spending, for that matter). Seriously, being able to verify that your vote was cast the way you wanted means the system "must be discarded immediately"? I'm happy to hold voting systems to a high ideal standard, but they only need to be so good before they're better than what's currently in use. Good on Takoma Park for preferring a provably unhackable system (ie, mathematically impossible to both correctly report everyone's ballots and falsely report the total vote) over the proven insecure Diebold system.
Re: Re: Here's the solution
It is not necessary that voters verify their votes: presumably, having cast them, they KNOW how they cast them.
It is necessary, however, that everyone else be able to verify that votes are not altered and that they're counted properly. This is a different design problem, but one that has to be solved in order for us to verify that elections are conducted properly.
And the problem is that any solution to the first -- which actually allows voters to in any way verify their specific ballot choices after the fact -- enables vote-selling, bribery, and extortion. And of course without that, it's really quite meaningless to provide any verification, e.g. "Your ballot was counted" does not tell the voter that their ballot was counted correctly, although I'm sure many ignorant people will foolishly presume it does.
However, as a society, we require a solution to the second. Moreover, we require a solution that preserves anonymity and that works even when individual voters don't care to participate in it. Beyond that, it has to work in spite of hardware and software failure, operator incompetence, and voter incompetence. And beyond that, it has to work in the presence of very sophisticated, well-funded attacks (see Schneier's article, again, which is required reading for anyone commenting on voting machines).
And nobody is even remotely close to that. Merely "better than what we already have" is simply not good enough, because "what we already have" is pathetic. And democracy is far too important to allow the franchise to be used as an alpha test site for electronic voting.
The only correct approach to this is to use paper/pencil methods UNTIL someone manages to solve all of these problems simultaneously AND demonstrate the ability to fend off a multi-year, multi-hundred-million dollar attack. Because that's the threat, and it's incredibly foolish to merely wish it away because it's a hard threat to counter.
Re: Re: Re: Here's the solution
To steal an election with this system is more complex than pencil and paper, aside from bribing/switching the groups of people counting the votes (auditors) you also have to somehow steal the votes in the first place, through complex replacement of the software.
Re: Re: Re: Re: Here's the solution
Right. And what I'm telling you is that even if you personally verify the software (presuming that you have the relevant skillset, the tools, and the time) that is NOT a guarantee that the software is going to do what you think it does -- because you haven't verified the hardware.
This is why I keep referencing Schneier's critical essay and find myself increasingly frustrated with people who haven't read it and grasped the implications. People are simply not coming to grips with the budget available to attackers and thus with the scope/scale of the attacks they can mount. So even optimistically presuming that the software is perfect (and anyone with the slightest clue knows it's not and has no prospects of being so anytime soon), there's no reason to believe it's executing correctly.
Here's the URL for Schneier's essay: http://www.schneier.com/crypto-gram-0404.html#4
He wrote that in 2004. I think his estimate should conservatively be revised upward by a factor of 5, given the changes in economic conditions, political climate, etc. So anyone deploying systems such as these MUST be prepared to engineer against attackers with half-billion dollar budgets. Which means gate-level attacks. Which is exactly what I'd be doing were I the attacker, ignoring all the blathering about software, since I would know that in the end it will execute on my hardware.
There is no place for "faith" anywhere in these systems or this process. Faith is for fools.
Re: Re: Re: Re: Re: Here's the solution
I guess what I'm arguing is that there are more hurdles to overcome in stealing the election with this system than there are in the pencil/paper system.
I've perused Schneier's essay, and I disagree with some major parts of it (a candidate still has to run a legitimate campaign to even fake a victory, and the money has to come from and go to somewhere, so there's a lot of hurdles to prevent just bam, campaign budget = steal election budget) - I don't think it's relevant.
Whether the money is there to steal that specific election or not, the best we can do is the best we can do. I don't see how pencil and paper provides a greater level of public scrutiny than this open system?
Re: Re: Re: Re: Here's the solution
Not according to the article. It only allows you to verify that your ballot was supposedly read. It tells you nothing about how it was counted.
Re: Re: Here's the solution
So, with a portable camera how do you prove that the ballot you took a picture of is the same one you dropped in the box?
It would be nice if some of you at least thought about the problem a little bit before pronouncing your supposed solution.
It does not allow vote selling
The problem with that is of course how do you know your 2 digit code did go to your candidate, which is where the independent auditor part comes in.
It really is a pretty well thought out system, taking a lot of human error and laziness into account in its design. I really think the actual use of this system is the most promising news on voting I've heard in the last 10 years.
Another view
Open source is an element for future voting systems. But it requires a mechanism in place to ensure that the open source code reviewed is exactly the same code that is on the devices.
Selling votes is very very easy. I request an absentee ballot to be sent to me at home. In the evening I go to the Do Drop Inn and hold up my ballot. Let the auction begin. At work my boss calls me in to his office. Steve, we have to let some people go soon. But if you let me help fill out your ballot, I may find a way to keep you on the payroll. Of course this never ever happens!!!
Much of the source for the voting disenfranchisement is the result of a Catch 22 design of the 2002 and 2005 Election Assistance Commission Voluntary Voting Guidelines. The testing requirements were created to certify existing (or near term) technologies. Virtually no room in the requirements to create and innovate with technologies that come on line over the past 5 years.
The good news is the 2007 Voluntary Voting Guidelines ( http://www.eac.gov/vvsg ) does include a new classification named Innovative. The guidelines will become more dynamic and can be changed to accommodate new technologies and ideas.
Of course you are free to complain or you could dive in and create new ways of moving the voting industry forward.
Re: Another view
I don't think so. This is the real world, not somebody's testbench. Should experimentation be done? Sure. Should it be done when real elections are involved? Absolutely not.
Re: Another view
That's also a problem with absentee ballots. But why make it worse? That's kind of like saying "Well, people are killing each other anyway, so let's just go ahead and let them". That's *not* the solution.