Archive for the ‘electronic voting’ Category

Diebold admits ATMs more robust than voting machines

Saturday, April 26th, 2008

Interesting article on the costs of voting machines. A spokesman for Premier Election Systems (formerly Diebold Election Systems) is quoted saying:

“An ATM is significantly a more expensive device than a voting terminal…” said Riggall. “Were you to develop something that was as robust as an ATM, both in terms of the physical engineering of it and all aspects, clearly that would be something that the average jurisdiction cannot afford.”

Glass Box Voting was founded on the premise that that statement is not true.

The article also reminds us of the fun fact that Diebold Accuvote-TS machines can be opened with a standard minibar key.

I do not agree with the premise of the headline that money for improving voting machines has all gone to Iraq - our government has the resources to fund multiple priorities, and the integrity of the voting process seems to me to be an important priority. I agree with Ed Felten:

“It all depends what you compare it to,” said Felten. “If you compare the amount of money we spend actually administering the election versus the amount that’s spent trying to convince people to vote this way or that way, it looks pretty small. If you compare it against the importance of getting the outcome right, it also looks relatively small. So, to me, it’s an investment that we should be willing to make.”

Hat tip to infodiva and slashdot. Also want to remind new readers of an old post: The difference between an ATM and a voting machine.  Edit - oops, meant to link to Voting as a security problem.

Voting advocates protest machines

Thursday, February 21st, 2008

Another article about public discontent with electronic voting machines; the complaint is the lack of VVPAT. I had not heard of Danaher machines, will have to learn more about those.

Electronic voting in the news

Wednesday, February 20th, 2008

From New Jersey, reports of reliability concerns with Sequoia machines.

From Ohio, news of a speaking tour by two representatives of the Secretary of State’s office to raise awareness of the results of the Everest Study (pdf link), concluded in December 2007.

A thoughtful discussion of transparency

Tuesday, February 19th, 2008

On gmiller’s OSDV blog, which I found from the Facebook group.

[UPDATE]

I’m in favor of unmoderated comments.  Once I figure out how to set this site to do that, I will.

More voting machines advised in Fairfax County, VA

Tuesday, February 19th, 2008

Interesting article in today’s Post.

In addition to machines, I believe most jurisdictions need more citizens to take part in election administration beyond just election day, both before the day (getting trained in election procedures generally) and after (auditing).

Glass Box Voting will not be able to supply certified machines for the 2008 elections, but we will have some ready for municipality-scale elections by election day 2009.

[UPDATE]

The administrator mentioned not knowing if the money is there. That’s a problem between him, Virginia, and the Electoral Assistance Commission, of course, but as far as I know, there are still billions in unallocated HAVA funds. What he lacks are products that are easy to administer, flexible enough to meet local requirements, and secure enough that the public will accept them. What a shame.

Theory and Practice of Cryptography talk by Ben Adida

Wednesday, February 13th, 2008

I just watched a very good talk on voting cryptosystems and the cryptographic principles and primitives behind them. I found the link here.

Safe vs. Ballot Box

Wednesday, February 13th, 2008

What’s a better way to store votes?

Old Diebold Safe versus Ballot Box

Safes

Safes are good places to keep money, because money, like mushrooms, grows in the dark. Safes are not good places to keep things that require light, like votes and houseplants.

When you put money in a safe, your concern is that the money be there when you open it. The bank that owns the safe has the same objective. You probably do not want the safe to have a readout that displays its contents to arbitrary members of the public.

You trust your bank, your bank trusts you (although they often should do more to be sure it is you, not someone stealing your identity) and it all works out. The bank staff knows how to operate the safe correctly, since they do it every day, and the safe is guarded at night by people who don’t know how to open it.

Ballot Boxes

As discussed before, a ballot box has different and greater security requirements.

A ballot box collects votes, not money. Votes, or more precisely ballot images, are not fungible like money - they are multidimensional, multivalued data elements rather than scalar units with a denomination. For example, my vote yesterday included the primary candidate for president (pick one), primary candidate for representative (pick one), circuit court judge (pick no more than two from a list of two), female delegates to the national convention (vote for no more than four), and male delegates to the national convention (vote for no more than four).

(How common is it to vote for delegates by gender btw?)

A ballot box must make information about its contents public. It should display how many votes have been cast, and should allow auditors to determine that votes have not been altered at any point.

Update

After watching the video in the post above, I realize that I overstated the case. A ballot box must make some information about its contents public, e.g. number of votes and the current validity status of each vote. The vote choice or ballot image must not be visible at all times, but only at the end of the process when it’s tallying time.
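An added sketch (not from the original post or from Glass Box Voting) of the ballot box described in the update above: the public log exposes the vote count and a per-ballot validity status, while the choices stay sealed behind hash commitments until tally time. The SHA-256 commitments, the hash chain, the witnessed head value and every name below are assumptions for illustration; the post itself specifies no mechanism.

```python
import hashlib, hmac, json, secrets
from collections import Counter

GENESIS = "0" * 64

def digest(*parts):
    # json.dumps output and hex strings contain no raw newline, so the join is unambiguous
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()

class BallotBox:
    def __init__(self):
        self.public_log = []   # readable by anyone: commitments and chain links, no choices
        self._sealed = []      # (ballot JSON, nonce) openings, released only at tally time
    def cast(self, ballot):
        body, nonce = json.dumps(ballot, sort_keys=True), secrets.token_hex(16)
        commitment = digest(body, nonce)
        prev = self.public_log[-1]["link"] if self.public_log else GENESIS
        self.public_log.append({"commitment": commitment, "link": digest(prev, commitment)})
        self._sealed.append((body, nonce))
    def count(self):           # the public running total of votes cast
        return len(self.public_log)
    def open_for_tally(self):
        return list(self._sealed)

def audit(log, witnessed_head):
    """Return (per-ballot validity, head_matches) using public data only."""
    status, prev = [], GENESIS
    for entry in log:
        ok = hmac.compare_digest(entry["link"], digest(prev, entry["commitment"]))
        status.append(ok and all(status))   # a broken link taints every later entry
        prev = entry["link"]
    head = log[-1]["link"] if log else GENESIS
    return status, hmac.compare_digest(head, witnessed_head)

def tally(log, openings, race):
    """Count one race, accepting only openings that match their public commitment."""
    totals, rejected = Counter(), []
    for i, (entry, (body, nonce)) in enumerate(zip(log, openings)):
        if hmac.compare_digest(entry["commitment"], digest(body, nonce)):
            totals.update(json.loads(body).get(race, []))
        else:
            rejected.append(i)
    return totals, rejected

# Constructed sample ballots, shaped like the multi-race ballot described above
SAMPLE = [{"president": ["A"], "judge": ["X", "Y"]},
          {"president": ["B"], "judge": ["X"]},
          {"president": ["A"], "judge": []}]
```

The chain detects a rewritten log only when observers recorded the head link independently at close of polls; a log whose links were all recomputed passes the per-entry check and fails only the head comparison.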

In case you thought this was only a problem in the United States

Wednesday, February 13th, 2008

Here’s a good paper analyzing the Nedap/Groenendaal ES3B machine used in The Netherlands. My favorite bit is when they hacked the machine to play chess.

Nedap Plays Chess

It started with what we thought was a very obvious statement. We claimed on our website that the Nedap was just another computer, and that as such it could just as easily be programmed to play chess or to lie about the election results. We didn’t think more of it until Jan Groenendaal, placed a document on the Nedap/Groenendaal website to talk about our website “Wij vertrouwen stemcomputers niet”. In it, he says: “[…] And with regard to the claim that our machine can play chess: I’d like to see that demonstrated”.

So obviously, one of our first goals now that we had access to the device was to make it play chess. Apart from proving our point, programming it to do this would also confirm that we knew everything we needed to know about the hardware before getting into the election fraud business. After having learned roughly how the hardware worked we used a gcc 68000 crosscompiler to create a Nedap IO-library containing functions to initialize the system, write data to the display, read the keyboard, and write debug messages to the UART. Together with newlib, a small clib implementation, we then managed to compile and run Tom Kerrigan’s Simple Chess Program (TSCP). This was non-trivial only because we had to squeeze out quite a few tables to make it run using only the available 16 kBytes of RAM. Getting the chess pieces to magnetically attach (the keyboard is mounted at an angle) was also not that easy since the foil switches are stuck to a plastic base. We ended up using 2 and 5 Eurocent coins underneath the paper, taped such that we could press the underlying foil switches with the edge of the coin.

It knows all the rules and every now and then it can be surprisingly clever for what it is. But in all honesty we have to admit that it does not play chess all that well.

In more serious research they also developed malicious software that would manipulate the vote totals.

NY Times on voting machines

Wednesday, February 13th, 2008

A good article on recent history and where things stand today with voting machines. A quote:

The earliest critiques of digital voting booths came from the fringe — disgruntled citizens and scared-senseless computer geeks — but the fears have now risen to the highest levels of government. One by one, states are renouncing the use of touch-screen voting machines. California and Florida decided to get rid of their electronic voting machines last spring, and last month, Colorado decertified about half of its touch-screen devices. Also last month, Jennifer Brunner, the Ohio secretary of state, released a report in the wake of the Cuyahoga crashes arguing that touch-screens “may jeopardize the integrity of the voting process.” She was so worried she is now forcing Cuyahoga to scrap its touch-screen machines and go back to paper-based voting — before the Ohio primary, scheduled for March 4. Senator Bill Nelson, a Democrat of Florida, and Senator Sheldon Whitehouse, Democrat of Rhode Island, have even sponsored a bill that would ban the use of touch-screen machines across the country by 2012.

Generally a good article, although it tends to oversimplify - touch-screen does not have to mean paperless, for example. There’s a bit in the last page that points out that optical scan ballots are not a panacea:

Still, optical scanning is hardly a flawless system. If someone doesn’t mark a ballot clearly, a recount can wind up back in the morass of arguing over “voter intent.” The machines also need to be carefully calibrated so they don’t miscount ballots. Blind people may need an extra device installed to help them vote. Poorly trained poll workers could simply lose ballots. And the machines do, in fact, run software that can be hacked: Sancho himself has used computer scientists to hack his machines.

A DRE+VVPAT system can offer accessibility features that a sheet of paper alone cannot do, and can also simplify complex ballots. I spoke to an election judge from Half Moon Bay who described just how complex the paper balloting procedure is during a primary election. They must have ballots on hand for each of twelve registered political parties, with instructions written in any language spoken by more than 5% of the local population, which in his case is English, Chinese and Spanish. The resulting thirty-six ballots are difficult to handle.

Voting experience or “I want my VVPAT”

Tuesday, February 12th, 2008

I just voted on a Diebold AccuVote-TS (I will call them Diebold machines as long as they have Diebold branding all over them). Everything went very smoothly - I was greeted by friendly and knowledgeable elections workers, the touchscreen was calibrated, my vote was presented to me for review, I mashed on the “Cast Vote” button on the screen, and then… poof. Nothing. I had no tangible evidence that my vote was recorded according to my wishes.

VVPAT is voter verified paper audit trail. It means a piece of paper records your vote choice in parallel with the electronic record. Many experts recommend mandatory VVPAT in conjunction with audits that reconcile the paper with the electronic counts for a statistically meaningful sample of available data. I don’t know about the Maryland audit procedures, but since there’s no VVPAT, there’s nothing to audit.

In an earlier post I discuss security requirements for a voting system. Let’s just review how well they were met today.
