Weekly Edition
Return to the Security page
| |||||||||||||
Securing our votesThis has been a bad few weeks to be a voting machine vendor. Three separate governments, California, Florida and the UK looked at the devices and have come to remarkably similar conclusions. The machines they looked at are poorly designed, poorly implemented and subject to a wide variety of security threats. None of the studies mentioned it, but it is likely that the machines looked great. The most comprehensive study was done by California Secretary of State Debra Bowen's office. That study looked at three electronic voting systems, each from a different manufacturer. Each system had three separate teams investigating, one looking at the source code, a "red team" that had physical access to the device and an accessibility team. Their conclusions were not surprising to anyone who has paid attention to this issue over the years. All three of the voting machine systems were found to be sorely deficient by all three teams. Even accessibility, which is one of the major benefits touted by electronic voting advocates, was found lacking:
Although each of the tested voting systems included some accessibility
accommodations, none met the accessibility requirements of current law and
none performed satisfactorily in test voting by persons with a range of
disabilities and alternate language needs.
Though it is certainly terrible not to meet the needs of some individual voters, safeguarding the election process and accurately reporting the vote totals need to be higher priorities. Since they obviously had not successfully completed the accessibility task, one would hope they were able to secure the voting process. Unfortunately, they could not get the primary job done right either. The red team reports were released first and the conclusions were devastating:
The red teams demonstrated that the security mechanisms provided for
all systems analyzed were inadequate to ensure accuracy and integrity
of the election results and of the systems that provide those results.
The teams were able to defeat the physical security of the voting machines, modify or overwrite the software in the machines as well as subvert the tabulation machines in order to provide incorrect vote counts. All of this just by having access to the machines themselves; the same access that election officials, poll workers and, to a lesser extent, voters, have. Several days later, the source code teams' reports were released and, at that point, were almost anti-climactic. Unsurprisingly, they found numerous, hideous source code flaws in all three systems. Buffer overflows, hard coded passwords ('diebold' being a particularly difficult one to guess), misuse of encryption, integer overflows (wrapping vote counts to negative or zero perhaps); the list goes on an on. It is as if the voting machine vendors are completely unaware of the last twenty (or thirty or forty) years of software security flaws. In reality, they are most likely not unaware, they are just arrogant. Diebold, Hart and Sequoia (the companies whose machines were studied) do not depend solely on their technical "prowess" to win bids for providing voting machines, politics plays a huge role. These are well connected companies. It also helps that they are all uniformly bad, there are literally no secure choices for a government agency to make. Florida's study only covered Diebold equipment, but it echoed the findings in the California study. Avi Rubin of Johns Hopkins University, who participated in a 2003 study of Diebold's voting machine, notes:
So, Diebold is doing some things better than they
did before when they had absolutely no security, but they have yet to do
them right. Anyone taking any of our cryptography classes at Johns Hopkins,
for example, would do a better job applying cryptography.
One of the bigger problems found was that Diebold assigned cryptographic keys to each voting machine that is derived from an MD5 hash of the machine's serial number. Rubin again:
This is arguably worse than having a fixed static key in all of the
machines. Because with knowledge of the machine's serial number, anyone can
calculate all of the secret keys. Whereas before, someone would have needed
access to the source code or the binary in the machine.
The UK also released reports on the outcome of electronic voting trials held in May. The overall summary of the trial, was, once again, not very favorable:
The
level of implementation and
security risk involved was
significant and unacceptable.
There remain issues with the
security and transparency of the
solutions and the capacity of the
local authorities to maintain
control over the elections.
This was not the result of security professionals analyzing the systems for flaws, but was instead noted in actual trials of the equipment in an election. The California study was quite well done and well thought out, except for one thing: it was done long after the equipment was bought and used in elections. This is the kind of study that needs to be done before buying the equipment. Due to the conclusions of the study, Bowen revoked the certification of the equipment from all three vendors, but immediately had to conditionally re-certify them as a practical matter. Even with a six month lead time, replacement systems (either electronic or of some other kind) could not be deployed before the 2008 California presidential primary voting. The reaction to the California study by the manufacturers was typical. It is the same reaction they have had to each and every study done of the security of their devices: trivialize it. Each released a statement in reaction to the study conclusions, essentially admitting the flaws, but claiming that any "laboratory study" would find vulnerabilities. According to these vendors, it is impossible to make a secure voting system. As they certainly know, no one is asking these vendors to break the laws of physics or to produce perfectly secure code. It would appear that they expend far more effort in deflecting criticism and lobbying various legislative bodies than they spend trying to secure their code and equipment. It is not necessary that the equipment be tamper-proof, merely that tampering can be detected. At least minimal precautions, perhaps to the level taught to computer science undergraduates, should be taken with the software. This is not anywhere near as hard a problem as the vendors make it out to be. Many of the techniques needed to secure voting machinery are well known and well understood, at least outside of the vendors' labs. This is an area where open source methods could be and should be applied. Organizations like BlackBoxVoting.org and the NSF Accurate project should be working on solutions. Private companies have shown themselves to be completely incompetent at producing secure voting equipment, it is time for another solution to be tried. (Log in to post comments)
Securing our votes Posted Aug 9, 2007 2:09 UTC (Thu) by modernjazz (guest, #4185) [Link] Great and very important article---thanks! Let's hope this issue gets theattention it deserves.
Securing our votes Posted Aug 9, 2007 2:32 UTC (Thu) by charris (subscriber, #13263) [Link] Secretary of State Bowen posted a comment over at Winds of Change. The following bit caught my attention:IMHO, the mark sense / optical scan systems are a good choice. My primary recommendation for improvement would be to use open source software for the op scan processing in the polling place, as well as for the central tabulation equipment. Whoever does that first will have a winning hand -- the public is demanding transparency, as well they should!Nice plug for open source there.
Securing our votes Posted Aug 9, 2007 2:54 UTC (Thu) by Baylink (subscriber, #755) [Link] I shake my head in disbelief.
There are clearly obvious solutions to all of these problems, and I didn't even think them up.
*Don't use the computers to count the votes*. Just use them to do the UI. Get the votes, and print everything as OCR-A on a cardboard card that drops through the printer into a clear plexiglas box where the voter can confirm that it contains everything they voted for (by the simple expedient of printing everything for which they did *not* vote as well, clearly tagged differently), then have them turn a mechanical knob that drops the ballot into a locked box, or into a trash box/small shredder.
Count the ballots using an OCR-A optical scanner. Serial number and checksum the data. 100.00% accuracy shouldn't be hard at all.
Your counting machines then reduce to one per precinct... or per area. And humans can count the ballots too, should the Republicans try to steal yet another election.
Sure, you can keep a running count in each machine, but that shouldn't be the *certifiable* count. You can't *recount* that (says a Floridian, looking over his shoulder). You can recount printed cards.
I can't personally think of a failure mode in this design that can't be avoided.
Anyone?
Securing our votes Posted Aug 9, 2007 6:47 UTC (Thu) by tadmini (guest, #41980) [Link] Good point. I never understood why would somebody want to use a computer to count the votes, given the immaturity of most information systems today.
Can't we just stick to good old paper ballots and be done?
Securing our votes Posted Aug 9, 2007 15:17 UTC (Thu) by Baylink (subscriber, #755) [Link] You'll note the-solution-that-isn't-actually-mine does, in fact, utilize recountable, human-readable, paper ballots, which can be the critical path on the count.
Securing our votes Posted Aug 9, 2007 10:57 UTC (Thu) by NRArnot (subscriber, #3033) [Link] Some voters will be short-sighted or have impaired vision, and won't be able to check a paper under a plexiglass cover, especially if printed in horrid OCR-A.
Better: print out an oldfashioned paper with a big X against the voter's chosen candidate, which he can view with a magnifying glass at a distance of three inches if he needs to, and then deposit in a ballot box. There should be no problem developing software that can locate a printed X in one of N boxes.
But still not good. You have increased the vulnerability of the election to rigging by pre-stuffed ballot boxes, since all papers will appear identically marked. The oldfashioned marked-by-hand paper is better, because no two voters will mark their X alike. It's far harder for one miscreant to produce 1000 convincingly differently handmarked votes, than 1000 identical printed ones.
A scanner can do a perfectly good fast first approximation sort and count of handmarked ballots, which in most elections will be good enough. When it's close, one then moves to iterative refinement, rechecking and recounting bundles of papers (by hand) over and over again (usually, the first recount suffices) until sufficient accuracy is attained.
Another improvement would be if the printer also sequentially numbered the papers it printed, starting at a random number not known before the polling station opened for business. This would make pre-stuffing easily detectable (and correctable). The problem would be convincing voters that it wasn't destroying the secrecy of their vote.
One word that all posts above forget: Posted Aug 9, 2007 13:57 UTC (Thu) by hummassa (subscriber, #307) [Link] VOTE SECRECY. There is a very good reason why your vote is secret.<slashdot-esque-fiction-mode> 1. I am your boss (and the boss of 10000 other people) 2. I say to you: "vote on Joe Corrupt for me, and then take a pic of the thingy on the clearbox with your cell phone and bring it to me by monday, or don't bother coming at all." (*) 3. Joe Corrupt wins the election by 10000 votes. 4. ??? 5. Profit!! </slashdot-esque-fiction-mode> (*) just to be clear: I work in a governmental institution with 3000 employees and 300 interns and apprentices. The two buildings have, combined, some 4000 cell phones. I believe at least 3000 of them have cameras. I haven't seen a good (== fast && cheap && secure [IMHO]) alternative to electronic voting yet. So, I'll refer you to my reccount of my experiences and opinions: http://lwn.net/Articles/100202/ http://lwn.net/Articles/100326/ HTH.
One word that all posts above forget: Posted Aug 9, 2007 15:34 UTC (Thu) by Baylink (subscriber, #755) [Link] All currently available approaches have this problem. Collecting your camera phone at the counter and giving it back to you after is the only solution I can see; IE: a policy against taking cameras of any kind to the booth. Since the booths aren't actually booths anymore, they're generally in the open, this is less of an issue, I suspect -- it would be obvious if you had a phone or camera out.
Loved your riff, though. :-)
One word that all posts above forget: Posted Aug 9, 2007 15:38 UTC (Thu) by Baylink (subscriber, #755) [Link] One other observation: if the ballots are numbered sequentially, and you log the random starting number -- or print "FIRST BALLOT" on it -- then you can audit that a stack is complete, and extra-counting organizations, as you mention in your other posting, can tell they have all the ballots.
And it should be cheap enough to build counting boxes that lots of different people can do it commercially, and such orgs can all buy them from different people, or even build them themselves, and if the paper handling is good enough, then the ballots will *survive* 50 counts.
Hell, the election officials themselves could buy counting machines from different manufacturers and run each election through twice and compare.
And *none of the equipment is on the security critical path* in this approach, in case anyone missed that.
You *can* have preliminary counts come out of the terminals themselves, but there's no sense in hacking those, because the system procedures make it worthless to change them -- the dual count of voter-approved paper will show any mistakes.
One word that all posts above forget: Posted Aug 16, 2007 22:30 UTC (Thu) by edgewood (subscriber, #1123) [Link] Jane Employee: OK, boss!
Jane ventures down to the voting booth, punches up a ballot for Joe Corrupt, <click> takes a picture of it under the plexiglass, then presses the "Spoiled Ballot" button. She votes for her preferred candidate, then pushes the "Correct Ballot" button.
She then delivers the picture of the vote she didn't actually cast to her boss, and anonymously calls the Election Commission on her way home.
Securing our votes Posted Aug 9, 2007 15:31 UTC (Thu) by Baylink (subscriber, #755) [Link] Yes, but handmarked ballots don't solve the problem which electronic voting terminals were putatively primarily intended to solve: people who can't write, or can't see.
OCR-B is fine with me. :-)
That's an implementation detail.
The paper would be something like 8.5x5.5 inches, with the information printed in at least 14 point, and pressed against the plex box at eye level, with a sliding magnifier and appropriate lighting.
As for stuffing, both the random-start sequential number and my own idea: a transparent locked catch box, will solve that problem. I actually want to catch and count all the spoils as well.
As far as
> The problem would be convincing voters that it wasn't destroying the secrecy of their vote.
what makes you think they care now? You *did* watch the last 2 presidential elections, right?
Those in a position to evaluate will be, I think, satisfied with the answers.
Teller machines Posted Aug 9, 2007 7:41 UTC (Thu) by tnoo (subscriber, #20427) [Link] ATMs (Automatic Teller Machines, Bancomat) have all the needed technologyand are often manufactured by the same companies (e.g. Diebold). Everybody seems to be happy with them, from a usability point of view, and they can easily cope with a huge amount of secure transactions, including audit trail and receipt.
So what's wrong with the voting machines?
tnoo
Teller machines Posted Aug 9, 2007 15:40 UTC (Thu) by Baylink (subscriber, #755) [Link] It's much more difficult to collect on a mass-subversion of ATMs, and much lower in leverage regarding what you get.
Stealing elections is much more worthwhile.
Just like DRM Posted Aug 9, 2007 8:23 UTC (Thu) by dskoll (subscriber, #1630) [Link] DRM will *never* succeed. Neither will using computers to run fair elections. I don't understand why so many intelligent people are wasting so much effort trying to get voting-computers to work.
Use paper ballots and human counters. Done.
Just like DRM Posted Aug 9, 2007 9:19 UTC (Thu) by charris (subscriber, #13263) [Link] IIRC, wholesale move to electronic voting started with the butterfly ballots in Florida in the 2000 election. A prime example of the need to be careful of what you wish for. That said, I voted using a Diebold machine in 2006 and it kept a record of the votes on a strip of paper that I could see, so there was a paper trail as well as the electronic memory. I suspect the big problem isn't the voting itself, it is the ease of jigging the machine to create false votes. How easy it is to jig the machines in practice, I don't know. During the last election cycle there were three recounts in the Washington governor's race and lost ballots kept turning up in King's County until the election results changed. So it isn't clear to me that paper ballots are really better than the machines.
Hanging chads Posted Aug 9, 2007 10:31 UTC (Thu) by nowster (subscriber, #67) [Link] Weren't the ballots in 2000 election machine-counted initially? They were on punched cards.
Hanging chads Posted Aug 11, 2007 3:57 UTC (Sat) by giraffedata (subscriber, #1954) [Link] Virtually all ballots in US elections have been counted by machine for at least 20 years. Some of those machines use more electronics than others. The exceptions have been rural areas where hand counting is cheaper, but those areas are now tending toward mail-in ballots counted by machine. Hand counting has been a backup for when the machine fails, and various jurisdictions have various rules on what is adequate evidence of a machine failure. The legal controversy in the 2000 Florida presidential election had to do with interpreting Florida's vague rules in that regard (Florida isn't special -- almost all states had vague rules). Since ultimately none of the counting issues affected that famous election (while a full hand recount was found to be not legally required, a bunch of journalists did one anyhow and found that no matter how you counted the ambiguous votes, George Bush won), and the only real unfairness was the misunderstood Palm Beach County butterfly ballot (if voters had voted for the candidate they meant to vote for, George Bush would have lost), I think the GUI makes a lot of sense. It's a more powerful medium than any paper ballot can be.
Hanging chads Posted Aug 17, 2007 8:02 UTC (Fri) by forthy (guest, #1525) [Link] while a full hand recount was found to be not legally required, a bunch of journalists did one anyhow and found that no matter how you counted the ambiguous votes, George Bush won No, you remember incorrectly. They found that if you only recounted the four districts Al Gore wanted to have recounted, George Bush still won. But if you recounted all Florida, George Bush would have lost. Most of this just went under, since the publication was short after 9/11, and due to the "many scenario" theme in the article, the conclusion was not obvious (it also depended on the standard of "voters intent"). See Wikipedia. Unfortunately, the Times article cited there is only available to subscribers. But it's certainly wrong that "no matter how you recounted, George Bush won". You can however say that it was too close to call, because due to the uncertainty with the recounting, you still didn't get a convincing result. If you can't get a winner, the rule "the winner takes it all" shouldn't apply, and if you can't do so, because your election process has a way too high error margin, even less so. IMHO, if this recount had been published a month before 9/11, the conclusion would have been different, and George Bush would have had a snowball's chance in hell to stay president.
Hanging chads Posted Aug 18, 2007 18:37 UTC (Sat) by giraffedata (subscriber, #1954) [Link] They found that if you only recounted the four districts Al Gore wanted to have recounted, George Bush still won. But if you recounted all Florida, George Bush would have lost. Thanks. I stand corrected. But looking at the free abstract of that article, I see it says Bush could have lost; i.e. it depends on your rules for counting ambiguous ballots. I found another source that says even in the 4-district recount, if you interpreted "overvotes" a certain way, Gore could win. (An overvote is where someone votes for two candidates; I don't know what the proposed methods for disambiguating those are). IMHO, if this recount had been published a month before 9/11, the conclusion would have been different, and George Bush would have had a snowball's chance in hell to stay president. So you think somehow Bush's presidency would end just because 50% of the people in Florida didn't vote for him? Many people, including the US Supreme Court, thought the actual count was not as important as the count defined by the rules of the game. And that it's no great travesty of democracy if there is a .05% error in the voting.
Securing our votes Posted Aug 9, 2007 10:04 UTC (Thu) by rwmj (subscriber, #5474) [Link] Even with a six month lead time, replacement systems (either electronic or of some other kind) could not be deployed before the 2008 California presidential primary voting. Can't they just "deploy" some pieces of paper and some pencils, and volunteers to count the votes? This is how it works in the UK, and it works very well indeed. Rich.
Securing our votes Posted Aug 9, 2007 13:30 UTC (Thu) by nix (subscriber, #2304) [Link] AIUI, in the US there are many more votes for each voter to cast, so counting by hand would be somewhat more longwinded. (Still that's not an excuse, really.)
Securing our votes Posted Aug 10, 2007 7:11 UTC (Fri) by tnoo (subscriber, #20427) [Link] > AIUI, in the US there are many more votes for each voter to cast, so> counting by hand would be somewhat more longwinded. (Still that's not > an excuse, really.)
In Switzerland we have 4 vote dates per year, each with up to 10
Works perfectly, and is fast and reliable.
Securing our votes Posted Aug 11, 2007 16:33 UTC (Sat) by dirtyepic (subscriber, #30178) [Link] You also have 1/40th the population and 1/225th the size. ;)
Securing our votes Posted Aug 11, 2007 23:38 UTC (Sat) by nix (subscriber, #2304) [Link] I'm not sure that's relevant: after all, there are fewer people to countthe votes, as well.
Securing our votes Posted Aug 13, 2007 7:40 UTC (Mon) by himi (guest, #340) [Link] Vote counting is an embarrassingly parallel problem - there are no dependencies, all you need to do is divide the ballots up into groups, count the groups, then sum the results. Conveniently, the number of people available to count the ballots also scales linearly with the number of ballots.
I've never understood the attraction of voting machines - I'm Australian, and we've always done perfectly well with hand counting. A fair number of Americans that I've discussed this with think there are valid reasons for using them in the US, though . . .
himi
Securing our votes Posted Aug 13, 2007 8:54 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link] when you go to vote, how many selections do you make on one ballot?
if it's a small number then manual counting isn't that bad, but in the US it's not unusual for there to be a couple dozen selections (including the 'vote for up to 3' type of selection). this makes counting the votes more complicated and manual counting more error prone.
Securing our votes Posted Aug 13, 2007 9:05 UTC (Mon) by rwmj (subscriber, #5474) [Link] when you go to vote, how many selections do you make on one ballot? In general [government] elections in the UK, which are the most important elections, usually you pick one candidate from a list of 3 or 4. So obviously counting these is easiest. Local elections are more complicated - for example the last London mayoral election in (IIRC) 2002(?) had a fantastically complicated series of ballots with transferable votes which I don't think even voters really understood well. Anyway, all are counted by hand. Perhaps the lesson here is that you should simplify the ballots? If the ballots are too complicated to be counted by hand, do the voters themselves understand or care enough about them? Rich.
Securing our votes Posted Aug 11, 2007 16:28 UTC (Sat) by dirtyepic (subscriber, #30178) [Link] It's not a technical matter but a legal one. As I understand it, by law you cannot change the method of recording, tabulating, or reporting votes within six months of the election. This allows everyone enough time to rig the machines in their favor. The deadline for the February presidential primary was August 3rd.
Distraction Posted Aug 9, 2007 14:16 UTC (Thu) by jmorris42 (subscriber, #2203) [Link] We are all tech geeks so we tend to obsess over the tech. But it really doesn't matter all that much. If the people running the election have half a clue and can be trusted you will get a result that is accurate enough for the purpose with paper, punch cards or the most insecure Dibold machine. And if you don't have reliable and trustworthy people running the election you won't get an accurate result. Period, full stop.
"It isn't who votes that counts, it is who counts the votes." Name one disputed election where the problem was really in the process rather than the people?
The infamous 'butterfly ballots' were laid out by a Democrat in the local government. So it wasn't some scheme by Karl Rove, it was just a local guy who perhaps did poorly at trying to ram all of the candidates onto a fixed size ballot. I say perhaps because the physical limit was real and unless you have a better solution than his, and it is so obvious that his failure to think of it can be described as incompetence I find it hard to lay much fault at his door.
Most of the other irregularities in the last few cycles have involved:
1. Accusations of discouraging voters by, long lines, challenging identity, etc.
2. Dead people, felons, etc. voting. Other disputes over voter identity. Example: Sen. Landrieu's popularity with the dead in N.O. giving her victory in '96. Historians are pretty much agreed these days that JFK won on the strength of the vote fraud in IL and TX.
3. Ballot box stuffing. Example: The most recent Gov election in WA where unsealed boxes of 'uncounted' ballot kept appearing until the Democrat had enough votes to win at which point all recounting instantly ceased.
Tech probably can have only a marginal influence on any of those sources of actual vote fraud. So yes we should insist on secure and transparent machines, but be under no illusion it will make all that much difference.
Distraction Posted Aug 9, 2007 15:43 UTC (Thu) by Baylink (subscriber, #755) [Link] > If the people running the election have half a clue and can be trusted you will get a result that is accurate enough for the purpose with paper, punch cards or the most insecure Dibold machine. And if you don't have reliable and trustworthy people running the election you won't get an accurate result. Period, full stop.
Unfortunately, no, that's actually factually incorrect.
If the people running the election are honest, and even the people buying the machines are honest... but the people *making* the machines have promised "to deliver the State of Ohio for President Bush" (*actual quote* from a Diebold exec who was also the state party reelection chairman; look it up), then it doesn't *matter* that those local people are honest.
Paper, punch cards, yes. That Diebold machine. Unh-uh.
Alas, *lots* of people believe as you do.
Distraction Posted Aug 9, 2007 15:47 UTC (Thu) by Baylink (subscriber, #755) [Link] Additionally, Theresa LePore was in fact a Republican, who tactically switched her party registration to coat-tail the incumbent in the slot; she is now registered No Party:
http://en.wikipedia.org/wiki/Theresa_LePore
and see also
Distraction Posted Aug 10, 2007 15:18 UTC (Fri) by nix (subscriber, #2304) [Link] Number 3 is quite interesting, actually, because it needn't be physical stuffing at all. All the fraudster needs to be able to control is the time of recount termination and the order in which boxes are submitted for recounting: if you can tell which region each box came from and the regions are sufficiently gerrymandered, the fraudster can just submit boxes exclusively from regions gerrymandered to have his party of choice win, and then stop the recount before submitting any boxes from regions gerrymandered the other way (or even fairly-shaped regions, if there are any left).
Securing our votes Posted Aug 9, 2007 16:39 UTC (Thu) by rgmoore (subscriber, #75) [Link] Though it is certainly terrible not to meet the needs of some individual voters, safeguarding the election process and accurately reporting the vote totals need to be higher priorities. I don't agree. Accessibility to all voters is critical. A voter who can't cast a ballot has been disenfranchised. Any system that systematically disenfranchises a predictable subset of voters is irretrievably flawed.
Securing our votes Posted Aug 9, 2007 20:27 UTC (Thu) by phiggins (subscriber, #5605) [Link] Not being able to count the votes cast correctly and having that count easily manipulated takes disenfranchisement to a whole new level. I'm afraid that I just wouldn't care whether I or anyone else got to cast a vote or not if I knew that I couldn't trust the votes to be counted correctly. It makes the entire election process completely pointless.
And? Posted Aug 28, 2007 21:05 UTC (Tue) by renox (subscriber, #23785) [Link] >>I don't agree. Accessibility to all voters is critical.
Sure, but security is also critical, secrecy is also critical, etc.
>> A voter who can't cast a ballot has been disenfranchised.
That's not true, if a voter cannot cast a ballot alone, he can still vote if you authorise him to have a helper or someone which can cast a vote for him, of course this possibility also gives the possibility of buying votes, it's a tradeoff.
>>Any system that systematically disenfranchises a predictable subset of voters is irretrievably flawed.
Then all the systems are 'irretrievably flawed', what's your point?
Securing our votes Posted Aug 9, 2007 16:40 UTC (Thu) by harold (guest, #44046) [Link] At our municipal elections we marked a paper ballot that was then scanned, so there is paper trail if a recount is needed.
Manual + Machines Posted Aug 10, 2007 14:52 UTC (Fri) by filker0 (guest, #31278) [Link] A solution to the accessability problem, the paper trail, and the untrustability (is that a proper word?) of the current crop of electronic voting machines would be a hybrid system.
One idea is using the paper ballot that requires the voter to connect two bars with a solid line; this may require a felt tip pen with a specific ink, supplied at the voting place. The ballot is also provided with optical registration marks. For those that need a touch screen for accessability reasons, you have a machine that has a slot into which the ballot is inserted and a touch screen terminal. This displays the information and translates the voters interaction into a position on the paper, where it draws/prints a line. The optical registration marks allow the mechanism to print it in the correct place even if there are printing variations. Further confidence measures might include printing the position code as part of the bar, so malfunctioning printer registration mechanisms won't produce unuseable ballots. On an undervote, the voting machine requests confirmation, listing the unvoted for items, and marks the voter's confirmation (if the voter doesn't want to go back and vote for those issues/positions/whatever) on the ballot before it's released.
The paper ballot is then manually carried over to the ballot reader, scanned for a poll count, and deposited in a locked box. The voting machine itself is not required, and when used does not keep a tally of the vote itself. Only the poll counting unit counts and the paper ballots come out of the polling place. The voter can (and will be encouraged to) examine the machine filled (and manually filled) ballot before depositing it in the counter.
A single polling place could have one or more machines and lots of stations for manual marking. In case of a technical failure, the voting can continue with manual marking. The cases in Ohio in 2004, where some polling places had too few machines for the general election (though they had enough for the primary) would be mitigated, and the chances for fraud reduced.
Still, to some degree, no technical fix will prevent all vote rigging schemes, as the schemers have a fixed target each election cycle. An educated voting populace is our best defense.
|
|||||||||||||