Diebold Voting Machines. Scary or not?

In our municipal elections (Ottawa, Canada) the ballot is a fairly heavy-weight letter-size sheet. You fill in the ovals beside the candidate(s) you are voting for using a black marking pen, then slip the ballot into a covering sleeve and hand it to the returning officer. He slides it into a machine that looks something like a small desktop photocopier, which extracts the ballot from the sleeve, scans it, electronically tallies the vote, and slides the ballot into a locked box. Quick, electronic vote counting, the original ballot retained in case of recounts, and it even rejects the ballot if there is a problem (double voting, poorly marked choice, etc.).

Sounds like a good solution for your problems.

Definitely scary!

First of all, with a paper ballot anybody can see how the process works. You mark your choice (pretty much), ballot goes in big box, and then all the ballots are counted later.

With electronic voting you make your choice and then…who knows! The process is a “black box” which means the internal workings are not known to the public (remember those are Diebold’s trade secrets in there, stay out!). How do we know the votes are being counted fairly?

Second, electronic data is too easily corrupted and/or changed. Which is harder: flipping some 1’s and 0’s around or physically altering paper ballots?

Third, and most important, voting machines have been shown to be extremely bug-ridden. Diebold alone has had dozens of problems, even including lost votes! Having to reboot sucks enough when I’m playing GTA3 but if the leader of my country, or my state, or my city, are elected this way then system problems are not an option. The 2000 election was bad enough but think what would have happened if it turned out a few voting machines had glitches, it would have been bedlam!

Several of the questions here are of a factual nature, but the heart of the matter is debatable, so I’ll move this thread to GD.

bibliophage
moderator GQ

Logically speaking, I believe this is a false dilemma. By ignoring the obvious middle ground, you alienate both sides. The companies producing the software insist on proprietary software so they retain their rights. The privacy advocates insist on open source reviews. But “open” is not necessarily the opposite of “proprietary”. Unfortunately, when people say open source, too many people hear Open Source, as in GPL, which is the antithesis of closed proprietary. However, there is a perfectly valid middle ground: proprietary software in which the author retains full and exclusive rights which is published for review. This is fairly common in the security field because no one trusts security software which is a black box. It doesn’t require some open source license like GPL in order to open the source for review.

What I think would be ideal would be a system similar to what cash registers use. A two part carbon paper roll. The voter gets the top copy, the carbon copy stays on the roll. All the rolls are saved and if there’s a question, you can go back through the rolls. And this would be really easy to do as the technology already exists…

There are some design goals for e-voting which seem mutually exclusive on first glance. One is that every vote can be verified and audited. Your scheme does that. Another is that every voter have absolute secrecy so there is no way to tie a voter to a vote. If the receipts are all on a roll, you can tie a voter to a vote simply by monitoring the order in which voters enter the booth. That’s a really fundamental flaw for a secret ballot.

David Chaum (a bona-fide security guru famous for electronic cash algorithms) has a paper discussing some of these topics:
http://www.vreceipt.com/article.pdf

Micco, you can do that as well without a paper trail obviously. If you monitor the booths and the voting machine, you can exactly tell who voted for whom even without the paper trail.

Is there a way to find out whether these voting machines will be used in our wards?

Please explain. I’m not talking about monitoring activity within the booth, just monitoring who goes in and comes out. We have to assume we can maintain the privacy of the booth itself, but not the surroundings. If your paper trail is serial (like a roll of receipt tape) then it’s trivial to tie a voter to a vote.

It’s also possible if your voting implementation is poorly designed, such as one that records votes by creating a new timestamped or indexed record in a database. This is bad implementation because it violates the secrecy of the vote just like a paper receipt. But assuming your back-end electronics are implemented using a sound design, how would you tie a voter to a vote without a paper trail?
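The difference between the two back-end designs described in this post can be written as a storage review check. This is an added example, not part of the original thread; the record layout, field names, voter labels and choices are all constructed for illustration.

```python
import secrets
from collections import Counter

# Constructed sample: the order voters were seen entering the booth, and the
# choice each one made (the pairing is what a secret ballot must not reveal).
ENTRY_ORDER = ["voter-A", "voter-B", "voter-C", "voter-D", "voter-E"]
CHOICES = ["Smith", "Jones", "Smith", "Lee", "Jones"]


def store_serial(choices):
    """Flawed design: one indexed record per vote, kept in casting order."""
    return [{"seq": i, "choice": c} for i, c in enumerate(choices)]


def store_unordered(choices):
    """Order-free design: no index or timestamp, shuffled with a CSPRNG."""
    records = [{"choice": c} for c in choices]
    secrets.SystemRandom().shuffle(records)
    return records


def order_fields(records):
    """Return the fields whose values rise strictly across the stored records.

    Any such field (sequence number, timestamp, row id) reproduces casting
    order, so a design that stores one fails the secrecy review.
    """
    leaking = []
    for field in records[0]:
        values = [r[field] for r in records]
        numeric = all(isinstance(v, (int, float)) for v in values)
        if numeric and all(a < b for a, b in zip(values, values[1:])):
            leaking.append(field)
    return leaking


def linkage(records, entry_order, field):
    """What the leak costs: sorting on the field pairs each voter with a vote."""
    ordered = sorted(records, key=lambda r: r[field])
    return {voter: r["choice"] for voter, r in zip(entry_order, ordered)}


def tally(records):
    """Both designs must still yield the same count."""
    return Counter(r["choice"] for r in records)
```

Both stores give the same tally; only the serial one has a field that `order_fields` flags, and that field is all `linkage` needs.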

Granted, if the implementation is sound, then there is no problem. You can’t trace the vote back to a specific booth and if it is not timestamped then you can’t trace it back. But the problem is that you can’t tell if the implementation is sound. You don’t know if the vote is saved with a timestamp and stamp of origin or not. Plus there is a pretty simple way around this. You can just have the machine print the results at random places on the paper. For example you can have a roll, which can have 4 votes printed in a line and the machine randomly chooses one column when you cast your vote. So in the end, while, if you were the first voter to use a booth, it can be said that one of the four votes in the first line is yours, you don’t know which one exactly.

I’d go with the system of using the electronic unit to fill out the paper ballot for you. I’d also eliminate all networking. The individual voting machine fills in a paper ballot, the voter turns that into a collection unit which tallies votes for that location, then those records get hand carried to the regional office and so forth. It won’t have the votes counted in a half hour, but we don’t need that.

I think that the networking aspect of these units is far more dangerous than corporate malfeasance, because it opens the door for mass exploitation of the system. Even if it was only a LAN, you could still have someone smuggling in a PDA. Better to limit the access.

I never advocated the GPL or any other Open Source (note the caps) license. I merely advocated that the code be open-source as in open to review and possible external modification. As in the opposite of closed-source, which would mean that it’s not peer-reviewed and not modifiable by outsiders.

I fully respect Diebold’s right to its code. I do not respect its supposed ‘right’ to make a voting system a secret.

Oh, you can have that too. Just print a bar code at the bottom of the ballot that contains the same information the voter selected. The bulk counting can be done by bar code, and if there are disputes, the human-readable portion can be used for recounts and verifications.

And if the bar code doesn’t match the human-readable stuff (easily checked), then it’s time for an investigation…

As a programmer who has worked on a few different data mining projects, and am currently involved in financial market software, I completely and totally distrust voting software.

Not only do I think it needs to be open source, but I think it needs to be open source that has been used as a voting system in non-governmental orgs first, before it is used by the gov. Like rotary clubs or the Elks Lodge or corporate voting or whatever; it needs to be put through its paces in a non-governmental atmosphere first.

I do not in any way trust the long term effectiveness or reliability of any proprietary voting software, and only trust open source after it has been around and been put through its paces in a variety of environments.

It’s not so much the security of the system I’m concerned with, though that is a concern; I am far too familiar with the arrogance that plagues many of the best programmers when it comes to QA, and all it takes is one mistake to slip through, one minor error of logic, and we’re all counting screwed results. Simply dividing by 10 rather than 100, or something else very minor. Mistakes that may not be found for years, that don’t cause an error to be generated but cause numbers to be crunched in an oh so subtly wrong way, throwing the results of elections long gone by into question. It’s not a matter of if it would happen, but when.

Unless they are the first company ever to release bug free software.

Open source isn’t just a good test of security, it’s the best and worst QA process a programmer or company can put their work through.

Voodoochile: If you release it to the world like that, I’m pretty sure a wide range of American and international computer types would gladly put it to use in a wide range of tests, rational and irrational. We’ll make the code cry uncle, and crash like a Pinto full of kerosene. :wink:

Which is, of course, what we want: Every bug discovered in testing is a bug that doesn’t exist in the release version. Ideally, this software’s bug report entries should skyrocket for the first few weeks/months (depending on its complexity and popularity), then decline to a trickle as final stability is achieved. I think it’s very do-able.

Stability and security are necessary preconditions to the existence of this system. That alone justifies an open-source development model. But I think the philosophical arguments are at least as strong: If the voting system is controlled by a secretive group, the voting system is broken and needs to be fixed. For once, pragmatism and idealism are on the same page.

According to a NY Times editorial that appeared online on 1/31/04 and entitled,
How to Hack an Election

Maryland bought over 16,000 AccuVote-TS machines from Diebold (that do not leave a paper trail) over “considerable opposition,” and then hired a security firm to try to hack them.

With no sweat whatever, they were able to reprogram the access cards used by voters and thus vote many times. They attached a keyboard to a voting terminal and changed its vote count. And with a modem, they were able to change votes remotely.

The Times reported that the machines’ vulnerabilities were “almost too bad to be true.” All 16,000 machines “have identical locks on two sensitive mechanisms, which can be opened by any one of 32,000 keys.” And the hackers had no problem getting duplicate keys from local hardware stores. But this wasn’t necessary at all. One of the hackers picked the lock in about ten seconds.

The pisser of it is Diebold sent out a self-congratulatory release on all this headlined: “Maryland Security Study Validates Diebold Election Systems Equipment for March Primary.”

Want more? In Boone County, Indiana, an electronic voting system tallied over 144,000 votes in an election with less than 19,000 registered voters.

I can’t give you a cite on this. Yesterday, when I again tried the link below, it no longer worked:

http://www.nytimes.com/2004/01/31/opinion/31SAT1.html (1of2) [1/31/2004 11:41:11AM]

(Everything to the right of html (above) is superfluous, of course, but I included it for the sake of completeness.)

If you want a copy of this Times article, I will email a copy to you as an attachment.

Cartesian Product.