Now, I know it’s still early in the law-making stage, and there’s no guarantee that this thing will get signed into law. But I’m baffled by several things already:
Why would anyone in the Florida legislature, in their right mind, even propose such a bill to begin with?
Why did the Florida Senate Ethics and Elections committee, of all people, approve this thing 8-to-1? Is this some Orwellian doublespeak joke?
I mean, people are suspicious about electronic voting as it is, so wouldn’t the prudent thing would be to push a law requiring a paper trail? Instead, we’ve got (what appears to be) Republicans in Florida going in the opposite direction, to make it even easier to commit electronic election fraud.
Does this make sense to anyone? Because I sure don’t get it…
It’s really frustrating to me that things like this are coming about, despite the large amount of apprehension that’s surfacing with respect to electronic voting. I would love to see voting moved towards computers, and away from sheets of paper… but a lot would need to happen to accomodate a change like that.
I, too, think that the Florida legislature is walking the cause two steps back. I would like to hear any type of reasoning behind their intentions, as well.
Not me. I find this idea as alarming as a rumor I heard that the voting machines are going to be networked via internet, making it far easier for someone to hack many from any location instead of having to physical visit a computer they wished to manipulate. (Apparently the crisis video game makers had a few months back over stolen source codes taken from networked computers did nothing to illustrate the danger of networking computers with what should be secured information) No paper backup makes no sense, given it’s a good way to assure a leaving voter that his/her vote went through correctly, and to double-check the accuracy of the computer’s count. Did FL like the notoriety of voting scandals the last go round? It looks like they are trying hard for a repeat…
I just do not understand why so many people are so aprehensive about e-voting. Technically it is as safe as can be. The notion that fraud is easy is just silly. The parties will have their observers and if the parties and their observers agree the system is safe why would I be afraid that it’s not? I have absolute confidence that it is technically feasible to implement a system which is secure and by secure I mean you could not steal votes from party X without the cooperation of someone in party X. In other words, as safe as paper ballots.
In my profession, I maintain expertise regarding data network security. While it is not what currently pays my bills, I have in the past provided consulting services to Fortune 500 companies regarding network security, and one of my clients was a bank.
With that said, I still would defer an issue like this to folks more expert than I on these topics. And the one expert I respect the most is Bruce Schneier (author of Applied Cryptography - the definitive textbook for cryptography).
Bruce maintains a free monthly newsletter, and recently touched on this topic.
Read the rest of the link (it’s pretty short) for some of his concerns. He also includes links to other articles on the topic. About two years ago, he also addressed Internet voting: Internet Voting vs. Large Value e-Commerce.
In my opinion, this bill is exceptionally ill advised.
My cynical, paranoid first response would be that someone is planning on doing some tricky stuff, but it won’t be in Florida; that this is a red herring, a distraction to keep eyes away from the hand that really holds the coin.
It does lead me to wonder though, should either side win in such a way that the other cries foul, what happens when they demand a recount? Are there technicalities that make e voting impossible to be verifiably recounted? It’s not exactly like being able to have a both sides keeping watch over a ballet box to make sure no one dips inside of it. There are at least 50 chances for it to fail assuming all states participate in e voting to some extent.
If either side gets something resembling a landslide, I bet the other will dispute it. Either side may possibly cry foul simply as a strategic attack. I assume this then goes to the courts, and how long will that take this time? We waited a month in 2000, could it take months to settle in a case like this? Could there ever be a clear settlement, a recount that could prove beyond a reasonable doubt that the vote was not manipulated? Would the Bush administration stay in power in until an outcome is decided?
And lastly, why the hell aren’t more of us Americans demanding verification? I bet by the end of the decade the issue will become big enough through some voting fiasco somewhere that it will have to be rethought. Until then, I fear there are those preparing to take advantage of the situation.
It’s not just fraud that people worry about. Hackers and virus creators enjoy doing things to mess with everything imaginable. What could be more alluring to a hacker than knowing you personally threw an entire country into a tizzy because you did the ultimate hack and messed with e-ballots?
Yes, this is technically possible. Unfortunately, none of the systems currently in wide use offer this safety. Right now, the only assurance we have that these systems are counting votes accurately and fairly – and will always count votes accurately and fairly – is the sincere promises of the machine-makers.
Unfortunately, between the leaked corporate memos documenting security holes, the tests from third-party computer experts which show how easily the results can be accessed and changed, and promises from corporate CEOs to “deliver Ohio’s electorial votes for Bush”, you’ll pardon me if I’m not ready to believe their sincere promises just yet.
I may be wrong here, but I was under the impression that they were not just any CEOs. They included people involved in making and running the incredibly-easy-to-rig voting machines!
Frankly, I’m not sure why we don’t drop voting, and go to polling. If we got a true and large enough EPSEM picked group, it would probably be even MORE accurate than actually casting ballots.
I am not making any assertions about specific systems, only about the concept. It is possible to have a system which is open to inspection by all parties concerned and which can be pronounced safe by all parties running for an election. That is all I am saying.
The opposition to the concept (not to specific systems) comes mainly from ignorance because people tend to not trust what they do not understand. In reality it is much easier to do fraud with paper ballots where you just pay off the observers. With electronic systems this could be made much more difficult.
For many years my bank would not accept orders by digitally signed email but they would accept orders by fax which are trivial to forge. I can create an email with any signature you want in a question of minutes.
Most people just oppose anything new they do not understand. If you had to transfer $1 million across the country, would you mail it with the USPS or would you send an electronic transfer? Which is more secure? We allow voting by mail. In fact some places mandate vote by mail. Why is a vote by mail any more secure than a vote by secure email? the answer is that it is not.
The issues of annonimity, security etc, have all been resolved in a very satisfactory manner and I am sure in the future people will laugh at our misgivings today just like we laugh at people who opposed the steam engine, the microwave oven or the washing machine.
Basically the concept is very similar to that of electronic cash which allows security, annonimity, etc. The concepts of blind digital signatures etc are too complex to discuss here but they are basically the same as for digital cash which has been proven safe.
The basic blinding concept is described in D. Chaum, “Blind Signatures for Untraceable Payments,” in Advances in Cryptology–Proceedings of Crypto '82, edited by R.L. Rivest, A.T. Sherman, and D. Chaum (Plenum Press).
A review of the various paradigms appears in David Chaum’s “Achieving Electronic Privacy” (Scientific American, August 1992) The linked page does not have the graphics of the original article but should give a general idea.
In my opinion is is technically possible to design a voting system which is anonimous and secure and reliable. It has to be open code so all involved can inspect it. The concept of “observer” (specific meaning for digital cash, encryption etc) guarantees the system is tamper proof. The "observer does not “trust” the machine it is embedded in. there is no need for “trust” anywhere along the line. No part of the system “trusts” any other part of the system.
It works with electronic cash. As Chaum has proven it is possible to create “digital cash” in the form of strictly information (numbers). It is possible that the bank give me digital cash by email. That I spend that digital cash at a merchant and the merchan redeems the digital cash from the bank and that no one can deny their part of the transaction (the bank cannot deny having issued the cash, I cannot deny having spent it, etc) but it protects the anonimity of those involved (the bank and the merchant cannot identify me even if they cooperate, in other words, I do not trust them or need to trust them). All these issues have been resolved by science and are as applicable to voting as they are to money.
I am not defending any specific sytems and it could well be they are flawed but that does not mean the concept is flawed. And, contrary to what people think, paper is the easiest thing to forge. It is just what we are used to using and what we feel comfortable with. But I can guarantee a digital system can have greater safeguards built in so that you need more people to cooperate than you need now. Right now if you want to stuff a ballot box full of votes all you have to do is pay off the few human observers who are physically there. Or distract them. Or. . . A digital system can be much more secure.
sailor, I certainly won’t assert that the technology doesn’t exist to provide secure electronic voting. I won’t assert that providing adequate security, even improved security, is unachievable.
However, I will assert that relying on such electronic voting systems without an auditable paper trail is ill advised at this time.
There are a number of reasons why I reach this conclusion. One, based on my thorough understanding of digital signature technology (PKI), is that such technology and the infrastructure required to operationalize mass electronic voting, simply is not practical in the near-term.
But, even if we have sufficient technology (I agree we do), and even if we have sufficient funding to operationalize the technology (which we don’t), unauditable electronic voting is still a very bad idea. Why? Because the perception of integrity by the populace is just as critical as the actual integrity of the system.
You continue to argue that many people simply don’t trust what they don’t understand. I fully agree - and assert that that is reason enough to not rely on electronic voting (without an audit trail). The instability within the electorate created by the lack of trust of election results is sufficient reason to avoid such systems.
Perhaps the best summary of the position I support is elaborated by Rebecca Mercuri, and can be found here. Much more information on this topic compiled by Rebecca can be found here.
I acknowledge the expertise of David Chaum on this topic, but make two quick points. The work you cite was created very early in the development of the technology, and many many issues have arisen since he contributed these works. Second, even David Chaum acknowledges the necessity of an auditable voting result.
An article in The Economist back in 2002 summarized some of these issues, and just happens to mention all three of the experts mentioned in this thread so far.
I strongly suspect that David Chaum would agree with me that this particular piece of proposed Florida legistlation is exceptionally ill advised.
Agreed. It will take time for people to slowly feel confident using electronic votes but it will happen eventually. If paper gives them confidence then so be it. But let us be clear here: e-voting can be made safer than paper voting. What we are discussing is how to present it and introduce it to the people who are suspicious by nature. Like everything else it will be introduced gradually. When some places report they are using electronic voting systems and they feel confident then people will become accostumed and will accept it. It is interesting to note now the acceptance has little to do with actual security and almost everything to do with perception and becoming accustomed to the idea.
And I agree with him but “auditable” does not mean “paper” at all. Electronic voting systems will be auditable but the paper part is only false security.
I am not expressing any opinion on this particular bill as I don’t know it. My opinions are about electronic voting in general.
Since the OP is specific to the proposed Flordia legislation, I may be moving toward a bit of a hijack, so I will defer to rjung regarding what is appropriate to debate within this thread.
For the most part, I think we agree with many of the most basic facts of this issue. For example, we both agree that e-voting can be made safer than paper voting (safer meaning secure with high levels of integrity).
However, you appear to support the implementation of paper-less voting systems now, or at least in the very near future (right?). I don’t.
I’ll agree that “auditable” doesn’t require a paper trail. However, I will note that most security and electronic voting experts concede that a paper (or paper-like) receipt is the best solution in the near term. So these aren’t simply the people that don’t understand the technology. The people that best understand the technology are the strongest proponents for such systems.
For some more recent perspectives on this issue, consider the writings of Robert X. Cringely. From two recent columns:
To sum up, just because we can, doesn’t mean we should.
There’s another issue here, too–the ability of a corrupt individual person to manipulate the system.
I dont know anything about electronic security.But I do know how to count pieces of paper (or mechanical voting machines with physical switches and gears inside)
I know that any cheating done on paper (or mechanical machines) is limited by the physical premises.One person can cheat in ONE voting precinct only. He can intentionally miscount, or even change the paper ballots phsyically, but he can only affect a few hundred votes which he records in his voting station. .Any cheating (or even honest mistakes, like the “hanging chads” in Florida) may be hard to prove later, but at least it is limited to one small precinct.
Convincing me that E-voting on a network is “safe” wont work–it is simply beyond my comprehension. One teenaged hacker with a laptop sitting in an igloo at the North Pole could publicly claim that he had broken into the system and changed everything.
It’s a reasonable claim–And I would have NO way to disprove it.Millions of hackers are out there, and I see them every day in my email box, when my anti-virus warning pops up.
So I (and millions of other Luddites) would have no choice other than accepting the government’s promises that “everything is okay”.
The arguments given here about how safe e-money is don’t convince me. The real reason I trust my bank and credit card is that I get a monthly statement ON PAPER
that I can verify. If anything looks suspicious, I can go to court, and demand evidence-- I know I never bought a million dollar diamond , and the diamond merchant knows he never sold it to me.
But in elections, there is no other evidence. We need a paper trail to guarantee integrity.Otherwise all we have is a politician’s promise . And we know how the public feels when told to accept a politician’s promise (such as, say, that Iraq has WMD.)
I agree. if this thread is very specifically about the FLA legislation then I have nothing to say.
Correct
Well, I am not supporting anything. Just saying that electronic voting can be secure and if the parties find it secure then I have no problem. I think the safeguard against fraud is not whether the voter gets a little slip of paper or not but whether the parties and observers agree it is safe.
I just don’t see what the paper slip does for security. I just think it’s a feel-good thing but I suppose feel-good things also have their place because they make people feel-good. All I am saying is that I, personally, have no problem with e-votes. If they give me a nice slip of paper I don’t have a problem with that either. I’ll scan it and put the scan in my hard disk which is what I do with any piece of paper I have any interest in. What will the paper say? only that I voted? How will it work if a recount is needed? Forging the receipt will be trivial. I just can’t see how this does any good.
Well, yes. The reasons would be convenience and saving time, effort and money. The time is when the public is ready. Every new system takes time to become accepted.
My main point I guess is that the security will not come from voters getting slips of paper but from the entire system being open and verifiable by all parties concerned. People keep thousands of dollars in the bank without need to understand the bank’s security systems. Voters do not need to understand the technology behind the system. Just be assured by experts from all parties involved that the system is safe.
This is in total error. The observers from all parties can verify the results at the precinct level just like they do now and these figures are public and verifiable. All you need is an adding machine.
[/quote]
Convincing me that E-voting on a network is “safe” wont work–it is simply beyond my comprehension. One teenaged hacker with a laptop sitting in an igloo at the North Pole could publicly claim that he had broken into the system and changed everything.
It’s a reasonable claim–And I would have NO way to disprove it.Millions of hackers are out there, and I see them every day in my email box, when my anti-virus warning pops up.
[/quote]
They could claim the same thing now. Did you count the votes yourself?
Um, no. Right now there are observers at every level who verify that there is no fraud. Observers from the government and from the parties who are running. You can do exactly the same thing electronically. You do not count the votes personally, you rely on those observers to do it and you trust them. If they all agree the system was safe and the result was fair then you trust them. Electronically it would be the same. You do not need to understand one sytem or the other.
Well you are obviously one of those people who find comfort in a slip of paper and you will probably get it. But the statement the bank sends you is for your information and means close to nothing. Many people, including myself, have told their banks they would rather do everything online and please save the paper.
This just shows that you do not understand the concepts involved. Which is fine and normal. When everybody around you says it is safe you will accept it. It is normal for people to reject what is new and they don’t understand. It is normal for them to accept what is commonplace and they still can’t understand. Electronic voting will become commonplace in the not too distant future.
If you send your vote by mail, how can you be so sure it was counted correctly other than trusting the USPS and a whole bunch of other people? It is much easier to commit fraud there than with a well designed electronic system.
Actually, I’d like to see a separate thread with an informed debate about electronic voting schemes. A politics-free one, please! In particular, I’d like to learn more about the current proposed vendor schemes; it’s my understanding that all of them are closed-architecture systems, which is one of the alarm points – is that correct? And if we go to open-systems stuff, how would that affect security? The systems sailor talks about, which are indeed used for things much more important than the piddling question of who occupies the White House, are mostly closed and rely at least in part on security by obscurity. Another thing they have is that both sides of a transaction can match their records before or after a transaction is complete – I get a bank statment telling my how many times and how hard I hit the ATM and I’ve got a full-time employee who does nothing but reconcile what goes in and out of the accounts for which I’m responsible, for example. And there’s a certain trust level – If I tell my bank they’re nuts and delivered the wrong money or securities, the transaction is held in abayance until everyone matches up records and works things out. How, precisely, would an audit trail system work when the anonymity of each individual voter (or if not his anonymity, his choices) is an important part of the system?
I ask this and request a separate thread because (hold on tight, you won’t see this too often!) I haven’t the faintest idea of the answers to any of this stuff. So if you guys and others can do a separate thread without the DIEBOLD IS A REPUBLICAN WTFOMG11111!!! stuff that normally infects them I’d be grateful and perhaps some ignorance might be eradicated.
We are mostly in agreement, at least in all fundamental ways, so I only wish to quibble a few comments to the bolded portions.
First, I would argue that the paper receipts have more value than just to make people “feel-good”. However, I would also argue that the value of making people “feel-good” is more than sufficient to justify their use. As I mentioned earlier, having the electorate trust the process is critical (a point I think you agree with).
To your point, I would also agree that there are other ways of providing the addtional security value of a paper receipt without using a paper receipt, but instead using technology. I just don’t think implementing such technology now is cost effective.
To the “What will the paper say?” question, I tend to like the recommendation of David Chaum. The biggest concern over paper receipts that are “human readable” and reflect the votes that you just made is that it could enable voter fraud by allowing people to buy votes. I agree that that concern is valid. The receipt could easily reflect the same information in an encrypted manner, such that it could be validated electronically, but only by election officials. For example,
[techno speak]
Each voting machine could have a digital certificate with RSA keys, and be used to secure a precinct-level private key. The voting results, along with a voting record index number, could be encrypted with the precinct-level private key, and then “signed” (encrypted hash) with the machine digital cert. The precinct-level public keys could be kept private until voting results are certified. However, those keys could be used to validate voter receipts in the meantime.
[/techno speak]
Yes, that is an alarm point. There is near consensus among security experts that “proprietary security” is an oxy-moron. And it is a fallacy to assert that no open system can be secure. Most security experts would assert that “security by obscurity” is false security (at least in the general case - there are exceptions, it really depends on the threat you are attempting to protect against).
I’d be happy to participate in the thread you propose, however, I am not the best person address the specific electronic voting systems on the market. It is not really an area that I am stongly versed (which is part of the reason I rely on experts that I trust). And while I may often come off quite partisan, I’m pretty sure I could participate in such a thread without resorting to any partisan screeches.
The Florida Legislature does what it wants with impunity. By and large, its members run without any real opposition, and the term limits we imposed 10 years ago have made things worse – they inspired the House and Senate to redraw districts like never before to ensure that their successors would also be of the same party. Our legislative process is for sale to the highest-bidding lobbyist, and it will be so for the foreseeable future.
In the past couple of years, our Legislature has done the following:
[ul][li]Passed a bill that allows the largest phone rate increases in state history over vocal, statewide opposition. The bill as written allows the local telcos to raise prices by 20% annually with no review. This will allow increased competition, and lower our rates overall, is the claim that the Legislature has made. Addendum: When the House finally realized that we wouldn’t take this, they floated a potential review of this bill, post-passage. Our governor (Jeb! Bush) shot that down.[/li][li]Refused to implement a constitutional amendment requiring smaller class sizes, citing limited funds. This is at the same time that we are embarking on a school voucher program of unprecedented size. The state has begun allowing corporations to skip paying up to $100m of their income tax by paying it straight into the voucher program, which is run with only minimal supervision and no standards for schools that participate.[/li][li]Refused to implement a constitutional amendment requiring the development of high-speed rail linking Tampa, Orlando, Miami, and Jacksonville.[/li][li]Refused to consider the enactment of a services tax on top of our sales tax. We have no personal income taxes here, so our state funds come almost solely from sales taxes. Implementing the services tax would more than double the funds available to our state, clearing the way to implement the two previously mentioned amendments. The odd thing about this tax is that most of the tax watchdog groups were for it. [/li][li]Floated (still in committee, but sure to be passed) a bill that would make it more difficult for the citizens to enact an amendment to our Constitution. The bill would require the citizens’ group that is sponsoring the initiative identify on the ballot where the funding for the initiative would come from. The Legislature’s initiatives for new programs are conspicuously exempt from this requirement.[/li][li]Floated (still in committee, but sure to be passed) a bill that would require citizen initiatives pass with a 67% majority in order to be approved. Similar to the above bill, the Legislature’s actions still require only 50% + 1 vote to pass.[/ul][/li]
So at this point, nothing that our Legislature does surprises me; moreover, our governor is on record as supporting all of the actions that I mentioned above. I assume that a lobbyist for Diebold wrote the bill to which rjung refers and it will probably be passed and signed without significant changes to it. Statewide, voters are screaming about all of these things (and more – there are more), but the districts as drawn virtually guarantee this will carry on for a very long time.