Buzz about ITIF’s eVoting report

[Update 9/20/07: I have read the report and review it here: summary and points-by-point]

I just got an interesting comment from Daniel Castro, the author of an Information Technology & Innovation Foundation (ITIF) report on electronic voting. Castro’s comment:

I just wanted to make sure you were aware of the report we just released on electronic voting. We discuss the limitation of paper audit trails, alternative technologies (to paper) that can be used for audit trails, and suggest that we should focus the national discussion not on whether or not we should have paper trails, but rather on how to implement universally verifiable (or end-to-end verifiable) voting systems.

From the report’s teaser:

Americans trust computers to run critical applications in fields such as banking, medicine, and aviation, but a growing technophobic movement believes that no computer can be trusted for electronic voting. Members of this movement claim that in order to have secure elections, Americans must revert to paper ballots. Such claims are not only incorrect but attack the very foundation of our digital society, which is based on the knowledge that information can be reasonably secured. Clearly, no system with a human element—including electronic and non-electronic voting machines—is error-proof, and specific versions of certain voting machines have security weaknesses. Neither of these facts, however, should be taken as a universal indictment of e-voting.

Congress is now considering legislation that would mandate that all DRE voting machines have voter-verified paper audit trails, and many states will vote on similar legislation this year. We believe it is time for the debate on e-voting technology to move beyond a discussion of paper audit trails. To restore voter confidence and promote secure election technology in the United States by ensuring that states can continue to improve their voting systems, we recommend the following:
* Congress and the states should allow the use of fully electronic ballots, not restrict electronic voting systems to those that create paper ballots.

* Congress and the states should require that future voting machines have verifiable audit trails, not require machines that create verifiable paper audit trails.

* Congress should provide funding for the U.S. Election Assistance Commission to issue grants for developing secure cryptographic voting protocols and for pilot testing of new voting technology.

I have not read the report yet but I plan to. The teaser has both appealing and off-putting aspects. I believe that the debate about electronic voting ought to be broader and have a place for other cryptographically secure voting systems. On the other hand, the evidence that I have seen suggests that electronic voting machines do not have a clear advantage over paper systems and are often more expensive, more error prone, and more fraud prone than paper systems (hand counted, optical scan, or punch-card).

ITIF’s report was pre-announced in a few forums I pay attention to and has had a relatively poor reception to its announcement. I hope to see better coverage of the actual report coming soon:

Many critics focus their analysis on whose pocket ITIF is in. This is less of a concern to me than what they have to say.

13 responses to “Buzz about ITIF’s eVoting report”

  1. I’m not surprised the “anti-tech” lobby didn’t like it. The report did not attempt to pussyfoot around this group, calling some of the solutions these groups are advocating a “19th century” solution to the problem. It was a little gruff, but you’ve gotta admit, it was bold.

    As for the “whose pocket” argument, it’s in the league of the global warming discussion: if you don’t agree we’re all going to die, whatever your scientific reasoning may be, you’re in the pocket of the oil companies. It’s trite, it’s unscientific, and it’s just a bad way to treat people.

  2. The strongest support for voter-verified paper audit trails has come from computer scientists.

    Ed Felten, professor of computer science at Princeton and director of the Center for Information Technology Policy, has a response up at Freedom to Tinker:

    http://www.freedom-to-tinker.com/?p=1202#comments

    The Task Force on Voting System Security of NYU’s Brennan Center for Justice has called strongly for voter-verified paper records:

    Click to access download_file_36340.pdf

    Read the profile document “About the Brennan Center Task Force” and decide if these are anti-tech folks:

    Click to access download_file_39281.pdf

  3. “The strongest support for voter-verified paper audit trails has come from computer scientists.”

    Sounds like you’ve been reading the blogs of a few prominent folks. This E2E stuff is pretty new, give us a chance to get established.

  4. It appears Ed Felten didn’t read the whole report. See here:

    Sample icerocket blog trends chart

  5. Every one of “the prominent folks” that I know of has conceded that computer science will likely be able to develop very good cryptographic verification -or E2E, as you refer to them- methods. VoteHere has been around for a while, and Rick cites it in his discussion of the ITIF report.

    The question is: even if you can design a technically excellent alternate verification system, how do citizens and election officials verify that this is what is running on their voting systems? Citizens, and party and candidate observers, can at least comprehend and conduct oversight of the chain of custody of paper ballots. When the only people who can truly verify the verification protocols are technical experts, then transparency is lost.

  6. “The question is: even if you can design a technically excellent alternate verification system, how do citizens and election officials verify that this is what is running on their voting systems? Citizens, and party and candidate observers, can at least comprehend and conduct oversight of the chain of custody of paper ballots. When the only people who can truly verify the verification protocols are technical experts, then transparency is lost.”

    This argument is specious as anyone who wants to learn can comprehend the systems and conduct their own oversight. “technical expert” is not a special club, and Punchscan in particular uses minimal cryptography (technically, you could carry out the protocol without any cryptography) — you could probably learn everything you needed to know to make your own auditor in a few days.

    There’s also an adversarial system of resources — if the democrats suspect foul play, they can pay someone they trust to build their own auditor (and vice-versa w/ libertarians, republicans, or greens). Not all people who can understand the system belong to one party.

    Observe that even today you still have this fundamental problem — somewhere along the line you have to trust someone to be an observer, and this is because you have to sleep, eat, and are incapable of being omnipresent.

    These systems actually provide far more transparency, because potentially anyone can perform a *stronger* form of oversight than what is typical.

  7. “Observe that even today you still have this fundamental problem — somewhere along the line you have to trust someone to be an observer, and this is because you have to sleep, eat, and are incapable of being omnipresent.”

    Yes, this is true. However, “observing” simple election process is direct. Delving into computer systems so complex that *nobody* understands them fully is indirect. You *assume* this or that, and, in particular, you assume that you know how the system is operating. Sure, it can be made difficult to defeat security on a system. However, is there any computer system in existence so secure that throwing a few tens of billions of dollars at the problem of bypassing the security could be guaranteed to fail?

    Paper ballots, whether generated by hand or created by a machine, that are voter-verified, can be watched every step of the way, from the moment the votes are legally cast until the boxes are opened. With some systems, the boxes aren’t opened at all, they are sequestered, until audit or court order. However, ballots are properly public record, and Florida, in particular, makes that explicit. Anyone can see ballots, if they are willing to pay the expenses associated with it. Election observers, properly, should be able to see them when ballot boxes are opened. And to photograph them. Photography of ballots, again, is explicitly lawful in Florida. If this were routine, if multiple election observers photographed ballots immediately, at the polls, prior to counting or sequestration, alteration or counting manipulation would be extraordinarily difficult, it being necessary to confine it to the period beginning with the voter marking the ballot, by whatever method, and ending with the opening of the ballot box.

    I’m with those who think we do not need sophisticated computer techniques to ensure the integrity of elections, and I find the idea that we can rely upon these techniques, *at this time*, to be naive. Computer voting was foisted on the public prematurely and with entirely the wrong technology.

    In a mature system, as I see it, we would have something like paper ballots, hand-marked, with computer-generated ballots printed for use by those with special needs. The ballots would be deposited in boxes closely watched by multiple observers, and, indeed, it’s been suggested that webcams be used to make even closer scrutiny possible, by a broader group. Then, when the polls close, the boxes would be opened, *the ballots would be serialized,* and then observers would be free to photograph them, all while being watched. In addition, the ballots would be scanned for official use.

    How would the counting be done? Actually, *it does not matter.* The public count could be done as cheaply as results in reasonable accuracy; the fact is that this could be done with practically zero technology cost, with equipment that is present in every office. A fax machine makes a quite adequate scanner, for example. Image analysis adequate to count votes is trivial, and public source software could handle it. But the existence of multiple public archives of ballot images would allow *anyone* to count the votes, using whatever technology, including human recognition, and to compare the counts *ballot by ballot* with those of others.

    So, please, tell me why we should rely upon complex computer security schemes? Why we should pretend that it is impossible to hack them? How in the world could we possibly know that? To defend against a government-level effort to compromise a system would take a super-government level security effort, I’d suggest on general principles. And that is not going to happen. We are not going to spend a hundred billion dollars to design a “safe voting system,” when we can do it practically for free.

  8. Abd ul-Rahman Lomax: You seem to fundamentally misunderstand the concepts behind these systems. It doesn’t matter how much money you throw at the problem — the billions or trillions it would take to break these systems would only let you associate a serial number w/ a plaintext vote, and not change it. No amount of malicious software or unknown flaws is able to change the outcome.

    These systems are better because voters and election observers can directly (from the comfort of their computer in their underwear) ensure that their ballots made it to the final tally without modification, and that once there they are decrypted faithfully.

    The systems support unconditional integrity, and the (exceptionally strong) cryptography is there to protect privacy. You get the equivalence of “voice vote” integrity and still maintain a secret ballot.

  9. Any machine in any election can be rigged by whoever controls the physical location of the machine. We are facing an ever closing window of time to save our Republic, and the main tool of the salvation is the Hand Counted Paper Ballot (HCPB).
    On the other hand, ITIF is just another front for those who make money through politicians selected by the machines, not the voters. The ITIF report is similar to the mountain of BS supporting the official 911 story, which is an obvious obfuscation. The report is another of myriad attempts to obscure the reality of our voting system, which is now run so that elections can be stolen.
    These people are scared to death of hand counted paper ballots, because their benefactors would be voted out of office.
    So they will do anything to keep the machines, recruiting the disabled, the computer nerds and the suckers to their cause.

  10. To Rick. The “specious” argument of lack of transparency is unfortunately true. You may have all the technical ability necessary, but to think you are going to have access to the code is incredible. In most places, one cannot even videotape the machine!
    Face it, someone who doesn’t want to ban every type of voting machine in favor of letting the voters count their own votes is against majority rule.

  11. Chris Bundy:

    Your comments demonstrate a lack of understanding of what an end-to-end verifiable system is. I recommend reading material from the PunchScan website (which incidentally does not involve any voting machines).

    The point of such systems is provable radical transparency. No access to source code is required for a voter to be sure that the election counted their vote. Many such systems do not involve a voting machine of any sort.

    One of the voting reform sites calls itself ‘black box voting’ to oppose voting machines that are ‘black boxes’ whose inner workings are not visible to voters and others. But it is important to realize that any public election is essentially a black box from the point of view of the voter. How, as a voter, am I to know that my vote was actually counted? How do I know that the people that control the elections do not cheat? How do I know that supposed independent observers are actually there and not paid off? Consider that 6 out of 11 post WWII US presidents had careers that were arguably heavily influenced by election fraud:
    http://www.rangevoting.org/PresFraud.html

    End-to-end verifiable systems offer a solution for this where the election system can prove that no fraud occurred.

    Re: “main tool of the salvation”. Your use of religious terminology could be interpreted as an indication of fanaticism. It does not serve your purpose well.

    Re: “Any machine in any election can be rigged by whoever controls the physical location of the machine.” True. But also true for paper ballots. The hazard with electronic voting is that new classes of fraud are enabled. Sometimes people refer to this as ‘wholesale’ fraud rather than ‘retail’ fraud. But fraud is possible with hand counted paper ballots and there is a long history of such fraud in the US! Hand counted paper ballots are not enough!

    We should support research and limited deployment of end-to-end verifiable voting systems and not legislate their use away.

  12. I’ll check this out in more depth this week. I’m sure your system would be good, but I think it would be nearly impossible to sell it, since most voters are becoming even more leary (Ha Ha) of machines. Besides, we have to sell it to the public and to stonewalling officials, we have to buy the technology, we have to install it, we have to train everyone how to use it, etc., and we are quickly running out of time.
    We can get the hand count situation going tons faster because it is so simple, requires only printing, some cheap ballot boxes and cardboard partitions to put on folding tables. And number 2 pencils.
    I’m sure I’m going to love your system, but I can envision getting 99% of it installed, with just a little chink in the Armor that the neo-cons can drive a truck through, then having three weeks left before the election.
    I like hand counts because it is simple, there is an army of people involved, all the tabulations are done right before your very eyes.

  13. I have some friends who are Computer Science instructors at a major university.

    They described this ITIF Report as a “steaming pile”.

    I prefer to see my vote on paper, thank you.
