TCS Daily


Voting Early and Often

By Glenn Harlan Reynolds - September 19, 2006 12:00 AM

Can I call 'em, or can I call 'em? Nearly four years ago, I predicted charges of electoral fraud before the polls had even opened in the 2002 elections. I was right, and such charges have only grown louder in recent elections.

It's easy to dismiss this as the grousing of losers, for the good reason that that's pretty much what it is. But although it's easy, fun -- and basically the right thing to do -- to heap scorn on the purveyors of silly conspiracy theories, we shouldn't stop there. One of the great risks of the modern world is that when a cause is propounded by loudmouthed fools, we tend to dismiss the cause as well as the fools.

But in fact, there are lots of reasons to worry about ballot security. Computers are inherently insecure, and electronic voting machines are basically computers. As this report illustrates (complete with video), Princeton researchers were able to hack a Diebold voting machine in short order. And get this summary of how it turned out:

"1. Malicious software running on a single voting machine can steal votes with little if any risk of detection. The malicious software can modify all of the records, audit logs, and counters kept by the voting machine, so that even careful forensic examination of these records will find nothing amiss. We have constructed demonstration software that carries out this vote-stealing attack.

"2. Anyone who has physical access to a voting machine, or to a memory card that will later be inserted into a machine, can install said malicious software using a simple method that takes as little as one minute. In practice, poll workers and others often have unsupervised access to the machines.

"3. AccuVote-TS machines are susceptible to voting-machine viruses — computer viruses that can spread malicious software automatically and invisibly from machine to machine during normal pre- and post-election activity. We have constructed a demonstration virus that spreads in this way, installing our demonstration vote-stealing program on every machine it infects.

"4. While some of these problems can be eliminated by improving Diebold's software, others cannot be remedied without replacing the machines' hardware. Changes to election procedures would also be required to ensure security."

And though Diebold gets the most bad press, all electronic voting machines of this type are vulnerable. So the problem is real, even though it's often shouted about by nutty conspiracy-theorist types. And a voting system needs to be secure enough not just for ordinary purposes, but secure enough that reasonable people, at least, won't have serious doubts about its integrity. Our current voting system doesn't pass that test. As a recent article in the Washington Post noted:

"What is clear is that a national effort to improve election procedures six years ago -- after the presidential election ended with ambiguous ballots and allegations of miscounted votes and partisan favoritism in Florida -- has failed to restore broad public confidence that the system is fair."

And as the abstract above notes, to fix this problem we need not only changes to hardware, but to voting procedures.

On the hardware front, I think that it's important that the hardware not only be secure, but also that it be secure in an understandable way. A system using biometrics and fancy encryption -- even if it's truly secure -- is a "black box" to most voters. They can't understand its workings, and must thus take the word of, well, somebody. That's not trust-inspiring, meaning that even if the underlying system actually is trustworthy, it won't be trusted as it should.

It's for this reason that I've previously recommended paper ballots -- they're pretty secure, especially compared to electronic voting machines, and their workings are easily understandable. Paper ballots aren't the only way to achieve this end, but they're certainly a good one, and any alternative method needs to share these characteristics. If, as some argue, people are too dumb to use punch-card voting, then we can use touch-screen machines that punch a card for the voter and then spit it out, so that the voter can inspect it before depositing it in a ballot box. The key is to have a human-readable output that's what's actually counted. And that output should be at least as hard to alter as a paper ballot, and any alteration should be at least as obvious as it would be on a paper ballot. This may cost a bit more, but it's a small price to pay for something that's at the core of our political system.

But moving beyond the hardware, we also need to look at voting procedures. Machine fraud, after all, is only one form of voting fraud. That means we need to work harder at ensuring that voters are actually eligible to vote, and that they don't vote more than once. This means stricter identification processes at polling places, cleaner voter-registration lists, and techniques of the sort used in other countries (finger-inking, for example) to ensure that people don't cast multiple votes.

There has been considerable resistance to these techniques -- interestingly, often from the same people who don't trust voting machines -- but that resistance doesn't seem to have much actual basis. (The notion that minority voters might be intimidated by anti-fraud procedures seems implausible to me, as well as a bit condescending. It's just as plausible that people would be more willing to vote if they had more faith in the outcome's honesty.) At any rate, in a world where I have to show photo ID to buy a beer, requiring something similar for voting doesn't appear to be asking too much.

It seems to me that if people are serious we ought to be able to reach a good compromise -- more reliable voting hardware, along with more reliable voting procedures. If people aren't willing to make that deal, then I think we should conclude that they aren't really worried about fraud.

Glenn Harlan Reynolds is a TCS Daily contributing editor.


43 Comments

Individually verifiable results
Here's what we really need, whether the ballot is paper, electronic, telepathic, or just plain random... We need a way that for each race in each election, an individual voter can verify that his vote was counted in the result he intended and not counted in the result he did not intend. Upper division math offers a way.

For each race, assign each voter a unique prime number, perhaps randomized so that the votes of particular people can't be ascertained without having the mapping of people and primes for the race. When the voter votes, print a receipt of their vote (i.e. "Yes" or "No", "Bush" or "Gore") along with their prime for that race. When publishing results, publish the product of all primes cast for each choice.

Now, if we draw from the first 1 billion primes, each individual voter can use their prime to ensure it was counted in the right count and even verify the vote count. While prime factorization is a tough problem for really large numbers, it's fast enough for personal verification if we know that only the first billion primes are involved! If you had a receipt that showed your vote went into the wrong count, then you can raise a fuss. And we push the voter fraud problem to the ability to produce "tamper-proof" receipts.

I'd be more than happy to be the next elections czar. TYVM.
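
The scheme this comment proposes, worked through as an added Python example (not the commenter's code): each voter's prime is multiplied into the published product for their choice, and a receipt is checked by divisibility. The voter names, the seed and the tampered tally are constructed; the last check shows the secrecy objection raised elsewhere in the thread, that whoever holds the voter-to-prime mapping can read every vote.

```python
import random
from math import prod

def first_primes(n):
    """First n primes by trial division; fine for a toy electorate."""
    primes, cand = [], 2
    while len(primes) < n:
        if all(cand % p for p in primes if p * p <= cand):
            primes.append(cand)
        cand += 1
    return primes

def assign_primes(voters, rng):
    """Give each voter a distinct prime in random order (the secret mapping)."""
    pool = first_primes(len(voters))
    rng.shuffle(pool)
    return dict(zip(voters, pool))

def publish(ballots):
    """ballots: list of (prime, choice). Returns {choice: product of its primes}."""
    choices = sorted({c for _, c in ballots})
    return {c: prod(p for p, ch in ballots if ch == c) for c in choices}

def verify_receipt(prime, choice, published):
    """True only if the prime divides the product for `choice` and no other."""
    return all((total % prime == 0) == (c == choice)
               for c, total in published.items())

def count_votes(total, pool):
    """Recover a choice's vote count: how many pool primes divide its product."""
    return sum(1 for p in pool if total % p == 0)

def readable_with_mapping(mapping, published):
    """Secrecy check: whoever holds voter->prime can read every vote."""
    return {voter: next((c for c, t in published.items() if t % p == 0), None)
            for voter, p in mapping.items()}

# Constructed sample election (not real data).
VOTERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
CHOICES = {"alice": "Yes", "bob": "No", "carol": "Yes",
           "dave": "No", "erin": "No", "frank": "Yes"}

def run_demo(seed=2006):
    mapping = assign_primes(VOTERS, random.Random(seed))
    ballots = [(mapping[v], CHOICES[v]) for v in VOTERS]
    honest = publish(ballots)
    # Tampered tally: bob's "No" is counted as "Yes" instead.
    moved = [(p, "Yes" if p == mapping["bob"] else c) for p, c in ballots]
    tampered = publish(moved)
    pool = sorted(mapping.values())
    return {
        "honest_ok": all(verify_receipt(mapping[v], CHOICES[v], honest)
                         for v in VOTERS),
        "bob_detects": not verify_receipt(mapping["bob"], "No", tampered),
        "others_pass": all(verify_receipt(mapping[v], CHOICES[v], tampered)
                           for v in VOTERS if v != "bob"),
        "honest_counts": {c: count_votes(t, pool) for c, t in honest.items()},
        "tampered_counts": {c: count_votes(t, pool) for c, t in tampered.items()},
        "secrecy_lost": readable_with_mapping(mapping, honest) == CHOICES,
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Only the voter whose prime was moved sees a failed check; every other receipt still verifies against the tampered products.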

How about Saturday?
I know a lot of people work on Saturday, but more work on Monday thru Friday. How about we vote on Saturday?

The problem is purely in the procedure
Local and state governments need to be tied together in a coherent way for identity. Government records relating to a person's death should automatically trigger code in another system that manages voter ID to add the person's unique identifying information to a "Voter Revocation List" which is analogous to a "Certificate Revocation List" used in encryption to keep track of a list of encryption certificates that have been declared invalid. Then, a third system could be in place that would immediately alert law enforcement if anyone on VRL tries to vote.

Everybody's doing it
We've got a case here in Wisconsin where a Pol running for office for state government is being investigated for voting twice in the 2000 election. There seems to be irrefutable proof that he registered and then voted in Wisconsin using his ex-wife's address, then drove to Chicago and voted there using his old address.

And I don't know about "bought" votes, but the last time I voted in ChiTown in 1996, the stub from my punch card ballot was good for a beer at the local pol's favorite bar.

Purple Fingers
If it is good enough for Iraq, why not the USA?

Instant Background Checks for Voters (Waiting Period in Some States)
Machine fraud, after all, is only one form of voting fraud. That means we need to work harder at ensuring that voters are actually eligible to vote, and that they don't vote more than once. This means stricter identification processes at polling places, cleaner voter-registration lists, and techniques of the sort used in other countries (finger-inking, for example) to ensure that people don't cast multiple votes. There has been considerable resistance to these techniques.

I've said it many times before, and I'll say it again:

Make the requirements to vote the same as to own a gun.

Simply go to the polling place, fill out a Form 4473, show your ID, and the poll worker will check with the FBI database to make sure that you're not prohibited from voting. If everything is working correctly, you will be allowed to vote in a few minutes.

If the GCA/Brady system doesn't violate the rights of gun owners, then what possible objection could there be to implementing the same system for voting?

-RR

primes
I don't think we have found 1 million primes yet, much less a billion.
The highest primes found so far are hundreds of digits long.

problems with verifiable output that can be removed from the voting place
In the past, people would pay for votes. But they would demand that the voter bring back their receipt to prove that they had voted for the candidate they were paid to vote for.

With the present system, the vote buyer has to take the voters word for it.

What about a 2 day voting period?
Say, Friday and Saturday. If you cut down the number of voting places, you wouldn't need twice as many poll workers.

Another scheme would be a 24 hour voting period. All polls in the nation open and close at the same time. That way you eliminate the problem of people on the west coast.
In Hawaii, as often as not, the presidential race has been announced and the loser conceded, before you even get off work.

quid pro quo
I'm pretty sure that as long as there is no agreement to vote for a particular candidate in exchange for money (or a beer), that there is no problem with the law.

I'd love to see a voter ID card, with unique numbers
Tie all voting systems together, and if that particular number tries to vote twice in a single election, it's instantly into the hoosegow for him.

Preferably the ID would have a picture on it, or some other form of biometrics, so that only the person named could use it.

I've heard a number of people declare that some, especially minorities are "intimidated" by such a system. This is a claim that makes no sense to me. They already have a book with your name in it, and they cross off your name when you get your ballot. So the claim that "the man" will know if you voted is irrelevant. They already do, and nobody is complaining about the current system.
There's no way to know how you voted, either with the current system, or with any proposed ID system.

In my opinion, the only reason to object to an ID based system, is that it makes cheating harder.

you will always have the fraudulent among you
electronic voting is the future, it's gonna come and there's nothing we can do about it except make it as safe as possible. i'm no techie but i'm sure there are people who can figure out ways to make things more secure.

seems to me the main problem is the potential for fraud that is much larger and much harder to detect than with other voting methods. but the idea that electronic voting is somehow inherently fraudulent is mostly conspiracy stuff spread by lefty luddites. anyway, paper ballots are perfectly fraud-free, right?...just ask tammany hall, mayor daley, mayor rizzo, lbj, etc. election fraud is as old as elections themselves...it only became a cause celebre when a republican won a disputed election instead of a democrat.

and not to change the subject or be politically incorrect (ok, maybe just a little), but elections in this country will always be suspect as long as the troops on the ground administering the voting process are senile octogenarians who can't even find my name in 18-point boldface type on a list. they are gonna be expected to debug electronic voting machines when they couldn't even successfully feed my 2004 badnarik ballot into the ballot box?

Good God!
PAPER BALLOTS!!! How do you think Lyndon Johnson kept getting elected in Texas? By rigging paper ballots! And Huey Long and his cronies in Louisiana? By rigging paper ballots!

SOMEBODY can always get behind electronic systems --- but they're easier to trace. Tell me about LBJ's first senate race and Ballot Box 13!!!

New Amendment
Everyone must vote.

Should be pretty easy to spot the false votes.

Until people are prosecuted for voter fraud, it will continue. And since both parties participate, neither will push it.

LOL
I hear ya, muscleman. My first experience in "poll watching" was just surreal.

Nearly all the functionaries were Medicare qualified. I was told by party headquarters that while I had a legal right to observe the proceedings, I must reveal who and what I was about.

So I approached these sweet, bespectacled little old ladies as they set up their voter reg. books (and lunches, snacks, knitting, and crossword puzzles) and told them exactly what I was there for.

Apparently, they only caught the word, "observing" and from then on until the close of the polls, I was the go-to-gal and all powerful seer of seers in the polling process.

I literally gave a thumbs up or down on every question (or on the tough calls... "Hmmm, downtown needs to address this; better give 'em a call").

Empress of Elections! What a fun day! I had the power and it was great! I was a wise ruler and being fairly well-informed about the rules, it wasn't all that difficult to be fair. (after all, I am a Republican ;)

But the whole thing backfired as I was subsequently enlisted to repeat this for several more elections. I did feel guilty, truth be told, but the wonderful look of welcome on the faces of these happy old pollers (Good! The Chief is here!!) made it too hard to come clean.

I'll never say where this happened except to reveal what is too ironic to count as irony... Florida!

INTERNET VOTING
I bank on-line. Thousands of dollars move in and out of my checking and savings accounts every month.

My state accepts on-line payments for my DMV registration fees. I file my state and federal income tax via the internet. Tax refunds are deposited to my checking account via the internet. My Army retirement and Social Security checks are deposited to my checking account via the internet.

I invest via the internet.

The list goes on and on.

So, why can't we vote via the internet?

Time for a math refresher course...
Ugh. You don't need a one million digit prime. You just need the millionth prime (which is 15485863).

LOL.
Right, the current [censored]ed up system ensures that there is not market for selling votes. That is like saying if the government banned the private possession of gold, it would keep women from sleeping with men in exchange for jewelry.

time for a reading refresher
I never said anything about a million digit prime.

More reading refresher
I never said that the current system made selling of votes impossible.
I said it made the confirming that the bought off voter actually voted the way you told him to impossible.

ah
yes indeed and some women would need a Brinks truck.
Tying a voter to a ballot in any form defeats the purpose of having secret ballots.
While the receipt would ensure a sense of integrity in the system, it would also instill a sense of vulnerability in the voter.
Parsing ballots between linked lists is only private if the linked list is deleted.
Then someone could simply switch receipts or forge receipts.
The answer to infection of the machines would be to hermetically seal them.
You then abstract the link between the online system and the machine.
An off-the-cuff example would be to upload the results through a banking machine.
OR
transport the machines to a central location and upload them securely.

The machine would not need a sophisticated operating system.
It could be simple enough to download lock-stock-and-barrel just prior to the actual vote. You could then use the great idea of primes for the machines themselves.
That way the receipt would be the same for every voter.
Vote attached to CPU ID.

you wouldn't need a monitor and an Ipod could handle the job.
No clock in the machine.
lock up the Ipods and seal the box - before and after.
require the user to press the key three times.

Don't be silly
Purple fingers would make it take longer for the Democrats who vote for dead people to get in line again to vote again.

They wouldn't let it happen unless they had a monopoly on ink remover lotion, since their philosophy of moral equivalence makes them think the Republicans are as dishonest as themselves.

Ballot Box 13
Just because the last 200 voters who placed their ballots into Ballot Box 13 did it in alphabetical order doesn't really mean that someone went down the list of voters who hadn't yet voted and voted for them.

Just because people rose from the dead to vote for LBJ and then returned to their graves without disturbing the dirt doesn't mean fraud occurred. Who says Democrats aren't people of faith?

Optical scan voting
The simplest, most reliable system I can think of is the optical scan method, similar to the way standardised tests are graded. You fill in a box next to the candidate's name and an optical scanner counts the votes. It's low cost, as simple to do as a paper ballot, and is quickly and accurately counted.

For some reason, federal and state governments have been very big on electronic voting, despite the abominable expense and the numerous software glitches that were immediately reported. Many districts were shut down last time around, as electronic machines went down. The solution being touted now is to have a backup system-- of paper ballots!

One can't help but wonder why (I believe) four billion dollars in federal money has gone to the states to encourage them to go over to the new system. Do the legislators have a financial interest in companies like Diebold?

For an inexpensive, virtually foolproof system, I recommend the optical scan method.

It is in the process
I have a blog post here http://www.codemonkeyramblings.com/2006/09/voter_fraud_is_in_the_process.php that goes into some more detail on some of the things that he missed out on.

Re: INTERNET VOTING
If you can't be bothered to get off your pustulant backside and waddle off down to the polling station to personally put pen to paper, I'm not sure you really deserve a vote.

Err, all IMO, of course.

Re: you will always have the fraudulent...
"electronic voting is the future"
- Why?

"i'm no techie but i'm sure there are people who can figure out ways to make things more secure"
- That's the problem. Paper and pen is understood by everyone and the best practices are universally known.

"seems to me the main problem is the potential for fraud that is much larger and much harder to detect than with other voting methods"
- Bang on the nail. Minimal risk of fraud and abuse is a prerequisite of any voting system. People *must, must, must* always be convinced that a vote is free, fair and free of fraud before anything else.

"the idea that electronic voting is somehow inherently fraudulent is mostly conspiracy stuff spread by lefty luddites"
- No it isn't, it's been proven in study after study, especially involving a certain company that also gives shedloads of cash to one particular political party (in the US) above all others, and which prefers to keep the source code that runs its machines secret - so how can you be sure that those machines are free from fraud?

"anyway, paper ballots are perfectly fraud-free, right?"
- Anything and everything is open to fraud and abuse - the key is to minimise and marginalise it. The last two presidential elections in the US suggests that there's some work to be done on election processes across the country. Voting machines will only make fraud *less* easy to spot, which is why certain people like them.

"elections in this country will always be suspect as long as the troops on the ground administering the voting process are senile octogenarians who can't even find my name in 18-point boldface type on a list."
- As long as they are honest, that shouldn't be such a problem.

All IMO.

how do you ensure that the person holding the ID, is the one voting with internet voting?
...

Optical Scan Not Foolproof.
Have you ever seen the directions for optical scan forms?

Use a no. 2 pencil, stay in the lines, don't erase, but if you do, do so thoroughly without damaging form... yadda yadda yadda.

Far from foolproof, which is part of the reason professional exams such as the Uniform CPA exam are being migrated to electronics stuff. Theoretically, if you're smart enough to take such a test, you're smarter than average.

Now just wait until those idiots in Florida who were so perplexed by punch cards are told to fill in the tiny ovals on a scan form. They'd be apoplectic and screaming about "disenfranchisement" when somebody told them they couldn't use a crayon...

Florida voters
I might add that the only voters who had problems with voting were the Democratic ones. The Republicans apparently had no problems. Al Gore backs me up on that claim.

More on Internet Voting
I'm sure software can be written to make voting as safe as internet banking. How can you make sure of anything? No system is 100% safe. How can one make sure who voted and mailed absentee ballots or, even if they were counted? I wonder if more people would vote if they could do it on the internet?

Pustulant Backside?
You spying on me? How'd you know I have boils on my backside?

I have voted in nearly all elections for 44 years. However, I'm unhappy about how few of us vote. I like the idea of 48 hours to vote on a Friday and Saturday, but that would take an amendment to the Constitution. Besides, I think many people like the idea of getting out of work for an hour or two as some employers allow. I bet many people would not vote if it meant "giving up" part of their weekend.

safety
Nothing is 100% safe, however, that is not an excuse to add avoidable risk.

Bank cards are stolen all the time and used at ATMs.
One difference is that I lose when someone steals my bank card and uses it fraudulently.

When someone pays me to let him use my voter card, I win.

Motivations are completely different in your analogy.

Verifiable Option
I'm not sure about the prime number thing, however we could at least make verifiable votes an option for voters who are no longer confident in the integrity of the system.

I also don't understand why something as important as a ballot box is so easy to break into...

Even if physical access is easy, there are numerous products like controlled serial numbered tamper tape which could be used to guarantee that no one has had unauthorized access to hardware and encryption techniques which could ensure that unauthorized access to software was also virtually impossible.

Force Voting Machines through an NSA certification process.
- That's the problem. Paper and pen is understood by everyone and the best practices are universally known.

It's also cumbersome and very expensive & time consuming to perform recounts.

- No it isn't, it's been proven in study after study, especially involving a certain company that also gives shedloads of cash to one particular political party (in the US) above all others, and which prefers to keep the source code that runs its machines secret - so how can you be sure that those machines are free from fraud?

Put NSA in charge of assuring the security of voting machines. If NSA doesn't certify it as being secure, then it can't be used.



Whatever
Mark, stick to politics, stay away from math. You said that you didn't think we'd found a million primes yet, much less a billion. Your PC could find the first million primes (in order) in less than a minute. I supplied the millionth prime for you, which is a pretty small number. Primes are quite dense in the space of integers. Finding the first billion by brute force isn't rocket science and doesn't require a Cray or even a day. So your particular criticism about the feasibility of the system I outlined is baseless.

Easy
Take a lesson from the porn industry. Charge their credit card. (Kidding)

Florida Voting
State Database so that you can't vote in 2 places in Florida and so that felons can be scrubbed from rolls wherever they committed the crime. New voting cards were issued by each SOE.
Each supervisor of elections picks and checks the machines, overseen by state. Our county does not use Diebolds.
8-10 day voting period prior to elections, including 2 weekends, mandated by the legislature. You may vote in any of a number of locations in the run up to election day.



Absentee ballots are available for all elections, no reason required. These are paper ballots, optical scan. Issued absentee ballots are numbered and the number recorded, so you can check online to see if your ballot was received and counted. The numbers are scanned and torn off before the vote is counted, so that the secrecy of the ballot is maintained.


Picture ID is required at the polling place; if not submitted, the voter is allowed to vote provisionally and the ballot is reviewed before being counted.


Procedures in the polling places use audit procedures. Machines are read before the vote and the Clerk for the precinct and two poll workers (one from each party - I am the token Republican in the polling place I usually work in) must sign the tape. It must be posted on the door of the polling place where the public can see it. At the end of election day, every machine produces a paper tape which is compared at SOE HQ with the totals sent by wireless (the tape is official). Pollworkers count the number of voters from the books and from the tickets given out, the number of spoiled ballots, etc. and cross check for differences.
I suppose the machines are hackable, but the results are posted, precinct by precinct online, along with registered voters by party. A statistical analysis would certainly show up results unsupported by numbers.
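
The cross-checks described in this comment, as an added Python example (not the county's software): the opening tape, the official closing tape against the wireless totals, and the counts from the books, tickets and spoiled ballots. The field names, the `ballots_issued` count, the rule that the opening tape should read zero, and the sample precincts are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class PrecinctReturn:
    name: str
    opening_tape: dict     # per-candidate counters read before polls open
    closing_tape: dict     # per-candidate totals on the official paper tape
    wireless: dict         # per-candidate totals received at SOE HQ
    book_signatures: int   # voters counted from the precinct books
    tickets_issued: int    # voter tickets handed out
    ballots_issued: int    # ballots handed out, replacements included (assumed)
    spoiled: int           # spoiled ballots returned

def reconcile(p):
    """Return a list of discrepancies for one precinct; empty means it balances."""
    findings = []
    if any(p.opening_tape.values()):
        findings.append("opening tape is not zero")
    for cand in sorted(set(p.closing_tape) | set(p.wireless)):
        tape, sent = p.closing_tape.get(cand, 0), p.wireless.get(cand, 0)
        if tape != sent:  # the paper tape is the official figure
            findings.append(f"{cand}: tape {tape} vs wireless {sent}")
    if p.book_signatures != p.tickets_issued:
        findings.append(f"books {p.book_signatures} vs tickets {p.tickets_issued}")
    if p.ballots_issued - p.spoiled != p.tickets_issued:
        findings.append("ballots issued minus spoiled does not match tickets")
    # Undervotes make fewer votes than voters normal; more votes is not.
    if sum(p.closing_tape.values()) > p.tickets_issued:
        findings.append("tape records more votes than voters")
    return findings

# Constructed sample returns (not real precinct data).
ZERO = {"A": 0, "B": 0}
CLEAN = PrecinctReturn("P1", ZERO, {"A": 210, "B": 185}, {"A": 210, "B": 185},
                       400, 400, 406, 6)
ALTERED_IN_TRANSIT = PrecinctReturn("P2", ZERO, {"A": 210, "B": 185},
                                    {"A": 230, "B": 165}, 400, 400, 406, 6)
EXTRA_VOTES = PrecinctReturn("P3", ZERO, {"A": 260, "B": 185},
                             {"A": 260, "B": 185}, 400, 400, 406, 6)

if __name__ == "__main__":
    for precinct in (CLEAN, ALTERED_IN_TRANSIT, EXTRA_VOTES):
        print(precinct.name, reconcile(precinct) or "balances")
```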

Why do you think your vote matters?
Just remember Mark Twain's immortal words ...

"If voting really mattered, they wouldn’t let you do it!"

Politicians want to stay in power -- The USA has a lower Congressional turnover rate than the ruling council of the old USSR. --

They can stay in power only if they keep the voters stupid because stupid voters are easier to fool. That is why the public school system is in such sad condition and the television offers 3rd grade humor and instant crime solving dramas.

It scares me when more people can name the 3 stooges than can name the 3 branches of Government.

First, we eliminate the fools
Actually a pencil and paper is not totally foolproof. I'm sure there are some people who don't know how to form an "x". But do we really want these people's votes to count? Optical scan's about as foolproof as methods can get. You'd know if you tried it.

For one thing they don't rely on your having a pencil in your pocket (hardly anyone does any more). They have a convenient marker chained to the booth. And what you fill in is the space between two parallel lines. It's not very hard to do that.

If you mess up your ballot you just return it to the monitor, who will give you a new ballot. So there aren't many spoiled votes. It stacks up very well against all the other methods-- where e-voting is by all accounts the most glitch-prone and the easiest for hackers to crack. See this analysis:

http://www.nyvv.org/doc/CostComparisons.pdf

Dingy Harry says that requiring photo ID's to vote, is a form of poll tax.
Considering that photo ID's are required for just about everything these days, very few don't have them. For those that don't, you can get them at the DMV for at most a few dollars.
In GA's bill, the one that the courts recently tossed out because showing an ID would prevent people otherwise qualified from voting, the state offered to waive even that fee, if the person was willing to certify that paying it would create a financial hardship.

Let's face it, if voter fraud were ever eliminated, half the Democrats now in office would lose in the next election.

there go the last of the Democrats.
...
