I knew it couldn’t be that easy. The TGDC rejected NIST’s proposal (which I discussed on Friday) to decertify paperless e-voting machines after they couldn’t get the 8 votes they needed to approve it:
Committee member Brit Williams, a computer scientist who has conducted certification evaluations of Georgia’s paperless electronic voting system, opposed the measure. “You are talking about basically a reinstallation of the entire voting system hardware,” he said.
Mike Masnick points out how ridiculous this is:
Why yes. Yes we are. That’s because the entire voting system hardware is totally screwed up. So, to be more specific, we’re talking about stopping an e-voting program that has serious problems and has raised plenty of legitimate questions about just how fair and accurate our elections are. That seems like a perfectly valid reason that shouldn’t be tossed aside just because it’ll be a lot of work. We also thought that democracy itself was supposed to be hard work, but apparently some of those on the Technical Guidelines Committee disagree.
Ed Felten reports that the National Institute of Standards and Technology has released a draft of a report to the Technical Guidelines Development Committee recommending that the next iteration of its voting machine standards not permit the certification of paperless DREs. Given the speed at which the wheels of bureaucracy turn, it appears that would mean that no new paperless voting machines would be certified after the 2008 election. Existing DREs might be grandfathered in for the 2008 election and beyond.
This is great news. As Felten notes, the report recommends against certification of paperless DREs in clear and unambiguous language. It’s particularly important because if a recommendation like this is adopted by an official standards-setting agency of the federal government, it will be awfully hard for the Diebolds of the world to demonize the source, as they’ve done with previous critics.
This is odd. Apparently, the CIA has recently decided that access to its entire website will henceforth be encrypted using SSL–the encryption standard used by websites accepting your credit card number.
They say this ensures that no one is able to impersonate the CIA website, but that doesn’t make a whole lot of sense. I can’t imagine why anyone would want to impersonate the CIA’s public website. And if they did, SSL is only an effective deterrent if the user manually examines the site certificate, which doesn’t seem very likely.
The other claimed benefit is to prevent eavesdropping on (or tampering with) people’s browsing. But that doesn’t make sense either. An eavesdropper could still see the URLs being visited by a user. And since most of the site is publicly available, static content, encrypting it is kind of pointless. It’s certainly good to encrypt personal information submitted by users, but the site was already doing that before this announcement.
Technologically-challenged institutions have an unfortunate habit of judging security using bulleted lists. Throwing more encryption at something doesn’t make it more secure. You have to think about who your attacker is and what he’s likely to be after before you start looking for solutions. In this case, it’s not clear there’s any attacker at all. As far as I can see, no one is trying to spoof the CIA’s public website or eavesdrop on people visiting it. So adding SSL is a solution in search of a problem.
Mike Masnick notes that Venezuela is ahead of the United States when it comes to adopting voter-verified paper trails for their electronic voting machines. Several commenters objected that given the level of corruption in Venezuela’s government, this doesn’t really mean anything: corrupt government officials can mis-count paper voting records as easily as electronic ones.
I don’t know enough about Venezuelan politics to have a definite opinion on whether the election is likely to be rigged, but the general point is quite true. Voting security ultimately turns on human factors, not technological ones. If the people running your election system are systematically corrupt, your election results are going to be suspect no matter what technological safeguards you put in place. E-voting (with or without a voter-verified paper trail) can’t make dishonest officials follow the rules. It simply obfuscates the voting process, making it less likely that someone will spot foul play should it occur.
By far the biggest e-voting disaster this election was in Florida:
Florida law requires a recount in all five counties in the district. But all eyes are on Sarasota County, where touch-screen voting machines recorded that 18,382 people – 13 percent of voters in the Nov. 7 election – did not cast a vote for either Republican Vern Buchanan or Democrat Christine Jennings. That rate was much higher than other counties in the district.
As the votes were being counted late Monday, Jennings took the first steps toward appealing the election with an emergency petition asking a judge to have Sarasota’s voting equipment and data secured as evidence due to “alarming aberrations” in the county’s vote tallies. The campaign wants an independent audit of the county’s voting system.
“Maybe we are going to have to do a do-over. It may be the only solution if we cannot do an adequate recount,” Jennings’ attorney Jeffrey Liggio said.
The stark reality is that they can’t recount the output of e-voting machines. A recount involves individually inspecting each ballot and determining the voter’s intent. With e-voting, there are no ballots to inspect. The contents of the computers’ memory are all you get. You can “recount” that all you want, but it doesn’t provide any kind of independent verification of the result.
State officials Monday acknowledged problems with the lack of a paper trail.
“I do see some interesting things that are happening in regards to votes that seemed to have disappeared or people didn’t vote,” said Chief Financial Officer Tom Gallagher, a member of the state Election Canvassing Commission that ordered the recount. “You don’t know if they chose not to vote or whether they didn’t, and possibly a paper trail would show more clearly.”
Computer security experts like Avi Rubin have been saying this for years. Maybe their arguments will be more persuasive now that it’s no longer a hypothetical problem.
Techdirt points out an especially serious example of e-voting gone wrong:
In one of the stories we spotted yesterday about e-voting glitches, it was amusing to see (at the very, very bottom) the idea that “no major problems” were reported for e-voting in Florida. Florida and Ohio, of course, are the two places where e-voting stories have raised the most questions, and there had already been a number of reports of e-voting problems in Florida voting last week when their early polls opened. So, it looks like ABC may need to revise that “no major problems” report, as the EFF points us to a report saying that 13% of the electronic responses in Sarasota County included no vote for Congressional Representative. That means that somewhere between 8,000 to 10,000 people who voted for other things, like governor, appear to have not voted for House Representative–and no one seems to have a good explanation. It’s certainly possible that all those people decided to go “none of the above,” but it seems unlikely–especially since similar undervoting was not seen in other counties covered by the same Congressional district. Also, there were complaints all day about the e-voting machines not properly recording votes in that county. So, while people are asking for a recount… there’s nothing to recount since the machines did not record the votes. Amusingly, the EFF also notes that the very same county had a referendum on the ballot about the e-voting machines, and the people overwhelmingly voted to scrap the machines and bring back paper ballots. So what was it the press was just saying about no major glitches with e-voting?
One of the things that makes computers incredibly useful is that they automate routine tasks so they can be done without human supervision. That’s fantastic for most tasks, but it’s a disaster when the task at hand is recording votes, because it means that if there’s a programming bug, it will do things the same wrong way with each and every voter. And because the counting process is totally opaque, no one notices until it’s too late.
E-voting machines may streamline the voting process, but that’s actually not a benefit at all. A slow, labor-intensive voting process means there will be more human eyes around to spot mistakes early enough that they can be corrected. But because we delegated the process to a computer, there were no human beings in a position to notice the problem.
CNN has a round-up of voting problems with yesterday’s elections. There seem to be a lot of problems like this:
The New Jersey Republican Committee said Republican voters filed four affidavits saying that they weren’t able to vote for Republican Senate candidate Tom Kean because the Sequoia voting machines they were using were already programmed to vote for Democrat Bob Menendez, according to NJRC Counsel Mark Sheridan. Michelle Schaffer at Sequoia told CNN, “We have been in close communication with the New Jersey attorney general’s office, and we are not aware of any issues that are problematic nor have they raised any to ask us about.”
As tempting as it is, I think it would be a mistake for critics of e-voting to highlight these sorts of problems in their arguments against paperless voting machines. They’re closely analogous to, say, the butterfly ballot debacle from 2000. Human error is inevitable in any election. And it’s a big country, so even if there are dozens of reports of scattered e-voting problems in particular precincts, that probably just reflects the fact that e-voting is new, so both people and the news media are more likely to report e-voting related problems.
Two things make e-voting machines uniquely bad. First, they’re brittle. Paper ballots are not subject to problems like software bugs, power outages, incorrect equipment setup, etc. Under almost any circumstances, it’s still possible for a voter to mark his or her ballot and go on his or her way. In contrast, with e-voting, the voter’s got to wait around until the machine is fixed, and the poll workers most likely won’t know how to fix it. If the downtime is significant, a lot of voters will get frustrated and leave the polling place. So the system is much less resilient to unexpected problems. We saw several problems of this kind in Ohio, Indiana, Delaware, and elsewhere.
Secondly, and far more importantly, in precincts without voter-verified paper trails, we can’t be confident that the vote totals represented the actual votes that were cast in each precinct. I haven’t seen any evidence that foul play of this kind occurred. My guess is that none did. But if an election were stolen by hackers, we wouldn’t necessarily find out about it, because there’s no way to audit the result in precincts without paper trails.
Jim Lippard notes that HBO’s “Hacking the Vote” special is available for viewing on Google Video here. I haven’t had time to watch it yet, but if Diebold hates it, it must have some merit.
On an unrelated note, am I blind, or does Google Video still not have an “embed this video” feature? That seems to have been one of the most important factors in YouTube’s rise to prominence, and it can’t possibly be a difficult feature to clone. Why hasn’t Google implemented it yet?
Wow:
In Indiana’s Marion County, about 175 of 914 precincts turned to paper because poll workers didn’t know how to run the machines, said Marion County Clerk Doris Ann Sadler. Election officials in Delaware County planned to seek a court order to extend voting after an apparent computer error prevented voters from casting ballots in 75 precincts.
Illinois officials were swamped with calls from voters complaining that poll workers did not know how to operate new electronic equipment.
In Florida, voting was briefly delayed at four districts because of either mixed up ballots or electronic activators being unintentionally wiped out, according to Mary Cooney, spokeswoman for the Broward County Supervisor of Elections. Voters were forced to use paper ballots after an electronic machine broke in the Jacksonville suburb of Orange Park.
In suburban Pittsburgh, some precincts opened late because workers couldn’t zero out voting machines, raising concern that votes from previous elections had not been purged.
In Passaic County, N.J., Republicans complained that a ballot had been pre-marked on some machines with a vote for the Democratic Senate candidate; the state attorney general was looking into the matter.
In Utah County, Utah, workers failed to properly encode some of the cards that voters use to bring up touchscreen ballots.
In Kentucky, a school board race was inadvertently left off the touchscreen ballot in two precincts in Bourbon County, requiring the county clerk to make paper ballots on the spot.
And the polls haven’t even closed yet. I thought e-voting was supposed to make elections less error-prone.
Ohio is having problems with e-voting again:
In one elementary school in the predominantly black district of East Cleveland, Ohio, all 12 machines went down when voting opened at 6:30 am (1130 GMT), according to an AFP correspondent at the scene.
The machines were not started up until two hours later and poll officials refused to hand out paper ballots until a lawyer for the watchdog group Election Protection showed up.
“The machines weren’t working and they were just turning people away,” said the attorney, Fred Livingstone. “They are not allowed to do that.”
More than 250 problems were reported at polling places in Ohio soon after polls opened according to an Election Protection watchdog operation run by a minority rights group and other non-governmental organizations.
I see two reasons for concern here. First is the obvious one: one of the basic requirements for voting machines is that they work. Every voting system has problems, but I’m not aware of any situations in which paper ballots refused to boot.
The more serious concern, though, is the possibility that this was the result of deliberate tampering. It’s conceivable (although highly unlikely) that someone programmed those machines to crash in order to reduce voting in precincts thought to be favorable to a particular candidate. I think it’s unlikely–but it’s not impossible. But if someone were trying to steal an election, this is precisely the kind of tactic they might employ. It would look like an ordinary computer glitch, and people would probably think it was just a coincidence that it happened mostly in precincts that heavily favored a particular candidate.
Like I said, this was probably an innocent glitch, not a case of tampering. But it’s very worrisome that we will never know for certain.