Slashdot Log In
Hard Evidence of Voting Machine Addition Errors
Posted by
kdawson
on Tue Apr 29, 2008 12:56 PM
from the got-some-splainin'-to-do dept.
from the got-some-splainin'-to-do dept.
goombah99 writes "Princeton Professor, Ed Felton, has posted a series of blog entries in which he shows the printed tapes he obtained from the NJ voting machines don't report the ballots correctly. In response to the first one, Sequoia admitted that the machines had a known software design error that did not correctly record which kind of ballots were cast (republican or democratic primary ballots) but insisted the vote totals were correct. Then, further tapes showed this explanation to be insufficient. In response, State officials insisted that the (poorly printed) tapes were misread by Felton. Again further tapes showed this not to be a sufficient explanation. However all those did not foreclose the optimistic assessment that the errors were benign — that is, the possibility that vote totals might really be correct even though the ballot totals were wrong and the origin of the errors had not been explained. Now he has found (well-printed) tapes that show what appears to be hard proof that it's the vote totals that are wrong, since two different readout methods don't agree. Sequoia has made trade-secret legal threats against those wishing to mount an independent examination of the equipment. One small hat-tip to Sequoia: at least they are reporting enough raw data in different formats that these kinds of errors can come to light — that lesson should be kept in mind when writing future requirements for voting machines."
Related Stories
[+]
Your Rights Online: Sequoia Threatens Over Voting Machine Evaluation 221 comments
enodo writes "Voting machine manufacturer Sequoia has sent well-known Princeton professor Ed Felten and his colleague Andrew Appel a letter threatening to sue if New Jersey sends them a machine to evaluate. It's not clear from the letter Sequoia sent whether they intend to sue the professors or the state — presumably that ambiguity was deliberate on Sequoia's part. Put another clipping in your scrapbook of cases of companies invoking 'intellectual property rights' for bogus reasons." Sequoia seems to be claiming that no one can make a "report" regarding their "software" without their permission.
[+]
Your Rights Online: Sequoia Vote Machine Can't Do Simple Arithmetic? 254 comments
whoever57 writes "Ed Felten is showing a scan of the summary from a Sequoia voting machine used in New Jersey. According to the paper record, the vote tallies don't add up — the total number of Republican ballots does not match the number of votes cast in the Republican primary and the total number of Democratic ballots does not match the number of votes cast in the Democratic primary. Felten has a number of discussions about the problems facing evoting, up to and including a semi-threatening email from Sequoia itself."
Update: 03/20 23:30 GMT by J : Later today, Felten added an update in which he analyzes Sequoia's explanation. He has questions, comments, and a demand.
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
That may be... (Score:3, Funny)
God bless the American Voting System!
Re:That may be... (Score:4, Interesting)
Parent
Well then perhaps you should consider this (Score:5, Informative)
Right now they have a matching grant challenge, so nows a good time to offer cash. But think about also being an advocate in your state for getting the laws to allow this system.
OVC not only has open code but it also has an open bussiness model. They won't require you use it on any hardware they offer. It runs fine on off the shelf equipment. Any company could use the code, states could use the code. OVC would simply maintain it and certify that it is being deployed correctly.
Open voting solutions is another open source project with a different bussiness model but open code.
Parent
How OVC system works (Score:5, Informative)
Here's the process:
1) voter makes selections on a touchscreen. These are recorded but this is NOT a cast ballot or a record of the vote.
2) computer prints out a paper summary ballot of the voters choices in an easy to read ballot-like format
3) also along the edge is a 1-D barcode encoding the selections in an obfuscated but not encrypted format.
4) voter can now cast this ballot by depositing it in a metal box. Or they can tear it up and ask to vote again. or they can walk out with the ballot if they like (it's not cast unless deposited so it's not a "receipt").
6) After polls close, witnesses and the election judge unseal the box, and hand shuffle the ballots to destroy any residual vote order.
7) then election workers, use a bar code wand to scan every ballot. As it is scanned the ballot is recreated on screen and the judge can compare any ballot she chooses to the paper copy. (this provides one of many random checks on the fidelity of the bar code)
8) as each ballot is scanned, the computer also checks the ballot creation record of the ballot generating machines. Every ballot must have a valid ballot creation session that matches the paper ballot. (the reverse is not true--there will be more ballot creation sessions than actually cast ballots since some ballots were discarded or taken and revoted.) This step is a partial safeguard against ballot stuffing, since an attacker will now have to modify many records and witness accounts to change the ballots (alter the machine records, alter the paper ballots, alter the turned in ballots, etc... And alter various anti-forgery measures)
Nice features:
1) nothing forecloses hand counting the paper in a recount since it's the official ballot not the electronic record or the bar code.
2) the untrusting voter can take the printed ballot to a third, un-netowrked machine to read the barcode back to him to see that it matches. Or she can leave with it and take it outside to some place that will also do this (say the ACLU or the Green party might have a booth set up offering this) Or she could take a cell -phone picture and decode it using some bar-code reader on the web. etc.....
It's a good test because even a single failure leaves the voter with deomstable official proof of an error. And it's robust because an error in the bar code discovered late in the process does not screw the election--you can still recount the paper ballots text.
3) the bar code is made 1D and short, deliberately so that it is information strarved. There can't be any diaboloical things hidden in it, like the voters identity or ways to tell other stand alone scanners to collude in what they tell the voter is in it. Also it allows very low tech equipment to read it (cue-cats wands $5)
As can be seen theres many onion layers to the security model. It's not depeneding of fool proof steps to remain that way. It's robust against operator error.
Additional features are that the touch screen can be just a commodity computer. it boots off an un mutable cdrom not a disk drive. So after the elections you can simply discard the computers. That is, give them to schools or state agencies or sell them on e-bay. These are not sophisticated voting machines. This frees up the monies normally used for secure storage and maintainece.
Since the voting terminals are cheap you can have many of them to avoid lines or problems with machine failure.
Since t
Parent
Re: (Score:3, Interesting)
They can take a picture of a ballot, and use another one to deposit.
Nothing to blackmail against, give bonuses for, etc.
Re:How OVC system works (Score:4, Insightful)
Two questions:
1. You propose using a 1D barcode along the side to "encode" the selection(s). It deliberately contains the minimal amount of data necessary to record the vote at the time of counting. Yet the barcode contains data that links it to a session on the voting machine, so that the printed ballot can be linked to a physical use at the machine. How do you obfuscate the session so you can't connect a particular voter to the vote,
In OVC the machine just records the session happened but it has no way to ID who voted. This point was debated at length in the design. One lighter weight protocol is simply to record the vote pattern and not create a UID for the session. Then one is simply verifying that some session had that vote pattern. That is less unique but still a reasonable check. If I recall correctly the standard OVC system uses a UID. But the protocol could work without it.
In both cases they both have to not only get these into the metal box, but they have to also remove the same number of other ballots.
Even if they did that, there would still be an anomolous number of ballot creation sessions. More sessions than ballots cast, discarded or left the prceinct without voting.
If they tried to stuff the ballot box in some private moment--perhaps later in the evneing when the boxes are hauled down to city-hall, then these wont match the scanned records or the Creation sessions.
It would take a rather daunting conspiracy to pull off this in just one precinct. Expertise in the computer hack, and the paper stuffing is needed.
(I did think of one possible solution for #1 but you introduce additional hardware into the system. Right now the touchscreen voting systems I've used, someone hands you a smart card, you put it in the system, it keeps the card locked in until it's recorded whatever you've entered, and then you hand it back to the election official. You could do the same thing, except the card is merely an "access card," rather than a "vote-recording card.")
2. Continuing with the barcode, how do you encode a short-enough code that still permits write-in candidates? Obviously you can't use a barcode format like [session-number]-[candidate-number] if you provide a "Write-in" option.
Parent
Re:That may be... (Score:4, Insightful)
These machines are intended and designed to prop-up the parlour-game of democratic basis for American government. They are not meant to "work". They are meant to reduce the definition of "democracy" to merely "voting" for the general public - and then to manage that vote. If they decrease the confidence of a certain segment of the public in the whole process, then they are also serving their secondary purpose: The devolution of the US to Banana Republic status.
The coup was completed in 2000. The dramatic operations began 40 years earlier, but it took awhile.
You don't see this. You think you still live in the same country that you were born in, that you attended Elementary School in, that you call the same name.
But it just isn't true. Visitors to your country get it in a very short time - but most of them clamp their mouths shut - it is quickly apparent that Americans are uncomprehending.
This isn't just Republicans. Sure - the Republican leaders are the sharp and shiny spear-tip, slicing the American side. The Democrats are just as on board - the solid wooden shaft, following this through the body. The elite of these - Cheney's and Pelosi's - will keep their mansions and their millions, their holidays in Vail and Sun Valley.
They will never join the people who "voted". That would be to join Dr. King, or Mel Carnahan.
Parent
Re: (Score:3)
I'm in Michigan, the DNC decided to toss out all primary votes from MI and FL. LA's GOP delegates are under dispute, meaning they may not represented at all. Nevada's GOP convention was supposed to be completed by now but was postponed.
The primaries are a sham on both sides this year. And that's without even getting into the equipment issues.
Re: (Score:3, Insightful)
Re:That may be... (Score:4, Insightful)
Parent
One thing to say... (Score:5, Insightful)
Re: (Score:2)
more like:
Devil elopers, Devil elopers, Devil elopers!
Re: (Score:3, Informative)
It's significantly more difficult to tamper with a paper system. For starters, if you want to forge ballots, you need a shitload of paper ballots. You can't just walk up to a container of ballots, fiddle with it for a few seconds, and change ballots marked for one candidate into ballots marked for the other. You have to physically move paper around. Lots of electio
Is this the code? (Score:2, Funny)
{
count = 0;
}
Votes::Votes(Candidate * pcand)
{
secretHandle = pcand;
count = 0;
}
Votes::operator ++()
{
if(secretHandle){
if(secretHandle->get_id()==GOOD_CANDIDATE) count +=5;
}
else ++count;
}
I've just got to ask... (Score:5, Insightful)
Seriously, how hard?
Someone presses a button and a counter gets incremented. Big whoop.
Any error at all in a programming exercise that goddamn simple is evidence enough for me to call for a full on corruption investigation.
Re: (Score:2)
Re: (Score:3, Funny)
Re:I've just got to ask... (Score:4, Insightful)
Aside, even if the devs were 100% perfect and typed ALL the code perfect, there's nothing stopping some jerk from slipping something in at final compile time, or even after that with "last minute update" to the "firmware".
Parent
Re: (Score:3, Insightful)
Free software voting machines don't engender trust (Score:4, Insightful)
This really has nothing to do with a voting machine's software being "closed source".
From the voter's perspective, there's no real solution to this problem but hand-counting of voter verified paper ballots. For me the ultimate solution to this problem is this: Voters walk up to a machine they had no part in preparing and (optionally) use it to prepare a voter-verified paper ballot. That ballot is then stored and counted by hand. This process makes the trustworthiness of the machine completely irrelevant. If any voter doesn't trust the machine to do this job, they should be given the freedom to fill out the ballot by hand (also handy when the computer breaks down or the power runs out). There are substantial benefits to using computers to prepare voter-verified paper ballots and there are substantial benefits to using exclusively free software voting machines [counterpunch.org] but trustworthiness is not one of those benefits. Nobody can trust any computer they don't control and no voter is given the freedom to completely control their voting machine. Even if trusted voting machine software existed nobody would be able to know that their voting machine was running it.
Contrary to another poster's view [slashdot.org] on this, no audit trail would be sufficient to engender trust in any code because the preparation of the audit trail would always be in question.
The benefits of a free software voting machine lie in the government and public avoidance of monopoly (thus reducing maintenance cost and possibly increasing machine flexibility), and supporting business opportunities (politicians love it when they can say some project "creates jobs" in their district), and in turn leaving the body that paid for the machines in a position where they can make the machines meet their needs. All proprietary software distributors are monopolists. It is this monopoly that each proprietary software voting machine manufacturer works to protect; this is what's really at stake for those businesses. If any one of them were more user-focused than they are (ES&S is in a great place to be this user-focused since they don't depend on other software for their machines), they would see free software voting machines as a point of sale. They could be the best situated to compete in the maintenance market for their brand of machines because they've known their machines the longest, so ostensibly they know those machines best. Governments will think this way when it comes to purchasing support contracts whether long-term or ad-hoc.
Alas, competing monopolies is the way of things right now in the US. The voting machine makers have the country carved up like the mafia in The Godfather movies and they exploit county after county in every sale. I ought to know, I helped Champaign County, Illinois recommend a pair of voting machines to the county board. We saw demos from a few vendors (ES&S, Hart Intercivic, and Diebold via their local distributor) and picked the least worst pair of machines (ES&S).
Parent
free software with voter verified paper record. (Score:2)
A fraud investigation is a good idea but that's not enough. There's a real possibility the companies involved can sleaze out of things because they have kept everything secret all along. Documenting the lack of evidence and lack of transparency is a good exercise on it's own because it will cast doubt on elections that use non free software and other impossible to verify mechanisms. The fact is they can't prove the election results are good or fair and that's unacceptable.
Re: (Score:3, Informative)
Except for a KISS Aproach to the problem, every factor that they can think of must be resolved.
Disability for the Blind, Deaf, limited or no movement.
English and non-english speakers.
They need to be hack proof but operated by unskilled workers.
The hardware needs to work in all kinds of crazy conditions.
Approprate Record Keeping without effecting the privacy of the voter.
Final output data needs to be easially readable.
Flexible for write-in votes.
The list goes
Re:I've just got to ask... (Score:4, Insightful)
Parent
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:3, Interesting)
Re:I've just got to ask... (Score:4, Insightful)
Parent
lots of stuff going on (Score:5, Interesting)
Another plausible error mode here is the one the ES&S ivotronics had (and ones with old firmware still have). Certified voting machines are required to redundantly store the votes, usually 3 times, and there may be some effort to have these in different memory modules.
A while back ES&S had a bug that was triggered by a low battery voltage. The low battery condition would cause the logger to report this in the log. However the log entry was too long and cause a buffer over flow that over wrote the header of one of the redudant vote files. When the votes were read out at the precinct the machine did not notice the corrupt header and a second programming bug caused the malformed headers to cause other problems including mis-reported various things (like the maching ID) which then caused all sorts of downstream problems.
When the votes were read out by another method the corruption of the primary vote file was detected and it silently failed over to the secondary record. This produced a vote report that did not match up with the first one.
A reveiew of multiple systems was done by the Florida election supervisor who estimated about 1 in 7 machines reported wrong. He was fired.
Parent
Re: (Score:3, Funny)
It's really easy actually. I'll get it started:
Re: (Score:2)
heh. (Score:5, Funny)
{
return true;
}
Next article: (Score:5, Funny)
Re:Next article: (Score:4, Informative)
He's got bona fides as a researcher in the field, and I believe was asked to do this work in TFA -- DMCA notices are going to roll off unnoticed, like ....well, like votes for the democratic party on one of these Sequoia machines, apparently.
Parent
I'm amazed by this every time that I (Score:5, Insightful)
But this gets shoved under the carpet at every turn like a bit of dirt that not even MSM wants to report on.
It makes me sad to be American, well, sad that such things happen in America. We are supposed to be better than this. We were (I think) and I hope that we are better than this soon. It's disgusting.
The machines themselves are not complex pieces of equipment that take rocket scientists to develop or maintain. According to someone that should know, they are not even as secure as an ATM machine. How fucking sad is that?
Why, yes, I do have some suggestions. Where is the forum for me to submit them?
Re: (Score:2)
Only once a manned spacecraft blew up. The actual history of actual problems and treatment of reports of problems at NASA I think demonstrates this rather clearly.
While rigged, insecure, or simply inaccurate voting machines might also lead to deaths (and even far more of them), the connection isn't as immediate, obvious, visible and dramatic.
And this will change things how? (Score:4, Interesting)
What do you think the chance of this affecting the use of voting machines is? How often is anything of great significance altered due evidence being presented that it is inadequate?
Rationality is on the defensive. It certainly doesn't have much place in public policy any more. In every aspect of life, people are being convinced that the universe is not subject to laws which can inform our actions by predicting consequences, but that we are at the mercy of outside forces beyond our understanding, let alone control.
The 'Invisible hand' of the market means we must accept everything capitalism throws at us. The 'Intelligent designer' controls all life and we must not meddle with it. The natural rhythms or the Earth/Sun are responsible for global warming, so environmentalism is futile.
In the face of such a widespread campaign to render people helpless and reason impotent, no amount of evidence will achieve anything.
My Question (Score:3, Insightful)
Are there any good reports as to how accurate paper ballot counting really is? And how far off do the two diverge?
Re: (Score:3, Interesting)
As for how much they diverge, that's exactly the problem: we don't know, and attempts to find out have resulted in stonewalling and threats.
Studies of ballot counting accuracy (Score:4, Insightful)
Hand counting paper ballots is robust and adaptable. However even here it is hard to test under labratory conditions.
The most recent study is one happeing right now in Bernalillo county NM, by University of New Mexico and Caltech. Many different ways of counting ballots by hand are being tried (different numbers of observers, different ways of verbalizing, different ways of pre-sorting ballots, and different orders of counting races, etc...) One of the more remarkable findings so far is that teams of counters can have prodigiously different rates of counting (10x variation). This makes logistics of recounting hard to predict and hard to allocate resources for.
However even that study is flawed in part by the neccessity of time. You cant convince people to count a full election a dozen different ways. So you have to use shorter ballots or only count selected races and this will mask certain error modes.
Another kind of error mode those studies cant' examine is the one that happened in Washington state during the Governor's race. In king county, various piles of ballots were "misplaced" and later "discovered". It could be malice, but more likely incompetence and lack of procedures causing ballots to be stacked willy nilly in various store rooms or in different containers when gathered from all the precints.
I'm really please with Bernallilo County Clerk Maggie Toulouse for staging this mock recounts since these will iron out procedural issues and establish a lot of currently anecdotal human factors issues more concretely. Moreover the willingness to be som open about this and invite activists in is quite refreshing. Many clerks have a siege mentality--and of course this is because they have so many activitst making demands and too little money to staff their positions.
The typical clerks office pays less than $10/hour to new staff and your not going to get IT folks for that rate.
Send Maggie [bernco.gov] an email telling her she's got your respect: clerk@bernco.gov [mailto]. Clerks really deserve a pat on the back when they do it right.
Parent
Simple solution? (Score:2, Insightful)
The easy solution would be to have 2 paper print-outs: 1 that the voter tears off (like a receipt) and can examine to verify that they voted the way they intended, and 1 that is automatically ripped off and deposited in the 'lock box' for any audits or recounts that migh
Re:Simple solution? (Score:5, Informative)
Boss: "Show me your receipt for candidate X tomorrow or don't bother showing up"
Husband: "Show me your receipt for candidate X tomorrow or it will be painful"
Creepy Person outside polling place: "Show me your receipt for candidate X and I will give you $10"
Yes, a paper trail is important, but one that you can refer to outside the polling place has very different problems.
Parent
As opposed to what? (Score:3, Insightful)
And I can't believe people are still raising this objection. If the choice came down to:
A. The system you describe where individuals could be pressed to vote a certain way individually or face consequences from known or knowable others who would be committing a crime which would be easy to prosecute.
B. The system we have now, where votes can be stolen wholesale and
Re: (Score:2)
The way they or anyone else manipulating the vote intends. How many times does it need to be said: The whole idea of a secret ballot is that it's secret to everyone, including yourself once you leave the polling booth. No amount of cleverness can get around this.
The second system is fine, though I think it's not going to be fun in from a ma
John (Score:2, Insightful)
If there's no paper ballot created you didn't vote (Score:3, Informative)
Whether it's Hillary Clinton, Barak Obama, or John McCain elected this year, the rest of the world should bring as much pressure on them to reform our elections process as they have in those other countries. Stuff like this prove that people here are working more and more to push back against it, but if you care about what happens here yourself (and if you don't, I don't blame you) push your leaders to push our leaders harder on this.
Am I the only one (Score:2)
How fucking dumb are these people working for there companies?
Here is the real smoking gun... (Score:4, Interesting)
http://www.freedom-to-tinker.com/?p=1267 [freedom-to-tinker.com]
"Let's assume the Democrat party is assigned option switch 6 while the Republican Party is assigned options switch 12. If a Democrat voter arrives, the poll worker presses the "6 button followed by the green "Activate" button. The Democrat contests are activated and the voter votes the ballot. "
Then the following comment nails it:
"Rich Kulawiec Says:
March 20th, 2008 at 2:59 pm
I'm working through this explanation with a paper-and-pencil mockup, but meanwhile I'll note Sequoia's use of the right-wing code phrase "Democrat Party" instead of "Democratic Party". It seems to have become fashionable of late among some to use this term as a thinly-veiled insult, then deny that it's intentional. Given how carefully [at least some portions of] this explanation seem to be worded, I don't for a moment believe this is a mistake."
Slot machines are more secure than this! (Score:3, Insightful)
http://gaming.nv.gov/documents/pdf/07jan11_techstds_kiosks_proposed.pdf [nv.gov]
These guys have some ridiculously high standards to ensure the integrity of gaming equipment. Why can't we get similar standards for voting machines?
-ted
Re:Don't forget ... (Score:5, Funny)
Troll month. hehe. It is troll Tuesday, though.
Parent
Re: (Score:3, Insightful)