Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Hard Evidence of Voting Machine Addition Errors

Posted by kdawson on Tue Apr 29, 2008 01:56 PM
from the got-some-splainin'-to-do dept.
Security Government Politics
goombah99 writes "Princeton Professor, Ed Felton, has posted a series of blog entries in which he shows the printed tapes he obtained from the NJ voting machines don't report the ballots correctly. In response to the first one, Sequoia admitted that the machines had a known software design error that did not correctly record which kind of ballots were cast (republican or democratic primary ballots) but insisted the vote totals were correct. Then, further tapes showed this explanation to be insufficient. In response, State officials insisted that the (poorly printed) tapes were misread by Felton. Again further tapes showed this not to be a sufficient explanation. However all those did not foreclose the optimistic assessment that the errors were benign — that is, the possibility that vote totals might really be correct even though the ballot totals were wrong and the origin of the errors had not been explained. Now he has found (well-printed) tapes that show what appears to be hard proof that it's the vote totals that are wrong, since two different readout methods don't agree. Sequoia has made trade-secret legal threats against those wishing to mount an independent examination of the equipment. One small hat-tip to Sequoia: at least they are reporting enough raw data in different formats that these kinds of errors can come to light — that lesson should be kept in mind when writing future requirements for voting machines."
+ -
story

Related Stories

[+] Your Rights Online: Sequoia Threatens Over Voting Machine Evaluation 221 comments
enodo writes "Voting machine manufacturer Sequoia has sent well-known Princeton professor Ed Felten and his colleague Andrew Appel a letter threatening to sue if New Jersey sends them a machine to evaluate. It's not clear from the letter Sequoia sent whether they intend to sue the professors or the state — presumably that ambiguity was deliberate on Sequoia's part. Put another clipping in your scrapbook of cases of companies invoking 'intellectual property rights' for bogus reasons." Sequoia seems to be claiming that no one can make a "report" regarding their "software" without their permission.
[+] Your Rights Online: Sequoia Vote Machine Can't Do Simple Arithmetic? 254 comments
whoever57 writes "Ed Felten is showing a scan of the summary from a Sequoia voting machine used in New Jersey. According to the paper record, the vote tallies don't add up — the total number of Republican ballots does not match the number of votes cast in the Republican primary and the total number of Democratic ballots does not match the number of votes cast in the Democratic primary. Felten has a number of discussions about the problems facing evoting, up to and including a semi-threatening email from Sequoia itself." Update: 03/20 23:30 GMT by J : Later today, Felten added an update in which he analyzes Sequoia's explanation. He has questions, comments, and a demand.
Firehose:Hard evidence of voting machine addition errors by goombah99 (560566)
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Hard Evidence of Voting Machine Addition Errors 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • That may be... (Score:3, Funny)

    by Anonymous Coward on Tuesday April 29 2008, @01:57PM (#23241260)
    ...but these are good, solid, Republican errors!

    God bless the American Voting System!

    • Re:That may be... (Score:4, Interesting)

      by wealthychef (584778) * on Tuesday April 29 2008, @02:04PM (#23241406)
      The fact that the company is using legal threats to suppress investigation into the errors is a good argument for using open source equipment that anyone can inspect. I do NOT trust a proprietary solution.

      • Well then perhaps you should consider this (Score:5, Informative)

        by goombah99 (560566) on Tuesday April 29 2008, @02:17PM (#23241630)

        The fact that the company is using legal threats to suppress investigation into the errors is a good argument for using open source equipment that anyone can inspect. I do NOT trust a proprietary solution.
        Open voting consortium [openvotingconsortium.org] needs volunteers and money. Unlike a normal open source project where all that matters is the quality of the code. This one needs feet on the ground and money to travel in order to get laws changed in 50 states to allow the use of the equipment. (for example many states have laws about how ballots are defined that this protocol requires changing. Many states require certifications which are far from free. But mainly it takes demonstrations and lobbying.)

        Right now they have a matching grant challenge, so nows a good time to offer cash. But think about also being an advocate in your state for getting the laws to allow this system.

        OVC not only has open code but it also has an open bussiness model. They won't require you use it on any hardware they offer. It runs fine on off the shelf equipment. Any company could use the code, states could use the code. OVC would simply maintain it and certify that it is being deployed correctly.

        Open voting solutions is another open source project with a different bussiness model but open code.

          • How OVC system works (Score:5, Informative)

            by goombah99 (560566) on Tuesday April 29 2008, @03:32PM (#23242726)
            OVC is not merely yet another touchscreen. It's a different kind of voting system. It's procedures are straighforward and simple yet at first blush may seem overly elaborate. In fact each of the seemingly simple steps in the process is a result of long deliberation by many voting system and security experts to foreclose various error modes and attack modes (e.g. chain voting, or secret ballot violations) while not making something too complex to operate and maintain. It also has to fail in a safe mode and be robust against operator error.

            Here's the process:
            1) voter makes selections on a touchscreen. These are recorded but this is NOT a cast ballot or a record of the vote.

            2) computer prints out a paper summary ballot of the voters choices in an easy to read ballot-like format

            3) also along the edge is a 1-D barcode encoding the selections in an obfuscated but not encrypted format.

            4) voter can now cast this ballot by depositing it in a metal box. Or they can tear it up and ask to vote again. or they can walk out with the ballot if they like (it's not cast unless deposited so it's not a "receipt").

            6) After polls close, witnesses and the election judge unseal the box, and hand shuffle the ballots to destroy any residual vote order.

            7) then election workers, use a bar code wand to scan every ballot. As it is scanned the ballot is recreated on screen and the judge can compare any ballot she chooses to the paper copy. (this provides one of many random checks on the fidelity of the bar code)

            8) as each ballot is scanned, the computer also checks the ballot creation record of the ballot generating machines. Every ballot must have a valid ballot creation session that matches the paper ballot. (the reverse is not true--there will be more ballot creation sessions than actually cast ballots since some ballots were discarded or taken and revoted.) This step is a partial safeguard against ballot stuffing, since an attacker will now have to modify many records and witness accounts to change the ballots (alter the machine records, alter the paper ballots, alter the turned in ballots, etc... And alter various anti-forgery measures)

            Nice features:
            1) nothing forecloses hand counting the paper in a recount since it's the official ballot not the electronic record or the bar code.

            2) the untrusting voter can take the printed ballot to a third, un-netowrked machine to read the barcode back to him to see that it matches. Or she can leave with it and take it outside to some place that will also do this (say the ACLU or the Green party might have a booth set up offering this) Or she could take a cell -phone picture and decode it using some bar-code reader on the web. etc.....

            It's a good test because even a single failure leaves the voter with deomstable official proof of an error. And it's robust because an error in the bar code discovered late in the process does not screw the election--you can still recount the paper ballots text.

            3) the bar code is made 1D and short, deliberately so that it is information strarved. There can't be any diaboloical things hidden in it, like the voters identity or ways to tell other stand alone scanners to collude in what they tell the voter is in it. Also it allows very low tech equipment to read it (cue-cats wands $5)

            As can be seen theres many onion layers to the security model. It's not depeneding of fool proof steps to remain that way. It's robust against operator error.

            Additional features are that the touch screen can be just a commodity computer. it boots off an un mutable cdrom not a disk drive. So after the elections you can simply discard the computers. That is, give them to schools or state agencies or sell them on e-bay. These are not sophisticated voting machines. This frees up the monies normally used for secure storage and maintainece.

            Since the voting terminals are cheap you can have many of them to avoid lines or problems with machine failure.

            Since t

              • Re:How OVC system works (Score:4, Insightful)

                by goombah99 (560566) on Tuesday April 29 2008, @04:58PM (#23244090)

                Two questions:


                1. You propose using a 1D barcode along the side to "encode" the selection(s). It deliberately contains the minimal amount of data necessary to record the vote at the time of counting. Yet the barcode contains data that links it to a session on the voting machine, so that the printed ballot can be linked to a physical use at the machine. How do you obfuscate the session so you can't connect a particular voter to the vote,
                The voter's use of the machine does not require activation in an identifiable manner. (by contrast e.g. Most DRE type systems have an activation chit that comes when the voter registers.)

                In OVC the machine just records the session happened but it has no way to ID who voted. This point was debated at length in the design. One lighter weight protocol is simply to record the vote pattern and not create a UID for the session. Then one is simply verifying that some session had that vote pattern. That is less unique but still a reasonable check. If I recall correctly the standard OVC system uses a UID. But the protocol could work without it.

                and how do you prevent someone from creating a lot of sessions and generating multiple receipts, i.e. stuffing the box?
                It's the old Onion layer philosophy. You are wrapping a lot of layers here to make that hard. The person has to create these ballots somehow. If they are created externally and stuffed then they also have to somehow alter the computer records to that created these. If they are created on those machines, they have to do so during polling hours and in plain view.

                In both cases they both have to not only get these into the metal box, but they have to also remove the same number of other ballots.

                Even if they did that, there would still be an anomolous number of ballot creation sessions. More sessions than ballots cast, discarded or left the prceinct without voting.

                If they tried to stuff the ballot box in some private moment--perhaps later in the evneing when the boxes are hauled down to city-hall, then these wont match the scanned records or the Creation sessions.

                It would take a rather daunting conspiracy to pull off this in just one precinct. Expertise in the computer hack, and the paper stuffing is needed.

                (I did think of one possible solution for #1 but you introduce additional hardware into the system. Right now the touchscreen voting systems I've used, someone hands you a smart card, you put it in the system, it keeps the card locked in until it's recorded whatever you've entered, and then you hand it back to the election official. You could do the same thing, except the card is merely an "access card," rather than a "vote-recording card.")

                I'm not following you. OVC does not need an activation chit. It's not even a big problem if a voter generates multiple ballots as long as administrative controls assure they only cast a single one. These controls are well practiced so that's not a challenge. But it does aid security to try to recapture all unused ballots since this will allow better correspondence with the generation sessions in the event of a discrepancy. But it's not neccessary to be perfect.

                2. Continuing with the barcode, how do you encode a short-enough code that still permits write-in candidates? Obviously you can't use a barcode format like [session-number]-[candidate-number] if you provide a "Write-in" option.

                See the OVC site for details on this. If I recall correctly, the bar code just flags the existence of a write-in, not the name. The write-in name can be either be recovered manually or recovered from the vote creation session. There's trick ballot secrecy issues that write-ins tend to unavoidably pierce in almost any system. But incase I got this wrong check their site as This may have changed.

      • Re:That may be... (Score:4, Insightful)

        by Jeremiah Cornelius (137) * on Tuesday April 29 2008, @02:38PM (#23241922) Homepage Journal
        Look.

        These machines are intended and designed to prop-up the parlour-game of democratic basis for American government. They are not meant to "work". They are meant to reduce the definition of "democracy" to merely "voting" for the general public - and then to manage that vote. If they decrease the confidence of a certain segment of the public in the whole process, then they are also serving their secondary purpose: The devolution of the US to Banana Republic status.

        The coup was completed in 2000. The dramatic operations began 40 years earlier, but it took awhile.

        You don't see this. You think you still live in the same country that you were born in, that you attended Elementary School in, that you call the same name.

        But it just isn't true. Visitors to your country get it in a very short time - but most of them clamp their mouths shut - it is quickly apparent that Americans are uncomprehending.

        This isn't just Republicans. Sure - the Republican leaders are the sharp and shiny spear-tip, slicing the American side. The Democrats are just as on board - the solid wooden shaft, following this through the body. The elite of these - Cheney's and Pelosi's - will keep their mansions and their millions, their holidays in Vail and Sun Valley.

        They will never join the people who "voted". That would be to join Dr. King, or Mel Carnahan.

      • Re:That may be... (Score:4, Insightful)

        by Tassach (137772) on Tuesday April 29 2008, @04:35PM (#23243700)
        Forget open source. There is a time and a place to use software, and there is a time and a place to use pen and paper. Elections are not the place to use software. A big metal box with a slot on the top to accept paper ballets, and locked with a big-ass padlock will always be better and more reliable than any electronic system you can come up with.

  • One thing to say... (Score:5, Insightful)

    by Brad1138 (590148) * <brad1138@yahoo.com> on Tuesday April 29 2008, @01:57PM (#23241262)
    Paper Ballots - Paper Ballots - PAPER BALLOTS!

  • I've just got to ask... (Score:5, Insightful)

    by Nursie (632944) on Tuesday April 29 2008, @01:59PM (#23241302) Homepage
    ... How hard can it be?

    Seriously, how hard?

    Someone presses a button and a counter gets incremented. Big whoop.
    Any error at all in a programming exercise that goddamn simple is evidence enough for me to call for a full on corruption investigation.

    • Re: (Score:3, Informative)

      by jellomizer (103300)
      You forget one thing... GOVERNMENT INTERVENTION...
      Except for a KISS Aproach to the problem, every factor that they can think of must be resolved.
      Disability for the Blind, Deaf, limited or no movement.
      English and non-english speakers.
      They need to be hack proof but operated by unskilled workers.
      The hardware needs to work in all kinds of crazy conditions.
      Approprate Record Keeping without effecting the privacy of the voter.
      Final output data needs to be easially readable.
      Flexible for write-in votes.
      The list goes

        • Re:I've just got to ask... (Score:4, Insightful)

          by jellomizer (103300) on Tuesday April 29 2008, @03:33PM (#23242746)
          Imagrants go to the U.S. have children, in the state, they are full citizens. They move back to the home country grow up and learn their languge and go back to America legally... They speek there languge as a primarly language. Or the other case while less common now, lets take Lewiston ME, say 50+ years ago. That city everyone spoke French as their main language, it is possible for a child to grow up and go to all French School and work and interact all people who speak French, without having to learn to read or speak good English.
    • Based on all this, it must be pretty hard after all. I assume they would have 2 separate counters, a grand total incremented as above, and an individual anonymous vote recorder. Both of these could be compared at a later date on paper vs. the electronic records. I assume it's hard because, well if it were made as easy as it could be, then you probably couldn't patent it or call it a "trade secret" since it's entirely obvious how it would work.

      • lots of stuff going on (Score:5, Interesting)

        by goombah99 (560566) on Tuesday April 29 2008, @02:58PM (#23242202)
        In this case there are almost certainly multiple errors, one of which is the design error sequoia explained that causes the wrong ballot to be recorded.

        Another plausible error mode here is the one the ES&S ivotronics had (and ones with old firmware still have). Certified voting machines are required to redundantly store the votes, usually 3 times, and there may be some effort to have these in different memory modules.

        A while back ES&S had a bug that was triggered by a low battery voltage. The low battery condition would cause the logger to report this in the log. However the log entry was too long and cause a buffer over flow that over wrote the header of one of the redudant vote files. When the votes were read out at the precinct the machine did not notice the corrupt header and a second programming bug caused the malformed headers to cause other problems including mis-reported various things (like the maching ID) which then caused all sorts of downstream problems.

        When the votes were read out by another method the corruption of the primary vote file was detected and it silently failed over to the secondary record. This produced a vote report that did not match up with the first one.

        A reveiew of multiple systems was done by the Florida election supervisor who estimated about 1 in 7 machines reported wrong. He was fired.

      • Well, hiding all those backdoors has got to be pretty hard, right?

        • Well, hiding all those backdoors has got to be pretty hard, right?
          With closed-source, it's not hard at all. That's where the problem lies.

          Aside, even if the devs were 100% perfect and typed ALL the code perfect, there's nothing stopping some jerk from slipping something in at final compile time, or even after that with "last minute update" to the "firmware".

          • This really has nothing to do with a voting machine's software being "closed source".

            From the voter's perspective, there's no real solution to this problem but hand-counting of voter verified paper ballots. For me the ultimate solution to this problem is this: Voters walk up to a machine they had no part in preparing and (optionally) use it to prepare a voter-verified paper ballot. That ballot is then stored and counted by hand. This process makes the trustworthiness of the machine completely irrelevant. If any voter doesn't trust the machine to do this job, they should be given the freedom to fill out the ballot by hand (also handy when the computer breaks down or the power runs out). There are substantial benefits to using computers to prepare voter-verified paper ballots and there are substantial benefits to using exclusively free software voting machines [counterpunch.org] but trustworthiness is not one of those benefits. Nobody can trust any computer they don't control and no voter is given the freedom to completely control their voting machine. Even if trusted voting machine software existed nobody would be able to know that their voting machine was running it.

            Contrary to another poster's view [slashdot.org] on this, no audit trail would be sufficient to engender trust in any code because the preparation of the audit trail would always be in question.

            The benefits of a free software voting machine lie in the government and public avoidance of monopoly (thus reducing maintenance cost and possibly increasing machine flexibility), and supporting business opportunities (politicians love it when they can say some project "creates jobs" in their district), and in turn leaving the body that paid for the machines in a position where they can make the machines meet their needs. All proprietary software distributors are monopolists. It is this monopoly that each proprietary software voting machine manufacturer works to protect; this is what's really at stake for those businesses. If any one of them were more user-focused than they are (ES&S is in a great place to be this user-focused since they don't depend on other software for their machines), they would see free software voting machines as a point of sale. They could be the best situated to compete in the maintenance market for their brand of machines because they've known their machines the longest, so ostensibly they know those machines best. Governments will think this way when it comes to purchasing support contracts whether long-term or ad-hoc.

            Alas, competing monopolies is the way of things right now in the US. The voting machine makers have the country carved up like the mafia in The Godfather movies and they exploit county after county in every sale. I ought to know, I helped Champaign County, Illinois recommend a pair of voting machines to the county board. We saw demos from a few vendors (ES&S, Hart Intercivic, and Diebold via their local distributor) and picked the least worst pair of machines (ES&S).

  • heh. (Score:5, Funny)

    by Kingrames (858416) on Tuesday April 29 2008, @02:00PM (#23241318)
    public boolean IsVoteTallyCorrect()
    {
      return true;
    }

  • Next article: (Score:5, Funny)

    by sm62704 (957197) on Tuesday April 29 2008, @02:01PM (#23241330) Journal
    "Princeton Professor, Ed Felton was arrested today for violation of the DMCA..."

    • Re:Next article: (Score:4, Informative)

      by discogravy (455376) on Tuesday April 29 2008, @02:54PM (#23242146) Homepage
      I realize you were going for Funny, and got there, but for those unaware, Prof. Felton is not new to this game [wikipedia.org], has done research (and testified about it) on the MS' "IE can't be removed" antitrust defense, Diebold voting machine bullshit, and Sony's rootkit bullshit among a few other things.

      He's got bona fides as a researcher in the field, and I believe was asked to do this work in TFA -- DMCA notices are going to roll off unnoticed, like ....well, like votes for the democratic party on one of these Sequoia machines, apparently.

  • I'm amazed by this every time that I (Score:5, Insightful)

    by zappepcs (820751) on Tuesday April 29 2008, @02:02PM (#23241352) Journal
    see another story about vote machine problems. If it was a NASA rocket motor there would be congressional investigations, news people camped out waiting for news of the investigation at NASA headquarters etc.

    But this gets shoved under the carpet at every turn like a bit of dirt that not even MSM wants to report on.

    It makes me sad to be American, well, sad that such things happen in America. We are supposed to be better than this. We were (I think) and I hope that we are better than this soon. It's disgusting.

    The machines themselves are not complex pieces of equipment that take rocket scientists to develop or maintain. According to someone that should know, they are not even as secure as an ATM machine. How fucking sad is that?

    Why, yes, I do have some suggestions. Where is the forum for me to submit them?

  • And this will change things how? (Score:4, Interesting)

    by damburger (981828) on Tuesday April 29 2008, @02:08PM (#23241466)

    What do you think the chance of this affecting the use of voting machines is? How often is anything of great significance altered due evidence being presented that it is inadequate?

    Rationality is on the defensive. It certainly doesn't have much place in public policy any more. In every aspect of life, people are being convinced that the universe is not subject to laws which can inform our actions by predicting consequences, but that we are at the mercy of outside forces beyond our understanding, let alone control.

    The 'Invisible hand' of the market means we must accept everything capitalism throws at us. The 'Intelligent designer' controls all life and we must not meddle with it. The natural rhythms or the Earth/Sun are responsible for global warming, so environmentalism is futile.

    In the face of such a widespread campaign to render people helpless and reason impotent, no amount of evidence will achieve anything.

  • Here is the real smoking gun... (Score:4, Interesting)

    by bgspence (155914) on Tuesday April 29 2008, @02:21PM (#23241710)
    Sequoia's Explanation, and Why It's Not the Whole Story
    http://www.freedom-to-tinker.com/?p=1267 [freedom-to-tinker.com] ...
    "Let's assume the Democrat party is assigned option switch 6 while the Republican Party is assigned options switch 12. If a Democrat voter arrives, the poll worker presses the "6 button followed by the green "Activate" button. The Democrat contests are activated and the voter votes the ballot. " ...

    Then the following comment nails it:

    "Rich Kulawiec Says:
    March 20th, 2008 at 2:59 pm
    I'm working through this explanation with a paper-and-pencil mockup, but meanwhile I'll note Sequoia's use of the right-wing code phrase "Democrat Party" instead of "Democratic Party". It seems to have become fashionable of late among some to use this term as a thinly-veiled insult, then deny that it's intentional. Given how carefully [at least some portions of] this explanation seem to be worded, I don't for a moment believe this is a mistake."

    • Re:Simple solution? (Score:5, Informative)

      by corsec67 (627446) on Tuesday April 29 2008, @02:18PM (#23241652) Homepage Journal
      I can't believe that people STILL don't understand what is wrong with a receipt of how you voted that you remove from the polling place.

      Boss: "Show me your receipt for candidate X tomorrow or don't bother showing up"
      Husband: "Show me your receipt for candidate X tomorrow or it will be painful"
      Creepy Person outside polling place: "Show me your receipt for candidate X and I will give you $10"

      Yes, a paper trail is important, but one that you can refer to outside the polling place has very different problems.

      • is it troll month on slashdot?
        Heheheh, You must be new here. Really, really new. You kids these days, you don't know trolling. What you see now is nothing compared to the great trolls of days past. Twofo, meh. Meept, now there was a troll. Or the maresex guy, or 'think of your breathing.' Why, we even had secret SIDs for trolls to meet in to discuss the art of trolling. Trolltalk, that was here! Then there was this whole spoke thing. Sometimes you were 'on teh spoke' and sometimes you weren't. Few knew what the hell it meant, but everyone said it.

        Troll month. hehe. It is troll Tuesday, though.

    • Studies of ballot counting accuracy (Score:4, Insightful)

      by goombah99 (560566) on Tuesday April 29 2008, @02:39PM (#23241946)
      Yes Caltech and MIT have done studies on vote count accuracy. Surprisingly nothing beats hand counting paper ballots. However this sort of assessment is very hard to do because the nature of the error space is so fickle. e.g. machine counting is generally perfect except when it's not. So one has very non gaussian error modes that require huge sampling and unanticipatable conditions to discover.

      Hand counting paper ballots is robust and adaptable. However even here it is hard to test under labratory conditions.

      The most recent study is one happeing right now in Bernalillo county NM, by University of New Mexico and Caltech. Many different ways of counting ballots by hand are being tried (different numbers of observers, different ways of verbalizing, different ways of pre-sorting ballots, and different orders of counting races, etc...) One of the more remarkable findings so far is that teams of counters can have prodigiously different rates of counting (10x variation). This makes logistics of recounting hard to predict and hard to allocate resources for.

      However even that study is flawed in part by the neccessity of time. You cant convince people to count a full election a dozen different ways. So you have to use shorter ballots or only count selected races and this will mask certain error modes.

      Another kind of error mode those studies cant' examine is the one that happened in Washington state during the Governor's race. In king county, various piles of ballots were "misplaced" and later "discovered". It could be malice, but more likely incompetence and lack of procedures causing ballots to be stacked willy nilly in various store rooms or in different containers when gathered from all the precints.

      I'm really please with Bernallilo County Clerk Maggie Toulouse for staging this mock recounts since these will iron out procedural issues and establish a lot of currently anecdotal human factors issues more concretely. Moreover the willingness to be som open about this and invite activists in is quite refreshing. Many clerks have a siege mentality--and of course this is because they have so many activitst making demands and too little money to staff their positions.

      The typical clerks office pays less than $10/hour to new staff and your not going to get IT folks for that rate.

      Send Maggie [bernco.gov] an email telling her she's got your respect: clerk@bernco.gov [mailto]. Clerks really deserve a pat on the back when they do it right.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.