Hard Evidence of Voting Machine Addition Errors 275
goombah99 writes "Princeton Professor, Ed Felton, has posted a series of blog entries in which he shows the printed tapes he obtained from the NJ voting machines don't report the ballots correctly. In response to the first one, Sequoia admitted that the machines had a known software design error that did not correctly record which kind of ballots were cast (republican or democratic primary ballots) but insisted the vote totals were correct. Then, further tapes showed this explanation to be insufficient. In response, State officials insisted that the (poorly printed) tapes were misread by Felton. Again further tapes showed this not to be a sufficient explanation. However all those did not foreclose the optimistic assessment that the errors were benign — that is, the possibility that vote totals might really be correct even though the ballot totals were wrong and the origin of the errors had not been explained. Now he has found (well-printed) tapes that show what appears to be hard proof that it's the vote totals that are wrong, since two different readout methods don't agree. Sequoia has made trade-secret legal threats against those wishing to mount an independent examination of the equipment. One small hat-tip to Sequoia: at least they are reporting enough raw data in different formats that these kinds of errors can come to light — that lesson should be kept in mind when writing future requirements for voting machines."
Re:I've just got to ask... (Score:3, Informative)
Except for a KISS Aproach to the problem, every factor that they can think of must be resolved.
Disability for the Blind, Deaf, limited or no movement.
English and non-english speakers.
They need to be hack proof but operated by unskilled workers.
The hardware needs to work in all kinds of crazy conditions.
Approprate Record Keeping without effecting the privacy of the voter.
Final output data needs to be easially readable.
Flexible for write-in votes.
The list goes on....
Then they may want it to be flexible by district or by state or both having those rules...
After all the requirement there is no Time for Candate[buttonID]++;
If there's no paper ballot created you didn't vote (Score:3, Informative)
Whether it's Hillary Clinton, Barak Obama, or John McCain elected this year, the rest of the world should bring as much pressure on them to reform our elections process as they have in those other countries. Stuff like this prove that people here are working more and more to push back against it, but if you care about what happens here yourself (and if you don't, I don't blame you) push your leaders to push our leaders harder on this.
Well then perhaps you should consider this (Score:5, Informative)
Right now they have a matching grant challenge, so nows a good time to offer cash. But think about also being an advocate in your state for getting the laws to allow this system.
OVC not only has open code but it also has an open bussiness model. They won't require you use it on any hardware they offer. It runs fine on off the shelf equipment. Any company could use the code, states could use the code. OVC would simply maintain it and certify that it is being deployed correctly.
Open voting solutions is another open source project with a different bussiness model but open code.
Re:Simple solution? (Score:5, Informative)
Boss: "Show me your receipt for candidate X tomorrow or don't bother showing up"
Husband: "Show me your receipt for candidate X tomorrow or it will be painful"
Creepy Person outside polling place: "Show me your receipt for candidate X and I will give you $10"
Yes, a paper trail is important, but one that you can refer to outside the polling place has very different problems.
Re:Next article: (Score:4, Informative)
He's got bona fides as a researcher in the field, and I believe was asked to do this work in TFA -- DMCA notices are going to roll off unnoticed, like ....well, like votes for the democratic party on one of these Sequoia machines, apparently.
Re:One thing to say... (Score:3, Informative)
It's significantly more difficult to tamper with a paper system. For starters, if you want to forge ballots, you need a shitload of paper ballots. You can't just walk up to a container of ballots, fiddle with it for a few seconds, and change ballots marked for one candidate into ballots marked for the other. You have to physically move paper around. Lots of election shenanigans has been caught over the years because of the difficult inherent in working with (especially in destroying or concealing) large volumes of paper. Bits are ephemeral at best.
The police -- and people in general -- are well-attuned due to personal experience to signs of low-tech crime. Have you seen the average age of poll workers? Physical theft, forgery, and ballot-stuffing are all easy-to-understand concepts, and the safeguards against them follow logically. Electronic security measures are only logical if you understand electronic systems, which many people don't, and are very much non-obvious otherwise.
For instance, with paper ballot boxes, it doesn't really matter if you store the empty boxes in an insecure location on the morning of the election. Any idiot can open up the box before voting begins and make sure the thing is empty. But if you do that with an electronic system, you've just created the perfect opportunity for someone to sabotage the machine with new firmware that will tamper with the votes being cast. That's a trivial example but there are lots of others.
Electronic voting systems might be a fine choice once we have a few generations of people around who have grown up intimately involved with high technology, people who fundamentally understand and are as familiar with computer systems as today's adults and senior citizens are with paper. Until that happens, it's totally inappropriate to replace paper. The electronic systems are simply not mature enough. Give them another century or so, and in the meantime we'll stick with what we know works.
There's simply no compelling reason to switch from paper to electronic systems, unless you're looking for a way to rig an election without any pesky paper trail.
How OVC system works (Score:5, Informative)
Here's the process:
1) voter makes selections on a touchscreen. These are recorded but this is NOT a cast ballot or a record of the vote.
2) computer prints out a paper summary ballot of the voters choices in an easy to read ballot-like format
3) also along the edge is a 1-D barcode encoding the selections in an obfuscated but not encrypted format.
4) voter can now cast this ballot by depositing it in a metal box. Or they can tear it up and ask to vote again. or they can walk out with the ballot if they like (it's not cast unless deposited so it's not a "receipt").
6) After polls close, witnesses and the election judge unseal the box, and hand shuffle the ballots to destroy any residual vote order.
7) then election workers, use a bar code wand to scan every ballot. As it is scanned the ballot is recreated on screen and the judge can compare any ballot she chooses to the paper copy. (this provides one of many random checks on the fidelity of the bar code)
8) as each ballot is scanned, the computer also checks the ballot creation record of the ballot generating machines. Every ballot must have a valid ballot creation session that matches the paper ballot. (the reverse is not true--there will be more ballot creation sessions than actually cast ballots since some ballots were discarded or taken and revoted.) This step is a partial safeguard against ballot stuffing, since an attacker will now have to modify many records and witness accounts to change the ballots (alter the machine records, alter the paper ballots, alter the turned in ballots, etc... And alter various anti-forgery measures)
Nice features:
1) nothing forecloses hand counting the paper in a recount since it's the official ballot not the electronic record or the bar code.
2) the untrusting voter can take the printed ballot to a third, un-netowrked machine to read the barcode back to him to see that it matches. Or she can leave with it and take it outside to some place that will also do this (say the ACLU or the Green party might have a booth set up offering this) Or she could take a cell -phone picture and decode it using some bar-code reader on the web. etc.....
It's a good test because even a single failure leaves the voter with deomstable official proof of an error. And it's robust because an error in the bar code discovered late in the process does not screw the election--you can still recount the paper ballots text.
3) the bar code is made 1D and short, deliberately so that it is information strarved. There can't be any diaboloical things hidden in it, like the voters identity or ways to tell other stand alone scanners to collude in what they tell the voter is in it. Also it allows very low tech equipment to read it (cue-cats wands $5)
As can be seen theres many onion layers to the security model. It's not depeneding of fool proof steps to remain that way. It's robust against operator error.
Additional features are that the touch screen can be just a commodity computer. it boots off an un mutable cdrom not a disk drive. So after the elections you can simply discard the computers. That is, give them to schools or state agencies or sell them on e-bay. These are not sophisticated voting machines. This frees up the monies normally used for secure storage and maintainece.
Since the voting terminals are cheap you can have many of them to avoid lines or problems with machine failure.
Since t