David Wagner, UC Berkeley CS Dept
Wagner discussed how to deal with what he considers the fact that today's paperless DREs are unable protect the integrity of our elections. In his opinion, we need to ban paperless DREs or move to something better.
He gave some computer science background to the options with a metaphor: pots versus laptops. Pots don't crash. Not so with software. A pot is simple and has no moving parts. Computers have millions of transistors and run on millions of lines of code; there is no way to prevent inadvertant bugs or spot every maliciously introduced trojan horse.
Wagner brings up the Therac 25, which was a medical irradiation device that was controlled solely by software, and ended up resulting in 6 deaths when it exposed patients to 100 times the proper level of radiation. "If you're relying solely on complex software systems for safety critical functions, you're playing with fire."
Douglas A. Kellner, Commissioner, New York City Board of Elections
"If you can't count the votes in public, it's not a suitable voting technology. Period." But this removal from public view, according to Kellner, is the effect of paperless electronic voting machines.
The experience in NY: the city was the first to call for electronic machines, back in 1988. There were "dozens and dozens" of safeguards built into the process. He became an election official in 1992, and found the safeguards hard to crack but that those were mostly eroded in the rush for national paperless elections. NY stopped its contract in the 1990s. NY, if it goes electronic again, will have a paper trail.
Kim Alexander, California Voter Foundation
CVF is still urging the decertification of all paperless systems. The voting systems panel unanimously voted to decertify the Diebold TSx, which represents 75% of Diebold's stock in CA. If Secretary of State Shelley accepts the recommendation, the TSx won't be used in November.
Reasons that Alexander gave for the board's decision:
Mike Shamos, Professor, Carnegie Mellon University
Whatever the problems with paperless machines, paper is not the answer, according to Shamos. Every election that has been manipulated has been manipulated with paper. There has never been a proven case of election manipulation with electronic system. This is different from failed elections due to bad equipment, evidence of which is plentiful.
He cites a 20 year history of success with DREs in Pennsylvania; the problems elsewhere are engineering problems. The question is what probabilit y of error we are willing to accept in the risk of miscounts and undetected tampering. The way forward is through testing; the interested parties must decide how to test the systems to be satisfied that they operate satisfactorily (not perfectly).
Shamos concluded by stating that paper audit trails aren't the only solutions to DRE concerns; independent equipment manufacture and auditing are probably.
Scott Konopasek, Registrar of Voters, San Bernardino County, California
If voting machines are adequately administered, Konopasek is confident that DREs can be secure. Human beings, however, are the most vulnerable part of the integrity of elections.
He is in favor of better verification tools. But here is his position on paper: VPAT is necessary, but a duplicate paper ballot will not solve any problems.
Dan Tokaji, Assistant Professor of Law, Ohio State University, Moritz College of Law
Focus on: equality. The right to vote is "sacred" and "fundamental to democracy."
More acronyms: "contemporaneous paper record," or CPR. This is a synonym for VVAT. Relying upon these measures without proper testing is a "recipe for disaster."
Dimensions of the debate:
A lack of familiarity with election admin has led to four mistakes:
Showed a cooking pot and then a laptop. He said, what's the difference between these two? Ping yells: "The pot doesn't crash!"
David then showed something called the Therac 25. A medical device that killed quite a few people before it was discontinued. The problem was that they moved from the older system to the Therac 25 very quickly and that there was not sufficient testing. People died in the quick adoption.
You can't recount votes unless they're on paper. NYC asked for the first design of an electronic voting machine. Mr. Kellner ended up showing that how ever many safegaurds you insert into the system, you still need an official record in order to be able to verify the vote and reconcile an audit trail.
NYC ended up stopping the electronic voting machine procurement as it was to error-prone and not a valid representation of the electorate's votes.
Tremendous progress can be made by speaking out... the computer professionals have done a good job.... NYC will demand an paper-based audit trail.
We are still calling for the de-certification of all machines that do not produce a paper record. Yesterday was a great day as the TSx was recommended for decertification.
Here's notes from the case Kim made to SoS Shelley yesterday about decertification of all electronic voting machines that do not produce a paper-based audit trail:
There were wide-spread problems with electronic voting machines in the March 2 election. There were smart card encoder problems in Alameda and San Diego Counties. In Orange County the wrong ballot was presented to voters. There were problems getting the optical scan ballots recorded. In Napa county the Sequoia machines didn't record votes because they couldn't recognize the ink used to record votes.
They produced results that cannot be verified. (Kim walked us through the life of an electronic ballot). Each of these steps much be glitch-free and perfectly programmed. Any errors are difficult to detect and it would be impossible to figure what the correct vote would have been.
This all erodes public confidence in the legitimacy of state and federal elections.
It's bad enough that we use any software given the poor state of software regulation... but given what we've seen, it's also irresponsible and dangerous.
A government can only be legitimate when the process is transparent and verifiable.
Whatever the problems are, paper is not the answer.
Every election that has been manipulated has been done so with paper. Any time a human being has custody over the ballots, bad things an happen.
There has never been a proven case where electronic elections have been manipulated. There are two cases: the equipment is garbage or elections are stolen maliciously. Adding a paper trail actually increases the likelihood that a machine won't boot in the morning.
"I view the problem as an engineering problem. Specify the properties of a system that you want, we test to those criteria, we certify the machine."
If a vendor could produce a machine that is certifiable, I would recommend that we let it go. We need to test the things. No testing mechanism will uncover all possible errors.
The election system is much broader than just what happens on election day. There are many more opportunities to disenfranchise voters. There are many layers of checks and balances that exist in this process.
I hear this argument all the time: you can't disprove that you don't know what you don't know. It is intellectually dishonest to claim these systems are insecure, because it's never been proven.
I have a vested interest in making sure that there is an audit trail. "The VVPAT and other audit trails are needed. A poorly concoted version of such a thing is not desirable."
He's a former ACLU counsel. He teaches civil rights.
There's something else that he cares about besides this: equality. Something that is especially important in the rights to vote. This is sacred.
The proposal to require a VVPAT (which he calls a CPR (contemporaneous paper record)) advances the right to vote. It will certainly deny equality.
There are three dimension to this debate:
What kinds of voting rights do people have?
Accuracy: Many people's votes are not counted. Paper-based systems loose thousands to hundreds of thousands of votes.
Racial disparagement: Electronic voting machines help eliminate racial gaps in counted ballots.
Disability rights: People need to be able to vote unassisted.
Anti-DRE folks make four mistakes:
(I'm going to stop here)
]]>The Battle for Accountable Voting Systems
1) Principles
- Elections are dispute resolution for social conflicts
* "The people have spoken ... the bastards!" -- Dick Tuck concession speech.
- Where should the burden of proof lie in elections?
* Now, losers have burden to prove election results are inaccurate.
* Dill proposes that burden should be on providers of elections. They have access to the information, technology, process, etc.
Audit: The ability to independently construct election results from original recortds.
For paper, you need:
* chain of custody
* locked ballot box
* voter makes permanent record
* transportation and counting of ballots are observed by officials and political parties.
- e.g. in California, two poll workers accompany each ballot box in transit
2) Trust and DREs
* "You have to trust somebody" Is this true?
* DRE = "Direct Recording Electronic"; does not necessarily include voter verifiable record.
* Consider a scribe system. You walk into a booth with a man behind the curtain. You tell him your vote and he writes it down but you never see him do this. This is essentially a DRE system.
* The only person who can check that the ballot is recorded correctly is The Voter. Any system that claims to be verifiable without the Voter is not really verifiable.
* Voting from a computer security scenario: pretty much worse case possible.
- Assets being protected: democracy
- Potential Attackers: Hackers, Candidates, Zealots, Foreign Gov'ts, Criminal Orgnaizations -- maximum number of attackers.
What Prof. Dill is worried about:
- Programmer adds hidden vote-changing code
- Code concealed from inspection
- Code only triggered during real election using cues (date,voter behavior) or explicitly by voter, poll worker, wireless network
- Changes small % of votes in plausible ways.
- Election outcomes can be changed without detection. No way to challenge results.
- No DRE can give us verfiable elections without paper.
- Local election officials are helpless to intervene -- they have no access to the electronic election process.
- Voting systems are especially vulnerable because they discard vital information for verfication -- the identity of the voter. In other secure transactions, we count on the identity of the transactors (e.g. bank transactions). ATMs have videocameras and three separate paper trails.
- What software are we running?
* open source does not solve the problem. Can still be hacked.
3) Voter Verifiable audit trail
* Voter instructs machine to fill out ballot
* Machine shows ballot to Voter
* Voter verifies that vote is correct via "trustworthy technology", e.g. paper printout.
* Record of verfication can be audited later by local officals.
Options:
* Manual ballots with manual counts
* Optically scanned paper ballots
* Touch screen mahcines with voter verifiable printers
* maybe crypto-based systems?
* Bottom Line: Paper is the only current option
4) Conclusion
- Before we adopt any radical new election technology, burden of proof should be on providers that elections are verifiable.
]]>