Today is election day, and before I talk about who I’m voting for, I thought I’d point out what is, to me, a far more serious issue – the growing use of electronic voting machines in spite of the demonstrated insecurity of these machines as they exist today.
Imagine the 2000 election with claims that Bush or Gore had hacked the Florida voting machines and caused untraceable changes in votes. Think about the challenges to Bush’s legitimacy today, and imagine what they’d be like in the event we were confronted with a series of news reports waking up – finally – to the insecurity of these systems.
On Declan McCullogh’s Politech list, this email went out today (it’s not up on his site yet, so I’m posting the entire thing):
—– Forwarded message ——
Declan and Dave,
Please (please!) remove my e-mail address if you decide to post this.
I’m an undergraduate in a large Georgia university, which also happens to be the place I vote at election time. Although I have been a casual follower of the voting security debate, I now find myself in a unique position. A sitting position. More precisely, sitting 10 feet away from a stack of 10 unguarded electronic voting machines. Despite having been here for for 120 minutes (and taking a conspicuous number of photos), I have yet to see any security presence, or anyone associated with these machines at all.
First thing: this terrifies me. Because although I have no reason to suspect these machines have been tampered with, I really have no way of knowing for sure. Even though it would be difficult for someone to tamper with these machines on-site without being noticed, there is a huge potential for a machine to be stolen (at which point it could either be tampered with, and then (in theory) returned, or just analyzed to locate problems with the voting software). It’s one thing to debate how secure the software is, especially when being used within sight of elections officials. It’s another thing entirely when anyone who wants to can take the machine home to play with.
Even more alarming than the lack of security around these machines is the response I have received from anyone I have tried to point this out to. The friend who initially directed me to this problem has called a half dozen different groups, ranging (in order) from the state voting commission, the local paper, the local news, campus security, and even the campus newspaper. The voting commission assured us the machines were locked. As someone standing next to the machines, I can assure you that they are not, unless a zip tie now qualifies as a lock. The press brushed us off entirely. Campus security told us it was “not their problem”.
If someone could tell me that this is somehow okay, that I’m overanalyzing the problem, and that this is in fact not dangerous behavior, it would reassure me a great deal. But if this is in any way representative of the way electronic voting systems are being deployed around the rest of the country, I fear for tomorrow’s election.
Now, descriptions of the machines. I have about 70 pictures of these, should anyone require them (but I’m holding on to them for now, in the interest of remaining anonymous until I feel these machines are secured). I have removed information that identifies directly which county these machines belong to; I am happy to reveal it later, once these machines are set up and under active surveillance.
Each container is roughly 2 feet by 2 feet square, by 1 foot deep, with collapsable legs. These containers are stacked in two piles of 5 machines each, with a larger box and a briefcase resting nearby. The small boxes have wheels on the bottom and a suitcase style handle and clasps. They appear identical to the system displayed on http://www.diebold.com/dieboldes/ . One such machine has the following information on the front, near the handle: A barcode with a green and a yellow sticker attached. The barcode reads “123678” A barcode labeled “[county name] County – Ga Purchase”. The barcode reads, “265345893” A half-removed label with the following word fragments: [bottom portion of a large word] Election S[unintelligible] 4.3.14 UPGRA[unintelligible] This text appears consistent with the Diebold Election Systems logo, as seen at the above Diebold Election Systems website.
Also, written on the top, where the legs are collapsed: “P/N 663-1141 REV–4
Model/Revision AVTS–BOOTH.1.01.004” Next to that, a yellow sticker with the text, “A-H 6-12-02”
The boxes are sealed with a large plastic zip tie (some are pulled tight; others only about halfway tight), and with a red tag with a serial number. One such tag is labeled, “SEALED 0144481”
One machine also has a label attached to the side opposite the wheels. The label is attached with a zip tie, and enclosed in a plastic container. The label reads, “02X 2 [scribbled out numeral 4] of [scribbled out numeral 4] 9”. [It is probably worth reiterating that there are, in fact, 10 machines stacked here].
The larger box is roughly 1.5 feet by 2 feet, and 1.5 feet tall, with the text, “Property of [county name] County Government, Registration, and Elections” embossed in the side.
The briefcase is blue, 3 inches deep, 2 feet wide, 1.5 feet tall, and has a handwritten label attached with the words “Provisional Voting” written on it.
I will be monitoring both Politech and Interesting People for responses, should this get posted.
—– End forwarded message —–
I’ve been reading Bruce Schnier’s great book on security (review to follow) and the reality is that all the high-tech, intrusive, civil-rights violating security measures in the world don’t mean a damn thing if you leave the hardware unattended and unsecured.
I’m currently between jobs, and one of the employment services that I registered with here in Maryland was also filling slots for poll watchers. I was too late to get the last slots, but I asked the staff about what was involved. They told me there was a four-hour “training class”, but Diebold was relying on the temp service to provide them with bodies.
The service offered to put me on the list in case a slot opened up unexpectedly. They gave me a nondisclosure form, saying basically that I wouldn’t steal their code or engage in any other chicanery. I was also given a single photocopied sheet with a Georgia statute about “vote tampering”, and required to sign a form saying that I’d read the Georgia statute.
Last week, I got a call from one of the recruiters with the service. Diebold had asked them to also provide people to set up and take down the machines, and she wondered if I’d like to be one of the people. (This might have had something to do with the PC experience on my resume; the recruiter didn’t say.) When I pointed out that I hadn’t gone through any training on the machines, I was told that all the necessary training would be done when the Diebold rep called me to tell me where to go on Monday.
It didn’t actually come through, since Diebold never contacted any of the employment service’s people — I called the service yesterday several times for updates, as the job was supposed to be from 2pm until the job was done. I was told that Diebold had cancelled on short notice.
I can’t swear that Diebold is as disorganized as this might make them sound. It’s certainly possible that the employment service was jerking me around, although I believe they were acting in good faith when they asked me to take the job. It’s also possible that something was miscommunicated yesterday, and that the service lied to me about Diebold cancelling.
Still… Diebold is hiring temps with four hours of training to staff polling places. They wanted more temps with no significant training, and no screening to speak of, to set up their machines. The only screening was a temp service that photocopied my ID and asked me to sign a form after reading a one-page statute from another state. If I’d been one day earlier signing up with the service, I’d be working at the polling place today.
If I had wanted to do something to these machines, it would have been TRIVIALLY easy to do so. This Diebold system has absolutely no assurance of security, and should not be treated as such.
What I’ve never understood is what’s wrong with the regular mechanical switch ballot boxes? I’ve only ever voted in Virginia and New York, and that’s what they use in both states. It seems perfectly reliable, and has been workign well for ages. When someone pulls the lever after flipping switches next to each candidate’s name, an odometer type thing inside the machine increments. No punch cards to get hanging chads, so source code to be tampered with, nothing. What is wrong with these? Why incur large costs to replace well-functioning machines with ones with major security flaws?!
Everyone hates this idea, but it’s the only way to have any level of tamper-resistant voting: abolish the secret vote and post them all online.
Iblis, what a terribly stupid idea.
See! I get that every time. But it’s not so crazy when you think about it. In fact, this country used to have a public ballot.
Most objections fall into 2 categories: discrimination and vote selling. Laws against discrimination based on age, sex, race, etc, etc, etc are common. Don’t see why it would be such a huge jump to prohibit discirmination based on someone’s vote. As for the latter, you can already buy an absentee ballot, so no change there.
On the plus side you get the ability to vote from anywhere. Electronic voting, online, email, ATM machines, whatever. No problems because the vote is accounted for in the online tally. You also get the only truly tamper resistant system. Let’s face it. Any “secret” system is vulnerable exactly at the point where you insert the black box.
Dear A. L.:
Back in 2000 I was a member of the design team of an award-winning design for an electronic voting machine. Why everyone seems to be treating the design objectives of such a device a great mystery completely puzzles me: reliability, security, verifiability, low-cost rank high. Touch screen systems that produce no hard copy meet almost none of these objectives.
I’ve been an election judge in a precinct in which punched-card “butterfly” type ballots have been in use for almost twenty years. Believe me, the problems encountered in Florida in 2000 tells you a lot more about the voters and election judges there than it does about punched-card ballots. For a start I’m required by law to offer a demonstration to every voter and to give a demonstration to any voter who wants one. Folks, this is not rocket science.
I’m not a fan of electronic voting machines for both security and cost reasons but I think anyone (like Instapundit) who thinks going to a completely manual system would be a big improvement ought to put their money where there mouths are and work as an election judge.
Iblis, the secret ballot is kinda one of the foundational aspects of our Republic, and while it might be conceptually neat to toss it out, the obvious problems are so big and serious that I’d call it a nonstarter.
A.L.
A.L.
Not true! Our young nation used non-secret voting.
It’s interesting to me how universal the opposition is. Left, right, wing-nut–everyone hates it…at first.
That can’t just be proof it’s a bad idea. Lots of really bad ideas have significant amounts of supporters–else there would be no NAMBLA or neo-Nazis. Hell, there’s a Flat Earth Society!
I personally would be at a loss to come up with any other proposal that garners the level of opposition that non-secret voting does. Can you?
I forgot, BTW, another common objection: the shy voter. There is a definitional trade off between the “shy voter” and any kind of security. My concern is vote fraud, which I see as a fundamental threat to democracy itself. On the flip side, think how many lazy and forgetful voters we could add to the system if they could vote from their desktops at work, cell phones while driving, or whatever. Can only do that if the system is secure.
But, Iblis, do we really want to encourage the lazy voter? As someone who tries to pay attention to who is running, what their positions are and the the overall dynamic of the body, I question the true value of a voting system that makes it easier for my considered vote to be cancelled out because “hey, I got a cousin named Bob; guess I’ll vote for this fellow.”
Lazy != Uninformed
Take, for example, my high-powered lawyer friend. He bills 2400+ hrs a year. Working like that he never makes it to the polls. But he is extremely well informed.
I’m not a big fan of uninformed voters, but they are a big improvement over fraudulent voters.
Iblis – here’s the problem. Would you like to be somebody who voted for Nader in Florida in 2000 and have that information available to anybody? Or if you live in a city with an strong political machine (I’m from Jersey, they still exist), would you be willing to buck the machine if you knew they could find out? Or if you’re up for a promotion at work and your boss is a fervent Dem/Rep, and he “encourages” you to go along with him?
I can think of more examples. What about the abused wife who wants to vote one way, but the husband makes her vote another? What about the union worker who wants to vote for a pro-gun Republican, but who would suddenly be out of work if he didn’t vote for the protectionist Democrat? What about governent workers? Judges?
A few responses:
-An anonymous ballot doesn’t solve those problems. The abusive husband, for example, can easily require the wife to vote absentee. In fact, the anonymous ballot can exasperate that kind of problem by hiding it from view. If employers, unions or political machines are pressuring voters the anonymous ballot can help them hide their crime.
If, on the other hand, the vote is not anonymous then bullying tactics are also not anonymous. If 90% of the employees in a law firm vote against a tort reform candidate that’s probably self-interest. If 100% vote that way then it’s time to call the AG.
For that reason I would argue that rather than create bullying problems, an open ballot may be more likely to reduce them through exposure to public (and law enforcement) view.
-In general, I think the fear of bullying is overblown. Consider that your voter registration is not secret. Neither is a ballot initiative petition signature, yet people willingly sign such things. Actual voter behavior indicates that fears about an open ballot are exaggerated.
-I’m not persuaded by arguments that a change is not an improvement unless it is perfect. No system is perfect, but some are better than others.
If ballots were open there would be more lawsuits. We can pretty much assume that there would be a new class of discrimination claim based on voting. Some of those cases would be meritless and some wouldn’t. We could also assume that some people would not vote because they don’t want that vote to be part of the public record. Our elected representatives pull this stunt all the time, so it’s no stretch to assume that common folk would too.
But let’s look at the alternative. Say you work in a precinct. Traffic is light all day, but when you tally the votes you discover that 97% of the precinct’s registered voters have voted. That seems high based on the traffic you saw and historical voting patterns, but the machine has the votes and codes. Everything is in order. No machine? Fine. The ballot box has all the cards and they are properly punched. Now what? You look at the list–every registered voter had to sign it before voting. Most of the names aren’t signed. You count the signed names and discover that only 27% voted. That’s more like it. Now you know that something is fishy. So what do you do? Nothing. There’s nothing you can do. Without a way of attributing each vote to a voter (by definition a non-anonymous system) there is no way to audit what happened. You can’t repair the vote, so you have to accept results that you know are fraudulent. When a presidential election can turn on just 500+ votes, that seems unfathomable.
I like the idea (published voting records). When we get tired of screwing around with ballots and return to the traditional bullets, it will make it easier to track down and kill those that didn’t vote properly. Look at Rawanda. 95% voted for el President. He is having a real problem tracking down the 5% that refused his vision of the future. Think of all that time and effort that could be spent on something productive like bribe gathering or treasury looting. Eventually we will be as advanced as the Iranians. They bring the ballot box to you! How convenient. And the guys with machine guns are really helpful in getting everthing filled out correctly. Ah yes, American voting techniques are certainly in need of modernization. I’m sure the UN would be eager to help.
Kerry akbar
On the *origins* of the secret ballot:
So it seems that the concern about reprisal for votes isn’t necessarily one without foundation in history.
A.L.
Adam,
Actually, mechanical voting machines have a number of failure/tampering modes. More to the point of your question, they are big and heavy (hard to move, lots of space to store) and require a fair amount of maintenance to keep in working order.
Our county currently used to have voting machines but now uses what’s probably (in concept at least) the best electronic-voting system: optical scanning of a marked paper ballot.
I wrote a blog post (http://centristcoalition.com/blog/archives/000524.html)
on why current e-vote reform efforts just aren’t going to cut the
mustard, and make some concrete suggestions on improvements.
If I could trade the City of Austin going back to paper for me serving
as an elections judge, I would sign the dotted line in a second,
because instead I’ve been a programmer and software designer for many
years.
Let me quote from my posting:
After 2000 in Florida, every vote cast could be rechecked by first
manual recounters, then a second time by a newspaper coalition. You
can’t do that with e-voting right now; admittedly, you couldn’t pin
down results beyond the 5% punch card error bar, but you can’t even
verify e-votes to 100% error.
Well it would sure make voting panel studies a lot cheaper, assuming you use some identifying number and not the name. (Anyone who has every tried to “crosswalk” different files based on name alone, or even name and birth date, knows what a pain in the behind this is.) Most Americans aren’t shy about telling people how they voted anyway. The primary objection to such a rule is that secret ballots are critical in newly democratized states, or states in transition to democracy and open society, so it would be a lousy precendent for the US to set.
I’ve read this in someone else’s comment a while back, but don’t remember whose. The problem with open voting isn’t bullying, it’s the outright buying of votes, where payment isn’t delivered until they receive proof of your vote. With secret ballots, this isn’t possible because there is nothing substantive to buy or sell.
And the way to solve the main issues of e-voting (including insecurity of hardware) is a Voter Verifiable Paper Trail. That is, a piece of human-readable paper (behind a glass or whatnot) that the voter can verify is correct before submitting their vote. This paper trail can then be used for audits and recounts (something sorely lacking in Diebold’s systems).