December 5, 2020

Flaky Voting Technology

Opponents of unauditable e-voting technology often talk about the threat of fraud. They worry that somebody will compromise a voting machine or will corrupt the machines’ software, to steal an election. We should worry about fraud. But just as important, and more likely, is the possibility that software bugs will cause a miscount that gives an election to the wrong candidate.

This may be what happened two weeks ago in a school board race in Fairfax County, Virginia. David Cho at the Washington Post reports:

School Board member Rita S. Thompson (R), who lost a close race to retain her at-large seat, said yesterday that the new computers might have taken votes from her. Voters in three precincts reported that when they attempted to vote for her, the machines initially displayed an “x” next to her name but then, after a few seconds, the “x” disappeared.

In response to Thompson’s complaints, county officials tested one of the machines in question yesterday and discovered that it seemed to subtract a vote for Thompson in about “one out of a hundred tries,” said Margaret K. Luca, secretary of the county Board of Elections.

“It’s hard not to think that I have been robbed,” said Thompson, whose 77,796 recorded votes left her 1,662 shy of reelection. She is considering her next step, and said she was wary of challenging the election results: “I’m not sure the county as a whole is up for that. I’m not sure I’m up for that.”

And how do we know the cause was a bug, rather than fraud? Because the error was visible to voters. If this had been fraud, the “X” on the screen would never have disappeared – but the vote would have been given, silently, to the wrong candidate.

You could hardly construct a better textbook illustration of the importance of having a voter-verifiable paper trail. The paper trail would have helped voters notice the disappearance of their votes, and it would have provided a reliable record to consult in a later recount. As it is, we’ll never know who really won the election.

Comments

  1. It’s absurd to claim your software is secure if it still has bugs in it! (If you can’t program Murphy’s computer, don’t even bother to try Satan’s.)

    djb for voting machine programmer!

  2. > And how do we know the cause was a bug, rather than
    > fraud? Because the error was visible to voters. If this
    > had been fraud, the “X” on the screen would never have
    > disappeared — but the vote would have been given,
    > silently, to the wrong candidate.

    Why not both? Perhaps fraudulent software was installed on the machine that was *supposed* to silently post the vote to the wrong candidate, but due to a bug the “X” was removed from the name of the candidate who should rightfully have received the vote.

  3. 37 states use Diebold machines and their GEMS software… write your Secretary of State, support Rush Holt’s HR 2239 which would require voter-verified paper ballots, open source (in the “you can see it” sense) elections software as well as software version audits and random precinct audits.

  4. What is the motivation for electronic voting? I think that the goals for using electronic voting should be clearly defined. If the only goal is to do voting with less resources e.g. cheaper than with mechanical or hand-tallied votes, then using electronic voting without code review, open processes and cryptographically verified audit or paper trail is unnecessary. They’d just cost more, so use the cheapest brand!

    I believe most people find the previous claim to be absurd. Voting is very important – the people who are elected by definition will hold a great deal of power. There must be strong accountability in the voting process. Traditionally this has been accomplished by having a lot of people from all political (and non-political) sides taking part in the whole voting process to allow transparency.

    The traditional “paper votes” hold a very important position in this process. The physical paper votes provide a foundation for the voting process in two ways: a) the voter can visually (or by other means) verify that their vote is recorded correctly before submitting the vote. b) the vote can be monitored by the people participating in the voting process continuously. It is highly likely that anyone stuffing the ballot box would be noted. It is highly likely that switching the ballot box would be found out. Loss of a ballot box is guaranteed to be noted. These are accomplished by seals, markings, documentation and of course, having a lot of people around who have interest in not letting the other people cheat.

    None of these methods are of course foolproof, but they do make a large-scale voting fraud very hard. With the sanctions versus payoff of vote fraud it is just as expected: well-organized voting process is hard to subvert.

    Note that the whole process is public. It is as transparent (open source?) as you can get. There are no secrets in the making of the paper used, no secret pencils, no secret methods of performing punching. Everybody partaking in the process has all (at least access to) the information on how the voting process works.

    Enough of rehashing public knowledge — now to a more concrete suggestion.

    If the goal of the electronic voting is to speed up tallying *and* keep transparency of the process, the electronic voting machine could produce something that is permanent, verifiable by the voter and can be recounted efficiently, yet perform the “first approximation tally” of the results electronically (for fast results).

    There would be effectively three voting records: a human-readable version, which can be verified by the voter. Second, on the same human-verifiable paper printout, put a bar-code encoding the same information as in the human-readable version. Finally, the electronic voting machine also has an internal electronic tally. If the electronic tally by the machine is suspect, you fall back to the computer-readable barcode. If the barcode is suspect, the final line of defense is the human-readable and voter-verified version.

    This would be a lot more transparent than pure electronic voting. By default, use the electronic version. Perhaps all votes would be later (at a more leisurely pace) verified by scanning the barcoded paper votes to cross-check the purely electronic vote. The barcode printouts would themselves also be verified by random sampling comparing barcode results to the human-readable version.

    Fraud and/or errors in the electronic voting machines would thus be detected with high probability. Thus, the balance of voting would be regained: payoff vs. penalties would be high enough to act as an effective deterrence against voting fraud. Also the public confidence is gained, when they can both verify the vote, and the process.

    Note that the electronic voting software or hardware is not itself required to be open source: only its outputs (both paper and electronic) must be standardized so that they can be verified by software/hardware from independent vendors or parties.
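The three-record scheme this comment describes (electronic tally, barcode on the printout, voter-verified text, each falling back to the next) can be exercised in code. The Python below is an added example, not code from the post, the commenter, or any voting product: the two-way race, the toy barcode format with its check digit, and a machine defect that silently drops roughly one vote in a hundred for one candidate are all constructed assumptions. It shows that reconciling the electronic tally against the scanned barcodes exposes the miscount, while a random sample of barcode-versus-text comparisons confirms the printouts themselves were not corrupted.

```python
"""Three-record ballot reconciliation: electronic tally vs. barcode vs. human-readable text.
Added example with constructed data; the defect model is an assumption, not a real machine."""
import random
from collections import Counter

CANDIDATES = ("Thompson", "Other")  # constructed two-way race


def encode_barcode(choice):
    """Toy barcode (assumed format): two-digit candidate index plus a mod-10 check digit."""
    payload = f"{CANDIDATES.index(choice):02d}"
    return payload + str(sum(int(d) for d in payload) % 10)


def decode_barcode(code):
    """Decode and verify the check digit; a damaged barcode is rejected rather than guessed."""
    payload, check = code[:-1], int(code[-1])
    if sum(int(d) for d in payload) % 10 != check:
        raise ValueError(f"barcode check digit mismatch: {code!r}")
    return CANDIDATES[int(payload)]


def print_ballot(choice):
    """Paper record: the human-readable line and a barcode carrying the same choice."""
    return {"text": f"VOTE: {choice}", "barcode": encode_barcode(choice)}


def machine_tally(intents, drop_rate, rng):
    """The machine's internal electronic tally. `drop_rate` is a constructed defect that
    silently loses that fraction of votes for CANDIDATES[0], in the spirit of the
    'one out of a hundred tries' report; it is not a model of any real product."""
    tally = Counter({c: 0 for c in CANDIDATES})
    for choice in intents:
        if choice == CANDIDATES[0] and rng.random() < drop_rate:
            continue  # vote silently lost; the paper record still has it
        tally[choice] += 1
    return tally


def barcode_tally(ballots):
    """Second record: recount from the machine-readable barcodes on the printouts."""
    return Counter(decode_barcode(b["barcode"]) for b in ballots)


def reconcile(electronic, scanned):
    """Per-candidate difference (electronic minus barcode); nonzero means the records disagree."""
    return {c: electronic[c] - scanned[c] for c in CANDIDATES}


def sample_audit(ballots, sample_size, rng=None):
    """Third record: compare the barcode to the voter-verified text on a random sample.
    A barcode that fails its check digit counts as a mismatch."""
    rng = rng or random.Random(0)
    mismatches = []
    for b in rng.sample(ballots, sample_size):
        human = b["text"].split(": ", 1)[1]
        try:
            machine = decode_barcode(b["barcode"])
        except ValueError:
            machine = None
        if machine != human:
            mismatches.append(b)
    return mismatches


def run_election(n_voters, share, drop_rate, seed=1):
    """Simulate one precinct and return all three records plus the cross-checks."""
    rng = random.Random(seed)
    intents = [CANDIDATES[0] if rng.random() < share else CANDIDATES[1] for _ in range(n_voters)]
    ballots = [print_ballot(c) for c in intents]  # printed from what the voter confirmed
    electronic = machine_tally(intents, drop_rate, rng)
    scanned = barcode_tally(ballots)
    return {
        "electronic": dict(electronic),
        "barcode": dict(scanned),
        "discrepancy": reconcile(electronic, scanned),
        "audit_mismatches": len(sample_audit(ballots, min(200, n_voters), rng)),
    }


if __name__ == "__main__":
    for key, value in run_election(10_000, 0.5, drop_rate=0.01).items():
        print(key, value)
```

With the constructed 1% defect, the electronic tally for the first candidate comes in dozens of votes below the barcode recount while the other candidate reconciles exactly, which is the signature of a machine-side loss rather than a printing fault; the sample audit returning no mismatches is what justifies trusting the barcode recount over the electronic one.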

  5. There was a Texas case which involved faulty chips as well in at least three voting districts — only one noticed the oddness of their outcome and traced it down, but all three districts had the same rather odd 5-digit number of votes.

  6. Companies should not develop voting software. States should develop voting software. Why should Virginia or any other state pay for a commercial company’s shabby product when their own Universities are perfectly capable of producing robust, audited voting software?

  7. Ned Ulbricht says:

    I’ve been off-handedly trying to work out a model which would tend to either support or counter your assertion that bugs are a “more likely” cause of system failure than malicious attack.

    We can define several types of system failure:
    1) An election which is wrongly awarded to a candidate. (integrity failure)
    2) An election where we do not have an acceptable level of confidence that the election has been awarded to the winning candidate. (assurance failure)
    3) An election which cannot be conducted. (availability failure)
    4) An election where individual voters choices are identifiable. (confidentiality/anonymity failure)

    In addition, if we detect a negligent or malicious failure, we may not be able to identify the perpetrator. (accountability failure)

    Part of the problem in working out a defect model for these kinds of failures is that deployed election systems do not seem to meet generally accepted engineering principles for high-reliability, mission-critical systems. For instance, if single-point failures were eliminated to a known level of confidence, then the analysis would be eased.

    Anyhow, I think this needs more work. But I am not satisfied that with properly engineered systems, the chance of failure from accidental defects is greater than that from malicious attacks.

  8. In my area we use what seems to me to be the best system. Voters use the familiar “fill in the oval with a soft lead pencil” method on a paper ballot that is clear as to which choice the oval is for. The paper ballot is then machine scanned. The “paper trail” is created by every voter, not some who bother to verify a paper record created by the machine.

  9. That’s What You Get For Trusting Privately Developed Software in an Election

    Alex over at Marginal Revolution on Florida early-voting glitches: "Please, please, no. I can’t take it again."

    The idea of using privately developed software in election is just
    plain dumb. You have no idea what’s in there — whether it’s ba