November 17, 2019

Shamos on paper trails

In an interview today with CNet, Michael Shamos talks about paper trails.  Shamos is a professor at CMU who has served as a voting system analyst for the Pennsylvania Secretary of State. In this article, a transcript of an interview conducted by Declan McCullagh, he spends a fair bit of time trashing paper trails, and by that, he’s referring to the “toilet paper roll” thermal printer attachments that are sold by the major U.S. voting system vendors.

He’s correct, to a limited extent.  He discusses a “20%” failure rate, which he probably gets from some problems in Ohio.  It’s certainly the case that these things are poorly engineered.  The ostensible reason for the continuous paper roll, as opposed to cutting the sheets individually, is that you’d have better reliability.  However, having the votes recorded in the order they were cast is a clear violation of voter privacy.  A more serious concern with paper trails is that it’s unclear whether voters will bother to double-check them at all.  I’ve pointed Freedom to Tinker readers at Sarah Everett’s PhD thesis before and it’s worth doing it again.  The punchline is that roughly two thirds of the test subjects didn’t notice when our homebrew DRE system was lying on its summary screen.  In fact, they gave our machine exceptionally high marks.  They loved it.

Shamos criticizes the EFF, VerifiedVoting, the League of Women Voters, and anybody else he can think of because they advocate for paper trails.  The preferred solution that they generally advocate is hand-marked optical scan ballots.  These appear to have better accuracy, and paper ballots are, inherently, paper trails that give us an unfiltered window into the voters’ original intent.  Don’t interpret Shamos’s criticism of toilet-paper rolls as a criticism of hand-marked paper ballots.

Shamos goes on to make a flip comparison between “ATM technology” and voting systems, saying we could have reliable paper trails if we only spent 10x the cost.  This is a very strange argument.  ATMs are expensive because they have a safe full of cash inside.  It’s important that you can’t steal the cash, even if you’ve got time and tools at your disposal.  Voting systems (at least anywhere I’ll ever be likely to vote) don’t dispense money.  Building a reliable printer doesn’t need to be expensive.

Then Shamos gets into the meat of the argument for paper trails.

I’m not advocating that we blindly trust machines. We have to have a way to make sure the (record is correct). If anything happens to that piece of paper, if it gets substituted or lost, there’s absolutely no way to reconstruct the election. that’s unlike an electronic system, which is if one memory fails you have the other.

The security on ballot boxes is much lower than the security on voting machines themselves. In order to do anything with those pieces of paper, they have to be handled by people. What do you think happens?

If I want to screw up an election, all I have to do is modify five votes. Then we have to do a manual recount (which is vulnerable to tampering and ballot-stuffing).

This is completely false.  Paper records are redundant with the electronic records, and that’s a huge feature.  That means that you can compare them, either statistically in aggregate, or even one-to-one (assuming there are serial numbers, which could cause some privacy concerns, but maybe you can obscure those in barcodes).  It’s certainly the case that missing paper votes can be reconstructed from electronic records.  When you have both, you reconcile.  If there’s ambiguity, then you need to resolve that ambiguity.  You then have a forensic problem.  If all the tamper-evident stickers and locks on the paper ballot box were disturbed, maybe you’re more likely to trust the electronic parts.  If the totals are radically divergent, you can’t tell which is more authentic, and the election is tight, then maybe the proper answer (from a scientific perspective) is to throw your hands up and say that you cannot legitimately state who won the election as a result of fraud.  This is defensible, scientifically, but it could lead to a political crisis.  Nobody ever said election administration was easy.

Doing away with the paper only does away with evidence that might help you discover fraud.  Even if you cannot come up with the proper answer, it’s better to at least know you were under attack.
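As an added illustration of the reconciliation described above (this is not code from the original post), here is a small Python model that compares an electronic record set against a paper record set both one-to-one and in aggregate. It assumes a ballot serial number shared by the electronic and paper copy of each vote, which the post itself flags as a privacy concern; the `Record` type, the verdict names and all sample records are constructed for this demo.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    serial: str    # ballot serial shared by both copies (constructed for this demo;
                   # the post notes serials raise privacy concerns, so on a real
                   # ballot they would be obscured, e.g. in a barcode)
    choice: str


def tally(records):
    """Aggregate vote counts for a record set."""
    return Counter(r.choice for r in records)


def winner(counts):
    """Leading candidate, or None on a tie or an empty tally."""
    ranked = counts.most_common()
    if not ranked or (len(ranked) > 1 and ranked[0][1] == ranked[1][1]):
        return None
    return ranked[0][0]


def reconcile(electronic, paper):
    """Compare the two redundant records one-to-one and in aggregate."""
    e = {r.serial: r for r in electronic}
    p = {r.serial: r for r in paper}
    missing_paper = sorted(set(e) - set(p))        # reconstructable from electronic
    missing_electronic = sorted(set(p) - set(e))   # reconstructable from paper
    mismatched = sorted(s for s in e.keys() & p.keys() if e[s].choice != p[s].choice)

    # Reconstructed set: the paper record where it exists, else the electronic one.
    reconstructed = [p.get(s, e.get(s)) for s in sorted(set(e) | set(p))]

    e_tally, p_tally = tally(electronic), tally(paper)
    if not (missing_paper or missing_electronic or mismatched):
        verdict = "consistent"
    elif not mismatched:
        verdict = "reconstructed"          # gaps only; totals are recoverable
    elif winner(e_tally) == winner(p_tally):
        verdict = "conflict-same-winner"   # forensic follow-up; outcome not in doubt
    else:
        verdict = "undecidable"            # divergent records name different winners

    return {
        "verdict": verdict,
        "missing_paper": missing_paper,
        "missing_electronic": missing_electronic,
        "mismatched": mismatched,
        "electronic_tally": dict(e_tally),
        "paper_tally": dict(p_tally),
        "reconstructed_tally": dict(tally(reconstructed)),
    }


def demo():
    """Constructed sample records covering the four outcomes."""
    electronic = [Record("0001", "Alice"), Record("0002", "Bob"),
                  Record("0003", "Alice"), Record("0004", "Alice")]
    clean = list(electronic)
    lost_one = [r for r in electronic if r.serial != "0003"]          # one paper ballot lost
    swapped_two = [Record("0001", "Bob"), Record("0002", "Alice"),    # two ballots disagree,
                   Record("0003", "Alice"), Record("0004", "Alice")]  # totals unchanged
    flipped = [Record(r.serial, "Bob") for r in electronic]           # paper names another winner
    return {name: reconcile(electronic, paper)["verdict"]
            for name, paper in [("clean", clean), ("lost_one", lost_one),
                                ("swapped_two", swapped_two), ("flipped", flipped)]}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `undecidable` verdict is the "throw your hands up" case from the post: the two records disagree so badly that they name different winners, and nothing in the data alone says which one is authentic. Everything short of that is either a gap that the other record fills or a conflict that needs forensic follow-up but does not change the outcome.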

The fundamental difficulty with paper trails is that they’re ridiculously kludgey. The problem is that once you mandate paper trails, it cuts off research. There would be no reason to use anything else because it would be illegal.

Speaking as somebody who does research in electronic voting, I don’t feel that laws mandating paper trails would stop me from studying alternatives.  The 2007 VVSG standards process includes an “innovation class” for how vendors can get funky fresh technologies certified for use.  The trick is to make sure that the innovation class isn’t a loophole that vendors can use for the current crop of insecure equipment.

Does that mean you’re suggesting that we should be voting from insecure home computers even if they’re running Windows 98?
Shamos: I can point you to a mechanism (in a paper by Avi Rubin and Dan Wallach) that would allow secure voting on insecure terminals. The notion that the Internet is just not secure enough to do anything important is just wrong. It’s not insurmountable. The right people aren’t thinking about it because you gotta have a paper trail.

Really?  A recent paper that I just submitted to a workshop talked about how Internet voting might work, by virtue of having remote precincts set up in places like embassies and consulates, and using dedicated voting machines.  You could send the results home over the Internet.  Voting on dedicated voting machines with an Internet connection might be workable.  Voting on Windows 98 PCs would be an unmitigated disaster.  Botnets control literally millions of computers out there.  What if you’re voting from a botnet-infested computer?  Could the botnet modify your vote?  Why not?  For these sorts of reasons, the authors of the SERVE Report, including Avi Rubin, recommended strongly against voting on generic PCs.  Shamos says that Avi and I would support secure voting on insecure terminals?  Sure.  We’ll probably be beaten by the bioengineers working on flying pigs.

Update: in private email, Shamos states that he was citing our 2003 workshop paper, “Authentication for Remote Voting”.  That paper discusses how to do bidirectional remote authentication, which would certainly be applicable to an Internet-based remote voting system.  That paper, however, offers no technique that could allow for secure voting on insecure home computers.

I say, and the advocates are forced to admit it, that there’s never been any evidence that a DRE machine has been tampered with in an election. They say that doesn’t mean it never happened. I agree with that. But I believe deeply that if people were out there trying to hack elections we would see evidence of failed attempts.

Indeed, there’s no evidence to support a lack of tampering, but that’s meaningless.  A better way to look at this is that the incredibly poor security of modern paperless electronic voting systems makes it cheaper than it ever has been before to manipulate votes.  The cost per vote for electronic manipulation is almost nil, particularly if you allow for viral attacks, where one corrupt DRE can take out the entire tabulation system (a vulnerability shown to apply to Hart InterCivic and Diebold as part of the California Top to Bottom reports from last summer).  Regardless of whether somebody has attempted an attack like this, it’s dirt cheap – cheaper than with paper, because manipulating paper takes more time and more labor.  The economic incentives are clearly in play for electronic election fraud.  The big question is whether it’s more cost effective to manipulate voters through other means (e.g., dubious television advertising, robotic phone calls, etc.).

When a bridge collapses, do we outlaw bridges or do we inspect bridges of similar design? If the design itself is fundamentally flawed, then those bridges are going to have to be taken out of service and rebuilt. If there’s a fix, however, you can add a bracing member.

Excellent point.  DRE systems from all the major vendors have been conclusively shown to be fundamentally flawed in their design.  Even if and when the vendors patch their software, the time delay to push those patches through the certification process guarantees they won’t be ready for November.  Optically scanned paper ballots are available today and they work quite well (despite known security vulnerabilities in the tabulators).  Likewise, junky toilet-paper roll printers are available today, despite known problems with their ability to print and with voters’ ability to catch mistakes.

One last point:

Please don’t use the term “paperless.” It’s a construction of the advocates and it’s false and misleading. They’re not paperless. They just don’t produce a contemporaneous paper that the voter can view.

The word “paperless” is really insidious. The word “less” is meant to imply that they’re thereby missing something. Whoever decided to come up with the term “paperless” deserves a left-handed prize for their imagination. It’s wonderful for them. Paperless.

Yes, “paperless.”  It’s a fine word.  I’ve been using it for years.  It concisely captures the lack of redundancy, the reliance on poorly engineered software, and the risky nature of using paperless DRE voting systems for something as important as a national election.

Paperless electronic voting systems can be made better, using tricks like Benaloh’s challenge mechanism, which can catch a machine, in the act, while it might otherwise be trying to corrupt the vote.  We used a variant on his mechanism in our research prototype (paper to appear this summer at Usenix Security).  Nonetheless, I really like the term “paperless” when hooked to “electronic voting machine” because it creates a burden of proof for the system designer.  You want to go paperless?  Fine.  Prove to us that your system is secure.  Without paper, we’ll assume it’s insecure until proven otherwise.
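As an added example (not code from the original post, nor from the research prototype it mentions), here is a Python model of Benaloh’s cast-or-challenge idea. A hash commitment stands in for the randomized encryption a real end-to-end system would use; the `Machine` class, its `flip_from`/`flip_to` tampering parameters, and the voter lists are constructed for the demo. The property being shown is the one the paragraph relies on: the machine must fix its encoding of the vote before it learns whether the voter will cast or challenge, so a flipped vote cannot survive a challenge.

```python
import hashlib
import hmac
import secrets


def commit(choice, nonce):
    """Binding commitment to a choice under a fresh nonce (a stand-in for the
    randomized encryption a real end-to-end system would use)."""
    return hashlib.sha256(nonce + b"|" + choice.encode("utf-8")).hexdigest()


class Machine:
    """Constructed DRE model: optionally flips every vote for flip_from to flip_to."""

    def __init__(self, flip_from=None, flip_to=None):
        self.flip_from, self.flip_to = flip_from, flip_to
        self.cast_ballots = []
        self._pending = None

    def prepare(self, choice):
        """Commit to the (possibly tampered) vote BEFORE learning cast or challenge."""
        recorded = self.flip_to if choice == self.flip_from else choice
        nonce = secrets.token_bytes(16)
        self._pending = (recorded, nonce)
        return commit(recorded, nonce)  # shown to the voter on screen or on a printout

    def cast(self):
        """Voter chose to cast: the committed ballot goes into the ballot box."""
        recorded, nonce = self._pending
        self.cast_ballots.append(commit(recorded, nonce))
        self._pending = None

    def challenge(self):
        """Voter chose to challenge: spoil the ballot and reveal the nonce."""
        _, nonce = self._pending
        self._pending = None
        return nonce


def voter_checks(commitment, intended, nonce):
    """Voter (or an independent helper device) re-derives the commitment from what
    they intended to vote; a flipped vote cannot open to the intended choice."""
    return hmac.compare_digest(commit(intended, nonce), commitment)


def run(machine, voters):
    """voters: (intended choice, challenge?) pairs. Stops at the first detection."""
    for i, (intended, do_challenge) in enumerate(voters):
        commitment = machine.prepare(intended)
        if do_challenge:
            nonce = machine.challenge()
            if not voter_checks(commitment, intended, nonce):
                return {"cast": len(machine.cast_ballots), "caught_at": i}
            # Challenge passed; the voter now casts a fresh ballot.
            machine.prepare(intended)
        machine.cast()
    return {"cast": len(machine.cast_ballots), "caught_at": None}


if __name__ == "__main__":
    print("honest:", run(Machine(), [("Alice", True), ("Bob", False)]))
    print("tampering, challenged:", run(Machine("Alice", "Bob"), [("Alice", True)]))
    print("tampering, never challenged:", run(Machine("Alice", "Bob"), [("Alice", False)]))
```

The last line of the demo is the caveat that comes with this mechanism: a tampering machine that is never challenged is never caught, so the deterrent depends on enough voters (or auditors) actually challenging, and the machine being unable to predict who will.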

Comments

  1. Many of the things you are finding objectionable don’t really seem to be what is talked about in the article. It is also out of order from the original article (I assume reordered to importance or something), which makes the clips here not make as much sense taken apart as they do together.

    For instance, in your first clipping, he makes the very good point that forcing a recount of the paper record opens the process up to tampering. The larger problems he is alluding towards are which record is the “official” record and the chaos that could ensue by modifying just a few votes and forcing the reconciliation. The point is that it causes chaos, not that you can reconcile, yet you posit that he is saying you cannot reconcile and argue against that.

    Later, he makes his point more clear: “What we really want are end-to-end verification systems. I want to be able to tell that my vote was counted. These paper trails do not provide end-to-end verification. No serious manufacturer is working on end-to-end verification. We’re not making any progress toward that end except in the theoretical journals. Why? Because the idea of paper trails has completely gummed up the works.”

    This is probably the most interesting part of the whole piece—Why didn’t you mention that? Instead, given the limited information here, you make him sound like a shill for vendors…

  2. All of this seems like an interlocking series of better-vs-good arguments. Obviously provable end-to-end verification (including a paper trail or not) would be better than a paper trail without end-to-end verification. And equally obviously, machines that produce a (not provably tamperproof) paper trail are better than machines that produce nothing but a few final numbers with no audit trail at all. And by gosh, a machine that in addition provably verified the instantaneous eligibility of voters to vote without disclosing their identity or order of voting to anyone would be better than any of those.

    The question is to what end the arguments are being deployed. Certainly hydrogen fuel-cell cars are a wonderful idea, but it was really stupid to ditch mandates to improve the gasoline-engine mileage for most of a decade just because fuel cells might eventually be even better. And given that the voting machines currently in use don’t meet even basic standards of acceptability, it seems odd to hear someone making an argument that, in effect, can be employed to perpetuate their use.

  3. supercat says:

    Electronic systems would have some significant advantages over paper, if they were designed suitably. With an electronic system, it should be possible for representatives of both parties to confirm before and after the election that machines are running the right software (with hardware interlocks to prevent the software from being modified between the two checks), and also to independently read out the results and share digitally-signed copies. Said exchange could take place less than five minutes after the election; this would thus reduce the ability of cheaters to adjust election results only as much as necessary to secure a ‘win’.

    It may be possible to enhance mechanical lever machines to offer an even better level of security, but I don’t know that such machines could be fabricated at an affordable price these days.

  4. Rick notes:
    “For instance, in your first clipping, he makes the very good point that forcing a recount of the paper record opens the process up to tampering. The larger problems he is alluding towards are which record is the “official” record and the chaos that could ensue by modifying just a few votes and forcing the reconciliation. The point is that it causes chaos, not that you can reconcile, yet you posit that he is saying you cannot reconcile and argue against that.”

    What he calls “chaos” is what the rest of the world calls “reconciliation.” He offers no justification for why the recounting process is somehow less tamper-resistant than the rest of the process. If anything, you’ve got more people nosing around in a recount, making it harder to get away with post-election tampering than you might have had with pre-election tampering.

    Rick then quotes a part of Shamos that I left out: “What we really want are end-to-end verification systems. I want to be able to tell that my vote was counted. These paper trails do not provide end-to-end verification. No serious manufacturer is working on end-to-end verification. We’re not making any progress toward that end except in the theoretical journals. Why? Because the idea of paper trails has completely gummed up the works.”

    I indeed like the idea of end-to-end verifiable elections. We’ve used a cryptographic mechanism with the sort of properties that Shamos wants in our research prototype. However, it’s incorrect to say that paper trails have in any way, shape, or form “gummed up the works.” What’s gummed up the works are vendors who, despite years of attention, have failed to produce such products. If any of the big vendors were offering a product on today’s market with these sorts of cryptographic properties, then the legislative world would be a very different place. If you speak to supporters of Holt’s bills, one refrain that you hear is that they’re keen to regulate today’s certified equipment to make sure it’s properly used, as best as possible. If and when tomorrow’s technology comes to market, then, so they would say, it would be reasonable to revisit the bills to create new laws or amendments.

    My fear is that Shamos is letting his desire for tomorrow’s products stand in the way of our need to properly regulate the ones we’re stuck with today.

  5. Charlie Strauss says:

    You are too kind to shamos!
    But on the subject of toilet paper roll printers. These things have many other flaws. One of these is that the Sequoia design allows the voter to prove his vote to a third party, making it salable. After the Sequoia prints out your vote record on the paper (really slowly) it asks you to approve it. If you don’t, it prints a rejected stamp on the paper, and then you try again. When you finally do accept it, it prints the mark of a cast ballot at the bottom, then slowly scrolls the foot-long ballot out of sight. If you took a camera-phone picture moments after the “cast ballot” imprint was visible, it’s proof of how your unchangeable ballot was cast.

    Additionally, their system is poorly thought out. Since it’s an afterthought it sits on an outrigger behind the main unit. To allow you to see it, they had to cut a hole in the metal privacy valances that surround the touch screen. Then to restore privacy they have velcro-vinyl privacy shields. The net result is the paper tape lives in an unlit cloister and can be hard to see. To then remedy that they allow for a larger font. That font doubles the vertical height of the ballot. While not noticeable on a short demo ballot, on a long ballot it means the printout that you verify has to be done in multiple pages of scrolling. You can’t see your whole ballot at once. This also means it burns through paper at twice the rate. To remedy that they introduced a lower bond paper for the printer. (And that makes it more likely to jam.)

    What a kludge. One would ridicule them more were the Diebold afterthought paper tape not even more poorly designed, right down to a cheesy dime-store magnifier and the lack of proper guides for the paper (leading to jams).

    The ES&S has its own problems.
    For example, on demo day in the security of the booth I managed to flip open the rear panel and yank out the memory card and put in my pocket. All the while talking to the ES&S rep sitting outside the booth. I then replaced it.

    These things are just duct tape and baling wire afterthoughts on security.

  6. supercat says:

    It is mind boggling how many simple ideas are not implemented. For example, how about providing locking points for standard padlocks? Each party can supply a padlock to its own supervisor; a party that keeps its own keys secure need not worry about whether people with keys to other locks are trustworthy. It would seem multiple locking points should be standard on all voting equipment. So what’s the point of using a “mini-bar” lock?

  7. supercat says:

    //The larger problems he is alluding towards are which record is the “official” record and the chaos that could ensue by modifying just a few votes and forcing the reconciliation.//

    There should be a procedure in place where voting problems that are attributable to a particular entity, and which make it impossible to determine the real winner, will result in a re-vote PAID FOR BY THE RESPONSIBLE ENTITY.

    Otherwise, one will be left with a situation like in Washington State, where the number of illegitimate votes(*) exceeds the margin of victory, and yet there’s no procedure defined to do anything about it and so the supposed victor can claim the throne. In that sort of environment, it really doesn’t matter what safeguards are included.

    (*) If there are ‘b’ ballots cast in a precinct where ‘v’ people voted, and b>v, then by the Pigeonhole Principle, there must be at least b-v ballots that do not represent legitimate votes cast in that precinct. The excess ballots may or may not be the product of deliberate fraud, but they certainly do not represent votes that are cast and counted properly.

  8. One issue that I rarely see considered in relationship to Internet voting is the importance of the secret ballot. Any “home voting” or other system that breaks this concept will seriously damage democracy.

    If someone else can watch you vote, and be sure you voted the way you say you did, opens the door to vote buying, to one spouse forcing another to vote one way (on threat of beatings, or whatever), to employers forcing employees to vote one way (on threat of firing, etc.).

  9. With respect to coercion resistance and Internet voting, you may want to check out this earlier Freedom to Tinker posting: http://www.freedom-to-tinker.com/?p=1252

  10. Can I interpret this post to mean that we should use the phrase “funky fresh” in the section of ACCURATE’s VVSG comments referring to the Innovation Class?

  11. “He offers no justification for why the recounting process is somehow less tamper-resistant than the rest of the process. If anything, you’ve got more people nosing around in a recount, making it harder to get away with post-election tampering than you might have had with pre-election tampering.”

    The recount process is more subject to tampering because there are many more people with ballot access. It’s true that more people might be watching but it is not as if they are watching all that carefully or will be able to catch everything that an attacker could do to the process. It is well known throughout history that the hand counting process is the easiest attack vector and I don’t see why he needs to go into detail about that. One common attack would be to invalidate ballots by subversively overvoting the ballots you do not like. This could be done quite successfully even on camera without anyone noticing with a small piece of lead or marker under your fingernail.

    As Bev Harris likes to point out, the longer you store the ballots the more subject they are to tampering. It is also true that the more access you give, even if you provide more oversight, the more subject the process is to tampering. You would need overwhelming levels of oversight (at least 1-2 people per person counting watching very closely everything the person is doing), and even then a clever sleight-of-hand magician could probably still tamper with the process (see: http://www.noob.us/entertainment/lady-magician-strips-down-naked-to-prove-she-has-nothing-to-hide/, note that this is not safe for work)

    Again, I think you fail to argue against the point. Which is not that it works, but that it is not the panacea that people claim it to be. This is especially true of the roll-tape printers which is the likely result of much of the proposed legislation regardless of your preferred solution (which might be worse than no paper trail at all). Instead of arguing with what is, you are arguing with your desired solution. Of course that solution is better—Shamos will probably agree with you wholeheartedly— but this is, unfortunately, not what is happening.

    “it’s incorrect to say that paper trails have in any way, shape, or form “gummed up the works.” What’s gummed up the works are vendors who, despite years of attention, have failed to produce such products.”

    There is no incentive to do so, but there is incentive for paper trails (to be ahead of the curve on the coming legislation). This is why you see so many paper-trail products. I think it is fair to say that it has gummed up the works to some degree. A mandate or financial incentive for the new technologies would have the vendors scrambling to incorporate the new technology.

    A larger problem is the monolithic certification program for voting equipment. It is impossible for a startup to get into the market without millions of dollars of money to blow away on the process with no guarantee that anyone will buy their product. Even if it gets “certified”, the certification doesn’t mean anything to the election boards, there is no metric. If anything, this has gummed up the works more than anything else. There is absolutely no reason why a printer manufacturer should not be able to create a printer that conforms to some voting standard and sell it directly to voting board.

    “My fear is that Shamos is letting his desire for tomorrow’s products stand in the way of our need to properly regulate the ones we’re stuck with today.”

    Yet, you argue for a switch to technology which many states/counties don’t use. I realize that it is a widely available product but the development of the technology itself is a minor drop in the bucket compared to the costs of retraining, voter education, deployment, etc. Legislation is dangerous because it is sometimes impossible to change. There are many examples of legislation that clearly should be changed but hasn’t been for years.

    Those last two positions are clearly arguable, so we’ll just agree to disagree.

  12. Rick wrote: “It is well known throughout history that the hand counting process is the easiest attack vector and I don’t see why he needs to go into detail about that. One common attack would be to invalidate ballots by subversively over voting the ballots you do not like. This could be done quite successfully even on camera without anyone noticing with a small piece of lead or marker under your fingernail.”

    I disagree that tampering with paper is the “easiest”. It’s certainly easier to tamper with individual ballots, but nothing beats the automation available with computers. Hart InterCivic, for example, has an “Adjust Vote Totals” feature built into its “Tally” tabulation software package. You can directly edit the totals any way you’d like. (An entry appears in a separate log, but if nobody looks at that log…) Election fraud has never before known the efficiencies of scale available with electronic voting systems.

    You would need overwhelming levels of oversight (at least 1-2 people per person counting watching very closely everything the person is doing).

    Have you ever been to a big recount? I was at the Sarasota recount in November 2006. Observers were everywhere. The people extracting votes from the machines were working in teams. It would have been relatively difficult for one person, working alone, to have tampered with anything there.

    Again, I think you fail to argue against the point. Which is not that it works, but that it is not the panacea it is people claim it to be. This is especially true of the roll-tape printers which is the likely result of much of the proposed legislation regardless of your preferred solution (which might be worse than no paper trail at all).

    I’m not sure exactly which point you think I’m failing to argue. Current toilet-paper roll tapes have a variety of problems (see Charlie Strauss’s comment for more). No doubt about that. The original Holt bill had explicit language to require “durable” records that would have forced vendors to redesign these things. The more recent “emergency” Holt bill provided money for municipalities to buy the current printers (a political compromise) or to buy precinct-based optical scanners (the preferred solution). While I’d love to be king for a day and require better printers with better paper, I understand that compromise is one of the key ingredients in how laws get written, and I feel that the “emergency” Holt bill, on the balance, is far better than nothing because it provides money that allows municipalities to buy precinct-based optical scanners.

    There is no incentive to do so, but there is incentive for paper trails (to be ahead of the curve on the coming legislation). This is why you see so many paper-trail products. I think it is fair to say that it has gummed up the works to some degree. A mandate or financial incentive for the new technologies would have the vendors scrambling to incorporate the new technology.

    Shamos’s original words were that these requirements would stifle “research”. You’re arguing that it stifles product development. Those are very different activities. Successful companies do both short-term development and long-term research, even when that research might not be immediately applicable to their bottom line.

    There is absolutely no reason why a printer manufacturer should not be able to create a printer that conforms to some voting standard and sell it directly to voting board.

    For better or for worse, our voting certification standards are built around the concept of certifying the entire system, top to bottom, software and hardware, as a single monolithic entity. Military-spec security certifications are generally done in exactly the same way, so it’s not like this is unprecedented. I agree that there would be a number of benefits for monolithic voting systems to be broken into separately certified components with standard interfaces allowing mix-and-match. The first place I’d do the split is between the voting machines and the tabulation machines. Then I’d split the software and hardware for the voting machines. Costs would drop dramatically if voting hardware was a commodity running independent software (analogy: the split between Microsoft’s software and Intel’s hardware).

  13. I disagree that tampering with paper is the “easiest”. It’s certainly easier to tamper with individual ballots, but nothing beats the automation available with computers. Hart InterCivic, for example, has an “Adjust Vote Totals” feature built into its “Tally” tabulation software package. You can directly edit the totals any way you’d like. (An entry appears in a separate log, but if nobody looks at that log…) Election fraud has never before known the efficiencies of scale available with electronic voting systems.

    All the ballots are available to you in a recount, not just individual machines. It’s not clear that the automation you speak of would be the choice in the context of a paper trail if someone really didn’t want to get caught (you’d want to do both, I guess). In any case, I was speaking historically about fully paper based systems—revise to “was the easiest”.

    Have you ever been to a big recount? I was at the Sarasota recount in November 2006. Observers were everywhere. The people extracting votes from the machines were working in teams. It would have been relatively difficult for one person, working alone, to have tampered with anything there.

    Sarasota was using paper-tapes from the machines, which are more difficult than opscan ballots to tamper with (you have to do an exact swap, you can’t mark or remove). In any case, this video I found from Sarasota 2006 is not very inspiring:

    http://www.youtube.com/watch?v=Jmp3XJEjXMU

    It takes less than a second to do a swap and it doesn’t look like team members/observers were looking carefully at everyone handling the tapes all the time. The teams raise other questions about how they were chosen.

    Shamos’s original words were that these requirements would stifle “research”. You’re arguing that it stifles product development. Those are very different activities.

    You were the one who said “What’s gummed up the works are vendors who, despite years of attention, have failed to produce such products.” — I was responding to your statement, not Shamos’. Lack of incentive also stifles research, but I think you correctly interpreted that Shamos was talking about using the research and getting it into the hands of the public sooner.

    For better or for worse, our voting certification standards are built around the concept of certifying the entire system, top to bottom, software and hardware, as a single monolithic entity. Military-spec security certifications are generally done in exactly the same way, so it’s not like this is unprecedented.

    This process has largely been a failure. Few products are certified to the highest levels of assurance, and in some schemes, none at all.

    There are many places where a well-defined standard would be straightforward, and it would improve the situation significantly.

  14. Successful companies do both short-term development and long-term research, even when that research might not be immediately applicable to their bottom line.

    This might be true in some limited way, but I wish that were more true than it is. There are many companies who are successful that do not do long-term research. There are also many companies that are successful who have cut back significantly on this long-term research. I find it to be kind of a sad state of affairs.

  15. Rick writes: Sarasota was using paper-tapes from the machines, which are more difficult than opscan ballots to tamper with (you have to do an exact swap, you can’t mark or remove).

    Not exactly. Sarasota used ES&S iVotronic systems, which lack any kind of contemporaneous paper trail. What happened during the recount was that teams of two workers would have a table piled up with iVotronics from the same precinct. They would serially unbox each one, power it up, and extract its votes onto a PEB (personal electronic ballot). Once they finished the whole precinct, they would connect a thermal printer to the serial port and print the totals from the precinct. A runner would then carry the PEB plus the printout over to somebody standing in front of a microphone before a battery of TV cameras who would then read it out.

    To the extent that you believe the iVotronic software was operating correctly (which, for the sake of this discussion, let’s assume is true), this procedure leaves relatively little room for sleight of hand, particularly with huge numbers of people wandering around and observing the process from all angles.

    (I stupidly left my camera back in my hotel room, but Kimball Brace from Election Data Services happened to be there. I had an all access pass, and he didn’t, but he brought a Nikon D2x with all the trimmings. We agreed that I’d take a bunch of shots with his camera and he’d send me a copy of the pictures. I’m still waiting for those pictures…)

  16. Look at the problems Ed Felten has been pointing out with the paper tapes from the New Jersey election. It’s far from clear what has gone wrong but in at least some cases the fault appears to be with the paper rather than with the machine internals. The result has been to cause confusion and ultimately could lead to loss of confidence in the reliability of the election results. If adding a paper trail is going to decrease rather than increase the reliability of the count, do we really want to go down that path?

  17. As I’ve pondered how to make elections more secure the concern that bubbled to the top for me was who do we set up to ensure a fair election? In my precinct the election judges are elderly volunteers. I’m confident that none of them have a degree in Computer Science. How, then, are they supposed to have an intuitive understanding of what might and might not risk vote tampering?

Even the (presumably CS Degreed) programmers who program these machines don’t seem to understand security risks judging by the results of inspections by Wallach, Felten and others.

The main reason I’ve finally concluded that optical-scan ballots are the best method is that average citizens can intuitively tell what behavior and operations might put the ballots at risk of tampering. That’s not the case with electronic systems.

    I’m surprised that this argument doesn’t appear more often.

  18. Rick writes: “The recount process is more subject to tampering because there are many more people with ballot access. It’s true that more people might be watching but it is not as if they are watching all that carefully or will be able to catch everything that an attacker could do to the process. It is well known throughout history that the hand counting process is the easiest attack vector and I don’t see why he needs to go into detail about that. One common attack would be to invalidate ballots by subversively over voting the ballots you do not like. This could be done quite successfully even on camera without anyone noticing with a small piece of lead or marker under your fingernail.”

As for the hand counting process being the easiest attack vector, that depends on your metric. If you use the required number of informed participants to alter the election result as the metric, then hand counting is far from the easiest attack vector, especially in a statewide or national election. Strange that almost two years after the Brennan Center report put forth that metric, Shamos ignores it, and no one mentions it in this comment thread.

    How many corrupt hand counters does it take in a jurisdiction to swing the entire recount? More than the one person who could, by inserting malicious software into the election management system, or into one machine in the case of many current systems, corrupt an entire county’s electronic tallies.

    Re the overvote attack mentioned in the comment quoted, come on. Even if no one noticed someone brushing her finger up against the same position on the ballot on camera, overvotes are hard to hide. Too many overvotes and people begin to wonder. And if two or more people are in close proximity as the ballots are handled, and if they represent competing political interests (parties, candidates, etc.) then you have even less chance.

    Re end-to-end verification (“with or without a paper trail”), even if this is doable, how can this be as transparent to the general electorate as paper? Verification technology has to be trusted. Paper ballots or paper trails depend on a well-observed chain of custody, but observation of this chain of custody requires no technical specialization.

  19. As for the hand counting process being the easiest attack vector, that depends on your metric.

    Elsewhere in the thread I do specify “used to be.” I apologize again for not using two adjectives to indicate the past as opposed to one.

    How many corrupt hand counters does it take in a jurisdiction to swing the entire recount? More than the one person who could, by inserting malicious software into the election management system, or into one machine in the case of many current systems, corrupt an entire county’s electronic tallies.

1, changing 3-5% in most cases, which is well under the radar and likely to be effective where it counts (some people overvote like this to signal their dissatisfaction with the candidates, and look at the numbers it took for someone in Sarasota to even notice a problem). If you managed to get people doing this in other counties during a recount, it would look “normal”.

    The more dangerous problem, and easier to exploit, is the chain of custody between the election and a possible recount. It only takes 10k to get a machine that could replicate tamper-evident seals, likely well worth it given that half a billion dollars was spent on elections in 2006. However, assuming that CoC is solid, you still have the other issues I mentioned above.

Re end-to-end verification (“with or without a paper trail”), even if this is doable, how can this be as transparent to the general electorate as paper? Verification technology has to be trusted. Paper ballots or paper trails depend on a well-observed chain of custody, but observation of this chain of custody requires no technical specialization.

    But you really achieve the protection reliably if and only if you trust all the observers and ballots are never out of their sight. By contrast, the E2E methods have significantly better security properties.

  20. It only takes 10k to get a machine that could replicate tamper-evident seals, likely well worth it given that half a billion dollars was spent on elections in 2006. However, assuming that CoC is solid, you still have the other issues I mentioned above.

And then it takes people willing to forge precinct-official signatures on the seals, and fill out entire ballots so that the non-targeted races match. It’s more work than slipping a memory card into a machine, and requires more exposure. And it takes access to enough blank ballots (assuming you aren’t going to overvote) to do the job, with a way around ballot-accounting procedures.

    But you really achieve the protection reliably if and only if you trust all the observers and ballots are never out of their sight.

    Or if you have video surveillance of ballot storage when there are no eyes directly on the ballots. And/or the locks to ballot storage areas made accessible only by keys held by members of multiple political parties, and others – police, civic groups?

    By contrast, the E2E methods have significantly better security properties. If you say so. But insider fraud will always be a potential concern, and presumably E2E systems would be used across jurisdictions, reducing the number of informed participants required to change an outcome.

    I assume that as long as there have been elections there have been many people with the means and motive to commit outcome-changing fraud. And that there always will be such people, and that election integrity will always involve an “arms race.”

You describe problems with paper ballots as old as elections. But every fraud scenario you describe with paper ballots requires localized fraud, something that our democracy has been able to survive for centuries, and a problem remedied by stronger citizen oversight, and stricter procedures, such as ballot accounting and hand-count audits that begin very soon after an election.

people willing to forge precinct-official signatures on the seals, and fill out entire ballots so that the non-targeted races match. It’s more work than slipping a memory card into a machine, and requires more exposure.

    Signatures are never checked—even if they were they aren’t very checkable to begin with. Also, exit polls/the most recent poll could give you plenty of time to make a convincing result for the other races. Remember, you are only swapping the small percentage you need, not all of them.

    But insider fraud will always be a potential concern, and presumably E2E systems would be used across jurisdictions, reducing the number of informed participants required to change an outcome.

This is actually what E2E is designed to address, among other things… It would substantially increase the number of informed participants and resources required.

But every fraud scenario you describe with paper ballots requires localized fraud,

    The scenario w/ machines is worse but not significantly different. The danger here is that we are comparing the best with the worst. The truth is far less comforting. Switching back is not going to automatically get all the properties and oversight we are talking about here.

  22. Elsewhere in the thread I do specify “used to be.” I apologize again for not using two adjectives to indicate the past as opposed to one.

    two *words*, technically the first was a noun… It is amazing what the mind thinks and what the fingers can type sometimes.

  23. supercat says:

    //How, then, are they supposed to have an intuitive understanding of what might and might not risk vote tampering?//

    Each party supplies its own election judges with equipment and procedures that will verify the integrity of the election equipment being used. Parties might appoint experts to monitor certain precincts and X-ray the equipment, but for the most part the procedure would be:

-1- Each voting machine uses memory cartridges: a ‘code/parameters’ cartridge and a ‘cast ballot’ cartridge. The cartridges have a ‘read/write’ port and a ‘read-only’ port, and are constructed in such a way that the former may be locked via multiple tamper-evident seals.

    -2- After the ‘code/parameters’ cartridge is prepared for an election, the read/write port is sealed. Each party’s election judge will then insert the cartridge (read port) into their equipment to verify that it contains exactly what it is supposed to.

    -3- Once the ‘code/parameters’ is prepared for an election, it will be installed into the voting machine, and tamper-evident seals put in place to ensure it is not removed until after the election. The voting machine’s hardware will be designed to only permit code execution from that cartridge.

    -4- Next, the ‘cast ballots’ cartridge will be erased and then installed in the machine, again with tamper-evident seals. The code/parameters cartridge should indicate on screen that it is properly blank.

    -5- At the end of the election, election judges will examine the seals to ensure both cartridges remained in the machine, and will then seal the ‘read/write’ port on the ‘cast ballots’ cartridge.

    -6- Once that port is sealed, each party’s judge will use its reader equipment to make a copy of the ‘cast ballots’ cartridge. The judge will then insert a standard USB memory stick or other such device into its reader, which will store to it a digitally-signed copy of the ballot cartridge. The judges will then exchange these sticks.

    -7- The judges will then put the sticks given by the other judges into their own machines, which will verify that they indeed contain copies of the ballot signed with the other party’s judge’s signing key.

    No fancy computer expertise required for the election judges. The only practical attacks I can see would be:

    -1- Sleight of hand substitution while handling the original ballot cartridges. Should be made somewhat difficult with quality seal materials.

    -2- A voting machine built from fake (rigged) chips. Should be detectable via X-ray.

    -3- Having people vote illegitimately. Can happen independent of voting medium.

    -4- Overt non-cooperation (e.g. a party refusing to give the other party a copy of the ballot bearing its own signature). Policy will have to dictate what happens then.

    -5- Betrayal of a party by its judges. If a party can’t trust its own officials, no level of procedural safeguards will protect it.

    The key point is that if a party’s own judges are trustworthy and are watchful enough to prevent sleight-of-hand games, a good electronic system should be pretty secure. Too bad nobody seems interested in incorporating the security features that would make it so (e.g. hardware write-proofing, and prevention of code execution from unauthorized sources).
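The cross-signing exchange in steps 6 and 7 of supercat’s procedure, as an added example in Go that is not from the original comment: each party’s reader signs its copy of the sealed ‘cast ballots’ cartridge, and the other party’s judge accepts the exchanged stick only if the signature verifies under that party’s key and the image matches the judge’s own reading. Ed25519 keys per party, a SHA-256 digest of the cartridge image, and the precinct ballot bytes are all constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedCopy is the constructed contents of the stick handed over in
// step 6: the cartridge image plus the exporting party's signature.
type SignedCopy struct {
	Party   string
	Ballots []byte
	Sig     []byte
}

// ExportCopy implements step 6 for one party's reader: copy the sealed
// cartridge image and sign its SHA-256 digest with the party's key.
func ExportCopy(party string, cartridge []byte, priv ed25519.PrivateKey) SignedCopy {
	img := append([]byte(nil), cartridge...)
	d := sha256.Sum256(img)
	return SignedCopy{Party: party, Ballots: img, Sig: ed25519.Sign(priv, d[:])}
}

// VerifyExchanged implements step 7: the stick from the other judge must
// carry a valid signature under that party's public key AND the same
// ballot image this party read from the cartridge itself.
func VerifyExchanged(got SignedCopy, otherPub ed25519.PublicKey, ownRead []byte) bool {
	d := sha256.Sum256(got.Ballots)
	if !ed25519.Verify(otherPub, d[:], got.Sig) {
		return false // wrong key, forged, or altered after signing
	}
	return bytes.Equal(got.Ballots, ownRead) // both parties' copies must agree
}

func main() {
	// Constructed demo: two parties read the same sealed cartridge.
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	cartridge := []byte("precinct-07:ballot-image-v1") // constructed placeholder
	fromA := ExportCopy("A", cartridge, privA)
	fromB := ExportCopy("B", cartridge, privB)
	fmt.Println("B accepts A's copy:", VerifyExchanged(fromA, pubA, cartridge))
	fmt.Println("A accepts B's copy:", VerifyExchanged(fromB, pubB, cartridge))
	altered := fromA
	altered.Ballots = []byte("precinct-07:altered")
	fmt.Println("B accepts altered copy:", VerifyExchanged(altered, pubA, cartridge))
}
```

The image comparison is what catches a stick that is validly signed by the other party but describes a different cartridge than the one this party read.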