(Cross-posted at the Computing@Rice blog at the Houston Chronicle.)
Back in late August, Harris County (Houston)’s warehouse, with all 10,000 of our voting machines, burned to the ground. As I blogged at the time, our county decided to spend roughly $14 million of its $40 million insurance settlement on purchasing replacement electronic voting machines of the same type destroyed in the fire, and of the same type that I and my colleagues found to be unacceptably insecure in the 2007 California Top-to-Bottom Report. This emergency purchase was enough to cover our early voting locations and a smattering of extras for Election Day. We borrowed the rest from other counties, completely ignoring the viral security risks (malicious code carried from one county’s equipment to another’s) that come with this mixing and matching of equipment. (It’s all documented in the California report above. See Section 7.4 on page 77. Three years later, and the vendor has fixed none of these issues.)
Well, the county also spent the money to print optical-scan paper ballots (two sheets of 8.5″ x 17″, printed front and back), and when I went to vote this morning, I found my local elementary school had eight eSlate machines, all borrowed from Travis County (Austin), Texas. They also had exactly one booth set up for paper ballot voting.
After I signed in, the poll worker handed me the four-digit PIN code for using an eSlate before I could even ask to use paper. “I’d like to vote on paper.” “Really? Uh, okay.” Apparently I was only the second person that day to ask for paper and they were in no way making any attempt to give voters the option to vote on paper.
How did it work? They had a table with three blank ballots (each a stack of two sheets of paper), of which I could choose one. Both sheets shared a long serial number in the left column, which appears to serve two functions. First, it allows the two sheets to be kept together (notably, allowing the straight ticket voting option on the first sheet to apply to the second sheet). Second, these serial numbers, by virtue of being large and hopefully random, would act to prevent ballot stuffing (assuming the county kept records of which numbers were valid, so that a ballot bearing an unissued number could be rejected). There was also a signature from one of the poll workers at the bottom of the ballot, which I presume to be a further anti-ballot-stuffing measure.
I was handed a Bic pen and pointed to a rickety standing table with a privacy partition. At the same time, my wife voted on a standard eSlate. I decided to ask a poll worker the question of how a straight ticket on the first sheet would apply to the second sheet. The first poll worker, who was operating the eSlates, said “sorry, I was only trained on the eSlates” and made me wait until the head guy came over. The head guy then proceeded to give me an extended tutorial in the ways of our straight ticket system, requiring me to interrupt him and say, “yeah, but all I want to know is how my tick of the straight ticket box on the first sheet is carried over to the second sheet.” We ultimately concluded that it must be due to the matching serial numbers.
Anyway, despite all this fun and excitement, I still managed to finish my ballot a solid minute faster than my wife. Also, by that time, a queue of maybe six people was waiting to vote while all the eSlates were busy. I asked the poll workers at the sign-in table if they were planning to offer paper ballots to anybody in line and they looked at me as if I were insane. I also mentioned that I finished voting faster than my wife and one poll worker went as far as to say “don’t tell anybody!” as if that might (gasp!) cause people to want to vote on paper.
What’s going on here? I blame our lame-duck election administrator, who has been urging voters to use the eSlate, and doing her best to ignore the paper ballot option that she was compelled to offer as a consequence of the warehouse fire. If there’s no emphasis on paper, from the leadership on top, one could hardly expect poll workers to behave any differently.
What’s happening next?
One way or another, Harris County will have a new elections administrator after our incumbent one retires, and the next one will be responsible for rebuilding our election systems. Curiously, Travis County recently announced that they’re retiring their eSlates after the 2012 election, replacing them with paper ballots that are scanned in the precinct. This gives Harris County the chance to buy their used gear at a fraction of the price of new equipment, should we choose to go that route, or we could instead follow Travis County’s lead and ditch our eSlates entirely (save for keeping one in each precinct for accessibility purposes). Either way, we would save literally millions of dollars, relative to the costs of purchasing new eSlates from scratch, and of course the new paper ballot systems are more secure and (gasp!) faster and easier to use.
Sidebar: Are these paper ballots really private?
The Texas Election Code actually has a requirement that ballots be “numbered”, which I understand is generally taken to mean that there must be mechanisms in place to prevent tampering and ballot stuffing. (You would require a very broad interpretation of that statute in order to have allowed traditional lever voting machines, used widely in Texas prior to 2000, where there is nothing approximating individual ballot numbers in the machine.) The sparse and hopefully unguessable serial numbers on our paper ballots appear to follow the letter of the law as well as offering the ability to have ballots larger than a single sheet of paper. That’s the good news, but let’s consider what it would mean in the case where somebody was attempting to bribe or coerce my vote and they had access to the output of the central ballot scanner, which presumably includes these ballot numbers.
Of course, the poll worker who puts out the blank ballots can track who gets which ballot. Furthermore, I could simply write down my own ballot number. Because these numbers are sparse, and thus hard to guess, I could not make one up: somebody bribing or coercing me who checked my number against the scanner output would have serious leverage on me if the number I produced were invalid, or were attached to the wrong vote. If I sneakily remembered one of the other two ballot numbers from the table, I could present my coercer with one of those numbers instead, but then I would have no knowledge of how (or even if) that other ballot was cast, and could thus get in trouble with my coercer.
How can this coercion risk be mitigated? One simple option is to render the ballot numbers only as barcodes. Very few of us can visually read a barcode, much less the newer two-dimensional barcodes. So long as we ban smartphones or other cameras in the booth, we’re in good shape against a voter who wants to carry the number out. Note that this only closes the channel where the voter is the witness; it does nothing about the poll worker who hands out the blanks and can still scan or track which number each voter received. Concerned voters or auditors who want to ensure the same number exists on both ballot sheets could hold them up to a bright light, lining them up together, to make sure that they match.
Oh, and ballots aren’t private with the current eSlate either. See the California report, linked above, “issue 25” on page 58. See also Section 7.1 which starts on page 72.
Georgia state government has battled in court to be able to require a photo ID of every voter who goes to a polling place to vote. Most often the ID presented is a driver’s license.
On 11/02/10, when I presented my driver’s license before voting in Cobb County, Georgia, I was surprised that a poll worker scanned the bar code of my license before handing it back. I’m still trying to figure out the implications of such scanning for privacy and security.
Despite the misgivings I have for my native country, I do believe that the French counting method is the best I have encountered so far. The ballot boxes are opened in a public area (usually a school or city hall). Then, the counting is performed by volunteers (pulled from the crowd right then and there) in front of anyone who cares to attend. And people do attend. Few stay for the entire time, but there are pretty constantly a couple of people in attendance. The paperwork is again filed in front of everyone. Also, there is usually a rep from each party present. Amusingly, if you are a volunteer at the polling place, you legally have a right to receive a copy of the source code of the voting machine if that place uses voting machines (still rare).
Regarding your issue on using unique serial numbers for coercion, there is a solution offered by electronic voting. You could have an option to cast a “coerced” ballot. If you selected that option, you would be able to cast a second vote. After that second vote, the machine would calculate and cast cancellation votes. So, for instance, if you were coerced into voting for the Democratic candidate, the machine would allow you to do that (after or before your “real” vote), provide you evidence of your voting for the Democratic candidate, and then cast a vote for every other candidate, cancelling out your coerced vote. There would be no way for the person coercing you to check that.
What is the point of a clear paper trail and scanning if the scanning machines were to run software/hardware that cheats and never allows the totals to lead to a condition for a recount?
A manual count should always be done even if this official count takes a full month or more using volunteers.
I also think that recounts should be done in a central location where enough safety precautions can be taken.
Without a manual count, you’d need at least 2 machines from different vendors doing every single vote with all differences between these machines resulting in manual counting. You would also have to hope these two vendors are not coordinating. This system would have a statistical likelihood of failure, but it could be very low if the machines independently are of high quality (the problems, which might roughly even out anyway, would be if both made a mistake at the same time and yielded the same wrong result; hopefully a very small percent probability times another small percent to give a much smaller probability of this happening).
Perhaps as a substitute, we can require that independent teams use a trustworthy FOSS distro and build from source the voting software. Hash sums are taken of these parts and put together into a new distro. That iso value is hash summed and the distro (eg, on a thumbdrive) is distributed to all machines. The machines should be COTS. We boot to that distro after verifying before witnesses that the thumbdrive at that time still matches the hashes taken at the time of build (by independent parties). We boot, install the distro, and test. These tablets get used to vote (having spent the days after the installation and testing locked somewhere safe). To add the votes, we have a team of independent parties call out the count totals one machine at a time. Everyone there can grab those figures and add things up themselves, and publicly online.
While there are many ways to cheat physically, I will perhaps never trust a single electronic machine system. [An electromagnetic signal near the date of voting can cue the machine to run that other set of instructions. By the time this signal comes in, it’s known well which key you want to favor. And the code can be run off hardware so that if software were to be reinstalled, it would still achieve the same effect (if the software was the expected software). You only need to manipulate the proper memory locations, etc.]
Electronic is good in saving time and removing some degree of tampering, but the protocol must be secure, preferably also using machines that have a high likelihood of running good software (FOSS on COTS). Also, if the machines fail, we need a paper trail as backup, on a per machine basis (so a printout is made, the voter verifies and drops it off in a slot behind the machine).
Some other ideas: have the machines submit a hashed file through the network. This gets verified when the machines are delivered (with their bags of paper slips), but it should work to raise the bar to cheating. In fact, the machines can keep an open TLS/SSL connection with the central server throughout the entire day. Any machine losing contact results in an alarm going off (and if necessary a phone call) followed by a physical check. If the machines are not trusted on an individual basis, then avoid this unless you filter and record all network traffic. (Of course, encrypted e&m transmitter in the bowels of the machine might be transmitting already).
Cheating can be done in many ways. We have probably already caught some of the more sloppy cases (and people still don’t learn), but there will be a constant effort to game the system.
[When I voted, entering the paper into the machines was not the bottleneck, so why not have 2 independent vendor machines jot the votes (and serial ids to verify the corresponding votes matched) and the paper go into a separate box?]
I chose paper. I write a lot of software and know a lot of people that write software. I wouldn’t trust the code used for such an important task unless it was open for inspection.
That’s not to say I’d expect voting machine software to be “open source” but I think if it is to be used in our national elections, the source code should be openly available for inspection. This would very, very quickly tease out most of the bugs, plus it would expose who is doing things right, and who isn’t. Regarding that old problem of putting people in the wrong category during primaries… how does one screw that up? I mean really, this can’t be complicated. Plus, for such absolutely mission critical code, there are methods for exhaustively testing code (especially when the code isn’t that complex).
…of course, even then, I’d probably still pick paper, if for no other reason than the clear paper trail.
I do not know why US paper ballots always seem to be so bizarrely large. Every time I see an article about paper voting in US elections, I see people holding HUGE (think at least A3-sized, perhaps even A2 or bigger) sheets of paper. Is that really the ballot?
Here in Brazil, before we started using electronic voting machines (and it is probably still the same in the backup paper voting system used when they break down and there is no backup machine available), they were always smaller than a single A4 sheet (around half an A4 sheet if I recall correctly). You marked your candidates on a single side. If I recall correctly, for things like president or state governor, there was one checkbox for each; for others, you wrote the candidate number, or the party number if you wanted to vote for a party; the first two digits of the candidate number are always the party number. After you were done, you simply folded the paper ballot in half (hiding the side you marked) and put it in the ballot box.
In the electronic voting machines, you just type the candidate numbers in sequence (for president/governor the candidate number and the party number are the same, since they are only two digits long).
Canadian, not from the U.S. here, but my understanding is that:
A) in the U.S., all levels of government from municipal to federal are voted on at the same time, and
B) in the U.S., a lot of things are voted on that aren’t voted on in most other countries.
So you can end up with a ballot that includes city councillors, the local sheriff, the state governor, the district attorney, the regional congressman, the state senator, and various local ballot issues and propositions, all on the same ballot.
A good chunk of point ‘A’ dates back to the original U.S. which had a lot of spread-out settlements and where, for many people, voting meant most of a day each way to travel to the nearest town.
The Hart system has the capacity to disable the serial numbers and not print them on the ballot. I believe it also has the capacity to only print the serial number in barcode form, omitting the digits (though I believe it’s a 1-D barcode). However, I was given a different rationale for the existence of these serial numbers: I was told that it was to help prevent counting a ballot twice, if it gets accidentally scanned two times.
California bans serial numbers on ballots. California election law states that all blank ballots of a particular ballot type must be identical (thus, no serial numbers). Thus, California mandates that the Hart system be configured in a way that disables the serial numbers.
Your suggestion of printing the serial numbers only as a barcode seems like a reasonable mitigation to me.
I’m curious what the Texas election code says on ballot secrecy. Does it require ballot secrecy? If so, is there a contradiction in the election code, where it requires ballot secrecy in one place and in another place introduces a requirement that is inconsistent with ballot secrecy?
> I was told that it was to help prevent counting a ballot twice,
> if it gets accidentally scanned two times.
It’s obviously possible to attain this in a better way by inventing a robust watermarking system which includes a secret key which (hopefully) is only known to the scanning system (thus making the watermark value useless for the purpose of matching a ballot with a voter, since the corrupt election worker cannot compute the value even with full information about the ballot itself).
OTOH, my jaw would probably dislocate if the manufacturers of evoting equipment would manage to get to this level of cluefulness (on the algorithmic level).
> Your suggestion of printing the serial numbers only as a barcode
> seems like a reasonable mitigation to me.
I think that all three of us should be a bit embarrassed that we didn’t immediately think of the following trivial fix: have the central scanning machine never output the serial number itself, only a (secretly) keyed cryptographic hash of it.
> I think that all three of us should be a bit embarrassed that we didn’t immediately think of
> the following trivial fix: have the central scanning machine never output the serial number
> itself, only a (secretly) keyed cryptographic hash of it.
I don’t understand what problem this solves or how it solves that problem. (Yes, I know plenty of crypto; that’s not the issue.) Want to elaborate? The secrecy problem Dan Wallach explained manifests even if ballots are never scanned: a malicious poll worker can note the serial number on the ballot handed to Alice, then later pick out Alice’s ballot from the pool of voted ballots (if the malicious poll worker has access to those ballots after the election) and determine how Alice voted.
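The scheme discussed in the sidebar of the post (sparse serial numbers as an anti-stuffing and double-scan check, and the coercion channel they open) and the keyed-hash proposal and its rebuttal in the two comments just above can be modelled in a few dozen lines. What follows is an added example written for this page; it is not code from the post, from any commenter, or from Hart. The 64-bit serial space, the county registry, the HMAC-SHA256 output, the names and the sample votes are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Added example, not code from the post or its comments. Everything below
# (serial width, registry, HMAC output, sample votes) is a constructed model.

SERIAL_BITS = 64


@dataclass(frozen=True)
class Ballot:
    serial: int        # printed on both sheets so they travel together
    choices: tuple     # the voter's marks, e.g. ("straight ticket: A", "Prop 1: yes")


class BallotRegistry:
    """The county's record of which serial numbers were actually printed."""

    def __init__(self):
        self.issued = set()

    def print_blank(self) -> int:
        serial = secrets.randbits(SERIAL_BITS)   # sparse: ~1.8e19 possible values
        self.issued.add(serial)
        return serial


class CentralScanner:
    """Counts ballots; optionally hides the serial in its output behind an HMAC."""

    def __init__(self, registry: BallotRegistry, output_key: Optional[bytes] = None):
        self.registry = registry
        self.output_key = output_key
        self.seen = set()
        self.output = []   # (identifier, choices) rows as released to observers

    def identifier(self, serial: int):
        if self.output_key is None:
            return serial                        # raw serial, as the post assumes
        return hmac.new(self.output_key, serial.to_bytes(8, "big"),
                        hashlib.sha256).hexdigest()

    def scan(self, ballot: Ballot) -> str:
        if ballot.serial not in self.registry.issued:
            return "rejected: serial never issued"      # a stuffed (forged) ballot
        if ballot.serial in self.seen:
            return "rejected: already counted"          # fed through the scanner twice
        self.seen.add(ballot.serial)
        self.output.append((self.identifier(ballot.serial), ballot.choices))
        return "accepted"


def stuffing_success_probability(n_issued: int) -> float:
    """Chance that one guessed serial happens to be a valid, issued number."""
    return n_issued / 2 ** SERIAL_BITS


def coercer_lookup(scanner_output, serial: int):
    """Coercer holds the released output and the serial the voter wrote down,
    but not the scanner's key, so can only match rows on the raw number."""
    for ident, choices in scanner_output:
        if ident == serial:
            return choices
    return None


def poll_worker_lookup(voted_ballots, serial: int):
    """Insider with the physical ballots matches on the printed serial directly;
    a keyed hash in the scanner output does nothing for this case."""
    for ballot in voted_ballots:
        if ballot.serial == serial:
            return ballot.choices
    return None


def run_election(hide_serials_in_output: bool) -> dict:
    """Constructed scenario: Alice votes, an attacker tries to stuff a ballot,
    Alice's ballot is scanned twice, then a coercer and an insider each try
    to learn her vote."""
    registry = BallotRegistry()
    table = [registry.print_blank() for _ in range(3)]   # three blanks on the table
    alice = Ballot(table[0], ("straight ticket: Party A", "Prop 1: yes"))
    forged = Ballot(secrets.randbits(SERIAL_BITS), ("straight ticket: Party B",))

    key = secrets.token_bytes(32) if hide_serials_in_output else None
    scanner = CentralScanner(registry, key)
    return {
        "alice": scanner.scan(alice),
        "forged": scanner.scan(forged),
        "alice_again": scanner.scan(alice),
        "guess_probability": stuffing_success_probability(len(registry.issued)),
        "coercer_sees": coercer_lookup(scanner.output, alice.serial),
        "insider_sees": poll_worker_lookup([alice], alice.serial),
    }


if __name__ == "__main__":
    for hidden in (False, True):
        print("keyed output" if hidden else "raw serials", run_election(hidden))
```

With raw serials in the scanner output, `coercer_lookup` recovers Alice's vote from the number she wrote down; with the keyed hash it cannot, which is the point made in the comment proposing the hash. `poll_worker_lookup` recovers it from the physical ballots in both runs, which is the objection in the reply: the hash only protects the released output, not the serial printed on the paper. The forged ballot is rejected because its serial was never issued, and the odds of guessing an issued one are about 3 in 2^64.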
It’s amazing how much better paper ballots with the on-premise scanner seem to be. I was given a choice in Virginia and chose paper. They had 4 privacy booths and one scanner and I was out much faster than the people waiting in line for the WinVote, or whatever the electronic ones are called.
I saw the real strength of paper in the 2008 presidential election. They had 14 cardboard privacy booths for paper voting and about 6 electronic voting machines. Once you checked in, there was no wait for paper, but the electronic machines seemed to have quite a line. Other than for accessibility reasons, I don’t understand why anyone would choose the electronic voting systems.
This is even ignoring the very significant security reasons to have a paper trail. I still think that electronic voting systems should be required to print out a filled-out ballot that looks like the ones that people are filling out (and is scanned in the same scanner). That gives you accessibility, plus the ability to confirm your own vote, plus a paper trail.
My state (Hawaii) has had the eSlate as an option for a couple of cycles. In my precinct there is one eSlate machine provided and one optical scanner. There are about 20 booths for marking the paper ballot for optical scan. While I was there, there was no line for the eSlate and about 2-3 in line for pushing the paper ballot through the optical scanner (and at a quick glance maybe half the booths were occupied when I went in). There is no “straight ticket” option here, so that isn’t an issue. I’m not sure what all the optical scanner will detect, but it will at least alert on an “over vote”, and it is permitted, at the voter’s option, to invalidate the ballot and re-vote. There are a number of non-partisan races in which you can vote for more than one candidate.
Hawaii also offers early voting at centralized locations, and for this the eSlate is required, supposedly to allow for setting the proper district/precinct ballot options, which it is said would be too hard to manage with paper optical scan. I don’t like the eSlate myself; aside from technical issues, I don’t find it very private (law allows an assistant for a voter, and there isn’t a good way to do that with the eSlate), and considering you get about 5 minutes with the user interface only a couple of times an election cycle, it isn’t that user-friendly.
In Hawaii we typically have most problems with optical scan in primary elections, as Hawaii is an open primary state, so the ballot is sectioned off into party areas and a non-partisan area that everyone votes. It’s up to the voter to determine in the booth which (if any) party to vote, but you can only vote in one party’s section. This year (seemed to be the first time in my memory), besides the party sections there was an “overview” area where you selected a box for party. I assume this was designed to help identify voter errors, as if the voter picked one party but then voted in a different party’s section, that could be trapped by the scanner.
You mention that centralized locations require the eSlate. This isn’t strictly necessary. Many vendors, including the maker of the eSlate, offer “ballot on demand printing”, where a laser printer produces a ballot just for you when you walk in the door and present your credentials. When my parents voted early in Florida, this is how it worked for them.