Reacting to our report about their AccuVote-TS e-voting product, Diebold spokesmen are claiming that the machines are never networked. For example, Diebold’s official written response to our report says that the AccuVote-TS “is never attached to a network” and again that “These touch screen voting stations are standalone units that are never networked together.” This is false – AccuVote-TS systems are designed to be networked.
The Diebold manual that came with our machine explains how to network AccuVote-TS machines. The manual is called “AccuVote-TS User’s Guide: GEMS Touch Screen Client 4.1”, revision 1.0. In section 8.5, “Transfer Results”, the manual explains,
Results [of elections] are transferred are [sic] by means of a TCP/IP network connection, either directly, by modem or ethernet.
[…]
Representative tests of all results transfer configurations should be performed in the process of election configuration, including transmissions by direct, modem, or ethernet connection.
Touch the Transfer Results button in order to activate the Transfer Results Window… Enter the network host name in the Host Name field using the [keyboard]. Enter the network user Id in the User Name field and the network password in the Password field.
Other sections of the manual contain similar text describing the transfer of election results over a network.
Appendix E of the manual lists “[s]upplies required and recommended for AccuVote-TS system operation, maintenance and logistical support”. The list includes “network cards” and “ethernet cabling”.
Diebold’s insistence that the voting machines cannot be networked is especially odd given that the conclusions in our report don’t rely in any way on the use of networking – even if Diebold’s no-networking claim were true, it would be irrelevant.
The silent PIN is provided to everyone, but only used by those under coercion, thus the system is simple for the majority of people (common case).
Everyone can be required to collect their credentials in person, and given the option to renew them in person on occasion. One can then say that polling stations are facilities provided to new voters or existing voters without convenient access to web terminals (or even those demanding to vote in person).
So yes, whilst we still require to associate the vote with a person (rather than a tax paying identity say), then their physical body must visit an authority (or exchange accreditation with their physical fellows). So we still need polling stations of sorts.
And yes, we still need them, so that people’s inclinations can’t be inferred from where they vote, i.e. the moment such inference is attempted people need to be free to reassert use of demonstrably private/uncoerced facilities – with a plausible excuse provided, e.g. random renewal period, re-issue of PIN, etc.
So I’m with you on all the issues you raise, and though I’m sure there are many flaws in my off-the-cuff suggestions for solutions, I still remain unconvinced that a computerised distributed system is impossible.
IIRC, Fake PINs are sometimes used for ATM cards, to trigger an alarm if coerced to withdraw money. Alternate encryption keys were used in WWII to warn Allied intelligence if a message was sent under duress.
To use this technique for voting privacy, it has to be simple enough for the average case voter, and somehow you have to give him/her the PIN securely. There can be no way for me to easily prove which PIN is the real one, so no mailing me a card. If I forget the number I need a secure way to get it again. Multiply this by a hundred million people.
Alternately, you can just require people to go to a balloting station to vote, and benefit from the physical privacy that is so hard to simulate.
See, what really matters here is the common-case balloting. The privacy of traditional balloting can be circumvented, but it is private by default. This is crucial to prevent widespread coercion.
Indeed, privacy must be thrust upon you against your will. Suppose for example that you can either vote in a balloting station or from a public computer. Under this arrangement, choosing privacy leaks information about your vote. In Pre-WWII Germany, people could vote publicly or by secret ballot, and the Nazi party used this to intimidate voters who would opt for the secret ballot.
How about a silent PIN where invalid PINs enable any number of apparently genuine votes, but ones that will all ultimately be ignored? Only the vote registered with the correct PIN will actually count.
This is certainly a tricky problem, and I was being mischievous when I said it wasn’t rocket science (a bit of a shibboleth), but I’d still back the horse called ‘possible’ rather than the one called ‘impossible’.
“Why not develop a highly secure way of enabling all US citizens to anonymously express an opinion via any web browser at any cybercafe?”
Because this is, by definition, impossible.
If voting is allowed from a web browser in any cybercafe, then how do you make sure that a voter isn’t being coerced, that a second person isn’t watching the screen while he/she votes? The answer: you can’t.
To prevent bribery and coercion, a voting system must be designed so that I can’t prove how I voted after I’m done, without going to considerable trouble. This is why it must take place at designated balloting stations, where people will notice if you peep into the voting booth.
And yes, there are ways around this, from taking a photo inside the ballot booth, to filling out an absentee ballot. But practically there is a huge difference between this, and a voting system that lets every man in the country watch his wife as she votes.
Not exactly rocket science now is it?
Actually, designing a distributed secure election using bits is pretty difficult.
the_zapkitty Says:
(…following up after further research triggered by an interesting article that came out last night…)
Gabriel Said:
“Well, in at least one field Brazilian tech surpasses yours: We are going to our 6th election on electronic machines, and no fraud was witnessed.”
Yet… 🙂 Or rather, no one’s noticed it yet.
“It’s a very simple system, and it’s not networked.”
Actually, it is networked. Shouldn’t be surprised… after all, they are Diebold systems 🙂
“For security reasons, all votes are printed, if a double check is needed.”
Actually, no go. It seems the printouts you speak of are generated by the same machines that would be tampered with in a worst case scenario… so the “printed votes” are utterly worthless if a node of the network has been subverted.
http://www.technologyreview.com/read_article.aspx?id=17563&ch=infotech&sc=&pg=1
“Paper receipts that appeared behind glass — so voters could confirm their choices but not walk off with the evidence — were tried on 23,300 machines in 2002, with plans to install them nationwide two years later. But the machines’ maker was resolutely opposed to this system, and the tribunal decided to rely instead on “ballot box bulletins.” (emphasis zapkitty) These bulletins — printouts of each machine’s overall votes, made after the polls close — serve as a backup record of the tallies transmitted electronically over a secure network. But they can’t show whether a programming flaw or malicious hack deleted or changed votes inside the machine before the printout was made, computer scientists say.”
As noted, the name of the vendor is familiar… as is the attitude:
“Brazil’s machines are made by Diebold Procomp, the Brazilian subsidiary of Diebold Inc., of North Canton, Ohio, which also makes many of the voting machines now used in U.S. elections. And Diebold has said that voters should trust its equipment, more than any paper record, to deliver fraud-free elections.”
And this gem from Diebold:
“The more you introduce paper into a voting system the more you introduce the possibility of fraud,” said Michael Jacobsen, a Diebold spokesman. “Electronic voting is the most accurate and secure voting that is out there.”
And then Diebold is caught lying with regards to their US systems, and then lying some more, and then lying yet again.
Now, it is very true that Brazil has paid much more attention to the problems involved with e-voting than the U.S. has, and that’s very much to Brazil’s credit… and our shame.
But you seem to have been infected with the strange “faith in flawless e-voting” that Diebold seems to promulgate, if not downright proselytize, wherever they go… and given the exceedingly weird Diebold hijinks and deception that have been ferreted out here in the U.S., verified, ferreted out again, and verified yet again… Brazil just might want to look again at some of their starting assumptions regarding their e-voting systems.
Certainly, quite a few computer scientists in Brazil are doing just that.
A story at Engadget claims that in Maryland, Diebold said it was mystified: “why some units failed to communicate properly with one another …”
If the quote is accurate, it should not be a surprise to Diebold that their systems are networked or connected.
Here’s the link
http://www.engadget.com/2006/09/27/diebold-makes-its-e-poll-book-software-glitch-free/
If it comes down to an argument between you who say “non-gameable systems are not possible” and me who says “transparently, demonstrably accurate voting systems are required and possible”, we aren’t necessarily at an impasse.
I think the latter will suit our purposes most adequately. The former is a red herring.
It’s true that I think that it is not possible to create a non-gameable system, whether electronic or paper. What you need to do is make it harder to game, and require a big enough conspiracy to game it that such a conspiracy is unlikely, or so unwieldy that it comes to light. This is far easier, and far quicker to implement, with simple paper ballots and counting as done, for instance, in Canada. It is possible that at some future date it might be possible to do the same with an electronic system, but what about the years in between? The paper system could be implemented — assuming (big and so far apparently invalid assumption) that our legislators require it — in a few months, perhaps weeks. It just isn’t going to be possible for an electronic system to be made that fast, not one with good controls that can’t be gamed with a small conspiracy.
Diebold remains silent over flaws, errors, deceptions, and outright lies…
…
… but it seems that they are voting early and often:
http://www.bradblog.com
http://www.bradblog.com/?p=3541#more-3541
http://www.capitalnews.org/
Gabriel Said:
“Well, in at least one field Brazilian tech surpasses yours:”
Really? If so then it wasn’t all sweetness and light getting there…
http://www.cic.unb.br/docentes/pedro/trabs/election.htm
… and it still ain’t…
http://today.reuters.com/news/articleinvesting.aspx?type=bondsNews&storyID=2006-09-27T192524Z_01_N27411099_RTRIDST_0_BRAZIL-ELECTION-SECURITY.XML
Well, in at least one field Brazilian tech surpasses yours: We are going to our 6th election on electronic machines, and no fraud was witnessed. It’s a very simple system, and it’s not networked. For security reasons, all votes are printed, if a double check is needed.
We usually get results from elections about 1 hour after closings, and here everyone is obliged to vote.
If it comes down to an argument between you who say “non-gameable systems are not possible” and me who says “transparently, demonstrably accurate voting systems are required and possible”, we aren’t necessarily at an impasse.
I think the latter will suit our purposes most adequately. The former is a red herring.
The fact that Diebold’s systems are gameable does not lead to the conclusion that we need a non-gameable system.
You don’t determine your needs by the failures of proposed solutions, but by your requirements, and proposed solutions either meet or fail those requirements.
You also don’t determine your needs by the successes of existing solutions, e.g. any solution must be paper based, because paper based systems have worked in the past.
Our requirements are for a system that is transparently, demonstrably accurate.
We observe that Diebold’s systems are not transparently, demonstrably accurate.
We do not add this in support to a despair that demonstrably accurate systems are impossible.
We may, however, suspect that the task of developing the mechanism that delivers power to the US government should not be entrusted to a proprietary software developer.
Naturally, those in charge of procuring voting systems will discount such suspicions as typical paranoid delusions.
It doesn’t matter. The solution is for an interested community to develop a voting system. The government will not do it. Proprietary ISVs will not do it. The people must do it.
There must be some not yet subdued by Soma, surely?
In related news, this article illustrates (ironically) the consequences of Diebold’s downplay:
http://www.avantnews.com/modules/news/article.php?storyid=281
Well, no, by definition, you can’t game a system that is “transparently, demonstrably accurate”.
Well sure. And if you simply create a Star Trek style replicator and give one to everybody, all the world’s problems would go away. 🙂 But in the real world, such non-gameable systems are not possible. Like locks, you want something that’s enough trouble that getting past it is not worth the trouble — and an election makes things worth a lot of trouble. One major problem with electronic systems is that if they can be gamed (and really, you know they can — making up imaginary non-gameable systems is easy, but not real) they can be gamed by a relatively small number of people, and hence a small conspiracy. Gaming a system with paper ballots and local counting, and the paper trail, takes a huge conspiracy.
Making a system that requires a big conspiracy to game it is like having a better lock — it doesn’t stop a theft, but it makes it more trouble than it’s worth. Although theoretically possible, the non-gameable electronic system you suggest is incredibly unlikely, judging from all our decades of experience with electronic systems.
Theoretically (I can’t stress this is just a conversation I’m not encouraging anyone) what would it take to silently break one of these machines?
Most of the debate with Diebold has been about fraud. What if someone saw their candidate was doing poorly in exit polling and decided to “vote” late in the day but had a small device that shorted out the computer.
This could be something simple like a couple of 9v batteries hooked up to a capacitor.
“I think you’d need robots programmed strictly Asimov”
Riiight. I remember how well that turned out in the recent movie…
Can we be sure that e-voting isn’t a solution looking for a problem? I voted in the last federal election here in Canada and didn’t have any problems. In fact, anyone who could put pen to paper and tick off a box could do it. A chimpanzee could probably have done it.
People do get a say in the matter if they can speak as one.
It’s providing the facility to enable that collective expression that is missing, and yet a platform is readily available in the form of the Internet.
150 million US citizens online. 300 million US citizens in total (probably most of whom can get to a cybercafe, library, or pal’s laptop).
Not far off a quorum eh?
If you can enable a significant chunk of the US population to express themselves via a polling system that is ‘transparently, demonstrably accurate’, then you have what is known as a ‘fait accompli’ in terms of providing a successor to Diebold.
It’s not rocket science, it’s just not very interesting to those who work for warm feelings, and not very lucrative to those who work for tons of money (like Diebold, who stick with proprietary business models).
@Crosbie: I think you’re spot on, mate. If only such a system could be reliably created (I think you’d need robots programmed strictly Asimov), we might have something. I think you’re partially right about the lack of imagination – we folk of the US live in something of an oppressor-state – brought about by an already-corrupt governing body; however, some of the greatest thinking done through history was under the darkened sky of oppression.
All told, the Diebold machines are crap. I used one in the primary just last week, and I could list at least three or four vulnerabilities just in the “social engineering” context of the polling location alone, the machines notwithstanding. As if we actually get a say in the matter, anyway. ::shrug::
Someone pass me that Krylon – I have a big A-in-a-circle to paint somewhere not-exactly-inconspicuous.
I think the folks at Diebold are a bunch of fucking liars.
Bryan Feir Says:
“… Remember these statements are being made by people in legal and marketing, not engineering… the voting machine business was purchased by Diebold… so the core Diebold people don’t necessarily know how it works anyway.”
So the people at Diebold literally may not know what they are talking about?
Who would have guessed it from their PR? … 🙂
Do these people understand their own technology or do they just assume that we don’t?
Probably some of both. Remember these statements are being made by people in legal and marketing, not engineering.
Also, as I recall, the voting machine business was purchased by Diebold from another company to start with; so the core Diebold people don’t necessarily know how it works anyway.
I believe that Diebold wants the public to believe that these machines cannot be network’d. Could you ever visualize the value of that information?
I thought I would ever miss a ‘chad’.
Well, no, by definition, you can’t game a system that is “transparently, demonstrably accurate”.
The problem is that the government craves power, and craves control over the mechanism that grants that power. It will not willingly relinquish that control, even back to the people.
To say that voting is a peculiar problem only solvable by paper ballot, that any computational approach is necessarily prone to corruption, is a failure of imagination probably biased by the flawed, if not corrupt, approaches we’ve seen so far.
Why not develop a highly secure way of enabling…
Like we have with payments, which of course are never susceptible to fraud? 🙂
You can probably game the system, in the system, in such a secure computer transaction, but gaming it with false ID and such would probably be easier. I say go with the paper ballots, which as has been pointed out, are easy to use, resistant to fraud, and you get a count either the same evening (Canada) or within a few days (Europe). Cost is low, widespread fraud is hard, and the paper trail is built-in — what’s not to like?
Why not develop a highly secure way of enabling all US citizens to anonymously express an opinion via any web browser at any cybercafe?
As soon as you create any such mechanism, especially where it is transparently, demonstrably accurate, you will simply, by popular fiat, have produced a superior democracy.
Each vote must be expressed by a US citizen (or their chosen delegate) no more than once in any poll. The state or county of the delegate may be provided with the vote.
Not exactly rocket science now is it?
This is a problem of the people, that should be solved by the people, for the people.
If they communicate over the internet, what’s to say that both ends are not vulnerable to an attack from a computer outside the system that manages to acquire their IP addresses?
Do these people understand their own technology or do they just assume that we don’t?
maybe they’ve discovered already that the machines can be injured via internet? “vote slammer” :S
Just to be complete…
In addition to networking to upload the election result, previous discussion had it that the ability was there to download the ballot to the machines over a network before the election. Is that mentioned in the manual?