(Cross-posted at the Computing@Rice blog at the Houston Chronicle.)

Back in late August, Harris County (Houston)’s warehouse with all 10,000 of our voting machines, burned to the ground. As I blogged at the time, our county decided to spend roughly $14 million of its $40 million insurance settlement on purchasing replacement electronic voting machines of the same type destroyed in the fire, and of the same type that I and my colleagues found to be unacceptably insecure in the 2007 California Top-to-Bottom Report. This emergency purchase was enough to cover our early voting locations and a smattering of extras for Election Day. We borrowed the rest from other counties, completely ignoring the viral security risks that come with this mixing and matching of equipment. (It’s all documented in the California report above. See Section 7.4 on page 77. Three years later, and the vendor has fixed none of these issues.)

Well, the county also spent the money to print optical-scan paper ballots (two sheets of 8.5″ x 17″, printed front and back), and when I went to vote this morning, I found my local elementary school had eight eSlate machines, all borrowed from Travis County (Austin), Texas. They also had exactly one booth set up for paper ballot voting.

After I signed in, the poll worker handed me the four-digit PIN code for using an eSlate before I could even ask to use paper. “I’d like to vote on paper.” “Really? Uh, okay.” Apparently I was only the second person that day to ask for paper and they were in no way making any attempt to give voters the option to vote on paper.

How did it work? They had a table with three blank ballots (each a stack of two sheets of paper), of which I could choose one. Both sheets shared a long serial number on the left column, which appears to serve two functions. First, it allows the two sheets to be kept together (notably, allowing the straight ticket voting option on the first sheet to apply to the second sheet). Also, these serial numbers, by virtue of being large and hopefully random, would act to prevent ballot stuffing (assuming the county kept records of which numbers were valid). Additionally, there was a signature from one of the poll workers at the bottom of the ballot, which I presume to be an additional anti-ballot-stuffing measure.

I was handed a Bic pen and pointed to a rickety standing table with a privacy partition. At the same time, my wife voted on a standard eSlate. I decided to ask a poll worker the question of how a straight ticket on the first sheet would apply to the second sheet. The first poll worker, who was operating the eSlates, said “sorry, I was only trained on the eSlates” and made me wait until the head guy came over. The head guy then proceeded to give me an extended tutorial in the ways of our straight ticket system, requiring me to interrupt him and say, “yeah, but all I want to know is how my tick of the straight ticket box on the first sheet is carried over to the second sheet.” We ultimately concluded that it must be due to the matching serial numbers.

Anyway, despite all this fun and excitement, I still managed to finish my ballot a solid minute faster than my wife. Also, by that time, a queue of maybe six people was waiting to vote while all the eSlates were busy. I asked the poll workers at the sign-in table if they were planning to offer paper ballots to anybody in line and they looked at me as if I was insane. I also mentioned that I finished voting faster than my wife and one poll worker went as far as to say “don’t tell anybody!” as if that might (gasp!) cause people to want to vote on paper.

What’s going on here? I blame our lame-duck election administrator, who has been urging voters to use the eSlate, and doing her best to ignore the paper ballot option that she was compelled to offer as a consequence of the warehouse fire. If there’s no emphasis on paper, from the leadership on top, one could hardly expect poll workers to behave any differently.

What’s happening next?

One way or another, Harris County will have a new elections administrator after our incumbent one retires, and the next one will be responsible for rebuilding our election systems. Curiously, Travis County recently announced that they’re retiring their eSlates after the 2012 election, replacing them with paper ballots that are scanned in the precinct. This gives Harris County the chance to buy their used gear at a fraction of the price of new equipment, should we choose to go that route, or we could instead follow Travis County’s lead and ditch our eSlates entirely (save for keeping one in each precinct for accessibility purposes). Either way, we would save literally millions of dollars, relative to the costs of purchasing new eSlates from scratch, and of course the new paper ballot systems are more secure and (gasp!) faster and easier to use.

Sidebar: Are these paper ballots really private?

The Texas Election Code actually has a requirement that ballots be “numbered”, which I understand is generally taken to mean that there must be mechanisms in place to prevent tampering and ballot stuffing. (You would require a very broad interpretation of that statute in order to have allowed traditional lever voting machines, used widely in Texas prior to 2000, where there is nothing approximating individual ballot numbers in the machine.) The sparse and hopefully unguessable serial numbers on our paper ballots appear to follow the letter of the law as well as offering the ability to have ballots larger than a single sheet of paper. That’s the good news, but let’s consider what it would mean in the case where somebody was attempting to bribe or coerce my vote and they had access to the output of the central ballot scanner, which presumably includes these ballot numbers.

Of course, the poll worker who puts out the blank ballots can track who gets which ballot. Furthermore, I could simply write down my own ballot number. Because these numbers are sparse, and thus hard to guess, somebody bribing or coercing me would have some serious leverage on me if I produced an invalid ballot number. If I sneakily remembered one of the other two ballot numbers from the table, I could present my coercer with one of those numbers instead, but then I would have no knowledge of how (or even if) that other ballot was cast, and could thus get in trouble with my coercer.

How can this coercion risk be mitigated? One simple option is to render the ballot numbers only as barcodes. Very few of us can visually read a barcode, much less the newer two-dimensional barcodes. So long as we ban smartphones or other cameras, we’re in good shape. Concerned voters or auditors, who want to ensure the same number exists on both ballot sheets could hold them up to a bright light, lining them up together, to make sure that they match up.

Oh, and ballots aren’t private with the current eSlate either. See the California report, linked above, “issue 25” on page 58. See also Section 7.1 which starts on page 72.

Today, of course, is Election Day in the U.S. Many of our U.S. readers will be casting their votes electronically.

CITP has been front and center on the e-voting issue. Here’s a quick set of CITP e-voting links:

• Video of CITP lecture by Hari Prasad, on India’s e-voting system
• Alex Halderman and his students’ analysis of the 2010 District of Columbia online voting trial
• Ari Feldman and Alex Halderman’s demonstration of Pac-Man running on a voting machine,
• Andrew Appel’s work on New Jersey’s Sequoia AVC Advantage machines and the accompanying lawsuit: trial update, summary of plaintiffs’ witnesses’ testimony, and summary of defense witnesses’ testimony
• joint work by Steve Checkoway and his UCSD colleagues, with Ari Feldman, Alex Halderman, and me, on security issues in the Sequoia AVC Advantage machine (with video)
• my analysis of discrepancies in the 2008 New Jersey presidential primary
• Security Analysis of the Diebold AccuVote-TS Voting Machine by Ari Feldman, Alex Halderman, and me

Finally, in keeping with tradition here, on Election Day I post photos of unguarded voting machines in the Princeton area. Here are two photos taken over the weekend:

[This entry was updated at 1:00 PM Eastern on 2 Nov 2010, to add the Checkoway et al. item.]

In 2009 the Superior Court of New Jersey, Law Division, held a trial on the legality of using paperless direct-recording electronic (DRE) voting machines. Plaintiffs in the suit argued that because it’s so easy to replace the software in a DRE with fraudulent software that cheats in elections, DRE voting systems do not guarantee the substantive right to vote (and to have one’s vote counted) required by the New Jersey constitution and New Jersey statutory law.

I described this trial in three articles last year: trial update, summary of plaintiffs’ witnesses’ testimony, and summary of defense witnesses’ testimony.

Normally in a lawsuit, the courtroom is open. The public can attend all legal proceedings. Additionally, plaintiffs are permitted to explain their case to the public by releasing their post-trial briefs (“proposed findings of fact” and “proposed conclusions of law”). But in this suit the Attorney General of New Jersey, representing the defendants in this case, argued that the courtroom be closed for parts of the proceedings, and asked the Court to keep all post-trial documents from the public, indefinitely.

More than a year after the trial ended, the Court finally held a hearing to determine whether post-trial documents should be kept from the public. The Attorney General’s office failed to even articulate a legal argument for keeping the briefs secret.

So, according to a Court Order of October 15, 2010, counsel for the plaintiffs (Professor Penny Venetis of Rutgers Law School aided by litigators from Patton Boggs LLP) are now free to show you the details of their legal argument.

The briefs are available here:
Plaintiffs’ Proposed Findings of Fact
Plaintiffs’ Proposed Conclusions of Law

I am now free to tell you all sorts of interesting things about my hands-on experiences with (supposedly) tamper-evident security seals. I published some preliminary findings in 2008. Over the next few weeks I’ll post a series of articles about the limitations of tamper-evident seals in securing elections.