Paper Vote Canada

The Debate: E-Voting: An Idea Whose Time Has Come?

Technology and the vote: Why has there been a stubbornly slow adoption of electronic voting?

The Agenda - November 10, 2008

Note: This episode has not yet aired, it will be on television tonight at 8 PM and again at (I think) 11 PM. The video is usually up online a few days after the show airs. I will update this posting with new information when available.

UPDATE: I have created a discussion thread on the "Your Agenda" discussion forum: e-voting. You'll have to create an account there if you want to add your thoughts before or after the show. ENDUPDATE

UPDATE 9 PM: The show has just ended. I thought the debate was good. I also thought it was positive that the debate focused on a much more realistic assessment of evoting in terms of voter engagement and turnout.

If voting was about convenience, you wouldn't have seen people standing in line for hours in the United States. Voting is about citizen engagement. If the citizens find something interesting to engage with, technology can be an enabler. But you don't need online voting for that, you need an online presence for every day other than the election, much as we're seeing already with Barack Obama, who reached out through BarackObama.com (and into many other Internet channels) and is now connecting with Americans through his transition site change.gov

To me this technology argument "young people use technology, so voting should use technology" is ridiculous. Young people aren't stupid. Putting up a Facebook page is not the answer, putting up content that they care about is the answer.

Both of the letters from the MPPs were very well informed.

As well Farhad Manjoo and Darin Barney were both well-informed about the technical issues, and it was great to see Don Lenihan being very clear that it is for the computer security experts to determine whether voting online is secure, not the politicians or corporations.

Marie Bountrogianni was obviously not well-informed about the technical issues, but unfortunately that didn't seem to stop her making incorrect assertions (if we can bank online, why not vote online? um, because they have COMPLETELY DIFFERENT SECURITY REQUIREMENTS).

John Hollins brings a corporate perspective to voting, talking about "serving customers", an approach which to be quite frank, I hate. Voters are not consumers being provided a service, they are citizens engaged in one of the few public activities of our democracy. Voting is not the same as paying a parking fine. (Longtime readers of this blog will know of Mr. Hollins and his boosterism for technology solutions.) In Canada we have very simple elections. You don't need a $3000 touchscreen voting machine with VVPAT paper trail, to record a single vote, so that when there's a problem, you can count the votes on the paper trail. JUST VOTE ON PAPER FIRST.

I will write a follow-up post on citizen engagement vs. e-voting.

Overall I thought it was a good discussion which in the end turned far more on the citizen engagement aspect.

After posting on the Agenda forum I was fortunate to get an email from Sandra Gionas and to have a chance to talk with her on the phone, and she has kindly included substantial quotes from me in her Inside Agenda blog posting Control, Alt, Delete and Vote.
ENDUPDATE

I love the loaded language people use for paper voting: "quaint", "old-fashioned"

or for the lack of technology in Canada's federal elections: "stubbornly slow adoption".

stubbornly?

This is what I had to say the last time someone argued that you couldn't stop the wheels of e-voting progress:

Ah yes. The real world. The modern world. The practical, down-to-earth, realistic, Common Sense Revolution world. Paper is obsolete, so old-fashioned, like the Geneva Convention and other inconveniences.

Bullshit.

corporate voting bullshit - Paper Vote Canada - November 24, 2006

If paper voting is so obsolete, why is it that, overwhelmingly, the most articulate and forceful campaigners against electronic voting are computer scientists? Are computer scientists generally considered stubbornly slow adopters? Could it be that the actual experts in computer technology know that from the standpoints of security, cost, simplicity and core principles of democracy, electronic voting is just a very bad idea?

You don't believe me?

* Computer Scientists question electronic voting - March 3, 2003
* Computer scientists slam e-voting machines - CNet News - September 27, 2004
* Following issuance of an analysis by four computer scientists who were members of the SERVE Security Peer Review Group, the Pentagon decided to scrap plans for the use of this technology to cast ballots in the 2004 Presidential election.
* Computer scientists weigh in on e-voting - July 20, 2006
* UC Computer Scientists Release Video on How to Hack a Sequoia Touch-Screen Voting Machine - September 9, 2008
* E-Voting Doesn’t Get Computer Scientist’s Vote - October 10, 2008

I could go on listing reports and articles for many pages, but I hope I've made my point.

Not having electronic voting is not stubborn resistance to progress, it's rational opposition to expensive, unnecessary, insecure technology that will undermine the foundations of our democracy.

Labels: canada, electronic voting, television

Voting Machines Elect One Of Their Own As President



All hail the DRE 700.

Labels: electronic voting, humour, video

500th post.



What's interesting (and sad) is that Oprah blames herself for her voting problems.

First of all, if the machine doesn't record your vote, that's because the machine is badly designed. Second of all, it means you shouldn't be using machines.

It doesn't seem to occur to Oprah that the fault could lie with the machine.

Labels: election, electronic voting, usa

shape-shifting electronic votes are more than fantasy, according to reports from states including West Virginia, Missouri, Nevada, Georgia and Colorado. Whether by accident or design, touch-screen voting machines have "flipped" votes from a caster's chosen candidate to one he opposes.

Unlike the old days when campaigners hung around street corners haranguing voters with handouts and pints of beer, the electronic era presents a sophisticated challenge to democracy.

Now, says Crispin Miller, author of Loser Take All: Election Fraud and Subversion of Democracy 2000-2008, changes can occur seamlessly, without a breath of suspicion. Electronic glitches are only one of a range of mishaps, mistakes and dirty tricks that may decide outcome on Nov. 4.

Complaints about the electronic machines have mounted, along with calls for a return to paper ballots, like Canada's.

"More traditional systems are better," says Jeremy Epstein, a technological security expert and member of two Virginia legislative commissions that studied voting machines. "Paper-based and hand-counted ballots are fast, accurate and cheap. Studies show that machines are insecure and vulnerable to attack."

Fraud fears grow as [US] voters throng polls - The Toronto Star - October 21, 2008

(The article title is not great, something like "voting machine errors and voting surpression plague election" might have been closer to the mark.)

Labels: election, electronic voting, usa

Election Data Services provides the US November 2008 voting equipment composition (I'm tempted to say "breakdown").

I should mention that they use some confusing terminology.
To me electronic voting covers optical scan, DRE and Internet voting.
They consider electronic voting to cover only DRE (usually touchscreen) machines.

An optical mark-sense reader is an electronic device just like a touchscreen machine. It uses optical sensors to read a dot on paper, rather than to record a fingerprint. It is subject to most of the kinds of attacks that a touchscreen suffers from: you can compromise the software/firmware, there may be errors in the software/firmware, the optical sensors may be mis-aligned or malfunctioning, the paper path may jam, the power can fail, etc.

As well, if you record the order in which voters submit their ballots for scanning, you can reverse this to determine exactly who voted for whom, by going down the stack of ballots - once again the secret ballot is compromised.

It is true that IF AN ERROR IS DETECTED or IF A RECOUNT IS MANDATED, you can then hand-count the ballots (albeit going slightly crosseyed staring at tiny circles for hours).

Of course if you were a clever hacker, you would just program the scanner to distort the election by a margin smaller than that which would trigger any investigation. A similarly small error would also not be detected.

NOTE: some kind of rendering bug puts this table far down on the page.

Type	% Registered Voters
Punch Cards	0.10
Lever Machines	6.72
Hand-Counted Paper Ballots	0.17
Optically-Scanned Paper Ballots	56.17
Electronic (DRE / Touchscreen) Systems	32.63
Mixed	4.22

from 2008 Voting Equipment Study (PDF)

According to votingmachines.procon.org the numbers previously were

2004: 1% paper, 35% optical scan, 29.5% DRE
2000: 1.5% paper, 29.5% optical scan, 12.5% DRE

Labels: election, electronic voting, usa

The elections staff had collected electronic copies of the votes on memory cards and taken them to the main office, where dozens of workers inside a secure, glass-encased room fed them into the “GEMS server,” a gleaming silver Dell desktop computer that tallies the votes.

Then at 10 p.m., the server suddenly froze up and stopped counting votes. Cuyahoga County technicians clustered around the computer, debating what to do. A young, business-suited employee from Diebold — the company that makes the voting machines used in Cuyahoga — peered into the screen and pecked at the keyboard. No one could figure out what was wrong. So, like anyone faced with a misbehaving computer, they simply turned it off and on again. Voilà: It started working — until an hour later, when it crashed a second time.

...

so many printers had jammed that 20 percent of the machines involved in the recounted races lacked paper copies of some of the votes. They weren’t lost, technically speaking; Platten could hit “print” and a machine would generate a replacement copy. But she had no way of proving that these replacements were, indeed, what the voters had voted. She could only hope the machines had worked correctly.

...

In the last three election cycles, touch-screen machines have become one of the most mysterious and divisive elements in modern electoral politics. Introduced after the 2000 hanging-chad debacle, the machines were originally intended to add clarity to election results. But in hundreds of instances, the result has been precisely the opposite: they fail unpredictably, and in extremely strange ways; voters report that their choices “flip” from one candidate to another before their eyes; machines crash or begin to count backward; votes simply vanish.

An extensive New York Times Magazine report from January 6, 2008: Can You Count on Voting Machines?

And these are just the obvious, visible ways in which machines can fail.
There are many other silent ways in which the machines could fail internally that you would never detect.

You can move to optical mark-sense, but these are still machines:
* the poll workers need to get trained on them
* the paper can jam
* the scanners can fail
* the entire machine can fail

and on and on and on.

In case you think those are unlikely scenarios, they are already happening in advance voting in the United States.

The Jacksonville Times-Union reported long lines in northeast Florida, with at least two counties reporting problems with voting machines. In Duval County, 7 of 15 optical scanning machines used to count ballots had to be replaced, the newspaper reported.

Early voting suggests 2008 may see record turnout, expert says - CNN - October 21, 2008

Labels: election, electronic voting, usa

Note: DRE stands for Direct-Record Electronic, most commonly in the US these are "touch screen voting machines".

The main issue, according to a 2005 overview of electronic voting by the Institute of Governmental Studies at the University of California-Berkeley, is that if the record of votes cast exists only in digital form in a touch-screen system, there is no independent way to confirm the votes were recorded accurately and thus no way to conduct a reliable recount.

Overall, in the nation’s 170,000 polling places, there has been a shift from predominantly using manual systems (lever machines, punch cards, paper ballots) to computer-based systems (optical scan and DREs) in federal elections.

But according to news reports, as a result of the controversy over DRE machines, in the 2008 election many states might use optical scan paper ballots that require voters to fill in ovals with a pen.

Debate Continues over Security, Reliability of Voting Technology - America.gov - 27 August 2008

As I've said before, optical scan is the least-worst electronic technology, because you can at least do a manual recount of the paper ballots,

but you're still better off just counting the paper ballots by hand in the first place.

Labels: electronic voting

The Coast has an excellent and extensive article on issues with electronic voting, particularly as related to the Halifax Regional Municipality.

It's no wonder that Americans are increasingly distrustful of the voting process. Voting experts challenge every aspect of elections, including the registration process, the procedures at the polling place itself, the use of electronic machines and the counting and recounting of votes.

Contrast the sour American experience to Canadian elections: In this country, voters show up at the poll and are handed a paper ballot and a pencil. They check the box next to their preferred candidate and put the ballot in a box. After the polls close, an election official opens the box, and the official and poll observers from the political parties examine each ballot and agree on how the vote was cast. A final tally takes about half an hour.

The Canadian system is clean, unambiguous and fair.

But the Halifax Regional Municipality doesn't like the Canadian system, and is determined to change it.

iVote: Can electronic voting save democracy? - The Coast - September 18, 2008

Labels: canada, halifax, internet voting

There is this charming myth that machines are "reliable" and "correct" whereas people are error-prone. (The above post title is me being sarcastic.)

This will be shown to be totally false when, on election day, a percentage of the millions of voting machines fail in the following ways:

* mechanical failure
* touch screen misaligned
* touch screen doesn't work at all
* display screen fails (black screen)
* power fails
* printer fails
* card reader fails
* software error

If they were using Internet voting, the ways in which things could fail would be even more spectacular:

* computer monitor fails
* computer hard drive fails
* mouse not working
* keyboard error
* power fails
* network card fails
* router fails
* connection to ISP fails
* network attack or denial of service
* ISP hardware or software fails
* network transmission error
* voting software error
* central voting servers fail
* air conditioning in central voting server room fails
* power fails in central voting server room
* network fails in central voting server room
* server room catches fire (this happens more often than you might think)

Note that all of the above is just a sample of what WILL happen (the odds of a hard drive failing eventually are 100%) and none of the above require any malicious activity, just normal failures of systems. When you add in malicious activity, the scenarios get much, much worse.

Labels: electronic voting

"People make mistakes more than machines," said Jackson County Clerk Jeff Waybright.

Dear Jeff Waybright,

You are way wrong. You are confusing consistency with correctness. If a machine is programmed to do something (programmed, by a person) it will do that thing, consistently. If what it was programmed to do is WRONG, it will do it CONSISTENTLY WRONG.

Yours Truly,

Someone who actually knows about machines

Above quote from More W.Va. voters say machines are switching votes in the Charleston Gazette, October 18, 2008. The story reports that machines are not correctly displaying votes (presumably because of touch screen misalignment, or other malfunction).

Labels: election, electronic voting

One way to illustrate the simplicity of paper voting is to talk about how machines can fail, so...

On November 4, 2008 voting systems will fail somewhere in the United States in one or more jurisdictions in the country. Unfortunately, we don't know where. For this reason, it is imperative that every state prepare for system failures. We urge each state to take steps necessary to insure that inevitable voting machine problems do not undermine either the individual right to vote, or our ability to accurately count each vote cast.

Is America Ready to Vote? State Preparations for Voting System Problems in 2008

Labels: electronic voting, usa

It's election day in Canada.

Please vote.

Remember there are new identification rules, roughly you need either a driver's license (or health card with photo and address in Ontario) or two pieces of ID, one with name & photo and one with address.

See Voter Identification at the Polls for more information.

In general, see

http://www.elections.ca/

for any information you need about voting today.

If you're new to the process, this very simple guide will walk you through (with the exception of the new identification rules).

Labels: canada, election

I had the good fortune to be interviewed for The Toronto Star by Leslie Scrivener--which incidentally is a great name for a journalist. She quoted me quite a bit, I think the article came out well, I'm grateful to her for the opportunity.

"It's a very human system. It works," says Akerman, 40, an Ottawa technology planner and security expert. "You mark your ballot in private, but it's in a public setting. And it balances interests. You have scrutineers from different parties watching each other. It's hands on, easy to understand."

The ballot question: Paper or not? - The Toronto Star - October 11, 2008 - by Leslie Scrivener

Previously:
The Star had a very good article about the electronic voting issue in 2004, but unfortunately it doesn't seem to be online anymore, I wrote about it at

July 13, 2004 Is the future in line or online? - Toronto Star - published July 12, 2004

Labels: canada, electronic voting, newspaper

Bump in stats from being on CBC Spark on October 8.



That reminds me I should put up some info about voting places and election results on the 13th, since I usually get a pile of hits on election day.

UPDATE: In case you're wondering, most of the hits are people searching for general voting/election information (where to vote, how to vote), not about the specific issue of electronic voting in Canada.

Labels: meta

I recognize that most people don't spend much time thinking about computer security. To the extent that they do, they either assume that there's some "security stuff" that is protecting their computer and transactions, or that such stuff could be created.

Here's the problem: lots of people have tried to create secure systems for a long time, and have failed miserably.

I don't have to get technical at all, I can just talk in the consumer space.

1. For years, games companies put elaborate efforts and skilled people into trying to protect their games from piracy. They had special codes, special floppy disks with holes punched into the magnetic media or deliberate errors, physical dongles, you name it.

And yet their games were always pirated. Eventually most of them just gave up on protecting their games.

2. For years, continuing today, media companies like the record and movie industry have attempted to protect their content from piracy with Digital Rights Management (DRM). They have sophisticated hardware, elaborate codes, highly skilled people and a large monetary incentive. And they have failed.

iTunes music DRM? There's a hack.
DVD DRM? There's a hack.

3. Apple has an incentive to protect its iPhone from being used on any network, as it has an exclusive deal with AT&T. Their phone is "locked".

iPhone locking? There's a hack

THERE IS ALWAYS A HACK.

Because any piece of software or hardware you can create, I can put a layer in front of. Your software talks to a hardware dongle? I write a layer of software that pretends to be the hardware.

And we're not talking big power or political incentives here, we're talking smart kids (mostly) who wanted to play some games, listen to some music, or watch some movies.

So if they couldn't even protect SONGS, do you seriously think they're going to be able to protect AN ENTIRE ELECTION?

There is no unbreakable "security stuff" to do that, it simply doesn't exist.
And even if it did, the incredible complexity of it would mean that the entire election would boil down to "trust the machine and the computer guys".

Wouldn't you rather trust a piece of paper you can see, a counting system so simple elementary school students could perform it, and volunteers and scrutineers from your own neighbourhood that you can watch?

Labels: security

There were e-voters in more than 30 countries, with the oldest born in 1913, they said.

"We had people vote from Sri Lanka, from Korea, from over 50 Canadian cities and 25 American states," said Cathy Mellett, e-voting project manager for the Halifax Regional Municipality.

10% of HRM voters cast e-ballots (via Carol) and 28,709 cast municipal e-votes (via sparkcbc Twitter)

Hmm, so let's see. You assign a PIN number to each citizen, and mail the PIN to their address, and the verification info is their birth year, AND you're tracking their voting location, which can only be done by tracking their IP address, which semi-uniquely identifies their computer.

So you know who they are multiple times over, through the combination of PIN, birth year, mailing address, and IP address.

So number one, goodbye secret ballot.

Are you seriously going to take it on trust that they won't be tempted to check to find out who voted for whom? That no one will ever be tempted to check this?

Number two, in a world full of good people and lots and lots of bad people, from Nigerian scammers to Russian mafia, letting people vote in a Halifax election from any computer anywhere in the world is a feature? Are you kidding me?

Labels: halifax, hrm, internet voting

Dan talks to Ilona Dougherty, Richard Akerman, and Grace Lake about voting online

Episode 48 - October 8 & 11, 2008 - CBC Radio - Spark - posted October 07, 2008

The audio is available as an MP3 download, or you can subscribe to the podcast, or get it through iTunes.

Just a couple quotes from me were used, but I think I got my points across.

Labels: audio, canada, cbc radio, cbc radio spark, electronic voting

Just trying to sort out my terminology:

Internet voting = web voting = Using the Internet to record your vote on some central election servers.

Electronic voting machine (or I sometimes just say "voting machine") = any of a number of different technologies for voting, primarily about touch-screen voting machines, but I would extend it to mark-sense optical scanners as well, in its broadest sense.

Electronic voting encompasses both using electronic voting machines, and Internet voting (which you can think of as using an electronic voting machine, at a distance, over the net).

This is fairly consistent with the use at

http://en.wikipedia.org/wiki/Electronic_voting

Labels: electronic voting

I'm trying to gather my rather rambling thoughts on this topic.
This is what I just said in an email to a newspaper interviewer:

Ultimately it comes down to a choice between a very simple system in the physical world where we use a combination of privacy, being in public, and the competing interests of strangers (the scrutineers and election workers) to provide results based on physical evidence that everyone can agree upon,

or an incredibly complex system involving your computer, many computer networks, and computer servers, all running software created by strangers, with all the possibilities this raises for either malicious attacks on the election, or normal computer errors, a situation where there simply is no evidence to rely upon other than what the computer says, and the computer can lie.

In other words, electronic voting is no different than telling a stranger how you want to vote ("I want to vote for the blue party"), and then having to trust that they actually voted the way you asked, despite the fact you know that they can lie.

Can you imagine if we had used Internet voting for the last Quebec referendum? We would still be arguing about the results.

In short, although I love technology, I know the difference between appropriate technology and unnecessary technology.

Paper and pen is the appropriate technology for voting.

Labels: canada, electronic voting

Nick Van der Graaf wrote me with a pointer to his very clear and thoughtful posting about voting machines.

If it ain't broke don't fix it - May 13, 2008

When officials come away from observing an electronic vote-counting system used in Monday's New Brunswick municipal election, I hope the lesson they take with them is this: Citizens do not need a machine to vote, nor to count those votes. And I hope for the health of our democracy that they will see that the application of technology to replace humans in this area is wholly inappropriate.

Labels: canada, electronic voting, new brunswick

My friend Jessie sent me a link to this awesome clip of Homer trying to vote for Obama

Labels: electronic voting, simpsons, usa, video, voting machines

I just completed a radio interview for CBC Radio Spark, about Internet voting specifically. I think it will air next week - and I think they will only use short excerpts from the interview, but I have asked for the entire thing to be posted online.

UPDATE: I should check my stats for this blog more often - I see that there is an item specifically about this in the Spark blog

Would you vote over the internet in a Canadian federal election? - Posted by Dan Misener on October 01 [2008]

There are some good comments on the blog posting.

ENDUPDATE

I think I conveyed my three major points:
* a key element of the voting system is trust
* a voting machine (or Internet voting) is no different than telling your vote to a stranger
* a computer can lie

Or in other words, electronic voting means that in a system based on trust, you're giving your vote to a stranger who can lie.

There is one thing I regret saying, I said something like "not everyone is a computer scientist or a mathematician, the average Canadian can't comprehend web voting" - my actual intent was something more like "the average Canadian doesn't have the technical training to understand exactly how web voting works and all the associated risks".

I did then wrap up with what I think was a strong point: Internet/web/electronic voting introduces uncertainty and complexity into what should be the most certain and least complex process in our democracy.

If you look at the specific example of the Referendum, which was so incredibly close - imagine what would have happened if the next day people had started saying "I think my computer didn't record my vote correctly" - we'd never be able to resolve it - we'd still be arguing about it.

Speech! Speech!

If I was giving this as a prepared presentation (which is more my area of communication strength), rather than as an interview, it would go something like...

Voting is about policies, but also about trust. In yesterday's leaders debate, we saw five people around a table that most of us will never meet, five strangers. We have to determine, in part, whether we trust them. Similarly most of us only talk to our MPs for a few minutes when they show up at the door before the election; they are also strangers.

It's quite a remarkable transfer of trust, from millions of people to a few hundred, transferring the authority to declare war and to spend billions of taxpayer dollars.

The process to transfer this trust is voting, which also involves trusting strangers - you probably don't know the poll workers or the scrutineers.

But the good news is that in the physical world, we are really good at reasoning about how to manage the risks of trusting strangers. If a stranger asks for directions on the street, you will probably help them, but if they ask for a $100 loan and your name and address and promise to return the money to you later, you probably won't help them.

Our existing paper-based, human-counted system is based on our understanding of the balancing of motivations and self-interest, along with a clear physical evidence chain. You mark the ballot yourself in secret, you drop it in the box in front of everyone, and you trust that the competing interests of the scrutineers from the different parties will ensure that the open counting of the paper ballots is done properly.

If there's an issue, you can just count the ballots again.

And you know that if something does go wrong, all of those people live in your community and have to deal with the consequences.

You literally could have an elementary school class run a classic Canadian Federal election scenario and they could identify all of the possible risks, because reasoning about physical evidence and human behavior is one of our strengths.

Now imagine instead that when you walk into the polling station, they say to you "for improved efficiency, just tell this stranger how you want to vote, and he will go and handle the rest". So you tell him "I want to vote for the red party" and he goes and marks a ballot in secret and drops it in the ballot box. Now you have to trust that stranger totally. You can ask him, "did you vote for red?" and he can assure you over and over, but you can never actually know, for certain, how he voted on your behalf.

In effect, his report of your vote is now testimony, or even hearsay.
We understand this quite well in our criminal justice system. Physical evidence (e.g. a marked ballot that you can see) has the highest degree of credibility. Testimony much less so, because humans can lie. Hearsay least of all, because humans can really lie a lot about other people.

You go from e.g. seeing an X in a circle on a piece of paper, to having someone say "I definitely marked an X by the red candidate", to someone saying "I think I thought I saw someone mark an X by the red candidate".

So now we just need to replace one step and I think you'll see the problem: replace "tell your vote to a stranger" to "enter a your vote on a computer".

How is that like telling a stranger? Well when you think about it, computers don't program themselves. Every computer program, and even every computer chip, was designed by someone - by a stranger. Actually by many many strangers. The computer is not some cold objective logic machine, incapable of error, the computer is the embodiment of the human intentions that went into its code and hardware - the computer is a human, in silico.

That means all of the things a person can do, a computer might do - a computer might fail, because of an error, or a computer might behave maliciously, because of malicious intent.

That is to say, the computer can lie. We often don't think about this, because for commercial reasons most people write code intended to behave well and to present information correctly. But there's no reason your code can't say

get input
if input = "vote blue" then
record +1 blue vote
display "voted for blue"
else if input = "vote red" then
record +1 blue vote
display "voted for red"
end

THE COMPUTER CAN LIE.

You can see very real examples of this in sophisticated virus social engineering - the virus presents a window that says "you need to update your antivirus software immediately [ok] [cancel]" and when you press [ok], it actually fills you computer with viruses.

Beyond that, even without malicious intent, the computer can fail in a million bazillion ways - bugs in the code, hardware error, network error, power failure, overloaded by too much network traffic (as happened with Do Not Call List), and on and on. Whereas a paper voting system can continue without power, and short of burning the paper or killing the people, it has limited ways that it can fail.

And this is an important point: people already attack physical voting systems, which is very high risk. (See e.g. Zimbabwe.) The reason they take this risk is the rewards are enormous - wealth beyond any other criminal scheme, power, privilege...

Consider that spammers have already constructed networks of hijacked machines ("botnets") - millions of machines in some cases - just to take advantage of the few thousand or at most few million dollars they can earn by ripping people off. Now just think - if there's Internet voting they can use the exact same technology to control who gets access to BILLIONS OF DOLLARS.

So think about it - you would never vote by telling a stranger your intent and letting them vote for you - why would you vote by telling a strange machine your intent and letting it vote for you?

Labels: canada, cbc radio, cbc radio spark, internet voting, radio

I've written here before about the false idea that if we make voting "convenient" by enabling online voting, it will increase turnout.

If you want to increase turnout, have a campaign to increase turnout.
Have ballot boxes at workplaces, or make the entire day a holiday.
There are lots and lots of ways to increase turnout.

Supporting Internet voting is asking for catastrophe in many different ways:
* it turns the solemn act of voting, one of the few acts of citizenship, into something no different than adding an item to your Amazon.ca shopping cart
* it means that you're using inherently unsafe, unsecured machines to provide the infrastructure for the most critical process of our democracy
* it means that someone can stand with a gun to my head and force me to vote the way they want while they watch (which, incidentally, also applies to voting by mail)

If you seriously think online voting will engage "the youth", then why not just go all the way and let them vote on their cellphones and called it "Greatest Canadian Idol"? (The sad part is that their cellphones are almost all much more secure than their computers.)

Here's what prompts this latest concern:

Elections Canada hopes it has the answers.

The federal agency has adopted a five-year strategy to boost turnout, with a focus on youth engagement.

Key planks in the plan are to communicate more frequently with voters between elections, via education programs, and to make voting more accessible to all Canadians.

Elections Canada is hoping to adopt online voter registration in two years, a tool already available in some provinces like Alberta.

Perhaps more importantly, the agency hopes to test web voting within five years, beginning with a byelection.

"The general philosophy is to take the ballot box to the voter," says Mayrand, Canada's chief electoral officer.

If the Internet gamble proves successful and security concerns can be addressed, Elections Canada would ask Parliament to amend legislation to include e-voting for general elections.

"Youth are quite familiar with technology. They expect to be able to use it for most of their life activities," Mayrand adds.

Black Mark - Calgary Herald - September 6, 2008

The problem being, voting is not like "most of their life activities".
Voting is not banking, voting is not surfing the net, voting is not listening to music, voting is not texting a friend.

Banking is an example that is often used, or online taxes, but these are completely false examples. The bank knows exactly how much money you have, as does the government, and every transaction has an audit trail and can be reversed.

Voting must not have an audit trail, and cannot be reversed (if you are going to retain a system of private, secret ballots).

Voting, since it provides the transfer of power from the very many to the very few, is a very attractive attack point for malicious actors, and I mean "attack point" quite literally - people die for their vote already today, can you imagine how much more tempting for all of the negative forces in our society to take advantage of the vast computer networks that already exist for spam and attacks ("botnets") and use them to throw the election or to write a targetted virus to compromise the election?

That's not even to touch the issues of just running the election assuming everything actually goes right. The Do Not Call List site just went down because of high demand after it was launched. The Tax servers routinely get overloaded when millions of Canadians use the online systems near filing day. That's not a problem, because those transactions are repeatable.

What happens when the election servers go down from heavy demand on election day?
People resubmit their vote? We have the vote again another day?

A human-run, human-counted paper voting system has a very small number of failure modes, all of which anyone who understands the physical world can easily work out (people can steal the ballot boxes, etc.)

Computer-run, computer-counted voting systems have almost unlimited failure modes, which almost no one except computer and network security experts can fathom.

A paper voting system must work during the voting, and during the counting, and then it just disappears.

An electronic voting system requires servers that must be secured both physically and electronically 365 days of the year, every year, in case a vote is called.

The whole idea that you would get any benefits from online voting is patently ridiculous. The only way you can make it appear to work is to ignore all of the security issues, ignore all of the ongoing cost issues, treat it as if it were a banking or other repeatable and auditable transaction, as if voting is something that should somehow be made "efficient", and make a bunch of claims about turnout.

It is a Very Bad Idea.

Previously:
November 28, 2006 let's have a discussion
November 15, 2006 Geist on e-voting

Labels: canada, internet, internet voting

DOBBS: For more than two years here, we've been reporting on the serious threat that electronic voting poses to this democracy. As a result, some states have begun to scrap their e-voting machines altogether. But a third of the nation will still be using e-voting machines in November. And more disturbing a new report says election officials often are outsourcing their responsibilities to the very companies that make the e-voting machines, even trusting those companies to count the votes. Kitty Pilgrim has our report.

(BEGIN VIDEOTAPE)

KITTY PILGRIM, CNN CORRESPONDENT (voice-over): Ellen Theisen has been a software writer for more than two decades. Living in Washington State, she was disturbed by electronic voting problems across the country, so she formed a nonpartisan citizen's activist group to investigate voting irregularities. A new report by that organization, VotersUnite.org, says that private companies now run many elections.

ELLEN THEISEN, VOTERSUNITE.ORG: Elections should be accountable to the people and run by public officials who are selected by the people to run them. So when that's handed over to private vendors, these public elections are no longer public.

PILGRIM: According to the report, many jurisdictions in the country are entirely dependent on the voting machine companies. The companies also tabulate results. State officials have to take their word for the results. The company owns the software and equipment and doesn't have to share it. It's proprietary. Election officials often can't do a recount without help. One state that rejected that arrangement is Oklahoma. In 1992, Oklahoma put in its own optical scan system, which is still owned and operated by the state.

MICHAEL CLINGMAN, OKLAHOMA STATE ELECTION BOARD: Election night, it's really all public officials dealing with the election and nobody else.

PILGRIM: Oklahoma wasn't tempted by new federal funds in 2002 when many other state and local governments used the Help America Vote Act money to buy touch screen machines.

UNIDENTIFIED MALE: There was really nothing on the market we would buy then and there's still nothing we would want to buy today.

Lou Dobbs Tonight - August 20, 2008

Labels: electronic voting, usa

Rep. Rush Holt

Anything of value should be auditable. ...

To give voters the confidence that they deserve that their votes will be counted as they intended... in every election there should be an audit.

See the full interview



Countdown with Keith Olbermann - #4 Man vs. Machine

via Black Box Voting forum

Labels: usa, video

The basic premise of e-voting went something like this:

1) Electronics makes things "efficient" and will save money.
2) Elections are a government service just like any other.

Underlying this was an extraordinarily naive concept of elections as uncontroversial events that would never be challenged, and that no one would ever make a serious attempt to commit election fraud. There would never be close races. In essence, a disdain for the whole voting process, because it implies that a single vote will never make a difference.

This is simply demonstrably untrue, as elections with contested results have been a worldwide problem, with accusations flying, often with violent repercussions. Time and time again we have seen incredibly close elections.

The reality is: the more complicated and indirect you make the voting process and the vote counting process, the more you open the system to suspicions of fraud, and associated loss of confidence in the results of the election.

As I've said before, voting is an incredible act of civic alchemy, in which the will of the many is transmuted into tremendous power for a very few (e.g. in the US, a few hundred people leading a nation of 300 million). WITHOUT COMPLETE CONFIDENCE, this cannot work; a million people are not going to hand over power to a single politician unless they are confident s/he was actually selected by a fair vote.

In a partisan environment with close-fought elections, this means that now

EVERY SINGLE ELECTION WILL BE CHALLENGED

Oh, brilliant cost savings there, you idiot technocrats. Instead of pen and paper and election results in hours with full confidence of the electorate, elections will now turn into endless recounts, court challenges, and code examinations. Since it is almost impossible to prove that machines weren't hacked, any case where there is not a full paper trail will end up basically unresolvable.

Hand counted paper ballots were never broken,
the only way to fix this problem is to go back to them.

New Hampshire is lucky they have optical scan (the least-worst of the electronic options) so that confidence can be restored by a manual recount.

For a taste of what's to come, see ArsTechnica - Analysis: Why the "Hillary hacked NH?" story is important (Updated)

Labels: electronic voting, optical scan, rant, usa

Added FeedFlare, which provides some additional capabilities for emailing and bookmarking within each post.

UPDATE: Minor template change to adjust FeedFlare.

Labels: meta

From The Daily Show, November 2, 2006

This blog has just moved to the new blogger, so some things may break.

Labels: meta

1. Procedures are more complicated than in-person voting
2. No immediate feedback / oversight if there are problems with the ballots
3. People screw up and put their signed declarations in the same envelope as their vote, thus a) spoiling their ballot and/or b) revealing who they voted for

Globe and Mail - Postal-ballot errors spark review - December 19, 2006

Municipal Affairs and Housing Minister John Gerretsen says he's considering revisions to Ontario's municipal elections law as towns and townships continue to struggle through counts of problem-plagued mail-in balloting in the Nov. 13 vote.

...

This week, judges in Bracebridge and Lindsay ordered that efforts be made to count ballots that had been determined spoiled by clerks in four Ontario municipalities because no signed declaration was enclosed.

Although some other municipalities faced with high postal-ballot rejection rates -- generally about 20 per cent -- instituted procedures before election day to try to salvage the votes, that option was refused by Lake of Bays Township in Muskoka, the City of Kawartha Lakes and the townships of Highlands East and Minden Hills.

Minden Hills is the only municipality so far where the added votes have made a difference. Out of 849 rejected ballots, 256 votes were found with a signed declaration improperly inserted inside the secrecy envelope and the vote was allowed.

As a result, challenger Lisa Schell saw her 11-vote loss to Clayton Cameron reversed to give her a one-vote majority.

Slashdot reports

"Paperless electronic voting machines 'cannot be made secure' [pdf] according to the [US] National Institute of Standards and Technology (NIST). In the most sweeping condemnation of voting machines issued by any federal agency, NIST echoes what critics have been saying all along, that due to the lack of verifiability, 'a single programmer could rig a major election.' Rather than adding printers, though, NIST endorses the hand-marked optical-scan system as the most reliable."

(in case you're wondering, Internet voting counts as a "paperless e-voting machine")

I wonder how many experts have to say that electronic voting sucks before people will listen.

Of course, crazed luddite that I am, I would eliminate the machine-based counting as well, and just have humans count the paper.

Slashdot - NIST Condemns Paperless Electronic Voting - December 1, 2006 /.

Adam asserts that I have

a very disturbing and one sided perspective

But Adam, you haven't responded to a single issue that I raised.

I welcome all perspectives, provided they are fact-based.

In particular, I invite realistic threat-risk assessments, cost assessments, and cultural assessments.

Let us take Internet voting.

1. Is the code open-source?
2. Has the code been audited by neutral computer security experts?
3. Where are the servers?
4. How are the servers protected?
5. Has the server security been audited by neutral computer security experts?
6. Who pays to protect the servers and the code for the thousands of days during which they are not being used for municipal elections?
7. Who wrote the code?
8. Have they all passed an independent security certification?
9. Do they have ties to any particular political party or other organization that might have an interest in the outcome of the election?
10. How do you mitigate the risk of paying or forcing someone to vote in the way you want, as you watch them on the Internet?
11. How do you mitigate the risk of the massively insecure home computers that are used for Internet voting?
12. When the full costs of security audits and thousands of days of security protection are taken into account, in order to provide a single day of municipal voting, how do you justify the expense?

There's a dozen questions. I have way more where those came from.
I challenge anyone to answer.

From a comment on my previous posting

You need to recognize that municipalities such as Markham are no less concerned about the integrity of the voting process, they simply live in the real world and recognize that offering Internet voting is clearly a solution for voter apathy.

Adam Froman
President
Delvinia Interactive

Ah yes. The real world. The modern world. The practical, down-to-earth, realistic, Common Sense Revolution world. Paper is obsolete, so old-fashioned, like the Geneva Convention and other inconveniences.

Bullshit.

You want the real world?
The real world is run, to a very large extent, by corporations.
Corporations exist, their sole purpose is, BY LAW, to make money.
To make money, as constrained by the legal framework.
Corporations also must, under our system, continue to grow.
To grow endlessly.

There are only two ways for corporations to grow
1) By finding more ways to charge people more money for things
2) By changing the legal framework itself, to remove constraints on them making more money

A corporation is providing Internet voting in Markham not out of the goodness of its heart, not out of a passion for citizen involvement, but to make more money.

Delvinia is promoting the wonders of that Internet voting system because it was paid to.

Tobacco companies and their paid apologists promoted smoking, even when the evidence against them was damning and incontrovertable, because more smoking made them more money.

Carbon dioxide emitters and their paid apologists promote unrestricted carbon emissions, even when the climate change evidence against them is damning and incontrovertable, because emitting more carbon makes them more money.

Corporations hate, by their very nature, by their DNA, any activity that does not transfer money from the public to corporations. If they could charge us for thinking and breathing, they would.

Internet voting is not about getting more VOTERS it's about getting more MONEY from the government to voting technology CORPORATIONS.

Corporations that, as I have already noted, may have an interest in the outcome of the voting. Let's imagine that one party said they would eliminate the legal fiction of corporations as a person if elected, and the other would increase the rights of corporations and lower corporate taxes.

Now tell me, are you going to trust the corporate designed and run voting system to decide the outcome of that election?

But you don't even need to go to that extent.
Paying people to SAY stuff is much cheaper than paying people to DO stuff well.

How do I maximize profits at my corporation?
Make the cheapest, most quickly and half-assedly programmed system possible.
Don't pay to test it.
Don't pay security experts to evaluate it.
Don't bother with secure design at all.

Computer security COSTS MONEY.
Good computer security costs A LOT of money.
Corporations HATE SPENDING MONEY.

Instead, just pay some people to go out and say "hey, look at this wonderful system, it's improving your quality of life. It's yet another modern convenience, like the washing machine and refrigerator. It's all about serving you, the customer."

Who are you going to trust on electronic voting?
Paid corporate advocates?

Or neutral observers, with no financial incentive, who are trained security experts.

I am a trained computer security expert.
I make zero dollars from anyone for opposing electronic voting.
In fact, it costs me greatly in my own time to oppose it.

The reason I oppose it is that history teaches us that the integrity of our voting systems is always at risk. We have a good, cheap, transparent voting system.
To destroy that would be folly.

Everything in life is not a financial transaction, with a service provider and a client. Voting is not electronic banking, it's not paying your taxes, it's not selecting the latest reality show contestants online, it's not online gambling.

Voting translates voter INTENT into voter CONSENSUS through TRUST.
It's a civic duty. It's a free interaction between citizens and the society as a whole.

Internet voting undermines that trust.
There is no way to do secure, anonymous, independent Internet voting.
It. Is. Impossible.

To compromise a paper election, I must either compromise the ballots, the local counting, or the total tally. People understand security in the physical world extremely well. Any citizen (for that matter, any child) can understand the current paper-based voting system, and could explain to you clearly the small number of ways in which it could be compromised, and how to mitigate against those risks.

To compromise an Internet election, the easiest thing is for me to compromise the voter. This may be in charming ways, like a bottle of hard liquor in exchange for your voting code. Or in less charming ways, like holding a gun to your head and watching you vote the way I want.

I can also attack:
- the home computer
- the home computer software
- the computer network
- the corporate voting software
- the corporate vote counting software

Most citizens have not the faintest idea of the security risks involved, nor do they have the skills to rationally assess the risks. Many citizens, in fact, do not even own a computer, and instead of being empowered by Internet voting, are instead further marginalized.

Wow, that's a boon for democracy, that is.

I have written thousands of words in this blog about the folly that is Internet voting. I may, on my own free time, go back and find some of those links, for those of you too afflicted with apathy to bother to do a search.

If someone who is an actual neutral computer security expert would like to debate this issue, I would be more than happy to do so.

PS When carrying your paid advocacy over to Wikipedia, at least respect the Wikipedia rules and syntax. Thanks.

The ubiquitous Michael Geist had a good article last month, Time To Cast A Vote Against E-Voting

Democracy depends upon a fair, accurate, and transparent electoral process with outcomes that can be independently verified. Conventional voting accomplishes many of these goals - private polling stations enable citizens to cast their votes anonymously, election day scrutineers offer independent oversight, and paper-based ballots provide a verifiable outcome that can be re-counted if necessary.

While technology may someday allow us to replicate these essential features online, many of them are currently absent from Internet voting, which is subject to any number of possible disruptions, including denial of service attacks that shut down the election process, hacks into the election system, or the insertion of computer viruses that tamper with election results.

Electronic voting machines are similarly prone to error. Last year the City of Montreal implemented an electronic voting system that was later characterized as a "debacle" with delays, equipment malfunctions, and erroneous results. The City acknowledged that some of the electronic voting machines were "lemons" - voting too quickly caused the machines to breakdown, while 45,000 ballots were counted twice (an error corrected before the results were announced).

Both Internet and electronic voting are also unable to guarantee independent verification. Unlike paper, electronic votes are subject to manipulation, placing enormous power in the hands of the electronic voting machine companies who must ensure tamper-free results.

For general information about this event see Wikipedia - Ontario municipal elections, 2006.

I voted today in Ottawa, I believe the counting system is a Diebold Accuvote OS.

As I saw my ballot slide silently into the machine with its prominent "Accu Vote" logo, I thought about how these machines silently kill the humanity of the voting process.

Plus which, you get this flimsy paper "voting shield", which they still have to open up in case your ballot is upside down (in which case, they see who you voted for), or backwards (apparently the genius counting machine can't handle backwards ballots).
The whole thing makes you feel like voting is a slipshod yet automated process, neither of which should be the impression left with citizens.

I encourage you to vote today, if applicable.
If you don't like voting on these machines, the first step is to contact your city councilor and mayor, and make them aware of your displeasure, and also of the costs associated with voting machines.

I am also happy to re-print any experiences (positive or negative) you have had with voting machines today. Just send me an email and include a line to the effect of "you have my permission to reprint this report in your blog".

On a side note, I saw with dismay that TD Bank's exciting new ATM's are made by... Diebold. Oh great, now they're handling my money too.

The recent voting machine controversies/disasters in the US (and Quebec) have, finally, woken Canadians up to the potential problems from the use of electronic vote counting machines.

The response from government and thought leaders is, as far as I can tell "don't worry, can't happen here, completely different, hey, look, is that a pony?"

a computer is a computer is a computer
Go take a computer science course and learn about Mr. Turing, if you don't understand that. Any computer can be hacked. You can change the software, you can alter the firmware, you can compromise the hardware. Plus which, you can't tell through external inspection whether a machine has been altered. Which means you need a perfect chain of custody for the machine, 24x7x365.

Now of course, auditing every single machine down to the assembly code level, and securing them in an e-voting machine Fort Knox for the thousands of days when they're NOT being used, just to ensure that they work for about 12 hours on one day, would be enormously, prohibitively expensive. This would also be the actual cost of voting machines.

But that would interfere with the bulls--t about voting machines being modern and efficient and cost-saving. So no one actually does it. At best, some machines are sort of checked by someone, and we sort of trust the people who are handling them on election day, and then they go to some warehouse somewhere and we forget about them.

With that in mind, read the incorrectly cheerful Ottawa Citizen editorial comment City of Ottawa Technology gets my vote, November 6, 2006, page A14 (not available online)

David Reevely, The Ottawa Citizen

Sometimes the old ways are the best, and that's never been truer about anything than it is about voting.

Tick a paper ballot, drop it in a box, wait for it to be counted. Simple. It's worked for as long as we've had democracies. Efforts to update it have largely been failures.

Correct.

Under its old name [Global Election Systems, now part of Diebold], the company made the machines that Ottawa uses to count ballots in municipal elections. Ottawa's elections manager Shane Kennedy, who has overseen civic elections since 1994, is on his third using a tabulator called the Accu-Vote OS.

"We've used the same equipment all that time and it's been entirely successful," Kennedy says.

The machine looks a little like a fax: you slide your ballot in and it gets scanned and counted and spat out again. When the polls close, results are available in minutes, not the hours it used to take to count several hundred thousand pieces of paper. For the candidates, one way or the other, the drinking can begin immediately.

Although they're from the same manufacturer, Ottawa's machines bear none of the weaknesses the American critics point out.

"The hacking relates to touch-screen technology, primarily," Kennedy says in defence of Ottawa's machines. "It's a totally different animal."

None of the weaknesses? NONE OF THE WEAKNESSES? Wrong.
Did I mention that any system running computer code can be hacked?
Maybe not as easily as the crappy Windows touch-screens, but it's still possible.

Quebec's director-general of elections, Marcel Blanchet, examined Diebold's ES 2000, an updated version of the machines Ottawa uses, when he reviewed the province's municipal elections last year. Those elections saw an unprecedented deployment of e-voting machines across Quebec, and an unprecedented number of problems with them.

Things weren't bad enough to nullify any elections, Blanchet concluded, but he still advised that Quebec's cities stop using e-voting machines at least until the province sets standards of accuracy and security.

This is almost certainly overkill, especially for the simple tabulating machines. They need electricity and memory chips and they can jam, which ballot boxes don't, but other than that they're just fancy counting machines -- they don't replace the ballot itself, as touch-screen machines do.

Oh I see, they're just "simple tabulating machines". Sure, they have memory chips, but they're just "fancy counting machines".

FANCY COUNTING MACHINES?
What the f--k do you think a computer is?

If they're so simple, why not have humans count the votes? Why do we need simple technology to replace humans? But wait, they're fancy? If they're so complicated, aren't they vulnerable?

Machines have gears and levers and you have to be a mechanical engineer to compromise them, if you can alter their behavior at all. COMPUTERS have code. Any code can be changed.

In Ottawa's elections, the machines sit on tables out in the open, guarded by clerks and scrutineers. Before the machines could be hacked all the overseers would have to go bad together, and if that happened, the technology would be the least of our problems.

Another criticism of Diebold's touch-screen machines is that they don't make a paper trail. The only record that a voter has been in the booth is in the ephemeral form of electrons on a microchip: if somebody did crack open a machine and go to work on it, there'd be no other record to check the machine's results against. In Ottawa, Kennedy's returning officers at each poll keep the ballots in traditional boxes. If every tabulator failed, each ballot could still be counted by hand.

So, they machines are out in the open... during election day. And the other THOUSANDS OF DAYS they are unused? Where are they exactly? Are there clerks and scrutineers and overseers watching them, 24x7x365?

If every tabulator failed?
And how, exactly, are we going to know if the tabulator failed?
Will there be a flashing red light indicating "tabulator now failing to count ballots correctly"?

No. In fact, these "simple machines" betray no evidence of their internal workings.

Their only, ONLY saving merit is that IF YOU CHALLENGED THE COUNT, you could count the paper.

But if counting the paper is the last word in confidence, then

JUST USE PAPER AND HAND COUNT

But wait, there's more
CFRA - City Defends Voting System - November 8, 2006

The City of Ottawa insists the electronic voting system for Monday's Municipal Election is safe.

Ottawa's Elections Office has issued a memo to all councillors and candidates after a recent documentary into the electronic tabulation system used in the United States.

The HBO documentary raises the possibility that an election system could be accessed with intent to alter the outcome of the vote tabulation.

The City Clerk says Ottawa's preparations for the municipal election by electronic vote have met the standards imposed by an independent third party auditor in the past and those standards are in place for this year's election.

The clerk adds security standards put in place by the municipal election administration make it impossible to hack into the system to access memory cards.

1. What standards? What auditor? Who decided the auditor was qualified and trustworthy? For this election? What about previous ones?
2. "impossible to hack"? hahah ahahahahahahaaha

I challenge the City of Ottawa to invite teams of actual computer security experts, using actual computer security standards, to openly do a threat-risk assessment on the voting system. I can guarantee it is not "impossible to hack".

Plus which, an auditor is a lot of extra expense, then re-assuring citizens reduces confidence in the elections, gee, this is a lot of hassle and money.

You know what would be cheaper and easier?

JUST USE HAND-COUNTED PAPER

I will be writing to both the Ottawa Citizen, CFRA and to my city councilor (before and after the election).

The electronic voting perspective on recounts seems to be
1) they will be easy
2) (perhaps) they happen rarely

But what's important recounts is not how quickly they happen (in fact, "speed" is an odd thing to make paramount in vote counting). What is important is how confident the people are in the result.

Anyone can understand a paper ballot recount, and the routes for challenge are quite limited. This is important, because elections ultimately transfer power from many people, to one. There are over 400 House seats in the US, and about 300 million citizens. That's a huge transfer of power, from hundreds of millions, to hundreds.

The routes of challenge for electronic vote counts are almost limitless.
You could challenge:
1) the manufacturer
2) the programmers
3) the software
4) individual machines
5) the people managing the machines on voting day
6) voters - potential hacking by individual voters
7) chain of custody on the machines or the memory cards

And probably more I haven't though of.
And even worse, many of those challenges are almost impossible to resolve.

This is bad, because close elections requiring recounts actually happen ALL THE TIME.

Gosh, if only this could have been predicted.
Oh wait, everyone who understands e-voting did predict this.

After warnings that electronic voting could cause trouble in Tuesday's U.S. elections, there are signs of "what now appears to be a growing debacle," the CBC's Henry Champ reports from Washington.

By mid-afternoon, officials in at least three jurisdictions — Denver, Colo., Muncie, Ind., and Davidson County, Tenn. — were asking federal judges for extended voting hours because, they said, voting machines in their areas have not functioned and they cannot handle the numbers of voters at the polls without more time.

Seventy-five precincts in Indiana — considered a bellwether state — failed to open on schedule because machines malfunctioned. In Cleveland, where there were problems with new machines in September's party primaries, things seemed no better.

"Again the same problem," Champ said. "Machines and machine supervisors unable to get the operations underway. Voters piling up in the doorways."

CBC News - Electronic voting shapes up as election debacle - November 7, 2006

DailyKos has a story Vote by mail is the answer.

Umm.
Here's my opinion.

* Internet voting - so many things wrong with this I can't even begin.
* Electronic touchscreen - the absolute worst in-person voting. You have no idea what was recorded for your vote, and neither does anyone else.
* Scanned paper ballot - this is the least-worst electronic option, only because in the event of complaint, the paper could be counted. It still suffers from the other electronic flaws - malicious or accidental error could alter the vote counts. Also if the ballots are stacked one-by-one as they're scanned, you could in theory figure out who voted for whom.

* Vote by mail and Internet voting actually share common flaws:
1) No more secret ballot. Anyone can watch you vote. If they like, they can threaten you until you vote how they want.
2) Weak authentication. Someone got a voting code or ballot and voted. Maybe it was you. Maybe it wasn't.
3) Less connection with the vote gathering, chain-of-custody and counting process. Your votes go somewhere, and are counted by someone. Are they organized? Supervised? You don't get to see, unless you specifically make the effort, and probably you don't get to watch the chain-of-custody, only the final count. Any time chain-of-custody is interrupted, there is potential for fraud - in fact, that's how they tried to steal the paper-ballot, hand-counted Presidential election on Battlestar Galactica.

* Vote using paper secret ballot in public, with hand-count afterwards.
The public secret ballot is actually a remarkably well-tuned voting system.
I can't think of any that is better. No one knows how you vote. Chain of custody is usually right in front of your eyes. Anyone can see the votes counted. A child can understand how the system works.

I have written lots more on this topic previously in this blog.

Yet it seems to work when our mighty technology fails.

Programming errors and inexperience dealing with electronic voting machines frustrated poll workers in hundreds of precincts early Tuesday, delaying voters in Indiana, Ohio and Florida and leaving some with little choice but to use paper ballots instead.

In Cleveland, voters rolled their eyes as election workers fumbled with new touchscreen machines that they couldn't get to start properly until about 10 minutes after polls opened.

"We got five machines -- one of them's got to work," said Willette Scullank, a troubleshooter from the Cuyahoga County, Ohio, elections board.

In Indiana's Marion County, about 175 of 914 precincts turned to paper ballots because poll workers didn't know how to run the machines, said Marion County Clerk Doris Ann Sadler. She said it could take most of the day to fix all of the machine-related issues.

CNN - AP - Polling places turn to paper ballots after glitches - November 7, 2006

These places spent thousands of dollars on electronic voting machines, only to end up voting on paper anyway. You know what would be dramatically easier and cheaper?

JUST USE PAPER

This cautionary documentary exposes the vulnerability of computers - which count approximately 80% of America's votes in county, state and federal elections - suggesting that if our votes aren't safe, then our democracy isn't safe either. Premieres Thursday, November 2 [2006] at 9pm.

http://www.hbo.com/docs/programs/hackingdemocracy/

indirectly via Slashdot Diebold Demands That HBO Cancel Documentary /.

In one week, more than 80 million Americans will go to the polls, and a record number of them--90%--will either cast their vote on a computer or have it tabulated that way. When that many people collide with that many high-tech devices, there are going to be problems. Some will be machine malfunctions. Some could come from sabotage by poll workers or voters themselves. But in a venture this large, trouble is most likely to come from just plain human error, a fact often overlooked in an environment as charged and conspiratorial as America is in today. Four years after Congress passed a law requiring every state to vote by a method more reliable than the punch-card system that paralyzed Florida and the nation in 2000, the 2006 election is shaping up into a contest not just between Democrats and Republicans but also between people who believe in technology and those who fear machines cannot be trusted to count votes in a closely divided democracy.

Can This Machine Be Trusted? - Time - October 29, 2006

AMSTERDAM, Netherlands Voters in Amsterdam and 34 other Dutch cities may be using paper and pencil instead of computerized voting machines in national elections next month.

The government on Monday banned the use of one common type of computer voting machine, fearing that secret ballots may not be kept secret. It ordered a review of all electronic machines after the Nov. 22 election.

Government Renewal Minister Atzo Nicolai said the move was necessary after an investigation found the machines made by Sdu NV emitted radio signals that a technology-savvy spy could use to peek at a voters' choices from a distance of up to several dozen meters (yards).

"What can be detected is the image on the screen that's visible to the voter, by which his voting could be monitored," Nicolai said in a letter to parliament.

"In short, the machines made by the company Sdu can now be tapped, and there are no technical measures that can be taken before the upcoming elections that would prevent this tapping and guarantee the secrecy of the ballot."

He said he had revoked the permits for all the machines, about 10 percent of all voting machines used in the country.

A sample of the other machines used in next month's vote will be tested before the results are certified to ensure against fraud, Nicolai said.

The turnabout came after a group called "We Don't Trust Voting Computers" protested the vulnerability of electronic voting to fraud or manipulation.

Dutch government scraps plans to use voting computers in 35 cities including Amsterdam - IHT - AP - October 30, 2006

via Slashdot Voting Machines Banned by Dutch Minister /.

Daytona Beach -- Early voting was delayed in Volusia County for about an hour and 15 minutes Saturday morning after a transformer blew and knocked out power to the City Island Library in Daytona Beach.

Elections Supervisor Ann McFall said the polling place was closed after the electricity went out about 9:55 a.m. The power didn't come back until about 1:30 p.m. but residents were allowed to vote after about 11 a.m. Elections officials opened windows to let in light and checked voter registrations by calling the elections office in DeLand using cellular telephones. The site remained open later, as well.

Officials discovered another problem Saturday night -- the ballot count was off by 20 votes.

McFall said votes cast during the power outage were stored in one compartment of the vote-collection box, where they were supposed to be held until they could be fed into the electronic-vote counter. Twenty ballots likely spilled into another compartment, where counted votes are kept.

She said she plans to recount those ballots Nov. 5, when she also will recount ballots cast on Thursday at the DeLand elections office because the vote count there was off by one.

Now imagine a power outage say, in the middle of US voting day.
With thousands of people waiting to vote on exciting modern touch-screen electronic machines. None of which, I can pretty much guarantee, have power backup.
Plus which, I'm guessing the machines handle a sudden power outage with all the grace of most computer systems - damaged files, corrupted databases, errors on memory cards.

Power outage delays voting - Orlando Sentinel - October 29, 2006

as midterm [US] elections approach this November [2006], electronic voting machines are making things worse instead of better. Studies have demonstrated that hackers can easily rig the technology to fix an election - and across the country this year, faulty equipment and lax security have repeatedly undermined election primaries.

from Will The Next Election Be Hacked? by Robert F. Kennedy, Jr. in the October 04, 2006 issue of Rolling Stone (issue #1010).

On October 24, 2006 the Chief Electoral Officer of Quebec released a report (in French only) "Report on the Evaluation of New Methods of Voting". In a press release, three root causes of problems with electronic voting machines in the 2005 municipal elections were identified:

* an imprecise legislative and administrative framework
* absence of technical specifications, norms and standards
* poor management of voting systems (especially lack of security measures)

He has recommended that the current moratorium on the use of these systems be maintained, and leaves it up to the provincial legislature to decide whether or not to use electronic voting in future.

(Above information copied from my additions to Wikipedia - Electronic voting in Canada.)

This was reported in the Canadian press starting on the 24th, see e.g.

RDI (French) - Des scrutins à jamais entachés - October 24, 2006 (includes links to videos)

CBC (English) - Electronic voting blamed for Quebec municipal election 'disaster' - October 25, 2006

In a new report on problems with Quebec's 2005 municipal election, chief electoral officer Marcel Blanchet targets the electronic voting system used to collect and count the votes.

The election was an expensive disaster marked by errors, which produced inaccurate numbers and unreliable results, the report said. And the new electronic system is to blame, it adds.

The full report (French only) is Élections municipales de novembre 2005 - Rapport d’évaluation des nouveaux mécanismes de votation (PDF, 3.2 MB). There are also Appendices (PDF: 3.4 MB / 120 pages).

There are more links at DGEQ News - Report on the Evaluation of New Methods of Voting.

Previously:
November 27, 2005 Montreal's electronic vote: what went wrong
November 13, 2005 articles about the Quebec election / articles concernant l'élection au Québec
November 13, 2005 Electronic counting fails Quebec

Lou Dobbs has been doing a great job of reporting on the dangers of electronic voting. Unfortunately it's difficult to find most of the reports on CNN.com, but as luck would have it, the transcript of his one-hour special "Democracy at Risk" is available.

http://transcripts.cnn.com/TRANSCRIPTS/0610/29/ldt.03.html

He and his team covered all the major angles, exposing the many risks.

I was interested to hear that Montana insists on either hand-counted paper ballots (the best option) or optically-scanned paper ballots (the second best option).

In a deeply misguided move, Peterborough Ontario will be providing Internet voting in the 2006 municipal election.

I quote:

Internet Voting = No long line-ups, no traffic, no bad weather days!

Hmm, my slogan would go more like:

Internet Voting = no proof that people have voted, no ballots you can recount, plus I can stand with a gun to your head as you vote!

Oh also, I can potentially easily tell who voted for whom even if I'm not watching you, thanks to the convenient online voter database that is needed.

http://www.peterboroughvotes.ca/

They will be using Dominion Voting Systems.

via Electronic voting in Canada

After the 2000 US presidential election and its scads of hanging chads, election officials across the country began casting about for solutions. One proposal included getting rid of those pesky paper ballots altogether and going with electronic voting machines. It sounds good in theory, but as a friend of mine once said, "do that and we'll find out who hackers want to be president."

A group of computer science professors are joining the forces critical of electronic voting machines as they are currently deployed. Eugene H. Spafford, a computer science professor at Purdue University and chairman of the U.S. Public Policy Committee of the Association for Computing Machinery has expressed his concerns over the security of electronic voting machines used in the US. "As experts in computing, we have grave reservations about the safeguards in place with many of the computerized voting technologies being used," said Spafford in a letter to Rep. Vernon Ehlers (R-MI), chairman of the Committee on House Administration.

Ars Technica - Computer scientists weigh in on e-voting - July 20, 2006

http://www.usenix.org/events/evt06/
August 1, 2006, Vancouver, B.C., Canada

EVT seeks to bring together researchers from a variety of disciplines, ranging from computer science and human factors experts through political scientists, legal experts, election administrators, and voting equipment vendors. The workshop will include short paper presentations as well as vibrant panel discussions with substantial time devoted to questions and answers. Attendance at the workshop will be open to the public, although speakers and presentations will be by invitation only.

CFP deadline April 3, 2006

EVT '06 will be co-located with the 15th USENIX Security Symposium (Security '06), July 31–August 4, 2006.

I mentioned in previous postings about the Quebec 2005 municipal electronic voting problems that Bell was also a supplier (although, AFAIK, not implicated in the issues that were reported). (For more info on that situation, see previous postings list of voting machines used in Quebec municipal elections 2005 and Montreal's electronic vote: what went wrong.)

I couldn't find a Bell link at the time, but I finally ran across one. Quite a splash they have across their page. Starts with a teaser



that leads to a full page of info. I particularly liked their list of e-voting benefits

Electronic compilation of results

The electronic compilation devices used by Bell Business Solutions ensure efficiency, thoroughness and integrity throughout the voting process, whether for a municipal or school board election, referendum or any other consultation.

Simplified functions

* Simple and quick voting process
* Objective counting of ballots (with no human involvement)
* Major reduction of electoral staff
* Fewer duties for electoral staff
* Fast disclosure of results

Let's see, so in summary: it's fast and there are fewer people. Ah. Efficiency! How we worship you! Our voting must now be PRODUCTIVE! Maybe we should eliminate humans from the voting process altogether, and let the machines objectively decide our fate.

Objective with no human involvement?
Um, so the machines programmed themselves did they?

What you mean is, some computer code written by humans you don't know, in the United States, not reviewed by any humans in Canada, will decide the results of the election according to their programmed whims, with no humans to verify the results.

Ah, progress!

They used the Accu-Vote ES, which is a mark-sense reader

Accu-Vote ES electronic ballot box

The Accu-Vote ES system uses an optical reader to record votes on a memory card as ballots are being cast. It considerably simplifies the electoral process for everyone involved and guarantees that the final results will remain secret until the polls close.

In Québec, since 1995, more than 120 cities and municipalities have successfully used vote counting devices. More than 4 million ballots have been recorded by voters during these elections.

The Accu-Vote is made by everyone's favorite reliable, trust-worthy electronic voting machine company: Diebold. Here's a look at their Accu-Vote OS scanner.

Unknowns:
- are there any Canadian standards these machines were tested against?
- were these machines tested against any US standards?
- does anyone test these machines at all?
- are these machines Bell owns, or do they lease them from the US?
- who guards these machines when they're not in use?

Bell: Elections made simple

Err, simpler than humans marking an X on paper and then humans counting it?

Who said elections were complicated?
How about elections maintained completely trustworthy and accurate?

I leave you to contemplate the shiny map of electronic vote-counting progress

Workshop on Electronic Voting and e-Government in the UK
27 February, 2006 09:00 AM - 28 February, 2006 05:30 PM
e-Science Institute, 15, South College Street, Edinburgh

Mass-scale systems intended to deliver e-Government in a democratic context pose a range of under-explored design problems. In particular, we are far from having identified a core set of requirements for such systems. The need for confidentiality, privacy, transparency, accountability and user control are all critical to the success of such systems yet we are still far from determining how to implement such requirements and how the design of such systems will affect user behaviour. In this workshop we aim to address these very broad issues in general together with a more focused examination of e-voting as an exemplar of e-government systems.

Turnout in Jan 2006 Federal election was 64.9% according to current results on http://enr.elections.ca/National_e.aspx

According to http://www.elections.ca/scripts/OVR2004/23/table4.html the turnout has been:

2006 64.9%
2004 60.9%
2000 61.2%
1997 67.0%
1993 69.6%

My idea of office voting wouldn't work due to people being from many different ridings, too complicated.

I say:
1. Make it a holiday
2. Make it mandatory to vote

A Canadian federal election has been called for Monday January 23, 2006.

More information at Elections Canada.

For background info on this 39th general election, see the Wikipedia entry Canadian federal election, 2006.

Canadians, GO VOTE.

I was interviewed by PC World Canada for a piece on electronic voting.

E-voting: Death of the ballot or ticking time bomb?

I don't think I gave a great interview, I should have written some talking points, I was kind of all over the map with needlessly complex or vague explanations.
I think the article accurately reflects what I said.

I do completely disagree with a statement by Joe Church, president of CanVote.

When asked about these issues, Church points out that their systems have been thoroughly tested and that mock elections, held by municipal officials prior to the actual election, have proven to be 100 percent reliable. Aside from these, Church also points out that the convenience and increased voter turnout overcome the security concerns that some people may have.

Um, yeah, I can make my voting machine 100 percent reliable in a mock election too.
The pseudocode looks like this:


if (mockelection) then
  produce correct results
else
  produce desired false results


Elections aren't supposed to be convenient. We're not election consumers. Elections are a CIVIC DUTY as CITIZENS. Making getting to the polls easier is fine - have advance polls, polls in people's workplaces, that's all good.

If you want increased voter turnout then
1. try to figure out why voter turnout is low, then fix that
2. if that doesn't work, make voting mandatory

I don't at all like this "young people vote in Canadian Idol, why not make the election like that?"

Um, because the election is not supposed to be some easy, meaningless act of consumer entertainment.