Politics: Verified Vote Counting
You'd demand a receipt for cash, and you should demand one for votes. Actually, you can't walk away with a receipt, because that could be used as proof in a vote-buying scheme. But something like a receipt could be left in the physical control of the voting process.
In a sense, a receipt is nothing more than reasonably-hard-to-fake physical evidence of a transaction. We demand such evidence when there is likely to later be disagreement over the details of the transaction. With unverified electronic voting, there is no evidence. It is your word against that of the owner of the voting machine company (who, by the way, may be a big GOP donor).
For a couple hundred years, Americans voted with paper ballots. The ballots were created in a printing-press-based process which inherently made the ballots equivalent. Poll workers ensured that only registered voters got a ballot. The voter marked the ballot, folded it, and shoved it through a slot into a wooden ballot box. Boxes were sealed, collected and transported to a safe counting site. There, the boxes were opened, the ballots read and counted, and the results tallied. Totals for an entire election were collated centrally and then reported.
The winners then got to control lives and fortunes, backed by the full weight of our law enforcement and military services.
The power transfer implications of elections are enormous. Thus there are enormous incentives to cheat. Every step of the way has been rigged, defrauded, and abused at one time or another. The only thing keeping it workable at all has been the mutual agreement among competing camps that they would keep a wary eye on each other. Thus, we have multiple poll watchers, multiple people guarding the ballot boxes at every step, and multiple eyes examining the ballots and tallying the results.
It is possible to do this in thousands upon thousands of local elections (with national implications) because the technology is simple and obvious:
Under electronic voting all this changes. The incentives to cheat are still there, but the traditional safeguards are useless. Worse than useless, actually, because they can give a semblance of honesty while skullduggery is rampant beneath the surface.
As an Electrical Engineer and as a Computer Scientist, I am confident that given a chance I could rig blackbox electronic elections at each of the steps noted above. Yet I'm a rank amateur compared to the people who (for a fee) can rig elections on behalf of powerful interests. Remember, they only have to crack one step in the process, not all of them. Like any good stage magician, they may well ensure our attention is focused on one step while they work their "magic" on another.
Is this just conspiracy theory speculation? Many computer scientists, legal scholars, political scientists, and political activists are concerned. These sites tell the basic story:
Yet despite serious concerns, the various Secretaries of State are charging forward with electronic, unverified voting. http://www.nass.org/issues.html
This is not an arm's length arrangement. From their FAQ: (http://www.nass.org/faqs.html#nine)
Q: How can a company become a NASS corporate affiliate?
It is perhaps no coincidence that Sequoia, the vendor chosen for Snohomish County, is a NASS affiliate.
2004-09-22 Furthermore... http://seattlepi.nwsource.com/opinion/191790_voting22.html
Former President Bush (recent senior adviser to the Carlyle Group, a partner of the parent company of Sequoia).
Each state and county has its own problems and opportunities. I'll speak only to Washington State, Snohomish County.
See also: Snohomish.
Why do proposed solutions revolve around Open Source Software (OSS)?
The task is to make tampering uneconomical. Since the payoff for a rigged election is trillions of dollars in wealth transfers from losers to winners, there is a steep price on what is "adequately secure". If we are to use electronics and computing at all, we need a combination of hardware, firmware, and software that is secure against multi-billion dollar efforts to hack, manipulate, rig, etc.
Hardware, firmware, and software are defined in bits and bytes ("binaries"). Humans generally can't read binaries, so we write in human-readable formats ("source"), and use tools ("compilers") to generate the binaries. Once we have a single good copy of the binary, we need to replicate it safely to each voting machine, assure that we have done so, and load it safely into running condition.
Each step needs to be protected from tricks. As Ken Thompson pointed out, you can process OK source with a seemingly OK compiler, yet get tainted binaries (http://www.acm.org/classics/sep95/). You can also start with OK binaries and get a tainted running system if the copy, comparison, or loading mechanisms are manipulated. In other words, we need a trusted chain from source to running system.
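One way to carry out the "replicate it, then assure that we have done so" step, as an added example (not from the original page or from any voting system): record a SHA-256 digest for every file of the reference build, then compare each machine's copy against that manifest, reporting modified, missing, and unexpected files. The file names and contents are constructed sample data, and the check is only as trustworthy as the machine and tool that run it, so it is assumed to run from independently trusted media.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def tree_digests(top):
    """Map relative path -> SHA-256 for every regular file below `top`."""
    top = Path(top)
    return {p.relative_to(top).as_posix(): sha256_file(p)
            for p in top.rglob("*") if p.is_file()}

def verify_copy(manifest, machine_dir):
    """Return sorted (problem, path) findings; an empty list means an exact copy."""
    actual = tree_digests(machine_dir)
    findings = [("missing", p) for p in manifest if p not in actual]
    for path, digest in actual.items():
        if path not in manifest:
            findings.append(("unexpected", path))   # file the reference build lacks
        elif manifest[path] != digest:
            findings.append(("modified", path))     # same name, different bytes
    return sorted(findings)

def demo():
    """Constructed sample data: a reference image, an exact copy, an altered copy."""
    files = {"vote.bin": b"tally-v1", "boot.cfg": b"kernel=vote.bin\n"}
    with tempfile.TemporaryDirectory() as tmp:
        dirs = {n: Path(tmp, n) for n in ("reference", "good", "altered")}
        for d in dirs.values():
            d.mkdir()
            for name, data in files.items():
                (d / name).write_bytes(data)
        (dirs["altered"] / "vote.bin").write_bytes(b"tally-v1 ")  # one byte added
        (dirs["altered"] / "hook.bin").write_bytes(b"x")          # not in reference
        (dirs["altered"] / "boot.cfg").unlink()                   # removed file
        manifest = tree_digests(dirs["reference"])
        return (verify_copy(manifest, dirs["good"]),
                verify_copy(manifest, dirs["altered"]))

if __name__ == "__main__":
    print(demo())
```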
One way to increase trust is to use a hard-to-manipulate item which was designed prior to and separate from interest in vote rigging. Another way is to make the mechanisms visible to everyone (to expose tricks) and allow everyone to propose fixes (to eliminate the tricks).
Hardware is difficult to manipulate. If it is high-volume mask-built (e.g., an AMD or Intel CPU chip), it just isn't worth the effort to stick in a special hook for vote rigging. But if it is EEPROM or FPGA, then it is a lot easier to hack. Sometimes the chip can be pulled out of the socket and replaced by another hacked chip (e.g., when voting machines are unguarded). Sometimes it can be modified in place with special signals to unused pins (this may require specifications known only to the vendor). As a practical matter, if we use randomly chosen commodity hardware and protect it from election-specific tampering, we have reasonable protection.
Software, on the other hand, is trivially modifiable. It is a mere joke to put "easter eggs" in closed source software. Well-financed and ill-intentioned efforts can thus be expected to be in all closed source software. The only hope is to make the software visible to everyone, thus exposing the tricks, and to allow everyone to propose improvements, thus eliminating tricks. This is in the spirit of the current Legibility And Accuracy Tests (LATs), where observers can watch the election mechanisms to assure they are as-advertised.
The problem is that this level of visibility and modifiability is impossible with proprietary software. A vendor would insist on some limited set of observers, or would require a Non Disclosure Agreement (NDA), or would attempt to limit access by copyrights, patents, etc. The only legal mechanism for this level of visibility is Open Source Software.
Open source is source which can be read, edited, changed, and passed along without fees, restrictions or legal encumbrances. The formal definition of Open Source is available from OSI (http://www.opensource.org/docs/definition.php). OSI tracks specific legal licenses which meet this definition.
If the source compiles to instructions which create chips (ASIC, masked ROM, PROM, FPGA technologies), it is called hardware definition or design. Open Hardware is the world of shared specifications, shared schematics, VHDL and Verilog models, FPGA designs, etc. Tools and actual designs can be found at: http://opencollector.org/
If the source compiles to instructions which are stored permanently (nanocode, microcode, ROMs, PROMs) or semi-permanently (EEPROMs and EPROMs), it is called firmware. This is the typical treatment of the BIOS (Basic I/O System).
If the source compiles to instructions which are maintained on secondary memory (e.g., flash-cards, hard-drives, EEPROMs) and then copied into primary memory at load time, it is called software. This is the world of OSes (Operating Systems), libraries, services, and user applications (including voting systems).
Even hardware could be open sourced (e.g., with FPGA-based CPUs) but that may not be needed for now. Hard-to-manipulate hardware is available in the form of randomly chosen motherboards.
Open Source Software provides everything else. OSS BIOSes are available. Commodity Linux installations provide development environments which can bootstrap tool chains on new hardware from raw machine code on up. This tackles Thompson's tricky-compiler problem. It also tackles problems in the copy, comparison, and loading mechanisms.
Once you have a trusted environment, you can implement OSS voting software. Reference systems are already available: http://www.openvotingconsortium.org/
Having done that, you can practice (beta test) anywhere and everywhere. PTA meetings, cub scout packs, church groups. Anyone who wants to do an election, for any reason, can use the system. No fees, no licenses.
Why is this important? Because all automated systems have bugs and only repeated use in varied settings will flush them to the surface. We can't afford to use our national elections as beta tests of proprietary systems.
Further, this sharing could grow a grassroots understanding of the care and use of the system. It will no longer be something that partly trained poll workers face only once every year or so. One of the crucial lessons from past evoting is that poor precincts had significantly more system failures than richer precincts. State and county officials also responded more rapidly to system outages in the richer precincts. This results in a statistically significant, politically biased disenfranchisement.
If it is that tricky, why use electronics at all? Why not go back to pure paper ballots? This is being done in some places. Bob Terwilliger promised to provide an estimate of the support staff needed. We might need hundreds of volunteers for Snohomish County, but I think they are available. This issue has galvanized people.
While this seems Luddite, it actually makes sense. Elections are about trust, and perhaps only a personal face-to-face hands-on process can restore trust in the elections at this point.
Make voting day a national holiday, we will all meet in large social gatherings to manually count all our votes. That's right NO MACHINES AT ALL! This would literally put the power of our votes back in the hands of the American citizens, rebuild our sense of citizenship and community and totally remove current corporate control of our votes. And we would save a huge amount of money...and get all our votes counted much faster than 10 days.
In Washington State, we can do paper absentee ballots. This gives a paper trail for recounts, even if the original count is via uncontrolled software. Therefore, the various political groups and meetups are helping each other (and their neighbors) get signed up for absentee ballots.
If you are not registered, fill out the normal voter registration form and check "Yes" for On-going Absentee Ballot. See http://www.secstate.wa.gov/elections/register.aspx
If you are already registered, use On-going Absentee Ballot from: http://www.co.snohomish.wa.us/auditor/AudCommon02-Forms.asp#Election
As for technologically aware poll watchers, I've crossed paths with quite a few concerned newly-politicized computer scientists, programmers, and engineers in local political meetings. Yet they are sometimes unaware of the traditional ways to rig elections (and the safeguards needed). Poll watchers, on the other hand, tend to be long-time party members who are watchful for traditional frauds but are unaware of the new threats. We need a mix of the two skills.
Try to get paper trails established, and try to get verifiable software installed. The GOP has successfully stalled long enough to make this difficult, but it is possible. I don't have definitive solutions here, but some avenues are described in:
We need to elect politicians who work toward honest elections.
Rep Holt has taken the lead: http://holt.house.gov/issues2.cfm?id=5996
Our Sec of State is Sam Reed. He is a Republican. He has not protected Washington voters from unverified voting. It may be time for fresh ideas.
2004-06-02 The Democrats are putting up 2 candidates, who attended the candidates forum at the Everett Library DFA session this evening.
Bob Terwilliger is a Democrat. He is required by law to use mechanisms certified by the Sec of State (which he did). He chose and appears to be proud of choosing Sequoia (http://www.sequoiavote.com/mediadetail.php?id=61). However, there are rumors he realizes the unverified voting is a serious problem, and may be amenable to changes.
Creator: Harry George