boats

Politics: Verified Vote Counting

  Home

  

Table of Contents

See also News

1. Is there a Problem?

You go to the bank and deposit $1000 cash. The bank has a history of cheating customers. The teller does not provide a receipt. Instead he/she points to a brochure which says "We will not tell you what we do in the backroom, but trust us."

Would you walk away confident that your next bank statement will properly show $1000 deposited?

You'd demand a receipt for cash, and you should demand one for votes. Actually, you can't walk away with a receipt, because that could be used as proof in a vote-buying scheme. But something like a receipt could be left in the physical control of the voting process.

In a sense, a receipt is nothing more than reasonably-hard-to-fake physical evidence of a transaction. We demand such evidence when there is likely to later be disagreement over the details of the transaction. With unverified electronic voting, there is no evidence. Your word against the owner of the voting machine company (who by the way may be a big GOP donor).

1.1. Historical

For a couple hundred years, Americans voted with paper ballots. The ballots were created in a printing-press-based process which inherently made the ballots equivalent. Poll workers assured only registered voters got a ballot. The voter marked the ballot, folded it, and shoved it through a slot into a wooden ballot box. Boxes were sealed, collected and transported to a safe counting site. There, the boxes were opened, the ballots read and counted, and the results tallied. Totals for an entire election were collated centrally and then reported.

The winners then got to control lives and fortunes, backed by the full weight of our law enforcement and military services.

The power transfer implications of elections are enormous. Thus there are enormous incentives to cheat. Every step of the way has been rigged, defrauded, and abused at one time or another. The only thing keeping it workable at all has been the mutual agreement among competing camps that they would keep a wary eye on each other. Thus, we have multiple poll watchers, multiple people guarding the ballot boxes at every step, and multiple eyes examining the ballots and tallying the results.

It is possible to do this in thousands upon thousands of local elections (with national implications) because the technology is simple and obvious:

  1. Once a paper ballot goes to the printer, it looks the same for each voter. It may be tedious to setup and print the tailored ballots for each jurisdiction, but at least we know no one made a special fake ballot just for Democrats or Republicans.

  2. Once a paper ballot is marked, its markings do not magically change to another choice. There is some erasure or scuffing to be detected.

  3. Once a ballot is in a box, it does not magically disappear. Nor do other ballots magically appear without having passed though the slot in the top under the watchful eyes of poll workers.

  4. Once a box is sealed and under the care of two or more competing parties, it does not magically change its contents before being opened.

  5. After the box is opened, it is straightforward to read each ballot with multiple eyes, assuring agreement among competing poll workers. Sure, there can be smudges and blanks and crossouts and double markings. But these do not lead to wholesale elimination of significant numbers. And in each case, everyone involved agrees the troubled ballot is troubled.

  6. After the initial tallies have been made, they can be carried to a central site for further summation. The numbers do not magically change while in route.

  7. Once the results are summarized, they can be reported to everyone without fear that they will magically change, or even appear differently to different members of the community.

  8. If there are problems or suspicions of problems, the ballots are still there, under lock and key, ready for recounting under even more watchful eyes.

1.2. Electronic

Under electronic voting all this changes. The incentives to cheat are still there, but the traditional safeguards are useless. Worse than useless, actually, because they can give a semblance of honesty while skullduggery is rampant beneath the surface.

As an Electrical Engineer and as a Computer Scientist, I am confident that given a chance I could rig blackbox electronic elections at each of the steps noted above. Yet I'm a rank amateur compared to the people who (for a fee) can rig elections on behalf of powerful interests. Remember, they only have to crack one step in the process, not all of them. Like any good stage magician, they may well assure our attention is focused on one step while they work their "magic" on another.

Is this just conspiracy theory speculation? Many computer scientists, legal scholars, political scientists, and political activists are concerned. These sites tell the basic story:

Yet despite serious concerns, the various Secretaries of State are charging forward with electronic, unverified voting. http://www.nass.org/issues.html

This is not an arm's length arrangement. From their FAQ: (http://www.nass.org/faqs.html#nine)

Q: How can a company become a NASS corporate affiliate?

A: As a non-profit organization, NASS relies on financial support from public and private partners. The association offers a number of membership packages for corporate affiliates, including automatic conference registrations and Web site listings.

It is perhaps no coincidence that Sequoia, the vendor chosen for Snohomish County, is a NASS affliate.

2004-09-22 Furthermore... http://seattlepi.nwsource.com/opinion/191790_voting22.html

Former President Bush (recent senior adviser to the Carlyle Group, a partner of the parent company of Sequoia).

2. What's the current situation?

Each state county has its own problems and opportunities. I'll speak only to Washington State, Snohomish County.

2.1. Washington

2.2. Snohomish County

See also: Snohomish.

3. Why Open Source?

Why do proposed solutions revolve around Open Source Software (OSS)?

3.1. Overview

The task is to make tampering uneconomical. Since the payoff for a rigged election is trillions of dollars in wealth transfers from losers to winners, there is a steep price on what is "adequately secure". If we are to use electronics and computing at all, we need a combination of hardware, firmware, and software that is secure against multi-billion dollar efforts to hack, manipulate, rig, etc.

Hardware, firmware, and software are defined in bits and bytes ("binaries"). Humans generally can't read binaries, so we write in human-readable formats ("source"), and use tools ("compilers") to generate the binaries. Once we have a single good copy of the binary, we need to replicate it safely to each voting machine, assure that we have done so, and load it safely into running condition.

Each step needs to be protected from tricks. As Ken Thompson pointed out, you can process OK source with a seemingly OK compiler, yet get tainted binaries. (http://www.acm.org/classics/sep95/). You can also start with OK binaries and get a tainted running system if the copy, comparison, or loading mechanisms are manipulated. In other words we need a trusted chain from source to running system.

One way to increase trust is to use a hard-to-manipulate item which was designed prior to and separate from interest in vote rigging. Another way is to make the mechanisms visible to everyone (to expose tricks) and allow everyone to propose fixes (to eliminate the tricks).

Hardware is difficult to manipulate. If it is high-volume mask-built, (e.g., an AMD or Intel CPU chip), it just isn't worth the effort to stick in a special hook for vote rigging. But if it is EEPROM or FPGA, then it is a lot easier to hack. Sometimes the chip can be pulled out of the socket and replaced by another hacked chip (e.g., when voting machines are unguarded). Sometimes it can be modified in place with special signals to unused pins (this may require specifications known only to the vendor). As a practical matter, if we use randomly chosen commodity hardware and protect it from election-specific tampering, we have reasonable protection.

Software on the other hand is trivially modifiable. It is a mere joke to put "easter eggs" in closed source software. Well financed and ill-intentioned efforts can thus be expected to be in all closed source software. The only hope is to make the software visible to everyone, thus exposing the tricks, and to allow everyone to propose improvements, thus eliminating tricks. This is in the spirit of the current Legibility And Accuracy Tests (LATs), where observers can watch the election mechanisms to assure they are as-advertised.

The problem is that this level of visibility and modifiability is impossible with proprietary software. A vendor would insist on some limited set of observers, or would require a Non Disclosure Agreement (NDA), or would attempt to limit access by copyrights, patents, etc. The only legal mechanism for this level of visibility is Open Source Software.

3.2. Definitions

Open source is source which can be read, edited, changed, and passed along without fees, restrictions or legal encumbrances. The formal definition of Open Source is available from OSI ( http://www.opensource.org/docs/definition.php). OSI tracks specific legal licenses which meet this definition.

If the source compiles to instructions which create chips (ASIC, masked ROM, PROM, FPGA technologies), it is called hardware definition or design. Open Hardware is the world of shared specifications, shared schematics, VHDL and Verilog models, FPGA designs, etc. Tools and actual designs can be found at: http://opencollector.org/

If the source compiles to instructions which are stored permanently (nanocode, microcode, ROMS, PROMS) or semi-permanently (EEPROMS and EPROMS), it is called firmware. This is the typical treatment of the BIOS (Basic I/O System).

If the source compiles to instructions which are maintained on secondary memory (e.g., flash-cards, hard-drives, EEPROMS) and then copied into primary memory at load time, it is called software. This is the world of OS's (Operating Systems), libraries, services, and user applications (including voting systems).

3.3. What is available?

Even hardware could be open sourced (e.g., with FPGA-based cpu's) but that may not be needed for now. Hard-to-manipulate hardware is available in the form of randomly chosen motherboards.

Open Source Software provides everything else. OSS BIOS's are available. Commodity Linux installations provide development environments which can bootstrap tool chains on new hardware from raw machine code on up. This tackles Thompson's tricky-compiler problem. It also tackles problems in the copy, comparison, and loading mechanisms.

Once you have a trusted environment, you can implement OSS voting software. Reference systems are already available: http://www.openvotingconsortium.org/

Having done that, you can practice (beta test) anywhere and everywhere. PTA meetings, cub scout packs, church groups. Any one who wants to do an election, for any reason, can use the system. No fees, no licenses.

Why is this important? Because all automated systems have bugs and only repeated use in varied settings will flush them to the surface. We can't afford to use our national elections as beta tests of proprietary systems.

Further, this sharing could grow a grassroots understanding of the care and use of the system. It will no longer be something that partly trained poll workers face only once every year or so. One of the crucial lessons from past evoting is that poor precincts had significantly more system failures than richer precincts. State and county officials also responded more rapidly to system outages in the richer precincts. This results in a statistically significant, politically biased disenfranchisement.

4. Why Electronic at all?

If it is that tricky, why use electronics at all? Why not go back to pure paper ballots? This is being done in some places. Bob Terwilliger promised to provide an esitmate of the support staff needed. We might need hundreds of volunteers for Snohomish County, but I think they are available. This issue has galvanized people.

While this seems Luddite, it actually makes sense. Elections are about trust, and perhaps only a personal face-to-face hands-on process can restore trust in the elections at this point.

From http://www.openthecode.com/QA.asp

Make voting day a national holiday, we will all meet in large social gatherings to manually count all our votes. That's right NO MACHINES AT ALL! This would literally put the power of our votes back in the hands of the American citizens, rebuild our sense of citizenship and community and totally remove current corporate control of our votes. And we would save a huge amount of money...and get all our votes counted much faster than 10 days.

5. What can we do?

5.1. Near Term

We need:

  1. Papers trails
  2. Technologically aware poll watchers

In Washington State, we can do paper absentee ballots. This gives a paper trail for recounts, even if the original count is via uncontrolled software. Therefore, the various political groups and meetups are helping each other (and their neighbors) get signed up for absentee ballots.

If you are not registered, fill out the normal voter registration form and check "Yes" for On-going Absentee Ballot. See http://www.secstate.wa.gov/elections/register.aspx

If you are already registered, use On-going Absentee Ballot from: http://www.co.snohomish.wa.us/auditor/AudCommon02-Forms.asp#Election

As for technologically aware poll watchers, I've crossed paths with quite a few concerned newly-politicized computer scientists, programmers, and engineers in local political meetings. Yet they are sometimes unaware of the traditional ways to rig elections (and the safeguards needed). Poll watchers on the other hand tend to be long-time party members who are watchful for traditional frauds but are unaware of the new threats. We need a mix of the two skills.

5.2. Intermediate

Try to get paper trails established, and try to get verifiable software installed. The GOP has successfully stalled long enough to make this difficult, but it is possible. I don't have definitive solutions here, but some avenues are described in:

5.3. Longer term

We need to elect politicians who work toward honest elections.

5.3.1. Federal Level

Rep Holt has taken the lead: http://holt.house.gov/issues2.cfm?id=5996

See: http://www.verifiedvoting.org/legislation/

5.3.2. State Level

Our Sec of State is Sam Reed. He is a Republican. He has not protected Washington voters from unverified voting. It may be time for fresh ideas.

2004-06-02 The Democrats are putting up 2 candidates, who attended the candidates forum at the Everett Library DFA session this evening.

  • Andy Stephenson (http://www.andystephenson.com/). Andy is on this issue, and "gets it". He also gets the patriot act. However, his background is so low key and non-establishment that it will be an uphill battle for his campaign. [Andy dropped out of the race June 25, 2004.]

  • Laura Ruderman (http://www.leg.wa.gov/house/members/d45_2.htm, http://www.laurarudeman.com) She lays on the "I'm a legislator" schtick pretty thick. I don't think that is the issue. Sec of State is an administrative task -- it requires understanding and dedication, not just schmoozing. She's a glib speaker, but she utterly missed the issues on open source. Someone is helping her --- she tried to regurgitate the fake-compile threat from Ken Thompson's Turing Award lecture (http://www.acm.org/classics/sep95/). (That is of course the reason the OSS approach uses commodity silicon and OSS from BIOS up.)

    So maybe my best bet is to find out what her tech gurus really think. If they are pure Microsoft-and-shared-source, then I'll have to expose them as frauds and GOP plants. If they genuinely want verified elections, they'll set that aside and work on real OSS-to-the-silicon.

5.3.3. County Level

Bob Terwilliger is a Democrat. He is required by law to use mechanisms certified by the Sec of State (which he did). He chose and appears to be proud of choosing Sequoia (http://www.sequoiavote.com/mediadetail.php?id=61). However, there are rumors he realizes the unverified voting is a serious problem, and may be amenable to changes.

 
Creator: Harry George
Updated/Created: 2005-07-15