[EM] Why We Shouldn't Count Votes with Machines

Dave Ketchum davek at clarityconnect.com
Thu Aug 14 23:01:45 PDT 2008


On Wed, 13 Aug 2008 22:00:06 -0700 rob brown wrote:
> On Wed, Aug 13, 2008 at 9:16 AM, Kathy Dopp <kathy.dopp at gmail.com> wrote:
> 
>     On Tue, Aug 12, 2008 at 11:28 PM, rob brown <rob at karmatics.com> wrote:
> 
>      >> How?  Do we want an infinite loop of a voter running paper through a
>      >> cheap printer trying to obtain an accurate ballot record and the
>      >> machine refusing to print one while it switches a vote wrongly?  Or do
>      >> we want the voter to be able to cancel the ballot and let the poll
>      >> workers know that he needs a paper ballot instead that he can mark
>      >> himself?
>      >
>      > I'm fine with the latter.  Actually that seems like a reasonable thing to
>      > do.
> 
>     I agree, but that is not happening on all of today's voting systems.
>     Election officials seem to be hopelessly slow to grasp the problem or
>     the solution.

This is a possible place for some new, clear, thinking - the Election 
officials likely couldn't fix this by themselves.

We are in trouble - failures have been proved too often, and there is 
good reason to believe most failures do not even get proved.

Even working correctly, Plurality voting is not adequate.  While there 
are many competing methods, Condorcet is discussed here:
      Ballot is ranked, as is IRV's.
      Plurality voting is permitted, and can satisfy most voters most 
of the time - letting them satisfy their desires with no extra pain 
while getting their votes fully credited.
      Approval voting is likewise accepted, satisfying a few extra voters.
      Fully ranked voting is Condorcet's promise, giving full response 
to those desiring such when desired.

Open source is ESSENTIAL:
      While it encourages quality programming by those who do not want 
to get caught doing otherwise, it also encourages thorough testing by 
the community.
      But, there is a temptation for copying such without paying:
           Perhaps the law should provide a punishment for such.
           Perhaps customers should pay for such code before it
becomes open - and get refunds of such payments if the code, once open,
proves to be unreasonably defective.

The community should be demanding of Congress such support as may help.

While "open source" could be thought of as just the voting program, 
proper thinking includes the hardware, protecting the program against 
whatever destructive forces may exist, and verifying what happens.

Secret ballot is essential.  While the voter should be able to verify the 
vote before submitting such, this is only to verify - goal above is 
election programs that REALLY DO what they promise.
>
>      >
>      >>
>      >>  If so, why not let the voters vote on a paper ballot to
>      >> begin with?
>      >>
>      >> Any ideas?
>      >
>      > Cost?
> 
>     Wrong answer.  Paper ballot optical scan systems are so much more
>     economical than e-ballot systems that if you purchase all-new optical
>     scan systems, the on-going cost savings totally pay for the initial
>     purchase within four years and then begin saving taxpayers lots of
>     monies.  See http://electionmathematics.org and click on Voting
>     Systems for links to cost comparison studies.
> 
>      >
>      > But honestly, the big problem I have with paper ballots filled out by hand
>      > is that they make the transition to a ranked system a lot harder, both in
>      > terms of difficulty filling in the ballot and difficulty counting them.  As
> 
>     That is a good argument against using any ranked ballot systems then
>     since the integrity of e-ballot systems cannot be adequately ensured,
>     given the secret ballot and the difficulty of implementing systems to
>     detect and correct errors with a secret ballot.
> 
> 
> Well here is where you and I differ.  I think if electoral fraud in the 
> US were eliminated, it would be a good thing, but not dramatically 
> change things, any more than eliminating shoplifting would dramatically 
> change our economy.  I do not believe that such fraud changes the 
> outcome of a large percentage of elections, and in those it does, it was 
> pretty close anyway. 

Most elections do not inspire the fraudsters.  The few they care about 
may be near ties, responding to minimum fraudulent effort.

Thus, a few false wins can be big trouble.
> 
> If plurality voting were replaced with a ranked system such as a 
> Condorcet method, I believe it WOULD dramatically change the entire 
> dynamic of politics, in a very, very good way, by nearly eliminating the 
> polarized nature of government due to partisanship.  That is huge, 
> comparatively.

Could be BIG - Plurality NEEDS primaries.  Condorcet does not need 
such, but could not object if parties chose to do them anyway for 
other reasons.

> 
> So my priorities are different.
> 
> Giving up on fixing a huge problem because it makes it more difficult to 
> fix a much smaller problem is not something I can support.
> 
> (and btw, I believe this list is about reforming the voting methods, not 
> so much about fixing security problems.....so if you are willing to 
> abandon all attempts at reform because you don't think you can solve 
> your particular problem as easily on a reformed system, it seems 
> unlikely to fly here)
> 
>     Making the source code for the voting programs open source does not
>     make all the myriad of other programs, drivers, OS, etc on the voting
>     system open source - that could be used to rig the vote.  Also of
>     course election officials do not have the resources to verify software
>     and it would take years to set up systems to verify the software on
>     voting systems *and* require trusted technicians to do so.
> 
> 
> The whole system top to bottom should be open source.  This is not 
> particularly hard....plenty of people run "pure" boxes, on commodity 
> hardware.  The obvious choice for OS would probably be Linux, with 
> FreeBSD being another option.
> 
> The whole point of open source is that if the "officials" don't verify 
> it satisfactorily, someone will.  A security researcher could make 
> themselves famous for discovering something malicious in voting software.
> 
> The only thing that is immune to checking would be the compiler itself, 
> since the compiler needs a compiler to compile itself....but someone 
> would have had to have done something evil (and very, very brilliant) a 
> long time ago to pull that off....good for a sci fi novel anyway, but 
> not so much in the real world.

Compilers do not have to be that complex - since voting programs need 
not be that complex, such as would need a high powered compiler.
> 
>     Well, perhaps 5% of voters would *see* the error (because no fraudster
>     is stupid enough to switch *all* target votes available), but most
>     might think they made a mistake on the first try.
> 
> 
> Then it is a UI problem.
>  
> 
>      > especially if you simply leave it on screen when you print the paper copy.
> 
>     Huh?  Try doing that yourself. I do not know if the summary *screen*
>     version of the ballot appears at the same time as you get a chance to
>     check the paper version of the ballot. I don't think that is
>     necessarily an option you would have.
> 
> 
> What is so hard about that?  The point is, if the UI is designed 
> reasonably well, a large percentage of voters will *know* if the machine 
> is cheating.
>  
> 
>      > And they are going to talk about it.  And the next year, people will be a
>      > lot more likely to notice.
> 
>     If you followed the voting news nationwide like I do, you would know
>     that people have been talking about it a lot since the November 2004
>     presidential election, in particular there was lots of vote switching
>     reported in Ohio.
> 
> 
> Yes but this is different.  This is like going to the store, and having 
> one thing on the cash register and another on the credit card receipt.  
> A store might get away with that for a day or two, but people will catch 
> on quickly, and suddenly word will get out that the store is cheating 
> people, and a larger percentage of people will check, etc.  Most likely 
> though, the store will know they will be out of business soon if they 
> try this on anything more than the tiniest of scales, and just not try it.
> 
> Completely different from what may have happened in Florida or Ohio, 
> where people might suspect something is up, but it isn't blatant and it 
> is hard to know.
> 
>     Anyone could easily switch out any open source or not program that is
>     compiled into machine language during some routine maintenance and no
>     one would know the difference.  Do you really think that election
>     administrators are going to have the funds and that VVV's are going to
>     cooperate to put together a list of all compilers, switches, hardware
>     and firmware versions for every piece of software on their machines so
>     that the versions can be checked after the elections?  
> 
> 
> It isn't that hard, if designed to be done this way.
> 
>     In Utah, the
>     VVV shipped us at least three different versions of the voting system
>     software alone, and who knows how many unique versions of hardware,
>     firmware, drivers, and hardware.  If you believe that these VVs are
>     standardized, you are quite mistaken.
> 
> 
> Then it is a design problem.
>  
> 
>     And which technicians  and programmers do you want the public to
>     *trust* to ensure that all the software on the VV is doing what it
>     should?
> 
> 
> Fact is, you've gotta trust someone, whether it is hand counted, optical 
> read, or whatever.  This is not a new problem.
>  
> 
>      > Most likely though, no one is able to hide such devious stuff in code
>      > visible to security researchers.
> 
>     Yes. Of course with all of today's VV's you can simply take 30 secs to
>     1 min to use any of the easily accessible back doors to simply change
>     the vote counts on the central tabulators, without even installing any
>     malicious software on them at all.
> 
> 
> Then that is a design problem.
>  
> 
>     OK. You don't believe the research.  Any particular reason you are so
>     certain that more than 30% of voters bother to check their paper
>     ballot record?  Any particular reason you think that all the research
>     that shows that deliberately introduced errors in the ballots during
>     tests are only discovered by 30% of those who *try* to find the
>     errors?
> 
>     I.e. I think you had better come up with some facts to show why you
>     believe that all the research is wrong that shows that fewer than 10%
>     of voters are accurately proofing their machine printed ballot
>     records, not just say you don't believe the research which sounds very
>     plausible to me and no one has claimed is wrong up until yourself now.
>      Not even the VVV's or the DRE supporters have attacked this research
>     to my knowledge.
> 
> 
> I don't discount that most people don't check the results.  I do think 
> it's absurd that someone could change a significant number of votes this 
> way without drawing intense attention from the few that notice, and 
> after that a lot more people will notice.  This is emergent phenomena, 
> that is hard for a simple study to directly measure.
> 
> It is like any other security issue, that if people don't think it is a 
> problem they are less likely to be vigilant.  If you live in a town with 
> little burglary, you may not lock your doors.  If burglary starts to be 
> a problem, people lock their doors, install alarms, buy firearms, etc.
> 
> Is it possible that most people today don't check this stuff carefully 
> because they think it is not a huge problem, and that enough other 
> people will be monitoring the system.....and they just might be right?  
> I'm sure you are the type that carefully balances your checkbook to make 
> sure the bank isn't cheating you.  I don't.  I assume there are lots of 
> other people making sure that banks don't regularly steal people's 
> money, and statistically, it's not worth my time to monitor it so closely.
> 
> Same thing here.  By your logic, banks could steal 60% of people's money 
> because only 40% of people balance their checkbooks.  But that is crazy.
> 
>      >> The voter would either think that he must have made a mistake on the
>      >> first try, or complain about his vote being switched.
>      >
>      > Yes, and a lot of people complaining would draw more attention to it, and
>      > more people would start checking.  If it happened on a large scale, the
>      > problem would be tracked down,  and the programmer would be put away for a
>      > long time.
> 
>     And *how* pray tell, would that programmer be *tracked down*?
>      Magic? Voodoo?
> 
> 
> Or....a basic source code control system?
>  
> 
>     So what are YOU suggesting be done if many voters notice that their
>     votes have been switched by DREs during an election? REDO THE ELECTION
>     and hope it doesn't happen again during the second election since no
>     manual audit can recover the accurate vote counts?
> 
> 
> I don't think it would get to that point, at least not on a large scale, 
> for reasons I have pointed out.
> 
>     I'm sorry but I  don't have any time to continue this today. Maybe
>     tomorrow.
> 
> 
> Likewise, I'm out of time for this.  I think I've said my piece.

Perhaps my 2-cents will inspire a response.  I agree, in general, with 
Rob that we have a fixable problem that NEEDS fixing.
> 
> -rob
-- 
  davek at clarityconnect.com    people.clarityconnect.com/webpages3/davek
  Dave Ketchum   108 Halstead Ave, Owego, NY  13827-1708   607-687-5026
            Do to no one what you would not want done to you.
                  If you want peace, work for justice.





