
August 20, 2007 4:00 AM PDT

E-voting predicament: Not-so-secret ballots


(continued from previous page)

Of course, the correlation may not be perfect. If Voter No. 1 signs in but gives his space in line to Voter No. 2 who's in a hurry, a reconstruction of the votes based on public records will incorrectly identify their votes.

Having multiple machines and multiple lines can also create a randomization effect, but Moyer says that in his experience as a poll worker there's only one line that feeds into multiple machines. In addition, he says, poll workers log the voter into the ES&S iVotronic, which starts the time-stamped entries and means there's no additional randomization of voters taking different amounts of time to start the process.

A uniquely Ohio problem?
Even though other states do use the ES&S iVotronic paper trails, they don't necessarily make them available for public perusal.

Natasha Naragon, a spokeswoman for the Arkansas secretary of state, said she knew of no way to disable the time stamps on the voting machines' printed output. But, she said, "our law does not allow for public access to our voted ballots" and said they remain sealed unless there's a recount.

Iowa's procedures seem designed precisely to avoid the Ohio situation. "Iowa has an administrative rule, because the paper trail is in voter sequence, that prohibits providing to any of the bodies that have access to the paper rolls any information that would allow them to link individual ballots on paper roll to the voters," said Sandy Steinbach, the state's director of elections.

Computer scientists and security experts say restricting the public's access to e-voting paper trails by tinkering with open records laws is insufficient--it doesn't protect against, for instance, an insider perusing the ballots and reconstructing them.

They do say paper trails are necessary to provide a physical check on what could be a buggy or maliciously programmed machine. But they offer three suggestions: deleting the time stamp, not keeping a list showing in which order people vote, and adding a paper slicer and shuffler to randomize how the physical audit trail is recorded.

Lorrie Cranor, director of the Usable Privacy and Security Laboratory at Carnegie Mellon University, says that "you need to have mixing either in the recording of the orders of the voters or the votes, or preferably both."

"Audit trails are really important, but so is privacy," she said. "Many of the vendors of (e-voting machines) have actually put ID numbers on the paper records, which also could be used to reconstruct which voter is associated with a vote."
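To make the linkage problem and the "mixing" remedy concrete, here is a small simulation. It is an added example written for this page, not code from the article, from ThePublicBallot.org or from any vendor; the precinct, voter ids, votes and queue behaviour are all synthetic. It lines up a sequential sign-in record against a sequential paper record position by position, shows what happens when some voters let the next person go ahead (the Voter No. 1 / Voter No. 2 case), and shows what shuffling the paper record before it is numbered does to the result.

```python
"""Constructed simulation of a sequential poll book vs. a sequential paper
record (added example; not from the article or ThePublicBallot.org)."""
import random

CANDIDATES = ("A", "B")


def run_precinct(n_voters, swap_rate, seed, mix=False):
    """Simulate one precinct with a single line feeding the machines.

    Returns (true_votes, sign_in, trail):
      true_votes: hidden voter id -> choice (ground truth, never public)
      sign_in:    public poll book, voter ids in sign-in order
      trail:      public paper record, (sequence_no, choice) per ballot
    swap_rate is the chance that a voter yields their place to the next one.
    With mix=True the ballots are shuffled before sequence numbers are
    assigned, so the record no longer carries the casting order.
    """
    rng = random.Random(seed)
    sign_in = list(range(n_voters))
    true_votes = {v: rng.choice(CANDIDATES) for v in sign_in}
    cast_order = sign_in[:]
    i = 0
    while i < n_voters - 1:
        if rng.random() < swap_rate:      # voter i lets voter i+1 go ahead
            cast_order[i], cast_order[i + 1] = cast_order[i + 1], cast_order[i]
            i += 2
        else:
            i += 1
    choices = [true_votes[v] for v in cast_order]
    if mix:
        rng.shuffle(choices)              # the mitigation: mix the record
    trail = list(enumerate(choices))
    return true_votes, sign_in, trail


def naive_reconstruct(sign_in, trail):
    """Assume the k-th sign-in owns the k-th ballot on the roll."""
    return {v: choice for v, (_, choice) in zip(sign_in, trail)}


def windowed_reconstruct(sign_in, trail, window=1):
    """Assign a vote only when every ballot within +/-window positions
    agrees, so a small local reordering of the queue cannot change it."""
    choices = [c for _, c in trail]
    guesses = {}
    for k, v in enumerate(sign_in):
        lo, hi = max(0, k - window), min(len(choices), k + window + 1)
        if len(set(choices[lo:hi])) == 1:
            guesses[v] = choices[k]
    return guesses


def score(true_votes, guesses):
    """(coverage, accuracy): share of voters assigned a vote, and share of
    those assignments that are actually correct."""
    if not guesses:
        return 0.0, 0.0
    hits = sum(1 for v, c in guesses.items() if true_votes[v] == c)
    return len(guesses) / len(true_votes), hits / len(guesses)


if __name__ == "__main__":
    for swap, mix in ((0.0, False), (0.3, False), (0.3, True)):
        truth, book, roll = run_precinct(2000, swap, seed=7, mix=mix)
        print(f"swap={swap} mix={mix}",
              "naive:", score(truth, naive_reconstruct(book, roll)),
              "windowed:", score(truth, windowed_reconstruct(book, roll)))
```

Two things the run makes visible. First, queue reordering alone is weak protection: with adjacent swaps, the windowed reconstruction is still right every time it commits to an answer, because a voter's ballot can only have moved one position. Second, once the record is mixed, both reconstructions fall to chance (about 50% with two candidates), which is why Cranor asks for mixing in the record rather than relying on disorder in the line. Deleting the time stamp is not modelled separately here because a continuous roll is ordered whether or not each entry carries a time.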

Moyer and Cropcho have posted a summary of their findings on their Web site, ThePublicBallot.org.

For its part, ES&S claims that printing out time stamps is recommended by standards adopted in 2002 by the Federal Election Commission.

ES&S spokeswoman Friedman-Wilson pointed to two sections of the standards, one of which says "all audit record entries shall include the time-and-date stamp." The other says error messages, critical system status messages, and a record of a voter "activating and casting each ballot" should be part of the audit log. (It does not, however, explicitly mandate that the outcome of the vote be printed.)

"Because the voter verifiable paper audit trail is one element of the audit function of a voting unit, one could interpret these guidelines as requiring the time stamp have citations within the guidelines," Friedman-Wilson said in an e-mail message.

Johnnie McLean, the deputy director of the North Carolina Board of Elections, said: "Our public records laws don't include that paper record. A voted ballot is considered confidential." In West Virginia, secretary of state spokesman Ben Beakes said: "There would be no way to match the time with the voter because in our poll book system, all you would find is an alphabetical list of the people they voted, not the time they came into the polling place."

Ohio, by contrast, may be unique. "It's my understanding from our legal staff that a public document consists of anything that is in the public domain," said Gallaway, the secretary of state's communications director. "I think that both of those (the time-ordered poll books and the time-stamped paper trail) would be considered that."

That has left computer scientists, already alarmed about the security of e-voting machines, dismayed at the interaction between time stamps and Ohio laws. "Security and privacy and the integrity of the voting system depend not only on the technology, but also on the procedures and the combination of the two," said Stanford's Dill. "This is a case where the combination of technology and procedures are working together to create a privacy threat."

CNET News.com's Anne Broache contributed to this report.


22 comments
Ohio voting not so secret
by elhs August 20, 2007 8:42 AM PDT
Assumption is flawed, with multiple voting machines and time taken to vote differences, matching sign in records to time stamped records doesn't provide proof of that individual's vote.
But...
by WDS2 August 20, 2007 10:03 AM PDT
"...with multiple voting machines and time taken to vote differences, matching sign in records to time stamped records doesn't provide proof of that individual's vote."

It doesn't NECESSARILY prove but it COULD. If you looked when the polls weren't busy you might be able to correlate 100% the person to the vote.

In any case even the vendor saw that this could be a problem.
actually
by declan00 August 20, 2007 10:50 AM PDT
Did you actually read the full story, or just the first paragraph or two?

See this excerpt:

Of course, the correlation may not be perfect. If Voter No. 1 signs in but gives his space in line to Voter No. 2 who's in a hurry, a reconstruction of the votes based on public records will incorrectly identify their votes.

Having multiple machines and multiple lines can also create a randomization effect, but Moyer says that in his experience as a poll worker there's only one line that feeds into multiple machines. In addition, he says, poll workers log the voter into the ES&S iVotronic, which starts the time-stamped entries and means there's no additional randomization of voters taking different amounts of time to start the process.
don't make excuses
by Thrudheim August 20, 2007 10:56 AM PDT
You are likely right when it comes to very busy polling stations at busy times of the day, but one should NEVER be able to figure out how ANYBODY voted, ever. The ability to cast a secret ballot is at the core of our system of elections. As this study shows, the votes of particular people were able to be identified.

The system is flawed. All kinds of academic experts have been talking about this for years, but they were ignored.
Don't record voter sign in times, Ohio, shame on you!
by stlwest August 20, 2007 11:49 AM PDT
Either change the law so this is not public information or change the system so voter sign in times are not recorded, only the date and an affirmation that they signed in while the polling place was open. If worried about insider records then the latter solution is most viable.
Ballots subject to Open records
by Claudia Kuhns August 20, 2007 12:40 PM PDT
Colorado ballots are subject to the Colorado Open Records Act so the same situation could happen in Colorado. The county clerk's association tried to change this law in the last legislative session, but were defeated by election integrity activists. The solution is getting rid of DREs. They are not good for democracy. There are other solutions for voters with disabilities.
Concerned?
by georgiarat August 20, 2007 1:39 PM PDT
You should be but also should be concerned that the unions in Ohio also want to destroy a secret ballot for union elections. If the unions can tell how their members are voting in elections god help us....
Only partially valid
by Razzl August 20, 2007 3:13 PM PDT
I agree that it would be very difficult to make valid identifications of how individual voters voted. In a circumstance where voters are entering and exiting quickly, you would only be entitled to make that identification if all of the nearby timestamps voted the same way, because the voter was part of that sequence; or, if there's a big gap in time between voters, that would also allow you to assign where the voter is in the sequence with confidence. And knowing party affiliation would provide a clue to unraveling the order in certain sequences.

Still, this isn't what should happen and should be fixed...
A potential answer
by chash360 August 20, 2007 3:35 PM PDT
Issue random and unique numbered voter memory cards that actually store the vote you make on them (but do not in any way have any personally identifiable info on them). Voters can sign in presenting only their valid ID (not the voting card). Make and record their votes. Each vote has a randomly generated unique number, that combined with the random-unique number of the card creates a recorded vote stored on the card, and to the voting machine. Then, and here's the cool part, after polls close, votes are verified, by voters comparing their vote recorded on the card (under write protection), with the vote recorded at the poll, through an anonymous connection. At no time is the card identifiable to a person ever, and the system cannot be tampered with since you retain a copy of the vote that must be verified afterwards. Distribution of the cards should be at random (drawn from a bucket, bin, etc.) providing only valid registered voter ID (at the DMV in my state) or at the polling place. With proper encoding the system can preserve complete privacy, and provide a level of trust that e-voting today cannot.
P.S.
by chash360 August 20, 2007 3:39 PM PDT
The cards should have a built-in write protect, access pin number, and erase function such that it prevents snooping of the card if you do happen to trace it to someone.
Good general idea.
by RPWill August 25, 2007 12:27 PM PDT
Something along these general lines would be good.

However, the voter must never be able to "read" their vote off the card because this would facilitate vote selling ("If you vote X and show me you did so, I'll give you $10") and coercion (such as one dominant spouse "urging" the other to vote a particular way and expecting verification that they did so). Also, techniques involving rarely used physical tokens are difficult to administer because they would get misplaced and have to be reissued -- which is cumbersome and costly (and charging for the 100th replacement for an absent-minded person would probably be construed as an illegal "poll tax").

A properly traceable system needs to have a way to verify that a particular vote was recorded correctly. In some areas, your "voter receipt" (torn off the ballot) could be used to verify that your ballot was recorded correctly - but it's just your word that you didn't actually punch out both candidates for one office (i.e., invalidating the vote by "overvoting") and that someone else must have done so later.

I believe there are schemes that would leverage technology to solve these problems.

One such scheme might be to provide the voter with a paper receipt containing an encrypted representation of their vote as well as a unique (but randomly generated) identification "vote id", and a random bit of key material. The encrypted representation would be stored along with the vote in the voting system EXCEPT that the randomly generated key would not be stored. The encryption key (simplistically here - the actual implementation would be more complicated but the inclusion of all this key material is the point) would include a voter supplied portion (this material would be provided by the voter at the time of voting - they must remember it if they want to challenge how their vote was counted), a randomly generated key (not stored, but displayed on the receipt in cleartext), additional key material would be from a public key of each member of an M member non-partisan panel - probably composed in part of judges. The encryption would be done in such a way that N of the M (where N<M) panel members' private keys would also be required to decrypt the vote (this is one area my description is simplistic - there might be a bunch of session keys and what not to support this).

If a voter wanted to verify/prove that their vote was/was not counted correctly, they would make a request to examine their recorded vote. The examination would take place at a secure facility using a secure system. The examination would require the voter (and the key they entered when voting), their receipt (containing the unique id for this "vote instance" as well as the randomly generated key saved only on the receipt), and "N" of the panel members present to enter their private key material. The secure system would scan the receipt, take all the provided key material, and look up the vote (by "vote id") in the database, verify that the stored encrypted vote matched that on the receipt (helping validate that the receipt IS a real rather than forged receipt), and then reveal the recorded vote to the voter in a secure shielded area with NO ONE ELSE in the secure area (disabled individuals would be accommodated by having a randomly selected trusted person - perhaps a judge - available to assist the voter by reading the vote etc). If the votes don't match, and the voter wishes to pursue the mismatch, there would be a process to examine the source of the discrepancy (this would probably require that the voter reveal their key to a trusted group of investigators).

With a little additional effort (probably using a one way hash of the encrypted vote? - I would need to think this part through a bit more) it should be possible for a voter to verify via a public web site that their vote was actually recorded (but, of course, not how it was recorded). Obviously the system which serves this web site would be working ONLY with one-way hashes of encrypted stuff extracted from the underlying (secure!) database. This would allow voters to verify their vote was cast and, coupled with the count of votes and voters, make it impractical to "insert" or "delete" votes.

Of course, all the software and the hardware design (but, of course, none of the embedded private validation keys etc.) used in this system should be available for all to examine and all of it should have verification built into the lowest levels (starting with hashing/encryption embedded on a difficult to modify chip and with high levels of hardware integration). Without this public review, the system could not be trusted.

This could perhaps be made more secure by including some biometric information to give three factor authentication for the "vote revealing" process (what I know [my key], what I have [my receipt], is this MY receipt [biometric match]) - but gathering and storage of such information is likely to be unacceptable and the benefit seems sufficiently small to be outweighed by the privacy concerns.
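The receipt scheme sketched in the comment above can be tried out in a few dozen lines. The following is an added example, not the commenter's code, and it simplifies the design in two labelled ways: the M-member panel holds one symmetric election key that is split with Shamir secret sharing so that any N of M shares recover it (standing in for the per-member public keys the comment mentions), and a SHA-256 keystream with an HMAC tag stands in for a real authenticated cipher. The voter-supplied secret, the random key printed on the receipt, and the panel key are all folded into the encryption key, so none of the three parties can open a vote alone; the public bulletin of one-way hashes is the comment's "was my vote recorded" check. Everything here (vote ids, keys, the in-memory database) is constructed for illustration.

```python
"""Toy escrowed-receipt scheme (added example; not the commenter's code).
Assumptions: one symmetric panel key split N-of-M with Shamir sharing, and a
hash-based stream cipher plus HMAC in place of a real authenticated cipher."""
import hashlib
import hmac
import secrets

P = 2**127 - 1          # Mersenne prime; the panel key is an element of GF(P)


def split_secret(secret, n, m):
    """Shamir split: any n of the m returned (x, y) shares recover secret < P."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(n - 1)]
    shares = []
    for x in range(1, m + 1):
        y = 0
        for c in reversed(coeffs):      # Horner evaluation of the polynomial
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def derive_key(voter_secret, receipt_key, panel_key):
    """All three contributions are required, as in the comment's design."""
    material = b"vote-key|" + voter_secret + b"|" + receipt_key + b"|" \
        + panel_key.to_bytes(16, "big")
    return hashlib.sha256(material).digest()


def _keystream(key, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: XOR with a hash keystream, then append an HMAC tag."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def open_sealed(key, record):
    ct, tag = record[:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("key material does not match this record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def cast_vote(vote, voter_secret, panel_key, db):
    """Store the sealed vote under a random vote id; hand back the receipt.
    The receipt carries the random key that is NOT stored in the database."""
    vote_id = secrets.token_hex(8)
    receipt_key = secrets.token_bytes(16)
    record = seal(derive_key(voter_secret, receipt_key, panel_key), vote.encode())
    db[vote_id] = record
    return {"vote_id": vote_id, "receipt_key": receipt_key, "record": record}


def examine_vote(receipt, voter_secret, panel_shares, db):
    """The secure-facility step: check the receipt against the database, then
    open the record with the voter's secret, the receipt key and N panel shares."""
    stored = db.get(receipt["vote_id"])
    if stored is None or stored != receipt["record"]:
        raise ValueError("receipt does not match any stored record")
    key = derive_key(voter_secret, receipt["receipt_key"],
                     recover_secret(panel_shares))
    return open_sealed(key, stored).decode()


def public_bulletin(db):
    """One-way hashes of the sealed records, safe to publish on a web site."""
    return {hashlib.sha256(r).hexdigest() for r in db.values()}


def was_recorded(receipt, bulletin):
    return hashlib.sha256(receipt["record"]).hexdigest() in bulletin


if __name__ == "__main__":
    panel_key = secrets.randbelow(P)
    shares = split_secret(panel_key, 3, 5)          # any 3 of 5 judges
    votes = {}
    receipt = cast_vote("candidate A", b"my passphrase", panel_key, votes)
    print(was_recorded(receipt, public_bulletin(votes)))
    print(examine_vote(receipt, b"my passphrase", shares[:3], votes))
```

Note what the bulletin does and does not reveal: a hash of the sealed record lets a voter confirm presence, but since the sealing key includes a random receipt key that is never stored, a published hash cannot be walked back to a candidate by trial encryption. A wrong voter secret, a wrong set of panel shares or a tampered database record all fail the HMAC check rather than yielding a plausible-looking vote.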
this is bunkum
by dnysuperstarnumberone August 21, 2007 12:31 AM PDT
The critic of this theory was right - the FIRST PERSON who spends any time loitering between sign-in and time of vote cast will throw off the ENTIRE REST of the list, and there is no way to tell whether that person loitered long enough to offset the count by one or two or a dozen. The list will again be offset by each subsequent loiterer. So basically, the first X% will match up, but X won't be higher than 10 I'd say.

However, if they were able to get copies of video surveillance film from any public/private security cameras used in the larger settings...
The sign-in log doesn't matter
by jesup August 21, 2007 4:33 AM PDT
This affects a lot more states than Ohio, as any good security analyst would tell you. The date-ordered poll log (available on request) merely makes it easier to match them after-the-fact. Anyone who wants to know how people vote merely has to watch and record the order/time of voter sign-ins. And guess what - most states have people from each party there, and in many states they record all the voters separately already. (Pennsylvania is an example.)

This is also why roll-based paper trails are badly flawed. Even scanned-paper ballots need to be handled carefully - the order of votes needs to not be recorded electronically (just the total), and when the voting boxes that hold the scanned ballots are opened, the (nicely stacked) ballots in the box need to be randomized. (Note that simply "cutting" the stack is probably enough.)
What Did You Expect?
by The Die Hard August 21, 2007 4:42 AM PDT
Look up the history of ESS / Diebold. The brother companies were started by wealthy partisan BushDick contributors, are run by wealthy partisan BushDick contributors, were forced on the voters (via that nonsensical BushDick partisan "Help America Vote Act" after the piecemeal debacle they pulled off in 2000) with the sole purpose of flipping votes from D to R, and made millions for the few while disenfranchising the many. The SINGLE AND ONLY solution is to send ALL the DREs back, demand a refund, and go back to the mark-on-paper standard ballot that first-graders use to advance to second grade. If the BushDicks claim they can't get optical scanners in place before the primaries, point out that they can always borrow them from the schools for a day.

Nor is the "disabled" diversion anything more than a ploy. Disabled people need assistance to vote regardless of which system is used.

Dump the DREs. NOW. And if your county is still run by BushDicks, you can make sure your ballot has a paper record by voting absentee ahead of time.
Which way do you want it?
by dakiwiboid August 21, 2007 8:32 AM PDT
Do people really want a verifiable paper trail, or don't they? These spools are verifiable and verified. Each voter sees his or her vote actually register on the spool (which is something of an improvement over most other methods). The spools are also not hackable, which should also be an improvement over the memory cards that all of you folks keep complaining about.

In Missouri's St. Louis County, when we have to remove a paper spool, each one is initialed by the two assistant supervisors and supervisors, and the next one is inserted under their supervision as well. I don't know if it's done by a bi-partisan team in Ohio, but it's definitely done by one in Missouri. (We'd have more than two parties present here if the legislature changed the law, but at the moment it's only Democrats and Republicans.)

As for reconstructing how the voters voted, are they really only using one machine per polling place in Ohio? In St. Louis County, we've had three machines at the polling places where I've worked, and the voters go to them in random order. I don't think it'd be particularly easy to match them up to the voting rolls, which do not show the time the voter came in to vote. In a brisk election, I don't think I'd want to try that experiment.

During a very slow election, such as the last one I worked, you might have been able to figure out how the election was going just from the banter of the voters as they walked out the door. We could have given you a pretty close to 80% accurate guess about the ballot initiative's chance of success if we weren't sworn not to reveal the outcome of the election, even in jest.

And "observers in the polling place"? Most polling places in Missouri are in public schools. Do you think that you're going to get away with hanging around a school all day without the principal getting suspicious? They don't mind election officials. They actually like having us around, I suspect, because it gives them a chance to work elections into the syllabus, but I don't think that anyone other than an official poll watcher or challenger would get a chance to hang out at the polls all day.
A common misconception
by JimCropcho August 21, 2007 2:54 PM PDT
As data analyst for the project, I've posted a link on our blog to answers to this and other common misconceptions at

http://www.thepublicballot.org/2007/8/21/two-common-misconceptions
Common Sense
by wbenton August 22, 2007 6:52 AM PDT
Without a paper trail... it's impossible to determine whether a voter has voted only once or twice or how many times.

Duuuuhhhhhhh..... (* CHUCKLE *)

So where is the story? Or has common sense... or perhaps "lack there of"... become the story? (* GRIN *)

Walt
Well Designed
by RedlumJak August 22, 2007 9:35 AM PDT
It's possible to set up a system that makes sure someone only votes once while preserving their privacy. For example, if the poll workers check people off a list of valid voters as they come in, then it's not possible to reconstruct when they came in later from that public record.

Someone could still sit and write it down though. Which is why the ballots should be separate pieces of paper (not a paper roll) and they should not have sequential serial numbers.
It's worse than reported.
by AlKolwicz August 22, 2007 6:55 AM PDT
The secret ballot issues raised by Moyer and Cropcho http://www.thepublicballot.org/ won't be solved until the toilet-paper rolls used to sequentially record voter activity are eliminated.

As a Colorado poll watcher, I have the right to record the names of people who vote. By observing the sequence in which they use a specific DRE, I know the sequence of their (supposed) votes recorded on the VVPAT. Access to the roll means access to their "ballot". The canvass board and election officials have legal access to the roll.

NO!, I do not trust the officials. Not because they are evil, but because the protection of a secret ballot is sacrosanct. If any pathway to retrieving a specific voter's ballot exists, it might be used: (1) by the court, or (2) for political purposes by a partisan official, or (3) to create a "threat of disclosure" needed by vote-buyers and voter-intimidators to suggest that they can know a voter's selections.

Furthermore, HART Intercivic suffers not only the problem described above, but also uniquely identifies every PAPER and VVPAT ballot with a unique, NON-REMOVABLE, serial number and barcode. Voters can make a record of this serial number on their ballot and use it to later identify their specific ballot. Consequently, the market for vote-selling is facilitated and the opportunity for voter intimidation is supported.

The arrogance of vendors who trample on our right to use a secret ballot must be punished by immediately forcing them to meet our requirements for "privately voted anonymous ballots".

Al

Al Kolwicz
Colorado Voter Group
2867 Tincup Circle
Boulder, CO 80305
303-494-1540
AlKolwicz@qwest.net
www.AlKolwicz.net
www.coloradovotergroup.blogspot.com
Not True Everywhere
by towa1 August 22, 2007 9:59 AM PDT
I'm a poll worker in Stark County, Ohio. We have to provide a list of people who voted, and that's it. The paper trail is secured in a canister and no one has access to that.

The voter list is public because a politician can call the people who haven't voted and remind them to vote.

Matt
A simple solution.....
by beschoot August 22, 2007 10:15 AM PDT
At the next election simply record the time all our elected officials vote and then make their votes public. This will solve the problem in short order.
Absentee
by fooooot September 7, 2007 7:16 PM PDT
Simply become an absentee voter and bypass the whole problem.