Computer scientists slam e-voting machines

The world's oldest professional society of computer scientists on Monday took aim at electronic voting machines, recommending they not be used in elections unless they provide a physical paper trail.

http://news.zdnet.com/2110-1009_22-5384946.html

I guess half a brain and a conscience.

Its like going to the bank handing your money to the teller and not getting a deposit slip saying i Trust you!

when all the counties nationwide started buying the things like nobody's business???

and have the time to participate in think-tank bullshit.

The CS guys have been complaining about these machines for ages, it's just that the mainstream media doesn't pick it up. It's old news in security circles. Slashdot readers are well familiar with the issue. :)

but I am looking at this from the perspective of someone who worked in county government for 11 years. The decision to approve a large $$$ contract for voting machines would be discussed in public hearing for several weeks, if not longer, and then the commissioners vote on it in a public hearing. I guarantee you, if private citizens with credentials in computer programming had shown up at a commissioner's court session and thrown (controlled) hissy fits about the machines they were about to purchase, the commissioners would take a second or third look.

And if this had happened in numerous counties nationwide, it might have made the news.

And most of the boards would not bother with seeking out professional opinion- that of course, is presented by the vendor.

People have to learn to pay attention. This has been a huge wake up call.

paying attention.

In my particular county, the meetings were held every Tuesday. Agendas were posted online in advance. Minutes were posted online. Even with that, it was rare that someone from the general public would ask to speak, even though they have every right to do so.

I'm just as guilty. Now that I no longer work for that county and live in a different county, I do not pay nearly as much attention to local politics as I used to. So I certainly understand why people don't speak up, I just want them to also understand that is why we get stuck with governmental policy we don't agree with.

Hopefully that wake up call didn't come too late.

.....don't let anyone short change you! :evilgrin:

The Federal government claims the right to audit our income as citizens and tax us accordingly. They demand paper receipts as proof of our honesty. We as citizens demand proof of their authority to make such demands. We want it in the form of paper ballots. It's as simple as that.

You want paper receipts to back up my spreadsheet and I want paper ballots to back up yours! :)

... this hasn't come out earlier. Both organizations are diligently non-partisan and mostly apolitical (ACM more so), but this is really a no-brainer for any decent EDP/IT/MIS professional.

Let's put it this way: I'd never hire an EDP/IT professional who regarded a non-auditable, black-box voting machine as reliable or a responsible design. Hell, MilSpec requirements are far more stringent with far less at stake.

There were explicit auditable logs, as there are in telephony
and banking systems. How they make the leap from auditable
capability as is standard in global MIS, to fly-by-night secret
messaging, i'm sorta shocked.

If people want paper, let them have a bloody print button. That has
been the maxim in my entire CS career... it is suspicious that no
professional body has not spoken up sooner... right on!

... of a balloting system and other business systems is the secret ballot. Formally speaking, it's entirely a question of verification and validation. QA/TQM professionals should know this as "V&V." Without a verifiable attest capability at the audit/review stage, a parallel and forensically examinable record is essential to permanently preserve the anonymized attest of the voter provided at the time of transaction initiation (ballot completion and submission).

My >35-year career has focused on business systems, management control, and audit and operational analysis. I've managed internal audit. I've done outside consulting in operational analysis. I've programmed from the chip level, to the operating systems level, to the systems software level, to the applications software level, to the 'power user' macro level. I've designed and written relational database software before such software was available on the market. I wrote communications software that incorporated functions subsequently embedded at the chip and firmware level when the technology matured. I've performed (led) 9-figure audits (major!) within Fortune 100 companies. I've written mission-critical software that was still operational a decade later with little or no modification. And I've been a "whistle-blower." (sigh)

In my professional opinion, electronic "touch screen" balloting systems are only even marginally acceptable with a hard-copy, voter-validated record - irretrievably unacceptable without one - and a virtual guarantee of electoral disaster when the software is black-box and mutable.

The best (considering both the technical and operational factors) technological base that currently exists for balloting is paper-based optical or "mark-sense" technology. From an operational perspective, even that technology absolutely requires error/fraud detection through manual sample counting, with sample selection based on a 99% confidence interval considering the electoral margin. (Not at all your typical +/-3% MoE @ 95% confidence!) No electronically-tabulated election system result should ever be certified without the completion of such a manual audit count.


On edit: In my opinion as a voter and citizen, no election having an audited result within 'fuzz' (i.e. narrower than the best tabulation accuracy achievable) should ever be certified. Florida's 2000 results should've been declared a 'tie' and Florida's electoral votes voided. If it were a trial, it'd be grounds for a retrial akin to a 'hung jury.' When it's an election, it should be rerun or voided. In the "winner take all" context of a Presidential election, there is no winner so there's no "all" to be taken.

Problem is, we have some officials who think sloppy tolerances are OK.

Besides, they've been promised by The Election Center and vendors that nasty paper would go away.

Some (not all) don't seem to have the grey matter to figure out that democracy goes out the door with the paper.

In large scale finance, with a million or more simultaneous users,
like the VISA network and such, there is plausible security and
fraud is rather minimal considering the scale of deployment. I
am a big fan of technological voting, using telephone keypads and
secure network connectivity.

The common channel systems that service all of north america, have
massive real-time databases that work a charm, considering that
phone calls have a higher reliability than electoral ballot counters.
.. like 4 to 5 nines. (99.99999).

To maintain the secret ballot, make a secure join table that links
"voter" with the "ballot" table. Then use secure SQL on a database
like Sybase Warehouse IQ, and you could, with a dialup front end,
run a nationwide secure, auditable, secret ballot over the phone
lines with voice software.

The join table is then purged after the election, so that there
remains no link between voter and ballot.

I am shocked at the level of accuracy in these voting systems. No
bank could operate with such sloppy systems. Why does the public
get them instead?

I think TN, that it is a dying generation that could build a
computer from scratch from the chips to the application... and a
new generation of technologists are framed in to stratified layers
without ever having done firmware, nor the very high level
multinational system rollouts. Honestly, i see it as a deliberate
form of de-skilling in the profession, as such people are a threat
to businesses that seek to re-define the software profession as
proprietary secrets, rather than mathematical common knowledge.

Building secure, auditable systems is totally passe, to the point
where billion dollar companies that make them like tandem were
absorbed in to the HP/compaq monstrosity without fanfare. Sadly,
the number of people that will know how to design a relational
database system from scratch, with real world experience designing
the actual engines, is reducing to zero as a generation retires.

... of such technologies to achieve a reliable base for electoral processes, I feel I must point out the fatal flaw in making a comparison between existing secure transaction processing functions and the deployment of such functions in balloting.

Existing end-to-end systems share a common (and essential) attribute: The interests at both ends of the system have a common, collaborative interest in ensuring its accuracy and reliability. The same cannot be said of electoral systems. (Just as an example, businesses can devote their attention to 'man-in-the-middle' vulnerabilities, while electoral systems users cannot.)

All manner of error/fraud detection and correction processes exist in concert with current business-oriented systems, not the least of which are autonomous 'reverse channel' feedback loops for post hoc validation and verification at the individual element level, at various levels of the implemented technology. No such discrete feedback loops can exist in an election system and still preserve the secret ballot.

In even examining the viability of current technologies, 'technologists' themselves (particularly the more-recently arrived) are handicapped. The complexities of existing technologies require that those implementing them rely, not upon an in-depth and detailed understanding of the manner in which they're implemented, but upon a mental model of their functional design goals. That mental model corresponds to the reality of such systems in much the same fashion as a map corresponds to a territory. But let's never forget that the map is not the territory!

Such 'maps' are the building blocks of our thinking at various levels of abstraction, and are essential to the massively hierarchical industry-wide development processes for such knowledge workers.

EDP/MIS/IT is almost unique in the history of enterprise in that there is virtually nothing that's tangible and immutable about the materials and components that we work with. We work with and implement shared abstractions that disappear (except in our minds) when the power goes out. Zeros and ones. (Even the 'zero' is a symbolic abstraction, the invention of which is traceable. The Romans didn't even have it.)

One of the reasons I found myself following the career path I did was my life-long fascination with 'edge conditions,' anomalous behaviors, and side-effects of such systems - essentially 'looking behind the curtain' of the abstractions to the more detailed implementations. Belaboring the aforementioned metaphor, I did enough 'map-making' to almost-intuitively incorporate their limitations in my thinking. Indeed, as a programmer, I was nearly always obsessed with program design logic that didn't stop with "Branch if Equal" and "Branch if Unequal," nearly always considering the "Branch if Other." (Some ITers will understand that and chuckle.)


On edit: Tandem 'fault-tolerance' was as much smoke and mirrors as reality, imho. While there are formalisms and principles that can approach a realization of such an ephemeral goal, the essential and unavoidable truth is that even 'fault tolerance' relies wholly on 'fault awareness' embedded in the design and implementation at all levels of such systems. It's a "Murphy-guided" approach: "Whatever can go wrong, will go wrong." It's supplemented by a paranoid-Murphy: "Even that which can't go wrong, will go wrong." Touch-screen systems follow the polar-opposite notion: "No news is good news." (Only a fool assumes that "if it can go right then it will go right.") These systems seem to be obsessed with ignoring and repressing recognition of the potential for any error or fraud. If there's no 'error detection' then there can be no 'error correction.'

There are a lotta devious sorts of fraud that run around stock
exchanges like NYSE. Using financial trickery, orders whilst
appearing legal arriving at superdot or ABS (stock and bond
market electronic exchange links), can be fraudulent, so that
a series of statistical and discrete processes sweep the market's
incoming messages to observe and detect fraud. This is completely
beyond fault tolerance... as the 5 nines are platform anymore and
with proper engineering, even boundary conditions are known.

I once did a job at NASDAQ before the 1986 crash doing capacity
planning for the communications front end systems CQS and MSI (
Certified Quote System... MSI ran SOES (small order execution
system). All space allocations were set to be at twice (2x) the
total capacity ever recorded. Well, come that october, i rang in
to the computer room in connecticut to see how things were going
on that black monday... and it seems that the boundary conditions
that i was ordered to plan to, they were wrong... and the systems
had to be shut down to clear out the queues, causing massive
disruption... lesson... it was not the computers, but the methodology of defining false boundary conditions and using them
as hard ground.

Frankly, i think they should be doing this E-voting thing in special
trials in some places to perfect the technology, progressing it to
scale, as current database technology could easily process every
vote in teh whole nation between a coupla server farms, with
replication server keeping integrity. Then, only after successful
trials at statewide scale, should such systems then be shifted to
replace the organizational/voting systems in place today.

THe systems are only as good as the full human/system organizational
entity... and it seems too much trust is being placed on the hardware
without concept of, as you say, corrupting possibilities accross the
entire meta-system.

I love computer science, in that plato's forms really exist... that
while no chair is exactly the same as any other, the meta-chair that
keeps records of all chairs, can be singular, and itself substantial, (of course given the power-off insubstantiality of
all that is substantial about comptuter science) DU is not much
of a message board with the power out.

I do think that evoting should be linked with e-registration and
passport and drivers license registration, that the country begin
towards an information digital certificate guaranteeing citizen
uniqueness for digital government services. Smart european
governments are already a long way down this path of single
instance recognition of the citizen, as without this step, the
latter bits are built on a pile of sand.

How does one start an E-mail petition?
I have an Idea - but I'm vague on the specifics.

This comming from a computer geek