Saturday, May 20, 2006


Vote or Die...bold

Warning: Very long post today.
A little over a week ago, the Washington Post reported on some security issues with the Diebold computerized voting machines. Not that this is anything new; the whole Diebold thing has been a disaster from the beginning.

But back in December 2003, a friend sent me a missive that one of the liberal mailing lists was sending around, and asked my opinion, as an Official Computer Guy, on what they say. Here's an updated/edited version of my reply, edited for invective and for length, though it'll still be pretty long. I suspect this'll prompt comments both from fellow Computer Guys and from the "computer-based voting is evil" crowd (though considering that I have something like 20 regular readers here — this isn't Pharyngula — I think the damage will be controlled).


Subject: The Threat From Computerized Voting Machines
I'll start by saying that this sort of hype puts me off, and might have prompted me to toss the message, unread, had you not been the one to send it. It won't do to criticize the "other side" for exaggeratedly dire warnings of "threats", when the "good guys" do the same.

We start with a principle so obvious it seems strange even to write it: For a democracy to work, the people must believe that balloting is conducted fairly and votes are counted accurately.
Yes, clearly; that's the main thing that the 2000 thing did to us — it shook that belief. We'll get back to this later, but remember that the operative word here is "believe".

type of touch screen computerized voting machine. These machines register votes on a memory chip and then digitally transmit the results via telephone modem to election headquarters.
Hm, well, an oversimplification — and one that the message plays on later to take advantage of the fear of "chips" and "digital" and such.

We can only hope that neither glitches nor tampering will change or erase any of our votes. We all know that computers sometimes crash and lose data. Power cords get pulled out of the wall. And what better trophy for a hacker—or overzealous campaign worker—than to skew the outcome of the actual election?
OK, so here's where I have a lot to say, because this is entirely alarmist hype. So let's start by putting some things into perspective and removing the hype:

First, we always have to start with a system that we believe is well designed, well implemented, and thoroughly reviewed. We accept the New York voting machines for that reason: you don't see what happens when you push a lever, and you simply "trust" that pushing the lever marked, say, "Gore" doesn't actually register a vote for "Bush", doesn't randomly ignore you and do nothing, or any such — because we believe that these machines work as advertised, have been properly designed, constructed, and checked. So let's assume for the moment (we'll get back to this point later) that the computer programs and hardware involved here are similarly well designed, constructed, and checked.

We all know that computers sometimes crash and lose data.
Yes, and if Man were meant to fly, he'd have wings. This is perhaps the biggest fallacy of the Computer Age. We've had fail-safe technology for data for at least 30 years. No, you don't have it on your computer, because it's not worth the expense to you to have it. So you rely on backups. But even with that, you can see how it works: you make copies of the data periodically. If you lose one copy, you have another to get it from. If you lose both copies, or if you don't make backups frequently enough, then you lose data. A system with critical data, such as, say, a bank (we aren't afraid of having banks keep their records of our money in computers, are we? I hope not, because they all do) simply makes multiple copies in real time. If a computer crashes, or someone pulls the plug, we at most lose the transaction that was in process at the time. Once the transaction is complete and acknowledged — once the vote is accepted and the voter leaves the booth — the data are safe from loss due to computer failure.

Boxes of paper ballots can (and do) get lost in transit. Fires happen. Suppose there's a fire in the room where thousands of uncounted ballots are being kept. Would we not "lose data" there? Unlikely? Well, yes, but far more likely than data loss in a well-designed computer voting system. In fact, the computer system has enormous advantages in this regard. Rather than one paper ballot that could be lost or damaged, or one voting machine that could be damaged and lose all the votes that haven't yet been unloaded, the computer would make several simultaneous copies in different places. Perhaps (and this isn't fully thought out, so it's just an example of how it might work) there'd be one copy on the computer's hard drive, one on removable media that a worker would remove and take elsewhere hourly, and one or more sent by (private! [more on that soon]) network to a central counting point. Loss of any one, or even two of these wouldn't lose the votes. Further, all three could be counted instantly (not so with paper) and cross-checked, to verify that they match.

Data loss is simply not a real issue. It's possible, surely, but the possibility is minuscule, and is far less than with any voting system we've had before.

Accuracy of ballots is also better with a proper computer-voting system. With a paper ballot, one can place extra votes that invalidate the ballot. One can fail to vote on something one meant to vote on. Voting machines prevent the former, but still allow the latter (note the state "questions" on the recent NY ballot, where half the voters appear to have neglected them). The computer can prevent a voter from placing an invalid ballot, and can also warn the voter, when she makes to finalize the ballot, that she has left some items unvoted. If she wants, she may still leave them blank, but if she's forgotten or neglected them, there's an opportunity to fix that, which she didn't have with other voting systems.

Further, it now becomes easy to increase ballot fairness by, for instance, presenting the candidates or the parties in random order, which differs each time the machine is used, smoothing out the "first listed" advantage. It allows more flexibility in ballot design (it's not just a list of names and levers, it's easier to show how things line up and are related); candidates' photos can be included, if we want; bios and candidates' statements can be readily accessible if we think that's a good idea (I do).

Now there's the issue of tampering. I'll first note that the current system allows tampering, and we rely solely on the honesty of the people at the polling places and of the people counting the ballots. Ballot-stuffing would actually be quite easy, and could only be detected if there were a reason to check. It would also be easy for a worker simply to "lose" a box of ballots from a largely Democrat district, say, and what would we do? We'd just say "Oh, well."

With a computer system, we'd have, instantaneously, multiple, separated copies of each ballot, with separate real-time counts in multiple places. That's a lot harder to tamper with. That's nearly impossible to "lose". And critical data can be electronically signed to detect tampering (electronic signatures don't just identify the "signer", but also tell you if the data that's "signed" has been altered afterward), just in case.

Hacking (or "cracking", as we prefer to call it): Now we're starting to get into the "well designed and implemented" part. First, as I said about the network that we'd transmit the data on: private. This stuff would not go on a public network, such as the Internet. Not now, and not in the foreseeable future. Further, the data would be encrypted and signed, preventing snooping and tampering. With multiple copies, if tampering is detected on one copy, we can invalidate that copy and use another. I suggested three copies before; I could just as well have suggested six. Or ten. How many would we want to have in order to assure ourselves that the possibility of someone's tampering with all of them would be vanishingly small?
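To make the replicate-and-sign idea concrete (the several simultaneous copies that are cross-checked, and the signatures that reveal an altered copy so it can be discarded in favour of another), here is an added example that is not from the original post or from any voting-system vendor. It uses an HMAC with a constructed key as a stand-in for the post's "electronic signature", and the ballot records and choices are constructed sample data.

```python
import hashlib
import hmac
import json
from collections import Counter

# Constructed demo key. An HMAC stands in for the post's "electronic signature";
# a real system would use an asymmetric signature, but tamper detection works alike.
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"

def canonical(record: dict) -> bytes:
    """Deterministic serialization: same ballot -> same bytes -> same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def sign(record: dict, key: bytes = SIGNING_KEY) -> str:
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def verify(entry: dict, key: bytes = SIGNING_KEY) -> bool:
    """Recompute the tag over the stored record and compare in constant time."""
    return hmac.compare_digest(sign(entry["record"], key), entry["sig"])

def cast_ballot(copies: list, ballot_id: int, choice: str) -> None:
    """Once the voter finalizes, write the signed record to every copy at once
    (hard drive, removable media, central tally). Each copy gets its own dict,
    so altering one copy cannot touch the others."""
    record = {"ballot_id": ballot_id, "choice": choice}
    tag = sign(record)
    for copy in copies:
        copy.append({"record": dict(record), "sig": tag})

def tally_copy(copy: list):
    """Verify every record in one copy; one bad signature discredits the
    whole copy (None) rather than just that record."""
    if not all(verify(entry) for entry in copy):
        return None
    return Counter(entry["record"]["choice"] for entry in copy)

def reconcile(copies: list) -> tuple:
    """Cross-check the copies: drop any with a tampered record, then require
    the survivors to agree. Returns (tally, indexes of rejected copies)."""
    tallies = [tally_copy(copy) for copy in copies]
    rejected = [i for i, t in enumerate(tallies) if t is None]
    valid = [t for t in tallies if t is not None]
    if not valid:
        raise ValueError("no trustworthy copy survives; manual audit required")
    if any(t != valid[0] for t in valid[1:]):
        raise ValueError("surviving copies disagree; manual audit required")
    return dict(valid[0]), rejected
```

A copy that merely lost a record (all signatures still valid) is caught by the agreement check rather than the signature check, which is why both are needed.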

The computer system that runs this stuff would not be Windows (didn't we see the Blue Screen of Death on one of the Metrocard machines?). Nor Linux (though my guess is that that's the starting point for now). Nor.... It would be a specially designed system that has been designed from the ground up as a voting-machine system, that has been carefully implemented and tested, and that has been checked and rechecked by independent groups of experts. Just as our voting machines are today. There's no reason this couldn't be safer and more secure than the voting systems we have now, if it's done properly.

Now, that's "if it's done properly". It must not be rushed, and the validation of the system must not be shortcut — that is where the danger lies. A computer voting system can and should be better than anything we have now, but it could also be full of holes if we roll it out without taking the same sorts of precautions we'd take in rolling out mechanical voting machines, or even a paper voting-and-counting system.

Now, all that said:

There is a simple solution to these problems. The California Secretary of State has ordered that these new computerized voting machines print out a paper copy of your vote for your approval before the vote is registered. These printouts would then be saved in case the machines malfunction or there is any question as to whether or not they have been tampered with.
Of course we should do this! Why on Earth should we not? Of course we should do it, and anyone who thinks it's a bad idea might be suspected of having some nefarious agenda. It is always a good idea to have more data, to have a way of validating and cross-checking what we have. If it's good for the computer to make three copies on the network, two on RAID-array hard drives, and two on removable media, then it's good also for it to make a paper copy, and, further, to allow the voter to look at that paper copy just to be sure.

We have two things working here. One is simply having the paper as another copy of the ballot, but the other is the extent to which that paper will help people trust and accept the system — since the operative word is "believe". And it's clear that many people will not trust the system, at least not at first, unless the paper is there. Yes, people must trust their voting system.

There are two disadvantages, though. The first is one that I believe will not be a big deal, and will go away soon enough: the concern that candidates (or special interest groups or whatever) will insist on falling back on the paper ballots unnecessarily, causing inaccuracies in counting, delays in counting, processing, and validating, and significant extra expense in the voting system. I believe, though, that as the system proves itself, any such effect will wane, and idle requests to use the paper, without clear reasons for doing so, will soon enough not be tolerated.

What I'm more worried about is that we might see the paper cross-check as a reason not to put the time, effort, and money into securing and validating the system properly otherwise. A computer voting system, like any voting system, must be well designed, well implemented, and well validated apart from any manual cross-checking that's available. We must not, having the option of paper backup, shortcut the proper, secure, and audited system design. If we're assured of that, then the paper copies can only help in the acceptance of the system, and can only be a good thing to add.

Without a paper trail, there is no way to reliably validate an election or conduct a reliable recount. It's that simple.
I actually don't believe that, because I believe that the paper is less reliable, for the reasons I outlined above. This was amply proven in Florida in 2000.

And so, interestingly, while I disagree with nearly everything that note says in its supporting arguments, I agree with the goal: have the system make paper copies, in addition to what else it does. It's a good thing to do.


That was my response then, about a year before the 2004 elections. As I re-read it now, in the light of the Diebold controversies since, the 2004 election results (and the accusations of vote tampering then), and the current reports about the security of the Diebold system, I stand by what I said then. And I point out that the reports in the news do not teach us that we shouldn't vote using computers, but that the Diebold system is not suitable to the task. We should right now be working on designing a proper system — I suggest one where the source code is openly available, for all to review and validate.
