Wisconsin Requires Open Source, Verifiable Voting

AdamBLang writes "Previously covered on Slashdot, Wisconsin Governor Jim Doyle today signed legislation that "will require the software of touch-screen voting machines used in elections to be open-source. Municipalities that use electronic voting machines are responsible for providing to the public, on request, the code used." Madison's Capital Times reports "the bill requires that if a municipality uses an electronic voting system that consists of a voting machine, the machine must generate a complete paper ballot showing all votes cast by each elector that is visually verifiable by the elector before he or she leaves the machine.""

KISS

[grub]

[T]he machine must generate a complete paper ballot showing all votes cast by each elector that is visually verifiable by the elector before he or she leaves the machine.

And how do we know that the prinout matches whatever counter is incremented within the computer? Being open source makes it tamper-resistent, not tamper-proof. Would it not be easier to just use a paper ballot in the first place? Then any recount could be performed against the actual ballots cast, not as a spot check against computer (glitches|fraud).

ABOUT GODDAMN TIME!

[Mattness]

Paper receipts should be a no brainer, as should be open source software for voting machines. Too bad this isn't occurring in every state, yet. Or is it? I am an ignorant person about this topic. Someone enlighten me.

Re:KISS

[McGiraf]

if there is a doubt you ask for a recount and count .... the paper ballots!

duh ..

Re:KISS

[Dutchmaan]

We can only move in the right direction.. This is a positive step to be sure, and as flaws in this system reveal themselves we will take further steps toward refining the process of preserving intergrity in the voting system.

The perfect democracy is a goal and can never really be perfectly attained... but it serves as a compass to keep us going in the right direction.

Doesn't precude bar codes

[justanyone]

There seems to be (happily) no preclusion of printing bar codes indicating the choices underneath the names of the candidates. This should allow for rapid and accurate scanning and counting. Ballots can be verified by hand or other (possibly 3rd party) means to prove that the bar codes equal the name on the ballot.

This will speed up and make more accurate the counting vs. OCR of the candidates' names.

Re:KISS

[SatanicPuppy]

I'm all about e-voting, but the way it's shaped up, I'm going to have to agree with you. Everybody fills it out with a #2 pencil, fill in the WHOLE bubble Grandma, then put your thumbprint in the corner, and stuff it in the nice locked box.

Even that probably isn't truly secure in our system. The joker who picks up the boxes will lob a couple in the lake on the way to get them counted.

Re:KISS

[grub]

"if". Being that leadership of government is being determined, I'd prefer the actual cast ballots be counted. Canada does it in a few hours with 1/10th the US population (and the public can view the count I believe)

Re:KISS

[cait56]

That's why you also need a write-only audit trail produced
before the voter leaves the booth. A second paper copy is
certainly one form of a write-only audit trail.

Keep in mind that paper-ballots were far from perfect.
Counters could and did vote for people who neglected
to fill in for some contests, and/or create extraneous
marks on the ballot to make it retroactively ambiguous.

A print-out with full candidate names is a lot harder
to alter than a pre-printed form with Xs inside of boxes.

Re:KISS

[kfg]

. . .put your thumbprint in the corner . . .

No.

KFG

Re:KISS

[blazer1024]

Voting systems are only as good as the people administering them. Even with the most super-secure systems, if you pay/kill off enough of the right people, it doesn't matter what the vote really was. Especially if you screw with random polling on television so it *looks* like the vote is going to head in the direction you want it to, as well... nobody's going to question the local news station's informal polls anyway.

If all that fails, just get plenty of dead people to vote. That what they do here in Albuquerque anyway.

Re:KISS

[HUADPE]

Agreed. One of the major tenets of democratic voting is the secret ballot. This is in and of itself a problem with electronic voting because the order of votes can be counted as well as the votes themselves. A determined individual can then match the order and time of votes to individuals as they signed in to the polling place. Non-secret ballots can allow for voter intimidation (will the new mayor fire people who voted against him?)

Re:KISS

[AKAImBatman]

Mod parent up:

100% Correct
100% American
100% Insightful

Remember that one of the key points in an election is anonymous ballots. The entire point is that someone can't hold a gun to your head (or hold your family hostage, blackmail you, or do millions of other nasty things) to force you to vote the way they want you to. The moment a ballot can be traced back to its owner is the day our entire system will collapse.

What about ....

[Anonymous Coward]

The article states that "any device used". To me that implies that each county is responsible for deciding which machine they use. Is the state making sure that any system used also uses a standarized format for the results?

Also, just because you publish some source, that is no guarantee that that was the source that went into creating the binaries that are being executed. Are they going to use a mechanism to verify that a vendor publishes the exact source? Are they going to force vendors to react to bugs found within a specific timeframe. After all, someone examining the source could find a problem and potentially use it as an exploit, this usually isn't an issue because you're banking on someone else also finding the problem and being open/honest about it, but for something like voting, is that good enough? It seems like a lot of focus is being given to it being open source, but is ignoring other software deployment issues.

Re:KISS

[oni]

Just off the top of my head, I would say:
Give the voter a receipt that consists of, 1) a long randomly generated ReceiptID, 2) a plaintext record of the vote (as in, "you voted for Kodos"), and 3) a cryptographic signature.

So in other words, I have a peice of paper that I get to take home with me and on that peice of paper is written:
------ Begin PHP Signed Text -----
ReceiptID 243524534523423454345234234
Voted For: Kodos
------ Begin PHP Signatre Block -----
(signature here)
------ End PHP Signatre Block -----
------ End PHP Signed Text -----

After the election, you can publish the ReceiptIDs and vote records on a website. Anyone who wants to verify the authenticity of the election can tally all the votes themselves. If I want to make sure that MY vote counted, I can look it up. If I see that they changed my vote, I can come forward with my reciept. I can't change my receipt because it's crytographically signed. Nobody can find out who I am because my reciept number has nothing at all to do with me, it's just a random unique number.

(why is it that this stuff always seems easy to us slashdotians? Why do corporations always make it so complicated and broken??)

Federal Mandate Time

[Kefaa]

Can someone explain why we can standardize street signs and the amount of sugar allowed in school lunches but we cannot get a standardized election system?

After the 2000 election debacle, we had money thrown at the states to "fix the problem." So we ended up with 35 different solutions.

A simple federal mandate - the voter must be verifiable, their vote must be able to be able to be authenticated after they leave the booth, in the event of a recount and the system can be fully audited. Instead, we have systems with no paper trails, questionable vendor operations, and seemingly contradictory election results.

We can make millions of secure stock sales, bank transfers and on-line purchases daily, and we cannot get a vote counted and auditable? The people who produced these machines should be fired for stupidity and forced to return our money.

Re:KISS

[mooneyd]

That's exactly how it should be done. Use a touch screen to make your choices, it prints out a op-scannable ballot you can hold in your hand and verify. You then stick it in one of two slots: the scanner slot or the shredder slot. That action will either confirm or reject your vote inherantly. If you reject the ballot, you can go through it again on the touchscreen, otherwise you are done.

And the machines should be developed by national research labratory in a completely open and transparent way. The source code, design plans and manufacturing process would be completely auditable by the public. No corporate control of voting machines. No security through obscurity.

Re:KISS

[hazem]

The problem with a receipt is that it can then be used to make sure you voted a certain way.

corrupt boss: Joe, have fun voting, and be sure to bring back your receipt so I can know how you voted and decide if I'm going to fire you. Oh yeah, and if you don't have a receipt, I'll fire you.

Re:KISS

[sam1am]

As has been mentioned elsewhere; this is a bad idea, because you could be "persuaded" to share your receipt number with someone else, who could use it to verify you voted a certain way.

Guy sets up booth taking receipts that prove a vote for candidate A, you get $10.

Or more insidious, your boss tells you you need to vote for candidate A. In order to obtain your next paycheck, you must show your receipt that you voted for candidate A.

Once you leave the polling place, you should not be able to verify your vote to yourself or anyone else.

(Now, if you took that receipt and dropped it in the ballot box on the way out of the polling place, that's another story)

There isn't a voter name on the receipt, RTFP

[Medievalist]

Although that would work on incredibly stupid voters, simple intimidation usually works on them anyway.

Voters with half a brain cell copy, forge or borrow a receipt to show to the boss.

There's no voter name on the receipt, thus no way for the boss to know how YOU voted.

Re:KISS

[Rich0]

Agreed - the simplest and most efficent solution is full automation with some percentage of completely random auditing.

In each state pick 10 precients at random, and count every last vote in them - they better agree to the automated total.

The proposal to always count them manually amounts to 100% auditing. Sure, it works, but it really isn't necessary. In fact, it is likely to have a higher error rate since there is no value being checked against (unless you have two independant groups count all the votes separately and submit separate counts which are then cross-checked).

Have each machine programmed, assembled, and sealed by an individual who signs some dotted line. If the count turns out wrong, the machine gets a major investigation. If there is fraud, the individual gets sent to prison with an opportunity to somewhat reduce his sentence by singing like a canary.

The EU uses systems like this for drug imports. If you want to certify a lot of manufactured drugs as safe for use in Europe, you have to have an EU citizen sign on the final line. The logic is that there is at least somebody personally accountable for the action who lives in the EU jurisdiction. In the same way, if a megacorp builds a bridge there is still an individual engineer signing each drawing.

The key to law enforcement is individual accountability. No need to waste huge amounts of money counting every vote by hand. You just need to make sure the system fosters accountability. If you check 5% of the precients across the country the chance of any widespread fraud going uncaught is very low. Once widespread fraud is detected you would of course count every last piece of paper three times, and send the bill to the perpetrators...

Re:KISS

[Anonymous Coward]

So... Guido comes up to me as I'm walking toward the polls, and says "Vote Quimby, or I break your kneecaps". As I exit the polls, Guido demands to know my reciept number.

If I lie to him (making up a number), he can verify that it doesn't match anything, and the next day... ouch.

If I tell him the truth, he can now verify whether or not I voted for Quimby, and thus will probably succeed in affecting my vote via threatening me.

This is why no real voting system provides any sort of reciept to the voter which can in any way be used to connect a voter to a vote -- they open the door to vote-buying and threats.

Or as a great man once said, every complex problem has a solution which is simple, attractive, and wrong. Providing a reciept, whether plaintext, cryptographically signed, or carved in stone, is simple, solves one problem (assuring the voter his vote was counted), and creates another (allowing bought or compelled votes).

Re:KISS

[Richard Steiner]

That might be a thing to do anyway just as a sanity check...

Re:KISS

[Anonymous Coward]

Another way to detect tampering would be to have each voting machine generate some random number of fake votes. If someone hacks the protocol and they alter one of the fake votes, it can be detected by the host and in the recount.

Why is this "open source"?

[mykdavies]

I don't see any sign that this bill requires the code to be open source. The bill requires it to be made public, but does it actually require the state to make it available under an open source licence?

The WIS quote only says that "the coding for the software that is used to operate the system on election day and to tally the votes cast is publicly accessible and may be used to independently verify the accuracy and reliability of the operating and tallying procedures to be employed at any election". For them to call this open source is bad enough, but for Slashdot to repeat this misunderstanding of the term is ridiculous.

Re:KISS

[hackstraw]

I wish I was on a website with computer geeks.

"hanging chads"

Bullshit. Punchcards were first made in the early 1800's and then used more commonly by big computer companies like IBM in the late 1800's. They were not used after the late 70's because they sucked. I work with people that used punch cards to program computers. They never talk about "chads" they talk about things like getting cards out of order, dropping them on the ground and not being able to edit them once made. They don't talk about "chads", those are invented words for the 2000 election well after nobody used punchcards for over 20 years.

I've taken a number of standardized tests for over 20 years that have never, ever used punchcards or had hanging chads. They were all done with standard #2 pencils and a piece of paper that could scan them at remarkable speeds and accuracy. I'm sure somebody could counter with a time that one kid had his SAT score off by a point or two out of 1600 or the 2400 or whatever it is now, but AFAK they are beyond human accuracy, and never, ever have "chad" issues.

So, why all the talk and fuss about this stuff? Are elections routinely rigged? Is this the new terrorist plot? Are the scantron type ballots that I have used rigged or wrong? Are the mechanical vote counters rigged or wrong? Was the President of the United States chosen by popular ballot in 2000? Does it even matter?

The more this disinformation keeps us busy, it makes those who really matter in these matters more free to have more room to do whatever they want to do.

I don't believe its any more difficult to count nominal data accurately than it ever was. Its the people that do the counting that are always variable, and will always be.

Re:KISS

[MindStalker]

Traitors is a bit of a strong word.
If your talking about the current system of paper ballots its simply a matter of what was avaiable at the time of creation and the unmobility of the average election council to go with unproven new systems. If your refering to things such as diebold I again point to the untechness of the election coucils. Now diebold themselves, is most likly a combination of lazy employees just trying to earn a buck.... and TRAITORS!

Re:Condorcet, not IRV

[metamatic]

The existence of preference cycles in condorcet results is a pretty serious problem. Frankly, it makes it a non-starter as far as I'm concerned.

Wikipedia lists seven different algorithms for resolving cycles. Can you imagine TV news explaining to the average American how the set theory behind the Schwartz set method determines the President?

IRV may be flawed, but it's easily understandable, and a huge improvement on FPTP.

Re:KISS

[dfenstrate]

From what I understand, the hanging chads were most likely the result of voter fraud by the election officials in charge.

They would take a stack of ballots, and run an icepick through their preferred candidate's hole.

If their candidate was the same as the voters, the card was unchanged. If it wasn't, a new hole would be made and the vote invalided for multiple voting. Since Icepicks weren't the proper instrument for voting, they left chads hanging.

Of course, who you think the fraudulent election officials were fucking up ballots for depends largely on your party affiliation.

Personally, I only remember one candidate in the 2000 election trying to cherry-pick areas to recount, and these chosen areas became famous for their hanging chads.

Of course, I don't have any substatiation of this, so take it with a grain of salt.

More directly on topic, I'm all for wisconsin's law to be adopted here in New Hampshire for electronic voting machines. The voting machine computer tally could be hand counted (or verified by a machine from a completely different vendor for speed) in maybe 1-3% of the voting districts, randomly chosen after the election, for consistency.

Re:KISS

[VE3MTM]

US Code, Title 42, Chapter 20, Subchapter 1, Section 1971:

(b) Intimidation, threats, or coercion
No person, whether acting under color of law or otherwise, shall intimidate, threaten, coerce, or attempt to intimidate, threaten, or coerce any other person for the purpose of interfering with the right of such other person to vote or to vote as he may choose, or of causing such other person to vote for, or not to vote for, any candidate for the office of President, Vice President, presidential elector, Member of the Senate, or Member of the House of Representatives, Delegates or Commissioners from the Territories or possessions, at any general, special, or primary election held solely or in part for the purpose of selecting or electing any such candidate.

Source: http://assembler.law.cornell.edu/uscode/html/uscod e42/usc_sec_42_00001971----000-.html [cornell.edu]

Ah, yes, those pesky laws.