Wisconsin Requires Open Source, Verifiable Voting

AdamBLang writes "Previously covered on Slashdot, Wisconsin Governor Jim Doyle today signed legislation that "will require the software of touch-screen voting machines used in elections to be open-source. Municipalities that use electronic voting machines are responsible for providing to the public, on request, the code used." Madison's Capital Times reports "the bill requires that if a municipality uses an electronic voting system that consists of a voting machine, the machine must generate a complete paper ballot showing all votes cast by each elector that is visually verifiable by the elector before he or she leaves the machine.""

Thank you very much

[stevenm86]

This is exactly what people have been saying all along. It is not a good idea to trust the numbers that the machine keeps track of electronically somewhere. Some sort of paper trail is definitely a good idea. Even a simple line printer that sits in the back of the room somewhere, printing a short summary of every cast ballot would work because it provides a paper trail that can be verified by a human.
Question is, why aren't other states doing this?

Re:KISS

[hazem]

What I've always thought would be a good idea would be a computer to help generate the ballot, and then a separate computer to count those ballots.

This offers the advantages of multi-language ballots with brail, audio prompts, etc. And the resulting ballot is standardized so it can be read by both machine and human - and no "hanging chads".

The ballots can then be easily counted by another machine - and human validated as necessary.

The ballot-generating computer never needs to "count" - but it could do so as a spot check against the counting computer.

Comment removed

[account_deleted]

Comment removed based on user account deletion

as long as the fraud is in electronic voting

[Anonymous Coward]

the competing non-fraudulent technology will have to be electronic.

it's how the human brain works. electronic is seen as the next step.
so the good guys have to be electronic too.

if people try a completely different route, that entire class of technology is going to be ignored.

it's idiotic but true.

Re:Nonsense

[Whafro]

the board of elections in your local municipality (depending on state, etc) is responsible for choosing the machines and the software. These are either elected officials or are appointed by elected officials, and therefore responsible for representing your interests.

The Board of Elections is responsible for ensuring that the correct software is loaded, and you, as a voter, will check the Board of Elections.

Elections don't just happen, they are overseen by people you put there, directly or indirectly.

The open source element just ensures that even if the Board of Elections has no idea about what the computer code is actually doing, that the greater community will be able to make that check and balance.

With a punch card or even a mechanical voting machine, you can see and understand how it works. By making the code for these machines open source, that same consumer/voter check and balance is being provided-- or, at least, that's the idea.

This does not address the other tampering that can happen. If you want to ensure that your elections are clean and untampered, then make sure you pay attention next time your local board of elections is up for appointment or election.

Re:KISS

[cortana]

Like EVM2K3 [sourceforge.net]? :)

Not the count, but the recount that's important...

[Ramses0]

"""How do you recount? Election results must be reproduceable by a human afterwards, especially if a virus or spyware got into the election results (either on purpose, or with malicious intent). Open Voting has this part figured out by producing a paper ballot that can be validated without the use of a computer, or you can use a computer to check it faster."""

http://www.robertames.com/blog.cgi/entries/links/v ote-hacking-2004.html [robertames.com]

Links have broken with time, but here's an updated link to Open Voting...

http://www.openvotingconsortium.org/modules.php?na me=FAQ&myfaq=yes&id_cat=11&categories=Security%2C+ Resiliency%2C+Integrity%2C+Reliability [openvotingconsortium.org]

Their systems are reallly neat and they've had a lot of smart people looking at the problem. I've not been involved in it, but have read some of their documentations, and promised myself that I'd speak up and give them google-juice anytime voting came up. Some highlights:

    - Commodity hardware / software

    - Open source code

    - Paper "receipts" that can be verified by:

        * Sight

        * Barcode

        * Audio / Visual

        * Separate "reader / recounter"

    - Accurate computer counts (ie: select count(*) from votes group by person)

    - Paper trail for recounts (re-count manually or computer assisted the receipts), with useful information hidden in the water-marked receipts (kindof like scantron stuff, where both computers and humans can read it). ...all in all it seems like a pretty good system and like I said they've done a lot of thinking about it.

--Robert

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Nonsense

[P3NIS_CLEAVER]

...and what if the hardware is hacked? Detecting this would be much harder than checking on the code, which could be verified by checksum.

I wouldn't give Doyle credit....

[daemonenwind]

This from the same guy who feels that you should not have to prove your identity before voting. [64.233.167.104]

I would expect this is only a ploy to make it seem like he cares about the voting irregularities which occurred in WI during the 2004 Presidental election, causing several leading Milwaukee Democrats to be investigated.

Reading the requirements, not only does no one currently offer such a machine, but most machines in the state wouldn't live up to it today.

OSS isn't enough

[gcauthon]

That's great that their system will be open source, but that isn't quite enough. There are a few things that I think would make the systems more trustworthy in addition to the open source requirement:

• Secure hashes on every single file on the system. A technician should be able to take a voting system and quickly determine if any files were modified (programs, shared libs, data, etc).
• Reliable network security. No modems or network connectivity of any sort. Find some other way to tabulate the votes that doesn't compromise the integrity of the system.
• More testing and absolutely no changes between testing sign-off and election day.
• Other than voting, the system should be completely read-only. The voting should have some sanity checks as well. For example, votes can not decrease and only one vote can be made within a certain period of time.
• The certifications themselves and testing results should be made public.
• Any information should be available through the FOIA and should have a clear and concise retention policy. No more showing up at the election polls only to find workers forming an ant trail to the dumpster.

Re:Nonsense

[AeroIllini]

I don't get why you guys are coming off with this kind of response KNOWING how in Florida 2000 we all got to see how it did NOT work, and how people got confused or thrown off by their poor understanding of how it DID work. Through what may be deliberate fiddling, or more likely incompetence, the ballot paper in parts of Florida made it potentially unclear to some people who they were voting for, and unclear to those counting the votes who the voter had actually voted for. That is what I call a total farce, and it couldn't have happened if the election had been conducted using a simple sheet of paper with a handwritten X scrawled next to the chosen candidate.

I agree with you whole-heartedly, but there are several factors keeping things from being that simple.

The ballots here in the US usually contain a huge number of elections. In the last presidential election, we were asked not only to vote for the president, but also for congressmen, judges, city councilmen, county board members, and other various municipal elected officials, not to mention the three to five different local resolutions on each ballot. The butterfly ballot system (which became famous in Florida in 2000 for the Pat Buchanan situation) is simply a way to condense a large amount of information in an anonymous way onto a small ballot card. These things are literally books, usually with ten or more pages of elections to vote for. It's not a perfect system, certainly, but putting all the same information on a single sheet of paper with room for marking a candidate, clearly delimiting the various elections taking place, allowing for instructions in both English and Spanish, and making the text large enough to read makes for a rather large sheet of paper. And asking people to read candidates off one sheet and mark their choice on another sheet creates all the same confusion and problems people had with the butterfly ballots.

I think our best bet in the US for paper ballots is to create printed booklets with instructions and a single election on each page. The actual listed candidates and boxes for marking a vote would be contained on a perforated sheet like a coupon, which the voter rips out and stuffs in the ballot box. The voter would keep the booklet after voting. The creation of these booklets could be automated without much fuss; each municipality could retrieve their booklets as a PDF file and have them printed and stapled before the election. It's not like ballots are secret until the day of the election.

But truly, in any voting system, accuracy boils down to the skill of the people recording the votes. In paper voting, that means the people counting, the people recording the votes, the people calling in the numbers to state headquarters, and the people assisting voters with questions. In computerized voting, that means the people who designed and built the hardware, the people who wrote the firmware, the people who wrote the software, and the people in charge of the networks doing the reporting to a central agency. Mistakes will be made, and recounts will happen. If automation does not help fix the mistakes that are made, and in fact creates many more problems, then it is not worth the trouble.

Re:KISS

[AKAImBatman]

Your system really isn't any different than the one in the US. In the US, you must first register to vote. This only needs to be done once, after which the voting place will expect you. As soon as you check in, your name is crossed out and you're given a ballot. That ballor has no identifying information, thus securing your right to a secret ballot. If a recount goes into effect, two things can happen:

1) The ballots themselves are recounted
2) The voters who showed up are verified to ensure that no one voted who shouldn't have. (e.g. Dead people.)

The system is tedious, but it works. The problem that has arisen, however, is that districts want to streamline voting by using electronic ballots. Since it can be difficult to *prove* that a counted vote wasn't changed after the fact, we have various stories like this one pointing out the many problems with E-Voting.

Where is an open-source voting machine?

[epaulson]

Is there a non-profit out there that has produced an open-source voting machine? Either software that converts a regular PC into a voting machine, or maybe even take it a step further and is willing to build the hardware and sell it at cost to governments.

Re:KISS

[deblau]

And how do we know that the prinout matches whatever counter is incremented within the computer?

We don't, other than by inspecting the source. Once we cast our vote using a paper ballot, how do we know it was actually counted? We don't, other than by having observers present. Source inspection is the digital analogue of human election observers.

IMHO, having computers count is more accurate than having people count. Remember, as Stalin may or may not have said [about.com], "those who cast the votes decide nothing; those who count the votes decide everything." Florida 2000 and Ohio 2004 showed us that. Computers have no motivation to lie, and I can inspect a computer's source code. I can't inspect the mind of the person counting my paper ballot. To me, computers have more accountability.

Voting System Proposal

[fossa]

Based on suggestions I've read in the comments, how about this:

Voter enters polling place, name scratched off list as usual. Voter enters booth. For each office up for election, voter types* a name or names+ into the voting machine. A blank vote or "Nobody" would indicate no vote for that office. Referendums etc. could be indicated with some predefined response (preferably more than a simple "yes" or "no" in order to avoid Windows-dialog-box-style confusion). When finished, the voting machine prints out the completed ballot. The format is importantly both human readable and machine readable via OCR. Surely if the machine knows the font beforehand, OCR can be fairly quick and highly accurate...? A ballot would essentialy be a list like:

President: John P. Doe
Senator: Jane T. Smith
Representative: Joe G. Johnson
Increase taxes for schools?: Do not increase

A ballot may contain special marks to help a machine reader align the text, but the actual vote info must be human readable (i.e. not a barcode). The voter reviews the ballot and either destroys it and creates a new one, or submits it to the ballot box. Ballots are then machine tallied after all ballots are collected (it is important to not tally instaneously for the sake of voter anonymity). Hand recounts may be conducted as necesarry.

The good parts about this are 1) machine countable, 2) human countable, 3) transparent (voter puts physical paper ballot into box rather than bits into a database), 4) tamper resistant (difficult to invalidate votes by marking or tampering with the ballot after the fact) 5) anonymous.

One problem is: how to type a candidate's name. Keyboard? What about those with disabilities? I'm not really familiar with alternate text entry systems, but surely some exist.

* The biggest problem is, of course, determining who is meant by "John P. Doe", since there may be many John P. Does in America. I don't really like the idea of requiring people to "get on the ballot" because anyone who doesn't know who to vote for will almost certainly pick a candidate who is on the ballot. But I don't really have a solution for an all-write-in system. Please address this as a separate issue. In lieu of requiring a typed name, the system could easily offer a selection of candidates as is common now. (How do write-in votes work now? I assume they are silently ignored unless it's clear that a majority of votes are not for someone on the ballot which almost surely never happens).

+ Some offices may allow multiple candidates. Some voting systems may allow multiple votes, possibly ranked, for a single final winner. This voting method lends itself well to these alternative (surperior IMO) methods.

Discuss.

Re:KISS

[YetAnotherLogin]

Yeah, but even if it was open source, you'd never really be to trust it unless you compiled it yourself. For example, Ken Thompson was able to bug the compiler so that it installed a backdoor whenever the login(1) program was compiled. For details you should see his paper Reflections on Trusting Trust [acm.org].

This seems to be a BS political move

[Anonymous Coward]

Sorry folks. As someone who knows Wisconsin state IT (and posting anonymously). The voter registration server and apps (SVRS) are CITRIX based. And the papers are already publishing complaints about that application. It is failing to poor project management by state workers with a history of poor project management. The state CIO is a linux advocate (Matt M.), but even he had to bow to pressure for a high profile project and go with HP UX. And our efforts to get rid of MS Exchange had been fairly difficult, and may yet hit the papers. (Even the governor's office hasn't attempted the email conversion despite Larry Ellison's visit...Oracle is trying to help replace MS). The governor can sign anything he wants in to law, but how will it be implemented? And how will the municipalities feel about further requirements to get voters registered and voting, when SVRS works so poorly? It sounds like the average Wisconsin citizen is not going to be very happy with what the state government dictates. From my point of view, too many state IT management folk are jumping on the open source bandwagon because of the CIO, rather than practising good IT. Sounds like the governor signed into law a feel good law without thinking about the consequences. Do I have the answers? Nope, just know this will be a great idea, poorly implemented.