From the Chicago Methods Reporter comes this story about poorly trained election administrators and misapplied overrides. One of the affected voters writes:

“Jim and I went to vote at 7 a.m. We were given Democratic ballots and pens. But when I got to the booth, my pen didn’t work — it was like a felt-tip marker with no ink. So I went back to the desk and was told — along with several other confused voters trying to swap out their nonfunctional pens — that these were “invisible ink” pens that would not leave marks on the ballot but would absolutely be read by the scanners.

Except that they weren’t. The optical scanners were spitting out ballots until one of the election judges used a key to override the system and get the ballots into the box. After my ballot was rejected once, I got a confirmation that my vote “counted” (when the number on the ballot box blipped from 19 to 20), but Jim was given a regular ballpoint to fill in his, and it counted right away.”

The voter made enough of a fuss that they managed to get the precinct to try to “make good”. They did this by contacting the first 20 voters at that location and inviting them to re-vote.

The Chicago Tribune covers this too.

(Aside: There are voting systems that really do use special pens. For example the soon-to-be publicly described Scantegrity II system uses invisible ink on part of the ballot that is only visible when highlighted.)

Rick Carback of punchscan has asked me to help publicize a project of his.

He describes it here as a discussion board-like setting for discussing the latest VVSG Draft.:

This week I started disseminating news of my latest project, the VVSG-OF. The idea is to provide a discussion board-like setting for discussing the latest VVSG Draft. The hope is that, through open discussion, a few new ideas might come up that would not otherwise happen in the short times available in conferences on the document.

This is not to be confused with EAC’s own comment tool, which is a convenient, albeit mostly one-way, avenue to express your opinions on the document. When the comment period is over in early March, I will print out all the comments and mail them to the EAC (by me on behalf of each commenter).

If you are at all interesting in the voting process and where that will be heading in the coming years, I urge you to take a look!

Some background from the VVSG overview:

This document represents a recommendation from the Technical Guidelines Development Committee to the Election Assistance Commission for a voting system standard written to address the next generation of voting equipment. It is a complete re-write of the Voluntary Voting System Guidelines (VVSG) of 2005 and contains new and expanded material in many areas, including reliability and quality, usability and accessibility, security, and testing. The requirements are more precise, more detailed, and written to be clearer to voting system manufacturers and test laboratories. The language throughout is written to be readable and usable by other audiences as well, including election officials, legislators, voting system procurement officials, various voting interest organizations and researchers, and the public at large.

1.1 Purpose

This document will be used primarily by voting system manufacturers and voting system test labs. Manufacturers will refer to the requirements in this document when they design and build new voting systems; the requirements will inform them in how voting systems should perform or be used in certain types of elections and voting environments. Test labs will refer to this document when they develop test plans for verifying whether the voting systems have indeed satisfied the requirements. This document, therefore, serves as a very important, foundational tool for ensuring that the voting systems used in U.S. elections will be secure, reliable, and easier for all voters to use accurately.

Follow that? The Voluntary Voting System Guidelines (VVSG) are federal guidelines for how voting systems and machines should operate and be tested. The 2007 VVSG is in a period of public review. Rick’s project is to host a copy of the VVSG that allows people to comment on a paragraph-by-paragraph basis and to more easily ‘converse’ about particular paragraphs.

My take:

I apparently don’t the skill / talent of being able to read very much of bureaucratic documents like this. I’ve tried 4 or 5 times and abandoned it fairly quickly. Given that this document is federal guidelines for how voting systems (particularly electronic voting systems) are developed and tested I suspect that there is a whole lot of this document that I would disagree with. But unfortunately my eyes glaze over every time I try to dive in.

Daniel Castro has responded to review of the ITIF eVoting report that he wrote.

In that review I agree with his thesis that “end-to-end verifiable” voting systems should be encouraged and be part of the debate on electronic voting and I basically agree with his recommendations. But I strongly disagreed with his assessment of the relative risks of paper systems, electronic voting systems, and electronic voting systems that print a voter verified paper trail. I also found much of the tone of his report offensive.

My assessment is:
e2e verifiable system > paper system > eVoting with voter verified paper trail > eVoting

His appears to be:
e2e verifiable system > eVoting > eVoting with voter verified paper trail > paper system

And I believe that we both agree the e2e voting systems need more support and some trial runs but are not yet ready for widespread deployment.

To put it pithily, “I agree with the thesis of this disagreeable report“.

Here is his response. This is posted with his permission:

Thank you for sending me this link. I enjoyed reading your perspective, even if we disagree on certain points.

A few comments in response to some of your points:
1. “Poisonous labeling of opposing views” – I understand that many people did not like some of the labels we put out there, but I want to clarify a point. I recognize and agree that many people who are opposed to e-voting without paper trails are technophiles and/or computer scientists. But if you’ll notice I always used the word “many”, which I do believe is an accurate representation of certain people and beliefs. But I did not use the word “most”, nor did I mean to imply that every person opposed to it was in this category.

I sent the following comments to somebody else, but I think they apply to your comments as well:

I do not think that everyone opposed to DREs is technophobic, but I do think “a growing technophobic movement believes that no computer can be trusted for electronic voting.” For example, there are a number of statistics the Eugene Spafford cites in his recent article that show people distrust technology:

“A number of indicators show that some of the voting population does not have confidence, or is losing confidence, in the technologies that have been deployed as a result of HAVA. A study by the Pew Internet Trust found that groups of minority voters in the South do not trust the technology and believe it has been manipulated, or could be manipulated, so that their votes would not count. They expressed a significantly higher rate of distrust in computerized voting technology than the general voting population.”

From: http://www.nae.edu/nae/bridgecom.nsf/weblinks/MKEZ-744M69?OpenDocument
Now, is this mistrust a result of technophobia or a result of legitimate concerns about the security of the voting machines? Probably a little of both. But I do see a lot of comments on blogs from people who say they want to go back to a paper and pencil voting system. We also had Rep. Kucinich introduce a bill calling for a return to hand-counted paper ballots in presidential elections. If the fear is unrealistic or exaggerated (which I believe it is), is it technophobia?

I also say “Many opponents of electronic voting machines are motivated by a distrust of technology, anger at election results, and conspiracy theories about voting companies.” But again, I do not say (or believe) this applies to everyone. However, again, I do think many people feel this way.

But in the end, it does appear that these comments have distracted people from the real message – which is that we want more secure elections.

2. “Misleading arguments about reasonable security of digital data” – Actually, I have been a reader of RISKS Digest for a number of years! I disagree with your statement that I say all computers should be trusted. Obviously that is not the case. As you see in RISKS, many security flaws are from poor implementation or design. But there are also some systems that have avoided security problems from good design and good implementation. My point was that we can trust computers systems in many areas (finance, aviation, health) — certainly not all systems, and they need to meet high quality standards. And we cannot simply say “because computers have problems, we cannot use them for voting.” By that logic, we would also need to not use them in all these other areas. Instead, we should have a deeper analysis of the costs and benefits of different systems.

3. “Misleading arguments about reasonable security of digital data… the credit card system is a good example of” – I think we have to focus more on overall risk and likelihood of a threat. The credit card system is not very secure, but it also does not pose much of a risk to consumers. Everybody is capped at a maximum liability of $50, and most banks would never even charge consumers this fee because they do not want to lose anyone’s business. Similarly, I do think we should focus more on how serious the risk is from e-voting. This report is directed at policy makers. Before they decide to spend upwards of $1 billion (a huge amount, even by Washington standards), Congress should evaluate the current level of threat now, and the expected (reduced) level of threat after spending this money. Personally, I do not think the current benefits of paper audit trails justify this expense. I do think other improvements (i.e. — better testing standards, more research on universally verifiably voting systems) would be a more cost-efficient use of money, and give us better improvement in voting security.

4. Importance of e-voting for disabled voters. – I believe that this should be a top priority / criteria for voting systems. Disabled voters are a minority group — many who depend on government to provide services or legislative support for their communities –- and I think to have a strong democracy we should all make sure that every group is able to vote privately and independently, especially if the technology exists to allow it.

5. “No system currently deployed in the US allows a voter to know that his or her vote was actually counted. Voting systems that attempt to address this are worthy of research support a limited deployment but are not, in my assessment, ready for wide deployment.” – I mostly agree (although I think VoteHere might be ready). I think one of the main points of the paper is to ask the question, should we spend $1 billion on paper audit trails now, or spend $50 million now on research for universally verifiable voting systems, and then the $1 billion or so to upgrade to much more secure voting systems).

This email is getting long, so I will stop here. I am glad that we (mostly) agree on the thesis and recommendations –that is the most important part.

A bit more brainstorming about ways to aid the end-to-end verifiability meme. Other suggestions are welcome.

• Have a forum for discussing E2E verifiable systems. For example a yahoo group or a google group. Initially I would suggest an open all-purpose forum covering both technical discussion and general advocacy and discussion.
• Have a website promoting the general idea of E2E verifiable systems – not just specific systems
• Each E2E project should have a website dedicated to it with clear descriptions of how it works intended for non-academic readers. (It should of course also include sections targeting academic readers) The Punchscan web site does very well here. But many others do not – even projects involving the same people.
  Some examples:
  • Scantegrity does not include an HTML treatment
  • I can not casually find a site describing Ron Rivest’s and Ben Adida’s scratch and vote system; The best link I can find is a Technology Review article and a PDF on his site
  • Rivest and Warren Smith’s descriptions of ThreeBallot, VAV, Twin, and variants are not written and presented in a way intended for a general audience. There is a press release and some pdfs.

Aleks Essex of Punchscan, prodded by one of my comments, posted his thoughts about raising the profile of end-to-end verifiable systems in the public eye:

The allaboutvoting suggestion was to establish an outreach to the broader public about E2E. Of course this is a good idea, and something that’s overdue. But that’s going to be tough. As for Punchscan, our approach to raising its profile has always been by “doing.” First we designed and built it. Then we debuted it in a binding election. Then we won an international competition. I think that these milestones were all necessary; people need things they can “touch.” Pictures and movie of real voters using Punchscan I think helped “make it real” to people, because it was real. Winning the ten thousand dollars sure got people interested. So I’d say it’s these “press” moments that will see E2E find its way into “normal” conversation, if only for a moment.

My prodding comment was:

Unfortunately much of the talk about E2E is pretty off.
I’ve seen:
* “there is no problem”
* “your solution is something only geeks can understand”
* “your solution is to just ‘trust us’”
* hijacking of E2E potential as a call to inaction with respect to the use voting machines without any verification
* lots of heavily technical bureaucratic jargon that I don’t quite follow yet

Does the E2EV movement have any umbrella outreach and discussion place? My perception of it right now is that it is gaining momentum academically but that there is little advocacy intended for a general audience. What little there is seems to be partitioned into individual E2E projects (like punchscan) rather than movement wide.

An active yahoo group might be a helpful start.

I’m thinking of just starting an E2EV yahoo group myself but I’m not yet sufficiently committed to research and invite all the people needed to jump start a community.

Here is my point-by-point review of Daniel Castro’s ITIF eVoting report.

This is a long post. I recommend that you first read a summary of my views.

I am basic agreement with the thesis of the report which is that the debate about eVoting should move beyond voter-verified paper audit trails to include systems that can prove to a voter that their vote was counted as cast. However, I found the tone and focus of the report disagreeable and I disagreed with much of the material in the report advocating for eVoting and against voter-verified paper audit trails.

Poisonous labeling of opposing views

Much of the report (especially the first half of it) attacks voting reform advocates who support paper audit trails or who oppose the use of electronic voting machines. Some rational is given which I will address below but I find the attacks themselves intolerable.

Some examples:

• a growing technophobic movement – slanderous; ignores that many in the movement are technophiles, computer scientists, and software developers
• Many opponents of electronic voting machines are motivated by a distrust of technology.
  Again, ignores that many opponents are technophiles, computer scientists, and software developers. For example, Slashdot is a technology-oriented site whose readers and commenters are strongly against against eVoting.
• Unfortunately, the effort to bring voting machines into the digital age has been politicized by various interest groups…
  This is an oversimplification and refuses to acknowledge that objections to eVoting systems are often completely rational and non-partisan.
• …anger at election results, and conspiracy theories about voting companies
  Any change to how a political system works is subject to this issue. The way to resolve it is to ensure that the results of an election are trustworthy and not manipulated by insiders. As the ITIF report points out, the US has a history of election fraud. It is rational to not have full trust in election results. Quoting Joseph Stalin: “The people who cast the votes decide nothing. The people who count the votes decide everything.”. And quoting Tom Stoppard: “It’s not the voting that’s democracy, it’s the counting.”

Misleading arguments about reasonable security of digital data

A number of arguments are made that digital data is generally trustworthy and can be secured. (Obviously, Mr. Castro is not a reader of the RISKS Digest.) Some examples:

• foundation of digital society… based on the knowledge that information can be reasonably secured
  Misleading. Many things have wide adoption despite NOT offering reasonable security. The current credit card system is a good example of this.Arguably election systems should have a very high bar for what is considered sufficient security. Consider that a reasonable argument can be made that tampering with an election is treason. (An election is an expression of the will of the people and democracy operates on the ideal of government by the people. ‘The people’ is the ‘the sovereign’ and elections are the primary way that the will of the sovereign is expressed.) I agree that the fact that both paper voting and eVoting systems can be vulnerable to fraud. However it is clear that eVoting enables wholesale fraud that was not possible with paper systems. To me, any argument for eVoting must introduce an overwhelming benefit. Such a benefit has been lacking in the systems that have been used to date.
• At the heart of the argument against e-voting is the notion that a computer cannot be trusted – an idea that flies in the face of our digital culture
  Many of the DRE opponents (myself included) are deeply vested in our digital culture. As an example, I work daily at programming software and have a degree in computer science. We know that computers are tools that do what they are told to do. Elections are contests that occur every few years where the contestants are highly vested in the outcome and where past contests have a known record of attempts to cheat. To blithely say that computers should be trusted ignores this reality. A robust election system should work on the assumption that parties do not trust each-other and will sometimes try to cheat. Many systems using eVoting do not do well under these assumptions without a robust trustworthy verification process.
• e-voting offers the chance to minimize the margin of error [from fraud or error] by offering complete end-to-end auditing
  This is true but fails to acknowledge:
  1. No system currently deployed in the US currently offers this
  2. complete end-to-end auditing can also be offered by voting systems where the voter does not interact with a voting machine when they vote
• Because some people do not understand that voting machines must undergo independent testing, they fear that a voting machine may steal their vote.
  They fear so rightly. It is trivial to write software that will behave correctly under some circumstances and incorrectly under others. Voters also have little confidence that the software that was certified is what is actually running on the machines when they vote. In practice, it is common for uncertified software to be running on the machines.

Discussion on the merits of eVoting
A number of arguments are made suggesting that eVoting is superior to other systems. I agree with many of the arguments about the benefits of eVoting systems but I think the report underplays the risks and costs of eVoting. In my judgment ITIF does not offer a convincing argument for using eVoting over using paper ballots with technologies like punch-card or optical scan.

• in the binary world of computers, “dimpled chads” do not exist
  True but fails to acknowledge that DREs introduce their own classes of risks and that these risks enable ‘wholesale’ fraud rather than just ‘retail’ fraud.
• In the 2000 U.S. presidential election… punch-card voting machines created ballots with half-punched ballots. When election officials could not determine voter intent, they had to discard these ballots.
  Neglects to mention that this apparently happened due to negligent and possibly fraudulent manufacturing defects.
• Electronic voting also has the potential to revolutionize the voting process for blind, disabled, or illiterate voters
  This argument is vastly overplayed.
  1. accessibility technology exists other than electronic voting
  2. in the CA top-down review DREs actually did very poorly at meeting their accessibility goals
  3. Suggesting that everyone submit to a more fraud prone voting system due to the needs of a small portion of the population is unwise. It is like suggesting that a building may not have any stairs in it because some people are unable to use stairs. Accessibility is an important issue but it is falsely used as an argument to impose poor changes that affect all of the people; not just those with accessibility needs.
• many states allow early voting at central polling locations… in the days prior to Election Day… Early voting with paper ballots is impractical and expensive because custom ballots must be made available for each precinct, often in multiple languages…. DRE voting machines can host ballots for every precinct, so election officials can more easily provide early voting.
  This is an excellent point and in my view one of the few decent arguments in favor of electronic voting. Note that there are other solutions to the problem of effective early voting systems. Why Tuesday? is a good source for discussion on this issue. Note that one alternative is increased use of vote-by-mail where the ballots that are sent to people are for the correct precinct and in the correct language.
• Critics [of eVoting] claim that reliance on physical security controls is a weakness; however, paper-based voting systems also depend on physical security controls to avoid cheating.
  True. But the consequences of cheating can be larger with altering of a DRE. The cheating can be more subtle or, in some cases, can compromise other DREs as well. Cheating by an insider such as an employee of the DRE manufacturer who can control what code is used on ALL of the DREs is especially worrisome.

Discussion on the merits of voter-verified paper audit trails

A number of arguments are made suggesting that eVoting without a voter verified paper audit trail is better than eVoting with a voter verified paper audit trail. I agree with many of the arguments about the expense, complication, and cost of a voter verified paper audit trail, but I think that the report underplays the value that they add. In my view they net out as a being an improvement. That said, in my view there definitely some risk of it being “putting lipstick on a pig”. In my view eVoting has to offer very strong value for it to be worth all of the eVoting costs and risks.

Examples:

• …paper audit trails for DREs … do not provide complete security to voters and they increase costs and risks
  I agree that they do not provide complete security. None of the systems in widespread use (paper or otherwise) provide complete security to voters.
• The …property… that the vote was tallied as recorded… is not provided by voter-verified paper audit trails.
  This is not fully true. One can perform an audit comparing the paper audit trail with the vote counts reported by the voting machines. Passing such an audit demonstrates one of:
  1. the election was not tampered with
  2. the auditor cheated
  3. both the audit trail and the vote counts reported by the DRE were tampered with but match

  Thus an audit offers some assurance but not full assurance that the votes were tallied as recorded.

• Contrary to the claims of e-voting opponents, though, merely adding paper audit trails to DRE voting machines does not make elections more secure…. no voter regardless of the presence or absence of paper audit trails, currently knows whether his or her vote was actually counted
  I agree that adding a paper audit trail is not enough and that there are better approaches. As I demonstrated above, voter verified audit trails do add some small value. Some argue that it adds so little net value that it is just “putting lipstick on a pig”. No system currently deployed in the US allows a voter to know that his or her vote was actually counted. Voting systems that attempt to address this are worthy of research support a limited deployment but are not, in my assessment, ready for wide deployment.
• Another common argument made by opponents of e-voting is that without paper receipts, an attacker can easily make a voting machine alter ballots without being detected…. Opponents of e-voting… claim that they can ‘hack an election’ but none of their attacks are plausible under real-world election scenarios.
  I strongly disagree. Many DREs are hackable in ways that can realistically occur and compromise a whole election rather than just a single machine. This is especially true in cases where there are chain-of-custody issues with machines that can allow access (examples: ’sleepovers’ of machines at peoples homes, machines left for days in delivery boxes in teacher’s lounges) and in cases where machines are networked in such a way that a single corrupt machine can spread issues to other machines via viruses and the like.
• …opponents of e-voting demand paper ballots and paper audit trails so that they can be used in a manual recount. Yet manual tallying introduces numerous possibilities for fraud and error given the unpredictable human elements.
  Yes. However manual recounts are a well established process by which people can gain confidence that election results were not tampered with. It is not ideal, but it is the only system currently used.
• If there is a discrepancy between the audit record and the electronic record, neither voters nor election officials will know which record to trust. Ultimately, election law will determine whether the electronic record or the paper record is counted as the true ballot in a disputed election.
  True. This is a good outcome as it is clear to all that there was fraud or error and what the extent of it was. This is vastly preferable to an outcome where there was significant undetected fraud or error. Ed Felton makes this point elegantly.

Moving beyond voter-verified paper audit trails
The thesis of the report is that the debate about eVoting needs to move beyond voter-verified paper audit trails and include other, better, verification technologies. I fully agree.

The report unfortunately does not focus on other proposals until late in the paper. I wish that it had focused more on this and less on promoting eVoting and disparaging paper trails and objections to eVoting.

When the report finally does talk about other systems the information is a bit to thin for my taste. I did like the contents of Box 2 which describes some of the primitives and principals of how cryptographically secure voting systems work. I feel that the author should have mentioned that not all cryptographically secure voting systems involve voting machines or voters interacting with voting machines. I wish also that he had mentioned the systems PunchScan and TriBallot.

Recommendations
The report makes three recommendations. I am in basic agreement with these recommendations.

• Congress and the states should allow the use of fully electronic ballots, not restrict electronic voting systems to those that create paper ballots.
  I do not fully agree. For such a recommendation to be acceptable it must be coupled with the system having an acceptable verifiable audit trail. It is my fear that this report will be used to justify continued use of electronic voting systems without any sort of verifiability.
• Congress and the states should require that future voting machines have verifiable audit trails, not require machines with verifiable paper audit trails.
  I agree. I am concerned that this recommendation does not limit the continued use of non verifiable systems that are currently in use. I am also concerned about the details of what is considered an acceptable verifiable audit trail.
• Congress should provide funding for the US Election Assistance Commission to issue grants for developing secure cryptographic voting protocols and for pilot testing new voting technology.
  I agree with the principle of this recommendation. Ideally funding is for open academic research of voting technology. I am unsure if the EAC is the correct vehicle for providing this funding.

Historical background
Much of the report gives historical background of paper and electronic voting in the US. Generally I found this section informative and interesting.
Of note:

• By 1982, more than half of the American electorate was using punch-card voting machines… These machines used the punch-card paper ballots made infamous during the controversial 2000 US presidential election
  I find it negligent to not mention the investigation by Dan Rather into the suspicious nature of the 2000 presidential election punch-card issues.
• The content in Box 1 about fraud in elections involving LBJ was very interesting. Readers interested in more of the history of fraud in US presidential careers should read the US Presidents and Election Fraud page at RangeVoting.org. Evidence is presented there suggesting that the careers of at least 6 post-WWII US presidents depended heavily on election fraud.

Surprising bits
A few interesting and surprising (to me) tidbits mentioned by the report.

• I was not aware that HAVA had $30million for pilot programs and improved voting technology that congress never funded.
• I was not aware of many of the alternatives brought up by the paper. I have not evaluated them so I can neither praise nor damn them. They include: audio verification of votes, various two-machine proposals, and a few cryptographically secure proposals: VoteHere and Scratch & Vote

I’m writing up a full point-by-point review of the ITIF eVoting report. [Update 9/20/07: It's written. Here is the point-by-point review]

For now, here is a quick summary of my impressions.

I agree with the basic premise of the report that the debate about electronic voting needs to be broader and include other verification technologies than voter-verified paper audit trails. I am in basic agreement with the policy recommendations of the paper but I feel that these recommendations need some caveats. I discuss the recommendations below.

I disagree with much of the setup of the report. The susceptibility to fraud of electronic voting machines is downplayed too much as is the ability of voter-verified paper audit trails to mitigate that. The tone of the report when talking about organizations promoting voter verified audit trails or promoting distrust of eVoting is absolutely poisonous and Mr. Castro should be ashamed. I suspect that much of the poor reception this paper is getting is due to that.

I fear that this report will be used as a motivation to continue to use eVoting without any sort of verifiability (paper audit trails or otherwise) rather than used to encourage the use of better verification technologies than voter verified audit trails. Some of the reactions on the web suggest that this paper is received that way. For example, Tech dirt’s review focuses on the paper trail bashing rather than the potential of better verification technologies and, in fact, completely misses that the report is proposing the need to refrain from legislating away better verification technologies:

A think tank has released a report bashing the idea of requiring paper trails for e-voting systems. The logic behind this uses some sleight of hand and some misdirection to make such a statement actually try to sound sensible. The key argument the group makes is that a paper trail would not increase security while increasing cost. That’s actually true — but that’s not the point. People aren’t asking for a paper trail to increase security. They’re asking for a paper trail to make the machines auditable so the machine’s ability to count accurately can be checked. In response to this, the think tank notes that the paper trail might not be perfect, so it’s a waste. They point out that printers jam and the hand counts of paper trails may not be accurate either. That’s nice, but again it’s missing the point. Without those things, there’s simply no way of knowing whether or not the computer count was accurate or whether the votes were tampered with.

The recommendations

The report makes three recommendations:

• Congress and the states should allow the use of fully electronic ballots, not restrict electronic voting systems to those that create paper ballots.
  I do not fully agree. For such a recommendation to be acceptable it must be coupled with the system having an acceptable verifiable audit trail. It is my fear that this report will be used to justify continued use of electronic voting systems without any sort of verifiability.
• Congress and the states should require that future voting machines have verifiable audit trails, not require machines with verifiable paper audit trails.
  I agree. I am concerned that this recommendation does not limit the continued use of non verifiable systems that are currently in use. I am also concerned about the details of what is considered an acceptable verifiable audit trail.
• Congress should provide funding for the US Election Assistance Commission to issue grants for developing secure cryptographic voting protocols and for pilot testing new voting technology.
  I agree with the principle of this recommendation. Ideally funding is for open academic research of voting technology. I am unsure if the EAC is the correct vehicle for providing this funding.

[Update 9/20/07: I have read the report and review it here: summary and points-by-point]

I just got an interesting comment from Daniel Castro, the author of an Information Technology & Innovation Foundation (ITIF) report on electronic voting. Castro’s comment:

I just wanted to make sure you were aware of the report we just released on electronic voting. We discuss the limitation of paper audit trails, alternative technologies (to paper) that can be used for audit trails, and suggest that we should focus the national discussion not on whether or not we should have paper trails, but rather on how to implement universally verifiable (or end-to-end verifiable) voting systems.

From the report’s teaser:

Americans trust computers to run critical applications in fields such as banking, medicine, and aviation, but a growing technophobic movement believes that no computer can be trusted for electronic voting. Members of this movement claim that in order to have secure elections, Americans must revert to paper ballots. Such claims are not only incorrect but attack the very foundation of our digital society, which is based on the knowledge that information can be reasonably secured. Clearly, no system with a human element—including electronic and non-electronic voting machines—is error-proof, and specific versions of certain voting machines have security weaknesses. Neither of these facts, however, should be taken as a universal indictment of e-voting.
…
Congress is now considering legislation that would mandate that all DRE voting machines have voter-verified paper audit trails, and many states will vote on similar legislation this year. We believe it is time for the debate on e-voting technology to move beyond a discussion of paper audit trails. To restore voter confidence and promote secure election technology in the United States by ensuring that states can continue to improve their voting systems, we recommend the following:
* Congress and the states should allow the use of fully electronic ballots, not restrict electronic voting systems to those that create paper ballots.

* Congress and the states should require that future voting machines have verifiable audit trails, not require machines that create verifiable paper audit trails.

* Congress should provide funding for the U.S. Election Assistance Commission to issue grants for developing secure cryptographic voting protocols and for pilot testing of new voting technology.

I have not read the report yet but I plan to. The teaser has both appealing and off-putting aspects. I believe that the debate about electronic voting ought to be broader and have a place for other cryptographically secure voting systems. On the other hand the evidence that I have seen suggests that electronic voting machines do not have a clear advantage over paper systems and are often more expensive, more error prone, and more fraud prone then paper systems (hand counted, optical scan, or punch-card).

ITIF’s report was pre-announced in a few forums I pay attention to and has had a relatively poor reception to it’s announcement. I hope to see better coverage of the actual report coming soon:

• A poor reception from John Gideon of VotersUnite.org (posted at the Brad Blog)
• A poor reception at Slashdot
• Rick Carback of PunchScan’s take

Many critics focus their analysis on whose pocket ITIF is in. This is less of a concern to me then what they have to say.

In response to the Timothy Ryan op-ed “A Damaging Paper Chase In Voting”, Rick Carback (one of the punchscan developers) wrote about HR811:

…the article makes an excellent point — mandating a specific technology (which has been known to be problematic since the inception of voting) is a bad idea. By contrast, the authors of the bill could have taken the approach of Software Independence, where the outcome of an election can be determined independently of a piece of software. Any software independence approach would rule out paperless DREs, a hidden audit trail printout, and other ill-conceived technology. DREs with unreliable printers for a VVPAT approach could also be excluded, but you would need to add a reliability requirement (not hard to do). Our system, and similar systems like PAV, would more easily fit into such a definition.

From the eWeek article referenced:

The Technical Guidelines Development Committee, a committee appointed by the Election Assistance Commission to study security issues involving electronic voting, voted on Dec. 5 to recommend a move to software independence in voting machines used in the United States.
…
Software independence means that election results can be determined independently of whether voting machines have software problems or had their security penetrated.
An example of such software independence would be with machines that use voter verifiable paper audit trails.
The committee vote recommended that NIST (National Institute of Standards and Technology) develop standards for such software independent machines. However, the committee stopped short of recommending that existing machines that are certified under the EAC’s best practices be decertified.
…
The EAC still has to approve whatever the TGDC comes up with by July, and that will be followed by a public comment period, and this is the first step in something that probably will not come out until March of 2008, Norden said, adding that some types of voting systems that can’t be verified or audited, such as the old mechanical lever systems, are already on their way out.

I find several aspects of the recommended software independence policy confusing. I suspect that if I found some language closer to the actual policy proposal I would understand better.

But here goes:

• Does the policy of software independence apply to systems that do not use software in the interaction of the voter with the voting system? The reference to level systems not passing the policy suggests that it does.
• If the TGDC recommendations were made policy would that prevent a jurisdiction from switching back to a system that they used to use if they had problems with a new one? For example, a jurisdiction may have troubles with electronic voting machines and want to revert back to mechanical lever or punchcard systems. Perhaps the grandfathering rules ought to tolerate reversions.
• Independant verification by whom? The example cited was a voter verified audit trail. Is the verification always by the voter?
• What is considered an acceptable independant verification? Take the example that the article cited: a voter verified audit trail.But that still yields a hackable system. Some potential problems:
  • What is the proceedure when the voter rejects the displayed audit receipt? How are patterns of problems noticed and reported on?
  • Several studies have demonstrated that many voters do not validate their votes.
  • A machine can easily print a receipt that disagrees with it’s actual behavior
  • Machines can be set up to print bogus audit trails that match bogus votes
  • When are the audit trails examined and compared to the tallies in the voting machines?

From A Damaging Paper Chase In Voting by Timothy J. Ryan for the Washington Post comes this piece opposing HR811. Among other things it points out that HR811 would conflict with voting systems that cannot provide a paper trail (like Prime III, an Auburn University project that I am not familiar with and hence do not endorse in any way) or cannot preserve all paper records (like punchscan) I would be interested in hearing the reaction of people involved with punchscan to this piece.

When early jet aircraft crashed, Congress did not mandate that all planes remain propeller-driven. But this is the kind of reactionary thinking behind two bills that would require that all voting machines used in federal elections produce a voter-verifiable paper record. These bills — the Ballot Integrity Act (S. 1487), and the Voter Confidence and Increased Accessibility Act (H.R. 811) — are understandable backlashes to the myriad problems encountered in the implementation of electronic voting.
…
The response proposed in these Senate and House bills is for all such machines to produce paper receipts that voters can examine to ensure that their votes were correctly cast. The goal — a double-check of the machine tally — is worthy. Unfortunately, paper records are no panacea for the shortcomings of machines, and mandating paper removes the incentive for researchers to develop better electronic alternatives.
…
Paper verification looks good on, well, paper, but it is not the cure-all some of its proponents believe it to be. More than two centuries of U.S. elections have shown us that paper is at least as susceptible to chicanery as electronic records. Paper ballots can be modified, counterfeited or destroyed with relative ease. It is not at all clear that they constitute a more reliable medium than electronic records.
…
All of these drawbacks and more might be tolerable if a paper trail were the only way to double-check votes, but it is not. It is not even the best way.

A system called Prime III, developed by researchers at Auburn University, would employ a separate electronic “witness” in each voting booth. The witness, which would operate independently of the DRE machine, could more efficiently double-check the DRE’s tallying of votes while safeguarding privacy and being more accessible to the disabled.

Another system, Punchscan, designed by a team at the University of Maryland, offers an exciting array of features: After casting their ballots, voters can go to a computer and use a receipt to view their individual ballots online. An exceptionally clever ballot format allows voters to see the marks they made on their ballots in such a way that they can recognize that the marks are in fact theirs, while still obscuring their specific candidate selections, as is necessary to prevent vote-buying. While a simple paper trail ensures that the voter’s choices were accurate at one instant in time, the Punchscan system goes much further. Voters can confirm not only that their ballots were cast correctly but also that they were faithfully counted after the election.

Unfortunately, the language in the Ballot Integrity Act and the Voter Confidence and Increased Accessibility Act, the latter of which is likely to move to the floor before the end of the month, would prohibit the use of both Prime III and Punchscan — Prime III because it does not produce a paper record and Punchscan because the paper record is not preserved by election officials. Given time and the right market incentives, alternatives such as these can be developed, perfected and implemented. On the other hand, mandating a paper record will commit American democracy to an antiquated alternative for the foreseeable future.

Punchscan was the winning system in the 2006 2007 VoComp competition.

In their own words:

Punchscan is a voting system invented by David Chaum that allows voters to take a piece of the ballot home with them as a receipt. This receipt does not allow voters to prove how they voted to others, but it does permit them to:

• Verify that they have properly indicated their votes to election officials (cast-as-intended).
• Verify with extremely high assurance that all votes were counted properly (counted-as-cast).

It uses simple cryptographic techniques to ensure election integrity. The demos on their ‘learn more’ page shows how a voter casts and verifies their vote as well as showing how election integrity can be audited.

After you go through the demos you should also review the excellent FAQ.

The system that is demonstrated can only handle ballots for which there are two candidates for each race. I believe that they have extensions to the system to handle multiple candidates and well as handling

• alternate voting systems
• improved support for disabled voters
• write-in candidates

So it ready for prime-time use?
I don’t know. It has only been used for a few elections and is a very new system so I suspect that it is not ready for wide deployment.

If you are interested in following the development and deployment of punchscan you can join their mailing list.