[Newsletter] Electronic voting machines, and why it's hard

Paul Suh paul.suh at ps-enable.com
Tue Sep 19 11:47:44 EDT 2006


Folks,

This newsletter is a bit ahead of schedule, but I've got something  
else on tap for next week and this newsletter is timely.

Voting System Failures in Maryland

We just received a gilt-edged reminder of just how fragile our  
democracy is here in Maryland. In Montgomery county, where I live,  
the voter access cards for the Diebold voting machines were not  
distributed to the precincts before the election started. As a  
result, many people were unable to vote in the morning until the  
Board of Elections was able to send the cards over by courier. People  
voted on paper provisional ballots, until the precincts ran out of  
the provisional ballots. Some places resorted to photocopying  
ballots. Polls were ordered to stay open an hour later than  
scheduled, but this still doesn't compensate for people like my  
neighbor Scott, who had to leave on a plane that afternoon.

This was a garden-variety logistical screw-up with no direct
connection to the electronic voting machines. However, the Diebold  
system did have an indirect effect, via the Keep It Simple, Stupid  
principle. The Diebold system has many elements -- the cards, the  
voting machines themselves, power requirements, the technical  
support, the setup instructions for modem connections, etc. The  
probability of a problem arising is directly proportional to the  
number of things that the logistics people need to keep track of.  
Adding in the Diebold electronic poll books for this election squared  
the complexity of the system. Is it really surprising that there was  
a logistical snafu?

To compound the problem, the current system does not have obvious  
ways to degrade gracefully. It either works or it doesn't -- and if  
it doesn't then the result is chaos. It is possible to design a  
system that does degrade gracefully -- the space shuttle is an  
example, albeit an imperfect one. The engineers for the space shuttle  
have designed a system where a known potential failure point leads to  
a known path for recovery. To set this up takes time and skill and  
effort -- three elements that are in notoriously short supply among  
the people at the Maryland State Board of Elections. Even at NASA,  
they know that some failures are too catastrophic, and cannot be  
recovered from -- but at least they've thought through some of the  
possible failure modes.

Note: one of the arguments that electronic voting machine proponents
use is the human error argument. Electronic voting machines are  
supposed to take human error out of the equation. This last fiasco  
was the direct result of human error. How did electronic voting  
machines protect against human error in this situation? This is a  
perfect example of how electronic voting machines move the place  
where human error can occur from the individual voter to the  
programmer or the board of elections. Where previously an error would  
cause problems for an individual voter or at most a single precinct,  
now errors result in chaos county-wide or state-wide. People who know  
computer systems understand that the way to avoid these sorts of  
problems is to reduce the number of single failure points via  
redundancy -- RAID, failover, etc. The electronic voting machines  
have *no* redundancy, and are begging for failures.

A good place to look for coverage on this issue is the Washington Post:

http://www.washingtonpost.com/wp-dyn/content/article/2006/09/12/AR2006091200535_pf.html
http://www.washingtonpost.com/wp-dyn/content/article/2006/09/14/AR2006091401614_pf.html
http://www.washingtonpost.com/wp-dyn/content/article/2006/09/16/AR2006091600804.html

In the last article, there's an interesting quote: "Jensen [Jean  
Jensen, secretary of the Virginia State Board of Elections] said that  
not a single vote was lost in 2004 and that 8,000 to 10,000 voting  
machines were in use on Election Day." How can she prove this? In  
fact, it's an unprovable statement -- if you think about it, in an  
anonymous voting system you can only prove that a vote was lost. It  
is impossible to prove that a vote was *not* lost.

Why Is It Hard to Create an All-Electronic Voting System?

Why have the systems become so complex (beyond the desire for higher  
fees from the voting machine makers)? It's because they're facing a  
hard problem, whether or not they recognize it. I maintain that there  
are three fundamental elements to an election as we know it. I call  
them the three A's:

1) Accuracy - the votes must be counted accurately.
2) Anonymity - it must not be possible to tie a ballot to a voter
after the fact.
3) Auditability - recounts can be done by anyone.

Accuracy would seem to be a given -- if you can't get the count right  
it's not a good system. Yet, this is the place where traditional  
paper-based voting systems fail. Traditional paper-based systems are  
subject to human fallibility in determining the vote counts, but they  
were all we had until recently.

Anonymity is now a given, although it was not always the case.  
Nevertheless, a cursory study of voting in the Tammany Hall era in  
New York City or voting in the Soviet Union leads quickly to the  
conclusion that this is a necessary condition for a fair election.  
Interestingly enough, most electronic record systems NOT associated  
with voting attempt to do the exact opposite -- they attempt to  
create an irrefutable trail associating a transaction with a person  
(non-repudiation).

Auditability is critical to public confidence in elections. If Joe or  
Jane Citizen who has no specialized skills cannot reach the same  
counts as are posted, then there will be no public confidence in the  
election. It may take an ordinary person longer to reach the  
conclusion than the election system, but the result should be the  
same. And if the original count and the recount come up with  
different numbers, there must be a way to resolve the discrepancy.

Any two of these requirements can be fulfilled easily enough.  
Straight paper-based systems (such as Florida's notorious hanging  
chads) sacrifice (1) in favor of (2) and (3). DRE's in their present  
form sacrifice (3) in favor of (1) and (2). A voting system based on  
digital signatures would sacrifice (2) in favor of (1) and (3).

At least for now, the best choice is the precinct-based optical scan
machines. These fulfill all three elements and also provide for two
additional goals: protection against mis-votes (alert to undervotes
and prevent overvotes) and accessibility to other voters (such as the
blind and visually impaired, or non-English speakers).

Places to Go for More Information

http://truevotemd.org/
http://blackboxvoting.org/



--Paul


Paul Suh                                                          
http://www.ps-enable.com/
paul.suh at ps-enable.com                           (240) 672-4212


