...Virginia's Senate votes in a few days on whether to replace our electronic voting machines with optical scan voting machines and to require audits and meaningful recounts. Please ... call [your] senator now to vote for SB 840 on the Senate floor. More info at www.vavv.org.According to Virginia Verified Voting, the Senate P&E Committee report out SB 840 out of committee on Tuesday. It now moves to the Senate floor. (The House P&E committee is predicted to be considering the identical HB 2707 this morning).
Remember the latest voting debacle in Florida? Let's prevent this from happening here - Take a moment and call a Virginia senator or delegate in support of both bills.
Notice that these convictions are from the ease of manipulation of PAPER scanned ballots. http://www.wtopnews....
This is my field, I know a lot about this "stuff", we use secure technology to protect people's lives at DoD and in the banking community etc. If we will only treat properly our most sacred right of voting, that our kids are dying for in other countries, we would be a long way further. This is not rocket science. If we go back to existing paper scanners we go back twenty years of progress and back to night-mares equivalent to "hanging chad" like spilled coffee, missing putting the mark on the paper properly, elderly and infirm being able to write, etc. etc. etc. Not to mention the amount of time tabulation can take for an "All Paper" election.
Printers done right can work well, but alone that's not the solution either. The only way we will ever straighten out this weakness in our voting systems is to beef up the process, procedure, and physical controls in unison. The voting systems have to have all three elements to be secure and credible. Just substituting paper ballots will NEVER fix the problem. It will take having an electronic "TRUE" audit trail by printer, or better yet, an encrypted "un-hackable" memory device to protect our present voting system. We do not have to lose the money and time already invested in perfectly usable decent voting machines if they are handled and certified properly..
The central state-wide model they now use in Georgia since they fixed their voter fraud after their big voting scandal a few years back, works. That type of central controlled and certified system will work well for Virginia and end up saving lots of money. In Georgia all aspects of the voting process and the handling, testing, programming and certification of each voting machine is under the direct control of a completely non-partisan State run University. We will still need to add a physical audit trail like an almost un-hackable memory stick tokens that can also be physical and process managed or even used with printers when done right. Ask the people that know like the Election Commissioners from Fairfax County where we have been blessed with good people and a decent management structure and thus few anomalies in recent years. But even in Fairfax they will admit that things could be improved with some type of better re-countable audit trail, but not scanners.
Oh, by the way?. What about changing the laws on re-count procedures too?. I worked the Deeds recount and was appalled that even when we found a few issues in the counts we were only allowed to detect and highlight issues caused by transposing digits when they were copied from the PAPER tapes from the voting machines on to the legers for totals. Fix those un-fair stupid procedures that were shoved down our collective throats first. The Republican majority appears to believe that they have to revert to trickery and cheating to win?. Or as they say it, "All is fair in Politics".
With all due respect, you haven't been to ONE of the several long hearings of the Hugo Commission, the JCOTS commission, the General Assembly subcommittees that have been studying this issue for YEARS. There has been extensive testimony from vendors, academics, election officials, registrars, citizen activists from all points of view.
Probably the only thing we all agreed on is that adding printers to DREs is fraught with risk and complexity, although many activists would accept that rather than continue with DREs without an audit trail.
First off, DREs without an audit trail are NOT acceptable. People who program computers make mistakes. Testing can't guarantee correctness. Look at the last election, one vendors machines couldn't display Jim Webb's name on the summary screen. Never found in testing. What about worse things getting through testing? Look at the 18,000 undervotes in Sarasota. There is NO WAY to know what happened. We can suspect ballot design, Can't confirm without an audit trail.
Putting another group in charge of testing at a university doesn't fix anything. The Senate considered that option, and rejected it.
Hoping for some fantasy encrypted electronic audit trail won't work. There are some interesting ideas there, but to make it work really becomes extremely complicated for the voter. Voter inserts a card in DRE, sees letter codes on screen that indicate choices KB=Webb ..., codes change per voter, DRE writes to card, voter takes card out of DRE, inserts in VoteHere box, sees printout showing same codes as DRE showed. election officials do test votes during day to confirm, then back test votes out at end of day. This will never never work. Elections have to be SIMPLE. If you back off from the scenario above, you lose the protection and you just end up with a little DRE watching a big DRE, and hoping whoever stores the big ones during the summer doesn't have access to the little ones.
Finally, please understand, this bill and correct VA code allows PRECINCT BASED optical scan, but NOT centrally tabulated optical scan. The latter is very cheap, but full of risks for fraud, and what people are usually talking about when acting horrified about using paper, leaving visions of ballot box stuffing etc.
In precinct based systems, the voter puts the ballot into the tabulator which checks for overvotes, giving them a chance to correct, and then goes into a locked ballot box.
Yes, officials need to preserve the integrity of the ballot box. Just as they have to handle the memory cards today. The electronic tabulators give a fast accurate count, the paper and audits give an INDEPENDENT check that tabulators are programmed correctly.
Now, today, we have 3 options only
1. Keep DREs as is
2. Add printers to DREs
3. Switch to precinct based optical scan
There are no other options available now, and the ones you mention are really mirages put out by people that want to keep DREs. I know you are intelligent and experienced, so I encourage you to look at the details of the electronic audit trail ideas and the University testing idea. They don't pan out. You may want them to, but they won't.
Doesn't it bother you that AVS WinVote puts wireless cards in our voting machines? relying on WEP encryption?
Or that a former employee says they change the software for each VA county, but kept the same version number to avoid having to recertify. (see black box voting forum, search for AVS)
Or that they haven't been certified by 2002 standards which are the only ones that have even some security standards in them?
Or that the vendors pay for the testing, the test plans and results are secret? Or that the EAC revoked the authority of one of the test centers recently?
I agree with most of what you have here. However starting at the questions you ask, you make my argument for me. Yes wireless with only WEP has to go because it can be cracked. But since it takes a bunch of data about a gigabyte being sniffed for a relatively long time and the traffic that these machines will generate in basically miniscule by even normal internet surfing standards... WAP with 256 bit keys would be a simple upgrade, but NO wireless is much better... ethernet cables would be far better and extremely simple to use instead. All data even on cables should be encrypted as it moves to place a secure envelope around any data. IPSec tunnels using AES are a simple facility to impliment today or to require from the manufacturers.
My contention is that even with optical scanners, True CERTIFICATION and process control are paramount period. You make the point that their has been at least an equivalent of tampering in the way the software versions have been handled. That can't be tolerated ever !!! This is exactly why in Georgia they have an academic institution doing all the non-partisan certification of all software and programming. They never let the manufacturer touch the machines once they are delivered other than to repair them. If a machine breaks and has to be touched, the machine gets re-certified.....
Look, I don't need to play one-upsmanship with you on credentials, but in the 38 years I have been doing software, systems, networks, and cyber security I have a little experience at this too... in fact, you and I would probably find we agree on a lot more than we disagree, But these bills start us down a path with basic issues un-resolved in process and procedures. As I said earlier, the false sense of security only still sets us up to be burned if the physical and/or logical environment are not completely controlled no matter which technology is used.
Now to answer what has been addressed above.
1)This bill proposes madatory optical scan balloting (OSB). I have read much OSB including an imperical study that found OSBs were far and away the system that had the fewest tabulation errors. The DRE system that most of us use was the worst. (I can find the citation if needed.)
2) NO HANGING CHADS HERE! OSB requires only a pen and a ballot printed on cardstock. Where I vote (Fauquier county) we still use this system. The print size and the format are so obvious only the blind would have trouble.
3) This bill requires a mandatory audit with each election where a percentage of precincts statewide would have there results compared to a manual count of the ballots. This would help insure accuracy of the system. In addition, the precincts to be audited would be chosen at random, to discourage "hanky-panky." if/When a discrepancy is found, the auditing is expanded to include a larger percentage of precincts.
4) The paper ballots would remain the final/official record of the vote not digital readouts.
5) This bill does not address the problem of actually recounting or lack therof (eg. Deeds v. McDonnell). That problem must be addressed in another bill.
This is a good bill. Please support it. Do not throw out the baby with the bath water, because of misperceptions of what this bill does, or does not do. Do not discount it because it does not address every ill that may exist in the current election system. This is bill is the first step. It shall certainly be followed by more...But first we must take that first step otherwise we stay where we are and all of the problems we have will stay with us into the forseeable future.
For Delegate contact info:
http://dela.state.va...
http://dela.state.va...
The bill says we switch to optical scan machines, and that we audit a small percentage of the machines as part of every canvas before the election is certified. An audit is a hand count of the paper ballots to compare with the electronic count. The goal is to make sure there isn't a problem with the machines.
During a recount, 2 things happen
1. We do an expanded audit, selecting an addition 3% of the machines. If the audit shows the machines are broke, then the court can order expanded hand counts.
2. If the audit shows the machines are working, then we do a machine recount on the other machines. That is also useful because the machines focus on the one race, and spit out any ballots with undervotes or overvotes in that race - which can then be examined by hand. This last machine recount is what Sen. Deeds was prevented from doing by the court, primarily because VA code didn't say when to do the machine recount. This bill fixes that. That part of the bill came from Creigh Deeds SB 878 that he rolled into Sen. Devolites-Davis SB 840.
Precinct based optical scan machines are the best alternative available. Adding printers to DREs is horrible: voters don't look at them, paper jams, rolls of paper are hard to audit and recount, long ballots don't fit, privacy at issue. Its complex and the machines were not designed for it.
Opt scan has been around for years, has an audit trail, is cost effective, reliable and transparent. The key is that it must be _precinct_ based, which this is. That gives the voter a chance to correct overvotes. It also gives you two truly independent counts: the paper and the tabulator.
The solution the first commentator mentioned to follow Georgia's example won't fly. First, it basically just says that if you pay a university to look at some source code and test machines etc, that all errors will be caught in advance. Dubious assumption. Second, the Senate considered this and rejected it. The state board of elections met with Georgia about it, and Sen. Howell introduced a bill to set up something similar. But in Georgia, they only have one machine. We have 6 vendors. It won't really work in Georgia IMHO, but the SBE secretary testified correctly that it would be much more expensive and complex in VA because of the multiple vendors.
The other options I've heard raised include waiting for some complex fancy encryption device or creating an audit trail by photographing each confirmation screen. How practical is that for recounts? And how is the voter supposed to verify the bits stored by the camera as opposed to the bits stored by the DRE.
The best practical solution is precinct based optical scan.
Please call your Senator and Delegate to support this bill.
In particular, the head of the Virginia Registrars Association Larry Haake testified to that effect, and so did the Fairfax County Registrar. This was before the Campaigns and Elections subcommittee in the Senate.
The election officials generally hate the idea of printers on DREs, and for good reason.
Many of them don't want an audit trail of any kind. Its much easier just to assume everything is fine. Can't have a problem if you never bother to look for it. Mrs. Luca will rail against paper if you ask her, but she'll do the same if you ask her about printers. She dislikes every option but keeping DREs as is.
I think the right to vote is so sacred to our way of life that anyone who interferes with that privilege in any way should be prosecuted for a major felony. The idea of cheating or even dirty tricks disgusts me and it should anyone who cares about our system of government. As I said above, Paper ballots are an invitation to a false sense of security, FIX THE SYSTEM and anything works if it can be properly certified. Don't go backwards twenty years because of an over-reaction and misplaced trust in an older flawed technology.
This is a good bill, please support it.l
For those that watched the HBO special on voter fraud, it was optical scanned ballots that were shown.... the demonstrations of voting machine manipulation in Florida were optical scanned ballots, the recent convictions in Ohio as noted in an earlier post were with optical scanned ballots. I think any reasonable person would see the pattern here..... FIX the system not the technology. Make the penalties for fraud and even dirty trick so strong that people won't mess with the system. Don't go backwards with all good intentions and end up playing right into the hands of the "bad guys" with a false sense of security.
There are two problems that we have no protection against today:
1. Unintentional software programming errors that were not caught in pre-election testing. Let's call them bugs.
2. Software intentionally introduced to alter the election results that evades pre-election testing. This is known as fraud. There is some risk from outsiders, but the most significant risk is from someone with inside access.
Considering we have 6 vendors, 100 or so jurisdictions with their own staffs, technicians, DBAs, security guards, network admins, election staff, county workers etc. The vast majority are good actors.
Bugs exist. Testing doesn't prevent them.
Fraud exists in many other areas, and in elections historically. Lets hope Virginia's DREs are free of bugs and fraud. The problem is there is no way to confirm that assumption, or correct it if necessary.
All this talk about fixing the system is a distraction. Of course, its critical to have good security measures (I was part of a committee that recommended a bill that is now before the Senate to require security plans and practices from the vendors and counties) Of course, we should have penalties for fraud.
Diebold broke the certification rules by allowing interpreted software which created a security hole - which the Florida group exploited. Diebold also lied about it to election officials when asked if they allowed interpreted software. Yes that was an opt scan tabulator. But what makes you think they treat the certification guidelines any more seriously with their DRE software?
The Ohio case doesn't prove your point at all. Some election workers cheated to get of work in a recount. With DREs, there is nothing to recount anyway. Probably all this shows is that there are dishonest and lazy people in every profession, all the more reason to demand an audit trail.
See the Ed Felton's video at Princeton of how easy it was to corrupt a Diebold DRE with just a little bit of inside access.
But even if you are willing to wish away the danger of fraud, are you serious to think that we can assume every programmer for every DRE vendor never will have an error get through testing?
I can't bring myself to support these bills without the missing pieces, but in this case my vote doesn't count its the votes of our Delegates and Senators.... maybe, just maybe our little debate here has gotten some of their attention. I also agree the system can not stay status-quo, it is still broken in the general case... worse some places than others, but broken none-the-less.
Want better security of ballots and equipment. Agreed
SB 1226 addresses some security issues. There is another provision (bill or current code) that requires ballots be under lock and key - discussed in committee. Can't cite.
The only question we seem to disagree on is how to provide the missing audit trail.
All election officials hate printers on DREs. Most activists do too. That is not a good or sellable option. Is that what you want?
Precinct based opt scan provides an audit trail and is low cost, low technology risk. Available today?
There are NO other viable options. We can hope for some future technology, but the ones that have been proposed have many problems and introduce blind dependency on some other technology - digital photos of ballots for audits, or some encrypted electronic audit trail. Who audits those? I wish there were a magic cure, but there is not. Certainly not available and tested today. Waiting means accepting the status quo.
Which of the three available options do you prefer?
DREs, opt-scan, or DREs with printers?
By my approach I would want to have a standard inexpensive USB Flash Drive that would be plugged into each DRE at start of day and then not touched until the poles close. Each DRE and each flash drive would be serial number identical/related. The contents of the flash drive would be time stamped records of every ballot entered just as though it would be if it were to be printed out on a hard copy printer. The entire file and all intervening transactions would be encrypted using 256 bit AES with a key only known to the central election HQ. The DRE would treat the flash drive as a write-only device just like a paper tape only completely secure and unreadable to human eyes. Any change in status of the machine or the plugged in status of the flash drive would be accounted for by an incident log and the log on the drive that would include a heart beat record with machine status every second. The amount of text this would actually generate would be miniscule compared to the relative capacity of a standard twenty dollar cost, one gigabyte flash drive. The only development work necessary is the adapting of printer interface software to put out the encrypted flat file and the mechanism necesarey to do the initial key exchange. Now I would want to do a full process flow and try some penetration testing to validate the implimentation and key exchange procedures, but this would cheap, easy to install, and one more way to control what happens in the precinct with the use of electronic non-partisan observers, the DRE machines themselves.
The Flash drives could only be readable not ever writable with simple software on a laptop or tablet computer at the end of the day or at HQ later... the time stamps and heart beats would make the files very difficult to manipulate and almost impossible to tamper with if the interface is designed properly and the encyption envelope around the file is maintained. Also, the files could be later consolidated at election HQ and analyzed for voting traffic patterns and anomalies and kept indefinitely should their contents be needed later.
The DREs already have redundant memories to guard against hardware failure.
What we have no protection against is SOFTWARE failure, either inadvertent mistakes or malicious intent.
If the software is flawed, if it changes the vote that was cast, it doesnt matter how many memory sticks, hard drives, hidden tapes or digital images that the software writes of that altered vote.
Adding redundant hardware does not protect against the threat of flawed or fraudulent software.
Only the voter can verify the secret ballot. The voter can only verify something he can see (rules out bits written to flash memory) and that can't change (rules out pixels on a screen)
I know you are very intelligent and well meaning. I can accept (barely) if you don't think the threat of flawed or fraudulent software is serious. But I hope you can understand at least that adding more digital devices that the voter cannot verify does not solve the problem. Maybe solves a different problem, but not the concern about software.
To be crystal clear, imagine a programmer who gets access to some DREs during the off season, and somehow changes the code that writes results to the hard drive. He could flip every N votes say. Maybe you need a signal to turn on that mode so that it doesnt happen during testing. Might be hard to do, but certainly not impossible. Voter sees his choices on the screen, but what gets written is different. Now adding more hard drives and memory sticks doesn't solve that problem. Fraud is one real risk, but there are others. Plain old bugs are still with us despite all the testing.