The machines that have had audit capability built in have always had that feature disabled when actually used in elections. At least so far. The electronic machines will only be as honest as those that control them. I'd put more trust in the punch cards.
Bob Kaplow NAR # 18L TRA # "Impeach the TRA BoD" >>> To reply, remove the TRABoD!
We're still using pencils to mark 'X's on paper ballots in Canada. Automation has been tried repeatedly, but we keep going back. Sparse population makes this practical, I guess.
The vote-counting situation remains, though.
You know something's up when the returns begin to come in from Forest Lawn. ; )
Well.... no one can say he was stupid.
Randy
I GUESS YOU DIDN'T READ THE BOTTOM OF MY POST!!!!!!
who needs a stupid election? the dems and repubs are just 2 sides of the same coin.... every 4 years we flip it , and it continues to land on its edge..........
shockie B)
: )
Randy
Actually, the "entire western world economy" isn't based on "secure, auditable, verifiable, and testable electronic transaction systems". It's based on optimizing the fraud numbers to provide maximum profit at minimum cost. It's much easier (and makes better business sense) to raise transaction fees to cover fraud losses than to actually implement systems that are more fraud-resistant.
The banking industry would like fraud to go away completely, but they are realistic about it. Anti-fraud measures always either cost more to implement than to not implement, make it more difficult to use one's credit cards (resulting in lower usage rates), or both. It's a classic case of optimizing variables to maximize profits, and the banking industry is *good* at it. They will tolerate whatever level of fraud maximizes their overall profits.
So, looking towards electronic transaction systems as a "good example" of how to implement voting schemes is an inherently flawed idea....
I have a *lot* of qualms with electronic voting schemes. Any system of collecting votes that does not provide a voter-verifiable physical vote record is simply not trustable, especially for a purpose as critical as ensuring that election outcomes are actually decided by the voters. Just because a system displays a vote for candidate "A" on the screen does not guarantee that the system will record a single vote for candidate "A" in its internal tallies. Without a "paper trail", there is no way to perform any sort of checks to ensure that the vote tallies haven't been compromised.
Also, in event of hardware failure after some votes have been cast, but before data collection (computers *do* have a tendency to die at the most inopportune times), how are the votes to be counted, if there is no physical record to count?
My ideal electronic voting scheme?
Collect the votes using a touch-screen system that randomizes candidate order on-screen for every voter. Once the voter has pressed the "done" button, print up a page listing their choices in a nice large OCR-capable font, and display it to them behind a piece of plexiglsss.
Have them either hit a "confirm" button and drop the piece of paper into the (opaque) ballot box, or hit a "reject" button, and feed it through a fine cross-cut shredder, both in full view of the voter. If they rejected the ballot, let them re-vote until they get a ballot whose printout matches their voting preferences.
Electronic tallies can be used to generate initial results, but some randomly-chosen statictically significant quantity of ballot boxes must have a *full* manual count of the paper ballots, to be compared against the electronic tally. Any discrepancies in the counts between the electronic and manual tallies should be made public. In all cases, if any candidate wishes to pay for a recount, they may do so with the understanding that they will have their money refunded in the event that the winner of the election is changed by the recount.
- Rick "Trust, but verify" Dickinson
Well, I wasn't even thinking about Credit Card or POS transactions at all. I meant to imply bank, inter-bank, corporate, and securities exchange transactions; Wall Street stuff, not WalMart. ;)
In the event of fires, traffic accidents during ballot collection or delivery, inconsistent punches (chad dents), human errors, etc, paper ballots are not that reliable, either, but I understand your concern. And, as mentioned elsewhere, what happens to the ballots once they are outside of your possession is another issue altogether, as related to a vote being officially tallied and/or tallied correctly. The "paper trail" is only as good as the chain of custody procedures insofar as vote compromise is concerned.
Nothing is 100% reliable or secure. But redundant, fault tolerant electronic data processing systems can approach 100% data reliability in the short term, at least. I would "trust" an electronic voting system to accurately and reliably record, transport, and tally my vote at least as much as a manual paper ballot system, in fact, more so, if a sufficiently robust system were designed.
Gary wrote: ...
gee, I thought you were talking about eBay and PayPal ;^P
nobody says you have to vote democrat or republican - how about Green or Libertarian instead? the demos and repubs are actually different, it's hard to tell some times - vote for campaign finance reform, that'll shake things up! do something, anything, but don't resign yourself to living on the edge of a coin ...
How would you know?
What guarantees do you have that the company writing the software to tally the votes is honest? How would you know if it automatically mis-recorded, at random (with a 3% chance) a vote for the Foo Party as a vote for the Bar Party? It might make no difference in landslide elections, but it just might swing the decision from Foo to Bar in close electoral races.
And, if there's a 6% discrepancy between the pre-election polls and the outcome of the election, would it not be likely that it would be merely chalked up to "polling margin of error", or to simply the Bar Party doing a better job of "getting out the vote" than the Foo Party?
And, even if the company is, on the whole, honest, what makes you sure that every single programmer is trustworthy beyond reproach? We're talking elections here -- there's money to be made or lost by competing business interests, and the policies of one party over another. Even if all the politicians are honest and honorable , how will we be sure that a business interest won't take a chance on bribing a programmer if it will mean electing a party that has a platform more favorable to your line of work?
As I said before, without physical evidence of the actual votes cast, there can *be* no "chain of custody" to establish the legitimacy of the votes recorded. Quis custodiat ipsos custodes?
I love this country too much to let it be placed in a position where there is no way to verify the legitimacy of its elections, without raising my voice to oppose those changes. Free, fair, and honest elections are the cornerstone of our democratic republic. I won't sit idly by and watch silently as their integrity is undermined.
- Rick "Trust, but verify" Dickinson
Bob K. wrote:
Algorithms can be tested and verified and published. A test dataset can be tallied before and after, even during, an election. Any number of tamper prevention measures can easily be placed into the machines; ROM program space, etc. I have to assume the system would be tested prior to use and that it was engineered for this purpose, ie, NOT some kludge system running on a network of XP desktop machines.
Again, its not that difficult to verify the operation of a specific program, especially given the fact that the guberment will be under significant pressure to address concerns such as yours. And these are not rocket science algorithms, either.
The same people who do it now with the current system.
Recounts. A secure, well designed transaction system would minimize the requirements for a recount. Real-time collection and tally of votes is an advantage of electronic voting, IMHO Would a permanently programmed (fusible link) ROM be enough? Or a CD? A removable hard drive? There is a spectrum of physical devices/media that could maintain particular transaction information. Your vote verification step could be based upon the readout of data contained in a permanent storage device, ie, the ROM, or from two such devices; one local and another redundant "check and compare" location, or even the data received by one, or more, remote tally points. Or all three. Data voting (not election voting) between redundant storage/tally locations could give multiple, reliable transaction record storage locations and options, ie, more than one ballot record in more than one location.
It might be instructive to consider that many of the most important and secure data systems on the planet are based upon electronic hardware, storage, and digital processing algorithms. Secure, encrypted, military communications and classified databases, for example, or high security access and identification systems.
I, too, wish the integrity of elections to remain of paramount concern. I guess my experience as an electronics technician in the military may sway my opinions somewhat, but I simply know that very secure, tamper resistant, and reliable electronic data systems exist and work. I watched cryptographic systems evolve from punched paper key based systems to electronic keys, for the same reasons, in fact, that the chad issues in Florida called paper ballots into question; reliability.
You would be assuming incorrectly, from everything I have read about the Diebold and other electronic voting systems that have made it into actual use.
In fact, in a number or recent elections, the version of software used at the polls was actually "upgraded" *after* the election officials had "certified" the version to be used, but before the election, and with no "recertification" of the new software. I won't even go into the quagmire of exactly *how* a non-programmer election official "certifies" an electronic voting system, but the fact of the matter is, however the certification is done, and with whatever degree of effectiveness and trustworthiness, it's completely meaningless if the version used is not the same as the version tested.
[snipped: I asked how you could detect small devious errors]Actually, it is provably *impossible* to completely verify the proper operation of any arbitrary non-trivial computer program in finite time. Doing so is an "NP Hard" problem.
"There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies and the other is to make it so complicated that there are no obvious deficiencies." -- C.A.R. Hoare
You're missing the point here -- I'm not arguing that there aren't technical means available to ensure the *durability* and *permanence* of the votes recorded. There are. However, without some way for the votor to *know* (via visual inspection and verification, for instance) that the votes recorded are the same as the votes cast, the permanence of the record is irrelevant.
In other words, even if the votes are carved into stone tablets, if the voter can't verify that the information carved into the tablets matches what he intended to vote, then the system is not trustworthy. The carver might simply carve the runes corresponding to "Bar" votes instead of "Foo" votes based on some external condition (such as the date being a certain Tuesday in November, etc.).
There will *always* be some way for the sufficiently devious programmer to "cheat" in ways that will "pass" any specific test suite. See the classic ACM speech "On Trusting Trust" for an interesting example....
I agree that secure, tamper resistant, and reliable electronic data systems *do* exist. I've worked on some. But, even if I grant the assumption that the data is not corrupted or changed in transmission, and that it is recorded onto (mythical) 100% reliable and durable media, there's still the pesky problem of being able to verify that what was recorded actually matches what was chosen by the voter.
Since the voter is no longer directly recording the vote (as he does in punch card ballots), inspection by the voter after vote recording is *necessary*. Without that step, the audit trail/chain of custody is broken, and is not trustable.
- Rick "Trust but verify" Dickinson
PolyTech Forum website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.