CA Proposes Rigorous Voting Machine Testing

christian.einfeldt writes "During her successful campaign for California Secretary of State, newly-minted California Elections Czar Debra Bowen spoke repeatedly of the need to use free open source software in voting machines to ensure the integrity of California's elections. Now that Secretary Bowen is acting on that campaign pledge, closed-source voting machine vendor Diebold worries aloud that rejecting its black-box voting machines could snarl California's elections. Diebold's concerns come at the same time that it is suing Massachusetts for declining to purchase those same voting machines." Quoting: "California's elections chief is proposing the toughest standards for voting systems in the country, so tough that they could [have the result of banishing] ATM-like touch-screen voting machines from the state. For the first time, California is demanding the right to try hacking every voting machine with 'red teams' of computer experts and to study the software inside the machines, line-by-line, for security holes."

novel idea

[gEvil (beta) (945888)]

Thoroughly test the voting machines before deploying them? Wow! Why didn't I think of that?

Re:novel idea

[TheMeuge (645043)]

I smell a "Diebold sues California" /. headline coming.

Re:novel idea

[Chris Burke (6130)]

I can't for the life of me understand why California even considers doing business with Diebold any more.

Shouldn't the list of requirements for Calfornia's voting machine aquisitions have a clause about "Company should not have repeatedly lied to California legislators, covered up known flaws, nor violated deployment policies by modifying units in the field without validation of those modifications"?

Diebold has been in trouble with California before. The fact that they can continue to even try to offer voting machines in that state kinda surprises me.

Re:

[avronius (689343)]

Here's a complete solution:

1. Create software for electronic voting. Use pictures of candidates (and their names, of coz').
2. Add a printing plugin that spits out a little chit with the picture of the candidate that the voter selected, as well as a bar code that includes the name of the candidate.
3. Place chit in voting box for validation if required - used in case recounts are requested.
4. Profit!!!

Or was that...

[avronius (689343)]

In retrospect, perhaps Step 4 should have said "Govern!" and Step 5 should have been "Profit!!!"

Re:

[gEvil (beta) (945888)]

Use pictures of candidates (and their names, of coz').

A picture of the candidate and the names of their cousins?

Re:

[avronius (689343)]

Thanks for drawing attention to my inability to avoid insulting someone while trying to set them at ease. Thanks, also, for implying that, by acknowledging that I am an insensitive clod, and being aware that I have a problem, and taking steps towards resolving that problem, I am somehow more of an insensitive clod than a non-self-confessed, non-help-seeking, run-of-the-mill insensitive clod, you insensitive clod.

Don't worry, I'm selling maps to the solution of that for those that couldn't follow ;)

Re:

[gyroid (1081639)]

If a state selectively purges voter rolls, supplies too few machines for specific precincts, or uses law enforcement and batteries of volunteers to challenge or intimidate voters, the accuracy of the machines doesn't really matter.

Oh, California

[$RANDOMLUSER (804576)]

I thought I read "Computer Associates Proposes Rigorous Voting Machine Testing", and my head started to hurt.

Good idea

[UbuntuDupe (970646)]

I agree with this proposal. They need to double -- perhaps, triple -- check to make sure the code works as intended.

But I also think CA has been otherwise prudent. For example, using Diebold instead of volunteer open source code. I mean, how can they afford all the volunteer labor?

Re:

[RingDev (879105)]

check to make sure the code works as intended.

The next step would be to check and make sure that the intention the code works with is the intention the people desire.

-Rick

Re:Good idea

[Coryoth (254751)]

The next step would be to check and make sure that the intention the code works with is the intention the people desire.

And this is why formal specification should be used. It provides a middle tier between implementation code, and English language specification. Verifying that the code properly implements the formal specification can be done programatically and independently quite easily. In turn, validating the formal specification, by comparing it to the peoples desires in terms of a English language set of requirements is easier than trying to compare coed to the requirements, since it is only intentions that are formally defined, with no issues of implementation to complicate the matter. Stating your intentions in an unambiguous way, via formal specification, ought to be an obvious first step for anything where the need for assurance is as high as it with electronic voting.

One principal of a democracy

[saibot834 (1061528)]

One principal of a democracy is that everyone can verify the counting of votes.

Now unless you teach everyone how to program I don't see how you can preserve this principal.

How many principles of democracy are there?

[Chmcginn (201645)]

One principal of a democracy is that everyone can verify the counting of votes.

Umm... this is a new one to me. I mean, it sounds like a good idea, and all... but then again, if we're using the old punch-card type of voting machines, being able to verify them requires being able to read them, which many people can't do anyway. Besides the fact that in a typical presidential election, there's, what, nearly a hundred million votes cast? It's physically impossible for a single person to check that many b

Re:

[mdsolar (1045926)]

I was just writing to my Senator Mac Middleton (Maryland Senate) that losing the ritual of hand counting ballots means that we also lose a means of strengthening community ties. You don't actually have one person count all the ballots, it is done in a group with observes from all campaigns watching for errors. In the end everyone goes to bed late and is civil about the result. There is a greater level of participation and more human interaction this way.

Maryland's house passed a bill to adopt optical s

Funny thing

[WindBourne (631190)]

is that we seem to keep learning and re-learning that lesson. Back in the 1960 election, there was a lot of evidence that indicated that kennedy won chicago by having the dems cheat. Many systems were put in place to prevent that cheating. Now, with the new current system, the evidence is even more overwhelming and yet, we are back to trying to prevent cheating. In particular, it appears that Ohio, Florida, and even texas had massive amounts of voter fraud during the last couple of elections. I guess that our society will be doomed to re-living the same problems over and over as long as we have politicians like rove ( and the dem == before).

Re:

[AK Marc (707885)]

One principal of a democracy is that everyone can verify the counting of votes.

We do not now, nor have we ever had, any system to verify votes. We can count them again, certify them, but never verify them. Until I, as a voter, can see how the state counted my vote, no vote is ever verified. They may count my ballot twice, but I can never know who they count it as having voted for. True anonymous verification is a system where I can identify my vote, but no one can determine how I voted.

Unaccaptable failure rate?

[Firethorn (177587)]

31 machines out of 340 districts? How many were in each district?

Heck, from what I've read, they've had problems with more than 10% of the diebold machines.

At least with an automark type system you still have the paper ballots to fall back on, even if a voter might require assistance to fill it out.

When a diebold type device malfunctions you have the potential for lost and/or erronous vote information, not to mention that NO votes can be taken.

10% Failure Rate.

[Irvu (248207)]

Ahh but thanks to the intervention of well-paid lobbyists Federal standards make 10% an "acceptable rate of failure" for an election.

Re:

[Firethorn (177587)]

Security is the only place where it becomes an issue - but seriously, it shouldn't be that hard. Google built an empire on white-box commodity-hardware. We can't build a machine that properly counts clicks?

Las Vegas manages to operate thousands of video gambline machines that are far more complicated mechanically speaking(it has to dispense stuff) that have to pass extremely rigorous standards, there are millions of ATM machines that have incredibly low error rates.

Sure, we could build it. It'd likely be m

Re:

[Daniel Dvorkin (106857)]

Diebold is a company that specializes in designing and manufacturing ATMs, so obviously there are problems with voting machines that ATM technology does not currently address.

This would only be true if Diebold wanted to make voting machines that work properly. They don't.

e-voting must be as strong as paper

[davidwr (791652)]

Properly monitored paper ballot voting system is about as good as you can get for the average person. It's main weakness is that it's not private for people who cannot see or read the language of the ballot and for people who cannot mark the ballot for whatever reason. The fact that you must go to a voting station rather than voting from home is also a disadvantage.

Any replacement system must preserve the strengths of a paper ballot.

This means

• Open specifications
  
• validation and verification of all equipment and procedures concerning the vote

In practice, this means the voting hardware and software must be open to public inspection. The same goes for the procedures used by voting officials.

It also means to the extent possible, the entire process must be observed by interested and neutral parties. Obviously the actual voting must be done in secret but anything that doesn't reveal an individual's vote should be observed. Those things that cannot be easily observed, such as actual electronic count, must be repeatable by another method, such as a hand-count, with the same results.

Re:

[morgan_greywolf (835522)]

Right. And that's why I keep saying that if you want to know what I think is the approach, it's touch screens with Open Source software/firmware with a paper receipt trail. This allows for the accuracy of electronic counting with a paper backup -- if the paper doesn't match the electronic count, then the software either has bugs or has been tampered with (or there are forged paper ballots, but that's easily countered). Either way, the software can be reviewed by independent computer experts to determine

Re:

[Coryoth (254751)]

* Open specifications
* validation and verification of all equipment and procedures concerning the vote

In practice, this means the voting hardware and software must be open to public inspection. The same goes for the procedures used by voting officials.

I would go even further and demand that both an English language and a formal specification that are open. That way you can validate the formal speciifcation against the English language version, and you can formally verify software code against the formal specification. There are plenty of independent systems that would allow such formal verification of code to be done, and machine checked. Sure, this requires more work to write a formal specification and to write code that can be verified against it... b

Mass Diebold request blocked

[mdsolar (1045926)]

The request by Diebold to block Massachusetts from buying from another vendor was blocked: http://computerworld.com/action/article.do?command =viewArticleBasic&taxonomyName=hardware&articleId= 9014518&taxonomyId=12&intsrc=kc_top [computerworld.com]
--
The proper use of a silicon ballot: http://mdsolar.blogspot.com/2007/01/slashdot-users -selling-solar.html [blogspot.com]

Pre-Hacking

[Nonsanity (531204)]

"For the first time, California is demanding the right to try hacking every voting machine with 'red teams' of computer experts and to study the software inside the machines, line-by-line, for security holes."

And this is a bad thing for the public... HOW?

Re:

[mOdQuArK! (87332)]

Well, it'll cost the taxpayers a fair bit to do that kind of testing properly - looking at it that way, you'll get a dollar value of how much the taxpayers think a corruption-resistant democracy is worth!

What we need is a slot machine...

[by Anonymous Coward]

Any electronic voting machines should be regulated to at least the same level as a slot machine. But for some reason we apparently believe that handling the $20 dollars we want to gamble in a casino is more important than the results of an election.

A casino would never field a slot machine (even a 1c machine) that was as insecure as a Diebold voting machine.

The security model for a slot machine is rock solid. The hardware and software (source included) must be submitted and approved by each jurisdiction. The security model ensures that if even one bit in the software has been corrupted, the machine ceases to function. The cash-in and payout of each machine is redundantly logged. The machines are completely power tolerant, meaning you can cut the power at any time; when the power is restored the machine will come back up in exactly the same state that it was in before power loss. The machine can print tickets (for a paper trail), as well as talk securely over a network.

Basically, all the requirements we'd like to see in a voting machine are the same that a slot machine already conforms to. There's no reason to re-invent the wheel here, most of the work has already been done.

Treason

[loftling (574538)]

I think that attorneys for the government should be able to demand to see source code for all the machines already deployed. If source cannot be produced (or it does not compile to the same machine code present on the voting machines) then those responsible should be rounded up and tried for treason. Seriously: at no point should *anything* related to how these machines tally votes have been regarded as a secret: that's simply not how voting works in the US.

I believe that California shouldn't have to demand transparency, I think that we citizens have implicitly expected transparency all along.

Donate to the Open Voting Consortium [openvotingconsortium.org], they've been working with Debra Bowen and many others to fix the system.

This should be so simple...

[dostojevski78 (1004267)]

It amazes me that the US can't get their elections done right. They have the technology to power the worlds most important financial systems, to pilote a drone on the other side of the world and beat any given human in a game of chess. WHY THE ##CK haven't they managed to come up with a voting system that's rock solid, transparent, secure and dependable?!? Why is that even a hard thing to do?

Heck, I think even _I_ could design such a system:

- Buy a standard issue PC with a standard issue laserprinter
- Make a simple voting program
- Give every voter a Live CD with a unique hard coded serial.
- The CD is inserted under the supervision of election workers, and the PC is booted up.
- The voters goes behind the curtain where they find a screen, a mouse and a printer.
- The voter casts his/her wote. The vote and the unique ID is stored on the local HD, and two coppies is printed out on paper.
- The voter comes out, ejects the CD AND KEEPS IT, and puts one paper vote in a ballot box. Keeps the other copy.
- The computer is powered down before the next vote.

This way one can always check the DB against the paper ballots afterwords. AND: Every citizen who thinks the election has been tampered with can A: Review the software on their CD. B: Check the official "election website", punch in the unique ID from the CD/paper coppy and verify that it's registered correctly.

This is not complex, this is not expensive, this is not difficult, and as far as I can see; this is practicaly fool proof given a certain degree of random manual chek of wotes. (To eliminate the factor involving electorial workers doing nasty stuff to the PCs etc.)

Or am I over looking something here...?

Re:

[uncqual (836337)]

Check the official "election website", punch in the unique ID from the CD/paper coppy and verify that it's registered correctly.

One minor nit... This is a bad idea because it makes buying and selling votes more reliable. With a scheme like this, the vote-buyer can verify that the vote-seller really followed instructions before payment is made. As it is now, vote-buying is unreliable (at the retail level) because the buyer can't tell if they got what they paid for.

But, overall there are plenty of good

That doesn't quite fit my definition of "simple"

[achurch (201270)]

Heck, I think even _I_ could design such a system:

[8(!) steps and commentary elided]

Or am I over looking something here...?

Perhaps you might not have heard the story of the king and the toaster [netinteraction.com]?

This may not be quite that bad, but the point still stands: Don't use more technology than is needed to solve the problem. In this case, it's much simpler than you suggest:

1. Election supervisor checks that voter is authorized to vote.
2. Voter takes pen and paper ballot.
3. Voter writes candidate's name on paper.

Re:

[Manchot (847225)]

Even relatively sane, simple mandates like checking for a valid ID at the poling station get shut down.

Those laws are often struck down as unconstitutional, and for good reason. If you are an American citizen who doesn't have an ID (which you cannot constitutionally be required to own as a direct result of our right to privacy), you should still be able to vote. More practically, from a statistical viewpoint, people with lower incomes and the elderly are surprisingly likely to not have IDs. You might say, "

Nice to see

[frenchs (42465)]

This issue is actually the very reason this woman got my vote in the last election. I'm glad to see she is holding to her promises. We definitely need more politicians to do this. She, unlike a large number of politicians, seems to have a reasonable grasp on the internets and tech as a whole.

http://www.ss.ca.gov/executive/bio.htm [ca.gov]

Re:

[MsGeek (162936)]

Indeed. The fact Debra became our Secretary of State was balm that soothed the wounds of four more years of Arnold Freaking Schwarzenegger and his signature on my Masters Degree diploma if I go to the university of my choice.

Go Debra go! So nice to have a real, live she-geek in public office!

They'll "study the software inside the machines"?

[roystgnr (4015)]

I suspect they'll really study software outside the machines, code which the manufacturer swears is the same as the software inside the machines, cross his heart. That's still an improvement over the current situation, but it's not good enough for democracy. If a computer is turning your ballot into a microscopic electromagnetic pattern rather than a human-readable printout, you simply can't be certain that your vote was counted. Software audits may make election hacking more difficult, but they'll never make it impossible.

How hard can it be to program a voting machine?

[Peter Trepan (572016)]

They just take votes and record them. The only remotely novel programming problem should be the security, and they don't appear to have implemented any! How can these machines keep screwing up when ATMs keep on not screwing up?

I'm not a computer scientist, but I know many of you are. Is there some hidden level of difficulty here? Some reason why making voting machines should be such a challenge for Diebold?

Re:

[One Louder (595430)]

It's a shame you never saw any part of California besides Los Angeles.

Re:

[fredrated (639554)]

Born and raised in Cal, yeah, there are 'kooks' for politicians sometimes, but these kooks are like 'let's see if we can make people happier by making their food less poisonous' as opposed to the kooks that think things like 'let's not tell people the air at ground zero is poisonous because then bin Laden will be even more satisfied with the results'.

We'll keep our kooks, you keep yours and we will both be happy. I hope.

Waaaaay off topic, I know

[by Anonymous Coward]

four seasons are Wildfire, Mudslide, Earthquake, and Smog

Boy, I'd like to see a shoji screen of these four seasons!

As much as I dislike CA....

[Chmcginn (201645)]

I don't see this being a problem with California, per se. I'd say it was more a problem of large corporations. Economy of scale is a great thing. But when a company reaches the 'counting drops of solder to close the barrel' stage, a lot of individual choice type options might vanish.

And, wait... are you complaining that your car has stricter emissions standards? I'm certainly not, living in the second-most smog infested state in the US. If it weren't for CA emissions being standard on so many vehicl

Re:As much as I dislike CA....

[Chmcginn (201645)]

Car companies are far more likely to decide simply to not sell cars in CT than CA.

Many car companies might, this is true. But I'd be willing to bet that some car companies would make it an option, albiet an expensive one.

So CA gets to decide what level is correct, and all the other states have to go along for the ride.

As other posters have pointed out, there are cars sold that don't meet the CA standard. There's packages of solder that don't contain the "This product blah blah state of California blah blah" label. The point is, CA is deciding what's best for it, not for anyone else. It's not their fault if many large companies go along for the ride.

Re:

[gurps_npc (621217)]

Detroit and Japan continue to make cars that do not meet California emissions tests.

The fact that you bought such a care tells me that you looked at the cars that did not meet the California emissions tests and said "No thank you".

What probably happened is that the majority of the people in the country with needs similar to yours thought that cars should meet California's tests. The few people that did not want the cleaner cars had different needs then you did.

You don't have a beef with California, you

Re:

[gurps_npc (621217)]

Then admit that the people of CONNECTICUT are the ones to blame, not California. Connecticut voters said "we want to use CA's rules". No California's forced CT to do it, you guys did it to yourself. Or better yet, get off your butt and campaign for someone to cancel that law.

Like I said before, stop blaiming California, and accept responsibility for your own actions (or lack thereof) in this case.

Re:

[QuantumRiff (120817)]

NO, CA emissions rules suck. Oregon and Washington are looking at adopting California's Emissions requirements. That would mean several freakish things. Namely, no personal Diesel vehicles. You cannot buy a VW diesel or a Jeep liberty Diesel in CA new. Diesels in the state of CA have to be over a certain weight. That is getting rather outdated. You can buy a 7000lb Hummer that burns gas like no tomorrow, tears up the highways with its weight (and even get a tax credit, since because of its weight, it

Re:

[drinkypoo (153816)]

My car has "California" emissions and I live in Connecticut. This is just one example of how California mandates things for the rest of the country.

Interestingly, I can purchase a car in Connecticut, drive it to California, register it, and pass a smog check.

Vehicles with California emissions and vehicles without are smogged to different specifications, even here in California.

The restriction only requires new cars sold in California to conform to different standards.

In California, they make you label e

Re:

[Mongoose (8480)]

I guess you never been to the OC or bay area. Irvine is cleaner than disney world and twice as planned out. It's just a ton of cute asian girls mostly Japanese/Persians/Indians all over the place. Lots of good food and way too many shops. Also the nearby beaches and the nature preserves are nice. It does suck that the weather is so dry, but most people perfer it that way.

Re:

[Stanistani (808333)]

Shall I take a few potshots at your state? Nah. Too easy.
The air is minty fresh where I live... with a hint of lemon salt.

Allow me to help you out... you refer to California as "the land of fruits and nuts" or "the left coast" and you decry our no-smoking restaurants on a regular basis.

You, on the other hand, live in Utopia, where milk and honey and nutmeg butter flow in an unbroken stream past the toes of the colossus that is M. Jodi Rell. Christopher Dodd and Joseph Lieberman hold the banner of progress w

Re:Good

[Random BedHead Ed (602081)]

I'm shocked. Deibold generally tries very hard to avoid the appearance of bias or impropriety, and they offer quality e-voting products that they strive to improve in response to much-appreciated constructive criticism from the community. Whenever they fix an issue with their products, like the closed-source software or the easily-copied security key, they are quick to get the updates out and always thank the community for helping them to improve their products. Their recent suit against Massachusetts has given them a serious PR boost with other states. So yes, their response to this move really surprises me.

(Sorry if your sarcasm gland is asploding.)

Re:

[Teancum (67324)]

While having it on paper is good, it can be better still.

As I've mentioned before when this issue is raised, computers should only be used for electronic ballot preparation. The actual ballot which you use for casting your vote should be prepared in the voting booth, and be done using OCR characters and/or a bar code (or something simple but easy for a voter to evaluate). At that point, who cares what company has actually designed the equipment for the vote processing?

You can establish standards for both