Paper Trails Don't Ensure Accurate E-Voting Totals

An anonymous reader writes "In an new report from the Information Technology and Innovation Foundation they say that paper trails increase costs and can actually reduce the chances a voters' choices are accurately counted. Congress is considering a 'Voter Confidence and Increased Accountability Act of 2007,' which would mandate 'voter-verified' paper audit trails."

Re:Worthless article

[VirusEqualsVeryYes]

As to why paper trails are bad, they don't say

That's textbook FUD for ya. Make a claim, let the news sink in, then follow up later with easily debunked reasoning far after everyone's stopped paying attention.

I've been interested in the Caltech/MIT Voting Technology Project [caltech.edu] for awhile now, and they have quite a few papers on voting issues, including discrepancies, statistics, technologies, reliability. One paper in particular [caltech.edu] (PDF warning) speaks of a study done on different methods of verifying user voting. For the mock election, they randomly inserted incorrect vote records, and thus tested different methods of auditing, to see how often voters noticed the discrepancy. With the paper trail, only 8% acknowledged any problem (i.e., realized that the machine voted wrong). For an auditing system, that's not at all counterproductive as the topical article would have you believe, but it's still pathetically ineffective.

A different kind of auditing system is advocated in the paper: one using audio via headphones to play back the recorded votes to the voter. 77% of voters caught the errors. Of course with every added system, there is inherent risk -- listening devices, accessibility, etc. -- and, of course, audio auditing is relatively untested, but this seems promising. This, however, assumes that the problem is with voters or the machines making an honest mistake and not with the machines maliciously changing votes. Thus, the best course of action would be to have both paper and audio: one to help the voter, the other to verify recounts and prove unreliability.

Of course, no auditing system, no matter the sophistication or rate of helpfulness, will matter if the machines themselves are designed to be corrupted and the vote counts manipulated. Ultimately, it will be far more beneficial to the American people if, rather than trying to force accountability and regulations on corrupted producing companies bought and paid for by corrupt political crooks, the machines are written and produced, or at least heavily tested, by independent committees.... May I suggest academic committees, such as this Caltech/MIT VTP, or similar groups? Their ultimate goal is to certify reliability, and since academics is far less motivated by money, they're far less likely to be corrupted. Or so goes my theory, anyway.

Re:What do you expect ?

[JoelKatz]

"My opinion is that there is no 'secure' e-voting system."

I think we can all agree that there is no secure paper voting system. The paper votes can either not lost can be replaced with other pieces of paper.

"I also do not see any reason to abandon paper-based voting, which still is not 100% secure, but much more difficult to 'hack' due to transparency by distribution of control."

How is paper based voting more difficult to hack than a cryptographically signed, publically available "receipt" for each vote? Pieces of paper can be lost. A cryptographic receipt cannot be lost, because you can then prove it's not in the final tally.

I agree that all current electronic voting systems are bad jokes. But this does not mean that a properly-designed electronic voting scheme cannot be significantly more secure than any paper based system could ever be.

Re:Why the fuck do you guys need the machines?

[speaker of the truth]

What's ridiculous is that everything is done at once. If these terms are for the same length, have the State, County and Municipal positions done on a particular year, then two years later have the President, Representative, and Senator and then two years later have the State, etc. Also every election day should be made a public holiday that all but a very few have the day off for, and those that do work are given a special time (either before they work or afterwards) where they can vote outside of normal hours.

But of course the two major parties benefit from voter apathy as it helps ensure one of them will be voted. So the system is designed to maximize voter apathy.

Re:What do you expect ?

[JoelKatz]

'There's a lot of resistance to any idea that would allow a voter to prove who he voted for since that could be used to blackmail people into voting a certain way (e.g. "anyone who didn't vote for Bush gets fired!").'

Right, that's why nobody's suggesting that. None of the proposed schemes make it possible to determine who a voter voted for without that voter's cooperation. With that voter's cooperation, he can simply tell you. None of them make it possible for a voter to *prove* that he voted a particular way.

A common mistake is to assume that "voting receipt" must make it possible to prove how any given voter voted. This is true if and only if the receipt contains two items of information:
1) Who voted.
2) How they voted.

Nobody is suggesting any kind of receipt that contains both of these pieces of information. The scheme I proposed above contains how the vote was cast but as for the "who voted" part, it contains only an identifier that is randomly chosen by the voting machine and that cannot be provably associated with any particular voter.

(And note that that proposed scheme above was not intended to be a practical scheme. It was just intended to prove specific points. For example, it proves that you can provide receipts that allow a voter to prove to themselves and those with whom they cooperate that their vote was counted but not be coerced into voting a particular way. It proves that a cryptographic scheme can provide certain types of assurances that many think such scheme cannot provide. And so on. It's not suggested as an actual practical scheme.)

If I were being really suspicious about fud

[Joseph_Daniel_Zukige]

I would be guessing that this article is a red herring designed to make voting machines that _do_ print paper trails appear more respectable.

Re:Why the fuck do you guys need the machines?

[I_Voter]

well-wisher wrote:

"What is it about American society that forces them to elect every state official?"

---------------

One Reason

From the voters perspective the U.S. doesn't have political parties - only political labels.

Political parties in the U.S. used to be organizations that could field politicians that reflected the organizations interests, and would carry the organizations name on the ballot. By requiring political parties to nominate by publicly funded primaries, most U.S. states now require nomination by primary elections in each of our single member districts. The private member based political parties technically still exist, but now have no control over their own name! While I don't claim that real political party platforms are all that honest, we vote for many different individual politicians who are not all that honest either.. One elected politician can't pass a law! Heck: One elected politician can't get a bill out of committee!

A political party in a two-party system is a gigantic coalition of many different interests. Lacking an enforceable party platform, the other forces that decide which of these interests will get rewarded, after the votes are counted, are not very clear in either major party. Not clear to the voter anyway.

I_Voter

Much like Alice's cat - U.S. political parties have disappeared - leaving behind nothing but the many similar smiles of very individualistic politicians.

Where's the proof?

[trianglman]

Are there any facts associated with this article? It appears that this is just one group's claim, backed up by nothing other than their opinion.

The facts of the matter are:

• The current mixed method voting options are very prone to error. Most are in a non-human readable format (marked, or worse punched, dots on a piece of paper). And all are paper ballot trails.
• Electronic voting, with closed source machines (and even to some extent with open source machines), is inherently insecure if the vote count that matters is only stored electronically.
• Paper voting trails are reliably valid under three conditions: The people voting look at the papers and verify that it reflects their vote. The ballots are secured the same as any other paper ballot. The paper ballots are regularly and thoroughly audited after, during and in between each election.

with all this, a well mandated, accessible, audited electronic voting system is more secure than previous voting methods. There is no excuse for these companies to have created and sold the craptastic voting machines they did. There is no reason for Diebold, an ATM maker, to have only made voting machines that had no paper trail capabilities. If they tried to sell something like that toa bank, their contract would have been dropped in a heartbeat, but election boards across the country didn't blink an eye. It is time that there be a nationwide standard that works within a degree of certainty. Electronic voting machines with paper audit trails are accessible, human readable, and as secure as anything we currently use. You don't have questions of "Did this voter actually mark a circle?" or "Which of these half erased circles did the voter mean?" or "That chad isn't punched all the way through, so I will just do it for them because I know what they meant." It is very hard for an auditor to see "President: Al Gore" printed on a receipt in human readable form and say that the voter chose George Bush.

Re:Yet again ...

[Anonymous Coward]

The problem is that a significant number of people have difficulty understanding how to correctly cast their vote using a pencil and a piece of paper.

The problem is that arcane rules leftover from the jim crow days make it arbitrarily difficult to cast a vote. Whether it's "punch out square holes with a round rod" or "mark the box next to the candidates name" with various definitions of "mark" and "next to", cases like that bbc case show that bad ballot design isn't just a US problem.

Others have done it right, you draw a line from the office to the person you want in that office. No multiple columns of boxes (seriously, wtf is with that uk ballot?), nothing to punch out, no "ballots will only be counted if the greek letter phi is correctly written within the third column to the right of the voters name if the vote was completed by 1pm, otherwise the chinese character for love must be placed in the second box to the left".

Re:Paper Trails Ranked By Value

[JoelKatz]

"Are you suggesting handing out fictitious receipts or random receipts of other people's votes?"

No. I'm not suggesting doing anything. Just proving what's possible.

You can only hand out fictitious receipts if you create the same number of such receipts for each candidate and then subtract them later. This is possible, though it seems kind of inelegant.

Handing out other people's votes, why not? (So long as the voter can't be identified, of course.) That a vote was cast for a particular candidate is a matter of public record.

"The problem is that, either way, if I'm receiving a bribe to vote a certain way then I want a receipt that says how I voted. If I can't control how my fake receipt reads, I might was well vote as instructed and only ask for a single, accurate, receipt. If I can control how my fake receipt reads, I can cheat the bad guy by requesting a receipt that contains a given vote, but that means that either I get a fictitious receipt or someone else's. The former is easy to defeat, since the bad guy just has to check the published results and see if the receipt he was given appears on it."

The fictitious results could be included and not identified as fictitious. This is a bit tricky as you need a verified system to make sure the same number of fictitious votes are created for each candidate. Ideally, it would also make it as hard as possible to know which votes were fictitious. It's possible, but not particularly practical.

"The latter means that early voters have fewer receipts to choose between (heck, the first voter won't be able to get *any* other receipts), which makes it easier for the bad guy to tell he's being cheated, so it's safer to only ask for the single receipt."

I agree. Any practical system would have to solve this. It's clearly possible to solve it, though not clear that there's an elegant solution for it that we can all be happy with.

Again, we don't know what voting system is best yet. One of the reasons is that people have incorrect assumptions about what they want in a voting system. I'm trying to break those assumptions.

For example, one incorrect assumption is "you can't let a voter prove his vote was counted without making it possible for a voter to prove how he voted". The scheme I discuss above proves this assumption is true. Hopefully this will result in people fixing their requirements so instead of saying "no voter receipts are acceptable" they will correctly read "it should be as difficult as possible for a person to prove to anyone else that they voted a particular way".

I'm trying to do only two things:

1) Get people to refine their requirements so they say what they actually want, not what they assume is possible. (Because many things might be possible that they can't think of. We need to know the requirements so innovations can be made and applied.)

2) Prove that it's possible to have cryptographic verifications that go beyond what a "drop a ballot in a box" system can provide.

It's the paper that does the job.

[Joseph_Daniel_Zukige]

No reason for electronic voting machinery, except maybe for those with physical conditions that make it unreasonably difficult to use a bubble sheet.

Bubble sheets can be tallied electronically, but that's after the voting is all over with.

Simple ballot + stub, locked ballot box, proper accounting of unused ballots, with human judges and election observers, that's all that's necessary.

Every additional complexity just adds points of attack.

joudanzuki