Expert gives Congress solution to vote machine cyber-security fears: Keep a paper backup

With too many electronic voting systems buggy, insecure and vulnerable to attacks, US election officials would be well advised to keep paper trails handy. This is according to Dr Matt Blaze, a University of Pennsylvania computer science professor and top cryptographer, who spoke to Congress this week about cyber-threats facing …

  1. Notas Badoff

    Chain of evidence

    Just passed on to a relative an article on a local election, where a "thumb drive" was misplaced and those votes simply not counted. Found three weeks later, the elections people carefully checked it over, totaled the for/against votes from it per election issue/race, and cheerfully said "Oh, none of the actual election results would have been changed! So no harm done (and no we won't be changing the election totals or noting the error permanently.)"

    This less than a year after my vote in a local election tied one race, 521 votes each, leading to a runoff election.

    Why the hell is "double-entry bookkeeping" described as a critical foundation for business, but election paper trails are "meh"?

    1. Jim Mitchell

      Re: Chain of evidence

      Most businesses of any size don't do bookkeeping on paper anymore, so I don't see how the comparison of "double-entry booking" and "election paper trails" is relevant?

      1. Anonymous Coward

        Re: Chain of evidence

        > how the comparison ... is relevant?

        It shows we already knew all about how to keep track of simple numerical things well enough, and now someone is doing it wrong even though the stakes are much higher.

      2. Anonymous Coward

        Re: Chain of evidence

        > Most businesses of any size don't do bookkeeping on paper anymore, so I don't see how the comparison of "double-entry booking" and "election paper trails" is relevant?

        Yes, businesses do. You're required to have sufficient records that HMRC can check manually. (To be fair, I know this because at our business at the moment, HMRC thinks that our accounts figures are wrong and so are in the process of comparing the paper records (invoices, bank statements etc) to the electronic records to see if they can find any differences.)

    2. Alumoi Silver badge

      Re: Chain of evidence

      > Why the hell is "double-entry bookkeeping" described as a critical foundation for business, but election paper trails are "meh"?

      Because people vote, politicians count the votes.

    3. TheVogon

      Re: Chain of evidence

      But if you are going to use paper anyway, what's the point of a voting machine? Surely just video recording the button presses would be a more appropriate solution?

      1. Filippo Silver badge

        Re: Chain of evidence

        Can't video record. Even if it was made to just show the voter's fingertips, that would still compromise anonymity, which is fundamental.

        Agree that if you're using paper anyway, you should just get rid of voting machines altogether.

    4. Adam 1

      Re: Chain of evidence

      > This less than a year after my vote in a local election tied one race

      I note your local election and raise you a whole state senate election.

  2. Daedalus

    NY is ahead behind ahead behind

    The English speaking world outside the USA may be interested to know that until the last decade or so, in NY and many other states, paperless voting was the norm. This was due to those famous voting machines that made it so easy to vote the "straight party ticket". Without going into too much detail, you set various small levers set against a table of candidates on the front of the machine, then pulled a big lever in front of you crosswise. This simultaneously added your votes to the various internal counters, cleared the levers you had set, and opened the curtain that concealed your actions. For the parties there were special levers that set the votes for all their candidates at once.

    After that the election functionaries would read off and report in the various counts, presumably handwritten, and the results would famously be announced in a short time that left staid old British electioneers scratching their heads that such things were possible. How could America call the race for President faster than Billericay could announce its famous first result? Well there was a lot less counting and adding to be done, for one thing. On the other hand, it was putting a lot of trust in local election officials and the people they reported to.

    Paper trail? What paper trail?

    1. Jim Mitchell

      Re: NY is ahead behind ahead behind

      I miss the old lever style voting machines. The "thunk" and physical action gave some satisfaction to doing your civic duty. Putting a ballot into a scanner just isn't the same.

      I understand the mechanical voting machines were old and required lots of maintenance, plus lots of storage, transportation, etc costs.

      1. Daedalus

        Re: NY is ahead behind ahead behind

        They were indeed old and required upkeep and storage etc. OTOH the new scanners will be obsolete by the time I finish typing this. Maybe the next generation will be configured to fit into the same scheme, accepting the same forms and producing the same data. OK, you can stop laughing. Of course the makers of the current generation of voting equipment will have the States over a barrel because the scanners will fail, the software will no longer be supported, the machines on which the software runs will cease to be available, and nobody even understands the current version, let alone any future ones.

        The old machines were decades old, the people who knew how to service them were retiring (or dying) in droves, but for all that they worked. We are now probably locked into a 10-year, and possibly even a 5-year, turnover cycle where the system will have to be reworked over and over with all the pitfalls for security and integrity implied by that.

      2. Nolveys

        Re: NY is ahead behind ahead behind

        > I miss the old lever style voting machines. The "thunk" and physical action gave some satisfaction to doing your civic duty.

        That sounds similar to what happens with me after morning coffee. Similar outcome too.

        1. Daedalus

          Re: NY is ahead behind ahead behind

          Yes, it's amazing how certain rooms in the building become crowded around 9 a.m.

  3. Herby

    Need to separate casting and counting of ballots

    The casting of a ballot should be a simple and verifiable action. The voter should be able to "count" his own ballot to see that he actually did the "right thing" (another topic for discussion). The counting process can be "automated" or "manual", but it should be doable by ANYONE who desires. Sure they might take multiple days of time to manually count the ballots, but the same result should be obtained as from an "automated" process.

    Yes, some sort of nice paper as the intermediary is necessary for this to happen. It should be both human AND machine readable. For all the flaws, punch cards were human readable, but there was the silly "hanging chad" problem.

    There should be no "trade secrets" in either process, and an advance "audit" (if necessary) of ALL the software should be available. Sorry, I really don't trust Diebold.

    1. Keith Smith 1

      Re: Need to separate casting and counting of ballots

      A friend and I have discussed this very thing multiple times. 'ELECTRONIC' voting should be two simple steps.

      1) Go to touch kiosk, select your choices, when complete printer attached prints your votes in text and barcode/target.

      2) Review paper and take it to agent at scan station, who scans it in, verifies it and you leave. If you goof paper goes in the shredder, and you start over.

      Paper is maintained on site/whatever until the results are finalized.

      Basically the current cardboard pen setup, just printed reliably on regular 8x11 or a4. You secure the scanner/hopper/counter machine/paper as appropriate. At the end of the day you re-scan the paper to validate. NO Exceptions! Recounts are by rescan only. Codes/targets on paper can have enough ECC info to prevent faulty reads.

      1. Mark 85

        @Keith Smith 1 -- Re: Need to separate casting and counting of ballots

        Here in Oregon it is actually simpler. They mail you a ballot. You fill it out and return it via mail. A double envelope is used, the outside for mailing and verifies via your signature that it was a "legal" vote. The inside envelope keeps your vote hidden until it's opened and run through the counting machine (or at least that's the way it's supposed to work). I'm sure it's not foolproof but the paper ballots are scanned and then stored, things can be verified.

        1. Keith Smith 1

          Re: @Keith Smith 1 -- Need to separate casting and counting of ballots

          Unless someone takes your dead uncle's ballot.

  4. Anonymous Coward

    Voting machine Blockchain?

    Transparent and incorruptible

    The blockchain network lives in a state of consensus, one that automatically checks in with itself every ten minutes. A kind of self-auditing ecosystem of a digital value, the network reconciles every transaction that happens in ten-minute intervals. Each group of these transactions is referred to as a “block”. Two important properties result from this:

    Transparency: data is embedded within the network as a whole, by definition it is public.

    It cannot be corrupted altering any unit of information on the blockchain would mean using a huge amount of computing power to override the entire network.

    1. Anonymous Coward

      Re: Voting machine Blockchain?

      "It cannot be corrupted altering any unit of information on the blockchain "

      Garbage in, cryptographically signed incorruptible garbage out.

      1. theblackhand

        Re: Voting machine Blockchain?

        The suspicion for some time has been that many of the US vote counting machines are of questionable quality and are likely to not show any evidence of tampering regardless of whether it is done accidentally or deliberately. ie. https://tech.slashdot.org/story/02/07/20/0124232/unauditable-voting-machines

        Adding blockchain is unlikely to paper over the cracks of the software underneath.

  5. tom dial Silver badge

    It is not clear why so many people are so concerned to get electronic voting "right" when there is no obvious reason to have it at all other than to speed reporting of the outcome. Manual voting using paper ballots with optical counting, if desired, satisfies the requirement quite well, including quick answers. Manual counting would take longer, but arguably be more transparent. There is absolutely no requirement that returns be complete enough by the 10PM or 11PM news to project a winner; no harm follows from procedures that were (almost) fast enough to project national election winners with decent accuracy before the advent of voting machines.

    Recounts, if needed, can be handled the same way and will take no more than about twice as long.

    1. bazza Silver badge

      Going part way as you suggest - paper but machine countable - is a plausible option.

      However the benefit of manually counted paper votes is that the result is harder to argue about, gives stronger attestation of the result. If a machine count were contested you'd then have to manually count it; that takes a lot of organisation and time to do if unprepared which is likely unacceptable in such circumstances. May as well be prepared, so why not do a manual count in the first instance...

      At the end of the day it's all about perceptions. It may be acceptable to a population simply to know that there is a permanent paper record and that a manual count could be done if required and individuals can verify that the vote they cast is recorded on their piece of paper. Personally speaking I'd be very interested in the design of the counting machine, because that's the place where something nefarious would be attempted.

      1. Charles 9

        No, manual counts can be challenged, too, subject to misinterpretations, corruption, etc. Remember that the manual recount of the infamous "hanging chad" election was itself challenged. And due to the human condition, there's probably no real way to satisfy everyone of note. After all, ALL voting machines are man-made.

        1. Mage Silver badge

          infamous "hanging chad"

          Stupid system. Inherently unreliable. Indelible Marks on solid paper are better and readable with 1930s technology!

          1. Charles 9

            Re: infamous "hanging chad"

            Except they can still be switched with a sufficiently-resourced and -determined adversary.

  6. Tom Melly

    Obligatory link (and a good point):

    https://xkcd.com/463/

    1. Anonymous Coward

      Have an upvote, that puts it perfectly.

      Personally I think if you use electronic voting and it's connected to the internet in any way whatsoever you might as well let everyone vote on an etch-a-sketch.

      1. John Robson Silver badge

        https://m.youtube.com/watch?v=w3_0x6oaDmI

        1. theOtherJT Silver badge

          Got in there before me on the Tom Scott video.

          The one they're talking about here is "Hey, we keep a paper trail of what the machine did, so it's ok!"

          NO. NO IT'S NOT OK! The paper trail will say what the machine SAYS it did. If the machine is compromised you can't trust the paper trail either. This does not solve the problem in any way.

          1. Mage Silver badge

            The paper trail will say what the machine SAYS

            The only sensible paper trail is human marked paper ballots.

            A printer only slightly improves an electronic terminal and only if terminal never connected to anything else.

            Humans currently can't do 100% security or accuracy in programming.

            1. Charles 9

              Re: The paper trail will say what the machine SAYS

              They can't do 100% security or accuracy in hand-counting, either. So you lose either way.

            2. KSM-AZ

              Re: The paper trail will say what the machine SAYS

              Look *anything* can be manipulated. The goal is to make manipulation as difficult as possible.

              A printer improves things dramatically, in that the ballot "MARKS" can be both visible and barcoded. There could be random spot checks post-voting. If there was a question (say) a party/group could request re-counts using their own scanners, or manually, as long as they want to pay for it. The machines that print the scannable ballot can be trivially 100% isolated. The paper generated should be near 100% legible and scannable. The scan results could trivially be validated by alternate scanning and/or manual counting.

              Every voter should be able to physically look at the printed ballot with their votes on it and verify it before it is taken and scanned. If something was out of whack the printed names could be counted by hand as a check. As a matter of course there should be a "hand count" limit unless some sort of anomaly can be proven for a given set of ballots by a particular machine. If no reasonable discrepancy can be shown machine counts stand.

              Current party systems should keep most fraud at bay. ie, I take my counting machine to precinct X eyeball count N ballots, feed them into my machine, verify, Feed the stack, Verify precinct result.

              Again, you can always have fraud, someone could be tossing out paper ballots they don't like, etc. Every scanned ballot should get serialized on scan, and again you have a total count validation and cross check point. You have to make it as difficult as possible to cheat.

  7. Bryan Hall

    Anonymous - why?

    In addition to using a paper fill in the box and optically scan it method, I would like to see my vote tied to me. I have never understood this compulsion to have it be anonymous, other than to disallow the possibility of verification against individual voters to allow fraud.

    I would like my vote recorded, and then be verifiable by myself online. The lookup key? Simply the sequential number of my place in line against the voter registration book I sign in against. Multiple books just start with different thousands (10001, 20001, etc).

    1. MK_E

      Re: Anonymous - why?

      It's to disallow the possibility of someone getting a hold of the list of who voted for whom and putting a brick through the windows of anyone who voted against their preferred candidate.

    2. Ben Trabetere

      Re: Anonymous - why?

      It is also to prevent the owner of a underpants factory from "urging" the gnomes to vote a certain way - rewards to those who voted correctly, penalties for those who didn't.

      Then, with each gnome's verification in hand, the underpants factory owner sits down with elected officials for a nice chat over how much those votes are worth.

      1. Alumoi Silver badge

        Re: Anonymous - why?

        So what's wrong with that? It works like a charm in over half the world.

    3. Anonymous Coward

      Re: Anonymous - why?

      "I have never understood this compulsion to have it be anonymous"

      Anonymous voting is the only way to keep the vote from being controlled by those with the biggest bribes or the most guns.

      1. Charles 9

        Re: Anonymous - why?

        But that presents a dilemma. There's no way to be sure your vote STAYS yours, and that happens to be EQUALLY important (you can't have both because anonymity prevents attribution and vice versa). So you have to choose which is more important: a FREE vote or a TRUE vote.

        1. Richard 12 Silver badge

          Re: Anonymous - why?

          A free vote.

          If the votes of my neighbours can be bought and verified as such, then there was no vote.

          Only someone with money buying a result.

          1. Charles 9

            Re: Anonymous - why?

            And if a sufficiently-resourced adversary can switch the votes without my knowledge, then there was no vote either.

            Only someone with political power forcing a result.

            Either way, you lose.

        2. Filippo Silver badge

          Re: Anonymous - why?

          "So you have to choose which is more important: a FREE vote or a TRUE vote."

          Arguably, they are both the same problem. Applying pressure to the voter or modifying the ballot after voting are both ways to tamper with someone's vote, making it neither free nor true, in both cases.

          The point is that mitigating ballot fraud, while a significant challenge, is way easier than mitigating voter blackmail in absence of anonymity. Basically, introducing attribution is a cure that's worse than the disease.

          Note that I say "mitigating" because you can never completely eliminate election fraud; the process is just too big. That's one of the reasons why it's important for as many people as possible to vote, even when they dislike every candidate. Reduce the statistical impact of fraudulent votes.

          1. Charles 9

            Re: Anonymous - why?

            No, because you now get stupid or random votes which are just as bad, especially in close contests where Unintended Consequences. Some would say recent elections resulted in Unintended Consequences due to stupid votes.

  8. Version 1.0 Silver badge

    Putin approved method

    All we have to do now is hack the scanners.

  9. Tom Paine

    Pencil and paper

    Talk about over-thinking. If ever there was a problem for which "computers" was the wrong answer, this is it.

  10. ilianko

    open votes please!

    Secret ballot is like proprietary (closed) source software... and btw papers are much easier to fake, because we have decades of experience how to do it.

    1. Anonymous Coward

      Re: open votes please!

      My father was an election official in the UK for nearly 40 years. He was responsible for the local ballot boxes. Just before the election he collected them and stored them in his house until the election. The box was checked by him to ensure that it was empty, then secured and sealed with wax seals and red tape (which is actually pink). After arrival at the polling station when the poll opened the seal on the ballot slot at the top was removed by him, and documented, the seals on the lid were left in place. The ballots were delivered separately. This was scrutinized. He, or another official (often my mother!) had oversight of the box all of the time that the poll was open. When the poll was closed, the ballot slot was again sealed. He then took the ballot boxes to the returning officer, and got a signature for them and saw the boxes opened. I was impressed that this was taken so seriously, but obviously it also relied highly on the integrity of the people involved.

      When I voted for the first time, I noticed that there were a number of small holes punched in the ballot paper, so I asked him about it. He told me that the holes identified the paper and were so that a check could be made that the correct authentic papers were in the box. I was less impressed when he told me that these could also be used to match a voter to the ballot. I gathered that this could be used to determine if an individual had voted for a communist or fascist candidate, as this was forbidden to some State employees (including at the time, me). This was apparently done in only a few specific cases as it was time consuming and required a warrant (Executed by Special Branch for the Security Service?).

      AC because big brother really is watching, but they probably know who I am anyway.

      1. aberglas

        Re: open votes please! UK Election Official

        That story about the UK, if true, is appalling.

        In Australia, ballot boxes are only sealed in the polling booth, with scrutineers present to confirm they are empty. And scrutineers are present when the seals are broken to count the votes.

        It takes about an hour to manually count the votes at a booth in front of scrutineers.

        As to the New York lever machines, I think there were plenty of stories of election officials routing those. They are no better than computers, being an unauditable, black box.

        1. Anonymous Coward

          Re: open votes please! UK Election Official

          "That story about the UK, if true, is appalling."

          Same AC here. Yes, it's true, but happened nearly 50 years ago. At the time only the "right people" were chosen for the work, like Established Civil Servants and middle-to-high ranking Local Government Officers. The ballot counters were often Bank Officials as they were accustomed to similar work.

          Later on, I believe it is possible that the ballot boxes were shown to be empty at the polling station before polling started, and then sealed in front of the scrutineers. I guess that the original justification was that the ballot papers were delivered separately and so could not be placed in the box before it was sealed.

    2. Daniel 18

      Re: open votes please!

      You obviously are not aware of the various practices and procedures that make faking paper ballots and voting records virtually impossible at any meaningful scale, while protecting the secrecy of the vote.

      I've helped run more than one national election done solely with paper ballots and a paper based audit and counting system. We've had centuries to make such systems pretty much bulletproof.

      1. Charles 9

        Re: open votes please!

        I disagree, especially given the size and scope of today's political parties. I believe if they REALLY wanted to, they could fake all they want to fake and blackmail all the rest to swear by it.

        1. Richard 12 Silver badge

          Re: open votes please!

          They can't, because there are too many people on the other sides (parties) who don't want them to do it.

          Swapping one box of physical ballots is probably feasible. Swapping enough boxes to make a meaningful difference is effectively impossible.

          Stopping people registering or breaking the horrifically poor security of the electronic ballot machines is far easier to do at the necessary scale.

          1. Charles 9

            Re: open votes please!

            "They can't, because there are too many people on the other sides (parties) who don't want them to do it."

            Unless they really AREN'T and they're actually in cahoots.

            "Swapping one box of physical ballots is probably feasible. Swapping enough boxes to make a meaningful difference is effectively impossible."

            A hotly-contested election would mean only one or two would suffice. As for more boxes, never underestimate the scope of major political parties.

    3. Filippo Silver badge

      Re: open votes please!

      Papers are easier to fake individually, but nearly impossible to fake at large scale. Because elections are a fundamentally statistical process, some localized fraud is bad, but not critical. Electronic voting, on the other hand, has the potential to allow large-scale fraud, which would be critical.

    4. Filippo Silver badge

      Re: open votes please!

      Open votes would allow putting pressure on voters. Pressure makes a vote every bit as fake as altering the ballot, and would be far harder to prevent.

  11. Anonymous Coward

    Why vote anyway?

    How about we cut the middle man and have the corporations elect the politicians straight up.

    If we don't like who they pick, we just boycott such corporations.

    If money is the ruler, we need to play by its rules and stop playing silly election games.

    1. Charles 9

      Re: Why vote anyway?

      So you're willing to give up the fight and be a wage slave all your life?

    2. Filippo Silver badge

      Re: Why vote anyway?

      If you get a headache, do you cure it with decapitation?

  12. Mage Silver badge

    Bleeding obvious

    Also ditch the machines with knock out "chads". Electronics has been able to "count" paper with marks in boxes since 1930s! It was actual text (OCR) that was cracked in 1970s.

    The USA is huge, so no wonder there are some world leading companies. I had four major business trips, one very extended. I visited R&D and factories and was amazed how much was like 1950s or older. There is a lot of stupidity as it's totally obvious that paper is hard to edit and electronic data is easy to change with no trace. Hence some companies use multipart DMP continuous fanfold. You can produce multipart on laser / inkjet, but it's trivial to edit transaction and print new copies. Continuous printout makes a much harder to abuse audit trail.

    1. Charles 9

      Re: Bleeding obvious

      Unless they make a SECOND audit trail, complete with details. I don't think it's outside the realm of a sufficiently-resourced adversary.

  13. PhilipN Silver badge

    Preferred solution to electronic voting >

    Eliminate all politicians

    1. Charles 9

      Re: Preferred solution to electronic voting >

      But without politicians, how do you get things done short of war? If you and another state/district have a trade dispute or whatever, how does it get settled without bloodshed?

      In the US in the 60's a lot of the student protests over Vietnam were because they were old enough to be sent to die but not old enough to vote for the people sending them to their deaths. Without politicians, how would such wrongs get corrected given there could be true injustices that are actually endorsed by the majority?

      IOW, how do you get around the phrase "Necessary Evil"?

      1. Charles 9

        Re: Preferred solution to electronic voting >

        Thumbing me down doesn't make it less true. How would things get done PROPERLY without politicians?

  14. Colin Bull 1

    don't assume officials are morons

    Or as one election clerk summarized: please help, but please don't assume officials are morons...

    This is from the UK national elections

    https://www.plymouth.gov.uk/sites/default/files/RegistrationAndElectionsReport.pdf

    6.48 The error in the declaration of the result for the Plymouth Sutton and Devonport constituency was out of keeping with the rest of the count organisation. The error occurred as a result of a faulty formula applied to an excel spreadsheet collating the results from the ward based mini counts within that constituency. The Formula counted seven of the eight mini counts, omitting Efford and Lipson. The same faulty formula on the same spreadsheet was used to verify the count against the votes cast thereby balancing the numbers.

    I think it is reasonable to assume that a large proportion of officials are morons and who would believe these officials are using excel as part of an election system.

  15. Norman123

    With all the hacking reported in the cyber media, a rational person would have to conclude those who make the machines and their codes could be compromised by power/wealth to enable those gaining most from hacking the system, to hack it for the benefit of very few at the expense of the most. In other words, when a lot of power and wealth is at stake, the system is always subject to manipulation. How will the average voter know if their votes count?

    Elections become even more suspect when we add the influence of mind manipulation through media controlled by very few. As the late comedian/turned social philosopher stated: big business "got you by the balls"!

  16. sjo

    Election Commission of India has now rolled out VVPAT (Voter Verifiable Paper Audit Trail) electronic voting machines, for the upcoming elections.

    This is from the official site:

    http://eci.nic.in/eci_main1/current/ImpIns2_18102017.pdf (See page 12)

    Last few elections in India have been conducted using Electronic Voting Machines.

    1. Anonymous Coward

      Not even that is immune. Slips can LIE, tell you one thing and the machine another, and there's no way for you to verify it.
