FOUNDER + Weblog
VoteHere founder, Jim Adler, provides perspective on electronic voting.
Friday, October 22, 2004
VoteHere's Andy Neff On Tour!
VoteHere's Chief Scientist, Andy Neff
, will be discussing e-voting transparency and audit at the following universities over the next several weeks:
University of California, Berkeley
Electrical and Computer Science Department
October 22 2004, 3-4 pm PDT, Event Link
California Institute of Technology
Society of Industrial and Applied Mathematics
October 29 2004, 3:00 pm PDT, Event Link
Previous speakers include Tony DeRose, Senior Scientist at Pixar Animation Studios, and Peter Norvig, Director of Search Quality at Google
Computer Science and Electrical Engineering Departments
November 11 2004, time/place TBA
School of Computer Science
November 18 2004, 12 pm EST, Event Link
Here's the abstract from his talk entitled Trustworthy Electronic Election Results without Trusted Machines:
Electronic devices and systems potentially offer many of the same benefits to the process of conducting elections that they have already delivered to the worlds of finance and business. Unfortunately, the requirement for ballot secrecy, along with the high degree of complexity possible in today's devices, makes it impossible for the general voting population to directly infer that systems tasked with collecting and counting votes are behaving accurately and honestly.
We describe how techniques from mathematics and cryptography can impose a rigid structure on the election data itself to resolve this dilemma. Such structure allows the simultaneous requirements for secrecy and transparency to be satisfied without demanding that the hardware and software that process the data be trusted. Voters can track their own ballots through to the final count, and dispute any discrepancy between it and their intended choices, even though they are not provided with any evidence that can prove to someone else which candidates, or issues, they voted for.
Thursday, October 07, 2004
Caltech/MIT Voting Technology Conference: Innovations for Today and Tomorrow
Monday, October 04, 2004
The Nevada Primary CPR Experiment
On September 7, Nevada residents were able to vote with a DRE outfitted with contemporaneous paper record (aka, a voter-verified paper ballot or VVPB). The experiment was summarized
by Dan Tokaji with press links and election official reaction.
Two significant issues emerged from anecdotal evidence of those observing the election. First, 80-90% of voters did not compare the paper record to the voting machine. Second, of those voters that did
compare the paper record, it took them 30-60% more time to vote. Both of these issues should be confirmed with scientific data.
The first issue of voters ignoring the paper record portends the very serious situation that I describe here
. If the paper record is not a source document prepared (or even reviewed) by the voter, how can it be used in a recount?
Monday, September 20, 2004
The Venezuelan E-Vote Audit
On August 15, 2004, 9.6 million Venezuelans voted using 19,200 electronic voting machines in nearly 4,600 polling places. These voting machines produced both an electronic ballot and paper ballot backups to be used in case of recount. The official results showed that Chavez won 59% to 41%, an 18% margin of victory.
This single-race election was hotly contested and observed by The Carter Center and the Organization of American States (OAS). The Carter Center published areport
of the audit phase of the election.
I did an analysis
of the audit which can be found here
. The analysis is based on ideas in the paper
by C. Andrew Neff entitled Election Confidence: A Comparison of Methodologies and Their Relative Effectiveness at Achieving It,
presented at the NIST conference on Building Trust and Confidence in Voting Systems
in December 2003.
The conclusion of the analysis is that the Venezuelan paper ballot audit was largely ineffective because (1) the machine and ballot chain-of-custody was breached, and (2) the post-election audit would not have detected manipulation of 5.5% of the ballots, allowing a swing of 11% of the vote. Luckily, the 18% margin of victory turned out to be larger than the fraud rate detectable by the audit. If the election was closer than 11%, the audit would have been inconclusive and the Venezuelan people would have had no basis for confidence in their election results.
Regardless of the type of voting system used in an election, care must be taken to ensure that systems and procedures before, during, and after the election are carefully designed to produce provably confident results.
Unfortunately, paper ballot audit systems are especially prone to procedural problems as evidenced in the recent Zimbabwe elections
and alleged in the Venezuelan recall
. In fact, paper ballot-based systems have long suffered fraud and error precisely because they are so dependent upon perfect procedural design and execution, which present so many opportunities for fraudulent disruption. The New York Times alone has documented 800 cases of electoral fraud over the past 150 years -- one case every 69 days.
When conducting Election Day audits, it is vital to determine the efficacy of any audit strategy. The number of machines, precincts, ballots, or receipts must be chosen carefully to statistically guarantee that if fraud is attempted, it is surely caught.
Thursday, July 29, 2004
Expert issues e-voting system challenge to hackers in Vegas
An Associated Press story reports on a challenge to inspect VoteHere's VHTi technology. Here's a few excerpts:
Rebecca Mercuri, a Harvard University-affiliated research fellow, encouraged hackers to inspect software code made available on the Internet by VoteHere, an electronic voting software company based in Bellevue, Wash., and called upon other voting machine vendors to make their codes and products available.
Mercuri said her challenge was in response to a similar bet issued by Michael Shamos, a Carnegie Mellon University computer scientist and voting technology consultant. Shamos has promised $10,000 to anyone who can hack into a voting machine undetected.
"Anybody can hack into anything," Shamos said. "I can break into a bank. The question is are they going to know the money is gone."
A challenge was issued to VoteHere founder Jim Adler said his company published the code to its patented election security software hoping people would test it.
Adler said the key to ensuring the integrity of e-voting is detection.
"This is not about preventing fraud. This is about detecting fraud," Adler said. "What you want is to have enough transparency so you can detect when fraud happens."
: We at VoteHere have been committed to transparency since 2001 when we first presented the technical papers
at ACM (updated here
), to September 2003 when we released documentation
to the foundational VHTi technology
, to April 2004 when we released the VHTi source-code
, to June 2004 when we released our VHTi source-code to the NIST National Software Reference Libary
. We've purposely been transparent to invite, not only inspection but, tough scrutiny.
Transparency is the best way to ensure that any election problem, whether malicious or accidental, is detected
. As discussed here
, it is always good to build big fences, but it is critical to have a dog that barks when intrusions occur. By providing voters with a private receipt
to verify their vote was counted properly and providing the public with a meaningful audit of results, VHTi is that guard dog.
Tuesday, July 27, 2004
Wall Street Journal: No Doctored DREs
In today's Wall Street Journal, John Fund opines
on electronic voting. He notes that (1) better technology is on the way (like VoteHere's VHTi
which Fund describes quite well), and (2) some states aren't waiting and jumping toward untested solutions like the voter-verified paper ballot (VVPB, aka contemporaneous paper record or CPR):
Fixes for the real problems with DREs are in the works. Woefully inadequate federal standards for testing voting machines are being toughened. A system is being developed in which each voter would receive a record of his choices that would be put into a code only decipherable by election judges. After the polls closed, all receipts would be posted on the Internet. Voters could use their serial number to find the image of their receipt, and make sure it matched the one they got at the polls. [emphasis mine]
Also, last Friday's Computerworld had an article
discussing how the Kerry campaign is considering cryptographic solutions to e-voting:
However, speaking on condition of anonymity, an IT industry source who met last week with members of Sen. John Kerry's staff said the Kerry campaign is considering a move to pull back from the position taken by the Democratic National Committee and Howard Dean's Democracy for America organization. Dean and the DNC have endorsed the voter-verifiable paper ballot requirement for e-voting systems -- something that only the state of Nevada has planned for November. According to the official, the Kerry campaign is considering support for verification of the final vote tally through some form of encryption. [emphasis mine]
: It is becoming increasingly clear that encrypted private receipts and public audit are the keys to ensuring high integrity e-voting. These receipts can be taken out the poll-site, cannot
be used for vote-selling, but can be used to ensure that every vote is counted properly
Also, the public audit means that anyone can perform a meaningful audit of the election results. The VVPB cannot do this. As discussed here
, the VVPB cannot be used for recount and does not allow the voter to verify their vote was counted
Tuesday, July 20, 2004
(Rescheduled) Testimony to US House Government Reform Subcommittee on E-voting Security
Tuesday, July 13, 2004
E-voting: Nightmare or nirvana?
In a recent CNET debate
on e-voting security, Michael Shamos (Computer Science Professor, Carnegie Mellon University) offers perspective on solutions for DRE security issues:
The [CPR or voter-verified paper ballot type] receipt issue is temporary. There are elegant cryptographic methods that enable a voter to be assured from purely public records that her vote has counted--yet without being able to prove that fact to a vote buyer.
Professor Shamos has inspected and certified voting systems for Pennsylvania and Texas. Also included in the debate were Dan Tokaji (Assistant Professor, Ohio State Moritz College of Law), David Dill (Founder of VerifiedVoting.org and Computer Science Professor, Stanford University), and Cindy Cohn (Legal Director, Electronic Frontier Foundation).
: Professor Shamos refers to a voter-verified receipt offered by VoteHere
and others. A true voter-verified receipt allows a voter to verify that their vote actually counted without enabling vote buying. A voter-verified receipt is superior to a CPR (contemporaneous paper replica, aka voter-verified paper ballot/record) since a voter has no idea whether the paper replica will ever be counted. Also, as discussed here
, a CPR is ineffective for recounts.
Monday, July 12, 2004
Computerworld: E-voting's Rush to Failure
Tommy Peterson, Computerworld's Technical Editor, offers this opinion
on e-voting. She makes two important points. First, she cautions that the contemporaneous paper replica (CPR, aka voter-verified paper ballot/trail) is not the answer:
Setting up a parallel paper trail for voters within an e-voting system, as some have suggested, is not the answer. That would be cumbersome, threaten the secrecy of the ballot and still leave the system open to tampering.
Second, she makes the point that voters need a means to verify that their vote counted
The use of blind-signature encryption protocols could preserve secret balloting while giving voters a means to verify election results.
There is growing awareness that CPR provides only the perception
of confidence and doesn't provide the real
confidence gained from voters having the means to verify that their vote was actually counted properly. Although Ms. Peterson mentions early, and important, "blind signature" approaches to voter verification, they have been generally eclipsed by more advanced voter-verified receipts
that provide such capability.
Thursday, July 08, 2004
E-voting security, looking good on paper?
A good article
in the UK Register by Thomas C Greene
which logically discusses the flaws of adding a contemporaneous paper replica (CPR, referred to in this article as the voter's receipt or paper record) to an electronic voting machine or DRE. Here are a few of the more interesting points:
But the piece of paper creates an illusion of enhanced security, which is why so many people insist in it. People imagine that, so long as the printout matches their recollection of votes cast, it's proof that the DRE machine is recording their votes properly. In fact, it's no such thing.
There is no logical reason for a voter to assume that the printout in his hand, and the electronic tabulation in the machine, are the same. Numerous types of attack could produce an accurate record of voter choice on paper, yet still tweak the electronic results. And if the two results should differ, there is no way for the voter to know it. [discussed here - jma]
The only useful purpose of the paper trail would be to enable a recount using a different medium when there is reason to suspect the electronic results. However, for the printouts to be of any value in a recount, voters would have to review them carefully and note any discrepancies before the receipts are collected. Many ballots are long and confusing, so the idea that even a majority of voters would bother to scrutinize theirs is hardly guaranteed.
... if voters neglect to examine their receipts carefully before submitting them, they're worthless - there's no basis for trusting them more than any other result. [discussed here - jma]
Mr. Greene criticizes CPR on many of the same points made by the election community here in the US. If the efficacy of CPR is theoretically questionable and has yet to be practically proven, why are so many trying to prematurely make it the law?
Posted at 2:11 PM
- (Rescheduled) Testimony to US
Reform Subcommittee on
- Testimony to the California
Voting Systems Procedures Panel
- VoteHere Releases
Ballot Boxes Go High Tech:
- Wall Street Journal:
Crypto meets e-voting
- A Bit of Support from Dave Kearns
- Election Year Hysteria?
- Congressional HAVA Authors
- The Electronic/Paper
- Avi Rubin's Day at the Polls
- NY Times:
Did Your Vote Count?
New Coded Ballots May Prove It Did
- Procedures, Procedures, Procedures
- Can We Even (Re)count the
Contemporaneous Paper Records?
- Speaking Past Each Other
- Caltech-MIT Statement on
Verification and Audit
- David Jefferson Recommends
VoteHere Verification Analysis
- Testimony to US House Government
- Testimony to the California
Voting Systems and
Procedures Panel, April 2004
- NIST Symposium, December 2003
Remarks & Webcast
- Oxford Union Debate
- National Meeting on
Election Reform, December 2002
- League of Women Voters
- Leadership Conference on
- AAPD Disability Vote Project
- Dan Tokaji's EqualVote Blog
Join my email list
Subscribe by sending email to