Friday, September 29, 2006

An octopus of paper

In between various meetings yesterday, I watched some of the House Administration hearing as it was video streamed. I noticed that some of the Representatives made the same mistake that I hear others make and one that I hear repeated often in questions from reporters. "How can we possibly be advocating paper given the problems in Cuyehoga County?" In the ESI study, it was shown that some of the papers did not print, and that the papers did not match the electronic tally. It seems to me that this is like saying, "How can you possibly drive a car given the problems that existed in the Ford Pinto?" or "How can you ever trust a US company given the fraud at Enron?"

Many of us in the Computer Science community have been writing and speaking about the risks of totally electronic voting for several years (Peter Neumann has been doing it for decades). While Diebold has given us a specific instance of an extremely poor electronic voting system, the Accuvote, our criticisms have been leveled at the concept of DREs as much as at the Accuvote. On the other hand, I think that the criticisms of paper ballots apply to the specific "DRE with a paper trail" system that was deployed in Cuyahoga County, and that they do not apply to the concept of paper ballots or paper trails.

More and more, I believe that the best solution to the e-voting dilemma is to use computer-marked or hand-marked paper ballots that are optically scanned, and to randomly audit the scanners. Audio modules can be used for sight-impaired access. I do not like the idea of retrofitting DREs with long rolls of paper trails, or as one election official referred to it, an octopus of paper. I think such weak designs give ammunition to the supporters of DREs and confuse some members of Congress about whether the problem is with the concept of using paper in voting systems or with a particular VVPAT system.

Friday, September 22, 2006

Rivest on audit size estimation

Ron Rivest has a draft of an excellent paper on estimating the number of items (e.g. voting machines) that need to be audited to discover whether or not the machines are cheating. The paper assumes that there is a reliable way to manually check whether a machine is cheating. For example, if every machine had a corresponding paper trail that had been verified by voters, then one could count the papers by hand and check them against the machine.

Rivest has once again dazzled us with his creativity. He presents a simple rule of thumb that can be calculated with a calculator or in one's head for determining how many machines to audit, using what he terms the "rule of 3". Appendix A is especially useful for people who do not follow the technical details. It shows the number of machines to audit based on the number of bad ones that exist and based on the confidence level one wants to achieve. So, for example, in appendix A, you can see that if you have 1,000 machines, and there are 50 "bad" ones, then to have 95% confidence that you have discovered at least one of the bad ones, you must audit at least 57 machines. This, as compared to the rule of thumb which produces the number 59. Amazingly, the rule of thumb is so elegant, and yet it always comes close, and always errs on the side of being a little conservative, meaning that it will never recommend auditing too few.

Rivest has not published this draft, and he is still seeking comments, so if you have any suggestions after reading his paper, he would appreciate it if you could send them.

I now quote from the last section of the paper, where I think this work can have tremendous impact:

    "We hope that the rules presented here will provide useful guidance for those designing sampling procedures for would probably be best to merely mandate a sample size sufficient to detect, with a specified level of confidence, any election fraud sufficient to have changed the outcome."

I often meet with legislators at the state and federal level to discuss voting issues, and I will be pointing them to this work from now on. Thank you Ron Rivest for once again contributing something elegant, practical and long needed!

Thursday, September 21, 2006

"free" DREs are expensive

I've read that when drug dealers want to hook a new victim, they often provide free samples, and once the person is addicted, then the price goes up. By providing HAVA funds to the states and requiring them to purchase electronic voting machines, Congress may have inadvertently jump started an expensive addiction.

Let's look at Maryland. My state has spent $106 million on Diebold electronic voting machines. I am not certain, but I would have to guess that much of that money came from our HAVA funds. I have read the HAVA act, and I did not see anything in there about continued financial support to maintain these machines. However, the shelf life of commercial commodity hardware is quite low. Anyone who owns a laptop knows that at some point, the hard drive will fail and the battery will need to be replaced. Batteries are particularly short lived, regardless of whether or not they are used. Despite the fact that voting machines will mostly sit idle and are only used during testing, primaries and general elections, their parts continue to age, and some parts, such as the batteries will need to be replaced every couple of election cycles. And, these parts tend to fail in unpredictable ways. If we continue to use the Diebold DREs, we can expect that several years down the line, a significant fraction of the machines will start to fail arbitrarily in the middle of an election, when the equipment is stressed all at once. The only way to prevent this is to regularly upgrade all of the major parts, the way oil is changed in a car every 3,000 miles. This is very expensive, and there are likely to be no more freebies from the HAVA dealer.

Consider the mechanical lever machines. I am very critical of many aspects of these in terms of transparency, recountability and audit. However, in terms of maintenance cost, these voting machines were relatively cheap. Oil the gears and they lasted for decades. How many people have had the same computer for 10 years? Clearly the primary reason the answer is "very few" is that software and hardware become obsolete as technology advances. But as a result, manufacturers know that they only need computer parts to last 4-5 years at most, and thus there is no need for them to spend extra money producing parts that last longer.

Unless Maryland has a special fund put aside to regularly replace or upgrade many of the hardware components of the electronic voting machines we use, then in future elections, we will find that voting machine hardware failure rates at the polls will rise dramatically. If this past primary is any indication, such Election Day hardware failures will greatly disrupt our ability to hold fair elections.

I'm sure Congress did not set out to thrust an expensive habit upon the states, but those who yielded to the temptation of the HAVA windfall may have to find a way to fund the maintenance and upkeep of this equipment, and it is not going to be cheap.

Monday, September 18, 2006

Felten on voting machine keys

Ed Felten posted a very interesting comment on his blog today. It appears that the same key that Diebold and some Maryland officials tout as securing the memory cards in the Accuvote machine is found in hotel room minibars. Felten points out that while many of the problems that have been discovered in the Diebold machines are technical in nature and difficult to explain, this one is understandable to anyone. This example serves to illustrate to even non-technical people the public relations tactics of the vendor and its supporters. Was it really too difficult for them to design a more secure key? Who do they think they are fooling when they say that someone would have to pick the lock to access the memory cards? I can assure you that the cryptography that was saw in our 2003 analysis displayed weaknesses that were equally stunning, albeit more technical in nature.

Saturday, September 16, 2006

Diebold should let us analyze the "new" system

As most of you who read this blog know, Ed Felten and his students at Princeton have implemented the attacks that we described in our paper back in 2003 and some new attacks as well. I was aware of this work and was an early peer reviewer of their paper. I have watched Diebold's reaction to the Princeton paper, and they are reacting as expected based on their track record. Doug Jones has posted a very good commentary about the Diebold response.

Here's what I recommend. Diebold's defense against our paper and against Princeton's paper is that we looked at an old version of the system. Well, my response to that is, let us look at the new one! Every election administrator in the country who uses the Diebold machines should want Ed's team and mine to perform a security assessment of their voting technology. If Diebold's system is not vulnerable to Princeton's virus, then wouldn't they welcome such a public analysis? If they fear that the new version is vulnerable, then isn't that a question that needs to be answered publicly?

Diebold maintains that they now use AES for encryption, and that for this reason, they are immune to the Princeton "hack". Their responses always demonstrate to me how little they understand about security. The Princeton malicious code is running on the machine with access to all of the data and memory. There is nothing in this system preventing malicious code from accessing the AES keys on the machine, and Diebold has never used any kind of key management. They always use the same key in all of the machines.

Why is it that in this country, vendors can get away with this? Shouldn't it be part of the process to have competent and independent security reviews? I think that vendors should have to post their security mechanisms, algorithms and protocols publicly, and let the security community evaluate them. The computer security community eschews security by obscurity. If the voting machines have good security, we'll say so, and if they don't, we'll point out the flaws so that they can be fixed. Secrecy creates legitimates doubts and suspicion. Diebold is not acting like a company that wants to get it right. They act instead like a company that is afraid to have their weaknesses exposed.

Wednesday, September 13, 2006

Princeton report on Diebold

Finally, someone has had a chance to study an actual Diebold system. I believe this report is going to shake things up and hopefully be the end of the Accuvote DRE.

Tuesday, September 12, 2006

My day at the polls - Maryland primary '06

I don't know where to start. This primary today is the third election that I have worked as an election judge. The last two elections were in 2004, and I was in a small precinct in Timonium, MD. This time, I was in my home precinct about 1/2 a mile from my house. We had 12 machines, over 1,000 voters and 16 judges. I woke up at 5:30 in the morning and was at the precinct before 6:00. It is now 10:18 pm, and I just got home a few minutes ago. As I have made it my custom, I sat down right away to write about my experience while everything was still fresh. In anticipation of this, I took some careful notes throughout the day.

The biggest change over the 2004 election was the introduction of electronic poll books that we used to check in voters. I was introduced to these in election judge training a few weeks ago. These are basically little touchscreen computers that are connected to an Ethernet hub. They each contain a full database of the registered voters in the county, and information about whether or not each voter has already voted, in addition to all of the voter registration information. The system is designed so that the machines constantly sync with each other so that if a voter signs in on one of them and then goes to another one, that voter will already be flagged as having voted. That was the theory anyway. These poll books turned out to be a disaster, but more on that later.

Around 7:15, when we had been open for business for 15 minutes already, a gentlemen shows up saying that he is a judge from another precinct nearby and that they did not receive any smartcards, so that they could not operate their election. We had 60 smartcards, and the chief judge suggested that we give them 20 so that they could at least get their election started. As she was handing them over, I suggested that we had to somehow verify his claim. After all, anyone could walk in off the street and claim this guy's story, and we would give them 20 access cards. The chief judge agreed with me. The guy pulled out his driver's license to prove who he was, but I told him that we were not doubting who he was, we just wanted to verify that we should give him the cards. He seemed to understand that. After calling the board of elections, we were told to give him the cards and we did. A little later, several voters who came in informed us that news reports were saying that in Montgomery county, there was a widespread problem of missing smatcards. I could only imagine what a nightmare that was for those poll workers because as it was, our precinct did not have this problem, and as you'll see, it was still tough going.

My precinct uses Diebold Accuvote TS, the same one that we analyzed in our study 3 years ago. The first problem we encountered was that two of the voting machine's security tag numbers did not match our records. After a call to the board of elections, we were told to set those aside and not use them. So, we were down to 10. We set up those machines in a daisy chain fashion, as described in the judge manual, and as we learned in our training. We plugged the first one into the wall and taped the wire to the floor with electric tape so nobody would trip over it. About two hours into the voting, I noticed that the little power readout on the machines was red, and I thought that this meant that the machines were on battery power. I pointed this out to one of the chief judges, but she said this was normal. An hour later, I checked again, and this time, the machines were on extremely low power. This time, I took the plug out to of the wall and tried another outlet nearby. The power icon turned green. I showed several of the judges, and we confirmed that the original outlet was indeed dead. Had I not checked this twice, those machines would have died in the middle of the election, most likely in the middle of people voting. I hate to think about how we would have handled that. A couple of hours later, the board of elections informed us that we should use the two voting machines with the mismatched tags, so we added them and used them the rest of the day (!).

When we were setting up the electronic poll books, I took over because I was more comfortable with the technology, and the others quickly deferred to me. So, a couple of hours into the election, when one of the poll books seemed to be out of sync with the others, the judges came and brought me to have a look. It appeared that this poll book was not getting synced with the others. I tested it by waiting for someone to sign in with a different poll book, and then a few minutes later trying to sign in that voter on the one in question. The voter was shown as having not voted yet. I repeated this test for about 20 minutes, but it never registered that voter as having voted, and the poll book was falling behind - about 30 by then - the other poll book machines. I suggested rebooting that machine, and we tried that, but it did not change anything. I pointed out to the chief judges who were huddled around me as I experimented, that as time went by, this poll book was going to fall further and further behind the others, and that if someone signed in on the others, they would be able sign in again on this one and vote again. After a call to the board of elections, we decided to take this one out of commission. This was very unfortunate, because our waiting lines were starting to get very long, and the check-in was the bottleneck. The last few hours of the day, we had a 45 minute to an hour wait, and we had enough machines in service to handle the load, but it was taking people too long to sign in.

The electronic poll books presented an even bigger problem, however. Every so often, about once every 15-25 minutes, after a voter signed in, and while that voter's smartcard was being programmed with the ballot, the poll book would suddenly crash and reboot. Unfortunately, the smartcard would not be programmed at the end of this, so the poll worker would have to try again. However, the second time, the machine said that the voter had already voted. The first few times this happened, we had some very irate voters, and we had to call over the chief judge. Soon, however, we realized what was happening, and as soon as the poll book crashed, we warned the voter that it would come up saying that they had already voted, but that we knew they hadn't. Then, the chief judge would have to come over, enter a password, and authorize that person to vote anyway. Then we had to make a log entry of the event and quarantine the offending smartcard. Unfortunately, the poll books take about 3 minutes to reboot, and the chief judges are very scarce resources, so this caused further delays and caused the long line we had for most of the afternoon and evening while many of the machines were idle. Another problem was that the poll book would not subtract a voter from its total count when this happened, so every time we had an incident, the poll book voter count was further off the mark. We had to keep track of this by hand, so we could reconcile it at the end of the day.

At times, the remaining two poll books were way out of synch, but after a while, they caught up with each other. When the lines got really long, we considered the idea of trying to use the third one that had caused problems, but we all agreed that we would feel very stupid if all of them started crashing more. I was worried that synching three of these on an Ethernet hub was more complex than 2, and in fact, they were crashing a bit less often when we had only 2. The whole time I was worried about what we would do if these thing really died or crashed so badly and so often that we couldn't really use them. We had no backup voter cards, so the best we could have done would have been to start letting everybody vote by provisional ballots. However, we had two small pads of those ballots, and we would have run out quickly. I can't imagine basing the success of an election on something so fragile as these terrible, buggy machines.

Throughout the early part of the day, there was a Diebold representative at our precinct. When I was setting up the poll books, he came over to "help", and I ended up explaining to him why I had to hook the ethernet cables into a hub instead of directly into all the machines (not to mention the fact that there were not enough ports on the machines to do it that way). The next few times we had problems, the judges would call him over, and then he called me over to help. After a while, I asked him how long he had been working for Diebold because he didn't seem to know anything about the equipment, and he said, "one day." I said, "You mean they hired you yesterday?" And he replied, "yes, I had 6 hours of training yesterday. It was 80 people and 2 instructors, and none of us really knew what was going on." I asked him how this was possible, and he replied, "I shouldn't be telling you this, but it's all money. They are too cheap to do this right. They should have a real tech person in each precinct, but that costs too much, so they go out and hire a bunch of contractors the day before the election, and they think that they can train us, but it's too compressed." Around 4 pm, he came and told me that he wasn't doing any good there, and that he was too frustrated, and that he was going home. We didn't see him again.

I haven't written at all about the Accuvote machines. I guess I've made my opinions about that known in the past, and my new book deals primarily with them. Nothing happened today to change my opinion about the security of these systems, but I did have some eye opening experiences about the weaknesses of some of the physical security measures that are touted as providing the missing security. For example, I carefully studied the tamper tape that is used to guard the memory cards. In light of Hursti's report, the security of the memory cards is critical. Well, I am 100% convinced that if the tamper tape had been peeled off and put back on, nobody except a very well trained professional would notice it. The tamper tape has a tiny version of the word "void" appear inside it after it has been removed and replaced, but it is very subtle. In fact, a couple of times, due to issues we had with the machines, the chief judge removed the tamper tape and then put it back. One time, it was to reboot a machine that was hanging when a voter was trying to vote. I looked at the tamper tape that was replaced and couldn't tell the difference, and then it occurred to me that instead of rebooting, someone could mess with the memory card and replace the tape, and we wouldn't have noticed. I asked if I could play with the tamper tape a bit, and they let me handle it. I believe I can now, with great effort and concentration, tell the difference between one that has been peeled off and one that has not. But, I did not see the judges using that kind of care every time they opened and closed them. As far as I'm concerned, the tamper tape does very little in the way of actual security, and that will be the case as long as it is used by lay poll workers, as opposed to CIA agents.

As we were computing the final tallies towards the end of the evening, one of the Diebold machines froze. We had not yet printed the report that is used to post the results. One of the judges went to call the board of elections. She said she was transfered and then disconnected. We decided to do a hard reboot of it after we closed down the other machines. When we finished the other machines, we noticed that the problem one had somehow recovered, and we were able to finish. Strange because it was frozen for about 10 minutes.

So, this day at the polls was different from my two experiences in 2004. I felt more like an experienced veteran than a wide eyed newbie. The novelty that I felt in 2002 was gone, and I felt seasoned. Even the chief judges often came to me asking advice on how to handle various crises that arose. Several other suggested that I should apply to be a chief judge in the next election cycle, and I will probably do that. The least pleasant part of the day was a nagging concern that something would go terribly wrong, and that we would have no way to recover. I believe that fully electronic systems, such as the precinct we had today, are too fragile. The smallest thing can lead to a disaster. We had a long line of "customers" who were mostly patient, but somewhat irritated, and I felt like we were not always in a position to offer them decent customer service. When our poll books crashed, and the lines grew, I had a sense of dread that we might end up finishing the day without a completed election. As an election judge I put aside my personal beliefs that these machines are easy to rig in an undetectable way, and become more worried that the election process would completely fail. I don't think it would have taken much for that to have happened.

One other thing struck me. In 2004, most voters seemed happy with the machines. This time around, many of them complained about a lack of a paper trail. Some of them clearly knew who I was and my position on this, but others clearly did not. I did not hear one voter say they were happy with the machines, and a dozen or so expressed strong feelings against them.

I am way too tired now (it's past 11 pm) to write any kind of philosophical ending to this already too long blog entry. I hope that we got it right in my precinct, but I know that there is no way to know for sure. We cannot do recounts. Finally, I have to say a few words about my fellow poll workers. We all worked from 6 a.m. to past 10 p.m. These volunteers were cheerful, pleasant, and diligent. They were there to serve the public, and they acted like it. I greatly admire them, and while the election technology selection and testing processes in this country make me sick, I take great hope and inspiration from a day in the trenches with these people.

Monday, September 11, 2006

Wagner responds to House committee

David Wagner has posted a response to some follow-up questions from the House Administration and Science committees after his testimony in Congerss recently. This is one of the best and well thought out summaries of why VVPR is critical and of the security problems of DREs. I strongly urge you to read this and to circulate his responses widely.

Absentee is not the answer

In response to the Baltimore Jewish Times Q & A article published about BRAVE NEW BALLOT, a reader wrote in:

    A transparently countable paper ballot may be secured and used by voting an absentee ballot. While requesting and submitting an absentee ballot requires a little forethought, the benefit of knowing one's vote will indeed be counted as intended is worth the effort. While it is now too late for the Primary election, there is still plenty of time to request and vote absentee for the General election.

I disagree with this, although I can appreciate the sentiment. Here are the reasons why I disagree with the idea of using the absentee ballot mechanism because of the security problems with electronic voting:

  • I beieve that In Maryland, you are required to sign an affidavit that you are unable to be at the polls on election day. I don't think people should be encouraged to lie in an affidavit.
  • Absentee voting by mail opens up the opportunity for vote selling, and voter coersion. It should not be used as a replacement for precinct voting.
  • Even if you vote by absentee, you are only guaranteeing that your vote will be recorded correctly. The general problem of the vulnerability of the machines to rigging, tampering, and unintentional faults still exists, and the election outcomes will still be in question.
  • Absentee voting is a band-aid solution to the problem of people who cannot come to the polls. Increased absentee voting would transfer the trust in the system to the postal service, and I don't think that is appropriate, nor secure.

So, while I think that the lack of a paper record of votes in Maryland is an absolute disaster, I do not believe that encouraging absentee voting is a good response.

Sunday, September 10, 2006

Areas of expertise

There is a story in today's Baltimore Sun about electronic voting and the upcoming primary in Maryland on Tuesday. In the story, Donald Norris, director of the National Center for the Study of Elections at the University of Maryland, Baltimore County, is quoted as saying:

    "Computer science guys are able to get away with what I consider to be shameless scare tactics that don't take into account everything else that goes on in an election."

So, I looked up Dr. Norris on google. He has bachelors degree in History, and an MA and Ph.D. in Government. I would never take it upon myself to critize his understanding of government or history, and I find it surprising that he's willing to criticize computer scientists' understanding of the security issues in electronic voting systems. Sure, there are procedures for handling the voting machines and auditing them in Maryland, but I don't think Donald Norris appreciates the extent to which DRE voting machines are vulnerable, independent of whatever else goes into securing the election.

It is a fact that every single study by security professionals, including my research team, RABA, SAIC and Compuware and Inofsentry, have uncovered serious security vulnerabilities. It is a fact that there has never been a study conducted by computer security professionals that has concluded otherwise. None of the safeguards mentioned by Norris in the article, locks and tamper tape on the machines, accuracy tests before and during the election, and vigilance by poll workers, address the three primary concerns that I have, namely transparancy, auditability, and recovery.

Say that a bug in the voting system software that has never been triggered before causes thousands of voting machines to fail halfway through the election during the primary. What would we do? Seriously, what would we do? Nobody, not Dr. Norris, not myself, and not any comptuer scientists that I know can guarantee that a Windows-based system, running a 50,000 line application will not fail in a new and unexpected way when subjected to a load not possible during testing. So, it's 2 p.m., and half of the people have voted, and suddently all the machines start to crash. I've seen systems where this happens before. What do we do?

I know what we would do. I am a poll worker, and the instruction manual would tell me to notify the chief judge, who would call the board of elections. What would they do if they started receiving calls that the machines were failing and couldn't be rebooted? They would not know what to do.

This kind of failure is not that uncommon, due to bugs and accidents. What if somebody, say a foreign government, wanted this to happen? Would it be hard for them to cause such failures? I don't think so. It's hard enough to get big computer systems running reliably without such adversaries.

My request of Donald Norris is to stick to what he is an expert in, and to leave it to computer scientists to give opinions about computer systems. I would not argue Physics with a Physicist, and I would not correct a German professor's German. I don't think Donald Norris should be criticising the computer experts' opinion. But it's worse. He's criticising us for giving our opinions and not just criticing our opinions.

Friday, September 08, 2006

Bernie Galler, 1928 - 2006

One of the best, kindest, smartest and nicest people I have ever met died this past week. Bernie Galler, my friend, advisor, and mentor since I was 17 years old left this world unexpectedly and far too soon at age 77. I am not going to talk that much about his diverse set of accomplishments. They already appear in his obituary. What I can say is that besides my parents, nobody has had as profound an impact on my life, both professionally and personally than Bernie did. When I was at the University of Michigan, I used to call him my "father away from home." And he truly treated me like family.

I met Bernie Galler my first week of college in an undergraduate advising meeting. From the very first moment I met him, I felt that I had known him all of my life, and I realize now that it was because he treated me almost exactly the same as my own father. He took a great and genuine interest in me, asking me questions about my background and my personal life. It wasn't probing, it was just a true curiosity, and his advice came out of friendship and a desire to make my world a better place. Bernie created an atmoshphere of instant comfort in the room. Having just separated from my parents for the first time, there was a tremendous amount of comfort in meeting Bernie. In that first meeting, he offered me to call him anytime I had questions, and he gave me several phone numbers. He really meant it. Only now, as a busy professor myself, can I appreciate how unusual that was.

I continued meeting Bernie every semester. He convinced me to join the Honors program, and he set me up with summer jobs. He seemed personally thrilled with every accomplishment of mine, as though he had accomplished everything I did himself. Only my parents had ever shown me that kind of encouragement. I vividly remember one meeting with Bernie that stands out. I had recently broken up with a girlfriend, and I was very upset. As soon as I walked in, Bernie put everything down and walked over and put his hand on my shoulder. He asked me what was wrong, and we spent an entire hour talking about my lost relationship. He wasn't 40 years older than me then; he wasn't my professor; he was just my best friend.

Bernie encouraged me to apply to Michigan for graduate school, and he ended up as my Ph.D. advisor for a while, and then as co-chair of my doctoral committee. I also remember Bernie's support as I made it through the tough qualifying process for the Ph.D., which wasn't the smoothest sailing for me, and I remember his pride when I graduated. Again, you would think that he himself had graduated that day. At Michigan, I was a teaching assistant for Bernie several times, and by the end of my time in Ann Arbor, I was used to meeting him for lunch regularly and having dinner at his house.

Over the years, we stayed very close, emailing and visiting. Last year, I visited with Ann and the kids, and we had dinner at the Galler house with Bernie and Enid. Bernie got on the floor with the children and played with them - quite a sight! He also pulled out a box of toys that looked like they must have been old when I was 3 years old. We felt right at home.

Yesterday, at the funeral, I saw that Bernie's affection and friendship that I had always felt was the rule for him, not the exception. I listened to his beautiful family speak about him, and I felt as though I was speaking. I was at the same time jealous that these people had been able to spend their whole lives that close to him, and at the same time fortunate that he played such a big role in my life. I will miss him dearly, but I will try to use his life as a model for my behavior, as I often have in the past.

The world has lost one of the truly great and remarkable people. Exceptionally talented, and infinitely giving. Such people come along once in a lifetime.

Tuesday, September 05, 2006

BNB is official

Today is the official release of BRAVE NEW BALLOT. I'm heading to DC this afternoon to start the book tour, with the first stop the Diane Rehm show at 10:00 a.m. tomorrow morning, for a live interview about the book on NPR. The Maryland primary is a week from today, and I will post a summary of my day as an election judge as soon as I can. In the meantime, in the next few days, I expect to blog about several new and pressing issues related to the upcoming election.

Sunday, September 03, 2006

Brave New Ballot sighting

Brave New Ballot is not officially released until this Tuesday, September 5, in two days. But, Ann and I were in Barnes and Nobles in the inner harber in downtown Baltimore last night, and we were looking in the Current Affairs section, and Ann spotted the book. There were 10 copies on the shelf, facing front. Luckily, my Treo 700p has a half decent camera on it, so here's the proof:

Friday, September 01, 2006

On the importance of paper ballots

A lot has been said about paper ballots and paper trails in the last few years. There are many good arguments for having the paper, including the ability to audit the machines, transparency of the vote counting, recount capability, and voter confidence. But there is another reason why it is important to have paper ballots (which I prefer over VVPAT on a DRE), and that is simply that electronic ballots are more fragile than paper. A power glitch can cause a magnetic memory card to lose its data. So can a magnet. There are multiple ways that electronic data can be come corrupted or lost. Paper is not immune to corruption or loss, but there are two big differences. The loss of many paper ballots is more likely to be noticed immediately, and a loss event is likely to effect fewer paper ballots than electronic votes. One memory card can hold thousands of votes, and such a card is significantly smaller than a deck of cards.

Look at the New Mexico election in 2004. The Washington Post published a story about how 678 votes were completely lost due to a programming error of the electronic voting machines by election staff that was not properly trained. Arguments were made by different people on different sides of the issue about why these votes were lost, or whether they in fact were really lost. The bottom line is that if people had voted with paper ballots (even if they were marked using a ballot marking electronic touchscreen machine), then the election workers would not have even been in a position to cause the votes to be lost.

Another example is Carteret County, NC where, as many news stories reported, 4,532 votes were lost due to faulty electronic equipment.

As we approach another election this fall, we have to consider the possibility of close races and lost votes. With so much at stake, it is a shame that we have to worry about whether or not computers will crash, memory cards will die, or election workers will make mistakes that could cause the wrong results to be tallied. Equally frighting is the possibility that the election will simply fail due to an unecoverable problem.

I don't think enough emphasis has been placed on the problem of recovery in the discussion of e-voting. It is easier to recover from election problems if we have paper ballots to count and machines to audit against paper than if all we have are electronic tallies.