I participated in the Great Latke-Hamantash debate at Johns Hopkins this year. If you are not familiar with this serious, intellectual event, you can read about it here. I took the side of the Latke, of course, as it is the superior snack. Here is a video clip showing my opening statements in the debate. Unfortunately, we lost. (There is a rumor that the Hamantash paid off the moderator, but I can't prove it.)
Welcome to my blog. Here, I will post items of interest to me most likely focusing on:
Tuesday, December 16, 2008
Tuesday, November 04, 2008
My day at the polls
This morning, I woke up at 4:08 a.m., and I could not fall back asleep. I was charged with adrenalin. It was Election Day again. And what an election; without a doubt the most hyped-up super-charged election in my entire life. I stayed in bed until about 4:45 and got ready to head out for a long, long day at the polls. I left the house at 5:40 a.m. and arrived at my precinct a few minutes later. About half of the election judges were already there, and I got busy helping to set up our precinct so that we could open on time at 7:00.
In Maryland, we use paperless Diebold DRE voting machines. The same ones that we analyzed in our report in 2003 and that were analyzed in several follow-up reports, all of which found serious security problems. The machines are set up in a daisy chain fashion, where one of them is plugged into the wall, and then each one plugs into the one next to it. I noticed that the judges had set up 9 of our 16 machines in a line, such that voters would have to walk all the way around to get to the middle ones. So, I broke them up into a group of 4 and a group of 5, with a passage in between them. This provided much better access for voters. I had plenty of discretion in setting up our precinct, as one of the chief judges was the same as in the last election, and she told me to make any decisions I wanted and to do whatever I thought was best. We worked very well together last time, and she and the other judges deferred to me whenever there was an issue - and there were several. I made several changes to the way our precinct was set up. Numerous times, I was called away by the person who was provided by the county as the technical person to help. It didn't take long before everybody, including the two chief judges, called me away from whatever I was doing, whenever we had a real problem.
I wondered what happened in other precincts that did not have someone who was very experienced with the machines and as a poll worker. This was my sixth election working as a judge with these voting machines. I attended a half a dozen training sessions, and my research team wrote a paper about the machines. Some of the problems I had to deal with related to human factors, and others were purely technical. Let me summarize some of the problems we had in my precinct today.
One of our voting machines was dead. The first thing I noticed was that it didn't boot correctly. It said "No Election Loaded" or something like that. This did not seem good. I noticed that the battery was at 0%, and I realized that this machine was probably shipped to us with an empty battery, so whatever information was loaded onto it about our election had been erased. We called the board of election, and they sent a technician out, but he was unable to do anything about it. However, we had 16 machines, and in the previous election we had only had 12 and we had managed. I was a bit concerned because the turnout was expected to be much higher. The thought crossed my mind about what would have happened if all the machines had arrived in that condition. We had 125 provisional ballots, no emergency backup ballots, 3,091 registered voters, and 2,080 voters showed up. It would have been a total disaster.
We had several other glitches with the machines, which I consider to be minor. Some of the machines have housings that are starting to wear. On one of them the screen had broken off the rest of the machine and was barely hanging together by some wires. On another one of the machines there was a gap next to the section where the smartcard is supposed to be inserted, and a couple of voters inserted their cards into the gap. The final one got it stuck so badly that we were unable to remove it and we had to issue him a different card. My overall impression is that these machines are showing the wear and tear of several election cycles, and that they will require some pretty serious maintenance and upkeep if they are to be used again. Thankfully, Maryland plans to switch to optically scanned paper ballots in 2010. (However, at the moment, there is a possibility that Maryland will not be able to fund this change, and that it will fall through. I believe it would be more expensive to fix up the current systems and to maintain them than what it would cost to switch to op scan.)
We were also missing a cable needed to hook up one of the electronic poll books. The e-poll books are used to check voters in. They contain a copy of the voter registration database. We were able to hook up the other three e-poll books, and they worked fine. However, about an hour and a half into the election, we realized that the ethernet hub that was connecting the e-poll books to each other was not working, and we found that it had become unplugged. This means that for some non-trivial amount of time, our e-poll books were not synchronized, meaning that people could have theoretically signed in and voted several times. During that busy time, there is no way we would have noticed that. Once we realized this and fixed the problem, the e-poll books synchronized. I felt pretty stupid because I should have noticed that the e-poll books were not synchronizing, but there was a lot going on, and I overlooked that. We had an incredible turnout between 7 a.m. and 12:30 p.m., and besides working at the e-poll books, I was getting called away by the chief judges every time there was a problem, or when a voter was having trouble. It was hectic, and I was not able to pay attention to all the details as much as I would have liked. We eventually got the cable and hooked up the fourth e-poll book. At that point, we were able to check in voters faster than they could vote, and as a result, we ended up with longer lines by the machines, and so we throttled down our check-in until we found a state of equilibrium inside. During that time, the lines outside were pretty long, but I think even at the worst, the most anybody waited today at our precinct was an hour and a half.
I think that the worst part of our election had to do with the voter registration database. We had numerous people who came in but were not listed as registered. One man I remember said he had voted forever in this precinct and had even voted in the primary. He was there with his wife who was in the system and who was able to vote. But, his name was simply not there. We looked in the statewide database and even in a paper printout we had of the registered voters, and he did not exist. We gave him a provisional ballot, but I don't have confidence that it will ever be counted. Numerous people were listed as not registered in our precinct despite having voted there before. This was also the hardest part for us as judges because we were on the front lines with these justifiably irritated voters. I didn't want to defend our system, but I didn't want to denigrate it either. Most people understood that we were volunteers who were working very hard to try to make the election work, but some of the ones with registration problems only saw us as part of the problem that was causing them to miss out on the ability to vote. I dreaded those moments when I realized that the voter in front of me was going to have a problem and I had to be the one to tell them.
At one point, the chief judge called me over because a voter had a serious problem. The voter was convinced that the machine was not working correctly. She showed me the problem. There was a race for judge that allowed the voter to pick up to two choices for judges. She had picked one but wanted to leave the other one blank. When she got to the summary screen, the race was colored in pink (to represent an undervote), and it had the name of the judge, and under it were the words "Not Selected". She told me that she had wanted to select the judge, but that her choice was not selected. It took me a few times going back and forth to the summary screen to figure out what was going on. Since she voted for one and not both candidates, the race was flagged as an undervote. Her two choices were shown as "the one she chose" and the other as "Not selected", rather than saying that the one she chose was not selected. Once I explained this to her, she was satisfied. There were about 5 or 6 times that I had to help voters because they misunderstood the machines.
At the end of the day, we shut down the machines and tallied the votes. Then, we transmitted the final tallies to the board of elections using the modem provided with the machines. Interestingly, in my precinct, registered Democrats outnumber registered Republicans by a 4-1 ratio, but Obama won over McCain by 20%. Surprisingly, on one of the machines, McCain actually beat Obama by 2 votes. Several of the other judges had some interesting theories about why the results diverged from the expected values, but nobody suggested that the machines had gotten it wrong somehow. Despite all kinds of glitches and mishaps throughout the day, people just believe the results that come out of the computer, and I think this is a natural human tendency.
Do I think that the machines were hacked or that some bug caused us to get the wrong results? I can't say that I do. However, what would have happened if McCain had won by a 2-1 ratio? Would we have come up with all kinds of interesting theories? Or, would someone have questioned the machines? What happens if a candidate in one of the local races that was close wants to challenge the result? The answer is - nothing. There is no way to recount the election. We have the totals that the machines produce, and that's it. No insight into how those numbers were achieved and no way to recreate them. The election cannot be audited. This is a terrible way to run elections, and I sincerely hope that when I work the 2010 election, it is with paper ballots and rigorous audit procedures.
So, now I'm home after another exhausting day. I'd like to propose that election judges work 8 hour days instead of 16 hour days. The current system is so physically exhausting that the judges, many of them elderly, are more concerned with getting out of there and going home than with taking the time to follow all of the procedures to the letter. And, the procedures are critical. I believe you could more than double the participation of poll workers if it wasn't such a grinding, unforgiving day. I don't know how I manage to get these blog entries written, and I'm not sure this is a tradition I can continue because after getting up before 5 a.m. and working all day in one room, writing all of this before I go to bed is getting harder and harder. But, now is when it's all fresh on my mind, and I was afraid I would forget some of it; I had to get this out tonight.
So, now I'm going to watch election returns for a while with Ann, have a glass of wine, and then go to bed. Good night!
In Maryland, we use paperless Diebold DRE voting machines. The same ones that we analyzed in our report in 2003 and that were analyzed in several follow-up reports, all of which found serious security problems. The machines are set up in a daisy chain fashion, where one of them is plugged into the wall, and then each one plugs into the one next to it. I noticed that the judges had set up 9 of our 16 machines in a line, such that voters would have to walk all the way around to get to the middle ones. So, I broke them up into a group of 4 and a group of 5, with a passage in between them. This provided much better access for voters. I had plenty of discretion in setting up our precinct, as one of the chief judges was the same as in the last election, and she told me to make any decisions I wanted and to do whatever I thought was best. We worked very well together last time, and she and the other judges deferred to me whenever there was an issue - and there were several. I made several changes to the way our precinct was set up. Numerous times, I was called away by the person who was provided by the county as the technical person to help. It didn't take long before everybody, including the two chief judges, called me away from whatever I was doing, whenever we had a real problem.
I wondered what happened in other precincts that did not have someone who was very experienced with the machines and as a poll worker. This was my sixth election working as a judge with these voting machines. I attended a half a dozen training sessions, and my research team wrote a paper about the machines. Some of the problems I had to deal with related to human factors, and others were purely technical. Let me summarize some of the problems we had in my precinct today.
One of our voting machines was dead. The first thing I noticed was that it didn't boot correctly. It said "No Election Loaded" or something like that. This did not seem good. I noticed that the battery was at 0%, and I realized that this machine was probably shipped to us with an empty battery, so whatever information was loaded onto it about our election had been erased. We called the board of election, and they sent a technician out, but he was unable to do anything about it. However, we had 16 machines, and in the previous election we had only had 12 and we had managed. I was a bit concerned because the turnout was expected to be much higher. The thought crossed my mind about what would have happened if all the machines had arrived in that condition. We had 125 provisional ballots, no emergency backup ballots, 3,091 registered voters, and 2,080 voters showed up. It would have been a total disaster.
We had several other glitches with the machines, which I consider to be minor. Some of the machines have housings that are starting to wear. On one of them the screen had broken off the rest of the machine and was barely hanging together by some wires. On another one of the machines there was a gap next to the section where the smartcard is supposed to be inserted, and a couple of voters inserted their cards into the gap. The final one got it stuck so badly that we were unable to remove it and we had to issue him a different card. My overall impression is that these machines are showing the wear and tear of several election cycles, and that they will require some pretty serious maintenance and upkeep if they are to be used again. Thankfully, Maryland plans to switch to optically scanned paper ballots in 2010. (However, at the moment, there is a possibility that Maryland will not be able to fund this change, and that it will fall through. I believe it would be more expensive to fix up the current systems and to maintain them than what it would cost to switch to op scan.)
We were also missing a cable needed to hook up one of the electronic poll books. The e-poll books are used to check voters in. They contain a copy of the voter registration database. We were able to hook up the other three e-poll books, and they worked fine. However, about an hour and a half into the election, we realized that the ethernet hub that was connecting the e-poll books to each other was not working, and we found that it had become unplugged. This means that for some non-trivial amount of time, our e-poll books were not synchronized, meaning that people could have theoretically signed in and voted several times. During that busy time, there is no way we would have noticed that. Once we realized this and fixed the problem, the e-poll books synchronized. I felt pretty stupid because I should have noticed that the e-poll books were not synchronizing, but there was a lot going on, and I overlooked that. We had an incredible turnout between 7 a.m. and 12:30 p.m., and besides working at the e-poll books, I was getting called away by the chief judges every time there was a problem, or when a voter was having trouble. It was hectic, and I was not able to pay attention to all the details as much as I would have liked. We eventually got the cable and hooked up the fourth e-poll book. At that point, we were able to check in voters faster than they could vote, and as a result, we ended up with longer lines by the machines, and so we throttled down our check-in until we found a state of equilibrium inside. During that time, the lines outside were pretty long, but I think even at the worst, the most anybody waited today at our precinct was an hour and a half.
I think that the worst part of our election had to do with the voter registration database. We had numerous people who came in but were not listed as registered. One man I remember said he had voted forever in this precinct and had even voted in the primary. He was there with his wife who was in the system and who was able to vote. But, his name was simply not there. We looked in the statewide database and even in a paper printout we had of the registered voters, and he did not exist. We gave him a provisional ballot, but I don't have confidence that it will ever be counted. Numerous people were listed as not registered in our precinct despite having voted there before. This was also the hardest part for us as judges because we were on the front lines with these justifiably irritated voters. I didn't want to defend our system, but I didn't want to denigrate it either. Most people understood that we were volunteers who were working very hard to try to make the election work, but some of the ones with registration problems only saw us as part of the problem that was causing them to miss out on the ability to vote. I dreaded those moments when I realized that the voter in front of me was going to have a problem and I had to be the one to tell them.
At one point, the chief judge called me over because a voter had a serious problem. The voter was convinced that the machine was not working correctly. She showed me the problem. There was a race for judge that allowed the voter to pick up to two choices for judges. She had picked one but wanted to leave the other one blank. When she got to the summary screen, the race was colored in pink (to represent an undervote), and it had the name of the judge, and under it were the words "Not Selected". She told me that she had wanted to select the judge, but that her choice was not selected. It took me a few times going back and forth to the summary screen to figure out what was going on. Since she voted for one and not both candidates, the race was flagged as an undervote. Her two choices were shown as "the one she chose" and the other as "Not selected", rather than saying that the one she chose was not selected. Once I explained this to her, she was satisfied. There were about 5 or 6 times that I had to help voters because they misunderstood the machines.
At the end of the day, we shut down the machines and tallied the votes. Then, we transmitted the final tallies to the board of elections using the modem provided with the machines. Interestingly, in my precinct, registered Democrats outnumber registered Republicans by a 4-1 ratio, but Obama won over McCain by 20%. Surprisingly, on one of the machines, McCain actually beat Obama by 2 votes. Several of the other judges had some interesting theories about why the results diverged from the expected values, but nobody suggested that the machines had gotten it wrong somehow. Despite all kinds of glitches and mishaps throughout the day, people just believe the results that come out of the computer, and I think this is a natural human tendency.
Do I think that the machines were hacked or that some bug caused us to get the wrong results? I can't say that I do. However, what would have happened if McCain had won by a 2-1 ratio? Would we have come up with all kinds of interesting theories? Or, would someone have questioned the machines? What happens if a candidate in one of the local races that was close wants to challenge the result? The answer is - nothing. There is no way to recount the election. We have the totals that the machines produce, and that's it. No insight into how those numbers were achieved and no way to recreate them. The election cannot be audited. This is a terrible way to run elections, and I sincerely hope that when I work the 2010 election, it is with paper ballots and rigorous audit procedures.
So, now I'm home after another exhausting day. I'd like to propose that election judges work 8 hour days instead of 16 hour days. The current system is so physically exhausting that the judges, many of them elderly, are more concerned with getting out of there and going home than with taking the time to follow all of the procedures to the letter. And, the procedures are critical. I believe you could more than double the participation of poll workers if it wasn't such a grinding, unforgiving day. I don't know how I manage to get these blog entries written, and I'm not sure this is a tradition I can continue because after getting up before 5 a.m. and working all day in one room, writing all of this before I go to bed is getting harder and harder. But, now is when it's all fresh on my mind, and I was afraid I would forget some of it; I had to get this out tonight.
So, now I'm going to watch election returns for a while with Ann, have a glass of wine, and then go to bed. Good night!
Tuesday, October 21, 2008
Another problem with DREs
DREs really worry me because of security concerns and the fact that they cannot be properly audited. However, there is another problem with DREs, which this year, I think is going to be very serious.
News reports today are highlighting long lines at the polls for early voting. This is not unexpected, as the turnout for this election is bound to be tremendous. I'm very concerned about the impact a high turnout will have on an already stressed voting system. In Maryland, for example, we use touchscreen DRE machines. Precincts only have a handful of these machines, and they create a tight bottleneck in the voting process. As a poll worker, I've seen people take 30-45 minutes to vote. I've also seen it done in 5 minutes. The average, by my observation, is around 8 or 9 minutes. With an increased turnout, the expected growth in the lines is exponential. That is because the throughput of the election machinery does not change, so additional people will be added to the line much faster than the system's ability to absorb them, and the lines will be long - very long.
When Maryland switches to paper ballots with optical scanners in 2010, this problem will go away. The reason is that the time critical resource will be the scanner, and people can scan their ballots in seconds. The process of filling out the paper ballots can be massively parallelized. We could have 40 or 50 people filling out ballots at the same time, and even with only a couple of scanners, we can move people through the voting process much faster. Using touchscreen DREs, the time critical resource is the voting machine and voters spend on the order of 8 or 9 minutes, and sometimes much longer to vote. Paper ballots with op scan counting will eliminate long lines at the polls. And, I am worried that long lines are going to be a serious, serious problem in the election, which is two weeks from today. However bad it might be in early voting right now, and indications are that it's bad, I fear that on November 4, the problems will be worse.
News reports today are highlighting long lines at the polls for early voting. This is not unexpected, as the turnout for this election is bound to be tremendous. I'm very concerned about the impact a high turnout will have on an already stressed voting system. In Maryland, for example, we use touchscreen DRE machines. Precincts only have a handful of these machines, and they create a tight bottleneck in the voting process. As a poll worker, I've seen people take 30-45 minutes to vote. I've also seen it done in 5 minutes. The average, by my observation, is around 8 or 9 minutes. With an increased turnout, the expected growth in the lines is exponential. That is because the throughput of the election machinery does not change, so additional people will be added to the line much faster than the system's ability to absorb them, and the lines will be long - very long.
When Maryland switches to paper ballots with optical scanners in 2010, this problem will go away. The reason is that the time critical resource will be the scanner, and people can scan their ballots in seconds. The process of filling out the paper ballots can be massively parallelized. We could have 40 or 50 people filling out ballots at the same time, and even with only a couple of scanners, we can move people through the voting process much faster. Using touchscreen DREs, the time critical resource is the voting machine and voters spend on the order of 8 or 9 minutes, and sometimes much longer to vote. Paper ballots with op scan counting will eliminate long lines at the polls. And, I am worried that long lines are going to be a serious, serious problem in the election, which is two weeks from today. However bad it might be in early voting right now, and indications are that it's bad, I fear that on November 4, the problems will be worse.
Tuesday, September 16, 2008
Software dependence is dangerous in voting systems
I wrote an op-ed that appears in today's Baltimore Sun. Here is the text of my article:
When it comes to voting technology, Maryland will soon take a big - and welcome - step backward.
In 2004, the state switched almost all of its precincts to Diebold touch-screen voting equipment, called direct recording electronic machines (DREs). In 2006, Maryland adopted these devices for all precincts. But when we cast ballots for president this November, Maryland will use DREs for the last time in a statewide election.
In 2010, we will return to a low-tech but far more secure system: optically scanned paper ballots. I know that many Marylanders have enjoyed the simplicity of tapping their candidate choices atop the DREs' sleek screens. But for me, the day these machines are tossed in the scrap heap cannot come quickly enough.
I have written extensively about the shortcomings of computer voting machines, and I will not go into detail here about why we can never be sure that these devices accurately count and report the selections made by the people who use them. Instead, I'd like to focus on a simple reason why software-based voting systems are impractical, given the state of voting system certification and the nature of the software industry.
First, consider the certification. Most states today require that voting systems meet federal standards. At specialized labs, vendors must submit their voting systems to a battery of tests in order to qualify for certification. In a rigorous process that can take many months, these labs check the resistance of the machines to temperature changes, evaluate the coding practices used in any software components and review other operating features, as required by federal rules, and in some cases even tougher state guidelines.
Once a voting system is certified, it is considered set in stone. Any change, no matter how small, requires that the entire system be recertified from scratch. This is appropriate, because a small change in one part of the system sometimes has significant and unanticipated effects on other parts of the system. This is especially true if the change is in the software. When it comes to computer voting systems, it is usually the software - the code that directs a computer to perform specific tasks - that harbors the primary Achilles' heel.
Here's the problem: The software industry has evolved in such a way that nearly all computer programs require frequent changes and repairs. This realignment takes place regularly and, to a great extent, invisibly. (How many home computer users understand what has happened during a regular Windows Update?)
Such updates are needed because software is complex and prone to glitches. It is not "often" buggy; it is "always" buggy. And when one bug is fixed, the fix itself can lead to other bugs. Microsoft releases new versions of its software and patches with regularity.
Even Apple, which has some of the best programmers in the world and spends more than most companies on software development, is aware that its products have bugs that must be fixed as quickly as possible. This property of software is not obvious to people who have never programmed, but for computer scientists, it is an accepted and well-understood phenomenon.
When bugs are found in software-based electronic voting systems - as they inevitably are - election officials often face an irreconcilable dilemma. They can ignore the bug, which could result in an incorrect vote tally or a paralyzing crash during the election, or they can try to have the bug fixed. But fixing the bug involves changing the software, and by law the voting system must then be recertified. Given the long time and additional expense that this process takes, recertifying may not be an option.
What if a serious software bug is discovered the week before the election? Even if it can be fixed in time, it would be illegal to use the resulting system in an election, and I would argue that there would not be time to properly test a bug fix for such a complex software system. On the eve of an important election, would you want to wrestle with a critical decision such as this one?
So the next time your laptop freezes up or a popular program on your computer crashes, ask yourself: How would you feel if this was your voting system on Election Day? Let's welcome the paper ballot system that is coming back in 2010. It is the best system for Maryland.
When it comes to voting technology, Maryland will soon take a big - and welcome - step backward.
In 2004, the state switched almost all of its precincts to Diebold touch-screen voting equipment, called direct recording electronic machines (DREs). In 2006, Maryland adopted these devices for all precincts. But when we cast ballots for president this November, Maryland will use DREs for the last time in a statewide election.
In 2010, we will return to a low-tech but far more secure system: optically scanned paper ballots. I know that many Marylanders have enjoyed the simplicity of tapping their candidate choices atop the DREs' sleek screens. But for me, the day these machines are tossed in the scrap heap cannot come quickly enough.
I have written extensively about the shortcomings of computer voting machines, and I will not go into detail here about why we can never be sure that these devices accurately count and report the selections made by the people who use them. Instead, I'd like to focus on a simple reason why software-based voting systems are impractical, given the state of voting system certification and the nature of the software industry.
First, consider the certification. Most states today require that voting systems meet federal standards. At specialized labs, vendors must submit their voting systems to a battery of tests in order to qualify for certification. In a rigorous process that can take many months, these labs check the resistance of the machines to temperature changes, evaluate the coding practices used in any software components and review other operating features, as required by federal rules, and in some cases even tougher state guidelines.
Once a voting system is certified, it is considered set in stone. Any change, no matter how small, requires that the entire system be recertified from scratch. This is appropriate, because a small change in one part of the system sometimes has significant and unanticipated effects on other parts of the system. This is especially true if the change is in the software. When it comes to computer voting systems, it is usually the software - the code that directs a computer to perform specific tasks - that harbors the primary Achilles' heel.
Here's the problem: The software industry has evolved in such a way that nearly all computer programs require frequent changes and repairs. This realignment takes place regularly and, to a great extent, invisibly. (How many home computer users understand what has happened during a regular Windows Update?)
Such updates are needed because software is complex and prone to glitches. It is not "often" buggy; it is "always" buggy. And when one bug is fixed, the fix itself can lead to other bugs. Microsoft releases new versions of its software and patches with regularity.
Even Apple, which has some of the best programmers in the world and spends more than most companies on software development, is aware that its products have bugs that must be fixed as quickly as possible. This property of software is not obvious to people who have never programmed, but for computer scientists, it is an accepted and well-understood phenomenon.
When bugs are found in software-based electronic voting systems - as they inevitably are - election officials often face an irreconcilable dilemma. They can ignore the bug, which could result in an incorrect vote tally or a paralyzing crash during the election, or they can try to have the bug fixed. But fixing the bug involves changing the software, and by law the voting system must then be recertified. Given the long time and additional expense that this process takes, recertifying may not be an option.
What if a serious software bug is discovered the week before the election? Even if it can be fixed in time, it would be illegal to use the resulting system in an election, and I would argue that there would not be time to properly test a bug fix for such a complex software system. On the eve of an important election, would you want to wrestle with a critical decision such as this one?
So the next time your laptop freezes up or a popular program on your computer crashes, ask yourself: How would you feel if this was your voting system on Election Day? Let's welcome the paper ballot system that is coming back in 2010. It is the best system for Maryland.
Sunday, August 31, 2008
ISE exploits MMORPGs
Researchers at my consulting company, ISE, discovered vulnerabilities in Age of Conan and Anarchy Online. The game producers were notified, and no details were released until the vulnerabilities were closed. It's instructive to see what was wrong and how such vulnerabilities can be avoided. The details are posted on our web site. A story appeared in today's Baltimore Sun.
Saturday, July 12, 2008
How an iPhone debut is like an election
I'm an iPhone junkie. I waited in line yesterday morning to get my iPhone, but I only had two hours, and after my time was up, I had made only minor progress, while the line grew pretty long behind me, so I abandoned my newfound iPhone junkie friends and left the Apple store (well, the line outside the Apple store) empty handed. Only later did I learn that the line was moving so slowly because of glitches in the system caused by so many simultaneous activations. John Markoff said it well in his NYT article today.
The setback was a classic example of the problems that can follow when complex systems have single points of failure. In this case, the company appeared to almost invite the problems by having both existing and new iPhone owners try to get through to its systems at the same time. 'There are certainly lessons in preparedness,' said Richard Doherty, a consumer electronics industry consultant who is president of the Envisioneering Group in Seaford, N.Y. He compared the day with Christmas morning, “the acid test for many years” for electronics companies because customers contact them in droves after opening presents and trying to get gadgets to work.
Of course, the Apple problems, as described in this article, are instructive when considering using electronic systems in elections. The debut of the Apple iPhone caused an unprecedented stress on their system on a single day, and there was no way for Apple to stress test their system in preparation for that day. I'm sure they performed many tests, and they clearly had plenty of notice to prepare for yesterday, and still, the system failed in unexpected ways when faced with the actual flash crowd of iPhone enthusiasts. That's not to say such a system will always fail. Sometimes it will work fine. But the takeaway from this is that a large, complex system, such as an election, running on a particular day, with no opportunity for a realistic to-scale test, may fail on election day in ways that cannot be predicted.
For this reason, it is important to keep systems as simple as possible, plan for contingencies, and assume the worst might happen. If it does not, there will have been no harm in having been prepared. But in the unfortunate circumstance where things do fail, as they did yesterday for Apple, we will all be better off for having been cautious.
The setback was a classic example of the problems that can follow when complex systems have single points of failure. In this case, the company appeared to almost invite the problems by having both existing and new iPhone owners try to get through to its systems at the same time. 'There are certainly lessons in preparedness,' said Richard Doherty, a consumer electronics industry consultant who is president of the Envisioneering Group in Seaford, N.Y. He compared the day with Christmas morning, “the acid test for many years” for electronics companies because customers contact them in droves after opening presents and trying to get gadgets to work.
Of course, the Apple problems, as described in this article, are instructive when considering using electronic systems in elections. The debut of the Apple iPhone caused an unprecedented stress on their system on a single day, and there was no way for Apple to stress test their system in preparation for that day. I'm sure they performed many tests, and they clearly had plenty of notice to prepare for yesterday, and still, the system failed in unexpected ways when faced with the actual flash crowd of iPhone enthusiasts. That's not to say such a system will always fail. Sometimes it will work fine. But the takeaway from this is that a large, complex system, such as an election, running on a particular day, with no opportunity for a realistic to-scale test, may fail on election day in ways that cannot be predicted.
For this reason, it is important to keep systems as simple as possible, plan for contingencies, and assume the worst might happen. If it does not, there will have been no harm in having been prepared. But in the unfortunate circumstance where things do fail, as they did yesterday for Apple, we will all be better off for having been cautious.
Thursday, July 03, 2008
"Paper ballots" not "paper trails"
I've noted some confusion in discussions with reporters recently, and I have to assume that this confusion is somewhat widespread. The issue is whether or not a "paper trail" resolves the problems with electronic voting. The term "paper trail", in my opinion, is an unfortunate one. When I first got seriously involved in this issue in 2003, many of us advocated paper trails as a solution to paperless DREs. The thinking was that if every vote is recorded on a piece of paper and that paper was audited by the voter, then a correct tally could be produced by counting the papers. This could be used to audit the machines, or as the definitive ballots. In theory, this seems reasonable, but it doesn't work in practice, and the theory is a bit flawed as well.
As I describe this, keep in mind that the underlying premise is that the software-only DREs should not be trusted. Software often fails in unexpected and unexplainable ways, and in the case of national public elections, there is a threat that the software could have been rigged or modified, or just be plain old buggy. The bottom line is that elections are more trustworthy if we don't have to trust the software. So, given that premise, paper trails only provide some benefit if the papers are actually counted. Otherwise, the machines are just as vulnerable as ones that don't have paper trails. Unless there is a policy for checking the ballots, and unless voters actually inspect the paper trails, we might as well just use DREs because the paper trails are useless under those circumstances. In practice, things are actually worse. Vendors have developed paper trails that are unwieldy, difficult to count, printed with fading ink, and prone to failure and paper jams.
All of my experience with paper trails on DREs leads me to believe that instead of "paper trails" what we need are "paper ballots". In paper ballot systems, ballots are produced as in traditional elections, and these are the official ballots of record. By using touch screen ballot marking devices to create paper ballots (or even allowing people to mark them by hand), we avoid all of the problems of the paper trails. We end up with ballots that can be counted multiple ways, and which provide tangible evidence of the intent of each voter.
So, my advice is to abandon the term "paper trail", to abandon DREs with paper trails, and to start talking about paper ballots.
As I describe this, keep in mind that the underlying premise is that the software-only DREs should not be trusted. Software often fails in unexpected and unexplainable ways, and in the case of national public elections, there is a threat that the software could have been rigged or modified, or just be plain old buggy. The bottom line is that elections are more trustworthy if we don't have to trust the software. So, given that premise, paper trails only provide some benefit if the papers are actually counted. Otherwise, the machines are just as vulnerable as ones that don't have paper trails. Unless there is a policy for checking the ballots, and unless voters actually inspect the paper trails, we might as well just use DREs because the paper trails are useless under those circumstances. In practice, things are actually worse. Vendors have developed paper trails that are unwieldy, difficult to count, printed with fading ink, and prone to failure and paper jams.
All of my experience with paper trails on DREs leads me to believe that instead of "paper trails" what we need are "paper ballots". In paper ballot systems, ballots are produced as in traditional elections, and these are the official ballots of record. By using touch screen ballot marking devices to create paper ballots (or even allowing people to mark them by hand), we avoid all of the problems of the paper trails. We end up with ballots that can be counted multiple ways, and which provide tangible evidence of the intent of each voter.
So, my advice is to abandon the term "paper trail", to abandon DREs with paper trails, and to start talking about paper ballots.
Tuesday, April 01, 2008
Adios iPhone
I was flying back from California last week, watching a video on my iPhone, and next to me was this guy who kept glancing at me and smirking. "Is that an iPhone?", he finally asked. I nodded. "Humph," he grunted and assumed an air of superiority. I was a bit taken aback so I asked him why he didn't like iPhones. "Oh," he said, "they're okay, I guess," and then he mumbled under his breath "if you are into that sort of thing." I couldn't just let that go, so I asked him if he had ever actually used an iPhone.
He looked around as if to see if anyone else was looking, and gave me a conspiratorial smile. "I've got something to show you," he said. And he proceeded to pull out a tiny gadget that looked like an earpiece for a phone. "Check out my device," he said. "It's an integrated PDA, phone, GPS and HD multimedia station." I asked him how he dialed the phone, and he said that it uses a built-in address book with voice recognition. You just say a name , and it looks it up in your address book and dials. What about names that aren't in the address book? He says that since the device is always online, it does a directory search over the Internet and tries to find a match that way. But, how do you know what number it found? There's no display! Before I understood what was going on, he removed a contact lens from his eye and asked me to put it in. I thought this was crazy. But, he had a liquid that he sprayed on it to clean it. Still skeptical, I popped it into my eye, and I was completely blown away. As if floating in air was a transparent view of a screen with a phone style interface. "Now," he said, "use your pupil to navigate the cursor, and crunch your jaw to click. Right side of the mouth for right click, left side for regular click, and bite your tongue to scroll." It took me a little practice, but I was soon able to move things around the screen with ease. I could see as if I was looking at a computer screen. It was like nothing I've ever seen before. And then he played a movie for me. Unbelievable resolution, and hi fidelity sound. The growing pain in my tongue was the only downside I could see to this device.
The "phone" had a full fledged PDA interface. It had video watching mode, an Internet browser, visual voicemail, and many other features that I had never even heard of. I asked my new friend where he got this, and he said that it is a prototype of a new product he invented that he is calling the EyePhone. He had a few glitches to work out, and then he was going to try to commercialize it. I volunteered on the spot to be a beta tester for him, and he agreed. I now have a room full of these test devices, and a year's supply of Hi Definition contact lenses. Needless to say, I am dumping my iPhone.
So, if you ever see me staring off into space with a blank look, it's not that I'm ignoring you; I'm probably just reading email or looking something up in my calendar, perhaps checking to see what happened on April 1.
He looked around as if to see if anyone else was looking, and gave me a conspiratorial smile. "I've got something to show you," he said. And he proceeded to pull out a tiny gadget that looked like an earpiece for a phone. "Check out my device," he said. "It's an integrated PDA, phone, GPS and HD multimedia station." I asked him how he dialed the phone, and he said that it uses a built-in address book with voice recognition. You just say a name , and it looks it up in your address book and dials. What about names that aren't in the address book? He says that since the device is always online, it does a directory search over the Internet and tries to find a match that way. But, how do you know what number it found? There's no display! Before I understood what was going on, he removed a contact lens from his eye and asked me to put it in. I thought this was crazy. But, he had a liquid that he sprayed on it to clean it. Still skeptical, I popped it into my eye, and I was completely blown away. As if floating in air was a transparent view of a screen with a phone style interface. "Now," he said, "use your pupil to navigate the cursor, and crunch your jaw to click. Right side of the mouth for right click, left side for regular click, and bite your tongue to scroll." It took me a little practice, but I was soon able to move things around the screen with ease. I could see as if I was looking at a computer screen. It was like nothing I've ever seen before. And then he played a movie for me. Unbelievable resolution, and hi fidelity sound. The growing pain in my tongue was the only downside I could see to this device.
The "phone" had a full fledged PDA interface. It had video watching mode, an Internet browser, visual voicemail, and many other features that I had never even heard of. I asked my new friend where he got this, and he said that it is a prototype of a new product he invented that he is calling the EyePhone. He had a few glitches to work out, and then he was going to try to commercialize it. I volunteered on the spot to be a beta tester for him, and he agreed. I now have a room full of these test devices, and a year's supply of Hi Definition contact lenses. Needless to say, I am dumping my iPhone.
So, if you ever see me staring off into space with a blank look, it's not that I'm ignoring you; I'm probably just reading email or looking something up in my calendar, perhaps checking to see what happened on April 1.
Thursday, February 21, 2008
Lunar Eclipse
Last night, there was a lunar eclipse - the last one until December, 2010. Since it was very cold and had just snowed, instead of setting up my tripod outside like I should have, I took some pictures and hand held the camera. Still, they came out okay. If you want to see the pictures, click here. My daughter was pretty excited about it, and was even willing (eager!) to extricate herself away from American Idol to look at it several times.
Saturday, February 02, 2008
An article about Internet voting
David Dill and Barbara Simons have written an excellent essay about some of the risks of Internet voting and a system that is being deployed for the Democratic primary. While the dangers of electronic voting with paperless DREs have been covered in great detail in this blog and in other places, the risks of voting on home computers over the Internet are significantly greater. It seems only fitting that Dill & Simons published this article on Groundhog Day. If you saw the Bill Murray movie where every day repeats as though for the first time, you'll appreciate the way Internet voting seems to appear again in every election in a similar fashion. Dill and Simons refer to Internet voting "experiments" as a whack-a-mole.
Thursday, January 24, 2008
My cool Mom
My Mom leads the Israeli dance group in Nashville, TN, where I grew up. They dance at Vanderbilt where she is Professor of Mechanical Engineering. They recently produced a short video about the group, which is narrated by my Mom who also stars in it with her dance group. Check it out.
Monday, January 21, 2008
ACCURATE annual report available
ACCURATE is A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections. We are funded by the National Science Foundation, and I am the center director. Our 2007 annual report is now available here. It highlghts the Center’s major accomplishments and activities in 2007. This coming election year promises to be our most interesting and productive, as members of ACCURATE engage in all aspects of the election, as well as in researching technologies for improving future elections.
Thursday, January 10, 2008
2008 Election Judge Training
I attended my Maryland election judge training session today. It was a 3 hours class for returning judges. There was really nothing new for me. I've already worked 4 elections using the Diebold Accuvote machines, and we will be using them again this year. I did, however, notice a change in the tone of the class.
Right up front, the instructor told us that the three most important factors for us to consider are "Security, Integrity, and Accuracy". These three things were stressed throughout the day. The instructor talked about the 20/20 segment where a hacker was able to change tallies on the machine (I think it was Harri Hursti), and told us of a new tamper tape that was placed on the corner of the machine where there is a screw for opening up the casing. As before, I had a good look at this tamper tape and determined that it would be extremely difficult to tell if the tape had been voided or not. I think these tamper tapes are emperor's clothes designed to make administrators feel good. One of the trainers referred to it as the "Lou Dobbs seal", in reference to Lou Dobbs' coverage of e-voting problems leading up to the 2006 election.
We spent more time training on the poll books than I had in previous elections. These are those machines that failed miserably in the 2006 primary. The instructor told us that the books would not work properly if they were turned on at the same time, so each poll book had to be turned on and enabled before the next one. I remember hearing this as one of the explanations of why so many stations failed in 2006. I hope that she is mistaken, and that the machines will still work even if powered up in arbitrary order. Otherwise, Maryland will have problems again in 2008, because I'm certain that not all judges will remember to follow these instructions. The poll books have a new feature this year that the instructor was very proud of. The chief judges can reverse a voter's check-in and reissue them a voter authority card. This feature is a bit scary, although I can see how it would be useful under certain circumstances. This is enabled via a 4 digit PIN that is supposed to be known only to the chief judges.
It struck me as ironic that we were required to fill out a survey about our experience as a judge, as well as an evaluation of our instructors. We were given the surveys on paper, with round ovals to fill in so that the survey and evaluation results could be optically scanned and tabulated. It struck me that the survey and evaluation of our election judge training was more auditable, secure, reliable and transparent than the machines that will be used in the actual election.
I hope that when I train for the 2010 election in Maryland, that we will be working on how to collect paper ballots, to avoid residual votes, and to work with precinct count scanners of paper ballots. If the state does not fund this change, then the measure to move to paper ballots that passed in the legislature last year and was signed by the governor will be thrown out.
Here are some pictures that I took at training today.
Right up front, the instructor told us that the three most important factors for us to consider are "Security, Integrity, and Accuracy". These three things were stressed throughout the day. The instructor talked about the 20/20 segment where a hacker was able to change tallies on the machine (I think it was Harri Hursti), and told us of a new tamper tape that was placed on the corner of the machine where there is a screw for opening up the casing. As before, I had a good look at this tamper tape and determined that it would be extremely difficult to tell if the tape had been voided or not. I think these tamper tapes are emperor's clothes designed to make administrators feel good. One of the trainers referred to it as the "Lou Dobbs seal", in reference to Lou Dobbs' coverage of e-voting problems leading up to the 2006 election.
We spent more time training on the poll books than I had in previous elections. These are those machines that failed miserably in the 2006 primary. The instructor told us that the books would not work properly if they were turned on at the same time, so each poll book had to be turned on and enabled before the next one. I remember hearing this as one of the explanations of why so many stations failed in 2006. I hope that she is mistaken, and that the machines will still work even if powered up in arbitrary order. Otherwise, Maryland will have problems again in 2008, because I'm certain that not all judges will remember to follow these instructions. The poll books have a new feature this year that the instructor was very proud of. The chief judges can reverse a voter's check-in and reissue them a voter authority card. This feature is a bit scary, although I can see how it would be useful under certain circumstances. This is enabled via a 4 digit PIN that is supposed to be known only to the chief judges.
It struck me as ironic that we were required to fill out a survey about our experience as a judge, as well as an evaluation of our instructors. We were given the surveys on paper, with round ovals to fill in so that the survey and evaluation results could be optically scanned and tabulated. It struck me that the survey and evaluation of our election judge training was more auditable, secure, reliable and transparent than the machines that will be used in the actual election.
I hope that when I train for the 2010 election in Maryland, that we will be working on how to collect paper ballots, to avoid residual votes, and to work with precinct count scanners of paper ballots. If the state does not fund this change, then the measure to move to paper ballots that passed in the legislature last year and was signed by the governor will be thrown out.
Here are some pictures that I took at training today.
Subscribe to:
Posts (Atom)