Tuesday, September 16, 2008

Software dependence is dangerous in voting systems

I wrote an op-ed that appears in today's Baltimore Sun. Here is the text of my article:

When it comes to voting technology, Maryland will soon take a big - and welcome - step backward.

In 2004, the state switched almost all of its precincts to Diebold touch-screen voting equipment, called direct recording electronic machines (DREs). In 2006, Maryland adopted these devices for all precincts. But when we cast ballots for president this November, Maryland will use DREs for the last time in a statewide election.

In 2010, we will return to a low-tech but far more secure system: optically scanned paper ballots. I know that many Marylanders have enjoyed the simplicity of tapping their candidate choices atop the DREs' sleek screens. But for me, the day these machines are tossed in the scrap heap cannot come quickly enough.

I have written extensively about the shortcomings of computer voting machines, and I will not go into detail here about why we can never be sure that these devices accurately count and report the selections made by the people who use them. Instead, I'd like to focus on a simple reason why software-based voting systems are impractical, given the state of voting system certification and the nature of the software industry.

First, consider the certification. Most states today require that voting systems meet federal standards. At specialized labs, vendors must submit their voting systems to a battery of tests in order to qualify for certification. In a rigorous process that can take many months, these labs check the resistance of the machines to temperature changes, evaluate the coding practices used in any software components and review other operating features, as required by federal rules, and in some cases even tougher state guidelines.

Once a voting system is certified, it is considered set in stone. Any change, no matter how small, requires that the entire system be recertified from scratch. This is appropriate, because a small change in one part of the system sometimes has significant and unanticipated effects on other parts of the system. This is especially true if the change is in the software. When it comes to computer voting systems, it is usually the software - the code that directs a computer to perform specific tasks - that harbors the primary Achilles' heel.

Here's the problem: The software industry has evolved in such a way that nearly all computer programs require frequent changes and repairs. This realignment takes place regularly and, to a great extent, invisibly. (How many home computer users understand what has happened during a regular Windows Update?)

Such updates are needed because software is complex and prone to glitches. It is not "often" buggy; it is "always" buggy. And when one bug is fixed, the fix itself can lead to other bugs. Microsoft releases new versions of its software and patches with regularity.

Even Apple, which has some of the best programmers in the world and spends more than most companies on software development, is aware that its products have bugs that must be fixed as quickly as possible. This property of software is not obvious to people who have never programmed, but for computer scientists, it is an accepted and well-understood phenomenon.

When bugs are found in software-based electronic voting systems - as they inevitably are - election officials often face an irreconcilable dilemma. They can ignore the bug, which could result in an incorrect vote tally or a paralyzing crash during the election, or they can try to have the bug fixed. But fixing the bug involves changing the software, and by law the voting system must then be recertified. Given the long time and additional expense that this process takes, recertifying may not be an option.

What if a serious software bug is discovered the week before the election? Even if it can be fixed in time, it would be illegal to use the resulting system in an election, and I would argue that there would not be time to properly test a bug fix for such a complex software system. On the eve of an important election, would you want to wrestle with a critical decision such as this one?

So the next time your laptop freezes up or a popular program on your computer crashes, ask yourself: How would you feel if this was your voting system on Election Day? Let's welcome the paper ballot system that is coming back in 2010. It is the best system for Maryland.

Sunday, August 31, 2008

ISE exploits MMORPGs

Researchers at my consulting company, ISE, discovered vulnerabilities in Age of Conan and Anarchy Online. The game producers were notified, and no details were released until the vulnerabilities were closed. It's instructive to see what was wrong and how such vulnerabilities can be avoided. The details are posted on our web site. A story appeared in today's Baltimore Sun.

Saturday, July 12, 2008

How an iPhone debut is like an election

I'm an iPhone junkie. I waited in line yesterday morning to get my iPhone, but I only had two hours, and after my time was up, I had made only minor progress, while the line grew pretty long behind me, so I abandoned my newfound iPhone junkie friends and left the Apple store (well, the line outside the Apple store) empty handed. Only later did I learn that the line was moving so slowly because of glitches in the system caused by so many simultaneous activations. John Markoff said it well in his NYT article today.

The setback was a classic example of the problems that can follow when complex systems have single points of failure. In this case, the company appeared to almost invite the problems by having both existing and new iPhone owners try to get through to its systems at the same time. 'There are certainly lessons in preparedness,' said Richard Doherty, a consumer electronics industry consultant who is president of the Envisioneering Group in Seaford, N.Y. He compared the day with Christmas morning, “the acid test for many years” for electronics companies because customers contact them in droves after opening presents and trying to get gadgets to work.

Of course, the Apple problems, as described in this article, are instructive when considering using electronic systems in elections. The debut of the Apple iPhone caused an unprecedented stress on their system on a single day, and there was no way for Apple to stress test their system in preparation for that day. I'm sure they performed many tests, and they clearly had plenty of notice to prepare for yesterday, and still, the system failed in unexpected ways when faced with the actual flash crowd of iPhone enthusiasts. That's not to say such a system will always fail. Sometimes it will work fine. But the takeaway from this is that a large, complex system, such as an election, running on a particular day, with no opportunity for a realistic to-scale test, may fail on election day in ways that cannot be predicted.

For this reason, it is important to keep systems as simple as possible, plan for contingencies, and assume the worst might happen. If it does not, there will have been no harm in having been prepared. But in the unfortunate circumstance where things do fail, as they did yesterday for Apple, we will all be better off for having been cautious.

Thursday, July 03, 2008

"Paper ballots" not "paper trails"

I've noted some confusion in discussions with reporters recently, and I have to assume that this confusion is somewhat widespread. The issue is whether or not a "paper trail" resolves the problems with electronic voting. The term "paper trail", in my opinion, is an unfortunate one. When I first got seriously involved in this issue in 2003, many of us advocated paper trails as a solution to paperless DREs. The thinking was that if every vote is recorded on a piece of paper and that paper was audited by the voter, then a correct tally could be produced by counting the papers. This could be used to audit the machines, or as the definitive ballots. In theory, this seems reasonable, but it doesn't work in practice, and the theory is a bit flawed as well.

As I describe this, keep in mind that the underlying premise is that the software-only DREs should not be trusted. Software often fails in unexpected and unexplainable ways, and in the case of national public elections, there is a threat that the software could have been rigged or modified, or just be plain old buggy. The bottom line is that elections are more trustworthy if we don't have to trust the software. So, given that premise, paper trails only provide some benefit if the papers are actually counted. Otherwise, the machines are just as vulnerable as ones that don't have paper trails. Unless there is a policy for checking the ballots, and unless voters actually inspect the paper trails, we might as well just use DREs because the paper trails are useless under those circumstances. In practice, things are actually worse. Vendors have developed paper trails that are unwieldy, difficult to count, printed with fading ink, and prone to failure and paper jams.

All of my experience with paper trails on DREs leads me to believe that instead of "paper trails" what we need are "paper ballots". In paper ballot systems, ballots are produced as in traditional elections, and these are the official ballots of record. By using touch screen ballot marking devices to create paper ballots (or even allowing people to mark them by hand), we avoid all of the problems of the paper trails. We end up with ballots that can be counted multiple ways, and which provide tangible evidence of the intent of each voter.

So, my advice is to abandon the term "paper trail", to abandon DREs with paper trails, and to start talking about paper ballots.

Tuesday, April 01, 2008

Adios iPhone

I was flying back from California last week, watching a video on my iPhone, and next to me was this guy who kept glancing at me and smirking. "Is that an iPhone?", he finally asked. I nodded. "Humph," he grunted and assumed an air of superiority. I was a bit taken aback so I asked him why he didn't like iPhones. "Oh," he said, "they're okay, I guess," and then he mumbled under his breath "if you are into that sort of thing." I couldn't just let that go, so I asked him if he had ever actually used an iPhone.

He looked around as if to see if anyone else was looking, and gave me a conspiratorial smile. "I've got something to show you," he said. And he proceeded to pull out a tiny gadget that looked like an earpiece for a phone. "Check out my device," he said. "It's an integrated PDA, phone, GPS and HD multimedia station." I asked him how he dialed the phone, and he said that it uses a built-in address book with voice recognition. You just say a name, and it looks it up in your address book and dials. What about names that aren't in the address book? He says that since the device is always online, it does a directory search over the Internet and tries to find a match that way. But, how do you know what number it found? There's no display! Before I understood what was going on, he removed a contact lens from his eye and asked me to put it in. I thought this was crazy. But, he had a liquid that he sprayed on it to clean it. Still skeptical, I popped it into my eye, and I was completely blown away. As if floating in air was a transparent view of a screen with a phone style interface. "Now," he said, "use your pupil to navigate the cursor, and crunch your jaw to click. Right side of the mouth for right click, left side for regular click, and bite your tongue to scroll." It took me a little practice, but I was soon able to move things around the screen with ease. I could see as if I was looking at a computer screen. It was like nothing I've ever seen before. And then he played a movie for me. Unbelievable resolution, and hi fidelity sound. The growing pain in my tongue was the only downside I could see to this device.

The "phone" had a full fledged PDA interface. It had video watching mode, an Internet browser, visual voicemail, and many other features that I had never even heard of. I asked my new friend where he got this, and he said that it is a prototype of a new product he invented that he is calling the EyePhone. He had a few glitches to work out, and then he was going to try to commercialize it. I volunteered on the spot to be a beta tester for him, and he agreed. I now have a room full of these test devices, and a year's supply of Hi Definition contact lenses. Needless to say, I am dumping my iPhone.

So, if you ever see me staring off into space with a blank look, it's not that I'm ignoring you; I'm probably just reading email or looking something up in my calendar, perhaps checking to see what happened on April 1.

Thursday, February 21, 2008

Lunar Eclipse

Last night, there was a lunar eclipse - the last one until December, 2010. Since it was very cold and had just snowed, instead of setting up my tripod outside like I should have, I took some pictures and hand held the camera. Still, they came out okay. If you want to see the pictures, click here. My daughter was pretty excited about it, and was even willing (eager!) to extricate herself away from American Idol to look at it several times.

Saturday, February 02, 2008

An article about Internet voting

David Dill and Barbara Simons have written an excellent essay about some of the risks of Internet voting and a system that is being deployed for the Democratic primary. While the dangers of electronic voting with paperless DREs have been covered in great detail in this blog and in other places, the risks of voting on home computers over the Internet are significantly greater. It seems only fitting that Dill & Simons published this article on Groundhog Day. If you saw the Bill Murray movie where every day repeats as though for the first time, you'll appreciate the way Internet voting seems to appear again in every election in a similar fashion. Dill and Simons refer to Internet voting "experiments" as a whack-a-mole.

Thursday, January 24, 2008

My cool Mom

My Mom leads the Israeli dance group in Nashville, TN, where I grew up. They dance at Vanderbilt where she is Professor of Mechanical Engineering. They recently produced a short video about the group, which is narrated by my Mom who also stars in it with her dance group. Check it out.

Monday, January 21, 2008

ACCURATE annual report available

ACCURATE is A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections. We are funded by the National Science Foundation, and I am the center director. Our 2007 annual report is now available here. It highlights the Center’s major accomplishments and activities in 2007. This coming election year promises to be our most interesting and productive, as members of ACCURATE engage in all aspects of the election, as well as in researching technologies for improving future elections.

Thursday, January 10, 2008

2008 Election Judge Training

I attended my Maryland election judge training session today. It was a 3-hour class for returning judges. There was really nothing new for me. I've already worked 4 elections using the Diebold Accuvote machines, and we will be using them again this year. I did, however, notice a change in the tone of the class.

Right up front, the instructor told us that the three most important factors for us to consider are "Security, Integrity, and Accuracy". These three things were stressed throughout the day. The instructor talked about the 20/20 segment where a hacker was able to change tallies on the machine (I think it was Harri Hursti), and told us of a new tamper tape that was placed on the corner of the machine where there is a screw for opening up the casing. As before, I had a good look at this tamper tape and determined that it would be extremely difficult to tell if the tape had been voided or not. I think these tamper tapes are emperor's clothes designed to make administrators feel good. One of the trainers referred to it as the "Lou Dobbs seal", in reference to Lou Dobbs' coverage of e-voting problems leading up to the 2006 election.

We spent more time training on the poll books than I had in previous elections. These are those machines that failed miserably in the 2006 primary. The instructor told us that the books would not work properly if they were turned on at the same time, so each poll book had to be turned on and enabled before the next one. I remember hearing this as one of the explanations of why so many stations failed in 2006. I hope that she is mistaken, and that the machines will still work even if powered up in arbitrary order. Otherwise, Maryland will have problems again in 2008, because I'm certain that not all judges will remember to follow these instructions. The poll books have a new feature this year that the instructor was very proud of. The chief judges can reverse a voter's check-in and reissue them a voter authority card. This feature is a bit scary, although I can see how it would be useful under certain circumstances. This is enabled via a 4 digit PIN that is supposed to be known only to the chief judges.

It struck me as ironic that we were required to fill out a survey about our experience as a judge, as well as an evaluation of our instructors. We were given the surveys on paper, with round ovals to fill in so that the survey and evaluation results could be optically scanned and tabulated. It struck me that the survey and evaluation of our election judge training was more auditable, secure, reliable and transparent than the machines that will be used in the actual election.

I hope that when I train for the 2010 election in Maryland, we will be working on how to collect paper ballots, to avoid residual votes, and to work with precinct count scanners of paper ballots. If the state does not fund this change, then the measure to move to paper ballots that passed in the legislature last year and was signed by the governor will be thrown out.

Here are some pictures that I took at training today.