BBV: Why a VVPB will NOT save the day...

Dear friends,

I'm posting the following message (see below) on behalf of my good friend EllenT who has insufficient posts to create a new thread. She shares an important point, worthy of your consideration. As soon as this thread is up, I’m sure she will join the conversation should you have comments, as I am certain you may.

Though she has not been particularly active here in DU, Ellen was one of the principal driving forces within VerifiedVoting.org. She joined us as a volunteer only weeks after the site was launched last July, and eventually became interim Executive Director for a brief time earlier this year. We both left in March after policy decisions made it impossible for us to continue with that team.

Today, Ellen is driving www.VotersUnite.org. If you have not been there, I encourage both your personal as well as financial support be directed towards her new organization. Presently, she is raising funds to offset the $500 costs of travel from Washington state to speak before a Senate panel in California who were considering the bill to ban paperless e-voting for November.

On Super Tuesday, it became evident that the almighty prize for which we battled so diligently, the VVPB, was not the solution we believed it to be. Indeed, had the e-voting systems been equipped with printers, and had voters verified their ballots and election officials randomly audited the paper, only an estimated 10 percent of the problems that appeared that day would have been solved. The other problems of that day would have remained unresolved.

Regrettably, other events such as the push for a consolidated Senate bill took priority over our communication efforts, and we did not focus on the obvious conclusion that a VVPB now appears to be just what Bev has expressed in the past herself: that the VVPB is a panacea, and not nearly the entire solution. And we no longer have VerifiedVoting.our as our bully pulpit, so this will be one forum where we wish to clarify what we we learned on March 2nd:

Until these machines are well-improved over their current form, and the certification process is revised so that it truly becomes an effective mechanism, e-voting should be banned nationwide. They are simply too great a threat to democracy.

Here is Ellen's message:
============================================================

When I first heard about electronic voting, I thought "Good Grief!" I wrote a trivial little VB program showing how the screen can display one thing while something different is stored. There were two candidates and no matter how many times you voted for Howard, George always won. It seemed so obvious to me. How could anyone not understand?

Then I got involved with VerifiedVoting.org and attended to lobbying for HR2239. I remember listening to the computer experts talk about the security problems and feeling vaguely dissatisfied with what they were saying – as if they were missing something. But they were the experts, so I just continued pushing for HR2239. Everyone was calling for VVAT – oops, VVPB, and I called out, too. As long as it was accompanied with open source code and random recounts, then VVPB would be a satisfactory solution – not perfect, but still a lot better.

Super Tuesday brought me back to the reality I had known when I said "Good Grief!" But now I have learned that it's so much worse than I thought back then. VVPB WILL NOT SAVE THE DAY. It will not save our election system. I've been involved in software development for 22 years. I've seen how it works. I know stuff from experience.
I've worked with highly competent, thoroughly honest software developers who have found old calculation bugs that remained undetected through several released versions.

I've seen bug lists mount into the hundreds, so the manager has to select the worst 50 to fix and let the other ones crawl around in the released version of the product.

I've seen Microsoft send out upgrades (bug-fixes) on a weekly basis – and so have you.

Okay, so point 1: RELEASED SOFTWARE HAS LOTS AND LOTS OF BUGS. Many are undetected, some are known, and none are reported to the customer.

Point 2: THERE'S NO SUCH THING AS A COMPUTER GLITCH. It's a malfunction. When votes are tallied wrong, it's a malfunction. "Glitch" is such a soft little word, implying a little bitty "oops." Like losing 12,000 votes. But if the software did it once, it WILL DO IT AGAIN. That's the nature of software. If it does the same thing twice, it will do it exactly the same both times.
This means that when the newspaper reports that an election disaster was due to a software glitch, but the technicians fixed it and the election outcome wasn't affected (they always say that), there are three possibilities:

1) The "glitch" was fixed by correcting a configuration that was incorrect before.

2) The "glitch" was fixed by installing an uncertified software patch.

3) The "glitch" wasn't fixed at all.

And, BTW, fixing a bug is a huge risk. Often the "fix" introduces a new bug – or gives an old, undetected one new life. That's why software companies test and test and test again after bugs have been fixed. "Patch" is such a nice word, innocuous like "glitch". But a patch means that the code has been changed, always a risky venture.
Software is sooooo precarious. Developers know that. The general public probably doesn't.

Point 3: ELECTIONS ARE BETA TESTS OF THE VOTING SOFTWARE. For those of you who know what a beta test is, you will see what I mean immediately. For those of you who don't, a beta test is a field test of the software. It is well-known in software development circles that in-house testing only catches some of the bugs. So any reputable company does beta testing before releasing a product. Send it out to users, have them work with it for a while and report the disasters they encounter. Fix the disasters, and then – only then – is the product worth the purchase price. Only then can you be reasonably certain it won't make a mess of your computer.

Elections are the field tests for Diebold, ES&S, Sequoia, Hart, and the others. You can't find an appropriate user base to do an adequate field test unless you hold an election. Simple as that.
So we see people pushing the magnification button and the ballot disappears. Yup, exactly the sort of thing that would show up in a beta test. The wrong screen appears when the thing is booted up with low batteries. Definitely beta test material. USER ERROR IS JUST NOT A GOOD ENOUGH EXCUSE. A good software program, one that has been thoroughly tested, beta tested, and is now robust, accounts for user error. This is why when you delete a folder with files in it, the program says, "Are you sure you want to do that?" Just in case you made a mistake.

In the software development world, engineers spend a great deal of time, energy, and money to ensure that users can make errors without destroying their data or wasting their precious time recovering from their goofs. (Thus the blessed "Undo" command.) So when an election is chaos because of user error – either poll workers or voters or both – the fault lies with the developer. ALWAYS.

Point 4: THE LONG CERTIFICATION PROCESS IS A HINDRANCE TO GOOD SOFTWARE. When you find a bug – a common occurrence – it must be fixed. But with the NASED qualification process followed by the state certification process, all according to law and costing $10,000 or more a pop, it's much, much, much easier to leave the bugs unfixed or sneak a fix in behind the backs of the authorities. And who knows what gets snuck in with it – inadvertently or not.
The nature of software development is that it operates on a short time-line. Find a bug, fix the bug, send out a notice so customers can download the patch. All in a matter of days. What if Norton had to get every virus definition file certified in a six-month process? What if Microsoft had to wait six-months between updates (bug-fixes)?
Point 5: THE CERTIFICATION PROCESS IS A JOKE. As Bev so marvelously pointed out, when federally-qualified machines fail miserably, what is the solution? Make the repairs and send them back to the same people to test them again. Think about it. Hundreds of election disasters have occurred in the last two years. ALL OF THEM have occurred with federally-qualified, state-certified equipment (except perhaps in Mississippi.) Why do we care if something has a NASED number? It means nothing. Look at the evidence.

Point 6: ELECTRONIC ELECTIONS AREN'T TRANSPARENT, EVEN WITH A VVPB. You cannot watch the ones and zeros moving around, recording votes, counting votes, tabulating the results. Election officials can have all their procedures in place perfectly, but the processes that do the most important work of an election are not visible to them, and they are not in control of them at all.

Point 7: VENDORS CONTROL OUR ELECTIONS.
With electronic voting, ballots are recorded and tabulated by software processes, which are:
- developed by anonymous software engineers, who are hired by vendors.
- federally qualified by anonymous testers, who are hired by vendors.
- installed and maintained by technicians, who are hired by vendors.
- trade secrets of the vendors and therefore not open to public scrutiny.

And if we get VVPB printers, the printers and the software that drives them will be developed, tested, qualified, installed, and maintained by the vendors.

Point 8: ELECTRONIC ELECTION PROCEDURES ARE IN THEIR INFANCY. Election officials all over the US are attempting to run electronic elections using procedures adapted from the procedures for paper ballots. Most of the officials aren't very computer savvy. They may be trying really hard, but they aren't qualified to do what they are being asked to do. Partly they realize they are over their heads, and so they attempt to maintain a good relationship with vendors whose help they rely on. But I'd be surprised if even 1% of them have any idea how far over their heads they are.

Many of them get offended when we talk about insiders doing malicious programming. They think we're talking about them. They think they are programming when they configure the ballot designs. They don't even know what programming is.

As a software technical writer, I have dealt with novice users for 22 years. They are completely befuddled by computers. Most people are. Computer professors, computer professionals, and teen-agers. Other than that, everyone is befuddled by computers. Electronic elections are being run by people who are befuddled by electronics.

Point 9: THE PEOPLE WHO MADE THE CRAPPY HARDWARE MADE THE SOFTWARE. How many times has your computer overheated and broken down? Never? Well, voting machines have. The hardware isn't even adequate. Sometimes they take 40 minutes to boot up – what is that? They just quit working correctly, right in the middle of an election. Touch screens are misaligned. Sensors don't sense correctly. The people who brought us these worthless hardware devices also designed and developed the software that runs on them. What does that tell us?

MAIN POINT: If you think VVPB (even with open source code and random recounts) will save the day, you are wrong. It cannot safeguard against:
- Bugs – inadvertent or advertent – in the software.
- Inadequate testing.
- Laughable certification process.
- Legal restraints on fixing software bugs in a timely manner.
- Legal restraints on fixing software bugs before an election.
- Intimate involvement of vendors in the electoral process.
- Computer novices running electronic elections.
- Security procedures developed by officials who are befuddled by computers.
- Pieces of crap disguised as voting machines.

Don't misunderstand. I'd love to see HR2239/S1980 pass, but if we stop there and say "all is well, the problem is fixed," we're only fooling ourselves.

The only way to get a fair election is to have a transparent election. Electronic elections, by definition, are NOT transparent. And that's on top of all the other problems.

Votes should never be recorded electronically. Period.

It doesn't matter how the ballot is created, but the piece of paper that is verified by the voter must be what is counted. Not a receipt.

All of your points are well taken, but miss the big picture:

Even if the entire election system outside of the paper ballots go up in flames, we can count the votes by reading the paper ballots. Making the election system bug-free and smooth-running does NOT mean that deliberate fraud cannot occur.

Fair election systems have two basic requirements:
1. Make it as hard as possible to tamper with the election.
2. Provide as much backup and redundancy into the system so that errors and malfunctions do not destroy the results.

VVPT provides a unique way to maker it harder to tamper with the election because the paper is outside the control of the control of the DRE manufactures when proper election procedures are developed and followed.

VVPT provides a unique redundancy outside of the election system.

Look at the big picture.

If San Diego had used vvpb printers on Super Tuesday, how would they count the votes of the hundreds of people who were turned away from the polls because the PCM's didn't boot up right?

If Fairfax had used vvpb printers last November, would the paper backup have even been recounted when only 1% of Rita Thompson's votes were discarded? She only lost by 1% so the problem probably wouldn't have even been noticed if the buttons on the touch screens hadn't malfunctioned too.

In Orange county on Super Tuesday, paper backup would have shown that 7000 voters voted on the wrong ballots.

In Maryland paper backup would show that the people who used magnification simply didn't vote in the Senate race. (How is this giving vision-impaired people equal access?)

Your first requirement isn't satisfied by DREs using VVPB, because it is *impossible* to know if the software was "tampered with" before it was installed. It's so very easy to write a program that prints what is on the screen and records something different. That's neither redundancy or backup. Random recounts might catch it. Or they might not.

There are two more basic requirements for a fair election:
** Let the voters vote.
** Count the votes accurately in public view.
Neither of these requirements are being met by the DREs.

Have you considered having a fund drive with a status bar to show your progress toward reachng a goal?

Welcome to DU!! :toast:

Voter Verified Paper Ballots always.

IF DRE's- then voter verified paper ballots, period.

As/per a 1% difference in candidate vote totals, here is where we need to rewrite state laws so that differences greater than a piffling .50% are a mandatory manual recount. If there had been a voter verified paper ballot, at least Thompson could have called for a recount, even if it was not triggered by state law.

Voter verified paper ballots are a crucial part of the back up system, but only part. Audits, audits, audits.

Yes, VVPB won't stop the disenfranchisement when people simply can't vote on the things because they go haywire. There are too many mistakes happening with the current systems- so many that, were this happening in the "real" world, the vendors would have their contracts cancelled. And the idea of beta testing in an election is about as wrong headed as it gets. Yet we hear that all the time, "You can't work the bugs out if you can't use them." Right...it's democractic to take away, oh, say, 10% of the votes due to beta testing. That's what vendors and election officials are trying to get the public to swallow. It's never, never OK.

The argument is swinging to not using any system that both creates and counts ballots. While that may be a good thing to do, keep mandating VVPB up front because we have a long way to go before we win the PR battle with election officials over DRE's. I see some states and counties going with optical scan instead of DRE's, already, over the VVPB issue. That's a beginning but even not using DRE's isn't going to provide protection.

Keep in mind that Bev found scores of examples of mistakes in optical scan systems. Anything that is counted by a program is at risk.

You said, " Count the votes accurately in public view." I agree, but this is not done with optical scan, either. People may witness the counting but how many can tell if the computer counts correctly or incorrectly?

Meanwhile, the crux of the issue is centralization vs. decentralization and lack of transparency. The whole move to centralize everything is anti-democratic. Democracy works when it is NOT centralized. All those individual precincts and individual county records, while cumbersome, act as a check and balance on centralization of power. Look how much they WANT to lose that- voter registration, consolidating polling places, computers counting votes, central counting.....

The move to "modernize" elections is just an excuse to centralize and centralization is the antithesis of democracy. This is one place where you do not want control in a few hands. In a decentralized system, it might be harder to manage, it might be harder to stop small scale fraud protential, but by its very nature, it is more democratic and inhibits large scale fraud potential.

About the League- please keep in mind that the LWV position came from the top down. That is a VERY non-League thing and many in the League are disgusted. People have resigned positions over this.

Kay Maxwell should step down. She imposed a supposed LWV position on the body of the LWV, another example of centralization of power, this time taken without concensus of the League.

Good point about centralization! Everything gets bigger, control gets handed to fewer and fewer people.

How many people even think about the word "state" as meaning a sovereign body? No, it's taken on the connotation of "province". Too bad each of our states isn't really sovereign, united with the others for strength instead of sameness. We might not see them rushing out to follow what they *think* is a mandate from the centralized government to replace their current election systems with DREs.

vapor ballots. I am way on board with this idea! Thanks Ellen and Greg! I am glad to see yall on board with paper and only paper. The new battle cry...


By the way...may I post your comments on my site???

:-)

Ideally, voters would mark Xs on plain paper ballots.

Drop their ballots in a transparent ballot box.

Be allowed to watch the ballot box until a public hand-count in the same room.

:kick:

One more thing: Both GregD and EllenT were the driving forces behind the old VerifiedVoting.org.

Both are dedicated, very smart, brilliant folks who have done wonderful work for America on behalf of this issue.

And Ellen: Check your PayPal account. I have my own very significant fund raising to do for the new "Phase 2" investigation into kickbacks, but Ellen, you've done stellar work; I use your "Myth Breakers" publication all the time. You are an excellent organizer. I hope very much to see you (and GregD) right at the front in the national movement. I couldn't go to testify before the California folks this time around, and thank goodness they had your talent there. That's why I just took a bite out of our own PayPal account to support you.

And, of course, you are right about the paper ballots. Look what they're trying to do: computerize voter registration, put every voter on a smart card, eliminate the poll-book sign in (another important PAPER record) and have invisible digital sign-in instead, with smart cards; create the ballot digitally, using secret software, then record the vote invisibly, and after that, tally it up invisibly as well.

We need physical records, folks. This is getting out of control. They keep trying to redefine the issue: It is not computer program integrity so much as TRANSPARENCY. Nowhere does it say that our country is of the computer programmers, by the computer programmers, and for the people.

Let's not take the people out of the voting system. Paper ballots. I'm behind you 100%.

Bev Harris

Bev, thanks so much for the support -- financial and position! You're right. Invisible everything. And the idea of encrypting stuff to make it all safer gives it another level of invisibility. Less technology, not more, is what we need in our election systems.

Have people forgotten 2001 A Space Odyssey?

Look up "spoofing," that'll make you feel scure about totally computerized elections. Caveat- I don't know anything about this site and the term "alleged" is used too much for my tastes. However, in discussion with someone who had a high security clearance at one time, when I asked how something could be,(radar vs. what the truth eventually came out to be) his one word response was, "spoofing":

http://www.afio.com/sections/wins/1999/35.html
OFFENSIVE CYBERWAR OPERATIONS - - US offensive information warfare operations, a black art that is a tightly guarded secret not usually openly discussed, were used during the recent air assault on Yugoslavia, according to General John Jumper, Commander Allied Air Forces Central Europe. It allegedly included an effort to penetrate Yugoslavia's computer systems, possibly to put false targets into the Yugoslav air defense network displays. The Pentagon may release some aspects of these operations in the Kosovo "lessons learned" report to be released later this month

An alleged DIA expert was quoted to say that cyber attacks on air defenses would likely take one of two forms. Firstly, deceptive materials could be inserted onto computer screens through intercepted communications links, to match what operators would be disposed to believe - - relying on prior cognitive profiling of key hostile decisionmakers. But secondly, in Kosovo, the techniques used were probably more straightforward, by inserting false radar images or SIGINT intercepts in such a way that automated systems, or even experienced radar operators, would accept and act on them. What the Yugoslav air defense personnel actually saw or did with the information is not yet in the public domain.


Here's one to make you feel good. This guy is on the board of VoteHere, the company that wants to take the world to Internet voting and electronic vote verification:

Robert Gates, director of the CIA for President George Bush. A nine-year member of the National Security Council and security expert to four presidents representing both political parties. A dean at Texas A&M University, he is an expert on computer espionage and business enterprise risks.

http://www.csc.com/solutions/managementconsulting/mds/mds101/205.shtml

This organization has single-handedly done more damage to the current fight for clean voting than any other group. I think we should join. I think we should show up at their national meeting in June, along with another League of Women Voters member, Dr. Barbara Simons, who has bucked their position favoring paperless ballots (Simons is one of a handful of computer scientists who derailed the Pentagon's Internet-based "SERVE" project).

I think, in fact, that a whole bunch of smart women should join, show up in June, and steer that organization back to sanity.

Bev Harris

I am amazed to have observed what LOWV has been doing.

I think this is a great idea. Count me in and I will tell friends of mine to join as well.

Connie

I know it's in June. I also heard that the LWV bylaws allow for the members to do a vote of no-confidence in the leadership, if sufficient numbers. The rules on that would be interesting.

Sorry for hijacking the thread GregD.

Bev

Washington DC Hilton Washington and Towers
202-483-3000

LWV-US Convention Registration
202-429-1965

What has happened to VerifiedVoting.org?

It's almost like it is now in the past tense.

Clearly some drama went down beyond my perview. I did notice that their newsletters began again with the words #1 on them which I thought a little odd.

al

brought in an EFF guy to run it. They are heavy into fund raising and being politically correct at all times. There is a place for that, but (although their newsletter tries to take credit for the California decisions) in my opinion, it is the investigators and the agitators and the organizers and the educators who made that happen.

What EFF did was send 10,000 emails to the same guy with essentially the same message. What EllenT did was to educate the hell out of a whole bunch of public officials (that's what the "Myth Breakers" handout at http://www.votersunite.org does). What Jim March, Andy Stephenson and and I did was continue investigating until there was so much evidence it was impossible to ignore...

Four independent reports have contributed to doubts about the integrity of our voting system. They are linked in the lead story on my web site. The RABA Report, the SAIC report, the CompuWare Report, and the Hopkins/Rice Report. But in and of themselves, they didn't get anything yanked, because the manufacturers keep lying and saying they fixed all that.

http://www.blackboxvoting.org exposed the use of uncertified software by printing 24 memos, with a certification chart, proving the use of uncertified software, and we did that September 12, 2003.

I spoke with Marc Carrel from the Secretary of State's office on October 8, 2003 to let him know about the memos that showed uncertified software, and the use of uncertified technology like using cell phones to transfer votes.

In December, Andy Stephenson and I spoke with Marc Carrel again -- he asked what we'd found in our expanded investigation of certification, because California had just released a report that their audit showed all Diebold counties were using uncertified software. He specifically asked me if we had evidence that Diebold knew they were not supposed to do this. We had the evidence, and after a wild flurry at Kinkos, got it to him in time for his voter panel meeting.

Same day, Andy and I broke the story of the felons programming the voting system. The California secretary of state's office copied our press kit and marched into the voter panel meeting with a stack of them a foot high and passed them out. Diebold president Bob Urosevich turned crimson.

Jim March and I, and SAVE-Democracy (San Diego voting rights group) provided more investigation and more evidence, in the form of a series of ludicrous security foo-faws and evidence of machine malfunctions on March 2.

Jim March, Jody Holder, Art Cassell and I also exposed evidence from Alameda County, Stanislaus County, San Joaquin County, and Riverside County about machine malfunctions and unauthorized access by vendor technicians on March 2.

I located, and Jim March interviewed and took the declaration for James Dunn, the California equivalent to Rob Behler, of rob-georgia fame. Dunn testified, to the gasps and outrage of a stunned crowd, and the cross examination of Urosevich was devastating.

Without going into detail, I happened to review about 600 pages of memos from Diebold lawyers, and in these found evidence that Diebold and its lawyers had deliberately lied to the secretary of state. These documents were entered into evidence and were the subject of a blistering cross examination.

There were many efforts, by hundreds of people, but without the investigaton, documentation, agitation and education, California wouldn't have happened.

Now, these same investigations will be used to decapitate the Riverside lawsuit against the secretary of state. I'll be in Sacramento this week with a witness who can blow the doors off of the contention of visually impaired voters in Riverside that the paperless touch screen protects their rights. It's going to be an explosive day, but one you'll probably not hear much about, at least for quite a while.

My take. I'd like to see EFF stop pretending that BlackBoxVoting.org does not exist, and I'd especially like to see them stop referring to me as though my contribution to this issue was simply to find the Diebold files and that "I didn't understand their significance" so Avi Rubin et. al. came riding in on a white horse to save the day. What Avi Rubin, along with Wallach, Stubblefield and Kohno, did was to put their names on a formal report, but much of what it detailed had already been made public.

Yes, that's correct. Nearly everything in Avi Rubin's report was published right here on DemocraticUnderground.com five weeks earlier -- in fact, the information on the hard-wired 1111 password, the PCMCIA card risks, and the improper use of encryption was published here, by other programmers, three weeks before the files were released into the wild.

And for those who haven't followed all the history: The person who released them was althecat, on http://www.scoop.co.nz, in conjunction with an article called "Bigger than Watergate" which he wrote, and an article called "Inside a U.S. Voting Machine" or something like that, which I wrote, which exposed flaws with the GEMS program later confirmed by the RABA Report.

How about it, EFF / VerifiedVoting? Time to start acting like a coalition instead of the lone ranger? Start with an apology for helping to shut down BlackBoxVoting back in September. Then proceed with some common courtesy to everyone else who's working hard on this issue. We don't have time for turf-protecting right now. Jump in and work shoulder to shoulder with the rest of us.

Bev Harris

I have the same worries about the EFF. If the actions of the EFF lead to laws that make electronic voting machines safe and acceptable from a legal point of view, we will indeed have better electronic voting machines than the crap vendors are offering now, but we will have lost this war because fundamentally electronic voting machines are not safe.

The EFF is also a single target for those who are trying to ram these electronic voting machines through. It's a well fortified target, but I believe that any failure on the part of the EFF would have very bad repercussions for the rest of us who are now fighting electronic voting.

Building a single political fortress on this issue is a very bad idea. Agility is important -- our opposition has many concentrated resources to use against single large targets, but they can't stop smaller groups and individuals from speaking out to their elected officials.

Democracy must be defended by We the People.

The League of Women Voters should have been the one organization we could count on to fight invisible ballots. With them on the right side of this battle, things very well might have gone differently.

I hadn't thought about joining, but when you put it that way ...

Sounds intriguing. }(

A suttle point, but perhaps worth noting:

Even if we hand tally votes, there will at some point be someone with a calculator, adding columns of numbers from different precents.

I'll wager that we've used "uncertified" calculators in many an election. What gives me faith in those calculators is that they were not designed for the sole purpose of summing votes in an election, they were generic calculators bought at the local shopping center.

Maybe you really wanted to say "no automated vote scanning/counting, period?" ;-)

I, personally, want to vote in such a way that I can see the physical medium (the ballot), where my vote is recorded, and I can verify that before I exit the voting booth. I really don't care if the computer prints that ballot, or if I fill in the dots. Either way is fine with me. What that gives me, is assurance, that if a "manual recount" was deemed necessary, I know another human being with eyes like mine at some point will be able to look at my exact ballot and know with no ambiguity what my vote was for each race. That's the crux of the issue - that a manual recount is possible, and short of physical violence a highly accurate recount will occur if needed.

Its a simple fact. Anyone with any knowledge of software or memory, who is honest, will tell you that. I've heard the statement made by people in state governments made that they are "at the mercy of the vendors." Why is that? Why do vendors get to choose what media the people will vote with? Why are the states not responsible to insure fair elections?

I would be fine with voting software that prints out a ballot but is not used to count votes. It's a minor variation of the "butterfly ballot" without the "chad issues" and seems like it would be pretty simple to produce.

Electronic Voting is being pushed simply so elections can be manipulated and "rigged." No honest person with a bit of knowledge would ever want their vote to be trusted to a software program.

I've been saying this from the very beginning, but the people involved in this have simply been too blind to listen. There is utterly no magical way to be sure of the integrity and validity of electronic balloting. It can never be done.

Therefore, the ONLY solution that is feasible, and affordable, and do-able today, and viable for the long run is the PROOFING BOX.

Each machine would print out one or two paper ballots. One could be retained by the voter if s/he wishes. The other--mandatory--would be reviewed by the voter, folded, and dropped into a lock box. That lock box would remain locked, and only opened in the event of a recount.

"That lock box would remain locked, and only opened in the event of a recount."

So, if I want to rig an election, why would I rig it in a way that would trigger a recount?

I can tell you that some public officials who have been particularly stubborn about fighting the paper ballot, when it looks like they may lose that battle, shift immediately to: "Yes, but NEVER USE IT unless there is a recount. Make sure you don't expand the auditing."

Those people sound crooked to me, frankly. Proper auditing should involved very robust use of the paper to check against the machine (if machines are used) and this should happen in every election, not just recounts.

"That lock box would remain locked, and only opened in the event of a recount."

If the IRS used this model, they'd say, "We will never ever audit you unless your tax return is within 1 percent of the cutoff to the next tax bracket."

Well, if you were a tax cheater, and that was the rule, would you EVER cheat so that you were within one percent of the cutoff?

Look, I know this issue inside out, and I read GregD / EllenT's post three times. It's deep, and it's dead-on accurate, folks.

Bev Harris

PROOFING BOX SOLUTION

1) Voter uses any electronic machine to cast her/his ballot.

2) Prior to finalizing, machine automatically produces a paper printout "Proof" of her/his vote.

3) The voter verifies and finalizes her/his vote.

4) On exiting the booth, the voter folds and deposits the Proof in a locked Proofing Box (not unlike the thousands now being used for paper ballots.)

5) The Proofing Box remains locked unless a recount is ordered, in which case the recount is done via the Proofing Box ballots.

This simple, practical approach will resolve all remaining problems related to this issue.

It will permit electronic voting to go forward immediately.

It will serve as a detterent to fraud and rigging, because there will be back-up accountability.

Similarly, it will serve to detect flaws in the system or in its administration.

Also, it will serve to inspire the confidence of the voting public in a system which is otherwise inscrutable, esoteric, and daunting.

This is the same as vvpb, except that the voter gets to touch the paper backup. Votes are still recorded electronically and the primary count is electronic.

This is not a solution to the myriad, complex problems involved in DRE elections.

that there is no cheating. Otherwise - great!

it is only a HALF solution ...

What is wrong with using Touchscreens to generate paper ballots which are then COUNTED, ballot by ballot ? ....

You seem to think that only 'close' elections require direct ballot counts .... such a policy would allow for elections to be fixed as long as the difference between candidate votes fall below the threshold of that required for recounts ... Why allow this unreliable system even a CHANCE to bugger the elections ??? ...

:kick:

First, yes all software has bugs. However, its possible to remove an increasingly high percentage of them if you place no limits on time or cost. BBV systems should be held to the same standard as aviation, medical or other very-high-risk systems.

I'm sorry, but counting votes of a list of registered voters for a list of qualified candidates does not appear to be rocket science to me, and I've done nothing but sit through requirements and functional design sessions, then write and execute IT and UAT scripts for the last several years.

The simplest solution to finding code issues will be for the client (government) to take full ownership of the code product in the machines purchased, and release it for public review.

Why not, in fact, have the government produce a reference hardware design and let the open source community and any interested commercial vendor propose their own software implementations?

The real security issues here are good old fashioned hardware and network security, not the code itself. One of the basic requiremnts of a highly secured personal computer is that it not be attached to a network. I don't see why BBv machines shouldn't meet the same standard. The should record their results both internally (for quality review) in both hard copy and electronic format. They should store the officiall counter vote on secure flash memory devices that can be manually tracked for security.

At the end of the day, BBV need not be insecure or easily corruptable. Remember, the mechanical pull-level machine was in itself and industrial-age answer to the problems of paper ballot security.

To paraphrase Shakespeare, the problem is not in the bits, dear Brutus, but in ourselves.

Design a secure system and you will get a secure system.

Second, I don't see what a visible but not accesible paper tape system (say, behind a piece of plastic) that shows the votes cast can't be an end-user quality tool and the basis of recounts. This is how cash registers work and are balanced millions of times a day around the world. The care and feeding of the paper tape mechanisms is well understood by anybody who's spent more than one day as a cashier.

If we insist that the paper trail system be overly complex, or involved voter control of paper, we are just adding fuel to the arguments against. Take the cash register as the model, and I don't see how anyone can object.

Here's a point I missed before – Point 10: VOTING SOFTWARE IS A HORSE OF A DIFFERENT COLOR.

Virtually all software applications are designed to give feedback to the user. That's their purpose. The user enters input, the computer does something to it, and hands back the results to the user. This is true in a spreadsheet, a word-processor, a computer game, an aviation program. Part of the alpha testing process is to ensure that the results are correct.

As users work with the software on a daily basis, they notice things that don't mesh and often they report it to the manufacturer. We are so used to working with software that gives feedback, and gives it correctly, that we are now taking it for granted. When I save a file and then open it again tomorrow, I see the same data I had in the file yesterday. I don't even think about that it was software that accomplished both the saving and retrieving tasks correctly. It's just so natural, it seems like "of course."

Wrong. Not "of course". Software developers have spent an enormous amount of time, effort, and money to make sure that the feedback their applications give to users constantly, daily, minute-by-minute, is accurate. Because that's the only way they can make money.

Voting machine software is the only software I can think of that is specifically designed NOT to give feedback to the user. (Sorry, screen feedback at the time of the voting doesn't count.) Once the data is saved, the user never gets to look at it again. The only people who ever see the results are those who have no idea what the input was. THIS IS A HUGE BLIND SPOT IN THE PROCESS. The law does not allow this blind spot to filled since votes must be anonymous.

So any comparisons to cash registers (which give constant checkable feedback, even though they aren't software) or any other software at all are bogus.

I get acknowledgement of certain entries, but I don't know the "outcome" until I 1) received a correct amount of cash from the machine and, more importantly, 2) I received a printed statement.

By making the paper roll voter visible (but inaccesible to immediate tampering), the user is given feedback of the correctness of their vote *and* a paper trail is completed.

For individual data entry choices, a simple "You have select Chuthullu for Supreme Ruler. Is this correct? " would be sufficient.

For the initial start of the process, a "You are D. User, residing at 123 Pinko Lane, voting in District 1, Ward 1, Precinct 1. If this is correct, press Yes to proceed to your ballot. If this is not correct, press Cancel to reset this ballot."

At the end of the day (especially during initial phases of use) some auditing between the announcement of the election night returns and the promulgation of the official returns should be satisfactory.

I'm simply not going to be a Black Box luddite. I'm just going to be your basic Royal Pain In The Ass That's Not In The Signed Off Requirements" sort of person I am in every day life.

And I think the requirements must provide for a hard copy audit trail, verified visually by the voter. I don't think the audit paper should be seperate from the user verification, which precludes giving them a copy.

It would be trivial to print one thing to the external tape and another to the internal, although this could be made more difficult on the hardware level by driving two identical printers off a single datastream.

...is to create a voter verified paper hard copy (ballot) of the voter's true choices.

To just print a tape that the vote does not see is not VVPB, although certain vendors and officials have tried to imply it is the same thing.

ALL voting systems should produce a voter verified paper ballot, whether the voter marks a ballot, or the machine prints out the voter's choices that the voter verified and leaves in a secure ballot box.

VVPB is never, ever a separate item that the voter does not get to verify. That's why we say, "voter verified paper ballot."

The next problem, is making sure the systems are audited to the extent that auditing can beging to catch irregularities.

Overarching all of that, is the fact that most of these machines have horrendous failure rates, of one sort or another. VVPB or not, the voter's don't get to vote. Given that, every polling place should have paper ballot backups for people to vote on- and if they have those backups, why not vote on paper in the first place?

Also keep in mind that the big vendors and overseers of the voting industry seem to be doing their level best to keep the new, VVPB competitors out of the market. These guys might have better and more reliable equipment, but we'll never know.

"Given that, every polling place should have paper ballot backups for people to vote on- and if they have those backups, why not vote on paper in the first place?"

Chuckle. Of course. It's just too obvious. Why go to all the trouble of having a computer print out backups that must be kept for future counting when you can just have the papers in the first place and forego the computerized record?

Basically, if we use VVPB properly, there's no reason to have the electronic vote... at all. Too easy a solution. We must keep at it until we figure out something more complicated.

...we still have the electronic count to deal with.

Either way, VVPB DRE, or non-DRE, we've got to audit those paper ballots.

Anybody with a BSCS learned to write code that will run correctly the first time, every time, but since it's a pretty unworkable model in a commercial production software environment we all forgot it very quickly unless we decided to be research computing scientists. Voting software wouldn't be complicated, it would be really, really, really important, so the methods of Dijkstra et al are applicable. So, yes, we can have error free software. We just have to be willing to pay the price. And it does not involve testing, just someone with the right qualifications that we trust to review the proof and insure that the code so provided (and only that code) is what's compiled. I suppose that would have to be a team of such folks so that each constituency gets to feel protected.

And what's the big deal about paper ballots, anyway? Analog prestidigitation far predates any kind of digital legerdemain. If I can levitate a woman and saw a man in half, changing a few pieces of paper in a box should be child's play. Any decent illusionist can build a box into which you and 99 friends can put ballots all marked with an X, that you can watch ublinkingly for 6 hours, and from which will (seemingly) be removed the 100 (seeming) original ballots with an O on each of them.

The only way I see around that one is to forgo the 'secret ballot'; some way that I can find the piece of paper that purports to be mine and compare it to one that I know represents my original act and confirm whether the two still agree. I can think of a few ways to do that, but all require trusting a machine. Conundrum.

I do go on, and that's probably enough.

If the source code is reviewed and approved, the voting machine company can still say they found a bug they need to fix immediately before the election or else the election will be a disaster.

How many election officials would say no to that?

If the code is written with the full force of proof of correctness (something never done in commercial software) the vendor will have to show the reviewing committee an error in the proof, not just clarim a defect in the code.

You can apply good computing standards and theorys all day to this and it won't make enough difference in the end. Help? Yeh, a little.

There is no way, currently, to insure that the code in the machine is the code that was approved.

There is no way, currently, to insure that code remains the same after it is compiled. Learned about a little term called, "Malicious Compiler," from Dr. Barbara Simons.

Code is never, ever, totally bug free.

Programs have back doors- it's common practice and they have them even when you don't think they do. Witness the Linux back door.

We don't have computer professionals using this equipment. Most of them, as Bev stated, think they are "programming" the computer when they create a ballot form.

Even the most marvelous code in the world is tainted once it leaves the hands of its originator.

Computer voting eliminates one of the basic tenents of democracy- that ALL can participate in every aspect of it. People control democracy, not machines. People have to be able to do more than vote, they must be able to particiapte in the process ALL the way through. Machines can assist but they can never take over those functions. We have to have manual, random audits. It's part of the check and balances system of our country. We have to have paper ballots, we must have a verified vote on paper that we can use as a check and balance on the systems that are only supposed to assist us- not become the totally self-contained election judge.

Yes, we should improve code any way possible. But we cannot eliminate the checks and balances in voting. We have to have an independent means of auditing the performance of these systems, a voter verified paper ballot and the laws that mandate the auditing.

There is a whole lot of could, should and would. The bottom line is, there is no money for that kind of research and development. Congress was too busy being lobbied by the defense industry to pass legislation that people think mandates them to buy machines before ANY OTHER PROVISIONS of the HAVA Act have been carried out, in effect, negating those provisions. Once the money is spent, the states have their hands tied, so the rest of the Act is a moot point. Sorry, no can do now.

HAVA should be repealed, but Congress probably won't go there when you have the Jim Dickson's of the world claiming they speak for the disabled.

Meanwhile, whatever happended to that lawsuit against Diebold and the National Federation of the Blind over the ATM's? Is NFB still getting a million (?) a year from Diebold?

There is a lot of good stuff in this thread.

Can an administration that condones, encorages, and/or covers up torture, rape, and murder in Iraq be trusted with electronic voting machines?

I don't think so.

:kick: