What's wrong with VVPAT? Is Holt good enough?

What's wrong with VVPAT?

Imagine you've been called to give testimony before the Carter-Baker Commission.

You're being asked to describe a method employing Paper Ballots. You're told that Holt's Bill, HR 550, has been called the "Gold Standard". But, would you describe it that way? Would you recommend it's implementation? Or, would you want to see it modified in some ways?

There's much to like, and little not to.

1. A paper record is produced, but not in the case of machines designated for use by the disabled. And how will you "designate" the disabled anyhow? I thought the ADA does not permit that.

2. Audits are mandatory, but are the audit criteria adequate?

3. Software has to be "open". IT Pro's...will that safeguard the system?


What would make the Holt Bill better?


Here's the Holt Bill HR550 Summary Page:
http://www.govtrack.us/congress/bill.xpd?bill=h109-550

Here's the text version:
http://www.govtrack.us/congress/billtext.xpd?bill=h109-550

Here's the pdf:
http://www.govtrack.us/data/us/bills.text/109/h550.pdf


On reply #2 I'll post some excerpts.


In order to save our scroll fingers, please post replys to post #1.



What would make the Holt Bill better?

Election Community Testimony & Position Statements
http://vote.nist.gov/ECPosStat.htm

Submit a position statement
[email protected]

Written comments to the Technical Guidelines Development Committee (TGDC) are posted here chronologically. In addition, NIST held Public Hearings on September 20, 21, and 22, 2004 to gather data and information relative to the work of the Technical Guidelines Development Committee. The oral and written testimony from those hearings is posted here as well:

TGDC Public Data Gathering Hearings: Oral and Written Testimony (9/20-22, 2004)
http://vote.nist.gov/TGDCagendatestim.html


More discussion about it here:
http://www.democraticunderground.com/discuss/duboard.php?az=view_all&address=203x361325#top

‘‘(2) VOTER-VERIFICATION AND AUDIT CAPACITY.—

‘‘(A) IN GENERAL.—

‘‘(i) The voting system shall produce or require the use of an individual voter-
verified paper record of the voter’s vote that shall be made available for inspection and verification by the voter before the voter’s vote is cast. For purposes of this clause, examples of such a record include a paper ballot prepared by the voter for the purpose of being read by an optical scanner, a paper ballot prepared by the voter to be mailed to an election official (whether from a domestic or overseas location), a paper ballot created through the use of a ballot marking device, or a paper print-out of the voter’s vote produced by a touch screen or other electronic voting machine, so long as in each case the record permits the voter to verify the record in accordance with this subparagraph.

‘‘(ii) The voting system shall provide the voter with an opportunity to correct
any error made by the system in the voter-verified paper record before he permanent voter-verified paper record is preserved in accordance with subparagraph (B)(i).

‘‘(iii) The voting system shall not preserve the voter-verifiable paper records in
any manner that makes it possible to associate a voter with the record of the voter’s vote.

‘‘(iv) In the case of a voting system which is purchased to meet the disability
access requirements of paragraph (3) and which will be used exclusively by individuals with disabilities, the system does not need to meet the requirements of clauses (i) through (iii), but shall meet the requirements described in paragraph (3)(B)(ii).


‘‘(B) MANUAL AUDIT CAPACITY.—

‘‘(i) The permanent voter-verified paper record produced in accordance with subparagraph (A) shall be preserved—

‘‘(I) in the case of votes cast at the polling place on the date of the election, within the polling place in the manner or method in which all other paper ballots are preserved within such polling place;

‘‘(II) in the case of votes cast at the polling place prior to the date of the election or cast by mail, in a manner which is consistent with the manner employed by the jurisdiction for preserving such ballots in general; or

‘‘(III) in the absence of either such manner or method, in a manner which is consistent with the manner employed by the jurisdiction for preserving paper ballots in general.

‘‘(ii) Each paper record produced pursuant to subparagraph (A) shall be suitable for a manual audit equivalent to that of a paper ballot voting system.

‘‘(iii) In the event of any inconsistencies or irregularities between any electronic records and the individual permanent paper records, the individual permanent paper records shall be the true and correct record of the votes cast.

‘‘(iv) The individual permanent paper records produced pursuant to subpara-
graph (A) shall be the true and correct record of the votes cast and shall be used as the official records for purposes of any recount or audit conducted with respect to any election for Federal office in which the voting system is used.


(b) ACCESSIBILITY AND VOTER VERIFICATION OF RESULTS FOR INDIVIDUALS WITH DISABILITIES.—

(1) IN GENERAL.—Section 301(a)(3)(B) of such Act (42 U.S.C. 15481(a)(3)(B)) is amended to read as follows:

‘‘(B)(i) satisfy the requirement of subparagraph (A) through the use of at least one direct recording electronic voting system or other voting system equipped for individuals with disabilities at each polling place; and

‘‘(ii) meet the requirements of paragraph

(2)(A) by using a system that—

‘‘(I) if strictly electronic, physically separates the function of vote generation
from the functions of vote verification and casting,

‘‘(II) allows the voter to verify and cast the permanent record on paper or on
another individualized, permanent medium privately and independently, and

‘‘(III) ensures that the entire process of voter verification and vote casting is accessible to the voter.’’.


(a) MANDATORY AUDITS IN RANDOM PRECINCTS.—

(1) IN GENERAL.—The Election Assistance Commission shall conduct random, unannounced, hand counts of the voter-verified records required to be produced and preserved pursuant to section 301(a)(2) of the Help America Vote Act of 2002 (as amended by section 2) for each general election for Federal office (and, at the option of the State or jurisdiction involved, of elections for State and local office held at the same time as such an election for Federal office) in at least 2 percent of the precincts (or equivalent locations) in each State.

(2) PROCESS FOR CONDUCTING AUDITS.—The Commission shall conduct an audit under this section of the results of an election in accordance with the following procedures:

(A) Not later than 24 hours after a State announces the final vote count in each precinct in the State, the Commission shall determine and then announce the precincts in the State in which it will conduct the audits.

(B) With respect to votes cast at the precinct or equivalent location on or before the date of the election (other than provisional ballots described in subparagraph (C)), the Commission shall count by hand the voter-verified 16
records required to be produced and preserved under section 301(a)(2)(A) of the Help America Vote Act of 2002 (as amended by section 2) and compare those records with the count of such votes as announced by the State.

(C) With respect to votes cast other than at the precinct on the date of the election (other than votes cast before the date of the election described in subparagraph (B)) or votes cast by provisional ballot on the date of the election which are certified and counted by the State on or after the date of the election, including votes cast by absent uniformed services voters and
overseas voters under the Uniformed and Overseas Citizens Absentee Voting Act, the Commission shall count by hand the applicable voter- verified records required to be produced and preserved under section 301(a)(2)(A) (as amended by section 2) and compare its count with the count of such votes as announced by the State.

any bill that has the "voter verified paper ballot" language...will die. Apparently it turns DRE's into ballot marking devices. OK I'd go for that.

And yes, turn the DRE's into ballot markers.

makes no sense

maybe such a bill will die, but SO WILL THE BILLS WE HAVE. None of them will pass or even come to a vote, in all probability. so the argument that an opscan bill or a VVPB bill or a NO-DRE bill would fail is completely MOOT. It's a senseless excuse to not propose a real bill that would make a difference.

That's from "Invisible Ballots". ;)

Speaking as a person who has done an election audit and continues to do election auditing, some observations based on direct experience (at least as to how Holt would play out in my state).

Please note, this bill is not deceptively titled. It's called the "voter confidence" bill of 2005. If passed, it will succeed in creating more confidence. No one ever said it would create more accuracy and integrity, but it will be the feel good bill of the year for some.

Let's see:

1. Holt roughly says VVPA "shall all be preserved LIKE other paper ballots are preserved within such polling place;"

... and that Equals =
LOCK 'EM UP AND THROW AWAY THE KEY, THEN SHRED THE DAMN THINGS AT 22 MONTHS JUST LIKE BALLOTS PER FEDERAL STATUTE, WHICH JUST HAPPENS TO BE TWO MONTHS PRIOR TO THE NEXT FEDERAL ELECTION, EVEN THOUGH HISTORICAL RAW DATA WOULD BE INVALUABLE TO RESEARCHERS. But few know this except for geek researchers meeting Australopithecus officialus electorus, a special subspecies of bureaucrat.

2. Holt says "In the event of any inconsistencies or irregularities between any electronic records and the individual permanent paper records, the individual permanent paper records shall be the true and correct record of the votes cast."

... and that Equals =
IF THE NEARLY IMPOSSIBLE HAPPENS AND YOU GET ACCESS TO THESE RECORDS, GOOD LUCK ARGUING THAT YOUR COUNT IS BETTER THAN OUR SOS-CERTIFIED, OATH-ADMINISTERED, OFFICIAL COUNT PRIOR TO CERTIFICATION OF THE SAME. LIKE BALLOTS, THESE RECORDS ARE GOVT PROPERTY TO BE TREATED LIKE SACRED RELICS, YET NOT TRULY USED OTHER THAN AS APPROVED BY THE CHURCH-GOVERNMENT.

3. Holt says These records "shall be the true and correct record of the votes cast and shall be used as the official records for purposes of any recount or audit conducted with respect to any election for Federal office ..."

... and that Equals =
YEAH, YEAH WE'LL LET THESE BE USED ONLY IF YOU HAVE ENOUGH DOUGH FOR A RECOUNT AND ONLY IF THE SHENANIGANS IN THE ELECTION WERE ONLY ENOUGH TO KEEP THE ELECTION WITHIN RECOUNT TERRITORY. ALSO EVEN THOUGH STATES WOULD HAVE TO FOLLOW OUR LEAD TO USE THESE VVPR'S AND THEY WOULDN'T HAVE TO BE USED AT ALL IN NON-FEDERAL ELECTIONS WHICH ARE MOST ELECTIONS.

4. The Holt bill says: "Not later than 24 hours after a State announces the final vote count in each precinct in the State, the Commission shall determine and then announce the precincts in the State in which it will conduct the audits."

... and that Equals =
AFTER THE GAME IS OVER BECAUSE THE TOP STATE ELECTIONS OFFICIAL HAS ANNOUNCED A FINAL COUNT, A 2% AUDIT WILL BE IDENTIFIED FOR FEDERAL ELECTIONS, TO BE PERFORMED BY THE INCUMBENT ADMINISTRATION'S EAC REGARDLESS OF WHETHER THE PRESENT ADMINISTRATION IS SEEKING RE-ELECTION OR NOT. WITH ANY LUCK AT ALL, PRESIDENTIAL ELECTORS WILL BE CERTIFIED BEFORE THE EAC EVEN GETS AROUND TO FINALIZING ITS RESULTS.

Question: WHERE'S THE 'GOLD STANDARD' PART OF THE BILL? Where's the openness part? the independent auditors? the citizens' rights?

i haven't read it all but i don't see that much there, and what i do see is the Feel Gold bill of 2005.

And there's quite a bit of state legislation on that, though I haven't reviewed any to know if it's for better or for worse. I suspect the latter with decreased access and increased costs, at least.

Dial up "recounts" on this page:

National Conference of State Legislature - State Legislative Directory
http://www.ncsl.org/programs/legman/elect/elections.cfm


As for the "Gold Standard", I think it was given to say that it was the most thorough bill with regard to it's treatment of the technology. Which it is. For what that's worth.

that basket. Although Gregoire succeeded in Washington (subject to an election contest now) the availability of a recount process is somewhat akin to the availability of US supreme court review should someone else wrong you (in a federal way...). it's there, it's possible, it's difficult and hazardous....

That's why I want to watch the changes proposed to recount law. My fear is that, for one, they'll be "priced" out of reach.

legislation is a bad idea:

Secret vote counting is already illegal; to pass legislation to "fix" an insecure system that is already illegal

1.)in effect legitimizes it, and

2.) we run into the problem of passing laws that impair an existing contract, which is not allowed by the constitution, which then places us in a position of the voting systems companies being able to sue us for impairment of contract, so we have to buy our democracy back from them after they stole it from us.

So sue them on the grounds Land Shark has; that their contracts are void from the beginning because they are illegal, because secret vote counting is illegal, etc. etc. all the other reasons in Land Shark's lawsuit why their contracts are illegal.

which penalize voters. It's good to hear arguments against the possibility of tampering, but there's the additional arguement that DREs are not conducive to a smooth operation of an election when compared to my preferred option, a tabulator system with a voter marked ballot. Why?

1) DREs WILL CAUSE VOTER WAITS AND LONG LINES Let's say it's a complicated election like the ones California has with many ballot initiatives. It takes a voter 5-10 minutes to vote a ballot on a DRE. DREs are not cheap (let's say $4,000 each) so a county will not have a lot of spares. 5 DREs at a precinct, 5-10 mins per voter, 30-60 voters per hour processed. Backlogs during peak periods, voters give up in disgust. NOW compare this to tabulators. One tabulator at a precinct, $5000 each. The day starts with 5 voting booths ($50-$100 each, cheap, yes?) same situation, 5-10 mins per voter, 30-60 voters per hour processed. The election officials call the county, "we're swamped, people are waiting!" County mis-estimated, but they recover and bring out 15 extra spare voting booths. Now 120-240 voters are being processed an hour. More are possible with extra cheap booths.

2) OH NO, THE POWER'S OUT! DREs have backup batteries as do tabulators. But what happens in a prolonged power outage at a precinct? Pat of a County? Or countywide? If a tabulator battery goes out there's a reserve ballot container on the side of the ballot box where these ballots go until power is restored. Then ballots can be run through the tabulator. The important part is that voting can continue as normal in a power outage. With DREs the only option once battery power is gone is to have election officials rush out with a jerry rigged ballot box and paper ballots from photocopies. Not the best for election security.

3) OH NO, WE WERE HIT BY LIGHTNING AT 7:45 PM AND THE ELECTION EQUIPMENT IS DEAD! The memory gets fried on the DREs at a precinct and the data is probably lost forever. Those votes are gone! Same thing with a tabulator memory card, but the paper ballots are still in the ballot box and can be rerun on another machine. All is not lost. Slim odds on this scenario? Well, in NC in 2004 a situation occurred in NC where the votes were lost in one precinct and th state ag race was close enough that that precinct would make the difference between the winner and the loser. It can happen.

4) ELECTION OFFICIALS WILL BE FACING PROBLEMS WITH DREs Not every county goes out and sets up precinct equipment. This is normally left to volunteer election officials who are likely to be in their 60s or 70s. Tabulators can be complicated. DREs can be beyond complicated with setup.

I saw a count (perhaps from the late '90's) that said there were 192 THOUSAND precincts in the nation.

Even 1 DRE in each precinct suggests there will be a lot of trouble, and/or a lot of expense minimizing it.

that some precincts tested in the primaries (Lucas County did) -- believing that they would SHORTEN vote time from punch card machines/optical scan machines. If the reality of DREs is a longer time at the machine -- it wasn't anticipated by the Ohio SOS or govenor.
http://www.portlandphoenix.com/features/other_stories/multi1/documents/04258174.asp

But Republican governor Bob Taft and Blackwell did prepare: they reduced the number of polling places, ensuring long lines.

As noted above, the state had been anticipating the purchase of DRE machines, which are both more expensive and — at least in theory — quicker. That meant, according to Blackwell, that counties could make do with fewer machines without affecting the lines, and fewer faster machines meant that counties could merge small precincts together to share them. The Republican-led legislature helped encourage precinct consolidation by raising the maximum allowable number of registered voters per precinct. So, some counties merged their polling places, cutting as many as 48 percent in some cases.

When the state suddenly nixed the new machines, those counties were left with fewer polling places for more voters, with the old slow machines, and about the same number of poll workers. Erie County consolidated 101 precincts in 2000 into just 62 this year. As a result, the average number of voters per precinct in Erie nearly doubled, from 355 to 640.

"Our county was in a budget crunch," says Ruth Leuthold — Republican — director of the Crawford County Board of Elections, which went from 67 precincts to 46. "We did it due to budgetary reasons, and to go to electronic voting."

So here's the short version:

Open software does NOT protect the election from deliberate or accidental misconfiguration of the DREs by administrative users of the election management system (commonly referred to by its misnomer, the "tabulator").

Ballot, race, jurisdictional and all other definitions including straight party and preference (i.e. open primary) controlling races, which control the votes of other races on the ballot MUST be audited by trained bi- or multi- partisan observers before the election data is downloaded to the DREs or Optical Scan voting systems. This is especially important where straight party and preference races are illegal. Only 17 states allow straight party voting; I do not know how many allow open primaries. Since election management system software is generally not state-specific, it is essential to audit its configuration to prevent exploitable and/or illegal features from being implemented in order to alter the results of the election in advance.

I'm sure others will raise the VVPAT post-election auditing issue, the disabled voter access issue, and the preference for paper ballots that are hand marked and therefore inherently voter-verified.

Being opposed to DREs for many reasons at this point, I can only suggest that if disabled voters insist on using them even after being given all the facts, that these machines produce paper audit records that must be 100% hand counted so that the DRE is simply an expensive touch screen ballot marking assist device (i.e., accessible vote casting device) rather than a vote counting device. Anything less would disenfranchise the disabled by making their votes inherently less verified.

because

a) People check their optical-scan ballots. People can theoretically check the ballot printed by a DRE with VVPAT, but most don't.

b) It's cheaper to buy one optical-scanner then numerous DREs. That means shorter lines for voters per dollars spent, when optical scan ballots are used.


Regarding the handicapped, they can fill out an optical scan-ballot with the help of the AutoMark.

More on the AutoMark here:
http://www.moveleft.com/moveleft_essay_2005_01_18_voting_rights_tuesday_i_went_to_a_demonstration_of_the_automark.asp

Ideally, every ballot would be hand-counted.

to the same extent they check their paper receipt after self-scanning their groceries (little)

the care being taken with the input (scanning or typing in grocery prices), most people don't care to do the double check on the paper. Those that do, tend to do it in the car or at home, but then it's too late (for voting, but not for groceries)

What evidence is there that a majority will check their DRE paper record?

Also, with less famous races, a voter may not remember who or why they chose in a particular race, thus it will create confusion as to those races where the voter was more or less choosing out of a hat and doesn't remember which rabbit they pulled out.... then asks for assistance from the pollworkers, etc.

MOST IMPORTANT: this process of checking and amending admits and provides a process for assumed 'correction'. Yet getting something different to print doesn't have to mean that something different was SAVED. In the end, either a process that is very full of error, or eles a fraudulent process, can send through lots of printouts with scattershot errors, and surely some of them are going to get through.

Therefore, whatever rate of true VOTER error we have is *amplified* by an *additional* rate of machine error or fraud, some of which necessarily is not caught by the VVPAT process.

Any voter who did not check the paper audit trail would be in the same position as a voter who did not check the review screen on a paperless DRE.

By using a "default to Bush" configuration on the machine, a fairly predictable percentage of fraudulent votes would filter through without being caught by the voter. These fraudulent votes could not be caught even on a recount since the paper audit trail would reflect the incorrect vote just like the DRE did.

With opscan ballots marked by hand it is impossible for anyone to program or configure a default.

Bill Board has reported OpScan does have some vulnerabilities including how it's configured to read undervotes.

He says, too though, that a "Test Deck" could be used to check the machine ahead of the election.

http://ideamouth.com/floridacounties.htm

There needs to be a way in order to ensure the ballots are tabulated correctly. Random hand count precinct ck??

what would make Holt's bill better.

VVPAT systems are only a very small improvement on DREs without PAT printers. Why? Isn't it obvious? The paper just sits there and is never counted. The DRE could still very easily cast the wrong vote and no one would ever know. Sure, the printouts come in handy when there's a recount, but when was the last time there was a recount?

Recounts only happen when the results are very close. So basically that means if they steal it by a lot, they have a better chance of not getting caught.

I don't think people realize how easy it would be to make a DRE machine cast a vote for "A" and print a receipt that says "B". It's actually no more difficult than casting the correct vote. One line of code. So if you voted for "B" you to see your "paper record" that says "B" on it, but you have absolutely no idea what the machine told the system your vote was, and that's the one that really counts.

They should call that piece of paper, a "recount ballot" to accurately describe what it is. It has nothing to do with the real election, it's only there to ensure your vote is correct if there is a recount.

In regards to Holt's bill and the mandatory audits, I agree, they are certainly better than having no audits. Having paper trails and no audits is absolutely ridiculous. It's almost like a slap in the face to the voter, saying "here's who you voted for... we don't care what it says unless there's a recount."

But I believe that even with the 2% mandatory audit, this is inadequate to ensure the accuracy of the DREs. There is a problem in ensuring that the audits are selected randomly. We saw problems with randomness in the Ohio recount, as we know. Several parts of the recount were supposed to be randomly hand counted, and they clearly weren't. It was illegal, but they got away with it.

The real point is, that we shouldn't be relying on recounts, or audits, or randomness to ensure the sanctity of our democracy. Any legislation that aims to fix the loopholes and problems with our election system should focus on getting the first count right. I shudder at the thought of leaving up to 98% of the votes completely unverified, particularly in light of what we've seen in the last election. Why can't they just count the actual votes, the ones that have been verified by the voters? It's not that hard and the technology is readily available.

In case you haven't seen it, I wrote an article explaining the differences between Audit Trails (also called paper records) and real ballots, which sheds some more light on your question. There is an illustration in the article that shows why VVPAT systems still allow DRE machines to easily cast the wrong vote without anyone knowing.

Here's a link to the article, published on Free Press:

http://www.freepress.org/departments/display/19/2005/1201

To answer the second part of your question - how could Holt's bill be better...

The answer is simply, "count the votes." The piece of paper that the voter verifies should be actually counted in the first count of the election. If you really love techology and computers, then use a scanner to count the ballots. I'd like to believe there are ways to make opscan systems safe and I know of a few that have been discussed. One thing I know, all the experts agree, DRE systems are much more open to fraud and manipulation. It should be obvious. Modems and internet aren't really the issue, because anyone can walk up to a voting machine, appear to be voting, and who knows what they're doing? They are tapped into the system. As Dr. Avi Ruben, one of the country's leading experts on computer security has stated, a teenager could manufacture "smart cards" on their home computer that could enable people to vote multiple times on a DRE. And Clint Curtis and others have explained that there could be hidden keys on the touchscreen enabling all kinds of things.

Opscan systems do not allow the citizen such access to the voting system. They also ensure that the piece of paper verified by the voter is actually used in the first count of the election. To me that would certainly be an improvement over a piece of paper that really is meaningless unless there is a recount. I want to get the first count right, not rely on recounts and audits.

Opscan systems are far cheaper anyway. I see no logical reason why all these BOEs are going for DREs.

One thing I will say about Holt's bill, at least it doesn't call itself the "Count Every Vote Act" like Hillary's. To me, that is not only an insult to our intelligence, it is misleading, if not simply an outright lie. It does not require in any way that all the votes be counted. Like Holt's it only call for 2% of them to be counted.

As far as I can tell Holt's bill doesn't have any misleading language like that. It is pretty clear what it calls for. I just think it falls short in fixing our broken democracy, because VVPAT systems only achieve one thing - making a recount possible. They do not ensure the accuracy of the first count, which is much more important.

Gary

------------------------------------
the solar bus
ELECTION JUSTICE CENTER
your home for updated information on the fight for democracy in America
http://election.solarbus.org
------------------------------------

If every voter checked the printed ballot, it would be different.

But the fact that most didn't in Nevada in 2004 supports what you wrote.

to my knowledge, none of the paper receipts were checked. there were no audits, and there was not a recount. we have no idea if any of the DRE machines cast the correct vote. this is eactly why VVPAT systems are ineffective at ensuring the accuracy of the first count.

I heard about nevada, do you have a link on that fact?

Have you seen www.votersunite.org (April 7 lawsuit) both Nevada and this lawsuit concern sequoia.

I may be the only one, or one of only a small handful of people outside voting companies and elections officials that know this:

Nevada has a case law rule that nothing except the ballot can ever impeach the ballot. So at the very least that creates substantial risk that any use of the vvpAT would be struck down in nv, particularly if the recount authorization is by administrative regulation, and even if by statute, statutes in derogation of the common law are construed strictly, meaning that the whole process would be attacked in court.

It's something I read several months ago, which an elections observer from another state who watched the Nevada voting observed.

Unfortunately the analogy of a chain's weakest link applies here. It is highly probable that we will achieve some improvements in the system but leave at least one weak link that can be exploited.

Here is a chain designed to achieve transparency and verifiability. Every link in this chain has got to work or else the goal is not met:

• A paper ballot that is verified by the voter


• An unbroken and verifiable chain of custody of the ballots


• A system of multi-party observers (where we can be sure the observers are not ringers and are not inept) to guarantee the chain of custody and other steps in the process


• A truly random audit process (where we explicitly define what is meant by random for those who have difficulty understanding the word)


• A right of any citizen to inspect and count ballots upon request and at nominal cost, if any


• Posting of the precinct-level official vote count of every precinct in the country so that citizens can verify the count in their own precinct and then see that the roll-up of individual precincts into the statewide totals is accurate


• A right of any citizen to challenge the count based on inspection


• A time-line that permits the audit and citizen inspection and challenge rights to be substantive rights that are taken into account before the result is final

if your list is outlining how to make a DRE/VVPAT system secure, please be aware, the paper printout on a DRE machine is not a ballot and should not be called a ballot. Ballots are only ballots if they are actually counted. The prinout on a DRE is usually called a VVPAT or a paper record.

But I love your list. One would think these things would be assumed in a democracy but obviously we have a lot of work to do to achieve open and fair elections in our country.

I agree totally with everything you say.

My list was intended more as a way to make paper ballots with precinct opscan a more secure system.

I think of this approach as a compromise that may realistically be the best we can do.

The best system would be paper ballots counted by hand. The ballot box, including its contents, would be observable both by interested citizens and by partisan observers for the entire time from when it is empty at poll opening until the count begins immediately upon poll closing. The counting process would be open and witnessed and the results would be immediately posted. The statewide result would consist of a list of the precinct results so that any citizen could verify the roll-up of the precincts into the state totals. This system is almost foolproof due to its simplicity and transparency.

The opscan approach, even if every item on my previous list is implemented, is still less foolproof because it is more complicated. Every complication that is added to the system makes it more likely that fraud can sneak in.

In particular, there is a serious risk, if not a certainty, that the opscan count would become presumptive and the hand counting of ballots would be either thwarted or ignored. Especially given the legal atmosphere in some states where it is dubious to even claim that we operate under the rule of law.

Regarding touch-screens, the only way they should be used is as ballot markers, never as DREs.

I'm in Miami-Dade County and am hoping that the powers that be here will follow through on their recent discussions of throwing out the DREs. We seem to be ahead of the curve in terms of making every mistake that can possibly be made and (I can only hope) eventually arriving at a system that is fair and trustworthy.

PROBLEM WITH HOLT BILL:

It is federal legislation - If we can learn anything, it is that effective quality legislation will not come from the federal government. HAVA is a clear and shining example of what we can expect. From the first Carter-BS commission hearing, we know the RNC wants to centralize and federalize our community controlled election systems: centralizing voter registration, national ID cards, centralized secret electronic vote tabulating. They want to consolidate and solidify control of our elections while throwing us an appeasing bone of giving us a holiday for powerless voting? All I can say is: BEWARE!

There is only one true solution to our election fraud problem: hand counted paper ballots. Any bill that does not stipulate this is unworthy of support. Eliminate technology and you eliminate the potential for technical means making fraud easy, untraceable, and massive. Any bill that stipulates paper records, receipts, ballots, trails used only in the event of recounts or test mode machine audits is wholly naive and denies th reality that recounts were stopped in their tracks in Florida (2000), Ohio and New Mexico (2004). Can we learn our lessons here too, folks?

UNDERSTAND WHAT YOU ASK FOR!
Anyone who advocates Optical Scan electronic vote processing systems over DRE-based systems needs to do their homework. First, both systems rely on interpreting voter input to derive a data record purported to reflect the intent of the voter, which, in turn, is the actual "ballot" that is counted. Please get this: with any electronic vote processing system, the ballot counted is INTERPRETED AND DERIVED from voter input, it is NOT a paper ballot that is NEVER physically inspected by a human and NEVER gets counted. ALL electronic vote processing introduce BOTH hidden ballots AND secret counting. For those who think Optical scanning has the safeguards of a paper ballot, learn your lessons from history (no successful recounts). Paper ballots used to audit machines works securely only if audits occur in real-time production mode (during voting). An audit performed i "test mode" is useless and subject to wholesale deception.

IF YOUR STATE IS REALISTICALLY STUCK ON ELECTRONIC VOTING, INSIST on seeing your ballot that is counted (your unnormalized vote data record). Anything less is not only illegal, it is wide open to massive vote tampering, manipulation, and rigging. The ONLY solution to electronic vote processing is changing the structure of those systems as follows:

SUNSHINE VOTING PROPOSAL
Offer voters choice: vote by hand counted paper ballot or any of a variety of voting machines offered.

Count machine-cast votes directly from an unnormalized state-owned master vote database open for read-only public inspection and independent counting

All voting machines must provide a piece of paper, voter-verified at the time of voting, kept by precincts for vote error resolution and providing the voter and the master vote database with a ballot identification number as a paper tear-off the voter may choose to take with which voters may verify their data record that is counted.

Provide means (phone system, Internet, county level kiosks) and time (10 days) for voters to look up and inspect their data record that is counted.

Provide means for voters to challenge and correct their vote data record. Where voters identify errors, election officials will pull the voter's paper receipt, comparing the voter supplied ballot identification number and compare the paper record to the data record. It either matches or doesn't - easy!

Hand tabulate the number of paper records by precinct and publish the totals. This limits the opportunity for nefarious election officials to "stuff" the electronic ballot box (master vote database) with phony data-records.

Under this system, election officials reduce their exposure/opportunity to electronic fraud and simplify their jobs. Voting machine vendors are tasked with populating the state's master vote database accurately. If they fail to deliver accurate votes, they lose their contracts. Competition returns as a vendor constraint, and election officials are freed up to offer a VARIETY of voting options to the voter. This is because, with a sunshine, open, inspectable, independently countable voter-verifiable vote database that is counted, the voting machine becomes an irrelevant tool for fraud.

WHAT DO WE LOSE WITH SUNSHINE ELECTRONIC VOTE COUNTING?
Hidden ballots
Secret counting
Single source vote processing
Absolute vote anonymity

This Sunshine system does expose voters to the possibility for vote selling and demands to "reveal your vote to a 3rd party. This is a risk but it is an illegal risk. As a risk, it can be mitigated with voter education and states providing expedited and severe recourse for any voter subject to such illegality. When offering the voter the option to receive a ballot identifying number, inform the voter of its use, inform the voter it is illegal for anyone to ask see their ballot I.D. number, and provide a toll free number for voters who are subjected to any such request or demand, providing counseling and legal protection should protection be determined to be necessary. There's no question loss of absolute anonymity is a compromise and a risk. But, giving up a little anonymity, saves our election processes from massive manipulation. Its a trade-off but a small loss with a huge gain: we don't ban guns or bullets because people break the law with them; we vigorously prosecute the lawbreakers.

We must be vigilant and careful of what we ask for and where we compromise, especially when considering electronic vote processing.

This is mostly in general, not all is specifically only in response to HR 550. My $.07....

1) Call the paper a BALLOT, or have a clear clause making the "paper record" into the equivalent of a ballot (and specifying when and how). If there ends up being two "ballots" (the paper and the electronic "image" in the machine), clearly specify which ballot takes precedence and when. Certainly at minimum the paper ballot would have to take precedence (i.e. be the "ballot of record") in case of discrepancy, or in case of audit or recount.

2) In the case of the disabled, why CAN'T paper be produced? I have heard blind advocates say that they are not able to SEE the paper, well OK, but they CAN have audio read-back of it, just as they will have for an electronic "ballot". Either way (paper or electrons) they are going to have to have the same level of trust that the audio is reading them a true and correct version of their choices.

3) People checking (or not checking) the paper.... I think they could be highly influenced to check it if they had proper education and/or reminders from people at the poll. Warn them that if they do not check their vote, it may not be counted as they intend. (Contrary to popular belief, voters DO worry about this; I had one woman almost in tears at my poll in November because she was so worried that her vote would not be counted!)

4) People "forgetting" to deposit the VVPB in the ballot box before leaving... would not be an issue with proper warning that their vote may not be counted if they don't deposit their ballot. (see #3) Also a full-sized sheet of paper as opposed to a narrow scrap of printout tape would help with this, IMHO.

5) Unless DREs were totally outlawed, which is unlikely at this point, right now ANYthing requiring some kind of voter-verified paper to come out of DREs is better than nothing, IMHO. Talking and listening to many Election Directors, their minds are made up they are going to buy DREs. They will probably buy paperless unless somehow FORCED (legislation or public pressure) to buy machines which produce voter-verified paper. Actually strong public pressure might be our best chance given the time frame involved to the HAVA deadline.

6) If DRE is used (or even machine-counted optical scan) ABSOLUTELY some level of audit is needed. Two percent (HR 550) seems awfully, AWFULLY low to me, and I would like it to be a percentage of all jurisdictions, not a percentage taken at the state level -- would remove chance of the audit sample coming from only one area of a state.

7) Absolutely need precinct-level counting and posting of results under ANY system or any legislation. All other obvious reasons for this aside, my own personal reason is that I work all day in the poll and actually I LIKE knowing that the results of my long day's labor are taped to the door that evening for all to see -- and check up on!

I like everything you said except #1.

The printout on a DRE machine should not be called a ballot under any circumstances. It is not a ballot and it would only confuse the issue.

A DRE casts an electronic ballot; the paper record can be called a record, audit trail, etc, but it should not be called a ballot.

To call it a ballot would change the terminology that has been adopted by the legislators and the voting machine companies. They are consistent in not using the word "ballot" unless it is a real ballot that is actually counted.

To call the paper printout from a DRE a ballot would completely change the meaning of the word ballot and confuse the issue. People need to know that thing is NOT a ballot and the only way to get the idea across is to not call it a ballot. If we start calling that thing a ballot it will confuse people even more on this important issue.

There is wording in most of the bills that specifies if there is a difference between the electronic ballots and the paper records, the paper record takes precedence and becomes the "ballot of record." I think this is an accurate way to describe how the DRE/VVPAT systems are designed to work.

Seem to confuse the use and/or definition VVPT vs VVPB.

The lack of proper definition of "WHat is the ballot?" is problematic.

Holt says that in the case of irregularities, the "PAPER RECORD" shall be the pre-emanate record. If this is so--then Its not a VVPT it is "the ballot"---but you are only counting 2% of the ballots. That would be illegal. AS someone already said.

Also the Moot point is SOOOO big. Non of this crap is going to see the light of day in DC.

In NJ if we start Town resolutions Banning DRE;s--- use that as a stepping stone to County banning of DRE's. Eventually there will be no DRE's in NJ >Roj crosses fingers<

With DRE's banned--- why consider VVPT/VVPB legislation at the State Level or the national level.

NO 2% or 3% audit law will be an effective tool against fraud. If you have 100 precincts, & I commit fraud in 5---you get to pick (RANDOM=roll the dice) 2 maybe 3 precincts. I did this exercise at a local meeting 3 weeks ago, we did it 3 times, 3 times the fraud went un-audited. Thats 3 elections in a row--where fraud was not uncovered by the VVPT audit. The efficacy of an audit starts to get good around: 10% audit. At 25% efficacy is now relevant. If we are going to audit/count 25% of the so called paper--why not just count all of them and ship the DRE's back to the vendor, that will save untold 100's of millions of dollars nation wide.

>Roj starts making paper-mache DRE to burn in effigy<

a printout on a DRE is never called a ballot.

only if there is a discrpancy does it become the "ballot of record." that is a rare and unexpected outcome. under normal circumstances, that piece of paper is not a ballot and can't be called a ballot.

It makes complete sense to me. A ballot is the thing that gets counted. I think we should keep it that way and be consistent about it. If they start calling the printout on a DRE machine a ballot, I think that would be a sad day.

that's why Clinton's bill really irks me, the way it's called the "count every vote act." That is such a kick in the face.

you are completely right, that VVPATs with audits will not save our democracy. we need to hold on to that for dear life.



peaceout

http://www.freepress.org/departments/display/19/2005/1201

Problem is, if I understood Holt's office correctly, the Committee on House Administration U.S. House of Representatives are among those struggling with this very issue.

http://www.fec.gov/pubrec/cfsdd/eleccmte.htm


I don't know what the problem is. Perhaps they need only read your treatment of the matter.

I've got a feeling you've pressed the Fed bill's authors. But if you haven't...

it makes perfect sense to me.

A ballot can only be called a ballot if it is COUNTED.

Anything else can be called a paper trail , audit trail, paper record, I really don't care what they call it. Just don't call it a ballot because it isn't a ballot.

The legislation and the voting machine companies' literature seems to be in agreement with this. I just wish everyone else could get it. It's not that complicated.

I spoke informally with my own Secretary of State last week. Based on what he said, as I understand his current opinion, if law does not make the paper "trail" a ballot, the paper may not take precedence over the machine count even if there is a discrepancy between the two.

Exactly what good would the paper record be if it is not a ballot and the machine record takes precedence even if the two versions differ?

Exactly why CAN'T you legally have two forms of "ballots" with one being clearly specified in the law as the primary ballot and the other being clearly designated as the secondary ballot for use under specific circumstances?

IMHO if you call the paper a "ballot", voters will be much more likely to pay attention to it, and to deposit it in the ballot box on the way out of the poll. To most voters the term "ballot" really MEANS something. But a mere "record" is maybe something that used to play on a turntable (or something they reluctantly keep for their expense account), and a "trail" is someplace where they ride their ATV or horse.

I really want to verify my own paper BALLOT, to call it such, and to know it will be counted and used as intended!

Personally I have a much, much greater problem with calling the arrangement of electrons inside some DRE's computer chips a "ballot". To me that is a real leap of faith, and I don't have a whole heck of a lot of faith in DREs (without a paper ballot to back 'em up!)

would it automatically be cut and fall into a box co-located with each DRE?

I thought that the latter approach is what has been suggested.

Having a system that depends on the voter and the poll workers to remember to deposit each piece of paper would seem to introduce more chance of error. In any event the voter shouldn't be able to hold the piece of paper until after the vote is verified and finalized so I don't see the advantage of putting the paper into the hands of the voter.

and I don't think we should be using DREs. If we do then I think the voter should not touch the paper and it should drop into a box next to the DRE. That way you can be sure that any difference between the machine and the paper is not due to papers that were printed but didn't make their way to the ballot box.

But rather than using DREs, we should really use touchscreens, if at all, only as ballot marking devices. In that context then I think the voter should touch the ballot. It should be something like an opscan ballot and should be carried by the voter to the ballot box just like an opscan ballot.

Having seen a number of the different DREs in action at a Voting System Forum, my personal preference is to have a regular sheet of paper come out of the machine for the VVPB.

I do NOT like the rolls or tapes some of the manufacturers use. Even with supposedly trained salesmen (and women) operating the machines, they were a mess. In one case the tape flew out of the guy's hand and ended up unspooling all over the area. I can imagine myself as a pollworker trying to load one of those with a line of impatient voters waiting! And I can imagine a cutter jamming up (and with everything under glass, probably no easy way to get in there and clear the jam.)

The best way to insure that voters deposit the ballots is to print them on a paper that looks and feels important, and TELL the voters that if they don't deposit their ballot their vote won't count. THEY'LL DEPOSIT IT THEN, believe me!

All the above said, please remember that a VVPB also CAN be an Optical Scan ballot or a good old hand-marked piece of paper ballot. In areas where these are used, I don't think too many people come in and vote, then forget to deposit the ballot or turn it in to be scanned! (Think about it.)

I guess the choice between these two DRE/VVPB approaches is something I don't feel that strongly about and you make some convincing points.

As far as the various options at a high level, here's how I rank them from best to worst:

1. Hand marked paper ballot, hand counted
   
2. Ballot marker (touchscreen or other) with paper ballot, hand counted
   
3. Hand marked paper ballot with opscan counting
   
4. Ballot marker (touchscreen or other) with paper ballot, opscan counted
   
5. DRE with VVPB
   
6. DRE with VVPAT
   
7. DRE with no paper trail

One approach to legislation at the federal level (amendment to HAVA) would be simply to mandate a VVPB. That would disallow options 6 & 7 in the list. Each jurisdiction could then have their choice among options 1 through 5, all of which use a VVPB.

I just can't imagine that we will get a mandate at the federal level for total hand counting. It seems to me we could go for the VVPB amendment to HAVA and then try for full hand counting only in some specific locales (as pilots, sort of).

It helps clear up some distinctions for me.

But it muddies one. Number 5, DRE with VVPB.

Gary points out that the paper that is produced by a DRE is not a ballot unless counted. By that definition, both number 5 & 6, above, would be VVPAT, with #5 being distinguished by being Hand and/or OpScan Counted.

Perhaps Gary could help us with terminology to help differentiate between the two.

To my knowledge there is no such thing as a DRE with VVPB. I think the two are mutually exclusive. With DRE, the ballot is cast electronically. In order to have a VVPB, there has to be a paper ballot that is casting the vote. I don't see how these two can exist at the same time.

I agree that DRE with VVPB is a misnomer. Let's throw it off the list.

Is there only one form of paper produced by DRE-VVPAT?

Some schemas roll paper behind plexi-glass while others give a "paper record" to the voter that they deposit, if I got that much right.

Do you know about variations?

Let's say this bill passes and all DREs used in federal elections must have VVPATs. Then what? How do we get the voters to USE them?

A public education campaign is needed and this will cost money!

So I'd set aside some funding in the bill for public service advertisements with clever slogans to get voters to realize that:

a) if there is a recount or audit, their vote may not count unless they verify their paper record when the vote is cast;

b) the paper record IS the official count in such situations (even though we might want it to be official all the time);

c) there is no way to verify the machine count on its own.

In short, we need to teach people how to use these machines before the elections. Otherwise the VVPAT will be a waste of money.

At that time, I was naive enough to think that DREs could somehow be rehabilitated, like some sort of kleptomaniac, if provided with sufficient psychological counseling. Although now I think I was a bit too liberal about this, I think there are still some good ideas in here, if we MUST have DREs at all:

>>
I, and a number of other Internet activists, have been raising questions
about the manual random auditing and security requirements in H.R. 550
and other verified voting bills.

First of all, from where did the 2% manual random audit number originate
and why should we have confidence that this is sufficient to detect
counting fraud?

The 2% audit required by H.R. 550 could still result in up to 98% of all
precincts being un-audited in any independent way, even if discrepancies
are found in the initial 2% hand count. There is no requirement in H.R.
550 for any additional auditing in the event a discrepancy is found
in the initial 2% sample. Sec. 5, Paragraph (d) "Additional Audits If
Cause Shown", leaves this entirely up to the EAC. Would it not be better
to legislate some mandatory minimum requirements for additional audits
in the event of any (i.e., 1 vote or more) discrepancy in the initial 2%
sample?

Furthermore, what assurance is there that the initial 2% sample can
actually detect counting fraud in the first place?
Such fraud can take either of two forms at the precinct level:
a) as little as one vote shifted on many machines or
b) a larger number of votes shifted on fewer machines.

While a random 2% audit might be somewhat of a deterrent to tampering,
given the stakes, the lack of a requirement for follow-up in the law and
the possibility of tampering that could elude the auditors are still
grave concerns.

Also, I can find no provisions in H.R. 550 to detect fraud perpetrated
on central vote tabulators. Precinct totals may be 100% correct, but how
will we know that the precincts are tallied correctly at the county and
state levels? I would suggest mandating public posting of all precinct
totals so that candidates and citizen volunteers can add them up and
compare them to official tabulated counts to ensure that no fraud or
mistakes are made beyond the precinct level. Believe me when I tell you
that in light of recent events, there will be enough of us interested in
doing this as a public service (using basic Internet technology such as
web sites to tally and publish the results) that given the data from the
precincts, it will happen.

The bill says that "No component of any voting device upon which votes
are cast shall be connected to the Internet." But no votes are actually
cast on the central tabulators -- they are only counted therein.
Presumably the tabulators can therefore be exposed to Internet hacking
under this law. Not a good idea. This is a glaring deficiency in the
bill as currently written and I'm sure it is merely an oversight, given
the bill's intention to separate vote-casting and vote-counting
functions. Please fix this.

All security and auditing provisions affecting voting machines in this
bill need to be applied to tabulators as well.

H.R. 550 prohibits connection of voting machines (but not tabulators) to
the Internet, but what about the public switched telephone network
(PSTN)? Phone lines are generally considered to be secure, but we have
seen evidence of tampering and jamming of phone lines in several states
in connection with elections. In the state of Hawaii, the Carlyle Group,
with well-known ties to the Bush family, will actually purchase the
local telephone company from Verizon. Such a purchase would make
confidential phone records, including the phone numbers used to connect
voting machines and central tabulators, readily available to those with
political agendas who happen to have ownership interests in
telecommunications providers such as in Hawaii. I leave it to you to
determine how to regulate or control this legislatively without
restraining free trade and property rights, but it would seem that
connecting voting machines and tabulators via privately owned telephone
networks is neither a secure nor an impartial way to facilitate vote
counting.

With respect to source code, public disclosure is fine, but in addition,
there should be digital signatures applied to all application software
on every machine with a requirement for election officials from both
parties to verify its authenticity immediately before, during and
immediately after each election, including early voting days, which are
yet another security risk in many states and have now been proposed at
the federal level. This type of real-time software authentication is
used for such mundane purposes as secure credit card transactions via
the Internet all the time, so why should it not be applied to something
as important as our national vote-counting software? Trust but verify!

Digital signatures can be used to verify both the code itself, and the
identity of its author (usually a company) beyond doubt, and detect any
changes to the code that may have occurred. Without this relatively
simple safeguard, the integrity of the vote tallying software is only as
good as the intentions and abilities of those charged with safeguarding
it. More protection is needed.

I hope you can answer these points and that Congressman Holt and the
other co-sponsors will consider strengthening this bill to reflect the
true nature of the threat to our democracy posed by secret privatized
electronic vote counting. If the experts you've been consulting on this
haven't raised or resolved these issues, may I respectfully suggest that
you seek advice from some additional experts.

The concealed nature of the counting processes in effect in the last
election have already become the subject of numerous legal actions, and
more are on the way. With increasing public awareness of computers and
computer related fraud, the electorate will have no confidence in and
will not tolerate an electoral process without adequate safeguards and
transparency.

Thank you for taking the lead on this issue and thank you for your time
and attention. I look forward to hearing from you.
>>

Dude--when this dries, you got a match --- right?

Faux elections are a form of taxation without representation. But we digress...

Anyone wishing to learn more about DRE security threats should also read the RABA report, prepared for the state of MD.

Although these are ex-NSA guys, they totally ignored the server side of the e-voting problem. I.e., they did not look at the tabulators, which are also the election management systems used to program the DREs before each election. Some of the hacks they describe can actually be multiplied and propagated throughout a jurisdiction by doing them on the server side, instead of on the DRE itself.

They did find some problems with DREs that should be addressed though and they also reviewed the findings of two previous reports which was helpful.

See: <http://www.raba.com/press/TA_Report_AccuVote.pdf>

Its possible for touch screen software to produce a paper record like the voter desires but cast a vote otherwise- easily done; there needs to be method to prevent this

Just having paper record doesn't accomplish anything unless there is a hand recount, or some type of method for verifying that the cast vote is the same as the paper record. This is likely hard to accomplish. Touch screens are extremely hard to insure to be accurate and reliable and secure.

Similar is true of computer compilers of either touch screen votes or optical scan votes. They are trivial to hack/manipulate without being caught unless there is a hand count or extensive audit pre and post of counting software and results, and way of insuring secureness of the machine/software. Most states don't do hand counts or hand recounts in other than extreme circumstances, almost never, so having paper ballots isn't much assurance unless something further is done.

What I think is needed is a mandantory hand recount of a random sample of precincts, and also allow parties to choose some number of precincts for hand recount where results seem unusual.

and a system of hand recounts of more precincts where a party is willing to pay for it(with reasonable charges)

Do we really need DRE's?

HAVA does not require a single DRE. Nor do most of the very people it's claimed to enfranchise.

Blind or sight impaired voters can use an old fashioned magnifying glass or, at worst, a ballot marker.

Non-english language speaking people can use a ballot marker AND that probably could be restricted to large jurisdictions that use a multiple of languages.

Most mobility-limited voters could use a paper ballot or, a ballot marker. What they really need is a wheel-chair ramp. Sorry for no link but inaccessible polling places may be represented by more than 30% of the nation's precincts.

I'm less familiar with the needs of people with cognitive disabilities. And this brings us to the points already mentioned above; voter verification of a printed VVPAT from a DRE or even a ballot produced by a ballot marker, may not get properly verified by the voter.

Picture and Audio Recordings

I don't understand this feature but whatever image can be recorded, can be printed, and verified. A Ballot Marker can be voice activated, and a ballot checker can read the printed ballot and audibly report to the voter.

Some mobility-limited voters

Some mobility-limited voters can't use a currently available paper based schema. Here's the rub and some possible solutions.

If a mobility-limited voter, using a ballot marker, can't handle the completed ballot, they'll require assistance and that would violate secrecy. Here's what we could do.

In the short term, simply, and crudely, a blind fashioned such that when the completed and verified ballot comes out of the machine, it will fall into a box into which the voter can see into. There's a stash of ballot envelopes placed in the box, as well. A poll worker assists from behind the machine sticking their hand in the box to grab an envelope and stuff it with the ballot. Voter watches. And they go to the ballot box to deposit it. Crude, effective, doable, cheap.

Ballot Sleeves, http://www.votersunite.org/article.asp?id=5225, http://www.cs.uiowa.edu/~jones/voting/fec3.html#access,
may be employed to aid in such an idea.

In the long term, a machine that shuttles the ballot through a ballot verifier, and then onto the ballot box, would solve the problem for those mobility-limited voters who can't use current paper based systems. This concept was verified by a tough advocate for DRE's for the disabled.

It may be possible and reasonable to accommodate some voters with extremely specialized needs through early voting at centralized facilities they may be likely to visit.

Costs

Don't to forget to add storage costs if applicable. Some jurisdictions store the current technology in cold/damp places unsuitable for DRE's or even ballot markers and OpScan. So they have a new line item based on an interpretation of HAVA.

Budget Short Falls

Counties are reporting a lack of funds to maintain precincts and are proposing and passing law reducing the number precincts by combining them in "super-precincts". I fear this will only serve disenfranchisement.

Ease of Use?

Not for a lot of voters. But perhaps for some BoE's. I think the voters come first.

Summary

Most disabled don't need a DRE, many not even a ballot marker. A greater number are disenfranchised by inaccessible polling-places rather than polling-places. It's possible to develop non-DRE technology to assist the few mobility-limited voters who can't use current paper based systems.

In so many ways, we just can't afford them.

I agree with just about everything in your post.

BUT

The fact is that many Election Directors, BOEs, and counties already have their minds made up -- they are getting DREs come hell or high water. And they are getting them soon.

No matter what we call it, or what the details of the system are, this point I think it behooves us to make sure that any DRE we get PRODUCES PAPER that absolutely CAN be verified by the voter. Time is short and these counties are in a buying mood.

We can fight for improvements, additional legislation, or even banning the machines later. But NO buying of PAPERLESS DREs NOW, or that is what we are going to probably be stuck with for a long time. A very long time.

I'm looking over those sections of the bill that have to do with technology. Here are my comments.

Certification of Software - the Applications

First let's look at the security and certification of software applications.



My guess from this language and other paragraphs in the bill is that the authors were thinking in terms of one or more software applications that are installed on top of the operating system. But the operating system itself is software. This language should be improved to make it clear what is really intended. I believe strongly that the operating system has to be treated like any other piece of software but I will take that up in the next section. This section will focus on software applications that are installed on top of the operating system.

I believe that the bill does not go far enough in that there is no mechanism for verifying whether the version of software actually deployed on a machine in the field is the same as the version that was certified in the lab. The bill should probably require that a mechanism be developed and specified in a regulation. The mechanism could use checksums and/or digital signatures. This issue has been raised by other posters in this thread so I just add my support for this position.

Along with the checksum or digital signature mechanism, there would need to be some way to gain access to the machines to perform the check. There should be very carefully crafted language requiring audits of the machines both before and after the election. I say carefully crafted because we have seen how election officials put on a dog and pony show in place of real testing under the current regime. This step should be performed by one of the accredited laboritories mentioned in the bill. This is potentially a nightmare due to the number of DREs that could be out in the field all across the country.

Another thing lacking in the bill is any remedy. It just says the software has to be disclosed. So let's say that some vendor discloses software that has flaws that are not themselves fraudulent but are easily exploited. I think it is Bill Bored who has made the point many times that it may be the configuration that implements fraud, not the software code as such. What can we do about a vulnerability when we discover it? We will once again be left standing outside in the rain while inside the building the election is stolen by use of an exploitable feature.

A related point is that there must be disclosure and auditing of the configuration of the software, not just the software code itself.

Also, a known exploit of software is to place executable code in data. The data is read from somewhere (say a database, an http request to a web application, a smart card or wherever) and then the data is executed as code. So you need disclosure of all the data on the system too.

Where this is taking us is that you need to capture and disclose an image of the entire system including all software and all data. Only in this way can you cover all the bases.

Certification of Software - the Operating System

The literal language of paragraph (8) shown above would seem to include the entire operating system since the op sys is in fact software that is contained by and used by a voting system. However, I doubt that is what the authors intended. The language should be clarified.

The way the language should be clarified, as I see it, is to make it clear that the operating system is software and must be disclosed and certified like any other software.

You would have to include the operating system in order to know there is no fraudulent code lurking somewhere either as a modified version of a legitimate op sys component or as a bogus component given some legitimate sounding name. Since the state of the art of viruses and other malicious code is so advanced, there is significant risk in the operating system part of the voting system, not just in the software specifically intended for e-voting.

This interpretation of the operating system being software has a couple of consequences. One is that any version of Windows or any other proprietary operating system would be disallowed.

To me disallowing Windows is a good thing (actually a necessary thing) but there will surely be vendors who will not go along with this without screaming and kicking. Then there are all those counties that have already bought voting systems that run on Windows or some other proprietary operating system. I would be surprised if this interpretation of the operation system being sofware and therefore disclosable would ever make it into law. That said, I still believe it is essential.

But for the sake of argument, if Windows is ruled out and only open source operating systems are allowed then we are most likely looking at some flavor of Linux.

Another consequence of my interpretation is that the disclosure called for by paragraph (8) is much larger than what the authors likely envisioned. To disclose the source code, object code and executable representation of the entirety of any of the commercial distributions of Linux is a large and difficult task. So large that its usefulness would be doubtful at the same time that it is essential.

One thing that would make the disclosure of an entire operating system more feasible is to use a very minimalist version. The modularity of Linux lends itself to this approach and there are quite a number of tiny versions that were developed for various reasons such as being able to fit on a single floppy disk.

To sum up what I think about certification of the operating system - I think this is an essential element of any trustworthy system and I think it is very unlikely to happen.

Certification of Hardware:

Now to make the problem even more difficult, there is no reason we should trust the hardware either. Just like you can sneak a malicious component into the operating system, you can also sneak a malicious piece of hardware into the box. Look at paragraph (10):



The certification of hardware seems to certify only that the software it contains has been disclosed and that there is no wireless, powerline or concealed communication device (paragraphs (8) and (9)). The certification does not say that there is no other type of hardware component whose purpose is nefarious.

Now maybe you could render many types of malicious hardware components inoperable and moot if you can control the operating system. I'm not sure of what the possibilities and issues might be here. This question would need further development by someone whose expertise is operating systems (I am a software person).

Further, even if the hardware certification were comprehensive, how can you verify that the hardware in the field is the same as the hardware tested in the lab. You could check that it is the same model number or something like that but it is very common for individual components of a computer model to be changed at any point in time without changing the model number. A certifcation that the machine in the field is the same as the machine in the lab is basically not possible. You would have to perform an autopsy on the machine in the field and the patient would not survive the procedure. I really doubt that the jurisdictions buying voting equipment would agree to destructive testing.

So the conclusion on hardware certification, just like that of operating system certification, is that it is essential and very unlikely to happen, at least in any meaningful way.

General Comments and Conclusions

One issue that spans across both hardware and software is the creation of accredited labs. Is the language in the bill sufficient to make sure the accredited labs are not shills? How do we know that we can trust these certifications? We certainly can't trust the current election authorities involved in certification. We also know we can't trust the EAC as currently composed. This seems to be a serious risk in this age of fake media, fake think tanks, fake intelligence and fake commissions. We'll just add fake labs to the list.

A related problem is that election officials, including the EAC, the state officials and the county officials, do not have the knowledge necessary to evaluate and oversee the work of any accredited lab. Even if the labs are not shills, they can be imcompetent. There will be motivation to be incompetent if they are profit-based since the most profitable approach would be charging high rates for cheap labor.

While we're at it, what do we do about any of the players, from hardware sources to software vendors to accredited labs being foreign owned or having foreign connections. Witness the purchase of Sequoia by the firm in Boca Raton (sorry, I don't remember the name right now) that has connections with the Venezuelan government.

To wrap up my general conclusion about this endeavor to create a trustworthy e-voting system, I am absolutely convinced that the goal will not be met. There are just too many ways this can go wrong. It would be very difficult to accomplish even by a team of the top experts in the country who had no other motivation other than the trustworthiness of the system. Even in that case it would require a major investment in R&D and would probably be years in the making. And that's the best case scenario.

A more realistic scenario is that:

• Funding will be inadequate
  
• Oversight and direction will be incompetent
  
• Bad actors will infiltrate the process
  
• Essential elements will be ommitted
  

And finally, even if all these obstacles were miraculously overcome, the result is still a system that an ordinary person cannot reasonably trust. The trust in our election system should not be by faith. It should be by transparency and an understanding of how the system operates. This trusted computer system, if achieved, could only be understood by computer scientists and, in fact, only by computer scientists that have a spare couple of years to study the system and verify that it is trustworthy. Certainly it cannot meet the test that many have suggested that it must be understood "by my mother".

So the solution to this problem is to consider any computer system untrusted. Use touchscreens only as ballot marking devices so that there is a decoupling between the technology and the vote generated by the technology. If opscan counters are used, or if central tabulators are used, then there must be a system that allows independent, low-tech (hand counting) verification in way that is meaningful and substantive and prior to results becoming final or even presumptive.

This demonstrates a true appreciation of the problem. This is essentially why I have given up on DREs.

The Windows issue may not be mentioned because some of the academics who advise these legislators wouldn't be caught dead using Windows in the first place! They are Unix/Linux heads and with good reason. So they might overlook the obvious proprietary undisclosed nature of Windows and not even include this in their thought process. Those who are forced to work with Windows on a daily basis however, but who also know the broader realm of computer science and hence other operating systems, would be more likely to think in such terms. To them, Microsoft is just another Diebold -- no better and no worse.

The only thing one might add, and it is debatable, is that a system such as an Optical Scanner which can be tested publicly, out in the open, and independently with actual hand marked ballots of appropriate number and complexity as those used in the actual election, at the time of actual election, combined with mandatory manual random auditing of the paper ballots, would solve some (possibly all) of the problems inherent in the application software, the operating system, the configuration, the hardware and so on. This is because, unlike DREs, you can test the scanner with a large number of ballots, with hand counted outcomes known in advance or after the scan, that can also be changed in advance and re-tested, and can be seen on the machine at the time the election would actually take place (by setting the machine's clock to that date and time), etc.

To do this with a DRE, and I mean ONE DRE, would take a poll worker a full day doing nothing but simulating voters casting votes. This would have to be done on EVERY machine and would therefore take many person-days of labor to even approach the level of verification possible with an Optical Scanner. The alternative is to use the vendors' logic and accuracy tests, which do not simulate actual ballots or voting and are conducted in a completely opaque manner using the internal workings of the machine under test to test itself! Therefore, there is no practical, independent way to test a DRE. There is with Optical Scanning. It may not be perfect, but that's why you also have random audits of the hand marked paper ballots which are guaranteed to have been verified by the voters themselves upon casting their votes.

I agree that the system must be considered to be untrustworthy, but some systems are easier to test than others. With DREs, it's almost impossible as we both are saying. With Op Scans, there's at least a chance if could be done if the regulations demand it.

It's becoming increasingly obvious to me that anyone who takes a pro-DRE position is either grossly uninformed, financially interested, or simply has something they wish to hide. There is nothing open or observable about DREs at all. Anyone who says otherwise is at best living in a fool's paradise.

Does Holt go as far as most of us would like? Of course not but it closes a lot of major loopholes and is the best there is right now.

Can we think of better legislation from our point of view. Sure. Lots of us have. Can we get anything remotely better introduced, much less passed this year in this Congressional environment? Are really you serious???? Can we get legislation that will do more in the next few months (before all the HAVA money is spent on these awful machines)? Nope.

Can we get Holt in its present form? Maybe something close if we all stick together. Is it a lock? No way no how. Holt is still stalled and we're working very hard at getting Republicans to sign on as well as getting a comparable bill introduced in the Senate and then passed. Despite having an incredible amount of input throughout the process, we don't yet know exactly how good the final Senate bill will be. What it boils down to is that we have to get paper mandated nationwide NOW or we'll have 50% or more of us voting on paperless machines for the foreseeable future.

If we get the paper and a manual audit requirement mandated now, we can continue to move forward to get more. At least we'll have paper that can be counted by hand. How easily it can be done is another issue, but the fact that the election directors might have to count the paper will make the machines look less desirable, not more. Those printouts on those paper rolls can be counted by hand but it's a horrendous process compared to op scan or other human readable paper ballots.

If we don't get this much done NOW, it will take literally years to get back to this point ... if ever. Does anybody think that's a risk worth taking? After working full time on this for almost two years, and realizing that I'll probably be working on it for the rest of my life, I sure as hell don't think so.

hedda

I still support this bill, despite the fact that I don't like DREs.

As some of you know, I categorically reject any legislation that includes any form of electronic/digital technology with the exception of post-election, post-validation archival backup of the paper artifacts used in the election process.

Paper registration.

Paper poll book, or, in the case of mailin paper ballots, a paper receipt ledger.

Paper ballots ONLY.

Paper ballots counted by human beings.

Paper tally ledger at the precinct.

Paper ballots and paper tally ledger from each precinct delivered to the county.

Paper ledger used at the county to record all results from the precinct ledgers. County election official can call into the SoS the results, as recorded in the paper ledger.

All ballots and ledgers are delivered to the SoS.

For national elections, all registration logs, ballots, poll books, and ledgers are archived by the Library of Congress.

Not.One.Line.Of.Code.Between.A.Voter.And.A.Valid.Election

Peace.

www.missionnotaccomplished.us (The.Day.WE.BEGIN.......)

In georgia we are 100% diebold. The holt bill DOES NOTHING TO ENSURE a fair election for us. I have not supported it, nor will I until I see 3 key points.

1. Paper record, the ballot of record
2. Counted by hand election night
3. In full view of citizens

Why not check out Georgia's really well written legislative answer to incorporate these 3 things....
www.defendersofdemocracy.com/

*** AUDITS are counting the votes days or weeks afterward and each day adds the possibility of spoiled or 'corrupted' ballots. It's critical we count the votes election night in the precinct preferably before a citizen panel in full view of the citizens...


A BILL TO BE ENTITLED
THE GEORGIA VOTE COUNT PROTECTION ACT

To amend Chapter 2 of Title 21 of the Official Code of Georgia Annotated, relating to elections, primaries and use of electronic voting machines generally, so as to provide a permanent, tangible, paper record as the official ballot of votes recorded for each voter; to require that all electronic recording voting systems produce such paper evidence as the official ballot; to provide that each voter shall have the opportunity to verify and affirm that the official ballot has accurately recorded his or her intent before casting the ballot for counting; to restore public ballot counting procedures for all voting systems in Georgia; to require that tabulations of said paper ballots are performed at the precinct by manual counting in full view of the general public; to specify that said paper ballots are exclusively recognized as the official ballot of record for purposes of counting, auditing, recounting the vote and for election challenge proceedings;

BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:

SECTION 1.

Code Section 21-2-2 of the Official Code of Georgia Annotated, relating to the definition of a ballot, is amended by striking subsection (1) of Code Section 21-2-2 and inserting in lieu thereof a new subsection (1) to read as follows:

”(1) Ballot means ‘official ballot’ or ‘paper ballot’ by which an elector verifies and casts his or her votes and establishes a tangible official record of voter intent that exists externally from any voting system equipment, software or database.”





SECTION 2.

Code Section 21-2-324 of the Official Code of Georgia Annotated, relating to review of manufacturer’s electronic voting systems, is amended by striking subsection (f) of Code Section 21-2-324 and inserting in lieu thereof a new subsection (f) to read as follows:

”(f) When a voting system has been so approved, any change to the voting machine or its software shall render necessary a reexamination and re-approval of each such voting system.“



SECTION 3.

Code Section 21-2-379.1 of the Official Code of Georgia Annotated, relating to requirements for use of electronic recording voting systems, is amended by striking paragraphs (7), (8) and (9) and inserting in lieu thereof new paragraphs (7), (8) and (9) to read as follows:

"(7) It shall produce a permanent paper record as the official ballot containing a unique ballot number, each vote cast for each candidate, question or other initiative on the ballot and any additional information required to designate such record as the official record for count, audit, any recount conducted under Code Section 21-2-495 or any election challenge under Article 13 of this chapter involving a primary or election in which such system is used;

(8) It shall provide the elector with an opportunity to review the printed ballot before said ballot is accepted as final and official, and to make changes or corrections to the printed ballot, as described in the revised Code Section 21-2-379.10 (b) of the Official Code of Georgia Annotated (see Section 6 below);

(9) It shall be constructed of good quality in a neat and workmanlike manner and shall be so constructed that an elector may readily learn the method of operating it; and”





SECTION 4.

Code Section 21-2-379.2 of the Official Code of Georgia Annotated, relating to review of manufacturer’s electronic voting systems, is amended by striking all subsections (a), (b), (c), (d), (e), (f) and (g) and inserting in lieu thereof new subsections (a) and (b) to read as follows:

“(a) All existing voting machine software used by the state of Georgia and any software of electronic voting machines examined by the Secretary of State or representatives of the secretary, shall have its software source code for the operating system, vote recording and vote counting processes filed with the Secretary of State and be open for public inspection. Such software shall be available during all business hours of each day that the office of the Secretary of State is open for business and available via download from the website of the Secretary of State. Said software source code shall be open prior the examination of any system for approval and remain open for public inspection and review from the time the system is approved until said software is no longer used for vote recording or vote counting by any precinct.

(b) At any time the Secretary of State may be required to re-examine a direct recording electronic voting system in accordance with the laws for voting machine examination as defined by Georgia Code 21-2-324. Any such re-examination of a direct recording electronic voting machine will be conducted in accordance with the provisions of said Georgia Code 21-2-324.”





SECTION 5.

Code Section 21-2-379.7 of the Official Code of Georgia Annotated, relating to the preparation of polling places, is amended by inserting new subsections (e) and (f) in Code Section 21-2-379.7 to read as follows:

“(5) The superintendent will ensure that an alternative means of voting is available for all electors in the event of voting machine malfunction, power failure or any condition that may render the voting machines inoperable for a time period of more than 20 minutes during a primary, election or runoff of either.

(6) The superintendent will provide at least one voting machine with voice prompt capability for ballot verification at each precinct to assist sight impaired electors.“





SECTION 6.

Code Section 21-2-379.10 of the Official Code of Georgia Annotated, relating to procedure for electors using DRE units, is amended by striking subsection (b) and inserting in lieu thereof a new subsection (b) to read as follows:

"(b) After the summary screen is displayed and the elector desires to make no further changes to his or her votes, the elector shall choose from the summary screen to print his or her official paper ballot. When printing is complete, a verification screen shall be displayed prompting the elector to review the votes indicated on the printed ballot, and giving the elector the option to correct said votes or, alternatively, to cast his or her printed ballot as final and official. If the elector chooses to make changes to the official ballot, the voting system shall return to the summary screen and the printer shall mark the printed ballot with the word ‘Void’. When the elector chooses to cast the official ballot, the printer shall mark that ballot with the words ‘Approved by Voter’ and that ballot shall be deposited in a ballot box prior to the elector leaving the polling place. The official ballots shall be secured in sealed, locked ballot boxes at all times in a manner according to the provisions of Title 21, Chapter 2, Article 11, Part 2 and other provisions of law for handling paper ballots. Such ballot boxes shall not be opened nor shall such ballots be counted until the poll closes.





SECTION 7.

Code Section 21-2-379.11 of the Official Code of Georgia Annotated, relating to vote tabulation procedures, is amended by striking all subsections (a), (b), (c), (d), (e), (f) and (g) and paragraphs therein and inserting in lieu thereof new subsections (a), (b), (c), (d) (e) and (f) to read as follows:

”(a) In primaries, elections and runoffs, the permanent paper records produced by the electronic voting equipment shall be counted at the precinct under the direction of the poll manager immediately after the polls close. The poll manager shall cause the totals of all votes cast to be posted in full public view at the precinct in accordance with law. The poll manager shall ensure that the total of all votes cast on all permanent paper records at the precinct are delivered to, and recorded correctly, at the tabulation center.

(b) The permanent paper records shall be placed in a container that shall be transported to the tabulating center with the other election materials. The manager shall cause to be completed and signed a ballot recap form, in sufficient counterparts, showing the number of valid ballots, the number of spoiled and invalid ballots, the number of provisional ballots and the number of unused provisional ballots and any other unused ballots. The manager shall cause to be placed in a ballot supply container one copy of the recap form and any unused, defective, spoiled, and invalid ballots, each enclosed in an envelope. The manager shall collect the memory card, tapes and any other DRE items for each voting machine and enclose them in the container according to procedures established by the Secretary of State. The manager shall then seal and initial the container so that it cannot be opened without breaking the seal.

(c) The sealed container shall be transported to the tabulating center with the other election materials. The manager and one poll worker shall deliver the container to the tabulating center for the county or municipality and shall receive a receipt for said container. Copies of the recap forms, unused ballots, records, and other materials shall be returned to the designated location and retained as provided by law. The container with the permanent paper records of the precinct shall be kept unopened in a secure location by the election superintendent and shall be transferred to the appropriate officer with the other election records in accordance with Code Section 21-2-500.”

(d) The poll manager or superintendent shall deputize all persons who perform any duties at the precinct. The superintendent shall deputize all persons who perform any duties at the tabulating center. Only persons so deputized shall touch any ballot, other container content, or tabulating equipment.

(e) The precinct ballot count and all tabulating center operations shall be conducted in full view of the public, which can include representatives of political parties, journalists and individuals with audio and video recording equipment running continuously.

(f) If the Secretary of State has established a system for transmitting the election results, the poll manager shall transmit the election results counted from the permanent paper records to the tabulation center. The tabulation center shall make public the totals from each precinct immediately upon receiving them from the precinct and not later than the time they are included in the tabulation center totals. The superintendent shall ensure that the total of all votes received at the tabulation center for each candidate or ballot question are accumulated accurately and recorded correctly for certification in official statewide totals.





SECTION 8.

This Act shall become effective on July 1, 2005.





SECTION 9.

All laws and parts of laws in conflict with this Act are repealed.

###

- HOME -

Senate Bill 222
http://www.legis.state.ga.us/legis/2005_06/search/sb222.htm

the only other introduced bill is Bill 790 by Geisinger that has a randomized precinct level audit (which some activists support, but I do not)..

my problem with audits is that you are counting AFTER THE FACT and as time passes, you increase chances of 'manipulation', fraud and plain old problems with ballot counting.

NO, this bill I mentioned drawn up by a very quality activist community in Georgia never got introduced in the last session, but will likely see introduction in the next session... however, it is a MODEL as it is the only legislation I've seen nationwide that handles my 3 criteria.. see website www.defendersofdemocracy.com if you want more details...

FYI, California is also looking to the "VOTE COUNT PROTECTION ACT" as a model for it's activist recommended legislation...

House Bill 790

http://www.legis.state.ga.us/legis/2005_06/sum/hb790.htm

Electronic voting systems; require permanent paper record

Sponsor: Harry Geisinger, et. al.

does not guarantee the paper is what is counted.

That's why all these bills are 'the devils is in the details'.

I really don't spend much time in legislative issues so I'm the wrong person to even be responded.

I had the 790 bill explained to me..

that we would do a statewide audit that essentially was for EACH PRECICNT. they would write on a piece of paper the races from Pres. to Senate on down the line and put the races in a hat).

They would pick one out of the hat and then do a handcount of that race. If that race does not match the Electronic results spit out of the Diebold system, it would trigger a wider handcount. The FIGHT is between whether it triggered a county wide handcount of all races or a statewide count.

All of this seems like splitting hairs. to count anything at all is to admit that counting paper ballots that are the citizen verified vote is what matters.... if this is what matters why not count all the paper ballots by hand?

if 95% of the democracies in teh world including india with many more millions of citizens can count paper, why is it in the US we are too lazy to count paper???

I DO NOT SUPPORT THE GEISINGER BILL because I know the GOP are strong enough to outright SHUTDOWN the RECOUNT that was supposed to happen in OH and with a nonrandom 3% audit, the GOP can wiggle inside the margin and get their way with any such audits. I can see the graft now, they get the race to be some small BOE race (board of elections) and then they tell Diebold to rig all BOE elections to be honest... I just don't trust any aspect of this , really. But some activists think Giesinger 790 gets around the 'nuisance' of full statewide recount.

I really don't care.

When my audit shows DRE machines cannot be trusted for counting our votes, the legislative will have legal precedent to contend with....

guarantees that the

Diebold DRE tapes are what will remain counted.

My statewide audit shows many things.
1. Diebold DRE tapes are not trustworthy and form no basis of reality for counting our ballots
2. I've been denied access to a CD that represents the actual ballots
3. Even in absence of CD containing records there are significant and voluminous discrepancies between Ballot Recap sheets filled out by humans, DRE tapes printed from machines and final tallies posted on SOS website.

bottom line, we cannot use computers to count votes.. we must resort to counting paper, and consider paper the only UNMODIFIABLE record worthy of the importance of our vote.

check out my website for more evidence of fraud over time.. the PPT of Fraud is a good starter...

www.countpaperballots.com

Once he excludes the DRE's that can operate without VVPAT. VVPAT is bad enough, but there is little need for DRE's, if any.

I picture a bank of DRE's in a polling place with no wheel-chair ramp.

Next, I'd need someone to tell me that the auditing schema is reasonable.

Then, I'd want to feel like we can get, eventually, hand-counts.

Add precinct counts and chain of custody for the results moving to the county, then state.

Sure. I could get a little bit more enthused.

First a quick point:

The argument that a DRE could print out one result on the VVPAT and count a different result is spurious when considering VVPAT versus VVPB (except in the case of hand-counting.) Even with VVPB, a tabulator could inject bad results. There's no real difference other than the point at which bad results get into the system -- with machine counted VVPB, the bad results come from the tabulator. The bad results still count as official unless/until there is a recount/audit.

How could a machine count VVPB system be made more secure than a VVPAT? It can't. If you centralize the tabulator and take a good deal of precaution, (running test decks at random, verifying software signatures, using open hardware/software, etc) then you might be able to prevent the fraud but you lose three important safegards that way: The precinct level count can't be posted until it is tabulated and sent back from the central office, the voter has no way of knowing whether the ballot will correctly "scan" when they cast it at the poll -- which has a demonstrated and dramatic impact on undervotes, and the ballots are physically moved to the central office before counting.

So tabulation at the precinct level must be done at the precinct, but if you want to electronically tabulate, that makes for a huge technology support/security nightmare with thousands of mini-tabulators that all need to be secured. Opscan comes the closest to doing this because the machines are more of an "appliance" than a full-blown computer, but still -- do you have any confidence that those opscan machines are not tweaking the final number that they spit out, right under the noses of the voter with their VVPB?

The issue of the scale of the operation can work to the advantage of the voter in that under some circumstances it makes "hacking" the vote more difficult if there are lots of machines that all have to be hit. But that applies to both VVPAT and VVPB.

Ergo, using VVPB offers no intrinsic benefit over VVPAT when still using machine counting. The argument that at least VVPB's are always counted is not true -- the VVPBs are fed into a machine. Whether they are actually being counted inside there is an open question.

OK, now finally to my point. Those that have already expressed a lack of confidence in federal legislation fixing this are dead on. We saw how HAVA sounded good at the time but then got warped in practice. Any change is an opportunity for mischief.

But the problem is deeper. Legislation won't fix this, period. The only thing that is going to fix this is tens of thousands of citizens that care enough to take their local processes to task. For a start, demanding of their towns that the precinct results be posted immediately on the precinct doors, and the precinct-by-precinct centralized results be posted immediately by the county and state SoS. Then proceeding towards an instantly-available citizen-initiated audit (perhaps with private funds needed to offset costs, but if so, the costs would have to be reasonable.)

Yes, legislation will have a role in getting citizens the right to do these things. But it can only be used as an aid to help citizens that are willing to do so. Without that group of people, we have nothing.

So while the Holt bill may deserve passage, it won't fix the problem. Even paper ballots won't fix the problem, since there is still an opening for fraud through dishonest workers. Only people can fix it. Lots of them, with lots of attentive eyes, each policing the system from outside on their local level. I don't see any effort to systematically organize that kind of thing happening here in my town/state, and that worries me.

P.S. Not having read the entire text, the bill seems to be vague on what happens if the voter notices a discrepancy between the paper record and what they thought they voted for -- they can have the VVPAT or VVPB corrected in the official paper record, but is it actually specified in the bill what happens next? Having the paper record corrected does not ensure that an error on a VVPB's will force any sort of audit or investigation into the cause or the general integrity of the system, or that the VVPAT will be counted and the tally adjusted... just a thought.

Here is my version of the system you described. I added just a couple of things:

• Hand-marked paper ballots
  
• Precinct-level opscan
  
• Immediate posting of precinct-level results on the polling place door
  
• Immediate posting of county and statewide results always down to the precinct level
  
• Citizen-initiated audit at a reasonable cost
  
• Some kind of remedy, probably a recount, in the event of discrepancies in the audit
  
• A requirement that results are not final nor presumptive until audits and recounts have been completed
  
• Some solution to the electoral college deadlines that collide with recount rules
  
• Special accommodation for those with disabilities
  
  

and guess what folks..

the recount in ohio, which cost the Green & Libertarian parties over $100K that they paid out of pocket, was LEGALLY SHUT DOWN.

anyone who supports audits or recounts is not
realistically looking at how the GOP can shut these remedies
down in a New York Minute.

now, guys is the time to strategize how many lawsuits we have to launch to smoke DRE vendors out of their market the good old fashioned way, with damages lawsuits that cost them more to be in the business of selling voting gear than to get out of that business....

So am I. I just get the feeling that solution will never happen.

But I certainly don't claim to have any experience or insight in political matters and I recognize that there are lots of folks here that do... so take my previous comment as my .0000002 cents worth.:)

we all act like counting paper is the plague..

get this loud and clear 95% of the world's democracies count paper and they do it efficiently and without 'ballot stuffing' or other tricks...

why don't we consider studying other countries for their counting secrets.....

Ballots counted at the precincts (be nice to do it by hand, but I digress). Results posted there and in the local newspapers.

Using a proper "chain of custody" regime, the precinct totals are delivered to the county. The total result of the county's precincts would also be posted in the newspapers.

Using a proper "chain of custody" regime, the county totals are delivered to the state. The total result of all the county's totals would be the third category posted in the newspapers.

The final category, of course, being all the states totals.


How are state totals reported now? Are they ever officially delivered to Congress? Or is the only report/accounting given the electors votes in January?

"There's much to like, and little not to.

1. A paper record is produced, but not in the case of machines designated for use by the disabled. And how will you "designate" the disabled anyhow? I thought the ADA does not permit that.

2. Audits are mandatory, but are the audit criteria adequate?

3. Software has to be "open". IT Pro's...will that safeguard the system?"

As political talking points, the above is a good statement to make: it is supported by a good number of CBC and progressive Congress people (...although, why is Jesse Jackson Jr. not on the list?), it raises good bullet points, it casts doubt on the recent election and it will die at the hands of the right enemy. Since there is little chance of it passing, it opens the debate - not closes it.

As a definitive "solution", the Bill sucks... for all the reasons many of the posters have noted.

BUT... even the ideal voting system still leaves 13000 voting jurisdictions, open conflict of interest and state's rights prerogatives, vote suppression, registration, and the thousand and one other schemes that reduce voting process reform to the same significance relative to the restoration of democracy that the Holt Bill stands in relation to a "proper" voting system...

"If it were to pass it would not assure fair elections..."

Very true, but there is little that could pass that would...

The price of Democracy, this time, is going to be higher than a single bill and we increasingly have to see it that way.

My pet concern outside of the machinery is what I call the "deprecinctification of the nation", or "steal your polling place".

Perhaps Federal legislation serves a greater purpose informing State legislation.

(Of which there's a ton.)
http://www.democraticunderground.com/discuss/duboard.php?az=view_all&address=203x361175

Perhaps Federal legislation serves a greater purpose informing State Legislatures that either they get it together, or the Fed will. :shrug:

1) Election Day Registration - As many as 8.5 million voters...

2) End of Felony Disenfranchisement - 5 million voters...

3) End of Registration "purges" - 2 million voters...

4) End of disproportionate ballot spoilage for minorities - 1.5 million voters...

5) End of the Electoral College - 2 million vote equivilants...

Then you win a huge majority and wipe out states rights forever (right to slavery? right to Jim Crowe? right to spend more on prisons than on schools in Montana? right to grow up illiterate in Alabama?)...

Then you finally get Democracy (damn, and it only took 225 years) and then you guys can have paper ballots if you want...


Just a thought;-)

that if there are mandatory VVPATs, the voters need to be educated to USE them. Some sort of public service announcements just before election day might work. Maybe the machine companies could pay for them!

While this is a little like the tobacco industry telling us how dangerous cigarettes are, it could really help the voters to verify their votes, in case a recount is actually performed. It would also help them spot more machine malfunctions or configuration errors, so bad machines could be taken out of service right away.

Paper ballots are still superior from the standpoint of voter verification, but if VVPATs are the best we can do, the voters must be told to use them.

Educating the electorate about VVPAT seems another reason to drop it and just use VVPB.