US Voting Machines Standards Open To Public

Online Voting writes "The U.S. Election Assistance Commission has published new voting systems testing and certification standards for 190 days of public comment. For all the critics of electronic voting, this is your opportunity to improve the process. This will be the second version of the federal voting system standards (the first version is the VVSG 05). To learn more about these Voluntary Voting System Standards see this FAQ."

I wanted to read it...

[houstonbofh (602064)]

I just could not vote for any of the links. We need a strong voting standard to show some leadership.

How about

[SamP2 (1097897)]

- Printed voting receipt
- All code open source, all architecture fully documented and publicly available
- No person-vote information recorded in database (database lists people as "voted" or "not voted", as soon as person enters a vote it changes to "voted" and won't allow another vote, while a separate database increments a counter for a particular candidate. These two databases are NOT linked together.
- No timestamps to ensure manual matchmaking between people and votes are not possible.

Ah hell. I could come up with lots of other reasonable suggestions, but its not like any of this will ever be implemented.

Re:

[heinousjay (683506)]

I don't like the receipt, and I have a hard time wondering why people would want it. It couldn't be used for anything related to the process because of the ease of counterfeiting.

Counterfeiting voting receipt

[Harmonious Botch (921977)]

It could be PGP tagged.

Re:How about

[megaditto (982598)]

Receipt is a great idea.
For one, you could get a discount on your union dues with a Democrat on your voter receipt.
Or you could use it to secure your job (since your boss won't fire you if he can see you voted Republican).
Or you could sell it to the highest bidder: exchage your Billary/Osama receipt for a $20 gift card (for example). Buying votes otherwise is a real pain: people take your money but can still vote for the other guy if you don't watch them.

Problems, not solutions

[michaelmalak (91262)]

You've violated the golden rule of specifying requirements:

- Printed voting receipt

The requirement is:

1. Individual vote verifiable by the voter's unassisted eye at the time of voting as to the vote selection and whether or not it has been tampered.
2. All votes verifiable by auditors' unassisted eyes after voting is complete as to the vote selections and whether or not they have been tampered.

Re:

[SamP2 (1097897)]

Your second option is not possible (as stated) unless the database links individual people to individual votes, which in turn violates ballot secrecy (with traditional voting, when you enter a ballot, you don't write your name on it, and while the auditor can count the number of votes, they can never know who voted for them).

The digital voting controls should be similar to traditional voting (count how many people entered/left and compare to number of votes), but NEVER record the voters identity on the ball

Re:Problems, not solutions

[peragrin (659227)]

um with the 1930 electonric voting machines you could do both of those with out comprimising data personal data.

It means the voter doesn't log into the voting booth. the voter should only walk up to the both press a few buttons get a confirmation receipt and then stick said receipt in another box. The voting machine then is reset for another voter.

Electronic voting should only make counting faster not a complex database system that records everything about the voter.

Indeed a regular computer system is a waste in such a case. no more than powerful than the newton, or early palm is needed, no full oS is needed. the least complex the better.

Re:How about

[Conspiracy_Of_Doves (236787)]

Yes, print the voting receipt, but don't let the person take it with them. They can see it in the machine to verify that was who they voted for, but it stays in the polling place in case a manual recount is needed.

Re:

[mOdQuArK! (87332)]

Why do you need to print a voting receipt then? If the voter isn't going to take anything with them (not a good idea anyway), and they're going to leave something behind, then the ballot is the voting "receipt".

The only valid reason for checking peoples' IDs at the voting place is try and make sure that each person is eligible to vote, and gets one and only one ballot. Beyond that, there is no reason to keep track of any voter's ID.

Re:How about

[mithras invictus (1084169)]

No, the receipt should be the ballot, not the other way around. One machine is meant to help the voter produce a human and machine readable vote, the voter can check the produced ballot unassisted and decide whether or not to submit it.

Re:

[utopianfiat (774016)]

Or how about... a paper ballot?

Re:

[aynoknman (1071612)]

Yes, print the voting receipt, but don't let the person take it with them. They can see it in the machine to verify that was who they voted for, but it stays in the polling place in case a manual recount is needed.

Also, they can't verify who they voted for to a vote buyer.

Re:

[cheater512 (783349)]

Reciepts are a bad idea. They kill the point of the secret ballot.

Also there should be timestamps but on the voted database and not the votes database.
So Mr XXX voted at 1:15pm but not who they voted for.

I certainly much better now!

[e9th (652576)]

From the EAC's FAQ:

Q: Will the source code be available to the public? A: No.

Re:

[Baricom (763970)]

The FAQ makes me believe these standards are essentially useless. No source code, no independent verification (the voting machine manufacturer pays its choice of testing lab), and most importantly, no mandate to adopt these rules for any election.

Why the continued paranoia?

[grahamsz (150076)]

Where does this fear of opening source code come from? Is there really a concern that some competing software vendor will copy their "tally up the votes" routine. I can see why banks and private companies want closed source, but why here?

The only answer I can see is that the machines are badly programmed or they have been rigged in some way.

Vote counting research

[slashqwerty (1099091)]

Dear grahamsz,

In response to your question, "Is there really a concern that some competing software vendor will copy their 'tally up the votes' routine", we here at Diebold take great pride in the quality of our product. Our "tally up the votes"TM routine is a prized trade secret developed through extensive research and experimentation. If our competitors could simply copy our unique technique for counting votes they could develop the same product without incurring the significant costs of researching how to count.

I'm sure you can appreciate the sensitive technical know-how at the core of our product. Only a few vendors have discovered the secret to counting votes. If this knowledge became public anyone could count see how we count votes which would take away our incentive to create a much valued product which serves to protect democracy.

God Bless America,
Tom Swidarski
CEO of Diebold, Inc.

Re:

[cheater512 (783349)]

Its more likely to be a fear of people not contributing.
They could find flaws and then exploit them at the next election to make their candidate automatically win.

Of course its nonsense,
If it went through a standard *nix development cycle with alphas, betas and release candidates along with a x86 compatible testing program and allowing (audited) patches then it would be very secure.
Many people (especially conspiracy nuts) would be reading over the code.

Re:

[Comatose51 (687974)]

So it's less of a FAQ and more of, say..., a slap across the face? One might even call it a bitch slap. Or perhaps one can call it "Kim Jong-Il's Playbook" instead of a FAQ.

Re:

[Tim C (15259)]

Serious question - how would having access to the source code help?

Re:

[Tim C (15259)]

at least people could verify the integrity of the systems

How would they do that?

Access to the source of the code running on your own PC is an excellent thing. It lets you modify it, confirm that it does only what it claims to do, find and fix bugs, and so on.

Access to the source of the code running on a machine that you have no control over is useless. You cannot confirm that it is the source of the running code. You cannot confirm that there are no hardware issues - intentional or otherwise - that are affe

Re:

[slashqwerty (1099091)]

The machine could have hardware that computes a cryptographic hash on the data on disk and displays it on the front of the machine. That can be circumvented, but it would be much more difficult. Having the source code (to the whole system) you can compile according to prepared instructions and compute your own checksum to verify they are the same.

Re:I certainly much better now!

[Rob the Bold (788862)]

Access to the source of the code running on a machine that you have no control over is useless. You cannot confirm that it is the source of the running code. You cannot confirm that there are no hardware issues - intentional or otherwise - that are affecting the correct operation of the code.

Amen to that. I worked for a temp firm for a contractor to ES&S when they were prepping the code for audit by a 3rd party under the previous version of the voting machine audit standards. The code needed major cleanup to comply with the coding standards (for readability), and we were in a time crunch, so everyone dropped what he was doing and worked on sanitizing the iVotronic code. After it was done, we had beautiful code. All variables were declared at the top of functions and names that made sense. No more globals. Functions had meaningful names and headers describing purpose, input, output, method, etc., etc., etc. We sent that software off to be audited for use in US elections. Of course, that code was never compiled. And it never made it back into the production s/w vault.

big problem

[ILuvRamen (1026668)]

Has anyone else noticed that more money and time and effort has been spent trying to make and use good, fair, electronic voting machines than it would have taken to just keep using paper ballots and have them counted like usual? Isn't the point to save money and time and make it more efficient? I think another point was to make elections less riggable and more accurate but Diebold killed that dumb idea behind a long time ago lol.

Re:big problem

[mOdQuArK! (87332)]

The main advantages of using voting machines is that they can be used to print out a nice, clean ballot which can be easily counted (no misaligned filling-out of ovals or odd marks, don't worry about #2 pencils or color of pens, no hanging chads, the ballot contains only the selected choices so no "they really meant this choice!" type of counting, etc).

They're also good at providing alternative interfaces for the disabled (sound or braille) while still printing out a nice, clean ballot.

The only reason for COUNTING machines is for speed though, and since there's no easy way to make sure the counting machines haven't been compromised, we shouldn't depend on them at ALL except maybe for "preliminary results". For the final official result, we should still stick to the hand counting votes (especially if we have nice, clean, easily-readable ballots).

Re:big problem

[zcat_NZ (267672)]

You missed another advantage. Since the printed ballot is in a consistent (and preferably standard) format, those votes can be optically counted by a tallying machine built by a completely different vendor. If the preliminary count and independent OCR count agree within some agreed margin (we'll allow for misreading a vote or two per million, OCR isn't perfect). Then we can have a final, trustworthy election result within minutes of the closing of the polls. Accurate, trustworthy, _and_ fast. Wouldn't that be nice!

Re:

[Bert64 (520050)]

There shouldn't be any errors at all if the votes were printed out by a computer...
You should print the ballot on a machine, verify that it really did vote for what you wanted, and then put it in a ballot box.

Re:big problem

[gomoX (618462)]

"Classic" voting (aka paper ballot in cardboard box) has many, many problems. We just had elections, and I waited in line for 2:30 hours to vote. A big part of that time was devoted to wondering why the fuck don't they use some sort of electronic system for this.

Some problems that are typical with regular elections:
- missing ballots for a given party make the thing go slooow
- you waste time finding ballots when there are many options (most countries don't have a two-party thing going on but instead have tens of partys)
- long time to cut ballots when you have elections for more than a single position (say, president and senators) - this factor also favors "block voting" for a party
- the signed-envelope system has loopholes that allow people to buy votes anyway
- you need people to supervise the whole thing, and no one wants to volunteer
- the whole process is so troublesome and complicated that people just want to get it done instead of actually thinking about the election they are making

Of course, the electronic counterpart isn't easy to build. But it could be better, it's not really that hard. You need an easy consistent interface, solid machines that won't be easy to break, and some kind of receipt showing that you voted. That's it.

Re:big problem

[bVork (772426)]

Sounds like the problem is with your country's implementation of paper ballots, and not the general idea itself. Here in Canada, voting takes maybe half an hour at most. You show up, verify your identity, get your ballot, go behind a screen and put an X in the circle next to the candidate, fold it up, hand it to the person working the box, watch them place the ballot in the box, go home.

To supervise the whole thing, we require people from multiple parties to be present at the polling station. It's hard to fiddle with something when it has to be verified by two (or more) opposing people at the same time.

I don't understand your references to multiple ballots. Is each party on a separate ballot or something? Why in the world would it be done like that?

Re:

[CastrTroy (595695)]

That's what I was thinking. They must be doing something wrong. Using machines doesn't make the voting process any faster. The only way to move the line along faster would be to have more polling stations. Just as a reference point to any Americans, the average Canadian polling station only handles 352 people [www.cbc.ca]. The voting moves along rather quickly. And although it is possible to use ballot stuffing to rig the vote, it is very hard to do that for a large scale election, because the number of boxes you

Re:

[zestyping (928433)]

People keep saying how fast Canadian elections are. (I'm Canadian too.) But they're missing a huge difference.

In Canada you usually have one contest.

This [nist.gov] is why hand-counting doesn't work in the United States. Chicago, November 2004: 10 pages, 15 elected offices, 74 judges, one referendum. That's 90 contests.

See more at NIST's ballot collection [nist.gov].

Works just fine in the UK

[Nursie (632944)]

Walk into polling centre (these are set up in schools and community halls and are likely less than a mile from your house), pick up piece of paper, go to a booth, put your mark in the box next to a name (With a big sign up saying if you miss the box or mark two you're not going to be counted), put it in the ballot box.

Punch cards, machines, everything else, just unnecessary. I never understood the whole situation in the US where you have people queueing and some unable to vote due to being in line too long.

Sweet

[r_jensen11 (598210)]

Now all we need are some calls that query and listen to when Diebold changes people's votes, then automatically record & report the events to an independent 3rd-party.

With Diebold's incompetence, this shouldn't be too hard to do, should it?

Re:Sweet

[thatskinnyguy (1129515)]

Several generations of my family have worked for Diebold. They're a fixture in the community of Canton, Ohio. They're really good at physical security. Hell. They make most of the bank vaults and ATMs that you see.

But when it comes to voting machines, the only thing that separates the voting machines from their other products is strong bias. Tamper with an ATM at the factory, sure some FDIC bank will lose a few thousand dollars but the one doing the tampering gains nothing. Tampering with a voting machine, the perpetrator stands to influence an election in ways they see fit.

Re:

[r_jensen11 (598210)]

Many banks don't even own the ATM's. They're often owned by 3rd parties who then charge the banks service fees.

The main difference is that the ATM is there for convenience. They're everywhere and can fit in places that banks can't. They also are available 24/7. Meanwhile, voting machines are much less convenient than absentee ballots, as you have to go to the voting precinct, rather than having them sent to you, resulting in you being able to fill them out anywhere and deposit in those seemingly ubiquit

Re:

[cloricus (691063)]

Diebold ATMs are new to Australia though we seem to be getting the latest all singing dancing 'make it harder to do you banking' models that match web 2.0. Comically enough the other week I was thinking about the joke every one had here when they switched to windows for their OS tasks a good few months back. About three days later I walked past one that had a lovely blue screen of death just happily sitting there; I honestly have never fallen over laughing in my life before, let alone in the middle of a b

I for one....

[edwardpickman (965122)]

prefer our Diebold Overlords. It takes all the guesswork out of the voting process. There's something comforting knowing the outcome of an election months before the day.

What a bunch of crap

[rastoboy29 (807168)]

Too bad neither of the "major" political parties has the country's interests at heart, or we would have real, open standards for the machines themselves, and not just a voluntary fucking testing process.

Why hack a voting machine?

[jihadist (1088389)]

...When you can simply bombard the numb populace with expensive television advertising, purchase stories in the "news entertainment media," bribe them by appealing to their greedy special interests, and manipulate them through churches and synagogues?

They don't have to hack the voting machines. They've already hacked the voters. Just as Plato predicted they would!

Re:

[unitron (5733)]

Of course having a USA PATRIOT act that, effectively allows the electoral college to seize ballot boxes, without scrutiny or explanation, helps a real lot.

This is the first I'm hearing about anything in the USA PATRIOT act that has anything to do with the Electoral College. Would you have any links to a fuller explanation of these added powers you seem to think the College has been given?

Software independence is required.

[zestyping (928433)]

For those of you who have wanted voter-verifiable paper records, the new VVSG says:

Software independence means that an undetected error or fault in the voting system's software is not capable of causing an undetectable change in election results. All voting systems must be software independent in order to conform to the VVSG.

See section 2.4 [eac.gov] for a discussion of "software independence." The draft guidelines present "independent voter-verifiable records" (IVVR) as one method of achieving "software independence," though it leaves the door open for other innovative ways of achieving the same goal (such as end-to-end cryptographic verification).

I definitely recommend reading the guidelines. There's a lot of stuff in there.

My opinion on "software independence."

[zestyping (928433)]

Now for the subjective part of my comment. The concept of "software independence" is a laudable goal -- and achieving "software independence" as defined in the guidelines is certainly an improvement. Voting systems that fail to meet the guidelines' definition of "software independence" deserve little confidence, given what we know about bugs and complexity in software.

My problem with the term "software independence" is that it is misnamed. The guidelines give a definition of "software independence" th

Its not that freaking hard people

[by Anonymous Coward]

I worked on the old mechanical voting machines in the early 90s. They were hard programed for with little keys that controlled the voting levers for each question. At the end, a giant summary sheet was printed out and totals were hand checked against number of people who voted and totals on the summary sheet. After the election was certified the machines had all the keys removed.

So how freaking hard is it to burn one PROM with the questions/canadates names to be displayed on the screen and a second PROM

Why not start with an open standard?

[MosesJones (55544)]

Wouldn't it be better to start with an open standard around the election process for information exchange and the like? This Already Exists [oasis-open.org] and is "recommended" by the US Government. Why only recommended? Surely this exactly the sort of thing that should be enforced as a basic requirement. Its not like the US Government could claim "we can't enforce that standard as vendors might not want to use it" its the US frigging Government legislate is what they do.

So a good start on the standards but it would be good to see compulsion come in.

Re:

[simong (32944)]

Hmmm, let me think... it's probably recommended by the US government for countries that aren't the USA.

Still no access to source code

[simong (32944)]

Bzzt. Thanks for playing. The United States of America is still a banana republic. What is so difficult about full and open scrutiny? The first principle of any electronic voting system is that it should be open. There can be no proprietary code. It doesn't matter if Joe Six-pack can't read it, as long as someone who is independent from the government and the contractor can.

Re:

[swillden (191260)]

Bzzt. Thanks for playing. The United States of America is still a banana republic. What is so difficult about full and open scrutiny? The first principle of any electronic voting system is that it should be open. There can be no proprietary code. It doesn't matter if Joe Six-pack can't read it, as long as someone who is independent from the government and the contractor can.

The reason that's not a requirement is that if the other requirements are defined correctly, access to the source code is irrelevant. If the other requirements are not defined correctly, access to the source code is also irrelevant, because there's no practical way to be sure what code is actually running on the voting machines.

The only reasonable way to do electronic voting is to define a system such that there is no way the software could manipulate the vote without being detected, no matter how mali

Code can be altered on the fly

[Catbeller (118204)]

This is utter silliness. So what if you review the code? So what if there are "open standards"? The code you review can be swapped out on election day any number of ways! I mean, you are all programmers, mostly. How can you possibly fall for this? And there is code on the point of voting, code at the accumulators boxen, running Windows may I add, code at HQ adding up the accumulators' totals. It's the work of a morons's minute to swap out vote totals, or change the code at the point of voting to simply flip the voter's choice undetectably -- printing out a "receipt" that is worthless as record of what actually happened. The code can be changed and then replaced instantly. Or more likely, why bother? Who the hell can tell what code is really running on the box? The problem here is you all have a religious belief that when you ask a computer a question, you'll get an honest answer. But these are dedicated boxen, controlled by humans who are extremely motivated to alter the results. You can't beat them. You can only remove the means. No computers system should ever come near an election.

Canada does (did? sigh) vote using a manual process with real time oversight by suspicious characters from both parties present -- you know, the process we decided was mad in Florida in 2000. Somehow they finish up their elections in hours. Although, really, what the hell is the hurry to finish an election? Why not take a week? Someone REALLY wants to alter those votes. They want it quick, unmonitored, and completely open to tampering, and somehow this is the Only Way To Do It?

This idiocy wouldn't stand if we didn't have Kourictainment for a news media... god.

120 Days + 120 Days... Don't procrastinate.

[dhj (110274)]

The press release http://www.eac.gov/vvsg/News/press/eac-seeks-public-comment-on-tgdc2019s-recommended-voluntary-voting-system-guidelines-online-comment-tool-now-available [eac.gov] says the VVSG will be open for public comment for the next 120 days. After the 120 days they will internally review/modify the document and then re-open it for comments for another 120 days. If you have posted some brilliant, insightful bit of wisdom here on slashdot for karma... PLEASE TAKE THE TIME TO LEAVE A COMMENT IN THE RELEVANT SECTION OF THE VVSG. I am guessing comments that get posted in this first 120 day period will have more influence than those posted in the second 120 day period.