Saw a movie last night...

... entitled "Hacking Democracy". It's a documentary about blackboxvoting.org and its attempts over the past six years to expose and fix problems in the way our elections run, most especially the Diebold touch-screen and optical-scan voting machines.

One scene shows a candidate, after the election she lost, visiting the warehoused touch-screen machines, pressing the button for her name, and seeing her opponent's name show up on the screen at the bottom.

Much more dramatically, in the climactic sequence at the end of the film, an election supervisor in Florida sets up a mock election with one yes/no ballot question to test whether a Diebold memory card really can be hacked. He inserts the allegedly-hacked, and allegedly-passive, memory card into a randomly-chosen voting machine, runs its startup self-test according to standard procedure, and confirms that the initial vote totals are 0 "yes" and 0 "no". Then we watch on camera as six people mark "no" and two vote "yes" on their optical-scan ballots and the ballots are fed into the machine one by one. The supervisor follows standard procedure to close the election and print out the final results, which show seven "yes" and one "no" vote. The memory card is then removed from the machine, following standard procedure, and inserted into a central tallying machine, which again shows seven "yes" and one "no" vote. As the election supervisor says, "If I hadn't seen these wrong answers with my own eyes, I would have certified this as a flawlessly-run election." Diebold, on hearing about the exploit, criticized the election supervisor for trying to test his own machines without being a certified testing agency. :-)

In a news story this morning, New York State is bragging about saving hundreds of millions of dollars by not complying with the Help America Vote Act by its deadline of two years ago; the states that did comply bought hundreds of millions of dollars worth of voting machines that they now don't trust. (I like to think I can claim a tiny bit of credit for this, as I wrote to my state legislators several years ago with a list of criteria any voting machine must have, including a voter-verifiable paper trail.)

If we're going to have faith that the election reflects the votes of the people,
1) there has to be an independent record that can be recounted, to confirm that things were counted and added correctly; and
2) this independent record has to be verifiable by the voter, or the election machine itself could be hacked to produce skewed records. (We currently don't have this assurance in New York's lever machines.)

In my letters to legislators, I also suggested
3) the machines have the capability to record not only a single-choice vote but a ranking, so state and local governments can at least experiment with other aggregation systems such as Borda, Condorcet, or Instant Runoff. (I happen to favor Borda, but any of these would be an improvement on the single-choice vote.)
4) small-random-sample recounts be not on request, when there's a known irregularity with a particular election, but rather routine and mandatory so you can discover irregularities. If the small random sample shows significant discrepancies, there must be a larger random-sample recount. If that shows significant discrepancies, there must be a complete recount.
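
The escalation rule in point 4, sketched as an added example (not part of the original post). The precinct data is constructed, and the sample fractions and the `tolerance` threshold for a "significant" discrepancy are assumptions, since the post gives no numbers.

```python
import random

def constructed_election(n_precincts, tampered):
    """Constructed data: paper record is 2 yes / 6 no everywhere; tampered
    precincts report 7 yes / 1 no (the figures from the film's mock election)."""
    paper = {f"P{i:03d}": {"yes": 2, "no": 6} for i in range(n_precincts)}
    machine = {p: dict(t) for p, t in paper.items()}
    for p in tampered:
        machine[p] = {"yes": 7, "no": 1}
    return machine, paper

def mismatches(machine, paper, precincts):
    """Hand-count the paper for the sampled precincts; return those that differ."""
    return [p for p in precincts if machine[p] != paper[p]]

def escalating_audit(machine, paper, small=0.05, large=0.25, tolerance=0, seed=None):
    """Mandatory audit: small sample -> larger sample -> complete recount.
    Sample fractions and `tolerance` are assumed values, not from the post."""
    rng = random.Random(seed)  # seeded only so the example is repeatable
    precincts = sorted(machine)
    log = []
    for stage, frac in (("small sample", small), ("large sample", large),
                        ("full recount", 1.0)):
        if frac >= 1.0:
            sample = precincts
        else:
            sample = rng.sample(precincts, max(1, round(frac * len(precincts))))
        bad = mismatches(machine, paper, sample)
        log.append((stage, len(sample), len(bad)))
        if len(bad) <= tolerance:
            break  # no significant discrepancy at this stage: stop escalating
    return log

if __name__ == "__main__":
    clean = constructed_election(200, [])
    dirty = constructed_election(200, [f"P{i:03d}" for i in range(120)])
    for label, (machine, paper) in (("clean", clean), ("tampered", dirty)):
        for stage, sampled, bad in escalating_audit(machine, paper, seed=7):
            print(f"{label:9s} {stage:13s} sampled={sampled:3d} mismatched={bad}")
```

A small sample can miss tampering confined to a handful of precincts, which is why the sample must be random and the audit routine rather than triggered by a complaint.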

Some scientists have suggested the following solution to the trust issue:
1) You cast your vote using a touch-screen machine (with accommodations for the blind, the physically handicapped, etc.). It produces a punch card.
2) You carry this punch card across the room to another machine, not connected to the first, and feed it through. It shows on a little screen (or says through an earphone) how it thinks you voted. If this doesn't match how you thought you had voted, you tear up the punch card and go back to step 1, perhaps at a different touch-screen machine :-)
3) If they do match, you carry this punch card across the room to a third machine, not connected to the first two, and feed it through. (Or maybe you just press an "Accept" button on the second machine.) It counts your vote and stores the punch card with all the others for potential recounting.

If somebody hacks just the first machine, voters can detect (using the second machine) that it's punching votes incorrectly. To hide this, the bad guys need to hack both the first and second machines so if you vote for A, the first machine punches your vote as for B, but the second tells you reassuringly that it was for A. This is difficult because, since the two machines aren't connected, there's no obvious way for the first machine to tell the second who you think you voted for. (It's important that the punch cards have no "spare" fields in which the first machine could hide this information... although if it did, it would at least be detectable in a recount. It's also important that there be more than one of each kind of machine in the room, and that each voter can pick any one of each kind of machine, to make it harder for them to synchronize with one another.)
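
A small model of the three-step flow above, as an added example that is not part of the original post. The two-candidate contest, the one-hole-per-candidate card layout and all function names are assumptions made for illustration; the strict card parser is what enforces the "no spare fields" requirement.

```python
CANDIDATES = ("A", "B")  # constructed two-candidate contest

def punch(choice):
    """Honest first machine: one hole position per candidate, nothing else."""
    return tuple(1 if c == choice else 0 for c in CANDIDATES)

def flipped_punch(choice):
    """Model of a compromised first machine: punches the other candidate."""
    return punch(CANDIDATES[1 - CANDIDATES.index(choice)])

def read_card(card):
    """Second and third machines: strict parse of the card. Any extra
    position could carry hidden data, so the card is rejected outright."""
    if len(card) != len(CANDIDATES) or any(b not in (0, 1) for b in card):
        raise ValueError("card has spare or malformed fields")
    if sum(card) != 1:
        raise ValueError("card must have exactly one hole")
    return CANDIDATES[card.index(1)]

def vote(intent, marker, ballot_box):
    """Steps 1-3 from the voter's side. Returns True if the vote was
    counted, False if the voter tore up the card after checking it."""
    card = marker(intent)        # step 1: touch-screen produces the card
    shown = read_card(card)      # step 2: unconnected verifier reads it back
    if shown != intent:
        return False             # mismatch: card is torn up, voter starts over
    ballot_box.append(card)      # step 3: card is counted and retained
    return True

def recount(ballot_box):
    """Recount from the retained cards alone, independent of any running total."""
    totals = {c: 0 for c in CANDIDATES}
    for card in ballot_box:
        totals[read_card(card)] += 1
    return totals

if __name__ == "__main__":
    box = []
    print("honest marker counted:", vote("A", punch, box))
    print("hacked marker counted:", vote("A", flipped_punch, box))
    print("recount:", recount(box))
```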

So how do you ensure that the two machines aren't connected, in these days when everything has a wireless card in it? The device manufacturers will probably want wireless cards in their machines, for ease of software distribution. I guess you would have to design the machines so the wireless cards can be physically and visibly removed or disabled, and part of the election protocol is to disable all the wireless cards immediately after installing updated-and-certified software, not to be re-enabled until after the election is over.


It's a great film. Should be required viewing for High School Civics Classes.