Joi Ito's Web

Joi Ito's conversation with the living web.

Mercury News
E-voting panel wants to dump troubled system

SACRAMENTO - Less than seven months before the presidential election, an advisory panel Thursday unanimously recommended an unprecedented ban of touch-screen election equipment used in four California counties.

The panel also urged Secretary of State Kevin Shelley to seek a criminal or civil investigation into the conduct of Diebold Election Systems, the Ohio-based firm that manufactured the troubled voting system.

Yes! We really need to get rid of e-voting. It's such a bad idea and until now, I thought we were losing the battle. We need to make sure this doesn't end with just Diebold.

via Dan Gillmor


Remember that e-voting is not all bad. The people at OVC have put together a really nice system. The user votes on a touchscreen. The voting station then prints out a paper ballot with the voter's votes in text format and a barcode representing the vote. (The barcode is protected through XOR'ing with the ballot number and random padding.)

The voter puts the ballot into a special envelope so that the barcode is exposed, but the text representation of the votes is hidden. Votes are tallied by machines reading the barcodes. A random sample of ballots is drawn for manual verification.

This system gives all the benefits of an electronic system -- ease of use when you have a huge number of elections/choices on the ballot as is usual in the US, and fast electronic counting.

Um, wanna explain why e-voting is bad?

There is a lot of work done on the risks of e-voting, but I'll list several of the risks of the types that are being tested now. (I think the type that Guan is talking about may be better.)

1. No paper trail so you can't recount easily or audit. Logs are too easy to tamper with and are not trustworthy.

2. It is difficult for citizens to audit or visibly tell if there is any monkey business going on at the ballot box. It's hard to be sure whether what you are doing on the screen is actually going to get counted properly.

3. The system could be attacked with a DoS or some other type of hacker attack. Imagine a vote schedule getting stuck and a country not having a head of state for some period.

4. One of the biggest problems is that the company that makes the machine has to be trusted. In the case of Diebold, it's clear that they were not trustworthy. It adds another possibly partisan group into the system that in the best case, can be mistrusted and damage the validity of a close count and in the worst case could throw the vote one way or another.

Vote rigging/fraud already exists. There is a LOT OF MONEY behind those who would like to throw the vote one way or another. There are many other ways to game a system where there is less transparency and e-voting may make voting more efficient, but it adds a lot of additional black boxes into the system.

Guan. And I just thought about your system and yes... it is better, but I can imagine ways to game the system. The "random" samples could be rigged not to be random and hide monkeying around. It would be difficult for the human being to tell whether the barcode really does represent what they voted for and if the fraudulent barcodes were set to be created not to coincide with the random samples, you could get away with it.

Again, you can do stuff like this in real life, but introducing stuff to this system allows it to scale more easily than a physical hack.

By the way, I think there are some videos floating around of discussions with Diebold. I'll have to dig them up. I think I saw them at ETcon. They will make you wince.
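Added example, not part of the original thread or of OVC's design: the audit discussed above (a random sample of ballots drawn for manual verification, and the worry that the sample might be rigged) can be quantified and made checkable. The sketch computes the chance that a uniform sample catches at least one altered ballot, and draws the sample from a seed published after the ballots are sealed so anyone can recompute it; the function names, the SHA-256 ranking and all figures are assumptions of this example.

```python
import hashlib
from math import comb

def detection_probability(total, altered, sample):
    """Chance that a uniform sample (without replacement) of `sample` ballots
    contains at least one of `altered` tampered ballots out of `total`."""
    if not (0 <= altered <= total and 0 <= sample <= total):
        raise ValueError("altered and sample must lie between 0 and total")
    # P(miss all) = C(total - altered, sample) / C(total, sample)
    return 1 - comb(total - altered, sample) / comb(total, sample)

def min_sample_size(total, altered, confidence):
    """Smallest sample whose detection probability reaches `confidence`,
    or None if it is unreachable (e.g. nothing was altered)."""
    for n in range(total + 1):
        if detection_probability(total, altered, n) >= confidence:
            return n
    return None

def draw_sample(seed, ballot_ids, sample):
    """Publicly recomputable draw: rank every ballot by SHA-256(seed || id)
    and audit the `sample` lowest. The seed (assumed here to come from a
    public ceremony such as dice rolls) must be fixed only after all ballots
    are sealed; a seed known earlier lets tampering steer around the sample."""
    def rank(ballot_id):
        return hashlib.sha256(seed + b"|" + str(ballot_id).encode()).digest()
    return sorted(sorted(ballot_ids, key=rank)[:sample])

if __name__ == "__main__":
    # Constructed figures: 100,000 ballots, 0.5% altered, 1,000 audited by hand.
    total, altered = 100_000, 500
    print(f"P(detect) with 1000 audited: {detection_probability(total, altered, 1000):.4f}")
    print("sample needed for 99%:", min_sample_size(total, altered, 0.99))
    print("audit these:", draw_sample(b"constructed-public-seed", range(1, 51), 5))
```
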

Joi, you are wrong on all points, but I'll assume it is because of a lack of research on your part. Check out the Evox Voting System for the theory and VoteHere for the implementation of the first possible way to circumvent the rigging of elections in their long and sordid history.

Check out the Evox system [..] for the first possible way to circumvent the rigging of elections in their long and sordid history.

Well, I suppose it boils down to this:

- pieces of paper are visible and countable by everybody, and rigging votes requires significant -- and hopefully detectable -- physical effort

- Systems like Evox based on public key cryptosystems are believed trustworthy, but only because it's assumed that nobody knows yet how to crack them, or that e.g. the systems -- and select few humans? -- protecting the private key(s) are secure and tamper-proof.

1) Pieces of paper are certainly not countable by everyone, not in any practical sense.

2) Of course there is no such thing as a totally secure implementation of a theoretically totally secure system, but you can get damn close. Voter privacy can be breached in many ways, such as compromising the private key like you suggest. However compromising the integrity of the election is much more difficult, and is not dependent on securing the private key.

The amount of misinformation and misunderstanding surrounding this issue boggles the mind, but I guess cryptography is an abstruse topic for most people. The activism surrounding the Diebold case is a text-book example of good intentions gone awry.