Comments on: Shamos: Why e-voting paper trails are a bad idea

Michael Shamos, a computer scientist at Carnegie Mellon, says concerns over voter-verifiable paper trails are overblown and electronic systems are safer than paper ones.

[RickRussellTX]

If paper trails are broke, fix them.

He comes up with all kinds of arguments to indicate that broken e-voting is OK as long as everybody is committed to fix it. But we're supposed to dump the concept of a verified printout because "they use cheap printers?"

This argument strains credulity. Cash registers all over the world -- at far lower cost than voting machines -- are keeping accurate records of the purchases punched into them. Is the failure rate something like 20%? Ridiculous.

Creating a verifiable paper trail is popular because it's the easiest of the authentication mechanisms for both voters and politicians to understand. Dr. Shamos can talk about the benefits of multiply-redundant flash memory all day long, but that gives no way for a *voter* to know that the vote is correct and secure.

[fredmenace]

what a moron

This interview is proof positive that being a computer scientist with a PhD doesn't make one even remotely intelligent.

"Every manipulation of elections that's been proven has involved the manipulation of paper."

This kind of blows a hole right through his entire argument. His "point" that no fraud has been proven for electronic voting is unfortunately an admission that it would be nearly impossible to prove that fraud IS occurring in electronic voting (at least as electronic voting is set up now) even when it does occur.

And I think we have pretty good reason to believe that electronic voting fraud on a pretty large scale (far larger than with paper ballots any time in the last 50 years) has occurred in every election since 2000. (We have evidence of very significant, election-altering irregularities, and we have means, motive, and opportunity in every case.)

That he hasn't found any actual offending code to prove the fact is again evidence that he's not very bright, as many of the successful hacks (which would be most likely to be used) don't involve changing source code on the machines at all, and all the evidence would be long-gone by the time the election even begins.

No, we don't want to stop progress in the development of electronic voting machines, of which the most critical point is not to accept any electronic voting machine that is not 100% open-source software, which would then also expose poor-quality coding, as well as being verifiable in its security and correctness, and better enabling verification tests and sample attacks to probe for vulnerabilities. But in the meantime, they are SO unreliable and bug-ridden and SO prone to manipulation and SO unknown and unknowable by both the public and election officials, that it's unconscionable that we could continue relying on them without some simple checks and balances.

That leads us back to paper copies of ballots, which do have problems (the most trivial of which to fix is that they use "cheap Chinese printers" that create illegible printouts much of the time - this may be the "reality" of how elections are run, but it's such a BS justification I can hardly believe he actually used it), but they are KNOWN problems for which we have developed various safeguards over the years, and difficult to tamper with on a large scale.

[pegdashfab]

excellent points

and when shamloss pulls the "cheap chinese printers" canard out of his backside, he is transparently resorting to a racist, xenophobic argument.

ok, mike, we'll use AMERICAN printers, ok? ok?

[dnyc_1999]

What an idiot!

You're a mouth piece of the establishment! How much did they pay you in grants to tote the party line? Why don't we throw away voting all together? Let's just let the corporations PICK the candidate! Oh wait, they already do! Man I hope I never see you in class, one of us will be VERY unhappy!

Moron

[rmercuri]

Paperless DREs are an even worse idea

Attorney Shamos, in his position as election equipment
inspector for the PA Secretary of State, has practically
single-handedly ensured that the majority of PA's votes
cannot be independently recounted. He certainly
knows that the DREs are flawed -- the Commonwealth
has a set of videos showing him examining various of
the machines, one of which even performed a D to R
vote-flip while he was performing the testing. He
passed the machine anyway. He could insist on
integrity and auditability for election equipment, fail all
of the DREs, and make PA an opscan state, like many
others (like PA and Florida) now are. But no, instead he
chooses to rail on about why e-voting paper trails are a
bad idea in any forum that will give him some airtime,
while he turns a blind eye to the real problem -- trade
secret, faulty, unauditable DREs. Thanks to Mike's
efforts, PA is the next Florida.

[rmercuri]

Oops I meant OH and FL

(like OH and FL) now are....

[T543212345]

nothing against the secret ballot...

...but it's not a "cornerstone" of our democracy. It was an Australian innovation adopted by Progressives in the early twentieth century. Perhaps the new challenges of the twenty-first century electronic voting require we modify our voting practices again.

[suyts]

Maybe nitpicking

but Kentucky was the last state in the Union to embrace secret ballots in 1891.

[c|net Reader]

No Regression

Even if secret ballots haven't been with us since the beginning of the country, it would be folly to regress. Coercion will be the rule.

[My-Self]

Why do they have an IRDA port ?

Quite amazingly, those machine (Diebold so called "Accuvote" machines) have the mother of all stealth communication ports : IRDA
The IRDA port seems like the 'best' way to tamper those machines.

Here is an article with pictures :
http://www.lookingglassnews.org/viewstory.php?storyid=5139

IRDA have been a commercial failure because of the huge complexity of it's software stack. You can bet such code contains a few gems that would allow a buffer overflow execution exploit.

To create a tampering device, I would make a simple infrared dongle (shaped like a car infrared remote control). With proper timing, it would be easy to spit out the required bad packets to allow execution of downloaded code. The code would alter the result (switch 250 votes or something), then erase itself leaving no traces. It could be used in key precincts during the election, by firing it from a distance, even through light clothing. Oh, and it should also be able to spit out the unlock code for the guy's car alarm system, just in case.

Naturally, if the manufacturer, in it's willingness to "deliver Ohio for Bush" helps by planting a bug in the voting machine, the IRDA exploit is even easier to code ...

http://query.nytimes.com/gst/fullpage.html?res=9804E3DC1339F93AA35752C1A9659C8B63

When you don't have time to create an infrared bug, you can still use that little 4 minutes trick :
http://vvnm.org/wiki/bevhacked.html

[Eldritch.Ichor]

What a Convoluted Argument

What a convoluted argument Michael Shamos makes against paper trails for electronic voting machines.

Convoluted and unconvincing.

Fortunately, because his thinking is so fouled up, few who know their subject will pay much attention to it--although, of course, his position will come as welcome news to those with a profit motive in favor of electronic voting, or for those with other agendas.

Michael Shamos takes a minority position among computer scientists, like those in the U.S. arm of the Association for Computing Machinery.

Sometimes minority opinions provide a good counterpoint. Sometimes they are simple rubbish, like the opinion here of Michael Shamos.

[ktmotox]

We don't trust electronic voting....

and yet our entire worldwide financial system is based on computers (for the most part not backed-up by hardcopy documents).

[pegdashfab]

and we all know ...

how well "our entire worldwide financial system" is doing: it is in freefall! great example!

[chash360]

Its not M$ Software.....

Fortunately the core of the financial sector does not use M$ software to keep track of everything!

BG wanted this to happen many years ago when attempting to qualify for class C federal computing security rules, but did not get what they wanted, hence the complete abandonment of security, nor have they attempted such security classification again. NT3.51 was the first and last attempt at this level of security. Since they did not get what they wanted (into the finacial sector) and would not get it even if they did achieve class C (which they did not achieve while networked) they gave up completely.

Computers can provide perfect security if done properly, because they can do things people can not do, the ability to store, perfectly, a very large number and keep it from ever being shown or recorded in a fasion that a human could utilize, can keep things secure. If the critical key is never in the hands (mind) of any human, how can a human forge one? If it is so difficult to forge one, and you use new/different keys for everything, how can anyone do any kind of massive corruption?

[ifoster]

paper forever

It is really quite simple, any high school graduate can varify a paper ballot, instantly.

[Arbalest05]

So paper trails are bad because the printers are crap?

I have no doubt that Prof. Shamos is a learned man, but...where to start?
One big problem with paperless evoting machines is that there can Never be a recount. If there is election fraud, there is no evidence with paperless machines. With paperless systems, election fraud is just so darned easy.
My state went to paper ballots and optical scanning machines - since there are recount- able/verifiable ballots, fraud is much more difficult.
I'd have to say that Shamos is wrong on this issue.

[battlefella]

Where did you dig this guy up?

His arguments are so 'over the top' that they become laughable. Paper trails can't work because cheap Chinese printers are used and they always jam? "...these audits always produce a huge list of vulnerabilities" but such vulnerabilities can't "interfere with the integrity of an election" - then what exactly is his definition of vulnerability?

While there are hints of valid arguments in some of what he says (paper trails can be problematic), he twists facts to meet his points. He says paper can be manipulated easier than the electronic data - which is generally true, but completely ignores the fact that the dual system prevents fraud by being used to compare against each other. Manipulating BOTH the electronic and paper systems becomes nearly impossibly, so fraud is caught by the discrepancies. His point is almost "if they don't match, you can't tell which is right, so let's just trust the electronic and avoid the mismatches in the first place". Regardless of whether the electronic is actually accurate.

[Arbalest05]

Doesn't this guy work for the MPAA?

Is this the same Michael I. Shamos who is also a lawyer and has been known to work on behalf of the MPAA in the past?

[pegdashfab]

the very one

that shamos, he's a baaad mother ... SHUT YOUR MOUTH i was just talkin' about shamos!

[athayer]

Paper ballots trump electronic ones

I've been an election official in Vermont for 18 years, in two different towns, both of which use hand-counted paper ballots for all elections. As our presidential elections are also the time for state and county elections, our ballots can be very complex and involve over 15 offices. The same is true for town elections.

Rather than being a burden, hand counting of the ballots is an opportunity for community. We get to know people of opposing parties as we hand-count together. AND our results are ALWAYS verifiable.

What Shamos misses entirely is that the ONLY reliable way to verify a voter's intent is to use paper ballots and hand count them. All the computer programmers I know, including my husband assure me that programming a machine, or electronic card, to flip votes is an easy task. Computer code can be inserted to start the process after the election starts, and end just before the election ends, and the coding can be done in a manner the isn't observable by "testing" the electronic machine or electronic cards for a particular election.

I'm fascinated that there isn't more discussion about how to reclaim this essential part of democracy, and to ensure that it is used even in our largest cities. It is always possible to get public participation if the right approach is used. It seems that we are ceding the most important part of democracy to machines without analyzing whether this is really going to preserve the integrity of elections.

Paper ballots are used for federal elections in Canada. Surely the US can do as well as that in our own elections!

[rapier1]

Paper trail

How do you know the ballots you are counting are the ones that the voters actually cast?

What Samos is saying isn't that paper paper is necessarily bad - more that it isn't the panacea that many people seem to think it is. Paper ballots can be manipulated, changed, modified, and destroyed through any number of well known and commonly used methods.

Having a paper record doesn't make things secure. It can, in some cases, help, but its can introduce its own set of vulnerable points. I'd hate to see paper ballots create a false sense of security.

As for paper ballots being an 'essential part of democracy' I don't see how that plays out. Is it because you'd have a very small percentage of the population involved in the counting proceedure? How does that involve people in the process any more than being a polling place officer?

Lastly, the *only* way to verify the voter's intent is to ask the voter. I believe Florida's paper ballot in 2000 clearly indicated that just having a piece of paper does not always allow a voter to unmistakably signal their intent.

I'm not saying that paper ballots or trails are a bad idea only that they have their own, well known, problems and aren't a panacea. You can't just slap a printer onto a voting machine and pretend that you've defeated vote fraud.

[chash360]

Unless you hold the verification...

If you hold and track your own vote record for verification, it matters not how flawed the software is, what matters is what is recorded, counted and most importantly verified.

The most secure computer system is the open source system, where you can publish every detail of how it works, and (if you know programming) you can see it is secure, you do not have to rely on trust, when you have actual knowledge.....

An electronic system that requires verification by the voters is the best way to resolve the security issues. See my other posts.

[chash360]

Already hacked, by gov officials

I have seen the video on YouTube of the Florida trials involving DIEBOLD and there intentional hack of the 2004 elections didn't you?

It was gov official that asked a diebold programmer to fix the election, actual court testimony (of course that never made the mainstream news media did it?)

[chash360]

E-Voting answer, right here.....

Yes use electronic voting, with no paper trail required.

Issue uniquely (and randomly) numbered voter memory cards that will record the actual issues/measures/canidates to be voted on, how you voted on the issue/measure/canidate, when and where the vote was recorded. These cards would be issued (by random draw from a bin, by the voter) at places where you register to vote, requiring valid registered voter ID to obtain. The issueing facility is NOT allowed to track or record the unique ID of the card at all, assuring voter anonymity.

These cards must have a physical read protect and write protect, and erase switches such that the Voting machine that records your vote can not read anything else on the card. Such that the verification system can not write to your card. The erase function works without computer or external device to complete voter security. As an extra measure they should contain internal clock circuitry for independant time stamps to be recorded.

First you vote using the speciallized machine, which records unique ID numbers for each vote issue, Vote response, Date, Time, Location and Vote Device, both on your (read protected Card) and to the recording server or vote machine hardrive etc. These GUIDs are issued from a central source on demand and recorded, so no ability to create extra votes after the fact.


Next the all important verification step, that needs to be a mandatory addition for all E-voting. Switch the card to write protect, and access through the Internet from anywhere (other than where you voted, and after votes are initially tallied), a gov operated voting verification website, and verify the vote recorded on the card was counted correctly, and the info on the gov server matches what you have on the card, before your vote is counted as official. These counts would be order dependent as well, so that even if you had complete access, you could not insert a fake vote, it would throw the counts off.

No need for fancy encryption, or unreadable data, since absolutely no personally identifying information exists on the card or is recorded with your vote. No electronic vote that is not separately verified, gets counted in the end. No means of tracking, or targeting any voter to their votes. No ability to fake votes, because you hold an electronic copy to verify against. Enables fast re-counts and re-verifications. Only registered voters, because you would still have to present valid registered voter ID to use the machine.

[galeso]

Why?

Do they make elections less secure?
I am an election judge and never had a paper jam, if so I would fix it. The paper trail, I am told, is used to verify that the machines are working. They sample a few and assume that if they match, then the other machines are probably working also.

Maybe Shamos thinks elections are a bad idea. We could have our elected officials pick their successors and save the cost of the election. If we don't trust them, why did we vote for them. :)

[watunda]

I get a receipt when I buy a pack of gum.

And I can read it no problem. When I vote electronically, I want a receipt. On this receipt is a unique identifying number. I can go to a website later and type in this number and, no big deal, I can see/verify who I voted for.

What is a big deal is that this data comes off of ONE set of physical servers. The voting results are tallied off these same servers. These servers can be (and are) constantly audited by anyone and everyone.

Now the chance of altered results and/or uncorrected errors are near zero.

Care for a piece of gum?

[chash360]

That's It!

That sounds like the fastest, easiest, most cost effective solution to the problem.

Although I would add that one physical set of servers is adding some risk, the system could easily be distributed, transparent to the user.

Additionally there probably should be 'aggregation' points to further check for tampering, by adding up votes at the Ward, then District, then County, then State levels, up to the final counting point, to look for descrepancies in tabulation. Exclude at the lowest level when descrepancies appear, until investigations discover the source, or get verified, etc.

The receipt number would need to be fairly large, so as to discourage attempts at forging. If it were as simple as an 8 or 10 digit number then the truly ambitious could attempt to invalidate votes by guessing reciept numbers, and simply claim the vote as invalid, before you validated it yourself, but this would still be a narrow opportunity to corrupt votes. Treat the reciept numbers like passwords (3 failed attempts locks out your MAC or IP address for half an hour, etc.) to further reduce tampering attempts, etc.

Basically this appears to be the best answer put forth in this forum, anybody got a better idea?

If only our government could attack and solve problems as efficiently as the masses can on the Internet....collective intelligence at its best.

[pegdashfab]

coercion and bribery

a system that allows voters to prove how they voted is open to voter coercion and bribery, which undermines democracy. this is why we have a secret ballot in the first place.

[lampietheclown]

One statement, Two ways of looking at it.

Quote: "Every manipulation of elections that's been proven has involved the manipulation of paper."

The point he is trying to make is obvious. The other point, that this same statement makes, is that if you want to be able to PROVE tampering, you better have paper.

QUOTE: "Shamos: I say, and the advocates are forced to admit it, that there's never been any evidence that a DRE machine has been tampered with in an election."

Once again...

I may be missing something, but why is it so hard to count pieces of paper?

Each voting place counts the number of ballots against the number of people who voted. They then count the votes and submit the results to the precinct. The precinct submits the totals from the voting locations to the counties, who submit their totals to the state. at every step the totals are posted publicly so that any mistakes or tampering is obvious. The polling place is the only one who has to count the actual ballots. How many people vote at any one place? I'm thinking a couple thousand at most, but even 5-6 thousand isn't that cumbersome to count.

Where's the problem?

Lampie