E-voting predicament: Not-so-secret ballots

Ohio's method of conducting elections with electronic voting machines appears to have created a true privacy nightmare for state residents: revealing who voted for which candidates.

Two Ohio activists have discovered that e-voting machines made by Election Systems and Software and used across the country produce time-stamped paper trails that permit the reconstruction of an election's results--including allowing voter names to be matched to their actual votes.

Making a secret ballot less secret, of course, could permit vote selling and allow interest groups or family members to exert undue pressure on Ohio residents to vote a certain way. It's an especially pointed concern in Ohio, a traditional swing state in presidential elections that awarded George Bush a narrow victory over John Kerry three years ago.

Ohio law permits anyone to walk into a county election office and obtain two crucial documents: a list of voters in the order they voted, and a time-stamped list of the actual votes. "We simply take the two pieces of paper together, merge them, and then we have which voter voted and in which way," said James Moyer, a longtime privacy activist and poll worker who lives in Columbus, Ohio.

Once the two documents are merged, it's easy enough to say that the first voter who signed in is very likely going to be responsible for the first vote cast, and so on.

"I think it's a serious compromise," said David Dill, a Stanford University computer science professor who has followed electronic voting issues closely. "We have a system that's very much based on secret ballots. If you have something where voters are involuntarily revealing their votes, it's a very bad practice."

Moyer and fellow activist Jim Cropcho tested this by dropping by the election office of Delaware County, about 20 miles north of Columbus, and reviewing the results for a May 2006 vote to extend a property tax to fund mental retardation services (PDF). Their results indicate who voted "yes" and who voted "no"--and show that local couples (the Bennets, for instance) didn't always see eye-to-eye on the tax.

Patrick Gallaway, communications director for Ohio Secretary of State Jennifer Brunner, a Democrat, said on Friday that his boss had already been planning to begin a "comprehensive" review of e-voting machines as part of a campaign pledge she made before taking office in January. He said the review now is likely to include a look at the ES&S voter privacy concern as well.

ES&S machines are used in about 38 states, according to the Election Reform Information Project, created by the Pew Center on the States. Of those states, Arkanasas, Iowa, North Carolina, Ohio, and West Virginia are among those using ES&S iVotronic machines with paper audit trails.

Other suppliers of electronic voting machines say they do not include time stamps in their products that provide voter-verified paper audit trails. Sequoia Voting Systems and Hart Intercivic both said they don't. A spokesman for Diebold Election Systems (now Premier Election Solutions), said they don't for security and privacy reasons: "We're very sensitive to the integrity of the process."

An ES&S spokeswoman at the Fleishman-Hillard public relations firm downplayed concerns about vote linking. "It's very difficult to make a direct correlation between the order of the sign-in and the timestamp in the unit," said Jill Friedman-Wilson. (ES&S iVotronic machines are used in 10 Ohio counties, mostly in the center of the state, according to a map on the BlackBoxVoting.org watchdog site.)

"That is so fatally flawed," Friedman-Wilson said about Moyer's and Cropcho's analysis. "It doesn't take into consideration any of the times that there would be interaction with a voter and a poll worker before the ballot is activated." As for the interaction of Ohio open records law with ES&S logs, she said that "it is most appropriate that the secretary of state's office and others who are responsible for carrying out elections respond to questions regarding Ohio election law and procedure."

Timestamps + Ohio law = trouble

One explanation is ES&S had never expected that the paper with the time stamps, known as a voter verified paper audit trail, or VVPAT, would be made public under state open records laws.

A report evaluating ES&S security prepared by Compuware auditors two years for the Ohio secretary of state--marked "Confidential" but available on the Internet (PDF)--does warn about keeping electronic time stamps. It says that the electronic representation of votes, called the Cast Vote Records, "should not have time stamp associated with it" and must be randomized to protect privacy.

But the auditors viewed timestamps on the physical printout, called the audit log, as needed to detect "tampering" with the ES&S iVotronic hardware. "All actions to the iVotronic are recorded in the audit log with a time stamp," the report said. "This includes opening and closing the polls, voting, inserting invalid voting cards, loss of power, and supervisor access."

David Wagner, a professor of computer science at the University of California, Berkeley, said electronic storage of votes in the order that voters cast them is a recurring problem with e-voting machines.

"This summer I learned that Diebold's AV-TSX touchscreen voting machine stores a time stamp showing the time which each vote was cast--down to the millisecond--along with the electronic record of that vote," Wagner said in an e-mail message. "In particular, we discovered this as part of the California top-to-bottom review and reported it in our public report on the Diebold voting system. However, I had no idea that this kind of information was available to the public as a public record."

The July 20 report on Diebold (PDF), written by Wagner and five Princeton University researchers for the California secretary of state, cites the electronic time stamp as a voting privacy concern. "If the time when each voter checks in is recorded in the poll log book, an attacker with access to the log book could correlate this data with the timestamps to determine how voters voted," the report says. "Alternatively, observers in the polling place could note the time when target voters cast their votes and find the corresponding vote records in the ballot results file."

Ohio law allows just this. Section 3501.13 of state law says "the records of the board and papers and books filed in its office are public records and open to inspection." Anyone who interferes with the public's right to inspect the records, in fact, is guilty of a misdemeanor.

[elhs]

Ohio voting not so secret

Assumption is flawed, with multiple voting machines and time taken to vote differences, matching sign in records to time stamped records doesn't provide proof of that individual's vote.

[WDS2]

But...

"...with multiple voting machines and time taken to vote differences, matching sign in records to time stamped records doesn't provide proof of that individual's vote."

It doesn't NECESSARILY prove but it COULD. If you looked when the polls weren't busy you might be able to correlate 100% the person to the vote.

In any case even the vendor saw that this could be a problem.

[declan00]

actually

Did you actually read the full story, or just the first paragraph or two?

See this excerpt:

Of course, the correlation may not be perfect. If Voter No. 1 signs in but gives his space in line to Voter No. 2 who's in a hurry, a reconstruction of the votes based on public records will incorrectly identify their votes.

Having multiple machines and multiple lines can also create a randomization effect, but Moyer says that in his experience as a poll worker there's only one line that feeds into multiple machines. In addition, he says, poll workers log the voter into the ES&S iVotronic, which starts the time-stamped entries and means there's no additional randomization of voters taking different amounts of time to start the process.

[Thrudheim]

don't make excuses

You are likely right when it comes to very busy polling stations at
busy times of the day, but one should NEVER be able to figure out
how ANYBODY voted, ever. The ability to cast a secret ballot is at
the core to our system of elections. As this study shows, the votes
of particular people were able to be identified.

The system is flawed. All kinds of academic experts have been
talking about this for years, but they were ignored.

[stlwest]

Don't record voter sign in times, Ohio, shame on you!

Either change the law so this is not public information or change the system so voter sign in times are not recorded, only the date and an affirmation that they signed in while the polling place was open. If worried about insider records then the latter solution is most viable.

[Claudia Kuhns]

Ballots subject to Open records

Colorado ballots are subject to the Colorado Open Records Act so the same situation could happen in Colorado. The county clerk's association tried to change this law in the last legislative session, but were defeated by election integrity activists. The solution is getting rid of DRE's. They are not good for democracy. There are other solutions for voters with disabilities.

[georgiarat]

Concerned?

You should be but also should be concerned that the unions in
Ohio also want to destroy a secret ballot for union elections. If
the unions can tell how their members are voting in elections god
help us....

[Razzl]

Only partially valid

I agree that it would be very difficult to make valid identifications of how individual voters voted. In a circumstance where voters are entering and exiting quickly, you would only be entitled to make that identification if all of the nearby timestamps voted the same way, because the voter was part of that sequence; or, if there's a big gap in time between voters, that would also allow you to assign where the voter is in the sequence with confidence. And knowing party affiliation would provide a clue to unraveling the order in certain sequences.

Still, this isn't what should happen and should be fixed...

[chash360]

A potenital answer

Issue random and unique numbered voter memory cards that actually store the vote you make on them (but does not in anyway have any personally identifiable info on it). Voters can sign in presenting only their Valid ID (not the voting card). Make and record their votes. Each vote has a randomly generated unique number, that combined random-unique number of the card creates a recorded vote stored on the card, and to the voting machine. Then, and here's the cool part, after polls close, votes are verified, by voters comparing their vote recorded on the card (underwrite protection), with the vote recorded at the poll, through anonymous connection. At no time is the card identifiable to a person ever, and the system can not be tampered with since you retain a copy of the vote that must be verified afterwards. Distribution of the cards should be at random (drawn from a bucket, bin, etc.) providing only Valid Registered Voter ID (at the DMV in my state) or at the polling place. With proper encoding the system can preserve complete privacy, and provide a level of trust that e-voting today can not.

[chash360]

P.S.

The cards should have a built-in write protect, access pin number, and erase function such that it prevents snooping of the card if you do happen to trace it to someone.

[RPWill]

Good general idea.

Something along these general lines would be good.

However, the voter must never be able to "read" their vote off the card because this would facilitate vote selling ("If you vote X and show me you did so, I'll give you $10") and coercion (such as one dominate spouse "urging" the other to vote a particular way and expecting verification that they did so). Also, techniques involving rarely used physical tokens is difficult to administer because they would get misplaced and have to be reissued -- which is cumbersome and costly (and charging for the 100th replacement for an absent minded person would probably be construed as an illegal "poll tax").

A properly traceable system needs to have a way to verify that a particular vote was recorded correctly. In some areas, your "voter receipt" (torn off the ballot) could be used to verify that your ballot was recorded correctly - but it's just your word that you didn't actually punch out both candidates for one office (i.e., invalidating the vote by "overvoting") and that someone else must have done so later.

I believe there are schemes that would leverage technology to solve these problems.

One such scheme might be to provide the voter with a paper receipt containing an encrypted representation of their vote as well as a unique (but randomly generated) identification "vote id", and a random bit of key material. The encrypted representation would be stored along with the vote in the voting system EXCEPT that the randomly generated key would not be stored. The encryption key (simplistically here - the actual implementation would be more complicated but the inclusion of all this key material is the point) would include a voter supplied portion (this material would be provided by the voter at the time of voting - they must remember it if they want to challenge how their vote was counted), a randomly generated key (not stored, but displayed on the receipt in cleartext), additional key material would be from a public key of each member of an M member non-partisan panel - probably composed in part of judges. The encryption would be done in such a way that N of the M (where N<M) panel members' private keys would also be required to decrypt the vote (this is one area my description is simplistic - there might be a bunch of session keys and what not to support this).

If a voter wanted to verify/prove that their vote was/was not counted correctly, they would make a request to examine their recorded vote. The examination would take place at a secure facility using a secure system. The examination would require the voter (and the key they entered when voting), their receipt (containing the unique id for this "vote instance" as well as the randomly generated key saved only on the receipt), and "N" of the panel members present to enter their private key material. The secure system would scan the receipt, take all the provided key material, and look up the vote (by "vote id") in the database, verify that the stored encrypted vote matched that on the receipt (helping validate that the receipt IS a real rather than forged receipt), and then reveal the recorded vote to the voter in a secure shielded area with NO ONE ELSE in the secure area (disabled individuals would be accommodated by having a randomly selected trusted person - perhaps a judge - available to assist the voter by reading the vote etc). If the votes don't match, and the voter wishes to pursue the mismatch, there would be a process to examine the source of the discrepancy (this would probably require that the voter reveal their key to a trusted group of investigators).

With a little additional effort (probably using a one way hash of the encrypted vote? - I would need to think this part through a bit more) it should be possible for a voter to verify via a public web site that their vote was actually recorded (but, of course, not how it was recorded). Obviously the system which serves this web site would be working ONLY with one-way hashes of encrypted stuff extracted from the underlying (secure!) database. This would allow voters to verify their vote was cast and, coupled with the count of votes and voters, make it impractical to "insert" or "delete" votes.

Of course, all the software and the hardware design (but, of course, none of the embedded private validation keys etc.) used in this system should be available for all to examine and all of it should have verification built into the lowest levels (starting with hashing/encryption embedded on a difficult to modify chip and with high levels of hardware integration). Without this public review, the system could not be trusted.

This could perhaps be made more secure by including some biometric information to give three factor authentication for the "vote revealing" process (what I know [my key], what I have [my receipt], is this MY receipt [biometric match]) - but gathering and storage of such information is likely to be unacceptable and the benefit seems sufficiently small to be outweighed by the privacy concerns.

[dnysuperstarnumberone]

this is bunkum

The critic of this theory was right - the FIRST PERSON who spends any time loitering between sign-in and time of vote cast will throw off the ENTIRE REST of the list, and there is no way to tell whether that person loitered long enough to offset the count by one or two or a dozen. the list will again be offset by each subsequent loiterer. so basically, the first X% will match-up, but X won't be higher than 10 I'd say.

However, if they were able to get copies of video surveillance film from any public/private security cameras used in the larger settings...

[jesup]

The sign-in log doesn't matter

This affects a lot more states than Ohio, as any good security analyst would tell you. The date-ordered poll log (available on request) merely makes it easier to match them after-the-fact. Anyone who wants to know how people vote merely has to watch and record the order/time of voter sign-ins. And guess what - most states have people from each party there, and in many states they record all the voters separately already. (Pennsylvania is an example.)

This is also why roll-based paper trails are badly flawed. Even scanned-paper ballots need to be handled carefully - the order of votes needs to not be recorded electronically (just the total), and when the voting boxes that hold the scanned ballots are opened, the (nicely stacked) ballots in the box need to be randomized. (Note that simply "cutting" the stack is probably enough.)

[The Die Hard]

What Did You Expect?

Look up the history of ESS / Diebold. The
brother companies were started by wealthy
partisan BushDick contributors, are run by
wealthy partisan BushDick contributors, were
forced on the voters (via that nonsensical
BushDick partisan "Help America Vote Act" after
the piecemeal debacle they pulled off in 2000)
with the sole purpose of flipping votes from D
to R, and made millions for the few while
disenfranchising the many. The SINGLE AND ONLY
solution is to send ALL the DREs back, demand a
refund, and go back to the mark-on-paper
standard ballot that first-graders use to
advance to second grade. If the BushDicks claim
they can't get optical scanners in place before
the primaries, point out that they can always
borrow them from the schools for a day.

Nor is the "disabled" diversion anything more
than a ploy. Disabled people need assistance to
vote regardless of which system is used.

Dump the DREs. NOW. And if your county is
still run by BushDicks, you can make sure your
ballot has a paper record by voting absentee
ahead of time.

[dakiwiboid]

Which way do you want it?

Do people really want a verifiable paper trail, or don't they? These spools are verifiable and verified. Each voter sees his or her vote actually register on the spool (which is something of an improvement over most other methods. The spools are also not hackable, which should also be as an improvement over the memory cards that all of you folks keep complaining about.

In Missouri's St. Louis County, when we have to remove a paper spool, each one is initialed by the two assistant supervisors and supervisors, and the next one is inserted under their supervision as well. I don't know if it's done by a bi-partisan team in Ohio, but it's definitely done by one in Missouri. (We'd have more than two parties present here if the legislature changed the law, but at the moment it's only Democrats and Republicans.)

As for reconstructing how the voters voted, are they really only using one machine per polling place in Ohio? In St. Louis County, we've had three machines at the polling places where I've worked, and the voters go to them in random order. I don't think it'd be particularly easy to match them up to the voting rolls, which do not show the time the voter came in to vote. In a brisk election, I don't think I'd want to try that experiment.

During a very slow election, such as the last one I worked, you might have been able to figure out how the election was going just from the banter of the voters as they walked out the door. We could have given you a pretty close to 80% accurate guess about the ballot initiative's chance of success if we weren't sworn not to reveal the outcome of the election, even in jest.

And "observers in the polling place"? Most polling places in Missouri are in public schools. Do you think that you're going to get away with hanging around a school all day without the principal getting suspicious? They don't mind election officials. They actually like having us around, I suspect, because it gives them a chance to work elections into the syllabus, but I don't think that anyone other than an official poll watcher or challenger would get a chance to hang out at the polls all day.

[JimCropcho]

A common misconception

As data analyst for the project, I've posted a link on our blog to answers to this and other common misconceptions at

http://www.thepublicballot.org/2007/8/21/two-common-misconceptions

[wbenton]

Common Sense

Without a paper trail... it's impossible to determine whether a voter has voted only once or twice or how many times.

Duuuuhhhhhhh..... (* CHUCKLE *)

So where is the story? Or has common sense... or perhaps "lack there of"... become the story? (* GRIN *)

Walt

[RedlumJak]

Well Designed

It's possible to set up a system that makes sure someone only votes once while preserving their privacy. For example, If the poll workers check people off a list of valid voters as they come in, then it's not possible to reconstruct when they came in later from that public record.

Someone could still sit and write it down though. Which is why the ballots should be separate pieces of paper (not a paper roll) and they should not have sequential serial numbers.

[AlKolwicz]

It's worse than reported.

The secret ballot issues raised by Moyer and Cropcho http://www.thepublicballot.org/ won't be solved until the toilet-paper roles used to sequentially record voter activity are eliminated.

As a Colorado poll watcher, I have the right to record the names of people who vote. By observing the sequence in which they use a specific DRE, I know the sequence of their (supposed) votes recorded on the VVPAT. Access to the roll means access to their "ballot". The canvass board and election officials have legal access to the roll.

NO!, I do not trust the officials. Not because they are evil, but because the protection of a secret ballot is sacrosanct. If any pathway to retrieving a specific voters ballot exists, it might be used: (1) by the court, or (2) for political purposes by a partisan official, or (3) to create a "threat of disclosure" needed by vote-buyers and voter-intimidators to suggest that they can know a voter's selections.

Furthermore, HART Intercivic suffers not only the problem described above, but also uniquely identifies every PAPER and VVPAT ballot with a unique, NON-REMOVABLE, serial number and barcode. Voters can make a record of this serial number on their ballot and use it to later identify their specific ballot. Consequently, the market for vote-selling is facilitated and the opportunity for voter intimidation is supported.

The arrogance of vendors who trample on our right to use a secret ballot must be punished by immediately forcing them to meet our requirements for "privately voted anonymous ballots".

Al


Al Kolwicz
Colorado Voter Group
2867 Tincup Circle
Boulder, CO 80305
303-494-1540
AlKolwicz@qwest.net
www.AlKolwicz.net
www.coloradovotergroup.blogspot.com

[towa1]

Not True Everywhere

I'm a poll worker in Stark County, Ohio. We have to provide a list of people who voted, and that's it. The paper trail is secured in a canister and noone has access to that.

The voter list is public because a politician can call the people who hasn't voted and remind them to vote.

Matt

[beschoot]

A simple solution.....

At the next election simply record the time all our elected officials vote and then make thier votes public. This will solve the problem in short order.

[fooooot]

Absentee

Simply become an absentee voter and bypass the whole problem.