E-voting predicament: Not-so-secret ballots

Ohio's method of conducting elections with electronic voting machines appears to have created a true privacy nightmare for state residents: revealing who voted for which candidates.

Two Ohio activists have discovered that e-voting machines made by Election Systems and Software and used across the country produce time-stamped paper trails that permit the reconstruction of an election's results--including allowing voter names to be matched to their actual votes.

Making a secret ballot less secret, of course, could permit vote selling and allow interest groups or family members to exert undue pressure on Ohio residents to vote a certain way. It's an especially pointed concern in Ohio, a traditional swing state in presidential elections that awarded George Bush a narrow victory over John Kerry three years ago.

Ohio law permits anyone to walk into a county election office and obtain two crucial documents: a list of voters in the order they voted, and a time-stamped list of the actual votes. "We simply take the two pieces of paper together, merge them, and then we have which voter voted and in which way," said James Moyer, a longtime privacy activist and poll worker who lives in Columbus, Ohio.

Once the two documents are merged, it's easy enough to say that the first voter who signed in is very likely going to be responsible for the first vote cast, and so on.

"I think it's a serious compromise," said David Dill, a Stanford University computer science professor who has followed electronic voting issues closely. "We have a system that's very much based on secret ballots. If you have something where voters are involuntarily revealing their votes, it's a very bad practice."

Moyer and fellow activist Jim Cropcho tested this by dropping by the election office of Delaware County, about 20 miles north of Columbus, and reviewing the results for a May 2006 vote to extend a property tax to fund mental retardation services (PDF). Their results indicate who voted "yes" and who voted "no"--and show that local couples (the Bennets, for instance) didn't always see eye-to-eye on the tax.

Patrick Gallaway, communications director for Ohio Secretary of State Jennifer Brunner, a Democrat, said on Friday that his boss had already been planning to begin a "comprehensive" review of e-voting machines as part of a campaign pledge she made before taking office in January. He said the review now is likely to include a look at the ES&S voter privacy concern as well.

ES&S machines are used in about 38 states, according to the Election Reform Information Project, created by the Pew Center on the States. Of those states, Arkanasas, Iowa, North Carolina, Ohio, and West Virginia are among those using ES&S iVotronic machines with paper audit trails.

Other suppliers of electronic voting machines say they do not include time stamps in their products that provide voter-verified paper audit trails. Sequoia Voting Systems and Hart Intercivic both said they don't. A spokesman for Diebold Election Systems (now Premier Election Solutions), said they don't for security and privacy reasons: "We're very sensitive to the integrity of the process."

An ES&S spokeswoman at the Fleishman-Hillard public relations firm downplayed concerns about vote linking. "It's very difficult to make a direct correlation between the order of the sign-in and the timestamp in the unit," said Jill Friedman-Wilson. (ES&S iVotronic machines are used in 10 Ohio counties, mostly in the center of the state, according to a map on the BlackBoxVoting.org watchdog site.)

"That is so fatally flawed," Friedman-Wilson said about Moyer's and Cropcho's analysis. "It doesn't take into consideration any of the times that there would be interaction with a voter and a poll worker before the ballot is activated." As for the interaction of Ohio open records law with ES&S logs, she said that "it is most appropriate that the secretary of state's office and others who are responsible for carrying out elections respond to questions regarding Ohio election law and procedure."

Timestamps + Ohio law = trouble

One explanation is ES&S had never expected that the paper with the time stamps, known as a voter verified paper audit trail, or VVPAT, would be made public under state open records laws.

A report evaluating ES&S security prepared by Compuware auditors two years for the Ohio secretary of state--marked "Confidential" but available on the Internet (PDF)--does warn about keeping electronic time stamps. It says that the electronic representation of votes, called the Cast Vote Records, "should not have time stamp associated with it" and must be randomized to protect privacy.

But the auditors viewed timestamps on the physical printout, called the audit log, as needed to detect "tampering" with the ES&S iVotronic hardware. "All actions to the iVotronic are recorded in the audit log with a time stamp," the report said. "This includes opening and closing the polls, voting, inserting invalid voting cards, loss of power, and supervisor access."

David Wagner, a professor of computer science at the University of California, Berkeley, said electronic storage of votes in the order that voters cast them is a recurring problem with e-voting machines.

"This summer I learned that Diebold's AV-TSX touchscreen voting machine stores a time stamp showing the time which each vote was cast--down to the millisecond--along with the electronic record of that vote," Wagner said in an e-mail message. "In particular, we discovered this as part of the California top-to-bottom review and reported it in our public report on the Diebold voting system. However, I had no idea that this kind of information was available to the public as a public record."

The July 20 report on Diebold (PDF), written by Wagner and five Princeton University researchers for the California secretary of state, cites the electronic time stamp as a voting privacy concern. "If the time when each voter checks in is recorded in the poll log book, an attacker with access to the log book could correlate this data with the timestamps to determine how voters voted," the report says. "Alternatively, observers in the polling place could note the time when target voters cast their votes and find the corresponding vote records in the ballot results file."

Ohio law allows just this. Section 3501.13 of state law says "the records of the board and papers and books filed in its office are public records and open to inspection." Anyone who interferes with the public's right to inspect the records, in fact, is guilty of a misdemeanor.

[elhs]

Ohio voting not so secret

Assumption is flawed, with multiple voting machines and time taken to vote differences, matching sign in records to time stamped records doesn't provide proof of that individual's vote.

[stlwest]

Don't record voter sign in times, Ohio, shame on you!

Either change the law so this is not public information or change the system so voter sign in times are not recorded, only the date and an affirmation that they signed in while the polling place was open. If worried about insider records then the latter solution is most viable.

[Claudia Kuhns]

Ballots subject to Open records

Colorado ballots are subject to the Colorado Open Records Act so the same situation could happen in Colorado. The county clerk's association tried to change this law in the last legislative session, but were defeated by election integrity activists. The solution is getting rid of DRE's. They are not good for democracy. There are other solutions for voters with disabilities.

[georgiarat]

Concerned?

You should be but also should be concerned that the unions in
Ohio also want to destroy a secret ballot for union elections. If
the unions can tell how their members are voting in elections god
help us....

[Razzl]

Only partially valid

I agree that it would be very difficult to make valid identifications of how individual voters voted. In a circumstance where voters are entering and exiting quickly, you would only be entitled to make that identification if all of the nearby timestamps voted the same way, because the voter was part of that sequence; or, if there's a big gap in time between voters, that would also allow you to assign where the voter is in the sequence with confidence. And knowing party affiliation would provide a clue to unraveling the order in certain sequences.

Still, this isn't what should happen and should be fixed...

[chash360]

A potenital answer

Issue random and unique numbered voter memory cards that actually store the vote you make on them (but does not in anyway have any personally identifiable info on it). Voters can sign in presenting only their Valid ID (not the voting card). Make and record their votes. Each vote has a randomly generated unique number, that combined random-unique number of the card creates a recorded vote stored on the card, and to the voting machine. Then, and here's the cool part, after polls close, votes are verified, by voters comparing their vote recorded on the card (underwrite protection), with the vote recorded at the poll, through anonymous connection. At no time is the card identifiable to a person ever, and the system can not be tampered with since you retain a copy of the vote that must be verified afterwards. Distribution of the cards should be at random (drawn from a bucket, bin, etc.) providing only Valid Registered Voter ID (at the DMV in my state) or at the polling place. With proper encoding the system can preserve complete privacy, and provide a level of trust that e-voting today can not.

[dnysuperstarnumberone]

this is bunkum

The critic of this theory was right - the FIRST PERSON who spends any time loitering between sign-in and time of vote cast will throw off the ENTIRE REST of the list, and there is no way to tell whether that person loitered long enough to offset the count by one or two or a dozen. the list will again be offset by each subsequent loiterer. so basically, the first X% will match-up, but X won't be higher than 10 I'd say.

However, if they were able to get copies of video surveillance film from any public/private security cameras used in the larger settings...

[jesup]

The sign-in log doesn't matter

This affects a lot more states than Ohio, as any good security analyst would tell you. The date-ordered poll log (available on request) merely makes it easier to match them after-the-fact. Anyone who wants to know how people vote merely has to watch and record the order/time of voter sign-ins. And guess what - most states have people from each party there, and in many states they record all the voters separately already. (Pennsylvania is an example.)

This is also why roll-based paper trails are badly flawed. Even scanned-paper ballots need to be handled carefully - the order of votes needs to not be recorded electronically (just the total), and when the voting boxes that hold the scanned ballots are opened, the (nicely stacked) ballots in the box need to be randomized. (Note that simply "cutting" the stack is probably enough.)

[The Die Hard]

What Did You Expect?

Look up the history of ESS / Diebold. The
brother companies were started by wealthy
partisan BushDick contributors, are run by
wealthy partisan BushDick contributors, were
forced on the voters (via that nonsensical
BushDick partisan "Help America Vote Act" after
the piecemeal debacle they pulled off in 2000)
with the sole purpose of flipping votes from D
to R, and made millions for the few while
disenfranchising the many. The SINGLE AND ONLY
solution is to send ALL the DREs back, demand a
refund, and go back to the mark-on-paper
standard ballot that first-graders use to
advance to second grade. If the BushDicks claim
they can't get optical scanners in place before
the primaries, point out that they can always
borrow them from the schools for a day.

Nor is the "disabled" diversion anything more
than a ploy. Disabled people need assistance to
vote regardless of which system is used.

Dump the DREs. NOW. And if your county is
still run by BushDicks, you can make sure your
ballot has a paper record by voting absentee
ahead of time.

[dakiwiboid]

Which way do you want it?

Do people really want a verifiable paper trail, or don't they? These spools are verifiable and verified. Each voter sees his or her vote actually register on the spool (which is something of an improvement over most other methods. The spools are also not hackable, which should also be as an improvement over the memory cards that all of you folks keep complaining about.

In Missouri's St. Louis County, when we have to remove a paper spool, each one is initialed by the two assistant supervisors and supervisors, and the next one is inserted under their supervision as well. I don't know if it's done by a bi-partisan team in Ohio, but it's definitely done by one in Missouri. (We'd have more than two parties present here if the legislature changed the law, but at the moment it's only Democrats and Republicans.)

As for reconstructing how the voters voted, are they really only using one machine per polling place in Ohio? In St. Louis County, we've had three machines at the polling places where I've worked, and the voters go to them in random order. I don't think it'd be particularly easy to match them up to the voting rolls, which do not show the time the voter came in to vote. In a brisk election, I don't think I'd want to try that experiment.

During a very slow election, such as the last one I worked, you might have been able to figure out how the election was going just from the banter of the voters as they walked out the door. We could have given you a pretty close to 80% accurate guess about the ballot initiative's chance of success if we weren't sworn not to reveal the outcome of the election, even in jest.

And "observers in the polling place"? Most polling places in Missouri are in public schools. Do you think that you're going to get away with hanging around a school all day without the principal getting suspicious? They don't mind election officials. They actually like having us around, I suspect, because it gives them a chance to work elections into the syllabus, but I don't think that anyone other than an official poll watcher or challenger would get a chance to hang out at the polls all day.

[JimCropcho]

A common misconception

As data analyst for the project, I've posted a link on our blog to answers to this and other common misconceptions at

http://www.thepublicballot.org/2007/8/21/two-common-misconceptions

[wbenton]

Common Sense

Without a paper trail... it's impossible to determine whether a voter has voted only once or twice or how many times.

Duuuuhhhhhhh..... (* CHUCKLE *)

So where is the story? Or has common sense... or perhaps "lack there of"... become the story? (* GRIN *)

Walt

[AlKolwicz]

It's worse than reported.

The secret ballot issues raised by Moyer and Cropcho http://www.thepublicballot.org/ won't be solved until the toilet-paper roles used to sequentially record voter activity are eliminated.

As a Colorado poll watcher, I have the right to record the names of people who vote. By observing the sequence in which they use a specific DRE, I know the sequence of their (supposed) votes recorded on the VVPAT. Access to the roll means access to their "ballot". The canvass board and election officials have legal access to the roll.

NO!, I do not trust the officials. Not because they are evil, but because the protection of a secret ballot is sacrosanct. If any pathway to retrieving a specific voters ballot exists, it might be used: (1) by the court, or (2) for political purposes by a partisan official, or (3) to create a "threat of disclosure" needed by vote-buyers and voter-intimidators to suggest that they can know a voter's selections.

Furthermore, HART Intercivic suffers not only the problem described above, but also uniquely identifies every PAPER and VVPAT ballot with a unique, NON-REMOVABLE, serial number and barcode. Voters can make a record of this serial number on their ballot and use it to later identify their specific ballot. Consequently, the market for vote-selling is facilitated and the opportunity for voter intimidation is supported.

The arrogance of vendors who trample on our right to use a secret ballot must be punished by immediately forcing them to meet our requirements for "privately voted anonymous ballots".

Al


Al Kolwicz
Colorado Voter Group
2867 Tincup Circle
Boulder, CO 80305
303-494-1540
AlKolwicz@qwest.net
www.AlKolwicz.net
www.coloradovotergroup.blogspot.com

[towa1]

Not True Everywhere

I'm a poll worker in Stark County, Ohio. We have to provide a list of people who voted, and that's it. The paper trail is secured in a canister and noone has access to that.

The voter list is public because a politician can call the people who hasn't voted and remind them to vote.

Matt

[beschoot]

A simple solution.....

At the next election simply record the time all our elected officials vote and then make thier votes public. This will solve the problem in short order.

[fooooot]

Absentee

Simply become an absentee voter and bypass the whole problem.