1. A.W. - September 5, 2008 at 8:56 am

   Call me stupid, but jeez how hard can this be? This is basic calculation. Its 1+1 times however many voters.

   I have long proposed a solution, though. We are each given a unique “voter number.” That is a number for our eyes only. Then on election day, the votes of every person is posted online, by that voter number. In other words, if you are 725782342, then you can see that you voted for McCain for president, Amanda Hugankiss for Governor, and so on. Thus you literally get the best of both worlds: the verifiability of an open ballot, with the secrecy of a secret ballot.

   Then next time we have a bush v. Gore circumstance, we don’t have to debate chads and the like, and try to guess who they wanted. you can in essence recreate the election.

2. Danielle Citron - September 5, 2008 at 9:18 am

   That is a great idea, and one I have read about, but what might be the counterarguments against such an approach, from a security perspective or otherwise? It would be terrific to hear your thoughts on that–much thanks.

3. Blake Reid - September 5, 2008 at 10:21 am

   Danielle, it’s a tad unreasonable to compare voting machines to air traffic control systems. Air traffic control systems are permanent infrastructure running 24/7 with life and death ramifications for their failure. They are hardened by design and bugs are readily apparent and fixed immediately. Contrast these with voting machines, which are (relatively) cheap, portable, deployed by an army of volunteers, and generally used no more than twice a year. In my opinion, it’s too difficult to make voting machines both affordable for the most cash-strapped counties in the nation and hardened to the degree that their efficacy is guaranteed, particularly because conducting a test on the system that will replicate conditions on voting day is practically impossible.

   A.W. – though the mentioned error in vote counting logic is truly inexcusable, the problem is more complicated than you suggest. You’re looking at a massively distributed system, combined with complex technology to accommodate disabled voters, different ballots at every precinct, different voting rules in every county, etc.

   The “voter number” solution has two problems. First, there are serious privacy issues. Based on who you vote for in a local election, I can now determine roughly where you live and see how my national candidate did there. Furthermore, I can track who you voted for last time around and look at your voting patterns. Also, because you have to identify yourself either at the polling place or via absentee ballot to verify that you’re only voting once, there’s now a necessary link between your name and your “secret” number sitting on a database somewhere. All it takes is a malicious or sloppy county employee to acquire this data, and now your voting records can be easily searched.

   Second, there is a logistical IT problem collating this nationally distributed information into a centralized database. Sure, you could require all counties to implement a local database, but where does the money and oversight come from?

   Fixing the voting system isn’t hard because there frankly was no problem with the way we used to do it. Using paper ballots supplemented with mail-in ballots for disabled voters and a bipartisan army of volunteers to collect and count the votes is a time-tested way of maintaining anonymity, keeping a paper trail, and essentially eliminating the possibility of wholesale voter fraud. It’s low-tech, but it works and smart county commissioners are moving back in this direction. I’m a computer scientist and I’ve never, ever seen or heard of an e-voting implementation that works as well as the paper method.

   On a related note, we should eliminate stringent ID requirements that essentially amount to a poll-tax. Individual voter fraud is a statistically non-existent problem and trying to eliminate it unfairly disenfranchises minority voters.

4. Blake Reid - September 5, 2008 at 10:22 am

   Danielle, it’s a tad unreasonable to compare voting machines to air traffic control systems. Air traffic control systems are permanent infrastructure running 24/7 with life and death ramifications for their failure. They are hardened by design and bugs are readily apparent and fixed immediately. Contrast these with voting machines, which are (relatively) cheap, portable, deployed by an army of volunteers, and generally used no more than twice a year. In my opinion, it’s too difficult to make voting machines both affordable for the most cash-strapped counties in the nation and hardened to the degree that their efficacy is guaranteed, particularly because conducting a test on the system that will replicate conditions on voting day is practically impossible.

   A.W. – though the mentioned error in vote counting logic is truly inexcusable, the problem is more complicated than you suggest. You’re looking at a massively distributed system, combined with complex technology to accommodate disabled voters, different ballots at every precinct, different voting rules in every county, etc.

   The “voter number” solution has two problems. First, there are serious privacy issues. Based on who you vote for in a local election, I can now determine roughly where you live and see how my national candidate did there. Furthermore, I can track who you voted for last time around and look at your voting patterns. Also, because you have to identify yourself either at the polling place or via absentee ballot to verify that you’re only voting once, there’s now a necessary link between your name and your “secret” number sitting on a database somewhere. All it takes is a malicious or sloppy county employee to acquire this data, and now your voting records can be easily searched.

   Second, there is a logistical IT problem collating this nationally distributed information into a centralized database. Sure, you could require all counties to implement a local database, but where does the money and oversight come from?

   Fixing the voting system isn’t hard because there frankly was no problem with the way we used to do it. Using paper ballots supplemented with mail-in ballots for disabled voters and a bipartisan army of volunteers to collect and count the votes is a time-tested way of maintaining anonymity, keeping a paper trail, and essentially eliminating the possibility of wholesale voter fraud. It’s low-tech, but it works and smart county commissioners are moving back in this direction. I’m a computer scientist and I’ve never, ever seen or heard of an e-voting implementation that works as well as the paper method.

   On a related note, we should eliminate stringent ID requirements that essentially amount to a poll-tax. Individual voter fraud is a statistically non-existent problem and trying to eliminate it unfairly disenfranchises minority voters.

5. Blake Reid - September 5, 2008 at 10:22 am

   Danielle, it’s a tad unreasonable to compare voting machines to air traffic control systems. Air traffic control systems are permanent infrastructure running 24/7 with life and death ramifications for their failure. They are hardened by design and bugs are readily apparent and fixed immediately. Contrast these with voting machines, which are (relatively) cheap, portable, deployed by an army of volunteers, and generally used no more than twice a year. In my opinion, it’s too difficult to make voting machines both affordable for the most cash-strapped counties in the nation and hardened to the degree that their efficacy is guaranteed, particularly because conducting a test on the system that will replicate conditions on voting day is practically impossible.

   A.W. – though the mentioned error in vote counting logic is truly inexcusable, the problem is more complicated than you suggest. You’re looking at a massively distributed system, combined with complex technology to accommodate disabled voters, different ballots at every precinct, different voting rules in every county, etc.

   The “voter number” solution has two problems. First, there are serious privacy issues. Based on who you vote for in a local election, I can now determine roughly where you live and see how my national candidate did there. Furthermore, I can track who you voted for last time around and look at your voting patterns. Also, because you have to identify yourself either at the polling place or via absentee ballot to verify that you’re only voting once, there’s now a necessary link between your name and your “secret” number sitting on a database somewhere. All it takes is a malicious or sloppy county employee to acquire this data, and now your voting records can be easily searched.

   Second, there is a logistical IT problem collating this nationally distributed information into a centralized database. Sure, you could require all counties to implement a local database, but where does the money and oversight come from?

   Fixing the voting system isn’t hard because there frankly was no problem with the way we used to do it. Using paper ballots supplemented with mail-in ballots for disabled voters and a bipartisan army of volunteers to collect and count the votes is a time-tested way of maintaining anonymity, keeping a paper trail, and essentially eliminating the possibility of wholesale voter fraud. It’s low-tech, but it works and smart county commissioners are moving back in this direction. I’m a computer scientist and I’ve never, ever seen or heard of an e-voting implementation that works as well as the paper method.

   On a related note, we should eliminate stringent ID requirements that essentially amount to a poll-tax. Individual voter fraud is a statistically non-existent problem and trying to eliminate it unfairly disenfranchises minority voters.

6. Blake Reid - September 5, 2008 at 10:27 am

   Oh, and the chad problem is simply an issue of a bad ballot design. There are many ways to design a ballot where issues of determining voter intent ex ante are no more significant than those caused by user interface confusion on e-voting machines.

7. Danielle Citron - September 5, 2008 at 1:40 pm

   Blake,

   Thank you so much for your incisive comments. I agree with the privacy concerns with databases of voter information, but might there be a way to construct a system that automatically deleted the correlated vote after a set number of days, that did not have sensitive personally identifying information attached to the number, and the system itself was open code such that structurally we had a strong measure of confidence in its accuracy and security. And voting fraud of last century largely involved the stuffing paper ballots, or loss of some, by partisan officials. There, too, we need serious control over the ballots in the same way as we do e-voting machines. How would you address that concern? In any event, thank you so much for your comments.

8. Blake Reid - September 5, 2008 at 2:09 pm

   Having open, verifiable code is a nice thought, but hiring the computer scientists to verify it is expensive – and unless you make the machines themselves subject to examination, there’s not necessarily any way to verify that code on individual machines hasn’t been modified. Regardless, there are no voting machine manufacturers willing to submit to this level of scrutiny, so it’s a bit of a moot point.

   It might be possible to devise a system that divorces the “voter ID” from the voter registration information, but it relies on printing paper copies of ballots and assuming all voters will double-check their votes. In my opinion, this is an iffy strategy.

   About the “stuffing” problem, all voting systems, paper and otherwise, are subject to bad actors on either side of the aisle because of the sheer scale of national elections. However, paper ballots are distributed in such a broad way that any meaningful impact on election results requires some kind of a coordinated conspiracy involving many people to implement, whereas a single person with the proper technical know-how can easily alter electronic voting tallies (and potentially do so in an undetected fashion).

9. Brett Bellmore - September 5, 2008 at 9:11 pm

   I distrust any voting system based on a programable, general purpose computer. They are, after all, designed so the programs can be changed. (Lest you think I’m some kind of luddite, computer engineering was my major in college.) Even if you could use some kind of encryption based system which was genuinely secure, it would be secure in a way most people couldn’t understand, and it’s important that people understand that their votes are secure.

   Paper is a long established technology, and it’s really hard to screw with the result on a large scale through application of any degree of cleverness. I’ve yet to see the advantage of computerized voting over a simple optical scan system.

Leave a Reply