Discussion:
Why We Shouldn't Count Votes with Machines
Kathy Dopp
2008-08-12 23:47:05 UTC
Date: Tue, 12 Aug 2008 01:16:29 -0400
Subject: [EM] Why We Shouldn't Count Votes with Machines
Responses concentrate on fact that present DREs and paper
ballots have problems, and do not consider fixing the DREs.
As virtually all (all I know) independent computer scientists (who do
not profit from certifying or working for VVV's - vulture voting
vendors) agree, it is *not* possible to "fix" DREs because their
fundamental design is flawed. I.e. Any machine cast or machine printed
record of ballots is not going to work.

The flaws of DRE paper roll ballot printers include (there is a much
longer list):

Studies show that fewer than 30% of voters check machine-printed paper
ballot roll records and fewer than 30% of voters who check (or about
10% of all voters) accurately proofread their machine-printed paper
ballot roll records to detect any errors, so that a programmer can
switch up to 90% of available target votes in a way that no audit can
detect. Also there is a "two strikes and you are out" rule that
prevents the most diligent voter from having a machine-printed paper
ballot record that matches the voter's choices. A voter can only
cancel ballot casting twice due to an incorrect printed paper roll
record. On the third try, the voter receives an error message on the
screen warning that the voter has only one more chance to cast their
ballot. On the third try, the paper roll ballot record whizzes
quickly inside the canister WITHOUT GIVING THE VOTER A CHANCE TO SEE
THE PAPER RECORD!

--

Any machine-printed paper ballot record will have the same flaws, and
electronic video, audio, or pictorial verification systems are even
worse.

Shamos is considered a rogue among computer scientists and I am fairly
certain that Shamos does not have any degree in computer science, as
is true of most "experts" who support DREs.

The persons who rebutted Shamos' articles *do* have formal training
and degrees in computer science.

Cheers,

Kathy
----
Election-Methods mailing list - see http://electorama.com/em for list info
rob brown
2008-08-13 01:17:49 UTC
Post by Kathy Dopp
As virtually all (all I know) independent computer scientists (who do
not profit from certifying or working for VVV's - vulture voting
vendors) agree, it is *not* possible to "fix" DREs because their
fundamental design is flawed. I.e. Any machine cast or machine printed
record of ballots is not going to work.
The flaws of DRE paper roll ballot printers include (there is a much
Studies show that fewer than 30% of voters check machine-printed paper
ballot roll records and fewer than 30% of voters who check (or about
10% of all voters) accurately proofread their machine-printed paper
ballot roll records to detect any errors, so that a programmer can
switch up to 90% of available target votes in a way that no audit can
detect. Also there is a "two strikes and you are out" rule that
prevents the most diligent voter from having a machine-printed paper
ballot record that matches the voter's choices. A voter can only
cancel ballot casting twice due to an incorrect printed paper roll
record. On the third try, the voter receives an error message on the
screen warning that the voter has only one more chance to cast their
ballot. On the third try, the paper roll ballot record whizzes
quickly inside the canister WITHOUT GIVING THE VOTER A CHANCE TO SEE
THE PAPER RECORD!
The "two strikes you are out" rule is not inherent to machine voting -- that
is fixable, obviously.

Regardless, are you suggesting that a programmer could steal an election by
just hoping that every one of the people who had it fail twice in a row
is going to simply say "oh well" and go home, rather than raise holy hell
about it?

As a programmer myself, I can tell you that any non-stupid (but evil)
programmer would have it do it correctly the second time....I mean, you know
they are looking that time, so why push your luck for one vote? So the "2
strikes and you're out", silly as it may be, is hardly the issue.

I can also tell you that much of the issue here is far out of the field of
computer science, and is more in the area of sociology/psychology with a
little game theory and economics thrown in.

I don't disagree that there are problems with machine voting, some easier to
fix than others. (a paper trail is an absolute necessity, for instance, as
is open source code) Still I think you are blowing things out of
proportion -- to a large enough degree that your propaganda has pulled me
out of my typical lurk mode on the list.
Post by Kathy Dopp
Shamos is considered a rogue among computer scientists and I am fairly
certain that Shamos does not have any degree in computer science, as
is true of most "experts" who support DREs.
And I am fairly certain that you didn't spend two minutes researching, as
you'd have easily found that he does indeed have a PhD in computer science
from Yale. Which gives me one more reason to suspect the facts you
present. (don't take this as an endorsement of what Shamos says, just a
reaction to your logically and factually unsound propaganda)

-rob
Dave Ketchum
2008-08-13 02:53:13 UTC
Post by Kathy Dopp
Date: Tue, 12 Aug 2008 01:16:29 -0400
Subject: [EM] Why We Shouldn't Count Votes with Machines
Responses concentrate on fact that present DREs and paper
ballots have problems, and do not consider fixing the DREs.
As virtually all (all I know) independent computer scientists (who do
not profit from certifying or working for VVV's - vulture voting
vendors) agree, it is *not* possible to "fix" DREs because their
fundamental design is flawed. I.e. Any machine cast or machine printed
record of ballots is not going to work.
"fundamental design is flawed"? If so, obvious response is to redo
the design.
Post by Kathy Dopp
The flaws of DRE paper roll ballot printers include (there is a much
Studies show that fewer than 30% of voters check machine-printed paper
ballot roll records and fewer than 30% of voters who check (or about
10% of all voters) accurately proofread their machine-printed paper
ballot roll records to detect any errors, so that a programmer can
switch up to 90% of available target votes in a way that no audit can
detect.
I do not see how an auditor could know of and tailor the audit to the
particular ballots the programmer did not switch.
Post by Kathy Dopp
Also there is a "two strikes and you are out" rule that
prevents the most diligent voter from having a machine-printed paper
ballot record that matches the voter's choices. A voter can only
cancel ballot casting twice due to an incorrect printed paper roll
record. On the third try, the voter receives an error message on the
screen warning that the voter has only one more chance to cast their
ballot. On the third try, the paper roll ballot record whizzes
quickly inside the canister WITHOUT GIVING THE VOTER A CHANCE TO SEE
THE PAPER RECORD!
What does it matter? How come the redesign failed to attend to
properly recording the vote?
Post by Kathy Dopp
--
Any machine-printed paper ballot record will have the same flaws, and
electronic video, audio, or pictorial verification systems are even
worse.
Huh? There seems to be general agreement that present DREs need
replacing. I only ask that we try for usable replacements.

I also cannot get excited over the machine-printing you mention -
proper equipment should work correctly and not need such (except,
perhaps, to please nervous voters).
Post by Kathy Dopp
Shamos is considered a rogue among computer scientists and I am fairly
certain that Shamos does not have any degree in computer science, as
is true of most "experts" who support DREs.
The persons who rebutted Shamos' articles *do* have formal training
and degrees in computer science.
Crane's paper does not explicitly mention Shamos or its authors having
such a degree - it does mention involvement in voting.

For one Crane author, Edward Cherlin, I read of working on affordable
software and hardware for voting around the world.
Hopefully he is intending such to be adequate.

Do not know if such a degree was available when I was in college -
could not have learned much presently usable. Remember a tidbit about
weather forecasting. Could give a computer data to predict for
tomorrow - by the time program was done you could look out the window
and see if it got it right.
Remember a problem later at work - too much data for Fortran to
fit in available memory. Heard of a new language - Jovial. Available
staff was engineers who could hardly spell "program" and assembly
programmers who could hardly spell "compiler". I successfully
installed compiler and taught staff for project to use.
Later - task could not execute in available time - invented new,
faster, instructions then used in available computers.
Post by Kathy Dopp
Cheers,
Kathy
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.



Kathy Dopp
2008-08-13 03:34:56 UTC
"fundamental design is flawed"? If so, obvious response is to redo the
design.
Hi David,

The only "design" that is *not* flawed (that I know of) is
voter-marked paper ballots because it provides voter-verifiED ballots.

However the optical scanning machines that count them today are very
flawed and use no modern security, encryption, or open standard data
formats that have been available for many years. They're your basic
cheap junk, but far superior to today's basic cheap e-ballot junk.
Post by Kathy Dopp
The flaws of DRE paper roll ballot printers include (there is a much
Studies show that fewer than 30% of voters check machine-printed paper
ballot roll records and fewer than 30% of voters who check (or about
10% of all voters) accurately proofread their machine-printed paper
ballot roll records to detect any errors, so that a programmer can
switch up to 90% of available target votes in a way that no audit can
detect.
I do not see how an auditor could know of and tailor the audit to the
particular ballots the programmer did not switch.
Huh!? I said: "so that a **programmer** can switch up to 90% of
available target votes in a way that no audit can detect."

Valid audits require manually counting ballots of randomly selected
reported unofficial vote counts.

The problem is that because only 10% of voters may accurately check
machine-printed paper ballot records, ALL MACHINE PRINTED ballots will
match erroneous electronic vote totals because 90% of the
machine-printed paper ballots can be printed to match erroneous
electronic touchscreen ballot records, and the voters would not notice
it; and no audit can detect the fraud.

Voters *could* detect the fraud, but the 10% of voters who notice that
their first ballot did not match their choices and cancel their first
ballot, may think that they made a mistake rather than the machine
when the second time they try to cast their ballot after canceling it
on the first try when they notice the erroneous paper ballot, their
paper ballot then *does* match their choices. As I said, 10% of the
ballots can *not* be switched by the programmer (only 90% of target
paper ballots and their e-ballots can be switched by the programmer),
but ALL the printed ballots will match the erroneous e-ballot totals.

This particular DRE hack was published back around May 2005 in the
Brennan Center Report "The Machinery of Democracy" and is why
virtually all (everyone I know and I have written papers with dozens
of PhD computer scientists on voting system topics) computer
scientists oppose using e-ballot voting systems with machine-printed
paper ballot records.
Post by Kathy Dopp
Also there is a "two strikes and you are out" rule that
prevents the most diligent voter from having a machine-printed paper
ballot record that matches the voter's choices. A voter can only
cancel ballot casting twice due to an incorrect printed paper roll
record. On the third try, the voter receives an error message on the
screen warning that the voter has only one more chance to cast their
ballot. On the third try, the paper roll ballot record whizzes
quickly inside the canister WITHOUT GIVING THE VOTER A CHANCE TO SEE
THE PAPER RECORD!
What does it matter? How come the redesign failed to attend to properly
recording the vote?
I do not get your question. If you want to know more about this
particular "Two Strikes You're Out" flaw of DRE-printed paper ballot
records, either:

1. If you personally vote on a DRE, try cancelling your ballot twice
and then see what happens when you cast your ballot on the third try.
(Take a picture of the warning screen with your cell phone before
pushing the button, and then watch the ballot quickly roll up before
you can see what is on it.)

or

2. Read the NJ Institute of Technology studies of DRE printers which
caused NJ to refuse to certify any of the DRE paper printers.

Without a limit on the number of times a voter can try to print a
matching paper ballot record, and without a way for the voter to bail
out of casting a vote on a DRE which refuses to create an accurate
paper ballot record, then obviously there would be other problems,
like running out of paper in the paper rolls (poll workers frequently
have problems loading the paper, load it backwards so it does not
print, and the papers frequently jam while printing, or keep the
covers closed so voters don't see the paper ballot records, or voters
can easily sabotage the paper so that it appears to work during the
elections but all the records are erased at the end of the election).
(See the CA SoS study of voting systems.)

Sigh, so the FLAW is the inanity and expense and hassle of trying to
keep a printer running in every polling booth during elections rather
than using a less costly paper ballot, and more importantly the fact
that the machine, rather than the voter is marking the paper ballot
record.

Fix that cannot be done without switching to voter marked optical scan
paper ballots.
Huh? There seems to be general agreement that present DREs need replacing.
I only ask that we try for usable replacements.
Over 60% of US election jurisdictions already implemented "usable
replacements" - the optical scan paper ballot system.
Crane's paper does not explicitly mention Shamos or its authors having such
a degree - it does mention involvement in voting.
Not surprising.

ANY SYSTEM can be assumed to be inaccurate if it lacks a routine
method for detecting and correcting errors that is independent of the
software. Since voting is much more difficult to secure than banking
due to the secret ballot, the only method of providing software
independence is a paper ballot.

You certainly would not expect me to deposit my vote anonymously
without a receipt into a bank, so why would anyone want me to use such
an insane method for voting which would make it trivially easy for any
insider to alter the election outcomes undetectably?
For one Crane author, Edward Cherlin, I read of working on affordable
software and hardware for voting around the world.
Hopefully he is intending such to be adequate.
Many good folks are working on affordable, open source optical scan
voting equipment because most of today's optical scanners are also
hackable junk.

As Ion Sancho of Florida said (paraphrased), "It will take a long time
to fix our voting systems, in the meantime we need to push for
AUDITS."
Do not know if such a degree was available when I was in college -
How long ago were you in college? Computer science degrees have been
around since at least 1969 and I believe long before then. That's when
I took my first computer science course. I have a couple of friends
who learned to program when they had to hard wire computers to program
them.
could not
have learned much presently usable.
I first programmed with punch-cards.
Remember a tidbit about weather
forecasting. Could give a computer data to predict for tomorrow - by the
time program was done you could look out the window and see if it got it
right.
:-) Well that used to be true, but weather prediction programs are
much more sophisticated and faster nowadays.
Remember a problem later at work - too much data for Fortran to fit in
available memory.
It is easy to overrun computer memory with data and programming
instructions, depending on the application and the skill (or lack of
it) of the programmer. I would imagine that the new weather programs
take a huge amount of memory to run.
Heard of a new language - Jovial. Available staff was
engineers who could hardly spell "program" and assembly programmers who
could hardly spell "compiler". I successfully installed compiler and taught
staff for project to use.
Later - task could not execute in available time - invented new, faster,
instructions then used in available computers.
Yes, well the Internet was invented so that various researchers could
use others' faster computers at different locations to run
long-running programs.

Cheers,

Kathy
Dave Ketchum
2008-08-13 05:23:59 UTC
Somehow we are not connecting, but I will try one more time.
Post by Kathy Dopp
"fundamental design is flawed"? If so, obvious response is to redo the
design.
Hi David,
The only "design" that is *not* flawed (that I know of) is
voter-marked paper ballots because it provides voter-verifiED ballots.
I SAID: "redo the design"! Looking around at other known failures
DOES NOT COUNT, beyond perhaps learning better what to avoid.
Post by Kathy Dopp
However the optical scanning machines that count them today are very
flawed and use no modern security, encryption, or open standard data
formats that have been available for many years. They're your basic
cheap junk, but far superior to today's basic cheap e-ballot junk.
Ditto!
Post by Kathy Dopp
Post by Kathy Dopp
The flaws of DRE paper roll ballot printers include (there is a much
Studies show that fewer than 30% of voters check machine-printed paper
ballot roll records and fewer than 30% of voters who check (or about
10% of all voters) accurately proofread their machine-printed paper
ballot roll records to detect any errors, so that a programmer can
switch up to 90% of available target votes in a way that no audit can
detect.
I do not see how an auditor could know of and tailor the audit to the
particular ballots the programmer did not switch.
Huh!? I said: "so that a **programmer** can switch up to 90% of
available target votes in a way that no audit can detect."
Valid audits require manually counting ballots of randomly selected
reported unofficial vote counts.
The problem is that because only 10% of voters may accurately check
machine-printed paper ballot records, ALL MACHINE PRINTED ballots will
match erroneous electronic vote totals because 90% of the
machine-printed paper ballots can be printed to match erroneous
electronic touchscreen ballot records, and the voters would not notice
it; and no audit can detect the fraud.
Voters *could* detect the fraud, but the 10% of voters who notice that
their first ballot did not match their choices and cancel their first
ballot, may think that they made a mistake rather than the machine
when the second time they try to cast their ballot after canceling it
on the first try when they notice the erroneous paper ballot, their
paper ballot then *does* match their choices. As I said, 10% of the
ballots can *not* be switched by the programmer (only 90% of target
paper ballots and their e-ballots can be switched by the programmer),
but ALL the printed ballots will match the erroneous e-ballot totals.
This particular DRE hack was published back around May 2005 in the
Brennan Center Report "The Machinery of Democracy" and is why
virtually all (everyone I know and I have written papers with dozens
of PhD computer scientists on voting system topics) computer
scientists oppose using e-ballot voting systems with machine-printed
paper ballot records.
I give up on deciphering most of this.

I do agree on opposing such "machine-printed paper ballot records".
Post by Kathy Dopp
Post by Kathy Dopp
Also there is a "two strikes and you are out" rule that
prevents the most diligent voter from having a machine-printed paper
ballot record that matches the voter's choices. A voter can only
cancel ballot casting twice due to an incorrect printed paper roll
record. On the third try, the voter receives an error message on the
screen warning that the voter has only one more chance to cast their
ballot. On the third try, the paper roll ballot record whizzes
quickly inside the canister WITHOUT GIVING THE VOTER A CHANCE TO SEE
THE PAPER RECORD!
My point, again, was DO the needed redesign, don't cry over present
spilt milk.
Post by Kathy Dopp
What does it matter? How come the redesign failed to attend to properly
recording the vote?
I do not get your question. If you want to know more about this
particular "Two Strikes You're Out" flaw of DRE-printed paper ballot
1. If you personally vote on a DRE, try cancelling your ballot twice
and then see what happens when you cast your ballot on the third try.
(Take a picture of the warning screen with your cell phone before
pushing the button, and then watch the ballot quickly roll up before
you can see what is on it.)
or
2. Read the NJ Institute of Technology studies of DRE printers which
caused NJ to refuse to certify any of the DRE paper printers.
Without a limit on the number of times a voter can try to print a
matching paper ballot record, and without a way for the voter to bail
out of casting a vote on a DRE which refuses to create an accurate
paper ballot record, then obviously there would be other problems,
like running out of paper in the paper rolls (poll workers frequently
have problems loading the paper, load it backwards so it does not
print, and the papers frequently jam while printing, or keep the
covers closed so voters don't see the paper ballot records, or voters
can easily sabotage the paper so that it appears to work during the
elections but all the records are erased at the end of the election).
(See the CA SoS study of voting systems.)
Sigh, so the FLAW is the inanity and expense and hassle of trying to
keep a printer running in every polling booth during elections rather
than using a less costly paper ballot, and more importantly the fact
that the machine, rather than the voter is marking the paper ballot
record.
Fix that cannot be done without switching to voter marked optical scan
paper ballots.
Huh? There seems to be general agreement that present DREs need replacing.
I only ask that we try for usable replacements.
Over 60% of US election jurisdictions already implemented "usable
replacements" - the optical scan paper ballot system.
Crane's paper does not explicitly mention Shamos or its authors having such
a degree - it does mention involvement in voting.
Not surprising.
ANY SYSTEM can be assumed to be inaccurate if it lacks a routine
method for detecting and correcting errors that is independent of the
software. Since voting is much more difficult to secure than banking
due to the secret ballot, the only method of providing software
independence is a paper ballot.
To create a software independent fix for software sounds like magic.
Post by Kathy Dopp
You certainly would not expect me to deposit my vote anonymously
without a receipt into a bank, so why would anyone want me to use such
an insane method for voting which would make it trivially easy for any
insider to alter the election outcomes undetectably?
For one Crane author, Edward Cherlin, I read of working on affordable
software and hardware for voting around the world.
Hopefully he is intending such to be adequate.
Many good folks are working on affordable, open source optical scan
voting equipment because most of today's optical scanners are also
hackable junk.
As Ion Sancho of Florida said (paraphrased), "It will take a long time
to fix our voting systems, in the meantime we need to push for
AUDITS."
Do not know if such a degree was available when I was in college -
How long ago were you in college? Computer science degrees have been
around since at least 1969 and I believe long before then. That's when
I took my first computer science course. I have a couple of friends
who learned to program when they had to hard wire computers to program
them.
So I graduated in 50 (should have been 46, but I came back for a last
term).
Post by Kathy Dopp
could not
have learned much presently usable.
I first programmed with punch-cards.
I remember such. That Jovial compiler was delivered on such.
Post by Kathy Dopp
Remember a tidbit about weather
forecasting. Could give a computer data to predict for tomorrow - by the
time program was done you could look out the window and see if it got it
right.
:-) Well that used to be true, but weather prediction programs are
much more sophisticated and faster nowadays.
Remember a problem later at work - too much data for Fortran to fit in
available memory.
It is easy to overrun computer memory with data and programming
instructions, depending on the application and the skill (or lack of
it) of the programmer. I would imagine that the new weather programs
take a huge amount of memory to run.
This was not weather. Topic was that Fortran, at least then, was
unable to pack data as tightly as was needed, and task was too complex
to expect success if done in assembly language.
Post by Kathy Dopp
Heard of a new language - Jovial. Available staff was
engineers who could hardly spell "program" and assembly programmers who
could hardly spell "compiler". I successfully installed compiler and taught
staff for project to use.
Later - task could not execute in available time - invented new, faster,
instructions then used in available computers.
Yes, well the Internet was invented so that various researchers could
use others' faster computers at different locations to run
long-running programs.
This was not research; this was preparing display images in real time
for working air traffic controllers. Computer speed was what was
available at the time.
Post by Kathy Dopp
Cheers,
Kathy
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.



Kathy Dopp
2008-08-13 04:01:40 UTC
Message: 2
Date: Tue, 12 Aug 2008 18:17:49 -0700
Subject: Re: [EM] Why We Shouldn't Count Votes with Machines
The "two strikes you are out" rule is not inherent to machine voting -- that
is fixable, obviously.
How? Do we want an infinite loop of a voter running paper through a
cheap printer trying to obtain an accurate ballot record and the
machine refusing to print one while it switches a vote wrongly? Or do
we want the voter to be able to cancel the ballot and let the poll
workers know that he needs a paper ballot instead that he can mark
himself? If so, why not let the voters vote on a paper ballot to
begin with?

Any ideas?
Regardless, are you suggesting that a programmer could steal an election by
just hoping that every one of the people who had it fail twice in a row
is going to simply say "oh well" and go home, rather than raise holy hell
about it?
No. Obviously it is trivially easy for any programmer of a voting machine to:

a. make the printed ballot record match an erroneous e-ballot record
on the voter's first try

b. in the 10% of cases when a voter notices the error on the paper
ballot and cancels the ballot, the programmer then makes the paper
printout and the electronic record match exactly what the voter wants.

Recall that I said that the programmer would only be able to switch up
to 90% of the target votes without any audit able to detect it.

The voter would either think that he must have made a mistake on the
first try, or complain about his vote being switched.

We have already seen hundreds or thousands of cases of voters in the
last two election cycles complaining that their votes have been
switched to the wrong candidates with DREs and election officials have
mostly ignored the problem or chalked it up to "touchscreen
calibration" problems (which does cause similar behavior).
As a programmer myself, I can tell you that any non-stupid (but evil)
programmer would have it do it correctly the second time....I mean, you know
they are looking that time, so why push your luck for one vote? So the "2
strikes and you're out", silly as it may be, is hardly the issue.
Huh?

I mentioned TWO SEPARATE ISSUES:

1. the programming hack that can switch 90% of target votes without
audits being able to detect it.

2. the 2 strikes you're out rule that *all* DREs currently use today
that prevents even the 10% of diligent voters who detect errors in
their paper printed records from being able to generate a correct
machine-printed paper ballot record.

If you prefer not to have *any* paper ballot record, then of course there
is no way to check the accuracy of the machine counts independent of
the programming.
I can also tell you that much of the issue here is far out of the field of
computer science, and is more in the area of sociology/psychology with a
little game theory and economics thrown in.
Really? OK, but *all* independent computer scientists (that I know)
oppose the use of e-ballot voting systems for very solid logically
correct reasons.

It is true that e-ballots with machine printed paper records *might*
work (although still expensive and subject to DOS attacks) *IF* you
could train all voters and election officials and poll workers
adequately how to handle doing elections with them, but that seems
like a very remote possibility unless you want to begin lessons in how
to use e-ballot paper trail voting systems in grammar school as a
course and have paper ballots as backup available in every polling
location and train pollworkers and voters to recognize when the
machines look like vote fraud may be going on, etc. Human factors
must be considered realistically.
I don't disagree that there are problems with machine voting, some easier to
fix than others. (a paper trail is an absolute necessity, for instance, as
is open source code)
Again, virtually all *independent* computer scientists who are voting
system experts disagree with you and believe that voter-marked paper
ballots are essential and that "paper trails" are inadequate as I've
tried to explain some of their flaws here.
Still I think you are blowing things out of
proportion -- to a large enough degree that your propaganda has pulled me
out of my typical lurk mode on the list.
Well using words like "propaganda" and "blowing things out of
proportion" are very skillful ways to try to discount real facts, but
do not impress me, or most people as much as concrete facts do.
Post by Kathy Dopp
Shamos is considered a rogue among computer scientists and I am fairly
certain that Shamos does not have any degree in computer science, as
is true of most "experts" who support DREs.
And I am fairly certain that you didn't spend two minutes researching, as
you'd have easily found that he does indeed have a PhD in computer science
from Yale. Which gives me one more reason to suspect the facts you
present. (don't take this as an endorsement of what Shamos says, just a
reaction to your logically and factually unsound propaganda)
OK. I am mistaken on that point then. Thank you for correcting me.

It still remains true though, that Michael Shamos is considered a
rogue computer scientist and that Michael Shamos financially profits
handsomely by certifying DRE voting systems for the state of PA which
can not be shown to be inaccurate since they are paperless and there
is no software independent method to audit their output.

Again, I know of *no* PhD computer scientist who does not profit from
VVV who supports e-ballot voting machines.

Cheers,

Kathy
-rob
------------------------------
Message: 3
Date: Tue, 12 Aug 2008 22:53:13 -0400
Subject: Re: [EM] Why We Shouldn't Count Votes with Machines
Post by Kathy Dopp
Date: Tue, 12 Aug 2008 01:16:29 -0400
Subject: [EM] Why We Shouldn't Count Votes with Machines
Responses concentrate on fact that present DREs and paper
ballots have problems, and do not consider fixing the DREs.
As virtually all (all I know) independent computer scientists (who do
not profit from certifying or working for VVV's - vulture voting
vendors) agree, it is *not* possible to "fix" DREs because their
fundamental design is flawed. I.e. Any machine cast or machine printed
record of ballots is not going to work.
"fundamental design is flawed"? If so, obvious response is to redo
the design.
Post by Kathy Dopp
The flaws of DRE paper roll ballot printers include (there is a much
Studies show that fewer than 30% of voters check machine-printed paper
ballot roll records and fewer than 30% of voters who check (or about
10% of all voters) accurately proofread their machine-printed paper
ballot roll records to detect any errors, so that a programmer can
switch up to 90% of available target votes in a way that no audit can
detect.
I do not see how an auditor could know of and tailor the audit to the
particular ballots the programmer did not switch.
Post by Kathy Dopp
Also there is a "two strikes and you are out" rule that
prevents the most diligent voter from having a machine-printed paper
ballot record that matches the voter's choices. A voter can only
cancel ballot casting twice due to an incorrect printed paper roll
record. On the third try, the voter receives an error message on the
screen warning that the voter has only one more chance to cast their
ballot. On the third try, the paper roll ballot record whizzes
quickly inside the canister WITHOUT GIVING THE VOTER A CHANCE TO SEE
THE PAPER RECORD!
What does it matter? How come the redesign failed to attend to
properly recording the vote?
Post by Kathy Dopp
--
Any machine-printed paper ballot record will have the same flaws, and
electronic video, audio, or pictorial verification systems are even
worse.
Huh? There seems to be general agreement that present DREs need
replacing. I only ask that we try for usable replacements.
I also cannot get excited over the machine-printing you mention -
proper equipment should work correctly and not need such (except,
perhaps, to please nervous voters).
Post by Kathy Dopp
Shamos is considered a rogue among computer scientists and I am fairly
certain that Shamos does not have any degree in computer science, as
is true of most "experts" who support DREs.
The persons who rebutted Shamos' articles *do* have formal training
and degrees in computer science.
Crane's paper does not explicitly mention Shamos or its authors having
such a degree - it does mention involvement in voting.
For one Crane author, Edward Cherlin, I read of working on affordable
software and hardware for voting around the world.
Hopefully he is intending such to be adequate.
Do not know if such a degree was available when I was in college -
could not have learned much presently usable. Remember a tidbit about
weather forecasting. Could give a computer data to predict for
tomorrow - by the time program was done you could look out the window
and see if it got it right.
Remember a problem later at work - too much data for Fortran to
fit in available memory. Heard of a new language - Jovial. Available
staff was engineers who could hardly spell "program" and assembly
programmers who could hardly spell "compiler". I successfully
installed compiler and taught staff for project to use.
Later - task could not execute in available time - invented new,
faster, instructions then used in available computers.
Post by Kathy Dopp
Cheers,
Kathy
--
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.
------------------------------
Message: 4
Date: Tue, 12 Aug 2008 21:34:56 -0600
Subject: Re: [EM] Why We Shouldn't Count Votes with Machines
Post by Kathy Dopp
"fundamental design is flawed"? If so, obvious response is to redo the
design.
Hi David,
The only "design" that is *not* flawed (that I know of) is
voter-marked paper ballots because it provides voter-verifiED ballots.
However the optical scanning machines that count them today are very
flawed and use no modern security, encryption, or open standard data
formats that have been available for many years. They're your basic
cheap junk, but far superior to today's basic cheap e-ballot junk.
Post by Kathy Dopp
The flaws of DRE paper roll ballot printers include (there is a much
Studies show that fewer than 30% of voters check machine-printed paper
ballot roll records and fewer than 30% of voters who check (or about
10% of all voters) accurately proofread their machine-printed paper
ballot roll records to detect any errors, so that a programmer can
switch up to 90% of available target votes in a way that no audit can
detect.
I do not see how an auditor could know of and tailor the audit to the
particular ballots the programmer did not switch.
Huh!? I said: "so that a **programmer** can switch up to 90% of
available target votes in a way that no audit can detect."
Valid audits require manually counting ballots of randomly selected
reported unofficial vote counts.
The problem is that because only 10% of voters may accurately check
machine-printed paper ballot records, ALL MACHINE PRINTED ballots will
match erroneous electronic vote totals because 90% of the
machine-printed paper ballots can be printed to match erroneous
electronic touchscreen ballot records, and the voters would not notice
it; and no audit can detect the fraud.
Voters *could* detect the fraud, but the 10% of voters who notice that
their first ballot did not match their choices and cancel their first
ballot, may think that they made a mistake rather than the machine
when the second time they try to cast their ballot after canceling it
on the first try when they notice the erroneous paper ballot, their
paper ballot then *does* match their choices. As I said, 10% of the
ballots can *not* be switched by the programmer (only 90% of target
paper ballots and their e-ballots can be switched by the programmer),
but ALL the printed ballots will match the erroneous e-ballot totals.
This particular DRE hack was published back around May 2005 in the
Brennan Center Report "The Machinery of Democracy" and is why
virtually all (everyone I know and I have written papers with dozens
of PhD computer scientists on voting system topics) computer
scientists oppose using e-ballot voting systems with machine-printed
paper ballot records.
Post by Kathy Dopp
Also there is a "two strikes and you are out" rule that
prevents the most diligent voter from having a machine-printed paper
ballot record that matches the voter's choices. A voter can only
cancel ballot casting twice due to an incorrect printed paper roll
record. On the third try, the voter receives an error message on the
screen warning that the voter has only one more chance to cast their
ballot. On the third try, the paper roll ballot record whizzes
quickly inside the canister WITHOUT GIVING THE VOTER A CHANCE TO SEE
THE PAPER RECORD!
What does it matter? How come the redesign failed to attend to properly
recording the vote?
I do not get your question. If you want to know more about this
particular "Two Strikes You're Out" flaw of DRE-printed paper ballot
1. If you personally vote on a DRE, try cancelling your ballot twice
and then see what happens when you cast your ballot on the third try.
(Take a picture of the warning screen with your cell phone before
pushing the button, and then watch the ballot quickly roll up before
you can see what is on it.)
or
2. Read the NJ Institute of Technology studies of DRE printers which
caused NJ to refuse to certify any of the DRE paper printers.
Without a limit on the number of times a voter can try to print a
matching paper ballot record, and without a way for the voter to bail
out of casting a vote on a DRE which refuses to create an accurate
paper ballot record, then obviously there would be other problems,
like running out of paper in the paper rolls (poll workers frequently
have problems loading the paper, load it backwards so it does not
print, and the papers frequently jam while printing, or keep the
covers closed so voters don't see the paper ballot records, or voters
can easily sabotage the paper so that it appears to work during the
elections but all the records are erased at the end of the election.
(See the CA SoS study of voting systems.)
Sigh, so the FLAW is the inanity and expense and hassle of trying to
keep a printer running in every polling booth during elections rather
than using a less costly paper ballot, and more importantly the fact
that the machine, rather than the voter is marking the paper ballot
record.
Fix that cannot be done without switching to voter marked optical scan
paper ballots.
Post by Kathy Dopp
Huh? There seems to be general agreement that present DREs need replacing.
I only ask that we try for usable replacements.
Over 60% of US election jurisdictions already implemented "usable
replacements" - the optical scan paper ballot system.
Post by Kathy Dopp
Crane's paper does not explicitly mention Shamos or its authors having such
a degree - it does mention involvement in voting.
Not surprising.
ANY SYSTEM can be assumed to be inaccurate if it lacks a routine
method for detecting and correcting errors that is independent of the
software. Since voting is much more difficult to secure than banking
due to the secret ballot, the only method of providing software
independence is a paper ballot.
You certainly would not expect me to deposit my vote anonymously
without a receipt into a bank, so why would anyone want me to use such
an insane method for voting which would make it trivially easy for any
insider to alter the election outcomes undetectably?
Post by Kathy Dopp
For one Crane author, Edward Cherlin, I read of working on affordable
software and hardware for voting around the world.
Hopefully he is intending such to be adequate.
Many good folks are working on affordable, open source optical scan
voting equipment because most of today's optical scanners are also
hackable junk.
As Ion Sancho of Florida said (paraphrased), "It will take a long time
to fix our voting systems, in the meantime we need to push for
AUDITS."
Post by Kathy Dopp
Do not know if such a degree was available when I was in college -
How long ago were you in college? Computer science degrees have been
around since at least 1969 and I believe long before then. That's when
I took my first computer science course. I have a couple of friends
who learned to program when they had to hard wire computers to program
them.
Post by Kathy Dopp
could not
have learned much presently usable.
I first programmed with punch-cards.
Post by Kathy Dopp
Remember a tidbit about weather
forecasting. Could give a computer data to predict for tomorrow - by the
time program was done you could look out the window and see if it got it
right.
:-) Well that used to be true, but weather prediction programs are
much more sophisticated and faster nowadays.
Post by Kathy Dopp
Remember a problem later at work - too much data for Fortran to fit in
available memory.
It is easy to overrun computer memory with data and programming
instructions, depending on the application and the skill (or lack of
it) of the programmer. I would imagine that the new weather programs
take a huge amount of memory to run.
Post by Kathy Dopp
Heard of a new language - Jovial. Available staff was
engineers who could hardly spell "program" and assembly programmers who
could hardly spell "compiler". I successfully installed compiler and taught
staff for project to use.
Later - task could not execute in available time - invented new, faster,
instructions then used in available computers.
Yes, well the Internet was invented so that various researchers could
use others' faster computers at different locations to run
long-running programs.
Cheers,
Kathy
------------------------------
_______________________________________________
Election-Methods mailing list
http://lists.electorama.com/listinfo.cgi/election-methods-electorama.com
End of Election-Methods Digest, Vol 50, Issue 15
************************************************
--
Kathy Dopp

The material expressed herein is the informed product of the author
Kathy Dopp's fact-finding and investigative efforts. Dopp is a
Mathematician, Expert in election audit mathematics and procedures; in
exit poll discrepancy analysis; and can be reached at

P.O. Box 680192
Park City, UT 84068
phone 435-658-4657

http://utahcountvotes.org
http://electionmathematics.org
http://electionarchive.org

How to Audit Election Outcome Accuracy
http://electionarchive.org/ucvAnalysis/US/paper-audits/legislative/VoteCountAuditBillRequest.pdf

History of Confidence Election Auditing Development & Overview of
Election Auditing Fundamentals
http://electionarchive.org/ucvAnalysis/US/paper-audits/History-of-Election-Auditing-Development.pdf

Voters Have Reason to Worry
http://utahcountvotes.org/UT/UtahCountVotes-ThadHall-Response.pdf
----
Election-Methods mailing list - see http://electorama.com/em for list info
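The audit argument made in the message above, modelled as an added example (it is not part of the original post or of any study it cites). It compares a hand count of the paper against the reported electronic count when the paper is machine-printed and when it is voter-marked. The two-candidate contest, the precinct sizes, the 0.5 alteration rate and the use of 30% and 30% as the checking and proofreading rates are assumptions constructed for the illustration.

```python
import random
from collections import Counter

P_CHECK = 0.30  # assumed: share of voters who look at the printed record
P_SPOT = 0.30   # assumed: share of those checkers who catch an error


def cast(rng, intent, altered, paper_kind):
    """Return (paper_record, electronic_record, voter_noticed) for one ballot."""
    if paper_kind == "voter_marked":
        # The voter writes the paper; only the electronic count can differ.
        return intent, ("B" if altered else intent), False
    # machine_printed: one program writes both records, so they always agree.
    if altered:
        noticed = rng.random() < P_CHECK and rng.random() < P_SPOT
        if noticed:
            # Voter cancels; the retry is recorded correctly on both records.
            return intent, intent, True
        return "B", "B", False
    return intent, intent, False


def run_precinct(rng, paper_kind, n_voters=500, share_a=0.55, alter_rate=0.5):
    """Simulate one precinct and keep intent, paper and electronic tallies."""
    intent, paper, electronic = Counter(), Counter(), Counter()
    altered_n = noticed_n = 0
    for _ in range(n_voters):
        choice = "A" if rng.random() < share_a else "B"
        altered = choice == "A" and rng.random() < alter_rate
        p, e, noticed = cast(rng, choice, altered, paper_kind)
        intent[choice] += 1
        paper[p] += 1
        electronic[e] += 1
        altered_n += altered
        noticed_n += noticed
    return {"intent": intent, "paper": paper, "electronic": electronic,
            "altered": altered_n, "noticed": noticed_n}


def audit(rng, precincts, sample_size):
    """Hand-count paper in randomly selected precincts; count mismatches
    against the reported electronic totals."""
    sample = rng.sample(precincts, sample_size)
    return sum(1 for p in sample if p["paper"] != p["electronic"])


def simulate(paper_kind, seed=2008, n_precincts=20, sample_size=5):
    rng = random.Random(seed)
    precincts = [run_precinct(rng, paper_kind) for _ in range(n_precincts)]

    def total(key):
        return sum((p[key] for p in precincts), Counter())

    altered = sum(p["altered"] for p in precincts)
    noticed = sum(p["noticed"] for p in precincts)
    return {
        "intent_A": total("intent")["A"],
        "paper_A": total("paper")["A"],
        "reported_A": total("electronic")["A"],
        "audit_mismatches": audit(rng, precincts, sample_size),
        "noticed_fraction": noticed / max(1, altered),
    }


if __name__ == "__main__":
    for kind in ("machine_printed", "voter_marked"):
        print(kind, simulate(kind))
```

With machine-printed records the audit reports no mismatches even though the reported total differs from voter intent; with voter-marked paper every sampled precinct shows a discrepancy.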
rob brown
2008-08-13 05:28:13 UTC
Post by Kathy Dopp
Message: 2
Date: Tue, 12 Aug 2008 18:17:49 -0700
Subject: Re: [EM] Why We Shouldn't Count Votes with Machines
The "two strikes you are out" rule is not inherent to machine voting --
that is fixable, obviously.
How? Do we want an infinite loop of a voter running paper through a
cheap printer trying to obtain an accurate ballot record and the
machine refusing to print one while it switches a vote wrongly? Or do
we want the voter to be able to cancel the ballot and let the poll
workers know that he needs a paper ballot instead that he can mark
himself?
I'm fine with the latter. Actually that seems like a reasonable thing to
do.
Post by Kathy Dopp
If so, why not let the voters vote on a paper ballot to
begin with?
Any ideas?
Cost?

Presumably they don't use the paper ballot to begin with because then they
have to be hand counted or have an optical reader at each station. Hand
counting a few is reasonable (or sending them in to be counted on an optical
reader), hand counting all, or having modern optical machines at each
polling station, can be very expensive.

But honestly, the big problem I have with paper ballots filled out by hand
is that they make the transition to a ranked system a lot harder, both in
terms of difficulty filling in the ballot and difficulty counting them. As
you probably know, I am a big advocate of ranked systems (especially
Condorcet), as plurality is (among other sins) the source of partisanship
which I consider the biggest problem of government.
Post by Kathy Dopp
Regardless, are you suggesting that a programmer could steal an election by
just hoping that every one of the people who had it fail twice in a row
is going to simply say "oh well" and go home, rather than raise holy hell
about it?
You'll note that I said it is essential that the source code be open for
viewing by all. Not so trivially easy in that case. Not at all.
Post by Kathy Dopp
a. make the printed ballot record match an erroneous e-ballot record
on the voters first try
b. in the 10% of cases when a voter notices the error on the paper
ballot and cancels the ballot, the programmer then makes the paper
printout and the electronic record match exactly what the voter wants.
But to do this, an awful lot of people are going to see the error,
especially if you simply leave it on screen when you print the paper copy.
And they are going to talk about it. And the next year, people will be a
lot more likely to notice.

Still, with an open source system, I have no clue how a programmer is going
to do this at all. If there is someone that smart (and lacking of ethics),
he is probably very, very rich, as he probably has already put undetected
code in the Linux kernel that is giving him back doors to an awful lot of
servers out there moving an awful lot of money.

Most likely though, no one is able to hide such devious stuff in code
visible to security researchers.
Post by Kathy Dopp
Recall that I said that the programmer would only be able to switch up
to 90% of the target votes without any audit able to detect it.
Only if every single voter got a wrong ballot printed. You really think
this would go unnoticed? Your scenario is absurd, at least on the scale
you talk about.

Post by Kathy Dopp
The voter would either think that he must have made a mistake on the
first try, or complain about his vote being switched.
Yes, and a lot of people complaining would draw more attention to it, and
more people would start checking. If it happened on a large scale, the
problem would be tracked down, and the programmer would be put away for a
long time.

But if it is open source, even that scenario is (for all intents and
purposes) impossible.
Post by Kathy Dopp
We have already seen hundreds or thousands of cases of voters in the
last two election cycles complaining that their votes have been
switched to the wrong candidates with DREs and election officials have
mostly ignored the problem or chalked it up to "touchscreen
calibration" problems (which does cause similar behavior)
Not if the UI is done reasonably. The touch screen should show what you
selected, very clearly, in big bold letters so you know you did it right,
and allow you the opportunity to change it before printing out the paper.
If it then prints out a different thing, that is obviously not "touchscreen
calibration", and if it does it for a significant number of people that
isn't going to last long before you have the townspeople carrying torches.
Post by Kathy Dopp
As a programmer myself, I can tell you that any non-stupid (but evil)
programmer would have it do it correctly the second time....I mean, you know
they are looking that time, so why push your luck for one vote? So the "2
strikes and you're out", silly as it may be, is hardly the issue.
Huh?
Ok, well you complained loudly about the two strikes then you're out rule,
which doesn't seem relevant or at least doesn't seem to be a necessity. It
could just be eliminated, and let you do it until you get it right. I know,
that doesn't solve the problem for people who don't check their ballots, but
still...
Post by Kathy Dopp
1. the programming hack that can switch 90% of target votes without
audits being able to detect it.
2. the 2 strikes you're out rule that *all* DREs currently use today
that prevents even the 10% of diligent voters who detect errors in
their paper printed records from being able to generate a correct
machine-printed paper ballot record.
If you prefer not have *any* paper ballot record, then of course there
is no way to check the accuracy of the machine counts independent of
the programming.
For the record, I absolutely do prefer a paper ballot record. Along with
open source.
Post by Kathy Dopp
I can also tell you that much of the issue here is far out of the field of
computer science, and is more in the area of sociology/psychology with a
little game theory and economics thrown in.
Really?
Yes, certainly the aspect of whether humans will notice that large scale
fraud is happening, the media will take an interest, etc, is not a computer
science issue.

Post by Kathy Dopp
OK, but *all* independent computer scientists (that I know)
oppose the use of e-ballot voting systems for very solid logically
correct reasons.
It is true that e-ballots with machine printed paper records *might*
work (although still expensive and subject to DOS attacks)
DOS attacks? Really? Are you talking about voters coming in and using up
all the paper, or what? (which is a stretch of the definition of DOS
attack)

Post by Kathy Dopp
*IF* you could train all voters and election officials and poll workers
adequately how to handle doing elections with them, but that seems
like a very remote possibility unless you want to begin lessons in how
to use e-ballot paper trail voting systems in grammar school as a
course and have paper ballots as backup available in every polling
location and train pollworkers and voters to recognize when the
machines look like vote fraud may be going on, etc. Human factors
must be considered realistically.
Well human factors is my profession (degree in industrial design, working
for ~20 years doing UI design / programming). Seems to me a solvable
problem, and not a particularly hard one.
Post by Kathy Dopp
I don't disagree that there are problems with machine voting, some easier to
fix than others. (a paper trail is an absolute necessity, for instance, as
is open source code)
Post by Kathy Dopp
Again, virtually all *independent* computer scientists who are voting
system experts disagree with you and believe that voter-marked paper
ballots are essential and that "paper trails" are inadequate as I've
tried to explain some of their flaws here.
You keep saying that, I'm not convinced. But as I said, I'm also not
convinced that computer science degrees make such a difference, as I don't
think most of the issues are computer science issues.
Post by Kathy Dopp
Still I think you are blowing things out of
proportion -- to a large enough degree that your propaganda has pulled me
out of my typical lurk mode on the list.
Well using words like "propaganda" and "blowing things out of
proportion" are very skillful ways to try to discount real facts, but
do not impress me, or most people as much as concrete facts do.
I'm into concrete facts as well, which is why I called you on the Shamos
thing. I think you are blowing things out of proportion in this discussion
and even more so regarding IRV.
Post by Kathy Dopp
It still remains true though, that Michael Shamos is considered a
rogue computer scientist and that Michael Shamos financially profits
handsomely by certifying DRE voting systems for the state of PA which
can not be shown to be inaccurate since they are paperless and there
is no software independent method to audit their output.
I don't agree with Shamos at all, for the record. I think a paper trail is
absolutely necessary. I just don't think sticking with hand-filled paper
ballots (except as a fallback) is the solution.

(but I would suggest that if you are going to talk smack about someone on a
public list, Google is your friend)
Kathy Dopp
2008-08-13 16:16:39 UTC
Post by rob brown
Post by Kathy Dopp
How? Do we want an infinite loop of a voter running paper through a
cheap printer trying to obtain an accurate ballot record and the
machine refusing to print one while it switches a vote wrongly? Or do
we want the voter to be able to cancel the ballot and let the poll
workers know that he needs a paper ballot instead that he can mark
himself?
I'm fine with the latter. Actually that seems like a reasonable thing to
do.
I agree, but that is not happening on all of today's voting systems.
Election officials seem to be hopelessly slow to grasp the problem or
the solution.
Post by rob brown
Post by Kathy Dopp
If so, why not let the voters vote on a paper ballot to
begin with?
Any ideas?
Cost?
Wrong answer. Paper ballot optical scan systems are so much more
economical than e-ballot systems that if you purchase all-new optical
scan systems, the on-going cost savings totally pay for the initial
purchase within four years and then begin saving taxpayers lots of
monies. See http://electionmathematics.org and click on Voting
Systems for links to cost comparison studies.
Post by rob brown
But honestly, the big problem I have with paper ballots filled out by hand
is that they make the transition to a ranked system a lot harder, both in
terms of difficulty filling in the ballot and difficulty counting them. As
That is a good argument against using any ranked ballot systems then
since the integrity of e-ballot systems cannot be adequately ensured,
given the secret ballot and the difficulty of implementing systems to
detect and correct errors with a secret ballot.
Post by rob brown
You'll note that I said it is essential that the source code be open for
viewing by all. Not so trivially easy in that case. Not at all.
Making the source code for the voting programs open source does not
make all the myriad of other programs, drivers, OS, etc on the voting
system open source - that could be used to rig the vote. Also of
course election officials do not have the resources to verify software
and it would take years to set up systems to verify the software on
voting systems *and* require trusted technicians to do so.

While I support using open source programs for other reasons, it is
*not* the answer to ensuring the accuracy of vote counts.

You might want to read this article on the topic, that I wrote with
help from dozens of technologists and some voting system experts:
http://electionmathematics.org/em-voting-systems/VotingSystemSoftwareDisclosure.pdf

and read this recent article:
http://nandigramunited.blogspot.com/2008/08/soumitra-and-sitanshu-particularly.html
Post by rob brown
But to do this, an awful lot of people are going to see the error,
Well, perhaps 5% of voters would *see* the error (because no fraudster
is stupid enough to switch *all* target votes available), but most
might think they made a mistake on the first try.

The ones who complain, in our experience over the last couple of
election cycles, will be soundly ignored.
Post by rob brown
especially if you simply leave it on screen when you print the paper copy.
Huh? Try doing that yourself. I do not know if the summary *screen*
version of the ballot appears at the same time as you get a chance to
check the paper version of the ballot. I don't think that is
necessarily an option you would have.
Post by rob brown
And they are going to talk about it. And the next year, people will be a
lot more likely to notice.
If you followed the voting news nationwide like I do, you would know
that people have been talking about it a lot since the November 2004
presidential election, in particular there was lots of vote switching
reported in Ohio. Congress even certified the election of a
Representative from Florida that everyone knows was not elected by the
people there, simply because the machine results had dropped over
14,000 votes from the candidate that everyone knows probably really
won the election, and lots of people complained about the screen
switching their votes, but it does not matter. The wrong person will
still be elected no matter how many people complain about vote
switching.
Post by rob brown
Still, with an open source system, I have no clue how a programmer is going
to do this at all.
Anyone could easily switch out any open source or not program that is
compiled into machine language during some routine maintenance and no
one would know the difference. Do you really think that election
administrators are going to have the funds and that VVV's are going to
cooperate to put together a list of all compilers, switches, hardware
and firmware versions for every piece of software on their machines so
that the versions can be checked after the elections? In Utah, the
VVV shipped us at least three different versions of the voting system
software alone, and who knows how many unique versions of hardware,
firmware, drivers, and hardware. If you believe that these VVs are
standardized, you are quite mistaken.

And which technicians and programmers do you want the public to
*trust* to ensure that all the software on the VV is doing what it
should?
Post by rob brown
Most likely though, no one is able to hide such devious stuff in code
visible to security researchers.
Yes. Of course with all of today's VV's you can simply take 30 secs to
1 min to use any of the easily accessible back doors to simply change
the vote counts on the central tabulators, without even installing any
malicious software on them at all.

This is why audits of voter created paper ballots are the only
reliable method to check vote count accuracy IF the paper ballots are
secured and reconciled.
Post by rob brown
Post by Kathy Dopp
Recall that I said that the programmer would only be able to switch up
to 90% of the target votes without any audit able to detect it.
Only if every single voter got a wrong ballot printed. You really think
this would go unnoticed? Your scenario is absurd, at least on the scale
you talk about.
OK. You don't believe the research. Any particular reason you are so
certain that more than 30% of voters bother to check their paper
ballot record? Any particular reason you think that all the research
that shows that deliberately introduced errors in the ballots during
tests are only discovered by 30% of those who *try* to find the
errors?

I.e. I think you had better come up with some facts to show why you
believe that all the research is wrong that shows that fewer than 10%
of voters are accurately proofing their machine printed ballot
records, not just say you don't believe the research which sounds very
plausible to me and no one has claimed is wrong up until yourself now.
Not even the VVV's or the DRE supporters have attacked this research
to my knowledge.
Post by rob brown
Post by Kathy Dopp
The voter would either think that he must have made a mistake on the
first try, or complain about his vote being switched.
Yes, and a lot of people complaining would draw more attention to it, and
more people would start checking. If it happened on a large scale, the
problem would be tracked down, and the programmer would be put away for a
long time.
And *how* pray tell, would that programmer be *tracked down*? Magic? Voodoo?

Current voting systems provide no method to track down who did anything on them.

I suppose that you are right that vote switching does bring attention
to these problems because FL, NM, MD, TN, and CA have already decided
to begin scrapping DRE e-ballot voting machines and go back to paper
ballots - again going back to paper ballots IS the solution.

So what are YOU suggesting be done if many voters notice that their
votes have been switched by DREs during an election? REDO THE ELECTION
and hope it doesn't happen again during the second election since no
manual audit can recover the accurate vote counts?

I'm sorry but I don't have any time to continue this today. Maybe tomorrow.

Cheers,

Kathy
rob brown
2008-08-14 05:00:06 UTC
Post by Kathy Dopp
Post by rob brown
Post by Kathy Dopp
How? Do we want an infinite loop of a voter running paper through a
cheap printer trying to obtain an accurate ballot record and the
machine refusing to print one while it switches a vote wrongly? Or do
we want the voter to be able to cancel the ballot and let the poll
workers know that he needs a paper ballot instead that he can mark
himself?
I'm fine with the latter. Actually that seems like a reasonable thing to
do.
I agree, but that is not happening on all of today's voting systems.
Election officials seem to be hopelessly slow to grasp the problem or
the solution.
Post by rob brown
Post by Kathy Dopp
If so, why not let the voters vote on a paper ballot to
begin with?
Any ideas?
Cost?
Wrong answer. Paper ballot optical scan systems are so much more
economical than e-ballot systems that if you purchase all-new optical
scan systems, the on-going cost savings totally pay for the initial
purchase within four years and then begin saving taxpayers lots of
monies. See http://electionmathematics.org and click on Voting
Systems for links to cost comparison studies.
Post by rob brown
But honestly, the big problem I have with paper ballots filled out by hand
is that they make the transition to a ranked system a lot harder, both in
terms of difficulty filling in the ballot and difficulty counting them. As
That is a good argument against using any ranked ballot systems then
since the integrity of e-ballot systems cannot be adequately ensured,
given the secret ballot and the difficulty of implementing systems to
detect and correct errors with a secret ballot.
Well here is where you and I differ. I think if electoral fraud in the US
were eliminated, it would be a good thing, but not dramatically change
things, any more than eliminating shoplifting would dramatically change our
economy. I do not believe that such fraud changes the outcome of a large
percentage of elections, and in those it does, it was pretty close anyway.

If plurality voting were replaced with a ranked system such as a Condorcet
method, I believe it WOULD dramatically change the entire dynamic of
politics, in a very, very good way, by nearly eliminating the polarized
nature of government due to partisanship. That is huge, comparatively.

So my priorities are different.

Giving up on fixing a huge problem because it makes it more difficult to fix
a much smaller problem is not something I can support.

(and btw, I believe this list is about reforming the voting methods, not so
much about fixing security problems.....so if you are willing to abandon all
attempts at reform because you don't think you can solve your particular
problem as easily on a reformed system, it seems unlikely to fly here)

Post by Kathy Dopp
Making the source code for the voting programs open source does not
make all the myriad of other programs, drivers, OS, etc on the voting
system open source - that could be used to rig the vote. Also of
course election officials do not have the resources to verify software
and it would take years to set up systems to verify the software on
voting systems *and* require trusted technicians to do so.
The whole system top to bottom should be open source. This is not
particularly hard....plenty of people run "pure" boxes, on commodity
hardware. The obvious choice for OS would probably be Linux, with FreeBSD
being another option.

The whole point of open source is that if the "officials" don't verify it
satisfactorily, someone will. A security researcher could make themselves
famous for discovering something malicious in voting software.

The only thing that is immune to checking would be the compiler itself,
since the compiler needs a compiler to compile itself....but someone would
have had to have done something evil (and very, very brilliant) a long time
ago to pull that off....good for a sci fi novel anyway, but not so much in
the real world.

Post by Kathy Dopp
Well, perhaps 5% of voters would *see* the error (because no fraudster
is stupid enough to switch *all* target votes available), but most
might think they made a mistake on the first try.
Then it is a UI problem.
Post by Kathy Dopp
Post by rob brown
especially if you simply leave it on screen when you print the paper
copy.
Huh? Try doing that yourself. I do not know if the summary *screen*
version of the ballot appears at the same time as you get a chance to
check the paper version of the ballot. I don't think that is
necessarily an option you would have.
What is so hard about that? The point is, if the UI is designed reasonably
well, a large percentage of voters will *know* if the machine is cheating.
Post by Kathy Dopp
Post by rob brown
And they are going to talk about it. And the next year, people will be a
lot more likely to notice.
If you followed the voting news nationwide like I do, you would know
that people have been talking about it a lot since the November 2004
presidential election, in particular there was lots of vote switching
reported in Ohio.
Yes but this is different. This is like going to the store, and having one
thing on the cash register and another on the credit card receipt. A store
might get away with that for a day or two, but people will catch on quickly,
and suddenly word will get out that the store is cheating people, and a
larger percentage of people will check, etc. Most likely though, the store
will know they will be out of business soon if they try this on anything
more than the tiniest of scales, and just not try it.

Completely different from what may have happened in Florida or Ohio, where
people might suspect something is up, but it isn't blatant and it is hard to
know.

Post by Kathy Dopp
Anyone could easily switch out any open source or not program that is
compiled into machine language during some routine maintenance and no
one would know the difference. Do you really think that election
administrators are going to have the funds and that VVV's are going to
cooperate to put together a list of all compilers, switches, hardware
and firmware versions for every piece of software on their machines so
that the versions can be checked after the elections?
It isn't that hard, if designed to be done this way.

Post by Kathy Dopp
In Utah, the
VVV shipped us at least three different versions of the voting system
software alone, and who knows how many unique versions of hardware,
firmware, drivers, and hardware. If you believe that these VVs are
standardized, you are quite mistaken.
Then it is a design problem.
Post by Kathy Dopp
And which technicians and programmers do you want the public to
*trust* to ensure that all the software on the VV is doing what it
should?
Fact is, you've gotta trust someone, whether it is hand counted, optical
read, or whatever. This is not a new problem.
Post by Kathy Dopp
Post by rob brown
Most likely though, no one is able to hide such devious stuff in code
visible to security researchers.
Yes. Of course with all of today's VV's you can simply take 30 secs to
1 min to use any of the easily accessible back doors to simply change
the vote counts on the central tabulators, without even installing any
malicious software on them at all.
Then that is a design problem.
Post by Kathy Dopp
OK. You don't believe the research. Any particular reason you are so
certain that more than 30% of voters bother to check their paper
ballot record? Any particular reason you think that all the research
that shows that deliberately introduced errors in the ballots during
tests are only discovered by 30% of those who *try* to find the
errors?
I.e. I think you had better come up with some facts to show why you
believe that all the research is wrong that shows that fewer than 10%
of voters are accurately proofing their machine printed ballot
records, not just say you don't believe the research which sounds very
plausible to me and no one has claimed is wrong up until yourself now.
Not even the VVV's or the DRE supporters have attacked this research
to my knowledge.
I don't discount that most people don't check the results. I do think it's
absurd that someone could change a significant number of votes this way
without drawing intense attention from the few that notice, and after that a
lot more people will notice. This is an emergent phenomenon that is hard for a
simple study to directly measure.

It is like any other security issue, that if people don't think it is a
problem they are less likely to be vigilant. If you live in a town with
little burglary, you may not lock your doors. If burglary starts to be a
problem, people lock their doors, install alarms, buy firearms, etc.

Is it possible that most people today don't check this stuff carefully
because they think it is not a huge problem, and that enough other people
will be monitoring the system.....and they just might be right? I'm sure
you are the type that carefully balances your checkbook to make sure the
bank isn't cheating you. I don't. I assume there are lots of other people
making sure that banks don't regularly steal people's money, and
statistically, it's not worth my time to monitor it so closely.

Same thing here. By your logic, banks could steal 60% of people's money
because only 40% of people balance their checkbooks. But that is crazy.
Post by Kathy Dopp
Post by rob brown
Post by Kathy Dopp
The voter would either think that he must have made a mistake on the
first try, or complain about his vote being switched.
Yes, and a lot of people complaining would draw more attention to it, and
more people would start checking. If it happened on a large scale, the
problem would be tracked down, and the programmer would be put away for a
long time.
And *how* pray tell, would that programmer be *tracked down*? Magic? Voodoo?
Or....a basic source code control system?
Post by Kathy Dopp
So what are YOU suggesting be done if many voters notice that their
votes have been switched by DREs during an election? REDO THE ELECTION
and hope it doesn't happen again during the second election since no
manual audit can recover the accurate vote counts?
I don't think it would get to that point, at least not on a large scale, for
reasons I have pointed out.

I'm sorry but I don't have any time to continue this today. Maybe tomorrow.
Likewise, I'm out of time for this. I think I've said my piece.

-rob
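The post-election version check debated in the post above (a recorded list of every piece of software on the machine, compared against what is actually installed), sketched as an added example that is not part of the original thread or any vendor's tooling. The file names, contents and the use of SHA-256 digests as the recorded "version" are assumptions, and the sample install tree is constructed.

```python
"""Post-election software check against a recorded manifest (added example)."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large firmware images do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (by relative path) to its SHA-256 digest."""
    manifest = {}
    for directory, _subdirs, files in os.walk(root):
        for name in files:
            full = os.path.join(directory, name)
            relative = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[relative] = sha256_file(full)
    return manifest


def compare_to_manifest(root, expected):
    """Report files that differ from, are absent from, or are not in the manifest."""
    actual = build_manifest(root)
    return {
        "modified": sorted(p for p in expected
                           if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "unexpected": sorted(p for p in actual if p not in expected),
    }


def demo():
    """Build a constructed install tree, record it, alter it, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "drivers"))
        # Constructed sample files; names and contents are placeholders.
        sample = {
            "tally.bin": b"tally program build 1",
            "firmware.img": b"firmware image build 1",
            "drivers/printer.sys": b"printer driver build 1",
        }
        for relative, content in sample.items():
            with open(os.path.join(root, relative), "wb") as handle:
                handle.write(content)
        recorded = build_manifest(root)  # manifest taken when the build is approved
        before = compare_to_manifest(root, recorded)

        # Changes of the kind a maintenance visit could leave behind.
        with open(os.path.join(root, "tally.bin"), "wb") as handle:
            handle.write(b"tally program build 2")
        os.remove(os.path.join(root, "firmware.img"))
        with open(os.path.join(root, "drivers/extra.sys"), "wb") as handle:
            handle.write(b"unlisted driver")
        after = compare_to_manifest(root, recorded)
    return before, after


if __name__ == "__main__":
    clean, changed = demo()
    print("before maintenance:", clean)
    print("after maintenance: ", changed)
```

A comparison like this only means something when it runs from separate trusted media against the machine's storage, since software on the machine being checked can report whatever it likes about itself.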
Dave Ketchum
2008-08-15 06:01:45 UTC
Permalink
Post by rob brown
Post by rob brown
Post by Kathy Dopp
How? Do we want an infinite loop of a voter running paper through a
cheap printer trying to obtain an accurate ballot record and the
machine refusing to print one while it switches a vote wrongly? Or do
we want the voter to be able to cancel the ballot and let the poll
workers know that he needs a paper ballot instead that he can mark
himself?
I'm fine with the latter. Actually that seems like a reasonable thing to
do.
I agree, but that is not happening on all of today's voting systems.
Election officials seem to be hopelessly slow to grasp the problem or
the solution.
This is a possible place for some new, clear, thinking - the Election
officials likely couldn't fix this by themselves.

We are in trouble - failures have been proved too often, and there is
good reason to believe most failures do not even get proved.

Even working correctly, Plurality voting is not adequate. While there
are many competing methods, Condorcet is discussed here:
Ballot is ranked, as is IRV's.
Plurality voting is permitted, and can satisfy most voters most
of the time - letting them satisfy their desires with no extra pain
while getting their votes fully credited.
Approval voting is likewise accepted, satisfying a few extra voters.
Fully ranked voting is Condorcet's promise, giving full response
to those desiring such when desired.

Open source is ESSENTIAL:
While it encourages quality programming by those who do not want
to get caught doing otherwise, it also encourages thorough testing by
the community.
But, there is a temptation for copying such without paying:
Perhaps the law should provide a punishment for such.
Perhaps customers should pay for such code before it
becomes open - and get refunds of such payments if the code, once open,
proves to be unreasonably defective.

The community should be demanding of Congress such support as may help.

While "open source" could be thought of as just the voting program,
proper thinking includes the hardware, protecting the program against
whatever destructive forces may exist, and verifying what happens.

Secret ballot is essential. While voter should be able to verify the
vote before submitting such, this is only to verify - goal above is
election programs that REALLY DO what they promise.
Post by rob brown
Post by rob brown
Post by Kathy Dopp
If so, why not let the voters vote on a paper ballot to
begin with?
Any ideas?
Cost?
Wrong answer. Paper ballot optical scan systems are so much more
economical than e-ballot systems that if you purchase all-new optical
scan systems, the on-going cost savings totally pay for the initial
purchase within four years and then begin saving taxpayers lots of
monies. See http://electionmathematics.org and click on Voting
Systems for links to cost comparison studies.
Post by rob brown
But honestly, the big problem I have with paper ballots filled out by hand
is that they make the transition to a ranked system a lot harder, both in
terms of difficulty filling in the ballot and difficulty counting them. As
That is a good argument against using any ranked ballot systems then
since the integrity of e-ballot systems cannot be adequately ensured,
given the secret ballot and the difficulty of implementing systems to
detect and correct errors with a secret ballot.
Well here is where you and I differ. I think if electoral fraud in the
US were eliminated, it would be a good thing, but not dramatically
change things, any more than eliminating shoplifting would dramatically
change our economy. I do not believe that such fraud changes the
outcome of a large percentage of elections, and in those it does, it was
pretty close anyway.
Most elections do not inspire the fraudsters. The few they care about
may be near ties, responding to minimum fraudulent effort.

Thus, a few false wins can be big trouble.
Post by rob brown
If plurality voting were replaced with a ranked system such as a
Condorcet method, I believe it WOULD dramatically change the entire
dynamic of politics, in a very, very good way, by nearly eliminating the
polarized nature of government due to partisanship. That is huge,
comparatively.
Could be BIG - Plurality NEEDS primaries. Condorcet does not need
such, but could not object if parties chose to do them anyway for
other reasons.
Post by rob brown
So my priorities are different.
Giving up on fixing a huge problem because it makes it more difficult to
fix a much smaller problem is not something I can support.
(and btw, I believe this list is about reforming the voting methods, not
so much about fixing security problems.....so if you are willing to
abandon all attempts at reform because you don't think you can solve
your particular problem as easily on a reformed system, it seems
unlikely to fly here)
Making the source code for the voting programs open source does not
make all the myriad of other programs, drivers, OS, etc on the voting
system open source - that could be used to rig the vote. Also of
course election officials do not have the resources to verify software
and it would take years to set up systems to verify the software on
voting systems *and* require trusted technicians to do so.
The whole system top to bottom should be open source. This is not
particularly hard....plenty of people run "pure" boxes, on commodity
hardware. The obvious choice for OS would probably be Linux, with
FreeBSD being another option.
The whole point of open source is that if the "officials" don't verify
it satisfactorily, someone will. A security researcher could make
themselves famous for discovering something malicious in voting software.
The only thing that is immune to checking would be the compiler itself,
since the compiler needs a compiler to compile itself....but someone
would have had to have done something evil (and very, very brilliant) a
long time ago to pull that off....good for a sci fi novel anyway, but
not so much in the real world.
Compilers do not have to be that complex - since voting programs need
not be that complex, such as would need a high powered compiler.
Post by rob brown
Well, perhaps 5% of voters would *see* the error (because no fraudster
is stupid enough to switch *all* target votes available), but most
might think they made a mistake on the first try.
Then it is a UI problem.
Post by rob brown
especially if you simply leave it on screen when you print the
paper copy.
Huh? Try doing that yourself. I do not know if the summary *screen*
version of the ballot appears at the same time as you get a chance to
check the paper version of the ballot. I don't think that is
necessarily an option you would have.
What is so hard about that? The point is, if the UI is designed
reasonably well, a large percentage of voters will *know* if the machine
is cheating.
Post by rob brown
And they are going to talk about it. And the next year, people will be a
lot more likely to notice.
If you followed the voting news nationwide like I do, you would know
that people have been talking about it a lot since the November 2004
presidential election, in particular there was lots of vote switching
reported in Ohio.
Yes but this is different. This is like going to the store, and having
one thing on the cash register and another on the credit card receipt.
A store might get away with that for a day or two, but people will catch
on quickly, and suddenly word will get out that the store is cheating
people, and a larger percentage of people will check, etc. Most likely
though, the store will know they will be out of business soon if they
try this on anything more than the tiniest of scales, and just not try it.
Completely different from what may have happened in Florida or Ohio,
where people might suspect something is up, but it isn't blatant and it
is hard to know.
Anyone could easily switch out any open source or not program that is
compiled into machine language during some routine maintenance and no
one would know the difference. Do you really think that election
administrators are going to have the funds and that VVV's are going to
cooperate to put together a list of all compilers, switches, hardware
and firmware versions for every piece of software on their machines so
that the versions can be checked after the elections?
It isn't that hard, if designed to be done this way.
In Utah, the
VVV shipped us at least three different versions of the voting system
software alone, and who knows how many unique versions of hardware,
firmware, drivers, and hardware. If you believe that these VVs are
standardized, you are quite mistaken.
Then it is a design problem.
And which technicians and programmers do you want the public to
*trust* to ensure that all the software on the VV is doing what it
should?
Fact is, you've gotta trust someone, whether it is hand counted, optical
read, or whatever. This is not a new problem.
Post by rob brown
Most likely though, no one is able to hide such devious stuff in code
visible to security researchers.
Yes. Of course with all of today's VV's you can simply take 30 secs to
1 min to use any of the easily accessible back doors to simply change
the vote counts on the central tabulators, without even installing any
malicious software on them at all.
Then that is a design problem.
OK. You don't believe the research. Any particular reason you are so
certain that more than 30% of voters bother to check their paper
ballot record? Any particular reason you think that all the research
that shows that deliberately introduced errors in the ballots during
tests are only discovered by 30% of those who *try* to find the
errors?
I.e. I think you had better come up with some facts to show why you
believe that all the research is wrong that shows that fewer than 10%
of voters are accurately proofing their machine printed ballot
records, not just say you don't believe the research which sounds very
plausible to me and no one has claimed is wrong up until yourself now.
Not even the VVV's or the DRE supporters have attacked this research
to my knowledge.
I don't discount that most people don't check the results. I do think
it's absurd that someone could change a significant number of votes this
way without drawing intense attention from the few that notice, and
after that a lot more people will notice. This is an emergent phenomenon
that is hard for a simple study to directly measure.
It is like any other security issue, that if people don't think it is a
problem they are less likely to be vigilant. If you live in a town with
little burglary, you may not lock your doors. If burglary starts to be
a problem, people lock their doors, install alarms, buy firearms, etc.
Is it possible that most people today don't check this stuff carefully
because they think it is not a huge problem, and that enough other
people will be monitoring the system.....and they just might be right?
I'm sure you are the type that carefully balances your checkbook to make
sure the bank isn't cheating you. I don't. I assume there are lots of
other people making sure that banks don't regularly steal people's
money, and statistically, it's not worth my time to monitor it so closely.
Same thing here. By your logic, banks could steal 60% of people's money
because only 40% of people balance their checkbooks. But that is crazy.
Post by rob brown
Post by Kathy Dopp
The voter would either think that he must have made a mistake on the
first try, or complain about his vote being switched.
Yes, and a lot of people complaining would draw more attention to it, and
more people would start checking. If it happened on a large scale, the
problem would be tracked down, and the programmer would be put away for a
long time.
And *how* pray tell, would that programmer be *tracked down*? Magic? Voodoo?
Or....a basic source code control system?
So what are YOU suggesting be done if many voters notice that their
votes have been switched by DREs during an election? REDO THE ELECTION
and hope it doesn't happen again during the second election since no
manual audit can recover the accurate vote counts?
I don't think it would get to that point, at least not on a large scale,
for reasons I have pointed out.
I'm sorry but I don't have any time to continue this today. Maybe tomorrow.
Likewise, I'm out of time for this. I think I've said my piece.
Perhaps my 2-cents will inspire a response. I agree, in general, with
Rob that we have a fixable problem that NEEDS fixing.
Post by rob brown
-rob
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.



----
Election-Methods mailing list - see http://electorama.com/em for list info
rob brown
2008-08-15 06:42:29 UTC
Permalink
On Thu, Aug 14, 2008 at 11:01 PM, Dave Ketchum <***@clarityconnect.com> wrote:

(most of Dave's comments snipped out, I responded to only a few)
While it encourages quality programming by those who do not want to get
caught doing otherwise, it also encourages thorough testing by the
community.
Perhaps the law should provide a punishment for such.
The law already does.
http://ap.google.com/article/ALeqM5iR9T2USlbjJbHOl7sIgiE9RCx33gD92IB4900

Post by rob brown
Well here is where you and I differ. I think if electoral fraud in the US
were eliminated, it would be a good thing, but not dramatically change
things, any more than eliminating shoplifting would dramatically change our
economy. I do not believe that such fraud changes the outcome of a large
percentage of elections, and in those it does, it was pretty close anyway.
Most elections do not inspire the fraudsters. The few they care about may
be near ties, responding to minimum fraudulent effort.
Thus, a few false wins can be big trouble.
However, if they are near ties, that isn't quite so big trouble because both
candidates are pretty popular anyway. While it may offend our notion of
democracy to have someone win (a two person election) who had only 49.99
percent of the vote....it's really not that huge a deal....not nearly the
same scale of a problem as one where a truly unpopular candidate could get
himself elected by fraud.

Like with everything else in the world, we want to minimize the ability of
criminals to profit from their crimes, but how much are we willing to give
up to reduce the chance to zero?
Post by rob brown
If plurality voting were replaced with a ranked system such as a Condorcet
method, I believe it WOULD dramatically change the entire dynamic of
politics, in a very, very good way, by nearly eliminating the polarized
nature of government due to partisanship. That is huge, comparatively.
Could be BIG - Plurality NEEDS primaries. Condorcet does not need such, but
could not object if parties chose to do them anyway for other reasons.
Yes, although maybe it would be more accurate to say that candidates that
want to win need primaries under plurality.

Post by rob brown
The only thing that is immune to checking would be the compiler itself,
since the compiler needs a compiler to compile itself....but someone would
have had to have done something evil (and very, very brilliant) a long time
ago to pull that off....good for a sci fi novel anyway, but not so much in
the real world.
Compilers do not have to be that complex - since voting programs need not
be that complex, such as would need a high powered compiler.
Well, even a basic C compiler has this issue, since the compiler itself is
written in C, so there is a chicken egg problem. But this is really not a
real world concern (and if it was, someone would have been using it to steal
money from banks, etc). It's an amusing theoretical concept, but not much
more.

Perhaps my 2-cents will inspire a response. I agree, in general, with Rob
that we have a fixable problem that NEEDS fixing.
Cool. :) Indeed, while I think that voting security is important, let's not
throw the baby (fixing the problems with plurality) out with the bathwater
(fraud).

-r
Andrew Myers
2008-08-15 13:12:15 UTC
Permalink
Readers of this list may be interested in our paper on a secure
electronic voting system published at the IEEE Symposium on Security and
Privacy this May. The system, Civitas, supports secure remote voting. As
described in the accompanying technical report, it also supports
Condorcet voting.

Civitas: Toward a Secure Voting System
<http://www.cs.cornell.edu/andru/papers/civitas.html>
Proceedings of the 2008 IEEE Symposium on Security and Privacy
(Oakland), pages 354–368, May 2008.
Michael R. Clarkson, Stephen Chong, Andrew C. Myers.
http://www.cs.cornell.edu/people/clarkson/papers/clarkson_civitas.pdf

More information, including the software and the technical report, can
be found at http://www.cs.cornell.edu/projects/civitas/

-- Andrew


----
Election-Methods mailing list - see http://electorama.com/em for list info
Kristofer Munsterhjelm
2008-08-15 14:01:10 UTC
Permalink
Post by Dave Ketchum
Post by Kathy Dopp
Post by rob brown
Or do we want the voter to be able to cancel the ballot and let
the poll workers know that he needs a paper ballot instead that
he can mark himself?
I'm fine with the latter. Actually that seems like a reasonable
thing to do.
I agree, but that is not happening on all of today's voting systems.
Election officials seem to be hopelessly slow to grasp the problem or
the solution.
This is a possible place for some new, clear, thinking - the Election
officials likely couldn't fix this by themselves.
We are in trouble - failures have been proved too often, and there is
good reason to believe most failures do not even get proved.
Even if the voting machine would be perfect - have no flaws at all -
having a backup paper balloting option would be a good idea, I think. To
the extent that democracy is not only about who won, but also about the
losers (and their voters) being confident that they lost in a fair
manner, any voter who doesn't trust the machine can request a paper
ballot instead; and candidates that distrust the machinery can tell
their voters to use the paper ballot backup.

If the machine works correctly, and candidates and voters know that, the
load on the backup system will be minimal. However, if the machines are
untrusted or haven't earned the reputation for being fair, the backup
will at least limit fraud somewhat.

A possible problem with the solution may occur if many more voters use
"backup ballots" than was predicted, and the infrastructure (parties'
counters, and so on) can't keep up with the load. This weakness is the
consequence of that the load is going to be dynamic (depending on
voters' trust in the machines), and in the worst case, the backup might
be neglected completely.
Post by Dave Ketchum
Even working correctly, Plurality voting is not adequate. While there
Ballot is ranked, as is IRV's.
Plurality voting is permitted, and can satisfy most voters most of
the time - letting them satisfy their desires with no extra pain while
getting their votes fully credited.
Approval voting is likewise accepted, satisfying a few extra voters.
Fully ranked voting is Condorcet's promise, giving full response to
those desiring such when desired.
From a purely technical point of view, I agree. I think the "good" (at
least cloneproof) Condorcet methods to focus on here would be either
Ranked Pairs (easy to explain) or Schulze (seems to be gaining momentum
for non-governmental purposes, e.g. MTV and Debian), both wv as their
definitions state. That shouldn't keep us from trying to find things
like good burial-resistant Condorcet methods, though.
Post by Dave Ketchum
While it encourages quality programming by those who do not want to
get caught doing otherwise, it also encourages thorough testing by the
community.
Perhaps the law should provide a punishment for such.
Perhaps customers should pay for such code before it
becomes open - and get refunds of such payments if the code, once open,
proves to be unreasonably defective.
The community should be demanding of Congress such support as may help.
While "open source" could be thought of as just the voting program,
proper thinking includes the hardware, protecting the program against
whatever destructive forces may exist, and verifying what happens.
Secret ballot is essential. While voter should be able to verify the
vote before submitting such, this is only to verify - goal above is
election programs that REALLY DO what they promise.
Let's look at this again. What does a voting machine do? It registers
votes. Surely, that can't be a difficult task, so why use a computer?
Why not (for Approval or Plurality) just have a simple chip connected to
a PROM, with the chip in turn connected to a bunch of switches, one for
each candidate, with a matrix display next to each switch, and a final
switch to commit the ballot? Such a machine would be provably correct:
as long as you have a PROM that hasn't been preprogrammed (this can be
checked at the beginning), and the machine hasn't been compromised
(rewired switches, backdoor chips), then it'll work as promised.

Reading off the PROMs would require more complex machinery, but it's
really just an adder. In a Condorcet election, it's a two-loop adder
(for each candidate, for each ranked below, increment vote_for[a][b]).
That, too, is not too difficult a task and it should be possible to
prove that it'll work in all cases.

One might also have to take TEMPEST sniffing and similar things into
account, but the point is that both actually registering ballots and
counting the votes is a simple task, and therefore one can inspect the
device or program to see that it works properly, and more than that,
that it'll always work properly within the constraints given (no rogue
machines, or whatever).

The voters, approaching the machine like a black box, can't verify that
the machine does what it says it does, but they can't do that with
ordinary computers either. If that problem is one that damns
computerized voting, then it damns it no matter what the black box is.
If not, then since the computer program or device (in the case of a
simple machine) can be known, at least by some, that there's no possible
way it can go wrong unless it was sabotaged from the start or influenced
by external effects (theft, PROM replacement, etc).

Similarly, cost also hits all forms of computerized voting. A
purpose-built machine may even turn out to be cheaper in the end, since
it doesn't need gigahertz CPUs, high resolution displays, or the likes.
----
Election-Methods mailing list - see http://electorama.com/em for list info
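The switch-and-PROM recorder described in the post above, modelled in C as an added example (not code from the thread). The blank check, the commit switch and the read-off adder are the post's; the two-bit cell encoding, the poll-worker arming latch and every identifier are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_CANDIDATES 4   /* constructed ballot: four approval switches */
#define NUM_SLOTS      8   /* ballots the PROM can hold */

/* Assumed encoding: two PROM bits per candidate. A blank PROM reads all ones
 * and programming can only clear bits, so a committed cell (10 or 01) that is
 * written again can only fall to 00, which the read-off rejects. */
enum { CELL_BAD = 0, CELL_NO = 1, CELL_YES = 2, CELL_BLANK = 3 };

typedef struct {
    uint8_t cell[NUM_SLOTS];  /* one byte = 4 candidates x 2 bits */
    int next_slot;
    int armed;                /* hypothetical poll-worker latch: one commit per arming */
} machine_t;

void machine_reset(machine_t *m) {
    memset(m->cell, 0xFF, sizeof m->cell);
    m->next_slot = 0;
    m->armed = 0;
}

/* PROM behaviour: a write can clear bits but never set them again. */
void prom_program(machine_t *m, int slot, uint8_t value) { m->cell[slot] &= value; }

/* Pre-election check that nothing has been preprogrammed. */
int prom_is_blank(const machine_t *m) {
    for (int s = 0; s < NUM_SLOTS; ++s)
        if (m->cell[s] != 0xFF) return 0;
    return 1;
}

void machine_arm(machine_t *m) { m->armed = 1; }

/* Commit switch: record the switch positions once, then disarm.
 * Returns the slot used, or -1 if the machine is not armed or the PROM is full. */
int machine_commit(machine_t *m, const int sw[NUM_CANDIDATES]) {
    uint8_t v = 0;
    if (!m->armed || m->next_slot >= NUM_SLOTS) return -1;
    for (int c = 0; c < NUM_CANDIDATES; ++c)
        v |= (uint8_t)((sw[c] ? CELL_YES : CELL_NO) << (2 * c));
    prom_program(m, m->next_slot, v);
    m->armed = 0;
    return m->next_slot++;
}

/* Read-off adder for Approval. Returns the number of valid ballots and fills
 * counts[] and *invalid. The valid count should still be compared with the
 * poll book, since the encoding cannot tell an extra ballot from a real one. */
int read_off(const machine_t *m, int counts[NUM_CANDIDATES], int *invalid) {
    int valid = 0;
    memset(counts, 0, NUM_CANDIDATES * sizeof counts[0]);
    *invalid = 0;
    for (int s = 0; s < NUM_SLOTS; ++s) {
        int yes[NUM_CANDIDATES], ok = 1;
        if (m->cell[s] == 0xFF) continue;              /* unused slot */
        for (int c = 0; c < NUM_CANDIDATES; ++c) {
            int cell = (m->cell[s] >> (2 * c)) & 3;
            if (cell == CELL_BAD || cell == CELL_BLANK) ok = 0;
            yes[c] = (cell == CELL_YES);
        }
        if (!ok) { ++*invalid; continue; }             /* altered or partial record */
        for (int c = 0; c < NUM_CANDIDATES; ++c) counts[c] += yes[c];
        ++valid;
    }
    return valid;
}

int main(void) {
    machine_t m;
    int counts[NUM_CANDIDATES], invalid;
    const int ballot[NUM_CANDIDATES] = {1, 0, 1, 0};   /* constructed sample ballot */
    machine_reset(&m);
    if (!prom_is_blank(&m)) return 1;
    machine_arm(&m);
    machine_commit(&m, ballot);
    prom_program(&m, 0, 0xBF);    /* later attempt to add an approval for candidate 3 */
    printf("valid=%d invalid=%d\n", read_off(&m, counts, &invalid), invalid);
    return 0;
}
```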
Jonathan Lundell
2008-08-15 23:00:33 UTC
Apropos voting machines, the current xkcd: http://xkcd.com/463/
Dave Ketchum
2008-08-16 05:04:16 UTC
Post by Kristofer Munsterhjelm
Post by Dave Ketchum
Post by Kathy Dopp
Post by rob brown
Or do we want the voter to be able to cancel the ballot and let
the poll workers know that he needs a paper ballot instead that
he can mark himself?
I'm fine with the latter. Actually that seems like a reasonable
thing to do.
I agree, but that is not happening on all of today's voting systems.
Election officials seem to be hopelessly slow to grasp the problem or
the solution.
This is a possible place for some new, clear, thinking - the Election
officials likely couldn't fix this by themselves.
We are in trouble - failures have been proved too often, and there is
good reason to believe most failures do not even get proved.
Even if the voting machine would be perfect - have no flaws at all -
having a backup paper balloting option would be a good idea, I think. To
the extent that democracy is not only about who won, but also about the
losers (and their voters) being confident that they lost in a fair
manner, any voter who doesn't trust the machine can request a paper
ballot instead; and candidates that distrust the machinery can tell
their voters to use the paper ballot backup.
As I say above, we are in trouble. Until we both fix the machines and
demonstrate success of the repairs, such use of paper backups makes sense.

Complicating all this, paper ballots have their own problems.
Post by Kristofer Munsterhjelm
If the machine works correctly, and candidates and voters know that, the
load on the backup system will be minimal. However, if the machines are
untrusted or haven't earned the reputation for being fair, the backup
will at least limit fraud somewhat.
A possible problem with the solution may occur if many more voters use
"backup ballots" than was predicted, and the infrastructure (parties'
counters, and so on) can't keep up with the load. This weakness is the
consequence of that the load is going to be dynamic (depending on
voters' trust in the machines), and in the worst case, the backup might
be neglected completely.
Post by Dave Ketchum
Even working correctly, Plurality voting is not adequate. While there
Ballot is ranked, as is IRV's.
Plurality voting is permitted, and can satisfy most voters most
of the time - letting them satisfy their desires with no extra pain
while getting their votes fully credited.
Approval voting is likewise accepted, satisfying a few extra voters.
Fully ranked voting is Condorcet's promise, giving full response
to those desiring such when desired.
From a purely technical point of view, I agree. I think the "good" (at
least cloneproof) Condorcet methods to focus on here would be either
Ranked Pairs (easy to explain) or Schulze (seems to be gaining momentum
for non-governmental purposes, e.g. MTV and Debian), both wv as their
definitions state. That shouldn't keep us from trying to find things
like good burial-resistant Condorcet methods, though.
Post by Dave Ketchum
While it encourages quality programming by those who do not want
to get caught doing otherwise, it also encourages thorough testing by
the community.
Perhaps the law should provide a punishment for such.
Perhaps customers should pay for such code before it
becomes open - and get refunds of such payments if the code, once open,
proves to be unreasonably defective.
The community should be demanding of Congress such support as may help.
While "open source" could be thought of as just the voting program,
proper thinking includes the hardware, protecting the program against
whatever destructive forces may exist, and verifying what happens.
Secret ballot is essential. While voter should be able to verify the
vote before submitting such, this is only to verify - goal above is
election programs that REALLY DO what they promise.
Let's look at this again. What does a voting machine do? It registers
votes. Surely, that can't be a difficult task, so why use a computer?
Why not (for Approval or Plurality) just have a simple chip connected to
a PROM, with the chip in turn connected to a bunch of switches, one for
each candidate, with a matrix display next to each switch, and a final
as long as you have a PROM that hasn't been preprogrammed (this can be
checked at the beginning), and the machine hasn't been compromised
(rewired switches, backdoor chips), then it'll work as promised.
I will use "zillion", a stretchable value, below:

A zillion precincts each set up for a few of the zillion races voted
on in the US.

A zillion personnel who must do all the manual labor and guidance of
voters. This is a sideline, thus hard to justify learning complex
skills, rather than a full-time career for these.

A zillion voters, who BETTER be provided a simple interface for voting.

At end of election the counts for the zillion races better get
attended to.

I really see it easier to do well effectively if you take advantage of
what computers can do (and have them do better than the failures we
have experienced).
Post by Kristofer Munsterhjelm
Reading off the PROMs would require more complex machinery, but it's
really just an adder. In a Condorcet election, it's a two-loop adder
(for each candidate, for each ranked below, increment vote_for[a][b]).
That, too, is not too difficult a task and it should be possible to
prove that it'll work in all cases.
For Condorcet you must recognize, for A vs B, how many ranked A>B and
how many B>A. Must do this for every pair of candidates. If
write-ins are permitted (better be), they are more candidates to
attend to.
Post by Kristofer Munsterhjelm
One might also have to take TEMPEST sniffing and similar things into
account, but the point is that both actually registering ballots and
counting the votes is a simple task, and therefore one can inspect the
device or program to see that it works properly, and more than that,
that it'll always work properly within the constraints given (no rogue
machines, or whatever).
The voters, approaching the machine like a black box, can't verify that
the machine does what it says it does, but they can't do that with
ordinary computers either. If that problem is one that damns
computerized voting, then it damns it no matter what the black box is.
If not, then since the computer program or device (in the case of a
simple machine) can be known, at least by some, that there's no possible
way it can go wrong unless it was sabotaged from the start or influenced
by external effects (theft, PROM replacement, etc).
We know that failing is possible with defective computer systems.

I claim that those willing should be allowed to demonstrate, and
deliver if they demonstrate ability, good computer systems.

Agreed the average voter cannot demonstrate quality of systems, though
a few have failed so miserably that even they should notice.
Post by Kristofer Munsterhjelm
Similarly, cost also hits all forms of computerized voting. A
purpose-built machine may even turn out to be cheaper in the end, since
it doesn't need gigahertz CPUs, high resolution displays, or the likes.
Big expense for proper computerized voting is the programming but,
supply a reasonable part of the zillion precincts and this becomes
trivia for each one.

Big equipment item would be cost of preventing various destructive
acts at each of the zillion machines.

Some talk of printing copies of the ballot:
Certainly voter should have aid in verifying the ballot.
But I do not see need for printing such.
I am for a record on disk of each ballot, but done in a manner to
not destroy secrecy. Disk records should also report what, of a
suspicious nature, may have been done to the system.
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.
Kristofer Munsterhjelm
2008-08-16 07:54:28 UTC
Post by Dave Ketchum
As I say above, we are in trouble. Until we both fix the machines and
demonstrate success of the repairs, such use of paper backups makes sense.
Complicating all this, paper ballots have their own problems.
Hopefully the paper ballot problems won't be the same as the machine
problems, so that fraud is complicated rather than made easier.
Post by Dave Ketchum
Post by Kristofer Munsterhjelm
Let's look at this again. What does a voting machine do? It registers
votes. Surely, that can't be a difficult task, so why use a computer?
Why not (for Approval or Plurality) just have a simple chip connected
to a PROM, with the chip in turn connected to a bunch of switches, one
for each candidate, with a matrix display next to each switch, and a
final switch to commit the ballot? Such a machine would be provably
correct: as long as you have a PROM that hasn't been preprogrammed
(this can be checked at the beginning), and the machine hasn't been
compromised (rewired switches, backdoor chips), then it'll work as
promised.
A zillion precincts each set up for a few of the zillion races voted on
in the US.
A zillion personnel who must do all the manual labor and guidance of
voters. This is a sideline, thus hard to justify learning complex
skills, rather than a full-time career for these.
A zillion voters, who BETTER be provided a simple interface for voting.
At end of election the counts for the zillion races better get attended to.
I really see it easier to do well effectively if you take advantage of
what computers can do (and have them do better than the failures we have
experienced).
So you're saying that computers are better than specialized machines?
I'm not sure that's what you say (rather than that machines are better
than paper ballots), but I'll assume that.

Because the specialized machines are simpler than computers, once mass
production gets into action, they should be cheaper. The best here would
probably be to have some sort of independent organization or open-source
analog draw up the plans, and then have various companies produce the
components to spec.

The simplicity of voting could also count against general-purpose
computers as far as manual labor is concerned. If the machine has been
proved to work, you don't need to know what Access (yes, Diebold used
Access) is to count the votes, and you don't need a sysadmin present in
case the system goes to a blue screen.

You could also do this kind of proof on general purpose computers, but
then you'd have to design the complete software system from the bottom
up, which includes what one'd traditionally consider the OS; and if it's
general purpose, you also have to ensure that the vendors don't patch
the systems after they've been deployed.
Having the kind of programmable ROM infrastructure with a limiter on
per-voter might be good in the general-purpose computer case as well, in
which case the computer just acts as a GUI. Then it can't mass vote - the
worst (which is pretty bad) it can do is alter the ballot as the voter
votes.
Post by Dave Ketchum
For Condorcet you must recognize, for A vs B, how many ranked A>B and
how many B>A. Must do this for every pair of candidates. If write-ins
are permitted (better be), they are more candidates to attend to.
That's true, but it's still fairly simple. Assume the ranked ballot is
in the form of rank[candidate] = position, so that if candidate X was
ranked first, rank[X] = 0. (Or 1 for that matter, I just count from zero
because I know programming)

Then the simple nested loop goes like this:

    for (outer = 0; outer < num_candidates; ++outer) {
        for (inner = 0; inner < num_candidates; ++inner) {
            if (rank[outer] < rank[inner]) { // if outer has higher rank
                condorcet_matrix[outer][inner] += 1; // increment
            }
        }
    }

It's less than instead of greater than because lower rank number means
the rank is closer to the top.

Write-ins could be a problem with the scheme I mentioned, and with
transmitting Condorcet matrices. One possible option would be to prepend
the transmission with a lookup list, something similar to:

Candidate 0 is Bush
Candidate 1 is Gore
Candidate 2 is Nader
Candidate 3 is Joe Write-In
Candidate 4 is Robert Write-In, etc

and if the central gets two condorcet matrices that have the same
candidates in different order (or share some candidates), it flips the
rows and columns to make the numbers the same before adding up.

"Writing in" with the switches-and-display GUI would still be very
difficult, however; I recognize that problem.
Post by Dave Ketchum
We know that failing is possible with defective computer systems.
I claim that those willing should be allowed to demonstrate, and deliver
if they demonstrate ability, good computer systems.
Agreed the average voter cannot demonstrate quality of systems, though a
few have failed so miserably that even they should notice.
I don't really like computerized voting, since I think it solves a
problem that isn't there while complicating things a lot. But if voters
insist upon computerized/machine voting, then we might as well do the
best of it, and in my opinion, it would be better to prove positively
(that everything it's supposed to do, it'll do correctly no matter what
happens) than negatively (that it won't err), because there's so much
more potential for something to fall between the cracks in the latter
case than in the former.

The specialized conclusion follows from this, because in the general
purpose computer case (without your own OS or something with a security
microkernel or similar to ensure the validity of the proofs) you have to
prove that the display driver doesn't mess with memory it shouldn't,
that the keyboard driver doesn't, and that basically the entire OS works
as specified.
Post by Dave Ketchum
Certainly voter should have aid in verifying the ballot.
But I do not see need for printing such.
One idea that came to mind when considering this and Kathy Dopp's
statement that voters don't check their ballots, is this: have the
machine print the ballot (underneath glass) on a transparency. The
system is set up so that the screen is monochrome in one color and the
printer is monochrome in another. Then overlay, very precisely, the
printed ballot on top of the monitor. If there are any discrepancies,
then those will stand out because there'll be a color mismatch. The
printed ballot is what counts - no in-memory count is kept.

It would require very precise alignment and wouldn't do anything for
colorblind voters, and the GUI would have to look (if not act) just like
the paper ballot so that the confirmation isn't on a separate screen
(which would defeat the purpose). Those requirements may be too strict
for the method to work, but I mention it anyway in case it isn't.

The point of using the printed ballots as what counts is that as long as
the voter checks the result, there's no way for the computer to "keep
two books" - to tell the voter the ballot registered was for X while
secretly registering one for Y instead.
Post by Dave Ketchum
I am for a record on disk of each ballot, but done in a manner to
not destroy secrecy.
You have to be very careful when doing so, because there are many
channels to secure. A vote-buyer might tell you to vote exactly at noon
so that the disk record timestamp identifies you, or he might, in the
case of Approval and ranked ballots, tell you to vote for not just his
preferred candidate, but both the low-support communist and the
low-support right extremist as well, so that he can tell which ballot
was yours and that you voted correctly.

Perhaps one could have a compromise by repeatedly recording the Condorcet
matrix so far (or Approval counts, in the case of Approval) once they've
changed sufficiently. That idea may have more subtle flaws, but those
may also be fixable; I don't know if either is the case.

Finally, the disk record won't help if the machine is compromised. If
pre-election polls show the incumbent at 47% and the challenger at 53%,
and the machine changes challenger ballots to incumbent ballots at a
rate of 7%, prior to those ballots being written to disk, nobody will be
any wiser. Even an individual ballot record would just show that 7% of
those that in reality voted for the challenger, voted for the incumbent
instead, as if having changed their minds just before the election.

(If you go further in this vein, trying to fix that attack, you
eventually end up at cryptographic zero-knowledge proofs, which aren't
really "disk records", but more than that.)
Post by Dave Ketchum
Disk records should also report what, of a
suspicious nature, may have been done to the system.
That's a good idea, but it should probably be network based instead of
disk based so that the virus (if one is introduced) can't just wipe its
tracks afterwards. Or use some non-erasable medium like aforementioned
PROMs (or a CD-R for that matter).
----
Election-Methods mailing list - see http://electorama.com/em for list info
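An added example (not code from the thread) that carries the nested loop and the lookup-list idea from the post above through to a central merge of two precinct matrices whose candidates are in different order and whose write-ins differ. It goes one step beyond the post: it assumes a candidate left off a ballot ranks below every ranked one and keeps a per-candidate `ranked` count, so that a write-in unknown to one precinct is still credited correctly; `tally_t` and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CAND 8
#define NAME_LEN 32
#define UNRANKED 1000 /* assumption: a candidate left off a ballot ranks below all ranked ones */

typedef struct {
    int  n;                          /* entries in the lookup list */
    char names[MAX_CAND][NAME_LEN];  /* "Candidate i is <name>" */
    long m[MAX_CAND][MAX_CAND];      /* m[a][b] = ballots ranking a above b */
    long ranked[MAX_CAND];           /* ballots that ranked a at all */
} tally_t;                           /* zero-initialise before use */

int tally_find(const tally_t *t, const char *name) {
    for (int i = 0; i < t->n; ++i)
        if (strcmp(t->names[i], name) == 0) return i;
    return -1;
}

/* Add a listed candidate or a write-in; returns its index, or -1 if it does not fit. */
int tally_add_candidate(tally_t *t, const char *name) {
    int w = tally_find(t, name);
    if (w >= 0) return w;
    if (t->n >= MAX_CAND || strlen(name) >= NAME_LEN) return -1;
    w = t->n++;
    strcpy(t->names[w], name);
    /* Every ballot counted so far left the newcomer unranked. */
    for (int x = 0; x < w; ++x) t->m[x][w] = t->ranked[x];
    return w;
}

/* The nested loop from the post, for one ballot: rank[c] = position, 0 = top. */
void tally_ballot(tally_t *t, const int rank[]) {
    for (int outer = 0; outer < t->n; ++outer) {
        if (rank[outer] != UNRANKED) t->ranked[outer] += 1;
        for (int inner = 0; inner < t->n; ++inner)
            if (rank[outer] < rank[inner]) t->m[outer][inner] += 1;
    }
}

/* Central side: map a precinct's rows and columns to central indices by name, then add. */
int tally_merge(tally_t *central, const tally_t *p) {
    int map[MAX_CAND], present[MAX_CAND] = {0}, fresh = 0;
    if (p->n < 0 || p->n > MAX_CAND) return -1;
    for (int i = 0; i < p->n; ++i) {                 /* validate before changing anything */
        if (!memchr(p->names[i], '\0', NAME_LEN)) return -1;       /* unterminated name */
        for (int j = 0; j < i; ++j)
            if (strcmp(p->names[i], p->names[j]) == 0) return -1;  /* duplicate entry */
        if (tally_find(central, p->names[i]) < 0) ++fresh;
    }
    if (central->n + fresh > MAX_CAND) return -1;
    for (int i = 0; i < p->n; ++i) {
        map[i] = tally_add_candidate(central, p->names[i]);
        present[map[i]] = 1;
    }
    /* Candidates this precinct never listed lose to everyone its voters ranked. */
    for (int c = 0; c < central->n; ++c) {
        if (present[c]) continue;
        for (int i = 0; i < p->n; ++i)
            central->m[map[i]][c] += p->ranked[i];
    }
    for (int i = 0; i < p->n; ++i) {
        central->ranked[map[i]] += p->ranked[i];
        for (int j = 0; j < p->n; ++j)
            central->m[map[i]][map[j]] += p->m[i][j];
    }
    return 0;
}

long tally_get(const tally_t *t, const char *a, const char *b) {
    int i = tally_find(t, a), j = tally_find(t, b);
    return (i < 0 || j < 0) ? -1 : t->m[i][j];
}

/* Constructed sample: two precincts, different candidate order, different write-ins. */
void demo_precincts(tally_t *a, tally_t *b) {
    static const int a1[] = {2, 0, 1}, a2[] = {UNRANKED, 1, UNRANKED, 0};
    static const int b1[] = {1, 0, UNRANKED}, b2[] = {2, UNRANKED, 1, 0};
    memset(a, 0, sizeof *a); memset(b, 0, sizeof *b);
    tally_add_candidate(a, "Bush"); tally_add_candidate(a, "Gore");
    tally_add_candidate(a, "Nader");
    tally_ballot(a, a1);                        /* Gore > Nader > Bush */
    tally_add_candidate(a, "Joe Write-In");
    tally_ballot(a, a2);                        /* Joe Write-In > Gore */
    tally_add_candidate(b, "Gore"); tally_add_candidate(b, "Bush");
    tally_add_candidate(b, "Nader");
    tally_ballot(b, b1);                        /* Bush > Gore */
    tally_add_candidate(b, "Robert Write-In");
    tally_ballot(b, b2);                        /* Robert Write-In > Nader > Gore */
}

int main(void) {
    tally_t a, b, central = {0};
    demo_precincts(&a, &b);
    if (tally_merge(&central, &a) || tally_merge(&central, &b)) return 1;
    printf("Gore > Bush: %ld\n", tally_get(&central, "Gore", "Bush"));
    return 0;
}
```

Adding the two matrices cell by cell after reordering alone would leave "Gore > Joe Write-In" at 1 instead of 3, because the second precinct's matrix has no column for a name its voters never wrote in.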
Jonathan Lundell
2008-08-16 14:27:10 UTC
Post by Kristofer Munsterhjelm
Post by Dave Ketchum
I am for a record on disk of each ballot, but done in a manner
to not destroy secrecy.
You have to be very careful when doing so, because there are many
channels to secure. A vote-buyer might tell you to vote exactly at
noon so that the disk record timestamp identifies you, or he might,
in the case of Approval and ranked ballots, tell you to vote for not
just his preferred candidate, but both the low-support communist and
the low-support right extremist as well, so that he can tell which
ballot was yours and that you voted correctly.
In the US, at least, voting by mail has become so prevalent that I
wonder whether it's worthwhile making voting machinery absolutely
impregnable to vote-buying. All else being equal, sure, why not, but
if we trade off other desirable properties to preserve secrecy, and
leave the vote-by-mail door unlocked....
Dave Ketchum
2008-08-17 00:24:11 UTC
Post by Jonathan Lundell
Post by Kristofer Munsterhjelm
I am for a record on disk of each ballot, but done in a manner to
not destroy secrecy.
You have to be very careful when doing so, because there are many
channels to secure. A vote-buyer might tell you to vote exactly at
noon so that the disk record timestamp identifies you, or he might,
in the case of Approval and ranked ballots, tell you to vote for not
just his preferred candidate, but both the low-support communist and
the low-support right extremist as well, so that he can tell which
ballot was yours and that you voted correctly.
In the US, at least, voting by mail has become so prevalent that I
wonder whether it's worthwhile making voting machinery absolutely
impregnable to vote-buying. All else being equal, sure, why not, but if
we trade off other desirable properties to preserve secrecy, and leave
the vote-by-mail door unlocked....
There are two topics here:
I LIKE the secret ballot, have had it most of my life, and know
many others have similar desires for good reason. That thought
inspired my words at the top.
Vote buying needs discouraging, but I concede perfection is less
essential here.

Voting by mail requires humans obeying rules. I believe the rules in
NY still require placing the ballots in an anonymous stack without
humans reading their content while having the voter's identity associated.
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.
Jonathan Lundell
2008-08-17 00:49:37 UTC
Post by Dave Ketchum
Post by Jonathan Lundell
Post by Kristofer Munsterhjelm
Post by Dave Ketchum
I am for a record on disk of each ballot, but done in a manner
to not destroy secrecy.
You have to be very careful when doing so, because there are many
channels to secure. A vote-buyer might tell you to vote exactly
at noon so that the disk record timestamp identifies you, or he
might, in the case of Approval and ranked ballots, tell you to
vote for not just his preferred candidate, but both the low-
support communist and the low-support right extremist as well, so
that he can tell which ballot was yours and that you voted
correctly.
In the US, at least, voting by mail has become so prevalent that I
wonder whether it's worthwhile making voting machinery absolutely
impregnable to vote-buying. All else being equal, sure, why not,
but if we trade off other desirable properties to preserve
secrecy, and leave the vote-by-mail door unlocked....
I LIKE the secret ballot, have had it most of my life, and know
many others have similar desires for good reason. That thought
inspired my words at the top.
Vote buying needs discouraging, but I concede perfection is less
essential here.
Voting by mail requires humans obeying rules. I believe the rules
in NY still require placing the ballots in an anonymous stack
without humans reading their content while having the voter's
identity associated.
California, too, or a method to that effect. It's vote-buying (or
coercion) that vote-by-mail enables.

The Civitas system has something to say about that, but it requires
quite a few other conditions to make it work.
Juho
2008-08-17 05:08:15 UTC
Post by Jonathan Lundell
Post by Dave Ketchum
Post by Jonathan Lundell
Post by Kristofer Munsterhjelm
Post by Dave Ketchum
I am for a record on disk of each ballot, but done in a
manner to not destroy secrecy.
You have to be very careful when doing so, because there are
many channels to secure. A vote-buyer might tell you to vote
exactly at noon so that the disk record timestamp identifies
you, or he might, in the case of Approval and ranked ballots,
tell you to vote for not just his preferred candidate, but both
the low-support communist and the low-support right extremist
as well, so that he can tell which ballot was yours and that
you voted correctly.
In the US, at least, voting by mail has become so prevalent that
I wonder whether it's worthwhile making voting machinery
absolutely impregnable to vote-buying. All else being equal,
sure, why not, but if we trade off other desirable properties to
preserve secrecy, and leave the vote-by-mail door unlocked....
I LIKE the secret ballot, have had it most of my life, and
know many others have similar desires for good reason. That
thought inspired my words at the top.
Vote buying needs discouraging, but I concede perfection is
less essential here.
Voting by mail requires humans obeying rules. I believe the rules
in NY still require placing the ballots in an anonymous stack
without humans reading their content while having the voter's
identity associated.
California, too, or a method to that effect. It's vote-buying (or
coercion) that vote-by-mail enables.
I wonder what kind of a vote-by-mail system is in use there. If it is
just based on ordinary mail that one can send from one's home or
anywhere (and doesn't offer any way to cancel and replace the vote)
then that seems to offer opportunities for coercion and vote buying.

The early voting system that I'm used to (and that is very popular)
is however one where you vote under the observation of an election
official (that can be e.g. a post office worker that takes care of
early voting) that then puts your secret vote that you have put in
one envelope into another envelope (under your eyes) that he will
send to your local election authorities.

This method offers the election officials some more chances to
violate your privacy if they so wish (since your name will appear in
the papers inside the outer envelope) (not probable though) but
coercion and vote buying (without the involvement of the election
officials) is about as difficult as with traditional voting at the
official voting site on the election day.

Juho
Post by Jonathan Lundell
The Civitas system has something to say about that, but it requires
quite a few other conditions to make it work.
Jonathan Lundell
2008-08-17 05:32:30 UTC
Post by Juho
I wonder what kind of a vote-by-mail system is in use there. If it
is just based on ordinary mail that one can send from one's home or
anywhere (and doesn't offer any way to cancel and replace the vote)
then that seems to offer opportunities for coercion and vote buying.
The early voting system that I'm used to (and that is very popular)
is however one where you vote under the observation of an election
official (that can be e.g. a post office worker that takes care of
early voting) that then puts your secret vote that you have put in
one envelope into another envelope (under your eyes) that he will
send to your local election authorities.
This method offers the election officials some more chances to
violate your privacy if they so wish (since your name will appear in
the papers inside the outer envelope) (not probable though) but
coercion and vote buying (without the involvement of the election
officials) is about as difficult as with traditional voting at the
official voting site on the election day.
In California, something like 35-40% of voters vote by mail (the
percentage is increasing), and it's just like mailing a letter. One's
ballot comes in the mail, you mark it at home, and drop it in a
mailbox to return it. I assume that Oregon has a similar method, but
I'm not personally familiar with it.
Kristofer Munsterhjelm
2008-08-17 07:14:21 UTC
Post by Jonathan Lundell
Post by Kristofer Munsterhjelm
Post by Dave Ketchum
I am for a record on disk of each ballot, but done in a manner to
not destroy secrecy.
You have to be very careful when doing so, because there are many
channels to secure. A vote-buyer might tell you to vote exactly at
noon so that the disk record timestamp identifies you, or he might, in
the case of Approval and ranked ballots, tell you to vote for not just
his preferred candidate, but both the low-support communist and the
low-support right extremist as well, so that he can tell which ballot
was yours and that you voted correctly.
In the US, at least, voting by mail has become so prevalent that I
wonder whether it's worthwhile making voting machinery absolutely
impregnable to vote-buying. All else being equal, sure, why not, but if
we trade off other desirable properties to preserve secrecy, and leave
the vote-by-mail door unlocked....
I think it'd be better to lock the vote-by-mail door. One simple way of
doing that has already been given, with the two envelopes under a
verified setting. If you like technology, you can achieve the same
effect, without the need for the physical verified setting, by using
blind signatures. However, that runs into the same problem where the
voters may not know what's going on.

The fingerprinting vulnerability of ranked ballots is annoying, because
I like ranked methods (rated ones would have even greater a
vulnerability). I can think of a crypto solution where the recording is
done under k of n secret sharing, and the secret-holders don't disclose
their key parts unless it becomes necessary to do a recount. But yet
again, how could the voters know that'll actually work? Even if they
don't, it may still be better than nothing, though.
----
Election-Methods mailing list - see http://electorama.com/em for list info
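The k-of-n idea mentioned in the post above, as an added example (not code from the thread): Shamir's secret sharing over a small prime field, splitting a key that protects the ballot record among five holders so that any three can rebuild it for a recount. The field size, the identifiers and the fixed coefficients are constructed for the demonstration; real use needs coefficients from a cryptographic random source and a field at least as large as the key.

```c
#include <stdint.h>
#include <stdio.h>

#define P 2147483647ULL   /* prime 2^31 - 1: demo-sized field chosen for this example */

typedef struct { uint32_t x, y; } share_t;   /* one holder's point on the polynomial */

static uint64_t mod_pow(uint64_t b, uint64_t e) {
    uint64_t r = 1;
    for (b %= P; e; e >>= 1, b = b * b % P)
        if (e & 1) r = r * b % P;
    return r;
}

/* Split `secret` into n shares, any k of which recover it. coeff[0..k-2] are
 * the polynomial's non-constant coefficients and must be secret and random. */
int share_split(uint32_t secret, int k, int n, const uint32_t *coeff, share_t *out) {
    if (k < 2 || n < k || secret >= P) return -1;
    for (int i = 0; i < n; ++i) {
        uint64_t x = (uint64_t)i + 1, y = 0;
        for (int d = k - 2; d >= 0; --d)          /* Horner: a_(k-1) x^(k-1) + ... + a_1 x */
            y = (y + coeff[d] % P) * x % P;
        out[i].x = (uint32_t)x;
        out[i].y = (uint32_t)((y + secret) % P);  /* f(x) = secret + ... */
    }
    return 0;
}

/* Lagrange interpolation at x = 0 over k shares. Returns -1 on malformed input. */
int share_combine(const share_t *s, int k, uint32_t *secret) {
    uint64_t acc = 0;
    for (int i = 0; i < k; ++i) {
        uint64_t num = 1, den = 1;
        if (s[i].x == 0 || s[i].x >= P || s[i].y >= P) return -1;
        for (int j = 0; j < k; ++j) {
            if (j == i) continue;
            if (s[j].x == s[i].x) return -1;      /* the same holder supplied twice */
            num = num * s[j].x % P;
            den = den * ((s[j].x + P - s[i].x) % P) % P;
        }
        /* den^(P-2) is the modular inverse of den (Fermat's little theorem). */
        acc = (acc + s[i].y * num % P * mod_pow(den, P - 2)) % P;
    }
    *secret = (uint32_t)acc;
    return 0;
}

int main(void) {
    const uint32_t key = 20080817u;                  /* constructed record-key chunk */
    const uint32_t coeff[2] = {1234567u, 7654321u};  /* constructed; use a CSPRNG in practice */
    share_t sh[5], quorum[3];
    uint32_t got = 0;
    if (share_split(key, 3, 5, coeff, sh)) return 1;
    quorum[0] = sh[4]; quorum[1] = sh[1]; quorum[2] = sh[2];
    if (share_combine(quorum, 3, &got)) return 1;
    printf("recovered %u (%s)\n", (unsigned)got, got == key ? "match" : "mismatch");
    return 0;
}
```

Two holders interpolating on their own get a value that differs from the key by a multiple of the hidden top coefficient, which is why the coefficients must be unpredictable.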
Dave Ketchum
2008-08-17 02:32:07 UTC
Kristofer
Post by Dave Ketchum
Me
Kristofer
As I say above, we are in trouble. Until we both fix the machines and
demonstrate success of the repairs, such use of paper backups makes sense.
Complicating all this, paper ballots have their own problems.
Hopefully the paper ballot problems won't be the same as the machine
problems, so that fraud is complicated rather than made easier.
Post by Dave Ketchum
Let's look at this again. What does a voting machine do? It registers
votes. Surely, that can't be a difficult task, so why use a computer?
Why not (for Approval or Plurality) just have a simple chip connected
to a PROM, with the chip in turn connected to a bunch of switches,
one for each candidate, with a matrix display next to each switch,
and a final switch to commit the ballot? Such a machine would be
provably correct: as long as you have a PROM that hasn't been
preprogrammed (this can be checked at the beginning), and the machine
hasn't been compromised (rewired switches, backdoor chips), then
it'll work as promised.
A zillion precincts each set up for a few of the zillion races voted
on in the US.
A zillion personnel who must do all the manual labor and guidance of
voters. This is a sideline, thus hard to justify learning complex
skills, rather than a full-time career for these.
A zillion voters, who BETTER be provided a simple interface for voting.
At end of election the counts for the zillion races better get attended to.
I really see it easier to do well effectively if you take advantage of
what computers can do (and have them do better than the failures we
have experienced).
So you're saying that computers are better than specialized machines?
I'm not sure that's what you say (rather than that machines are better
than paper ballots), but I'll assume that.
Your specialized machines can each do a fragment of the task.
However, dependably composing a capable whole from them requires big
efforts from humans.
Composing the same capability whole from a computer and adequate
programming can be easier.
Because the specialized machines are simpler than computers, once mass
production gets into action, they should be cheaper. The best here would
probably be to have some sort of independent organization or open-source
analog draw up the plans, and then have various companies produce the
components to spec.
They can be cheaper by not doing the complete task - make the task an
election system and the cost goes up and dependability becomes expensive.
The simplicity of voting could also count against general-purpose
computers as far as manual labor is concerned. If the machine has been
proved to work, you don't need to know what Access (yes, Diebold used
Access) is to count the votes, and you don't need a sysadmin present in
case the system goes to a blue screen.
You need equivalent of a sysadmin to sort out getting a whole composed
of your specialized machines.

Computers get cheaper and cheaper - think of what is hidden inside a
cell phone.
You could also do this kind of proof on general purpose computers, but
then you'd have to design the complete software system from the bottom
up, which includes what one'd traditionally consider the OS; and if it's
general purpose, you also have to ensure that the vendors don't patch
the systems after they've been deployed.
Having the kind of programmable ROM infrastructure with a limiter on
per-voter might be good in the general-purpose computer case as well, in
which case the computer just acts as a GUI. Then it can't mass vote - the
worst (which is pretty bad) it can do is alter the ballot as the voter
votes.
I do say "general purpose computers", with no funny stuff buried inside.
And all the contents open source.
And recording - CD-R sounds right.
Post by Dave Ketchum
For Condorcet you must recognize, for A vs B, how many ranked A>B and
how many B>A. Must do this for every pair of candidates. If
write-ins are permitted (better be), they are more candidates to
attend to.
That's true, but it's still fairly simple. Assume the ranked ballot is
in the form of rank[candidate] = position, so that if candidate X was
ranked first, rank[X] = 0. (Or 1 for that matter, I just count from zero
because I know programming)
for (outer = 0; outer < num_candidates; ++outer) {
    for (inner = 0; inner < num_candidates; ++inner) {
        if (rank[outer] < rank[inner]) { // if outer has higher rank
            condorcet_matrix[outer][inner] += 1; // increment
        }
    }
}
What ran this loop outside a computer?
It's less than instead of greater than because lower rank number means
the rank is closer to the top.
Write-ins could be a problem with the scheme I mentioned, and with
transmitting Condorcet matrices. One possible option would be to prepend
Candidate 0 is Bush
Candidate 1 is Gore
Candidate 2 is Nader
Candidate 3 is Joe Write-In
Candidate 4 is Robert Write-In, etc
and if the central gets two condorcet matrices that have the same
candidates in different order (or share some candidates), it flips the
rows and columns to make the numbers the same before adding up.
Do you concede central having a computer - or offer more magic?
"Writing in" with the switches-and-display GUI would still be very
difficult, however; I recognize that problem.
Post by Dave Ketchum
We know that failing is possible with defective computer systems.
I claim that those willing should be allowed to demonstrate, and
deliver if they demonstrate ability, good computer systems.
Agreed the average voter cannot demonstrate quality of systems, though
a few have failed so miserably that even they should notice.
I don't really like computerized voting, since I think it solves a
problem that isn't there while complicating things a lot. But if voters
insist upon computerized/machine voting, then we might as well do the
best of it, and in my opinion, it would be better to prove positively
(that everything it's supposed to do, it'll do correctly no matter what
happens) than negatively (that it won't err), because there's so much
more potential for something to fall between the cracks in the latter
case than in the former.
I don't insist on computerized voting, but believe that if we are
willing to accept valid systems, they can be produced economically.
The specialized conclusion follows from this, because in the general
purpose computer case (without your own OS or something with a security
microkernel or similar to ensure the validity of the proofs) you have to
prove that the display driver doesn't mess with memory it shouldn't,
that the keyboard driver doesn't, and that basically the entire OS works
as specified.
Remember I specified, and insist on, open source.
Post by Dave Ketchum
Certainly voter should have aid in verifying the ballot.
But I do not see need for printing such.
One idea that came to mind when considering this and Kathy Dopp's
statement that voters don't check their ballots, is this: have the
machine print the ballot (underneath glass) on a transparency. The
system is set up so that the screen is monochrome in one color and the
printer is monochrome in another. Then overlay, very precisely, the
printed ballot on top of the monitor. If there are any discrepancies,
then those will stand out because there'll be a color mismatch. The
printed ballot is what counts - no in-memory count is kept.
I want:
Display completed ballot, for voters to review and redo any
problems.
Record ballot on CD-R.
Open source, so the programs SHOULD be 100% correct.
Care in system design.
See no value in above printout.
It would require very precise alignment and wouldn't do anything for
colorblind voters, and the GUI would have to look (if not act) just like
the paper ballot so that the confirmation isn't on a separate screen
(which would defeat the purpose). Those requirements may be too strict
for the method to work, but I mention it anyway in case it isn't.
The point of using the printed ballots as what counts is that as long as
the voter checks the result, there's no way for the computer to "keep
two books" - to tell the voter the ballot registered was for X while
secretly registering one for Y instead.
AGAIN, OPEN source.
Post by Dave Ketchum
I am for a record on disk of each ballot, but done in a manner to
not destroy secrecy.
You have to be very careful when doing so, because there are many
channels to secure. A vote-buyer might tell you to vote exactly at noon
so that the disk record timestamp identifies you, or he might, in the
case of Approval and ranked ballots, tell you to vote for not just his
preferred candidate, but both the low-support communist and the
low-support right extremist as well, so that he can tell which ballot
was yours and that you voted correctly.
More important is to preserve secrecy for voters who desire exactly that.
Perhaps one could have a compromise by repeatedly recording the Condorcet
matrix so far (or Approval counts, in the case of Approval) once they've
changed sufficiently. That idea may have more subtle flaws, but those
may also be fixable; I don't know if either is the case.
Finally, the disk record won't help if the machine is compromised. If
pre-election polls show the incumbent at 47% and the challenger at 53%,
and the machine changes challenger ballots to incumbent ballots at a
rate of 7%, prior to those ballots being written to disk, nobody will be
any wiser. Even an individual ballot record would just show that 7% of
those that in reality voted for the challenger, voted for the incumbent
instead, as if having changed their minds just before the election.
AGAIN, OPEN source!
(If you go further in this vein, trying to fix that attack, you
eventually end up at cryptographic zero-knowledge proofs, which aren't
really "disk records", but more than that.)
Post by Dave Ketchum
Disk records should also report what, of a suspicious nature, may have
been done to the system.
That's a good idea, but it should probably be network based instead of
disk based so that the virus (if one is introduced) can't just wipe its
tracks afterwards. Or use some non-erasable medium like aforementioned
PROMs (or a CD-R for that matter).
I get nervous about network connections while polls are open - more
code to validate.
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.



----
Election-Methods mailing list - see http://electorama.com/em for list info
Kristofer Munsterhjelm
2008-08-17 09:14:34 UTC
Post by Kristofer Munsterhjelm
So you're saying that computers are better than specialized machines?
I'm not sure that's what you say (rather than that machines are better
than paper ballots), but I'll assume that.
Your specialized machines can each do a fragment of the task. However,
dependably composing a capable whole from them requires big efforts from
humans.
Composing the same capability whole from a computer and adequate
programming can be easier.
Each does a fragment of the task, yes; that's the point of modular
design, so that you can treat the local units differently from the
central units and don't have to prove everything everywhere.

Consider a general computer. Even for general computers, it makes little
sense to have the district joining software - that counts the results
from various districts and sums them up in the case of a summable method
- on the individual units. As such, the general-purpose computers are
already specialized, only in software instead of hardware.
Post by Kristofer Munsterhjelm
Because the specialized machines are simpler than computers, once mass
production gets into action, they should be cheaper. The best here
would probably be to have some sort of independent organization or
open-source analog draw up the plans, and then have various companies
produce the components to spec.
They can be cheaper by not doing the complete task - make the task an
election system and the cost goes up and dependability becomes expensive.
By extension, they can be cheaper by, in concert, doing just enough and
no more. One doesn't need Turing-completeness to count an election.
(Perhaps unless it's Kemeny.)
Post by Kristofer Munsterhjelm
The simplicity of voting could also count against general-purpose
computers as far as manual labor is concerned. If the machine has been
proved to work, you don't need to know what Access (yes, Diebold used
Access) is to count the votes, and you don't need a sysadmin present
in case the system goes to a blue screen.
You need equivalent of a sysadmin to sort out getting a whole composed
of your specialized machines.
The way I would set up the system, there would be different counting
units. The group of units would need a person to "unlock" them each time
a new voter wants to vote; that could be included in the design so that
you don't need a system administrator for it. Then, once the election
day is over, gather the read-only media (CD or programmable ROM), and
either send them or the summable result (given by a second machine) to
the central. Count and announce as you get higher up in the hierarchy.

If the components are constructed correctly, and proved to be so (which
can be done because of the units' relative simplicity), then there won't
be any bluescreens and little need for maintenance - except for cases
where the machines simply break.

In this manner, the setup is more like paper balloting than it is to
ordinary computer systems. The read-only media take the place of the
ballot box, and the aggregating machines the place of the election count
workers.
Computers get cheaper and cheaper - think of what is hidden inside a
cell phone.
That's true. Maybe a compromise could be using cheap computer hardware
with read-only software, standardized components, and have the software
not be a full OS, but instead just enough to get the job done and be
provable. You'd have to rely on that there are no hardware backdoors,
but the existence of such would be very unlikely, and the entire thing
would have to be put inside some sort of tamper-resistant enclosure so
hackers can't attach keyloggers or do similar things.
Post by Kristofer Munsterhjelm
That's true, but it's still fairly simple. Assume the ranked ballot is
in the form of rank[candidate] = position, so that if candidate X was
ranked first, rank[X] = 0. (Or 1 for that matter, I just count from
zero because I know programming)
for (outer = 0; outer < num_candidates; ++outer) {
    for (inner = 0; inner < num_candidates; ++inner) {
        if (rank[outer] < rank[inner]) { // if outer has higher rank
            condorcet_matrix[outer][inner] += 1; // increment
        }
    }
}
What ran this loop outside a computer?
A chip with just enough transistors to do this task. I'm not a hardware
expert, but I think it could be done by the use of a HDL like Verilog.
Post by Kristofer Munsterhjelm
It's less than instead of greater than because lower rank number means
the rank is closer to the top.
Write-ins could be a problem with the scheme I mentioned, and with
transmitting Condorcet matrices. One possible option would be to
Candidate 0 is Bush
Candidate 1 is Gore
Candidate 2 is Nader
Candidate 3 is Joe Write-In
Candidate 4 is Robert Write-In, etc
and if the central gets two condorcet matrices that have the same
candidates in different order (or share some candidates), it flips the
rows and columns to make the numbers the same before adding up.
Do you concede central having a computer - or offer more magic?
Central could have a computer or another kind of machine.
Post by Kristofer Munsterhjelm
The specialized conclusion follows from this, because in the general
purpose computer case (without your own OS or something with a
security microkernel or similar to ensure the validity of the proofs)
you have to prove that the display driver doesn't mess with memory it
shouldn't, that the keyboard driver doesn't, and that basically the
entire OS works as specified.
Remember I specified, and insist on, open source.
Open source software can still have unintended bugs that could be
exploited by a hacker. Open source is at an advantage because "many eyes
make bugs shallow", but that advantage is still finite, more so because
the coders aren't going to use voting machines on a regular basis
(unlike, say, Linux).

I'll grant the point, though, regarding malicious machines. If the
entire standard is public, and the machines can be rigorously tested to
be sure no tricks are being done by the manufacturers, then deliberately
malicious holes should not exist. I still hold that one should engineer
defensively and as simple as possible, so that the system is transparent
to as many people as possible, and so that bugs either are fixed very
quickly or (preferably) don't have the room to exist at all.
Display completed ballot, for voters to review and redo any problems.
Record ballot on CD-R.
Open source, so the programs SHOULD be 100% correct.
(Just a note: if the programs are simple enough, one can *know* they are
correct. With provisions for unexpected OS bugs unless the OS itself is
equally simple, and so on.)
Care in system design.
See no value in above printout.
Post by Kristofer Munsterhjelm
It would require very precise alignment and wouldn't do anything for
colorblind voters, and the GUI would have to look (if not act) just
like the paper ballot so that the confirmation isn't on a separate
screen (which would defeat the purpose). Those requirements may be too
strict for the method to work, but I mention it anyway in case it isn't.
The point of using the printed ballots as what counts is that as long
as the voter checks the result, there's no way for the computer to
"keep two books" - to tell the voter the ballot registered was for X
while secretly registering one for Y instead.
AGAIN, OPEN source.
Granted, if the machine isn't hacked due to an unexpected bug.
Printout-based machines could be useful even if we have provably correct
machines (strongest sense of security) if the voters are very
distrustful. Counting only based on the printout ensures the voter that
nothing fishy is going on - because nothing fishy *can* be going on.
Post by Kristofer Munsterhjelm
Post by Dave Ketchum
I am for a record on disk of each ballot, but done in a manner to
not destroy secrecy.
You have to be very careful when doing so, because there are many
channels to secure. A vote-buyer might tell you to vote exactly at
noon so that the disk record timestamp identifies you, or he might, in
the case of Approval and ranked ballots, tell you to vote for not just
his preferred candidate, but both the low-support communist and the
low-support right extremist as well, so that he can tell which ballot
was yours and that you voted correctly.
More important is to preserve secrecy for voters who desire exactly that.
Yes, that's why channels that can link voters to their votes (destroying
secrecy) should be either obscured or removed.

Obviously, it's possible to make voting machines with even more channels
than I mentioned here, like something that produces name-labeled
receipts. I wouldn't want that, either, but the channels I gave are less
obvious and show that one has to be careful when making records; things
that seem to give no link between voters and ballots may turn out to do
so under certain conditions anyway.
Post by Kristofer Munsterhjelm
That's a good idea, but it should probably be network based instead of
disk based so that the virus (if one is introduced) can't just wipe
its tracks afterwards. Or use some non-erasable medium like
aforementioned PROMs (or a CD-R for that matter).
I get nervous about network connections while polls are open - more code
to validate.
Use a LED with a photoresistor on the other (logging machine) end. No
data can move from the voting machine to the logging machine, and so
would reduce complexity significantly. Or have two in different colors,
one of which is always on to detect broken cables.

There'd still be some code to verify, though: make sure that the voting
machine doesn't leak ballot data to the logging machine, for instance.
----
Election-Methods mailing list - see http://electorama.com/em for list info
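The write-in scheme discussed in the message above (a candidate lookup list sent with each Condorcet matrix, with the central count lining rows and columns up before adding) can be sketched as follows. This is an added example, not code from any poster: `struct report`, `merge_report`, the size limits and the sample ballots are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_CAND 8
#define NAME_LEN 32

/* One precinct report: candidate lookup list followed by the pairwise matrix. */
struct report {
    int n;
    char names[MAX_CAND][NAME_LEN];
    unsigned long pair[MAX_CAND][MAX_CAND];
};

/* The loop from the thread: a lower rank number is closer to the top. */
void add_ballot(struct report *r, const unsigned rank[])
{
    for (int outer = 0; outer < r->n; ++outer)
        for (int inner = 0; inner < r->n; ++inner)
            if (rank[outer] < rank[inner])
                r->pair[outer][inner] += 1;
}

/* Index of name in r, or -1 if it is not listed. */
int find_name(const struct report *r, const char *name)
{
    for (int i = 0; i < r->n; i++)
        if (strcmp(r->names[i], name) == 0) return i;
    return -1;
}

/* Add one report to the running total, matching candidates by name, not by
 * position (assumption: unlisted candidates get no counts from that report).
 * Returns 0 on success; on -1 the total is left untouched. */
int merge_report(struct report *total, const struct report *in)
{
    struct report tmp = *total;          /* commit only if every check passes */
    int map[MAX_CAND];
    if (in->n < 0 || in->n > MAX_CAND) return -1;
    for (int i = 0; i < in->n; i++) {
        if (!memchr(in->names[i], '\0', NAME_LEN)) return -1;  /* unterminated */
        for (int j = 0; j < i; j++)
            if (strcmp(in->names[i], in->names[j]) == 0) return -1; /* duplicate */
        map[i] = find_name(&tmp, in->names[i]);
        if (map[i] < 0) {                /* new candidate, e.g. a write-in */
            if (tmp.n == MAX_CAND) return -1;
            strcpy(tmp.names[tmp.n], in->names[i]);
            map[i] = tmp.n++;
        }
    }
    for (int i = 0; i < in->n; i++)
        for (int j = 0; j < in->n; j++) {
            unsigned long sum = tmp.pair[map[i]][map[j]] + in->pair[i][j];
            if (i == j && in->pair[i][j] != 0) return -1;  /* no self-contest */
            if (sum < in->pair[i][j]) return -1;           /* counter wrapped */
            tmp.pair[map[i]][map[j]] = sum;
        }
    *total = tmp;
    return 0;
}

/* Ballots that ranked winner above loser, or -1 if either name is unknown. */
long pair_count(const struct report *r, const char *winner, const char *loser)
{
    int w = find_name(r, winner), l = find_name(r, loser);
    return (w < 0 || l < 0) ? -1 : (long)r->pair[w][l];
}

/* Constructed sample data: two precincts listing candidates in different order. */
int demo_total(struct report *total)
{
    struct report a = { .n = 3, .names = { "Bush", "Gore", "Nader" } };
    struct report b = { .n = 4, .names = { "Gore", "Joe Write-In", "Bush", "Nader" } };
    const unsigned ab[3][3] = { {0, 1, 2}, {1, 0, 2}, {2, 0, 1} };
    const unsigned bb[4][4] = { {0, 1, 2, 3}, {1, 0, 3, 2}, {2, 3, 0, 1}, {0, 2, 1, 3} };
    memset(total, 0, sizeof *total);
    for (int i = 0; i < 3; i++) add_ballot(&a, ab[i]);
    for (int i = 0; i < 4; i++) add_ballot(&b, bb[i]);
    return (merge_report(total, &a) || merge_report(total, &b)) ? -1 : 0;
}

long demo_pair(const char *winner, const char *loser)
{
    struct report total;
    return demo_total(&total) ? -1 : pair_count(&total, winner, loser);
}

/* A report that lists one candidate twice is refused and changes nothing. */
int demo_rejects_duplicate(void)
{
    struct report total, bad = { .n = 2, .names = { "Gore", "Gore" } };
    bad.pair[0][1] = 1000;
    if (demo_total(&total)) return 0;
    return merge_report(&total, &bad) == -1 && pair_count(&total, "Gore", "Bush") == 5;
}

int main(void)
{
    printf("Gore > Bush: %ld, duplicate refused: %d\n",
           demo_pair("Gore", "Bush"), demo_rejects_duplicate());
    return 0;
}
```

Whether ballots from a precinct that never saw a given write-in should count as ranking that candidate last is a counting-rule decision the thread leaves open; the sketch adds nothing for such pairs.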
Dave Ketchum
2008-08-21 03:58:59 UTC
Post by Kristofer Munsterhjelm
Post by Kristofer Munsterhjelm
So you're saying that computers are better than specialized machines?
I'm not sure that's what you say (rather than that machines are
better than paper ballots), but I'll assume that.
Your specialized machines can each do a fragment of the task. However,
dependably composing a capable whole from them requires big efforts
from humans.
Composing the same capability whole from a computer and adequate
programming can be easier.
Each does a fragment of the task, yes; that's the point of modular
design, so that you can treat the local units differently from the
central units and don't have to prove everything everywhere.
You claim that many fragments can be done by specialized machines.
AGREED, though I do not agree that they can do it any better than a
normal computer - which has equivalent capability.

However, the whole task involves connecting the fragments:
One way is via computer capability.
You seem to be doing without such, so what do you have other
than humans HOPEFULLY correctly following a HOPEFULLY correct and
complete script?
Post by Kristofer Munsterhjelm
Consider a general computer. Even for general computers, it makes little
sense to have the district joining software - that counts the results
from various districts and sums them up in the case of a summable method
- on the individual units. As such, the general-purpose computers are
already specialized, only in software instead of hardware.
???
Post by Kristofer Munsterhjelm
Post by Kristofer Munsterhjelm
Because the specialized machines are simpler than computers, once
mass production gets into action, they should be cheaper. The best
here would probably be to have some sort of independent organization
or open-source analog draw up the plans, and then have various
companies produce the components to spec.
They can be cheaper by not doing the complete task - make the task an
election system and the cost goes up and dependability becomes expensive.
By extension, they can be cheaper by, in concert, doing just enough and
no more. One doesn't need Turing-completeness to count an election.
(Perhaps unless it's Kemeny.)
See my above note.
Post by Kristofer Munsterhjelm
Post by Kristofer Munsterhjelm
The simplicity of voting could also count against general-purpose
computers as far as manual labor is concerned. If the machine has
been proved to work, you don't need to know what Access (yes, Diebold
used Access) is to count the votes, and you don't need a sysadmin
present in case the system goes to a blue screen.
You need equivalent of a sysadmin to sort out getting a whole composed
of your specialized machines.
The way I would set up the system, there would be different counting
units. The group of units would need a person to "unlock" them each time
a new voter wants to vote; that could be included in the design so that
you don't need a system administrator for it. Then, once the election
day is over, gather the read-only media (CD or programmable ROM), and
either send them or the summable result (given by a second machine) to
the central. Count and announce as you get higher up in the hierarchy.
If the components are constructed correctly, and proved to be so (which
can be done because of the units' relative simplicity), then there won't
be any bluescreens and little need for maintenance - except for cases
where the machines simply break.
In this manner, the setup is more like paper balloting than it is to
ordinary computer systems. The read-only media take the place of the
ballot box, and the aggregating machines the place of the election count
workers.
Computers get cheaper and cheaper - think of what is hidden inside a
cell phone.
That's true. Maybe a compromise could be using cheap computer hardware
with read-only software, standardized components, and have the software
not be a full OS, but instead just enough to get the job done and be
provable. You'd have to rely on that there are no hardware backdoors,
but the existence of such would be very unlikely, and the entire thing
would have to be put inside some sort of tamper-resistant enclosure so
hackers can't attach keyloggers or do similar things.
Hardware backdoors can be hard to find. Still, if and when one is
found, can there not be an appropriate punishment to discourage such
crimes in the future?

Agreed defense against such as keyloggers is essential.

I still say OPEN SOURCE!
Post by Kristofer Munsterhjelm
Post by Kristofer Munsterhjelm
That's true, but it's still fairly simple. Assume the ranked ballot
is in the form of rank[candidate] = position, so that if candidate X
was ranked first, rank[X] = 0. (Or 1 for that matter, I just count
from zero because I know programming)
for (outer = 0; outer < num_candidates; ++outer) {
    for (inner = 0; inner < num_candidates; ++inner) {
        if (rank[outer] < rank[inner]) { // if outer has higher rank
            condorcet_matrix[outer][inner] += 1; // increment
        }
    }
}
What ran this loop outside a computer?
A chip with just enough transistors to do this task. I'm not a hardware
expert, but I think it could be done by the use of a HDL like Verilog.
The chip needs to be able to find its data.
Post by Kristofer Munsterhjelm
Post by Kristofer Munsterhjelm
It's less than instead of greater than because lower rank number
means the rank is closer to the top.
Write-ins could be a problem with the scheme I mentioned, and with
transmitting Condorcet matrices. One possible option would be to
Candidate 0 is Bush
Candidate 1 is Gore
Candidate 2 is Nader
Candidate 3 is Joe Write-In
Candidate 4 is Robert Write-In, etc
and if the central gets two condorcet matrices that have the same
candidates in different order (or share some candidates), it flips
the rows and columns to make the numbers the same before adding up.
Do you concede central having a computer - or offer more magic?
Central could have a computer or another kind of machine.
Post by Kristofer Munsterhjelm
The specialized conclusion follows from this, because in the general
purpose computer case (without your own OS or something with a
security microkernel or similar to ensure the validity of the proofs)
you have to prove that the display driver doesn't mess with memory it
shouldn't, that the keyboard driver doesn't, and that basically the
entire OS works as specified.
Remember I specified, and insist on, open source.
Open source software can still have unintended bugs that could be
exploited by a hacker. Open source is at an advantage because "many eyes
make bugs shallow", but that advantage is still finite, more so because
the coders aren't going to use voting machines on a regular basis
(unlike, say, Linux).
No matter what you do, errors can happen. Proper target is to
minimize them, which I claim can best be via using computers for what
computers can do well.
Post by Kristofer Munsterhjelm
I'll grant the point, though, regarding malicious machines. If the
entire standard is public, and the machines can be rigorously tested to
be sure no tricks are being done by the manufacturers, then deliberately
malicious holes should not exist. I still hold that one should engineer
defensively and as simple as possible, so that the system is transparent
to as many people as possible, and so that bugs either are fixed very
quickly or (preferably) don't have the room to exist at all.
Looks like what I am trying for.

Simple is a good word, as is defensively.
Post by Kristofer Munsterhjelm
Display completed ballot, for voters to review and redo any problems.
Record ballot on CD-R.
Open source, so the programs SHOULD be 100% correct.
(Just a note: if the programs are simple enough, one can *know* they are
correct. With provisions for unexpected OS bugs unless the OS itself is
equally simple, and so on.)
When you mention OS, remember my insistence on open source.
Post by Kristofer Munsterhjelm
Care in system design.
See no value in above printout.
Post by Kristofer Munsterhjelm
It would require very precise alignment and wouldn't do anything for
colorblind voters, and the GUI would have to look (if not act) just
like the paper ballot so that the confirmation isn't on a separate
screen (which would defeat the purpose). Those requirements may be
too strict for the method to work, but I mention it anyway in case it
isn't.
The point of using the printed ballots as what counts is that as long
as the voter checks the result, there's no way for the computer to
"keep two books" - to tell the voter the ballot registered was for X
while secretly registering one for Y instead.
AGAIN, OPEN source.
Granted, if the machine isn't hacked due to an unexpected bug.
Printout-based machines could be useful even if we have provably correct
machines (strongest sense of security) if the voters are very
distrustful. Counting only based on the printout ensures the voter that
nothing fishy is going on - because nothing fishy *can* be going on.
Our sorry history justifies distrust.

I DO NOT like printout-based machines. To start some thinking, how about:
All machines have identical valid code,
Some have video cameras recording the ballot as the voter
submits it.
Voters choose which machines to vote on.
Audit that tapes prove 100% correctness of those machines taped
- BETTER be.
Post by Kristofer Munsterhjelm
Post by Kristofer Munsterhjelm
Post by Dave Ketchum
I am for a record on disk of each ballot, but done in a manner
to not destroy secrecy.
You have to be very careful when doing so, because there are many
channels to secure. A vote-buyer might tell you to vote exactly at
noon so that the disk record timestamp identifies you, or he might,
in the case of Approval and ranked ballots, tell you to vote for not
just his preferred candidate, but both the low-support communist and
the low-support right extremist as well, so that he can tell which
ballot was yours and that you voted correctly.
More important is to preserve secrecy for voters who desire exactly that.
Yes, that's why channels that can link voters to their votes (destroying
secrecy) should be either obscured or removed.
Obviously, it's possible to make voting machines with even more channels
than I mentioned here, like something that produces name-labeled
receipts. I wouldn't want that, either, but the channels I gave are less
obvious and show that one has to be careful when making records; things
that seem to give no link between voters and ballots may turn out to do
so under certain conditions anyway.
Post by Kristofer Munsterhjelm
That's a good idea, but it should probably be network based instead
of disk based so that the virus (if one is introduced) can't just
wipe its tracks afterwards. Or use some non-erasable medium like
aforementioned PROMs (or a CD-R for that matter).
I get nervous about network connections while polls are open - more
code to validate.
Use a LED with a photoresistor on the other (logging machine) end. No
data can move from the voting machine to the logging machine, and so
would reduce complexity significantly. Or have two in different colors,
one of which is always on to detect broken cables.
There'd still be some code to verify, though: make sure that the voting
machine doesn't leak ballot data to the logging machine, for instance.
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.



----
Election-Methods mailing list - see http://electorama.com/em for list info
Kristofer Munsterhjelm
2008-08-22 12:06:47 UTC
Post by Dave Ketchum
You claim that many fragments can be done by specialized machines.
AGREED, though I do not agree that they can do it any better than a
normal computer - which has equivalent capability.
In a technical capacity, of course not. Since a computer is
Turing-complete, it can do anything the specialized machines can.
However, and this is the point I've been trying to make, the specialized
machines are simple enough that it's possible to formally prove that
they do only what they're intended to do, and perhaps also to convince
the voters that this is the case.

It's kind of like the difference between physics and mathematics. Doing
tests is analogous to the hypothesis testing of physics: you can say
that this particular machine does not exhibit any flaws that would
compromise security, within some margin of error. However, if the
machines are sufficiently simple, then one can use formal proving to
show, mathematically, that there are no bugs; that the Condorcet counter
will turn ballot records into Condorcet matrices and no more - that the
machine with buttons on it will register votes, register them to the
candidate shown on the display, and no more, and so on.

Now, the analogy is not total. Even a correct hardware system could be
compromised by vendors adding backdoors to their fabrication (going
outside of the spec) and so on, but those errors are much harder to
conceal than simple software tinkering. Even if the software is open
source (as you've stated that you want), knowing the full limits of the
hardware keeps hackers out. The more complex the OS, the greater the
chance that there's a bug: even Linux has had privilege escalation bugs,
although they appear much less frequently than in closed-source
software. What I'm saying here is that if you have to have machines,
have a way of saying to, first, the experts that there is no way there
can be an error, and second (if possible), the same to the ordinary
voters as well.
Post by Dave Ketchum
One way is via computer capability.
You seem to be doing without such, so what do you have other than
humans HOPEFULLY correctly following a HOPEFULLY correct and complete
script?
That's right - the links are the weak spots. The script can be devised
just as any programming can be, and it would be quite simple, and
ideally reminiscent of what one does when having a manual count regime.
The PROMs or CDs are the ballot boxes, and they're transported from one
location to another as one would ballot boxes.

That leaves the humans. The humans may do weird things, and the ensured
limits that the specialized hardware would have would obviously not
apply to them. But since the script is simple, various parties can
monitor each other. In the worst case, the transportation and
aggregation parts of the process are as insecure as they would be for
manual ballots.
If that is still too risky, the "ballot boxes" could be numbered and
digitally signed prior to being distributed to the machines for writing,
so that if any are lost or replaced, it would immediately show up as an
error. Such a process would add steps to the script, but I think it'd be
manageable.
Post by Dave Ketchum
Post by Kristofer Munsterhjelm
Consider a general computer. Even for general computers, it makes
little sense to have the district joining software - that counts the
results from various districts and sums them up in the case of a
summable method - on the individual units. As such, the
general-purpose computers are already specialized, only in software
instead of hardware.
???
That was simply intended to show that you don't need the full powers of
a computer. It's convenient, but that convenience can tilt in the favor
of manipulators or hackers as well.
Post by Dave Ketchum
Post by Kristofer Munsterhjelm
That's true. Maybe a compromise could be using cheap computer hardware
with read-only software, standardized components, and have the
software not be a full OS, but instead just enough to get the job done
and be provable. You'd have to rely on that there are no hardware
backdoors, but the existence of such would be very unlikely, and the
entire thing would have to be put inside some sort of tamper-resistant
enclosure so hackers can't attach keyloggers or do similar things.
Hardware backdoors can be hard to find. Still, if and when one is
found, can there not be an appropriate punishment to discourage such
crimes in the future?
Agreed defense against such as keyloggers is essential.
I still say OPEN SOURCE!
I was thinking more of hardware keyloggers, such as those that look like
keyboard extension cords. Thus the computer should be tamper resistant
so you can't just do these things. Ideally, for the cheap computer
compromise, you'd use a cryptoprocessor (like banks use to keep their
keys, but more general purpose) to run the actual software - perhaps an
IBM 4758, though since I'm not a hardware expert I don't know if that
one is sufficiently powerful to do what you want. Searching the web says
that the 4758 has a 486 inside.
Post by Dave Ketchum
Post by Kristofer Munsterhjelm
A chip with just enough transistors to do this task. I'm not a
hardware expert, but I think it could be done by the use of a HDL like
Verilog.
The chip needs to be able to find its data.
Yes. For the sake of simplicity, I'll assume a PROM format - a CD
interface would need an IDE translator.

Then the PROM could be set up like this:

header:
uint32 number_of_candidates

then, for each ballot
uint32 rank_number[number_of_candidates].

which means that if rank_number[0] < rank_number[1], then candidate 0 is
ranked ahead of (better than) candidate 1.

Then assume that addresses contain 32-bit values. That is, you have
something like
0 1 < address
12345678901234567890123456789012 123456... < bit

First read off address 0. This gives you the number of candidates. Then
for addresses 1 to number_of_candidates, inclusive, do the Condorcet
counting algorithm. After you're done, go to address 1 + (number of
candidates) to count the next ballot. Repeat until all ballots have been
counted.
Post by Dave Ketchum
No matter what you do, errors can happen. Proper target is to minimize
them, which I claim can best be via using computers for what computers
can do well.
I think you can minimize further by removing the slack that could be
used for trickery, as you can't twist something that isn't there. Hence
my idea.
Post by Dave Ketchum
Post by Kristofer Munsterhjelm
I'll grant the point, though, regarding malicious machines. If the
entire standard is public, and the machines can be rigorously tested
to be sure no tricks are being done by the manufacturers, then
deliberately malicious holes should not exist. I still hold that one
should engineer defensively and as simple as possible, so that the
system is transparent to as many people as possible, and so that bugs
either are fixed very quickly or (preferably) don't have the room to
exist at all.
Looks like what I am trying for.
Simple is a good word, as is defensively.
See above.
Post by Dave Ketchum
Post by Kristofer Munsterhjelm
Display completed ballot, for voters to review and redo any problems.
Record ballot on CD-R.
Open source, so the programs SHOULD be 100% correct.
(Just a note: if the programs are simple enough, one can *know* they
are correct. With provisions for unexpected OS bugs unless the OS
itself is equally simple, and so on.)
When you mention OS, remember my insistence on open source.
Yes, but try proving Linux (which is what I mean by *know*). At multiple
million lines of code, that's going to be quite a task.

The compromise option could have an open source software system that is
simple enough, and thus would get around the problem. It wouldn't be a
traditional OS, though (but perhaps it would lead to a formally secure
microkernel, something that would be very interesting in "ordinary" OS
development as well).
Post by Dave Ketchum
Post by Kristofer Munsterhjelm
Granted, if the machine isn't hacked due to an unexpected bug.
Printout-based machines could be useful even if we have provably
correct machines (strongest sense of security) if the voters are very
distrustful. Counting only based on the printout ensures the voter
that nothing fishy is going on - because nothing fishy *can* be going on.
Our sorry history justifies distrust.
All machines have identical valid code,
Some have video cameras recording the ballot as the voter submits it.
Voters choose which machines to vote on.
Audit that tapes prove 100% correctness of those machines taped -
BETTER be.
If you use this in real elections, be prepared for voters with privacy
complaints. If you let the voters decide which machine to use, the great
majority would use the untaped ones. Also, the cameras would add to the
cost of the machine. If the videotape is publicly available or it's
possible to identify voters, that could leak information to vote-sellers.

If you use it for verification purposes only, you have to be sure that
the voters don't act differently than in the real election (so the test
is representative). I suppose you don't need exact correspondence since
"probabilistic flipping" algorithms would easily be detected, but it
would fail to catch things like election-day hacking.

In any case, instead of using a literal tape, I think you'd have to
record the video on a write-once storage medium so that it can't be
tampered with afterwards. You would have to compress the video stream
very heavily to fit.

What, in your opinion, is the problem with printout-based machines?
Post by Dave Ketchum
Post by Kristofer Munsterhjelm
Use a LED with a photoresistor on the other (logging machine) end. No
data can move from the voting machine to the logging machine, and so
would reduce complexity significantly. Or have two in different
colors, one of which is always on to detect broken cables.
There'd still be some code to verify, though: make sure that the
voting machine doesn't leak ballot data to the logging machine, for
instance.
Oops, that should have been "No data can move from the logging machine
to the voting machine". Of course data would have to move from the
voting machine to the logging machine, or there would be nothing to log.
----
Election-Methods mailing list - see http://electorama.com/em for list info
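The PROM layout and per-ballot counting loop from Kristofer Munsterhjelm's message above, written out as an added C example (not code from the thread). The names, the MAX_CANDIDATES bound, the assumption that the image length in words is known, and the choice to reject a malformed image before counting anything are assumptions of this example; the sample images are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption (not in the post): a fixed upper bound on candidates, as a
   fixed-function counter would need to size its pairwise counters. */
#define MAX_CANDIDATES 16u
#define WORDS(a) (sizeof(a) / sizeof((a)[0]))

enum prom_status {
    PROM_OK = 0,
    PROM_EMPTY,           /* no header word at address 0 */
    PROM_BAD_CANDIDATES,  /* header below 2 or above MAX_CANDIDATES */
    PROM_TRUNCATED        /* words after the header are not whole ballots */
};

struct tally {
    uint32_t n;        /* number_of_candidates read from address 0 */
    uint32_t ballots;  /* ballots counted */
    uint32_t pair[MAX_CANDIDATES][MAX_CANDIDATES]; /* pair[a][b]: a ranked ahead of b */
};

/* Count a word-addressed PROM image: address 0 holds number_of_candidates,
   then each ballot is number_of_candidates rank words (lower = better).
   The whole image is validated first, so a short or oversized image
   yields an error and an all-zero tally instead of a partial count. */
enum prom_status count_prom(const uint32_t *prom, size_t words, struct tally *out)
{
    memset(out, 0, sizeof *out);
    if (words == 0)
        return PROM_EMPTY;

    uint32_t n = prom[0];
    if (n < 2 || n > MAX_CANDIDATES)
        return PROM_BAD_CANDIDATES;
    if ((words - 1) % n != 0)
        return PROM_TRUNCATED;

    out->n = n;
    for (size_t base = 1; base < words; base += n) {
        const uint32_t *rank = &prom[base];
        for (uint32_t a = 0; a < n; a++)
            for (uint32_t b = 0; b < n; b++)
                if (rank[a] < rank[b])   /* equal ranks count for neither side */
                    out->pair[a][b]++;
        out->ballots++;
    }
    return PROM_OK;
}

/* Index of the candidate who beats every other candidate pairwise,
   or -1 when there is none (cycle, tie, or empty tally). */
int condorcet_winner(const struct tally *t)
{
    for (uint32_t a = 0; a < t->n; a++) {
        int beats_all = 1;
        for (uint32_t b = 0; b < t->n; b++)
            if (a != b && t->pair[a][b] <= t->pair[b][a]) {
                beats_all = 0;
                break;
            }
        if (beats_all)
            return (int)a;
    }
    return -1;
}

/* Constructed sample image: 3 candidates, 5 ballots. */
static const uint32_t SAMPLE_PROM[] = {
    3,
    1, 2, 3,   /* 0 > 1 > 2 */
    1, 2, 3,   /* 0 > 1 > 2 */
    3, 1, 2,   /* 1 > 2 > 0 */
    2, 3, 1,   /* 2 > 0 > 1 */
    2, 1, 3    /* 1 > 0 > 2 */
};

/* Constructed sample image: 3 ballots forming a pairwise cycle. */
static const uint32_t CYCLE_PROM[] = {
    3,
    1, 2, 3,
    3, 1, 2,
    2, 3, 1
};

int main(void)
{
    struct tally t;
    enum prom_status st = count_prom(SAMPLE_PROM, WORDS(SAMPLE_PROM), &t);
    printf("status=%d ballots=%u winner=%d\n",
           (int)st, (unsigned)t.ballots, condorcet_winner(&t));
    for (uint32_t a = 0; a < t.n; a++) {
        for (uint32_t b = 0; b < t.n; b++)
            printf("%3u", (unsigned)t.pair[a][b]);
        printf("\n");
    }
    /* One word missing from the end: rejected, nothing counted. */
    st = count_prom(SAMPLE_PROM, WORDS(SAMPLE_PROM) - 1, &t);
    printf("short image: status=%d ballots=%u\n", (int)st, (unsigned)t.ballots);
    return 0;
}
```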
Jonathan Lundell
2008-08-15 22:20:11 UTC
Apropos voting machines, the current xkcd: http://xkcd.com/463/
Kathy Dopp
2008-08-16 06:07:52 UTC
Date: Fri, 15 Aug 2008 02:01:45 -0400
Subject: Re: [EM] Why We Shouldn't Count Votes with Machines
Post by rob brown
Well here is where you and I differ. I think if electoral fraud in the
US were eliminated, it would be a good thing, but not dramatically
change things, any more than eliminating shoplifting would dramatically
change our economy. I do not believe that such fraud changes the
outcome of a large percentage of elections, and in those it does, it was
pretty close anyway.
And how do you know this since elections are not subjected to
independent audits except in one state (beginning in 2006 - NM)? Do
you believe that you are psychic and *know* which elections are being
subjected to fraud in the last couple of decades since ballots have
been primarily secretly counted by private companies with easily
hackable, unaccountable voting equipment?
Most elections do not inspire the fraudsters. The few they care about
may be near ties, responding to minimum fraudulent effort.
What basis in fact could you possibly have to support such a belief?
Post by rob brown
If plurality voting were replaced with a ranked system such as a
condorcet method, I believe it WOULD dramatically change the entire
dynamic of politics, in a very, very good way, by nearly eliminating the
polarized nature of government due to partisanship.
Really? Even if it is counted inaccurately and the new condorcet
method does not accurately determine who wins, because anyone who has
inside access can manipulate the system to put anyone in office they
want to?

So we do not care about having accurately counted elections on this
list, as long as we have the "appearance" that a new voting method is
being used to select the winners?
Post by rob brown
So my priorities are different.
Yes. Apparently.
Post by rob brown
Giving up on fixing a huge problem because it makes it more difficult to
fix a much smaller problem is not something I can support.
Ah. So you consider it a "small" problem that the public has virtually
no reason to believe that election results are accurate in 49 out of
50 states and that even the one state that subjects their election
results to independent scrutiny, does so in a wholly unscientific
manner that is insufficient to detect vote fraud in close election
contests?

And just why, pray tell, do you believe that the fact that elections
is the only major industry (I am aware of) that is not subjected to
any independent auditing, yet election winners decide who controls
budgets in the millions to trillions of dollars and make decisions on
awarding contracts worth millions to billions of dollars, is such a
"small" problem?
Post by rob brown
(and btw, I believe this list is about reforming the voting methods, not
so much about fixing security problems.....so if you are willing to
abandon all attempts at reform because you don't think you can solve
your particular problem as easily on a reformed system, it seems
unlikely to fly here)
Oh. So it is *not* "reform" to subject elections to independent
routine scrutiny to ensure accurate election outcomes for the first
time in US history? You certainly do have a very narrow definition of
"reform".

In your dictionary, what exactly does the word "reform" apply to? (I
am certainly down the rabbit hole again judging from this conversation
where you claim to know which election outcomes were and were not
fraudulently altered when you can have no possible data to make such a
claim.)
Post by rob brown
The whole point of open source is that if the "officials" don't verify
it satisfactorily, someone will. A security researcher could make
themselves famous for discovering something malicious in voting software.
Really and how pray tell would they do this - especially when today's
voting systems have so many back doors to simply change the votes in
30 secs to a minute without altering any software and without even
touching the writable log files which could be altered with the votes
anyway? Are you counting on the same kind of miracles that let you
know how many prior election contests were rigged without any access
to the data to know that?
Post by rob brown
The only thing that is immune to checking would be the compiler itself,
since the compiler needs a compiler to compile itself....but someone
would have had to have done something evil (and very, very brilliant) a
long time ago to pull that off....good for a sci fi novel anyway, but
not so much in the real world.
Really? So not the proprietary compiled video drivers or any of the
other proprietary hardware or software and of course I see you ruled
out all the back doors that simply allow persons to change the
reported vote counts on the central tabulators?

I wonder why your opinion differs so wildly from all the computer
scientists who are known to have studied voting systems for almost a
decade now and why you think you know so much more than they do? Are
you an all-seeing being?

And of course since you consider yourself to be such an expert, you
must already know that it takes at least eight years to develop, test,
certify, and bring to market any new voting system (thanks to the
idiotic federal certification process, and the long buying cycles),
and first you would have to convince all the ignorant election
officials who believe in the concept of security by obscurity (having
been duped by the voting vendors for decades) and also convince the
voting vendors to spend the million dollars or so to bring such a
voting system to market. Do you have an investor willing to do that
since you consider it to be such a "small" problem?

And of course you have not given one fact yet to rebut these facts,
which show that creating an open source voting system would only be
one tiny part of assuring accurate vote counts, so do you have a plan
for convincing all the election officials to more than double the cost
of elections in order to do post-election or parallel software
verification, and set up the systems to be able to do that? And of
course you must convince the public that they do not need to be able
to transparently verify that vote counts are correct, and that they
should either learn computer programming or trust some technicians if
they want to be able to verify the accuracy of election outcomes. Do
you have a plan for convincing the public to go along with your
solution which as of right now 92% of the public would oppose,
according to a recent Zogby poll?
Post by rob brown
Huh? Try doing that yourself. I do not know if the summary *screen*
version of the ballot appears at the same time as you get a chance to
check the paper version of the ballot. I don't think that is
necessarily an option you would have.
What is so hard about that?
So you think that it is easy to obtain the funding and spend the next
6 to ten years to develop and bring to market and sell to the public
and to hopelessly incompetent (and arrogant) election officials a new
voting system that currently 92% of the public would oppose (unless
you plan on using voter created paper ballots and optical scan
machines)?

OK Then. Why don't you take care of such a "small" problem for the
rest of us who've been struggling for five years to convince election
officials and voting machine vendors to do more competent work?
Post by rob brown
The point is, if the UI is designed
reasonably well, a large percentage of voters will *know* if the machine
is cheating.
OH. I SEE. Now you are going to change all humans as well so that they
can proofread accurately whereas only 30% of voters can accurately
proofread ANYTHING accurate currently!

What is your plan for that? And just what is your evidence that all
the prior research on the editing capacities of most people can be
quickly overcome by your own plan?

(I am certain I am down the rabbit hole.)
Post by rob brown
If you followed the voting news nationwide like I do, you would know
that people have been talking about it a lot since the November 2004
presidential election, in particular there was lots of vote switching
reported in Ohio.
Yes but this is different. This is like going to the store, and having
one thing on the cash register and another on the credit card receipt.
OH REALLY? Now having many voters report that seeing the candidate
they selected be switched to a different candidate right before their
eyes on DRE touchscreen voting machines in CA, FL, OH, and many other
states is analogous to having a cash register and credit card receipt
differ. HOW EXACTLY?

You seem very sure that you know much more about this field (of
election results accuracy) than everyone who has studied it for many
years. Could you please back up any of your claims with any evidence
or data or are we hopelessly down the rabbit hole still?
Post by rob brown
A store might get away with that for a day or two, but people will catch
on quickly, and suddenly word will get out that the store is cheating
people, and a larger percentage of people will check, etc.
Really, so reality is the opposite of reality?

Well, I suppose you are correct, in that MD, FL, TN, NM, CA, and OH
(and several other jurisdictions) have decided wisely to scrap
e-ballot voting machines and go back to paper ballot optical scan
machines after realizing that they cannot be secured - contrary to
what you say is necessary to support your favorite voting method.
Post by rob brown
Most likely
though, the store will know they will be out of business soon if they
try this on anything more than the tiniest of scales, and just not try it.
Well, if incompetence and fraud were cause for voting vendors to go
out of business, then Sequoia and Diebold and ES&S voting vendors
would be out of business by now, but they aren't by a long shot.

However, you still seem to be under the illusion that vote fraud is
detectable in any way today when vote fraud is not at all detectable
in the vast majority of states today if it were to occur.
Post by rob brown
Then it is a design problem.
Yes. and such a "small" problem to get the million in funding and take
the almost ten years to bring such a better designed system to market
and sell it to integrate with all the other election systems that are
proprietary, use proprietary data formats and already are implemented
- as you claim.
Post by rob brown
And which technicians and programmers do you want the public to
*trust* to ensure that all the software on the VV is doing what it
should?
Fact is, you've gotta trust someone, whether it is hand counted, optical
read, or whatever. This is not a new problem.
That is absolutely Not True. Tell me, do you think that democracy is
based on the principle of "Trust" or the principles of "Checks and
balances".

The founding fathers of the U.S. would heartily disagree with you, as
do I, that the public should have to "trust" someone rather than
having transparently verifiably accurate election outcomes as I've
described how to do here:

http://electionarchive.org/ucvAnalysis/US/paper-audits/VoteCountAuditBillRequest.pdf

There is no one in the election integrity community who agrees with
your idea that we should "trust" someone to ensure that our votes are
counted accurately - although you do seem to be in agreement with the
majority of today's election officials and voting machine vendors who
want us to blindly trust them to count our votes secretly without any
independent scrutiny, like occurs in all other fields I am aware of.
Post by rob brown
Yes. Of course with all of today's VV's you can simply take 30 secs to
1 min to use any of the easily accessible back doors to simply change
the vote counts on the central tabulators, without even installing any
malicious software on them at all.
Then that is a design problem.
Yes, a design problem that can only be fixed in a way that makes
election outcomes publicly verifiably accurate (in an understandable
way for nonprogrammers) by using voter marked paper ballots that can
be manually audited after the election.
Post by rob brown
I don't discount that most people don't check the results. I do think
it's absurd that someone could change a significant number of votes this
way without drawing intense attention from the few that notice, and
after that a lot more people will notice. This is emergent phenomena,
that is hard for a simple study to directly measure.
Yes. Well it IS absurd I agree with you - but despite the fact that
many many people have complained, election officials are certifying
election outcomes by assuming that the machine counts are correct -
and with no way to recover the accurate counts other than holding
another election and with their trying to show the public that they're
doing a good job and selected the right voting system, perhaps one can
understand why election officials ignore the complaints, tell the
media that there were no problems during the election, and certify
whatever results the machines give them.
Post by rob brown
It is like any other security issue, that if people don't think it is a
problem they are less likely to be vigilant. If you live in a town with
little burglary, you may not lock your doors. If burglary starts to be
a problem, people lock their doors, install alarms, buy firearms, etc.
Is it possible that most people today don't check this stuff carefully
because they think it is not a huge problem, and that enough other
people will be monitoring the system.....
Perhaps.
Post by rob brown
and they just might be right?
And just how do you think that "people will be monitoring the system?"
Please provide specifics since I've been studying this issue full
time for almost 5 years and do not know how I would monitor "the
system" given today's realities, and you claim that it is *not* reform
to try to achieve publicly verifiably accurate election outcomes.
Post by rob brown
Same thing here. By your logic, banks could steal 60% of people's money
because only 40% of people balance their checkbooks. But that is crazy.
WOW. You now claim that banking is analogous to voting?

Should we begin having a paperless banking system where we all deposit
our monies into banks anonymously and then "trust" everyone in the
bank to give it back to us when we want it?

Should we stop subjecting banks to any independent audits?

Then and only then, is banking remotely similar to the problem of
securing voting.

OK. I am leaving the rabbit hole and getting back to reality for a while now.

Kathy
rob brown
2008-08-17 01:48:37 UTC
Post by Kathy Dopp
Date: Fri, 15 Aug 2008 02:01:45 -0400
Subject: Re: [EM] Why We Shouldn't Count Votes with Machines
Post by rob brown
Well here is where you and I differ. I think if electoral fraud in the
US were eliminated, it would be a good thing, but not dramatically
change things, any more than eliminating shoplifting would dramatically
change our economy. I do not believe that such fraud changes the
outcome of a large percentage of elections, and in those it does, it was
pretty close anyway.
And how do you know this since elections are not subjected to
independent audits except in one state (beginning in 2006 - NM)? Do
you believe that you are psychic and *know* which elections are being
subjected to fraud in the last couple of decades since ballots have
been primarily secretly counted by private companies with easily
hackable, unaccountable voting equipment?
I did not say I *know*, I said I *think*.

Your argument could be made to support any crazy conspiracy theory out
there. How do you know aliens aren't controlling our thoughts? You don't.
Or for that matter, how do you know your spouse isn't cheating on you
without proof? You take a reasonable, balanced perspective on things.
Which you seem unable to do on this issue.

I'm sure a degree of electoral fraud happens in the US (but much moreso in
other places). But murderers get away with murder, police are being bought
off by criminals, government employees steal office supplies. No one knows
exactly how much any of these things happen. We try to limit them (balancing the
degree of the problem and the cost of addressing it), and we go on with our
lives.

I do not object to the fact that you consider it an issue of more importance
than various other issues (street crime/violence, cancer, plurality voting,
bacterial resistance to antibiotics, middle east conflict, poverty,
whatever...). I do object to your expectation that others on this list
consider it so, since that is not the core issue of the list.

What I care about, and my understanding of what this list is about, is the
problems due to plurality voting and how to fix them. Basically the math of
voting and reforming that side of it. And since you are distracting from
that, I take issue.
Post by Kathy Dopp
Post by rob brown
So my priorities are different.
Yes. Apparently.
Due to the nature of the list, isn't that expected?

This isn't an election security list. See
http://wiki.electorama.com/wiki/Election-methods_mailing_list and
http://wiki.electorama.com/wiki/Main_Index if you are confused as to what is
meant by "methods". Security and fraud prevention is at best a peripheral
topic.

I'm not saying you can't discuss this stuff here, but if you come in
expecting us to care about your pet issue as much as you do, you are being
unrealistic.
Post by Kathy Dopp
Post by rob brown
Giving up on fixing a huge problem because it makes it more difficult to
fix a much smaller problem is not something I can support.
Ah. So you consider it a "small" problem that the public has virtually
no reason to believe that election results are accurate in 49 out of
50 states and that even the one state that subjects their election
results to independent scrutiny, does so in a wholly unscientific
manner that is insufficient to detect vote fraud in close election
contests?
Well, first off, I did not say small. I said "smaller". Big difference. I
consider the problem with plurality huge, strongly affecting the shape of
our government (i.e. it has become polarized into two main parties that
spend most of their time battling each other rather than solving real
problems).

Your issue is with crime.....a fundamentally different thing.

Post by Kathy Dopp
And just why, pray tell, do you believe that the fact that elections
is the only major industry (I am aware of) that is not subjected to
any independent auditing, yet election winners decide who controls
budgets in the millions to trillions of dollars and make decisions on
awarding contracts worth millions to billions of dollars, is such a
"small" problem?
Why do you not consider the issues with plurality a larger problem than you
do? Maybe because that is your pet issue, this is mine.

I won't address the rest of your email because it is basically just more of
the same...you typing in all caps and labeling things insane and calling
this list a "rabbit hole" because others aren't as convinced as you there is
a massive conspiracy going on.

-rob
Kathy Dopp
2008-08-17 04:40:24 UTC
Post by rob brown
Post by Kathy Dopp
Post by rob brown
I do not believe that such fraud changes the
outcome of a large percentage of elections, and in those it does, it
was pretty close anyway.
And how do you know this since elections are not subjected to
independent audits except in one state (beginning in 2006 - NM)?
Your argument could be made to support any crazy conspiracy theory out
there. How do you know aliens aren't controlling our thoughts? You don't.
Or for that matter, how do you know your spouse isn't cheating on you
without proof? You take a reasonable, balanced perspective on things.
Which you seem unable to do on this issue.
Rob,

You can tell when someone has absolutely no facts to back them up when
they attack and disparage the person rather than the issue that is
under discussion. So anyone who has done actual research on the issue
that clearly mathematically shows that the available data is
consistent with vote fraud must be a "crazy conspiracy theorist" or
lack a "balanced perspective" if they disagree with your imagined
beliefs about U.S. elections?
Post by rob brown
I'm sure a degree of electoral fraud happens in the US (but much moreso in
other places).
Are you saying that if everyone is doing electoral fraud, that makes it OK?
Post by rob brown
But murderers get away with murder, police are being bought
off by criminals, government employees steal office supplies. No one knows
exactly how much any of these things happen. We try to limit them (balancing the
degree of the problem and the cost of addressing it), and we go on with our
lives.
OH. So you see it as no big problem to pretend to live in a democracy
(where you can pretend to yourself that most election outcomes are
accurate) and continuing to let elections be the only major industry
where insiders have complete freedom to tamper because 49 US states
never subjected their election results to any independent checks,
except the wholly unscientific ones in NM.

Even when Utah used to use paper punch card ballots, one person did
all the programming to count all the punch cards for the entire state
of Utah, and no one ever checked after the election to make sure that
any of the machine counts were accurate.

You sure must believe in the 100% infallibility and honesty of this
one person, and all the other persons who have trivially easy access
to rig elections.

Apparently none of the plethora of evidence that election rigging has
been occurring ubiquitously in the US is of any interest or concern to
you.
Post by rob brown
I do not object to the fact that you consider it an issue of more importance
than various other issues (street crime/violence, cancer, plurality voting,
bacterial resistance to antibiotics, middle east conflict, poverty,
whatever...).
Voting is the one right that protects ALL OTHER RIGHTS. Tell me, just
how do you think that people can solve all the other problems if they
do not have the ability to select the decision-makers who spend all
our tax dollars, decide how many taxes we pay and what to spend it on,
whether or not to wage war, how many police to hire, what youth
programs to implement, and make all the laws, and so on?
Post by rob brown
I do object to your expectation that others on this list
consider it so, since that is not the core issue of the list.
I was *not* the person who began this thread. Are you claiming that my
expertise and knowledge about the issues of vote fraud which is
extensive since I have studied this issue and read widely on it and
written dozens of papers with PhD statisticians and mathematicians on
it - using actual election data - are not welcome on this list if a
thread that someone else introduces touches on a topic on which I have
considerable knowledge?
Post by rob brown
What I care about, and my understanding of what this list is about, is the
problems due to plurality voting and how to fix them.
So when the facts are not on your side then:

1. make personal attacks and

2. say that the topic should not be discussed on this list?
Post by rob brown
Post by Kathy Dopp
Post by rob brown
So my priorities are different.
Yes. Apparently.
Due to the nature of the list, isn't that expected?
So are you claiming that an interest in seeing that votes are counted
accurately as voters intended is incompatible with discussing new
voting methods?

Really? Well that may not be true for everyone on this list Rob.
Perhaps some people on this list *may* want to consider the effects of
particular voting methods on the ability to effect transparently
verifiably accurate election outcomes.

I mean let's climb out of the rabbit hole for a few minutes and
consider the REAL world effects of some of these voting methods on the
effort to make sure that voters actually have the right to "throw the
bums out" rather than just the pretense of democracy while private
companies secretly count (and often cast) our votes for us without any
independent checks.
Post by rob brown
Post by Kathy Dopp
Post by rob brown
Giving up on fixing a huge problem because it makes it more difficult to
fix a much smaller problem is not something I can support.
Well, first off, I did not say small. I said "smaller".
Honestly, you said "MUCH smaller".
Post by rob brown
Big difference. I
consider the problem with plurality huge, strongly affecting the shape of
our government (i.e. it has become polarized into two main parties that
spend most of their time battling each other rather than solving real
problems).
Yes. I agree that polarization is a problem, but perhaps the cause has
not been plurality as much as fixed fraudulent election outcomes that
were not decided by voters, as well as the corporate/military
industrial complex which seems to be funding campaigns and then
running our government and our press rather than voters.
Post by rob brown
Your issue is with crime.....a fundamentally different thing.
More fundamentally, my issue is with accuracy of machine vote counts.
ANY system which lacks any routine method to detect and correct errors
can be safely assumed to be inaccurate. The payoff to rig elections
is control of budgets, land use and contract issues worth millions to
trillions of dollars. There is nothing in place that would even detect
vote fraud in virtually all states. There is less than nothing in
place to tell the difference between fraud or innocent error or to
catch any perpetrator if vote fraud were to occur. VotER fraud
(voters voting illegally) is easily detected using voter registration
records and poll books after an election. Vote fraud is not
detectable, given the voting systems, and procedures in place in most
states.
Post by rob brown
Why do you not consider the issues with plurality a larger problem than you
do? Maybe because that is your pet issue, this is mine.
Right. But why is it that you don't want the public to verifiably KNOW
that if you use a new voting method that you support that this new
voting method is accurately applied to the actual intended votes of
the voters? I.e. You want a new method, but you don't care if the new
method is accurately counted or whether the insiders rig it
undetectably or not?

Can you explain that to me? What sense does it make to change the
voting method when you have no assurance whatsoever that either the
existing or the new method will be counted accurately or not by the
private companies that secretly count (and often cast) the ballots
today? You don't mind having virtually no public oversight over the
integrity of election results that would make sure that your "pet"
method is being accurately applied?

You really believe that voting methods should be considered only
divorced from any considerations of whether or not or how easily the
public can oversee whether or not the methods are accurately applied?

Cheers,

Kathy
----
Election-Methods mailing list - see http://electorama.com/em for list info
rob brown
2008-08-17 05:25:45 UTC
Post by Kathy Dopp
Rob,
You can tell when someone has absolutely no facts to back them up when
they attack and disparage the person rather than the issue that is
under discussion. So anyone who has done actual research on the issue
that clearly mathematically shows that the available data is
consistent with vote fraud must be a "crazy conspiracy theorist" or
lack a "balanced perspective" if they disagree with your imagined
beliefs about U.S. elections?
You came in swinging, Kathy. Your constant references to "rabbit holes"
etc. Your constant implications that everyone who doesn't consider your
issues all-important is insane.

I did not call you a crazy conspiracy theorist, either, I simply said that
your logic could be applied to justify any crazy conspiracy theory. And I
don't think that saying you are blowing things out of proportion or that you
don't have a balanced perspective is a personal attack.
Post by Kathy Dopp
Post by rob brown
I'm sure a degree of electoral fraud happens in the US (but much more so in
other places).
Are you saying that if everyone is doing electoral fraud, that makes it OK?
No. How on earth did you get that?

I said that it is a problem like other problems, but I happen to not elevate
the problem to the level you do.

Maybe you can give me your estimate of what percentage of US elections would
have different outcomes if it were not for fraud. I would expect the number
to be very low.

Doesn't make it "ok" when it happens, obviously.

Your logic is ridiculously black and white on this. And completely full of
straw men.
Post by Kathy Dopp
Post by rob brown
But murderers get away with murder, police are being bought
off by criminals, government employees steal office supplies. No one knows
exactly how much any of these things happen. We try to limit them (balancing the
degree of the problem and the cost of addressing it), and we go on with our
lives.
OH. So you see it as no big problem to pretend to live in a democracy
(where you can pretend to yourself that most election outcomes are
accurate) and continuing to let elections be the only major industry
where insiders have complete freedom to tamper because 49 US states
never subjected their election results to any independent checks,
except the wholly unscientific ones in NM.
Your words "pretend to live in a democracy" pretty much show where you are
coming from. That is the kind of thing that actually tempts me to actually
call you a crazy conspiracy theorist now (but I'm not, of course...). Or at
least I feel justified in saying you are blowing things out of proportion.

Post by Kathy Dopp
Voting is the one right that protects ALL OTHER RIGHTS. Tell me, just
how do you think that people can solve all the other problems if they
do not have the ability to select the decision-makers who spend all
our tax dollars, decide how many taxes we pay and what to spend it on,
whether or not to wage war, how many police to hire, what youth
programs to implement, and make all the laws, and so on?
Yes, and are you saying that if one person cheats the system by, say, adding
a single fake vote, that the whole system falls apart? (that would be black
and white thinking) Either that, or you think that this is happening on a
much grander scale than most mainstream people do.

Either way, it still appears to me that you are blowing things way out of
proportion. And I stand by that, whether you think it is a personal attack
or not.
Post by Kathy Dopp
Post by rob brown
I do object to your expectation that others on this list
consider it so, since that is not the core issue of the list.
I was *not* the person who began this thread.
It sure appears to me that you were. Maybe not, but your name shows up
first on it for me.

Post by Kathy Dopp
Are you claiming that my
expertise and knowledge about the issues of vote fraud which is
extensive since I have studied this issue and read widely on it and
written dozens of papers with PhD statisticians and mathematicians on
it - using actual election data - are not welcome on this list if a
thread that someone else introduces touches on a topic on which I have
considerable knowledge?
I am impressed with logic and a coherent argument, not with claims of
authority.
Post by Kathy Dopp
Post by rob brown
What I care about, and my understanding of what this list is about, is the
problems due to plurality voting and how to fix them.
1. make personal attacks and
Would you like me to paste in each and every attack you have made? You are
pretty thin-skinned for someone who likes to hurl ridicule around like you
do.
Post by Kathy Dopp
2. say that the topic should not be discussed on this list?
I did not say that. I said that if you come in here expecting us all to
care so much about your pet issue, that is not the core topic of the list,
you are being unrealistic.
Post by Kathy Dopp
Really? Well that may not be true for everyone on this list Rob.
Perhaps some people on this list *may* want to consider the effects of
particular voting methods on the ability to effect transparently
verifiably accurate election outcomes.
I mean let's climb out of the rabbit hole
Can you stop with the rabbit hole thing? It's not cute. Really. It's
tiresome, and totally inappropriate for someone crying "personal attack" to
be using such expressions to ridicule people who don't prioritize your pet
issue as highly as you do.

-rob
Kristofer Munsterhjelm
2008-08-17 16:09:29 UTC
Post by Kathy Dopp
Post by rob brown
But murderers get away with murder, police are being bought
off by criminals, government employees steal office supplies. No one knows
exactly how much any of these things happen. We try to limit them (balancing the
degree of the problem and the cost of addressing it), and we go on with our
lives.
OH. So you see it as no big problem to pretend to live in a democracy
(where you can pretend to yourself that most election outcomes are
accurate) and continuing to let elections be the only major industry
where insiders have complete freedom to tamper because 49 US states
never subjected their election results to any independent checks,
except the wholly unscientific ones in NM.
Even when Utah used to use paper punch card ballots, one person did
all the programming to count all the punch cards for the entire state
of Utah, and no one ever checked after the election to make sure that
any of the machine counts were accurate.
You sure must believe in the 100% infallibility and honesty of this
one person, and all the other persons who have trivially easy access
to rig elections.
Apparently none of the plethora of evidence that election rigging has
been occurring ubiquitously in the US is of any interest or concern to
you.
I'm not Rob, so excuse the interruption, but some questions and ideas here:

Won't the people, as a last stop, keep fraud from being too blatant? You
don't need scientific methods to know that something's up if a state was
80-20 Democratic one cycle and then suddenly becomes 80-20 Republican
(or vice versa) the next. Fraudsters could swing 45-55 results, but it
doesn't completely demolish democracy, since the >60% (or whatever
margin) results would presumably be left alone.

Fraud corrupts results, but it seems to me that fortunately we have some
room to implement improvements that get us closer to verifiability
without having the fraud that exists plunge the society directly into
dictatorship.

New voting methods and improved fraud detection could also strengthen
the prospects of each other. If you have an election method that
supports multiple parties (since the dominant parties can't rig all the
elections everywhere), then instead of only one other party, you have
n-1 parties actively interested in keeping an eye on what rigging
attempts do occur, and a lesser chance of entrenched forces colluding to
"ignore each other's attempts", since collusion among multiple entities
becomes much harder as the number of entities grows.
----
Election-Methods mailing list - see http://electorama.com/em for list info
Kathy Dopp
2008-08-17 17:51:06 UTC
On Sun, Aug 17, 2008 at 10:09 AM, Kristofer Munsterhjelm
Post by Kristofer Munsterhjelm
Won't the people, as a last stop, keep fraud from being too blatant? You
don't need scientific methods to know that something's up if a state was
80-20 Democratic one cycle and then suddenly becomes 80-20 Republican (or
vice versa) the next. Fraudsters could swing 45-55 results, but it doesn't
completely demolish democracy, since the >60% (or whatever margin) results
would presumably be left alone.
Excellent point Kristofer. Absolutely you are correct. It would be
immediately obvious if a fraudster stole 100% of the available target
votes or even 50%, so all our calculations for determining the sample
size for post-election audits assume that a vote fraudster would steal
at most, say 20% of available target votes, and then allow the
candidate to add at least one auditable vote count to the audit that
may appear to look suspicious, or provides for calculations to
determine any suspicious-looking auditable vote counts.

In practice, when we analyze the available exit poll data that we can
obtain (in Ohio 2004 presidential election some data was made
available and state-wide data in the recent 2008 primary elections),
it looks like the exit poll discrepancies can be explained by vote
shifts from one candidate to another of under about 15% of the margin
amounts.

Audit amounts need to be based on the reported unofficial margins and
the error bounds in the auditable vote counts and the total number of
auditable vote counts. The concepts are explained in the first few
pages of this doc in lay person's terms as much as possible:
http://electionarchive.org/ucvAnalysis/US/paper-audits/VoteCountAudits-PPMEB.pdf
Post by Kristofer Munsterhjelm
Fraud corrupts results, but it seems to me that fortunately we have some
room to implement improvements that get us closer to verifiability without
having the fraud that exists plunge the society directly into dictatorship.
That is the hope, IF we can get our elected officials to agree to
implement the improvements. However, it appears that most officials
who get elected see nothing wrong with a system that elected
themselves (It must not be broken, it elected ME.)
Post by Kristofer Munsterhjelm
New voting methods and improved fraud detection could also strengthen the
prospects of each other. If you have an election method that supports
multiple parties (since the dominant parties can't rig all the elections
everywhere), then instead of only one other party, you have n-1 parties
actively interested in keeping an eye on what rigging attempts do occur, and
a lesser chance of entrenched forces colluding to "ignore each other's
attempts", since collusion among multiple entities becomes much harder as the
number of entities grows.
I do not believe that the number of parties in power has any effect on
whether or not publicly verifiable routine measures are in place to
detect and correct vote miscount are effective or not. However, the
voting method could affect how difficult or easy, costly or not, it is
to implement routine measures that detect or correct vote miscount.
For instance, the IRV counting method could make it much more
difficult and costly to implement measures to routinely detect and
correct errors, whereas other voting methods may not make routine
error detection and correction more difficult and so may make publicly
verifiable election outcome accuracy much easier to achieve. The
practical effects of the various voting methods on election
administration and in particular on as yet unimplemented but necessary
routine measures to detect and correct vote miscount, must be
considered when deciding on which voting method to promote.

Cheers,

Kathy Dopp

The material expressed herein is the informed product of the author
Kathy Dopp's fact-finding and investigative efforts. Dopp is a
Mathematician, Expert in election audit mathematics and procedures; in
exit poll discrepancy analysis; and can be reached at

P.O. Box 680192
Park City, UT 84068
phone 435-658-4657

http://utahcountvotes.org
http://electionmathematics.org
http://electionarchive.org

How to Audit Election Outcome Accuracy
http://electionarchive.org/ucvAnalysis/US/paper-audits/legislative/VoteCountAuditBillRequest.pdf

History of Confidence Election Auditing Development & Overview of
Election Auditing Fundamentals
http://electionarchive.org/ucvAnalysis/US/paper-audits/History-of-Election-Auditing-Development.pdf

Voters Have Reason to Worry
http://utahcountvotes.org/UT/UtahCountVotes-ThadHall-Response.pdf
----
Election-Methods mailing list - see http://electorama.com/em for list info
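The sample-size reasoning in the message above (reported margin, number of auditable vote counts, a cap on how much of a unit's vote can be shifted before it is obvious), worked through as an added Python example that is not part of the original post and is not the method of the linked paper. It assumes uniform random sampling of audit units without replacement and a simplified bound in which shifting a fraction `max_shift` of a unit's ballots moves the margin by twice that many votes; the precinct sizes and margins are constructed.

```python
from math import comb


def min_corrupt_units(ballots_per_unit, margin_votes, max_shift):
    """Fewest audit units that must be miscounted to erase the reported margin.

    Assumption (not from the post): switching a fraction `max_shift` of the
    ballots in a unit from the true winner to the reported winner moves the
    margin by 2 * max_shift * ballots. Larger shifts are taken to be
    noticeable without an audit, which is the cap the post describes.
    """
    moved = 0.0
    # Worst case for the auditor: the largest units are the ones altered,
    # because that needs the fewest units and is hardest to hit by sampling.
    for used, ballots in enumerate(sorted(ballots_per_unit, reverse=True), 1):
        moved += 2 * max_shift * ballots
        if moved >= margin_votes:
            return used
    return None  # the margin cannot be erased within the assumed cap


def detection_probability(total_units, corrupt_units, sample_size):
    """P(a uniform sample without replacement contains >= 1 corrupt unit)."""
    clean = total_units - corrupt_units
    if sample_size > clean:
        return 1.0
    return 1.0 - comb(clean, sample_size) / comb(total_units, sample_size)


def audit_sample_size(ballots_per_unit, margin_votes,
                      max_shift=0.20, confidence=0.95):
    """Return (units_to_audit, min_corrupt_units) for one contest."""
    total = len(ballots_per_unit)
    corrupt = min_corrupt_units(ballots_per_unit, margin_votes, max_shift)
    if corrupt is None:
        # No outcome-changing miscount fits under the cap, so this model
        # yields no sample size; it says nothing about larger shifts.
        return 0, None
    for n in range(1, total + 1):
        if detection_probability(total, corrupt, n) >= confidence:
            return n, corrupt
    return total, corrupt


# Constructed example: 100 precincts of 1000 ballots each.
PRECINCTS = [1000] * 100

if __name__ == "__main__":
    for margin in (2100, 19000):  # a 2.1% and a 19% reported margin
        n, b = audit_sample_size(PRECINCTS, margin)
        print(f"margin {margin:>6} votes: >= {b} units must be wrong, "
              f"audit {n} of {len(PRECINCTS)} units for 95% detection")
```

The narrow contest needs far more units audited than the wide one, which is why a fixed audit percentage applied to every contest does not give a fixed level of assurance.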
Kathy Dopp
2008-08-17 05:47:28 UTC
Rob,

I noticed that you did not try to answer one of my sincere questions
to you (I am a highly skilled teacher whose college classes always had
the highest score of all the classes taught by all the professors and
other TA's on any department-wide final mathematics exams. I did this
by questioning my classes and making them think, although some
students reacted antagonistically by being forced to learn to think
rather than being able to simply memorize.)

Your entire email (below) disparaged me personally and
mischaracterized me rather than trying to honestly communicate on the
issue, so I will waste no more time or effort trying to teach you how
to think logically about the issues concerning how to or why to assure
the accuracy of election outcomes.

I am sorry that my teaching style of asking questions to get people to
think about the topic offends you so much.

Cheers,

Kathy


----
Election-Methods mailing list - see http://electorama.com/em for list info
rob brown
2008-08-17 06:03:55 UTC
Post by Kathy Dopp
Rob,
I noticed that you did not try to answer one of my sincere questions
to you (I am a highly skilled teacher whose college classes always had
the highest score of all the classes taught by all the professors and
other TA's on any department-wide final mathematics exams. I did this
by questioning my classes and making them think, although some
students reacted antagonistically by being forced to learn to think
rather than being able to simply memorize.)
Your entire email (below) disparaged me personally and
mischaracterized me rather than trying to honestly communicate on the
issue, so I will waste no more time or effort trying to teach you how
to think logically about the issues concerning how to or why to assure
the accuracy of election outcomes.
Give me a break.....you do the exact same things you accuse me of.
Mischaracterize? Where? I advocate a balanced perspective on things, and
when I do, you constantly use the straw man of "so you are saying its fraud
is ok" when I did nothing of the kind.

I didn't address your issues in the last message because they are more of
the same, and I have already addressed them (and I don't have an infinite
amount of time). And I get tired of your habit of ridiculing anyone who
doesn't agree with you, then crying "personal attack" as soon as they argue
back.
Kathy Dopp
2008-08-17 06:42:01 UTC
Rob,

As I said, I am not responding to any more of your unsupported
internal chatter/attacks.

Instead here is interesting news coverage today by CBS news:

Voting Machine Doubts Linger - Concerns Over Vulnerability Of
Electronic Machines Sending Many States Back To Paper Ballots

http://www.cbsnews.com/stories/2008/08/16/eveningnews/main4355733.shtml

Most of the country, thankfully *is* beginning to get the concepts
that I've been trying to explain for why only voter marked paper
ballots and routine scientific post-election audits provide a way to
publicly verify the accuracy of election outcomes in a way that the
public can comprehend and support.

This CBS article *gets it*.

For the best election auditing legislative proposal, reviewed by
election officials, and statisticians and mathematicians who are
experts in election auditing mathematics, please review this and see
how it would work for your "pet" voting method:

http://electionarchive.org/ucvAnalysis/US/paper-audits/VoteCountAuditBillRequest.pdf

You will not be able to provide information or data to support the
assertion that US election outcomes are mostly accurate today due to
the lack of any scientific independent post-election auditing in all
US states and lack of public access to election records, lack of
ballot security, lack of any public oversight over ballot security,
lack of timely public access to election records, and lack of
post-election ballot reconciliation. I know of NO state, not even one,
which employs all the fundamentals which would demonstrate the
accuracy of its election outcomes.

The U.S. currently has a voting system that is wide-open to
outcome-altering vote fraud in almost all states. It is naive to
imagine that no insiders take advantage of this susceptibility and
unaccountability. Rigging an election is much easier to do and to get
away with than robbing a bank, and the financial rewards and power
obtained from election rigging are far greater. And all the available
data is highly consistent with ubiquitous vote miscount - not
surprising without any measures to detect or correct vote miscount in
most states.

Why would you imagine that any election outcomes are accurate? Why
would you imagine that state legislative election outcomes are
accurate? Why would you imagine that any US congressional election
outcomes are accurate? There is no evidence to support any claim of
accurate election outcomes in most states.

Cheers,

Kathy
----
Election-Methods mailing list - see http://electorama.com/em for list info
Kathy Dopp
2008-08-21 22:37:32 UTC
4. Re: Why We Shouldn't Count Votes with Machines (Dave Ketchum)
All machines have identical valid code,
Some have video cameras recording the ballot as the voter
submits it.
Voters choose which machines to vote on.
Audit that tapes prove 100% correctness of those machines taped
- BETTER be.
Just a few objections come to mind for that "solution" David:

1. potentially violates voter privacy
2. video can be digitally altered, segments deleted (is more volatile
than paper ballots)
3. another expensive toy (video cameras) that would have to be kept
running during elections, & maintained between elections, tested,
certified, etc.
4. auditing video tapes would be much slower (more administratively
burdensome) than auditing paper ballots
5. selecting the machines to be videotaped prior to the election tells
any inside fraudsters which machines can be undetectably tampered with
or have their votes altered during or after the election (valid
auditing requires only selecting the random audit units AFTER all the
auditable vote counts have been publicly posted after the polls close
(as in any field, the data must be committed prior to auditing it)

A response giving more details of why election integrity advocates
oppose such video systems is included in this post that I wrote upon
request of the Election Defense Alliance:

http://electionarchive.org/ucvInfo/US/legislation/S3212BennettFeinsteinBill2008.pdf

Cheers,

Kathy
----
Election-Methods mailing list - see http://electorama.com/em for list info
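Objection 5 in the message above turns on ordering: the vote counts are committed publicly first, and the audit units are drawn only afterwards. An added Python sketch of that commit-then-select step follows; it is not part of the original post or of any procedure the thread cites, and the precinct ids, tallies, dice-roll seed format and hash-ranking draw are all assumptions made for the example.

```python
import hashlib
import json


def commit_counts(counts):
    """Digest of the posted per-unit counts, published before any draw.

    Canonical JSON (sorted keys, fixed separators) makes the digest depend
    only on the data, so any observer can recompute it.
    """
    canonical = json.dumps(counts, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def select_units(unit_ids, commitment, public_seed, sample_size):
    """Draw audit units from a seed generated AFTER the commitment is public.

    Each unit gets a ticket SHA-256(commitment | seed | unit id); the units
    with the lowest tickets are audited. The draw is bound to the committed
    counts and can be replayed by anyone holding the same three inputs.
    """
    def ticket(unit_id):
        material = f"{commitment}|{public_seed}|{unit_id}".encode("utf-8")
        return hashlib.sha256(material).hexdigest()

    return sorted(unit_ids, key=lambda u: (ticket(u), u))[:sample_size]


def verify_audit(posted_counts, published_commitment, public_seed,
                 announced_sample):
    """Observer-side check of an announced audit sample."""
    if commit_counts(posted_counts) != published_commitment:
        return "counts changed after commitment"
    expected = select_units(list(posted_counts), published_commitment,
                            public_seed, len(announced_sample))
    if list(announced_sample) != expected:
        return "sample not derived from commitment and seed"
    return "ok"


# Constructed data: 12 precincts with made-up tallies for candidates A and B.
COUNTS = {f"P{i:02d}": {"A": 480 + 7 * i, "B": 520 - 5 * i}
          for i in range(1, 13)}
# Constructed seed, standing in for dice rolled in public after posting.
SEED = "dice:3-6-1-4-2-5-6-1-3-2"

if __name__ == "__main__":
    digest = commit_counts(COUNTS)
    sample = select_units(list(COUNTS), digest, SEED, 4)
    print("commitment:", digest)
    print("audit units:", sample)
    print("observer check:", verify_audit(COUNTS, digest, SEED, sample))

    # A count edited after the digest was published fails the first check.
    edited = json.loads(json.dumps(COUNTS))
    edited["P03"]["A"] += 50
    print("after edit:", verify_audit(edited, digest, SEED, sample))
```

If the units were instead named before the counts were posted, none of these checks would constrain what is reported for the units left out, which is the gap the objection describes.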
Dave Ketchum
2008-08-22 04:00:28 UTC
Post by Kathy Dopp
4. Re: Why We Shouldn't Count Votes with Machines (Dave Ketchum)
All machines have identical valid code,
Some have video cameras recording the ballot as the voter
submits it.
Voters choose which machines to vote on.
Audit that tapes prove 100% correctness of those machines taped
- BETTER be.
First, this is not intended to be used in a zillion precincts -
just to validate the programs.
But part of the requirement on the program installation is that
it be impractical to alter it undetectably.
Post by Kathy Dopp
1. potentially violates voter privacy
That is the reason for letting voters CHOOSE whether to
volunteer for this.
Post by Kathy Dopp
2. video can be digitally altered, segments deleted (is more volatile
than paper ballots)
So there needs to be extra effort to avoid such.
Post by Kathy Dopp
3. another expensive toy (video cameras) that would have to be kept
running during elections, & maintained between elections, tested,
certified, etc.
Sounds like overkill. What more is needed than cameras that can
be borrowed for use as needed?
Post by Kathy Dopp
4. auditing video tapes would be much slower (more administratively
burdensome) than auditing paper ballots
"Auditing" is not clear to me - must read all the ballots off
the tape - part of deciding how many voting machines to do this on.
Post by Kathy Dopp
5. selecting the machines to be videotaped prior to the election tells
any inside fraudsters which machines can be undetectably tampered with
or have their votes altered during or after the election (valid
auditing requires only selecting the random audit units AFTER all the
auditable vote counts have been publicly posted after the polls close
(as in any field, the data must be committed prior to auditing it)
Then I am not proposing auditing as such.
The programs used need to make fraud difficult, and undetectable
fraud VERY difficult, wherever used, whether or not a particular
machine is taped.

Again, my purpose is validating a program, rather than a particular
election.
Post by Kathy Dopp
A response giving more details of why election integrity advocates
oppose such video systems is included in this post that I wrote upon
http://electionarchive.org/ucvInfo/US/legislation/S3212BennettFeinsteinBill2008.pdf
Cheers,
Kathy
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.



----
Election-Methods mailing list - see http://electorama.com/em for list info
Kathy Dopp
2008-08-22 04:22:41 UTC
First, this is not intended to be used in a zillion precincts - just to
validate the programs.
OK. Well if you don't care about validating the election outcome
accuracy, and just want to verify the small amount of programs on
voting machines that pertain to voting, then you could do parallel
(Election Day) sampling of memory cards (memory cards unbelievably
have today interpreted code on them on most voting systems) like
the University of CT engineering dept. has designed for checking the
voting code on CT's voting systems.

My own focus is on ensuring that voters decide who governs them by
checking the accuracy of the election outcomes instead.
But part of the requirement on the program installation is that it be
impractical to alter it undetectably.
OK. So how many billions of dollars do you want to allocate to your
new voting system and voting program design?

And you do understand that it will not ensure that the election
outcomes are accurate right?
Post by Kathy Dopp
1. potentially violates voter privacy
That is the reason for letting voters CHOOSE whether to volunteer for
this.
Oh. I see, so you want voters to choose to give up their ballot
privacy. Hmmm. You do realize that could/would enable vote buying not
just for mail-in voting like today, but also for precinct voting?
Post by Kathy Dopp
2. video can be digitally altered, segments deleted (is more volatile
than paper ballots)
So there needs to be extra effort to avoid such.
Extra effort and expense and complexity and you are going to first
convince the public to double their budget for elections so that you
can remove the voter from "voter-verification" so that we can have
video verification?
Post by Kathy Dopp
3. another expensive toy (video cameras) that would have to be kept
running during elections, & maintained between elections, tested,
certified, etc.
Sounds like overkill. What more is needed than cameras that can be
borrowed for use as needed?
OK. So now you plan to change the election statutes in almost all
states too, so that federal certification and testing are no longer
required for voting systems?

Gee, does anyone on this list ever consider practical real life
situations when you devise your "solutions"?
Post by Kathy Dopp
4. auditing video tapes would be much slower (more administratively
burdensome) than auditing paper ballots
"Auditing" is not clear to me - must read all the ballots off the tape -
part of deciding how many voting machines to do this on.
I thought you already said that only some machines are selected prior
to the election for videoing, so that all the unselected machine
counts can be undetectably altered to match erroneous election
results?

Since your aim is not to ensure accurate election outcomes and only to
check some of the vote counting software on the individual machines,
and not on the central tabulator and not check the accuracy of the
election outcomes, I'm not sure how you plan to calculate the amount
of voting machines to "do this on"?

When calculating audit amounts with the goal of assuring correct
election outcomes, the mathematics depend on the reported election
results and the total number of reported auditable vote counts.
Post by Kathy Dopp
5. selecting the machines to be videotaped prior to the election tells
any inside fraudsters which machines can be undetectably tampered with
or have their votes altered during or after the election (valid
auditing requires only selecting the random audit units AFTER all the
auditable vote counts have been publicly posted after the polls close
(as in any field, the data must be committed prior to auditing it)
Then I am not proposing auditing as such.
Yes. I understand that your goal is obviously not to ensure that the
election outcomes are correct, but only to test the voting software on
some machines selected at the beginning of the election. Obviously
there are a lot of ways to fraudulently manipulate election outcomes
with using your costly administratively burdensome procedure of adding
video machines that film voters' screens while voting.
The programs used need to make fraud difficult, and undetectable fraud
VERY difficult, wherever used, whether or not a particular machine is taped.
Again, my purpose is validating a program, rather than a particular
election.
Yes. Thanks for explaining that.

I am more concerned about whether or not voters are the
decision-makers in who governs them and really am not interested in
spending gobs of money and complicating elections just to video some
individual voting machines during the election.


Cheers,

Kathy
----
Election-Methods mailing list - see http://electorama.com/em for list info
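Item 5 in the message above says audit units may be drawn only after the auditable counts are publicly posted. The following is an added example, not part of the original thread, of one way to make that ordering checkable by anyone: the sample is derived from a fingerprint of the posted counts plus a seed produced in public afterwards. The function names, machine identifiers, counts and seed are all constructed for illustration.

```python
import hashlib
import json

# Constructed sample: per-machine counts as posted publicly after the polls close.
POSTED_COUNTS = {
    "machine-01": {"A": 212, "B": 187},
    "machine-02": {"A": 154, "B": 201},
    "machine-03": {"A": 98, "B": 120},
    "machine-04": {"A": 305, "B": 299},
    "machine-05": {"A": 77, "B": 64},
    "machine-06": {"A": 143, "B": 150},
}
# Constructed sample: a seed generated in public AFTER the counts were posted
# (for example dice rolls read aloud in front of observers).
PUBLIC_SEED = "4-1-6-2-5-3-3-6-1-2"


def commit_counts(posted_counts):
    """Return a SHA-256 fingerprint of the posted counts (canonical JSON)."""
    canonical = json.dumps(posted_counts, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def select_audit_units(commitment_hex, public_seed, unit_ids, k):
    """Pick k audit units reproducibly from the commitment and the public seed.

    Every unit gets a rank SHA-256(commitment, seed, unit); the k lowest ranks
    are audited. Because the commitment is an input, the sample cannot be
    computed until the counts are fixed, and any observer can recompute it.
    """
    units = sorted(set(unit_ids))
    if not 0 < k <= len(units):
        raise ValueError("k must be between 1 and the number of audit units")

    def rank(unit_id):
        # A JSON list keeps the three fields unambiguous whatever they contain.
        material = json.dumps([commitment_hex, public_seed, unit_id])
        return hashlib.sha256(material.encode("utf-8")).digest()

    return sorted(units, key=rank)[:k]


def verify_audit(counts_at_audit, commitment_hex, public_seed, k, audited_units):
    """Observer-side check: counts unchanged since posting, sample as drawn."""
    if commit_counts(counts_at_audit) != commitment_hex:
        return False, "counts differ from those posted before the draw"
    expected = select_audit_units(commitment_hex, public_seed, counts_at_audit, k)
    if list(audited_units) != expected:
        return False, "audited units are not the ones the public seed selects"
    return True, "ok"


if __name__ == "__main__":
    commitment = commit_counts(POSTED_COUNTS)
    chosen = select_audit_units(commitment, PUBLIC_SEED, POSTED_COUNTS, 2)
    print("commitment:", commitment)
    print("units to audit:", chosen)
    print(verify_audit(POSTED_COUNTS, commitment, PUBLIC_SEED, 2, chosen))

    # A count changed on a machine that was NOT drawn still fails the check,
    # because every posted count is covered by the commitment.
    altered = {unit: dict(counts) for unit, counts in POSTED_COUNTS.items()}
    unaudited = next(unit for unit in altered if unit not in chosen)
    altered[unaudited]["A"] += 10
    print(verify_audit(altered, commitment, PUBLIC_SEED, 2, chosen))
```

The sample size k is taken as given here; as the message notes, choosing it depends on the reported results and the number of auditable vote counts.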
Kristofer Munsterhjelm
2008-08-22 13:01:39 UTC
Permalink
Post by Kathy Dopp
First, this is not intended to be used in a zillion precincts - just to
validate the programs.
OK. Well if you don't care about validating the election outcome
accuracy, and just want to verify the small amount of programs on
voting machines that pertain to voting, then you could do parallel
(Election Day) sampling of memory cards (memory cards unbelievably
have today interpreted code on them on most voting systems) like
the University of CT engineering dept. has designed for checking the
voting code on CT's voting systems.
That's bad design. The election machine shouldn't have code that can be
simply replaced by switching memory cards. The code should be loaded at
some time prior to the election and then locked in, and the machine
should verify that it's the right code, perhaps by checking a digital
signature. Anything less is, well, just bad.
----
Election-Methods mailing list - see http://electorama.com/em for list info
Dave Ketchum
2008-08-23 05:02:44 UTC
Permalink
Federal certification? The many horror stories tell us either:
Equipment is failing that has never been "certified" or
The certifiers are signing off without bothering to look
seriously for the many defects in the offered systems,

Thus the certification process needs overhauling.

I said nothing of such as central tabulators. Certainly quality needs
attending to here, but voter anonymity should not be a problem here.
Post by Kathy Dopp
First, this is not intended to be used in a zillion precincts - just to
validate the programs.
OK. Well if you don't care about validating the election outcome
accuracy, and just want to verify the small amount of programs on
voting machines that pertain to voting, then you could do parallel
(Election Day) sampling of memory cards (memory cards unbelievably
have today interpreted code on them on most voting systems) like
the University of CT engineering dept. has designed for checking the
voting code on CT's voting systems.
My own focus is on ensuring that voters decide who governs them by
checking the accuracy of the election outcomes instead.
I assume properly certified systems, only demonstrating to voters that
they truly behave as such.

I am not interested in memory cards, as such - if such are used, the
certifiers should have considered proper installation and use.
Post by Kathy Dopp
But part of the requirement on the program installation is that it be
impractical to alter it undetectably.
OK. So how many billions of dollars do you want to allocate to your
new voting system and voting program design?
And you do understand that it will not ensure that the election
outcomes are accurate right?
Certainly want correct outcomes. Major requirement is developers with
the right mindset, plus reasonable skill.

Do not see this costing billions - more than many present efforts, but
usable by many precincts.
Post by Kathy Dopp
Post by Kathy Dopp
1. potentially violates voter privacy
That is the reason for letting voters CHOOSE whether to volunteer for
this.
Oh. I see, so you want voters to choose to give up their ballot
privacy. Hmmm. You do realize that could/would enable vote buying not
just for mail-in voting like today, but also for precinct voting?
Needs thought. Look for needed use of the tapes while making vote
buying as impractical as possible.
Post by Kathy Dopp
Post by Kathy Dopp
2. video can be digitally altered, segments deleted (is more volatile
than paper ballots)
So there needs to be extra effort to avoid such.
Extra effort and expense and complexity and you are going to first
convince the public to double their budget for elections so that you
can remove the voter from "voter-verification" so that we can have
video verification?
Not something to do at many precincts. Do not see it as being as
expensive as you imply.
Post by Kathy Dopp
Post by Kathy Dopp
3. another expensive toy (video cameras) that would have to be kept
running during elections, & maintained between elections, tested,
certified, etc.
Sounds like overkill. What more is needed than cameras that can be
borrowed for use as needed?
OK. So now you plan to change the election statutes in almost all
states too, so that federal certification and testing are no longer
required for voting systems?
As I say above, what has been called "federal certification"
apparently needs to be replaced by testing whether the equipment
offered can really do the job.
Post by Kathy Dopp
Gee, does anyone on this list ever consider practical real life
situations when you devise your "solutions"?
I do consider. Do not know what proper equipment would cost, but
believe we could get closer than where we are now.
Post by Kathy Dopp
Post by Kathy Dopp
4. auditing video tapes would be much slower (more administratively
burdensome) than auditing paper ballots
"Auditing" is not clear to me - must read all the ballots off the tape -
part of deciding how many voting machines to do this on.
I thought you already said that only some machines are selected prior
to the election for videoing, so that all the unselected machine
counts can be undetectably altered to match erroneous election
results?
They are all supposed to be using the same programs - which are
supposed to defend against what you suggest.
Post by Kathy Dopp
Since your aim is not to ensure accurate election outcomes and only to
check some of the vote counting software on the individual machines,
and not on the central tabulator and not check the accuracy of the
election outcomes, I'm not sure how you plan to calculate the amount
of voting machines to "do this on"?
There are supposed to be proper programs everywhere. Topic here is
enough verification to satisfy voters that we are saying goodby to the
horror stories.
Post by Kathy Dopp
When calculating audit amounts with the goal of assuring correct
election outcomes, the mathematics depend on the reported election
results and the total number of reported auditable vote counts.
I am not talking of auditing.
Post by Kathy Dopp
Post by Kathy Dopp
5. selecting the machines to be videotaped prior to the election tells
any inside fraudsters which machines can be undetectably tampered with
or have their votes altered during or after the election (valid
auditing requires only selecting the random audit units AFTER all the
auditable vote counts have been publicly posted after the polls close
(as in any field, the data must be committed prior to auditing it)
Then I am not proposing auditing as such.
Yes. I understand that your goal is obviously not to ensure that the
election outcomes are correct, but only to test the voting software on
some machines selected at the beginning of the election. Obviously
there are a lot of ways to fraudulently manipulate election outcomes
with using your costly administratively burdensome procedure of adding
video machines that film voters' screens while voting.
See below.
Post by Kathy Dopp
The programs used need to make fraud difficult, and undetectable fraud
VERY difficult, wherever used, whether or not a particular machine is taped.
Again, my purpose is validating a program, rather than a particular
election.
Yes. Thanks for explaining that.
I am more concerned about whether or not voters are the
decision-makers in who governs them and really am not interested in
spending gobs of money and complicating elections just to video some
individual voting machines during the election.
Assuming we get proper programming, how would you convince voters that
the horror stories are from a regrettable past, and gone from the present?
Post by Kathy Dopp
Cheers,
Kathy
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.



----
Election-Methods mailing list - see http://electorama.com/em for list info
Kathy Dopp
2008-08-24 01:27:07 UTC
Permalink
Date: Sat, 23 Aug 2008 01:02:44 -0400
Subject: Re: [EM] Why We Shouldn't Count Votes with Machines
Equipment is failing that has never been "certified" or
The certifiers are signing off without bothering to look
seriously for the many defects in the offered systems,
The second scenario is true, and there are loopholes in the standards
which allow systems to be certified despite not meeting the standards.
Thus the certification process needs overhauling.
Yes, but certifying voting systems is a fundamentally flawed concept
anyway, because if the software is changed at all, then it is not
certified any longer and many states require that only certified
software is used. This makes it legally impossible to do security and
bug fixes because it can take a year (or perhaps more, but a really
long time) to get a new voting system software federally certified.
Smart State Election Officials are beginning to see that federal
certification is not a good idea, but many states would have to get
the legislatures to change state statutes to no longer require federal
certification of their voting machines.

The state with one of the best, most economical voting systems is
Oklahoma who programmed their own paper ballot voting system rather
than buying one from a vendor so OK uses standard optical scanners to
count their paper ballots. I would think that this means that OK
could possibly have an open source voting system. I heard that OK
decided to forgo taking Help America Vote Act funds for a new voting
system.

Cheers,

Kathy
----
Election-Methods mailing list - see http://electorama.com/em for list info
Dave Ketchum
2008-08-24 03:10:45 UTC
Permalink
Post by Kathy Dopp
Date: Sat, 23 Aug 2008 01:02:44 -0400
Subject: Re: [EM] Why We Shouldn't Count Votes with Machines
Equipment is failing that has never been "certified" or
The certifiers are signing off without bothering to look
seriously for the many defects in the offered systems,
The second scenario is true, and there are loopholes in the standards
which allow systems to be certified despite not meeting the standards.
Thus the certification process needs overhauling.
Yes, but certifying voting systems is a fundamentally flawed concept
anyway, because if the software is changed at all, then it is not
certified any longer and many states require that only certified
software is used. This makes it legally impossible to do security and
bug fixes because it can take a year (or perhaps more, but a really
long time) to get a new voting system software federally certified.
Smart State Election Officials are beginning to see that federal
certification is not a good idea, but many states would have to get
the legislatures to change state statutes to no longer require federal
certification of their voting machines.
I accept that what has passed as certification is demonstrated as
fundamentally flawed.

However, there is need for someone other than the producer to verify
quality of what is produced.
Bug fixes, etc., do not deserve a free pass, though expedited
processing of them makes sense.
And open source can ensure both better quality programming and
quicker finding of most bugs.
Post by Kathy Dopp
The state with one of the best, most economical voting systems is
Oklahoma who programmed their own paper ballot voting system rather
than buying one from a vendor so OK uses standard optical scanners to
count their paper ballots. I would think that this means that OK
could possibly have an open source voting system. I heard that OK
decided to forgo taking Help America Vote Act funds for a new voting
system.
I doubt that what they have would be usable everywhere, but they might
be able to offer some useful guidance.
Post by Kathy Dopp
Cheers,
Kathy
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.



----
Election-Methods mailing list - see http://electorama.com/em for list info
James Gilmour
2008-08-27 13:57:39 UTC
Permalink
Dancing on E-voting’s grave
http://blogs.zdnet.com/Murphy/?p=1227&tag=nl.e019

Election loser: touch-screen voting
http://www.newsobserver.com/politics/story/1185482.html

JG



----
Election-Methods mailing list - see http://electorama.com/em for list
Dave Ketchum
2008-08-28 03:53:44 UTC
Permalink
Regrettably James is making an incorrect analysis of the problem.

Agreed that there have been some expensive disasters associated with
computers and voting.

ASSUMING computers were as unreliable as James' sources imply, we had
best retreat from our computer-based civilization, much of which
depends on computers reliably doing their part.

BETTER to accept that computers are truly as dependable as their
successful use elsewhere demonstrates, study how we stumbled into our
election disasters, and plan to do better in the future.

DWK
Post by James Gilmour
Dancing on E-voting’s grave
http://blogs.zdnet.com/Murphy/?p=1227&tag=nl.e019
Election loser: touch-screen voting
http://www.newsobserver.com/politics/story/1185482.html
JG
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.



----
Election-Methods ma
James Gilmour
2008-08-28 11:00:42 UTC
Permalink
Dave Ketchum> Sent: Thursday, August 28, 2008 4:54 AM
Post by Dave Ketchum
Regrettably James is making an incorrect analysis of the problem.
Oh dear! I never thought for one moment that posting a link to a relevant news item for information would be taken as necessarily
signifying my agreement with its content. If you look at my message, you will see there is no comment at all from me. But just to
make sure, beyond all peradventure of a doubt, "Inclusion of a news item should not be taken to imply endorsement by this sender".

This debate is fascinating, especially as there are such divergent and polarised views. It has surfaced in various other web groups
concerned with e-participation and e-democracy. On the one hand there are some, and some countries, completely opposed to any
electronic processing of ballot papers in public elections, never mind the use of electronic voting machines of any kind. At the
other extreme, we have countries like Estonia where e-voting for public elections has been fully embraced, apparently with few
reservations: registered electors can vote from their own laptops wherever they might be.

Here in Scotland there is a somewhat "hidden" debate that must be had. STV-PR was introduced for local government elections in
2007. The counting rules adopted (Weighted Inclusive Gregory Method for consequential transfers) make electronic counting almost
obligatory. (Manual counting to WIGM rules is possible, but long and tedious because so many ballot papers have to be sorted and
counted again and again.) So we used scanners, OCR conversion and e-counting. The Scottish Government is promoting further use of
STV-PR for various directly elected bodies. This is raising issues about the long-term provision of the equipment necessary for
e-processing of the ballot papers for all these different public elections and about the software that will be used for scanning,
OCR and counting. Concerns about "black box" processing have been somewhat muted so far, but there have been calls for all blank
ballot papers to be subject to individual adjudication by the Returning Officer under scrutiny of the candidates and their agents.
This is an example of the ridiculous double-standards that are being applied to e-processing, because straightforward blank ballot
papers would never be subject to Returning Officer adjudication in a manual count.

James



----
Election-Methods mailing list - see http://electorama.com/em for list info
Raph Frank
2008-10-02 22:26:38 UTC
Permalink
On Thu, Aug 28, 2008 at 12:00 PM, James Gilmour
Post by James Gilmour
Here in Scotland there is a somewhat "hidden" debate that must be had. STV-PR was introduced for local government elections in
2007. The counting rules adopted (Weighted Inclusive Gregory Method for consequential transfers) make electronic counting almost
obligatory. (Manual counting to WIGM rules is possible, but long and tedious because so many ballot papers have to be sorted and
counted again and again.) So we used scanners, OCR conversion and e-counting.
That is similar to Abd's ballot imaging suggestion.

I assume that the images used for the OCR aren't made available to the public?
Post by James Gilmour
The Scottish Government is promoting further use of
STV-PR for various directly elected bodies. This is raising issues about the long-term provision of the equipment necessary for
e-processing of the ballot papers for all these different public elections and about the software that will be used for scanning,
OCR and counting.
This can be solved by just publishing the ballot images. This way
everyone can work out their own result.
Post by James Gilmour
Concerns about "black box" processing have been somewhat muted so far, but there have been calls for all blank
ballot papers to be subject to individual adjudication by the Returning Officer under scrutiny of the candidates and their agents.
This is an example of the ridiculous double-standards that are being applied to e-processing, because straightforward blank ballot
papers would never be subject to Returning Officer adjudication in a manual count.
A blank ballot is one that has no writing on it, or one that is not used?
----
Election-Methods mailing list - see http://electorama.com/em for list info
Terry Bouricius
2008-10-03 00:02:22 UTC
Permalink
Raph wrote:
"This can be solved by just publishing the ballot images. This way
everyone can work out their own result."

Note that in Burlington (Vermont, USA), all of the ranked ballot images
(text file, not graphical images, unfortunately) are posted on the
Internet after the election, along with tallying software and instructions
on how to conduct your own IRV tally using any spread sheet software. You
can see the actual city web site here:
http://www.burlingtonvotes.org/20060307/

Terry Bouricius
----- Original Message -----
From: "Raph Frank" <***@gmail.com>
To: <***@globalnet.co.uk>
Cc: "Dave Ketchum" <***@clarityconnect.com>;
<election-***@lists.electorama.com>
Sent: Thursday, October 02, 2008 6:26 PM
Subject: Re: [EM] Why We Shouldn't Count Votes with Machines


On Thu, Aug 28, 2008 at 12:00 PM, James Gilmour
Post by James Gilmour
Here in Scotland there is a somewhat "hidden" debate that must be had.
STV-PR was introduced for local government elections in
2007. The counting rules adopted (Weighted Inclusive Gregory Method for
consequential transfers) make electronic counting almost
obligatory. (Manual counting to WIGM rules is possible, but long and
tedious because so many ballot papers have to be sorted and
counted again and again.) So we used scanners, OCR conversion and e-counting.
That is similar to Abd's ballot imaging suggestion.

I assume that the images used for the OCR aren't made available to the
public?
Post by James Gilmour
The Scottish Government is promoting further use of
STV-PR for various directly elected bodies. This is raising issues
about the long-term provision of the equipment necessary for
e-processing of the ballot papers for all these different public
elections and about the software that will be used for scanning,
OCR and counting.
This can be solved by just publishing the ballot images. This way
everyone can work out their own result.
Post by James Gilmour
Concerns about "black box" processing have been somewhat muted so far,
but there have been calls for all blank
ballot papers to be subject to individual adjudication by the Returning
Officer under scrutiny of the candidates and their agents.
This is an example of the ridiculous double-standards that are being
applied to e-processing, because straightforward blank ballot
papers would never be subject to Returning Officer adjudication in a manual count.
A blank ballot is one that has no writing on it, or one that is not used?
----
Election-Methods mailing list - see http://electorama.com/em for list info

----
Election-Methods mailing list - see http://electorama.com/em for list info
James Gilmour
2008-10-04 16:13:42 UTC
Permalink
Just for the record -
Raph Frank > Sent: Thursday, October 02, 2008 11:27 PM
Post by Raph Frank
On Thu, Aug 28, 2008 at 12:00 PM, James Gilmour
Here in Scotland there is a somewhat "hidden" debate that must be had.
STV-PR was introduced for local government elections in 2007. The
counting rules adopted (Weighted Inclusive Gregory Method for
consequential transfers) make electronic counting almost obligatory.
(Manual counting to WIGM rules is possible, but long and tedious
because so many ballot papers have to be sorted and counted again and
again.) So we used scanners, OCR conversion and e-counting.
That is similar to Abd's ballot imaging suggestion.
I assume that the images used for the OCR aren't made
available to the public?
Correct - the images were not made available. Those that were subject to adjudication by a Returning Officer were seen, by all
who want to look, on a computer screen, large or small, during the count. The images (and the adjudication decisions on them) are
stored on the hard drives used at each of the 32 counting centres. These disks have to be kept securely for four years - no
access to anyone except with a Court Order. All the ballot papers and all the other paper records from the elections and counts had
to be destroyed securely one year after polling day.
Post by Raph Frank
The Scottish Government is promoting further use of
STV-PR for various directly elected bodies. This is raising issues
about the long-term provision of the equipment necessary for
e-processing of the ballot papers for all these different public
elections and about the software that will be used for scanning, OCR
and counting.
This can be solved by just publishing the ballot images.
This way everyone can work out their own result.
Yes, BUT adjudication on "doubtful" images can be critical. So if you had access to the images and ran them through your own OCR
software you may well come up with different vote files. Interestingly, in one pre-election "validation test" of the electronic
processing versus manual counting for the STV-PR elections, the results were different - due only to a difference in the
adjudication decision the ROs made when they looked at the on-screen image and when they looked at the actual ballot paper.
Post by Raph Frank
Concerns about "black box" processing have been somewhat muted so far,
but there have been calls for all blank ballot papers to be subject to
individual adjudication by the Returning Officer under scrutiny of the
candidates and their agents. This is an example of the ridiculous
double-standards that are being applied to e-processing, because
straightforward blank ballot papers would never be subject to
Returning Officer adjudication in a manual count.
A blank ballot is one that has no writing on it, or one that is not used?
"Blank ballot paper" here means one that came out of a sealed ballot box at the counting centre and had no vote recorded on it.
Ballot papers that are not issued to electors at a polling place (= precinct) are sealed up at the polling place by the presiding
officer at the close of the poll. When each ballot box is opened, there is a reconciliation of: 1. the numbers of ballot papers in
the box; 2. the numbers of ballot papers not used; and 3. the numbers of ballot papers issued and replaced as "spoilt" - these
should add to the total number of ballot papers issued for that polling station within that polling place. (There can be two or
more polling stations within one polling place - in Scotland.)

Those who want access to real ballot data from real elections (STV-PR) will be interested to know that the full ballot data for each
of the 21 wards (= local government electoral districts) within the City of Glasgow were published on the City Council's website at
the conclusion of the count on 4 May 2007. No other Returning Officer has published the full ballot data in this way. The file of
preference profiles was one of the automatic outputs from the eSTV counting program. It is arguable that in publishing the full
ballot data, the Glasgow Returning Officer broke the current law, but no-one has demanded that he remove the data, and the Scottish
Government is proposing to make this a requirement for all local government elections. This MAY be applied retrospectively so that
we get all the data from the 2007 STV-PR elections. Meanwhile, the Glasgow data are invaluable resources for research, as they show
what real voters do in real elections.

James





----
Election-Methods mailing list - see http://electorama.com/em for list info
Raph Frank
2008-10-04 22:01:29 UTC
Permalink
Post by James Gilmour
Correct - the images were not made available. Those that were subject to adjudication by a Returning Officer were seen, by all
who want to look, on a computer screen, large or small, during the count. The images (and the adjudication decisions on them) are
stored on the hard drives used at each of the 32 counting centres. These disks have to be kept securely for four years - no
access to anyone except with a Court Order.
What is the basis for granting access?
Post by James Gilmour
Yes, BUT adjudication on "doubtful" images can be critical. So if you had access to the images and ran them through your own OCR
software you may well come up with different vote files. Interestingly, in one pre-election "validation test" of the electronic
processing versus manual counting for the STV-PR elections, the results were different - due only to a difference in the
adjudication decision the ROs made when they looked at the on-screen image and when they looked at the actual ballot paper.
Abd's proposal is to apply a serial number to each ballot (after it
comes out of the ballot box).

There would probably be consensus on 99% of the ballots and then the
returning officer can check the last 1%.

A judge might be called in for 0.1%, if there still was a dispute
after the RO gave a decision on the disputed ballots.

If there was a large number of disputed ballots, it could be done on a
sampling basis.

The petitioner would submit their opinion on what the N ballots are
and the judge might check 10 of them at random. If the petitioner
only got 1 right, 1 reasonable error and 8 clearly wrong, then his
dispute could be dismissed as he is just chancing his arm.
Post by James Gilmour
Post by Raph Frank
A blank ballot is one that has no writing on it, or one that is not used?
"Blank ballot paper" here means one that came out of a sealed ballot box at the counting centre and had no vote recorded on it.
Ahh, it is a check that all ballot papers are accounted for? I
wouldn't see an issue with imaging them too.
Post by James Gilmour
Those who want access to real ballot data from real elections (STV-PR) will be interested to know that the full ballot data for each
of the 21 wards (= local government electoral districts) within the City of Glasgow were published on the City Council's website at
the conclusion of the count on 4 May 2007.
Cool, there is also data from Ireland for the 3 constituencies that
ran the pilot e-voting test.
Post by James Gilmour
It is arguable that in publishing the full
ballot data, the Glasgow Returning Officer broke the current law, but no-one has demanded that he remove the data, and the Scottish
Government is proposing to make this a requirement for all local government elections. This MAY be applied retrospectively so that
we get all the data from the 2007 STV-PR elections. Meanwhile, the Glasgow data are invaluable resources for research, as they show
what real voters do in real elections.
Sounds good. This allows theories to be tested based on real data.
They can give examples where voters vote in the same order as the
ballot for lower ranked candidates.
----
Election-Methods mailing list - see http://electorama.com/em for list info
James Gilmour
2008-10-05 23:23:49 UTC
Permalink
Raph Frank > Sent: Saturday, October 04, 2008 11:01 PM
Post by Raph Frank
Post by James Gilmour
These disks have to be kept securely for four years -
no access to anyone except with a Court Order.
What is the basis for granting access?
We do not have any precedents for access to the images of ballot papers because there were no challenges after the May 2007
elections. So we have precedents only for access to actual ballot papers, going back many years. An election court would grant an
order only if a petitioner (usually a candidate backed by a political party) had good grounds for alleging fraud. So far as I know,
we have not had any problems of that kind in the actual counting procedure in UK elections but we have had proven cases of fraud in
the handling of postal ballots. A court MIGHT also grant access (order a recount) if a candidate had good grounds for alleging
that the Returning Officer has misinterpreted the regulations in a way that could have changed the outcome (winner) of the election.
Some party representatives did challenge the ROs' adjudications on some ballot images and these disagreements were recorded in the
electronic system. But none of the parties made any challenge after the elections, although in the Scottish Parliament elections
(MMP) the numbers of rejected ballot papers considerably exceeded the winner's margin in quite a number of the single-member
constituencies.
Post by Raph Frank
There would probably be consensus on 99% of the ballots and
then the returning officer can check the last 1%.
A judge might be called in for 0.1%, if there still was a
dispute after the RO gave a decision on the disputed ballots.
This is not how the process works here in the UK. The RO adjudicates on "doubtful" ballot papers and there are discussions with the
candidates and their agents. They may dispute the RO's decision, but if the RO doesn't back down, the election result is announced.
Then, after the official announcement, any aggrieved person can petition the court for an investigation which would in effect be a
recount.
Post by Raph Frank
Post by James Gilmour
A blank ballot is one that has no writing on it, or one that is not
used?
"Blank ballot paper" here means one that came out of a sealed ballot
box at the counting centre and had no vote recorded on it.
Ahh, it is a check that all ballot papers are accounted for?
I wouldn't see an issue with imaging them too.
Sorry if I didn't make this completely clear. Every ballot paper that is put into a ballot box by a voter is "counted", where that
can mean being identified as "rejected" because it is "invalid" ("informal" in Australia) for any one of several reasons, including
"is blank". The numbers of such rejected ballot papers are reported along with the numbers of valid votes and the candidates'
votes. It is the total number of papers in the ballot box (blanks and all, before such blanks have been identified) that is used in
the reconciliation against the number of papers issued to the Polling Station, when the unused (unissued) papers and any spoilt
(replaced) papers are part of that reconciliation. The numbers of unused ballot papers and the numbers of spoilt ballot papers are
not reported and there is no access to that information after the reconciliation at the opening of each ballot box has been
completed. NB "Rejected ballot papers" and "Spoilt ballot papers" are completely different animals and are both very precisely
defined in the Election Regulations though the media (and some officials!!) use the terms interchangeably - which can cause great
confusion, as it did in May 2007 when there were unprecedented numbers of "rejected ballot papers" in the Scottish Parliament MMP
elections.

James



----
Election-Methods mailing list - see http://electorama.com/em for list info
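The ballot-paper reconciliation described in the message above, as an added example that is not part of the thread. The field names, the rejection reason "other" and the three box returns are constructed for illustration; the two identities checked are the ones the message states (papers in the box plus unused plus spoilt against papers issued, and every paper in the box counted as either valid or rejected).

```python
from dataclasses import dataclass


@dataclass
class BoxReturn:
    """Figures recorded for one ballot box (hypothetical field names)."""
    box_id: str
    issued_to_station: int   # papers issued to the Polling Station
    unused: int              # unissued papers returned
    spoilt: int              # papers replaced at the voter's request
    papers_in_box: int       # everything found in the box, blanks included
    valid_votes: dict        # candidate -> valid votes
    rejected: dict           # rejection reason -> count (e.g. "blank")


def reconcile(box):
    """Return a list of discrepancies for one box; empty means it reconciles."""
    problems = []

    # Check 1: every paper issued to the station is in the box, unused or spoilt.
    accounted = box.papers_in_box + box.unused + box.spoilt
    if accounted != box.issued_to_station:
        diff = accounted - box.issued_to_station
        problems.append(
            f"{box.box_id}: issued {box.issued_to_station}, "
            f"accounted for {accounted} ({diff:+d})"
        )

    # Check 2: every paper that came out of the box is counted, either as a
    # valid vote or as rejected. Spoilt papers never enter the box, so they
    # must not appear here.
    counted = sum(box.valid_votes.values()) + sum(box.rejected.values())
    if counted != box.papers_in_box:
        diff = counted - box.papers_in_box
        problems.append(
            f"{box.box_id}: {box.papers_in_box} papers in box, "
            f"valid + rejected = {counted} ({diff:+d})"
        )
    return problems


def reported_totals(boxes):
    """Totals that are published: valid and rejected only, never spoilt/unused."""
    return {
        "valid": sum(sum(b.valid_votes.values()) for b in boxes),
        "rejected": sum(sum(b.rejected.values()) for b in boxes),
    }


# Constructed sample returns (not real election data).
BOXES = [
    # Reconciles on both checks.
    BoxReturn("BOX-01", 800, 310, 4, 486, {"A": 250, "B": 226},
              {"blank": 6, "other": 4}),
    # Two issued papers are unaccounted for.
    BoxReturn("BOX-02", 600, 200, 3, 395, {"A": 190, "B": 200},
              {"blank": 5}),
    # Spoilt papers wrongly added to the rejected count (the confusion of
    # terms the message warns about), so valid + rejected exceeds the box.
    BoxReturn("BOX-03", 500, 100, 5, 395, {"A": 200, "B": 185},
              {"blank": 10, "other": 5}),
]

if __name__ == "__main__":
    for box in BOXES:
        for line in reconcile(box) or [f"{box.box_id}: reconciles"]:
            print(line)
    print(reported_totals(BOXES[:1]))
```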
Kathy Dopp
2008-08-28 04:16:53 UTC
Subject: Re: [EM] Why We Shouldn't Count Votes with Machines
Regrettably James is making an incorrect analysis of the problem.
I believe that is a mischaracterization because James' prior email
simply cited some recent articles.
BETTER to accept that computers are truly as dependable as their
successful use elsewhere demonstrates,
So since computers work well for problems like banking where errors
are easily detected and corrected due to a lack of anonymity and paper
receipts and banking statements, then we should use computers for
anonymously deposited e-ballots where errors can be virtually
impossible to detect and even more impossible (if that were possible)
to correct? Not good logic unless you think that we should
anonymously deposit our money into banks without any receipts or bank
statements and *trust* bankers blindly too.

Here are some recent articles on this topic (all these articles were I
believe published in August 2008):

AP & USA Today: States throw out costly electronic voting machines
Aug. 19, 2008
http://ap.google.com/article/ALeqM5jej6XIWrQn6-gw5O5bJa1ELx78DgD92LK3E00
http://ap.google.com/article/ALeqM5jej6XIWrQn6-gw5O5bJa1ELx78DgD92LLDO00
http://www.usatoday.com/news/politics/election2008/2008-08-19-electronic-voting_N.htm

Scientific American: Planning to E-Vote? Read This First, Aug. 18, 2008
http://www.sciam.com/article.cfm?id=electronic-election-day

CBS News: Voting Machine Doubts Linger, Aug. 16, 2008
Concerns Over Vulnerability Of Electronic Machines Sending Many States
Back To Paper Ballots
http://www.cbsnews.com/stories/2008/08/16/eveningnews/main4355733.shtml

NY Times: Officials Say Flaws at Polls Will Remain in November, Aug. 16, 2008
[NOTE: Officials in two states admit that their voting machines are
not accurately casting or counting votes]
http://www.nytimes.com/2008/08/16/us/politics/16vote.html

Washington Post: Ohio Voting Machines Contained Programming Error That
Dropped Votes, Aug. 21, 2008 [Note: States like MD with paperless
voting cannot detect the errors in the vote counts via valid audits.
States like OH and UT can detect the dropped votes *if* they do valid
audits (Utah does not.)]
http://voices.washingtonpost.com/the-trail/2008/08/21/ohio_voting_machines_contained.html

Company acknowledges voting machine error, Aug. 21, 2008
http://www.ohio.com/news/ap?articleID=688274&c=y

Ohio's voting machine glitch exposed - Touch-screens can't be fixed
before election, Brunner says
Thursday, August 21, 2008 8:34 PM
http://dispatch.com/live/content/local_news/stories/2008/08/21/voting_machines.html?sid=101

Did Washington waste millions on faulty voting machines? Aug 15, 2008
http://www.mcclatchydc.com/election2008/story/48508.html

Voting System Standards: All Form and No Substance, June 12, 2008
http://washburnsworld.blogspot.com/2008/06/voting-system-standards-all-form-and-no.html

States seek workarounds for e-voting systems
http://www.securityfocus.com/brief/803

How do you compare security across voting systems?
http://www.freedom-to-tinker.com/?p=1367
http://accurate-voting.org/wp-content/uploads/2008/08/risk-eval-final.pdf
http://www.josephhall.org/nqb2/index.php/2008/08/16/nakedeval

States rush to dump touch-screen voting systems, Aug. 21, 2008
http://arstechnica.com/news.ars/post/20080820-states-rush-to-dump-touchscreen-voting-systems.html

Vote fraud, crumbling democracy's bedrock, Aug. 21, 2008
http://www.philly.com/philly/entertainment/20080822_Vote_fraud__crumbling_democracy_s_bedrock.html

Voting Machines Can Never Be Trusted Says GOP Computer Security Expert
http://freeinternetpress.com/story.php?sid=18097

VIDEOS:

Republican computer expert re need to have audited paper ballots
http://realhistoryarchives.blogspot.com/2008/08/republican-computer-expert-re-need-to.html

U-Tube UNCOUNTED CLIPS: WEEK 7: The Electronic Voting Machine Hokey
Pokey (You Put Your Right Vote In. It Spits Your Wrong Vote Out


DIEBOLD[/Premier] ADMITS TO MAJOR ACCURACY FLAWS, Aug. 2008

and
Lou Dobbs: CNN - Democracy at Risk - A voting machine company admits
to software flaws in Ohio elections. Kitty Pilgrim reports.
http://www.cnn.com/video/#/video/bestoftv/2008/08/21/ldt.pilgrim.democracy.at.risk.cnn

Diebold/Premier Actually Admits Its Machines Are Faulty! And That It
Lied About Antivirus Software...
from the wonders-never-cease dept
http://www.techdirt.com/articles/20080822/0352532064.shtml

E-voting vendor: Programming errors caused dropped votes
http://www.networkworld.com/news/2008/082208-e-voting-vendor-programming-errors-caused.html

Vote-Dropping Software Bug Could Gum Up Elections
http://www.linuxinsider.com/story/Vote-Dropping-Software-Bug-Could-Gum-Up-Elections-64259.html

Company admits voting machine error
http://www.usatoday.com/news/politics/election2008/2008-08-21-voting-machine_N.htm

Machines may have vote-dropping glitch
http://www.upi.com/Top_News/2008/08/22/Machines_may_have_vote-dropping_glitch/UPI-88811219407988/

Sarasota County [Florida]- Sarasota told of new voting machine glitch
http://www.heraldtribune.com/article/20080822/ARTICLE/310358&title=Sarasota_told_of_new_voting_machine_glitch

Cheers,

Kathy
----
Election-Methods mailing list - see http://electorama.com/em for list info
Dave Ketchum
2008-08-28 19:32:18 UTC
Post by Kathy Dopp
Subject: Re: [EM] Why We Shouldn't Count Votes with Machines
Regrettably James is making an incorrect analysis of the problem.
I believe that is a mischaracterization because James' prior email
simply cited some recent articles.
And James says so now. Still, it was easy to assume his references
implied agreement with their obvious position.

The references that you provided below seemed to have the same slant
as his.
Post by Kathy Dopp
BETTER to accept that computers are truly as dependable as their
successful use elsewhere demonstrates,
So since computers work well for problems like banking where errors
are easily detected and corrected due to a lack of anonymity and paper
receipts and banking statements, then we should use computers for
anonymously deposited e-ballots where errors can be virtually
impossible to detect and even more impossible (if that were possible)
to correct? Not good logic unless you think that we should
anonymously deposit our money into banks without any receipts or bank
statements and *trust* bankers blindly too.
Except for the anonymity that we properly provide for voters, you have
it backwards:

That anonymity is not a license to produce election equipment:
Without attention to getting the details right, including
minimizing likelihood of trouble from human errors.
Including deliberate falsification of results.

Nor is it a license to purchase such without attention to the quality
being supplied.
Post by Kathy Dopp
Here are some recent articles on this topic (all these articles were I
...
Post by Kathy Dopp
Kathy
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.



----
Election-Methods mailing list - see http://electorama.com/em for list info
James Gilmour
2008-08-28 13:12:34 UTC
Here's an alternative view from the ones I highlighted yesterday, and from the same source:
Resurrecting E-voting
http://blogs.zdnet.com/Murphy/?p=1228&tag=nl.e019

As before, with no endorsement intended, and I would not presume to comment on the technical content.
JG



----
Election-Methods mailing list - see http://electorama.com/em for list info
James Gilmour
2008-10-02 20:58:39 UTC
I thought this might be of interest:

BBC Digital Planet takes a look at Brazil's e-voting system
http://news.bbc.co.uk/1/low/technology/7644751.stm

James


----
Election-Methods mailing list - see http://electorama.com/em for list info
Kathy Dopp
2008-10-03 04:58:37 UTC
James,

Nice sales piece for electronic ballot rigging machines that fails to
mention that it is impossible to ensure that e-votes are not tampered
with.

Here is a great film done by graduate students at the University of
California, Santa Barbara in their Computer Security Group who show
how easy it is to rig elections with any e-ballot voting machines - in
four different ways that would subvert any post-election audits -
because even the voter verifiable paper ballot records are easily
rigged to match fraudulent vote totals:

http://www.cs.ucsb.edu/~seclab/projects/voting/

The graduate students' film is easy for any lay person to understand.
It requires no computer expertise to follow.

It is amazing the utter cr-- that voting machine vendors and election
officials continue to put out to the press that is contrary to all
fact and common sense.

Cheers,
Kathy
Date: Thu, 2 Oct 2008 21:58:39 +0100
Subject: Re: [EM] Why We Shouldn't Count Votes with Machines
BBC Digital Planet takes a look at Brazil's e-voting system
http://news.bbc.co.uk/1/low/technology/7644751.stm
James
----
Election-Methods mailing list - see http://electorama.com/em for list info
Dave Ketchum
2008-10-03 17:26:10 UTC
ANYTHING can get tampered with if enough doors are left ajar, including
paper ballots (such as discarding, editing, or replacing some).

Perhaps some classification would help the thinking:
What is simple for most anyone to do?
What requires skill in prying the doors open?

DWK
Post by Kathy Dopp
James,
Nice sales piece for electronic ballot rigging machines that fails to
mention that it is impossible to ensure that e-votes are not tampered
with.
Here is a great film done by graduate students at the University of
California, Santa Barbara in their Computer Security Group who show
how easy it is to rig elections with any e-ballot voting machines - in
four different ways that would subvert any post-election audits -
because even the voter verifiable paper ballot records are easily
http://www.cs.ucsb.edu/~seclab/projects/voting/
The graduate students' film is easy for any lay person to understand.
It requires no computer expertise to follow.
It is amazing the utter cr-- that voting machine vendors and election
officials continue to put out to the press that is contrary to all
fact and common sense.
Cheers,
Kathy
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.



----
Election-Methods mailing list - see http://electorama.com/em for list info
Kathy Dopp
2008-10-03 17:45:16 UTC
Post by Dave Ketchum
ANYTHING can get tampered with if enough doors are left ajar, including
paper ballots (such as discarding, editing, or replacing some).
True, but paper ballots must be tampered with one at a time and it
takes many many more persons to affect any election by tampering with
paper ballots. Whereas electronic ballots can be tampered with en
masse by one rogue programmer who can fraudulently alter an entire
county's or an entire state's election outcomes.

The risk is far greater for electronic fraud which is also much more
difficult to detect and secure against. Paper ballots are much easier
to secure in a way that is understandable and transparent to citizens
and far more difficult (would take a far larger conspiracy) to tamper
with.

Watch this film for an education. It's great.
http://www.cs.ucsb.edu/~seclab/projects/voting/

Cheers,

Kathy
----
Election-Methods mailing list - see http://electorama.com/em for list info
Dave Ketchum
2008-10-03 19:23:57 UTC
Post by Kathy Dopp
Post by Dave Ketchum
ANYTHING can get tampered with if enough doors are left ajar, including
paper ballots (such as discarding, editing, or replacing some).
True, but paper ballots must be tampered with one at a time and it
takes many many more persons to affect any election by tampering with
paper ballots. Whereas electronic ballots can be tampered with en
masse by one rogue programmer who can fraudulently alter an entire
county's or an entire state's election outcomes.
Paper ballots can be discarded a handful or a boxful at a time.

Rogue programmers SHOULD NOT be invited in, and the real programmers should
provide for noticing if such sneak in.
Post by Kathy Dopp
The risk is far greater for electronic fraud which is also much more
difficult to detect and secure against. Paper ballots are much easier
to secure in a way that is understandable and transparent to citizens
and far more difficult (would take a far larger conspiracy) to tamper
with.
Agreed that unprotected electronic ballots can suffer major theft beyond
what can happen to paper ballots.

More complete defenses are possible with electronics.

Mixed into this, Plurality is easily done with paper; better systems, such
as Condorcet, are difficult with paper, but easily handled with electronics.
Post by Kathy Dopp
Watch this film for an education. It's great.
http://www.cs.ucsb.edu/~seclab/projects/voting/
Cheers,
Kathy
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.



----
Election-Methods mailing list - see http://electorama.com/em for list info
Kathy Dopp
2008-10-04 00:24:09 UTC
Post by Dave Ketchum
More complete defenses are possible with electronics.
Totally FALSE statement.

In fact there has never been even a theoretical design for an
electronic voting system or even electronic paper ballot vote counting
system that does not have known security leaks.

In fact some computer scientists just recently mathematically PROVED
that it is impossible to even verify that the certified software is
actually running on a voting machine.

You are showing a lack of knowledge in the field of computer science
by making such an obviously false, already disproven statement.

Luckily most people disagree with your incorrect opinion and another
state, KY just joined the list of states planning to scrap unauditable
e-ballot voting systems, joining, TN, IA, FL, CA, MD, and a few other
states and a lot of other counties that don't immediately come to mind
now.
Post by Dave Ketchum
Mixed into this, Plurality is easily done with paper; better systems, such
as Condorcet, are difficult with paper, but easily handled with electronics.
Well that is a very good reason to avoid implementing them - because
if they can't be easily done with paper ballots, then they cannot be
assured to be counted accurately.
Post by Dave Ketchum
Post by Kathy Dopp
Watch this film for an education. It's great.
http://www.cs.ucsb.edu/~seclab/projects/voting/
Cheers,

Kathy
----
Election-Methods mailing list - see http://electorama.com/em for list info
James Gilmour
2008-10-04 11:41:20 UTC
Post by Kathy Dopp
Post by Dave Ketchum
Mixed into this, Plurality is easily done with paper; better systems,
such as Condorcet, are difficult with paper, but easily handled with
electronics.
Kathy Dopp > Sent: Saturday, October 04, 2008 1:24 AM
Post by Kathy Dopp
Well that is a very good reason to avoid implementing them -
because if they can't be easily done with paper ballots, then
they cannot be assured to be counted accurately.
This raises a very interesting point - how to balance the risk of failing to detect a low level of fraud against the known wasting
of very large numbers of votes by the plurality voting system. (I say "low level of fraud", because any high level should be
readily detectable.)

Of course, we don't want any fraud, and we don't want any fraud to go undetected, and we don't want the outcome of any election
determined by fraud, no matter how low the level of that fraud may be. But to use the ease of detecting fraud as the sole criterion
for selecting a voting system is almost certainly to lose sight of the much larger "losses of votes" that occur in every plurality
election.

In the UK, Canada and in most countries using plurality (except USA), the voting system discards the votes of around half of those
who vote - sometimes a little more than half, sometimes a little less. In some plurality elections large numbers of the elected
members are elected with only a minority of the votes cast in the single-member districts. The evidence on this is abundant and
worldwide. The exception is the USA, where, for example, in elections to the House of Representatives, only one-third of the votes
are wasted in this way. The reason is probably related to successful incumbent gerrymandering of the district boundaries and to the
effects of holding primary elections. But even in the USA, around one-third of the votes are wasted by the plurality voting system.

So to look at the overall picture with a voting system like plurality, should we reject any move to a voting system that would give
effect to more of the votes actually cast because it might be more difficult to detect a low level of fraud in such a voting system?

James


----
Election-Methods mailing list - see http://electorama.com/em for list info
Terry Bouricius
2008-10-04 13:29:54 UTC
To put a different slant on James Gilmour's message about fraud vs. wasted
votes under plurality voting...

I'm sure Kathy Dopp (on this list for a few months now) will note that
"high level" fraud is possible without detection on current voting
technology, which is why systems should be universally subject to manual
audits. On the other hand, current plurality voting doesn't just "waste"
votes, it often elects the "wrong" candidate even WITHOUT any fraud.

Under Plurality voting rules, a candidate can be declared elected who
would lose in every possible one-on-one match up with each of the other
candidates (the Condorcet Loser). This "winner" would also be outside the
mutual-majority set (those candidates that a solid majority of all voters
prefer over this plurality "winner").

The point is, that even with ZERO FRAUD, the current U.S. voting system
regularly elects candidates that the majority of voters believe are the
wrong ones.

Some election integrity activists have taken the mistaken stance that no
improvement in voting methods should be pursued until the fraud issue is
perfectly fixed. But in the mean time "honest" elections, using our
defective plurality voting method, regularly elect the wrong candidate. A
bit like obsessing on fixing the rotten clapboard on the back of the barn,
while ignoring that the barn door is wide open and the cows are leaving.

Terry Bouricius

----- Original Message -----
From: "James Gilmour" <***@globalnet.co.uk>
To: <***@gmail.com>; "'Dave Ketchum'" <***@clarityconnect.com>
Cc: <election-***@lists.electorama.com>
Sent: Saturday, October 04, 2008 7:41 AM
Subject: Re: [EM] Why We Shouldn't Count Votes with Machines
Post by Kathy Dopp
Post by Dave Ketchum
Mixed into this, Plurality is easily done with paper; better systems,
such as Condorcet, are difficult with paper, but easily handled with
electronics.
Kathy Dopp > Sent: Saturday, October 04, 2008 1:24 AM
Post by Kathy Dopp
Well that is a very good reason to avoid implementing them -
because if they can't be easily done with paper ballots, then
they cannot be assured to be counted accurately.
This raises a very interesting point - how to balance the risk of failing
to detect a low level of fraud against the known wasting
of very large numbers of votes by the plurality voting system. (I say
"low level of fraud", because any high level should be
readily detectable.)

Of course, we don't want any fraud, and we don't want any fraud to go
undetected, and we don't want the outcome of any election
determined by fraud, no matter how low the level of that fraud may be.
But to use the ease of detecting fraud as the sole criterion
for selecting a voting system is almost certainly to lose sight of the
much larger "losses of votes" that occur in every plurality
election.

In the UK, Canada and in most countries using plurality (except USA), the
voting system discards the votes of around half of those
who vote - sometimes a little more than half, sometimes a little less. In
some plurality elections large numbers of the elected
members are elected with only a minority of the votes cast in the
single-member districts. The evidence on this is abundant and
worldwide. The exception is the USA, where, for example, in elections to
the House of Representatives, only one-third of the votes
are wasted in this way. The reason is probably related to successful
incumbent gerrymandering of the district boundaries and to the
effects of holding primary elections. But even in the USA, around
one-third of the votes are wasted by the plurality voting system.

So to look at the overall picture with a voting system like plurality,
should we reject any move to a voting system that would give
effect to more of the votes actually cast because it might be more
difficult to detect a low level of fraud in such a voting system?

James

----
Election-Methods mailing list - see http://electorama.com/em for list info
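The Condorcet Loser and mutual-majority claims in the message above, and the pairwise tally that an earlier post calls difficult on paper, as an added example that is not part of the thread. The ballot profile and all function names are constructed for illustration; candidates a voter leaves unranked are assumed to sit below every candidate that voter ranked.

```python
from collections import Counter
from itertools import permutations

# Constructed profile (not real election data): ranking -> number of voters.
BALLOTS = {
    ("A", "B", "C"): 40,
    ("B", "C", "A"): 35,
    ("C", "B", "A"): 25,
}


def candidates(ballots):
    return sorted({c for ranking in ballots for c in ranking})


def plurality_winner(ballots):
    """Candidate with the most first preferences, or None on a tie."""
    tally = Counter()
    for ranking, n in ballots.items():
        if ranking:
            tally[ranking[0]] += n
    top = max(tally.values())
    leaders = [c for c, v in tally.items() if v == top]
    return leaders[0] if len(leaders) == 1 else None


def pairwise(ballots):
    """wins[(x, y)] = number of voters who rank x above y."""
    cands = candidates(ballots)
    wins = {pair: 0 for pair in permutations(cands, 2)}
    for ranking, n in ballots.items():
        pos = {c: i for i, c in enumerate(ranking)}
        bottom = len(cands)  # assumed position of unranked candidates
        for x, y in wins:
            if pos.get(x, bottom) < pos.get(y, bottom):
                wins[(x, y)] += n
    return wins


def condorcet_winner(ballots):
    """Candidate who wins every one-on-one match-up, or None."""
    wins = pairwise(ballots)
    cands = candidates(ballots)
    for x in cands:
        if all(wins[(x, y)] > wins[(y, x)] for y in cands if y != x):
            return x
    return None


def condorcet_loser(ballots):
    """Candidate who loses every one-on-one match-up, or None."""
    wins = pairwise(ballots)
    cands = candidates(ballots)
    for x in cands:
        if all(wins[(x, y)] < wins[(y, x)] for y in cands if y != x):
            return x
    return None


def solid_support(ballots, group):
    """Voters who rank every member of `group` above every non-member."""
    group = set(group)
    return sum(n for ranking, n in ballots.items()
               if set(ranking[:len(group)]) == group)


if __name__ == "__main__":
    total = sum(BALLOTS.values())
    print("plurality winner:", plurality_winner(BALLOTS))
    print("Condorcet winner:", condorcet_winner(BALLOTS))
    print("Condorcet loser: ", condorcet_loser(BALLOTS))
    print("voters solidly behind {B, C}:",
          solid_support(BALLOTS, {"B", "C"}), "of", total)
```

In this profile A wins under plurality with 40 first preferences, yet loses both one-on-one match-ups 40 to 60 and sits outside the set {B, C} that 60 of 100 voters rank above A.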
Dave Ketchum
2008-10-04 18:36:34 UTC
THANK YOU, Terry & James.

Plurality does fine with two candidates, or with one obvious winner over
others. It is unable, even with top-two Runoffs, to satisfy voter needs to
identify:
Best - hoped for winner.
Next - hoped for if best loses.
Remainder - not as good as above.

French voters, a few years ago, talked of rioting when they saw what
Plurality offered to Runoff.

Look at this year's competition between Obama and Clinton - something
more practically attended to in November, given a capable election method.

DWK
Post by Terry Bouricius
To put a different slant on James Gilmour's message about fraud vs. wasted
votes under plurality voting...
I'm sure Kathy Dopp (on this list for a few months now) will note that
"high level" fraud is possible without detection on current voting
technology, which is why systems should be universally subject to manual
audits. On the other hand, current plurality voting doesn't just "waste"
votes, it often elects the "wrong" candidate even WITHOUT any fraud.
Under Plurality voting rules, a candidate can be declared elected who
would lose in every possible one-on-one match up with each of the other
candidates (the Condorcet Loser). This "winner" would also be outside the
mutual-majority set (those candidates that a solid majority of all voters
prefer over this plurality "winner").
The point is, that even with ZERO FRAUD, the current U.S. voting system
regularly elects candidates that the majority of voters believe are the
wrong ones.
Some election integrity activists have taken the mistaken stance that no
improvement in voting methods should be pursued until the fraud issue is
perfectly fixed. But in the mean time "honest" elections, using our
defective plurality voting method, regularly elect the wrong candidate. A
bit like obsessing on fixing the rotten clapboard on the back of the barn,
while ignoring that the barn door is wide open and the cows are leaving.
Terry Bouricius
----- Original Message -----
Sent: Saturday, October 04, 2008 7:41 AM
Subject: Re: [EM] Why We Shouldn't Count Votes with Machines
Post by Kathy Dopp
Post by Dave Ketchum
Mixed into this, Plurality is easily done with paper; better systems,
such as Condorcet, are difficult with paper, but easily handled with
electronics.
Kathy Dopp > Sent: Saturday, October 04, 2008 1:24 AM
Post by Kathy Dopp
Well that is a very good reason to avoid implementing them -
because if they can't be easily done with paper ballots, then
they cannot be assured to be counted accurately.
This raises a very interesting point - how to balance the risk of failing
to detect a low level of fraud against the known wasting
of very large numbers of votes by the plurality voting system. (I say
"low level of fraud", because any high level should be
readily detectable.)
Of course, we don't want any fraud, and we don't want any fraud to go
undetected, and we don't want the outcome of any election
determined by fraud, no matter how low the level of that fraud may be.
But to use the ease of detecting fraud as the sole criterion
for selecting a voting system is almost certainly to lose sight of the
much larger "losses of votes" that occur in every plurality
election.
In the UK, Canada and in most countries using plurality (except USA), the
voting system discards the votes of around half of those
who vote - sometimes a little more than half, sometimes a little less. In
some plurality elections large numbers of the elected
members are elected with only a minority of the votes cast in the
single-member districts. The evidence on this is abundant and
worldwide. The exception is the USA, where, for example, in elections to
the House of Representatives, only one-third of the votes
are wasted in this way. The reason is probably related to successful
incumbent gerrymandering of the district boundaries and to the
effects of holding primary elections. But even in the USA, around
one-third of the votes are wasted by the plurality voting system.
So to look at the overall picture with a voting system like plurality,
should we reject any move to a voting system that would give
effect to more of the votes actually cast because it might be more
difficult to detect a low level of fraud in such a voting system?
James
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.



----
Election-Methods mailing list - see http://electorama.com/em for list info
James Gilmour
2008-10-04 22:59:51 UTC
Dave Ketchum > Sent: Saturday, October 04, 2008 7:37 PM
Post by Dave Ketchum
Plurality does fine with two candidates, or with one obvious
winner over others.
I am horrified to read this statement on this list. It is completely and utterly untrue. Plurality fails on almost every count
even when there are only two candidates in each electoral district and even when only two parties contest the elections.

Granted, if there are only two candidates within each district the plurality winner must have a majority of the votes within the
district. But there the "satisfactory" performance of plurality ends. Almost half the voters can be left without representation -
and that happens in large numbers of districts, even when not in all. Plurality distorts the voters' wishes and exaggerates swings
in party support, even when there are only two parties. Just look at these results from two successive general elections in
Jamaica:

            1976              1980
        %votes  seats     %votes  seats
PNP       57     47         43      9
JLP       43     13         57     51

Even if the electoral districts have nearly equal electorates, differential turnout can mean that plurality puts the "wrong" party
in power.

No, plurality is a rotten voting system and it is a pernicious myth that it works OK when there are only two parties or only two
contesting candidates in each electoral district. We British who spread this appalling voting system around the world owe the
electors of many countries an almighty apology for this dreadful legacy!!

James


----
Election-Methods mailing list - see http://electorama.com/em for list info
Dave Ketchum
2008-10-05 00:16:26 UTC
Post by James Gilmour
Dave Ketchum > Sent: Saturday, October 04, 2008 7:37 PM
Post by Dave Ketchum
Plurality does fine with two candidates, or with one obvious
winner over others.
I am horrified to read this statement on this list. It is completely and utterly untrue. Plurality fails on almost every count
even when there are only two candidates in each electoral district and even when only two parties contest the elections.
We have to be doing different topics.

PROVIDED there are only two candidates, all there is to do is pick one -
and many methods can manage this with about equal effort.

I promote Condorcet BECAUSE I like what it does with more candidates.

Other methods have value in their environments.

....
Post by James Gilmour
No, plurality is a rotten voting system and it is a pernicious myth that it works OK when there are only two parties or only two
contesting candidates in each electoral district. We British who spread this appalling voting system around the world owe the
electors of many countries an almighty apology for this dreadful legacy!!
James
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.



Bob Richard
2008-10-05 00:34:51 UTC
Post by Dave Ketchum
We have to be doing different topics.
I'm afraid that Dave and James Gilmour are indeed "doing different
topics". I gather that, for Dave, it is taken for granted that elections
are held to fill a single seat (or executive branch office). The choice
between winner-take-all in single-member districts and PR just isn't
part of this discussion. I'm afraid that's true of an awful lot of
discussions held within the framework of social choice theory.

For James, I suspect that the choice between winner-take-all and PR is
fundamental. It's definitely fundamental for me.
--
Bob Richard
Marin Ranked Voting
P.O. Box 235
Kentfield, CA 94914-0235
415-256-9393
http://www.marinrankedvoting.org

Dave Ketchum
2008-10-05 01:34:26 UTC
Post by Bob Richard
Post by Dave Ketchum
We have to be doing different topics.
I'm afraid that Dave and James Gilmour are indeed "doing different
topics". I gather that, for Dave, it is taken for granted that elections
are held to fill a single seat (or executive branch office). The choice
between winner-take-all in single-member districts and PR just isn't
part of this discussion. I'm afraid that's true of an awful lot of
discussions held within the framework of social choice theory.
For James, I suspect that the choice between winner-take-all and PR is
fundamental. It's definitely fundamental for me.
Interesting that this exchange started in a post where I began with
"Plurality does fine with two candidates, or with one obvious winner over
others. It is unable...".

I was arguing against Plurality and for Condorcet, but it seems like method
matters little when, for whatever reason, there are either:
Only two candidates to pick one from or
One candidate expects a strong majority of the votes.

I admit to spending little effort on PR, partly because I cannot now vote
in such elections - but see need to try to improve single seat, as in
electing a mayor.
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.



James Gilmour
2008-10-05 11:22:37 UTC
Dave Ketchum > Sent: Sunday, October 05, 2008 1:16 AM
Post by Dave Ketchum
We have to be doing different topics.
Yes, we must indeed be doing different topics.

If you are electing the City Mayor or the State Governor and there are only two candidates, plurality is as good as it gets. If
there are more than two candidates you can do better with a different voting system - some favour a Condorcet approach, some IRV,
and some promote a variety of other voting systems.

But the context in which my comment was set was much broader, following on from the general suggestion that we should not move from
plurality (with single-member districts implied) to more complex voting systems because the possibility of detecting electoral fraud
might thereby be reduced. That proposition was not specific to single-office elections, but was relevant to the discussion of more
general electoral reform on this list and under this topic (with some non-USA examples), a discussion that is taking place in both
the USA and Canada that could see city councils and state legislatures (and perhaps even the US House of Representatives and the
Senate!!) elected by voting systems that would give more representative results than the present plurality.

My problem with the statement "Plurality does fine with two candidates ..." is that I have heard it so many times over the years,
mainly from those who are opposed to any reform that would make our various assemblies more representative, but sadly also from some
who support reform of the voting system but say it would not need any change if there were only two parties. That extrapolation
from single-office elections to assembly elections is not valid. In my experience the statement is unhelpful and hinders the cause
of reform - hence my reaction to it.

James

Dave Ketchum
2008-10-06 00:38:42 UTC
Post by James Gilmour
Dave Ketchum > Sent: Sunday, October 05, 2008 1:16 AM
Post by Dave Ketchum
We have to be doing different topics.
Actually we seem together on topics, but you reacted to what you took as a
cue statement without noticing what I was saying. Perhaps the following
wording would get my actual thoughts noticed by more:
While many methods, including Plurality, have no trouble correctly
picking the winner when there are only two candidates, Plurality restricts
voters unacceptably when there are more than two candidates and many voters
want to show more than one as better than the remainder - which happens often.

To clarify, assume this voter wants Tom but, knowing that Tom may not win,
wants to show preference for Dick over the remaining lemons.
Post by James Gilmour
Yes, we must indeed be doing different topics.
If you are electing the City Mayor or the State Governor and there are only two candidates, plurality is as good as it gets. If
there are more than two candidates you can do better with a different voting system - some favour a Condorcet approach, some IRV,
and some promote a variety of other voting systems.
But the context in which my comment was set was much broader, following on from the general suggestion that we should not move from
plurality (with single-member districts implied) to more complex voting systems because the possibility of detecting electoral fraud
might thereby be reduced. That proposition was not specific to single-office elections, but was relevant to the discussion of more
general electoral reform on this list and under this topic (with some non-USA examples), a discussion that is taking place in both
the USA and Canada that could see city councils and state legislatures (and perhaps even the US House of Representatives and the
Senate!!) elected by voting systems that would give more representative results than the present plurality.
My problem with the statement "Plurality does fine with two candidates ..." is that I have heard it so many times over the years,
mainly from those who are opposed to any reform that would make our various assemblies more representative, but sadly also from some
who support reform of the voting system but say it would not need any change if there were only two parties. That extrapolation
from single-office elections to assembly elections is not valid. In my experience the statement is unhelpful and hinders the cause
of reform - hence my reaction to it.
Given such a statement, might be useful to emphasize that there are often
more than two candidates and therefore voters need ability to identify
which two or more are best liked - which Plurality cannot support.
Post by James Gilmour
James
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.



Jonathan Lundell
2008-10-06 03:08:40 UTC
Post by Dave Ketchum
While many methods, including Plurality, have no trouble
correctly picking the winner when there are only two candidates,
Plurality restricts voters unacceptably when there are more than two
candidates and many voters want to show more than one as better than
the remainder - which happens often.
The issue is not the number of candidates, but rather the number of
seats to be filled. Yes, it would be fine to have a better method than
plurality to fill the very few necessarily single executive seats that
we vote for, but that's a minor matter compared to the difference
between single-member districts and multi-member districts with PR.

Suppose we could contravene the laws of mathematics and invent a
single-seat method that was Condorcet-compliant and satisfied LNH/H in
the bargain. The degree of representation achieved by such a method is
dramatically worse than any decent PR system.


BTW, it seems to me that there's a relatively straightforward solution
in principle to the problem of computerized vote counting, based on
the use of separate data-entry and counting processes. Let voters vote
on paper, either by hand or with an electronic marking machine, enter
the ballot data, perhaps by scanning, in such a way that the resulting
ballot data can be verified by hand against the paper ballots, and
permit counting by multiple independent counting programs.

There are nontrivial details to be resolved, in particular ballot
secrecy and the resolution of conflicting results, but it seems to me
that it's a fairly contained set of problems.

Kathy Dopp
2008-10-06 03:21:00 UTC
Jonathan

Not a bad solution at all Jonathan, although there is a lack of
transparency to any electronic count for the average citizen - and
IRV/STV counting methods are virtually impossible to audit with
anything less than a 100% manual count and are virtually impossible to
accurately manually count in some election contests.

But I like this solution for any alternative voting method that does
not have all the other severe flaws of the IRV/STV method.

Ballot level auditing does have certain challenges as you mention.

Kathy
--
Kathy Dopp

The material expressed herein is the informed product of the author
Kathy Dopp's fact-finding and investigative efforts. Dopp is a
Mathematician, Expert in election audit mathematics and procedures; in
exit poll discrepancy analysis; and can be reached at

P.O. Box 680192
Park City, UT 84068
phone 435-658-4657

http://utahcountvotes.org
http://electionmathematics.org
http://electionarchive.org

How to Audit Election Outcome Accuracy
http://electionarchive.org/ucvAnalysis/US/paper-audits/VoteCountAuditBillRequest.pdf

History of Confidence Election Auditing Development & Overview of
Election Auditing Fundamentals
http://electionarchive.org/ucvAnalysis/US/paper-audits/History-of-Election-Auditing-Development.pdf

Voters Have Reason to Worry
http://utahcountvotes.org/UT/UtahCountVotes-ThadHall-Response.pdf

Jonathan Lundell
2008-10-09 01:14:17 UTC
Post by Kathy Dopp
Jonathan
Not a bad solution at all Jonathan, although there is a lack of
transparency to any electronic count for the average citizen
That's true enough, though it's also true that the average citizen
isn't going to recount (or even observe a recount of) a plurality
election. I've participated in one myself, and it requires true
dedication.
Post by Kathy Dopp
- and
IRV/STV counting methods are virtually impossible to audit with
anything less than a 100% manual count and are virtually impossible to
accurately manually count in some election contests.
That's the point of my suggestion, though: it's easy to audit, either
100% or by sampling, the ballot file, and a concerned voter could
surely find an independent counter that she trusted, even if she
couldn't manage the count on her own.

The system could easily provide a set of test files with known results
such that a prospective counter could have reasonable assurance that
their counting software was counting correctly. Of course, in order to
challenge a count, the challenger's counting software would have to be
open-source, so it could be independently confirmed that the
discrepancy wasn't due to a bug.
Post by Kathy Dopp
But I like this solution for any alternative voting method that does
not have all the other severe flaws of the IRV/STV method.
Well, we disagree on the merits of STV, but my suggestion is really
method-independent.
Post by Kathy Dopp
Ballot level auditing does have certain challenges as you mention.
Kathy

Kathy Dopp
2008-10-09 01:26:04 UTC
Post by Jonathan Lundell
That's true enough, though it's also true that the average citizen isn't
going to recount (or even observe a recount of) a plurality election. I've
participated in one myself, and it requires true dedication.
True. But citizens should have that option, and having that option is
a deterrent to fraud.
Post by Jonathan Lundell
That's the point of my suggestion, though: it's easy to audit, either 100%
or by sampling, the ballot file, and a concerned voter could surely find an
independent counter that she trusted, even if she couldn't manage the count
on her own.
Well, but it's virtually impossible for an average citizen to figure
out how to count all those votes in time before the election is
certified, and also introduces problems with vote buying and loss of
ballot privacy if all the choices are publicly published. I
personally would not trust any independent counter to get it right if
I could not verify it myself - due to the complexity of the count and
the likelihood of innocent errors, even if I trusted someone, I would
not trust them to correctly write the programs to count IRV.
Post by Jonathan Lundell
The system could easily provide a set of test files with known results such
that a prospective counter could have reasonable assurance that their
counting software was counting correctly. Of course, in order to challenge a
count, the challenger's counting software would have to be open-source, so
it could be independently confirmed that the discrepancy wasn't due to a
bug.
That method of trying to ensure accurate elections would do nothing
whatsoever to ensure accurate election vote counts. That is akin to
today's incompetent election officials who insist that simply because
the machines can accurately count a set of test ballots before or
after the election, that *must* mean that the election day results are
accurate. That idea is insane because anyone who has studied computer
science knows better.
Post by Jonathan Lundell
Well, we disagree on the merits of STV, but my suggestion is really
method-independent.
Your method is not method-independent because the only way to check
machine counts is with hand counts and some methods are LOTS easier to
accurately and efficiently hand count than other methods, and checking
the results of running a small set of test ballots, or even a large
set, does zip to check election results accuracy.

Cheers,

Kathy

Jonathan Lundell
2008-10-09 01:37:14 UTC
Post by Kathy Dopp
Your method is not method-independent because the only way to check
machine counts is with hand counts and some methods are LOTS easier to
accurately and efficiently hand count than other methods, and checking
the results of running a small set of test ballots, or even a large
set, does zip to check election results accuracy.
My suggestion of test data sets is simply a convenience to the authors
of counting software, to provide a first-level check of their
correctness. The real verification is in the agreement of many
independent counters.

STV counting software isn't actually all that difficult to read and
understand (not for everybody, of course, but for a very large number
of people). I'd be willing to rely on a computerized count in which
many independent, open-source counting programs (which could certainly
include some written by critics of the system) agreed on the result.

That's not really necessary for IRV, of course, which is easy, if a
little tedious, to count by hand.
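
Added example (not part of any post in this thread, and not the software used by any jurisdiction named in it): a sketch of the separation discussed above, with a published ballot file pinned by a hash, two independently written IRV counters, and a ballot-level sample audit against the paper record. The ballots, function names and the alphabetical tie-break are constructed assumptions. It shows that agreement between counters only checks the counting, while the audit is what checks the ballot file itself.

```python
import hashlib
import random
from collections import Counter
from math import comb

# Constructed sample data: ballot id -> ranking as hand-read from the paper ballot.
PAPER = dict(enumerate(
    [("A", "B", "C")] * 8 + [("B", "C", "A")] * 6 + [("C", "B", "A")] * 5 + [("C",)] * 2))

def file_digest(ballots):
    """SHA-256 over a canonical text form, so every counter can confirm
    it is counting the same published ballot file."""
    lines = (f"{i}:{'>'.join(r)}" for i, r in sorted(ballots.items()))
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()

def irv_counter_one(ballots):
    """Counter 1: walk every ballot each round, crediting its top live choice."""
    remaining = {c for r in ballots.values() for c in r}
    while True:
        tally = {c: 0 for c in remaining}
        for ranking in ballots.values():
            top = next((c for c in ranking if c in remaining), None)
            if top is not None:          # exhausted ballots count for nobody
                tally[top] += 1
        leader, votes = max(tally.items(), key=lambda kv: (kv[1], kv[0]))
        if votes * 2 > sum(tally.values()) or len(remaining) == 1:
            return leader
        # Assumed tie-break: fewest votes, then alphabetical.
        remaining.discard(min(tally.items(), key=lambda kv: (kv[1], kv[0]))[0])

def irv_counter_two(ballots):
    """Counter 2, written differently: weighted piles of identical rankings,
    with the eliminated candidate struck from every pile."""
    piles = Counter(tuple(r) for r in ballots.values())
    candidates = sorted({c for r in piles for c in r})
    while True:
        firsts = {c: 0 for c in candidates}
        for ranking, n in piles.items():
            if ranking:
                firsts[ranking[0]] += n
        ordered = sorted(candidates, key=lambda c: (firsts[c], c))
        if firsts[ordered[-1]] * 2 > sum(firsts.values()) or len(candidates) == 1:
            return ordered[-1]
        loser = ordered[0]               # same assumed tie-break as counter 1
        candidates.remove(loser)
        struck = Counter()
        for ranking, n in piles.items():
            struck[tuple(c for c in ranking if c != loser)] += n
        piles = struck

def sample_audit(ballot_file, paper, sample_size, seed):
    """Hand-compare a random sample of ballot-file records with the paper
    ballots; returns the ids that disagree. The seed stands in for a random
    value generated in public after the file is published."""
    rng = random.Random(seed)
    ids = rng.sample(sorted(paper), sample_size)
    return [i for i in ids if ballot_file.get(i) != paper[i]]

def detection_probability(total, altered, sample_size):
    """Chance that a uniform sample without replacement contains at least
    one altered record."""
    return 1 - comb(total - altered, sample_size) / comb(total, sample_size)

def tampered_copy(paper):
    """Constructed faulty ballot file: three B>C>A ballots entered as B>A>C."""
    bad = dict(paper)
    for i in (8, 9, 10):
        bad[i] = ("B", "A", "C")
    return bad

if __name__ == "__main__":
    bad = tampered_copy(PAPER)
    for name, ballots in (("faithful file", PAPER), ("faulty file", bad)):
        print(name, file_digest(ballots)[:16],
              "counter one:", irv_counter_one(ballots),
              "counter two:", irv_counter_two(ballots))
    # Both counters agree on each file, yet the two files elect different winners.
    print("full hand comparison finds:", sorted(sample_audit(bad, PAPER, len(PAPER), 1)))
    print("10-of-21 sample detection chance:",
          round(detection_probability(len(PAPER), 3, 10), 3))
```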

James Gilmour
2008-10-22 10:36:11 UTC
This MAY be of interest:
http://www.economist.com/science/tm/displaystory.cfm?story_id=12455414

JG

James Gilmour
2008-10-24 12:01:08 UTC
For an Irish perspective, see:
Gormley told to scrap e-voting proposal
http://www.irishtimes.com/newspaper/ireland/2008/1024/1224715115538.html
JG


Terry Bouricius
2008-10-06 12:42:26 UTC
Jonathan Lundell wrote:

"BTW, it seems to me that there's a relatively straightforward solution
in principle to the problem of computerized vote counting, based on
the use of separate data-entry and counting processes. Let voters vote
on paper, either by hand or with an electronic marking machine, enter
the ballot data, perhaps by scanning, in such a way that the resulting
ballot data can be verified by hand against the paper ballots, and
permit counting by multiple independent counting programs."

That is exactly what Burlington (VT) and San Francisco (CA) do. Optical
scan ballots are used, and the voter rankings are tallied by an official
open-source program, but can also be tallied (and has been tallied) by
other programs, because all of the ballot images are posted on the
Internet. A key element, however, is a hand-audit of a random sample of
machines to assure (to a reasonable degree of confidence) that the
computer record for the ballots matches the paper record. This redundant
record is what makes these ranked-ballot elections significantly MORE
secure than traditional hand-count elections (were some ballots stolen,
added, re-marked to spoil, etc.?) and more secure than all electronic
elections (was there a bribed programmer who inserted a virus?)

Terry Bouricius


Jonathan Lundell
2008-10-06 14:40:32 UTC
Post by Terry Bouricius
"BTW, it seems to me that there's a relatively straightforward solution
in principle to the problem of computerized vote counting, based on
the use of separate data-entry and counting processes. Let voters vote
on paper, either by hand or with an electronic marking machine, enter
the ballot data, perhaps by scanning, in such a way that the resulting
ballot data can be verified by hand against the paper ballots, and
permit counting by multiple independent counting programs."
That is exactly what Burlington (VT) and San Francisco (CA) do. Optical
scan ballots are used, and the voter rankings are tallied by an official
open-source program, but can also be tallied (and has been tallied) by
other programs, because all of the ballot images are posted on the
Internet. A key element, however, is a hand-audit of a random sample of
machines to assure (to a reasonable degree of confidence) that the
computer record for the ballots matches the paper record. This redundant
record is what makes these ranked-ballot elections significantly MORE
secure than traditional hand-count elections (were some ballots stolen,
added, re-marked to spoil, etc.?) and more secure than all electronic
elections (was there a bribed programmer who inserted a virus?)
California has a pretty good statewide requirement for a random (by
precinct IIRC) recount.

However, I'm mildly skeptical on the above, both that SF uses open-
source counting software and that the ballots are available online.
Can you provide URLs for both? I'd love to do some counting myself.

Putting hand-marked ballot images online raises vote-buying issues.

Terry Bouricius
2008-10-07 00:02:39 UTC
Jonathan,

Burlington uses open-source free tallying software (Choice Plus Pro), not
SF.

The Burlington ballot records and software are here
http://www.burlingtonvotes.org/20060307/

As for San Francisco ballots and other election data for one of their
ranked choice voting (RCV) elections...

1. Raw first choice totals reported in all the election reports (
http://www.sfgov.org/site/elections_index.asp?id=68841 )

2. The complete set of RCV rankings, sortable by precinct (
http://www.sfgov.org/site/uploadedfiles/elections/ElectionsArchives/2007/november/BallotImage.txt )

3. The round-by-round RCV tally (in the years, unlike 2007, when an
RCV tally actually occurs) (for example,
http://www.sfgov.org/site/elections_index.asp?id=61583 ), and

4. Statement of vote showing precinct and absentee totals for all
candidates in all precincts (
http://www.sfgov.org/site/uploadedfiles/elections/ElectionsArchives/2007/november/SOV071106.txt )



All of this data is released starting on election night and updated
through the counting of absentee and provisional ballots.



[Source: http://www.sfgov.org/site/elections_index.asp ]



-Terry Bouricius

Jonathan Lundell
2008-10-07 04:45:00 UTC
Post by Terry Bouricius
As for San Francisco ballots and other election data for one of their
ranked choice voting (RCV) elections...
Thanks, that's helpful.

Dave Ketchum
2008-10-04 21:51:44 UTC
Post by Kathy Dopp
Post by Dave Ketchum
More complete defenses are possible with electronics.
Totally FALSE statement.
Sad that we cannot look at the same reality!

Conceded that rogue programmers can do all kinds of destruction if
permitted, we need to evict the rogues and proceed carefully.
Post by Kathy Dopp
In fact there has never been even a theoretical design for an
electronic voting system or even electronic paper ballot vote counting
system that does not have known security leaks.
This is not proof that quality is impossible.
Post by Kathy Dopp
In fact some computer scientists just recently mathematically PROVED
that it is impossible to even verify that the certified software is
actually running on a voting machine.
Tell us more, a bit more convincingly as to fact behind this opinion -
assuming proper defenses.
Post by Kathy Dopp
You are showing a lack of knowledge in the field of computer science
by making such an obviously false, already disproven statement.
Luckily most people disagree with your incorrect opinion and another
state, KY just joined the list of states planning to scrap unauditable
e-ballot voting systems, joining, TN, IA, FL, CA, MD, and a few other
states and a lot of other counties that don't immediately come to mind
now.
Sad that we have been afflicted with such a surplus of failures,
complicated by fact that many of them could and should have been recognized
as such, and disposed of earlier in their life.
Post by Kathy Dopp
Post by Dave Ketchum
Mixed into this, Plurality is easily done with paper; better systems, such
as Condorcet, are difficult with paper, but easily handled with electronics.
Well that is a very good reason to avoid implementing them - because
if they can't be easily done with paper ballots, then they cannot be
assured to be counted accurately.
Mixed in with this is Plurality's inability to accurately measure and count
voters' true desires - a reason for looking for a more accurate method,
even if it may be more difficult to perform.
Post by Kathy Dopp
Post by Dave Ketchum
Post by Kathy Dopp
Watch this film for an education. It's great.
http://www.cs.ucsb.edu/~seclab/projects/voting/
They truly did look for, and found, bunches of flaws.
Post by Kathy Dopp
Cheers,
Kathy
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.



Kathy Dopp
2008-10-05 20:16:39 UTC
Post by Dave Ketchum
Post by Kathy Dopp
In fact some computer scientists just recently mathematically PROVED
that it is impossible to even verify that the certified software is
actually running on a voting machine.
Tell us more, a bit more convincingly as to fact behind this opinion -
assuming proper defenses.
Here is the info. I have not read the proof yet myself:

"In 'An Undetectable Computer Virus,' David Chess and Steven White show
that you can always create a vote changing program (called virus
there) that no "verification software" can ever detect.

---

It seems to me that most of the persons on this list would rather have
votes fraudulently counted using some alternative voting scheme that
requires an unverifiable unauditable electronic voting system, than
accurately counted using the plurality election method.

Curious.

Cheers,

Kathy

James Gilmour
2008-10-05 20:33:31 UTC
Kathy Dopp > Sent: Sunday, October 05, 2008 9:17 PM
Post by Kathy Dopp
It seems to me that most of the persons on this list would
rather have votes fraudulently counted using some alternative
voting scheme that requires an unverifiable unauditable
electronic voting system, than accurately counted using the
plurality election method.
Curious.
No, Kathy, it is not at all curious. I, and I suspect many others, would much rather have our votes counted by a system that gave
effect to most of the votes cast but had a low risk of undetected fraud than to have them counted by plurality that routinely gives
effect to only 50% of the votes cast and still has some risk of undetected fraud. The small increase in the risk of undetected
fraud, undesirable though it may be, is totally outweighed by the massive gain in effective representation of the voters.

James


----
Election-Methods mailing list - see http://electorama.com/em for list info
Kristofer Munsterhjelm
2008-10-05 22:06:08 UTC
Permalink
Post by Kathy Dopp
Post by Dave Ketchum
Post by Kathy Dopp
In fact some computer scientists just recently mathematically PROVED
that it is impossible to even verify that the certified software is
actually running on a voting machine.
Tell us more, a bit more convincingly as to fact behind this opinion -
assuming proper defenses.
"In 'An Undetectable Computer Virus,' David Chess and Steven White show
that you can always create a vote changing program (called virus
there) that no "verification software" can ever detect.
Without having read the paper, I suspect this is a reduction to the
Halting problem. Of interest regarding my earlier idea of
special-purpose machines is that most voting systems don't need full
Turing capability to find out who the winner is, so one may be able to
make a program (or chip) for counting votes that can be proven not to
have modifications (subject to the assumptions of the surrounding,
less-than-Turing, framework).
Post by Kathy Dopp
It seems to me that most of the persons on this list would rather have
votes fraudulently counted using some alternative voting scheme that
requires an unverifiable unauditable electronic voting system, than
accurately counted using the plurality election method.
Curious.
Say that the losses due to fraud are p. Also say that the losses due to
using Plurality is q. Then, if there is no fraud at all under Plurality,
and a lot of fraud under the better method, and p < q, then switching to
an alternative voting scheme, even if that would lead to fraud, is an
improvement. This is a quick and dirty argument (because surely there
can be some fraud under Plurality, and no voting method would work if
all the ballots have been subject to fraud, i.e. the entire input is
garbage), but it should get the point across.
----
Election-Methods mailing list - see http://electorama.com/em for list info
Dave Ketchum
2008-10-06 03:40:26 UTC
Permalink
Post by Kathy Dopp
Post by Dave Ketchum
Post by Kathy Dopp
In fact some computer scientists just recently mathematically PROVED
that it is impossible to even verify that the certified software is
actually running on a voting machine.
Tell us more, a bit more convincingly as to fact behind this opinion -
assuming proper defenses.
"In 'An Undetectable Computer Virus,' David Chess and Steven White show
that you can always create a vote changing program (called virus
there) that no "verification software" can ever detect.
Gives headaches trying to sort out their details, but I quote one sentence:
"This paper's title, then, is deliberately somewhat provocative: while
the viruses that we present here are undetectable in the strict formal
sense of the term, there is no reason to think that it is impossible to
write a program that would detect them sufficiently well for all practical
purposes."

If this was not enough, I think of:
Build a master fox computer with special effort to keep rogue
programmers out.
Foxes are smart enough to verify that all of them are identical with
the masters that are carefully protected, while working foxes may risk harm.
Working foxes also verify that other computers of interest remain
virus-free - or failures get detected.
Post by Kathy Dopp
---
It seems to me that most of the persons on this list would rather have
votes fraudulently counted using some alternative voting scheme that
requires an unverifiable unauditable electronic voting system, than
accurately counted using the plurality election method.
As said elsewhere, most of us are willing to endure some pain if this is
what it takes to successfully escape the Plurality world.
Post by Kathy Dopp
Curious.
Cheers,
Kathy
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.



----
Election-Methods mailing list - see http://electorama.com/em for list info
Mike Frank
2008-10-04 15:45:33 UTC
Permalink
Post by Kathy Dopp
In fact there has never been even a theoretical design for an
electronic voting system or even electronic paper ballot vote counting
system that does not have known security leaks.
In my design, whether or not there are security holes in the vote-counting
system itself, the certificates that it produces cannot feasibly be forged
without first solving mathematical problems that have never yet been
solved despite extreme efforts by many very smart people (namely, finding
an efficient way to invert one-way functions). So in this way, the possibility
of leaks can be rendered irrelevant, in the sense that if the security of the
system was compromised, the election outcome could still not be affected
substantially, without the forgeries being easily detected by many parties.
Post by Kathy Dopp
In fact some computer scientists just recently mathematically PROVED
that it is impossible to even verify that the certified software is
actually running on a voting machine.
Can you give me the reference to that? I'd like to take a look at their
assumptions.

Although that theorem may be true in some technical sense, it seems to me
that voters who are sufficiently paranoid ought still to be able to convince
themselves to their satisfaction of the validity of the certificates they
receive from the system. They could use several independent computers or
services to verify the certificate. They could write the validation software
themselves and run it on a computer fresh from the factory that has never been
exposed to a possible source of viruses. Or on several computers from
independent companies. Or if nothing else, a sufficiently intelligent and
determined voter can always carry out the mathematical checks by hand.

The fact that there will be a few people who are both intelligent enough and
paranoid enough to do these checks should give the rest of the voters a
high level of confidence that there is not any widespread miscounting going
on (else it would have been noticed by these people).

The opposite problem, that a few voters could accuse the electronic system
of a misreading of their ballot that didn't actually occur, in order to
undermine the system's credibility (motivated possibly because these people
found it easier to stuff ballot boxes themselves in a paper system) is more
difficult to solve. But one approach would be to require that physical
evidence be provided to support such claims.

For example, organizations concerned about possible miscounting could
test the accuracy of the system themselves by sending "test voters" into
public polling places; these voters could carry with them hidden video
cameras recording the entire process of entering their vote into the system.

Then later, if the certificate generated by the system for that voter did not
match the video showing the ballot selections that were actually entered, the
organization could produce the certificate and the video, and together that
could be considered to be unimpeachable physical evidence that some
miscounting really had occurred somewhere in the system.

If many organizations try to perform such checks, and are unable to produce
any such physical evidence of ballot misreading, and all voters who verify
their certificates (using multiple verification tools) find them to be valid,
it should be possible to generate a high level of confidence in the overall
system.

No system is perfectly secure (even paper balloting) and so the goal is just
to make fraud and miscounting more difficult than it is presently. I believe
this is possible to do electronically, given the right system design.

I'll post a white paper describing my system in a later message.

-Mike
--
Dr. Michael P. Frank, Ph.D. (MIT '99)
820 Hillcrest Ave., Quincy FL 32351-1618
email: ***@gmail.com
cell: (850) 597-2046, fax/tel: (850) 627-6585
----
Election-Methods mailing list - see http://electorama.com/em for list info
AllAbout Voting
2008-10-06 15:30:29 UTC
Permalink
Post by Kathy Dopp
It seems to me that most of the persons on this list would rather have
votes fraudulently counted using some alternative voting scheme that
requires an unverifiable unauditable electronic voting system, than
accurately counted using the plurality election method.
Some have that attitude. I'm not one of them. I think that plurality is
a lousy voting method *and* that our current voting system is wide-open
to fraud. In my view both can and should be addressed. For the most
part the means of addressing them are orthogonal.

That said, voting methods that are not countable in precincts (eg. IRV)
pose a very large challenge to providing for election integrity. This,
in addition to other significant faults of IRV, causes me to oppose IRV.

I notice that some supporters of Condorcet voting (Dave Ketchum in
particular) directly argue that improving the plurality system should be
done even if it sacrifices election integrity.

So I will ask a pair of constructive questions:
1. Can Condorcet voting be compatible with precinct level optical scan
systems? (which many election integrity advocates consider to be
pretty good)
2. Can Condorcet voting be compatible with end-to-end verifiable
election integrity systems such as punchscan, 3-ballot, etc...?

I suspect that the answers to both questions are 'yes' which would make
Ketchum's dangerous arguments that software can be blindly trusted irrelevant.

-Greg Wolfe
--
I now run an election reform website.
Read my rantings here: http://AllAboutVoting.com
----
Election-Methods mailing list - see http://electorama.com/em for list info
Raph Frank
2008-10-06 18:19:58 UTC
Permalink
On Mon, Oct 6, 2008 at 4:30 PM, AllAbout Voting
Post by AllAbout Voting
1. Can Condorcet voting be compatible with precinct level optical scan
systems? (which many election integrity advocates consider to be
pretty good)
Condorcet is precinct countable. You just need an N*N grid of numbers
from each precinct.
Post by AllAbout Voting
2. Can Condorcet voting be compatible with end-to-end verifiable
election integrity systems such as punchscan, 3-ballot, etc...?
Each condorcet vote can be converted into an N*N grid with a one or
zero in each box, kinda like a single person precinct.

With the proper machine, a ranked ballot could be converted into an
N^2 Yes/No questions. This would allow 3 ballot to be used.

Ofc, it would be pretty complex as only certain arrangements are
possible and this goes against the 3-ballot requirement that the
machine be simple.
----
Election-Methods mailing list - see http://electorama.com/em for list info
Jonathan Lundell
2008-10-06 23:21:56 UTC
Permalink
Post by Raph Frank
Condorcet is precinct countable. You just need an N*N grid of numbers
from each precinct.
OTOH, that degree of compression is hardly necessary. IRV/STV ballots
could be captured at the precinct level, cryptographically signed, and
transmitted to a central counting facility (or exchanged, to count in
multiple locations).
----
Election-Methods mailing list - see http://electorama.com/em for list info
Dave Ketchum
2008-10-07 01:26:09 UTC
Permalink
Post by AllAbout Voting
Post by Kathy Dopp
It seems to me that most of the persons on this list would rather have
votes fraudulently counted using some alternative voting scheme that
requires an unverifiable unauditable electronic voting system, than
accurately counted using the plurality election method.
Some have that attitude. I'm not one of them. I think that plurality is
a lousy voting method *and* that our current voting system is wide-open
to fraud. In my view both can and should be addressed. For the most
part the means of addressing them are orthogonal.
That said, voting methods that are not countable in precincts (eg. IRV)
pose a very large challenge to providing for election integrity. This,
in addition to other significant faults of IRV, causes me to oppose IRV.
I notice that some supporters of Condorcet voting (Dave Ketchum in
particular) directly argue that improving the plurality system should be
done even if it sacrifices election integrity.
Ouch - anyway I am for integrity and am certain it can be done without
Plurality - though I am with you as to opposing IRV.
Post by AllAbout Voting
1. Can Condorcet voting be compatible with precinct level optical scan
systems? (which many election integrity advocates consider to be
pretty good)
A Plurality ballot needs only one indicator as to which candidate is voted
for, plus candidate name for a write-in.

A Condorcet ballot has the same need for ability to handle a write-in name,
plus a rank number for each of the one or more candidates voted for.

DESIRABLE for the precinct to fill in and forward the NxN array as a
summary of all the ballots counted. If anything is forwarded as to
individual ballots, this is for verification purposes.
Post by AllAbout Voting
2. Can Condorcet voting be compatible with end-to-end verifiable
election integrity systems such as punchscan, 3-ballot, etc...?
My initial reaction is that the information for verification exists, but a
system designed for other purposes might need modification to fit
Condorcet needs.

Note that any ballot acceptable by IRV rules fits in a subset of what
Condorcet permits. The counting being different makes Condorcet countable
in precincts.
Post by AllAbout Voting
I suspect that the answers to both questions are 'yes' which would make
Ketchum's dangerous arguments that software can be blindly trusted irrelevant.
That DOES NOT sound like a true description of what I have said,

Anyway, there certainly should be better verification of the software used
than some vendors have offered.

Further, I am sure optical scan involves computer programs with the same
questions as to trusting as for others.
Post by AllAbout Voting
-Greg Wolfe
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.



----
Election-Methods mailing list - see http://electorama.com/em for list info
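The N*N precinct summary that Raph Frank and Dave Ketchum describe above, as an added example that is not part of the original thread: each ranked ballot becomes an N*N grid of ones and zeros, precinct grids add up to the central count, and a forwarded summary can be audited against the ballots it claims to summarise. The function names, the treatment of unranked candidates and the sample ballots are assumptions constructed for illustration.

```python
CANDIDATES = ["A", "B", "C"]  # constructed sample candidates

def ballot_to_grid(ranking, candidates=CANDIDATES):
    """Turn one ranked ballot into an N*N grid of 0/1 entries.

    grid[i][j] == 1 means candidate i is ranked above candidate j.
    Assumption: unranked candidates sit below every ranked one and
    tie with each other.
    """
    if len(set(ranking)) != len(ranking) or not set(ranking) <= set(candidates):
        raise ValueError(f"invalid ballot: {ranking!r}")
    pos = {name: rank for rank, name in enumerate(ranking)}
    worst = len(candidates)
    return [[1 if pos.get(a, worst) < pos.get(b, worst) else 0
             for b in candidates] for a in candidates]

def add_grids(g1, g2):
    """Element-wise sum of two N*N grids."""
    return [[x + y for x, y in zip(r1, r2)] for r1, r2 in zip(g1, g2)]

def precinct_summary(ballots, candidates=CANDIDATES):
    """Sum the per-ballot grids: the N*N array a precinct would forward."""
    n = len(candidates)
    total = [[0] * n for _ in range(n)]
    for ballot in ballots:
        total = add_grids(total, ballot_to_grid(ballot, candidates))
    return total

def condorcet_winner(grid, candidates=CANDIDATES):
    """Return the candidate who beats every other pairwise, or None."""
    n = len(candidates)
    for i in range(n):
        if all(grid[i][j] > grid[j][i] for j in range(n) if j != i):
            return candidates[i]
    return None

def audit_precinct(reported, ballots, candidates=CANDIDATES):
    """Recount the retained ballots and compare with the reported grid."""
    return reported == precinct_summary(ballots, candidates)

# Constructed sample ballots for two precincts (most preferred first).
PRECINCT_1 = [["A", "B", "C"], ["A", "C", "B"], ["B", "A", "C"], ["C"]]
PRECINCT_2 = [["B", "C", "A"], ["B", "A"], ["A", "B", "C"], ["B", "C", "A"]]

if __name__ == "__main__":
    s1, s2 = precinct_summary(PRECINCT_1), precinct_summary(PRECINCT_2)
    total = add_grids(s1, s2)
    print("central total:", total, "winner:", condorcet_winner(total))
    # The sum of precinct grids equals a count over all ballots at once.
    print("summable:", total == precinct_summary(PRECINCT_1 + PRECINCT_2))
    # A summary altered after the count no longer matches its ballots.
    altered = [row[:] for row in s2]
    altered[1][0] = 1  # reported B-over-A count changed from 3 to 1
    print("honest audit:", audit_precinct(s2, PRECINCT_2))
    print("altered audit:", audit_precinct(altered, PRECINCT_2))
```

In this constructed data, precinct 1 on its own prefers A while the summed grids elect B, so the outcome can only be read from the total; the altered grid would hand the result to A, which is why the recount against retained ballots matters.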
Brian Olson
2008-10-07 05:03:47 UTC
Permalink
Post by AllAbout Voting
1. Can Condorcet voting be compatible with precinct level optical scan
systems? (which many election integrity advocates consider to be
pretty good)
Yes.
Post by AllAbout Voting
2. Can Condorcet voting be compatible with end-to-end verifiable
election integrity systems such as punchscan, 3-ballot, etc...?
Aside from the NxNx3 adaption of 3-ballot to condorcet information, I
think it was suggested on this list a while ago that 3-ballot can be
adapted to 0-100 range voting by scaling up its three ballots of 0-1
voting and requiring sums of 100-200 for a valid vote instead of sums
of 1 or 2. If that sort of system was used, rankings for condorcet
counting could be extracted from the ratings votes, or a more advanced
ratings-aware system could be used. Actually, that sounds pretty
messy. NxNx3 is probably better.

Most of these methods require automatic ballot construction or
specially clueful voters. I'd expect 99% of voters to never bother
verifying that the election was actually done right if they had the
certificates with which to check it. I think probably the best defense
against electoral malfeasance is probably through the political and
legal processes, and through the vigilance of the citizenry. We'll
never make a system so mathematically perfect that we don't still need
those other things.


Brian Olson
http://bolson.org/



----
Election-Methods mailing list - see http://electorama.com/em for list info
Dave Ketchum
2008-10-07 14:17:19 UTC
Permalink
Post by Brian Olson
Post by AllAbout Voting
1. Can Condorcet voting be compatible with precinct level optical scan
systems? (which many election integrity advocates consider to be
pretty good)
Yes.
Post by AllAbout Voting
2. Can Condorcet voting be compatible with end-to-end verifiable
election integrity systems such as punchscan, 3-ballot, etc...?
Aside from the NxNx3 adaption of 3-ballot to condorcet information, I
think it was suggested on this list a while ago that 3-ballot can be
adapted to 0-100 range voting by scaling up its three ballots of 0-1
voting and requiring sums of 100-200 for a valid vote instead of sums
of 1 or 2. If that sort of system was used, rankings for condorcet
counting could be extracted from the ratings votes, or a more advanced
ratings-aware system could be used. Actually, that sounds pretty messy.
NxNx3 is probably better.
For Condorcet, N*N*3 for 3-ballot sounds like time for something more
affordable space-wise. Since all there is to record for one ballot is Y vs
N, N is absence of Y, and positions for the Ys had to be calculated from
the ballot, how many positions need recording?

Considering that C, the number of candidates voted for, is often one or
two, not many. There are LESS THAN N"C positions to record (while this N,
the number of candidates, can be many).
Post by Brian Olson
Most of these methods require automatic ballot construction or
specially clueful voters. I'd expect 99% of voters to never bother
verifying that the election was actually done right if they had the
certificates with which to check it. I think probably the best defense
against electoral malfeasance is probably through the political and
legal processes, and through the vigilance of the citizenry. We'll
never make a system so mathematically perfect that we don't still need
those other things.
Now it becomes MORE important to record for read back what the system
thinks the voter voted, rather than some foreign construction such as the
3-ballot array.

Not mentioned above is ability for those up to it to analyze the system
programming in whatever detail they see as valuable.
Post by Brian Olson
Brian Olson
http://bolson.org/
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.



----
Election-Methods mailing list - see http://electorama.com/em for list info
James Gilmour
2008-10-25 21:50:05 UTC
Permalink
Technology News- Internet voting starts for US citizens

Users will also have to print out a paper version of the ballot paper so that the final results can be checked. However, the move is
being questioned by many in Florida. "Taxpayers are still reeling from the costly mistake of allowing ...

<http://forum.meetthegeeks.org/forum/showthread.php?t=5900>

JG



----
Election-Methods mailing list - see http://electorama.com/em for list info