Forum Navigation
Topics
Log In
Log Out
Forum Search
New Today
New This Week
Advanced Search
Tree View
Forum Account
Edit Profile
Register
Forgot Password
Forum Tools
Help/Instructions
Contact Moderators
Administration
|
| 6-15-06: Solutions through citizen ov... |
|
| Author |
Message |
    
Bev Harris
Board Administrator
Username: Admin
Post Number: 5203
Registered: 12-2004
Best of Black Box? 
Votes: 7 (A keeper?) | | Posted on Thursday, June 15, 2006 - 07:50 am: | 
|
Have
you seen the "whack-a-mole" game in arcades? Using a mallet, every time
a mole pops out of a hole you whack it down, faster and faster. The
moles always win in the end.
Catching security holes in computerized voting machines is a lot like whack-a-mole. There's got to be a better solution.
A new way to use optical scan voting machines:
This
concept is the brain child of Harri Hursti, who in addition to doing
security tests has been giving a lot of thought to citizen-friendly
practical solutions.
Most people don't know that some voting
machines take digital photos of each ballot, and that you can get those
ballot photographs through public records requests. This tactic is
available to reporters, candidates, and every citizen!
Here's a small copy of the digital photo produced by the Diebold high speed scanner voting machine:
Click
the following link for an actual ballot image from a Diebold High Speed
scanner, full size, just as it is stored in the voting system:
http://www.blackboxvoting.org/ballot.tif
Let's
look at old-fashioned optical scan voting first: You fill out a ballot
and run it through a scanner. Optical scan voting machines are the most
widely used system in the US.
With a few tweaks, a certain
kind of optical scan system could fundamentally change your right to
oversee your own electoral system.
What you're about to see
works for optical scan systems only -- you cannot use this system with
the vendors' favorite cash cow, the touch-screens (or DREs).
This
solution is cheaper than DREs and can use existing, already certified
voting systems. Diebold and Hart Intercivic make these kinds of
machines. Perhaps one reason they aren't telling us about this neat
idea is that other companies, like Xerox and Hewlett-Packard also make
scanners that capture digital photographs. In fact, the machines are
somewhat generic -- altogether depressing for voting machine
profiteers.
For citizens, the media, candidates, and
lawmakers however, this solution is truly exciting. It's less expensive
than anything that's been proposed so far. It allows elections
officials to keep their machines. In a sane world, Diebold's "c'mon in
boys" security-defective machines would be pulled out of service faster
than you can say "Who really won?" Here's a realistic solution that
would allow public officials to carry on with their elections while
Diebold recalls its defective voting machines, replacing them with a
model it doesn't make so much money on.
Best yet, this solution brings the people back into "We, the People."
Here are the tweaks:
1. Use scanners that produce digital photographs at the time they scan the ballots.
2. These digital photographs are automatically saved by certain optical scan models. Most people don't know that you can get these ballot photos for any election already on CD or DVD. Legally, they are a public record.
But
we must do better than that, because certain public officials are using
all kinds of obstructionist tactics -- trying to force us to sue to get
the ballot photos, stalling, and generally getting in the way of
transparency and citizen oversight of elections.
Obfuscating public officials:
Colorado Secretary of State Gigi Dennis
Orange County (CA) California ROV Neil Kelley
Yakima County (WA) County Counsel Terry Austin
Travis County (TX) Elections chief Dana DeBeauvoir
The
above locations are obstructing the public from obtaining copies of the
ballot photograph files, claiming the image (an electronic file which
sits on a hard drive) is a legal ballot. They are trying to pretend it
is illegal to make a copy of electronic files stored on the hard drive,
citing laws that require them to protect paper ballots (all the while,
the paper ballots ARE being kept in a vault, protected). This contorted
position will not stand up in court but it forces citizens to sue, an
effective way to block citizen oversight.
3. All we need to do is change procedures -- which does not require changing the law -- to release
CDs/DVDs with the ballot photographs immediately, as soon as the polls
close and in increments for ballots scanned afterwards.
Election
officials make copies of results reports every half hour or so on
Election Night. Simply require them to make the CDs with ballot photos
available every half hour or so as well, beginning as soon as the polls
close and continuing until all ballots are scanned.
The Rush Holt Bill suggests a 2 percent audit. This is a 100 percent audit -- at a fraction of the cost!
That's
not to say there should be no audits. We should still have hand audits,
publicly and properly selected. But those are getting bogged down right
now with arguments over which statistician has the best audit selection
model, who gets to do them, going out for "bid", how the results get
released and so forth.
Digital ballot photographs change everything. Simply by releasing 100 percent of the digital photographs of our ballots, everyone --citizens, candidates, the media -- gets access to every ballot photo. And this is already possible!
No
statistician is necessary, because we are entitled to them all -- 100
percent of them -- under current public records law. No one needs to go
out for bid or be approved. A DVD costs less than five dollars. The
only argument left is how soon the digital ballot photos have to be
released to the public.
We have a mess right now. Our voting
machines are riddled with security holes and we just can't whack the
moles quickly enough to have much faith in our elections. Here's a way
to restore citizen trust -- quickly, cheaply, in a way that is
practical and efficient for elections officials.
Suggestions to make this a reality
Every
jurisdiction with Hart Intercivic optical scanners already has digital
photographs. The Diebold high speed optical ballot scanner also
produces digital photographs automatically. These machines are already
available.
All we need to do is add a procedure to copy the photographs onto CD (or DVD, for large jurisdictions).
What procedures are needed?
1. Immediate release, beginning as soon as the polls close and continuing incrementally until all ballots are scanned.
Immediate release is one way to reduce opportunities to manipulate ballot photo CDs.
2. Public viewing of all scanning and CD/DVD copying.
3. The cost of a DVD is under five dollars. Reasonable charges -- no more than $10 per CD or DVD should apply.
Anti-tampering measures
Any
system can be tampered with. The idea is to make it risky and difficult
to tamper. Here are some procedures and technical tweaks that will make
it significantly harder to tamper with the digital photos:
1. Ballot printing: Ballots should be serial-numbered and serial number assignments should be logged.
Note that serial-numbering of ballots has been done in some locations
for decades, and does not have any effect on voter privacy.
2. Ballot printing: Ballots should contain some sort of difficult to replicate authentication mark,
like a watermark that migrates from place to place with different
serial numbers, which will also show up in the scanned photograph of
the ballot. This will make it more difficult to create counterfeit
ballots.
3. Machine settings: The current voting
machine optical scanners that produce digital photos can be set to scan
in black and white or gray scale. Some vendors choose the black and
white setting -- instead, all voting machines should use gray scale. This provides a more precise image and also makes it more difficult to counterfeit ballots and/or ballot images.
4. Authentication of the ballot photos: Non-techie citizens -- this is an optional step. Leave it to the geeks if you like. You can still look at all the ballots!
For computerheads -- Hursti has conceptualized a simple overlay (don't even need the vendor for this). It's called a "hash mark" -- basically, it fingerprints each ballot at the moment it is scanned.
- When you magnify a digital image, at its largest magnification the image becomes a collection of dots called "pixels."
-
Especially when scanned in gray-scale, when filled out by hand by the
voter, there will be variations in the pattern of dots in each ballot.
Each ballot will have a unique dot pattern.
- A "hash code"
assigns a unique number to each ballot based on its unique set of dots.
The hash code is not something proprietary to any vendor. As I
understand it, you can check ballot image hash codes provided by your
elections office with your own hash code, which you can obtain by
putting the same ballot photograph on your computer and applying a
publicly available hash code program you get off the Internet.
Hash code concept in a nutshell:
The
hash code fingerprints each ballot the moment it is scanned. Because
the hash code is just a number, it doesn't tell you how the person
voted. Which leads us to the next step:
5. (Non-techies, you can skip this part; it's optional, for tech-fans): Release the hash codes instantly
-- Once a hash code overlay is in place, there is absolutely no reason
not to release it contemporaneously with each ballot scanned. Since it
doesn't tell you the vote, you can release hash codes before polls
close (and for absentee ballots, before election day). The only purpose
of the hash code is to match up to the hash code from the digital photo
of the ballot once it's released.
6. To reduce potential for manipulation of the ballot photos, they need to be released to the public as quickly as possible.
It
would be best (if logistics can be solved) to release ballot photo CDs
at the polling place as soon as the polls close. Hash codes should be
produced during scanning and available for anyone to see, even while
the election is in progress. Ballot photos should be released on CD
upon poll closing.
People can take the ballot photo CDs home
(along with the hash code fingerprints if they like). Anyone can look
at every ballot one by one, or can use publicly available software to
conduct their own ballot count automatically, do forensics, compare
hash codes.
7. There are concerns that ballot photos could be
manipulated. One scenario would be simple substitution -- for example,
providing hash codes from a bogus batch of ballots, along with a disk
containing the matching bogus images. Immediacy of hash code release
and immediacy of ballot photo release, combined with serial-numbered
watermarked ballots and doing everything in full public view will make
it harder to compromise the files (but won't eliminate all risk).
The VotoScope
To
prove this is viable, Harri Hursti created a public source software
that gives you an independent ballot count using ballot photographs. He
did this for Black Box Voting, so that we can distribute it for free to
anyone who gets ballot photos!
We call this the "VotoScope"
because it provides very nice diagnostics as well. For example, if a
ballot is just weird for some reason -- such as having an "X" through
the oval instead of filling in the oval -- VotoScope flags that ballot
so you can look at it one-on-one.
Obstacles to using ballot photos to check elections
-
Vendors don't make as much money selling these systems as they do when
they sell touch-screens. Also, any glitches or flaws in their software
will be more readily visible to the taxpayers who paid for their
machines. Neither Diebold nor Hart Intercivic (the two vendors that
already make digital image optical scan voting machines) are anxious to
tell citizens that this feature exists, and both vendors urge election
officials to buy DREs instead.
- Disability groups will still need other options.
- Some elections officials will feel uncomfortable about the increased transparency this provides.
-
This kind of citizen oversight requires a shift in thinking for the
elections industry, from "trust the experts" to "let everyone see for
themselves."
- This system is no good unless the ballot
photos are released immediately. It will require the explicit change in
procedures, to copy the files to disk and make them available (at
perhaps $5 or $10 each) to anyone who wants them.
- Some
elections officials will worry that people won't understand the normal
variations in accuracy that occur during elections. For example,
machines that were not calibrated properly may miss some votes; some
voters don't mark their choices properly. (This objection
underestimates citizen common sense, however. A simple printed
instruction sheet can be provided with the ballot photos; besides, if
votes are being missed, the situation should be identified so it can be
corrected.)
- A whole industry, not to mention a stack of
academic resumes and a burgeoning Help Yourself to HAVA money movement
has sprung up, full of experts who (for a fee) will evaluate security,
audit your election, test your machines, create new standards, and seek
government grants to analyze the election system. This simple solution
potentially throws a lot of people out of work, or at the very least,
could make some experts irrelevant.
- Some in the scientific
community have their hearts set on other solutions, which may be
scientifically valid but are certainly less transparent. Other
proposals include the Microsoft-driven solution
previously code-named "Palladium." (Google "trusted computing" also).
This kind of solution would place Microsoft as the gatekeeper of
identification and authentication.
Other solutions may promote cryptography, or faith in open source code.
Black Box Voting
has taken the position that since digital photos are available, cheap,
practical and provide wide-open citizen oversight, any solution that is
not equally transparent cannot suffice. Citizens and members of the
media who want to see ballot photographs should anticipate resistance
due to turf wars among competing scientific experts.
In the
end, you shouldn't have to trust experts. Trust your common sense. You
don't have to be a lawyer to sit on a jury, and you shouldn't have to
be a computer scientist to count a vote.
Other objections
- Some of the voting machine examiners are horrified at this concept. (Their oversights will be exposed.)
-
Vendors particularly dislike this level of citizen oversight. (Their
flaws will be exposed and this type of system is much, much cheaper for
the taxpayer -- less profits available for voting machine companies.)
- Some election officials would rather have convenient elections than accurate elections.
-
Some candidates (incumbents, mainly) aren't crazy about making ballot
photos available because they want the election to be over on election
night, no questions asked.
But in fact, elections are never
over until the canvass is done, which takes at least a week. And in
fact, if the count is incorrect, it needs to be corrected during the
canvass -- not after the election is already certified. And in fact,
making ballot photos available to the public won't delay election
"finality" at all as long as the machines are counting accurately.
-
The ballot photo idea is less satisfactory than public hand counts in
some ways, but better in other ways. It allows more scrutiny of every
ballot image by many more people, for as long as we want, and preserves
evidence that will sometimes have historic significance. It allows
scrutiny without putting the actual ballots at risk. At the same time
-- what we would be looking at would be a photograph of a ballot, not
the ballot itself.
More ways to build trust
- Random hand count audits, especially if performed in public and at the precinct
-
VotoScope-style forensics: Hursti's VotoScope program contains some
interesting forensics. For example, the white content of ballot images
will actually vary depending on the temperature of the machine while
the ballot is being scanned. This free software will help users
identify anomalies in the white space.
- Hursti's free
software concept also identifies when the ovals are too identical.
After all, people scribble in those votes. When magnified, the dot
pattern will not be identical, nor will the ink be identical on
absentee votes. Especially when scanned in gray scale, it will be
obvious (using the right publicly available free software) to spot
ballots that contain identical dot patterns in any particular race. If
you have to manipulate 1,000 votes in a hurry, you couldn't just make a
bunch of copies -- those would produce identical dot patterns, easily
spotted by the free publicly available software. You wouldn't want to
use the same writing implement.
The bottom line: This
kind of approach will have the effect of quickly improving the overall
accuracy of electronic voting equipment due to increased scrutiny. It
will allow citizen oversight that can act as a massive new quality
control team.
PERMISSION TO EXCERPT OR REPRINT GRANTED, WITH LINK TO http://www.blackboxvoting.org |
Mike Myhre
BBV Citizen Watchdog
Username: Mike_myhre
Post Number: 51
Registered: 02-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, June 15, 2006 - 09:13 am: |
|
I think it's a great idea!!
Redundancy built-in to a good portion of the voting system.
Is
there a way to extend the idea where these optical scan photo machines
are not currently used? What if voters rights groups purchased their
own scanners for areas that are all mail-in ballots and citizens had
the option to have their ballot scanned there before mailing it in. It
may not have a watermark or serial number, but may have enough of a
signature to verify it was the same ballot. If the private group could
scan the serial number before it was detached, now you have a unique
number to link to it. Sure, someone along the way could replace the
ballot with a new one, but what would it take to verify this? Multiple
Notary Publics observing? If everyone in the world witnessed it, we
would probably win in court. How could this private group trump the
elections officials copy? In addition; one ballot in dispute, not a big
thing, 10,000 in dispute, a big problem.
Maybe the voter has
the ability to scan his vote at multiple locations (GOP, Dems, Green,
Schriners, MoveOn, etc.) before mailing it in. If each of the locations
compared their copy of votes (matching the serial number stub and
actual votes) would that be enough to trump the elections departments
offial copy (if they disagreed)?
Another approach: What about
the all mail-in ballots just using multiple counting places (one per
precinct) with each precinct having a different mailing address? They
could do the counts in parallel and increase accountability and reduce
time. These precincts would need the units that can burn DVDs.
I
am trying to figure out a way to use this idea where officials don't
want it to happen. Given time and citizen pressure, we should be able
to convert all precincts, but we need something that will allow
citizens to take charge and implement a solution now.
BTW: I pay about $1 per DVD for single layer (4.7 Gig) |
Bev Harris
Board Administrator
Username: Admin
Post Number: 5204
Registered: 12-2004
Best of Black Box?
Votes: 1 (A keeper?) | | Posted on Thursday, June 15, 2006 - 09:27 am: |
|
Mike
- Thanks, on behalf of Harri Hursti, who came up with the idea. Really,
our nation owes Finland a keg of beer, at the very least, for Hursti's
amazing contributions to clean up our electoral system.
quote: Is there a way to extend the idea where these optical scan photo machines are not currently used?
I
think so. In the short run I'd like to see the Diebold TSx machines
recalled and replaced by pilot testing this concept (preferably with
precinct-based digital image scanners as well as their high-speed
central count machine, but we'll take what we can get).
In the long run this approach makes a whole lot more sense than the Rush Holt bill -- though that was well intended.
But
why settle for a crappy "VVPAT" that hides behind a brown door (gray in
Mississippi), makes you view the machine-generated toilet paper roll
through a Crackerjack toy magnifying lens, and jams, which will take
'til 2008 to recount and makes you struggle for even a two percent
audit when we can have the whole ball of wax, real ballots, filled out
by our own hand, which everyone can look at (while retaining our
privacy) for less money?
quote:
What if voters rights groups purchased their own scanners for areas
that are all mail-in ballots and citizens had the option to have their
ballot scanned there before mailing it in.
The
thing is, we need to be able to evaluate 100 percent of the ballots.
The digital image scanners are fairly pricey, not easy for citizens to
afford.
No procedure should be advocated that ties a vote to
a voter (removing voter privacy). Avoid anything that sounds like that,
or they'll use it to block this kind of citizen oversight.
quote:BTW: I pay about $1 per DVD for single layer (4.7 Gig)
Yep.
The media is cheap, but it might take elections officials, say, one
minute to push the buttons to copy the files. Then they can go away and
get a cup of coffee while it writes the files to DVD. I have no problem
paying a couple bucks for the time it takes them to push a button and
walk the CD over to the counter. |
Joshua Spotts
New BBV Member
Username: Spotts
Post Number: 1
Registered: 06-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, June 15, 2006 - 10:46 am: |
|
This
is an excellent idea. I would like to suggest one way to even further
increase transparency and open involvement (and thusly increase
scrutiny and security). These DVDs and CDs should then be made
available via the Web immediately as well(and in fact this can be done
for far less then using physical media). It would be great to be able
to have a central repository and add CRC image verification hashs so
that duplicates can be verified as matching the originals.
Taking this a step futher, if there were say a central government site (or multiple idependant run sites) maybe called www.verifiedvotes.gov
where all of the states and counties would have to send these images
for archival, sharing and processing. This site would then have a few
additional functions. On the backside it would use OCR software to
count votes for an additional comparison audit. On the front side it
would allow groups to download the votes for their state, county or
city (or whatever) to allow them to process as they pleased. If these
copies somehow get digitally tampered with, then their CRC codes would
change and it would be known immediately.
More on the
backside processing, the system could also detect voting sheets that
didn't get counted right and batch them together for a humans to
process and tabulate. So say for example you have a city where they had
100 votes cast using this system described above. After being scanned
in by the optical machine the CD or DVD is either sent to a processing
center or immediately uploaded to this verifiedvoter.gov site and made
immediately available. The backside starts processing the votes
immediately and provides a count and a list of "error" ballots. It
reports all of this on the front side for all of the world to see. This
kind of processing, even on a country-wide scale can be done pretty
quickly, and will provide the press and the public with an instant vote
verification process that they can use to compare numbers against what
is coming out of each voting precinct. The error votes would also be
displayed and if the all of the numbers don't match up then it should
force a manual recount to take place.
Even better would be to
make sure that the software that processes the votes is released so
that anyone can setup a system of their own to process votes and verify
the results themselves. The Dems and Reps would each be able to have
their own processing server if they wanted, and by either getting
CDs/DVDs for the vote images or getting the vote images from a central
repository they could be allowed to also idependently verify the votes
for their own parties.
I do see possible problems with this
in that someone could try to throw a monkey wrench into the system by
making the software count wrong, but at most it would just force a hand
recount and in the end, I'd personally rather we did everything in our
power to verify an accurate vote then just "assume" that no games were
being played.
Oh and by the way this is my first post after being a reader for so long. I hope its ok. |
Bev Harris
Board Administrator
Username: Admin
Post Number: 5209
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, June 15, 2006 - 11:14 am: |
|
You are "Spott on" (sorry, couldn't resist). Thanks very much, Joshua, for an informative post.
Welcome to Black Box Voting!
Bev Harris
Founder
Black Box Voting |
Patrick J. Kobly
BBV Action Crew
Username: Pkobly
Post Number: 24
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, June 15, 2006 - 11:29 am: |
|
G'day,
First, this clearly helps in reducing the footprint of unaudited process in elections.
BBV
is, however, not the place to provide peer review of this technology.
Before it is publicly pushed as a solution, it ought to be put forward
(as the Mercuri and other methods have before) to the scientific
community for appropriate, public peer review. There are a number of
journals accepting (and actively seeking) articles on the subject.
However, it introduces other issues:
-
Vote privacy - If hashes are publicly released through the day, it
allows a timing attack that can compromise voter privacy, in much the
same way that the toilet paper roll, or any sequential ballot storage
system does. Whether the image is released at that time or not is
irrelevant. Ultimately, the auditability of the system requires that
the hashes be matched against ballot images. If we know when a hash was
generated, or in what sequence, we compromise privacy (we just wait
until after the polls close to do so).
If the hashes are not
released publicly until after the polls close, but are provided to the
voter when he casts his ballot, it allows proof-of-vote. This is
undesirable for the reasons raised in other locations (generally
related to coercion and vote-buying).
- If the county
election process is central-count, central-scan, this provides almost
no additional protection, even if there are scanners in the precincts
that produce hashes. This is because the file hash will differ on a
subsequent scan of the ballot. (For the same reason, Mike's private
scanner approach would not work. Each scan of a ballot will produce a
slightly different image file, which will, in turn, produce a different
hash)
- This does nothing to address stuffing attacks, and
nothing to address associated chain-of-custody issues in central-count,
central-scan systems.
- This is likely to increase trust in
the systems in a manner not commensurate with the actual increase in
verifiability and security. This will have the effect of luring
officials and voters into a false sense of security. This will allow
officials to feel more justified in the white band-aid and pencil-in
approach to recount sampling that we saw in some OH Op-scan counties.
-
Image manipulation - if this is properly implemented (and that is a
VERY big "if"), potential points of attack for image manipulation will
be minimized. However, a vulnerability point still exists in the
process between the physical scanning and the display of the hash. Even
if the ballot is scanned/counted in precinct and the hashes are
published throughout the day (and we ignore or somehow address the
privacy concerns), the image could be manipulated between when it is
scanned and when the hash is displayed (either in scanner firmware, or
in the software of the computer that generates the hash). If the
process allows for scanning or re-scanning of the ballots after the
voter leaves the polling place (i.e. a determination was made that a
scanner malfunctioned or otherwise provided unusable images), the
hashes collected during the initial process are no longer usable as
audit mechanisms - the new scans will generate new images, and thus new
hashes. This allows for more potential manipulation points.
As
for forensics, whitespace examination, etc. used for manipulation
detection - if the attacker knows that these mechanisms are in place,
he can work around them. Whitespace can be sampled from other areas of
the ballot or from other ballots (and color-balanced to match heat
differences). Fill-in patterns can be sampled from other places on the
ballot, and possibly randomly manipulated so as to avoid similarity
checks (we are, after all, feeding the system a large amount of data
that can be used as an entropy source). Vote swaps can be even easier,
just pulling the filled-in oval from the choice the voter actually
made.
Watermarks that are ballot-specific (and verifiable as
belonging to the specific ballot in question) will be cost-prohibitive
to print. While serial numbers can be used for some purposes, great
care must be taken in the design of the process to ensure that they
don't leak information that can tie a vote to a specific voter. |
Bev Harris
Board Administrator
Username: Admin
Post Number: 5210
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, June 15, 2006 - 11:37 am: |
|
Dear Patrick,
Harri Hursti has not only discussed this solution, but demonstrated it among many of the most prestigious scientists.
The
bottom line, though, is that we cannot keep turning the process that
belongs to us over to "experts." That's how we got into this situation
in the first place.
I'll read through your post very
carefully and will probably do a more detailed response, but it seems
rather elitist to say "Black Box Voting" is not the correct place to
discuss a solution that we initiated which was conceptualized by an
individual who has made history in U.S. voting security circles. |
Bev Harris
Board Administrator
Username: Admin
Post Number: 5211
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, June 15, 2006 - 12:07 pm: |
|
Okay,
back to Patrick. You make some good points, especially about timing of
releasing the hash marks. Chain of custody is a very significant
concern, especially in mail-in voting situations. It's a different
issue, of course, just like voter authentication is a different issue.
There are many facets to improving the system, this is just one.
You appear to have a solution of your own in mind. What is it?
quote:
This will allow officials to feel more justified in the white band-aid
and pencil-in approach to recount sampling that we saw in some OH
Op-scan counties.
Hardly.
In fact, since 100 percent of all ballots would already be in the hands
of the media and the voters, it would be crazy to use pencil ins and
white bandaids for anything.
quote: Vote swaps can be even easier, just pulling the filled-in oval from the choice the voter actually made.
Well,
you have to be a master graphic designer, on top of being a master
hacker, to even approach this. Pulling the oval also leaves distinct
tracks.
quote:
While serial numbers can be used for some purposes, great care must be
taken in the design of the process to ensure that they don't leak
information that can tie a vote to a specific voter.
Serial numbered paper ballots have been widely used all over the country for several decades. |
Joshua Spotts
New BBV Member
Username: Spotts
Post Number: 2
Registered: 06-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, June 15, 2006 - 01:59 pm: |
|
Just to add a small point - with CRC - http://en.wikipedia.org/wiki/Cyclic_redundancy_check
- You generate a very unique checksum that will show if changes are
made to an image after it is scanned. Effectively you need to create
the CRC right away at the time of scanning. If someone changes even a
single pixel in the scanned ballot image it will change the CRC
checksum and raise an instant flag. The key will be to gaurd the
checksum against being changed which can be done by having the checksum
key list printed off onto paper when the CDs are made (or the files
transmitted) and having them signed by the election judge and an
observer from both parties (or whatever makes people feel safest). This
paper trail itself becomes a sort of legal and physical protection for
the checksums to prevent them from being tampered with. And if a
checksum is found to be "off" then it will require a hand recount. |
Mike Myhre
BBV Citizen Watchdog
Username: Mike_myhre
Post Number: 52
Registered: 02-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, June 15, 2006 - 02:32 pm: |
|
Joshua,
A CRC is commonly used to ensure data has not been corrupted during transmision, but is not as robust as a hash algorythm - http://en.wikipedia.org/wiki/Cryptographic_hash_function
in detecting malitious attacks. A CRC typically has a 16 bit result (0
- 65535) or 32 bit (0 - 4 billion) as a result. A hash function does an
encryption on the input data with a much larger result. It would be
possible to tamper with the ballot and still arive at the same CRC, but
no one could tamper with a ballot and arive at the same hash.
In
other words: Changing one pixel would change the CRC but if you you
changed many pixels (the ones you want and a bunch of others) you could
get the same CRC. |
John Washburn
BBV Activist
Username: Johnwashburn
Post Number: 138
Registered: 02-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, June 15, 2006 - 02:40 pm: |
|
CRC is not sufficient to authenticate. You need a crypto-hash (MD5, SHA1, SHA-256, SHA-384, or SHA-512).
Patrick's
info leaking by releasing hashes in real time is a problem. I know
there is a solution to creating the information during the day but to
prevent the realease until the close of polls. E.g. digitally signed
and encrypted and the final key to look at the intermediate has files
is not released until the close of polls?
I will have to think about the protocol.
Professors
Davida and Yao here at UW-Milwaukee are experts on an obscure field
called zero-knowlege transfers. The exchange of information (e.g. poker
hand) without leaking any information until the transfer is complete. |
Patrick J. Kobly
BBV Action Crew
Username: Pkobly
Post Number: 25
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, June 15, 2006 - 03:00 pm: |
|
Bev,
RE: Peer review
You
are presenting a technological system that has a number of opaque
elements that the general public does not have the capacity to
evaluate. I don't suggest that the process ought to be "turned over to
the experts," but rather, the experts need to evaluate it , _and_ the
public needs to evaluate it. I am not saying that it is inappropriate
to discuss the technology on BBV, but rather that the technology also
needs to be formally peer-reviewed. The proper forum for peer-review of
technological systems is the journals. Peer-review does not take place
in demonstrations to prestigious scientists. The role that BBV carries
out in this is quite different (though not less valuable) from
peer-review.
You are proposing a process that the general public cannot verify to function correctly.
This process is less opaque than we currently have, but it is still opaque to the general public.
Re: Solution already in mind
Paper
ballots, hand-counted. Paper ballots, machine counted for early
returns, hand counted for final tally. Paper ballots, machine counted,
with a random full precinct sampling hand counted, with any divergence
leading to a full hand recount. Paper ballots, machine counted with a
random sampling of ballots hand counted, with statistically significant
divergences instigating a full hand count.
All of the above
cause the audit source to be the same as the voting instrument. There
are no translation steps applied to this instrument, and its physical
and logical properties are well understood and verified by the general
public. The same cannot be said for a digital image of the ballot. We
must trust that the digital image is a faithful translation of the
information on the ballot, while the general public has no way to
assure that this is the case.
RE: Band-aids
You're
right about the band-aid issue raised. My concern here is that if
officials do not understand _what_ advantages are actually gained by a
system, they may become lax in ways that will compromise the system.
The response to challenges will be an exasperated "WHAT more do you
want? We ALREADY implemented the system that BBV pushed as the paragon
of security!" (even if BBV pushes this as an incremental approach, and
does not characterize it as the paragon of security)
RE: graphic designer
This
task would have nothing to do with graphic design skills. It would
require strong image manipulation skills and some knowledge of the
ballot characteristics, but not extraordinarily so. Is it something I
can do? Probably not. Is it something somebody with a budget of a
couple million $ may be able to pull off? Maybe.
RE: serials
Absolutely,
serials have been used elsewhere for some time. Remember though, when
tools or techniques previously used safely are used in the context of a
different process, they may be subject to different hazards, and should
be reexamined in their new context.
All of this
notwithstanding. I think the timing of the release of the hash marks is
the most severe flaw here. If you publish continuously, before the
polls close, you compromise privacy through timing and correlation
attacks. If you provide the hash to the individual voters, you allow
proof of vote. If you publish the hashes only after close of polls, you
lose the auditability benefits that the hashes are supposed to give you. |
Bev Harris
Board Administrator
Username: Admin
Post Number: 5221
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, June 15, 2006 - 04:02 pm: |
|
Patrick,
I agree that timing of hash mark release is a thorny issue. We'd have to hash that out further (sorry for the pun, groan.)
You
make good points. By the way, hand counted paper ballots, and machine
counts (preliminary) hand counts (final) are solutions I'd get behind
in a heartbeat. The random sampling ideas are not something I support,
unless in conjunction with something like the 100% ballot image release
as described here.
The chain of custody is STILL a huge
problem. In my county, King County WA, they want to take a million
voters to mail-in with pretty awful chain of custody issues.
The
best chain of custody solutions are to have it all precinct-based
voting (no absentee, which Lynn Landes makes a case for) and to hand
count at the precinct.
As we all know, there are many
problems with any solution. The key will be to find a solution that
gets ordinary citizens fully involved that we can persuade
decisionmakers to embrace. Very tough to do. |
Brant Lamb
BBV Leadership Team
Username: Brantl
Post Number: 618
Registered: 01-2005
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Friday, June 16, 2006 - 10:13 am: |
|
Why
is hash mark releasing a thorny issue? If you can't recreate the ballot
from the hash and you can't tie the ballot to the voter directly, it
would seem that while you could see that a small pool of votes might
have been one cast by an individual, you still couldn't be sure of
which one was cast by which specific individual, unless you've noted
the time that you issued a serial numbered ballot and then that helps
narrow it down some, but still does not directly identify the voter.
Publish an hour's worth of data after two hours elapsed voting then
publish hour-old lumps of hashes thereafter, or when a minimum number
of people have voted since you last published them.
The way
to cheat this method is to make duplicate serial-numbered ballots
before the election and capture the hash for later substitution (of
both the ballot and the hash) for opposition ballots. You also have to
get to the physical ballots or stop comparisons between the ballot
image and the physical ballot. You make sure that likely opposition
voters get the ballot serial number you have a substitute for (probably
by party registration) and the machine has to do a serial number
comparison to find that it's a ballot to subvert and do it as the
ballot is scanned ( there has to be a table of the to-be-substituted
ballots and their data in each machine if it's standalone) , with
physical ballot substitution to take place later.
Dangerous,
risky, pretty complicated, and if you can't complete the physical
ballot substitution, some hashes don't match the actual votes so you'd
have to stop the physical recount and comparison attempts.
This needs complimentary strong, unsubvertable recount laws to stop this kind of fraud.
All
that being said, this is certainly the best scheme that can work with
current equipment that I've heard. If you add a random sampling to
check that hashes are being calculated correctly (voters volunteer to
have the hash re-calculated as a check). If the percentage of error
exceeds .5 %, mandatory manual hand recount, maybe? |
John Washburn
BBV Activist
Username: Johnwashburn
Post Number: 140
Registered: 02-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Friday, June 16, 2006 - 11:26 am: |
|
The
hash realease is a thorny issue because (once the ballot images ARE
released) it is possible to state THIS ballot image was scanned at some
point between Time A and Time B.
This is because the hash value of the ballot image was not released at time A or earlier but WAS release at time B.
Depending
on the traffic at the polling location at the time and the narrowness
of time window this could lead to the reasonable inference of how an
elector cast his ballot.
1) John Washburn is known to have voted at 10:15 am
2) Only one additional hash value was in the 11:00 am batch of hash and not in the hash values releasesd at 10:00 am or prior.
3) that hash value was X
4) there is a ballot image with a hash value of X (actually there MUST be such an image and only ONE such image)
Thus the reasonable inference is John Washburn ballot was this one pictured here. |
Brant Lamb
BBV Leadership Team
Username: Brantl
Post Number: 620
Registered: 01-2005
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Friday, June 16, 2006 - 11:36 am: |
|
That requires extremely low numbers of voters, avoidable as I stated above. |
Mike Myhre
BBV Citizen Watchdog
Username: Mike_myhre
Post Number: 53
Registered: 02-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Friday, June 16, 2006 - 12:15 pm: |
|
I didn't see it mentioned that time was part of the hash.
In
small precincts, the elections officials would probably want to
generate CDs based on the number of voters instead of elapsed time. If
I were making a rule, I would say time or ballot count, whichever is
greater. Some small precincts could go all day before needing to
generate a CD. |
Bev Harris
Board Administrator
Username: Admin
Post Number: 5253
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Friday, June 16, 2006 - 12:18 pm: |
|
Have
gotten very good (but negative) feedback on authenticating ballots with
serial numbers. The proper way to do it and still keep them anonymous
is to have the serial number on a detachable stub. The serial number is
logged for which ballot is given to each voter, creating a one-to-one
inventory. The voter votes, then detaches the serial number and puts it
in one box, and the now-anonymous ballot in another.
Putting the serial number on the ballot image would jeopardize voter privacy, if done this way.
Colorado
handles serial numbers on ballots this way -- Colorado prohibits any
mark on a ballot that could tie a ballot to a voter -- however,
Colorado also allows use of Hart Intercivic scanners which reportedly
use ballots that have an affixed serial number, not detachable, which
violates Colorado law. This issue was taken to court but dismissed.
More thought needs to go into the hash mark timing and to the ballot authentication timing on this solution.
However -- since machines are ALREADY IN USE that produce digital images, we need to get those digital images, don't you agree?
I'll
talk to Hursti about the white paper he's been thinking of writing on
this issue, and this kind of feedback is very helpful. |
Mike Myhre
BBV Citizen Watchdog
Username: Mike_myhre
Post Number: 54
Registered: 02-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Friday, June 16, 2006 - 12:33 pm: |
|
You
definatly want to get the images. Even better if there is a way to
'lock' those images with something like a hash we are much better off.
Who
would be processing the hash on the images? would that be the elections
worker? How accepting are they to running Hursti code on their
machines? If it is an MD5 type encryption, the program may already
exist on the elections computer, it may just be a mater of using it
(simple batch file or script). |
Patrick J. Kobly
BBV Action Crew
Username: Pkobly
Post Number: 26
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Friday, June 16, 2006 - 12:58 pm: |
|
Brant:
You
can tie a hash to a ballot directly. You can tie a group of hashes to a
time period. You can tie a time period to a group of people. Thus, you
can tie a (less than full precinct) group of people to a group of
ballots. If you can tie a couple of hashes to individuals (because,
perhaps, those people were given their hashes to allow for auditing and
they provided you with the hashes), you can get even finer granularity
information about the remaining voters. It's the same issue as with the
toilet paper roll VVPAT.
The problem is it reduces the
granularity that you can identify groups of people to a finer level
than precinct level. One of the challenges that we have up here in the
great white north is "ethnic electioneering." I'm sure you've got
similar issues. There is often a great deal of pressure from leaders of
certain ethnic groups to vote a certain way. If you push 100 people
from one of these groups through the polls at once, you now have more
information about how they voted as a group, which can allow you to
intensify the intimidation.
Remember also, if the hash is not
given to the voter when they vote, its utility as an audit mechanism
goes away. The hash only protects from manipulations that took place
_after_ it was generated and either published or provided to the voter.
Mike:
Time (or sequence, or rough sequence) is implicitly part of the hash due to when and in what order the hash is published.
Bev:
Yes,
given that machines are in use that (can) produce digital images, we
should get those images. However, you seem to be arguing that this
system will allow us to avoid the necessity of doing (or reduce the
negative effects of not doing) either full or sampled hand counts of
the original, physical ballots. You say "This is a 100 percent
audit...But those are getting bogged down right now with arguments over
which statistician has the best audit selection model... Digital ballot
photographs change everything. Simply by releasing 100 percent of the
digital photographs of our ballots, everyone ... gets access to every
ballot photo... The only argument left is how soon the digital ballot
photos have to be released to the public... Here's a way to restore
citizen trust -- quickly, cheaply, in a way that is practical and
efficient for elections officials." I posit that (even with "We should
still have hand audits, publicly and properly selected", which _will_
get cut in any press release / news copy) this undermines the
importance of a count of all or a subset of the original, physical
ballots, in exchange for a count of a translation (that may or may not
be faithful) of said ballots.
Yes, this is an audit over 100
percent of the ballots. This is, however, an audit that covers well
less than %100 of the process. The lesser the manipulations or
translations done to the control data in the audit, the more complete
and conclusive the audit is.
It is _FAR_MORE_IMPORTANT_ to
cover the whole process in an audit than to cover the whole collection
of data (if you can obtain a representative selection of control and
processed data). |
Patrick J. Kobly
BBV Action Crew
Username: Pkobly
Post Number: 27
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Friday, June 16, 2006 - 01:00 pm: |
|
Mike:
The
only way a hash "locks" files is if the hash is published. And it only
provides protection against manipulation subsequent to publication of
the hash. |
Bev Harris
Board Administrator
Username: Admin
Post Number: 5254
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Friday, June 16, 2006 - 01:27 pm: |
|
quote:However,
you seem to be arguing that this system will allow us to avoid the
necessity of doing (or reduce the negative effects of not doing) either
full or sampled hand counts of the original, physical ballots.
No.
I'm saying that JUST doing a sampled hand count will never suffice, in
my book. Doing a sampled hand count in combination with immediate 100%
access to the ballot images gets closer to what is acceptable. |
Mike Myhre
BBV Citizen Watchdog
Username: Mike_myhre
Post Number: 56
Registered: 02-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Saturday, June 17, 2006 - 09:19 am: |
|
Patrick,
Not all hash algorhythms include a time or sequence id. Many will
generate the same hash for the same data every time they are applied.
Including time is necessary if you don't get the hash until a later
time, but that introduces another factor in trusing the time/sequence
source. Immediacy of the hash release eliminates the need for the time
factor.
I agree that publishing the hash is required to
"lock" the files. It would be ideal to get the hash after each vote,
but that would reveal votes. Waiting until the end of the day would
allow too much opportunity for tampering in large precincts. We are
looking for the right middle ground where we guarantee the voters
privacy and have maximum citizen oversight of 100% of the ballots. |
Joseph Hall
BBV Citizen Watchdog
Username: Joehall
Post Number: 96
Registered: 01-2005
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Sunday, June 18, 2006 - 03:51 pm: |
|
I
don't see a link to where to get Votoscope... am I missing something?
What flavor of software license will it be released under? (I also
don't see it on SourceForge with a quick search)
(I only seem to get email on threads to which I've posted to...) |
Patricia Gracian
New BBV Member
Username: Patinsd
Post Number: 1
Registered: 06-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Sunday, June 18, 2006 - 04:54 pm: |
|
Bev,
Would
it be easier to get through obstructionist election officials by
requesting the hard drive where the ballot pictures are stored rather
than stating we want the pictures of the ballots? Perhaps if they do
not know that the hard drive contains these pictures, they will not be
so nervous nor reluctant to release them and perhaps we can get them
easily.
Also, since we in the Busby-Bilbray area could really
benefit from doing what you suggest, could you specify any details you
already know- such as what forms, letters to send, whom to address them
to with cc's to whom? Does one need a lawyer to request such? Can one
specify a deadline or a time requirement for response?
Thanks for any guidance you can provide.
P.S.I
was one of the "Assistant Precinct Inspectors- Equipment" (stupid name)
for the Busby-Bilbray race and so I had 2 of the devil's machines in my
own home. Too bad I was too ignorant to know what to check or
photograph. BUT, I do have the procedures booklet and the training
videotape which could be used by knowledgeable folk to exploit the
procedures for chinks in the obstructionists' armor. Just say the word.
This is the last chance we get for oversight in California because for November Bruce McPherson has our goose cooked.
- Pat |
Nancy Tobi
BBV Action Crew
Username: Ntobi
Post Number: 16
Registered: 01-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Sunday, June 18, 2006 - 08:07 pm: |
|
Bev,
I
am confused about the availability of this option. Do Diebold Accuvote
optical scanners already have this feature enabled (to record the
image) or is this an add-on?
-NT |
Bev Harris
Board Administrator
Username: Admin
Post Number: 5275
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Sunday, June 18, 2006 - 09:43 pm: |
|
Joe
-- We will release the program to the first citizen who gets ballot
images. The current version supports Diebold ballot images.
The initial releases of the software will be beta testing.
We've
discussed the license, frankly, Black Box Voting doesn't want to be in
the business of software distribution/upkeep; we don't want to be in
the middle of reviewing changes, etc. No interest in that, no funding
for that, no infrastructure for that.
So, we first have to
get hold of images and experiment with the concept. As that becomes a
reality we'll need to explore with our membership some ideas for
distributing this and getting out from under the ongoing
responsibilities.
Patricia and Nancy:
Bruce Sims
did some wonderful work earlier in San Diego and helped to determine
that San Diego was not using the Diebold model that produces digital
images.
Diebold has three versions of optical scan machines (2 are basically the same hardware but with a variation in the program):
1. Precinct based optical scanner, using 1.94x and 1.96x firmware. This does not produce digital images.
2.
Central count optical scanner version 2.0.12, which does not produce
digital images. This is basically the same as #1 but does not use
memory cards nor produce a poll tape. It is a highly dangerous method
of scanning ballots because it does not retain any record of the
ballots scanned and is entirely dependent on the GEMS tabulator program
which is not secure.
3. Diebold High Speed Central Count
verion 2.0.12 - This is the model that produces digital images. It is
annoying that Diebold uses the same version number and nearly the same
name for two entirely different machines. Internally, they appears to
call the one without digital images "CC 2.0.12" and the one with
digital images "HSCC 2.0.12"
To find out which is which in
the field, apply the "bigger than a breadbox?" test. The one without
digital images is about 6 inches high, the one with digital images is
about 2 feet high.
I'll post photos at some point, to help people differentiate more easily.
One
more thing: Joe Hall -- you collect our information for projects you
are working on. Yet, in more than a year, I've never seen a single
thing go public.
We're very public here, and don't mind
sharing what we have. Since you've been collecting everything we
provide, can you let us know where we can find all these reports or
projects you are doing with our material? Are you using it for your
work with ACCURATE? |
Brant Lamb
BBV Leadership Team
Username: Brantl
Post Number: 624
Registered: 01-2005
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Monday, June 19, 2006 - 04:59 am: |
|
Patrick said :
"Brant:
You can tie a hash to a ballot directly. You can tie a group of hashes
to a time period. You can tie a time period to a group of people. Thus,
you can tie a (less than full precinct) group of people to a group of
ballots. If you can tie a couple of hashes to individuals (because,
perhaps, those people were given their hashes to allow for auditing and
they provided you with the hashes), you can get even finer granularity
information about the remaining voters. It's the same issue as with the
toilet paper roll VVPAT.
The problem is it reduces the
granularity that you can identify groups of people to a finer level
than precinct level. One of the challenges that we have up here in the
great white north is "ethnic electioneering." I'm sure you've got
similar issues. There is often a great deal of pressure from leaders of
certain ethnic groups to vote a certain way. If you push 100 people
from one of these groups through the polls at once, you now have more
information about how they voted as a group, which can allow you to
intensify the intimidation."
Except I don't see how you're
going to force a substantial group to go through at the same time, Nor
does it nail down exactly who voted when.
Some of the virtue
in this system was that a voter could know the serial number of his
vote and then check it. If you don't have that and substitutions of
ballot information is done on the fly (with physical ballot replacement
to take place later, if necessary) by the cheats, the voter is then
screwed.
If this seems paranoid, remember how hard it was to get physical access to the ballots in Ohio.
Since
the serial number won't be recorded as having been handed to a
particular voter, you can have the poll worker turn around to get the
voter a ballot (off the bottom of the pile) and it gets exchanged
later. If the poll worker can see who signed in and party affiliation
is known, this is easy. Having someone pre-fill out hand filled out
ballot duplicates isn't that hard, then the hash is recorded for
substitution. |
Nancy Tobi
BBV Action Crew
Username: Ntobi
Post Number: 17
Registered: 01-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Monday, June 19, 2006 - 05:28 am: |
|
Thanks
for this clarification. NH just approved the use of 1.94 (I know, I
know - even after the Hursti hack and the supporting MacPherson
report).
So here are my questions:
1. Is there any way the 1.94/1.96 could be upgraded to support this feature?
2.
What -- if any -- are the implications of using a central count system
for precinct-based election administration (NH counts at the polling
place)?
3. Is there any legal basis -- consumer protection or
otherwise (short of passing new state legislation or other
requirements) -- for requiring a swap from the vendor if our current
model doesn't support this feature?
4. Any other thoughts/ideas for those of us stuck with the da*n 1.94s?
-----------------
Diebold has three versions of optical scan machines (2 are basically the same hardware but with a variation in the program):
1. Precinct based optical scanner, using 1.94x and 1.96x firmware. This does not produce digital images.
2.
Central count optical scanner version 2.0.12, which does not produce
digital images. This is basically the same as #1 but does not use
memory cards nor produce a poll tape. It is a highly dangerous method
of scanning ballots because it does not retain any record of the
ballots scanned and is entirely dependent on the GEMS tabulator program
which is not secure.
3. Diebold High Speed Central Count
verion 2.0.12 - This is the model that produces digital images. It is
annoying that Diebold uses the same version number and nearly the same
name for two entirely different machines. Internally, they appears to
call the one without digital images "CC 2.0.12" and the one with
digital images "HSCC 2.0.12" |
Bev Harris
Board Administrator
Username: Admin
Post Number: 5280
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Monday, June 19, 2006 - 07:06 am: |
|
Nancy:
quote:So here are my questions:
1. Is there any way the 1.94/1.96 could be upgraded to support this feature?
I don't believe so. The whole system is different -- hardware and firmware.
quote:2.
What -- if any -- are the implications of using a central count system
for precinct-based election administration (NH counts at the polling
place)?
We've
been giving some thought to that. The precinct count system is
significantly better. The Hart Intercivic optical scan provides digital
images both at the precinct and at central count, but the Diebold
precinct count models do not have digital images -- only their High Speed Central Count machine.
If using the Diebold HSCC 2.0.12 system, you would treat the precinct voting the old fashioned way:
1) Vote on paper ballots at the precinct. Put the ballots into ballot boxes.
2)
Do a well designed hand count spot check audit while still at the
precinct. Bruce O'Dell and Jonathan Simon have been developing models
that are very interesting, in this regard.
3) Bring the
ballots to the central location(under tight chain of custody and this
is traditionally an attack point that is inadequately protected)
4)
Under full citizen oversight and tight chain of custody, run all the
ballots through the High Speed Central Count machine. Immediately
release DVD with ballot images.
Note that the hash code
system which is being discussed in this thread by tech types is NOT
available at this time in any of the voting machines.
Even
without the additional protection of hash codes, the system is
implementable right now, and especially with a robust hand count audit
at the precinct, would be significantly more secure that what we've got
going right now.
quote:3.
Is there any legal basis -- consumer protection or otherwise (short of
passing new state legislation or other requirements) -- for requiring a
swap from the vendor if our current model doesn't support this feature?
Yes.
1) The machines have been misrepresented by the vendor.
2) The machines don't meet FEC standards.
Consumer protection law, exactly the same kind of case one would use if a car has a gas tank that explodes.
In
fact, in a sane world, these machines would already have been pulled
off the shelves. Instead, they are doing the equivalent of telling
everyone to drive a car with an exploding gas tank hoping there won't
ever be an accident.
quote:4. Any other thoughts/ideas for those of us stuck with the da*n 1.94s?
Yes.
Nancy, I'm going to enable you for a private area, "Solutions Group 1"
and we can discuss some other ideas there. I have a couple ideas
specifically for New England. |
Joseph Hall
BBV Citizen Watchdog
Username: Joehall
Post Number: 97
Registered: 01-2005
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Monday, June 19, 2006 - 09:50 am: |
|
Hi Bev, I keep a list of all papers and presentations I give here:
http://josephhall.org/HallJosephResume.html#publications
http://josephhall.org/HallJosephResume.html#presentations
The most recent additions that are likely to cite work that BBV has been a part of are the following:
Joseph
Lorenzo Hall, Transparency and Access to Source Code in E-Voting
(forthcoming) in USENIX/ACCURATE Electronic Voting Technology Workshop
(2006). available at: http://josephhall.org/papers/jhall_evt06.pdf
Joseph
Lorenzo Hall, "Background on Recent Diebold Election Systems, Inc.
(DESI) Vulnerabilities". NCVI Briefing for Congressmembers and Staff;
United States Congress (2006). available at: http://josephhall.org/papers/DESI_vulns_background_briefing-20060607.pdf
Erica
Brand, Cecilia Walsh, Joseph Lorenzo Hall and Deirdre K. Mulligan,
Public Comment on the 2005 Voluntary Voting System Guidelines;
Submitted to the Election Assistance Commission on behalf of ACCURATE
and listed affiliates by the Samuelson Law, Technology and Public
Policy Clinic. available at: http://josephhall.org/papers/2005_vvsg_comment.pdf
That's
just work that I've been a part of... I don't know off the top of my
head if other ACCURATE work cites BBV or the Hursti reports, but I can
imagine that they do.
The reason I ask about licensing and
availability of the votoscope code is that I wonder if it's currently
designed modularly... that is, so that someone who gets a batch of,
say, Hart ballot images could write a module that would work with Hart
images. I could probably have answered that question myself by looking
at the code, but I realized I didn't have the code an couldn't easily
find it.
As for the licensing question, I offer to help you
choose a licensing strategy (BSD, GPL, dual-licensed, etc.) as well as
talk about who might be able to be a project manager for votoscope
(that's the person that would have to make the decisions about what to
commit to new versions of the code). The great thing about choosing the
right license is that if someone doesn't like the decisions of the
project manager, they're free to "fork" the code and develop it in
whatever way they wish... this encourages working things out but also
leaves an option for someone who has very different ideas about where
the software development should go.
Sorry to be so long-winded. |
Bev Harris
Board Administrator
Username: Admin
Post Number: 5290
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Monday, June 19, 2006 - 10:09 am: |
|
Joe,
Thanks
for the valuable input on all fronts. Some of what's going on with
Votoscope is being vetted out in private forums here. What I'd like to
do is have you email me privately (bev at blackboxvoting.org) with a
short list of individuals you think would be productive in this regard.
You have identified exactly the issues we need to address. In
other private solutions groups (mostly through teleconferences so far)
we have been working on the strategic issues and the public policy
issues regarding use of the machines and obtaining the images,
respectively.
A whole other issue is the licensing, project
management and distribution. I think it is correct to say that the
VotoScope concept is a baby that Hursti and BBV gave birth to, but we
are willing to give it up for adoption because BBV itself does not have
the infrastructure to do this properly.
The ongoing care and
feeding of it needs to be vetted out by a group, and I would of course
want Hursti to be a key part of any decisionmaking on this. I will set
up a specialized and private workspace for this and would certainly
like for you to be involved. |
Joseph Hall
BBV Activist
Username: Joehall
Post Number: 106
Registered: 01-2005
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Thursday, July 20, 2006 - 08:41 am: |
|
Hi Bev and others, I never heard back on this. I'd be interested in your answers to the following questions, when available:
-Under what license will you be offering the Votoscope code to a party who have tiff ballot data?
-If
someone has complete ballot data for a county, by what procedure would
you go about offering the Votoscope software for analysis? |
Bev Harris
Board Administrator
Username: Admin
Post Number: 5416
Registered: 12-2004
Best of Black Box?
Votes: 4 (A keeper?) | | Posted on Friday, July 21, 2006 - 06:58 am: |
|
First,
let's end the secret society business. Then we'll cooperate with you,
when your group is showing the public face and the accountability that
is expected of the election reform community.
Joe, you, John
Gideon, and selected others are a member of the private "Quixote
Group," which has been operating for nearly three years now, and has
attempted to wrest the diverse "swarm" of leaders in the U.S. into one
set of individuals who are compliant with a private agenda. Those who
aren't on the right page are marginalized, discredited, shunned, or
blackballed.
Please provide a written description of the
secret society called the Quixote Group -- the set of individuals who
are funded by the Quixote Foundation who have been working on a
specific agenda that they do not reveal.
Is it true that the Quixote Group private club will soon be going by the name "EVN" (The Electronic Voting Network)?
Is that a nonprofit entity?
Wbo are its directors?
What is its mission?
Please
provide a description of the agenda and strategy of the private club
called the Quixote Group / EVN of which you are a part.
Who are its members?
Why is it a secret?
Is it true that in order to get into this secret society one must be "nominated" by the other secret members, then voted on?
Is
it true that one of the criteria for becoming nominated into the secret
club is that the person will not bring in an opposing point of view?
Is there a nondisclosure agreement in relation to your activities?
Why can't the election reform community debate the merits of your master plan in public?
It
appears to me that this entity is designed to put forth an agenda that
is not properly vetted among the election reform community.
You come here and harvest our materials -- that's basically what you do. Well, they are available to the public.
But
how do you explain the existence of a private club, with no one who can
be held accountable, accessible only through invitations and a secret
handshake, which is amassing financial support and cherry-picking
leaders in election reform with no public accountability whatsoever?
The
Quixote Foundation is invested in things like Halliburton, Eli Lilly,
and -- yes -- Diebold. I assume that they are a plaintiff in the
Diebold stockholder suits.
Is this part of the secret and private think tank set that the Washington Post recently reported on?
What
role has the Quixote organization had in the swiftboat campaigns
against those in election reform who represent a threat to the private
agenda?
Am I correct in my understanding that this secret and
never publicly vetted strategy is heavy on keeping technology in the
mix, heavy on legislation like Rush Holt, relies on certain types of
litigation (but only when it keeps technology in the solution), and
works privately with a few candidates?
That any activist organization or individual which favors hand counted paper ballots is a target?
That
the Quixote organization was involved in attempting to sabotage the
original Votergate film, preventing it from ever coming out unless it
capitulated to the Quixote "solutions"?
How much interaction has your group had with the vendor lobbying group, the ITAA?
Is
it true that a member of your group obtained and leaked the information
Hursti II report without authorization, BEFORE we released it, to all
the members of the Quixote List?
Please provide any and all
connections, communications, strategy, planning, or support of David
Allen, Roxanne Jekot, or Democratic Underground.
Please describe whether Jim Adler or Votehere has ever played any role in the Quixote endeavors.
Provide
the accountability of this group at this time, including its
governance, its solution agenda, its financials and its key members.
You
have not been forthcoming with us. You have never described your role
in the Quixote organization, or what it is, or what it is using our
materials for.
We are not interested in assisting any secret
society, private club, or secret agenda, particularly when we have
learned that it has been involved in attempts to control and manipulate
the message, and/or "swiftboat" campaigns.
Is it true that
there are two levels of planning and information sharing -- one which
invited members know about and another at a more senior level, which
most participants of the Quixote list are not aware of?
Is
Quixote involved in blackballing actions to prevent the hand counted
paper ballots people from being invited to or participating in national
conferences?
I'm sure some of what's being said about the
secret Quixote Group think tank is misinformation. It's hard to know
when the whole thing relies on a secret handshake, though, isn't it?
Now is a good time to go public or expect more intensive examination of the agenda and people behind this group.
* * * * *
"We're counting the votes. Get over it."
Be
part of the solution: Please sign up for the NATIONAL HAND COUNT
REGISTRY: Go to Home Page - Hand Count Registry is right above lead
story
Make November elections the biggest evidence gathering
action ever. EVIDENCE = videotape, audiotape and photos. Come prepared.
This time, focus on the COUNTING not just the voting.
|
Catherine Ansbro
BBV Leadership Team
Username: Catherine_a
Post Number: 3070
Registered: 12-2004
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Friday, July 21, 2006 - 09:35 am: |
|
This
is dreadful, if true. It would certainly begin explain a lot (e.g., the
unbelievable attacks that BBV, Bev Harris and others have endured).
Having
a double-tiered structure makes sense, with a relatively small group of
trusted insiders being privy to more information about the full agenda
than the general membership is. It would also give plausible
deniability to the general membership who would only be aware of part
of the picture.
I wonder if many/all members of ACCURATE are involved in the Quixote group. |
Brant Lamb
BBV Leadership Team
Username: Brantl
Post Number: 717
Registered: 01-2005
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Friday, July 21, 2006 - 10:08 am: |
|
Where can we read up on this, Bev? Why do you think Joseph Hall and John Gideon are part of this? |
Nancy Tobi
BBV Action Crew
Username: Ntobi
Post Number: 21
Registered: 01-2006
Best of Black Box? N/A
Votes: 0 (A keeper?) | | Posted on Friday, July 21, 2006 - 10:31 am: |
|
I
don't know about Quixote or any of this stuff, but ACCURATE seems to me
to be a highly integritous group. I admire their work and their
approach. Don't know why you would lump them in with anything you view
as questionable. |
| | |
