A long form look on the Estonian iVoting experience and our thoughts on why it’s not feasible here at home.
…not much we think.
Yesterday’s news of Microsoft co-founder billionaire Paul Allen’s investing $40M in the Spanish election technology company Scytl is validation that elections remain a backwater of innovation in the digital age.
But it is not validation that there is a viable commercial market for voting systems of the size typically attracting venture capitalists; the market is dysfunctional and small and governments continue to be without budget.
And the challenge of building a user-friendly secure online voting system that simultaneously protects the anonymity of the ballot is an interesting problem that only an investor of the stature of Mr. Allen can tackle.
We think this illuminates a larger question:
To what extent should the core technology of the most vital aspect of our Democracy be proprietary and black box, rather than publicly owned and transparent?
To us, that is a threshold public policy question, commercial investment viability issues notwithstanding.
To be sure, it is encouraging to see Vulcan Capital and a visionary like Paul Allen invest in voting technology. The challenges facing a successful elections ecosystem are complex and evolving and we will need the collective genius of the tech industry’s brightest to deliver fundamental innovation.
We at the TrustTheVote Project believe voting is a vital component of our nation’s democracy infrastructure and that American voters expect and deserve a voting experience that’s verifiable, accurate, secure and transparent. Will Scytl be the way to do so?
The Main Thing
The one thing that stood out to us in the various articles on the investment was Scytl’s comments and assertions of their security with international patents on cryptographic protocols. We’ve been around the space of INFOSEC for a long time and know a lot of really smart people in the crypto field. So, we’re curious to learn more about their IP innovations. And yet that assertion is actually a red herring to us.
Here’s the main thing: transacting ballots over the public packet switched network is not simply about security. It’s also about privacy; that is, the secrecy of the ballot. Here is an immutable maxim about the digital world of security and privacy: there is an inverse relationship, which holds that as security is increased, privacy must be decreased, and vice versa. Just consider any airport security experience. If you want maximum security then you must surrender a bunch of privacy. This is the main challenge of transacting ballots across the Internet, and why that transaction is so very different from banking online or looking at your medical record.
And then there is the entire issue of infrastructure. We continue to harp on this, and still wait for a good answer. If by their own admissions, the Department of Defense, Google, Target, and dozens of others have challenges securifying their own data centers, how exactly can we be certain that a vendor on a cloud-based service model or an in-house data center of a county or State has any better chance of doing so? Security is an arms race. Consider the news today about Heartbleed alone.
Oh, and please for the sake of credibility can the marketing machinery stop using the phrase “military grade security?” There is no such thing. And it has nothing to do with an increase in the 128-bit encryption standard RSA keys to say, 512 or 1024 bit. 128-bit keys are fine and there is nothing military to it (other than the Military uses it). Here is an interesting article from some years ago on the sufficiency of current crypto and the related marketing arms race. Saying “military grade” is meaningless hype. Besides, the security issues run far beyond the transit of data between machines.
In short, there is much the public should demand to understand from anyone’s security assertions, international patents notwithstanding. And that goes for us too.
The Bottom Line
While we laud Mr. Allen’s investment in what surely is an interesting problem, no one should think for a moment that this signals some sort of commercial viability or tremendous growth market opportunity. Nor should anyone assume that throwing money at a problem will necessarily fix it (or deliver us from the backwaters of Government elections I.T.). Nor should we assume that this somehow validates Scytl’s “model” for “security.”
Perhaps more importantly, while we need lots of attention, research, development and experimentation, the bottom line to us is whether the outcome should be a commercial proprietary black-box result or an open transparent publicly owned result… where the “result” as used here refers to the core technology of casting and counting ballots, and not the viable and necessary commercial business of delivering, deploying and servicing that technology.
Long lines at the polling place are becoming a thorn in our democracy. We realized a few months ago that our elections technology framework data layer could provide information that when combined with community-based information gathering might lessen the discomfort of that thorn. Actually, that realization happened while hearing friends extol the virtues of Waze. Simply enough, the idea was crowd-sourcing wait information to at least gain some insight on how busy a polling place might be at the time one wants to go cast their ballot.
Well, to be sure, lots of people are noodling around lots of good ideas and there is certainly no shortage of discussion on the topic of polling place performance. And, we’re all aware that the President has taken issue with it and after a couple of mentions in speeches, created the Bauer-Ginsberg Commission. So, it seems reasonable to assume this idea of engaging some self-reporting isn’t entirely novel.
After all, it’s kewl to imagine being able to tell – in real time – what the current wait time at the polling place is, so a voter can avoid the crowds, or a news organization can track the hot spots of long lines. We do some "ideating" below but first I offer three observations from our noodling:
- It really is a good idea; but
- There’s a large lemon in it; yet
- We have the recipe for some decent lemonade.
Here’s the Ideation Part
Wouldn’t it be great if everybody could use an app on their smarty phone to say, “Hi All, it’s me, I just arrived at my polling place, the line looks a bit long.” and then later, “Me again, OK, just finished voting, and geesh, like 90 minutes from start to finish… not so good,” or “Me again, I’m bailing. Need to get to airport.”
And wouldn’t it be great if all that input from every voter was gathered in the cloud somehow, so I could look-up my polling place, see the wait time, the trend line of wait times, the percentage of my precinct’s non-absentee voters who already voted, and other helpful stuff? And wouldn’t it be interesting if the news media could show a real time view across a whole county or State?
Well, if you’re reading this, I bet you agree, “Yes, yes it would." Sure. Except for one thing. To be really useful it would have to be accurate. And if there is a question about accuracy (ah shoot, ya know where this is going, don-cha?) Yes, there is always that Grinch called “abuse.”
Sigh. We know from recent big elections that apparently, partisan organizations are sometimes willing to spend lots of money on billboard ads, spam campaigns, robo-calls, and so on, to actually try to discourage people from going to the polls, within targeted locales and/or demographics. So, we could expect this great idea, in some cases, to fall afoul of similar abuse. And that’s the fat lemon.
But, please read on.
Now, we can imagine some frequent readers spinning up to accuse us of wanting everything to be perfectly secure, of letting the best be the enemy of the good, and noting that nothing will ever be accomplished if first every objection must be overcome. On other days, they might be right, but not so much today.
We don’t believe this polling place traffic monitoring service idea requires the invention of some new security, or integrity, or privacy stuff. On the other hand, relying on the honor system is probably not right either. Instead, we think that in real life something like this would have a much better chance of launch and sustained benefit, if it were based on some existing model of voters doing mobile computing in a responsible way that’s not trivial to abuse like the honor system.
And that led us to the good news – you see, we have such an existing model, in real life. That’s the new ingredient, along with that lemon above, and a little innovative sugar, for the lemonade that I mentioned.
Stay tuned for Part 2, and while waiting you might glance at this.
Slate Magazine posted an article this week, which in sum and substance suggests that trade secret law makes it impossible to independently verify that voting machines are working correctly. In short, we say, "Really, and is this a recent revelation?" Of course, those who have followed the TrustTheVote Project know that we've been suggesting this in so many words for years. I appreciate that author David Levine refers to elections technology as "critical infrastructure." We've been suggesting the concept of "critical democracy infrastructure" for years.
To be sure, I'm gratified to see this article appear, particularly as we head to what appears to be the closest presidential election since 2000. The article is totally worth a read, but here is an excerpt worth highlighting from Levine's essay:
The risk of the theft (known in trade secret parlance as misappropriation) of trade secrets—generally defined as information that derives economic value from not being known by competitors, like the formula for Coca-Cola—is a serious issue. But should the “special sauce” found in voting machines really be treated the same way as Coca-Cola’s recipe? Do we want the source code that tells the machine how to register, count, and tabulate votes to be a trade secret such that the public cannot verify that an election has been conducted accurately and fairly without resorting to (ironically) paper verification? Can we trust the private vendors when they assure us that the votes will be assigned to the right candidate and won’t be double-counted or simply disappear, and that the machines can’t be hacked?
Well, we all know (as he concludes) that all of the above have either been demonstrated to be a risk or have actually transpired. The challenge is that the otherwise legitimate use of trade secret law ensures that the public has no way to independently verify that voting machinery is properly functioning, as was discussed in this Scientific American article from last January (also cited by Levine.)
Of course, what Levine is apparently not aware of (probably our bad) is that there is an alternative approach on the horizon, regardless of whether the government ever determines a way to "change the rules" for commercial vendors of proprietary voting technology with regard to ensuring independent verifiability.
As a recovering IP lawyer, I'll add one more thing we've discussed within the TrustTheVote Project and the Foundation for years: this is a reason that patents -- including business method patents -- are arguably helpful. Patents are about disclosure and publication, trade secrets are, by definition, not. Of course, to be sure, a patent alone would not be sufficient because within the intricacies of a patent prosecution there is an allowance that only requires partial disclosure of software source code. Of course, "partial disclosure" must meet a test of sufficiency for one "reasonably skilled in the art" to "independently produce the subject matter of the invention." And therein lies the wonderful mushy grounds on which to argue a host of issues if put to the test. But ironically, the intention of partial code disclosure is to protect trade secrets while still facilitating a patent prosecution.
That aside, I also note that in the face of all the nonsense floating about in the blogosphere and other mainstream media whether about charges of Romney's ownership interest in voting machinery companies being a pathway to steal an election or suggesting a Soros-Spanish based voting technology company's conspiracy to deliver tampered tallies, Levine's article is a breath of fresh air deserving the attention ridiculously lavished on these latest urban myths.
Strap in... T-12 days. I fear a nail biter from all view points.
Some feedback on a couple recent blogs showed that I didn't do such a great job on defining how our OVR work creates public benefit. So let me try again, with thanks to a canny reader who pointed out the subtlety involved. But first, let me restate what our OVR work is: online voter registration assistance technology for NGOs like RockTheVote and government organizations like state and local boards of election. Through our work with RockTheVote, a large and expanding number of good government groups and other NGOs can quickly get an OVR system of their own, without deploying software or operating computers; and some can take advantage of options to largely re-work the appearance of the OVR web application, and/or integrate with mobile clients and social media. We're also helping drive registrants to the government organizations as well, for those states with strong online voter registration systems, who have requested that the Rocky OVR system give users the option of registering with the state board of elections. Then, out at the bleeding edge, it is even possible for local or state election officials to piggyback on the OVR system to have their own 100% election-official-managed online voter registration assistance system, with the same look and feel as other county or state web sites, and all without any procurement or deployment.
So, fair enough, we're the technology provider in a mix of many organizations who either want to help people register to vote (NGOs) or have a basic mission of helping people register -- county registrars and state election officials. So where is the public benefit? And where is the subtlety that I mentioned? Many people would say that in a broad way, the public as a whole benefits when more eligible voters are registered and participate in elections -- but not all. In fact, that is a political issue that we at OSDV want to steer clear of, especially given the political conflicts between some, who wish to aggressively register people in droves and who are more concerned about participation than eligibility, and others who are concerned about possible fraud and are more concerned about eligibility than participation. The debate about voter registration practices goes from one extreme where an election is tainted if it seems that a single eligible voter was barred from participation, to the other extreme where an election is tainted if there is a suspicion about a single ineligible person having cast a ballot.
So where do public benefits arise separately from these political issues? In a word: access, from a citizen perspective; and duty, from an election official perspective. Every eligible citizen deserves and is entitled to access to elections. It is the duty of election officials to provide that access to the eligible citizens who demand access, and to fairly and expeditiously assess every request for eligibility. Whether or not one is a fan of voter registration drives, or of voter roll purging, there is this shared value: eligible citizens who are trying to participate in elections should not have the access blocked by election officials. Yet in many cases that does occur because well-meaning public officials simply lack the resources, staff, or budget to be responsive to citizen needs. In OSDV's wheel-house, the lack that we address is lack of election technology, or lack of an effective way to acquire and deploy relevant technology.
And the technology angle is particularly important for younger citizens, who have been using computers and smart phones for practically everything for their whole lives. And network and mobile technology is in fact appropriate for registration and all manner of other voter services -- unlike voting which has unique anonymity and integrity requirements -- and so people expect it. Many election officials use technology to help them more effectively carry out their duties, meeting those expectations -- including those relating to voter registration. But for other election officials, there is a gap between what they need, and what they are actually able to do within limitations of budget, procurement, staff; or products that simply don't provide the functions appropriate to their jurisdiction. So the gap has multiple dimensions, but across them all, government officials are doing less than they could, in performance of their duties to provide election access to those who are actively seeking it and are eligible.
So when we or anyone else helps to fill that gap with new or better or more available technology, then we have enabled public benefit: election officials can do more in spite of having less resources every year; entitled voters can vote; and thirdly and often overlooked, good government groups and watchdog agencies have more visibility to assess how well the election officials really are doing their job. And that third factor is quite important. Just look at the horror-show of suspicion, vituperation, conspiracy theory, litigation, and Internet-speed dis- or mis-information that spun up recently in Tallahassee and Memphis and elsewhere, over removal of people from voter rolls. It may be that nefarious people really were rigging the poll books, or it may be the electronic voter records are in significant disarray, or it may be voter record databases are antique and prone to administrative error. But we'll never really know. Resource constrained election organizations, that run old election technology with demonstrated flaws, and little or no self-record-keeping, find it extremely difficult to demonstrate to interested and entitled observers, exactly what is going on inside the computers, when one of these election year firestorms brews up.
And when the firestorm is big enough, it essentially prevents election officials from delivering on a fundamental duty: performing accurate and trustworthy elections. In other words, those firestorms are also a detriment to public confidence in elections. We, in addition to helping election officials perform their duties, are also passionate about delivering technology that can help with the transparency that's part of firestorm prevention, and reducing their public detriment.
And lastly that brings me to a related point for another day: how the technology that we're developing now can help deliver that transparency, along with the improvement in the technical infrastructure for U.S. elections. The next chunk is still in the oven, but I really look forward to sharing it here, when it is fully baked.
Here is some interesting news from Spokane WA, where ballot counting has been seriously delayed because election officials are hand copying tens of thousands of ballots. It's an interesting lesson in how vote-by-mail (Spokane is an all-VBM county in WA) creates higher operational requirements for accountability, transparency, and election integrity. Some readers may not be familiar with the practice of hand-copying VBM ballots, and ask: what's going on? The situation is that for some reasons (read the news article for speculation on why), thousands of Spokane voters did not follow instructions on marking their ballot, for example, putting a check mark over a bubble rather than filling the bubble. If a paper ballot has even one of these mistakes anywhere, the ballot can't be machine counted -- the optical counting device kicks the ballot back out. And because this is vote-by-mail where the voter is not present during counting, there is no voter to ask to re-do the ballot. Instead, local election officials (LEOs) have to simply guess what the voter meant.
This is called "interpreting the voter's intent" in order to count every vote that the LEOs think that the voter cast on the ballot. After making such an interpretation of a ballot, an LEO marks a new blank ballot, copying all the voter's marks to tidy filled-in bubbles that the scanners will count. After all the uncountable ballots have been copied to a countable ballot-copy, the voting counting can finally proceed.
I've said many times that election technology should provide (and as our efforts at TTV bear fruit, will provide) support for such interpretation, and do so with as much logging and transparency as possible. I think that most people would agree that confidence in an election result depends in part on knowing how many votes were created by LEOs on behalf of a voter, rather than the mark of a voter that is so unambiguous that a machine can recognize it. Such automation might also reduce the need for laborious copying, preserving for all to see, an image of the original ballot together with the interpretation provided by LEOs during the counting process.
But the scale of Spokane operation really has me squirming. Tens of thousands! I mean, sure, I believe that the process is being done diligently, with intense scrutiny by people independent of the LEOs (members of the public, good government groups, political party people). But over days and days of efforts, under pressure to get the election results out, I fear that exhaustion and human error may take a toll. And unless the public (or at least auditors) have access to each ballot in all 3 forms (what the voter provided, what an LEO transcribed, what the scanner counted) it is going to be very hard to determine whether this large-scale transcription process introduced errors. If this process were happening, for example, in New York with several very close contests, I could see people pushing for hand re-count. Let's hope that in WA the margins of victory are larger than the errors that could have been introduced by transcription.
And in the meantime, I wish the best to Spokane LEOs plowing through this mound of uncountable paper, and I continue to squirm, wishing we had already finished the TTV central-count technology that could really help today.
It should come as no surprise that this month's election activities included claims of voting machine malfunction and related investigation and litigation. In many parts of the U.S., the voting systems used this month are the same flakey systems that in the past have created controversy and legal wrangling. (I promise to define "flakey".) But are there new lessons learned? Or is this more of the same underwhelming voting technology experience that observers have come to expect? I think that, yes, there are new lessons learned. North Carolina is the source for one set of teachable remarks, shown in two statements made in the context of North Carolina's voting machine controversy in this election.
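The cross-check argued for in the Spokane post above, sketched as an added example (not TrustTheVote Project code): each hand-duplicated ballot keeps a link to the preserved original, the LEO's transcription, and the scanner's record of the copy, and the audit reports disagreements plus contests where LEO-interpreted votes reach the margin of victory. The record layout, field names, contest names and sample data are constructed assumptions.

```python
"""Reconcile hand-duplicated ballots across their three forms (illustrative layout)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class DuplicatedBallot:
    ballot_id: str
    # Reference to the preserved image of what the voter provided (None = lost).
    original_image_ref: Optional[str]
    # contest -> (choice the LEO copied, True if the mark needed interpretation)
    transcribed: Dict[str, Tuple[Optional[str], bool]] = field(default_factory=dict)
    # contest -> choice the scanner recorded from the ballot copy
    scanned: Dict[str, Optional[str]] = field(default_factory=dict)


def reconcile(ballots):
    """Return (problems, interpreted).

    problems    : list of (ballot_id, contest or None, description)
    interpreted : Counter of contest -> counted votes that exist only because
                  an LEO interpreted an ambiguous mark
    """
    problems = []
    interpreted = Counter()
    for b in ballots:
        if not b.original_image_ref:
            problems.append((b.ballot_id, None, "no preserved original ballot image"))
        if not b.scanned:
            # The copy never reached the tally, so nothing on it was counted.
            problems.append((b.ballot_id, None, "copy was never scanned"))
            continue
        for contest, (choice, needed_interpretation) in b.transcribed.items():
            if needed_interpretation:
                interpreted[contest] += 1
            counted = b.scanned.get(contest)
            if counted != choice:
                problems.append((b.ballot_id, contest,
                                 f"transcribed {choice!r}, scanner counted {counted!r}"))
        for contest in sorted(b.scanned.keys() - b.transcribed.keys()):
            problems.append((b.ballot_id, contest,
                             "scanner counted a contest missing from the transcription log"))
    return problems, interpreted


def contests_within_reach(interpreted, margins):
    """Contests where interpreted votes are at least as large as the margin.

    A contest with no reported margin is flagged too, since it cannot be ruled out.
    """
    flagged = []
    for contest, n in interpreted.items():
        if contest not in margins or n >= margins[contest]:
            flagged.append(contest)
    return sorted(flagged)


# Constructed sample: four duplicated ballots and two reported margins of victory.
SAMPLE = [
    DuplicatedBallot("B-0001", "img/constructed-0001",
                     {"Mayor": ("Alice", True), "Measure 1": ("Yes", False)},
                     {"Mayor": "Alice", "Measure 1": "Yes"}),
    DuplicatedBallot("B-0002", "img/constructed-0002",
                     {"Mayor": ("Bob", True), "Measure 1": ("No", True)},
                     {"Mayor": "Alice", "Measure 1": "No"}),   # copy disagrees with log
    DuplicatedBallot("B-0003", None,
                     {"Mayor": ("Bob", False)}, {"Mayor": "Bob"}),
    DuplicatedBallot("B-0004", "img/constructed-0004",
                     {"Mayor": ("Alice", True)}, {}),
]
MARGINS = {"Mayor": 2, "Measure 1": 40}

if __name__ == "__main__":
    found, interp = reconcile(SAMPLE)
    for ballot_id, contest, what in found:
        print(f"{ballot_id} [{contest or 'ballot'}]: {what}")
    print("interpreted votes per contest:", dict(interp))
    print("contests where interpretation could decide the result:",
          contests_within_reach(interp, MARGINS))
```

A check like this only shows that the copy and the scanner agree with the LEO's log; whether the log matches the voter's mark still requires a person to look at the preserved original.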
The background is that in some parts of NC there were numerous reports of touch-screen voting machines apparently malfunctioning, swapping voter selections from what the voter intended, to selections that they hadn't made. (Some people call this "vote flipping" but I find it to be a misleading term that doesn't cover the extensive range of odd touch-screen behavior.) The NC RNC claimed that these glitches seemed to favor Democratic candidates over Republican candidates, and started some interesting litigation.
The first notable statement was from NC GOP chair Tom Fetzer in the context of starting the litigation:
We cannot have an election where voters in counties where the machines are used have less confidence that their votes are being accurately counted than in counties where optical scan ballots are used …
The second is from Johnnie McLean, deputy director of the State Board of Elections, at the conclusion of the litigation:
I hope this is the end of the issue. We have every confidence in the voting systems North Carolina has and I've seen no evidence that we should feel differently.
I really find these to be curious statements that nevertheless cast some new light on the existing decades-old touch screen systems. With respect to Mr. Fetzer, I don't think that one kind of voting machine is inherently more reliable than another -- though people may have a more confident feeling about one over the other. Both the optical scanners and the touch-screen DREs are computers running software with bugs, and it's possible that either could be mis-counting votes. Both can and should be cross-checked in the same way with statistical audits using hand-counting of either the scanned paper ballots, or the paper record produced by the DRE.
Old news: every kind of voting machine is a computer that should not be blindly trusted to operate correctly. New news: that fact is not altered if some people think that one system is more flakey than others. With respect to Ms. McLean, people will unavoidably "feel differently" if they see touch screens mis-behaving.
Next time … "flakey" defined, and a full response to Ms. McLean.
A couple of weeks ago I presented at OSCON and during the conference had an opportunity to sit down with Mac Slocum, Managing Editor for the O’Reilly Radar. We had about a half-hour conversation, ~20 minutes of which we covered on camera. You can find it here if you want to watch me jaw. But perhaps simpler below, I’ve listened to the tape, and captured the essence of my answers to Mac’s questions about what the Foundation is about and working on and the like. I promised Matt Douglass, our Public Relations Director, I’d get this up for interested followers; I apologize it took me a couple of weeks. So, here it is; again not an official transcript, but a compilation of my answers after watching and listening to the video interview about a dozen times (so you don't have to) combined with my recollection as close as I recall my remarks – expressed and intended.
O’Reilly: How are voting systems in the U.S. currently handled? In other words, where do they come from; procurement process; who decides/buys; etc.?
Miller: Voting systems are currently developed and delivered by proprietary systems vendors, and procured by local election jurisdictions such as counties and townships. The States' role is to approve specific products for procurement, often requiring products to have completed a Federal certification process overseen by the EAC. However, the counties and local elections jurisdictions make the vast majority of elections equipment acquisition decisions across the country.
O’Reilly: So how many vendors are there? Or maybe more to the point, what's the state of the industry; who are the players; and what’s the innovation opportunity, etc.?
Miller: Most of the U.S. market is currently served by just 3 vendors. You know, as we sit here today, just two vendors control some 88% of America’s voting systems infrastructure, and one of them has a white-knuckled grip on 75% of that. Election Systems and Services is the largest, after having acquired Premier Systems from its parent company, Diebold. The DoJ interceded on that acquisition under a mandatory Hart-Scott-Rodino Act review to consider potential anti-trust issues. In their settlement with ES&S, the Company dealt off a portion of their technology (and presumably customers) to the Canadian firm Dominion Systems. Dominion was a small player in the U.S. until recently when it acquired those technology assets of Premier (as part of the DoJ acquisition), and acquired the other former market force, Sequoia. And that resulted in consolidating approximately 12% of the U.S. market. Most of the remaining U.S. market is served by Hart-Intercivic Systems.
On the one hand, I’d argued that the voting systems marketplace is so dysfunctional and malformed that there is no incentive to innovate, and at worst, there is a perverse disincentive to innovate and therefore really not much opportunity. At least that’s what we really believed when we started the Foundation in November 2006. Seriously, for the most part any discussion about innovation in this market today amounts to a discussion of ensuring spare parts for what’s out there. But really what catalyzed us was the belief that we could inject a new level of opportunity… a new infusion of innovation. So, we believe part of the innovation opportunity is demonstrated by the demise of Premier and Sequoia and now the U.S. elections market is not large or uniform enough to support a healthy eco-system of competition and innovation. So the innovation opportunity is to abandon the proprietary product model, develop new election technology in a public benefits project, and work directly with election officials to determine their actual needs.
O’Reilly: So what is the TrustTheVote Project, and how does that relate to the Foundation?
Miller: The Open Source Digital Voting Foundation is the enabling 501.c.3 public benefits corporation that funds and manages projects to develop innovative, publicly owned open source elections and voting technology. The TrustTheVote Project is the flagship effort of the Foundation to design and develop an entirely new ballot eco-system.
What we’re making is an elections technology framework built on breakthrough innovations in elections administration and management and ballot casting and counting that can restore trust in how America votes. Our design goal is to truly deliver on the four legs of integrity in elections: accuracy, transparency, trust, and security.
The reason we’re doing this is simple: this is the stuff of critical democracy infrastructure – something far too much of a public asset to privatize. We need to deliver what the market has so far failed to deliver. And we want to re-invent that industry – based on a new category of entrants – systems integrators who can take the open source framework, integrate it with qualified commodity hardware, and stand it up for counties and elections jurisdictions across the country.
We’re doing this with a small full time team of very senior technologists and technology business executives, as well as contractors, academia, and volunteer developers.
We’re 4 years into an 8 year undertaking – we believe the full framework will be complete and should be achieving widespread adoption, adaptation, and deployment by the close of 2016 – done right it can impact the national election cycle that year. That said, we’re under some real pressure to expedite this because it turns out that a large number of jurisdictions will be looking to replace their current proprietary systems over the next 4 years as well.
O’Reilly: How can open source really improve the voting system?
Miller: Well, open source is not a panacea, but we think it’s an important enabler to any solution for the problems of innovation, transparency, and cost that burden today’s elections. Innovation is enabled by the departure from the proprietary product model, including the use of open-source licensing of software developed in a public benefits project. Transparency, or open-government features and capabilities of voting systems are largely absent and require innovation that the current market does not support. Cost reduction can be enabled by an open-source-based delivery model in which procurements allow system integrators to compete for delivery of license-free voting systems, coupled with technical support that lacks the vendor lock-in of current procurements. Open source software doesn't guarantee any of these benefits, but it does enable them.
I should point out too, that one of our deepest commitments is to elections verification and auditability (sic). And our framework, based on an open standards common data format utilizing a markup language extension to XML called EML is the foundation on which we can deliver that. Likewise, I should point out our framework is predicated on a durable paper ballot of record… although we haven’t talked about the pieces of the framework yet.
O’Reilly: Well our time is limited, but you must know I can’t resist this last question, which is probably controversial but our audience is really curious about. Will online voting ever be viable?
Miller: Well, to be intellectually honest, there are two parts to that loaded question. Let me leave my personal opinion and the position of the Foundation out of it at first, so I just address the question in a sterile light.
First, online voting is already viable in other countries that have these 3 policy features: a national ID system, uniform standards for nationwide elections, and have previously encouraged remote voting by mail rather than in-person voting. These countries also fund the sophisticated centralized IT infrastructure required for online voting, and have accepted the risks of malware and other Internet threats as acceptable parts of nationwide online voting. For a similar approach to be viable in the U.S., those same 3 policy features would likely require some huge political innovations, at the 50-plus state level, if not the Federal level. There really isn’t the political stomach for any of that and particularly national ID although arguably we already have it, or creating national elections and voting standards, let alone building a national elections system infrastructure. In fact, the National Association of State Secretaries recently passed – actually re-upped an earlier resolution to work to sunset the Federal Elections Assistance Commission. In other words, there is a real Federalist sense about elections. So, on this first point of socio-political requirements alone I don’t see it viable any time soon.
But letting our opinion slip into this, the Foundation believes there is a more important barrier from a technical standpoint. There are flat out technical barriers that have to be cleared involving critical security and privacy issues on the edge and at the core of a packet-switched based solution. Furthermore, to build the kind of hardened data center required to transact voting data is far beyond the financial reach of the vast majority of jurisdictions in the country. Another really important point is that online elections are difficult if not impossible to audit or verify. And finally, there is a current lack of sophisticated IT resources in most of the thousands of local elections offices that run elections in the U.S.
So, while elections remain a fundamentally local operation for the foreseeable future, and while funding for elections remains at current levels, and until the technical problems of security and privacy are resolved, nationwide online voting seems unlikely in the U.S.
That said, we should be mindful that the Internet cloud has darkened the doorstep of nearly every aspect of society as we’ve moved from the 2nd age of industrialism to the 3rd age of digitalism. And it seems a bit foolish to assume that the Internet will not impact the conduct of elections in years to come. We know there is a generation out there now who is maturing having never known any way to communicate, find information, shop, or anything other than online. Their phones exist in an always-on society and they expect to be able to do everything they need to interact with their government online. Whether that’s a reasonable expectation I don’t think is the issue.
But I think it will be important for someone to figure out what’s possible in the future – we can’t run and hide from it, but I believe we’re nowhere near being able to securely and verifiably use the Net for elections. There is some very limited use in military and overseas settings, but it needs to be restricted to venues like that until the integrity issues can be ironed out.
So, we’re not supporters of widespread use of the Internet for voting and we don’t believe it will be viable in the near future on a widespread basis. And honestly, we have too much to do in just improving upon ballot casting and counting devices in a polling place setting to spend too many cycles thinking about how to do this across the Internet.
(Part 2 of 2: What's My Ballot?)
Today, I'm continuing on from a recent post, which compared my in-person voting experience with one method of Internet-based voting: return of marked ballots by fax or email. Next up is a similar comparison with another form of Internet-based voting: Internet voting from home using a PC's Web browser.
Let's briefly recall the result at the end of the day in my polling place:
1. Some paper ballots in a ballot box.
2. Some digital vote totals in a computer, and a set of paper rolls that provide a ballot-like paper trail of each voter's activity that led to those vote totals. The paper trails can be used to check the correctness of the digital vote totals.
Let's also recall the result at the end of the day with email ballot return:
1. Some printed versions of faxed/emailed ballots, which are treated as ballots for counting purposes.
While we're at it, let's recall the results of the old lever machines too:
1. Some mechanical vote totals in one or more machines.
2. A hand-recorded paper transcription of the "odometer" readings. (Those machines were a lot harder to move than a computer is! So the transcriptions were the basis for vote totals.)
Now, on to home-based Web i-voting. Before doing the end-of-the-day comparison, let's start with what the experience looks like -- fundamentally, it's Web pages. You point your browser to a Web site; you type in your voter identification, a bit like the in-person poll-book signing experience; and then you get your ballot: one or more Web pages. Various Internet voting products and services differ, but they are all fundamentally similar to something that I bet many readers have seen already: online surveys. Take a look at this simple election-like survey about music in Cuyahoga County. The web page looks like a simple ballot, with contests for vocalist and guitarist instead of governor and dog-catcher. There are candidates, and you vote by selecting one with a mouse click on a radio button next to the name of your favorite.
So far, so familiar, but when I press that submit button, what happens? Where's my ballot? Let's take it step by step.
- The submit button is part of an HTML form, which is part of the Web page. (You can see the HTML form if you "View Page Source" in your browser.)
- Pressing the button tells your browser to collect up the form's data, which might include Rachel Roberts for Vocalist if you had clicked the radio button next to Rachel.
- These parts of the form's data are something that in election lingo you might call a "vote" (or "contest selection," to be precise).
- The HTML form data, including the vote-oid data, is sent from your browser to the Web server via an HTTP POST operation.
- The HTTP transaction is typically via an encrypted SSL session, to preserve privacy en route over the Internet.
- The Web server passes the POST parameters to some election-specific Web application software, which interprets the data as votes, and stores the vote data in a database.
Now, let's be specific about that database stuff. In surveymonkey, there is a database record for each Cleveland Music survey response, and it's possible (if the survey was set up that way) that the record also includes some information about the person who responded. In actual government voting, though, of course we don't want that. So even though the i-voting server has a database of voters, and even though you had to log in to the i-voting server, and even though you were only allowed to vote if the voter record said you were allowed to vote, still your vote data shouldn't be stored with your voter record. So, the vote data is supposed to be anonymously and separately stored, becoming part of vote totals for each candidate in each contest.
Can you say "odometer"? Okay, maybe it's not that obvious, so let me juxtapose a couple images. As I recounted earlier, a much younger me is standing in the voting booth of a lever machine, looking at a big bank of little switches next to candidate names, and thinking that is the ballot. Then the big lever is pulled, the little switches flip back, and it's like the ballot just evaporated! Though of course I was told that the counter dials in the back of the machine did tick over like the odometer on a car, recording each vote. The votes were stored on the odometers, but the ballot was gone without a trace. Now shift the scene to my first surveymonkey experience. I clicked some radio buttons, clicked submit, and poof! what I thought was a ballot just disappeared. I'm told that the counters in a database somewhere ticked over to record my "votes." Again, votes were supposedly recorded, but there wasn't really ever a durable ballot. Home-based web client-server Internet voting is just like that, regardless of varying technical implementation details. There's no durable ballot document.
So, at the end of the day, we have stored vote totals in a database of a system that also logged the voter logins. At that point I don't have an answer to "What's the ballot" any more than I do for lever machines or the early paper-trail-less DREs. Unlike the (much-more-insecure) email ballot delivery, we don't really know what or where the ballots are. Recalling my experience in the Middlefield Road fire house, the vote data is similarly stored as bits on a computer, but!!! there is also the paper trail. That paper trail can be used to audit the system and detect errors and fraud, and serves as the durable record of the vote -- almost a ballot, except for being on flimsy paper with some ballot information left out. But with i-voting, there is nothing even similar. Any kind of auditing that's done, is done using data saved on the server computers, rather than looking at a ballot document that the voter also saw.
Is that so terrible? Maybe so, maybe not. A durable ballot is not a holy requirement for U.S. elections -- though in some parts of the country it almost is. And a durable ballot may not be a requirement for a voting system that is specifically and only for timely assistance of overseas and military voters. Such requirements are a matter of local election law and decisions of local election officials. But my critical observation here is about voter trust. Trust derives in large measure from comprehension. And for many voters, a voting system is comprehensible if the voter knows what the ballot is, where it goes, and what happens to it. That's why overseas voters like fax and email return. Despite the security and anonymity problems, the voter understands that ballot, how it pops out of the fax/printer on the other side of the planet, and how it's counted as a paper ballot. The same can't be said for paperless home-based i-voting. As a consequence, I think that it will be harder to build trust, at least in some parts of the country that are paper-centric. However, it may be less of a big deal if limited to overseas and military voters, whose main concern is "get the ballot home in time to be counted." The pilots are happening, and time will tell.
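The submit-to-database flow and the audit contrast described above, as an added example that is not part of the original post: a toy server stores only counters and a login log, so a simulated recording fault passes the one check server data allows but is caught by recounting durable records. The class and function names, voter IDs, and every candidate other than Rachel Roberts are constructed for illustration.

```python
from collections import Counter
from urllib.parse import parse_qs, urlencode


class IVotingServer:
    """Toy i-voting server: voter records and vote counters are kept apart."""

    def __init__(self, voter_roll):
        self.voters = {vid: {"voted": False} for vid in voter_roll}
        self.login_log = []     # who voted, never what they selected
        self.tally = Counter()  # (contest, candidate) -> count: the "odometer"

    def handle_post(self, voter_id, body):
        """Interpret a form-encoded POST body as contest selections."""
        record = self.voters.get(voter_id)
        if record is None or record["voted"]:
            return False        # unknown voter or second attempt
        self.login_log.append(voter_id)
        for contest, values in parse_qs(body).items():
            # A radio-button group submits exactly one value per contest;
            # anything else is ignored as malformed.
            if len(values) == 1:
                self.tally[(contest, values[0])] += 1
        record["voted"] = True
        # The selections are now only increments in self.tally.
        # No per-ballot document is retained anywhere.
        return True


def server_side_audit(server):
    """The only consistency check server data supports:
    no contest has more votes than there are voters marked as having voted."""
    voted = sum(1 for r in server.voters.values() if r["voted"])
    per_contest = Counter()
    for (contest, _candidate), count in server.tally.items():
        per_contest[contest] += count
    return all(count <= voted for count in per_contest.values())


def paper_trail_audit(digital_tally, paper_records):
    """Recount from durable records the voters saw; return every
    (contest, candidate) whose digital count differs, as (digital, paper)."""
    recount = Counter()
    for ballot in paper_records:
        for contest, candidate in ballot.items():
            recount[(contest, candidate)] += 1
    keys = set(recount) | set(digital_tally)
    return {k: (digital_tally.get(k, 0), recount.get(k, 0))
            for k in keys if digital_tally.get(k, 0) != recount.get(k, 0)}


def demo():
    # Constructed sample ballots: what each voter saw and selected.
    ballots = {
        "V1": {"vocalist": "Rachel Roberts", "guitarist": "Lee Park"},
        "V2": {"vocalist": "Rachel Roberts", "guitarist": "Lee Park"},
        "V3": {"vocalist": "Dana Cole", "guitarist": "Lee Park"},
    }
    server = IVotingServer(ballots)
    for voter_id, selections in ballots.items():
        server.handle_post(voter_id, urlencode(selections))

    # Simulated recording fault: one vocalist vote lands on the wrong counter.
    server.tally[("vocalist", "Rachel Roberts")] -= 1
    server.tally[("vocalist", "Dana Cole")] += 1

    # Server data alone cannot see the fault; a paper trail can.
    return server_side_audit(server), paper_trail_audit(
        server.tally, list(ballots.values()))


if __name__ == "__main__":
    ok, differences = demo()
    print("server-side audit passes:", ok)
    print("paper-trail differences:", differences)
```

The paper records in `demo()` stand in for the polling-place paper trail; in the home-based model no such list exists, which is why only `server_side_audit` would be available.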
I was very encouraged by recent election news from Ohio's Cuyahoga County, reported in the Cleveland Plain Dealer newspaper: Reason for election machine glitch found, officials expect things to be OK for the primary. At first blush, it might seem like bad news:
All told, 89 of the Cuyahoga County Board of Elections' 1,200 machines powered down and then froze during a specific test done to ensure the optical scanners were reading paper ballots correctly.
But as the Plain Dealer's Joan Mazzoli said in her folksy headline, the point is that the Cuyahoga BOE disclosed to the public exactly the problems that they encountered, the scope of the problems, and the possible effect on the election that will be conducted with machines that they tested. In fact BOE director Jane Platten explained the specific error logging procedures that they will use to audit the election, to make sure that no votes are lost even if the machines malfunction during the election. As Mazzoli quoted Platten:
We want to ensure everyone's votes are counted.
Of course that is every election official's goal, but this news is about a bit more: making sure that everyone's votes are counted, and "making sure" in a way that the voters can see and believe in despite known problems with the election technology being used. That is what I call helping people Trust the Vote, and for that I say - Kudos to Cuyahoga!
[Today's guest post is from election technology expert Doug Jones, who is now revealed as also being an encyclopedia of U.S. elections history. Doug's remarks below were in a discussion about how to effectively use post-election ballot-count audits as a means to gain trust in the correct operation of voting machines -- particularly timely, given the news and comment about hacking India's voting machines. Doug pointed out that in the U.S., we've had similar voting-machine trust issues for many years. -- ejs]
Lever machines have always (as used in the US) contained one feature intended for auditing: The public and protective counters, used to record the total number of activations of the machine. Thus, they are slightly auditable. They are less auditable than DRE machines built to 1990 standards because they retain nothing comparable to an event log and because they do not explicitly count undervotes -- allowing election officials to claim, post election, that the reason Sam got no votes was because people abstained rather than vote for him. (Where in fact, there might have been a bit of pencil lead jammed in the counters to prevent votes for Sam from registering).
One of the best legal opinions about mechanical voting machines was a dissenting opinion by Horatio Rogers, a Rhode Island supreme court judge, in 1897. He was writing about the McTammany voting machine, one that recorded votes by punching holes in a paper tape out of view of the voter. I quote:
It is common knowledge that human machines and mechanisms get out of order and fail to work, in all sorts of unforseen ways. Ordinarily the person using a machine can see a result. Thus, a bank clerk, performing a check with figures, sees the holes; an officer of the law, using a gibbet by pressing a button, sees the result accomplished that he sought; and so on ad infinitum. But a voter on this voting machine has no knowledge through his senses that he has accomplished a result. The most that can be said is, if the machine worked as intended, then he has made his holes and voted. It does not seem to me that this is enough.
I think Horatio Rogers' opinion applies equally to the majority of mechanical and DRE machines that have been built in the century since he published it.
-- Doug Jones
Mandatory disclaimer: The opinions expressed above are mine! The various institutions with which I am affiliated don't necessarily agree. These include the U of Iowa, and the EAC TGDC. - dj
Tomorrow night starting at 4:30PM the San Francisco Voting Systems Task Force is holding a Public Hearing to intake testimony and public comment on its draft prospective recommendations topics. [Disclosure: I am a member of this Task Force, appointed by the S.F. City & County Board of Supervisors.] We encourage everyone who can make it to attend and give us your input on these draft proposed recommendations. This is an early stage document and does not represent any final recommendations of the VSTF. The Agenda and description can be found here. The location of the meeting is:
1 Dr. Carlton B. Goodlett Place, Room 34 Lower Level San Francisco, California
If you can't make it in person, no worries as we're accepting written input through the 24th of February, which you can submit digitally if you wish to: email@example.com or by U.S. Mails (address details on site here).
For those interested in some details; I submitted a letter to the Task Force Chair with some comments of my own on our Draft recommendations under consideration document, and you may wish to have a look at them here.
Gregory Miller of the OSDV Foundation will provide testimony during State of California Hearings on Future of Elections Systems next Monday, February 8th. CA Secretary of State Debra Bowen requested elections and voting systems experts from around the country to attend and testify, and answer questions about the current election administration landscape and how California can best prepare for the future. The Secretary noted in a prepared statement:
Demands for increased transparency and services, shrinking government budgets, and technological advances that outpace elections laws and regulations have combined to challenge what many thought were ‘permanent’ solutions developed as part of the 2002 Help America Vote Act. Many in California and across the nation are ready to move in a new direction. The question is, what should Californians seek in the next generation of voting equipment and how can new products truly serve the interests of voters?
Secretary Bowen will preside over the Hearing, joined by county elections executives from Los Angeles, Orange, Sacramento, San Joaquin, Santa Cruz and Madera counties. In addition to the testimony from OSDV, wide-ranging testimony will come from the U.S. Election Assistance Commission, Pew Center on States, the Federal Voting Assistance Program, representatives from every major voting system manufacturer with contracts in California, and more. The complete agenda is available here.
California has a strong record of thoughtful analysis of its voting systems. In 2007, Secretary Bowen led a top-to-bottom review of certified voting systems. Bowen asserted from the outset that the review:
Ensure that California’s voters cast their ballots on voting systems that are secure, accurate, reliable, and accessible.
And following the top-to-bottom review, on August 3, 2007, Secretary Bowen strengthened the security requirements and use conditions for certain systems.
So it's no surprise to us that continuing developments in the elections technology industry as well as legislative initiatives are leading the Secretary to conduct this Hearing next Monday. Part of that change is best evidenced by the MOVE Act.
We'll discuss more about the MOVE Act in other posts, but in summary, President Obama signed the Military and Overseas Voter Empowerment (MOVE) Act in October 2009. The most immediate impact of the law from the State perspective has to do with the provision that establishes a 45-day deadline for States to provide ballots to voters. Because Primary results need to be certified and General ballots need to be constructed and conveyed, additional time (beyond 45 days) is required to meet the new federal guideline. And the largest impact on elections technology, processes, and practices comes from two principal provisions of the Act that mandate States shall provide:
- A digital means by which overseas voters can verify and manage their voter registration status; and
- A digital means by which an overseas voter can receive a digital, download ready, blank ballot (think PDF).
Success in implementing these mandates will reduce lost participation of overseas voters; studies have shown that approximately 1 out of every 4 overseas ballots is not counted because it fails to arrive in time.
But if it were only that easy. You see, in 2008, many States changed their Primary dates by several months to allow their voters to more heavily impact the presidential nomination process. And additional moves are likely in 2010 because 11 states and the District of Columbia have Primaries so close to the General Election that ballots may not be produced in time to comply with the new MOVE Act law. California has a very large overseas and military voting contingent, and you can imagine MOVE Act mandates are on the minds of CA elections officials, State legislatures, and the Secretary.
Of equal interest, Los Angeles County, the largest election jurisdiction in the United States, is engaged in a process known as the Voting Systems Assessment Project (VSAP) to determine the design of their next generation voting system.
Serving over 4 million registered voters, the County is examining the ways in which it can modernize its voting systems. Dean Logan, the County Registrar and Ken Bennett, the County IT Director are working to analyze the ways in which technology can ensure their ability to meet operational mandates and better serve their voters. With the VSAP underway (a project the OSDV Foundation is participating in), our "take" is that more (and possibly dramatic) change in elections technology in the great State of California is all but assured.
Stepping back, the current voting technology used in Los Angeles County and elsewhere is provided by private companies; they offer election jurisdictions proprietary technology solutions that need to be certified by the CA Secretary of State. While there is oversight at a State level, and mandates at the Federal level, each jurisdiction must purchase their own technology and do the very important business of conducting elections. Consequently, jurisdictions find themselves in multi-year contracts for technology.
This gives a jurisdiction continuity, but impairs their ability to innovate and collaborate, learning from neighboring or similar jurisdictions elsewhere in the state or country.
With L.A. County -- the largest elections jurisdiction in the nation -- considering the future of elections technology for their voters, the mandates of the MOVE Act implementation bearing down, and the complexities of the largest States' processes and regulations for selection and implementation of elections technology, the Secretary's Hearing next week is of a near essential nature.
So we are honored to be asked to testify next week. And the timing is good. As a means to developing a holistic architecture for next generation systems, one of the imperative elements is a common data format for the exchange of election event data. This is one particular element we're working on right now. In fact, we will shortly be collaborating with a group of States and jurisdictions on the testing of several framework components including: election event management, ballot preparation, and automated generation of printable ballots (watch for this announcement shortly).
Here’s the cool thing: It turns out that all of this work currently underway in the TrustTheVote Project which is leveraging this common data format and some other innovations, provides a ready-made open source freely available solution to implement the mandates of the MOVE Act.
So, we hope that this work will prove to be relevant and purposeful for the Hearings. Our opportunity to testify is timely because we believe our work is in line with the agenda driving the hearing: What do next generation systems look like and how do states like CA comply with Federal mandates? How can we develop quickly to adapt to changing needs on the ground from elections officials, voters, and federal requirements?
We're excited to participate; go Greg!
Stay tuned; more to come. -Matt
I came across an interesting article in Network World, "Open Source: How e-voting should be done", by Paul Venezia of InfoWorld. It's a good survey and review of some of the arguments in favor of Open Source in the management, conducting and tallying of elections, so I recommend reading it. A couple of thoughts. Paul says:
"Another problem of current e-voting systems is that many still in operation provide no paper trail. Americans can't fill up their cars or access their bank accounts from an ATM without being prompted to print a receipt, but in many voting precincts, we can vote with nothing tangible to show for it." (from Open Source: How e-voting should be done)
I have to say that I agree with this (at least for the next few decades.) It seems to me that with all the questions - some more legitimate than others - about election results, we need to preserve a brain-dead-simple way of doing a recount that everyone can understand, and it would seem that a piece of paper that can be re-counted is the way to go. Caveat: I know it's not really brain-dead-simple, and that conducting a recount of paper ballots can be extraordinarily complicated with lots of possible gaps and mistakes.
Paul further says:
"But the key to securing e-voting resides in making its systems open source. [...] It's time for us to make good on the promise of open elections and open our e-voting systems as well -- no black boxes, no intellectual property protections, no obfuscation, and certainly no backdoors. Doing so would require a federal mandate, one that would eliminate the use of closed source devices" (from Open Source: How e-voting should be done)
I (obviously) believe in the open source philosophy, and think it's an important way that we can improve confidence in our elections. But I don't think it's a panacea, or "the key" in any shape or form.
In fact I don't think in terms of 'the key.' There's a lot of room for improvement for sure. But there's also quite a lot more to even the technology side of elections than the software inside an optical scanning device. No doubt it's complex and decentralized (both technically and in the way it is managed, operated and deployed).
Check out the article and let us know your reactions too.
Thanks to erstwhile election texpert Dan Wallach for bringing attention to the burglary of an early voting center in Houston, and to the Houston Chronicle's Chris Moran for coverage of the story including good quotes from Dan! But I have to add that in addition to theft of computers containing voter records, there were also voting machines (Hart InterCivic DRE devices and the central controller for them) that were not stolen, but that the thieves had access to. And as I've pointed out a number of times, it's a shame that these voting systems (Hart and all the others) store vote data on re-writable media, and of course the software is equally modifiable as well. It's one thing to have these fundamentally vulnerable machines in county facilities, or temporarily deployed during Election Day in polling places under the watchful eye of poll workers -- but another to leave them sitting in community center utility rooms overnight, night after night for a couple weeks. The votes (the electronic recording of e-ballots) are just sitting there protected by a lock on the door. But even more importantly, as Dan pointed out to me, the real problem is confidence in the election result. Suppose a contest in this election is close, and someone claims that the election results from this particular precinct are anomalous or suspicious. It would be impractical to prove the negative -- that the machines or the vote data were not tampered with, even though we know there was opportunity for it. Now, don't get me wrong. In this case I doubt that bad guys were trying to sway this election by jiggering a handful of DREs, using special skills to falsify the security seals on the devices, and calling attention to the deed by ripping off some PCs. But because these voting machines are vulnerable in their basic design, incidents like this one can't help but give naysayers the ability to cast doubt on the election results. We can do better -- and will.
But technology aside, I still have questions on the election officials' response to the incident. As Moran reported, yes they will check the security seals (twice!) and will assume that, absent evidence of tampering, these machines are in the same state that they left election HQ, and that the data they recorded was not affected either. But suppose that the thieves banged the machines about a bit, broke a security seal, flaked out a disk drive - or even that someone walked by with a big magnet in their pocket, and scrambled a few bits? The machines would show evidence of tampering or damage, but vote data on them might still be recoverable. Should those votes count in the election result? There is no really good answer - either way, public confidence in the election results is compromised. That can't be prevented 100% by any technology, but here is a novel idea: let's design voting technology so that we purposely avoid having it be the Achilles Heel of public confidence. OK, maybe it's not so novel, but it is what we're doing.
"Finally, the good news – because New York votes on paper, everybody’s vote was counted. When the scanner stopped working, the ballots were removed and counted, so no votes were lost. Paper ballots, a software independent record of the vote, proved their great value in their very first outing in the Empire State. " (from: No Voting Machine Virus in NY-23 Election)
It's an interesting article explaining what actually seemed to have happened in NY-23. I say "seemed" because I am sure there must be other interpretations and explanations, but the one I am citing here rings pretty realistic to me.
One of the main goals of the TrustTheVote Project is to increase voter confidence in election results, by the use of election technology that is substantially more trustworthy and transparent than similar technology in use today. One of the main reasons for the importance of this mission is the experience of some high profile close elections in the last few years. But how frequent are "close elections" really? Speaking for myself, the handful or so of very high profile close elections, taken together, is plenty enough reason for me to work toward those goals. Of course, there are thousands of local elections every election cycle, and many of them are "close" -- or at least close enough (margins low in 3 digits of votes) that voter technology error could have skewed the results.
But I recently learned that the incidence of close elections is much higher than I imagined. The state of New Jersey recently issued a report on close elections in NJ, supplemented by a healthy slug of supporting data. My thanks, again, to the erstwhile Joe Hall for pointing me to it, and for this summary of a single year of close elections in NJ:
In the last year, eight elections were decided by a single vote, and 66 elections had a margin of less than 1%.
Wow! Extrapolate nation-wide, and you've got a substantial portion of the electorate residing in an electoral district with an election close enough to doubt the accuracy of the count. And local elections for local offices are often the ones that have the most local effects for voters. So, for the one third or so of people who polls report as doubtful about correctness of vote counts, I'd say a whole lot of them could conclude (if they knew the type of stats we're seeing from NJ) that at least once in their voting history, an election went the wrong way.
Now, I have no way of assessing the truth of that claim, but it is the belief that is the important part, rather than a guess at likelihood or the importance of the office elected. Putting the one-third poll results together with these stats from NJ, I see a simply un-acceptable degree of un-confidence in our election system to deliver. And where technology is part of those doubts, then I think that TrustTheVote can help. That's true both for more reliable technology, and for cases where increased transparency can increase trust in the process.
That's my motivator for the week!
Last Friday was the anniversary of Dr. Martin Luther King Jr.'s speech in Washington, DC., where so many of us remember him saying "I have a dream." The anniversary caught me by surprise when I noted it in the news, and tugged at me all day: what could Dr. King's words have to say about the work that I do? That afternoon, I walked by San Francisco's Yerba Buena Gardens. There, the Martin Luther King, Jr. Memorial has waterfalls that echo Dr. King saying Isaiah's prophetic words, now inscribed in the magnificent granite by the roaring water:
No, no, we will not be satisfied until 'justice rolls down like waters and righteousness like a mighty stream.'
I knew I wanted to say something about my dream, however geeky, inspired by Dr. King. What could election technology reform possibly have to do with justice rolling down like water? It took me a few days to figure it out. On that hot August day in 1963, immediately before those words of prophecy, Dr. King said:
We cannot be satisfied as long as a Negro in Mississippi cannot vote and a Negro in New York believes he has nothing for which to vote.
I realized that decades after the 1964 Civil Rights Act and the 1965 National Voter Rights Act, despite some real progress, there is still doubt and dismay about these same issues of access to and legitimacy of elections, for all Americans. And worse: technology now clouds these issues further. So, here is my election geek's dream, for which I ask your indulgence if my comparison of Dr. King's dream of literal justice, and my dream of digital righteousness, seems in any way to demean King's words and memory.
I have a dream that one day all election data will be free -- freely available for us to see how elections are conducted. Today's technology has many hills and mountains, rough places and crooked places. These are the unnecessary technical barriers to election IT systems being able to record and publish a wide variety of information, the lack of which today breeds distrust, discord, and even in some cases doubt in the foundation of democracy. I want data freedom to ring out and prove or disprove beliefs that voter registration systems are used to intentionally dis-enfranchise entitled voters, that vote tabulation is done incorrectly, that electoral fraud or voter fraud is real and regular. Here is an example of such data:
- the voter registration (VR) data that defines who is allowed to vote;
- the election management (EM) data that defines where people vote, and what they are allowed to vote on;
- the VR and EM system log data that shows exactly what public servants have been doing with systems that automate the public's business of elections;
- the voting system logs that show which systems operated correctly and reliably;
- the voting systems' ballot and vote data that can allow independent checks for errors in counting votes;
- all the reporting and data mining that could be done with all this data aggregated, in order to present real information, statistics, patterns, and more that would move the policy discussions beyond concerns about what might be happening.
Wow! That is in fact a big list, and "mighty stream" would apply to the mass of data flowing in this dream. Yes, I know that technical barriers are not the only ones, but they're big enough that privacy and other issues are largely moot. And yes, I know that many people, at local and state levels, and Federal agencies like NIST, are working on it. And of course so are we at TrustTheVote.
But this dream of the future is what motivates us to develop the technology and help with the standards that can help us really see what's really going on with the activities of our election officials and NGO activists. I believe that almost all of them are honest and well-meaning, but often it's hard to see. Visibility is part of what's needed to move forward from the present state of discord about election integrity, and the technology that aids or hinders it. Today we really do walk in darkness, in rough places and even (some despair) crooked places, in an election geeks' version of King's "dark and desolate valley" that is un-exalted and unlit by sunshine of vital public data; where that ignorance and desolation breeds discord and distrust. And we can fix it, simply by building sunshine into each new election IT system as it's built. We can and are exalting the valleys, making the crooked straight and rough places plain. And when the data is "free at last" we probably won't be joining hands and singing as in Dr. King's dream, but at least we'll be able to climb out of ignorance and decide for ourselves if the cornerstone of democracy is weak or strong.
So, yes, I have a dream today. And I have Dr. King to thank for lifting it up. And I'll have you readers to thank, if you go and read Dr. King's words with election integrity in mind, the integrity of the system of voting and voting rights that Dr. King and so many others fought and died and still fight for.
And, yes, "we will not be satisfied until" that dream of digital righteousness becomes manifest in "every village and every hamlet, from every state and every city, we will be able to speed up that day when all" our nation's people can begin to really and truly Trust The Vote.
I resisted rushing to the keyboard to post something about Senator Edward Kennedy Tuesday evening, preferring to simply absorb the loss. Having been through a string of family losses myself years ago, I knew well what the remaining members of the Kennedy family surely must have felt.
As a child I recall my Father coming home from work early, and us staring at the TV during lunch break from school as news began pouring from Dallas TX that Friday morning in November 1963. I was only five years old, but knew something really terrible had happened as my Mother openly sobbed on the couch. Then nearly five years later on June 6 1968, it happened again; this time to his brother Bobby. Finally, the passing point -- one we knew was inevitable due to the scourge of cancer -- arrived Tuesday evening for Ted. And there really wasn't much I could add in a blog post, tweet, or anything that would have done the moment any justice. It just needed time to digest.
Today, with some distance from that moment, I simply want to point out that for me personally, Kennedy will always stand for many things good about the dream of democracy, regardless of political stripes.
For our own dream, and the good fight we wage here at the OSDV Foundation and the TrustTheVote Project, I want to point out that Senator Kennedy was a lion for voting rights.
And rather than regurgitate a compilation of his accomplishments, I point you to a posting at the blog of our respected friends of Why Tuesday which does a nice job of recompiling all the efforts Ted did for voting rights.
In closing, perhaps Sen. Kennedy's words are well heeded by us here at the TrustTheVote Project:
For all those whose cares have been our concern, the work goes on, the cause endures, the hope still lives, and the dream shall never die.
Some readers may sigh relief at the news that today's post is the last (for a while at least!) in a series about the use of vote-count auditing methods to detect a situation in which an election result was garbled by the computers used to create it. Today, a little reality check on the use of the risk-limiting audit methods described earlier. As audit guru Mark Lindeman says,
Risk-limiting audits clearly have some valuable properties, yet no state has ever implemented a risk-limiting audit.
Why not? Despite the rapid development of RLA methods (take a quick glance at this paper to get a flavor), there are several obstacles, including:
- Basic mis-conceptions: Nothing short of a full re-count will ever prove the absence of a machine count error. Instead, the goal of RLA is to reduce risk that machine count errors altered the outcome of any contest in a given election. Election result correctness is the goal, not machine operations correctness -- yet the common mis-perception is often the reverse.
- Requirements for election audits must be part of state election laws or regulation that implements them. Details of audit methods are technical, and difficult to write into law -- and detailed enough that it is perhaps unwise to enshrine in law rather than regulation. Hence, there is some tension and confusion about the respective roles of states' legislative and executive branches.
- Funding is required. Local election officials have to do the work of audits of any kind, and need funding to do so. A standard flat-percent audit is easier for a state to know how to fund, rather than a variable-effort RLA that depends on election margins and voter turnout.
- The variability itself is a confusing factor, because you can't know in advance how large an audit will have to be. This fact creates confusion or resistance among policy-makers and under-funded election officials.
- Election tabulation systems often do not provide timely (or any) access to the data needed to implement these audits efficiently. These systems simply weren't designed to help election officials do audits -- and hence are another variable cost factor.
- Absentee and early-voting ballots sometimes pose large logistical challenges.
- Smaller contests are harder to audit to low risk levels, so someone must decide how to allocate resources across various kinds of contests.
As Lindeman points out, each of these problems is tractable, and real progress in RLA practice can be made without a solution to all of these problems. And in my view, one of the best ways to help would be to greatly increase transparency, including both the operations of the voting systems (not just the tabulation components!), and of the auditing process itself. Then we could at least determine which contests in an election are most at risk even after the audits that election officials are able to conduct at present. Perhaps that would also enable experts like Lindeman to conduct unofficial audits, to demonstrate effectiveness and help indicate efforts and costs for official use of RLA.
And dare I say it, we might even enable ordinary citizens to form their own judgement of an individual contest in an election, based on real published facts about total number of ballots cast in a county, total number of votes in the contest, margins in the contest, total number of precincts, precincts officially audited, and (crank a statistics engine) the actual confidence level in the election result, whether the official audit was too little, too much, or just right. That may sound ambitious, and maybe it is, but that's what we're aiming for with operational transparency of the voting system components of the TTV System, and in particular with the TTV Auditor -- currently a gleam in the eye, but picking up steam with efforts from NIST and OASIS on standard data formats for election audit data.
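The "crank a statistics engine" step above, and the margin-dependent audit size listed among the obstacles, worked through as an added example (not TrustTheVote or TTV Auditor code). It computes the detection confidence of a fixed-size precinct audit rather than running a full RLA procedure. Assumptions: precincts are sampled uniformly at random, hand-counting a miscounted precinct always exposes the miscount, no precinct can shift more than 20% of its votes, and the county data is constructed.

```python
from math import comb

def min_corrupt_precincts(precinct_votes, margin_votes, max_shift=0.20):
    """Fewest precincts whose miscount could erase the reported margin.

    Moving a fraction `max_shift` of a precinct's votes from the winner to the
    loser changes the margin by twice that many votes. Taking the largest
    precincts first gives the worst case for the auditor.
    """
    remaining = margin_votes
    ordered = sorted(precinct_votes, reverse=True)
    for count, votes in enumerate(ordered, start=1):
        remaining -= 2 * max_shift * votes
        if remaining <= 0:
            return count
    return None  # the margin cannot be erased under this bound

def detection_probability(total, corrupt, audited):
    """Chance that a uniform random sample of `audited` precincts, drawn
    without replacement, contains at least one of `corrupt` bad precincts."""
    return 1 - comb(total - corrupt, audited) / comb(total, audited)

def sample_size(total, corrupt, risk):
    """Smallest audit size whose chance of missing every bad precinct <= risk."""
    for audited in range(total + 1):
        if 1 - detection_probability(total, corrupt, audited) <= risk:
            return audited

# Constructed county: 100 precincts of 1,000 votes each, audited at a flat 3%.
PRECINCTS = [1000] * 100

def report(margin_votes, audited=3, risk=0.10):
    """Return (bad precincts needed, audit confidence, precincts for 1 - risk)."""
    corrupt = min_corrupt_precincts(PRECINCTS, margin_votes)
    return (corrupt,
            round(detection_probability(len(PRECINCTS), corrupt, audited), 4),
            sample_size(len(PRECINCTS), corrupt, risk))

if __name__ == "__main__":
    for label, margin in (("1% margin", 1000), ("20% margin", 20000)):
        corrupt, confidence, needed = report(margin)
        print(f"{label}: {corrupt} precincts could erase it; 3% audit gives "
              f"{confidence:.1%} confidence; 90% confidence needs {needed}")
```

On this constructed county the same flat 3% audit gives about 88% confidence for the 20% margin but under 9% for the 1% margin, where 90% confidence would take 54 precincts instead of 4.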