Jump to content

DRE voting machine: Difference between revisions

Add links
From Wikipedia, the free encyclopedia
Browse history interactively
← Previous editNext edit →
Content deleted Content added
VisualWikitext
Taintain (talk | contribs)
496 edits
Undid merge from DRE voting machine, see discussion
Taintain (talk | contribs)
496 edits
more merge
Line 6: Line 6:


==Security and Concerns==
==Security and Concerns==
Critics{{weasel-name}} of DRE Machines claim that there is an increased risk of [[electoral fraud]] and if the security of the DRE [[software]] is compromised, election results could be tampered with in an undetectable fashion. Other critics charge that foreign [[hardware]] could be inserted into the machine, using a [[man in the middle attack]] technique, and call for DRE machines to be physically sealed.<ref>[http://www.wijvertrouwenstemcomputersniet.nl/images/9/91/Es3b-en.pdf Nedap/Groenendaal ES3B voting computer a security analysis (chapter 7.1)]</ref> These claims are countered by the position that review and testing procedures can detect fraudulent code or hardware, if such things are present, and that a thorough, verifiable [[chain of custody]] would prevent the insertion of such hardware or software. Concerns like these have prompted the use of [[Voter Verified Paper Audit Trail]]. However these measures are often not or not properly taken.<ref> [http://arstechnica.com/news.ars/post/20061101-8131.html Jon Stokes, ars technica 2006] </ref> Another method to detect fraudulent voting machines are parallel test elections which are conducted on the election day with randomly picked machines. (The [[Association for Computing Machinery|ACM]] published a study showing that, to change the outcome of the 2000 U.S. Presidential election, only 2 votes in each precinct would have needed to been changed.<ref>Di Franco, A., Petro, A., Shear, E., and Vladimirov, V. 2004. Small vote manipulations can swing elections. Commun. ACM 47, 10 (Oct. 2004), 43-45. DOI= http://doi.acm.org/10.1145/1022594.1022621 </ref>)
Critics of DRE Machines claim that there is an increased risk of [[electoral fraud]] and if the security of the DRE [[software]] is compromised, election results could be tampered with in an undetectable fashion.<ref>[http://www.notablesoftware.com/evote.html Rebecca Mercuri, Ph.D. on Electronic Voting]</ref><ref>[http://www.blackboxvoting.org/presskit.html#hack Blackboxvoting]</ref><ref>[http://www.schneier.com/blog/archives/2004/11/the_problem_wit.html Bruce Schneier: The Problem with Electronic Voting Machines, November 2004]</ref> This claim is countered by the position that review and testing procedures can detect fraudulent code, if such things are present, and that a thorough, verifiable [[chain of custody]] would prevent the insertion of such software.
Other critics charge that foreign [[hardware]] could be inserted into the machine, using a [[man in the middle attack]] technique, and call for DRE machines to be physically sealed.<ref>[http://www.wijvertrouwenstemcomputersniet.nl/images/9/91/Es3b-en.pdf Nedap/Groenendaal ES3B voting computer a security analysis (chapter 7.1)]</ref> These claims are countered by the position that review and testing procedures can detect fraudulent code or hardware, if such things are present, and that a thorough, verifiable [[chain of custody]] would prevent the insertion of such hardware or software. Concerns like these have prompted the use of [[Voter Verified Paper Audit Trail]]. However these measures are often not or not properly taken.<ref> [http://arstechnica.com/news.ars/post/20061101-8131.html Jon Stokes, ars technica 2006] </ref> Another method to detect fraudulent voting machines are parallel test elections which are conducted on the election day with randomly picked machines. (The [[Association for Computing Machinery|ACM]] published a study showing that, to change the outcome of the 2000 U.S. Presidential election, only 2 votes in each precinct would have needed to been changed.<ref>Di Franco, A., Petro, A., Shear, E., and Vladimirov, V. 2004. Small vote manipulations can swing elections. Commun. ACM 47, 10 (Oct. 2004), 43-45. DOI= http://doi.acm.org/10.1145/1022594.1022621 </ref>)


A workgroup of the [[National Institute of Standards and Technology]] (NIST) stated in a discussion draft, "''Simply put, the DRE architecture’s inability to provide for independent audits of its electronic records makes it a poor choice for an environment in which detecting errors and fraud is important.''"<ref>[http://vote.nist.gov/DraftWhitePaperOnSIinVVSG2007-20061120.pdf Requiring Software Independence in VVSG 2007: STS Recommendations for the TGDC]</ref> The report does not represent the official position of NIST, and misinterpretations of the report has led NIST to explain that "''Some statements in the report have been misinterpreted. The draft report includes statements from election officials, voting system vendors, computer scientists and other experts in the field about what is potentially possible in terms of attacks on DREs. However, these statements are not report conclusions.''"<ref>[http://www.nist.gov/public_affairs/factsheet/draftvotingreport.htm R Questions and Answers on the Draft Report: "Requiring Software Independence in VVSG 2007: STS Recommendations for the TGDC"]</ref>
A workgroup of the [[National Institute of Standards and Technology]] (NIST) stated in a discussion draft, "''Simply put, the DRE architecture’s inability to provide for independent audits of its electronic records makes it a poor choice for an environment in which detecting errors and fraud is important.''"<ref>[http://vote.nist.gov/DraftWhitePaperOnSIinVVSG2007-20061120.pdf Requiring Software Independence in VVSG 2007: STS Recommendations for the TGDC]</ref> The report does not represent the official position of NIST, and misinterpretations of the report has led NIST to explain that "''Some statements in the report have been misinterpreted. The draft report includes statements from election officials, voting system vendors, computer scientists and other experts in the field about what is potentially possible in terms of attacks on DREs. However, these statements are not report conclusions.''"<ref>[http://www.nist.gov/public_affairs/factsheet/draftvotingreport.htm R Questions and Answers on the Draft Report: "Requiring Software Independence in VVSG 2007: STS Recommendations for the TGDC"]</ref>
Line 18: Line 20:


===Auditing and VVAT===
===Auditing and VVAT===
{{See also|Voter Verified Paper Audit Trail}}

A fundamental challenge with any [[voting machine]] is assuring the votes were recorded as cast and tabulated as recorded. Because there is no tangible ballot and the voter cannot check the computers memory by themselves, [[Voting_machine#Non-document_ballot_voting_system|Non-document ballot voting system]] can have a greater burden of proof, and are even referred to as [[Black Box Voting]] machines by critics. This is often solved with an independent audit-able system that can also be used in recounts. These systems can include the ability for voters to verify how their votes were cast, or further to verify how their votes were tabulated.
A fundamental challenge with any [[voting machine]] is assuring the votes were recorded as cast and tabulated as recorded. Because there is no tangible ballot and the voter cannot check the computers memory by themselves, [[Voting_machine#Non-document_ballot_voting_system|Non-document ballot voting system]] can have a greater burden of proof, and are even referred to as [[Black Box Voting]] machines by critics. This is often solved with an independent audit-able system that can also be used in recounts. These systems can include the ability for voters to verify how their votes were cast, or further to verify how their votes were tabulated.


Line 31: Line 35:


To successfully audit any voting machine a strict [[chain of custody]] is required.
To successfully audit any voting machine a strict [[chain of custody]] is required.

{{See also|Voter Verified Paper Audit Trail}}

===Public Source Code===
Security experts, such as [[Bruce Schneier]], have demanded that voting machine [[source code]] should be publicly available for inspection.<ref>[http://www.schneier.com/blog/archives/2004/11/the_problem_wit.html The Problem with Electronic Voting Machines]</ref> Others have also suggested publishing voting machine software under an [[free software license]] like it is done in [[Australia]].<ref>[http://www.elections.act.gov.au/Elecvote.html The electronic voting and counting system]</ref> Publicly reviewable [[source code]] would not in itself be enough to determine if the code running on the machine differs from the original inspected code. The [[operating system]], [[BIOS]], [[firmware]] and other [[computer chips|hardware]] can also be used to hide malicious code and need to be inspected. In Australia the software used is open source, but the other sources of error have caused the government to insist on a voter verifiable paper ballot.


==Benefits of DRE voting machines==
==Benefits of DRE voting machines==

Revision as of 11:17, 10 November 2007

File:Urna eletrônica.jpeg
Direct recording voting machine developed in Brazil and used in 100% of Brazilian elections
Part of a series on
Election technology
Technology
Terminology
Testing
Manufacturers
Related aspects

A direct-recording electronic (DRE) voting machine records votes by means of a ballot display provided with mechanical or electro-optical components that can be activated by the voter (typically buttons or a touchscreen); that processes data by means of a computer program; and that records voting data and ballot images in memory components. After the election it produces a tabulation of the voting data stored in a removable memory component and as printed copy. The system may also provide a means for transmitting individual ballots or vote totals to a central location for consolidating and reporting results from precincts at the central location.

In 2004, 28.9% of the registered voters in the United States used some type of direct recording electronic voting system, up from 7.7% in 1996.

Security and Concerns

Critics of DRE Machines claim that there is an increased risk of electoral fraud and if the security of the DRE software is compromised, election results could be tampered with in an undetectable fashion.[1][2][3] This claim is countered by the position that review and testing procedures can detect fraudulent code, if such things are present, and that a thorough, verifiable chain of custody would prevent the insertion of such software.

Other critics charge that foreign hardware could be inserted into the machine, using a man in the middle attack technique, and call for DRE machines to be physically sealed.[4] These claims are countered by the position that review and testing procedures can detect fraudulent code or hardware, if such things are present, and that a thorough, verifiable chain of custody would prevent the insertion of such hardware or software. Concerns like these have prompted the use of Voter Verified Paper Audit Trail. However these measures are often not or not properly taken.[5] Another method to detect fraudulent voting machines are parallel test elections which are conducted on the election day with randomly picked machines. (The ACM published a study showing that, to change the outcome of the 2000 U.S. Presidential election, only 2 votes in each precinct would have needed to been changed.[6])

A workgroup of the National Institute of Standards and Technology (NIST) stated in a discussion draft, "Simply put, the DRE architecture’s inability to provide for independent audits of its electronic records makes it a poor choice for an environment in which detecting errors and fraud is important."[7] The report does not represent the official position of NIST, and misinterpretations of the report has led NIST to explain that "Some statements in the report have been misinterpreted. The draft report includes statements from election officials, voting system vendors, computer scientists and other experts in the field about what is potentially possible in terms of attacks on DREs. However, these statements are not report conclusions."[8]

Demonstrated Laboratory Attacks

See also: 2004 U.S. presidential election controversy and irregularities

Auditing and VVAT

See also: Voter Verified Paper Audit Trail

A fundamental challenge with any voting machine is assuring the votes were recorded as cast and tabulated as recorded. Because there is no tangible ballot and the voter cannot check the computers memory by themselves, Non-document ballot voting system can have a greater burden of proof, and are even referred to as Black Box Voting machines by critics. This is often solved with an independent audit-able system that can also be used in recounts. These systems can include the ability for voters to verify how their votes were cast, or further to verify how their votes were tabulated.

Systems that allows the voter to prove how they voted have not been used in U.S. public elections, and are prohibited by most state constitutions. Voter intimidation and vote selling are the chief concerns that have led to prohibition of receipts.

This is a Diebold Election Systems, Inc. model AccuVote-TSx DRE voting machine with VVPAT attachment.

Various technologies can be used to assure voters that their vote was cast correctly, detect possible fraud or malfunction, and to provide a means to audit the original machine. Some systems include technologies such as cryptography (visual or mathematical), paper (kept by the voter or only verified), audio verification, and dual recording systems (other than with paper).

Dr. Rebecca Mercuri, the creator of the voter verified paper audit trail (VVPAT) concept (as described in her Ph.D. dissertation in October 2000 on the basic voter verifiable ballot system), proposes to answer the audit-ability question by having the voting machine print a paper ballot or other paper facsimile that can be visually verified by the voter before being entered into a secure location. Subsequently, this is sometimes referred to as the "Mercuri method").

An audit system can be used in measured random recounts to detect possible malfunction or fraud. With the VVPAT method, the paper ballot is often treated as the official ballot of record. In this scenario, the ballot is primary and the electronic records are used only for an initial count. In any subsequent recounts or challenges the paper not electronic ballot would be used for tabulation. Whenever a paper record serves as the legal ballot, that system will be subject the same benefits and concerns of any paper ballot system.

To successfully audit any voting machine a strict chain of custody is required.

Benefits of DRE voting machines

A Hart eSlate DRE voting machine with jelly buttons for people with manual dexterity disabilities.

Like all voting machines DRE systems increase the speed of vote counting. They can also incorporate the most broad assistive technologies for the largest classes of handicapped people, allowing them to vote without forfeiting the anonymity of their vote. These machines can use headphones and other adaptive technology to provide the necessary accessibility. DRE's can also provide the most robust form of immediate feedback to the voter detecting such possible problems as undervoting and overvoting which may result in a spoiled ballot. This immediate feedback can be helpful in successfully determining voter intent.

Additionally, with DRE voting systems there is no risk of exhausting the supply of paper ballots, and remove the need for printing of paper ballots, a significant cost.[13] When administering elections in which ballots are offered in multiple languages (in some areas of the United States, public elections are required to by the National Voting Rights Act of 1965), DRE voting systems can be programmed to provide ballots in multiple languages on a single machine. For example, King County, Washington's demographics require them under U.S. federal election law to provide ballot access in Chinese. With any type of paper ballot, the county has to decide how many Chinese-language ballots to print, how many to make available at each polling place, etc. Any strategy that can assure that Chinese-language ballots will be available at all polling places is certain, at the very least, to result in a lot of wasted ballots.

See also

References

  1. ^ Rebecca Mercuri, Ph.D. on Electronic Voting
  2. ^ Blackboxvoting
  3. ^ Bruce Schneier: The Problem with Electronic Voting Machines, November 2004
  4. ^ Nedap/Groenendaal ES3B voting computer a security analysis (chapter 7.1)
  5. ^ Jon Stokes, ars technica 2006
  6. ^ Di Franco, A., Petro, A., Shear, E., and Vladimirov, V. 2004. Small vote manipulations can swing elections. Commun. ACM 47, 10 (Oct. 2004), 43-45. DOI= http://doi.acm.org/10.1145/1022594.1022621
  7. ^ Requiring Software Independence in VVSG 2007: STS Recommendations for the TGDC
  8. ^ R Questions and Answers on the Draft Report: "Requiring Software Independence in VVSG 2007: STS Recommendations for the TGDC"
  9. ^ Security Analysis of the Diebold AccuVote-TS Voting Machine
  10. ^ Nedap/Groenendaal ES3B voting computer, a security analysis
  11. ^ Dutch citizens group cracks Nedap's voting computer
  12. ^ Use of SDU voting computers banned during Dutch general elections (Heise.de, 31. October 2006)
  13. ^ "http://post-journal.com/articles.asp?articleID=6218". The Post-Journal
Retrieved from "https://en.wikipedia.org/w/index.php?title=DRE_voting_machine&oldid=170528532"