Digital Democracy

Topics

Reliability of Critical Technology

Hanging Chads: Gore vs Bush, 2000

  • The 2000 US Presidential election was decided by four counties in Florida.
  • Machine counts showed a margin of just over 300 votes favoring Bush.
  • Gore supporters claimed ballots were undercounted in Gore-favoring areas due to the Votomatic key-punch technology used in those areas.
  • Ballots were rejected for Incomplete key-punches, called hanging chads.
  • Gore supporters argued a manual recount could discern the intended votes and change the outcome.
  • Florida Supreme Court ordered a manual recount.
  • US Supreme Court halted the recount.

Voting Reforms

Al Gore became the first Presidential candidate since 1888 to win the popular vote but lose the election.

These events damaged public confidence in the US electoral process; officials focused blame on the technology.

Accoring to Wikipedia:

A proposed solution to these problems was the installation of modern electronic voting machines. The 2000 presidential election spurred the debate about election and voting reform but did not end it.

In the aftermath of the election, the Help America Vote Act (HAVA) was passed to help states upgrade their election technology in the hopes of preventing similar problems in future elections. But the electronic voting systems that many states purchased to comply with HAVA actually caused problems in the 2004 presidential election.

After 2000, many countries experimented with computerized voting systems, but they were not a perfect solution.

Belgian Federal Election, 2003

  • Belgium votes are by party.

    • A voter can vote for one party,
    • or can choose preferred candidates from a list within the same party.
    • All votes for party’s list decide whether the party wins.

  • In 2003, one individual candidate got more votes than the party list, implying a machine error.

  • Possible explanations:

    • Fraud (poorly executed)
    • Software mistake
    • Electronic fault

  • An audit found no evidence of fraud or programming mistakes, so…

Photo by Lionel Scheepmans via [Wikipedia](https://commons.wikimedia.org/wiki/File:Bulletin_de_vote_communales_2012_Walcourt.JPG).

Electronic Faults

How an Error Affects Digital Information

Candidate Maria received 514 votes. In a computer, this number is split into “bits” which work sort of like an abacus.

Each “bit” is either 0 or 1, but the value of a bit increases with its position.

A bit’s value doubles with each successive position.

In this example, bits are “1” at positions 1 and 9, so we add the corresponding values, 2+512, to get the total 514.

How an Error Affects Digital Information

Suppose an error occurs in a single position – position 12 in the figure – then the total value is altered.

In this case, the vote tally is increased by 4,096, for a total of 4,610.

A single nano-scopic glitch can have major consequences for the system.

American Voting Machines

Direct Recording Electronic (DRE) Voting Machines

DRE machines typically use:

A Diebold voting machine used in 2004.

A WINvote machine used in 2004.

An iVotronic machine with paper receipt.

DRE Problems

A DRE is a computer, so it can have electronic errors like single-event upsets.

Problems specific to DREs:

  • Touch-screen miscalibration (finger is detected in the wrong place).
  • Paper errors (mechanical failure, paper runs out, etc).
  • Programming errors are not uncommon.
  • Privatized design and manufacturing inspire speculative conspiracy theories.
  • Hacking. Several security flaws have been demonstrated.

How Touchscreens Work

For heavily used public interfaces, a resistive touch screen is typically used.

It has two transparent sheets separated by a small gap.

A voltage gradient is applied to the top sheet.

A voltage meter is connected to the back sheet.

When the screen is pressed, the sheets touch. The voltage from the top sheet is measured twice at the back sheet to get the horizontal and vertical position.

Measuring the X (horizontal) position:

Measuring the Y (vertical) position:

Touchscreen Problems

Alignment: the touch sensor is attached over a screen, but they are separate devices. Software calibration is supposed to compensate for the geometry offset between the layers.

Good calibration

Bad calibration

The electrical offset can also drift over time due to:

Some changes can be fixed by periodic re-calibration.

Diebold Conspiracy Theory, 2004

In the Presidential election of 2004, polling data suggested that John Kerry would likely win, yet George W. Bush was elected by a sizeable margin, more than 3 million votes.

Some activists claimed there were irregularities in DRE voting:

  • Conflicts of interest:
    • CEO of Diebold was a Bush fundraiser.
    • Senator Chuck Hagel (a Bush ally) was former chairman of DRE maker ES&S.
  • Data anomalies:
    • Poll analysis appeared to show “excess” Bush votes in counties that used DRE machines.
    • (The discrepancy can be attributed to the polling data, not the vote tally).
  • No paper trail:
    • HAVA requires paper receipts, but the regulation was not yet implemented in 2004.
  • Felon Programmers:
    • A former executive tied to Diebold was convicted of altering records in a computerized accounting system, in an unrelated case.

Princeton DRE Hacking Study, 2006

From the study abstract (emphasis added):

an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities — a voting-machine virus. We have constructed working demonstrations of these attacks in our lab.

While there was no specific evidence that malicious hacking occurred in 2004, these findings further undermined trust in DRE machines and fueled conspiracy speculation into the next election.

Software Errors

Even updated DRE machines have major bug reports.

In a 2019 judge’s race in Northampton PA:

  • ES&S machines tallied just 164 votes for the favored candidate.

  • After a hand count, the vote increased to 26,142, winning the election.

How is this possible?

Human Error

An estimated 30 percent of the Election Systems & Software ExpressVote XL machines were improperly calibrated by the company, leading to “hypersensitivity” problems in registering some voter choices. In addition, problems with the ballot layout – also blamed on the manufacturer – led to problems electronically tabulating votes the night of the election, Nov. 5.

“I want to make clear that this was human error, and ES&S takes full accountability,” Adam Carbullido, ES&S senior vice president of product development, said during a news conference alongside county Executive Lamont McClure at the county courthouse in Easton.

He apologized to the county administration, which recommended to county council the purchase of 320 of the new machines earlier this year to comply with a state mandate to begin creating a paper-ballot trail of votes. The $2.88 million contract includes hardware, software, maintenance and support and firmware licensing.

Optical Scan Voting Machines

Optical scan ballots are widely used in vote-by-mail systems.

Prior to the 2020 election, Utah instituted universal vote-by-mail.

Benefits of Optical Scan Technology:

  • Reduces exposure to hacking.
  • Easy to audit and verify by re-count or hand-count.
  • Equipment is specialized, fewer types of failure.

Drawbacks:

  • Electronic errors: Scanners sometimes mis-read ballots.
  • Human errors: Election workers operate counting equipment incorrectly.
  • Voter failure: Voters mark ballots improperly.
  • Opaque Process: Voters cannot confirm their votes are correctly counted.

In spite of the drawbacks, mail voting is probably the most secure and reliable approach available.

Optical Scan Errors

  • Accidental marks or creases.
  • Printing errors, unreadable bar codes or QR codes.
  • Some inks not detectable by imaging scanner.
  • Votes indicated with check-marks, circles, stars, etc.
  • Ballots mis-aligned in feed mechanism.
  • Ballots fed upside down.
  • Humidity effects (e.g. paper jams, ink smears).
  • Programming errors still occur.

Surge of Conspiracy Theories

Conspiracies, 2000-Present

  • Since 2000, election challenges have become routine.

  • The dubious field of “election forensics” emerged.

  • Conspiracy theories reached an apex in 2020 (we hope).

  • Voting machine errors have always been present, but now…

    • More voters are motivated to look for them,
    • Phones make it easy to document them,
    • Social media makes it easy to broadcast them.

  • So many bug reports would be great, except that people see them as evidence of coordinated wrongdoing.

  • Conspiracy theories have targeted every type of voting process.

    • Self-styled “forensics experts” circulate lengthy documents with inflammatory accusations.
    • Some political groups are exploiting the moment.
    • Recent accusations about Dominion voting machines resemble the 2004 Diebold conspiracy theory, only the parties are switched.

This blog post promotes the Dominion conspiracy theory (it has nothing to do with Utah):

Why are Conspiracy Theories Unlikely?

A classic problem in game theory called The Prisoner’s Dilemma:

Usually someone confesses, gets a personal reward at the expense of all the others.

For an example, see the January 6 Hearings where much of Trump’s own administration testified against him.

Conspiracies do occur, but they are unlikely to stay secret.

Telecommunications and Polling Failures

Social Media and “Information Bubbles”

  • Today, people arrange their informational lives around their prior beliefs.

  • It can seem that their personal opinions represent the majority.

  • When reality doesn’t match, it can be hard to process.

  • A Utah County candidate speculated about fraud in last month’s primary:

Sylvia Andrew, of Provo, said she ran for a state Senate seat.

“So I know a little about running for office, I’ve gone door to door many times … And this last election just seemed fishy. I just can’t believe that every single America first, patriotic kind of person for election integrity, everyone that I know of except for Kera Birkeland lost their primary races,” he said.

“I’m not a statistician, but it doesn’t make sense. So this is vital that we have election integrity. And I don’t trust machines either, I don’t trust ’em.”

  • It’s hard to tell that you’re on the fringe when your entire media and social life are centered in the fringe.

Comparison to the Finance Industry

Voting and Financial Transactions

  • There’s a lot of commonality

    • Diebold made ATMs before getting into voting machines.
    • Need to process hundreds of millions of private transactions.
    • Lots of computers and telecommunications involved.
    • Receipts, audits and recounts are important to the process.
    • Mail is used.
    • Low tolerance for error.

  • Bank errors do happen.

  • What do banks do differently?

Highly Reliable Hardware

  • Many large financial institutions use specialized mainframe computers specifically designed to correct and recover from faults.
  • An important example is the Tandem Computer, which originated in 1974. From Wikipedia:

Tandem Computers, Inc. was the dominant manufacturer of fault-tolerant computer systems for ATM networks, banks, stock exchanges, telephone switching centers, and other similar commercial transaction processing applications requiring maximum uptime and zero data loss….

…Tandem’s NonStop systems use a number of independent identical processors and redundant storage devices and controllers to provide automatic high-speed “failover” in the case of a hardware or software failure. To contain the scope of failures and of corrupted data, these multi-computer systems have no shared central components, not even main memory.

  • The Tandem computer systems evolved into the modern HPE NonStop server products.

What is “Fault Tolerance”?

The NonStop system advertises “100% Fault Tolerance”.

There are many approaches to fault tolerant design. Here are some (that may or may not be in the NonStop system):

Checksum Example

Suppose we want to protect a number with several digits, like 37269.

As a checksum function, we can repeatedly add together the digits like so, always adding digits until we reduce the sum to a single digit:

  3 + 7   2 + 6  +  9

=   10  +   8    +  9

=       18       +  9

=      1 + 8     +  9

=        9       +  9

=                18

=               1 + 8

--------------------------
=                  9

Now append the result to our number, so it becomes 37269,9.

Now if any single digit is altered, a recalculation of the checksum will not match up.

ECC Example

The easiest way to visualize an error correcting code is with the English language.

Say we have a word, like “neighbor”.

I change one letter: “nejhbor”.

We can tell which letter is wrong. This is because the word “neighbor” has more letters than it needs. The extra letters are redundant, they allow us to detect and correct spelling errors. We could spell it “nbr”, but then a single error would make it unreadable.

In essence, ECC uses “spelling rules” for numerical data so that faults can be corrected.

Specialized Format: Binary Coded Decimal (BCD)

  • To represent currency amounts, financial systems often use a modified form of binary called “Binary Coded Decimal”.

  • This is done for a simple reason:

    • Binary denominations multiply or divide by 2.
    • Currency denominations multiply or divide by 10.

  • It turns out there’s no way to write “0.1” in binary!

    • Standard computers approximate it as “0.01111111” or something similar.

  • BCD represents decimal numbers using 4 “bits” for each digit (see the table at right).

  • So if the number is 42.15, the BCD representation is:

  4     2    .   1     5
  
 0100  0010  .  0001  0101
  • BCD numbers require specialized software and/or hardware functions to process.
Digit  |  BCD
-------|------
0      | 0000
1      | 0001
2      | 0010
3      | 0011
4      | 0100
5      | 0101
6      | 0110
7      | 0111
8      | 1000
9      | 1001

Specialized Programming Language: COBOL

The “Common Business Oriented Language” (COBOL) is a unique programming language.

The Downside to Specialized Systems

  • The banking industry has been unable to move away from COBOL.
  • Computing education has forgotten about COBOL.
  • The majority of COBOL programmers are over 50.

The Big Picture

Comparing voting systems with financial systems, we see two trajectories:

There is no right answer or best practice, there are hard tradeoffs and value judgements in every part of this problem.

Electronic systems fail all the time. They are not politically motivated. We should not blindly trust our computers, but we should try and give the benefit of the doubt to our human neighbors, institutions, election officials and volunteers.