Hi all,
Hope you don’t mind me dropping in… but I was one of the millions in line for an iPhone 4 the other day in Cincinnati… (pics below) and was telling the people around me about the last time I stood in line for a product launch… 11:50 pm – October 23, 2003.
Quite the product launch for Panther in Huntsville, ON
Meg and Jamie waiting for us inside...
Thousands flood the store!! 
It was a slightly different story this week…
Outside the Apple store in Cincinnati with 500-600 of my closest friends
Hope all is well – and that you survived the G8!
Thinking of you …
Rod
Further message from Grant.
Here’s the link you could post for anyone wanting to chat about it:
http://groups.yahoo.com/group/e-Voting/join
Regards – Grant
At our recent meeting we had a guest named Grant Hallman who made an impassioned presentation about the dangers of e-voting and why we should be very concerned about the current trend towards e-voting at the municipal level. I have copied below the notes that Grant handed out. Please spread this information far and wide.
Democracy vs. Electronic Voting
My name is Grant Hallman. I have spent a career in the software development business, and I am alarmed and utterly appalled at the trend to move the process of voting, away from paper ballots at supervised polling stations, and onto the Internet, touch-tone phones, or electronic voting machines. This trend has now arrived in Huntsville. Your right to a secret, verifiable paper ballot for the October 2010 municipal election, was quietly revoked at a November council meeting. It will be replaced by an electronic voting system supplied by Intelivote, a Halifax-based commercial software supplier. If you care about your democratic right to vote, here are a few things you might want to consider about electronic voting.
• The counting of electronic ballots is removed from human oversight. That means the counting is left to a commercial entity having no direct accountability to voters, and a recount is impossible. Instead of counting physical ballots under the scrutiny of candidates and election officials, Intellivote will run a computer program and then simply announce who our new mayor and councilors are. Whether the results seem fair or totally unreasonable, we have no choice but to believe them.
• Your ballot is no longer guaranteed secret. To vote electronically, you will be required to enter a personal PIN number, followed by your vote. Thus your personal identity and your vote will be known to the same computer, which can keep a log of your voting history.
For those unfamiliar with the world of software, here are a few backgrounds facts which should be a concern:
• All software has “bugs” – errors which may produce inaccurate results. The errors may be obvious or very subtle.
• Software systems can be incredibly easy to subvert and tamper with.
• All processes using the Internet are vulnerable to attack, spying and subversion.
• Electronic voting is particularly vulnerable in that, should any of the above occur, there is virtually no way to detect it.
There are several versions of electronic voting, from voting machines at polling booths to unmonitored voting by Internet or phone. The latter requires that voters enter a PIN number and then their vote, so the system can determine that no one votes twice. These PINs are mailed to registered voters in advance. There are a number of negative implications, most prominently that:
• the counting of ballots is removed from human oversight, hence reliability is left to a commercial entity having no direct accountability to voters, and verifiability (recounts) is made impossible.
• for Internet or telephone voting, the same computer will receive a person’s PIN and their vote, hence ballot secrecy is fatally compromised.
At a November 2009 Council meeting, the Town of Huntsville voted to run the October 2010 municipal election entirely electronically, using a system provided by Intelivote, a Halifax-based commercial enterprise. But this isn’t just about that election. It has also become apparent that Elections Canada is planning the use of e-voting in a Federal by-election(1), as a test, presumably with an eye to going country-wide with it. E-voting intrinsically removes our guarantee of a secret and a verifiable ballot. To my surprise and dismay, neither I nor my MP nor my MPP’s staff can identify any law in any Canadian jurisdiction which explicitly requires an election meet those fundamental democratic guarantees of secrecy and verifiability.
Issues
This concern goes far beyond the Huntsville election, but here are a few of the issues which have come to light in discussions with Huntsville staff and representatives of Intelivote. The following comments are not uniquely relevant to the Huntsville municipal election or the Intelivote system, but apply more generally to the concept of non-verifiable, non-secret, that is, electronic voting.
• Public trust is dramatically weakened:
- to tamper with paper ballot tabulation would require collusion between all of a number of scrutineers and election officials with conflicting interests. When the counting process is visible and transparent, voters can rely on candidates’ self-interest to prevent tampering.
- to tamper with e-vote ballots requires just one person, of many people with access to the software, or any one of many people able to hack into the process at any point from home computer to local ISP to Intelivote servers.
• Accountability for running an honest and secret ballot is removed from government representatives responsible to citizens, and is given to a commercial entity not responsible to citizens. Why should citizens be forced to trust Intelivote? Suppose Intelivote is acquired by a company with a subsidiary wanting to do real estate development, or bid on municipal contracts, or a foreign company. Will there be a declaration of conflict of interest? If not, who would know? If yes, then what do we do to vote? Democracy is too important to outsource!
-
• There is no standard or oversight for ownership of, or minimum security requirements for, a company offering e-voting systems. Our next election, at any level, could be run by a subsidiary of Exxon, or AIG, or a California-based startup company operated by three university students, or a Chinese-owned software supplier, or a Canadian subsidiary of a Saudi company fronting for al Queda. There is simply no standard or protection of any kind.
-
• Verifiability of the ballots, including recounts, is lost. Intelivote, or whichever e-voting supplier is running an election, will in fact be the ones who tell us who will run our town. Or later, our federal government. Whatever this company tells us, we have no choice but to believe.
-
• Secrecy of an individual’s voting history is no longer guaranteed. With paper ballots, secrecy is obvious – the marked ballot cannot be traced to the voter. Instead with e-voting, a voter must enter a self-identifying PIN along with their vote. There is absolutely no technical reason that computer cannot keep a log of everyone’s voting history. We have nothing more than assurances from Intelivote, in the form of a list of “features” of a commercial product, that this will not happen. The validity of those assurances cannot be verified by a voter, by election officials, or in truth by Intelivote.
-
• Privacy of voting is lost. The door is wide open for coercion or theft of PINs within a household. Whoever opens the mail first, can make a note of the PINs for every other voter in the house, and having the PINs, can cast all the votes. Or imagine someone standing behind a family member in a polling booth, watching as they vote. That would be intolerable, yet that scenario is just what is enabled by e-voting.
-
• Because privacy and secrecy are lost, the outright purchasing of votes becomes viable. With a secret, supervised voting procedure, no one attempting to buy a vote can be sure they got their money’s worth. But if someone purchases 100, or 10,000 PINs from voters, those votes can be cast by whoever has the PINs at election time, guaranteeing the result – and there is absolutely no way an e-voting system, or election officials, or voters, could detect it.
-
• All software has bugs. There is no test for “no bugs”. If Intelivote’s software accidentally produces a wrong result that tips an election, there is absolutely no way to know, and nothing to recount.
• If an e-voting company, or any one of their staff with access to the software, or any hacker who has penetrated their security, sells an election to the highest bidder, again, there is no way to know, and nothing to recount. Every surprise election result becomes questionable.
-
• Intelivote and all e-voting suppliers will explain how secure their system is, both at their computer center, and in the “securely encrypted” communication between their servers and a voter’s home computer. But no matter how well tested and secure Intelivote software may be, internet voting must also enlist home computers, local ISPs etc. as integral parts of the overall voting system, thus is vulnerable to attack at these other, unsecured places, including:
- Anyone’s home computer may be compromised by malware, spyware etc.
- Home computers use various versions of operating system and internet browser, both integral to e-voting, both of which may be outdated, buggy and insecure. Consider the number of patches released by Microsoft to remedy security issues alone – a monthly occurrence.
- Local ISPs, also integral to e-voting, may be compromised, affecting the votes of all their customers.
- Intelivote’s servers are not immune. No one’s are. Even military computers are regularly and successfully attacked over the Internet (2), (3). There is an ongoing competition between Internet security and infiltration, with no clear winner.
- Even if the source code – the human-readable version – for an e-voting system’s software were made public and found error-free, there is no way to guarantee that is the software version actually running on election day, and no way to guarantee that nothing malicious is running along with it, at any point between the home computer and the final results, and no reliable way to detect it if there is.
• Votes can also be cast with a touch-tone phone, which is far less secure and easier to tamper with even than Internet communications. Off-the-shelf equipment exists to auto-dial, generate touch tones, and spoof the caller ID.
Some Arguments used in support of e-voting:
-
“It reduces spoiled ballots”
Yes – but while reducing spoiled ballots removes ambiguity in a cast vote, it does nothing to reduce errors by a voter. It simply makes any errors invisible, and non-recountable.
“The banks use the internet all the time”
Yes – but bank transactions are known to payer and payee, and either can tell if there’s an error, and the transaction can be verified and corrected if necessary. Whereas votes are (supposedly) secret, and if an error happens, neither voter nor counter has any way to know.
“E-voting has been used in other municipalities, with little or no problems”
We can only know it’s been used. We have no way at all to know if it was accurate and secret, which is the central point of objection: e-voting makes errors, spying or tampering, undetectable.
“Paper Ballots aren’t perfect anyway!”
True – miscounts, spoiled ballots, a lost ballot box – it’s not perfect. But it’s a system which has evolved over a century to address most problems most of the time, and it does a pretty good job. And when it doesn’t, usually there is evidence of a problem, and usually there is a second chance – a judicial recount. E-voting problems will provide neither evidence nor recourse.
“E-voting makes voting more accessible”
Yes – that’s why American Idol uses it. It also makes counting, secrecy, non-coercion, vote-buying and other abuses impossible for anyone to verify. E-voting for the small minority of persons with mobility or other handicaps restricting access to polling stations, seems a reasonable tradeoff. But it makes absolutely no sense to compromise these cornerstones of the democratic process, to accommodate people simply too lazy to get out and vote. Getting more voters to participate at the expense of the integrity of the entire process is nothing more than killing democracy to save it.
“E-voting is legal”
The Ontario Municipal Elections Act seems to have omitted explicit requirements that an e-voting system be verifiable, secret and non-coercive. Instead, according to MPP Norm Miller’s office those requirements are considered “common law”. However, they simply cannot be met by any e-voting system. This legislative omission needs to be corrected before serious abuse happens, because e-voting is the perfect tool for the serious abuser. It won’t likely happen in 2010, but left unchallenged, I can guarantee that it will eventually happen, and when it does, we’ll never know it. Who will protect the integrity of basic democratic process when its inner workings are no longer accessible to citizens or their representatives?
Summary
Computers and the Internet have revolutionized our lives time after time. I am not advocating a return to a world of quill and paper and telegraphs. I have made a career of developing leading-edge software technology, including security applications, some in association with the National Research Council. I have the technical, scientific and mathematical background to appreciate the challenges involved in electronic voting. And it is painfully clear to me that in a world where hackers, spammers, spyware and viruses run rampant, where even military computers are regularly compromised, voting is simply not an appropriate application for computers and the internet. The theoretical and practical problems of verifiability, secrecy and security inherent to e-voting have not been solved, and probably cannot be solved with presently available technology. So even as we spend blood and fortune to export democracy to Afghanistan, we are in literal truth surrendering it here in Canada.
A Google search of the phrase “electronic voting problem” will find over half a million “hits”, a massive litany of both theoretical and practical problems wherever this has been tried in the past. And that’s before e-voting has become sufficiently widespread that it has attracted really serious, systematic attempts to manipulate and subvert it. So I have these two questions:
(1) Do the people advocating this technology not understand its perils, or do they simply not think the threat they pose to democracy, is important?
-
(2) Who will act to protect our most fundamental democratic right to a verifiable, recountable, and secret ballot? Because we’re about to lose it, painlessly and thoroughly. We badly need explicitly legislated minimal standards, and a technically savvy watchdog agency to protect our democracy.
Grant Hallman, B.Sc., Ph.D., President (Ret.) Unilogic Systems
1156 Britannia Rd., RR2 Huntsville ON, P1H 2J3
705-635-1146
Attached exhibits marked A through D are screenshots from a brief exploration of Intelivote’s online “demo” voting system:
Exhibit A: A clear vote for “Wyseman”
Exhibit B: An apparent vote for two candidates. This screen persisted for a few moments due to slow dial-up Internet access, then disappeared.
Exhibit C: More problems caused by dial-up lag. I attempted to vote for 5 candidates where only 4 were allowed. The system caught the error (see error message in box), automatically and arbitrarily removed the 5th candidate, and left those little “clock” icons on the screen while the slow dial-up connection lagged far behind my “voting”. Looking at this screen, I can’t tell who I voted for.
Exhibit D: Due to access lag or indecision on my part, after a few minutes the system terminated my voting session.
In later conversation with Intelivote, it was suggested that I somehow “cooked” these results. I am not offended by the accusation – it only serves to make my point, that with computers, anything is possible, and no one can tell otherwise. In fact, all of these screens were visible on my computer during a brief test of the Intelivote demo system.
References:
(1) Toronto Star article: “Elections Canada backs online voting”
Allowing Canadians to vote electronically may be the remedy for the ever-dwindling percentage of voters who bother to exercise their democratic rights, Elections Canada suggests.
(2) China hacks India’s Military Computers, in the news in April 2010, see:
http://www.defence.pk/forums/world-affairs/53316-chinese-spies-hack-indian-defense-ministry-computers.html
(3) Pentagon computers hacked, 2007:
Other Internet articles:
(4) Problems with Diebold voting machines:
(5) Fascinating interview with a hacker who rigged a US electronic election in 2004:
June’s meeting is shaping up to be quite interesting.
#1 I have an iPad to show everyone and am preparing to make a little presentation about ebooks, freebooks and such.
#2 Grant Hallman is coming. (He is the gentleman (PC and Mac user) who has been working with Jamie and myself to raise consciousness about the dangers of electronic voting.
Of course we will have our usual sharing of little Mac troubles and sorting through of issues and stories of big successes.
Hope to see you there. Cheers, Meg
Two months back I mentioned Apple’s licensing change to block the use of Flash based applications on the iPhone and iPad.
Then last meeting Meg pointed out Steve Jobs open letter about flash.
Well here’s the next chapter – Abode has created a ‘we love choice’ page on their website, including Adobe’s response
I’ve read a lot of commentary on this mess.
I think maybe this post here might sum it up best.
It’s the second Monday of the month again. MMUG meeting time!!
Hope to see you with concerns and questions ready. We may have a guest/customer to speak to us about concerns about e-voting and democracy. To prepare for this topic you might be interested in reading the following article in WIRED magazine
Click here to see the page on wired.com
I found another very good article about the Canadian situation. I never even thought of the problem of “spoofing.”
See you tonight!
Meg
My but you have an eclectic reading list! This is an excellent article dealing with the macro issues of archival work. I particularly liked the author’s comment:
“the research done in my field, the history of science, offers comfort in the morbid but accurate observation—ultimately traceable to Kuhnian theory that “science marches ahead one funeral at a time.” (referring to the loss of so many libraries in antiquity.
I think the discussion we had at MMUG left us with some ability to cope with the current and pragmatic: to ensure we have copies of anything we wish to archive, and in a Plain Text format. (Which I have now done, thanks to your assistance.)
Thanks for the article.
Bill Rathbun
Gravenhurst
This relates back to our discussions in the last meeting about preserving digital data.
It’s worth the time to read.
Towards The New Alexandria
As a quick follow up to my comments in 2008 about app store approval, here’s a piece on the editorial cartoonist who won a Pulitizer rejected by Apple as inappropriate.
The rumour mill keeps flying….
IT World – adobe-vs-apple Going To Get Uglier
Gizmodo Rumor Adobe Prepping Lawsuit
Hopefully they can work this out. The iPwhatever devices need to be more open, not less to truly be world changing, instead of a premium device with small marketshare.