Re: Re: Request for technical opinion on EBIs

From: charlie strauss <cems_at_earthlink_dot_net>
Date: Mon May 24 2004 - 18:38:01 CDT

Arthur's disection of the issue is spot on: Audits of EBI's can NOT detect or remedy errors if the electronic ballot is misrecorded or lost. Thus there are two issues, Detection of errors and recovery after errors.

I'd like to add a couple nuances to this theme. One theme is fault tolerance. It is going to be the case that errors in software will happen or be suspected. Thus the design goal needs not to be perfect software but a system that will tend to be reliable even when faults occur. Consider two recent "harmless" errors: for example the 2003 Miami-Dada memo in which an EBI audit found that the bulit-in ballot counting software was doing such bizarre things as attributing votes to the wrong machines. Miraculously even though the totals for individual machines were incorrect, the sum as far as the EBIs could determine actually appeared to be correct. Next consider the Bernalillo NM election in which 12,000 votes were temporarily lost when the vote accumulating database ran out of buffer memory and silently discarded 1/3 of the votes sent to it. In both cases two things can be said 1) one should have a queasy feeling that bugs in one peice of software might be shared with other more critical areas making th
e EBIs and hence the whole election uncertain till an extensive autopsy is performed 2) That the machines be taken out of service untill recertified software is available. In both cases it could be months before one was satisfied the errors were isolated and the vote was correct, and it also might not be possible to re-certify the systems for use in time for an upcoming election. And of course in the worst case outcome is that the bug did affect the results and EBIs were irretreivable misrecorded or lost. In either case, correct or incorrect outcome, this is not a "fail-safe" or "fault-tolerant" system.

Another theme is that the whole notion of adversarial or indendent vote couting is lost. That is to say, the genius of the Australlian Secret ballot, that is the basis of our current election system, rests on two pillars: 1) secret (anonymous) voting 2) adversarial counting process that allows non-trusting parties to agree on the final count. Everything else since then has been improvements to efficiency, access, and tampering. With computerized counting systems, the precint level adversrial process of "many eyes" is lost. In effect, the person who counted the votes was the guy that wrote the software. This is thus a major paradigm shift, not just an acadmeic fight over software security and accounting methods. This concern should rightfully trump desiderata like efficiency and bussiness models.

The final nuance I'd like to raise is transparency and suspiscion. Analogous to the "fault-tolerant" case, there are inevitably going to be cases where there uncomfortable events occur including anomolies on election day (e.g. voting machine seals myseriously broken, lightning strikes) or statistically improbale events ("Dewey beats Truman"), or unoffical returns that disagree with official canvassing results. In all case, a transparent vote recording process, a physical chain of custody, and independent recount mechanism are promote voter confidence and can quickly resolve disputes. Consider two simple cases. In the recent Florida special election the machines showed 132 voters who went to polls did not cast a vote in a single question ballot. The machines could have lost cast votes, or, quite likely, the voters might not have voted--but both possibilites have been know to happen and neither can be satifactorially ruled out. Second, under/overvote rates suggest that a large fraction of voters mis-mark
 their ballots and vote for a different candidate than they intended. On the other hand voting machines have been found to toggle votes from one candidate to another. How would one resolve a case where a voter later insisted they voted for a candidate who had no votes recorded? It is highly desirable to be able to recount a physcial ballot whose markings, even if they were a voter mistake, are not subject to question.

EBIs satisfy none of these nuances, nor Arthur's larger point.

Charlie Strauss
Verifed Voting New Mexico

-----Original Message-----
From: Arthur Keller <>
Sent: May 24, 2004 1:39 PM
To: Jeremy Manning <>
Cc: [redacted],,
        Arthur Keller <>,
        David Dill <>,
Subject: [voting-project] Re: Request for technical opinion on EBIs

Dear Jeremy,. et al.,

Thanks for your message. I had a hand in the development of OVC's
system, but it was a larger group that designed it. I've copied
David Dill and the OVC mailing list on my reply, so that others
knowledgeable on this issue can chime in too.

With electronic voting machines, there are two primary questions that
arise with the counting. First, are the ballots correctly and
faithfully recorded as EBI's. And second, are the ballots correctly
and faithfully tabulated in the canvassing process. The short answer
is that the printing of EBI's addresses only the second question, and
only partially. It has no bearing on the first question. It is
possible that due to software glitches or even fraud, the EBI does
not faithfully represent the voter's intent as specified to the EVM.
This is possible even if the voter has "verified" what has appeared
on the screen---what's written to permanent media for tabulation may
in fact be different. Furthermore, how does the proposal address the
potential that EBI's can be lost?

One problem in using EBI's is that knowing the time of the vote can
be used to reconstruct the votes cast by individual voters.

I suggest that recounts (including those done on a spot check basis
after the election as well as full recounts) be done using media that
has directly been verified by the voter. Paper is ok; even Ted
Selker's audiotape approach is ok; but bits on a disk are not.

Best regarrds,

At 1:04 PM -0700 5/24/04, Jeremy Manning wrote:
>i have copied arthur keller on this email. he designed the Open
>Voting Consortium's elections system, and it has special provision
>for the sequence and timing by which the EBI is created. i believe
>they paid careful attention to this issue for reasons of reliability
>and security. arthur can you give us your opinion?
>i'm sure dave dill would have some thoughts as well.
>as for my two cents on the technical/systems issue, it seems to me
>that the question is whether we should place full trust in the
>computer-generated representation of voter intent, or whether a
>recount or audit is more legitimately and more reliably conducted by
>standard and well-accepted and proven accounting procedures -- all
>of which involve using paper. since every judge is probably
>familiar with Enron and the Arthur Anderson blow up, i think the
>analogy between good accounting practices, and bad, might be useful
>here. (on the other hand, if you type in "EBI" and "ballot" into
>google, you'll come up with a couple papers that seem to support the
>EBI approach, but only with tight computerized audit trail
>functionality and a "triple unit" systems approach to creating,
>retaining and retrieving the EBIs. at minimun, it would seem you
>could get expert testimony on the question of whether the systems
>for creating, storing and retr! ieving the EBIs meet the appropriate
>standards from a software design standpoint.)
>for MD, however, the legal issue may well be resolved in the
>statutory definition of "ballot," or other terms found in the
>legislation/regs governing elections. for instance, in the proposed
>NY legislation, "Ballot" was initially defined purely as the EBI.
>these "Ballots" were to be that which was subject to recount. i
>believe the proposed statute has been amended to insure that
>"Ballot" = the electronic display + the paper hardcopy of the
>displayed image. it's just a guess, but i imagine that similar
>statutory definition issues and analysis might help (or hurt
>:-(...) in MD.
>i'll think about this some more, but i think arthur and dave may
>have a lot more to say...jeremy
>Evote-litigation mailing list
>Jeremy F. Manning
>Make sure your vote counts!
>Support H.R.2239
>Do you Yahoo!?
>Friends. Fun. <>Try the all-new Yahoo! Messenger

Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA  94303-4507
tel +1(650)424-0202, fax +1(650)424-0424
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
Received on Mon May 31 23:18:02 2004

This archive was generated by hypermail 2.1.8 : Mon May 31 2004 - 23:18:17 CDT