Fwd: JFM legal actions based on EBI technical opinions

From: Arthur Keller <arthur_at_kellers_dot_org>
Date: Mon May 24 2004 - 20:27:23 CDT

--- begin forwarded text

Date: Mon, 24 May 2004 17:14:22 -0700 (PDT)
From: Jeremy Manning <jmanning_us_at_yahoo_dot_com>
Subject: JFM legal actions based on EBI technical opinions
To: charlie strauss <cems@earthlink.net>, voting-project@lists.sonic.net
Cc: [redacted];, evote-litigation@eff.org,
         David Dill <dill@cs.stanford.edu>,
         voting-project@lists.sonic.net

seems to me that arthur and charlie's points could form the basis for
expert testimony. perhaps an analysis of the DRE computer system
from a qualified expert with a schematic that shows how the DRE
creates, records, stores and retrieves EBIs. the expert could show
the places where errors could occur, and, using Charlie's examples,
where we know they have occurred.

i also think charlie's "post-election autopsy by forensic computer
experts" is a good point, given the need for legitimate and timely
(see Bush v. Gore) results. perhaps an accounting expert could
testify about the demands of forensic computer systems analysis
and how paper is simpler and faster and more reliable and less open
to dispute.
jeremy

charlie strauss <cems@earthlink.net> wrote:

Arthur's dissection of the issue is spot on: Audits of EBI's can NOT
detect or remedy errors if the electronic ballot is misrecorded or
lost. Thus there are two issues, Detection of errors and recovery
after errors.

I'd like to add a couple nuances to this theme. One theme is fault
tolerance. It is going to be the case that errors in software will
happen or be suspected. Thus the design goal needs not to be perfect
software but a system that will tend to be reliable even when faults
occur. Consider two recent "harmless" errors: for example the 2003
Miami-Dade memo in which an EBI audit found that the built-in ballot
counting software was doing such bizarre things as attributing votes
to the wrong machines. Miraculously even though the totals for
individual machines were incorrect, the sum as far as the EBIs could
determine actually appeared to be correct. Next consider the
Bernalillo NM election in which 12,000 votes were temporarily lost
when the vote accumulating database ran out of buffer memory and
silently discarded 1/3 of the votes sent to it. In both cases two
things can be said 1) one should have a queasy feeling that bugs in
one piece of software might be shared with other more critical areas
making the EBIs and hence the whole election uncertain till an
extensive autopsy is performed 2) That the machines be taken out of
service until recertified software is available. In both cases it
could be months before one was satisfied the errors were isolated and
the vote was correct, and it also might not be possible to re-certify
the systems for use in time for an upcoming election. And of course
in the worst case the outcome is that the bug did affect the results and
EBIs were irretrievably misrecorded or lost. In either case, correct
or incorrect outcome, this is not a "fail-safe" or "fault-tolerant"
system.

Another theme is that the whole notion of adversarial or independent
vote counting is lost. That is to say, the genius of the Australian
Secret ballot, that is the basis of our current election system,
rests on two pillars: 1) secret (anonymous) voting 2) adversarial
counting process that allows non-trusting parties to agree on the
final count. Everything else since then has been improvements to
efficiency, access, and tampering. With computerized counting
systems, the precinct level adversarial process of "many eyes" is lost.
In effect, the person who counted the votes was the guy that wrote
the software. This is thus a major paradigm shift, not just an
academic fight over software security and accounting methods. This
concern should rightfully trump desiderata like efficiency and
business models.

The final nuance I'd like to raise is transparency and suspicion.
Analogous to the "fault-tolerant" case, there are inevitably going to
be cases where uncomfortable events occur including anomalies
on election day (e.g. voting machine seals mysteriously broken,
lightning strikes) or statistically improbable events ("Dewey beats
Truman"), or unofficial returns that disagree with official canvassing
results. In all cases, a transparent vote recording process, a
physical chain of custody, and independent recount mechanism
promote voter confidence and can quickly resolve disputes. Consider
two simple cases. In the recent Florida special election the machines
showed 132 voters who went to polls did not cast a vote in a single
question ballot. The machines could have lost cast votes, or, quite
likely, the voters might not have voted--but both possibilities have
been known to happen and neither can be satisfactorily ruled out.
Second, under/overvote rates suggest that a large fraction of voters
mis-mark their ballots and vote for a different candidate than they
intended. On the other hand voting machines have been found to toggle
votes from one candidate to another. How would one resolve a case
where a voter later insisted they voted for a candidate who had no
votes recorded? It is highly desirable to be able to recount a
physical ballot whose markings, even if they were a voter mistake,
are not subject to question.

EBIs satisfy none of these nuances, nor Arthur's larger point.

Charlie Strauss
Verified Voting New Mexico
vvnm.org

-----Original Message-----
From: Arthur Keller
Sent: May 24, 2004 1:39 PM
To: Jeremy Manning
Cc: [redacted], Arthur Keller, David Dill, voting-project@lists.sonic.net
Subject: [voting-project] Re: Request for technical opinion on EBIs

Dear Jeremy, et al.,

Thanks for your message. I had a hand in the development of OVC's
system, but it was a larger group that designed it. I've copied
David Dill and the OVC mailing list on my reply, so that others
knowledgeable on this issue can chime in too.

With electronic voting machines, there are two primary questions that
arise with the counting. First, are the ballots correctly and
faithfully recorded as EBI's. And second, are the ballots correctly
and faithfully tabulated in the canvassing process. The short answer
is that the printing of EBI's addresses only the second question, and
only partially. It has no bearing on the first question. It is
possible that due to software glitches or even fraud, the EBI does
not faithfully represent the voter's intent as specified to the EVM.
This is possible even if the voter has "verified" what has appeared
on the screen---what's written to permanent media for tabulation may
in fact be different. Furthermore, how does the proposal address the
potential that EBI's can be lost?

One problem in using EBI's is that knowing the time of the vote can
be used to reconstruct the votes cast by individual voters.

I suggest that recounts (including those done on a spot check basis
after the election as well as full recounts) be done using media that
has directly been verified by the voter. Paper is ok; even Ted
Selker's audiotape approach is ok; but bits on a disk are not.

Best regards,
Arthur

At 1:04 PM -0700 5/24/04, Jeremy Manning wrote:
>
>i have copied arthur keller on this email. he designed the Open
>Voting Consortium's elections system, and it has special provision
>for the sequence and timing by which the EBI is created. i believe
>they paid careful attention to this issue for reasons of reliability
>and security. arthur can you give us your opinion?
>
>i'm sure dave dill would have some thoughts as well.
>
>as for my two cents on the technical/systems issue, it seems to me
>that the question is whether we should place full trust in the
>computer-generated representation of voter intent, or whether a
>recount or audit is more legitimately and more reliably conducted by
>standard and well-accepted and proven accounting procedures -- all
>of which involve using paper. since every judge is probably
>familiar with Enron and the Arthur Andersen blow up, i think the
>analogy between good accounting practices, and bad, might be useful
>here. (on the other hand, if you type in "EBI" and "ballot" into
>google, you'll come up with a couple papers that seem to support the
>EBI approach, but only with tight computerized audit trail
>functionality and a "triple unit" systems approach to creating,
>retaining and retrieving the EBIs. at minimum, it would seem you
>could get expert testimony on the question of whether the systems
>for creating, storing and retrieving the EBIs meet the appropriate
>standards from a software design standpoint.)
>
>for MD, however, the legal issue may well be resolved in the
>statutory definition of "ballot," or other terms found in the
>legislation/regs governing elections. for instance, in the proposed
>NY legislation, "Ballot" was initially defined purely as the EBI.
>these "Ballots" were to be that which was subject to recount. i
>believe the proposed statute has been amended to insure that
>"Ballot" = the electronic display + the paper hardcopy of the
>displayed image. it's just a guess, but i imagine that similar
>statutory definition issues and analysis might help (or hurt
>:-(...) in MD.
>
>i'll think about this some more, but i think arthur and dave may
>have a lot more to say...jeremy
>
>Jeremy F. Manning
>Make sure your vote counts!
>Support H.R.2239
>212.243.7787

--
-------------------------------------------------------------------------------
Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA 94303-4507
tel +1(650)424-0202, fax +1(650)424-0424
--- end forwarded text
-- 
-------------------------------------------------------------------------------
Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA  94303-4507
tel +1(650)424-0202, fax +1(650)424-0424
==================================================================
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
==================================================================
Received on Mon May 31 23:18:03 2004
