SoylentNews is people

posted by on Thursday March 16 2017, @06:37AM
from the every-vote-10101011's dept.

On Wednesday 15th of March, there are (were) general elections in the Netherlands. A vote is cast by marking the chosen candidate with a red pencil on a (large) ballot. Vote counting is manual. Below is a short history of how the Netherlands got to this point.

Background: voting in the Netherlands
First up: voting in the Netherlands is rather different than voting in the USA. In the Netherlands, every voter gets to cast one vote. There's a huge list of candidates (400-600), who are grouped into ordered lists (i.e., the various parties).
There are 150 seats in the House. To get elected, you need.... 1/150th of the total number of votes.
(that sounds almost reasonable, right?)

If you're short (or over), the votes that aren't used by you default to the party. Seats are then assigned to the folks on the party's list in the order they appear on the list. So, if after everyone was directly elected, a party receives 6 / 150th of the votes, then the first 6 persons on the list who did not win a seat themselves, win a seat.

Usually this process does not allocate all seats, and there's a process for that as well (D'Hondt method, if you want to be precise).

The TL;DR version: people vote for exactly one candidate out of a few hundred candidates. Every vote counts. Even if your candidate is not elected, by voting you've raised the total number of votes, and therefore the threshold that needs to be passed (1/150th of the vote) to win a seat.

Machine voting in the Netherlands
The Netherlands enjoyed machine voting for a long time. Prior to my existence, mechanical devices were in use. These were superseded by electronic voting machines. The machine that was used the most was the Nedap machine: sort of an extra-large checkerboard of buttons, on which a ballot with candidates was placed. You'd press the button of the candidate of your choice, a tiny LED screen on top would show the party and the name of the candidate whose button you had pressed, you'd press the 'confirm' button next to the tiny display, and you had voted.

This system facilitated vote counting enormously. To count votes, you'd just press a button and out came a "shopping receipt" with the vote count. A recount was even easier: just press the button again! Couldn't be easier.
Of course, there are a few security issues with that, but hey :)

Back to the red pencil: security issues with machine voting
Around 2007, the heat was turned up under the feet of voting machines. They suffered from various flaws: no meaningful recounts, no meaningful way to verify that the result had any relation to the voter input, etc.
At one point, Nedap claimed their machines were not computers. An opposing party countered this claim by making one of the Nedaps play chess (by inserting their own PROM chip onto the board). This effectively demonstrated that the machine could do anything whatsoever, and that verification was completely impossible.

Amazingly enough, that was not the thing that got these machines banned. What got these machines banned was the displaying of the party's name. As it happens, there was exactly one party whose name includes an accent: CDA (fully known as "christen-democratisch appèl"). That one accent was enough to get voting machines banned.
As it turns out, the emanations from the ancient, tiny LED screen depended on what was displayed. Before you say "well gosh jolly, who'dda thunk": determining what was displayed based on those emanations was *hard*.
Except for the accented character. I believe it was due to that one character using an extra bit (8 bits instead of 7 bits). At any rate, the emanations for this character could be easily distinguished from emanations lacking this character. Moreover, both types of emanations could be distinguished from when the screen was off.

A group of hacktivists (before this term was widely used), by the name of "Wij Vertrouwen Stemcomputers Niet", seized upon this. They had already shown that the Nedap could play chess, but now they constructed a simple display (converted TomTom) with a large antenna. The display would show when a vote was cast, and whether that vote was a vote for CDA or not. From outside the precinct.

That got Nedaps banned. In the ensuing fallout, the security of the other manufacturers' machines turned out to be enormously under par as well, so in one fell swoop all voting machines got banned. Voting was done in the traditional fashion: paper ballots, and a red pencil.

Handcounting of votes
Of course, the paper ballots had to be hand counted. You could probably design a system that is able to read this A2.5-ish ballot and determine where the mark is, but a trustworthy system that is cheap enough to deploy to all precincts (guesstimate: about 10,000), and easy and robust enough to be used accurately by folks who have never seen this before?
Yup, it's counting by hand.

Aggregation of votes
Aggregating the votes is somewhat tricky. Each precinct handcounts its results, which then need to be aggregated. This happens first at the municipal level. Until recently, special software was used for this. Again, security was an afterthought - in the software and in the procedures used.

After completing the count, the count would be entered into a TXT file, which was saved onto a USB key. Then, someone would take the USB key to town hall. (I kid you not.) After that, the software would take over: software which could be installed on any system, including Windows XP (which was known to be on the way out when the software was developed). The software has its share of problems (it installs a webserver but doesn't need internet, uses HTTP to connect to the local webserver, uses SHA1, stores SHA1 hashes with the data they are "securing", emails result files without encryption, ...). This was found out thanks to an ethical hacker, who did a teardown of this software based on a YouTube instruction video (I am not making this up!):

I am now at 03:44 minutes into this epic instruction video...

The responsible minister could do little else but hire a security company to perform a security audit of the software. Unsurprisingly, they reached more or less the same conclusions as the ethical hacker. They did state some rules under which the software could be used as a backup.
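
One of the problems listed above, storing SHA1 hashes with the data they are "securing", can be shown in a few lines. This is an added example, not code from the aggregation software or the audit: the file layout, key and function names are constructed, and HMAC-SHA256 is a substituted technique chosen here for contrast, not something the page says was adopted.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample; the real result-file format is not given on the page.
RESULT = b"precinct=0042\nlist1=312\nlist2=287\nlist3=95\n"
EDIT = (b"list2=287", b"list2=827")  # constructed in-transit modification


def seal_unkeyed(data: bytes) -> bytes:
    """Pattern from the text: a plain SHA-1 digest stored with the data."""
    return data + b"sha1=" + hashlib.sha1(data).hexdigest().encode() + b"\n"


def seal_keyed(data: bytes, key: bytes) -> bytes:
    """Assumed alternative: HMAC-SHA256 under a key kept apart from the file."""
    tag = hmac.new(key, data, hashlib.sha256).hexdigest().encode()
    return data + b"hmac=" + tag + b"\n"


def verify(blob: bytes, key: Optional[bytes] = None) -> bool:
    """Check the trailing tag; key=None means the unkeyed SHA-1 form."""
    label = b"sha1=" if key is None else b"hmac="
    data, sep, tag = blob.rpartition(label)
    if not sep:
        return False  # no tag present: reject rather than accept
    if key is None:
        expected = hashlib.sha1(data).hexdigest().encode()
    else:
        expected = hmac.new(key, data, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(expected, tag.strip())


def demo() -> dict:
    key = b"constructed-key-known-only-to-sender-and-town-hall"
    altered = RESULT.replace(*EDIT)
    return {
        "unkeyed_original": verify(seal_unkeyed(RESULT)),
        # Whoever can edit the file can also recompute the digest beside it.
        "unkeyed_edited_and_rehashed": verify(seal_unkeyed(altered)),
        "keyed_original": verify(seal_keyed(RESULT, key), key),
        # Without the key: keep the old tag, or re-tag under a guessed key.
        "keyed_edited_old_tag": verify(seal_keyed(RESULT, key).replace(*EDIT), key),
        "keyed_edited_guessed_key": verify(seal_keyed(altered, b"guess"), key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'REJECTED'}")
```

An unkeyed digest next to the data only catches accidental corruption. A shared-key MAC still lets either key holder produce valid tags, which a digital signature would avoid at the cost of key distribution.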

Determining the results of the 2017 elections
Which is where we are now. Each precinct will hand-count the votes. These results are then aggregated manually at the municipal level and at higher levels. Software may be used on stand-alone, unconnected computers to validate the result of the manual aggregations. Paper is leading, meaning that if the two aggregations differ, we will turn to the paper count and recount that to verify that it is correct.

Wrapping up
So that is that: we were using machines but they were horrendously insecure. We were using software to aggregate votes in a horrendously insecure way. We are voting today (yesterday?) with red pencil and paper, hand counting votes and manual aggregation of votes.

Every once in a while, someone suggests a "better" way to do it. Usually "better" translates into "more convenient, broken security". Some folks call the current system old-fashioned. To me, old-fashioned may be a downside for clothing, but I don't mind it in a voting system.


  • (Score: 2) by FatPhil on Thursday March 16 2017, @08:58AM (3 children)

    I don't see the distinction you are making between accuracy and correctness, to me they are the same.
    However, you are right that verifiability is an absolutely essential attribute in any election - recounts must be possible.

    I've only just noticed the similarity between another security-related field - that of identification (in particular authentication, or "authentifying" as they now seem to call it). Passwords, the something you know, seem to have fallen out of favour for situations where security is very important - and two-factor, bringing in the second factor of something you have, seems all the rage.

    Isn't an electronic ballot the computer tallying something it knows (your vote), and a paper ballot has the counters (which can be mechanical) tallying something it has (the ballot paper)? To see pressure back towards paper ballots is hardly surprising whilst thing-you-have is gaining popularity in other security fields.

    Could be bullshit, I've literally only just thought of it just now, and have never seen such a parallel drawn before.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 2, Insightful) by Anonymous Coward on Thursday March 16 2017, @12:33PM


    The advantage of paper ballots is that their manipulation is subject to the rules of classical physics, which cannot be changed and to the degree needed are perfectly well known to anyone, so everyone can easily estimate the security of the vote, without requiring special knowledge. Moreover, the whole process involves only objects which are visible with the naked eye, so verification also doesn't need any tools that could themselves be manipulated.

    On the other hand, computers follow the rules of their programming, which isn't directly accessible, but only can be accessed using tools that themselves may be manipulated (think of rootkits), and which can easily be manipulated. And you need specialized knowledge to even consider verifying them.

  • (Score: 2) by Immerman on Thursday March 16 2017, @02:34PM


    Indeed, they seem to be confusing accuracy (correctness) and precision (amount of "detail")

    Two factor is indeed a major security upgrade as it makes security considerably more difficult to bypass - but it relies on *both* factors being used. Without the something you know, it's just a standard key-based lock - anyone who can steal the physical "something you have" can get past the security unchallenged, and if there's any "pickable" flaws in the lock they don't even need that.

    As security improves there is indeed motion towards "something you have", because it was not previously present. But importantly, there is not a corresponding motion away from "something you know", at least not among those concerned with actual security.

    I don't see that it has anything to do with voting though - electronic ballots aren't "something you know" or "something you have" - there's no "what's the password" security to get past, they're just electronic data. And electronic data is *extremely* easy to tamper with remotely without leaving traces. Especially when being handled by general purpose computers with lackadaisical security and an internet connection. The tampering can even take place long before the election by infecting the machines with vote-switching malware that deletes itself after stealing the election.

    The push back to paper ballots is simply because physical ballots are considerably more difficult to tamper with - doing so requires that actual physical ballots be "lost", and/or phony ones be "found" - tasks that require a criminal to be physically present, and can be easily guarded against by alert independent watchers (or a group of watchers with conflicting allegiances). The price - the potential for physical ballots to be improperly completed (hanging chads, mismarked sheets) is greatly outweighed by the increased difficulty in stealing the election in the face of well-understood and easily verified security, as well as the ability to do a recount.

    An electronic ballot system can eliminate mistakes (perfect precision), but can't meaningfully guarantee accuracy (votes can be silently changed wholesale). Hybrid systems could theoretically work - using an electronic voting machine that generates a human-verified paper ballot, but that's a lot of expense to eliminate a small margin of error. Plus, it seems that once you have involved machines in the process at all, they tend to end up doing the counting, since they're so fast and precise about it. But they can't be trusted, and once they've done the job, nobody wants to count the ballots by hand to make sure nobody cheated. Involving computers at all seems to just place the entire election on a slippery slope, where human eagerness, laziness, and inclination to trust the accuracy of computers under normal circumstances, all conspire to destroy the integrity of the election.

  • (Score: 0) by Anonymous Coward on Friday March 17 2017, @03:00AM


    really? too lazy to even google ....
    http://www.diffen.com/difference/Accuracy_vs_Precision [diffen.com]

    here's with colors in case you get too tired of reading:
    http://www.mathsisfun.com/accuracy-precision.html [mathsisfun.com]