Bill & Megan Buhler

BillAndMeganB.com

Addressing the integrity of electronic voting at the Republican State Convention 2012

Background on the new system:

For the first time in state history the Republican Party is using an electronic voting system. Each delegate will be issued a keypad that can wirelessly transmit their votes. Each keypad has a unique serial number that isn't tracked by the party (if it was tracked it would ruin the anonymous nature of the polls). When it is time for a vote the delegate will select a number corresponding with a list projected to all delegates. They will have a two minute window to make their selection. Final selection wins (in the case of hitting multiple buttons). When a button is pressed it appears on the screen of the device and a light turns on when it was successfully transmitted.

The problem:

There is no true delegate-verifiable trail between the delegate's vote and how the ballot was recorded. In other words, I as a delegate have to trust that the light truly meant that my vote was received and recorded correctly, not changed or omitted by error or malicious intent. We are told to trust that everything worked correctly, despite a history of more than a decade of errors with voting machines of all types. This is why the Utah State government required that their voting machines print out a paper record, to create a voter-verified audit trail.

The solution:

As each keypad has a unique serial number, I propose that delegates be given the opportunity to voluntarily confirm that their vote was handled correctly. This could be by finding their serial number on a list posted somewhere, at computer stations set up for that purpose, or even on a high-capacity Wi-Fi network with a simple website where a delegate could key in their serial number and see the result.

This should happen after the polls close, but before the vote is certified. I suggest starting with fifteen minutes allocated for delegate ballot verification, during which speeches unrelated to that round of balloting could be given to move the agenda along. I would add that if either public lists or verification stations are used, results shouldn't be certified until the lines have ended.

If a vote is determined to be wrong by a delegate, they will be allowed to contact a pair of election judges who will have power to record their previous ballot as invalid (spoiled), and record their new vote in its place with signatures by all involved.

If there are more spoiled ballots than the smallest margin of victory of any candidates that would either win or move forward to another round of voting, then the election judge will declare the round invalid and allow the delegates to vote by acclamation on retrying electronically, switching to paper for that round, or switching to paper for the remainder of the convention.

If using paper lists, the results will be broken up across at least thirty pieces of paper to reduce the ability of any group to forecast the final results during the validation phase. This will also speed up delegates checking the lists, as there will be more, shorter lines.

If using computer stations, each voter would enter their serial number and see their recorded ballot. The pressure of other people waiting to use the station would discourage experimentation. If the keypads had barcode labels with their serial numbers on them, the stations should consist of barcode scanners and a screen, no keyboard, making it simple for the delegates to see their result and only their result.

Finally, if using wireless / a website, the website will place a cookie on each delegate's web browser to prevent multiple queries to scope out the election results early. Ideally the network would be a private Wi-Fi network with over 6,000 available IP addresses to accommodate the number of devices that delegates could bring with them (some delegates might have phones as well as tablets and laptops, which they might move back and forth between as they attempt to find their preferred device).

The results reported to the delegates would be a copy of the file the election system generated. A SHA1 hash fingerprint would be taken of that file when it was generated and certified by the election judges before it was loaded to the website. After the results are certified by the election judges, the hash and file would be made available to the delegates and candidates to perform their own recounts as soon as the round is declared; it would not include contested ballots. The use of a SHA1 hash fingerprint allows people to ensure their data file has not been tampered with after the election judge took the fingerprint. If a recount is called and the fingerprints don't match, we know that modifications were made to the initial data. A second file would be available with the spoiled ballots removed and their corrected votes included; it would also be fingerprinted and available, with the paper declarations of spoiled ballots, at party headquarters if a recount is desired by a candidate or other member of the party.
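As an added illustration of the fingerprinting, correction and lookup steps described above (example code written for this page, not the author's own program or anything used by the party), in Python. The file layout ("serial,choice" per line), the serial numbers, the spoiled-ballot correction and the per-device query limit are all assumptions constructed for the example.

```python
import hashlib

# Constructed sample: keypad serial -> selection number, as the election
# system might export it after a round closes (one "serial,choice" per line).
RESULTS = {"KP-000101": 2, "KP-000102": 3, "KP-000103": 2, "KP-000104": 1}

def to_results_file(results):
    """Serialise deterministically so identical data always hashes the same."""
    lines = ["%s,%d" % (s, c) for s, c in sorted(results.items())]
    return ("\n".join(lines) + "\n").encode("utf-8")

def fingerprint(data):
    """SHA1 fingerprint the election judges certify before the file is published."""
    return hashlib.sha1(data).hexdigest()

def verify(data, certified_fingerprint):
    """A delegate or candidate checks that the copy they received is unmodified."""
    return fingerprint(data) == certified_fingerprint

def apply_spoiled(results, spoiled):
    """Second file: spoiled ballots replaced by the corrections the judges
    recorded from the signed declarations (serial -> new choice)."""
    corrected = dict(results)
    for serial, new_choice in spoiled.items():
        if serial not in corrected:
            raise KeyError("no recorded ballot for %s" % serial)
        corrected[serial] = new_choice
    return corrected

def tally(results):
    """Independent recount from the published file."""
    counts = {}
    for choice in results.values():
        counts[choice] = counts.get(choice, 0) + 1
    return counts

def lookup(results, serial, device_queries, limit=5):
    """Verification-site query: one serial per request, capped per device
    (device_queries = queries this device already made) to deter early tallying."""
    if device_queries >= limit:
        return None
    return results.get(serial)

if __name__ == "__main__":
    original = to_results_file(RESULTS)
    fp1 = fingerprint(original)  # certified by the judges before publication
    tampered = original.replace(b"KP-000104,1", b"KP-000104,2")
    print(verify(original, fp1), verify(tampered, fp1))  # True False
    corrected = apply_spoiled(RESULTS, {"KP-000103": 3})  # constructed correction
    print(tally(RESULTS), tally(corrected), fingerprint(to_results_file(corrected)))
```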


FAQ:

Q. If delegates care, why not go to Republican Headquarters the Monday following the election and independently audit their votes?

A. While it is true a delegate could take additional time from their lives to audit their votes after the fact, the ability to correct any errors in the record at that time is close to impossible. Short of having delegates nearby witness their choices and sign affidavits, the average delegate would have no proof of what their vote was. Even with affidavits, which I recommend if they won't correct the issue despite the violation of the privacy of the vote, the only recourse is a lawsuit, which is costly to the party at a time when we should be supporting our candidates in the upcoming general election, not fighting over the convention results.

Also, delegates wouldn't know what other delegates had issues, limiting their effectiveness in the courts. The damage is done: if a candidate was incorrectly eliminated in an early round of voting, how would the effects be corrected fairly? It also puts an undue burden on those who have traveled many hours to be at the convention to check their votes, or who have regular employment during the hours that headquarters is open.

In short, this policy by the party leadership could allow an election to be stolen with little recourse for the delegates. This is what makes the current e-voting system so dangerous.

Q. What if delegates want to sabotage the voting system and falsely claim that their vote was misreported or not recorded?

A. Each delegate is there to have a voice, and I expect that all have a vested interest in which candidates are elected, or they wouldn't waste their time at the convention. However, if they desired to cause problems, allowing them to certify what their vote was supposed to be takes away any later ability they have to challenge the results, as they certified their choice to two election judges. It would take a fair number of people to cause the balloting to be thrown, since each person will be around 1/4000th to 1/5000th of the total voice of the delegates, or 0.025 percent; in other words, forty to fifty delegates per percentage point.

Q. Do you realize how prone to tampering paper ballots are? Why are you demanding a higher level of assurance than paper voting has ever given us?

A. It is true that paper ballots have been tampered with in the past, and that is one of their flaws. Electronic voting can add a higher level of assurance, but only if it is completely transparent, so we know that our vote truly counts. With voluntary certification by the delegates we have a chance for true confidence that the results are accurate. Without it we are being told to blindly trust a system. At least with a paper ballot we can do some observation. With this form of electronic voting it is opaque until the results are declared. That is not a good system to put trust in.

Q. Won't this just waste a lot of time at the convention? We could have voting take just two minutes per round.

A. Many delegates are suspicious of this new technology; after seeing their votes recorded accurately, they will probably only verify the results they care about most, minimizing the amount of time taken up by independent verification. Even if each delegate took many seconds to find their result on a list, we would still have faster results than the paper system took. The fact that they can view the results gives a strong disincentive to manipulate the data in the back room; the availability of verification will increase faith in the system and the desire to contest everything.

Q. You propose trusting a quickly written program to be accurate when you don't trust the machines and software written by a large corporation?

A. I trust the website to show me what was in a file. If the website had a bug and showed the wrong results, we could quickly ascertain that the spoiled ballots are really incorrect responses from the website. We don't suggest having any voting happen on the website, or certification by the delegate on the website that their ballot was spoiled. That should be done in person, with the delegate's signature as well as the election judge's signature. Thus the website needs to accurately display information, not record it. This is a much lower bar. As for a large corporation writing perfect software, how many patches are released each year by Apple, Cisco, IBM and Microsoft? Software has bugs and mistakes are made; to suggest otherwise would be irresponsible.

Q. Why do you suggest a wireless network? Not every delegate will have access to the equipment necessary to confirm their vote.

A. If the network were up to the challenge and delegates came prepared, no system would work faster, as the delegates could verify from their seats. I propose that the website allow a limited number of queries per device, so that delegates with devices could look up results for the delegates around them (probably five to ten queries per ballot).

Q. We are talking thousands of delegates. Is it even possible to build a network / website that could handle the load of all of the delegates checking their results?

A. Many wireless systems would have trouble, but it is possible to build a managed Wi-Fi network that could accommodate that many private nodes. Such a network should not have an Internet connection, to minimize traffic, and the website should be made as light as possible; if it were text only, or had only non-changing graphics, the load of four to six thousand devices is actually achievable over a few minutes.

A text-based query form would use around 10KB of total bandwidth. With around 5000 delegates that's 51.2MB; an 802.11b network can easily push 30MB per minute (figuring a two-bit-per-byte overhead, or ten bits per byte), so it would take 1 minute 42 seconds. If you were to set up multiple network access points, the bandwidth would increase in proportion to the number of access points. If you used more advanced clients (such as 802.11g and 802.11n devices), the bandwidth would increase even more. So it is possible to build a dedicated Wi-Fi network that could serve this purpose within a minute. The key is limiting traffic on the network to just ballot verification, which is achieved by not connecting it to the Internet. It is also key to have reliable network access points, but there are one or two commercial systems that could handle the large number of connections and provide good performance, such as Meru Networks technologies.

It is possible, if we acted quickly, that one of the big dogs in the corporate wireless arena would be willing to loan a demo network to prove how robust they are. I have a vendor that claims to be perfect for this, and I suspect I could get them to put their money where their mouth is.

Finally, a Wi-Fi network is just one way to solve this issue. Honestly, paper is cheap and easy if they were to split the votes over multiple pages and let us walk over and check the appropriate list. A Wi-Fi network would simply be the fastest way to verify the information.

Q. If everyone can look at the results before they are officially declared, wouldn't it violate the integrity of the election?

A. This is why I suggest that the verification phase come after the polls are closed. It is also why a website would require you to enter the serial number you want to check, and limit the number of results returned. In the case of paper, the number of delegates means a list will be twenty to thirty pages, which will prevent someone from easily counting votes and calculating a winner manually during the verification phase.

Q. Isn't it too late to implement the fix?

A. I believe it will soon be too late, hence my speaking about it now. Adding vote verification can be done many ways and I've volunteered to donate my company's resources to assist, but I will need a few days to execute if they want to use them.

It is better to attempt something now than do nothing.