Friday, December 24, 2010
Wednesday, December 1, 2010
For some close races which had substantial interest, here are my preliminary percentages compared with the official results. Please keep in mind that the variances of 1/10 of a percent are very reasonable given that my count still needs to properly resolve over-votes -- where there were too many votes in a contest -- and is still missing approximately 150 sheets which were refused by the counting software. There are also a small number of very-lightly-marked ballots from which a very few additional votes will be harvested, but these should have little effect on the percentages.
Gallegos 52.0 vs county 52.08
Jackson 47.7 vs county 47.61
Eureka Ward 3
Newman 44.3 vs county 44.18
Kuhnel 42.0 vs county 41.95
Manns 13.5 vs county 13.59
Supervisor District 5
Cleary 49.1 vs county 49.04
Sundberg 50.5 vs county 50.38
As I mentioned in an earlier update, our percentages track the official percentages, which is what you'd expect. I will post my calculations of initial race percentages here, probably later today, so any interested parties can compare them with the official results.
As the Transparency Project only received the very last of the ballots on Tuesday, I don't plan on posting absolute numbers until at least a few days from now, after I've had a chance to rerun counting software, go through ambiguous votes, and look at some of the 350 images (out of 207,000+) that didn't get processed automatically.
Sunday, November 28, 2010
We hope to have our preliminary counts available by Tuesday, when the elections office certifies their results. Our incomplete results do not disagree with the official results in who has won and who has not.
Wednesday, November 17, 2010
Friday, November 12, 2010
Friday, October 29, 2010
Click here for complete paper.
One thing we did in our experiment was to ask a number of user satisfaction questions as a followup. An important question in this batch was: "Are you confident that the machine correctly recorded your vote?" The majority of voters were very confident. Curiously, this confidence did not go down much when we rigged the machine to flip the votes for McCain and Obama.
Why? First, note that half the voters did not notice this switch (emphasis added). People felt strongly about their presidential preference, but people, in general, are not very good at proofreading. The summary screen that comes up at the end of the voting session clearly showed McCain for the Obama voters and visa versa, yet they did not notice.
Among people who did notice, the usual reaction was "Huh?" and then they went back to fix the problem. In general, people assume that the machine is right and assume that it was their error, not the machine's dishonesty. Only a small fraction of our voters
(or more properly, experimental subjects) commented on the fact that we'd flipped their votes.
This has important consequences for the real world. Most people do not complain when there is a problem. They assume that it was their mistake and go back and fix it. I assume that things would be different if the machine did not let them fix the vote flip, but if the machine lets them fix it, the fact that some voters are complaining suggests that there may be far more voters who notice the problem and are silent, and that even more voters may have had their votes flipped but didn't notice the problem.
Friday, October 8, 2010
Wednesday, October 6, 2010
University of Michigan Prof. Alex Halderman has now released some details about his successful attack on the District of Columbia's proposed Internet voting system which has been under test for the last week. (See www.freedom-to-tinker.com.) It is now clear that Halderman and his team were able to completely subvert the entire DC Internet voting system remotely, gaining complete control over it and substituting fake votes of their choice for the votes that were actually cast by the test voters. What is worse, they did so without the officials even noticing for several days.
Let there be no mistake about it: this is a major achievement, and supports in every detail the warnings that security community have been giving about Internet voting for over a decade now. After this there can be no doubt that the burden of proof in the argument over the security of Internet voting systems has definitely shifted to those who claim that the systems can be made secure.
Computer security and election experts have been saying for over 10 years that the transmission of voted ballots over the Internet cannot be made safe with any currently envisioned technology. We have been arguing mostly in vain that:
1) Remote attack: Internet voting systems can be attacked remotely by any government, any criminal syndicate, or any self aggrandizing individual in the world.
2) Effective defense virtually impossible: There are innumerable modes of attack, from very easy to very sophisticated, and if anyone seriously tried to attack an Internet election the election officials would have essentially no chance at successfully defending. The election would be compromised
3) Attackers may change votes arbitrarily: An attack need not just prevent people from voting (bad as that would be), but could actually change large numbers of votes, allowing the attackers to determine the winner.
4) Attacks may be undetected: An attack might go completely undetected. The wrong people could be elected and no one would ever know.
Prof. Halderman demonstrated all of these points:
1) Remote attack: His team of four conducted their attack remotely, from Michigan, via the Internet, without ever getting near Washington, D.C.
2) Effective defense virtually impossible: Although they were restricted from most modes of attack (which would be illegal even in this test situation), they still succeeded in completely owning (controlling) the voting system within about 36 hours after it was brought up, even though they had only 3 days of notice of when it would start. They happened to use one particular small vulnerability that they identified, but they are quite confident that they could have penetrated in other ways as well. Most likely they were the only team to even attempt to attack the system seriously; yet in a real election with something important at stake multiple teams might attack. The fact that the only team that even tried succeeded so quickly is a demonstration lots of other groups from around the world could also have done it.
3) Attackers may change votes arbitrarily:They not only changed some of the votes, they changed them all, both those cast before they took control of the system and those cast afterward. There is no way that officials can restore the original votes without the attackers' help.
4) Attacks may be undetected:The attack was not detected by the officials for several days, despite the fact that they were looking for such attacks (having invited all comers to try) and despite the fact that the attackers left a "signature" by playing the Michigan Fight song after every vote was cast!
This successful demonstration of the danger of Internet voting is the real deal. It doesn't get any better than this, people.
Alex Halderman, his graduate students Eric Wustrow and Scott Wolchok, and their colleague Dawn Isabel, all deserve enormous credit, congratulations, and thanks.
Saturday, July 3, 2010
No contests are at issue.
It may be a while before the scans are available. For many precincts, only one or two ballots were cast for some parties. Because these ballots could be used to identify an individual voter, we will need to remove them before releasing the set of scans.
Wednesday, June 23, 2010
We will scan the last ballots as they are made available to us from the elections office, which is still doing operations like checking provisional ballots.
Ballot scans and an independent count should be available around the end of June.
Sunday, June 13, 2010
These are 8.5 x 17 ballots. Although the scanner processes them at a rate of 2,500 or so double sided ballots per hour, we're finding a typical throughput of 1,000 per hour.
Saturday, February 20, 2010
The vote-buyers took advantage of some confusion caused by new voting machines the county had that year, White said. The machines had a "Vote" button that people could push to review their choices, then a second button they had to push to record the choices and finish voting.