Why don't ALL voting machines get fed a test batch of ballots before the election to prevent tampering/hacking?

9

1

... run a test batch of ballots through it (voting machine)

(Source: step 6.2 of Wisconsin's official vote recount manual, courtesy of Bobson's answer here).

As a software developer, this seems like an obvious (and extremely effective) step to ensure that a voting machine has not been tampered with / hacked. If you feed a test batch of ballots, with known count of expected results, you will know for sure if the machine is deviating in how it counts.

Obviously, a hack could theoretically be sophisticated enough to circumvent that (e.g. by only starting tampering at a certain time of after a certain "deductible" # of initial ballots are counted), but that still seems like a significant upgrade to anti-hacking/tampering capability compared to doing nothing at all.

As such,

Why don't ALL voting machines get fed a test batch of ballots before the election to prevent tampering/hacking? (as a required procedure before polls open).

this works even on machines where there are no paper ballots, because the inputs can be designed beforehand so you know the expected count without the need to check paper trail.

user4012

Posted 2016-11-25T16:52:17.807

Reputation: 84 347

2Just to be clear, i'm making an assumption here that they don't do that already. If they do, and there's proof of that, it's a very valid answer. – user4012 – 2016-11-25T17:09:57.837

Related: https://en.wikipedia.org/wiki/Certification_of_voting_machines

– SJuan76 – 2016-11-25T17:12:15.563

My cynical self tells me that, if you try to ensure the public that voting machines cannot be tampered with, doing tests may sound contradictory to it. My technical self tells me that the kind of people capable of pulling this would have access to all the testing procedures (which would be public as part of the electoral process anyway) and would factor those in. – SJuan76 – 2016-11-25T17:19:00.990

I haven't researched this, but I'd guess that there's no easy way to reset the machine. If there was, someone in the polling place could reset it by accident after people have voted (thereby losing those votes). The machines probably get tested after being set up for the election, before being sent to the polling places, but wouldn't be tested on the day of. Just guesses, though. – Bobson – 2016-11-25T20:24:13.443

3Hmm, reminds me of Volkswagen and clean diesel. Testing didn't seem to work too well in that case, if I remember right. – user2309840 – 2016-11-27T05:15:08.807

3@user2309840 - however, the takeaway from that fiasco wasn't "well, guess we shouldn't test then" :) – user4012 – 2016-11-27T20:07:08.513

2-1 Why are you assuming that that they don't? There is no implication here to the contrary. The fact that they give machines additional testing during a recount does not mean they did not do it before. I too am a programmer and I run a daily batch of regtests on my code. Would you expect the test results to change day-to-day? No, but once in a blue moon something funky happens even though I tested before. – David says Reinstate Monica – 2016-12-11T05:47:12.287

2"but that still seems like a significant upgrade to anti-hacking/tampering capability" - a time check is literally a single line of code. Anyone with the resources to hack a bunch of machines will implement that. – JonathanReez – 2017-06-10T12:46:50.350

Answers

3

This seems relatively easy to defeat.

if (ELECTION_DAY == date) {
    make_my_candidate_win();
    restore_executable_from_backup();
} else {
    count_results_correctly();
}

That said, that they run test ballots during a recount does not prove or even suggest that they don't do it before the actual election. If anything, it suggests that they do do it before the actual election, as they are clearly aware of it.

The greater problem is that without a paper trail, they can't detect what actually happened. If the count is altered and the altering code is then replaced, there is no way to detect that the count was altered. Even if the altering code is still there, unless you can work backwards from the given count to the real count, the count is spoiled. But working backwards is not always possible. E.g.

if (MY_CANDIDATE == selection || my_candidate_count <= other_candidate_count) {
    my_candidate_count++;
} else {
    other_candidate_count++;
}

Since that uses the current vote balance to determine whether or not to mess up the vote, you can't even tell if the code altered the count. If the first vote is for the right candidate and that candidate leads from then on, this code has no effect on the results.

This is a solvable problem. For example:

  1. Print ballot based on choices.
  2. Voter takes ballot and inserts in optical reader.
  3. Voter confirms that optical reader is showing votes as desired by voter.
  4. If not, destroy ballot and start over.
  5. If confirmed, drop ballot in box.

That can be reviewed and recounted by hand even. But it gives the advantages of computer control in making a valid selection and counting consistently.

Brythan

Posted 2016-11-25T16:52:17.807

Reputation: 86 095

Your steps for solving the issue seem straightforward, but there were reports in recent US elections that the voting machines were changing votes after the confirmatory stage, or between steps in the process.... Or were visual correct but recorded wrongly. – Moo – 2019-05-23T04:25:01.003

1Yes, which is why my system has a paper ballot that can be recounted rather than an electronic ballot that can be displayed differently than how it is recorded. To change after the confirmation step, this would require actually changing the ballot. To stop the exploit where both the ballot and reader are changed, the voter should check the ballot directly before putting it in the reader. – Brythan – 2019-05-23T07:02:17.580

1Why not just have the paper ballot and nothing else? That's how the UK does it - polling stations close at 11pm, counts go on through the night and we almost always end up with a rock solid result by around 5am. A few constituencies lag on, but the bulk are returned by 4 or 5am. – Moo – 2019-05-23T07:21:09.607

Because then someone can dispute how the ballot was counted, as happened in the US in Florida in 2000. The real problem there was bad ballot design. But since the election was close, they spent a lot of time arguing over whether voter intention was clear. A pure paper ballot can also be complicated if there are a lot of candidates, e.g. the sixteen in the 2016 Republican primary, the ten in the 2016 general election in some states, or the twenty-three at the moment in the 2020 Democratic primary. Both US and UK ballots are simpler due to first-past-the-post voting at the moment. – Brythan – 2019-05-23T07:28:24.370

Again, a problem with the approach (a machine to punch holes?! Why?!) rather than the idea of paper ballots. A simple mark in the right box should do it. We have no issues with significant numbers of ambiguous ballot papers in the UK, it just doesn't happen. – Moo – 2019-05-23T07:30:25.590

@Moo - that is patently inorrect. There are a TON of ways "mark" can be mishandled, by a combo of a marker and a reader. Look at any guide given to people taking multiple choice tests that lists like 5 "wrong" ways to mark. – user4012 – 2019-05-23T12:20:04.947

@user4012 why do we not seem to have any problem with it in the UK then? Are our electorate just not as stupid as those elsewhere or something? I don't get why British elections tend not to have problems with a manual voting process that people like you expect problems with... – Moo – 2019-05-23T19:51:05.640

@Moo - are close (and closely scrutinized, and hotly contested) elections common? US had a perfect s76storm of close election in Florida being decisive for the entire Presidency; coupled with crappy ballot design *just* where it mattered. – user4012 – 2019-05-23T19:52:51.840

@user4012 yes, we have close run districts, and I think there was a case recently where the election was won by a single vote. No drama, no legal battles, we just get on with it. – Moo – 2019-05-23T19:55:11.047

@Moo - did that election decide a single MP or a PM or party majority? Did it have a uniquely crappy ballot design at the same time? – user4012 – 2019-05-23T19:57:51.620

@user4012 a single MP, but that still matters to that MP. The US seems to have these issues regardless of whether it's a Presidential election, a congressional election or a primary, which is ... odd. – Moo – 2019-05-23T20:00:07.240

@user4012 also, define crappy ballot design - there have been complaints over ballot design before, but we have an independent electoral commission which handles all of that, and seemingly gets it right, so crappy ballot design is just another indication of a problem with the system in place, and not the overall approach. – Moo – 2019-05-23T20:01:54.823

@moo - I'm sure Florida 2000 election Wiki has particulars – user4012 – 2019-05-23T20:02:49.600

Good answer. The first part should make those that believe in voting machines very wary and the second part offers a way out. The question kind of becomes why those election system relying on voting machines are not using this paper trail scheme by default. – Trilarion – 2019-05-30T06:17:38.960