precedence: bulk Subject: Risks Digest 21.12 RISKS-LIST: Risks-Forum Digest Saturday 11 November 2000 Volume 21 : Issue 12 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: Sanity in the Election Process (Lauren Weinstein and Peter Neumann) Statement by Don A. Dillman on Palm Beach County Florida Ballot (Rob Kling) Florida vote counts (PGN) The end of the Multics era (PGN) Excessive bounce activity and lost messages (PGN) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Sat, 11 Nov 2000 13:29:47 -0800 (PST) From: Lauren Weinstein Subject: Sanity in the Election Process Lauren Weinstein Co-Founder, PFIR - People For Internet Responsibility Moderator, PRIVACY Forum Member, ACM Committee on Computers and Public Policy Peter G. Neumann Co-Founder, PFIR - People For Internet Responsibility Moderator, RISKS Forum Chairman, ACM Committee on Computers and Public Policy FOR IMMEDIATE RELEASE "Sanity in the Election Process" November 11, 2000 The continuing controversies over the results of the recent U.S. Presidential election, particularly concerning the vote in Florida, have now apparently begun to hinge on technical issues relating to voting systems and ballots, especially in terms of machine vs. manual recounts, voting irregularities, voter confusion and complaints, and other related issues. We feel that several critical points are being misunderstood or misrepresented by some parties to these controversies, particularly in light of Governor George W. Bush's campaign having taken federal court actions attempting to block manual recounts of the vote in several Florida counties. Regardless of the outcome of those particular court actions, the following points are crucial to consider. 1) As is well known to election officials and voting system vendors, but historically not advertised to the public at large, all voting systems are subject to some degree of error -- electronic and mechanical systems alike. Punchcard-based systems are no exception, for which a variety of known problems can occur. These include poor ballot layout (currently a major issue regarding the "butterfly" Palm Beach County ballot), machine reading errors (often relating to incompletely punched ballot selections, usually in the form of "hanging chad"), paper fatigue, and other problems. In general, so long as the interested parties both have observers participating in manual recounts to assure a consensus on the interpretation and tabulation of the cards, manual recounts provide the MOST reliable mechanism for counting these cards accurately, particularly due to the common hanging chad problem which often reads as "closed" (no vote) when processed through automatic reading machines. Indeed, manual counting is still prevalent today in England and Germany. It is true that manual recounts tend to boost the number of votes counted, again due to hanging chad and other problems noted above. This suggests that if concerns are present regarding the fairness of a manual recount only in particular counties, the obvious solution is to manually recount in ALL Florida counties, and to manually count ALL votes (not just a sampling). Yes, this will be slow, and potentially expensive. But if the will of voters is not to be subjugated to technical flaws over which they have no control, this would be the only fair course. 2) While all voting systems have "normal" error rates, these errors typically are not of great significance so long as the margin of victory is significantly larger than the error rate, which is usually the case. However, this does NOT suggest that systemic errors in the voting process are of insignificance and can simply be discarded in close elections where the error rate DOES matter. In particular, the Palm Beach situation from the VERY START of election day showed all the earmarks of systemic problems. Voters complained of ballot confusion in great numbers, harried precinct workers provided conflicting and apparently often inaccurate information to voters about the ability or inability to correct spoiled ballots or other ballot errors, and warnings regarding the confusing ballot situation failed to even reach all affected precincts, among other obvious problems. These problems occurred all through election day in Palm Beach County. The statistically anomalous results of the voting in that area regarding votes received by the Reform Party candidate Pat Buchanan would appear to further validate this analysis -- the dramatic vote skew observed clearly does not result from "normal" voting errors that can be reasonably discounted or ignored. Unlike the typical error rate expected in most elections where significant quantities of voter complaints are not received, the Palm Beach situation, with its extremely atypical and alarming set of complaints and problems throughout election day, would appear to put those votes in a category that cannot be simply swept under the rug, and that appear to be deserving of immediate redress, adjustment, and/or revoting. These widespread voting problems in Palm Beach County were clearly not the fault of "inept" or "moronic" elderly voters, as some persons have arrogantly suggested. 3) Attempts to short-circuit the process of correcting the injustices and technical problems discussed above, through calls for rapid "closure" or the simple accepting of inaccurate and unjust results (particularly in Palm Beach County) "for the sake of the country" should be rejected. We should not attempt to resolve this situation through quick "solutions" or calls for concessions. These same issues would be present even if the candidates' current positions were reversed. The critical questions shouldn't even be focused on the candidates at all, but rather on the VOTERS themselves, who appear to have been shortchanged by technical issues, procedural problems not under their control, and now by attempts by politicians to hurriedly dispose of this mess through vague references to the public good -- a route that would leave the affected voters effectively disenfranchised. There are two efforts that need to take place. First, the problems of this particular election, as discussed above, need to be dealt with in a deliberate and fair fashion. If that involves courts, manual recounts, and revoting, both inside and perhaps outside Florida, so be it -- they're all part of the procedures that we have in place. Let's get it right -- we should not be treating voters as disposable peons. If we do not take a proper course, whoever ends up in the White House will be viewed by at least half of the U.S. population, and probably much of the world, as not wholly legitimate. Secondly, we need to look long and hard at the election process around this country, taking note that calls for radical departures from current widely-used systems must be viewed with extreme care and skepticism. In particular, Internet voting must be considered to be extremely problematic (please see the PFIR Statement on Internet Voting - http://www.pfir.org/statements/voting, and "Hacking the Vote" - http://www.vortex.com/reality/2000-11-08). One major reason to look skeptically upon these hi-tech systems is that their potential reduction in voter privacy and lack of rigorous audit trails fail to allow true recounts to occur when the integrity of the voting process is called into question, and such questions can arise in electronic as well as mechanical voting environments. We stand at a crossroads where the existence of fundamental flaws in our election system have finally been exposed to the public. It is no longer tenable for the powers that be, with a gentleman's agreement or a nod and a wink, to steamroll over these flaws -- and the will of voters -- for the sake of convenience and expediency. We can start down the path toward ensuring genuine fairness and integrity in the voting process by making sure that the election of last Tuesday is resolved in a manner that not only serves the candidates, but more importantly the will of the voters themselves. = = = = Lauren Weinstein lauren@pfir.org (818) 225-2800 Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org Moderator, PRIVACY Forum - http://www.vortex.com Member, ACM Committee on Computers and Public Policy Peter G. Neumann neumann@pfir.org (650) 859-2375 Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org Moderator, RISKS Forum - http://catless.ncl.ac.uk/Risks Chairman, ACM Committee on Computers and Public Policy http://www.csl.sri.com/neumann ------------------------------ Date: Fri, 10 Nov 2000 16:49:44 -0500 From: Rob Kling Subject: Statement by Don A. Dillman on Palm Beach County Florida Ballot Statement by Don A. Dillman on Palm Beach County Florida Ballot November 9, 2000 Several people have asked for my opinion on whether the format of the November 7, 2000, general election ballot in Palm Beach County, Florida, resulted in more people voting for Buchanan that had intended to do so. This statement is in response to those requests. I cannot say with certainty whether the format of this ballot affected a certain number of people who thus voted by mistake for Pat Buchanan, while intending to vote for another candidate. That would require knowledge of what specific people did in the voting booth Tuesday, which I don't have. However, based on my experiences and past research concerning how the visual format of questionnaires affects respondents to surveys, I believe it is likely that certain visual features of the ballot resulted in some individuals who wished to vote for Gore inadvertently punching the second hole in the column, thus resulting in a vote for Buchanan. These visual attributes may also have resulted in double punches as people attempted to correct their error. However, I do not think that voters who intended to vote for Bush were similarly affected. I believe this outcome occurred because of the joint effects of several undesirable features of the Palm Beach County ballot, rather than a single attribute. These factors include: (1) the listing of some candidates for President on the left-hand page of the ballot, while others were listed in a separate group on the right-hand page; (2) use of a single column of circles between the pages to register one's vote, regardless of which page contained the candidate's name; (3) the lack of familiarity some people may have had with how to answer a punch ballot printed in this format; (4) the likelihood that most people knew which candidate they wanted to vote for prior to seeing any of the choices on the ballot; (5) the location of the presidential choices on the first pages of the ballot; and (6) the visual process people typically follow when registering preferences on a survey questionnaire or election ballot when it is unnecessary to read all choices (names of presidential candidates, for example) before registering one's vote. In order to mark their ballot, it was necessary for people to insert their paper ballot underneath the booklet that showed the ballot choices. They were then required to use a stick-pin answering device to punch through a circle on the ballot to make a hole in the paper ballot. When people open and/or begin to read material printed in a booklet format, they tend to look first at the left-hand page and focus their attention there. Because this is a ballot in which most people expect to vote on most or all of the choices, it is also likely that they would expect to answer the questions in order. It is therefore likely that many voters began reading the left-hand page without first looking at the second page and seeing what material was printed there. Thus, they may have been unaware that some of the candidates for president were listed on the opposite page. Most people who completed the ballot knew who they wanted to vote for prior to reading the list of names. Thus, rather than attempting to read all of the answer possibilities before marking their choice, they simply looked for the name of the candidate for whom they wished to vote. The typical procedure would be to start at the top of the list and read downwards until the preferred candidate was found. After reading the first candidate's name (Bush) on the left-hand page, people who wanted to vote for him should have been guided to the answer column by the number and an arrow. That circle was also the first (or top) circle in the answer column. It therefore seems quite unlikely that the voter would by-pass the first circle and mark the second circle, thereby voting for Buchanan, by mistake. In contrast, people who wanted to vote for Gore, and had just seen Bush's name, would be expected to go straight down the page as they searched for Gore's name. After finding it, people are likely to have moved their fingers and thumb that held the stick-pin punching device to the appropriate punching location. It is likely that in the process of doing this some people (particularly those who are right-handed) did not see the number and arrow pointing to the appropriate answer circle because it was obscured by their hand. They may have also concluded that the second hole in the column was the correct one to punch, simply because Gore was the second candidate on the page. Thus, both the locational feature (being second) and mechanics of answering seem likely to have worked together in a way that led some people to inadvertently punch the second hole (Buchanan choice) rather than the third hole (Gore choice). The possibility that some circles in the column of possible answers applied to Buchanan (on the next page) is unlikely to have occurred to some respondents. It is most unusual for any ballot or questionnaire to list choices to the first page to the right of the names, while choices to the second page are listed to the left of the names, and in addition to have all of them listed in a single column. Therefore, I would expect that some respondents had no idea that any of the choices in the answer column applied to the next page instead of to the candidates on page one. This problem was accentuated by the presidential preference being listed on the first page of the ballot, before the respondent had figured out, through experience, exactly how the ballot worked. It does seem likely that some respondents who marked the second circle would have noticed that it was not aligned with the Gore box in the same way as the first circle was aligned with the Bush box. However, among those who noticed the different alignment this feature may have been discounted, because of their having to link together physically separate components (the actual paper ballot and the booklet listing candidate names) and the association of the second circle in the column with the second candidate (Gore) choice. I would also expect that some ballots were double punched (Gore and Buchanan) as voters started to punch the second circle, realized they were making an error, and attempted to recover from it. Despite the visual and mechanical problems that individually and jointly increase the likelihood that Gore preference voters unintentionally and unknowingly voted for Buchanan, the nature of the problem is such that it would not affect most voters. Most people are able to "figure-out" how to answer questions when they are presented in a visually inappropriate way, as was done in this situation. However, I am also confident that some Gore-preference voters would have made the error described above. At the same time, and for the reasons described above, Bush-preference voters were not likely to make the same mistake. Don A. Dillman is the Thomas S. Foley Distinguished Professor of Government and Public Policy at Washington State University in Pullman, Washington. The opinions expressed here are his own and should not be attributed to his employer, Washington State University, or to the American Association for Public Opinion Research, for which he now serves as Vice-President and President-Elect. Background on the theory and research that lead to the interpretations reported here are published in Chapter 3 of Dillman, Don A. 2000 Mail and Internet Surveys: The Tailored Design Method, New York: John Wiley; and Jenkins, Cleo R. and Don A. Dillman 1997 "Towards a Theory of Self-Administered Questionnaire Design," Chapter 7 of Lyberg, Lars, et al., Survey Measurement and Process Quality, (pp.165-196,) New York: Wiley Interscience. Don A. Dillman, Social and Economic Sciences Research Center and Departments of Sociology and Rural Sociology, Washington State University Pullman, WA 99164-4014 phone: 509-335-1511 fax: 509-335-0116 e-mail: dillman@wsu.edu http://survey.sesrc.wsu.edu/dillman/ ------------------------------ Date: Fri, 10 Nov 2000 10:23:07 PST From: "Peter G. Neumann" Subject: Florida vote counts The recount in Florida presents another interesting lesson in risks in the election process. * The recount in Palm Beach County increased the totals for Gore (+751) and Bush (+108). * An entire precinct had been left uncounted. The ballots had been run through the card reader, but the operator had pressed CLEAR instead of SET. (The recount gave Gore +368, Bush +23.) * In Deland, Volusia County, a disk glitch caused 16,000 votes to be subtracted from Gore and hundreds added to Bush in the original totals. This was detected when 9,888 votes were noticed for the Socialist Workers Party candidate, and a new disk was created. (The corrected results were Gore 193, Bush 22, Harris 8.) * The day after the election, an election worker discovered a sack of about 800 ballots in the back of his car that obviously had not been included in the official results. * Voting cards failed to fit properly in the slots of some voting machines in Osceola County, giving 300 votes to the Libertarian candidate (where only 100 Libertarian voters are registered). Misaligned card machines have long been a source of errors. * In Pinellas County, election workers were conducting a SECOND recount after the first recount gave Gore more than 400 new votes. Some cards that were thought to have been counted were not. [Source: Democrats tell of problems at the polls across Florida, *The New York Times*, 10 Nov 2000, National Edition A24] Punched cards are inherently subject to differences on successive recounts. Hanging chad is clearly a problem, and successive mechanical recounts normally change the results each time. Human inspection is typically necessary to resolve conflicts. Although electronic voting systems reduce the mechanical uncertainty that sometimes makes recounts necessary in punched-card elections, they also introduce different uncertainties in the integrity of the election process, and particularly in the integrity of the computer systems. Certainly, hanging chad problems, paper fatigue, and tampering with punch cards would disappear, and recounts would be unnecessary: votes could be tabulated only as originally entered. But many new problems are also introduced. The opportunities for accidents and fraud are transformed into different categories -- such as tampering with software development and operation. And the desire for voter privacy is fundamentally in conflict with any requirements for accountability (e.g., audit trails). In the Florida case, we still have to wait for the absentee ballots, and any possible further recounts in other states. ------------------------------ Date: Wed, 8 Nov 2000 20:09:31 PST From: "Peter G. Neumann" Subject: The end of the Multics era Now that the very last Multics system has been decommissioned (last month, the Canadian Department of National Defense 5-processor configuration in Halifax), I am reminded of the primary goals of Multics expressed in the 1965 Fall Joint paper by Corbato' and Vyssotsky, in which nine major goals were stated (courtesy of a note from John Gintell): * Convenient remote terminal use. * Continuous operation analogous to power & telephone services. * A wide range of system configurations, changeable without system or user program reorganization. * A highly reliable internal file system. * Support for selective controlled information sharing. * Hierarchical structures of information for system administration and decentralization of user activities. * Support for a wide range of applications. * Support for multiple programming environments & human interfaces. * The ability to evolve the system with changes in technology and in user aspirations. These principles became fundamental to the Multics development and operation for the 35 years from 1965 until 2000. They are still relevant today, and they are still not as widely observed as they should be. So, to commemorate the final resting place of Multics, it seems appropriate to reiterate them here. For background, check out Tom Van Vleck's Multicians Web site: http://www.multicians.org PGN ------------------------------ Date: Fri, 10 Nov 2000 16:28:53 PST From: "Peter G. Neumann" Subject: Excessive bounce activity and lost messages Excessive bouncemail activity from RISKS-21.11 (despite the fact that I had just removed over one hundred apparently bad addresses in the previous days resulting from bounces on previous issues) apparently blew our mail system for a while. In addition, while trying to cope with the many hundred new bounces, I inadvertently deleted some RISKS messages received on 9 November; those that I know about included Ed Reid, Joyce Scrivner, John Mainwaring, Peter Campbell, Tim Panton, Peter Smith, and Richard Cochran, although there were undoubtedly others. Apologies. PLEASE try to use majordomo to UNSUBSCRIBE from an address that is about to go away BEFORE it goes away. Also, please check the RISKS Web sites if you have not received a message for a very long time and fear that your subscription might have been terminated -- especially if your own mailer has had a long outage (in which case you may indeed have been removed). (I have not yet installed the majordomo automated list-pruning facility, concerned for risks of overagressive removal.) PGN ------------------------------ Date: 15 Aug 2000 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 20" for volume 20] http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. http://the.wiretapped.net/security/textfiles/risks-digest/ . ==> PostScript copy of PGN's comprehensive historical summary of one liners: illustrative.PS at ftp.sri.com/risks . ------------------------------ End of RISKS-FORUM Digest 21.12 ************************