Failures that should not have happened

Three congressmen asked the GAO to investigate problems reported with e-voting. This is a good thing. When a plane crashes, crash investigators descend upon the scene to learn what went wrong so that it won’t happen again, and the results of their investigation are published for the world to learn from. We need the same mindset in electronic voting.

Some of these errors sound like the sort of failure that never should have happened with any well-designed voting system. In Ohio, news stories are reporting that close to 4000 imaginary ballots were erroneously created out of thin air as votes were transmitted to election headquarters, apparently because of a transmission error. If this is indeed what happened, it is troubling. In a well-designed computer system, undetected transmission errors should essentially never occur. Checksums and similar techniques should have been able to protect the integrity of the transmission against undetected errors. It is too soon to know what actually happened, and it would be premature to draw any conclusions, but I hope this failure will be investigated closely.

Meanwhile, in Broward County, Florida, software exhibited a surprising failure mode. Their mayor is quoted as saying: “The software is not geared to count more than 32,000 votes in a precinct. So what happens when it gets to 32,000 is the software starts counting backward.” Pretty wild stuff. (There aren’t enough details to know what is going on here, but could the real threshold be 32,767 (not 32,000) votes, could it be that the number wraps around after that to -32,768 rather than counting “backwards”, or could it be that the count was stored in a signed 16-bit int variable? This sounds like a pretty odd failure mode.) Meanwhile, the vendor is being blamed for not fixing this defect – apparently the same thing happened two years ago in a Broward County mayoral race. This is exactly the reason we need public investigations into e-voting failures. If we don’t investigate failures, then those failures will keep recurring, and eventually they may cause real harm.


The Ohio 4000 votes issue reminds me of the spontaneous bit-flip that led to 4096 votes being added to a single candidate’s votes in Belgium last year: details are at

Comment by Justin Mason — Friday November 05, 2004 @ 10:30 pm PST

It could be that negative votes are incrementally added to the tallies… that is, the incrementor is 1 until it gets to the upper bound and then the incrementor becomes -1. It’s probably the signed int overflow, though…

Either way, the device should have refused to scan any more ballots and displayed a meaningful error message.

Comment by joe — Saturday November 06, 2004 @ 12:51 pm PST

Sure sounds like a signed int overflow – if the display doesn’t show a minus sign (or if nobody knows what the little ‘-’ next to the number means), the count will appear to increment to 32768 and then count backwards.

Changing it to unsigned int only doubles the threshold – this really needs to be a long int. Computer memory’s not that precious!

Comment by Mathwiz — Tuesday November 09, 2004 @ 2:58 pm PST
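The signed 16-bit overflow hypothesised in the post and in joe’s and Mathwiz’s comments, as an added C example (not code from the original post, its commenters or any voting-system vendor): a naive int16_t tally wraps from 32767 to -32768, a display that drops the sign then appears to count backward, and a bounds-checked counter refuses the next ballot instead of wrapping. The wrap-on-conversion behaviour shown is what gcc and clang do, not a guarantee of the C standard.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Naive tally: the precinct count lives in a signed 16-bit int. At 32767 the
   next increment no longer fits. Converting 32768 back to int16_t is
   implementation-defined in C; gcc and clang wrap modulo 2^16 to -32768. */
int16_t naive_count(int16_t tally) {
    return (int16_t)(tally + 1);
}

/* What an operator sees if the display drops the minus sign: after the wrap
   the magnitude shrinks by one per ballot, so the count "runs backward". */
int displayed(int16_t tally) {
    return abs(tally);
}

/* Feed n ballots through the naive counter and return the stored tally. */
int16_t naive_run(unsigned n) {
    int16_t tally = 0;
    for (unsigned i = 0; i < n; i++) tally = naive_count(tally);
    return tally;
}

/* Hardened tally: check the bound before incrementing and refuse the ballot
   rather than wrap. The caller must stop scanning and show an explicit error.
   A wider type raises the limit; the check turns a silent wrap into a fault. */
bool safe_count(int16_t *tally) {
    if (*tally >= INT16_MAX) return false;
    (*tally)++;
    return true;
}

/* Run n ballots through the hardened counter; returns how many were accepted
   (equal to the final tally, since the count starts at zero). */
unsigned safe_run(unsigned n) {
    int16_t tally = 0;
    unsigned accepted = 0;
    while (accepted < n && safe_count(&tally)) accepted++;
    return accepted;
}

int main(void) {
    for (unsigned n = 32766; n <= 32770; n++)
        printf("%u ballots: stored %6d, shown %5d\n", n, naive_run(n), displayed(naive_run(n)));
    printf("hardened counter accepted %u of 40000 ballots, then refused\n", safe_run(40000));
    return 0;
}
```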