The debate over electronic voting is more contentious than presidential politics. Proponents believe that e-voting, in which votes are cast, recorded and counted electronically, will ensure the integrity of our election system, streamline election administration, and finally deliver on the promise of the secret ballot to the blind and other Americans who have not been able to vote unassisted at many polling places. But a vocal group of computer scientists is sounding the alarm that e-voting is too rife with security gaps, software bugs and procedural lapses to entrust with the linchpin of our democracy.
The only point the two sides seemingly agree on: E-voting is coming soon to a polling place near you. According to Election Data Services, close to 20 million registered voters used electronic voting systems in 2000. That number will leap to more than 50 million this November. That rollout will not be without incident, however. In April, California Secretary of State Kevin Shelley banned the use of a touch-screen system from Diebold Election Systems Inc. in four counties that recently purchased the machines, citing the use of uncertified software. For all other touch-screen machines, California is requiring vendors to adhere to a new set of regulations, including providing a voter-verified paper audit trail and access to source code upon request. In addition to more stringent standards from vendors, California will require polling places to provide paper ballots to voters who request them.
The mess in Florida following the 2000 presidential election shone an unforgiving light on the problems with existing voting systems, down to the last hanging chad. In Palm Beach County alone, more than 29,000 punch-card ballots were thrown out; 19,000 from citizens who unwittingly selected more than one presidential candidate, and another 10,000 from people who either didn’t select a candidate or didn’t clearly punch out a vote. That was a monumental failure in a race that was ultimately decided by a margin of 537 votes out of nearly 6 million cast. Congress responded with the Help America Vote Act of 2002 (HAVA), legislation that authorizes up to US$3.9 billion (US$2.3 billion of which has already been appropriated) for overhauling the federal election system. Concerned computer scientists say that pot of money is fueling a rush of vendors to offer e-voting technology without paying sufficient heed to principles of creating secure software systems.
The United States’s standing in the world as the beacon of democracy is being undermined by our antiquated voting systems. When Secretary of State Colin Powell criticized Russia’s March election because media access was denied to challengers of President Vladimir Putin, Putin was quick to refer to flaws within our own election process. “Four years ago,” he said, “we watched in bewilderment how the U.S. election system was failing.” With the stakes high — the current presidential race is shaping up to be as closely fought as the 2000 contest — we can’t afford to rely on systems that do not accurately convey the intent of the voters.
As Election Day 2004 approaches, the rhetoric surrounding e-voting and its main points of contention will only increase. At the heart of the matter is ensuring that each voter’s intentions are accurately captured, tallied and preserved. Florida and subsequent fiascos prove the old methods have failed in this, and electronic voting offers a possible solution to the problem. But first, three key challenges must be addressed: how to provide reliable audit trails that will help prevent fraud and ensure an accurate recount (should one be necessary); the security risks associated with software and electronic transmission of data; and the enormous challenge of training approximately 173 million registered voters of wildly varying education levels and technical sophistication in how to use the new systems. While proponents and critics disagree on how best to implement e-voting systems, there are clear front-runners to fixing the most worrisome problems.
Challenge #1: Create a Reliable Audit Trail
What’s at stake: The ability to verify votes in the event of a recount
Best fix: Provide a paper trail to accompany electronic votes
“The big issue in any election is auditability,” says Doug Jones, associate professor of computer science at the University of Iowa. As he describes it, an auditable election is one in which the results are verifiable both to independent observers and any other interested party. The problem with e-voting is that there’s no tangible evidence that votes were recorded as voters intended.
When votes are cast and recorded electronically, the way to conduct a recount (and to tally in the first place) is to run a tape off each individual machine and then compare those totals against the number of people who checked in to vote. While that method will reveal discrepancies in the event of some types of voter fraud — multiple voting, for example — there’s no way to ensure that the votes were recorded the way that voters actually cast them. “In a fully electronic system, I can’t confirm my vote, and that’s not a proper democratic election,” says Rebecca Mercuri, a research fellow at Harvard University’s John F. Kennedy School of Government who wrote her doctoral dissertation on electronic voting systems. Mercuri is one of the most outspoken critics of e-voting and the vendors that sell the equipment. She and many other computer scientists believe the best way to mitigate the audit problem is to combine electronic machines with good, old-fashioned paper by including a voter-verified paper ballot.
How it would work: With touch-screen systems, voters activate ballots using a PIN or smart card given to them by election workers at the polling place; they activate the screen, select their candidates, verify their choices via a paper printout and then electronically cast their votes. To preserve anonymity and protect against fraud, voters leave the paper behind, either at the machine itself or in something that could resemble an old-fashioned ballot box. The machines capture, tally and transmit the data, but the paper provides a backup.
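An added illustration, not part of the original article, of the audit gap described above: comparing machine tape totals with check-ins catches extra votes, but only a hand count of the voter-verified paper catches votes recorded for the wrong candidate. The machine names, candidates and counts are constructed sample data.

```python
from collections import Counter

# Constructed sample data: three machines in one hypothetical precinct.
# "tape" is the end-of-day electronic total; "paper" is the hand count of
# the voter-verified printouts left behind in the ballot box.
MACHINES = {
    "machine-1": {"checkins": 100, "tape": {"A": 60, "B": 40},
                  "paper": ["A"] * 60 + ["B"] * 40},
    # Five more electronic votes than voters who checked in.
    "machine-2": {"checkins": 100, "tape": {"A": 65, "B": 40},
                  "paper": ["A"] * 60 + ["B"] * 40},
    # Five votes recorded for the wrong candidate; the total is unchanged.
    "machine-3": {"checkins": 100, "tape": {"A": 55, "B": 45},
                  "paper": ["A"] * 60 + ["B"] * 40},
}


def turnout_gap(checkins, tape):
    """Tape total minus check-ins: the only check a paperless recount has."""
    return sum(tape.values()) - checkins


def paper_discrepancies(tape, paper):
    """Per-candidate (tape - paper) differences, omitting candidates that match."""
    hand_count = Counter(paper)
    candidates = set(tape) | set(hand_count)
    diffs = {c: tape.get(c, 0) - hand_count.get(c, 0) for c in candidates}
    return {c: d for c, d in diffs.items() if d != 0}


def audit(machines):
    """Run both checks on every machine and return {machine: findings}."""
    report = {}
    for name, m in machines.items():
        report[name] = {
            "turnout_gap": turnout_gap(m["checkins"], m["tape"]),
            "paper_discrepancies": paper_discrepancies(m["tape"], m["paper"]),
        }
    return report


if __name__ == "__main__":
    for name, findings in audit(MACHINES).items():
        print(name, findings)
```

On machine-3 the turnout check passes, and only the comparison with the paper count shows the discrepancy.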
Pros and cons: Proponents of paper duplicates say they are an essential addition to e-voting for two reasons: They provide voters with a physical confirmation of their vote, and election officials can use them in the event of a recount.
The vendor community doesn’t like it. “We oppose the idea of a voter-verified paper trail,” says Harris Miller, president of the trade group Information Technology Association of America. Introducing paper into the mix, he says, defeats the improved efficiency and reliability e-voting promises. “There was never a golden age when paper ballots were accurately counted,” Miller says. Adding paper to e-voting will only make the process of administering elections more costly and time-consuming without improving accuracy, opponents assert.
Ted Selker, an MIT associate professor of media arts and sciences who works with the CalTech/MIT Voting Project, sides with Miller on this. An experiment with paper ballots during a municipal election in Wilton, Conn., resulted in confused voters who didn’t know what to do with the paper produced by the voting machines. “Voting took twice as long and required twice as many poll workers,” Selker says. In addition, town officials say the number of offices on the ballot resulted in a paper verification sheet that was difficult to read because the typeface was small.
Alternatives: One possible alternative Selker and his colleagues are researching is a write-once memory card that serves as the official ballot. Cryptographer David Chaum is also working on a verification system that involves encrypted codes that voters can verify over the Web. Of course, both methods would require additional time and training of voters and poll workers.
Despite Miller’s assertion that paper trails are unnecessary, voter-verified ballots are gaining support. Depending on pending legislation, California may require them this November, and Rep. Rush Holt of New Jersey has introduced a bill that would require them nationwide.
Challenge #2: Mitigate Security Risks
What’s at stake: The integrity of elections; preventing fraud
Best fixes: Locked, tamper-proof computers; one-time, quick transmission of results; trained poll workers
When Avi Rubin got a look at some of the source code for the Diebold AccuVote-TS machine, he was disturbed by what he found. Rubin, a professor of computer science at Johns Hopkins University, detailed his findings (along with three colleagues) in a document known as “The Hopkins Report.” Among the report’s most significant conclusions: Voters could fabricate smart cards to cast multiple votes without the voting machine detecting the fraud, and poll workers and outsiders could change election results by intercepting data as it is transmitted from precincts to election headquarters. “We have a very dangerous situation on our hands now,” Rubin says. “A lot of (election officials) are moving quickly towards these machines without proper scrutiny.” Of course, given the recent moves in California, other states are likely to perform more rigorous due diligence of e-voting systems up front.
The heart of the problem: The most serious issue with current e-voting systems, scientists say, is source code that’s riddled with vulnerabilities. Of all the systems out there, Diebold’s AccuVote-TS has received the most scrutiny because some of its source code was accidentally posted on the Internet. “The Hopkins Report” spawned three other studies, each of which found various vulnerabilities. Maryland, which spent US$55 million on 16,000 Diebold machines, commissioned a report from Raba Technologies that simulated use of the machines in a mock election. In addition to software problems, the Raba researchers discovered that the two locked bays on each machine (for the printer tape, and on/off switch and modem) could be opened by any one of 32,000 keys issued — keys that were duplicated at hardware stores.
Some of the fixes recommended in the Raba report are fairly simple. Tamper-proof tape can secure the bays, and updated security patches from Microsoft can be installed on the servers that collect and tally precinct results. However, the real security problem, scientists claim, is that the source code is proprietary. Essentially, says Rubin, “several companies are controlling all the voting and tallies.” Although election boards certify e-voting systems prior to their use, critics insist that voting software should be open source — or at least open to public scrutiny — so that anyone interested in the integrity of elections can look at it. With software, critics point out, it takes only one well-placed person to exploit insecure code and change the outcome of an election.
Reality check: David Bear, a spokesman for Diebold, says the security issues raised by computer scientists aren’t practical when viewed in the context of how elections — complete with trained poll workers and procedural checks and balances — are run. “There’s always an ongoing balance between security concerns and disenfranchising voters,” Bear says. In theory, having separate locks and keys for every bay makes sense until it comes down to managing those keys. “You may heighten security, but you’ll have a management nightmare and disenfranchise voters if the right key isn’t available to open the polling place,” he says.
Margaret Luca, secretary of the electoral board in Fairfax County, Va., says security concerns are overblown. Recently Fairfax County upgraded its old, 200-pound e-voting machines with 1,000 portable touch-screen models from Advanced Voting Solutions. While open for voting, the machines are not networked. Once the polls close, a master machine at each precinct phones the results in to election headquarters. At most, Luca says, a machine is networked and data is transmitted via phone or modem for about three minutes. Someone intent on hacking that line would have to know precisely when the transmission would take place.
Even Rubin admits that some theoretical security threats he’s raised seem unlikely when an election is run properly. This past March, Rubin volunteered as an election judge in Baltimore County. Based on his experience, he doesn’t think a voter could have voted multiple times using a fabricated smart card; the additional time required to cast multiple votes and the clicking noises created as each smart card got ejected from the machine would have elicited attention from election officials.
Challenge #3: Minimize Voter Confusion
What’s at stake: The ability of every citizen to cast the vote he or she intends to cast
Best fixes: National ballot design guidelines; usability standards; training for election workers and voters
In January 2003, Palm Beach County was the setting for yet another election mess, albeit on a much smaller scale than in 2000. With 12 votes separating two candidates for state representative, The Miami Herald reported that 134 electronic ballots were cast without votes for either candidate. In addition to reinforcing the need for a paper audit trail, the situation suggested to critics that voters were confused by the system interface, the ballot design or both. With no other races in contention, they argue, it’s unlikely that voters went to the polls with the intention of not voting.
The University of Iowa’s Jones says that election officials and vendors need to pay more attention to ballot and interface design, respectively. While touch screens eliminate the danger of overvoting (because voters can’t select more than one candidate in any one race), they can apparently contribute to undervoting. “There are some really bad touch-screen interfaces out there that allow voters to do things they don’t intend,” Jones says. One system he’s familiar with from ES&S has a prominent red “Vote” button at the top of the machine, potentially drawing voters to push it before they’ve scrolled through an entire ballot. A lack of clear, concise instructions and poor ballot layout also contribute to confusion. Jones has found that the error rate among voters is directly correlated to the quality of the instructions they receive from either the machines or poll workers (the better the instructions, the lower the error rate). And voters are less prone to make mistakes with one-column ballots than with two.
Work to be done: To date, not much research has been conducted on e-voting and usability. In conjunction with HAVA, the National Institute of Standards and Technology (NIST) is charged with helping set standards for everything from certification testing and security practices to interface design. Among the recommendations suggested at a February meeting of The National Association of Secretaries of State, Susan Zevin, acting director of NIST’s IT Lab, specifically mentioned the establishment of ballot design guidelines. She also recommended that election officials run usability pilot tests with actual voters, poll workers and ballots, and that vendors adhere to common usability standards, standards that are yet to be defined.
With the 2004 election looming, no one wants to repeat the experience of 2000. All interested parties agree that we need to improve our voting system, but there’s not much consensus around how best to do that. Thanks to HAVA, touch-screen systems are the most viable option at the moment, even though there’s a tremendous amount of debate regarding their security and reliability. As with politics itself, both sides (the vendors who are promoting their wares and the computer scientists and other concerned citizens who worry about election integrity) are digging in, determined to sway public opinion to their way of thinking. The upcoming November election will put millions of touch-screen systems to their biggest test yet.
Institute of Standards and Technology to assess human factors research in an effort to reduce voter error and improve access. The study of security issues also falls under the commission’s purview: On the docket is a plan to study how using the Internet in federal, state and local elections may contribute to fraud.