Electronic Voting Machines:
An Overview

Andrew Glassner
Coyote Wind, LLC

September 5, 2004

"The right of voting for representatives is the primary right by which all other rights are protected. To take away this right is to reduce a man to slavery." -Thomas Paine [1]

Introduction

The Florida 2000 voting fiasco created a widespread demand for improved voting technology. A new generation of electronic voting machines has appeared that promises simplicity, security, accuracy, and equal access. Many states have purchased these new machines, but it has become increasingly clear that these new devices are not trustworthy. Now aware of the problems, many legislatures are looking for ways to save their investments. If these insecure voting machines are used in their present configurations, the 2004 presidential elections could suffer from a loss of confidence that would make Florida 2000 look like a casual, friendly disagreement.

In this informal document I'll review today's electronic voting machines, discuss their problems, look at some proposed solutions, and then offer my conclusions for Washington State.

Electronic Voting Machines

In 2000 Congress passed the Help America Vote Act, or HAVA [2]. One of its many provisions offered states $3.65 billion to replace their aging voting equipment with modern machines. The money had to be spent by April 2003 or it would be forfeit [3], so many states went shopping [4].

There are three general types of electronic voting machines in widespread use today. Punch-card counters do automatically what humans did for a while in the Florida recount. Optical scanners read paper ballots in which voters have filled in circles to indicate their choices; many absentee ballots are counted this way. The most modern machines are called direct recording electronic systems, or DREs, and they will be our focus here. A typical DRE is a computer with a touchscreen for input and output, and a memory for storing voters' ballots.

DREs offer a number of highly desirable features. The ballots may be laid out by a graphic designer who can use visual elements like color and a variety of typefaces to create legible, easily-understood ballots (thus avoiding the sort of trouble caused by Florida's clumsy butterfly ballot). DREs can warn voters if they vote for too many people in a race (called over-voting) or too few or even none (called under-voting). DREs can offer ballots in a wide variety of languages. They can even offer ballots that use pictures, sounds, and animation to serve illiterate and visually-impaired voters. DREs allow voters to change their minds until the moment they commit their vote (called second-chance voting). DREs offer the promise of eliminating ambiguous votes, forever freeing us from another hanging chad. Finally, voters who are used to ATMs and supermarket scanners are comfortable with these kinds of devices, and trust them to be accurate and reliable.

Note that these are all features of the user interface of the system, and have nothing to do with vote storage. Conceptually, a DRE could present all of these features to a voter, and then save the voter's choices on punch cards rather than an internal memory.

The Problems of Electronic Voting Machines

DREs are not like ATMs and other such machines. The essential distinction is that voters do not take home a receipt. We trust ATMs because they're generally accurate, and we can always take our receipt back to the bank if we discover an error. But voting machines must not issue take-home receipts. Votes are secret, and any record that a voter takes out of the polling place can result in vote buying and all the evils that come with it. Since a DRE doesn't issue a receipt, we must trust that its vote storage is fair and honest. Is such trust warranted?

DREs typically store votes on a hard disk (like those used in home computers), or a cartridge (like those used in digital cameras). At the end of a voting day, poll workers add up the votes in that memory (either on the DRE itself, or by connecting the vote memory to another machine). The data written by the computer is the only record of the voter's intent. If that data is wrong, the totals will be wrong. Compare this to a punch-card system, where the cards (called the medium of record) can always be re-counted. In DREs, the machine's own memory is the medium of record, so if you doubt what's been recorded on that medium, there's no way to confirm or deny your concerns. For these reasons, many critics of DREs correctly assert that these machines cannot perform a meaningful recount.

A DRE's record of the votes could be wrong in several ways. It could contain extra votes that were never cast, it could fail to record votes that were cast, votes could be recorded incorrectly, or they could be altered after they were saved. In terms of the final totals, it doesn't matter if errors are due to a malicious programmer or hacker, or to an accidental flaw in the software or hardware: every missing or incorrect vote disenfranchises the voter who cast it, and too many such errors make a mockery of the election.

Inspired by HAVA and the money it provided, many states have bought DREs (as of August 2004, 675 counties, representing 30 percent of the registered voters in the US, have purchased DREs [5]). Four manufacturers dominate the market: Election Systems and Software (ES&S), Sequoia Voting Systems, Diebold Election Systems, and Hart InterCivic, all of whom safeguard the software that drives their machines as tightly-held trade secrets. It's estimated that out of the expected 115 million voters this November, 36 million of them will vote on DREs that have no record other than what is stored in their memory [6]. In other words, one-third of America's voters in this Presidential race will trust their votes to computers running secret programs whose records cannot be verified or audited.

Someone who compromises a DRE design early enough in its design or manufacture can affect enormous numbers of machines; in the extreme, every machine the manufacturer ships could be flawed. For example, Diebold's central tabulating system, called GEMS, accumulates votes from many precincts. GEMS machines are typically responsible for collating and protecting millions of votes. It's recently been discovered that several versions of GEMS software, including the current one, contain a deliberately-programmed secret code that allows anyone with a modem (calling from anywhere in the world) to invisibly rewrite the machine's databases in minutes, leaving no other record or trace [7]. Because DRE software is secret, nobody can be sure what other exploits, deliberate or accidental, are on any of today's voting or tabulating machines.

Such revelations have led to a number of citizens' groups devoted to educating legislators and the public and urging action [8]. The most famous result of this growing concern so far is that the state of California has de-certified some of the DRE machines it's already purchased [9].

There is no accepted standard for evaluating DREs. Three "Independent Testing Authorities" have been set up by the National Association of Election Directors to "certify" machines, but they use the industry's own voluntary standards, and are funded by the manufacturers of the machines they're testing [10]. Most states and districts lack the expertise and finances to fully analyze these complex machines. They typically run a machine through a basic "logic and accuracy" test, and if the machine passes, they consider it safe to trust with their constituents' votes.

But these tests are neither exhaustive nor expert enough to confirm that a given DRE should be trusted. An expert review of a Diebold system concluded that it "contains considerable risks that can cause moderate to severe disruption in the election" [11]. In a famous incident, engineers from Diebold accidentally left the trade-secret source code for one of their DREs on a publicly-accessible website. A review of the software by computer scientists at Johns Hopkins and Rice Universities revealed many severe problems, leading them to warn, "Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts." [12] For example, "A voter could cast unlimited ballots without detection." [13] They concluded, "If we do not change the process of designing our voting systems, we will have no confidence that our election results will reflect the will of the electorate." [14]

Although some states are actively trying to make their systems reliable, others are taking giant steps backwards. Missouri recently announced a system for overseas voting by military personnel that starts with optical-scan ballots and then layers on computer scanners, faxes, printers, and optical scanners to create a complex, insecure, and unsafe patchwork of devices and procedures [15].

With confidence in DREs plummeting, but the money already spent on their purchase, many states are looking for ways to salvage their investment and modify these devices to bring them up to at least some minimal standard of trustworthiness by the November 2004 election.

Proposed Solutions

Three solutions to this problem dominate the landscape today.

The first popular solution calls on the manufacturers of DREs to release to the public the software (or "code") that they've written to control the machine. Advocates of this "open-source" methodology argue that with many people analyzing the software, any errors, whether accidental bugs or deliberate cheats, can be detected and corrected [16].

In my opinion this is a good start, but only a partial solution. There are many ways independent of the source code to compromise a computer. Theoretically an exhaustive review of all hardware and software could validate a machine, but this Herculean task is impractical. Furthermore, open-source review of software does nothing to protect the system once it is in the field. Ideas have been proposed to protect deployed machines [17], but such techniques often place significant demands on poll workers.

The second popular solution involves creating a voter-approved paper record, or "trail," of every vote [18]. This technique is referred to by a wide variety of similar-sounding names, such as voter-verified paper ballot (VVPB) and voter-verified paper audit trail (VVPAT). The details of the methods vary, but the basic idea they all share is that votes are stored not only in the machine's internal memory, but also on a receipt printed by the computer. This receipt is shown to the voter where he or she cannot actually touch it (for example, under a pane of glass). The voter reads the receipt and approves or rejects it. A rejection causes the machine to solicit a new vote. Typically, approved receipts are saved in an internal receptacle, and rejected receipts are destroyed. Voters do not get a copy of the receipt.

At the day's end, poll workers can retrieve the paper receipts and count them, either by hand or with a machine, and compare the result of the paper audit with the computer's reported sums. If the numbers differ by more than a tiny amount that could be attributed to human error, the machine may have been compromised (deliberately or accidentally), and its internal record ought not to be trusted. Typically the paper receipts are then promoted to the status of ballot of record, and their total is considered the true result.

Paper trails present considerable problems. They suffer from all the practical difficulties that come with handling and caring for paper. Counting paper ballots is expensive and slow. Human judgment may be required if some receipts are smudged or otherwise marred (remember those hanging chads?). The need to read and approve a paper receipt effectively eliminates many of the advantages of DREs for special-needs voters.

Paper trails are usually discussed as a statistical check. For example, at the end of a voting day poll workers could randomly count the ballots from one or two of their DREs, and compare the results to each machine's report. If the difference is more than a small threshold, then all the machines in that polling place would be manually recounted, and perhaps the frequency of paper counts on some other machines would be increased as well. As long as the machines are operating properly, then districts can budget the time and money for these spot counts. But if the totals come up wrong, then the costs can spiral out of control, because every paper ballot must be manually counted. Relying on paper trails to validate an election in the face of real or suspected widespread fraud would be a monumental task.
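The spot-check procedure described above, sketched as an added example that is not part of the original document. The machine names, tallies, and the two-vote threshold are constructed assumptions. The sketch goes one step beyond the text by also computing the chance that a random sample includes a faulty machine at all.

```python
"""Spot-check audit of DRE reports against voter-verified paper receipts.
Added illustration: machine IDs, tallies and threshold are constructed."""
import random
from collections import Counter
from math import comb

THRESHOLD = 2  # assumed tolerance for human counting error, in votes


def discrepancy(paper: Counter, electronic: Counter) -> int:
    """Sum over candidates of |paper - electronic|.
    A vote moved from one candidate to another is counted twice."""
    return sum(abs(paper[c] - electronic[c]) for c in set(paper) | set(electronic))


def spot_check(machines, sample_size, threshold=THRESHOLD, rng=random):
    """Hand-count a random sample of machines and compare with their reports.
    machines maps id -> (paper tally, electronic tally).
    Returns (sampled ids, ids over threshold, escalate-to-full-recount flag)."""
    sampled = rng.sample(sorted(machines), sample_size)
    failed = [m for m in sampled if discrepancy(*machines[m]) > threshold]
    return sampled, failed, bool(failed)


def official_totals(machines, escalate):
    """After escalation the paper receipts become the ballot of record for
    every machine in the polling place; otherwise the DRE reports stand."""
    source = 0 if escalate else 1
    total = Counter()
    for tallies in machines.values():
        total.update(tallies[source])
    return total


def detection_probability(n_machines, n_bad, sample_size):
    """Chance that a sample drawn without replacement holds >= 1 bad machine."""
    return 1 - comb(n_machines - n_bad, sample_size) / comb(n_machines, sample_size)


def build_polling_place():
    """Constructed data: ten DREs, one reporting 15 votes moved from A to B."""
    paper = Counter({"A": 120, "B": 110})
    machines = {f"DRE-{i:02d}": (Counter(paper), Counter(paper)) for i in range(10)}
    machines["DRE-07"] = (Counter(paper), Counter({"A": 105, "B": 125}))
    return machines


if __name__ == "__main__":
    place = build_polling_place()
    sampled, failed, escalate = spot_check(place, sample_size=2)
    print("sampled:", sampled, "failed:", failed, "full recount:", escalate)
    print("official totals:", dict(official_totals(place, escalate)))
    for k in (1, 2, 5, 10):
        print(f"sample {k:2d} of 10 -> P(catch faulty DRE) = "
              f"{detection_probability(10, 1, k):.2f}")
```

With these constructed numbers, counting two of ten machines includes the faulty one only one time in five, so the size of the sample matters as much as the threshold.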

Paper trails have some appeal as a retrofit to provide existing DREs with a measure of accountability, but in addition to their inherent problems, paper trails themselves have yet to be proven in an actual election. There may be subtle problems that people haven't considered, or the actual physical implementation of the technique on one or more DREs may contain a flaw that can be exploited [19]. And after Florida, recounts of any form are not always welcome [20].

Paper trails, when added to a DRE, result in two potentially different copies of every vote. This isn't good. Quoting Segal's Law, "A man with a watch knows what time it is. A man with two watches is never sure" [21]. If a DRE isn't trustworthy, it shouldn't be used in the first place.

The third popular solution is to devise a new generation of inherently trustworthy DREs. Such devices use cryptography [22], custom hardware [23], or write-once memories [24].

Suggestions

Happily, Washington State is not faced with the need to compensate for too many purchases of untrustworthy DREs [25] [26]. But if the old punch-card and optical systems are not so good, and the new systems aren't ready, what is the right solution for this November, and the long term?

For this election, I suggest that most voting places continue to use the equipment they've been using for the last few years, warts and all. In addition, each voting place should be equipped with a small number of DREs that are set up to serve as broad a range of voters as possible. These DREs should be fitted with some version of a paper trail. Despite paper's many problems, it's better than having no trustworthy record at all. The paper votes should be counted for every DRE, and considered the vote of record. In other words, the DRE is used only as a vote-gathering device, and its internal electronic record of the votes is ignored.

Washington State should encourage manufacturers to produce a new generation of machines that are inherently trustworthy. Such devices must be made fully open to expert scrutiny and be proven to be highly resistant to tampering during manufacture, distribution, and deployment. We should not buy today's inherently flawed and secretive equipment, but rather save our money until well-designed voting machines are available, using the power of our dollars to urge manufacturers to create machines that are worthy of our trust.

Further Reading

To say that this summary has only looked at the tip of the iceberg would be unfair to the iceberg. Every day we see more news stories, web sites, and advocacy groups focused on electronic voting machines and central tabulators. Here are three great overview documents, each of which points to many more sources. They are all available online.

A great objective overview of the history of election machines, the recent laws, and some of the recent scandals surrounding DREs, is available in this Library of Congress report: "Election Reform and Electronic Voting Systems (DREs): Analysis of Security Issues," Eric A. Fischer, Congressional Research Service / The Library of Congress. November 4, 2003, order code RL32139. Online: http://www.epic.org/privacy/voting/crsreport.pdf

A thoughtful discussion of the present technology, its social implications, and how to survive the November 2004 election can be found in: "Recommendations of the Brennan Center for Justice and the Leadership Conference on Civil Rights for Improving Reliability of Direct Recording Electronic Voting Systems." Online: http://www.civilrights.org/issues/voting/lccr_brennan_report.pdf

The ACLU of California has produced an excellent discussion that covers almost every aspect of this issue in a thoughtful and informed manner. They also have a short summary of their recommendations, but the larger document is well worth your time: "Joint Report and Recommendations on Electronic Voting: ACLU of Northern California, ACLU of Southern California, and ACLU of San Diego and Imperial Counties," March 2004. Online: http://www.aclunc.org/voting/040322-voting.pdf

References and Notes

[1] Paine, Thomas, "Dissertation on the First Principles of Government," 1795. Online: http://press-pubs.uchicago.edu/founders/documents/v1ch13s40.html

[2] The text of HAVA is available online at http://www.usdoj.gov/crt/voting/hava/hava.html

[3] Office of Representative Rush Holt, D-NJ, on telephone with the author, August 17, 2004

[4] Apparently mechanical lever machines are no longer an option: "…the current lever machines are no longer manufactured nor are parts for them made." From "Implementing HAVA (Help America Vote Act) and Protecting the Integrity of the Vote Count, A Report by the Election Committee to the Board of the NYCLU, January 2004," page 1

[5] Brennan Center report, op. cit., page 1

[6] Dugger, Ronnie, "How They Could Steal the Election This Time," The Nation, August 16, 2004, page 1. Online: http://www.thenation.com/doc.mhtml?i=20040816&s=dugger

[7] Harris, Bev, "The Diebold GEMS Central Tabulator Contains A Stunning Security Hole," August 26, 2004. Online: http://www.blackboxvoting.org/?q=node/view/78. For a related story, see also http://www.scoop.co.nz/mason/stories/HL0309/S00106.htm

[8] Two of the best-known advocacy websites on electronic voting are http://www.verifiedvoting.org and http://www.blackboxvoting.org (note that both of these addresses are .org, not .com)

[9] "Decertification and Withdrawal of Approval of Certain DRE Voting Systems and Conditional Approval of the Use of Certain Voting Systems", State of California Secretary of State, April 30, 2004. Online: http://www.ss.ca.gov/elections/ks_dre_papers/decert1.pdf. For a layman's account, see "California Unplugs Some E-Voting Machines," by Peggy Watt, PC World, April 30, 2004. Online: http://yahoo.pcworld.com/yahoo/article/0,aid,115959,00.asp

[10] Dugger, op. cit., page 3

[11] RABA Technologies LLC, "Trusted Agent Report, Diebold AccuVote-TS Voting System", January 20, 2004. Online: http://www.raba.com/press/TA_Report/AccuVote.pdf

[12] Kohno, Tadayoshi, Adam Stubblefield, Aviel D. Rubin, and Dan S. Wallach, "Analysis of an Electronic Voting System," IEEE Symposium on Security and Privacy 2004, IEEE Computer Society Press, May 2004, page 1. Online: http://avirubin.com/vote.pdf. A layman's account may be found in "Voting Machine Fails Inspection," by Robert Lemos, News.com, July 24, 2003. Online: http://news.com.com/2100-1009_3-5054088

[13] Ibid, page 1

[14] Ibid, page 21

[15] "Blunt Announces New Voting Option for Missouri Military Personnel," Missouri Secretary of State Matt Blunt, August 25, 2004. Online: http://www.sos.mo.gov/news.asp?id=375

[16] Seifert, Jeffrey W., "Computer Software and Open Source Issues: A Primer," Congressional Research Service / The Library of Congress, November 5, 2002. Order code RL31627

[17] Brennan Center report, op. cit., pages 8, 11

[18] Fischer report, op. cit., page 28

[19] "V-VPAT systems are undeveloped and untested, and may create as many problems as they solve. Accordingly, it is premature to demand that all DREs be equipped with a V-VPAT system by a certain date." California ACLU Chapters Joint Report, page 2

[20] "In Alabama two years ago, during a controversy over an election for governor conducted mostly on op-scan machines, Attorney General Bill Pryor, backing up the sheriff in one questioned county, ruled officially that under state law anyone recounting the ballots would be subject to arrest." Dugger, op. cit., page 6

[21] Segal's Law, US Naval Observatory. Online: http://tycho.usno.navy.mil/clocks.html

[22] VoteHere, Inc. Online: http://www.votehere.net/products_tech.htm

[23] Shuki Bruck, David Jefferson, and Ronald L. Rivest, "A Modular Voting Architecture ("Frogs")," August 18, 2001. Online: http://www.vote.caltech.edu/wote01/pdfs/amva.pdf

[24] Glassner, Andrew, "The Secure-Vote Method for Voter-Verified Electronic Voting," August 14, 2004. Online: http://www.coyote-wind.com/voting/SecureVoting.htm

[25] Snohomish County purchased 1000 Sequoia EDG machines, first used in 2002. Data gathered by Verified Voting, online at http://www.verifiedvoting.org/states/WA/WA-voting-eq.htm

[26] Hendricks, Drew, "Washington State Vote Tabulation Equipment," Online: http://www.drewhendricks.freeservers.com/WAEpage.htm

 

All contents © 2004, Coyote Wind Studios