E-voting: Nightmare or nirvana?

With a presidential election looming, experts square off in a special CNET roundtable to debate electronic voting's merits and risks.

By Paul Festa
Staff Writer, CNET

If electronic voting were to face an international referendum, it would almost certainly lose.

Once the province of a small group of election officials and equipment sellers, e-voting has exploded into the popular consciousness because of a spreading controversy over security and verifiability. Thanks to a concerted effort by opponents and to the missteps of voting machine vendor , most of the news has been bad.

The fight is being waged around the world—in and , on newspaper editorial pages and over the Internet—as voting rights advocates and computer scientists hash out the technology's merits and risks in an increasingly polarized debate.

Some voting rights advocates call touch screen inherently unreliable and insecure, while others say they provide the fairest results for the disabled, for racial minorities and for people facing a ballot in a second or third language. Some computer scientists say the machines provide the most accurate and theft-proof method of voting yet devised, while others warn that they pave the way for vote thieves to steal whole elections undetected.

To help navigate the digital electoral divide, CNET invited four experts on e-voting to make their best cases for and against the technology.

Defending e-voting from a security perspective is Michael Shamos, a computer science professor at Carnegie Mellon University who has inspected and certified voting systems for Pennsylvania and Texas. Also defending e-voting, but from a civil rights perspective, is Daniel Tokaji, assistant professor at Ohio State University's Moritz College of Law.

Arguing against e-voting machines in their present form are David Dill, a computer science professor at Stanford University and founder of, a group that advocates mandatory paper-based audit systems for electronic ballots. Also arguing against e-voting is Cindy Cohn, legal director for the Electronic Frontier Foundation.

David, electronic voting machines have been demonstrated to prevent people from voting for more candidates than they should. They've given many people with disabilities or language limitations their first chance at a secret ballot. And they've eliminated punch card ballots and their notorious chads. Why don't these real benefits outweigh the potential harms of today's e-voting machines?
Dill: The harms are not potential; they are real. The obvious harm is that no sensible person will have confidence in a system that cannot be meaningfully audited. Electronic voting in its current form is morally equivalent to handing over the counting of votes to private groups who count the ballots behind closed doors—and then destroy them before anyone else can do a recount.

Apparently, many people learned the wrong lesson from Florida 2000—that recounts are bad. The right lesson is that we need to be able to do good recounts. Electronic voting has the advantage, for some, of eliminating the ability to do a recount altogether. To paraphrase (California Voter Foundation President) Kim Alexander, that's like eliminating fraud by eliminating the accounting department.

Shamos: Electronic voting machines are not unauditable. The software that is used in them is available before, during and after the election to be examined. I do not discount the possibility that in isolated instances, someone might tamper with a machine and reset it to its original state before being discovered. There is no systematic, undiscoverable way to do this, however.

It is not true that we insist on auditable original records as a matter of course. Electronic banking (accessing your bank account over the Internet from home) produces no auditable records in the sense meant by David Dill. Yet 91 percent of banks in the United States offer online banking, and it is perfectly well-accepted. Let us not hear the old argument that you get a statement at the end of the month, so you will find out if something is wrong. You might indeed learn that something is amiss, but you will have no examinable records to prove your case.

The analogy that a DRE (touch screen direct recording electronic machine) is like having private parties count your vote in secret is not apt. The machine and its software survive to be investigated. In any event, having anyone touch a paper ballot, during which time they might alter it, destroy it, lose it or add more ballots is much more like putting the count in the hands of private parties than is a DRE.

Dill: Mike's banking analogy supports my point. Why do people trust electronic banking? The first reason is that if customers are ripped off, they would know it. That's the old but very important point about seeing their bank statements. If there were major losses from electronic banking, it would be widely known.

Electronic voting has neither accountability nor recoverability. There is no way to determine if your vote was lost or stolen—and certainly no way to recover. It is like anonymous online banking with no receipts or statements, where the customer bears all the risk.

Dan, DRE opponents have assembled a long list of problems these machines have encountered in real elections. In California alone, the list is long enough, marring recent elections in San Diego, Orange County and Alameda County. Don't these malfunctions concern you?
Tokaji: I don't for a moment dispute that it's possible to have problems with any type of voting equipment, paper-based or electronic, if proper procedures aren't followed. There's a much longer and more extensive history of problems with paper-based voting systems—from ballot stuffing in (Lyndon Johnson's) 1948 senatorial election, to ballot box lids floating in San Francisco Bay in 2001, to the miscalibration of the optical scan counters used in Napa County's 2004 election. Paper is no guarantee against fraud or error.

It's certainly true that there have been problems in the implementation of electronic voting in some jurisdictions. But there's a disconnect between the problems and the solution that (Cohn) and some others propose—namely, requiring a contemporaneous paper replica (CPR) or, more euphemistically, voter-verified paper trail. The CPR wouldn't have done one bit of good for the PCM (Precinct Control Manager voting machines) that malfunctioned in Alameda and San Diego; nor would it prevent voters from being given the wrong ballot, as reportedly occurred in Orange.

There are things we can do to make electronic voting better. These include better certification standards, more thorough testing, better procedures and improved poll worker training. But the CPR is a solution for a hypothetical problem. (Editors' note: Diebold's PCM-500 is a computer smart card that brings up the appropriate ballot on the touch screen machine.)

Michael, what's wrong with the paper audit that so many e-voting critics propose? And shouldn't there be something at the end of the election for the purposes of a recount?
Shamos: Paper trail advocates consistently misrepresent the true purpose of a recount, which is to see whether humans have reported votes properly. It has never been a requirement—and still is not—that a voter record her preferences on paper so it can be recounted. Lever machines, for example, which were installed in New York City in 1925 to curb flagrant abuses of the paper ballot system, do not and have never produced any such record. A recount of lever machines consists of opening up their back panels and re-reading the counters, then adding up the votes again to guard against misreporting by precinct officials.

If a DRE is working properly, it produces redundant ballot images that can be recounted ad infinitum. If the machine is not working properly, votes will be lost—no question about that. Whether a machine is working can be tested.

The reason I know that is that in absolutely every other walk of life where we use machines, we verify them by testing and inspecting them. If it were really true that computer systems couldn't be tested, we would be fools to rely on them for electronic banking, lotteries, medical imaging, launching nuclear weapons, etc.

The receipt issue is temporary. There are elegant cryptographic methods that enable a voter to be assured from purely public records that her vote has counted—yet without being able to prove that fact to a vote buyer.

Dill: Mike says recounts were only intended to detect human error. If so, it's because they haven't caught up with technology. Recounts are used routinely in practice to double-check systems where ballots are counted by computer. California election law requires a manual tally of 1 percent of the precincts in each county specifically to double-check electronic counting. Regardless of the intent of election law, we need to do manual recounts to check the results of computers.

Mike says lever machines don't have a (voter-verified paper trail). True—and they have been tampered with, and they fail, losing votes irretrievably. Lever machines are not as bad as DREs for various reasons that I won't go into, but we should get rid of them.

Cindy, a practical question: Granted that electronic voting systems are not perfect, with the presidential election six months away, is it really wise to start requiring counties to implement voting systems that not only aren't on the market but don't have certification systems set up yet? Isn't the movement for paper audits imperiling the upcoming election with legal chaos?
Cohn: In the big picture of this debate, it seems to me that many of those who maintain that DREs do not need voter-verified paper trails seem to be assuming a perfect electronic voting system and defending that. What time has been teaching us with each election is that many of these systems, and certainly Diebold's, are far from perfect—they are in fact closer to prototypes than production machines.

The push for voter-verified paper ballots and more openness and independent research into voting systems are two ways to ensure that these machines make it to the place where they are actually ready for prime time.

There are already two systems federally certified that have (voter-verified paper trails), and Sequoia (Voting Systems) has one in the final stages of certification, so it's not the case that we need to rush things through. Nevada has asked for them and has been promised them from Sequoia by November. Optical scan systems are all certified, and they have built-in paper backups.

The e-voting debate increasingly divides groups claiming rights—those arguing for the right to have votes counted in a secure and verifiable way; and those arguing for the voting rights of the disabled and others whom traditional voting technologies have failed. How do we reconcile the competing demands of accountability and accessibility?
Dill: Optical scan systems can be made accessible by several methods. There is a device that provides a touch screen interface to optical scan ballots so that people with disabilities, non-English readers and others who cannot deal with the ballot directly can cast a private, unassisted vote.

Also, I just saw a system that prints optical scan ballots "on demand," via a printer in the polling place. A disabled voter can use the computer to fill out the ballot, so it is printed with the votes already on it. And low-tech cardboard templates and audio tapes are used by disabled voters in several countries with some success.

E-voting is vastly oversold, perhaps because so much money and effort goes into selling it. How successful are disabled and foreign-language voters at voting on these machines in real elections? From what I hear anecdotally (and I know of no systematic studies), results have been rather dismal. Paper is not going to be our biggest problem in making voting accessible.

Daniel Tokaji, what's wrong with the system David mentions—where the voter uses a touch screen interface to print out an optical scan ballot? Isn't that better, for accessibility and accountability, than a direct recording electronic machine?
Tokaji: David suggests the possibility that jurisdictions could move to precinct count optical scan systems. While I agree that precinct count optical scan systems are an improvement over other paper-based systems, at least in terms of accuracy, they create problems of their own.

They don't provide the secret and independent voting that touch screens do, particularly for people with disabilities and linguistic minorities. Voters need assistance in using them—specifically in putting the ballot through the reading device and receiving instructions on what to do if the mechanical reader indicates an overvote.

Precinct count optical scans aren't generally programmed to notify voters of undervotes, especially on down-ticket races, since that would slow down the voting process too much—and put further strain on scarce poll worker resources. By contrast, touch screens not only prevent overvoting but also have a verification screen that easily allows voters to see whether they've undervoted on any race on the ballot.

The "low-tech cardboard templates and audio tapes" is a lousy system for people with visual impairments, compared to touch screens. It's a slight improvement over blindfolding someone, strapping a Walkman on her head and describing to her where to throw darts at a dartboard—but only slight. It does not allow visually impaired voters to verify their choices, as touch screens do. And it does nothing for voters with other disabilities.

There is a prototype optical scan system out there that supposedly allows visually impaired voters to vote independently. But as I think we can agree, experience teaches us to be skeptical of the claims made by voting equipment vendors. Not every system that looks good on paper works well in a real election environment.

Dan, what evidence is there that suggests that DREs help bridge the racial gap at the polling place?
Tokaji: As far as the social-science evidence goes, I don't think that there's any serious question that punch cards produce a racial gap in residual votes. Nor am I aware of any evidence that contradicts the study's finding that touch screens virtually eliminate the racial gap that exists with punch cards and central-count optical scan systems—although there is evidence that precinct count optical scans reduce the racial gap as well.

I don't claim that electronic voting is perfect. No voting system is. There are clearly improvements that can be made, particularly when it comes to implementation. But from a voting rights perspective, electronic voting is better than the available alternatives—and certainly better than the punch card equipment that's still being used in many parts of the country.

Michael, a lot of the opposition to DREs stems from concerns that a voting company employee could easily tamper with an election, swinging just enough votes here and there to sway a close election without eliciting suspicion of fraud. Why isn't that a valid concern?
Shamos: DREs have been used in the United States for more than 20 years without any credible evidence of tampering with the votes. In 2000, they were used to count about 12 percent of the popular vote, and no one even whimpered, except for the usual percentage of losing candidates who are willing to latch on to any reason they might have lost except that the voters didn't want them.

The fact that some DREs have failed to start up properly or have failed on Election Day does not imply in any way that they are unsafe or have been tampered with. It is likewise difficult to see how they have been oversold over such a long time period. One of the few states that did not allow DRE voting in 2000 was Florida, and we now know how that turned out.

Dill: I've read about hundreds of anomalies with DREs. Not once have I heard of a competent independent investigation that produced any conclusions, one way or the other. There was no serious investigation even in the case where a machine in New Orleans was videotaped changing one out of three votes.

Candidates don't challenge elections on DREs in most cases, because asking for a recount is pointless. They'll just get a reprint of the vote totals. This says nothing about the veracity of the machines.

The bottom line is that we know almost nothing about what's really been happening with the votes in DREs in all those elections.

Michael, defenders and makers of DREs complain that they have to answer for hypothetical scenarios. But why shouldn't they have to do just that?
Shamos: You can't evaluate systems based on hypotheticals any more than you can fault security at Fort Knox based on the movie "Goldfinger." Just because a novelist can conjure up a scenario doesn't mean it's realistic.

Let's even suppose that someone is able to write software that alters an election subtly so that the pollsters won't notice. No one has ever explained how this software would get into the voting machines undetected, why the software would leave no trace and how things could be arranged so that no test whatsoever would reveal that anything is wrong—either before, during or after the election.

It is not true that code is not reviewable—that is a fiction promulgated by DRE opponents. Just because the code is not made public does not mean that it is not reviewable.

During the 20 years that I was a voting system examiner in Pennsylvania and 13 years in Texas, every vendor was required to reveal and deposit its source code with the secretary of state, and all the examiners got to review it.

Furthermore, archival copies were retained by the state. So if anyone ever made any alteration to the software, it would be detected. (The software that controls the launching of nuclear missiles is not public, but it is extensively reviewed by responsible officials.) However, this is a nonissue, since if you ask a DRE opponent if he would drop his opposition if the code were made public, he will say no.

A method by which magic, centrally distributed software would be able to selectively alter races in 170,000 different voting precincts, all with different demographics and voting procedures, varying numbers of registered voters and ballot styles, all without detection, has never even been hinted at, let alone explained.

Until someone gives a credible way to do it, we ought not to take the possibility seriously. The DRE opponents attempt to answer this by saying that they need not prove the systems are unsafe—it's up to the vendors to prove they are safe. But this is not the test that election law requires.

Dill: An inability to do audits is not a hypothetical problem. If a business is not keeping accounting records, it's a problem—whether there is error or fraud or not.

It is not hypothetical that DREs make recounts impossible. The ability to do manual recounts is a fundamental requirement. It allows election officials to show those disgruntled candidates, and everyone else, that the election results are accurate.

Empirical statistical analysis is not the right way to approach all science and engineering. It is often better to analyze risks rationally than to do the experiments and measure the results. I know better than to play Russian roulette—even though I'll only hypothetically blow my brains out.

Bugs are not hypothetical. They are ever present in computer programs.

With something valuable, it is also prudent to consider accidental loss or theft. Control of the government is valuable (even more valuable than the ), computer security is a lot harder than guarding gold, and I'd be willing to bet that the management of Fort Knox keeps careful accounts of deposits and withdrawals and counts the assets occasionally so they can tell if gold has been lost or stolen.

Contrary to Mike's assertion, many people have spent countless hours discussing ways to corrupt election software, and they've only scratched the surface. Computer security is hard, because you have to stop all the attacks, even the ones you haven't thought of.

One programmer at one of the large vendors could hide a change in the software. This hidden code could change votes between parties without knowing the specifics of elections. Or he could simply insert a "back door" by which others, such as technicians, poll workers, voters or guys outside in a van (if the machine has wireless capability) could customize election theft to whatever is on the ballot.

A small percentage of votes can be changed in plausible ways to evade statistical analysis (although I question whether it matters much—I haven't heard of any elections being overturned because the results were inconsistent with polls).

It is not necessary to erase the hidden code, because it can be made almost impossible to find, anyway (not that anyone ever tries), although erasing it would be easy. It is extremely easy to evade many of the tests that are actually performed, such as running simulated vote scripts on the machine.

