E-voting worries linger as Election Day nears

After a presidential election eight years ago that seemed like it would never end, politicians pledged to prevent a second round of hanging chads, manual recounts, and U.S. Supreme Court arguments. The idea was to spend up to $3.9 billion to replace punch card voting machines of the sort that Florida accidentally made famous.

By including strict requirements that newly purchased machines "be accessible" to blind and disabled voters, Congress all but mandated electronic voting machines with touch screens. But Washington politicians--not known for their tech-savvy in the best of times--neglected to include even rudimentary security and verifiability requirements.

Call it an expensive lesson in the law of unintended consequences. That decision led to the widespread adoption of touch-screen machines, and as Election Day 2008 looms, greater concern than ever before about the machines' security and reliability. Some states responded by mandating voter-verified paper trials. Others, worried about programming errors or malicious Election Day hackers, have decided to ditch the devices entirely.

When signing the so-called Help America Vote Act (HAVA) in October 2002, President Bush claimed that it was "carefully considered" and predicted "the legislation I sign today will add to the nation's confidence."

Not quite. Ohio Secretary of State Jennifer Brunner has since requested that counties switch from e-voting machines to old-fashioned paper ballots. In April, Iowa's governor signed a law that mostly ditches touch-screen machines in exchange for paper ballots read through optical scanning. Maryland is reverting to paper as well.

No wonder that The Simpsons television show, that useful barometer of popular culture, lampooned e-voting machines in Sunday's Halloween special. (Homer tries to vote for Barack Obama instead of John McCain. The obstreperous machine responds by attacking him.)

Backtracking
The shift back to paper comes amid a deluge of criticism of touch-screen systems, mostly from computer scientists and even grandmothers-turned-activists. It's difficult to capture the depth of the concern that has swept the ranks of often-cloistered academics, starting with theoretical concerns at the time HAVA became law and ending with biting critiques once the machines' actual hardware and software have been analyzed.

One 334-page report (PDF) commissioned by the Ohio secretary of state and written by researchers at Penn State and the University of Pennsylvania lists scores of vulnerabilities in systems made by Election Systems and Software (ES&S), Hart InterCivic, and Premier Election Solutions, previously known as Diebold.

"All of the studied systems possess critical security failures that render their technical controls insufficient to guarantee a trustworthy election," the researchers wrote. They reached that conclusion after evaluating the source code and finding ways that an attacker could insert viruses, erase logs, produce incorrect vote totals, or block some or all voters from voting.

This follows a top-to-bottom review in 2007 of California's voting systems conducted by University of California computer scientists for the state government. They reached similar conclusions as the Ohio researchers did, noting that viruses inserted in one machine (by, for instance, a voter inserting a memory card) could "spread throughout the voting system."

No wonder that California Secretary of State Debra Bowen gave a speech at a computer security conference in July titled: "Dr. Strangevote or: How I Learned to Stop Worrying and Love the Paper Ballot." (After the report she commissioned came out, Bowen decertified the voting equipment that was analyzed unless substantial security enhancements were made.)

To be sure, manufacturers of voting machines stress that the problems that have been identified are either overly theoretical or have been fixed with hardware and software updates. They also argue that that there has never been a documented case of a successful attack against an electronic voting system.

In the 2004 primaries, for instance, which represented the first real test of e-voting, no major glitches were reported. An error in Ohio in November 2004 favoring Bush was nowhere near substantial enough to affect the outcome of the election. Problems in November 2006 were more minor than major.

In addition, some researchers, like Carnegie Mellon University's Michael Shamos have claimed that the push for voter-verified paper trails on touchscreen machines is misguided and may serve to thwart more promising research in the area.

"Parallax" problem
This year, with millions of voters casting their votes early, scattered reports of electronic voting machine problems have already cropped up in states like Florida and West Virginia.

Most of these problems are the result of "vote flipping," or touch-screen parallax--when the spot the user looks at does not match up with the part he or she touches. This is a result of the way the screen appears due to the machine's light source or due to the angle from which the voter is looking at the machine. It's the sort of problem that is most likely to impact younger and older voters--those with the least experience with computers and touch-screen technology.

"It turns out you can engineer around this," said David Wallach, associate director for Accurate, which stands for "A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections."

For instance, Wallach said, ATMs have large buttons with ample space around them.

"Our voting machine vendors haven't figured this out yet," Wallach said. "The technology is fundamentally designed wrong in terms of the hardware, software, and ballot layout."

While the machine vendors have yet to address this problem, the poll workers can at least mitigate its impact by calibrating the machines on a regular basis. The nonprofit Verified Voting Foundation sent a joint letter last week to 31 secretaries of state across the country to have poll workers double-check that Premier machines are properly calibrated (there can be a conflict with antivirus software). While the problems reported so far may be anecdotal, Verified Voting President Pamela Smith said the problems are significant because voters could lose confidence in the system.

"It's so disconcerting to the voter," she said. "You're all excited about your choices, and then it shows somebody else's name--that's the thing we want to avoid at all costs because it casts doubt," she said. (See this video of a buggy voting machine in West Virginia.)

Tracking trouble
To keep track of voting problems, Verified Voting collaborated with the Electronic Frontier Foundation to launch Our Vote Live, an open-source project that records election-related problems called in by voters. The site categorizes the problems, lists them in a variety of ways, and provides information about what voting equipment is used in each state. The voting equipment problems recorded so far on the site are far outnumbered by reports of registration and absentee voting problems.

While the problems may not be widespread, they persist largely because the standards for voting machines set by the Election Assistance Commission (EAC) are voluntary, Wallach said.

"This is a deep problem that the voting system industry has been underregulated," Wallach said. "To the extent that there's a certification and testing process, it hasn't been a very stringent one."

Even though new standards were developed in 2005 and 2007, all voting machines in use today are only certified to the 2002 standards, according to Wallach.

Meanwhile one of the five independent U.S. centers that tests voting systems, SysTest Labs in Colorado, lost its accreditation with the EAC on Thursday for its "failure to create and validate test methods, improper documentation of testing, and unqualified personnel," according to the EAC.

A handful of bills have been introduced in the 110th Congress to address voting machine problems, but none have passed. A failed bill introduced in the House this year would have reimbursed jurisdictions for the cost of paper ballot voting systems to be used in the November elections, as well as the costs of conducting audits or hand counting the results of federal general elections. Legislation was introduced in 2007 in the Senate and the House that would have amended 2002's Help America Vote Act to require a voter-verified permanent paper ballot--something endorsed by Verified Voting. But the legislation never made it out of a committee.

A return to paper
Maryland's solution is to start using paper ballots in 2010, even though it will continue to pay for its $65 million electronic machines through 2014. Wallach said this was the right move. Recent studies (PDF) have shown paper ballots to be "the great equalizer," as Wallach put it.

"No matter your age, income or education, people are uniformly competent at filling in bubbles," he said.

The way paper ballots work is simple: a voter enters the polling place and is verified as able to vote. He or she is given a blank paper ballot, which is filled in with a pen or pencil. The ballot is then read by an optical scanner, either at the time of voting or at the local government office at the end of the day.

"Even though the paper scanners are just as much of a security disaster (as electronic machines), you've still got the paper, so you can conduct audits," Wallach said. "With electronic voting machines, you don't have that fallback."

Thirty-one states now require a paper record of every vote, according to Verified Voting. That's a great improvement from the seven or eight that had such a requirement in 2004, Smith said. Both Democrats and Republicans have taken up voting reform, she said.

"Some people think the voter-verified paper ballot is a one-party issue, but that's not the case," Smith said.

While many states are trying to preempt any major problems, some public interest groups are taking legal action to compel states to do more. A federal judge on Wednesday agreed with the National Association for the Advancement of Colored People that the polling places in Pennsylvania must distribute emergency paper ballots when 50 percent or more electronic voting machines become inoperable.

On October 23, the NAACP joined the Election Reform Network and a group of individual voters in a lawsuit against Pennsylvania to compel it to change its protocol. Previously, the state would have provided paper ballots only if all machines had broken down, even though some precincts only have two machines to begin with.

Smith said a state like Pennsylvania could create the perfect storm for voting fiascos: the state has not conducted early voting, many areas do not have paper records, and as a potential swing state, Pennsylvania's votes could prove to be critical.

"You're compressing all your pressure on the system into that one day," she said. "If machines break down, what will happen?"

This article was co-authored by CNET's Declan McCullagh and Stephanie Condon.

[n3td3v]

if john mccain wins it there will be a public outcry as it will be obvious that the election was rigged by bush admin.

there isn't really any other ifs and buts, if mccain wins we know the election was rigged.

[sanenazok]

You mean Senator McCain I think. I live in Chicago and if McCain wins then there will be a riot of Obama supporters.

[Penguinisto]

@netdev:

If McCain loses a close election that goes against the obvious media biases, folks like you will sheepishly follow what the media says and claim fraud - no matter how accurate or inaccurate the machines' performance.

If Obama wins (which is likely), then folks with your ideological blinkers on will claim that the system works perfectly, and will not question the crap machinery that folks like Diebold have knowingly pushed onto the masses.

I'll happily stick with Oregon's system of voting by mail, thanks.

/P

[n3td3v]

it don't matter if you vote by mail, because if the government want to rig the election they rig the electronic side of it and not the mail side. cheers.

[Penguinisto]

Indeed - any election can be rigged with enough effort. But again, there are systems that are more secure than others. The existing optical scanners are monitored by both parties and require a lot of people to agree towards breaking the thing in one direction or another. Too much conspiracy required, and too much work.

OTOH, the touch-screens can be broken by the simple act of inserting a USB key (and in some models, by sitting in the parking lot with a WiFi connection).

/P

[ClaBR]

Brazil uses electronic voting for over 10 years. It's a standard voting machine, simple and the same in the whole country.

The system is secure (very, very few cases of fraud) since every single voting machine has a digital signature to prevent tampering, reliable and fast.

On Oct, 25th, we had elections for mayor on all cities in the country. The voting ended at 5 pm and counting started shortly after. By 9 pm, almost all of the 100 million votes were counted. The results for each voting machine, each of the thousands around the country (totals only, since identifying each individual vote is impossible since the information is not stored) can be seen online for anyone to verify.

[mooney101]

What is sad is that we can't vote online yet. Its ridicules! I know there is a way that it could be done correctly maybe an online from you had to fill out then send in ID for confirmation or something but either way this should be the way voting is done. This is suppose to be the future.

[timeforchange]

If electronic voting machines have no paper receipt we will not be able to verify whether or not someone is tampering with the vote. Just to note this is the only device made by 'Premier Election Solutions, previously known as Diebold' that doesn't produce a paper receipt. As a software programmer I say let's go one step futher and go back to using paper ballots with optical scanning devices. Otherwise kiss democracy goodbye.

[chash360]

There is a great way to ensure accurate electronic voting involving a 2 step process. Develope and use an electronic voting machine, that you record your vote on, at an official polling place. Each machine is equiped with a GPS device, that records your individual votes, and exact time and location with each vote, but no personally identifiable information. This information gets encrypted with and stored on the device at the polling place, and is NOT transmitted over any network. It is NOT EVER hooked up to any network whatsoever. You have the option of retaining an electronic record of your own vote, on your own memory device (only while voting), and obtaining a printed reciept with a unique anonymous vote serial number. The solid state memory devices that votes are recorded on are then switched to a read-only state when full and transported by official voting officers, for upload and initial counting. The key here is that at the polling place the device can only write records, at the central uploading place they can only be read. The second step is to be able to review online (after the upload) that your vote was recorded and counted accurately using either your stored vote on your memory device, or the vote serial number the machine gives you. With this second step you verify your vote, and only verified votes are counted towards the official vote. For those without internet access the ability to verify your vote by phone using the serial number would be an option, or go to a library, or maybe even having verification stations at the polling places (you would need to come back the next day). The verification process can be repeated, for re-counts, each verification or invalidation of a vote also being recorded with a date-time stamp. By using GPS location and time, you are garrenteed a unique vote (and serial number, without networking), with a reasonable level of confidence its not tampered with (only you know where and when you voted, not some would be vote rigger). The statistics of validated or invalidated votes by demographics, could be viewed by the voters as well. As a method of further testing and verification voting officials would periodically enter 'dummy votes', enough that they would exist on every memory device containing real votes, that would be verified that they were never validated (to prevent blanket validation or invalidation of votes, through electronic means.) Another possibility is to allow you to record your vote, on your own memory device before hand, in a standard controlled format, that you upload at the polling place for faster turnaround. This would allow you to take your time with all of the issues, measures and canidates at home instead of pondering it at the poll (which is the great thing about Oregon's vote by mail). Having solid state memory devices that are locked to readonly when they are full, that are secured by voting officials, offciers, etc. is almost as good as the paper record, without the bulk, and energy required to do hand counts (not to mention materials required). Votes would be contiguous on the devices, such that if a faulty device is discovered (defective memory sectors, etc. failures happen....) announcements could be made that people who voted here, at such and such time, can recast their vote due to faulty device (provided they have their serial number to prove they were affected).

The extra hassle and time of verfied votes is worth it, to have a secure democracy. It can be done in a trustworthy way, if it were not for those in power and money who wish to continue as such, were not so easily corrupted by that very same power and money.

As someone who has worked in the tech sector for 15 years, I find it interesting that our voting systems do not have the same level of redundancy and accountability as that required by many businesses.
Having started working in the financial sector, where compliance was required by SEC regulations, to designing and implementing fail over capabilities for many firms, to SOX and HIPPA compliance rules, how is it that our voting systems do not have many of these features?
The simple ability of having a paper trail to audit when systems fail or questions of fraud arise, seems not only reasonable, but commonplace in the business world but not for one of our precious rights, the right to vote?
The time to change this is now before questions continue to arise about the validity of our elections.
I would volunteer my time to help establish a public commission to design systems of accountability in order to correct this problem. Our democracy needs our help in order to address these issues.

[JohnMcGrew]

What I don't get is how so many people honestly expect government to handle their health care, fix the economy, pay for their retirement, and impliment an alternative energy strategy when they can't do something as simple as run an election.

[declan00]

Never underestimate the power of magical thinking?

[Giovaninna]

Regardless of who wins or how close the margins, electronic voting machines should never be used in lieu of paper ballots -- especially if their source code is "proprietary" and they leave no "paper trail."

What's even more ridiculous (and outrageous) is that the media are FINALLY getting around to shining a spotlight on this issue SIX YEARS after the so-called Help America Vote Act was passed, and on the eve of such a crucial election! NOW they tell us (the American people) there are problems? Well, DUH!

The reason so many people have to stand in line for hours to vote is that voting machines -- especially electronic ones -- are far more expensive than paper ballots and little privacy cubicles
and that voting machines -- especially electronic ones -- break down a lot. If you have 10 to 20 people voting at once on paper in their little privacy booths, the lines will move at least 5 to 10 times faster than if you have only one or two operative machines at that polling pace.

Worse yet, the "results" that come from a "count" of votes from an electronic machine are inherently unverifiable.

Nobody would dream of doing bank or credit card transactions where you had to "trust" whatever the bank or credit card company said were your debits and credits, with no receipt or other ways of verifying their accuracy. Why on earth are we letting our elections be handled like this?

Giovannina

[DLWilson61]

I am all for accountability and protection against fraud but I also believe we need to join the 21st Century. I am a firm believer in using internet voting. We have access to the necessary security protocals that we didn't have even several years ago. With a majority of American families having at least one computer in the home with internet access, Access from work could be possible or even a local library. With todays technology why aren't we utilizing this approach. This could accually save the government some money in the long run because they would not have to pay for the blasted e-voting machines that people don't seem to trust.