After a presidential election eight years ago that seemed like it would never end, politicians pledged to prevent a second round of hanging chads, manual recounts, and U.S. Supreme Court arguments. The idea was to spend up to $3.9 billion to replace punch card voting machines of the sort that Florida accidentally made famous.
By including strict requirements that newly purchased machines "be accessible" to blind and disabled voters, Congress all but mandated electronic voting machines with touch screens. But Washington politicians--not known for their tech-savvy in the best of times--neglected to include even rudimentary security and verifiability requirements.
Call it an expensive lesson in the law of unintended consequences. That decision led to the widespread adoption of touch-screen machines, and as Election Day 2008 looms, greater concern than ever before about the machines' security and reliability. Some states responded by mandating voter-verified paper trials. Others, worried about programming errors or malicious Election Day hackers, have decided to ditch the devices entirely.
When signing the so-called Help America Vote Act (HAVA) in October 2002, President Bush claimed that it was "carefully considered" and predicted "the legislation I sign today will add to the nation's confidence."
Not quite. Ohio Secretary of State Jennifer Brunner has since requested that counties switch from e-voting machines to old-fashioned paper ballots. In April, Iowa's governor signed a law that mostly ditches touch-screen machines in exchange for paper ballots read through optical scanning. Maryland is reverting to paper as well.
No wonder that The Simpsons television show, that useful barometer of popular culture, lampooned e-voting machines in Sunday's Halloween special. (Homer tries to vote for Barack Obama instead of John McCain. The obstreperous machine responds by attacking him.)
The shift back to paper comes amid a deluge of criticism of touch-screen systems, mostly from computer scientists and even grandmothers-turned-activists. It's difficult to capture the depth of the concern that has swept the ranks of often-cloistered academics, starting with theoretical concerns at the time HAVA became law and ending with biting critiques once the machines' actual hardware and software have been analyzed.
One 334-page report (PDF) commissioned by the Ohio secretary of state and written by researchers at Penn State and the University of Pennsylvania lists scores of vulnerabilities in systems made by Election Systems and Software (ES&S), Hart InterCivic, and Premier Election Solutions, previously known as Diebold.
"All of the studied systems possess critical security failures that render their technical controls insufficient to guarantee a trustworthy election," the researchers wrote. They reached that conclusion after evaluating the source code and finding ways that an attacker could insert viruses, erase logs, produce incorrect vote totals, or block some or all voters from voting.
This follows a top-to-bottom review in 2007 of California's voting systems conducted by University of California computer scientists for the state government. They reached similar conclusions as the Ohio researchers did, noting that viruses inserted in one machine (by, for instance, a voter inserting a memory card) could "spread throughout the voting system."
No wonder that California Secretary of State Debra Bowen gave a speech at a computer security conference in July titled: "Dr. Strangevote or: How I Learned to Stop Worrying and Love the Paper Ballot." (After the report she commissioned came out, Bowen decertified the voting equipment that was analyzed unless substantial security enhancements were made.)
To be sure, manufacturers of voting machines stress that the problems that have been identified are either overly theoretical or have been fixed with hardware and software updates. They also argue that that there has never been a documented case of a successful attack against an electronic voting system.
In the 2004 primaries, for instance, which represented the first real test of e-voting, no major glitches were reported. An error in Ohio in November 2004 favoring Bush was nowhere near substantial enough to affect the outcome of the election. Problems in November 2006 were more minor than major.
In addition, some researchers, like Carnegie Mellon University's Michael Shamos have claimed that the push for voter-verified paper trails on touchscreen machines is misguided and may serve to thwart more promising research in the area.
This year, with millions of voters casting their votes early, scattered reports of electronic voting machine problems have already cropped up in states like Florida and West Virginia.
Most of these problems are the result of "vote flipping," or touch-screen parallax--when the spot the user looks at does not match up with the part he or she touches. This is a result of the way the screen appears due to the machine's light source or due to the angle from which the voter is looking at the machine. It's the sort of problem that is most likely to impact younger and older voters--those with the least experience with computers and touch-screen technology.
"It turns out you can engineer around this," said David Wallach, associate director for Accurate, which stands for "A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections."
For instance, Wallach said, ATMs have large buttons with ample space around them.
"Our voting machine vendors haven't figured this out yet," Wallach said. "The technology is fundamentally designed wrong in terms of the hardware, software, and ballot layout."
While the machine vendors have yet to address this problem, the poll workers can at least mitigate its impact by calibrating the machines on a regular basis. The nonprofit Verified Voting Foundation sent a joint letter last week to 31 secretaries of state across the country to have poll workers double-check that Premier machines are properly calibrated (there can be a conflict with antivirus software). While the problems reported so far may be anecdotal, Verified Voting President Pamela Smith said the problems are significant because voters could lose confidence in the system.
"It's so disconcerting to the voter," she said. "You're all excited about your choices, and then it shows somebody else's name--that's the thing we want to avoid at all costs because it casts doubt," she said. (See this video of a buggy voting machine in West Virginia.)
To keep track of voting problems, Verified Voting collaborated with the Electronic Frontier Foundation to launch Our Vote Live, an open-source project that records election-related problems called in by voters. The site categorizes the problems, lists them in a variety of ways, and provides information about what voting equipment is used in each state. The voting equipment problems recorded so far on the site are far outnumbered by reports of registration and absentee voting problems.
While the problems may not be widespread, they persist largely because the standards for voting machines set by the Election Assistance Commission (EAC) are voluntary, Wallach said.
"This is a deep problem that the voting system industry has been underregulated," Wallach said. "To the extent that there's a certification and testing process, it hasn't been a very stringent one."
Even though new standards were developed in 2005 and 2007, all voting machines in use today are only certified to the 2002 standards, according to Wallach.
Meanwhile one of the five independent U.S. centers that tests voting systems, SysTest Labs in Colorado, lost its accreditation with the EAC on Thursday for its "failure to create and validate test methods, improper documentation of testing, and unqualified personnel," according to the EAC.
A handful of bills have been introduced in the 110th Congress to address voting machine problems, but none have passed. A failed bill introduced in the House this year would have reimbursed jurisdictions for the cost of paper ballot voting systems to be used in the November elections, as well as the costs of conducting audits or hand counting the results of federal general elections. Legislation was introduced in 2007 in the Senate and the House that would have amended 2002's Help America Vote Act to require a voter-verified permanent paper ballot--something endorsed by Verified Voting. But the legislation never made it out of a committee.
A return to paper
Maryland's solution is to start using paper ballots in 2010, even though it will continue to pay for its $65 million electronic machines through 2014. Wallach said this was the right move. Recent studies (PDF) have shown paper ballots to be "the great equalizer," as Wallach put it.
"No matter your age, income or education, people are uniformly competent at filling in bubbles," he said.
The way paper ballots work is simple: a voter enters the polling place and is verified as able to vote. He or she is given a blank paper ballot, which is filled in with a pen or pencil. The ballot is then read by an optical scanner, either at the time of voting or at the local government office at the end of the day.
"Even though the paper scanners are just as much of a security disaster (as electronic machines), you've still got the paper, so you can conduct audits," Wallach said. "With electronic voting machines, you don't have that fallback."
Thirty-one states now require a paper record of every vote, according to Verified Voting. That's a great improvement from the seven or eight that had such a requirement in 2004, Smith said. Both Democrats and Republicans have taken up voting reform, she said.
"Some people think the voter-verified paper ballot is a one-party issue, but that's not the case," Smith said.
While many states are trying to preempt any major problems, some public interest groups are taking legal action to compel states to do more. A federal judge on Wednesday agreed with the National Association for the Advancement of Colored People that the polling places in Pennsylvania must distribute emergency paper ballots when 50 percent or more electronic voting machines become inoperable.
On October 23, the NAACP joined the Election Reform Network and a group of individual voters in a lawsuit against Pennsylvania to compel it to change its protocol. Previously, the state would have provided paper ballots only if all machines had broken down, even though some precincts only have two machines to begin with.
Smith said a state like Pennsylvania could create the perfect storm for voting fiascos: the state has not conducted early voting, many areas do not have paper records, and as a potential swing state, Pennsylvania's votes could prove to be critical.
"You're compressing all your pressure on the system into that one day," she said. "If machines break down, what will happen?"
This article was co-authored by CNET's Declan McCullagh and Stephanie Condon.