Shamos: Why e-voting paper trails are a bad idea
Carnegie Mellon's Michael Shamos, pictured here in his home in Pittsburgh, says that paper trails are hardly the solution to worries about the security of electronic voting machines, and when mandated by law, stifle further research.
(Credit: Declan McCullagh/News.com)
PITTSBURGH--Many computer scientists have been arguing for years that electronic voting machines absolutely must sport paper trails that can be verified by the voter and subsequently used in manual recounts.
It's a formal policy position of the U.S. arm of the Association for Computing Machinery, the professional organization of computer scientists. Stanford University's David Dill even created the pro-paper-trail Verified Voting Foundation and has co-authored an article for us that argues against Internet voting, too.
But support of paper trails is not unanimous. Michael Shamos, a professor of computer science at Carnegie Mellon University who teaches an e-voting class and has been a consultant to the Pennsylvania government since 2004, believes that electronic methods of tabulating votes actually tend to be more secure than paper-based ones.
In addition to reviewing the source code of some electronic voting systems under nondisclosure agreements, Shamos has been an e-voting consultant for Texas and Nevada. An April 2004 paper he wrote says that e-voting systems do have risks but paper isn't the answer (and suggests alternatives). In it, he quips that out of a million or so computer scientists and mathematicians, only 100 or so have signed a statement calling for paper trails; it drew an angry response posted at Verified Voting's Web site.
I sat down with Shamos on Friday at his home near Pittsburgh's Shadyside neighborhood, a few blocks from campus, to talk about e-voting and the Pennsylvania primary that is scheduled to take place on April 22. Following is a lightly edited (I abbreviated some of my questions and some of his answers) transcript of our conversation.
Q: How many different e-voting systems does Pennsylvania use?
Shamos: The number of different systems we use in Pennsylvania has gone down one because one was decertified. We're down to 9 or 10. We have one of the most diverse voting systems of any state in the country. We have only 67 counties.
It means that if you were to mount a statewide manipulation, you couldn't do it. There's some security in numbers.
How many voting machines in Pennsylvania produce voter-verified paper trails?
Shamos: We don't have paper trail systems in Pennsylvania. Please don't use the term "paperless." It's a construction of the advocates and it's false and misleading. They're not paperless. They just don't produce a contemporaneous paper that the voter can view.
The word "paperless" is really insidious. The word "less" is meant to imply that they're thereby missing something. Whoever decided to come up with the term "paperless" deserves a left-handed prize for their imagination. It's wonderful for them. Paperless.
Would you agree that a paper trail is important?
Shamos: I wouldn't agree to that. No. Why is it important?
Should I try to answer that?
Shamos: You'll give me an answer. It won't be a good answer.
If you have voter-verified paper audit trails, voters can actually look at a physical representation of their cast vote, which provides a check against election fraud or malfunction. Without that paper trail, an intentional or unintentional glitch in the machine can skew the election and not be detected.
Shamos: The theory of the voter verified paper trail is that, at the time the voter is in the booth, the voter sees double. They're assured that their correct choices are recorded on the physical medium. Regardless of what's on the machine, it's on the paper. The paper drops into the box, nobody has any clue what's in the box, how many pieces of paper are going to be added to the box, subtracted from the box.
Every manipulation of elections that's been proven has involved the manipulation of paper.
And in every election, we see paper ballots that don't match up. It's much worse with paper trails. This creates a severe legal problem in states where the paper trail is the official ballot, Ohio for example. Such states always ignore the law. They have to ignore the law. Twenty percent of paper trails (tend to be) missing or illegible.
If they're a computer printout, why would they be illegible?
Shamos: The real reason is that the printers are made in China and as you saw recently with Ed Felten, they can't even produce legible numbers. They're crap.
(Often what happens) is that it jams and the printer overprints. The voters don't notice because they're not used to this. Another thing that happens is that the bag (of printouts is returned and can be manipulated).
Over and over again, some number around 20 percent doesn't exist or can't be read. What the law requires is that the electronic count, presumed accurate, must be discarded, and 20 percent of the electorate must be disenfranchised. Yet advocates claim that a paper trail is the most reliable mechanism. How can it be reliable if 20 percent is lost?
I'm not saying you can't make a reliable paper trail. You can use ATM technology. The reason we don't use ATMs is that they cost 10 times as much as voting machines.
The Holt bill failed. If it hadn't failed, it would have outfitted these (voting machines) with cheap printer parts. You won't hear that from the advocates. They will never admit that a paper trail machine loses votes.
When you say "advocates," who or what do you mean?
Shamos: Let's start with VerifiedVoting.org. And we can go all the way to the EFF and the League of Women Voters. There are numerous organizations that have taken the position that paper trails are the only way to safeguard elections, no matter that they lose 20 percent of votes.
Let's assume that 100 percent of voters verify the paper trail, though experimental numbers are closer to 8 percent. How are we going to make use of the paper trail? One is with an audit (that looks at statistical sampling and discrepancies). But if a discrepancy is found, we will not accept any of the electronic totals. That works, assuming that all of those pieces of paper got created correctly, and are subject to the same kind of security safeguards that the advocates insist on for electronic machines.
The problem is that when you vote electronically, multiple copies of your ballot image are recorded in memory. (Once a memory card is removed it becomes virtually impossible to tamper with.) Those systems are perfectly safe from after-the-fact tampering. They may not be safe from before-the-fact tampering.
Compared to paper and its vulnerability to after-the-fact tampering?
Shamos: I'm not advocating that we blindly trust machines. We have to have a way to make sure the (record is correct). If anything happens to that piece of paper, if it gets substituted or lost, there's absolutely no way to reconstruct the election. That's unlike an electronic system, where if one memory fails you have the other.
The security on ballot boxes is much lower than the security on voting machines themselves. In order to do anything with those pieces of paper, they have to be handled by people. What do you think happens?
If I want to screw up an election, all I have to do is modify five votes. Then we have to do a manual recount (which is vulnerable to tampering and ballot-stuffing).
One way to address that problem is to use some kind of cryptographic mechanism, like a digital signature, on each piece of paper.
Shamos: You have stated that one can put various cryptographic codes on the ballots to ensure their authenticity. The fundamental problem is that they're not human-readable.
When someone votes for Hillary, it prints out an invalid bogus code. We put it under a scanner later.
You could have a second machine created by a second manufacturer that validates the digital signature on a ballot.
Shamos: The voter could go over to a second machine and say, yes or no, this is a valid ballot. Then the (person who wants to throw an election) goes to the second machine and tampers with that component, too.
The fundamental difficulty with paper trails is that they're ridiculously kludgey. The problem is that once you mandate paper trails, it cuts off research. There would be no reason to use anything else because it would be illegal.
Only in the United States, or in one jurisdiction.
Shamos: What we really want are end-to-end verification systems. I want to be able to tell that my vote was counted. These paper trails do not provide end-to-end verification. No serious manufacturer is working on end-to-end verification. We're not making any progress toward that end except in the theoretical journals. Why? Because the idea of paper trails has completely gummed up the works.
We're going electronic. The next generation is convinced they're going to vote from their cell phones. (It's going to happen.)
The real problem is reliability. The systems fail. Furthermore, the code isn't good. The code is riddled with bugs, most of which don't affect the accuracy of the tally. But we don't know when those conditions occur.
Does that mean you're suggesting that we should be voting from insecure home computers even if they're running Windows 98?
Shamos: I can point you to a mechanism (in a paper by Avi Rubin and Dan Wallach) that would allow secure voting on insecure terminals. The notion that the Internet is just not secure enough to do anything important is just wrong. It's not insurmountable. The right people aren't thinking about it because you gotta have a paper trail.
Do you think an increasing number of your colleagues are coming around to your point of view?
Shamos: No. I wouldn't expect them to. (They may be very good technologists, but) they don't know anything about elections. They don't know how votes are counted.
Does that mean that you think that some of the fuss over Diebold is overblown?
Shamos: The equipment is not as reliable as it should be. The software is not designed as well as it could be. The manufacturers are secretive. I've been involved in a number of source code audits of voting systems and these audits always produce a huge list of vulnerabilities. I've never found bugs that interfere with the integrity of an election. But you don't want them there.
(Take the case of the reported problems with the Diebold GEMS tabulation system). I don't think it's utterly fatal to electronic voting machines in the United States. What the advocates will tell you is that that bug is just the tip of the iceberg and if they were granted access to the source code, they would find more. I would agree with them on that.
If the codes were published, there would be a period of time when these vulnerabilities would be found--a lot of buffer overflow errors--and then they would be fixed. And everyone would know it's fixed.
The naysayer thinks it's throw-the-election-to-Republicans code. That's not there. It's horrible spaghetti code, lack of software engineering. These things have to satisfy every quirk of the voting laws in all 50 states.
So you're saying it's easier to hack an election with paper ballots than it is with electronic ones?
Shamos: I say, and the advocates are forced to admit it, that there's never been any evidence that a DRE machine has been tampered with in an election. They say that doesn't mean it never happened. I agree with that. But I believe deeply that if people were out there trying to hack elections we would see evidence of failed attempts.
To believe that, in the absence of evidence, means that the first person who hacked an election got it right. Remember Robert Tappan Morris and the Internet worm? I would get worried if we start to see systematic evidence (of increasingly robust) attacks. But we've never seen any of those. That's what consoles me. I have to believe that a really improbable event did not occur: that someone found the perfect hack the first time.
Isn't it optimistic to think that officials and auditors will necessarily be able to detect the first real attack on e-voting machines?
Shamos: Technology is always required in elections. The days of the hand-counted ballots are over. You can design technology in a way that makes the problems readily apparent or that they're disguised. My position is that when a problem is found, it's an engineering problem.
When a bridge collapses, do we outlaw bridges or do we inspect bridges of similar design? If the design itself is fundamentally flawed, then those bridges are going to have to be taken out of service and rebuilt. If there's a fix, however, you can add a bracing member.
What's happened (in discussions of electronic voting) is that a strong, loud populous advocacy voice said "We are computer scientists and know quite well the vulnerabilities of electronic voting systems and those vulnerabilities are so severe that the democratic process is at risk." I don't think those conclusions are justified.
Declan McCullagh, CNET News' chief political correspondent, chronicles the intersection of politics and technology. He has covered politics, technology, and Washington, D.C., for more than a decade, which has turned him into an iconoclast and a skeptic of anyone who says, "We oughta have a new federal law against this."



ANSWER THAT QUESTION "How can voting machines tabulate NEGATIVE votes?"
Watch that movie by that grandmother who went looking for answers.
As a computer scientist myself, I would know how to rig the computer to display different results.
IT'S NOT SECURE!
But if you were left alone with a Ballot Box, all you would have to do is fill out some extra ballots and stuff them in. Which do you think is an easier way to rig an election?
error. Someone used a signed int when they meant to use an
unsigned one.
Remember what Joseph Stalin said..."It doesn't matter who votes that counts. It's who counts the votes."
While you may want to trust the vote counters, you should watch them closely, and you should always have an audit trail!
Things that happen in the machine are a mystery to voters and so many things can go wrong that are never made public. Until an e-vote system has been used for a long period and validated, I think the machine readables should ALWAYS be counted after the election and made public to confirm.
Sure there are problems with paper, but most of these things are later discovered. If a machine is altered or compromised we would never know for sure.
> mystery to voters and so many things can
> go wrong that are never made public.
I say, count actual ballots by hand. I can wait a few days for the results.
Why machine readable when you can't trust the computer in the ballot scanner/counter any more than the one in the machine that created the ballot? We need a paper trail that doesn't require insecure machines at any point in the vote.
I GUESS WE CAN NOW TRUST OTHER PEOPLE TO NOT BE DISHONEST CRIMINALS!
BECAUSE THIS IDIOT SAID SO.
I DON'T KNOW ABOUT YOU PEOPLE, BUT I'M GOING TO RIP UP EVERY RECEIPT AND FINANCIAL RECORD I HAVE. BECAUSE NOBODY WILL EVER, EVER, THINK TO USE MY LACK OF PROOF AGAINST ME.
from here with responses like these.
If "paperless" is wrong, word and deed, then what *is* right? What's his proposed solution?
(that said, he is a brilliant scientist when he sticks to his field.)
You are also right that Ohio had more votes than they had people registered to vote in the last election, but afterwards they found out a lot of that was because people were showing up to vote and register at the same time they were voting.
bridges of similar design?"
An interesting analogy. When a bridge collapses, everyone saw it, everyone can comment on it, everyone can discuss what happened & make sure it doesn't happen again because it is in the public view. The bridge designer & builder don't claim that trade secret laws are violated by independent review.
http://www.nj.com/news/index.ssf/2008/03/voting_machine_maker_threatens.html
Voting machines in their current form are built by secretive companies with possible political agendas of their own, with no independent review of machine or code. The people have no way to verify that the machine accurately counted their vote, and an election wasn't stolen at any point in the process. I agree that one day a verifiable paper trail may be unnecessary, but we're not there yet.
If you haven't seen the movie, "Hacking Democracy," you need to. The current election system is broken.
http://www.hackingdemocracy.com/
paper ballots are counted creates a very near 100% accuracy for vote counts. The electronic machine have shown IN THE FIELD to be highly inaccurate.
This is just propaganda. One of the longest and most detailed reads I have ever seen on CNet. I WONDER WHY!!! NOT!
"very near 100% accuracy" ????
They are actually holding up the 'new' system to a standard higher than the old system.
Let's look at old fashioned paper ballots. As an example, we can use the pin punch paper ballots of hanging chad fame.
I vote on such a ballot. Then I pull the ballot out and look at it. I can't verify that my vote is correct. I have a piece of stiff paper with a bunch of holes in it. There is no way to know easily what each of those holes means.
Now, I walk the ballot over to a box where I insert it. I have no way of knowing if my vote actually was counted. It's not just the infamous hanging chad. I've read stories about boxes of ballots that are found weeks after the election.
Furthermore, ballots are designed to be anonymous. That means that I can never find my ballot again after it is put into the system. If a random poll worker decides to substitute a bunch of ballots with votes for the green party I'll never know it. There is no 'audit trail'.
Let's say that a voting booth gets something stuck in the ballot slot so that the ballots don't align correctly, or the pages with the actual candidate names or issues are incorrectly printed or aligned on some number of machines. Once the machines are torn down all we have is a bunch of paper cards with holes. There is no way to know what the voter actually intended to mark on the ballot.
I am not saying we should accept shoddy programming filled with open back-doors. However, you should not believe that delaying the roll out of electronic alternatives means that the practice we use instead (paper) is any more secure or reliable.
Furthermore, I believe we have a lot of issues to cover before we are ready to go full bore into full electronic traceability. Today, the privacy of our vote is a fundamental factor in the voting process. Let's consider the abuses that can occur if we supply 'proof' of voting.
This proof could actually be used as coercion to force voters. Let me give several examples:
- A patriarchal culture, one where the father is the head of the household. Dad insists that everyone votes for XYZ candidate and votes against referendum ABC. Mom and the young adults must show their voting receipt.
- A religious cult. The head of the cult insists that everyone vote only his way.
- Union members pressured to vote the party line.
The point is that when votes become personally traceable and visible they also become subject to external pressures and manipulation. There is a reason that voting booths are designed with privacy.
Whether it is a paper receipt or the ability to verify your vote on the internet -- these paper trail suggestions threaten to fundamentally change the voting process.
Likewise, absentee ballots, cell phone voting, and internet voting may mean that our voters are casting their ballot with some authority figure watching over their shoulder.
I propose that the proper question is not whether electronic systems are vulnerable. It's which system that is available to us today is safest, most reliable, most efficient. And for tomorrow, we should consider which system can be improved to meet similar concerns. However, in our debate over the future we need to address the social issues and pressures of voting. First figure out if we really want to change the fundamental principle of a private ballot before we redesign the machines.
With a paper system, you can review them and get at least a close count.
With the closed electronic voting machines, the results can be anything with no way to verify.
Paper ballots are not perfect but they are hands down better then closed e-voting machines whose company CEO's give candidates assurances that they will be elected.
Perhaps a voting machine that uses open source code would be more secure. There's nothing like a million eyes on the code to find the flaws.
We should also try to simplify our voting processes. After all, it's a very simple task we're trying to perform. Vote from a multiple choice list: add up the votes. If it's more complicated than that, we're doing something wrong. It's not like trying to do your tax returns (which by the way I do using software every year with great success).
The real problem with elections is guaranteeing that only those eligible to vote are voting and voting only once. We've got to find some way to stop those dead people from voting :-).
Seriously, why does this guy have to make things so complicated. I've been doing computer engineering for almost 20 years, and this is just typical. All of those touch screen systems are a result of an over-engineered solution to a simple problem. And those optical scanning systems? The first time I ever voted (in 1990), they were already in use....
I trust a secure computer system that can produce an instantaneous count far more than I trust a bunch of political government workers and observers to tabulate an election.
This still leaves us with the problem of verifying that only those who are eligible to vote are voting and voting only once.
How much did Karl Rove pay this guy, I wonder.
able to have a HARD copy of my vote is a bad idea? Right. This guy even looks like a Republican and smells like a Republican. Why is it only the Republicans that are fighting the paper trail voting, or paper ballot voting? I'll tell you why, . . because then they can't hack an election and flip the numbers in 3 minutes like they can on the Diebold machines. Shame on this guy for taking the American public for suckers, and SHAME on Cnet for giving this guy face time.
Stick to facts and on-topic ideas, please.
Dammit people, how long until the rank and file realize that the Neo-con goal is to create The Fascist States of America (or the United States of Halliburton). Bush... Cheney... Rove... now Shamos. Lie upon lie upon lie upon lie.
Republican shenanigans usurped the true winner of the 2000 election and gave us 8 years of the worst stewardship this country has ever known. Any semi-intelligent mammal knows the GOP rigged that election. Diebold is under the neo-cons' control, but we are supposed to trust that they will "do the right thing"? Bah.
Shamos, where'd you get a degree from? Bob Jones University? Bah, I say!
And boo to C-net for giving this crudball any patina of legitimacy.
There are those who want to preserve the status quo. This is because they want to rig the elections as they have in the past.
In the 2004 election in the state of Washington there was massive election fraud, particularly in King county. Measures were proposed in the state legislature to correct the problems, but the Democrats gutted the measures to preserve the status quo and kill any real reform.
My theory - Democrats want to preserve the current paper elections so that they can keep manipulating them and getting themselves elected by fraud. They're so afraid someone may take away the right of illegal aliens to vote - one of their main constituencies.
You want proof? Just look at our country today. The biggest voter fraud of all time occurred in Florida in 2000.
The GOP! Gutting the Constitution daily!
better straighten your aluminum foil hat -- illegal aliens are beaming stupid-waves at you.
need a paper trail.
Hacking Democracy
http://www.imdb.com/title/tt0808532
1. Security is not a fundamental problem with existing systems; reliability is a problem, rooted in poor engineering that Dr. Shamos refers to.
2. Security concerns are a fundamental problem. Once people see (or hear about in the press) that voting systems are flaky black boxes, people's personal experiences with PCs naturally lead to a concern that they could be hacked.
The real issue here is how to feasibly approach the ideal of a trustworthy election system, whether it is a pure paper system (known to be hard), a pure electronic system (plenty of controversy), or some mix.
More thoughts on the matter in a longer article in my blog:
http://osdv.org/blog/jsebes/security_problem
-- John Sebes, Open Source Digital Voting Project
Regardless of whether these machine are super-secure, (which I refuse to believe), one cannot ignore the impact of a dubious public, who has vast experience in having their own computers and devices hacked or compromised in some way. Even government website servers have been hacked. Of course, the claim is that sensitive information was never at risk. But, we (the public) wouldn't hear of any high security compromises or infiltrations -- would we?
These e-Voting machines were a bad, impulsive response to a bad experience in 2000. My sense is that these machines put our democracy at too high a risk. A different, non-computerized approach must be taken.
Then it does not matter how secure it is or if it can be hacked. Oversight needs to occur at the collection servers, that votes are being verified by the actual voters at unpredictable locations, at unpredictable times, and not by a script, or worm. Large numbers of invalidated votes or un-validated votes should be cause for alarm of tampering.
As long as only validated votes are counted, then vote tampering should be so difficult it would not be feasible to actually affect the outcome.
People talk about hacking which is a real threat... but how about intentional reprogramming by the gov?
Even paper trails are not enough
by jeffreylebowskijr April 21, 2008 6:21 PM PDT
How hard would it be to program a machine to cast a vote the way it's programmed to record it and deliver a receipt saying you voted differently (as you thought you did) but bar coded to be read as a vote for the pre-programmed winner?
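The exchange in the interview about putting cryptographic codes on ballots (Shamos's objection being that the code is not human-readable, so a second device has to check it) and the comment above about a receipt whose barcode disagrees with its printed text come down to the same audit step. As an added example that is not part of the original article and is not code from any voting system, the Python below builds a receipt with a human-readable part and a machine-readable part, then checks it the way an independent device would: first verify the authenticator, then decode the machine code and compare it to the printed selections. The receipt format, the contest and candidate names, and the use of an HMAC standing in for a public-key signature are all assumptions made for this illustration.

```python
"""Receipt cross-check: does the machine-readable code on a printed
ballot receipt say the same thing as the human-readable text?

Added example; not code from any voting system.  The receipt format,
the field names and the use of an HMAC (standing in for a digital
signature) are assumptions made here for illustration.
"""
import hmac
import hashlib

# Constructed demo key.  A real deployment would use a public-key
# signature so the checking device holds no secret that could forge receipts.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical_payload(selections):
    """Canonical machine-readable form of the selections: sorted contest=choice
    pairs joined by ';'.  Sorting makes the encoding deterministic, so the same
    selections always produce the same authenticator."""
    return ";".join(f"{contest}={choice}"
                    for contest, choice in sorted(selections.items()))


def authenticate(payload, key=DEMO_KEY):
    """HMAC-SHA256 over the canonical payload (stand-in for a signature)."""
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def print_receipt(selections, key=DEMO_KEY):
    """What the voting machine prints: human-readable lines plus a
    machine-readable code carrying the encoded selections and an authenticator."""
    human = "\n".join(f"{contest}: {choice}"
                      for contest, choice in sorted(selections.items()))
    payload = canonical_payload(selections)
    machine = f"{payload}|{authenticate(payload, key)}"
    return human, machine


def parse_human(human_text):
    """Read back the printed 'Contest: Choice' lines the voter saw."""
    selections = {}
    for line in human_text.splitlines():
        line = line.strip()
        if not line:
            continue
        contest, _, choice = line.partition(":")
        selections[contest.strip()] = choice.strip()
    return selections


def parse_machine(machine_code):
    """Split the machine-readable code into payload, tag and decoded selections."""
    payload, _, tag = machine_code.rpartition("|")
    selections = {}
    for pair in payload.split(";"):
        contest, _, choice = pair.partition("=")
        selections[contest] = choice
    return payload, tag, selections


def check_receipt(human_text, machine_code, key=DEMO_KEY):
    """Audit a receipt on a device independent of the one that printed it.

    Returns (status, detail).  Status is one of:
      'OK'        authenticator valid and both representations agree
      'BAD_TAG'   authenticator invalid: the code was altered or damaged
      'MISMATCH'  authenticator valid but the code encodes different choices
                  from the text the voter read; detail maps each differing
                  contest to (printed choice, encoded choice)
    """
    payload, tag, machine_sel = parse_machine(machine_code)
    if not hmac.compare_digest(tag, authenticate(payload, key)):
        return "BAD_TAG", {}
    human_sel = parse_human(human_text)
    diffs = {c: (human_sel.get(c), machine_sel.get(c))
             for c in set(human_sel) | set(machine_sel)
             if human_sel.get(c) != machine_sel.get(c)}
    return ("MISMATCH", diffs) if diffs else ("OK", {})


# Constructed sample receipts (fictional contests and candidates).
HONEST_SEL = {"President": "Candidate A", "Question 1": "Yes"}
HONEST_HUMAN, HONEST_MACHINE = print_receipt(HONEST_SEL)

# The comment's scenario: the printed text shows what the voter chose, but
# the machine encoded (and authenticated) a different choice.
_, RIGGED_MACHINE = print_receipt({"President": "Candidate B", "Question 1": "Yes"})
RIGGED_HUMAN = HONEST_HUMAN

# A code whose payload was altered after printing, without the key.
FORGED_MACHINE = HONEST_MACHINE.replace("Candidate A", "Candidate B")

if __name__ == "__main__":
    for label, h, m in [("honest", HONEST_HUMAN, HONEST_MACHINE),
                        ("rigged", RIGGED_HUMAN, RIGGED_MACHINE),
                        ("forged", HONEST_HUMAN, FORGED_MACHINE)]:
        print(label, *check_receipt(h, m))
```

The three results separate two different failures. A valid authenticator only proves that the printer emitted the code, which is why the rigged receipt passes the tag check and is caught only by the comparison against the printed text. That comparison is worth something only if the checking device is built and controlled independently of the printer, which is the point Shamos makes when he says the attacker would simply tamper with the second machine as well. A real system would use a public-key signature rather than an HMAC, so the checking device holds no key that could be used to forge receipts.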
Now look, I'm not trying to be paranoid, but with what's at stake and with how easy it would be to game such a system (even within margins of error based on latest poll results), why on earth would we trust our democracy to electronic voting?
Criminy! Let me drop a red or blue marble in a box and count that way and I'll feel a ton safer.