Last modified: June 30, 2004 4:00 AM PDT
E-voting: Nightmare or nirvana?
The fight is being waged around the world--in legislative chambers and state agencies, on newspaper editorial pages and over the Internet--as voting rights advocates and computer scientists hash out the technology's merits and risks in an increasingly polarized debate.
Arguing against e-voting machines in their present form are David Dill, a computer science professor at Stanford University and founder of VerifiedVoting.org, a group that advocates mandatory paper-based audit systems for electronic ballots. Also arguing against e-voting is Cindy Cohn, legal director for the Electronic Frontier Foundation.News.com: David, electronic voting machines have been demonstrated to prevent people from voting for more candidates than they should. They've given many people with disabilities or language limitations their first chance at a secret ballot. And they've eliminated punch card ballots and their notorious chads. Why don't these real benefits outweigh the potential harms of today's e-voting machines?
To help navigate the digital electoral divide, CNET News.com invited four experts on e-voting to make their best cases for and against the technology.
Defending e-voting from a security perspective is Michael Shamos, a computer science professor at Carnegie Mellon University who has inspected and certified voting systems for Pennsylvania and Texas. Also defending e-voting, but from a civil rights perspective, is Daniel Tokaji, assistant professor at Ohio State University's Moritz College of Law.
Dill: The harms are not potential; they are real. The obvious harm is that no sensible person will have confidence in a system that cannot be meaningfully audited. Electronic voting in its current form is morally equivalent to handing over the counting of votes to private groups who count the ballots behind closed doors--and then destroy them before anyone else can do a recount.
Apparently, many people learned the wrong lesson from Florida 2000--that recounts are bad. The right lesson is that we need to be able to do good recounts. Electronic voting has the advantage for some--of eliminating the ability to do a recount altogether. To paraphrase (California Voter Foundation President) Kim Alexander, that's like eliminating fraud by eliminating the accounting department.
It is not true that we insist on auditable original records as a matter of course. Electronic banking (accessing your bank account over the Internet from home) produces no auditable records in the sense meant by David Dill. Yet 91 percent of banks in the United States offers online banking, and it is perfectly well-accepted. Let us not hear the old argument that you get a statement at the end of the month, so you will find out if something is wrong. You might indeed learn that something is amiss, but you will have no examinable records to prove your case.
Electronic voting has neither accountability nor recoverability
computer science professor
Dill: Mike's banking analogy supports my point. Why do people trust electronic banking? The first reason is that if customers are ripped off, they would know it. That's the old but very important point about seeing their bank statements. If there were major losses from electronic banking, it would be widely known.
Electronic voting has neither accountability nor recoverability. There is no way to determine if your vote was lost or stolen--and certainly no way to recover. It is like anonymous online banking with no receipts or statements, where the customer bears all the risk.
Dan, DRE opponents have assembled a long list of problems these machines have encountered in real elections. In California alone, the list is long enough, marring recent elections in San Diego, Orange County and Alameda County. Don't these malfunctions concern you?
It's certainly true that there have been problems in the implementation of electronic voting in some jurisdictions. But there's a disconnect between the problems and the solution that (Cohn) and some others propose--namely, requiring a contemporaneous paper replica (CPR) or, more euphemistically, voter-verified paper trail. The CPR wouldn't have done one bit of good for the PCM (Precinct Control Manager voting machines) that malfunctioned in Alameda and San Diego; nor would it prevent voters from being given the wrong ballot, as reportedly occurred in Orange.
There are things we can do to make electronic voting better. These include better certification standards, more thorough testing, better procedures and improved poll worker training. But the CPR is a solution for a hypothetical problem. (Editors' note: Diebold's PCM-500 is a computer smart card that brings up the appropriate ballot on the touch screen machine.)
Michael, what's wrong with the paper audit that so many e-voting critics propose? And shouldn't there be something at the end of the election for the purposes of a recount?
Shamos: Paper trail advocates consistently misrepresent the true purpose of a recount, which is to see whether humans have reported votes properly. It has never been a requirement--and still is not--that a voter record her preferences on paper so it can be recounted. Lever machines, for example, which were installed in New York City in 1925 to curb flagrant abuses of the paper ballot system, do not and have never produced any such record. A recount of lever machines consists of opening up their back panels and re-reading the counters, then adding up the votes again to guard against misreporting by precinct officials.
An occasional series on the controversy surrounding electronic voting.
Part 3: Evoting: Nightmare or nirvana?
Part 4: Global lessons in e-voting
If a DRE is working properly, it produces redundant ballot images that can be recounted ad infinitum. If the machine is not working properly, votes will be lost--no question about that. Whether a machine is working can be tested.
The reason I know that is that in absolutely every other walk of life where we use machines, we verify them by testing and inspecting them. If it were really true that computer systems couldn't be tested, we would be fools to rely on them for electronic banking, lotteries, medical imaging, launching nuclear weapons, etc.
The receipt issue is temporary. There are elegant cryptographic methods that enable a voter to be assured from purely public records that her vote has counted--yet without being able to prove that fact to a vote buyer.
Dill: Mike says recounts were only intended to detect human error. If so, it's because they haven't caught up with technology. Recounts are used routinely in practice to double-check systems where ballots are counted by computer.
Paper trail advocates consistently misrepresent the true purpose of a recount.
computer science professor
Mike says lever machines don't have a (voter-verified paper trail). True--and they have been tampered with, and they fail, losing votes irretrievably. Lever machines are not as bad as DREs for various reasons that I won't go into, but we should get rid of them.
Cindy, a practical question: Granted that electronic voting systems are not perfect, with the presidential election six months away, is it really wise to start requiring counties to implement voting systems that not only aren't on the market but don't have certification systems set up yet? Isn't the movement for paper audits imperiling the upcoming election with legal chaos?
The push for voter-verified paper ballots and more openness and independent research into voting systems are two ways to ensure that these machines make it to the place where they are actually ready for prime time.
There are already two systems federally certified that have (voter-verified paper trails), and Sequoia (Voting Systems) has one in the final stages of certification, so it's not the case that we need to rush things through. Nevada has asked for them and has been promised them from Sequoia by November. Optical scan systems are all certified, and they have built-in paper backups.
The e-voting debate increasingly divides groups claiming rights--those arguing for the right to have votes counted in a secure and verifiable way; and those arguing for the voting rights of the disabled and others whom traditional voting technologies have failed. How do we reconcile the competing demands of accountability and accessibility?
Dill: Optical scan systems can be made accessible by several methods. There is a device that provides a touch screen interface to optical scan ballots so that people with disabilities, non-English readers and others who cannot deal with the ballot directly can cast a private, unassisted vote.
Also, I just saw a system that prints optical scan ballots "on demand," via a printer in the polling place. A disabled voter can use the computer to fill out the ballot, so it is printed with the votes already on it. And low-tech cardboard templates and audio tapes are used by disabled voters in several countries with some success.
E-voting is vastly oversold, perhaps because so much money and effort goes into selling it. How successful are disabled and foreign-language voters at voting on these machines in real elections? From what I hear anecdotally (and I know of no systematic studies), results have been rather dismal. Paper is not going be our biggest problem in making voting accessible.
Daniel Tokaji, what's wrong with the system David mentions--where the voter uses a touch screen interface to print out an optical scan ballot? Isn't that better, for accessibility and accountability, than a direct recording electronic machine?
Tokaji: David suggests the possibility that jurisdictions could move to precinct count optical scan systems. While I agree that precinct count optical scan systems are an improvement over other paper-based systems, at least in terms of accuracy, they create problems of their own.
They don't provide the secret and independent voting that touch screens do, particularly for people with disabilities and linguistic minorities. Voters need assistance in using them--specifically in putting the ballot through the reading device and receiving instructions on what to do if the mechanical reader indicates an overvote.
Precinct count optical scans aren't generally programmed to notify voters of undervotes, especially on down-ticket races, since that would slow down the voting process too much--and put further strain on scarce poll worker resources. By contrast, touch screens not only prevent overvoting but also have a verification screen that easily allows voters to see whether they've undervoted on any race on the ballot.
From a voting rights perspective, electronic voting is better than the available alternatives.
There is a prototype optical scan system out there that supposedly allows visually impaired voters to vote independently. But as I think we can agree, experience teaches us to be skeptical of the claims made by voting equipment vendors. Not every system that looks good on paper works well in a real election environment.
Dan, what evidence is there that suggests that DREs help bridge the racial gap at the polling place?
Tokaji: As far as the social-science evidence goes, I don't think that there's any serious question that punch cards produce a racial gap in residual votes. Nor am I aware of any evidence that contradicts the Tomz & Van Houweling study's finding that touch screens virtually eliminate the racial gap that exists with punch cards and central-count optical scan systems--although there is evidence that precinct count optical scans reduce the racial gap as well.
I don't claim that electronic voting is perfect. No voting system is. There are clearly improvements that can be made, particularly when it comes to implementation. But from a voting rights perspective, electronic voting is better than the available alternatives--and certainly better than the punch card equipment that's still being used in many parts of the country.
Michael, a lot of the opposition to DREs stems from concerns that a voting company employee could easily tamper with an election, swinging just enough votes here and there to sway a close election without eliciting suspicion of fraud. Why isn't that a valid concern?
Shamos: DREs have been used in the United States for more than 20 years without any credible evidence of tampering with the votes. In 2000, they were used to count about 12 percent of the popular vote, and no one even whimpered, except for the usual percentage of losing candidates who are willing to latch on to any reason they might have lost except that the voters didn't want them.
The fact that some DREs have failed to start up properly or have failed on Election Day does not imply in any way that they are unsafe or have been tampered with. It is likewise difficult to see how they have been oversold over such a long time period. One of the few states that did not allow DRE voting in 2000 was Florida, and we now know how that turned out.
Dill: I've read about hundreds of anomalies with DREs. Not once have I heard of a competent independent investigation that produced any conclusions, one way or the other. There was no serious investigation even in the case where a machine in New Orleans was videotaped changing one out of three votes.
Candidates don't challenge elections on DREs in most cases, because asking for a recount is pointless. They'll just get a reprint of the vote totals. This says nothing about the veracity of the machines.
The bottom line is that we know almost nothing about what's really been happening with the votes in DREs in all those elections.
Michael, defenders and makers of DREs complain that they have to answer for hypothetical scenarios. But why shouldn't they have to do just that?
Shamos: You can't evaluate systems based on hypotheticals any more than you can fault security at Fort Knox based on the movie "Goldfinger." Just because a novelist can conjure up a scenario doesn't mean it's realistic.
Let's even suppose that someone is able to write software that alters an election subtly so that the pollsters won't notice. No one has ever explained how this software would get into the voting machines undetected, why the software would leave no trace and how things could be arranged so that no test whatsoever would reveal that anything is wrong--either before, during or after the election.
Many of those who maintain that DREs do not need voter-verified paper trails seem to be assuming a perfect electronic voting system and defending that.
Electronic Frontier Foundation
During the 20 years that I was a voting system examiner in Pennsylvania and 13 years in Texas, every vendor was required to reveal and deposit its source code with the secretary of state, and all the examiners got to review it.
Furthermore, archival copies were retained by the state. So if anyone ever made any alteration to the software, it would be detected. (The software that controls the launching of nuclear missiles is not public, but it is extensively reviewed by responsible officials.) However, this is a nonissue, since if you ask a DRE opponent if he would drop his opposition if the code were made public, he will say no.
E-voting: Generally refers to direct recording electronic (DRE) machines that let voters make a selection by touching a computer screen. Some DRE don't have touch screens; one uses a selection wheel.
Other equipment: An optical scanner reads voter-marked paper ballots. Punch card systems work similarly, except that instead of marking the ballot with a pen, the voter punches out a piece of paper called a chad.
Audits: E-voting critics are lobbying for some kind of paper record to accompany DRE machines. These systems are most commonly called voter-verified paper audit trails. Professor Daniel Tokaji at Ohio State University's Moritz College of Law refers to them as contemporaneous paper records.
Residual votes: A term that encompasses overvoting and undervoting. Overvoting occurs when a voter selects more choices than allowed, which typically invalidates the selection. Undervoting, or choosing fewer options than allowed, does not necessarily indicate an error, because voters routinely opt to vote on some questions and not on others. But undervotes raise questions when voters bypass high-profile, "top of the ticket" races.
Until someone gives a credible way to do it, we ought not to take the possibility seriously. The DRE opponents attempt to answer this by saying that they need not prove the systems are unsafe--it's up to the vendors to prove they are safe. But this is not the test that election law requires.
Dill: An inability to do audits is not a hypothetical problem. If a business is not keeping accounting records, it's a problem--whether there is error or fraud or not.
It is not hypothetical that DREs make recounts impossible. The ability to do manual recounts is a fundamental requirement. It allows election officials to show those disgruntled candidates, and everyone else, that the election results are accurate.
Empirical statistical analysis is not the right way to approach all science and engineering. It is often better to analyze risks rationally than to do the experiments and measure the results. I know better than to play Russian roulette--even though I'll only hypothetically blow my brains out.
Bugs are not hypothetical. They are ever present in computer programs.
With something valuable, it is also prudent to consider accidental loss or theft. Control of the government is valuable (even more valuable than the gold in Fort Knox), computer security is a lot harder than guarding gold, and I'd be willing to bet that the management of Fort Knox keeps careful accounts of deposits and withdrawals and counts the assets occasionally so they can tell if gold has been lost or stolen.
Contrary to Mike's assertion, many people have spent countless hours discussing ways to corrupt election software, and they've only scratched the surface. Computer security is hard, because you have to stop all the attacks, even the ones you haven't thought of.
One programmer at one of the large vendors could hide a change in the software. This hidden code could change votes between parties without knowing the specifics of elections. Or he could simply insert a "back door" by which others, such as technicians, poll workers, voters or guys outside in a van (if the machine has wireless capability) could customize election theft to whatever is on the ballot.
A small percentage of votes can be changed in plausible ways to evade statistical analysis (although I question whether it matters much--I haven't heard of any elections being overturned because the results were inconsistent with polls).
It is not necessary to erase the hidden code, because it can be made almost impossible to find, anyway (not that anyone ever tries), although erasing it would be easy. It is extremely easy to evade many of the tests that are actually performed, such as running simulated vote scripts on the machine.