After a presidential election eight years ago that seemed like it would never end, politicians pledged to prevent a second round of hanging chads, manual recounts, and U.S. Supreme Court arguments. The idea was to spend up to $3.9 billion to replace punch card voting machines of the sort that Florida accidentally made famous.
By including strict requirements that newly purchased machines "be accessible" to blind and disabled voters, Congress all but mandated electronic voting machines with touch screens. But Washington politicians--not known for their tech-savvy in the best of times--neglected to include even rudimentary security and verifiability requirements.
Call it an expensive lesson in the law of unintended consequences. That decision led to the widespread adoption of touch-screen machines, and as Election Day 2008 looms, greater concern than ever before about the machines' security and reliability. Some states responded by mandating voter-verified paper trails. Others, worried about programming errors or malicious Election Day hackers, have decided to ditch the devices entirely.
When signing the so-called Help America Vote Act (HAVA) in October 2002, President Bush claimed that it was "carefully considered" and predicted "the legislation I sign today will add to the nation's confidence."
Not quite. Ohio Secretary of State Jennifer Brunner has since requested that counties switch from e-voting machines to old-fashioned paper ballots. In April, Iowa's governor signed a law that mostly ditches touch-screen machines in exchange for paper ballots read through optical scanning. Maryland is reverting to paper as well.
No wonder that The Simpsons television show, that useful barometer of popular culture, lampooned e-voting machines in Sunday's Halloween special. (Homer tries to vote for Barack Obama instead of John McCain. The obstreperous machine responds by attacking him.)
Backtracking
The shift back to paper comes amid a deluge of criticism of touch-screen systems, mostly from computer scientists and even grandmothers-turned-activists. It's difficult to capture the depth of the concern that has swept the ranks of often-cloistered academics, starting with theoretical concerns at the time HAVA became law and ending with biting critiques once the machines' actual hardware and software have been analyzed.
One 334-page report (PDF) commissioned by the Ohio secretary of state and written by researchers at Penn State and the University of Pennsylvania lists scores of vulnerabilities in systems made by Election Systems and Software (ES&S), Hart InterCivic, and Premier Election Solutions, previously known as Diebold.
"All of the studied systems possess critical security failures that render their technical controls insufficient to guarantee a trustworthy election," the researchers wrote. They reached that conclusion after evaluating the source code and finding ways that an attacker could insert viruses, erase logs, produce incorrect vote totals, or block some or all voters from voting.
This follows a top-to-bottom review in 2007 of California's voting systems conducted by University of California computer scientists for the state government. They reached similar conclusions as the Ohio researchers did, noting that viruses inserted in one machine (by, for instance, a voter inserting a memory card) could "spread throughout the voting system."
No wonder that California Secretary of State Debra Bowen gave a speech at a computer security conference in July titled: "Dr. Strangevote or: How I Learned to Stop Worrying and Love the Paper Ballot." (After the report she commissioned came out, Bowen decertified the voting equipment that was analyzed unless substantial security enhancements were made.)
To be sure, manufacturers of voting machines stress that the problems that have been identified are either overly theoretical or have been fixed with hardware and software updates. They also argue that there has never been a documented case of a successful attack against an electronic voting system.
In the 2004 primaries, for instance, which represented the first real test of e-voting, no major glitches were reported. An error in Ohio in November 2004 favoring Bush was nowhere near substantial enough to affect the outcome of the election. Problems in November 2006 were more minor than major.
In addition, some researchers, like Carnegie Mellon University's Michael Shamos, have claimed that the push for voter-verified paper trails on touch-screen machines is misguided and may serve to thwart more promising research in the area.
"Parallax" problem
This year, with millions of voters casting their votes early, scattered reports of electronic voting machine problems have already cropped up in states like Florida and West Virginia.
Most of these problems are the result of "vote flipping," or touch-screen parallax--when the spot the user looks at does not match up with the part he or she touches. This is a result of the way the screen appears due to the machine's light source or due to the angle from which the voter is looking at the machine. It's the sort of problem that is most likely to impact younger and older voters--those with the least experience with computers and touch-screen technology.
"It turns out you can engineer around this," said David Wallach, associate director for Accurate, which stands for "A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections."
For instance, Wallach said, ATMs have large buttons with ample space around them.
"Our voting machine vendors haven't figured this out yet," Wallach said. "The technology is fundamentally designed wrong in terms of the hardware, software, and ballot layout."
While the machine vendors have yet to address this problem, the poll workers can at least mitigate its impact by calibrating the machines on a regular basis. The nonprofit Verified Voting Foundation sent a joint letter last week to 31 secretaries of state across the country to have poll workers double-check that Premier machines are properly calibrated (there can be a conflict with antivirus software). While the problems reported so far may be anecdotal, Verified Voting President Pamela Smith said the problems are significant because voters could lose confidence in the system.
"It's so disconcerting to the voter," she said. "You're all excited about your choices, and then it shows somebody else's name--that's the thing we want to avoid at all costs because it casts doubt." (See this video of a buggy voting machine in West Virginia.)
Tracking trouble
To keep track of voting problems, Verified Voting collaborated with the Electronic Frontier Foundation to launch Our Vote Live, an open-source project that records election-related problems called in by voters. The site categorizes the problems, lists them in a variety of ways, and provides information about what voting equipment is used in each state. The voting equipment problems recorded so far on the site are far outnumbered by reports of registration and absentee voting problems.
While the problems may not be widespread, they persist largely because the standards for voting machines set by the Election Assistance Commission (EAC) are voluntary, Wallach said.
"This is a deep problem that the voting system industry has been underregulated," Wallach said. "To the extent that there's a certification and testing process, it hasn't been a very stringent one."
Even though new standards were developed in 2005 and 2007, all voting machines in use today are only certified to the 2002 standards, according to Wallach.
Meanwhile, one of the five independent U.S. centers that test voting systems, SysTest Labs in Colorado, lost its accreditation with the EAC on Thursday for its "failure to create and validate test methods, improper documentation of testing, and unqualified personnel," according to the EAC.
A handful of bills have been introduced in the 110th Congress to address voting machine problems, but none have passed. A failed bill introduced in the House this year would have reimbursed jurisdictions for the cost of paper ballot voting systems to be used in the November elections, as well as the costs of conducting audits or hand counting the results of federal general elections. Legislation was introduced in 2007 in the Senate and the House that would have amended 2002's Help America Vote Act to require a voter-verified permanent paper ballot--something endorsed by Verified Voting. But the legislation never made it out of a committee.
A return to paper
Maryland's solution is to start using paper ballots in 2010, even though it will continue to pay for its $65 million electronic machines through 2014. Wallach said this was the right move. Recent studies (PDF) have shown paper ballots to be "the great equalizer," as Wallach put it.
"No matter your age, income or education, people are uniformly competent at filling in bubbles," he said.
The way paper ballots work is simple: a voter enters the polling place and is verified as able to vote. He or she is given a blank paper ballot, which is filled in with a pen or pencil. The ballot is then read by an optical scanner, either at the time of voting or at the local government office at the end of the day.
"Even though the paper scanners are just as much of a security disaster (as electronic machines), you've still got the paper, so you can conduct audits," Wallach said. "With electronic voting machines, you don't have that fallback."
Thirty-one states now require a paper record of every vote, according to Verified Voting. That's a great improvement from the seven or eight that had such a requirement in 2004, Smith said. Both Democrats and Republicans have taken up voting reform, she said.
"Some people think the voter-verified paper ballot is a one-party issue, but that's not the case," Smith said.
While many states are trying to preempt any major problems, some public interest groups are taking legal action to compel states to do more. A federal judge on Wednesday agreed with the National Association for the Advancement of Colored People that the polling places in Pennsylvania must distribute emergency paper ballots when 50 percent or more of the electronic voting machines become inoperable.
On October 23, the NAACP joined the Election Reform Network and a group of individual voters in a lawsuit against Pennsylvania to compel it to change its protocol. Previously, the state would have provided paper ballots only if all machines had broken down, even though some precincts only have two machines to begin with.
Smith said a state like Pennsylvania could create the perfect storm for voting fiascos: the state has not conducted early voting, many areas do not have paper records, and as a potential swing state, Pennsylvania's votes could prove to be critical.
"You're compressing all your pressure on the system into that one day," she said. "If machines break down, what will happen?"
This article was co-authored by CNET's Declan McCullagh and Stephanie Condon.
Carnegie Mellon's Michael Shamos, pictured here in his home in Pittsburgh, says that paper trails are hardly the solution to worries about the security of electronic voting machines, and when mandated by law, stifle further research.
(Credit: Declan McCullagh/News.com)
PITTSBURGH--Many computer scientists have been arguing for years that electronic voting machines absolutely must sport paper trails that can be verified by the voter and subsequently used in manual recounts.
It's a formal policy position of the U.S. arm of the Association for Computing Machinery, the professional organization of computer scientists. Stanford University's David Dill even created the pro-paper-trail Verified Voting Foundation and has co-authored an article for us that argues against Internet voting, too.
But support of paper trails is not unanimous. Michael Shamos, a professor of computer science at Carnegie Mellon University who teaches an e-voting class and has been a consultant to the Pennsylvania government since 2004, believes that electronic methods of tabulating votes actually tend to be more secure than paper-based ones.
In addition to reviewing the source code of some electronic voting systems under nondisclosure agreements, Shamos has been an e-voting consultant for Texas and Nevada. An April 2004 paper he wrote says that e-voting systems do have risks but paper isn't the answer (and suggests alternatives). In it, he quips that out of a million or so computer scientists and mathematicians, only 100 or so have signed a statement calling for paper trails; it drew an angry response posted at Verified Voting's Web site.
I sat down with Shamos on Friday at his home near Pittsburgh's Shadyside neighborhood, a few blocks from campus, to talk about e-voting and the Pennsylvania primary that is scheduled to take place on April 22. Following is a lightly edited (I abbreviated some of my questions and some of his answers) transcript of our conversation.
Q: How many different e-voting systems does Pennsylvania use?
Shamos: The number of different systems we use in Pennsylvania has gone down one because one was decertified. We're down to 9 or 10. We have one of the most diverse voting systems of any state in the country. We have only 67 counties.
It means that if you were to mount a statewide manipulation, you couldn't do it. There's some security in numbers.
How many voting machines in Pennsylvania produce voter-verified paper trails?
Shamos: We don't have paper trail systems in Pennsylvania. Please don't use the term "paperless." It's a construction of the advocates and it's false and misleading. They're not paperless. They just don't produce a contemporaneous paper that the voter can view.
The word "paperless" is really insidious. The word "less" is meant to imply that they're thereby missing something. Whoever decided to come up with the term "paperless" deserves a left-handed prize for their imagination. It's wonderful for them. Paperless.
Would you agree that a paper trail is important?
Shamos: I wouldn't agree to that. No. Why is it important?
Should I try to answer that?
Shamos: You'll give me an answer. It won't be a good answer.
If you have voter-verified paper audit trails, voters can actually look at a physical representation of their cast vote, which provides a check against election fraud or malfunction. Without that paper trail, an intentional or unintentional glitch in the machine can skew the election and not be detected.
Shamos: The theory of the voter verified paper trail is that, at the time the voter is in the booth, the voter sees double. They're assured that their correct choices are recorded on the physical medium. Regardless of what's on the machine, it's on the paper. The paper drops into the box, nobody has any clue what's in the box, how many pieces of paper are going to be added to the box, subtracted to the box.
Every manipulation of elections that's been proven has involved the manipulation of paper.
And in every election, we see paper ballots that don't match up. It's much worse with paper trails. This creates a severe legal problem in states where the paper trail is the official ballot, Ohio for example. Such states always ignore the law. They have to ignore the law. Twenty percent of paper trails (tend to be) missing or illegible.
If they're a computer printout, why would they be illegible?
Shamos: The real reason is that the printers are made in China and as you saw recently with Ed Felten, they can't even produce legible numbers. They're crap.
(Often what happens) is that it jams and the printer overprints. The voters don't notice because they're not used to this. Another thing that happens is that the bag (of printouts is returned and can be manipulated).
Over and over again, some number around 20 percent doesn't exist or can't be read. What the law requires is that the electronic count, presumed accurate, must be discarded, and 20 percent of the electorate must be disenfranchised. Yet advocates claim that a paper trail is the most reliable mechanism. How can it be reliable if 20 percent is lost?
I'm not saying you can't make a reliable paper trail. You can use ATM technology. The reason we don't use ATMs is that they cost 10 times as much as voting machines.
The Holt bill failed. If it hadn't failed, it would have outfitted these (voting machines) with cheap printer parts. You won't hear that from the advocates. They will never admit that a paper trail machine loses votes.
When you say "advocates," who or what do you mean?
Shamos: Let's start with VerifiedVoting.org. And we can go all the way to the EFF and the League of Women Voters. There are numerous organizations that have taken the position that paper trails are the only way to safeguard elections, no matter that they lose 20 percent of votes.
Let's assume that 100 percent of voters verify the paper trail, though experimental numbers are closer to 8 percent. How are we going to make use of the paper trail? One is with an audit (that looks at statistical sampling and discrepancies). But if a discrepancy is found, we will not accept any of the electronic totals. That works, assuming that all of those pieces of paper got created correctly, and are subject to the same kind of security safeguards that the advocates insist on for electronic machines.
The problem is that when you vote electronically, multiple copies of your ballot image are recorded in memory. (Once a memory card is removed it becomes virtually impossible to tamper with.) Those systems are perfectly safe from after-the-fact tampering. They may not be safe from before-the-fact tampering.
Compared to paper and its vulnerability to after-the-fact tampering?
Shamos: I'm not advocating that we blindly trust machines. We have to have a way to make sure the (record is correct). If anything happens to that piece of paper, if it gets substituted or lost, there's absolutely no way to reconstruct the election. That's unlike an electronic system, which is if one memory fails you have the other.
The security on ballot boxes is much lower than the security on voting machines themselves. In order to do anything with those pieces of paper, they have to be handled by people. What do you think happens?
If I want to screw up an election, all I have to do is modify five votes. Then we have to do a manual recount (which is vulnerable to tampering and ballot-stuffing).
One way to address that problem is to use some kind of cryptographic mechanism, like a digital signature, on each piece of paper.
Shamos: You have stated that one can put various cryptographic codes on the ballots to ensure their authenticity. The fundamental problem is that they're not human-readable.
When someone votes for Hillary, it prints out an invalid bogus code. We put it under a scanner later.
You could have a second machine created by a second manufacturer that validates the digital signature on a ballot.
Shamos: The voter could go over to a second machine and say, yes or no, this is a valid ballot. Then the (person who wants to throw an election) goes to the second machine and tampers with that component, too.
The fundamental difficulty with paper trails is that they're ridiculously kludgey. The problem is that once you mandate paper trails, it cuts off research. There would be no reason to use anything else because it would be illegal.
Only in the United States, or in one jurisdiction.
Shamos: What we really want are end-to-end verification systems. I want to be able to tell that my vote was counted. These paper trails do not provide end-to-end verification. No serious manufacturer is working on end-to-end verification. We're not making any progress toward that end except in the theoretical journals. Why? Because the idea of paper trails has completely gummed up the works.
We're going electronic. The next generation is convinced they're going to vote from their cell phones. (It's going to happen.)
The real problem is reliability. The systems fail. Furthermore, the code isn't good. The code is riddled with bugs, most of which don't affect the accuracy of the tally. But we don't know when those conditions occur.
Does that mean you're suggesting that we should be voting from insecure home computers even if they're running Windows 98?
Shamos: I can point you to a mechanism (in a paper by Avi Rubin and Dan Wallach) that would allow secure voting on insecure terminals. The notion that the Internet is just not secure enough to do anything important is just wrong. It's not insurmountable. The right people aren't thinking about it because you gotta have a paper trail.
Do you think an increasing number of your colleagues are coming around to your point of view?
Shamos: No. I wouldn't expect them to. (They may be very good technologists, but) they don't know anything about elections. They don't know how votes are counted.
Does that mean that you think that some of the fuss over Diebold is overblown?
Shamos: The equipment is not as reliable as it should be. The software is not designed as well as it could be. The manufacturers are secretive. I've been involved in a number of source code audits of voting systems and these audits always produce a huge list of vulnerabilities. I've never found bugs that interfere with the integrity of an election. But you don't want them there.
(Take the case of the reported problems with the Diebold GEMS tabulation system). I don't think it's utterly fatal to electronic voting machines in the United States. What the advocates will tell you is that that bug is just the tip of the iceberg and if they were granted access to the source code, they would find more. I would agree with them on that.
If the codes were published, there would be a period of time when these vulnerabilities would be found--a lot of buffer overflow errors--and then they would be fixed. And everyone would know it's fixed.
The naysayer thinks it's throw-the-election-to-Republicans code. That's not there. It's horrible spaghetti code, lack of software engineering. These things have to satisfy every quirk of the voting laws in all 50 states.
So you're saying it's easier to hack an election with paper ballots than it is with electronic ones?
Shamos: I say, and the advocates are forced to admit it, that there's never been any evidence that a DRE machine has been tampered with in an election. They say that doesn't mean it never happened. I agree with that. But I believe deeply that if people were out there trying to hack elections we would see evidence of failed attempts.
To believe that in the lack of evidence means that the first person who hacked an election got it right. Remember Robert Tappan Morris and the Internet worm? I would get worried if we start to see systematic evidence (of increasingly robust) attacks. But we've never seen any of those. That's what consoles me. I have to believe that a really improbable event did not occur: that someone found the perfect hack the first time.
Isn't it optimistic to think that officials and auditors will necessarily be able to detect the first real attack on e-voting machines?
Shamos: Technology is always required in elections. The days of the hand-counted ballots are over. You can design technology in a way that makes the problems readily apparent or that they're disguised. My position is that when a problem is found, it's an engineering problem.
When a bridge collapses, do we outlaw bridges or do we inspect bridges of similar design? If the design itself is fundamentally flawed, then those bridges are going to have to be taken out of service and rebuilt. If there's a fix, however, you can add a bracing member.
What's happened (in discussions of electronic voting) is that a strong, loud populous advocacy voice said "We are computer scientists and know quite well the vulnerabilities of electronic voting systems and those vulnerabilities are so severe that the democratic process is at risk." I don't think those conclusions are justified.