Kriselda at Different Strings, Rob at Emphasis Added and Fiona have been blogging about the threat to democracy posed by new, inadequately tested and suspect electronic voting technologies already adopted in some states and planned for broader use in 2004. This post of Rob’s has a huge comments thread that discusses most of the critical issues. This article from the UK Independent on irregularities in last year’s US midterm elections explains what’s at stake. The Verified Voting website provides detailed background (including an excellent FAQ) and explains HR2239, the Voter Confidence Act, calling for a requirement that voting technologies provide a verifiable paper audit trail. This link at Kriselda’s presents the opinion of independent experts at Johns Hopkins & Rice Universities on the technologies currently offered by the voting machine ‘big 3’ suppliers (all with strong, worrisome connections to the Republican Party). The experts’ troubling conclusion (emphasis mine):

We found significant security flaws: voters can trivially cast multiple ballots with no built-in traceability, administrative functions can be performed by regular voters, and the threats posed by insiders such as poll workers, software developers, and even janitors, is even greater. Based on our analysis of the development environment, including change logs and comments, we believe that an appropriate level of programming discipline for a project such as this was not maintained. In fact, there appears to have been little quality control in the process. For quite some time, voting equipment vendors have maintained that their systems are secure, and that the closed-source nature makes them even more secure. Our glimpse into the code of such a system reveals that there is little difference in the way code is developed for voting machines relative to other commercial endeavors. In fact, we believe that an open process would result in more careful development, as more scientists, software engineers, political activists, and others who value their democracy would be paying attention to the quality of the software that is used for their elections… Alternatively, security models such as the voter-verified audit trail allow for electronic voting systems that produce a paper trail that can be seen and verified by a voter. In such a system, the correctness burden on the voting terminal’s code is less extreme because voters can see and verify a physical object that embodies their vote. Even if, for whatever reason, the machines cannot name the winner of an election, then the paper ballots can be recounted, either mechanically or manually, to gain progressively more accurate election results. The model where individual vendors write proprietary code to run our elections appears to be unreliable, and if we do not change the process of designing our voting systems, we will have no confidence that our election results will reflect the will of the electorate.

The HR2239 proposal to require that all electronic voting machines provide a voter-verifiable paper audit trail would reassure voters that their vote has been correctly recorded, and provide a mechanism to count paper ballots manually as a back-up and verification of the computer-produced totals. It’s an excellent bill, but is unlikely to succeed because it lacks bi-partisan support.

There is a simpler solution, one which would cost less, and take the time pressure off states trying to replace other unreliable voting technologies. This solution is also unarguably non-partisan:

  1. Require an audit of all voting technologies before each election. That audit would focus on any new technologies introduced since the previous audit, and would certify that these technologies meet established controls to prevent and detect error and fraud, and provide an audit trail that verifies the results and can be used in case of technology failure to reproduce the votes.
  2. In cases where the auditor is unable to certify that new technologies meet the above standards, the affected jurisdictions would be required to use previously certified technologies or the Standard Ballot Paper methodology*.
  3. The tabulation, compilation and reporting of results would likewise be supervised and certified by an independent auditor, much the same way that lotteries and awards voting are supervised and certified.

Computer auditing firms are highly experienced at conducting computer security audits, and have well-developed standards for doing so. They are also experienced at supervising and certifying results of voting processes.

The alternative of using the Standard Ballot Paper methodology would be extremely appealing for states concerned about the high cost of voting technologies, the risks of new voting technologies, or the shortage of time to introduce and verify new technologies. My bet would be that this simple, manual process would gradually replace more complex technologies, as its reliability, low cost and low risk became apparent.

I’m a great believer in technology. In many cases it makes things cheaper, safer, and faster, especially in applications that involve millions of transactions every day. But in voting, a process critical to democracy that occurs only once a year or less, technology offers none of these benefits. In this process, simpler is better.

*The Standard Ballot Paper methodology is arguably the simplest, cheapest and least risky voting system in existence, and it is a variation of the voting system used by most Western democracies. Results are reported as quickly on election night as they are in the US. It works as follows:

  • Paper ballots are used. Any clear mark in the circle for any candidate counts as a vote, and marks in the circle for more than one candidate spoil the ballot. Ideally the ballots are white letters and circles on a black background, so there is no room for extraneous marks or doubt as to the voter’s intention.
  • Each constituency has a Returning Officer (RO), and each voting place has a Deputy Returning Officer (DRO). Each candidate can appoint a Scrutineer for each voting place.
  • When polls close, the DRO and the Scrutineers oversee the manual counting of the ballots by the Poll Clerks, and take notes on the totals for each Poll. The DRO telephones in and then delivers the results of each Poll to the RO, who then publishes Poll by Poll results. Ballots are sealed and delivered to the RO who keeps them in case any candidate reports a discrepancy between the totals noted by his Scrutineers and the totals published.

P.S.: This week’s Tom Tomorrow cartoon is on electronic voting machines.

  1. PI says:

    Dave, once again, you make nothing but sense. I believe that the only way to get legislative traction on this issue in my country is by a bold act of civil disobedience as I outlined here. As the American legislature demonstrated when the “Do Not Call List” was threatened, they can move swiftly and decisively when the heat is on from their constituents. Someone must demonstrate to the American people just how dire the situation is. If published reports are true, then America itself, in a very real sense, is at stake.

  2. Dave Pollard says:

    Your ‘civil disobedience’ is a great idea, but it would be better if hackers were given the chance to show the flaws in the system before the election was held. If people have to vote twice, the turnout will be even more pathetic the second time. Some auditors actually put a test version of systems they are asked to certify up, and ask hackers to do their worst, as part of the integrity verification process.

  3. PI says:

    “it would be better if hackers were given the chance to show the flaws in the system before the election was held. If people have to vote twice, the turnout will be even more pathetic the second time.” I don’t know. I think that ruining an actual election might be needed to demonstrate just how real the problem is. (My countrymen and our media can be pretty complacent.) That’s why I specified a primary election of some sort, maybe for a municipal office, but in a high-profile locality like LA or NY or DC. Turnout for that kind of election is sorry anyway, and in the larger scheme of things one of them wouldn’t be of vital importance, so the damage done would be minimal compared to a presidential election. I feel that it would give the best media attention to chaos ratio. Maybe your solution should be tried first, for good measure. I’m just afraid that Diebold or whoever would more easily be able to orchestrate PR damage control if the situation were not a real life one.

  4. Fiona says:

    Dave — super-excellent posting. Thank you very much. As always, your intellectual energies are boundless.

  5. Great post Dave. I recently dug up an independent report from SAIS, a secure telecommunications engineering firm, that audited the Maryland electronic voting system and, well, found it wanting. It’s posted on my page.

  6. Dave Pollard says:

    Rob: Thanks for the excellent work on this. I think we’re starting to learn that to be useful we bloggers need to do more than just report (though even that is more than what the mainstream media are doing), we need to investigate. Now if only someone would pay us to do it ;-)

  7. Raging Bee says:

    It’s good to get paid, but sometimes it can damage one’s credibility. Think of the Cambridge Five, who made themselves both credible and indispensable to the USSR, and set themselves apart from later spies, by refusing to be paid for their work.

