<http://www.sciam.com/print_version.cfm?articleID=00018DD5-73E7-1151-B57F83414B7F0000> Scientific American Fixing the Vote September 17, 2004 Fixing the Vote Electronic voting machines promise to make elections more accurate than ever before, but only if certain problems--with the machines and the wider electoral process--are rectified By Ted Selker Voting may seem like a simple activity--cast ballots, then count them. Complexity arises, however, because voters must be registered and votes must be recorded in secrecy, transferred securely and counted accurately. We vote rarely, so the procedure never becomes a well-practiced routine. One race between two candidates is easy. Half a dozen races, each between several candidates, and ballot measures besides--that's harder. This complex process is so vital to our democracy that problems with it are as noteworthy as engineering faults in a nuclear power plant. Votes can be lost at every stage of the process. The infamous 2000 U.S. presidential election dramatized some very basic, yet systemic, flaws concerning who got to vote and how the votes were counted. An estimated four million to six million ballots were not counted or were prevented from being cast at all--well over 2 percent of the 150 million registered voters. This is a shockingly large number considering that the decision of which candidate would assume the most powerful office in the world came to rest on 537 ballots in Florida. Three simple problems were to blame for these losses. The first, which made up the largest contribution, was from registration database errors that prevented 1.5 million to three million votes; this problem was exemplified by 80,000 names taken off the Florida lists because of a poorly designed computer algorithm. Second, a further 1.5 million to two million votes were uncountable because of equipment glitches, mostly bad ballot design. For example, the butterfly ballot of Palm Beach County confused many into voting for an unintended candidate and also contributed to another appalling outcome: 19,235 people, or 4 percent of voters, selected more than one presidential candidate. Equipment problems such as clogged punch holes resulted in an additional 682 dimpled ballots that were not counted there. Finally, according to the U.S. Census Bureau, about one million registered voters reported that polling-place difficulties such as long lines prevented them from casting a vote. Thus, registration and polling-place troubles accounted for about two thirds of the documentable lost votes in 2000. The remaining one third were technology-related, most notably ballot design and mechanical failures. In the aftermath of the 2000 election, officials across the country, at both the federal and local levels, have scrambled to abandon old approaches, such as lever machines and punch cards, in favor of newer methods. Many are turning to electronic voting machines. Although these machines offer many advantages, we must make sure that these new systems simplify the election process, reduce errors and eliminate fraud. Some countries have introduced electronic systems with great success. Brazil started testing electronic voting machines in the mid-1990s and since 2000 has been using one type of machine across its vast pool of 106 million voters. It has multiple organizations responsible for different aspects of voting equipment development as part of the safeguards. It also introduced the machines in carefully controlled stages--with 40,000 voters in 1996 (7 percent of whom failed to record their votes electronically) and 150,000 in 1998 (2 percent failure). Improvements based on those experiments reduced the failure rate to an estimated 0.2 percent in 2000. Voting Technology Voting systems have a long history of advancing with technology. In ancient Greece, Egypt and Rome, marks were made for candidates on pieces of discarded pottery called ostraca. Paper superseded pottery in the hand-counted paper ballot, which is still used by 1.3 percent of U.S. voters. Other modern technologies are lever machines, punch cards and mark-sense ballots (where each candidate's name is next to an empty oval or other shape that must be marked correctly to indicate the selection, and a scanner counts the votes automatically). The table on pages 94 and 95 summarizes the benefits and drawbacks of each of these methods and suggests ways to improve them. A lengthier discussion of nonelectronic systems is at www.sciam. com/ontheweb. Electronic voting machines have been around for 135 years--Thomas Edison patented one in 1869. Elections started testing electronic voting machines in the 1970s, when displaying and recording a ballot directly into a computer file became economical. At first, many were mixed-media machines, using paper to present the selections and buttons to record the votes. Officials had to carefully align the paper with the buttons and indicator lights. Electronic voting machines that use such paper overlays are still on the market. More modern direct record electronic (DRE) voting machines present the ballot and feedback information on an electronic display, which may be combined with audio. Such machines have many advantages: they can stop a voter from choosing too many candidates (called overvoting), and they can warn if no candidate is picked on a race (undervoting). For instance, when Georgia changed over to DREs in 2002, residuals (the total of overvotes and undervotes combined) were reduced from among the worst in the nation at 3.2 percent on the top race in 2000 to 0.9 percent in 2002. So-called ballotless voting allows the machines to eliminate tampering with physical ballots during handling or counting. (Lever machines, dating back to 1892, share many of those features.) Yet the birthing of DRE voting equipment in the U.S. has not been easy. The voting machine industry is fragmented, with numerous companies pursuing a variety of products and without a mature body of industry-wide standards in place. Deciding what is a good voting machine is still being discussed by various advocacy organizations and groups such as the IEEE Project 1583 on voting equipment standards. Allegations of voting companies using money to influence testing and purchasing of equipment are not uncommon. Complicating matters, local jurisdictions across the country have different rules and approaches to testing and using voting equipment. Some counties, such as Los Angeles, are sophisticated enough that they commission voting machines built to their own specifications. Many other municipalities know so little about voting that they employ voting companies to run the election and report the results. Polling-place practices add further hazards of insecurity and potential malfunctions. I recall walking into the central election warehouse (where the voting machines are stored and the precinct vote tallies are combined) in Broward County, Florida, when it was being used for a recount in December 2002. The building's loading dock was opened to the outdoors for ventilation. The control center for tallying all the votes was a small computer room; the door to that room was ajar and no log was kept of personnel entering and leaving. Beyond external issues, DRE machines themselves have had technological shortcomings that have slowed their adoption. Voters have found their displays confusing or challenging to use. Software bugs and difficulties in setting up DREs have also presented problems. During the 2002 Broward County recount, I was allowed to try out machines from Electronic Systems and Services (ESS), one of the country's major election machine makers. The ESS machines had an excessive undervote because the "move to next race" button was too close to the "deposit my ballot" button. An audio ballot was so poorly designed it took about 45 minutes to vote. On machines made by the company Sequoia, people who chose a straight party vote and then tried to select that party's presidential candidate were unaware that they were deselecting their presidential choice. A massive 10 percent undervote was registered in one county using Sequoia machines in New Mexico. Examining the insides of new voting machines still reveals many physical security faults. For example, some machines have a lifetime electronic odometer that is supposed to read every vote that the machine makes. But the odometer is connected to the rest of the machine by a cable that a corrupt poll worker could unplug to circumvent it without breaking a seal. Source code for voting machines made by different companies, like most commercial software, is a trade secret. Election machine companies allow buyers to show the source code to experts under confidential terms. Unfortunately, the local election officials might not know how to find a qualified expert. And when they find one, will the voting companies be required to listen? For instance, in 1997 Iowa was considering a voting machine made by Global Election Systems, which was later bought out by Diebold. Computer scientist Douglas W. Jones of the University of Iowa pointed out security issues, and the state bought Sequoia machines instead. In February 2003 Diebold left its software on unsecured servers, and DRE critics posted Diebold's code on the Internet for everyone to see. The problems that Jones saw six years earlier had not been fixed. Any person with physical access to the machines and a moderate amount of computer knowledge could have hacked into them to produce any outcome desired. The best computer security available depends on sophisticated encryption and carefully designed protocols. Yet to know the system has not been compromised requires testing. DRE machines have not received the constant testing that they require. Security of today's voting machines is wholly dependent on election workers and the procedures that they follow. Because virtually all tallies, no matter what voting method is used, are now stored and transmitted in some electronic form, computer fraud is possible with all voting systems. The advent of DRE machines potentially allows such tampering to go unchecked from the point at which the voter attempts to cast a ballot. Schemes for altering ballots have always existed, but a computerized attack could have widespread effects were it waged on a large jurisdiction that uses one kind of software on one type of machine. Using a single system allows large jurisdictions to get organized and improve their results but must be accompanied by stringent controls. The successful reduction of residuals across all of Georgia, mentioned earlier, is a case in point. Thorough tests on the DREs at Kenisaw State University found many problems, which were resolved before the machines were put into use. This rigorous testing and careful introduction of the machines were central to the state's success. Electronic Fraud How can we find all the dangers created by bad software and prevent or correct them before they compromise an election? Reading source code exposes its quality and its use of security approaches and can reveal bugs. But the only completely reliable way to test software is by running it through all the possible situations that it might be faced with. In 1983 Ken Thompson, on receipt of the Association for Computing Machinery's Turing Award (the most prestigious award in computer science), gave a lecture entitled "Reflections on Trusting Trust." In it he showed the possibility of hazards such as "Easter eggs"--pieces of code that are not visible to a reader of the program. In a voting machine, such code would do nothing until election day, when it would change how votes were recorded. Such code could be loaded into a voting machine in many ways: in the voting software itself, in the tools that assemble the software (compiler, linker and loader), or in the tools the program depends on (database, operating system scheduler, memory management and graphical-user-interface controller). Tests must therefore be conducted to catch Easter eggs and bugs that occur only on election day. Many electronic voting machines have clocks in them that can be set forward to the day of the election to perform a test. But these clocks could be manipulated by officials to rerun an election and create bogus voting records, so a safer voting machine would not allow its clock to be set in the field. Such machines would need to be tested for Easter egg fraud on election day. In November 2003 in California a random selection of each electronic voting system was taken aside on the day of election, and careful parallel elections were conducted to show that the machines were completely accurate at recording votes. These tests demonstrated that the voting machines were working correctly. To prepare for a fraud-free voting day requires that every effort be made to create voting machines that do not harbor malicious code. The computer science research community is constantly debating the question of how to make provably secure software. Computer security experts have devised many approaches to keep computers reliable enough for other purposes, such as financial transactions. Financial software transfers billions of dollars every day, is extensively tested and holds up well under concerted attacks. The same security techniques can be applied to voting machines. Some researchers believe that the security precautions of "open source" (making the programs available for anyone to examine) and encryption techniques can help but not completely guard against Easter eggs. Guarding votes against being compromised has always required multiple human agents watching each other for mistakes or malice. The best future schemes might include computer agents that check one another and create internal audits to validate every step of the voting process. The Secure Architecture for Voting Electronically (SAVE) at the Massachusetts Institute of Technology is a demonstration research project to explore such an approach. SAVE works by having several programs carry out the same tasks, but while using such different methods that each program would have to be breached separately to compromise the final result. The system knows to call foul when too many modules disagree. Audit Trails Some critics insist that the best way to ameliorate such attacks is by providing a separate human-readable paper ballot. This widely promoted scheme is the voter-verified paper ballot (VVPB) suggested by Rebecca Mercuri, then at Bryn Mawr College. The voting machine prints out a receipt, and the voter can look at it after voting and assure himself that at least the paper records his intention. The receipt remains behind a clear screen so no one can tamper with it during its inspection, and it is retained by the machine. If a dispute about the electronic count arises, a recount can be conducted using the printed receipts. (It is not a good idea for the voter to have a copy, because such receipts could encourage the selling of votes.) Although the VVPB looks quite appealing at first glance, a deeper inspection exposes some serious flaws. First, it is complicated for the voter. Elections in this country often have many races. Validating all the selections on a separate paper after the ballot has been filled out is not a simple task. Experience shows that even when confronted with a printout that tells voters in which race they have made a mistake, few are willing to go back and correct it. Anything that takes a voter's attention away from the immediate act of casting a ballot will reduce the chances of the person voting successfully. Every extra button, every extra step, every extra decision is a source of lost votes. The scheme is also complicated for the officials. If a voter claims fraud, what is the official to do? The voter claims she voted for Jane, but both the DRE screen and the receipt show a vote for John. Should they close the polling station? On top of this, the officials are not legally allowed to see an individual voter's ballot. VVPB addresses only a small part of the fraud problem. The paper trails themselves could be made part of a scheme for defrauding an election if a hacker tampers with the printing software. The paper can be manipulated in all the usual ways after the election. A better option would allow people to verify their selections with recorded audio feedback. An audio transcript on tape or a CD has an integrity that is harder to compromise than a collection of paper receipts. Most current electronic voting machines can be set up to speak the choices to the voter while he looks at the visual interface. The tape can be read by a computer or listened to by people. Because misreads of paper are a major difficulty with all counting machines today, the tape can be better verified than paper receipts. An audio receipt is also preferable to a paper receipt because it is hard to change or erase the audio verifications without such alterations being noticed (think about the 18-minute gap on the Watergate tapes). Also, a small number of cassette tapes or CDs are easier to store and transport than thousands of paper receipts. Other proposals for voter verification include recording the video image of the DRE and showing the ballot as it has been received by the central counting databases while the voter is in the booth. The advantage of these techniques is that they are passive--they do not require additional actions on the part of the voter. Here is how voting might go using a well-designed audio record. Imagine you are voting on a computer. You like Abby Roosevelt, Independent. You press the touch-screen button for your choice. The name is highlighted, and the vote button on one side is replaced with an unvote button on the other side. The tab on the screen for this race shows that a selection has been made. The earphones you are wearing tell you that you have voted for "Ben Jefferson" (and these words are recorded on a backup tape). Wait a minute! "Ben Jefferson"? You realize that you must have pressed the wrong button by mistake. You study the screen and see a prominent "cancel vote" button. You press it. "Vote for Ben Jefferson for president canceled," the computer intones onto a tape and into your ears. The screen returns to its prevote state, and this time you press more carefully and are rewarded with "Vote cast for Abby Roosevelt, Independent, for president." You go on to the Senate race. The features just described are designed to give feedback in ways you are most adept at understanding. People are good at noticing labels moving, tabs changing, and contrast and texture changes. We have trouble doing things accurately without such feedback. The audio verification comes right at a time when the user is performing the action. Perceptual tasks (seeing movement and hearing the audio) are easier to perform than cognitive ones (reading a paper receipt and remembering all the candidates one intended to vote for). A tape or CD recording is a permanent, independent transcript of your vote. These features are all implementable now as ballot improvements on current voting machines. Extra work would be needed to allow sight- or hearing-impaired people to verify multiple records of their ballot as well. Some researchers are studying alternatives to DREs, in the form of Internet voting or voting using familiar devices such as the phone. Since May 2002, England has been experimenting with a number of systems intended to increase turnout. These methods include mailing in optically readable paper ballots (absentee voting), using a standard phone call and the phone's keypad, using the instant-messaging facilities on cell phones and using interactive TV that is available in English homes. Swindon Borough, for example, included more than 100,000 voters in an experiment using the Internet and telephones. A 10-digit PIN was hand-delivered to voters' homes. This PIN was used in conjunction with a password the voters had been sent separately to authorize them to vote. No fraud was detected or reported. But the effort only improved turnout by 3 percentage points (from 28 to 31 percent). In contrast, introducing the option of absentee voting increased voter turnout by 15 percentage points--but with a downside: large-scale vote buying was reported in Manchester and Bradford. (Being able to prove whom you have voted for, such as by showing the ballot you are mailing in, enables vote buying.) What Must Be Done The universal adoption of perfect voting machines will not be happening anytime soon. But quite independent of the specific machines used, much can and should be done simply to ensure that votes are collected and accurately counted in the U.S. We must be adamant about the following improvements: 1. We must simplify the registration system. The largest loss of votes in 2000 occurred because errors in registration databases prevented people from voting. Registration databases must be properly checked to make sure they include all eligible people who want to be registered. We must develop national standards and technology to ensure that people can register reliably but that they do not register and vote in multiple places. 2. Local election officials must understand the operation of their equipment and test its performance thoroughly when it is delivered and before each election. DREs should be tested on election day, using dummy precincts. 3. Local election officials must teach their workers using simple procedures to run the equipment and other processes. Ballot making, marking, collecting and counting all must be carefully set up to avoid error and fraud. Many voting officials inadvertently use procedures that compromise accuracy, security and integrity of ballots by, for example, turning off precinct scanning machines that check for overvotes and inspecting and "correcting" ballots. 4. Each step in the voting process must be resistant to tampering. Collecting, counting and storing of ballots must be done with documentation of who touches everything and with clear procedures for what to do with the materials at each stage. Multiple people must oversee all critical processes. 5. Each task in the voting process must be clear and accessible, have helpful feedback and allow a person to validate it. Perceptual, cognitive, motor and social capabilities of people must be taken into account when designing machines and ballots. Ballot designs should pass usability and countability tests before being shown for final approval to the parties invested in the election. Voters must be able to understand how to make their selections, and votes must be easy to count in mass quantities. 6. The government should invest in research to develop and test secure voting technology, including DREs and Internet voting. Rushing to adopt present-day voting machines is not the best use of funds in the long term. 7. Standards of ethics must be set and enforced for all poll workers and also for voting companies regarding investments in them and donations by them or their executives. Only when these requirements are met will we have a truly secure and accurate voting system, no matter what underlying technology is used. -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'