American Voice 2004:  Can electronic voting machines be trusted?

American Voice 2004: Can electronic voting machines be trusted?

Date: 1 Jun 2004 | posted in: From the Desk of David Morris, The Public Good | 0 Facebooktwitterredditmail

Q. My precinct will use electronic voting machines in November. Can I trust that my vote will be counted? Is there anything I can do to ensure it will be?

Answer:

Yours is a question very much on the minds of the 30 million or so Americans who will use electronic voting machines this fall. The decision to upgrade voting system technologies was made by hundreds of voting districts in the aftermath of the 2000 presidential election snafu in Florida. In most cases, the decision was made by your county government with a big prod from the federal government in the form of a carrot and a stick.

A little history might be useful here to set the stage.

In the beginning, there was the paper ballot. A voter made a mark next to the preferred candidate’s name and deposited the marked ballot into a box. Ballots were counted by hand. This system is still used in parts of the U.S. and in many other countries.

At the end of the l9th century the mechanical lever machine was introduced. The voter stepped into a steel booth and flipped switches next to the preferred candidates. When finished, the voter pulled a large lever, which registered the vote on a counter located at the back of the machine. When polls closed the tallies from each of the machines were recorded. This machine directly recorded the vote. There was no paper ballot.

By 1930, mechanical vote counters were used in almost all major metropolitan areas.[1]

In the 1960s and 1970s, voting technology advanced on two tracks. One improved the speed with which paper ballots could be counted. The other improved the speed and ease of electronic voting.

The punch card helped speed up the counting of paper ballots. Voters use a metal stylus to punch out the perforated rectangle, or chad, next to the name of the candidate of choice. This allows the cards to be counted mechanically

Optical scanning systems use special ballots that are marked by voters and read by a laser. They reduce errors and speed up vote counting relative to punch cards.

On the other technological track, the mechanical lever machine gave way to the electronic machine. As Stephen Ansolabeher points out, the first direct recording electronic device was made by Shoup, a major lever machine manufacturer. The Shouptronic 1242 was modeled on the lever machine. Push buttons replaced levers next to the candidates’ names. In the late 1990s, touch screens were introduced.

Between l988 and 2000 nearly half of all counties adopted new voting technologies. The proportion of voting districts using mechanical lever machines plummeted from 44 percent to 18 percent. Most of the districts that abandoned mechanical lever machines adopted optically scanned ballots (27 percent). Eleven percent used electronic vote counters. Those who had not switched mostly continued using punch cards. [2]

The 2000 election marked a watershed in U.S. electoral history. The collapse of the Florida election system, played out on national and international television, focused the nation’s attention on the need to upgrade voting systems.

In the aftermath of the 2000 election, Florida banned the use of punch cards and insisted that new voting technology be in place by the 2002 election. Most Florida voting districts chose to introduce touch-screen electronic systems.

The American Civil Liberties Union sued to force Georgia to upgrade its voting system after finding empirical evidence of racial voting disparities in the 2000 election.[3] Georgia was the first state to convert its entire election system to electronic voting machines.

In 2002 the U.S. Congress enacted HAVA (Help America Vote Act).[4] HAVA mandates that all mechanical lever and punch card voting systems be replaced by November 2004, and makes $700 million available for this purpose. [5] New systems must allow voters to verify their votes on the ballot before it is cast, and give them the opportunity to correct any errors on their ballots. By 2006 states must ensure that people with disabilities can vote privately and independently (by providing at least one accessible electronic voting machine per polling station), and enable voting by non-English readers. And by 2006, voting systems must “produce a permanent paper record with a manual audit capacity” available for the official record and any recounts.

A number of analyses were done right after the 2000 election to guide the buying decisions of local and state governments. The most widely disseminated was by Cal Tech/ MIT. Its July 2001 report, Voting: What Is, What Could Be concluded, “Optical scanning has the best track record of all equipment types currently in use…We recommend replacing punch cards, lever machines and older electronic machines with optical scanned ballot systems.”[6] A number of other studies found that optical scanned paper and hand counted paper ballots result in the least number of votes not counted. [7]

Despite the consultants’ reports, most states shifted from punch card to Direct Recording Electronic (DRE) systems, for a number of reasons. Although more expensive than optical scanned ballots to purchase, DRE systems were expected to be less expensive to operate because they avoided the need to print paper ballots. People were comfortable with touch screens. They were easy to use. And they met the HAVA requirement regarding the need to allow non-English reading people to vote and the need to permit access to people with a wide range of disabilities.

Since 2000 the number of electronic touch screen installations has tripled, although as of mid-2004 more voting districts still use optical scanning.[8]

Beginning with the 2002 elections, voting districts with the new touch screen electronic machines began to experience problems. [9] They found that the testing and verification and start up-related tasks significantly increased maintenance and operating costs. For example, in November 2002 Miami Dade discovered that the long verification and start-up time required that the machines be powered up the day before the election. This required them to be guarded by police until the polling place opened. The additional cost to the county was $3.8 million.[10]

In a November 2002 election in Wake County, North Carolina, 436 votes at two precincts were not recorded or could not be determined because of a flaw in the electronic voting system.[11]

In the November 2003 school board election Fairfax County, Virginia officials tested a machine in response to complaints and found that it subtracted about 1 out of every 100 votes for a candidate.[12]

In the November 2003 election, the electronic voting machines in Hinds County, Mississippi were not working. No backup paper ballots were available. People were still standing on line at 8 pm. On January 21, 2004 the Mississippi Senate declared the results from the election invalid and scheduled a new election.

In March 2004, in the Florida Democratic presidential primary, touch screen voting machines had an undervote rate 8 times higher than the optical scanned ballots.[13] Kurt Browning, elections supervisor of Pasco County worried that Florida’s rush to embrace a new technology was creating an impossible situation. “It was like Florida was trying to change a tire on a car going 100 miles an hour.”

Independent computer experts who have evaluated electronic voting systems are concerned about the security of the systems. In 2003 Diebold, one of the largest sellers of DRE systems, inadvertently allowed access to the source code of one of its electronic systems via the Internet. Computer scientists from Johns Hopkins University analyzed the program and discovered “significant and wide-reaching security vulnerabilities”.[14]

In response to the Johns Hopkins’ findings, the state of Maryland hired two independent analysts to evaluate more recent versions of Diebold’s system along with the procedural systems in place for elections. The first evaluation, done by Science Applications International Corporation (SAIC) was issued in September 2003. It concluded, “The system, as implemented in policy, procedure and technology, is at high risk of compromise.”[15]

A second analysis by RABA Technologies included an attempt to break into the machines. The report, completed in January 2004 confirmed SAIC’s conclusions.[16]

However, the analysts believed the vulnerabilities could be mitigated by adopting security measures, such as eliminating network access. They recommended a number of significant software changes and noted that a truly secure system requires not only better software but also a greater understanding of the system by those who run elections.

The simplest and most effective answer, they concluded, is to require paper print outs of cast ballots that voters can verify before they leave the polling place. “The number of software vulnerabilities such receipts mitigate, the amount of savings they introduce by lowering the procedural requirements, and the trust they garner are likely to be just as cost effective in the long run as a fully locked-down all-electronic system.”[17]

There is a distinction between voter verified paper audit trails and the audit capacity that most direct recording electronic systems provide. At least five companies now make DRE systems that print a copy of each voter’s ballot when it is recorded. The voter can view the printed ballot. Then it is stored in a secure ballot box for use in a recount.

Nevada is the only state that by law is requiring all DRE machines to have the capacity to print a voter verifiable paper audit trail in the November election. Other states have the ability to do recounts, but they use printouts made after the polls have closed, from records of ballots stored in the machines.[18] In addition there are audit logs and other reports that show how the machines operated during voting hours.[19]

Maryland went ahead with its $55 million purchase of the electronic touch screen system from Diebold without requiring a voter verified paper trail.[20] Two bills that would have required voter verified paper trails subsequently failed in the Maryland legislature. The Campaign for Verified Voting filed a lawsuit in April 2004, requesting the courts to decertify Maryland’s voting machines until the manufacturer fixed security flaws and added the capacity to print ballots at each terminal.[21]

Ohio also hired an independent security analyst, Compuware Corporation, to review the security of voting machines from the four top vendors: Diebold, Election Systems & Software (ES&S), Sequoia Voting Systems and Hart InterCivic. Their report identified security flaws similar to the Johns Hopkins report in all four systems, with Diebold registering the most high-risk problems and ES&S the least.

Like the Maryland study, the Johns Hopkins study, and a 2001 joint study by Cal Tech and MIT, the Ohio report recommended a paper trail to verify votes.[22] In July the Ohio Secretary of State announced that counties will not be allowed to switch to electronic voting systems before the November elections because of outstanding security issues.[23] All Ohio counties are required to have electronic systems with paper receipts by May 2006.[24]

In April California Secretary of State Kevin Shelley banned electronic voting in 14 counties.[25] He relied on the recommendation of a panel that reviewed the use of electronic voting systems in the March primaries.[26] Four counties and several disabled groups sued to overturn his ruling. In July a federal district court judge in Los Angeles upheld Shelley’s ban, ruling that the concerns of the disabled were “substantially outweighed by the advancement of the public interest.”[27]

In July a former Riverside County Board of Supervisors candidate, Linda Soubirous and the national organization, VerifiedVoting.org sued Riverside County over what it called the County’s refusal to conduct a proper recount of a March 2004 election.[28]

California has also issued a requirement that all electronic voting systems purchased after June 2004 have voter verified paper audit trail systems, and that all previously purchased machines have such systems by July 2006.

Given this brief (OK it wasn’t all that brief) history, what is to be done?

First, all DRE systems should have paper receipts that allow for a voter verifiable paper audit trail. [29] All newly purchased machines should have this capacity and machines already owned by counties should be retrofitted. In DRE systems, this is the only way to provide a certain record of voters’ intentions. And if a machine fails during voting hours, the voter verified paper ballots are there as a back up. End of the election day printouts from digital records of ballots do not provide the same level of assurance.

In a recent special election for the State House in Broward County, Ellen Bogdanoff won by 12 votes out of 10,844 cast. One hundred thirty four ballots showed no votes recorded, even though there was no other race on the ballot. A recount of the ballots recorded by the machines is meaningless in this case, because the machines provide no indication of voter intention for votes they did not record.

Since the March 2004 primaries, California law requires that l percent of ballots, randomly selected, be counted and matched against the results reported by the machines to verify the count. This provides confirmation that the machines correctly tally the ballots they record. But again, there is no record of voter intent or insurance against lost votes.[30]

Another need is for us to move away from private source code. Vendors of electronic systems maintain that their source code is a trade secret. The federal certification process is secretive as well – neither the analysis for certification nor the source code is made available for third-party analysis.[31]

Experts in computer security have uniformly rejected the argument that secrecy serves a security purpose.[32]

In Australia, a private company designed the software based on specifications established by independent election officials. The source code was posted on the Internet for everyone to evaluate. The system uses Linux, an open source operating system.[33]

In the United States, the Open Voting Consortium is well along in developing open source software that can run on standard computers. It expects to have it certified by early 2005. It will be distributed free of charge.[34]

A coalition of civil rights groups and computer security experts recently issued a list of recommendations for counties that adopt electronic voting machines. [35] Among the recommendations are extensive training programs for election workers on security for every step of the voting process.

Optical scanners have a good track record but they fail to meet one of HAVA’s requirements: access for the disabled. Recently manufacturers have introduced a ballot-marking device that is accessible to voters with visual and other disabilities and can be programmed in multiple languages.[36] Once the voter’s preference is recorded, it is printed onto a standard optical scan ballot. Thus it is a paper system with an electronic interface.

Rhode Island has been using tactile ballot templates for the blind in conjunction with the state’s optical scan system.

So what appears to be happening is that electronic systems are adding printers, and optical scan ballots are adding electronic interfaces. As this occurs, optical scanning systems will have an even greater cost advantage – each voting place needs only one optical scanner to service many booths in which people are manually filling out their ballots. Only one touch screen need be added to a voting place to meet the needs of the disabled.

A DRE terminal, however, must be in every voting booth.

The result is that the DRE systems are almost three times more expensive than the optical scanning paper ballot systems. And with printers and paper receipts it is doubtful that, even in the best of cases, the DRE system would be cheaper to operate. [37]

The reality is that millions, perhaps tens of millions of people will be voting on machines that make it difficult if not impossible to have a recount in a very close election. Some organizations are suggesting that the only way to ensure your vote counts is to vote by absentee ballot (i.e. a paper ballot).[38] Check your state’s rules on absentee voting – not all states provide absentee ballots on demand or allow you to drop off your ballot at a polling place on election day, there are different deadlines for requesting and mailing your ballot, and it is important to fill out and sign your ballot correctly.[39]

Absentee ballots may not be a long-term solution, however. There is greater potential for voter coercion and fraud when people do not vote from secure polling stations.[40] And it is time consuming – a truly secure system would require that the signature on every absentee ballot be checked against the voter’s signature on record.[41] Votes can be lost in the mail[42], and late, unanticipated changes to the ballot may nullify votes.[43]

 


[1] For a more in-depth examination of the history of voting technology see: Stephen Ansolabeher, The Search for New Voting Technology, Boston Review. September 2001

[2] Eight percent of voters voted in counties that used multiple systems. Cal Tech/MIT Voting Project, Voting: What Is, What Could Be, Appendix, July 2001. (This map shows the voting equipment used in each U.S. county in 1999.)

[3] The ACLU found that in the 2000 election, the under-vote rate was as high as 8.1 percent in black neighborhoods, compared with 2.2 percent in white neighborhoods in that state. Over-votes are when a voter votes for more than one candidate is chosen in a race, under-votes are when the voter is seen by the voting system as having chosen no candidate.

[4] Help America Vote Act of 2002.

[5] About 16.5 percent of registered voters live in the 292 counties that will use punch card systems in November 2004. HAVA allowed states to apply to extend to 2006 the deadline for system replacement with federal funds. At least one state (Ohio) applied for an extension because of concerns about Direct Recording Electronic systems.

[6] The Cal Tech/MIT Voting Technology Project, Voting: What Is, What Could Be, July 2001.

[7] For optical scanners, about 1.5 percent of the vote is not counted in a presidential contest. This rises to 2.5 percent for punch cards and 2.3 percent for electronic machines. The uncounted vote rate increases at an alarming pace; for senatorial and gubernatorial contests over the last 12 years, 3.5 percent of votes on optically scanned ballots were not counted, punch cards 4.7 percent, and electronic machines 5.9 percent. Cal Tech/MIT report, Op. Cit.

[8] Cal Tech/MIT Voting Project, Voting: What Is, What Could Be, Appendix, July 2001; and Election Data Services Inc., Expected Voting Equipment Usage in 2004, May 4, 2004.

[9] For extensive documentation of problems related to DRE systems see www.VotersUnite.org, especially their report, Mythbreakers. For the argument in favor of touch screen electronic machines compared to Optical Scanning ballots see Avante International technology. Is Buying Optical Marksense Voting Systems Today a Good Idea Until DRE Voting Systems Scrutiny is Over?

[11] Raleigh Election 2002, May 17, 2004.

[12] Washington Post, November 6, 2003

[13] Associated Press, July 11, 2004. The undervote rate was 1.09 percent for touch screen systems versus 0.12 percent for optical scan systems. Touchscreens do not permit overvoting (voting for more than one candidate). But the overvote by optical scan machines was only .01 percent.

[14] The Johns Hopkins team found that the system used no data encryption on the voting terminals or the cards used by voters and election officials. Although data on the central server was encrypted, only one key was required to decrypt all the data – the equivalent of having one key the fit every door in an office building. A hacker who knows the language of communication between the cards, the terminals and the server could compromise the system in a number of ways – by creating false voting and election official cards, by installing a modified ballot on terminals, or by tampering with the voting software on the terminal. If the system were to use a network to install ballot files or transmit vote counts, the potential for abuse increases. In the Diebold system studied, the ballot files contain all the information necessary to allow an outside computer to pose as an inside-the-election-site voting terminal and report illegitimate vote results over the network. Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin, Dan S. Wallach, “Analysis of an Electronic Voting System”, IEEE Symposium on Security and Privacy 2004, IEEE Computer Society Press, May 2004.

[15] Science Applications International Corporation, Risk Assessment Report: Diebold AccuVote-TS Voting System and Processes, September 2, 2003.

[16] “William A. Arbaugh, an assistant professor of computer science at the University of Maryland and a member of RABA’s team told the New York Times, “I can say with confidence that nobody looked at the system with an eye to security who understands security.” New York Times. January 29, 2004.

[17] RABA Innovative Solution Cell, Trusted Agent Report, Diebold AccuVote-TS Voting System, January 20, 2004.

[18] DREs keep a record of each voting transaction in the same way that credit card machines or ATMs do.

[19] There is currently a lawsuit in Riverside County, California over the question of access to audit logs and other reports. Computer World, July 16, 2004.

[20] Campaign for Verifiable Voting in Maryland, Independent Analyst Submits Positive Review of Diebold Machine, September 23, 2003.

[21] Baltimore Sun, April 22, 2004.

[23] Associated Press, July 17, 2004.

[24] Associated Press, May 7, 2004.

[25] California Secretary of State, Decertification of AccuVote-Tsx Voting System, Decertification and Conditional Certification for Certain DREs, April 30, 2004. Shelley later reached agreements with five counties that agreed to new security conditions, including making paper ballots available to those who want to use them.

[26] California Secretary of State, Report on March 2, 2004 Statewide Primary Election, 2004. Problems included miscounted ballots, delayed polling place openings and issuing of wrong ballots to some voters. The panel faulted Diebold for failing to obtain federal approval for the model, and for using software in the primary that had not been approved by the California secretary of state.

[27] Federal Computer Week. July 8, 2004

[28] In the March 2004 race for County Board of Supervisors the declared winner avoided a runoff by 45 votes. California election law permits any voter to request and review “all relevant election materials” pertaining to the recount. Second place candidate Soubirous requested the materials from the Registrar and the machine vendor including audit logs, the redundant memory stored in the machines, the results of “logic and accuracy” tests and the chain-of-custody records for the system components. The County and machine vendor refused. For details of the complaint see Soubirous v. County of Riverside at verifiedvoting.org

[29] Voter verified paper ballots were first proposed by Rebecca Mercuri in her Ph.D. dissertation for the University of Pennsylvania School of Engineering and Applied Sciences, “Electronic Vote Tabulation Checks and Balances”, October 27, 2000. The abstract for her dissertation and other writings are available here.

[30] The Cal Tech/MIT Voting Project points out that most new direct recording electronic machines produce an internal paper tape (like in a cash register) and an electronic recording of every voting transaction. This allows officials to reconstruct what was done on a machine. But it is not a direct recording of the voter’s intention, as a paper ballot would be. “If the machine fails between the touchscreen and the tape, the voter’s stated intentions are still lost”. CalTech/MIT Voting Project, Voting: What Is, What Could Be, Part II: The Voting System, July 2001.

[31] The National Association of State Election Directors has authorized two Independent Testing Authorities.

[32] Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin, Dan S. Wallach, “Analysis of an Electronic Voting System”, IEEE Symposium on Security and Privacy 2004, IEEE Computer Society Press, May 2004. Michael Shamos, a professor at Carnegie Mellon University and a strong advocate of paperless electronic voting, finds flaws in all of the arguments against using electronic voting systems. But he acknowledges “there is no reason that the ballot setup, display, tabulation and reporting sections of voting system code should be kept secret, and manufacturers would be wise to accede to public demand in this regard.” Michael Ian Sharmos, Paper v. Electronic Voting Records – An Assessment, April 2004.

[33] Australia does not require paper receipts. This was rejected over the opposition of the lead engineer for the project for cost cutting reasons. The engineer insists that a paper trail is the only way to definitively prove the system’s integrity. Kim Zetter, “Aussies Do It Right: E-Voting”, Wired, November 3, 2003.

[34] www.openvotingconsortium.org

[35] Recommendations of the Brennan Center for Justice and the Leadership Conference on Civil Rights for Improving Readability of Direct Recording Electronic Voting Systems, June 2004. The report suggests that software be decertified if companies withhold their source code. Each company’s level of cooperation should be publicly documented on websites. Prior to hiring independent experts, election officials should commit to implement all reasonable recommendations on a pre-established timetable, and to provide a public explanation if they should decide not to implement recommendations. The report also suggests parallel testing, which involves selecting a random sample of terminals to be used in the elections and setting them up in mock precincts. Using the same hours and procedures as a real election, trained personnel and regular voters would conduct a mock election that is videotaped, including what happens on the screens of the voting machines. At the end of the day, the mock results are reconciled with what the videotape shows they should have been. This type of testing can detect bugs not found in laboratory testing, and check for the possibility of a malicious code designed to modify votes during a real election. The report contains procedural recommendations as well. These include requiring locks with unique keys or passwords that prevent modifications of voting terminals and no network access of any kind between terminals or the server

[36] Electronic Frontier Foundation, Accessibility and Auditability in Electronic Voting, May 17, 2004.

[37] The 2001 report of Cal Tech/MIT Voting Project, based on a paperless DRE system, estimated that over a 15-year period, the cost per voter is $32.75 for electronic systems and $29.50 per voter for optical scanning systems. Cal Tech/MIT Voting Project, Voting: What Is, What Could Be, Estimated Cost of Buying and Operating Voting Equipment, July 2001.

[39] With the exceptions of Maine and Wisconsin, states in the Midwest, South and Southeastern half of the United States, as well as Texas, Utah and South Dakota do not issue absentee ballots on demand. California has the fewest restrictions, issuing absentee ballots for any reason and allowing voters or a family member to drop off the ballot on election day or the week before elections. Lori Minnette and David Callahan, Securing the Vote – An Analysis of Election Fraud, Demos, 2003.

[40] Washington Post, December 6, 2000.

[41] Cal Tech/MIT Voting Project, Op Cit. A General Accounting Office survey found that only two-thirds of jurisdictions check absentee ballots applications against their records to determine whether applicants have previously applied for a ballot by mail. Only about half of jurisdictions verify that signatures on absentee ballots match the applicant’s signature on record. U.S. General Accounting Office, Voting: Perspectives on Activities and Challenges Across the Nation, GAO 02-3, October 2001.

[42] Two absentee ballots posted from the U.S. turned up in Denmark. CNN, November 13, 2000.

[43] After Senator Paul Wellstone died less than two weeks before the November 2002 election, some absentee voters were unable to change their vote to the replacement candidate. Minnesota Public Radio, October 29, 2002.

 

Facebooktwitterredditmail
David Morris
Follow David Morris:
David Morris

David Morris is co-founder of the Institute for Local Self-Reliance and currently ILSR's distinguished fellow. His five non-fiction books range from an analysis of Chilean development to the future of electric power to the transformation of cities and neighborhoods.  For 14 years he was a regular columnist for the Saint Paul Pioneer Press. His essays on public policy have appeared in the New York TimesWall Street Journal, Washington PostSalonAlternetCommon Dreams, and the Huffington Post.