11.07
E-Voting:
A High-Tech Headache
By Stephen H. Unger
Today, computers are embedded in
everything from automobile engine ignition
systems, to watches, to aircraft navigation
systems. When used for work that was formerly done
manually — for example, ATMs (Automated Teller
Machines) — computers almost invariably yield
substantial cost savings and faster operation,
usually with no deterioration in quality. So, it
would appear obvious that using computers
to handle the seemingly simple data collection
and processing involved in election systems
would be a straightforward matter.
Unfortunately, a peculiar combination of
characteristics distinguishes elections from
other applications. To date, e-voting system vendors have
been unable to satisfy effectively three key
requirements: transparency to justify the public's
confidence; tight security measures to
counter both
break-ins and inside corruption; and a unique
type of privacy to guard against coercion and
bribery.
Elections are the
bottom line of a democracy, so the most crucial
requirement in any election system is that it correctly record
and report the votes. A long, dismal
history of election fraud, in both rural areas
and big cities, is telling of the election system's legacy of
susceptibility to corrupt elements.
Such characters as Boss Tweed bring back
memories of stolen ballot boxes, voter
intimidation, votes cast by cemetery residents,
multiple voting, creative vote counting, and
routine vote buying. Classic election fraud
tactics can all be used in conjunction with
e-voting systems. But, additionally, there is an
unbounded set of new cheating techniques that
can be employed on a wholesale basis with e-voting.
If a voting precinct is organized
properly, with all operations transparent to
the public — usually represented by poll watchers
from competing political organizations — classic cheating techniques cannot be executed
effectively to any significant degree, regardless
of the technology used. However, wholesale e-voting cheating methods can be
used with little risk of detection, even under
the best polling conditions. Replacing low-tech
systems with e-voting systems can add new
cheating methods, but it will not eliminate any.
An important problem with
e-voting systems involves the process of recounting to verify
the results of disputed elections. In the case
of optical scan systems (OS), the paper ballots
manually marked by voters can be hand counted
and compared to the machine outputs. Such a
comparison might
be conducted for all the machines used, or for some
randomly selected subset. Consider standard
touch screen systems, often referred to as
direct
recording electronic (DRE) systems, where votes
are cast by touching symbols on a display and
are stored only in machine memory. Since no
paper ballots are involved, recounting consists
of checking if the results announced by each
machine have been correctly transmitted to a
collating center and correctly added. This
method is
not very satisfying, if the accuracy of the
machine tallies is the issue. The response to
this problem is to augment the DREs with a
system showing completed ballots on DRE screens.
Upon voter approval, the ballots are printed on
paper tapes and displayed (under glass). If the
voter agrees that this is correct, the tape is
advanced into the ballot box. If a voter
indicates that the printout is erroneous, it is
voided and a corrected printout is produced. This
process is referred to as a voter verified paper audit
trail (VVPAT).
Serious problems exist with DRE VVPATs. First, both in the laboratory and in
the field, relatively few
voters actually verify the printouts before
approving them. So, if, for example, a machine
changes 20 out of 100 A-votes to B-votes,
perhaps seven of these changes will be noticed by
voters, in which case the machine would correct
the output. Most voters who notice the problem
would take no further action, assuming either
that they themselves had erred or that a random
glitch had occurred. A small number of
complaints would almost certainly be ignored. In
addition, a corrupted machine might void a
ballot with a vote for A after the voter leaves
the booth, and then print a new ballot with a
vote for B. Cheating programs could also cause
printer problems, such as running out of ink, or
even complete breakdowns, that would prevent the
paper record from being an adequate check on the
(easily falsified) electronic record. This type
of cheat is a
variation of a denial-of-service attack,
whereby machines in precincts expected to
produce large majorities for the cheater's
opponents are made to crash, resulting in a
scenario where many people
go home without voting.
There are two general approaches
to defending against e-voting fraud. One is to inspect
and test the software and hardware very
carefully in an effort to detect surreptitious
features that could corrupt election results.
Current certification procedures do not even
attempt this sort of inspection. Such tests are confined to what are
called logic and accuracy (L&A) testing, whose
purpose is to determine if a system works as
specified, given the expected inputs. Even this
function seems to be carried out carelessly, as
crude program defects have produced numerous
failures of certified e-voting systems in real
elections. Note that the so-called "independent
testing authorities" are private companies paid
by and reporting to the vendors — not an approach
likely to expose built-in fraud.
But suppose that competent,
impartial experts were charged with determining
if an e-voting system had surreptitious
fraudulent features, or was vulnerable to the
injection of such features. Inspection of
perhaps 800,000 lines of source code would be a
formidable task, but this would not be adequate,
since clandestine code could be inserted while
source code is translated into machine code. It
would also be necessary to look for hidden
hardware features — an even more daunting task. A
recent study of e-voting systems by experts
commissioned by the California Secretary of
State concluded that all three systems examined
were grossly defective.
The second approach is to look
for errors after the polls close. This method might be
completed by hand counting paper ballots (marked
directly by voters in the case of OS systems or
printed by DREs as discussed above) from randomly
selected machines and
comparing the results with machine outputs.
While of questionable value for DREs, in principle at least, this
verification process
might be made to work for OS systems. But
post-election checking is useless, unless
mismatches can be relied upon to trigger strong
corrective action, including rigorous forensic
investigations with criminal indictments where
appropriate, and with the machine-generated
numbers being discarded in favor of manual
counts. Recent history offers little hope that a
preponderance of U.S. jurisdictions would
effectively implement such an approach.
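The random hand-count check described above, as an added example that is not part of the original article: it goes beyond the text by computing how many machines must be sampled to catch at least one altered tally, then runs the comparison. The machine count, the ids and the tallies are constructed; the 20-vote shift mirrors the article's 20-out-of-100 illustration.

```python
import random
from math import comb

def detection_probability(total, corrupted, sampled):
    """Chance that a uniform random sample of machines (drawn without
    replacement) contains at least one whose tally was altered."""
    if not (0 <= corrupted <= total and 0 <= sampled <= total):
        raise ValueError("need 0 <= corrupted, sampled <= total")
    # P(miss every altered machine) = C(total - corrupted, sampled) / C(total, sampled)
    return 1 - comb(total - corrupted, sampled) / comb(total, sampled)

def min_sample_size(total, corrupted, confidence):
    """Smallest sample reaching the detection confidence, or None if impossible."""
    for n in range(total + 1):
        if detection_probability(total, corrupted, n) >= confidence:
            return n
    return None  # e.g. corrupted == 0: there is nothing to detect

def audit(machine_tallies, hand_counts, sample_size, rng):
    """Hand count the paper ballots of randomly chosen machines and return
    the ids whose reported tally disagrees with the paper."""
    chosen = rng.sample(sorted(machine_tallies), sample_size)
    return sorted(m for m in chosen if machine_tallies[m] != hand_counts[m])

def constructed_precincts(total=200, every=20):
    """Constructed data: paper says A=60, B=40 on every machine; every
    20th machine reports 20 A-votes as B-votes."""
    paper = {f"M{i:03d}": {"A": 60, "B": 40} for i in range(total)}
    reported = {m: dict(t) for m, t in paper.items()}
    altered = [f"M{i:03d}" for i in range(0, total, every)]
    for m in altered:
        reported[m] = {"A": 40, "B": 60}
    return reported, paper, altered

if __name__ == "__main__":
    reported, paper, altered = constructed_precincts()
    n = min_sample_size(len(reported), len(altered), 0.95)
    print("machines to hand count for 95% detection:", n)
    print("mismatches found:", audit(reported, paper, n, random.SystemRandom()))
```

The required sample grows quickly as the number of altered machines shrinks, so the audit size has to be set against the smallest alteration that could change the outcome.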
What about cost? An important
feature of political elections is that they are
infrequent. In most jurisdictions, the average
number of elections per year is unlikely to
exceed one. So, the duty cycle for e-voting
systems is two orders of magnitude less than
that for computers used for just about any other
application. This discrepancy accounts for the surprising
fact that it is more expensive to record and
count votes with e-voting systems than it is to
execute these tasks manually. Note that, apart
from the amortized purchase cost of the
equipment, many other costs are associated
with e-voting. These fees include programming ballot
definition files for each district in each
election, technicians to test, initialize and
service machines before and during each
election, securely storing the machines between
elections, and transporting machines between
storage places and election precincts.
OS systems are significantly
cheaper than DREs. One reason is that, for a
given number of voters, many fewer OS units are
needed than DRE units because machine-time per
voter is much greater for DRE than for OS. The
existence of voter-marked ballots makes fraud
slightly more difficult.
Using exit polls, important
election results are usually reported accurately
on election eve, and results are never
implemented sooner than weeks after election
day. Therefore, speedy counting provides no real
advantage. Overvoting and inadvertent undervoting
are not generally considered to be important
problems in e-voting systems.
Given the considerable difficulty in
ensuring that they will not produce grossly
corrupted results, their relatively high dollar
cost, and the absence of any important
advantages, little
justification exists for using e-voting systems. The
obvious alternative is to use the hand-marked,
hand-counted ballots that are used in most
other industrialized countries and, to a small
extent, in the United States. This tried and
true approach is very
transparent, and the means for preventing
significant fraud are well understood.
And relatively simple systems exist such that handicapped
people can mark their ballots to be counted
with the others.
If hand-counting is so much
better, why have e-voting systems become
dominant? The main reason is that e-voting
vendors have a strong financial incentive to
push them. Their tactics include lobbying,
campaign contributions, enlisting the support of
organizations for the handicapped via generous
donations, subsidizing the organization of state
secretaries, and operating a revolving door
system whereby many election officials, on
retirement, get cushy jobs with machine vendors.
The only countervailing force stems from
concerned citizens, often engineers.
Several articles going more
deeply into the issues are available online at:
http://www1.cs.columbia.edu/~unger/myBlog/endsandmeansblog.html

Stephen H. Unger is a
professor of Computer Science at Columbia
University (currently on a leave-of-absence). He is an IEEE
Life Fellow, a member of the Board of Governors of the IEEE Society on
the Social Implications of Technology, and a
former member of the IEEE Board of Directors.
Comments may
be submitted to todaysengineer@ieee.org. Opinions expressed are the
author's.