The election process is a pillar of democracy. It is critical that the votes be honestly and accurately tallied, and that it be obvious to all that this is the case. Once reasonable doubts can be raised as to the legitimacy of an election, these translate into suspicion that our government is illegitimate, and this can have very serious consequences.
Decision making by a relatively small group of people, perhaps 30, with similar values, can be by consensus, after a reasonable amount of discussion. Where the group is larger, and/or less compatible, a vote, such as a show of hands is necessary. For much larger groups, such as the citizens of Colorado, we need formal elections. How best to carry out political elections is the subject of this essay.
In olden times, say before about 1895, political elections in the US, were all based on the use of hand-marked, hand-counted paper ballots [1]. Where the local government was reasonably honest, this worked just fine. But, where the local government, and therefore the election process, was in the hands of crooks such as Boss Tweed, Tammany Hall, or the Daley Machine, a variety of crude cheating techniques were used, such as hiring people to vote multiple times using different names, casting ballots for dead people, or for people who had moved elsewhere [2]. But, in most election districts in the country, the actual voting and tabulation part of elections went quite well, generating valid results.
Purely mechanical voting machines came into use in some jurisdictions early in the 20th century. They were huge, clunky monsters, but were conceptually simple, and performed fairly well. Beginning in the latter part of the twentieth century, punched card machines, and more sophisticated electronic voting machines (e-voting) came into use. This is where real problems surfaced.
All these machines are subject to manipulation, as well as to malfunction, and it is seldom possible to distinguish between the two. Malfunction may be due to physical failures of components, including wiring, or it may be the consequence of design errors, or manufacturing errors. More sinister is the possibility that there are built-in, hidden, features that can be used to corrupt the output. The complexity of modern computer hardware and software is such that ruling out the existence of cheating features in a particular machine is virtually impossible. Fairly simple ways to get an e-voting system to cheat have been found in every case where experts made the effort [3]. However, no governmental agency has an established procedure for examining voting machines for clandestine features.
In order to make clear the problem of ensuring that a sophisticated voting machine is operating properly, consider a familiar electronic system of comparable complexity: an automated teller machine, or ATM, operated by a savings bank. Suppose you wish to make a withdrawal via an ATM. You insert your bank card, key in the personal identification number (PIN) associated with the account, touch a button specifying "withdrawal", and key in the desired amount. Assuming all is well, the requested cash then appears in the withdrawal slot, along with a printed description of the transaction specifying the exact amount. You verify the accuracy of the transaction slip, which you retain, and, when you receive your monthly statement, use it to verify that no errors have been made.
Banks have every incentive to keep these systems working accurately as it would not take many instances of patrons being swindled to get the bank into serious trouble. The banks do have to put a lot of effort into protecting themselves against efforts by thieves to manipulate the system to rob the bank. In general, ATMs work very well, to everyone's advantage. So why should there be a problem with voting machines? Let's see how they differ.
While the e-voting problem, might seem similar to the ATM problem, it is actually quite different. If the ballot were not secret, then something like the following scheme for ensuring that votes are properly recorded and counted might be feasible. In each voting place, typically servicing no more than about 1000 voters, voters would key in their names, and then their votes, receiving printed receipts specifying this information. There would be a public display, listing the voters and how they voted, so voters could verify that their votes have been correctly recorded. Anybody willing to do the counting can determine if the announced vote totals are correct. Presumably, various political parties and organizations, including the news media, would do this. But this scheme would be effective only to the extent that a substantial number of voters took the trouble to determine whether their votes were properly listed, and to report any discrepancy.
A degree of secrecy can be obtained by modifying the above scheme. Replace the voter's name with a code number known only to the voter. Then voters wind up with receipts containing their votes and code numbers, and could match these against the public display of votes, also using the code numbers in place of names, to verify that their votes were correctly recorded. This provides a degree of privacy.
However, an employer, a spouse, or other family member, might insist on seeing the vote slip. People could sell their votes, using the vote slips to prove delivery. So both intimidation and bribery would be feasible. There is a trade-off between ballot secrecy and the ability to verify the accuracy of the voting machine output. I am not aware of any US elections that have used such a feedback method to validate votes. What is actually done is simply to accept results produced by the computer. Voters have no way to verify that their votes were counted correctly--if at all.
The machines are operated by the people employed by the voting machine company. Local people have no way to effectively monitor the process.
Apart from falsifying vote counts, it is easy for the voting machine operators (and/or designers) to cause machine breakdowns in the midst of the voting process. If this is done at a time when many people are arriving to vote, it can lead to long delays, during which many people will give up waiting and leave without voting. This cheating method would, of course, be used in precincts where a large majority of the voters are expected to vote against the candidates favored by the cheaters. Short of a confession by a participant, it would be almost impossible to prove that such a breakdown was deliberate.
No such opportunities for fraud exist where ballots are hand-marked and hand-counted [4]. On election day, community people, generally volunteers, usually paid nominal amounts, staff the election, held in public places, such as libraries. No technicians are needed. In each precinct, the process on election day begins with observers from a variety of political organizations examining the ballot box to verify that it is empty. In full view of everyone, it is then locked (there is a slot for feeding in completed ballots). Each voter signs in publicly, is given a ballot, fills it in, folds it to conceal the entries, and hands it to a poll worker, who, in view of all, deposits it in the box. At the end of the day, when the polls close, the ballot box is unlocked and, again in full view of witnesses, the representatives of several different competing political entities jointly count the votes. The votes for each precinct are publicly announced, so that anybody can verify that the totals for each candidate are correctly reported. Opportunities for fraud are minimal.
This approach is traditional in many parts of New England, and in various places elsewhere in the country. It generally works very smoothly; there are seldom serious disputes, and it costs relatively little, mainly the cost of printing the ballots, and modest pay for poll workers. The cost is far greater where e-voting is used.
In states where there are a great many contests listed on the ballot, the tabulation process is quite tedious, and could easily take a day, or even more, to complete. Note tho, that there are never more than 4 or 5 important contests on the ballot, so these can easily be tabulated, and the results reported in a few hours. Quite apart from complicating the processing of election data, the idea of elections for positions such as member of a state university's board of trustees, or mine inspector, or auditor, doesn't make sense. There is no way any significant number of voters is likely to know enough to evaluate such candidates intelligently.
E-voting, or electronic voting, comes in two flavors. In one, optical scan, the voter fills out a paper ballot, which is then fed into a scanner, a device that reads and interprets the ballot, adding to the totals for the selected candidates. The paper ballots are kept, and can be read later by humans as a check on the machine-reading process. Unfortunately this is rarely done. The other kind of e-voting is direct recording electronic (DRE), in which voters enter their votes directly into the machine, usually without any paper record being produced.
In general, the quality of these systems is poor: errors are all too common. A contributing factor is that the companies producing these devices keep their designs as secret as possible, which means that, unlike many other important programs, such as a C++ compiler, the software associated with voting machines does not get the benefit of scrutiny by the general community of software experts.
But, more important, there is the very serious threat of cheating features that may be concealed in voting system software or hardware. It is virtually impossible to ensure that these do not exist, and, in fact, there is no serious effort being made by government at any level to deal with this issue.
There are always voters unable to come to the polls on election day. Such voters would include diplomats employed overseas, and members of the armed forces stationed abroad.
What is done now to deal with this problem violates some of the basic principles of our political system. People are allowed to mail in ballots directly to election centers. The whole idea of a secret ballot is undermined. Vote-by-mail [5] is now the standard practice for all elections in Oregon, Washington, and Colorado. Voters are vulnerable to pressure from employers and from family members, who may insist on seeing the completed ballot. Many may be invited to sell their votes. Votes in transit thru the postal system are vulnerable to interception at any point.
A better solution would be to set up satellite polling stations accessible to such people. Such a station can be quite simple: a lockable ballot box, a supply of ballots, and some pens. The ballots would be from the home districts, requested in advance by the prospective voters. Staffing would be by representatives of competing political groups, who would jointly tabulate the votes and send the results to the home districts to be combined with the results of the other district residents. Voting would have to be in advance of Election Day, so that the completed ballots could be sent from the satellite stations to the home districts. It should be possible to work out the details in a way to protect the integrity of the process.
Having spent my working life developing and refining sophisticated, computer-based, solutions for a variety of problems, and teaching others how to do this, it felt at first a bit strange to be arguing against the use of computers for facilitating elections, a vitally important part of our democracy. But, on reflection, I realized that I was adhering to a fundamental tenet of engineering, the KISS principle, "Keep It Simple Stupid". In this case, the simplest technology is indeed very simple!
[1] Sheila Parks, "Hand-Counted Paper", Election Defense Alliance, 2006
[2] Wikipedia, "Electoral fraud"
[3] Dan Goodin, "Meet the e-voting machine so easy to hack, it will take your breath away", Ars Technica, 4/15/2015
[4] Jana Nestlerode, "The Case for Hand-Counted Paper Ballots", OpEdNews, 5/7/2012
[5] Bill Sizemore, "'Vote By Mail' A Formula For Fraud", NewsWithViews.com, April 8, 2003
Comments are welcomed and can be sent to me at unger(at)cs(dot)columbia(dot)edu
Don't forget to replace (at) with @ and (dot) with the symbol .
Return
to Ends and Means to see other articles that you might find
interesting.