Forward to the Past: Junk the Machines, Count Votes Manually

Stephen H. Unger
8/5/08

Recording and tabulating votes in elections is a natural, straightforward, easy-to-implement computer application. Right? In a world without ingenious bad guys, this might indeed be the case. Unfortunately, that's not where we live. While it is not too hard to design, implement, and operate computer-based ATM and EZ-Pass systems that will keep the bad guys at bay, this is almost impossible for the seemingly simpler problem of election systems. Below, I will first explain why I believe this, and then I will proclaim the good news, which is that we can get along very nicely without such systems.

What's So Hard About Counting Votes?

Consider the operation of an ATM (automated teller machine). When you key in a request for cash from your bank account, the money comes out along with a printed slip describing the transaction. At the end of the month, the transaction is listed on your bank statement. Those of little faith count the money carefully, verify that the transaction slip is correct, and, at the end of the month, reconcile their bank statements against the transaction slips and perhaps their own records. The chances of customers catching errors that short-change them and demanding redress are substantial. Clearly, the insiders (the banks) cannot profit by cheating ATM users. They must defend their system against attacks by outsiders trying to defraud them and their customers. In this struggle they have been moderately successful [1].

In the case of elections, the political entities fielding candidates (parties or factions within parties) have much to gain by cheating. They can do so by the traditional, crude, retail means used by Boss Tweed types, e.g., bribing or intimidating individual voters, or hiring people to vote multiple times [2]. The problem with such tactics is that a large number of criminal acts are necessary to influence an election significantly, and many people have to be involved. The job can be done much more efficiently from the inside, i.e., by controlling the vote recording and counting processes. Then they can simply generate votes at will. In either case, what is going on is obvious to any interested observer. If you are buying votes, for example, you have to make many offers. Since there is not much point in approaching people already on your side, there are bound to be a lot of people reporting bribe offers.

Now look at computer-based voting systems. Opportunities for wholesale cheating are limitless if you can get the cooperation of the insiders: the manufacturers of the systems and the governmental entities running the elections [3]. Actually, it would be sufficient to enlist a relatively small number of people within these organizations. Since vote counting in a computerized system takes place "under the hood", outsiders, even experts, cannot effectively monitor the work of the insiders running the system. While it is easy for an ATM user to determine if the ATM did what it was supposed to do—supply the money requested and record the transaction correctly—there is no way individual voters can verify that their votes have been correctly recorded and counted by an e-voting system. More about this later, but first let's look at a better way to handle elections.

Keep it Simple

Almost all industrialized nations other than the US (including Canada) use hand-counted paper ballot (HCPB) systems. HCPB is also used in many US jurisdictions, very extensively in Maine and New Hampshire. The keys to success are simplicity and transparency. Ordinary people, serving as poll workers, poll watchers, or simply as interested citizens and voters, can observe and understand every step of the process. An important basic principle is that, from the time the polls open until the counting process has been completed, people from at least two competing political organizations are watching everything: the verification that the ballot box is initially empty, the validation of voter identity, the entry of voters into booths, the deposit of ballots in the box, the emptying of the box prior to counting, and the counting process itself. At all times, the ballot box is out in the open, observable by everybody. Counting teams include people from competing organizations. Vote totals for each precinct are made public, so anybody can verify that the overall totals for the election have been properly computed. Procedures for running HCPB elections are well established and appear to work very well [4, 5, 6]. Note the absence of election horror stories involving such systems.

But wouldn't using HCPB be a step backwards, a Luddite act? It certainly looks that way on the face of it! At the very least, isn't it obvious that replacing the use of computers by the primitive act of manual counting would slow things down and increase costs? Taking the latter point first, the surprising answer is that e-voting costs more than HCPB, not less [7]! The fundamental reason is that, unlike ATMs, for example, which are on duty 24-7, voting machines are used about one day per year. Furthermore, for each election, they must be programmed, tested, and possibly repaired by specialists. There are also transportation and storage costs. All these and other costs are replaced in the HCPB case by the time of citizens serving an important public function, some as volunteers, others for nominal compensation. In New Hampshire, high school students (17 and older) are included in election teams along with retirees and other adults of all ages. Some European countries replace or supplement ad hoc paid election workers with regular civil service workers on detached duty. In Douglas County, Nebraska, people are called to serve as election workers in a manner analogous to jury duty.

With respect to speed, it is indeed true that an e-voting system can spit out election results within seconds after poll closure, as compared with anywhere from an hour to more than twelve hours for HCPB systems, depending on the complexity of the election, and the number of voting teams used. How important is this? Not very. For close elections, the likelihood of challenges leading to recounts undermines the significance of the initial reports. Where margins are greater, exit polls quickly and reliably indicate the winners.

What about under-votes (a voter not voting in some contest) and over-votes (a voter casting more than one vote in a contest)? Most e-voting systems can alert voters to such conditions in time for them to take corrective action. This feature is of some value, but not much, since over-votes are rare and most under-votes are deliberate. Also, since such errors usually affect the candidates in a random manner, some cancellation takes place, thereby further reducing the already small consequences.

Looking Under the E-Voting Rock

Back to the reasons why e-voting systems should not be trusted. If a team of experts is asked to determine whether, under the expected operating conditions, a particular e-voting system will reliably produce valid results, they would have to check for:
  1. hardware or software design errors that, under certain circumstances, could produce erroneous results.
  2. defective components that could cause errors.
  3. feasible ways for outsiders to penetrate the system and alter the output.
  4. clandestine features (hardware and/or software) that insiders could use to alter the output.
Items 1 and 2 are part of what engineers do all the time in the course of producing new systems. Item-3, under the heading of computer security, has become very important for safeguarding many kinds of systems, including ATMs. Item-4 also falls under the rubric of computer security, but it is off the usual path, since it implies that there might be corruption within the organization producing the product. None of these items are trivial. But the first two are well understood, and there are well established methods for carrying out such tests.

Item-3 is more challenging, since it entails a game situation in which security experts devise defenses against anticipated methods of attack, the penetrators develop new ways of overcoming the defenses, and so forth. We see such unending contests with spammers and malicious hackers. Item-4 presents the most difficult problem. Whereas item-3 entails bad guys trying to surmount barriers in a framework erected by the good guys, here it is the bad guys who establish the framework and then conceal features that the good guys have to search for. Much has been written about how hard it is to find surreptitious software features. Difficult as this is, I believe it is still harder to identify concealed features on a computer chip, with perhaps several hundred million transistors on it. Concern about this problem in another context is manifested in a DOD-funded research project to develop methods for detecting trapdoors in computer chips sold to the military [8]. Consider also the possibility of camouflaged chips hidden in a system.

Even in principle, I can't see what procedures could be used to make possible an honest certification that an e-voting system will work properly, is safe against intrusion, and is free of clandestine cheating features [9]. In practice, the situation is even worse. Virtually every computer expert who has examined one or more e-voting systems has reported that their designs are of the poorest quality, particularly with respect to item-3 [10, 11]. The numerous breakdowns and crude errors that have surfaced in actual elections testify to the failure of the agencies who purportedly checked them out with respect to items 1-3. Hardly anybody even mentions item-4. Since the certifying of e-voting machines is carried out by private companies paid by and reporting to the vendors, it would, of course, make no sense for them to pretend that they have verified the absence of concealed features. Some states contract to have e-voting systems certified, but I don't know of any that require checking for clandestine elements.

Incredibly, e-voting system designs, both hardware and software, are treated as trade secrets! So independent experts have only limited opportunities to examine in detail the systems that play such a crucial role in our democracy. This concealment has not been complete, as there have been unauthorized exposures of source code, and there have been several formal studies made by state governments and NIST. Some states require that this kind of information be placed in escrow so as to be available, under certain circumstances, for forensic purposes. There is no rational basis for such secrecy, since both the hardware and software can be protected by patents. The whole idea of the patent system, as stated in the Constitution, is to give reasonable property rights to inventors, while eliminating the need for secrecy.

Post-Election Fix

Perhaps implicitly acknowledging that we can't really ensure that e-voting systems are fault- and fraud-free, statistical checking has been proposed. The idea is that, after the polls close, a set of precincts, including perhaps three to ten percent of the voters (depending on the margin of victory), is randomly chosen and the votes in those precincts are recounted. If a recount fails to match machine results from a precinct, then we have an indication that something is wrong. In principle, this sounds good. The problem is in how it would work in practice.
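The "in principle" arithmetic behind this proposal, as an added example that is not part of the original article: it computes how many precincts must be recounted so that a random sample includes at least one miscounted precinct, and shows why the sample grows as the margin of victory shrinks. The equal-sized precincts, the 1000-precinct jurisdiction, the 20% cap on how far the margin can be moved inside one precinct, and the function names are all assumptions made for illustration.

```python
from fractions import Fraction
from math import ceil, comb


def min_corrupted_precincts(total_precincts, margin, max_shift):
    """Fewest precincts whose counts must be wrong to erase `margin`.

    margin: reported margin of victory as a fraction of all votes.
    max_shift: assumed cap on how far the margin can be moved inside a
    single precinct before its totals look implausible (an assumption).
    Precincts are assumed to be of equal size.
    """
    m, s = Fraction(str(margin)), Fraction(str(max_shift))
    return ceil(m * total_precincts / s)


def detection_probability(total_precincts, corrupted, sampled):
    """Chance that a uniform random sample holds >= 1 corrupted precinct.

    Assumes the hand recount of a sampled precinct always exposes a
    miscount there; sampling is without replacement (hypergeometric).
    """
    clean = total_precincts - corrupted
    miss = Fraction(comb(clean, sampled), comb(total_precincts, sampled))
    return float(1 - miss)


def sample_size_for(total_precincts, corrupted, confidence):
    """Smallest number of precincts to recount for the given confidence."""
    for n in range(1, total_precincts + 1):
        if detection_probability(total_precincts, corrupted, n) >= confidence:
            return n
    raise ValueError("no corrupted precincts, so nothing can be detected")


if __name__ == "__main__":
    PRECINCTS = 1000   # constructed jurisdiction size
    MAX_SHIFT = 0.20   # constructed per-precinct cap (assumption)
    for margin in (0.005, 0.02, 0.10):
        k = min_corrupted_precincts(PRECINCTS, margin, MAX_SHIFT)
        n = sample_size_for(PRECINCTS, k, 0.95)
        print(f"margin {margin:.1%}: at least {k} precincts altered, "
              f"recount {n} ({n / PRECINCTS:.1%}) for 95% detection")
```

The calculation covers only the sampling step; it says nothing about whether the recounted ballots reflect voter intent or whether a detected mismatch is acted on.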

The first issue is, what exactly would be recounted? Clearly a second summation of machine outputs would be meaningless. We would need some record of voter-intent independent of the machines. The obvious source would be paper ballots marked by voters, which could then be hand-counted. Paper ballots printed by DRE (touch-screen) machines will not suffice, since it is well known that most voters do not actually verify the correctness of such printouts. (It is also possible for a machine to void a voter-approved ballot and to substitute a different one after the voter leaves the booth.) So meaningful recounts are possible only for OS (optical scan) systems, which process voter-marked ballots, but not for the substantial percentage of US votes now cast on DRE machines, with or without printers.

Suppose a proper recount of voter-marked paper ballots does not match the machine report. (Assume we can agree as to how much of a discrepancy is to be considered as a mismatch.) What should be done? I suggest that the appropriate response would be to discard the machine results for that election and to do a manual count of all the paper ballots for the contests involved to determine the winners. In addition, all machines used in those contests should be impounded and a thoro forensic investigation made to ascertain the causes of the mismatch.

Would this actually happen? Neither precedent, nor established laws and procedures in the various states are encouraging [12]. Even well-founded complaints about election fraud or error seldom result in reversal of results. Complaining candidates are almost uniformly treated as "sore losers". Procedures for e-voting elections in most jurisdictions are so poorly specified and executed that the chances of pinning down sources of discrepancies are nil. For example, there are numerous reports of e-voting machines not being properly sequestered for the period between pre-election testing and finalization of election results. For the above reasons, plus the difficulty in distinguishing between fraud and inadvertent computer error, post-election audits would also do little to deter cheating.

OS systems, tho better (and cheaper) than DREs, can just as easily be rigged for fraud, and are also vulnerable to errors and break-ins. Despite their use of voter-marked ballots, they are not a satisfactory solution because we cannot assume that the results of post-election audits will be adequately executed and acted on. We need an election system that gets it right the first time.

What to Do?

The obvious answer is to junk the machines and get organized for manual vote counting. If done properly, this would give people justified confidence in election results, and, as a side benefit, would modestly reduce election expenses. To satisfy those who feel a great need to see high tech gadgetry in the polling place, the voting and counting processes could be videotaped and made available on line. There exist reasonable systems that can help handicapped people generate paper ballots countable with the other ballots.

Why isn't this being done? As is the case for so many other societal problems, the stumbling block is money. While there is no profit for anyone in HCPB, there are big bucks to be made in selling and servicing e-voting systems. The vendors have been generous in sharing their gains with a variety of individuals and groups in position to influence decisions about how elections should be conducted, e.g., see [13, 14, 15].

It does not seem possible currently to enact even minimal reform legislation, let alone bills that get at the fundamental problems. Perhaps the best that concerned people can do is to educate as many others as possible, and to encourage the adoption of HCPB systems by local jurisdictions, possible in many states. Then, when more dramatic e-voting failures, such as the Sarasota under-vote episode [16], surface in the future, more people might recognize what is wrong and demand effective action.

References

  1. Peter Ventura, "ATM Theft", Nov. 22, 2000
  2. Tracy Campbell, "Deliver the Vote: A History of Election Fraud, an American Political Tradition", Carroll & Graf, 2005
  3. Stephen H. Unger, "E-Voting: Big Risks for Small Gains: Problems", Feb 5, 2007.
  4. Douglas W. Jones, "Voting on Paper Ballots", University of Iowa Computer Science Department
  5. Sheila Parks, "On-Site Observations of the Hand-Counting of Paper Ballots and Recommendations for the General Election of 2008"
  6. Anthony Stevens, Hand Counting Paper Ballots, Address to Democracy Fest Annual National Convention, June 10, 2007
  7. Stephen H. Unger, "E-Voting: Big Risks for Small Gains: Cost", Feb 5, 2007.
  8. Sally Adee, "The Hunt for the Kill Switch", IEEE Spectrum, May, 2008, pp.34-39.
  9. Stephen H. Unger, "E-Voting: Big Risks for Small Gains: Problems", Feb 5, 2007.
  10. Kim Zetter, "CA Releases Results of Red-Team Investigation of Voting Machines: All Three Systems Could Be Compromised", Wired.com, July 27, 2007
  11. Kim Zetter, "NY: 50 Percent of Sequoia Voting Machines Flawed", Wired.com, July 14, 2008
  12. Lawrence Norden, et al., "The Machinery of Democracy: Protecting Elections In An Electronic World", Brennan Center Report, June 28, 2006, see Rec. 6, p. 90
  13. Carlos Campos, "GA: Voting machine firm hires ex-elections director", Atlanta Journal-Constitution, December 23, 2006
  14. "The Disability Lobby and Voting", NY Times Editorial, June 11, 2004
  15. Brad Friedman, "Blind and Disabled Voter Advocates, Groups Call for 'Immediate Ban' of DRE Voting Systems!", Brad Blog, 3/14/2007
  16. Stephen H. Unger, "The Great Sarasota Undervote Mystery", July 3, 2007


For more on e-voting see

  • "E-Voting: Big Risks for Small Gains",
  • "E-Voting: A Closer Look"
  • "The Great Sarasota Undervote Mystery"

    Comments can be sent to me at unger(at)cs(dot)columbia(dot)edu
