Recording and tabulating votes in elections is a natural, straightforward, easy to implement, computer application. Right? In a world without ingenious bad guys, this might indeed be the case. Unfortunately, that's not where we live. While it is not too hard to design, implement, and operate computer-based ATM and EZ-Pass systems that will keep the bad guys at bay, this is almost impossible for the seemingly simpler problem of election systems. Below, I will first explain why I believe this, and then I will proclaim the good news, which is that we can get along very nicely without such systems.
Consider the operation of an ATM (automated teller machine). When you key in a request for cash from your bank account, the money comes out along with a printed slip describing the transaction. At the end of the month, the transaction is listed on your bank statement. Those of little faith count the money carefully, verify that the transaction slip is correct, and, at the end of the month, reconcile their bank statements against the transaction slips and perhaps their own records. The chances of customers catching errors that short-change them and demanding redress are substantial. Clearly, the insiders (the banks) cannot profit by cheating ATM users. They must defend their system against attacks by outsiders trying to defraud them and their customers. In this struggle they have been moderately successful.
In the case of elections, the political entities fielding candidates (parties or factions within parties) have much to gain by cheating. They can do so by the traditional, crude, retail means used by Boss Tweed types, e.g., bribing or intimidating individual voters, or hiring people to vote multiple times. The problem with such tactics is that a large number of criminal acts are necessary to influence an election significantly, and many people have to be involved. The job can be done much more efficiently from the inside, i.e., by controlling the vote recording and counting processes. Then they can simply generate votes at will. In either case, what is going on is obvious to any interested observer. If you are buying votes, for example, you have to make many offers. Since there is not much point in approaching people already on your side, there are bound to be a lot of people reporting bribe offers.
Now look at computer-based voting systems. Opportunities for wholesale cheating are limitless if you can get the cooperation of the insiders: the manufacturers of the systems and the governmental entities running the elections. Actually, it would be sufficient to enlist a relatively small number of people within these organizations. Since vote counting in a computerized system takes place "under the hood", outsiders, even experts, cannot effectively monitor the work of the insiders running the system. While it is easy for an ATM user to determine if the ATM did what it was supposed to do (supply the money requested and record the transaction correctly), there is no way individual voters can verify that their votes have been correctly recorded and counted by an e-voting system. More about this later, but first let's look at a better way to handle elections.
But wouldn't using hand-counted paper ballots (HCPB) be a step backwards, a Luddite act? It certainly looks that way on the face of it! At the very least, isn't it obvious that replacing the use of computers by the primitive act of manual counting would slow things down and increase costs? Taking the latter point first, the surprising answer is that e-voting costs more than HCPB, not less! The fundamental reason is that, unlike ATMs, for example, which are on duty 24-7, voting machines are used about one day per year. Furthermore, for each election, they must be programmed, tested, and possibly repaired by specialists. There are also transportation and storage costs. All these and other costs are replaced in the HCPB case by the time of citizens serving an important public function, some as volunteers, others for nominal compensation. In New Hampshire, high school students (17 and older) are included in election teams along with retirees and other adults of all ages. Some European countries replace or supplement ad hoc paid election workers with regular civil service workers on detached duty. In Douglas County, Nebraska, people are called to serve as election workers in a manner analogous to jury duty.
With respect to speed, it is indeed true that an e-voting system can spit out election results within seconds after poll closure, as compared with anywhere from an hour to more than twelve hours for HCPB systems, depending on the complexity of the election, and the number of voting teams used. How important is this? Not very. For close elections, the likelihood of challenges leading to recounts undermines the significance of the initial reports. Where margins are greater, exit polls quickly and reliably indicate the winners.
What about under-votes (a voter not voting in some contest) and over-votes (a voter casting more than one vote in a contest)? Most e-voting systems can alert voters to such conditions in time for them to take corrective action. This feature is of some value, but not much, since over-votes are rare and most under-votes are deliberate. Also, since such errors usually affect the candidates in a random manner, some cancellation takes place, thereby further reducing the already small consequences.
Item-3 is more challenging, since it entails a game situation in which security experts devise defenses against anticipated methods of attack, the penetrators develop new ways of overcoming the defenses, and so forth. We see such unending contests with spammers and malicious hackers. Item-4 presents the most difficult problem. Whereas item-3 entails bad guys trying to surmount barriers in a framework erected by the good guys, here it is the bad guys who establish the framework and then conceal features that the good guys have to search for. Much has been written about how hard it is to find surreptitious software features. Difficult as this is, I believe it is still harder to identify concealed features on a computer chip, with perhaps several hundred million transistors on it. Concern about this problem in another context is manifested in a DOD-funded research project to develop methods for detecting trapdoors in computer chips sold to the military. Consider also the possibility of camouflaged chips hidden in a system.
Even in principle, I can't see what procedures could be used to make possible an honest certification that an e-voting system will work properly, is safe against intrusion, and is free of clandestine cheating features. In practice, the situation is even worse. Virtually every computer expert who has examined one or more e-voting systems has reported that their designs are of the poorest quality, particularly with respect to item-3 [10, 11]. The numerous breakdowns and crude errors that have surfaced in actual elections testify to the failure of the agencies who purportedly checked them out with respect to items 1-3. Hardly anybody even mentions item-4. Since the certifying of e-voting machines is carried out by private companies paid by and reporting to the vendors, it would, of course, make no sense for them to pretend that they have verified the absence of concealed features. Some states contract to have e-voting systems certified, but I don't know of any that require checking for clandestine elements.
Incredibly, e-voting system designs, both hardware and software, are treated as trade secrets! So independent experts have only limited opportunities to examine in detail the systems that play such a crucial role in our democracy. This concealment has not been complete, as there have been unauthorized exposures of source code, and there have been several formal studies made by state governments and NIST. Some states require that this kind of information be placed in escrow so as to be available, under certain circumstances, for forensic purposes. There is no rational basis for such secrecy, since both the hardware and software can be protected by patents. The whole idea of the patent system, as stated in the constitution, is to give reasonable property rights to inventors, while eliminating the need for secrecy.
The first issue is, what exactly would be recounted? Clearly a second summation of machine outputs would be meaningless. We would need some record of voter-intent independent of the machines. The obvious source would be paper ballots marked by voters, which could then be hand-counted. Paper ballots printed by DRE (touch-screen) machines will not suffice, since it is well known that most voters do not actually verify the correctness of such printouts. (It is also possible for a machine to void a voter-approved ballot and to substitute a different one after the voter leaves the booth.) So meaningful recounts are possible only for OS (optical scan) systems, which process voter-marked ballots, but not for the substantial percentage of US votes now cast on DRE machines, with or without printers.
Suppose a proper recount of voter-marked paper ballots does not match the machine report. (Assume we can agree as to how much of a discrepancy is to be considered as a mismatch.) What should be done? I suggest that the appropriate response would be to discard the machine results for that election and to do a manual count of all the paper ballots for the contests involved to determine the winners. In addition, all machines used in those contests should be impounded and a thorough forensic investigation made to ascertain the causes of the mismatch.
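The two preceding points, tallying voter-marked ballots (including over-votes and under-votes) and deciding when a hand count "does not match" the machine report, can be made concrete. The following is an added example, not code from the essay or from any voting system; the ballots and the machine report are constructed, and the agreed discrepancy rule is assumed to be a simple absolute vote-count threshold per candidate.

```python
"""Tally voter-marked paper ballots and reconcile the hand count against a
machine-reported tally (added example; all data below is constructed)."""
from collections import Counter

# Constructed contests: contest name -> list of candidates on the ballot.
CONTESTS = {
    "mayor": ["Alice", "Bob"],
    "council": ["Carol", "Dan", "Eve"],
}

# Constructed ballots: each maps a contest to the set of candidates marked.
# Ballot 3 over-votes for mayor and leaves council blank; ballot 5 leaves mayor blank.
BALLOTS = [
    {"mayor": {"Alice"}, "council": {"Carol"}},
    {"mayor": {"Bob"}, "council": {"Dan"}},
    {"mayor": {"Alice", "Bob"}, "council": set()},
    {"mayor": {"Alice"}, "council": {"Eve"}},
    {"mayor": set(), "council": {"Carol"}},
    {"mayor": {"Alice"}, "council": {"Carol"}},
]

# Constructed machine report: the council figures for Carol and Dan are swapped
# relative to the paper ballots, which is the kind of mismatch a recount reveals.
MACHINE_REPORT = {
    "mayor": {"Alice": 3, "Bob": 1},
    "council": {"Carol": 1, "Dan": 3, "Eve": 1},
}


def tally_ballots(ballots, contests):
    """Hand-count rules: exactly one mark counts as a vote; no mark is an
    under-vote; more than one mark is an over-vote and no vote is counted."""
    results = {}
    for contest, candidates in contests.items():
        votes = Counter({c: 0 for c in candidates})
        overvotes = undervotes = 0
        for ballot in ballots:
            # Ignore stray marks for names not on the ballot for this contest.
            marks = set(ballot.get(contest, ())) & set(candidates)
            if not marks:
                undervotes += 1
            elif len(marks) > 1:
                overvotes += 1
            else:
                votes[marks.pop()] += 1
        results[contest] = {
            "votes": dict(votes),
            "overvotes": overvotes,
            "undervotes": undervotes,
        }
    return results


def reconcile(hand_results, machine_report, threshold):
    """Compare the hand count with the machine report candidate by candidate.
    Returns {contest: {candidate: hand - machine}} for every candidate whose
    discrepancy exceeds the agreed threshold; those contests would be decided
    by a full manual count and their machines impounded."""
    flagged = {}
    for contest, hand in hand_results.items():
        machine = machine_report.get(contest, {})
        discrepancies = {}
        for candidate, hand_votes in hand["votes"].items():
            diff = hand_votes - machine.get(candidate, 0)
            if abs(diff) > threshold:
                discrepancies[candidate] = diff
        if discrepancies:
            flagged[contest] = discrepancies
    return flagged


HAND_COUNT = tally_ballots(BALLOTS, CONTESTS)

if __name__ == "__main__":
    for contest, res in HAND_COUNT.items():
        print(contest, res)
    print("contests requiring full manual count:", reconcile(HAND_COUNT, MACHINE_REPORT, 0))
```

With a zero-tolerance rule the council contest is flagged (Carol counted two votes higher on paper than the machine reported, Dan two lower) while the mayoral contest reconciles exactly; raising the threshold to 2 would silently accept the same swap, which is why the threshold has to be agreed before the recount rather than after.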
Would this actually happen? Neither precedent nor established laws and procedures in the various states are encouraging [12]. Even well-founded complaints about election fraud or error seldom result in reversal of results. Complaining candidates are almost uniformly treated as "sore losers". Procedures for e-voting elections in most jurisdictions are so poorly specified and executed that the chances of pinning down sources of discrepancies are nil. For example, there are numerous reports of e-voting machines not being properly sequestered for the period between pre-election testing and finalization of election results. For the above reasons, plus the difficulty in distinguishing between fraud and inadvertent computer error, post-election audits would also do little to deter cheating.
OS systems, though better (and cheaper) than DREs, can just as easily be rigged for fraud, and are also vulnerable to errors and break-ins. Despite their use of voter-marked ballots, they are not a satisfactory solution because we cannot assume that post-election audits will be adequately executed and their results acted on. We need an election system that gets it right the first time.
Why isn't this being done? As is the case for so many other societal problems, the stumbling block is money. While there is no profit for anyone in HCPB, there are big bucks to be made in selling and servicing e-voting systems. The vendors have been generous in sharing their gains with a variety of individuals and groups in position to influence decisions about how elections should be conducted, e.g., see [13, 14, 15].
It does not seem possible currently to enact even minimal reform legislation, let alone bills that get at the fundamental problems. Perhaps the best that concerned people can do is to educate as many others as possible, and to encourage the adoption of HCPB systems by local jurisdictions, which is possible in many states. Then, when more dramatic e-voting failures, such as the Sarasota under-vote episode, surface in the future, more people might recognize what is wrong and demand effective action.
For more on e-voting see
Comments can be sent to me at unger(at)cs(dot)columbia(dot)edu