E-voting is vulnerable to all the corruption techniques associated with traditional elections based on strictly manual operations. In addition, there is an open-ended collection of e-cheating methods that can be implemented on a large scale by relatively few people, despite well monitored election-day operations. Even under ideal conditions, it would be extremely difficult to detect many of the conceivable e-cheating methods. The testing and certification procedures prevalent today in every state are grossly inadequate and are frequently violated. Hence there is little assurance that elections held under these conditions are generating results corresponding to the actual votes cast. The ostensible motivation for using e-voting stems largely from the dramatic 2000-election problems that were associated with punched card voting systems. A better approach is to have teams of poll workers and poll watchers manually count ballots manually marked by voters. This simple, time-tested method, used in most industrialized countries outside the US, seems to work very well. When did you last hear about election fraud in Canada, Germany, or Sweden, for example? The bottom-line argument is that, except for elections with a very large number of contests on the ballot there are no advantages of e-voting over the manual approach that come anywhere near compensating for the great increase in the likelihood of fraud and error. In the exceptional cases where e-voting is deemed necessary, optically scanned manually marked paper ballots should be used. There should be strict, strongly enforced, measures to ensure transparency with respect both to programing and design of the optical scanners, and to election procedures. Certification of systems should be under the control of governmental agencies operating openly, and there should be clear, strongly enforced, rules for investigating indications of fraud or malfunction.
There has been ample discussion of the vulnerability of e-voting systems to corruption, e.g., [ BRENNAN, CRANE, DILL, EJF, HERRIN, MYTH, NIST, ODELL], so I will only survey the ground. As I see it, the major threat posed by e-voting systems is not from faulty systems and break-ins (tho these are significant secondary problems) but from systems with built-in cheating mechanisms. While e-voting software is not in the most complex class, it certainly is far from trivial. Hidden features of such software cannot be detected by simply applying various inputs and checking the responses, because the program might be designed to recognize some special out-of-spec input as a signal to change its mode of operation into or out of the cheating mode.
So examinations of programs are necessary. At present, there is no serious effort to check e-voting designs for surreptitious capabilities. Vendors refuse to make public their source code and circuit designs. The "certification" of e-voting technology by so-called "Independent Testing Authorities", borders on the comical [ RUBIN, SHAMOS-1]. The ITA's are private companies, hired by the vendors and reporting back only to the vendors, who keep the reports confidential. The widespread failures of e-voting machines suggest that the ITA's do a poor job finding ordinary design errors [ VTU]. They are not even expected to search for surreptitious features of these systems. The programs incorporating ballot design (ballot definition files) are not certified. Commercially available hardware and software (e.g., compilers) used in conjunction with e-voting systems are also not certified. Furthermore, rules against using uncertified software are routinely violated, often in connection with program patches inserted on or near election day.
But even in principle, the job of unmasking fraudulent designs is so formidable as to border on the impossible. Depending on whether compilation takes place in the e-voting machine or outside, it may be the object code or both source code and compiler (also assembler, linker, loader, etc.) that must be analyzed. Analyses of this kind are, at best, very difficult. The Ken Thompson 1984 Turing Award lecture [ THOMPSON] suggests what is involved. He discusses techniques for injecting into programs surreptitious features that do their jobs and then erase themselves, leaving no footprints.
Following is a quote from his conclusions:
The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.
But the problem doesn't end with software. Given a specific IC chip, with millions, or hundreds of millions of transistors on it, how could we determine if it does what it is supposed to do--and no more? A black box approach doesn't work here either, since some special input could change the internal state so as to alter the chip's response to normal inputs. Assuming we could somehow generate a map of what is on the chip and convert that to a transistor level circuit diagram, how many years would it take to figure out what it actually does?
And then there is the possibility that, somewhere inside the unit, perhaps buried in the power supply or even within some plastic knob, or camouflaged as a piece of glue logic, there is hidden a chip, perhaps including some flash memory and/or a radio receiver, as well as some logic intended for nefarious purposes.
Apart from switching votes from one candidate to another, e-cheating can also take the form of denial-of-service attacks [ BRENNAN]. In districts largely populated by voters supporting the cheater's opponents, system crashes are induced that have the effect of slowing operations to the point where long lines of voters result and many go home without voting. In some cases, of course, crashes occur simply due to the kinds of poor quality software that we are all too familiar with in other contexts. A limited form of this technique, that can be used in the same districts, is to turn off, in a random manner, the system feature that warns voters who have under- or over-voted.
The fundamental problem is that, when we are dealing with even moderately complex digital systems, there are no bounds on what imaginative bad guys might dream up. This is an entirely different problem from that of checking out designs or actual devices for inadvertent design errors or component faults. Any particular set of techniques for ensuring program integrity can be defeated by competent cheaters. Eventually, the security people detect the fraud and devise counter-measures. The cheaters then work out methods to overcome the new safeguards, and so on ad infinitum. This is the story with respect to general computer vandalism (worms, viruses, etc.), and also for the war against spam. There is no reason to think it would be any different with respect to e-voting systems.
When questions arise about the validity of the reported results from one or more election precincts, or if a margin of victory is very small, it is necessary to have some method for checking out the numbers. In a touch-screen (DRE) system, where all the data remains in electronic form, it is not possible to recount the actual votes cast. All that can be done is to go back to the records stored in the memories of the machines. This, of course, is not a check on the validity of those records, i.e., it cannot determine if the votes were correctly recorded to begin with. This problem was recognized some time ago by computer experts such as David Dill, who urged that all systems should produce voter verified paper ballots that could be used for effective recounts.
Thus, many states now require that even DRE systems be equipped with printers. After voters have approved on-screen summaries of the votes they have cast, the machine prints out a ballot showing these choices, and displays these to the voters (under glass). Voters then approve the printout, which is deposited in a ballot box by the machine. Unfortunately, there are major problems.
MIT laboratory experiments [ SELKER] indicated that very few voters actually verify the ballots before pushing the approval button. This confirms the observed behavior of voters in the 2004 Nevada primary [ SALTMAN]. It is doubtful that education campaigns would change the behavior of most voters sufficiently. So, if the machines occasionally switch a vote from candidate A to candidate B both electronically and on the printed ballot, most voters will not notice. Of the few who do notice, most will assume it was their own error and simply correct it. Occasional complaints are unlikely to have any effect. Voter reports of machine malfunctions are common. There are important variations and elaborations of this technique [CRANE-1].
Other, less fundamental, but in practice important, problems with computer marked paper ballots include mechanical failures such as jamming of printer rolls, ink problems, and improperly labeled rolls of ballot printouts. The need for voters to check the printouts against screen images in different formats slows the voting process.
It follows then that ballots should be marked manually by voters, without machine intervention. (The situation with respect to handicapped voters requires further discussion, and there are reasonable solutions [VPAD]. But this issue should not be allowed to obscure the fact that our first priority is to get all votes counted correctly.)
Consider now manually marked ballots processed by an optical scan unit--probably the least dangerous of the existing e-voting systems. As suggested above, corruption of such units cannot be ruled out. We might try to counter this by one or more of the following:
In principle, some combination of these approaches might work. But, apart from specific problems with all these methods (e.g., optical scanning is not all that precise [ JONES-2]), there is the basic issue of what to do if evidence of errors or fraud is found. As a practical matter, it is unlikely that effective action would be taken. The conclusions of the Brennan Center task force study [ BRENNAN] include the following statement:
Both Automatic Routine Audits and Parallel Testing are of questionable security value without effective procedures for action where evidence of machine malfunction and/or fraud is uncovered. Detection of fraud without an appropriate response will not prevent attacks from succeeding. In the Brennan Center's extensive review of state election laws and practices and in its interviews with election officials for the Threat Analysis, we did not find any jurisdiction with publicly detailed, adequate, and practical procedures for dealing with evidence of fraud or error discovered during an audit, recount or Parallel Testing.
When confronted with the kinds of problems sketched above, the natural reaction of engineers is to look for fixes and for alternative technical solutions. This has been the approach taken by many e-voting critics. Proposed fixes include encryption based schemes, and the addition of audio and/or video recording and enunciating devices, e.g., [SELKER, ROBINSON]. Some of these are truly ingenious, but they tend to complicate the voting task, or are costly and increase the chances for breakdowns. I think this is the wrong way to go.
There is an obvious, simple, solution: manually marked, manually counted ballots (MMMCB). This method has been used for over a century and is currently used in most countries outside the US, including Canada, France, Germany, and Sweden (also in some parts of the US). It is certainly possible to cheat with this system. There is a long, sad history involving methods such as bribery, coercion, ballot box stuffing, and dead people voting [CAMPBELL]. But these are all labor intensive, and difficult or impossible to conceal. The average person can see what is going on, and methods for prevention are simple and well understood. These types of cheating are not eliminated by e-voting. In addition, while large scale corruption is not feasible in MMMCB elections monitored by poll watchers representing rival political groups, the same cannot be said for e-voting. Even with proper monitoring, as discussed above, there is a formidable, open-ended, array of very difficult-to-detect methods for wholesale cheating with e-voting.
First let us make a rough estimate of the cost of manual vote counting. Assume that a counting team consists of two paid government employees (they may be regular employees or people hired just for election duty), and at least two poll watchers from rival parties (in primary elections, the term "parties" refers to election campaign organizations). Assume worker pay is $15/hr. and watchers are unpaid. For each contest on each ballot, a tick mark might be made in a box on some big chart. Assume it takes two seconds for each such mark. Then the cost per tick is $0.0167. If there are 15 contests, the cost per ballot is $0.25. For a precinct in which 1000 ballots are cast, the cost is $250. (For one counting team this would take about 8.33 hrs.) Note the sensitivity to the number of races. For monstrous California ballots, these numbers would go up considerably. On the other hand, for special elections with one or two races, the cost and time fall considerably.
Next, we consider the cost of paper ballots. There is a large range
here, depending on whether these are printed by the counties or
purchased. (Note that ballots for use in optical scan systems are more
costly than those needed when counting is manual). I will assume a
cost of $0.15 per ballot, tho they could probably be produced easily
by a computer savvy high school student for a lot less. So the total
for manual counting goes to $400. More generally, if the number of
ballots to be counted is b, the cost of a ballot is a, the hourly pay
for a poll worker is p, the number of paid workers per team is w, the
number of races is r, and the time for a tick is k seconds, then the
dollar cost of counting is
C=b(a+pwrk/3600)
If m voting teams are used, the counting time (in hours) is
T=brk/3600m
The cost C, calculated above is an estimate of the dollar cost to the
government entity administering the election. But there is also a cost
to the parties. This is not in dollars, as it is assumed that poll
watchers are volunteers, but rather in terms of the difficulty in
finding volunteers. The measure is the number of volunteer hours (for
each party) needed for counting b ballots, and this is
V=brk/3600
Now consider counting cost for e-voting. Just as e-voting is more complex, so is estimating its cost. The following is intended only as a rough estimate of minimum cost. How can we convert the purchase price of a machine into an annual cost? The problem is the same as that for computing fixed annual mortgage payments. Suppose we buy a house with no down payment and that we wish to pay off the full purchase price A in n years with fixed annual payments of P, where the interest rate is r. P corresponds to the annual cost of the machine, where n is the assumed lifetime. The appropriate formula is
P=rA/(1-(1+r)^-n)
Consider first non-printing DRE machines. Prices vary. I will use A=$3500, which, I believe, is in the lower part of the price range. Assume an interest rate of r=5%, and a life-span of n=15 years (which is, I believe a generous assumption). The formula yields an annual cost of $337. For the 1000-voter precinct considered above, current practice would mandate 5 machines. So the annual cost for the machines would be 5x337=$1685.
But that is not the whole story. Other E-voting machine costs include those for:
These costs vary considerably from place to place, and would be tedious to try to estimate here. But, at least for the first 4 items, we can get some idea from what Diebold is asking in Ohio. According to a story in the Columbus Dispatch [LANE]:
The full coverage plan offered by Diebold Election Systems to service its touch-screen voting machines in Fairfield County, for example, would cost $90,000 a year. Partial-coverage options are available at $60,000 and $21,000 a year.Fairfield County, has about 100,000 registered voters, so for our 1000 voter precinct, the charge would be $900 for full coverage.So now we are up to C=900+1685=$2585 for counting with DRE's versus $400 for manual counting. I could go on to add in more of the e-voting costs, but costs for such items as the secure storage of ballots or machines are difficult to estimate. (Note tho that it is reasonable to assume that storing 1000 paper ballots is a lot cheaper than storing five DRE machines.)
Optical scan systems are more economical than DRE machines (fewer machines are needed). A study made for NY State [NYVV] indicated that the acquisition cost for Optical scan systems would be about half of that for DRE based systems. So, we might estimate the cost for an optical scan system at about $1293 for our 1000 vote precinct (bearing in mind that not all e-voting costs were included in the above calculation).
In most, if not all states, provision is made to allow people who, for some reason, cannot vote at their local polling places on election day, to vote by mailing in "absentee" paper ballots. In recent years, some people have chosen to vote by mail because of (soundly based) concerns about e-voting fraud. In Oregon, this has been made the primary voting mechanism. The procedure is for voters to apply for ballots, by mail, receive them by mail, and then mail back the completed ballots, which are then counted in a special part of the tallying process.
Unfortunately, as currently implemented, there are serious problems with mail ballots [ CORRY]. These include making vote buying and ballot box stuffing easy, facilitating coercion (both by outsiders and by family members), and making it easy to steal ballots in bunches, for example those sent to old-age or nursing homes. Because provision for absentee voting is necessary, it is important to develop procedures that allow it without opening a door to major corruption. One possible solution is to mimic, as closely as possible, conditions at a regular polling place. Voters should be able to go, perhaps by appointment, to satellite polling stations set up in such places as post offices, schools, libraries, on military bases (including overseas), consulates, etc., where there are representatives of various political entities as well as government officials. There they identify themselves, receive and mark their ballots, observed by poll watchers, and put the ballots in sealed envelopes. These are endorsed by at least two poll watchers and an official, and then sent by registered mail to the home precincts. (This is just a rough sketch of what might be done. More work is needed to develop various detailed, alternative protocols.)
A secondary advantage of e-voting is that, at least for some such systems, voters can be warned that they have over-voted or under-voted (under-votes are often intentional) in some races and given a chance to make changes. Such warnings do have some value. But not much, since these errors are not very common and the effects on candidate totals balance out to some extent.
A third advantage of e-voting surfaces in cases where there are a great many races on the ballot, and, to a lessor extent, where the number of candidates is very large. E-voting systems should be able to handle such cases in stride, altho preparing the ballot data files would clearly be more time consuming. For DRE machines, organizing the material on the screen would be a problem, and voters would have to deal with serially presented multiple screens. But the dollar cost for manual counting increases with ballot size and, at some point, would exceed that for optical scan systems, and then for DRE systems. More important, the burden on political parties of finding enough volunteer poll watchers might be considered excessive. For elections with reasonable sized ballots, MMMCB elections are cheaper than e-voting elections with respect both to equipment and labor costs (no technicians required.)
As is the case for any election system, it is critical that the entire MMMCB process be transparent, with proper attention to chains of custody (for the ballots), and observation of the entire voting and counting process by representatives of various election campaign entities and others [ JONES-1]. There must be enough poll workers and poll watchers assigned to each precinct so that nobody has to work on election day to the point of exhaustion. Subsequent to the closing of the polls, it is important that there be wide-awake poll watchers to monitor the counting and the secure storage of the ballots. It is unfortunate that there are states--California is prominent in this class--in which voters are expected to make election day decisions on a large number of referendum issues, and to choose people to fill numerous obscure--tho sometimes important--government positions. While, at first glance, appearing to be very democratic, I believe it is quite the opposite, as very few people can spend the time necessary to make these decisions in a thoughtful manner. Of course the main reason we have a representative government is to have people directly responsible to the citizenry make secondary appointments and make decisions on various fiscal matters. Apart from leading to bad decisions, a consequence of these bloated ballots is that they may necessitate the use of electronic devices.
In such cases (and I do not know how many jurisdictions are in this category) we should insist on the use of hand-marked ballots counted by optical scanners whose designs and programs are open source, and which pass stringent qualification tests conducted openly by publicly-funded agencies. Strong provisions for random checking via manual recounts should also be mandated, with clear, strictly enforced procedures for thoro forensic investigations if the machine outputs do not check out.
E-voting venders often defend their products by claiming that no hard evidence of e-voting fraud has been developed, so that there is no proof that these systems are vulnerable. Actually, there are numerous instances of highly suspicious situations involving these systems, but the circumstances in which they are deployed, the lack of adequate security procedures, the secrecy imposed by the vendors about their products, and the complexity of the systems are all factors that make it extremely difficult to produce clear evidence of deliberate fraud. (It is, incidentally, characteristic of computer-based systems that it is often difficult, if not impossible, to distinguish between unintended and malicious malfunction.) In general, when a new system is proposed for an application in which malfunction--regardless of cause--can result in very serious harm, the proponents should bear the burden of proof that the system is safe. Critics should be expected only to point out potential problems, not to prove that the system is unsafe. Proposed new systems, unlike people accused of crimes, should not be considered innocent until proven guilty. An interesting pair of essays dealing with the issue of burden of proof, among other points, is in [SHAMOS-2] and [ CRANE-3].
Except for jurisdictions where the number of items on the ballot is exceptionally large, there is no sound reason to make a critical aspect of our democracy vulnerable to corruption via costly, complex technology that offers no important benefits, when there exists a simple, inexpensive, time-tested alternative. This is an unusual case in which low-tech trumps hi-tech. It is important that computer experts point this out to "civilians", and particularly to election officials, overly impressed by technological glitz.