Strengths and Weaknesses of Voting Systems

Part of the Voting and Elections web pages
by Douglas W. Jones
THE UNIVERSITY OF IOWA Department of Computer Science

Copyright © 2004. This work may be transmitted or stored in electronic form on any computer attached to the Internet or World Wide Web so long as this notice is included in the copy. Individuals may make single copies for their own use. All other rights are reserved.

Keynote address at the
Second Inter-American Meeting on Electoral Technology
Organization of American States
Panama City, Panama
March 1, 2004



Here is a joke that I first heard in the 1970s: "In the old days, a clerk might make one or two mistakes a day, but now, with computers, we can make thousands of mistakes per second."

Here is a serious maxim from the same era: "In the field of computer security, we worry as much about the careless user as we worry about the malicious attacker. For each attacker, there may be hundreds of honest but careless users, and whatever an attacker may do intentionally, some careless user is bound to do by accident."

Anyone interested in the use of computerized voting systems should keep both of these lessons in mind. Conventional systems of election administration are prone to a variety of errors, and if we simply automate the current manual procedures, we risk serious increases in the error rate while, at the same time, creating new opportunities for election fraud.

Because of this, I strongly urge election officials to concentrate first on creating voting procedures that are inherently secure and error resistant before seeking to automate those procedures. At the same time, I urge you to resist the temptation to be modern purely for the sake of modernity. Voters and election officials should view with suspicion any technology for election administration that they do not fully understand.

A Word of Caution

I should note that I speak with certain biases that result from the context in which I work. I am an academic computer scientist who has served for a decade on the Board of Examiners for Voting Machines and Electronic Voting Systems in the state of Iowa. This means that I take hypothetical threats to the security of our voting systems very seriously. In contrast, if I was building and trying to sell such machines, I might dismiss these threats as mere academic speculation.

I live in Iowa, a state of the United States, so I see elections from that perspective. When viewed from the perspective of other democratic nations, elections in the United States seem extremely complex. It is an old joke that a California voter casts more votes in one election than a British voter casts in a lifetime. We elect judges, sheriffs, local government councils, and local school officials, where in England, most of these would be appointed by the central government.

In the United States, we frequently have four elections a year, with 40 or more issues on the ballot for the general election in November. One general election ballot will frequently list candidates for minor offices such as the local county governing board on the same page as major national offices such as president. As far as I know, only the voters of Switzerland vote this frequently, but even they would be surprised by the number of distinct issues on a general election ballot from the United States.

A second factor that makes elections in the United States distinctive is our federal system. Elections in the US are conducted largely under state law, although national laws require that the states meet certain standards. In most states, the conduct of elections is delegated to the counties; Iowa, for example, is made up of 99 counties, each of which has an election office. In Canada, in contrast, national elections are run by Elections Canada, a national agency, while provincial elections are run by provincial election authorities and local elections are run by the local government.

Distributing the authority to conduct elections over thousands of counties makes it very difficult for a corrupt central government to falisfy the results of an election, but it also means that, at any time in our history, there have usually been counties that were controlled by criminals. We find it easy to point to examples of this from 50 or 100 years ago, even when we confidently assert that most county election administrators in the United States today are very honest.

Our system of distributed election administration makes it difficult for any one election office to obtain great depth of technical expertise. Voluntary groups such as the National Association of State Election Directors (NASED, and the International Association of Clerks, Recorders, Election Officials and Treasurers (IACREOT, provide some assistance with this, but the primary responsibility lies with the state and national governments, and it is extremely difficult to convince legislators to provide adequate funding for offices that merely oversee elections and do not actually conduct them.

The complexity of elections in the United States led to widespread use of mechanical voting machines over a century ago, and by 1930, these voting machines were in use in most urban areas. Their use was so universal that, by 1950, the expression to pull the lever had becom a synonym for the verb to vote. While there was great public confidence in these old machines, I do not believe it was justified, and in fact, many of the threats posed by newer election technologies were also present in these old machines.

General Principles

It is not possible to evaluate a voting mechanism without taking into account its human context. Therefore, when I speak of voting systems, I am speaking of the entire system, including not only a machine, but the voters, the local election administrators at the polling place, the technicians who prepare the machine for an election, the auditors who certify the result, and the observers from the parties and the public who help assure that the election is honest.

In the evaluation of a voting system, we must ask: Who must we trust if this system is to give a correct result? An ideal voting system will not rely on any trusted entity, because if we extend our trust to any person or institution, we create the temptation to abuse that trust. If, for example, we trust the voter to insert a single ballot in the ballot box, the voter may be tempted to insert two, or twenty. If we trust the technician to correctly program our voting machine for an election, the technician may be tempted to fix the machine to favor the candidate of one political party. Our slogan should therefore be, trust nobody!

If we cannot trust any individual, we must make sure that our system provides safeguards. It is easy to subdivide these safeguards into two categories. The first category involves oversight. Ideally, every step in the process, from ballot preparation before the election up to the final count of the votes should be open to public inspection, limited only by the requirement that there must be no way to connect a particular voted ballot with a particular voter.

The second category of safeguards centers on audit requirements. If there is ever a question about the correctness of the count in any election, the election system should retain sufficient information that the count can be repeated. It is essential that the authenticity of this information be provable. In effect, the source materials on which the count is based must be treated as evidence in a court case, and just as we demand that the authenticity of the evidence used in a criminal case be proven before that evidence is accepted, we must demand that the evidence in an election recount, that is, the ballots and other records, be proven to be authentic.

An important principle to keep in mind is the military doctrine of defense in depth; the Duke of Wellington was a strong advocate of this doctrine during the Napoleanic wars, and it remains important today: In building any defense, we should assume that our opponent will find our weaknesses and exploit them. Therefore, we should always have secondary and tertiary lines of defense.

In the realm of voting systems, we can define administrative defenses, for example, the rule that ballots may not be touched unless members of opposing parties are present. We can add a layer of technical defenses, such as the requirement that ballots be printed on special paper, and we can add a layer of physical defenses, such as the requirement that the ballot box be very strong with a good lock. We should look with suspicion at any claim that a strong defense at one of these levels makes defense at one of the other levels unnecessary.

Election Technologies

Paper Ballots

Before we consider modern technologies, it is worth considering the classical Australian paper ballot, as used in democracies around the world for over a century. The basic idea of printing paper ballots at government expense and distributing them at polling places was invented in Australia in 1858. Before this, elections were commonly carried out by voice vote or using paper ballots provided by the voter.

The Australian ballot relies on numerous safeguards to guarantee the honesty of the election. Outside observers, called scrutineers in much of the former British empire, are required at the polling place from before the polls open until the ballot box is sealed, and they are required again from before the ballot box is unsealed for counting until the end of the count. As the polls are opened, the officials must demonstrate to the scrutineers that the ballot box is empty.

It is obvious that procedures are required to ensure that each voter puts only one ballot in the box. What is less obvious is the need to assure that this is the very same ballot that was given to the voter, blank, only minutes before. If this is not done, a crook could give the voter a ballot that is already marked for a candidate before the voter goes to the polling place, offering to pay for a blank ballot when the voter returns. This is called chain voting in the United States, and it has been widely reported from some regions. Defenses against chain voting vary; one defense involves numbering the ballots, recording the number of the ballot given to the voter, and then verifying the number of the ballot returned by the voter. In order to ensure voter privacy, the numbers can be printed on numbered stubs that are torn from the ballots before the ballots are deposited in the ballot box.

Auditing is greatly simplified if there is a record, outside the ballot box, of the number of ballots that should be found in the box. The scrutineers can record this independently, but an official count is useful. For example, the number of signatures in the election register can be counted, the number of ballots issued to voters can be counted, and the number of stubs torn from ballots can be counted. All of this information should be stored as part of the official record of the election. For example, these numbers can be counted when the polls close and publically posted at the polling place, so that observers can verify these numbers and compare them with the official count of ballots from that location published later.

Transport of the ballot box to the counting center must be done in a way that prevents anyone from tampering with the box. The standard procedure here is to require that the box be carried by two officials, each one carrying one handle of the ballot box. Ideally, these officials should represent opposing parties, so that neither official trusts the other and so that they are unlikely to cooperate in any effort to change the contents of the box.

When the time comes to count the votes, it is very important to assure that no person who touches the ballots has any access to pens, pencils or anything else that could leave a mark on the ballot. One classical approach to election fraud is for one of the ballot counters to have a small piece of pencil lead under a fingernail, so that, when the ballot counter sees a ballot that contains an undesirable vote, that counter can add a mark to the ballot in order to invalidate it. It makes good sense to allow the scrutineers to inspect the fingers of the ballot counters before they are allowed to touch the ballots. Some states in the United States require this precaution.

Ballots should be dumped from the ballot box onto the counting table, so that their order is guaranteed to be random. Carefully lifting them out of the box in a way that preserves their order would allow observers to reconstruct how the voters voted.

Once the count has been completed, the totals for each candidate in a simple "vote for one" election plus the number of ballots that did not express a preference in that election should add up to the total number of ballots counted, and this number should be the same as the number of ballots that were supposed to be in the ballot box, as recorded at the polling place. If these numbers do not match, there has been some error. Sadly, this simple check on the accuracy of the count is rarely possible because many election authorities do not publish the number of voters who voted, nor the number of ballots counted, but only the number of votes recorded for each candidate. Historically, this failure has made it difficult to assess the honesty or accuracy of election counts in many districts within the United States.

The biggest weakness of paper ballots lies in the fact that human observers must interpret each mark on each ballot. There will usually be a few ballots where voters failed to follow the instructions or where smudges and printing defects confuse the interpretation. Subjective or biased interpretations are always possible; to minimize this, we typically demand that witnesses be able to see the ballots as they are being interpreted, so that obvious bias will be visible, and we demand that the official interpretation of each ballot be determined by teams composed of members of opposing parties. If we record, as part of the official count in the election, the number of ballots where the interpretation was disputed, we can hope to expose the extent of subjective and biased interpretation. Unfortunately, I have never heard of a jurisdiction where this is done on a routine basis.

Mechanical Lever Voting Machines

Mechanical lever voting machines displaced paper ballots in most urban areas of the United States over 50 years ago. These machines have an array of hundreds of small levers on the face of the machine, and voters vote by pulling the lever down beside each candidate they prefer. These machines solved many problems. For example, they eliminated all issues of subjective ballot interpretation, but they introduced new problems:

With a lever machine, the mechanism behind each lever is sealed inside an opaque box. Outside observers cannot see this mechanism, and it is extremely complex, containing hundreds of counters, one per lever, where each counter has three digit wheels, two gears, a spring, and other mechanical parts. Even if this mechanism was visible, it would be hard for an observer to determine if it was working correctly, and in fact, the mechanism is so complex that complete testing was rarely done.

With a lever machine, the correctness of the election rests, in large part, on the technicians who maintain and test these mechanisms. If these technicians are honest and thorough, the machines will report honest results, but what if the technicians are dishonest or lazy? We know several ways that the technicians could rig lever machines to report dishonest totals, and Roy Saltman has reported that a disturbing fraction of all mechanical voting machines had at least one lever that would not properly record votes.

Lever machines maintain an independent count of the number of voters using the machine, and it is nearly impossible to make changes to this count, so we can easily measure the fraction of the voters who either did not vote on some issue or whose vote on that issue was not properly recorded. This allows a statistical analysis of the vote totals to identify machines that may have failed, but I am not aware of any jurisdictions that have done this, and even if it has been done, it is hard to see what could be done, after an election, to account for such a failure.

The single biggest weakness of lever voting machine technology is that the machine retains no record of the ballots cast by individual voters. This ballot exists briefly, as a pattern of levers on the face of the machine, but as the voter opens the curtain to leave the voting booth, the machine erases this ballot as it increments the mechanical counters behind each lever. As a result, the machine literally destroys the evidence that would be required to perform a recount of the election if a candidate found evidence of some irregularity. Because these machines have been used for a century in the United States, the courts have accepted this as normal, and this has set a dangerous precedent for cases involving challenges to newer voting technologies.

Punched-Card Ballots

Punched cards were applied to data processing in the 19th century, and by the 1950s, they had become the symbol of the new computer age. It was natural to consider using punched cards as ballots, and after IBM developed the inexpensive Port-A-Punch it was not long before it was adapted for voting as the Votomatic system. By 1965, IBM was aggressively selling this new computer-based vote tabulating technology.

Punched card voting is a modified form of the Australian paper ballot, but with holes in the cards replacing the pencil or pen marks used on conventional paper ballots. As such, all of the standard precautions applying to paper ballots apply equally to punched cards.

In a routine count, punched card ballots are counted by machine. These machines can objectively determine the difference between an unpunched card and a card where a clean punch was made, but they cannot interpret marginal conditions such as a ballot where punching was done incompletely.

Unfortunately, while almost everyone has years of experience making marks on paper, most of us are not familiar with interpreting punches in paper, so voters cannot easily verify that their ballots are properly punched, and if there is a hand count of punched-card ballots, the counters cannot easily interpret improperly made punches. The recounts in Florida in 2000 were excellent demonstrations of this.

The Votomatic mechanism itself poses some problems. It is easy to fix this mechanism to prevent successful punching in some position on the ballot, and it may be difficult for voters to detect that this has been done. Pre-election testing to detect such problems is made difficult by the very conditions that make it difficult to hand count punched-card ballots: such tests rely on visual inspection of the test ballots, and few people are skilled at this. The Palm Beach Post reported on December 9, 2001 that in the 2000 general election in Palm Beach County, Florida, the pre-election testing was entirely inadequate. Many of the 4,867 test ballots had dimples and other evidence of difficulty making proper punches, but not a single Votomatic machine was removed from service for cleaining or maintenance because of these tests.

Optical Mark-Sense Ballots

Starting in the late 1950s, a new ballot tabulating technology emerged, the optical mark-sense ballot tabulating machine. These machines only came into common use in the 1980s, but today, they are very common in the United States and several other countries. As with punched-card voting, this system is based on a modified Australian paper ballot system.

In the case of optical mark-sense scanning, the ballot tabulating machine reads pen or pencil marks on the paper ballot. As such, it is reading the type of mark that most people can easily interpret, so it is far easier for people to understand both the testing of the machine and the visual interpretation of the ballots in case the machine count is subject to question.

Early mark-sense vote tabulators were not very good at distinguishing between deliberate marks, smudges, erasures and printing defects, but today's mark-sense tabulators are remarkably good at this. Nonetheless, there will always be some ballot markings that the machine cannot reliably interpret. Simple and clear instructions to the voter can reduce the frequency of such marks to very near zero, but there always remains the possibility that some ballot markings will be counted by the vote tabulator in a way that human interpreters will agree is wrong.

Optical mark-sense vote tabulators come in two forms, one suitable for use in a central location, and the other designed for use at the voting site. Central-count systems have the lowest initial cost, but use of vote tabulators at the precinct has several advantages. First among these is the fact that the ballot tabulating machine can detect many invalid markings on the ballot and give the ballot back to the voter for remarking. Because of this, United States law now requires the use of such machines when optical mark-sense ballots are used. Faster tabulation is also an advantage; the count is available immediately when the polls close, and it can be posted in public at the polling place before transport or transmission to the election office.

Optical mark-sense ballot tabulators designed for use in the polling place are more expensive; one must be purchased for each polling place, and each machine must be securely attached to a ballot box. In addition, these machines must survive the harsh environment of the polling place instead of the relatively comfortable environment of a government office. Reliable electric power cannot be assured in polling places, even in the United States, so these machines always include emergency batteries, and even these might fail, so an emergency compartment is always added to the ballot box to hold ballots that have not yet been tabulated.

Direct-Recording Electronic Voting Machines

With the microprocessor revolution of the 1970s, it was obvious that microcomputers could be used as voting machines, and starting in the 1980s, various companies began to build voting machines based on this idea. Officially, in the United States, these are called direct-recording electronic voting machines, abbreviated DRE machines. Today, most of these machines are based on touch-screen technology where the ballot is presented on a computer display screen, and votes are entered by touching the screen.

These machines offer the possibility of paperless elections where the totals are instantly available when the polls close and where the vote totals are entirely objective, without any questionable human interpretation and without any possibility of clerical error. There are, however, some serious problems:

In the first place, the use of computers does not guarantee that there will be no errors. In one notorious case from Florida in the 2000 general election, a computerized voting system recorded negative 16,022 votes for Al Gore in a district with only 585 voters (Volusia County precinct 216). This problem occured with an optical mark-sense ballot tabulator, so a recount of the paper ballots was possible, but there have been reports of similarly strange numbers from direct-recording electronic voting machines. In sum, computers can and do make occasional mistakes, and we must defend against this.

Another problem is the simple matter of display size. It is easy to fit 36 names onto one column of an optical mark-sense ballot, but most computer displays with touch-screen data input cannot easily present this many candidates on the display at one time. Once a race is split across multiple columns on paper, or across multiple screens on a computer, the rate of voter confusion goes up significantly. This led to serious problems in the 2000 Florida election where several Florida counties made ballot design errors that resulted in the presidential race being split across two columns on mark-sense ballots. Of course, no sane political system will allow an election with so many candidates, but the recent California recall election had almost 150 candidates on the ballot.

The initial cost of these systems is higher than for optical mark-sense systems because one machine is needed for each voting booth instead of one per polling place or one per regional election office, but they promise long-term savings because of the ballot printing costs that are avoided. These savings may be illusory, however, because of the high storage cost for direct-recording electronic voting systems. All voting systems require secure storage, and all electronic systems require at least some climate control. Long-term storage of systems that use rechargable batteries adds to the storage costs because of the special requirements of the batteries themselves.

The most widely discussed problem with direct-recording electronic voting machines is that, like the mechanical lever voting machines of the past, they destroy the evidence of the individual voter's ballot. These machines do record an electronic record of the ballot, but the accuracy of this record depends on the correctness of the software inside the voting machine. In effect, we can only trust the direct-recording electronic voting machine if we trust the programmers who wrote the software for that machine.

The electronic record of the election produced by many of these machines is stored in a PCMCIA card, an electronic storage device the size of a common playing card. While it is easy to say that the ballot box should be held jointly in the custody of two officials representing opposing parties, joint custody of a device this small is very difficult. Furthermore, many people are skilled at tricks with playing cards that can easily be applied to these small cards, and many common pocket computers can read and write PCMCIA cards!

Much of the controversy surrounding these machines centers on the question of whether software can ever be trusted in such a setting. The situation is complicated because the companies that build these machines want their software to be proprietary, unavailable for inspection by the public. Therefore, in the United States, this software is subject to inspection by independent testing authorities certified by the federal government, under a set of voluntary voting system standards promulgated by the Federal Election Commission in 1990 and revised in 2002. The testing is paid for by the company making the voting system, and the resulting detailed reports on the quality of the software are themselves confidential.

The security of national elections is a matter of national security. If the software is produced by only one or two people and then tested by only one or two people, an attacker intent on taking control could do so at the price of only a few bribes. The danger of this situation is mitigated, to some extent by the fact that, in the United States, we have multiple vendors of direct recording electronic voting machines, but there are only four that are large: Diebold, Election Systems and Software, Sequoya and Hart InterCivic. It is fair to guess that, in states such as Maryland and Georgia that have elected to rely on a single direct-recording electronic voting system statewide, the security of the system probably depends on the honesty of fewer than ten people. Can we accept this risk?

After researchers at Johns Hopkins University and Rice University released the results of an unofficial security audit of the software used in the Diebold AccuTouch direct-recording electronic voting system in late July of 2003, the states of Maryland and Ohio have each commissioned two independent studies of the security of the voting systems they used. The results of these four studies are not encouraging. The studies from Science Applications International Corporation and Compuware Corporation generally confirmed the results of the earlier unofficial study, and the Compuware study showed that the weaknesses of the Diebold system were only marginally worse than those of the systems made by three other vendors. The study by RABA Technologies demonstrated that some of the more technologically interesting weaknesses of the Diebold system could in fact be exploited, and it also found that the physical security of the Diebold system was remarkably weak. The studies by InfoSentry Services and Science Applications International both showed that state election procedures were seriously flawed.

Version control has proven to be a particularly difficult problem with software used in voting systems. If we are to trust our computerized voting systems, we must eliminate the possibility that any software will be installed on them that has not passed through rigorous certification procedures. In the software industry today, however, there is a cultural bias toward the exact opposite, favoring the right of the programmer to update the software at any time. In the United States today, most states have laws imposing strict control over voting system software, but we have evidence from several states that these rules have been routinely violated. In California, for example, the Secretary of State ordered an audit of the software versions in use for voting systems in the state on November 12, 2003; by December 16, it was discovered that all 17 counties in California that used Diebold voting machines had installed unauthorized versions of the software.

The Open Voting Consortium ( and several other groups have proposed variations on the idea of open-source voting systems, where all of the software in the voting system would be available for public inspection. Open source development does not solve all of these problems. Open source is only useful if someone actually takes the time to read the software. A single reader is unlikely to detect any particular error, unless that error is blatant, so we really need a large community of people reading the code. Furthermore, open-source software does nothing to address the issue of version control, although I have proposed some ways in which the Open Voting Consortium could address this issue through their open-source software license agreement.

Systems with a Voter Verified Paper Trail

As the use of direct-recording electronic voting systems began to increase in the United States, a number of people, mostly academic computer scientists, began to object. Rebecca Mercuri was among the first to propose an alternative system in which computer technology would be used to avoid issues of ballot interpretation, using touch-screen or similar technology, but where the actual record of the vote is a machine-printed paper ballot. The key to the security of this idea is that the voting machine presents this ballot to the voter for verification before it is dropped in the ballot box for secure storage. If there is ever a question about the correctness of the tabulating software, these paper ballots can be hand counted.

The Avante Vote-Trakker was the first commercially available voting system to incorporate any variant of this idea. This was certified under the voluntary Federal standards in 2002, and since then, several new companies have emerged with similar offerings and several vendors of direct-recording electronic voting systems have pledged to provide the option of adding a voter-verified paper ballot to their systems.

The storage costs of these machines is quite similar to that of direct-recording electronic voting machines, with an added element, the cost of printer maintenance. Most direct-recording electronic voting machines do include printers for printing the totals at the end of the election, but the volume of paper these printers must handle is small, so the printers used in voter-verified paper ballot systems must be faster and more flexible. Reliable inexpensive printers of the type used to print receipts in many commercial settings are available, but opponents of voter-verified paper ballots frequently express doubts about their adequacy for this application.

The Special Problem of Minority Access

In the United States, we are committed to allowing the same voting rights for voters in various minority groups, including the blind, those with physical handicaps, and those who speak languages other than English. This poses different challenges for different voting technologies.

Among the available technologies, direct-recording electronic voting machines and systems that use voter-verified paper ballots offer the most flexibility. All such machines made today use computer displays, and these can easily be customized to offer ballots in the language of the voter's preference, so one voting machine can offer ballots in English, Spanish, Vietnamese, or whatever language the voter happens to request. For blind voters and for those who speak languages that are not written, these machines offer audio interfaces, speaking the ballot to the voter. Not all available machines do this equally well, but the differences do not stem from any fundamental technological limitation.

Bilingual paper ballots, including optical mark-sense ballots, are fairly easy to print, but if a jurisdiction requires more than two languages, the extra text quickly fills all of the blank spaces on the paper and the ballots become unreadable. There is the possibility of developing what is called ballot on demand technology, where paper ballots are printed by a computer at the polling place; this would allow a voter to request a ballot printed in a particular language at the time the voter signs the election register. To my knowledge, this approach remains hypothetical.

Many people assume that the needs of blind voters can be met by printing ballots in Braille. Unfortunately, the fraction of the blind population who know Braille is quite small. While those born blind may learn Braille in special schools for the blind, those who lose their sight after childhood rarely learn this system.

For simple elections where there is just one race on the ballot with only a small number of candidates, the needs of blind voters using paper ballots, including optical mark-sense ballots, can be met at very low cost. The idea is to use a cardboard ballot marking template. The template covers the surface of the ballot, with holes over the valid marking positions, and the voter can be instructed, from outside the voting booth by a person who reads the ballot out loud. Observers and other voters who are present can easily hear if the person reads the ballot correctly, so the voter is protected against incorrect instruction, and the voter's privacy is ensured. This solution fails, however, when there are more than about seven holes in the template; there is room for considerable innovation here!

One voting system, the AutoMark Voter Assist Terminal, from Vogue Election Systems, offers the touch-screen and audio interface of a voter-verified paper ballot system, but it records the vote on a conventional optical mark-sense paper ballot. This machine allows most voters to vote using a pencil or pen, while voters who need assistance can use this machine. I hope that other machines of this type emerge as viable competitors in the voting systems marketplace because this could reduce the cost of the election.

Concluding Remarks

While I do not claim that any voting technology in use today is perfect, I do feel that the two most promising voting technologies in use today are optical mark-sense ballots and voting machines offering voter-verified paper ballots. The integrety of election systems based on these technologies can be tested without requiring great technical expertise, yet they allow the use of computer technology to avoid the clerical errors that have always plagued the conduct of elections around the world.

Whatever the technology used, a deliberate policy of defense in depth would improve the conduct of elections in most jurisdictions. For example, where direct-recording electronic voting machines are used, we can defend against the most obvious attacks from programmers by maintaining a human record of the count of the ballots that should have been recorded, and then verifying both that the machine counted this number of ballots and that the sum of the votes for each of the candidates plus the number of abstentions is the same. This kind of simple sanity check, if performed routinely, can prevent absurd numbers such as the infamous negative 16,022 votes counted by one machine in the Florida 2000 election.

California law has long required a routine hand count of the vote in precincts representing one percent of the population of each county after each election, in order to defend against inaccurate counting by voting machines. This is an excellent example of defense in depth, and it illustrates one feature of financial auditing that is rarely found in election adminisration -- the idea that auditing is a routine function and not merely a response to allegations of fraud.

If there is one lesson that I would like election administrators to remember, it is an old one. Demosthenes said it well thousands of years ago: "There is one safeguard known generally to the wise, which is an advantage and security to all, but especially to democracies as against despots. What is it? Distrust!" This applies just as well to election technology as it does to any other human institution.