[link to index of press clippings]

CIO Online

E-Democracy: The Lowdown on E-Voting

Recent elections have highlighted flaws in U.S. voting procedures and prompted a push to apply IT to the casting and counting of votes. Critics worry we're going from bad to worse in adopting the new technology without working out all the bugs. We explore the challenges and what it will take to fix them.
June 1, 2004

THE DEBATE over electronic voting is more contentious than presidential politics. Proponents believe that e-voting, in which votes are cast, recorded and counted electronically, will ensure the integrity of our election system, streamline election administration, and finally deliver on the promise of the secret ballot to the blind and other Americans who have not been able to vote unassisted at many polling places. But a vocal group of computer scientists is sounding the alarm that e-voting is too rife with security gaps, software bugs and procedural lapses to entrust with the linchpin of our democracy.

The only point the two sides seemingly agree on: E-voting is coming soon to a polling place near you. ...

The mess in Florida following the 2000 presidential election shone an unforgiving light on the problems with existing voting systems, down to the last hanging chad. ...

The United States's standing in the world as the beacon of democracy is being undermined by our antiquated voting systems. ...

As Election Day 2004 approaches, the rhetoric surrounding e-voting and its main points of contention will only increase. At the heart of the matter is ensuring that each voter's intentions are accurately captured, tallied and preserved. Florida and subsequent fiascos prove the old methods have failed in this, and electronic voting offers a possible solution to the problem. But first, three key challenges must be addressed: how to provide reliable audit trails that will help prevent fraud and ensure an accurate recount (should one be necessary); the security risks associated with software and electronic transmission of data; and the enormous challenge of training approximately 173 million registered voters of wildly varying education levels and technical sophistication in how to use the new systems. While proponents and critics disagree on how best to implement e-voting systems, there are clear front-runners to fixing the most worrisome problems.

Challenge #1: Create a Reliable Audit Trail
What's at stake: The ability to verify votes in the event of a recount

Best fix: Provide a paper trail to accompany electronic votes

"The big issue in any election is auditability," says Doug Jones, associate professor of computer science at the University of Iowa. As he describes it, an auditable election is one in which the results are verifiable both to independent observers and any other interested party. The problem with e-voting is that there's no tangible evidence that votes were recorded as voters intended.

When votes are cast and recorded electronically, the way to conduct a recount (and to tally in the first place) is to run a tape off each individual machine and then compare those totals against the number of people who checked in to vote. While that method will reveal discrepancies in the event of some types of voter fraud --multiple voting, for example-- there's no way to ensure that the votes were recorded the way that voters actually cast them. "In a fully electronic system, I can't confirm my vote, and that's not a proper democratic election," says Rebecca Mercuri, a research fellow at Harvard University's John F. Kennedy School of Government who wrote her doctoral dissertation on electronic voting systems. Mercuri is one of the most outspoken critics of e-voting and the vendors that sell the equipment. She and many other computer scientists believe the best way to mitigate the audit problem is to combine electronic machines with good, old-fashioned paper by including a voter-verified paper ballot.

How it would work: With touch-screen systems, voters activate ballots using a PIN or smart card given to them by election workers at the polling place; they activate the screen, select their candidates, verify their choices via a paper printout and then electronically cast their votes. To preserve anonymity and protect against fraud, voters leave the paper behind, either at the machine itself or in something that could resemble an old-fashioned ballot box. The machines capture, tally and transmit the data, but the paper provides a backup.

Pros and cons: Proponents of paper duplicates say they are an essential addition to e-voting for two reasons: They provide voters with a physical confirmation of their vote, and election officials can use them in the event of a recount.

The vendor community doesn't like it. "We oppose the idea of a voter-verified paper trail," says Harris Miller, president of the trade group Information Technology Association of America. ...

Ted Selker, an MIT associate professor of media arts and sciences who works with the CalTech/MIT Voting Project, sides with Miller on this. ...

Alternatives: One possible alternative Selker and his colleagues are researching is a write-once memory card that serves as the official ballot. Cryptographer David Chaum is also working on a verification system that involves encrypted codes that voters can verify over the Web. ...

Despite Miller's assertion that paper trails are unnecessary, voter-verified ballots are gaining support. Depending on pending legislation, California may require them this November, and Rep. Rush Holt of New Jersey has introduced a bill that would require them nationwide.

Challenge #2: Mitigate Security Risks
What's at stake: The integrity of elections; preventing fraud

Best fixes: Locked, tamper-proof computers; one-time, quick transmission of results; trained poll workers When Avi Rubin got a look at some of the source code for the Diebold AccuVote-TS machine, he was disturbed by what he found. Rubin, a professor of computer science at Johns Hopkins University, detailed his findings (along with three colleagues) in a document known as "The Hopkins Report." ...

The heart of the problem: The most serious issue with current e-voting systems, scientists say, is source code that's riddled with vulnerabilities. Of all the systems out there, Diebold's AccuVote-TS has received the most scrutiny because some of its source code was accidentally posted on the Internet. "The Hopkins Report" spawned three other studies, each of which found various vulnerabilities. ...

Some of the fixes recommended in the Raba report are fairly simple. Tamper-proof tape can secure the bays, and updated security patches from Microsoft can be installed on the servers that collect and tally precinct results. However, the real security problem, scientists claim, is that the source code is proprietary. Essentially, says Rubin, "several companies are controlling all the voting and tallies." ...

Reality check: David Bear, a spokesman for Diebold, says the security issues raised by computer scientists aren't practical when viewed in the context of how elections --complete with trained poll workers and procedural checks and balances-- are run. "There's always an ongoing balance between security concerns and disenfranchising voters," Bear says. ...


Challenge #3: Minimize Voter Confusion
What's at stake: The ability of every citizen to cast the vote he or she intends to cast

Best fixes: National ballot design guidelines; usability standards; training for election workers and voters

In January 2003, Palm Beach County was the setting for yet another election mess, albeit on a much smaller scale than in 2000. With 12 votes separating two candidates for state representative, The Miami Herald reported that 134 electronic ballots were cast without votes for either candidate. In addition to reinforcing the need for a paper audit trail, the situation suggested to critics that voters were confused by the system interface, the ballot design or both. With no other races in contention, they argue, it's unlikely that voters went to the polls with the intention of not voting.

The University of Iowa's Jones says that election officials and vendors need to pay more attention to ballot and interface design, respectively. While touch screens eliminate the danger of overvoting (because voters can't select more than one candidate in any one race), they can apparently contribute to undervoting. "There are some really bad touch-screen interfaces out there that allow voters to do things they don't intend," Jones says. One system he's familiar with from ES&S has a prominent red "Vote" button at the top of the machine, potentially drawing voters to push it before they've scrolled through an entire ballot. A lack of clear, concise instructions and poor ballot layout also contribute to confusion. Jones has found that the error rate among voters is directly correlated to the quality of the instructions they receive from either the machines or poll workers (the better the instructions, the lower the error rate). And voters are less prone to make mistakes with one-column ballots than with two.

Work to be done: To date, not much research has been conducted on e-voting and usability. In conjunction with HAVA, the National Institute of Standards and Technology (NIST) is charged with helping set standards for everything from certification testing and security practices to interface design. Among the recommendations suggested at a February meeting of The National Association of Secretaries of State, Susan Zevin, acting director of NIST's IT Lab, specifically mentioned the establishment of ballot design guidelines. She also recommended that election officials run usability pilot tests with actual voters, poll workers and ballots, and that vendors adhere to common usability standards-standards that are yet to be defined.

With the 2004 election looming, no one wants to repeat the experience of 2000. All interested parties agree that we need to improve our voting system, but there's not much consensus around how best to do that. Thanks to HAVA (see "The Help America Vote Act"), touch-screen systems are the most viable option at the moment, even though there's a tremendous amount of debate regarding their security and reliability. As with politics itself, both sides-the vendors who are promoting their wares and the computer scientists and other concerned citizens who worry about election integrity-are digging in, determined to sway public opinion to their way of thinking. The upcoming November election will put millions of touch-screen systems to their biggest test yet.

Senior Editor Megan Santosus can be reached at santosus@cio.com.