Ongoing Challenges in Voting System Certification
Presented at the
Innovations in Election Technology Conference
Hubert H. Humphrey Institute of Public Affairs
Center for the Study of Politics and Governance
May 28, 2009
States have been writing voting system standards since 1892, when New York law was first amended to permit use of voting machines. Throughout the past century, vendors have attempted to play a game called regulatory capture, attempting to influence the rules so that they lock in their own products at the expense of their competitors.
Consider the 1972 Mississippi law on voting machines. This contains an innocent looking provision that "... if used in primary elections, [voting machines] shall be so equipped that the election officials can lock out all rows except those of the voter's party ..."
This is only innocent until you notice that Shoup voting machines had party columns, while AVM voting machines had party rows.
The regulatory capture game continues today. Consider, for example, the habit of referring to DRE machines as "touch screen voting machines." When this phrase is used in laws authorizing their use, it poses a problem because Hart Intercivic makes a promising DRE machine that uses a dial to input votes instead of a touch screen. While some voters dislike the dial, objective studies show that the dial actually works pretty well.
The Federal Role in regulating voting technology began with the Federal Election Campaign Act of 1971. This set the ball rolling with a study of election technology by the National Bureau of Standards. In 1975, Roy Saltman of the NBS issued his first report on voting technology, where he recommended the creation of minimum federal standards for federal elections.
In 1980, Congress directed the Federal Election Commission to investigate setting voluntary voting system standards. In 1984, the FEC concluded that this was practical and they initiated the drafting of standards, releasing a first draft in 1984 and the first federal standards in 1990.
These standards were and remain officially voluntary, but by 2000, enough states had mandated some degree of conformance that the word voluntary belongs in quotes. These standards were revised in 2002 and have since been superceded by the 2005 Election Assistance Commission Voluntary Voting Systems Guidelines, with standards updates issued every few years.
The idea that these are voluntary guidelines is window dressing for those who oppose a federal role in elections. Enough states require conformance to these that they are, in fact, mandatory standards.
There are several lessons here: Our standards are and will continue to evolve, and this revision process is slow. Standards don't change in a nimble way. The vendor community resists change in the standards even as they make technical innovations that require changes.
We expect electronics to be reliable, long lived and inexpensive, but inexpensive consumer electronics is not that reliable and is generally designed to last only 3 to 7 years. Instead of doing extensive quality control, this job is frequently left to the customer.
Consumer software doesn't come with a warranty, it comes with a disclaimer saying that there is no warranty express or implied. Some consumer software license agreements explicitly forbid use of the software in any critical applications.
Reliable trustworthy electronics is not cheap. The software that flies our airplanes, runs pacemakers, nuclear reactors and military systems is all quite expensive. For such applications, vendors routinely spend ten times as much on certification and testing as they spend on development.
Given the high cost of development, safety critical electronics is generally designed to last 20 to 40 years. There would be no way to recoup development costs if the product life-cycle was as short as it is for consumer electronics. This means that safety critical electronics routinely uses technology that is 10 to 20 years behind the technology that is current in the consumer electronics marketplace.
The current generation of DRE machines are generally built to consumer electronics standards, yet some states are issuing 20-year bonds to pay for the equipment. Many of the machines purchased with HAVA funds are already nearing the end of their expected lives.
We ought to be asking the following question of our voting technology: What is the amortized cost per ballot cast over the lifetime of the equipment. It is very difficult to get answers to this question because we need to take into account everything from debt service to maintenance and warehouse costs, not just the initial purchase cost.
There is a remarkably long delay between the introduction of new voting technologies and the scientific experiments we need to determine how to use that technology.
For example, the Votomatic punched card voting system was introduced in 1962, based on IBM's Portapunch technology from 1958. From the very start, patent after patent proposed alternative solutions to the problem of dangling chad. The persistence of this problem in the patent record makes it clear that there were no simple solutions to the chad problem.
In a recount of punched card ballots, how do you deal with dangling chad? Is there an objective way to determine voter intent from the evidence remaining on a piece of chad? Yes, as it turns out. The research needed to determine this was done in response to the Florida recounts of the year 2000, and as a result, it was never used in any recount laws for punched card ballots. Recounts actually conducted on such ballots, over almost 40 years, used rules that had no scientific basis.
Mark-sense ballots are based on educational test scanning technology developed around 1958. Modern optical mark-sense ballot scanners date back to 1968. Over the past 40 years, there have been numerous recounts, and there is considerable folklore about voters using glitter pen and voting with smiley faces.
But, it was only in 2002 that HAVA finally asked states to set standards for "what is a vote". Furthermore, nobody has done the science to ask "what do naive voters think is a vote?" This is a hard question to answer. Well over 99 percent of all voters make clear unambiguous marks on their ballots, so we need to look at thousands of ballots in order to get a significant sample of the problem ballots.
Without doing this science, we cannot scientifically compare ballot scanners to ask which one counts ballots in a way that most accurately approximates the judgement of the voters who marked those ballots. Without doing this science, we cannot evaluate laws governing "what is a vote" to see which law disenfranchises the fewest voters.
Our current voting system standards are silent on this issue. They require only that ballot scanners perfectly count ballots that were perfectly marked in accordance with the vendor's specification. All issues involving how real voters mark real ballots are ignored.
Legally speaking, the same ballot marked identically in two different states could be counted as a vote under one state's "what is a vote" law and discounted in another. Furthermore, these state rules are rarely used in testing the scanners themselves.
Here is another example. Under HAVA, voters are required to be able to verify their votes and have a second chance to correct mistakes. Most interpreters of these rules have concluded that this requires DRE machines to present a "verification screen" at the end of the voting session summarizing the voter's choices.
The important scientific question is, does this idea work? In 2007, Sarah Everett at Rice University asked this question. For her PhD research, she built a DRE machine that cheated and presented incorrect summaries of the voters choices. What she found is that only 1/3 of the voters noticed this! Press reports from Nevada in 2004 showed that a similar fraction of voters checked the VVPAT printout on the new Sequoia voting machines in that state.
Some observers have suggested that the solution is to urge voters to proofread their ballots, but this is wrong. As human-factors experts like Ted Selker have long told us, the only voter verification that really works is immediate feedback. If the selection lights up when you touch it, or if ink flows from your pen as you mark a ballot, you notice that. People are really bad at proofreading.
Our voting system standards are remarkably silent on some key issues. Nowhere in our standards, for example, does it ask: Does this voting system provide a secret ballot? The reason for this is simple: The nature of a secret ballot is set by state law. We have 50 states and 4 territories that all define things slightly differently.
Furthermore, the words used in the law frequently offer very little guidance. Consider the secret ballot requirement in the Washington State Constitution, that requires that the state "secure to every elector absolute secrecy in preparing and depositing his ballot."
Washington's constitution seems clear enough. It makes the state flatly responsible for secrecy, and certainly seems to make secrecy an absolute requirement, no something soft that a voter might be allowed to waive. It turns out that looking at the words is misleading. Overseas voters in Washington are allowed to vote by fax or E-mail so long as they send a waiver of their right to a secret ballot. Furthermore, essentially all ballots in Washington are cast by mail, despite the well known secrecy problems with postal ballots. Everyone who votes by mail is responsible for the secrecy of their own ballot and therefore the state has no way to "secure absolute secrecy."
Here is another example: Reel to reel VVPAT printers on DRE machines are widely used in many states. On these machines, a reel of cash-register tape is used to store the paper record of the votes, in the order they were cast.
John McTammany, a 19th century inventor, patented the player piano and then a series of voting machines that recorded votes on player-piano rolls. In an 1893 patent, he observed that "it is possible to identify a man's vote, by counting voters as they go in and afterward counting the rows of marks on the sheet."
McTammany's observation clearly applies to any reel-to-reel vote recorder. As Michael Shamos of Pennsylvania has long said, reel-to-reel VVPAT printers are a threat to voters' secret ballot rights.
There is a new class of cryptographic "end to end" voting technologies that offers a new challenge to ballot secrecy. These include technologies from Vote Here, as well as schemes based on David Chaum's work. They are known by names such as Pret-a-voter, Punchscan and Scantegrity II. Of these, Scantegrity II will be used this fall in Tacoma Park Maryland. It uses mark-sense ballots marked with invisible ink, where the invisible ink marker causes invisible pre-printed marks on the ballot to turn visible in the voting targets.
This strange complexity has a very good reason: When you vote, if you write down the marks that appeared, you can verify that your vote was counted. This is the "end to end" property. Yet, each voter sees different marks, so you can't use the marks you got to prove to anyone how you voted.
The problem is, to make this scheme work, each ballot must be printed with a unique serial number. The secret ballot laws of many states explicitly forbid any identifying marks on the ballot, and a serial number is certainly an identifying mark.
Curiously, some secret ballot laws actually require serial numbers. The British Ballot Act of 1872, still in effect, requires serial numbers. How is it possible that such a ballot could be a secret ballot? It depends on how you define secret. The British model makes the connection between voter and ballot a state secret. Only by court order or an order of parliament can the numbers be inspected.
Fundamentally, all of the end-to-end verifiable cryptographic voting technologies use a British notion of secret ballot rights. They declare the link between voter and ballot to be a state secret protected by cryptographic barriers that are very strong, but nonetheless weakter than the absolute secrecy required by rules that forbid any identifying mark on a ballot.
There is a fundamental question we must ask in all of these cases. What do we want from secret ballot laws? The answer depends on the nature of the corruption we fear, and in this regard, it is worth noting that the most recent indictment of election officials for voter coercion was just this year.
In the US, we have an established habit of ignoring international law. The international law I am concerned with is created by treaties, for example, the human rights treaties associated with the Organization of American States and the Organization for Security and Cooperation in Europe. These treaties guarantee free and fair elections, secret ballots and universal suffrage in member states, all of the Americas in the case of the OAS, and all of NATO and the former Soviet Block in the case of the OSCE.
What is a free and fair election? In a free election, voters cannot be coerced or intimidated into voting a particular way. The guarantee of a right to a secret ballot is one mechanism to do this. In a fair election, the results actually reflect the votes of the electorate and each vote has equal weight. Furthermore, the fact that an election was free and fair must be observable. A skeptical observer, whether a citizen or an outsider, must be able to assess the election and determine that it was free and fair without trusting the election authorities.
We want these international standards to apply to emerging democracies in Central and South America, and we want them to apply in the former Soviet Union. Unfortunately, we have avoided applying them to ourselves. We claim that these treaties only bind the Federal government, but that elections in the United States are conducted by the states. Unfortunately, when we ignore these requirements, the emerging democracies take this as a license to do the same.
The OSCE has sent observing missions to the United States in several recent elections. The reports of those observing missions are interesting reading. Observers have questioned a number of aspects of US elections, including such things as whether widespread vote by mail assures free elections, whether disparities between states are unfair, and whether or voting systems are sufficiently observable.
International observers have also noted that the diversity of different voting systems used in the United States offers significant protection from any attempt at nationwide election fraud. The situation is quite different in countries with a single approved election technology, where a single crook with access to the software could take complete control.