E-Voting Threatens Election Integrity

By Timothy B. Lee
This article appeared on on May 23, 2007.

Rush Holt’s bill, which was recently approved by a House committee, would be a big improvement.

Americans love new technology. We buy ever-smaller gadgets and ever-larger televisions. Many of us have computers in our cars, our telephones, and our music players. But our fetish for all things high-tech has not served us well when it comes to elections. We began wide-scale adoption of touch-screen voting machines after the 2000 elections in the hope that they would make our elections more secure. Unfortunately, the opposite has occurred: Voting machines have proven to be buggy, error prone, and less reliable than the low-tech systems they replaced.

And unfortunately, these problems are not just growing pains. The fundamental problem with computerized voting machines is their lack of transparency. In order to ensure that elections are conducted fairly and accurately, it is important that election officials, candidates, and members of the general public be able to observe and verify every stage of the election process. Computerized voting machines make independent verification of election procedures extremely difficult because important steps of the election process, including recording, tallying, and reporting votes, occur unseen inside a computer chip.

That’s not the only reason e-voting is dangerous. One of the important safeguards in the traditional election process is that it is extremely labor-intensive. Thousands of people are involved in the process of collecting and counting votes. As a result, stealing an election almost always requires a large, organized conspiracy that would be hard to keep secret. In contrast, e-voting can allow a single, well-placed individual to tamper with the software of numerous voting machines at once, potentially altering the outcome of an election in an entire congressional district or state. Indeed, this is more than a hypothetical scenario. Last fall, Princeton computer science professor Ed Felten obtained a widely-used e-voting machine and created a virus that could be used to steal an election. The virus would spread from machine to machine through the memory cards that install software upgrades. (Of course, Felten didn’t use his virus on any real voting machines or release the software to the public.)

In order to ensure that elections are conducted fairly and accurately, it is important that election officials, candidates, and members of the general public be able to observe and verify every stage of the election process.And although it might be possible to close the specific security vulnerabilities that Felten discovered, there is no way to be sure that others won’t crop up. A vote-stealing virus could be designed to evade pre-election testing procedures. It might only steal votes at a particular date and time, for example, or only after a thousand votes have been cast. It’s not feasible to design a testing regime that could detect all of the clever ways a hacker might manipulate the outcome of an election.

Therefore, the safest course of action is to return to a tried and true technology: paper ballots. There are a variety of ways to mark and tally paper ballots, but probably the best choice is optical-scan machines. These have a proven track record, and many state election officials have decades of experience with them.

The Holt Proposal

The House is expected to take up legislation which would limit the use of computerized machines. The Voter Confidence and Increased Accessibility Act, sponsored by Rush Holt (D-NJ), doesn’t ban e-voting entirely, and some activists have rejected it for that reason. But the Holt bill would be a large step in the right direction. Most importantly, it bans the use of computerized voting machines unless they are equipped to “produce an individual voter-verified paper ballot.” Having the voter verify the printed ballot before submitting it is crucial because it ensures that compromised software can’t undermine the integrity of an election. And requiring individual (“voter verified”) paper ballots which can be mixed together in a ballot box, as opposed to a single paper tape that records each vote in sequence, helps preserve the right to a secret ballot by ensuring that individual voters’ choices cannot be reconstructed from the order in which ballots were cast.

The Holt legislation mandates that the paper records be the authoritative source in any recounts, and requires prominent notices reminding voters to double-check the paper record before leaving the polling place. It mandates automatic audits of at least three percent of all votes cast to detect discrepancies between the paper and electronic records. And it bans voting machines that contain wireless networking hardware and prohibits connecting voting machines to the Internet.

Another good idea in the Holt legislation is requiring disclosure of voting machine source code. This is important because source code in a computerized voting machine is analogous to the election procedure manual for a traditional paper-based election. Voters have the right to examine the process by which their votes are recorded and counted, regardless of whether the process is performed by a human being or a computer.

The legislation approved earlier this month by the Committee on House Administration mandates source code disclosure but limits the mandatory disclosure to government officials, litigants, and security researchers. It requires these people to sign a non-disclosure agreement in order to examine the source code. That’s certainly an improvement over the status quo—today, the source code for many of these machines is entirely secret. But it’s not as good as the original Holt proposal, which had required that the source code be made available to anyone who asks.

Making source code widely available will increase the number of people who have the opportunity to examine it, making it more likely that security problems will be identified and brought to the attention of election officials well in advance of the election.Some people worry that mandating source code disclosure will make voting machines more vulnerable to hackers. But limiting disclosure is not likely to be a serious obstacle for a hacker with the resources and motivation required to steal an election. After all, Felten obtained a voting machine from a private party, and developed his vote-stealing virus without access to the machine’s source code. Moreover, the most dangerous hackers will always be those with inside connections: employees of the government or a voting machine vendor. They would not only have access to source code, but would also have the physical access to voting machines required to install the malicious software.

On the other hand, making source code widely available will increase the number of people who have the opportunity to examine it, making it more likely that security problems will be identified and brought to the attention of election officials well in advance of the election. Requiring people to sign non-disclosure agreements before they’re given access to source code could give vendors a pretext for legal harassment of security researchers who find embarrassing information about their products.

Implementation Challenges

The Holt proposal has detractors. In a March hearing, several state election officials testified about the practical challenges of implementing the new requirements. Chris Nelson, South Dakota’s secretary of state, warned that many of the requirements in the legislation would conflict with the states’ own election procedures. Donald F. Norris, a professor of public policy at the University of Maryland, questioned the reliability of the printers used to produce paper audit trails. He cited a Las Vegas survey in which fewer than 40 percent of voters had actually checked the paper record of their vote before leaving the polling place. An election official in North Carolina reported that there were hundreds of printer failures in that state during the 2006 election.

The pleas of state officials for more flexibility in implementing the law’s requirements deserve serious consideration, but the Holt bill does give states some options. For example, states are allowed to use auditing procedures other than those spelled out in H.R. 811, as long as the National Institute for Science and Technology certifies that they will be no less effective. As for concerns about printer jams, there is a simple solution: states can decline to use computerized voting machines entirely. The Holt bill gives states the option of ditching touch-screens entirely and going back to traditional paper ballots.

Computerized voting machines have some superficial appeal. They can speed up the vote-counting process and reduce some kinds of human errors. But by hiding the details of the voting process in a literal black box, they open the door to much more serious problems. We should not let our fascination with new technologies blind us to the fact that once in a while the old technology is actually better.

Timothy B. Lee is an adjunct scholar at the Cato Institute.