April 27, 2007 1:59PM

The Case Against E‐Voting

By Timothy B. Lee

Ars Technica has an article about problems created by e-voting machines in the French elections on Sunday. Apparently, technical problems caused long lines, causing some voters to be turned away from the polls.

France's problems are not an isolated incident. In November's U.S. election, one county in Florida (ironically, the one Katherine Harris was vacating) seems to have lost about 10,000 votes, which happens to be smaller than the margin of victory between the candidates. And there were numerous smaller examples of e-voting problems all over the United States in the 2006 elections.

Those incidents by themselves would be a good argument for scrapping computerized voting. But the most important argument is more fundamental: e-voting is not, and never can be, transparent. The most important goal of any election system is that the voting process be reliable and resistant to manipulation. Transparency is a critical part of that. Transparency makes it more likely that any tampering with the election process will be detected before it can do any damage.

With e-voting, the process of recording, tabulating, and counting votes is opaque, if not completely secret. Indeed, in most cases, the source code to the e-voting machines is a trade secret, not available for public inspection. Even if the source code were available, there would still be no way to ensure that the software on a voting machine wasn't tampered with after it was installed. This means that if someone did install malicious software onto a voting machine, there would likely be no way for us to find out until it was too late.

This isn't just a theoretical concern. Last fall, Princeton computer science professor Ed Felten obtained an e-voting machine (a Diebold Accuvote-TS, one of the most widely used models in the United States) and created a virus that could be used to steal an election. The virus would spread from machine to machine through the memory cards that are inserted into the machines to install software upgrades. (Of course, Felten didn't use his virus on any real voting machines or release the software to the public)

Although it may be possible to close the specific security vulnerabilities that Felten discovered, there's no way to be sure that others wouldn't be found in the future. Indeed, after being infected with Felten's virus, a voting machine would behave exactly the same as a normal voting machine, except that it would innaccurately record some of the votes. Moreover, the virus could easily be designed to evade pre-election testing procedures. For example, it could be programmed to only steal votes at a particular date and time, or to only start stealing votes after a hundred votes have been cast. It would be very difficult — probably impossible — to design a testing regime that would ensure that a voting machine has not been compromised.

Therefore, the safest course of action is to stop using e-voting machines entirely, and to return to a tried-and-true technology: paper ballots. There are a variety of technologies available to count paper ballots, but probably the best choice is optical-scan machines. These have a proven track record and many state election officials have decades of experience working with them.

E-voting supporters point out that paper ballots have their own flaws. And it's true: paper is far from perfect. But there's an important difference between paper ballots and e-voting: stealing a paper-ballot election is extremely labor-intensive. To steal even a relatively minor race would involve stationing people at multiple precincts. Except in extremely close races, stealing a major race like Congress, governor, or president would require dozens, if not hundreds, of people. It's very difficult to keep such a large conspiracy secret. As a result, voter fraud with paper ballots will almost always be small-scale. Occasionally, someone might get away with stealing an election for city council or a state representative, but races higher up the ticket won't be affected.

In contrast, just one person can steal a computerized election if he's in the right place. For example, a technician who serviced Diebold Accuvote-TS in the months before the 2006 elections could easily have developed a version of Felten's virus and discreetly installed it on all voting machines in his service territory, which could have encompassed a county or perhaps even an entire state. In fact, he wouldn't even have needed access to all the machines; simply by putting the software on one memory card in 2005 or early 2006, he could have started the process of spreading the virus from machine to machine as other technicians transferred memory cards among them.

The idea of a single person being able to steal a major election is much more frightening than the prospect of a larger group of people being able to steal a minor election. Of course, we should do whatever we can to prevent either scenario, but the risks posed by e-voting are clearly much more worrisome.

Fortunately, Congress is on the case, and may pass legislation restricting the use of e-voting machines during this session. In my next post, I'll take a look at that legislation and consider some arguments for and against it.