E-voting equals lost votes
By Avi Rubin of The Baltimore Sun
About 50 million Americans will cast their ballots for president on touch-screen terminals Tuesday.
If my experience as an election judge is any guide, voters will love these machines, which are generally easy to use and which easily accommodate voters who have disabilities or do not speak English. And if my experience as a computer scientist is any guide, those voters will not realize just how dangerous it is to rely on these machines to conduct a free and fair election with a reliable result.
Voting on a direct recording electronic voting machine, or DRE, is in many ways similar to transferring money from one account to another at an automated teller machine. But there is one critically important difference: no receipt. There will be no physical record produced that could later be used by your local election board to prove how you intended to vote.
After you cast your ballot on a DRE, the only official record of your choices will be the electronic record within the system itself. You will not be asked to look at a piece of paper that confirms your candidate selections. You will not leave that piece of paper behind for use in case of a recount.
Why is this a problem?
Without paper ballots that can be physically examined, the only recount possible is a review of the votes recorded by the DRE system itself. And if those votes were recorded incorrectly, no recount will fix the error. The incorrect result could never be detected, much less corrected.
And incorrect results are entirely possible. Largely because of Florida’s problems in 2000, there has been a headlong rush nationwide to adopt DRE voting. Touch screens will be used in this election despite numerous studies, by my colleagues and me and by others, showing that the machines from the leading manufacturer, Diebold Election Systems, are poorly designed, with lax security and programming errors.
Nationwide, about one-third of all ballots will be cast electronically. Technical glitches and malfunctioning machines — the kinds of problems that occur with any computer system — could result in the loss of votes in unrecoverable ways. Worse, these fully electronic machines could be rigged — undetectably, because of the complexity of the software that runs them.
While we can never eliminate the possibility of tampering with elections, the impact of an attack on a DRE system would likely be more serious than the results of tampering with traditional mechanical voting machines or paper-based systems, such as optically scanned ballots. This is because a bug in the software of an electronic voting system, whether accidental or intentional, has the potential to skew results in more than an isolated polling place or two. It could impact the vote totals on many thousands of machines in hundreds of precincts.
Elections, by their nature, are adversarial. In a successful election, the loser should be as convinced as the winner that the outcome is legitimate, despite the potentially strong party loyalties of the people running the mechanics of the process.
One of our safeguards in the United States is that members of the two principal parties are present to watch each other through every facet of an election. The utility of this security measure is diminished when the votes are invisible and the counting is virtual. DREs reduce the transparency of the voting process, and traditional checks and balances become ineffective.
Even if, on Wednesday, this election appears to have been a success, there will be no way of knowing for sure whether the will of the people was accomplished.
And even if there is no problem Tuesday, that does not imply that the election was secure — only that no one chose that day to exploit the insecurity. If an apparent success in November leads to greater adoption of fully electronic voting in the future, then subsequent elections will be even more vulnerable, providing increased incentive to attackers and, at the same time, more avenues for attack.
For voters to have confidence in the election process, it should be as transparent as possible. When technology that is inherently opaque is used in elections, peoples’ confidence in the process will be justifiably shaken.
There are ways in which DREs provide an apparent advantage over butterfly ballots and hanging chads.
But there are other ways in which these systems, implemented without voter-approved paper ballots that allow meaningful recounts, are potentially much worse.
Our goal should be voting technology that is beyond reproach. That goal may never be fully attainable, but we must do better than this. The foundation of our democracy is at stake, and thus, ultimately, so is our freedom.
|