Posted on 02/19/2003 8:22:16 PM PST by csprof
Warning of programming error, equipment malfunction and malicious tampering, computer scientists from around the country, led by Stanford Professor David Dill, say computerized voting machines should provide a voter-verifiable audit trail.
"The problem is not really with computerized voting systems per se," Dill says. "The problem is really that there is no way to double-check the results. It's really a problem of accountability."
More than 110 computer scientists and technologists from universities and laboratories across the nation have signed Dill's "Resolution on Electronic Voting," which states that it is "crucial that voting equipment provide a voter-verifiable audit trail, by which we mean a permanent record of each vote that can be checked for accuracy by the voter before the vote is submitted, and is difficult or impossible to alter after it has been checked."
The full text of the resolution and list of endorsers, including 22 from Stanford, are available online at http://verify.stanford.edu/evote.html.
Aftermath of 2002 election
Computerized voting has been a focus of discussion in many jurisdictions, especially since the Florida results of the 2000 presidential election spawned a movement to replace punch cards with high-tech systems. But high-tech solutions may bring new problems to the polls. On Jan. 31, a subcommittee of the Santa Clara County Board of Supervisors met to consider a recommendation from the County Registrar to purchase Sequoia direct recording electronic (DRE) voting machines, which Dill says do not provide a voter-verifiable audit trail. With the issue still unresolved, the full board met Feb. 4 as Stanford Report was going to press. Santa Clara is one of nine California counties under court order to replace punch-card voting systems by March 2004.
Paperless, touch-screen voting machines are used by nearly one in five voting precincts nationwide. "They pose an unacceptable risk that errors or deliberate election-rigging will go undetected, since they do not provide a way for the voters to verify independently that the machine correctly records and counts the votes they have cast," says Dill, an expert in finding design errors in computer systems. In 2001, he was named a Fellow of the Institute of Electrical and Electronics Engineers (IEEE) for his contributions to verification of circuits and systems.
When voters use touch-screen machines, they walk into voting booths, touch screens to select candidates and check their results on the screens. Voters can make changes if they've made a mistake or if their machines have problems. Then they touch a notation saying "cast the vote." At that point, the vote has never been anywhere except on the screen and in the memory of the computer. The vote is recorded internally in the computer, and then after the polls close, the votes are counted electronically, and, if desired, paper ballots can be printed from memory.
"The problem with this whole process is that nobody can really determine what's happening between when you push the button on the screen saying that you want to cast your vote and what vote is actually recorded," Dill says. "So we don't know if the votes are being accurately recorded. And as a computer scientist, I know that there are many, many ways that there could be unexpected errors, things you couldn't even predict, and even tampering, possibly even in the writing of the program, that could alter those votes."
No effective recounts
The risk is that in the event of a machine failure or suspect result, voters have no recourse. This may have been the case in a Florida 2002 primary, Dill says, where many problems with touch screens were documented. "You've got an election producing funny results, and you can't do an effective recount because the only thing you can recount is the votes that you've recorded electronically. About the only thing you can do is have a re-vote."
He adds: "The worst scenario ... is where we have the machines apparently working fine -- we have elections going smooth as silk -- and the only problem is that the wrong candidate was elected. Nobody even knows it, or people suspect it but they have no way of showing that there was an error in the election. At that point you have democracy itself threatened."
While some voting equipment vendors and government officials say that paperless, computerized voting systems are reliable, Dill and his colleagues disagree. "Without a voter-verifiable audit trail, it is not practical to provide reasonable assurance of the integrity of these voting systems by any combination of design review, inspection, testing, logical analysis or control of the system development process," the resolution says.
The resolution is being circulated at a time when many states and counties are seeking to upgrade their voting equipment. In response to problems with elections in recent years, funding is being made available at all levels of government to upgrade election equipment.
"Unfortunately, if available funds are spent on fatally flawed 'high-tech' voting equipment, it will be a long time before there is more funding to adopt truly superior voting technology," the statement says.
A paper solution?
In the future, Dill says, sophisticated voting equipment, certified by authorities, could be completely paperless and provide greater security and integrity than today's machines. But for those racing to upgrade systems before 2004, the solution ironically requires paper: "There has to be a paper ballot where the voter can look at the ballot and check that it has the right stuff on it. The voter then turns that in like they would any other paper ballot. So it's important that this paper ballot be anonymous for voter privacy so that voters can't be intimidated. And it's important that the voter not be able to keep the ballot because otherwise they could use that as a proof of vote in vote-buying schemes."
The computer scientists and technologists are urging jurisdictions that have already purchased such voting systems to replace or modify them to produce ballots that can be checked independently by the voter before being submitted and that cannot be altered after submission. They urge government officials who must replace outdated punch card voting systems to refrain from purchasing new voting equipment that does not provide a voter-verifiable audit trail.
"Election reform is now receiving much-needed attention, but we must guard against changes that inadvertently create even worse problems," Dill writes. "Unauditable voting equipment will erode confidence in our elections, causing further disillusionment of the voting public."
Please endorse the "Resolution on Electronic Voting", write your elected officials, and tell your friends.
If there is a physical ballot involved (which could be printed by the machine), there is at least a chance that people observing the ballot handling and vote counting could catch it. Citizens could insist on better election procedures to minimize this kind of fraud.
There are even ways to use cryptography with computer-printed ballot printing that can effectively prevent ballot stuffing.
With paperless electronic voting, observers and good election administration can't help. The election could be decided by an rogue programmer at the company or someone who hacked into the machine.
First off, I have experience as an election judge with both punch cards and electronic voting.
With the electronic voting in Texas, you have to print out the results summary three times and if they don't match the computer chip results, then it is fraud. Trying to cast votes on the computer after the polls closed resets the chip count. All printout data is time stamped, so if the poll was left open illegally, it shows up in the summaries. Voting before polls open is a no-no, since that summary is also time stamped. To summarise, you can be punching ballots in a car on the highway for three hours with electronic voting.
I do concur that we need more observers and election help. Vote fraud during the election hours is a problem, regardless of system used, but paper system are MORE subject to fraud outside of election hours.
Think of it this way: during a bathroom break, a dis-honest election worker can take a handful of ballots, punch the right hole (the holes are numbered), and slip them back into the election supplies. VIOLA. 15-20 votes and the person didn't even have to go to the voting booth. Multiply that by 10 in a 1000 vote precinct and ANY competitive election can be stolen.
These machines do have a lot of security measures, especially things to stop tampering by election officials or voters during the election (although there may be less than meets the eye in some cases).
The problem is that it's practically impossible to make touch-screen machines secure enough for paperless voting. How do you know the ballots printed after the election represent the votes that were cast? If the vote is changed in between the touch-screen and storage in the machine, all the counts will be consistent with each other -- but not consistent with what the voter selected.
With paperless voting, what happens if an inconsistency is detected after the election? There is no original ballot to recount. So you either have to accept the obviously bogus election results, or hold a new election.
The e-slate have several security measures: after I took the elecion judge classes, I realised that there is so much work behind the scenes regarding the election.
The e-slate does not allow the voter to cast his ballot until he/she enters and approves the "preview page(s)". It shows the voter who he/she will cast their vote for, and give them a chance to change their ballot. Also, double punching is not permitted as the previous choice is unselected.
Counters attached to groups of vote machines also tally how many total votes are cast for each machine. That is the second backup to the individual machine counts. Between the main machine, the individual machines, and the procedure required summary printouts, there should be NO inconsistencies, unless fraud is present. The printouts give a complete summary of the election.
The Texas system is secure. Paper must be re-counted manually. That is where the monkey business starts. Don't need no stinking paper. In case of discrepancy, the computer tapes govern (I think).
An open invitation to hacking and rampant voter fraud--no matter WHAT anyone says to the contrary.
I agree that hand recounts are problematic. But if there are enough observers and we get rid of the chads, it should go a lot smoother. If the ballots are computer-printed, measures can be taken to make them difficult to forge, too.
Did not intend to dodge. Now that question is very clear, time to give a straight answer.
Test the machine prior to use on election day. There is no way to hack the e-slates. They are not connected to an internet database, so there is no way to intend to vote GOP and end up voting DEM. If anyone thinks that they can be hacked, I would like to know.
To anyone out there that still likes punch cards, all you have to do to nullify a GOP vote is give them a card with a single DEM hole punched, and that GOP vote is negated.
Suppose someone in the company puts in special code that is turned on only during the election. It won't be detected by testing, because it isn't active during testing. But it can change votes arbitrarily during the actual election.
As it happens, there have been plenty of bugs in these machines that didn't show up (for some reason) in testing but do show up in elections.
Lots of computer security experts, including some of the best in the world, think the machines can be hacked. Check the endorsements.
You're right about punch cards, though. We can't get rid of them soon enough, in my opinion.
I'll stop replying publically -- don't want to bore people.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.