With the 2008 presidential election fast approaching, and primaries already upon us, concerns for the integrity of America's election process continue to mount. I suspect that most voting activists, and there are now many thousands of them, and computer experts who have concerned themselves with issues of the operation and security of electronic voting machines, would put the probability of widespread election fraud in November 2008 at or very near 100%.
Though HAVA's author, Congressman Bob Ney (R-Ohio) has been disgraced and jailed, the havoc of this Diebold-inspired bill lives on and enables whole new fields of election fraud, or "glitches" as they are usually referred to.
HAVA-mandated statewide voter registration databases, developed and operated in complete secrecy, make it trivial to conduct voter purges on an unprecedented scale and Republicans have developed quite a reputation for using this method to keep those dirty Democrats from voting. Combined with a widespread push by election officials to increase, or mandate the use of mail ballots, it has become virtually impossible to establish whether a "name" in the voter database is corporeal, making it trivial for dead and imaginary "citizens" to vote once they mail in their voter registration forms. That is generally encouraged by Democrats to overwhelm cheating Republicans.
Even the New York Times is now (August 3, 2008) editorializing that "Voters cannot trust the totals reported by electronic voting machines; they are too prone to glitches and too easy to hack." Kim Zetter recently (July 14, 2008) published an article in Wired Magazine documenting that in New York State 50% of the new Sequoia voting machines are flawed. However, Sequoia has simply ignored all the critiques of electronic voting machines and simply produced more junk. Thus it is entirely appropriate to hear from the computer science department at Columbia University in New York City on why we should simply junk electronic voting machines.
The mantra of voting machine vendors and election officials when questioned about the manifold disasters, catastrophes, and security breaches (typically referred to as "glitches" rather than fraud) so evident since the widespread implementation of electronic voting is that the "election process" will protect the votes and voters against the weaknesses of the electronic voting machines and guarantee an honest and accurate election. Possibly someone besides election officials still believes that but even the voting machine vendors must be incredulous by now. I also note that when election officials or vendors deign to respond to the multitude of criticisms they use bluff, bluster, and outright lies, and rarely if ever provide any references or studies to substantiate their outrageous claims. More commonly it is claimed the information is "proprietary" or the release would compromise "security."
Prof. Stephen Unger presents a clear, concise argument below for why it is imperative that we return to hand-counted paper ballots if the integrity of elections is to be restored and our republic is to survive.
August 5, 2008 Recording and tabulating votes in elections is a natural, straightforward, easy to implement, computer application. Right? In a world without ingenious bad guys, this might indeed be the case. Unfortunately, that's not where we live. While it is not too hard to design, implement, and operate computer-based ATM and EZ-Pass systems that will keep the bad guys at bay, this is almost impossible for the seemingly simpler problem of election systems. Below, I will first explain why I believe this, and then I will proclaim the good news, which is that we can get along very nicely without such systems.
Consider the operation of an ATM (automated teller machine). When you key in a request for cash from your bank account, the money comes out along with a printed slip describing the transaction. At the end of the month, the transaction is listed on your bank statement. Those of little faith count the money carefully, verify that the transaction slip is correct, and, at the end of the month, reconcile their bank statements against the transaction slips and perhaps their own records. The chances of customers catching errors that short-change them and demanding redress are substantial. Clearly, the insiders (the banks), cannot profit by cheating ATM users. They must defend their system against attacks by outsiders trying to defraud them and their customers. In this struggle they have been moderately successful .
In the case of elections, the political entities fielding candidates (parties or factions within parties) have much to gain by cheating. They can do so by the traditional, crude, retail means used by Boss Tweed types, e.g., bribing or intimidating individual voters, or hiring people to vote multiple times . The problem with such tactics is that a large number of criminal acts are necessary to influence an election significantly, and many people have to be involved. The job can be done much more efficiently from the inside, i.e., by controlling the vote recording and counting processes. Then they can simply generate votes at will. In either case, what is going on is obvious to any interested observer. If you are buying votes, for example, you have to make many offers. Since there is not much point in approaching people already on your side, there are bound to be a lot of people reporting bribe offers.
Now look at computer-based voting systems. Opportunities for wholesale cheating are limitless if you can get the cooperation of the insiders: the manufacturers of the systems and the governmental entities running the elections . Actually, it would be sufficient to enlist a relatively small number of people within these organizations. Since vote counting in a computerized system takes place "under the hood," outsiders, even experts, cannot effectively monitor the work of the insiders running the system. While it is easy for an ATM user to determine if the ATM did what it was supposed to do supply the money requested and record the transaction correctly there is no way individual voters can verify that their votes have been correctly recorded and counted by an e-voting system. More about this later, but first let's look at a better way handle elections.
Almost all industrialized nations other than the US (including Canada) use hand-counted paper ballot (HCPB) systems. HCPB is also used in many US jurisdictions, very extensively in Maine and New Hampshire. The keys to success are simplicity and transparency. Ordinary people, serving as poll workers, poll watchers, or simply as interested citizens and voters, can observe and understand every step of the process. An important basic principle is that, from the time the polls open until the counting process has been completed, people from at least two competing political organizations are watching everything:
At all times, the ballot box is out in the open, observable by everybody. Counting teams include people from competing organizations. Vote totals for each precinct are made public, so anybody can verify that the overall totals for the election have been properly computed. Procedures for running HCPB elections are well established and appear to work very well , , . Note the absence of election horror stories involving such systems.
But wouldn't using HCPB be a step backwards, a Luddite act? It certainly looks that way on the face of it! At the very least, isn't it obvious that replacing the use of computers by the primitive act of manual counting would slow things down and increase costs? Taking the latter point first, the surprising answer is that e-voting costs more than HCPB, not less ! The fundamental reason is that, unlike ATMs, for example, which are on duty 24-7, voting machines are used about one day per year. Furthermore, for each election, they must be programmed, tested, and possibly repaired by specialists. There are also transportation and storage costs. All these and other costs are replaced in the HCPB case by the time of citizens serving an important public function, some as volunteers, others for nominal compensation. In New Hampshire, high school students (17 and older) are included in election teams along with retirees and other adults of all ages. Some European countries replace or supplement ad hoc paid election workers with regular civil service workers on detached duty. In Douglas County, Nebraska, people are called to serve as election workers in a manner analogous to jury duty.
With respect to speed, it is indeed true that an e-voting system can spit out election results within seconds after poll closure, as compared with anywhere from an hour to more than twelve hours for HCPB systems, depending on the complexity of the election, and the number of voting teams used. How important is this? Not very. For close elections, the likelihood of challenges leading to recounts undermines the significance of the initial reports. Where margins are greater, exit polls quickly and reliably indicate the winners.
What about undervotes (a voter not voting in some contest) and overvotes (a voter casting more than one vote in a contest)? Most e-voting systems can alert voters to such conditions in time for them to take corrective action. This feature is of some value, but not much, since overvotes are rare and most undervotes are deliberate. Also, since such errors usually affect the candidates in a random manner some cancellation takes place, thereby further reducing the already small consequences.
Back to the reasons why e-voting systems should not be trusted. If a team of experts is asked to determine whether, under the expected operating conditions, a particular e-voting system will reliably produce valid results. They would have to check for:
Items 1 and 2 are part of what engineers do all the time in the course of producing new systems. Item 3, under the heading of computer security, has become very important for safeguarding many kinds of systems, including ATMs. Item 4 also falls under the rubric of computer security, but it is off the usual path, since it implies that there might be corruption within the organization producing the product. None of these items are trivial. But the first two are well understood, and there are well established methods for carrying out such tests.
Item 3 is more challenging, since it entails a game situation in which security experts devise defenses against anticipated methods of attack, the penetrators develop new ways of overcoming the defenses, and so forth. We see such unending contests with spammers and malicious hackers.
Item 4 presents the most difficult problem. Whereas item 3 entails bad guys trying to surmount barriers in a framework erected by the good guys, here it is the bad guys who establish the framework and then conceal features that the good guys have to search for. Much has been written about how hard it is find surreptitious software features. Difficult as this is, I believe it is still harder to identify concealed features on a computer chip, with perhaps several hundred million transistors on it. Concern about this problem in another context is manifested in a DOD funded research project to develop methods for detecting trapdoors in computer chips sold to the military  . Consider also the possibility of camouflaged chips hidden in a system.
Even in principle, I can't see what procedures could be used to make possible an honest certification that an e-voting system will work properly, is safe against intrusion, and is free of clandestine cheating features .
In practice, the situation is even worse. Virtually every computer expert who has examined one or more e-voting systems has reported that their designs are of the poorest quality, particularly with respect to item 3 ,  . The numerous breakdowns and crude errors that have surfaced in actual elections testify to the failure of the agencies who purportedly checked them out with respect to items 1-3. Hardly anybody even mentions item 4. Since the certifying of e-voting machines is carried out by private companies paid by and reporting to the vendors, it would, of course, make no sense for them to pretend that they have verified the absence of concealed features. Some states contract to have e-voting systems certified, but I don't know of any that require checking for clandestine elements.
Incredibly, e-voting system designs, both hardware and software, are treated as trade secrets! So independent experts have only limited opportunities to examine in detail the systems that play such a crucial role in our democracy. This concealment has not been complete, as there have been unauthorized exposures of source code, and there have been several formal studies made by state governments and NIST. Some states require that this kind of information be placed in escrow so as to be available, under certain circumstances, for forensic purposes. There is no rational basis for such secrecy, since both the hardware and software can be protected by patents. The whole idea of the patent system, as stated in the constitution, is to give reasonable property rights to inventors, while eliminating the need for secrecy.
Perhaps implicitly acknowledging that we can't really ensure that e-voting systems are fault- and fraud-free, statistical checking has been proposed. The idea is that, after the polls close, a set of precincts, including perhaps three to ten percent of the voters (depending on the margin of victory), is randomly chosen and the votes in those precincts are recounted. If a recount fails to match machine results from a precinct, then we have an indication that something is wrong. In principle, this sounds good. The problem is in how it would work in practice.
The first issue is, what exactly would be recounted? Clearly a second summation of machine outputs would be meaningless. We would need some record of voter-intent independent of the machines. The obvious source would be paper ballots marked by voters, which could then be hand-counted. Paper ballots printed by DRE (touch-screen) machines will not suffice, since it is well known that most voters do not actually verify the correctness of such printouts. (It is also possible for a machine to void a voter-approved ballot and to substitute a different one after the voter leaves the booth.) So meaningful recounts are possible only for OS (optical scan) systems, which process voter-marked ballots, but not for the substantial percentage of US votes now cast on DRE machines, with or without printers.
Suppose a proper recount of voter-marked paper ballots does not match the machine report. (Assume we can agree as to how much of a discrepancy is to be considered as a mismatch.) What should be done? I suggest that the appropriate response would be to discard the machine results for that election and to do a manual count of all the paper ballots for the contests involved to determine the winners. In addition, all machines used in those contests should be impounded and a thorough forensic investigation made to ascertain the causes of the mismatch.
Would this actually happen? Neither precedent, nor established laws and procedures in the various states are encouraging . Even well-founded complaints about election fraud or error seldom result in reversal of results. Complaining candidates are almost uniformly treated as "sore losers." Procedures for e-voting elections in most jurisdictions are so poorly specified and executed that the chances of pinning down sources of discrepancies are nil. For example, there are numerous reports of e-voting machines not being properly sequestered for the period between pre-election testing and finalization of election results. For the above reasons, plus the difficulty in distinguishing between fraud and inadvertent computer error, post-election audits would also do little to deter cheating.
OS systems, though better (and cheaper) than DREs, can just as easily be rigged for fraud, and are also vulnerable to errors and break-ins. Despite their use of voter-marked ballots, they are not a satisfactory solution because we cannot assume that the results of post-election audits will be adequately executed and acted on. We need an election system that gets it right the first time.
The obvious answer is to junk the machines and get organized for manual vote counting. If done properly, this would give people justified confidence in election results, and, as a side benefit would modestly reduce election expenses. To satisfy those who feel a great need to see high tech gadgetry in the polling place, the voting and counting processes could be videotaped and made available on line. There exist reasonable systems that can help handicapped people generate paper ballots countable with the other ballots.
Why isn't this being done? As is the case for so many other societal problems, the stumbling block is money. While there is no profit for anyone in HCPB, there are big bucks to be made in selling and servicing e-voting systems. The vendors have been generous in sharing their gains with a variety of individuals and groups in position to influence decisions about how elections should be conducted, e.g., see , , .
It does not seem possible currently to enact even minimal reform legislation, let alone bills that get at the fundamental problems. Perhaps the best that concerned people can do is to educate as many others as possible, and to encourage the adoption of hand counted paper ballot systems by local jurisdictions, possible in many states. Then, when more dramatic e-voting failures, such as the Sarasota under-vote episode  surface in the future, more people might recognize what is wrong and demand effective action.
Stephen H. Unger Is a professor of computer science and electrical engineering at Columbia University in New York City. He is a member of the Board of Governors of the Institute of Electrical and Electronic Engineers (IEEE) Society on Social Implications of Technology (SSIT) and comments can be sent by email to him at firstname.lastname@example.org.
1. Peter Ventura, ATM Theft, Nov. 22, 2000
2. Tracy Campbell, Deliver the Vote: A History of Election Fraud, an American Political Tradition, Carroll & Graf, 2005
3. Stephen H. Unger, E-Voting: Big Risks for Small Gains: Problems, Feb. 5, 2007.
6. Anthony Stevens, Hand Counting Paper Ballots (PDF), Address to Democracy Fest Annual National Convention, June 10, 2007
7. Stephen H. Unger, E-Voting: Big Risks for Small Gains: Cost, Feb. 5, 2007.
9. Stephen H. Unger, E-Voting: Big Risks for Small Gains: Problems, Feb. 5, 2007.
10. Kim Zetter, CA Releases Results of Red-Team Investigation of Voting Machines: All Three Systems Could Be Compromised, Wired.com, July 27, 2007
11. Kim Zetter, NY: 50 Percent of Sequoia Voting Machines Flawed, Wired.com, July 14, 2008
12. Lawrence Norden, et al., The Machinery of Democracy: Protecting Elections In An Electronic World, Brennan Center Report, June 28, 2006, see Rec. 6, p. 90
13. Carlos Campos, GA: Voting machine firm hires ex-elections director, Atlanta Journal-Constitution, December 23, 2006
14. The Disability Lobby and Voting, NY Times Editorial, June 11, 2004
15. Brad Friedman, Blind and Disabled Voter Advocates, Groups Call for 'Immediate Ban' of DRE Voting Systems!, Brad Blog, March 14, 2007
16. Stephen H. Unger, The Great Sarasota Undervote Mystery, July 3, 2007