Half an E-Voting Debate
Oct 28, 2004 5:00 AM PT
A few weeks ago, I wrote a commentary on electronic voting for the Washington Dispatch in which I argued that what makes it possible for conspiracy theorists to use e-voting as the basis of an attack on the legitimacy of an expected Bush victory on November 2 is the client-server architecture, not the specific failures of the technologies used within it.
Conspiracy theorists, I said, pointing at the technology proposed by the Open Voting Consortium as an example of the best in client-server technology, are not constrained by practicality. As long as there is a programmable device or a data transfer step under local control somewhere in the election process, conspiracy theories cannot be conclusively disproven.
Needless to say, not everyone agreed. One of those who disagreed, Tom Mereckis of votehere.com, offered to debate the issue in the pages of LinuxInsider but backed out at the last minute.
Prior to that, we had agreed to discuss how each of five main issues expected to arise from the current election would have been avoided had our preferred technologies been available and adopted for universal use during this election.
That, of course, is a "gedanken experiment" but, just for fun and in support of the congressional committees that will be investigating this election's IT fiascos, I thought I'd present just my half anyway -- so here we go, starting with a reprise of two earlier LinuxInsider columns on what that ideal voting technology would look like.
Ideal E-voting Technology (the Murphy view)
Imagine a system that has Sunrays (Sun's stateless thin-client terminals, which hold no local storage or application code) in the voting booths, connected directly to state-level data centers, with two national data centers linking the state centers. Within each state, voters can go to any polling place, identify themselves and their place of residence, and see only the ballot appropriate to their home address. When they use the software to vote, three things happen: a paper ballot is printed and automatically dropped in the right ballot box; their votes are added to the totals at the state and national levels; and the combination of name and address used is marked as "already voted" in the database.
As I've discussed in previous LinuxInsider columns, there are lots of legislative and other "paper" issues associated with making this happen, but there are no technical showstoppers and costs can reasonably be expected to be far below those of the current systems.
Notice that there is no programmability at the local level, no way to add unauthorized devices to the network, and no obvious way for someone trying to commit voting fraud to simultaneously corrupt the voter list, the paper ballots and the electronic count.
This approach doesn't eliminate all opportunities for vote cheating, but it does remove most of them from the local level and all of them from the polling place.
Fraudsters, for example, will generally have to go after the weakest element in the chain: trying to get their people multiple voting opportunities through the use of multiple identities. Notice, however, that most such frauds now operate by stuffing the ballot box with ballots from the dead or otherwise ineligible, and that can't happen here because votes are taken, and recorded, one at a time. Thus someone with three in-state addresses and one out-of-state address might be able to vote four times, but it will take four trips to the voting booth to do it -- and the person involved is virtually certain to be caught if an auditor compares actual voters against a national identity database, such as that maintained by Acxiom.
Issue One: Real Failings Empower Conspiracy Theorists
This election is marked by a bitterness verging on the pathological among leading Democrats. As a result, they've announced their willingness to do whatever it takes to win -- including intimidating election officials and contesting every Republican victory through the courts.
The Kerry campaign, for example, has recently announced its intent to have 2,000 lawyers among the 7,000 party representatives attending polling places just in Florida. The campaign had earlier promised 10,000 lawyers on standby across the nation. Some Democrats in Congress, meanwhile, invited the UN to supervise an American election.
Assuming Bush wins, we can expect that these people, many of whom maintain against all evidence that Al Gore won in 2000, will respond bitterly, viciously and without consideration for the consequences to democracy.
Conspiracy theorists are not constrained by reality; if vote cheating is remotely possible, and a Republican wins, vote cheating will be alleged. The electoral officials involved will then find their records subpoenaed, their every action and motive questioned and themselves facing trial by media. That might sound exaggerated, but the groundwork is already in place. For example, in the October 22 Toronto Globe and Mail, Alan Freeman has this to say:
Florida's creaky election system may have been studied, reformed and remodeled, but Sharon Pynchon is still convinced the Republicans would steal the election on Nov. 2 if given a chance.
"We feel there's absolutely no basis for trust because they've shown that if there's an opportunity, they'll circumvent the law," said Ms. Pynchon, a volunteer running the local Democratic headquarters in DeLand, the sleepy seat of Volusia County.
"We can sit and stare at an electronic voting machine all day, but have no idea what is happening in the technology part of it," she continued, speculating that the machines can still be tampered with remotely.
Opinions like these are unburdened by supporting evidence, but there is an underlying reality to them -- today's e-voting machines and the processes within which they are used have systemic weaknesses. Although these problems are serious, I think that their biggest impact will come not from vote rigging, but from the effects on public opinion when well intentioned but technologically illiterate judges react to expert testimony about these weaknesses by finding reasonable grounds to doubt the legitimacy of at least some election outcomes.
It would take a Bush landslide (or a Kerry victory) to limit the effect for this election, but the long-run right answer is to put in place a system in which local cheating is truly impossible. Not difficult or implausible, but impossible.
That's what the Sunray solution offers: you can't cause it to cheat, because there's nothing programmable on it that can interact with the application used to deliver the ballot and record the vote.
With the very best of the present e-voting technologies, any expert testifying in court would have to say that cheating would be so hard to do that it probably wasn't done often -- and that equivocation makes it impossible for election officials to ever prove Pynchon wrong. In contrast, any expert on the Sunray solution could slam the door on her by testifying that no cheating took place because no cheating is possible. It can't be done, therefore it wasn't done. Period.
Issue Two: Threats to ballot secrecy
Ballot secrecy is critical to the democratic process because it allows voters to reject those who try to pay or frighten them into voting for favored candidates. With client-server e-voting, attacks on ballot secrecy can succeed simply by correlating the order in which voters enter the booth, obtained from something like a hidden camera (or just someone who takes notes) in the polling place, with the sequence of vote records as stored in a database or ballot register.
In the Sunray solution, the physical ballots dropped into the ballot box for audit and control reasons do not carry markings that could give away their sequence.
The actual vote is not recorded anywhere other than on the paper ballot. At the state level, the only thing recorded is the running total for each vote category. In the normal course of things, this means that no record of individual votes can be reconstructed.
There are some exceptional circumstances. If, for example, only a few polling places feed a given race and very few voters make a choice in it during a known time period, then individual votes can be reconstructed with high likelihood by watching the running totals change. To thwart that, the system would be set up to buffer votes, publishing new totals only once a threshold number of ballots, such as five, has accumulated, and clearing its buffers only on shutdown after the election period expires.
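The buffering just described, worked through as an added example (this is not code from the column or from any Sun Ray product): a state server that publishes its running total after every ballot lets anyone who knows when a particular voter was in the booth read that voter's choice off the change in the totals, while releasing only batches of at least k ballots makes each published increment a sum over k or more voters. The race, the candidate names, the threshold and the ballots are all constructed for the example.

```python
"""Batched release of running vote totals.

Added example; not code from the column or from any Sun Ray product.
A RaceTally holds ballots in a buffer and publishes new totals only
once at least k ballots have accumulated. The `releases` list records
what an outside observer who counts voters into the booth can see:
how many ballots each published update covered and how the totals
moved. Candidates, k and the sample ballots are assumptions.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

Delta = Dict[str, int]


class RaceTally:
    """Running total for one race, published only in batches of >= k ballots."""

    def __init__(self, candidates: List[str], k: int) -> None:
        self.candidates = tuple(candidates)
        self.k = k
        self.published: Counter = Counter({c: 0 for c in candidates})
        self._buffer: Counter = Counter()
        self._buffered_ballots = 0
        # (ballots in the batch, change in totals) for each published update
        self.releases: List[Tuple[int, Delta]] = []

    def record(self, choice: Optional[str]) -> None:
        """Record one ballot; None is a blank ballot for this race."""
        if choice is not None:
            if choice not in self.candidates:
                raise ValueError(f"unknown candidate {choice!r}")
            self._buffer[choice] += 1
        self._buffered_ballots += 1  # blanks count toward the batch too
        if self._buffered_ballots >= self.k:
            self._flush()

    def _flush(self) -> None:
        if self._buffered_ballots == 0:
            return
        delta = {c: self._buffer[c] for c in self.candidates}
        self.published.update(self._buffer)
        self.releases.append((self._buffered_ballots, delta))
        self._buffer.clear()
        self._buffered_ballots = 0

    def close(self) -> None:
        """End of the election period: release whatever is still buffered."""
        self._flush()


def single_voter_releases(tally: RaceTally) -> int:
    """Count published updates that covered exactly one ballot. An observer
    who knows who was in the booth at that moment learns that voter's
    choice (a zero increment reveals a blank ballot just as surely)."""
    return sum(1 for n, _ in tally.releases if n == 1)


def run_election(k: int, ballots: List[Optional[str]]) -> RaceTally:
    """Cast the ballots one at a time through a tally with threshold k."""
    tally = RaceTally(["Alice", "Bob"], k)
    for b in ballots:
        tally.record(b)
    tally.close()
    return tally


# Constructed sample: seven ballots cast one at a time in a quiet precinct.
SAMPLE: List[Optional[str]] = ["Alice", "Bob", "Alice", None, "Alice", "Bob", "Alice"]

if __name__ == "__main__":
    per_ballot = run_election(1, SAMPLE)
    batched = run_election(5, SAMPLE)
    print("per-ballot publishing:", single_voter_releases(per_ballot), "votes exposed")
    print("batched (k=5):        ", single_voter_releases(batched), "votes exposed")
    print("final totals agree:", per_ballot.published == batched.published)
```

Note the edge case the closing flush creates: with k=5 and six ballots, the batch released on shutdown contains one ballot, and the last voter's choice is exposed exactly as it would be with per-ballot publishing. The intermediate snapshots are therefore best restricted to the audit team rather than made public during the day, with only the final totals released at close.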
The Sunray solution also offers a defense against the more recent method of coercing voters to "do the right thing" by having lawyers and paralegals at the polling places to "guide" the otherwise disenfranchised. Although primarily just a thinly disguised attempt to intimidate election officials into looking the other way on this and related abuses, this is also a way to limit the effect of ballot secrecy while setting aside rules against electioneering in the polling place.
Voter training, using one or more terminals set up specifically for that purpose adjacent to, but not in, each polling place, is part and parcel of the Sunray proposal. Combined with the removal of most registration issues from the polling place, this gives the voter an opportunity to obtain training and run practice voting in a non-coercive environment while enabling electoral officials to enforce privacy in the polling booth.
Issue Three: Errors, Failures, Frauds
There are always errors, human and mechanical failures, and people who try to scam the system.
In the case of the Sunray solution, training, finance and physical hardware/network distribution for the polls are bundled issues.
As in any complex system, the likelihood of failures, particularly human and network failures, increases the less the system is used outside elections. Thus, one of the great weaknesses of the client-server technology now used is that the gear gathers dust between elections -- meaning that the people involved have to re-invent their expertise each time an election is carried out.
If used only during elections, the Sunray system has the big advantage of simplicity in set-up and operation. The electoral officials basically just need to plug them in, lock the ballot boxes onto the printers, load paper and turn everything on -- with the more difficult telecom components provided and tested by people who work with that technology every day and therefore know what they're doing.
The Sunrays, however, don't have to gather dust between elections. The approach, which minimizes public cost while maximizing benefit (and administrative resistance to implementation), is to use them in schools during non-election periods. Doing so would, of course, also provide a large pool of knowledgeable users and technologists while debugging network issues during normal operations.
Either way there is no percentage in stealing the equipment or in trying to scam the system by inserting a few terminals -- the Sunray software will issue an alarm if devices are missing and won't accept an unauthorized device at all. Note, too, that many of the problems affecting client-server -- things like data losses or modification during transfer, virus attacks, boot or other device failure, and so on -- just don't exist in the Sunray environment.
The state and national centers, whether used only during elections or continually, represent low-risk environments because the technologies and procedures are widely used and well understood. Most importantly, there are very few of these and their operations can be made wholly transparent -- including fully open-source code -- to audit teams present during the elections.
Basically, no matter how the installation is handled, we can expect that some things will go wrong -- but also that remediation should be quick enough that the impacts, if any, are very minor.
Issue Four: Inadequate Audit Trail Threatens Legitimacy
In the Sunray solution, a voter is marked as having voted only if a ballot is produced and dropped in either the authorized or the provisional bin. Thus, for every vote increment recorded at the state or national level, there has to be a piece of paper -- whether that increment is zero and the ballot blank or not. No undervotes, no overvotes. No issues separating provisional votes, and full downstream auditability on who voted.
(Interestingly, Edward Delp and his colleagues at Purdue have recently developed a way to "fingerprint" printers from characteristic artifacts in their output -- meaning that stuffing the ballot box after the election in an attempt to upset the audit would be detectable, because ballots not printed in the polling booth could be traced to a different printer. This is a forensic technique with a measurable error rate rather than a cryptographic one, so it supports the audit described next rather than replacing it.)
Notice, however, that the paper ballots by themselves do not constitute the audit trail. What's going on here is like a three-way form of double-entry bookkeeping. The electronic count, the paper ballots and the list of voters who voted have to balance -- and if any two go out of sync, the source of the problem will be totally obvious.
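The three-way balance, worked through as an added example (this is not code from the column or from any election system): the voter list, the paper ballots and the electronic count are reconciled, and when one record has been tampered with the other two agree and point at it. Printer attribution is modeled as a plain printer identifier on each ballot, an assumption standing in for the forensic fingerprinting mentioned above; the candidates, printers and ballots are constructed.

```python
"""Three-way reconciliation of election records.

Added example; not code from the column or from any election system.
The voter list (how many people were marked as having voted), the paper
ballots in the box and the electronic count must balance; when one of
the three is altered, the other two agree and identify it. A printer id
on each ballot stands in for printer fingerprinting (assumption).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Ballot = Tuple[Optional[str], str]  # (choice, or None if blank; printer id)

CANDIDATES = ["Alice", "Bob"]
AUTHORIZED_PRINTERS = {"booth-1", "booth-2"}


@dataclass
class ElectronicCount:
    ballots: int            # one increment per ballot, blank or not
    totals: Dict[str, int]


@dataclass
class AuditResult:
    verdict: str
    foreign_ballots: List[Ballot] = field(default_factory=list)


def tally_paper(paper: List[Ballot]) -> Dict[str, int]:
    totals = {c: 0 for c in CANDIDATES}
    for choice, _ in paper:
        if choice is not None:
            totals[choice] += 1  # KeyError on an unknown name is deliberate
    return totals


def honest_count(paper: List[Ballot]) -> ElectronicCount:
    """What the state server holds if every ballot was counted correctly."""
    return ElectronicCount(len(paper), tally_paper(paper))


def reconcile(marked_voters: int, paper: List[Ballot],
              electronic: ElectronicCount) -> AuditResult:
    voters_vs_electronic = marked_voters == electronic.ballots
    paper_vs_electronic = (len(paper) == electronic.ballots
                           and tally_paper(paper) == electronic.totals)
    voters_vs_paper = marked_voters == len(paper)
    foreign = [b for b in paper if b[1] not in AUTHORIZED_PRINTERS]

    if voters_vs_electronic and paper_vs_electronic and voters_vs_paper:
        verdict = "balanced"
    elif voters_vs_electronic and not paper_vs_electronic and not voters_vs_paper:
        verdict = "paper ballots"        # box stuffed or ballots removed
    elif voters_vs_paper and not voters_vs_electronic and not paper_vs_electronic:
        verdict = "electronic count"     # server totals altered
    elif paper_vs_electronic and not voters_vs_electronic and not voters_vs_paper:
        verdict = "voter list"           # marks added or removed
    elif voters_vs_electronic and voters_vs_paper and not paper_vs_electronic:
        # Head counts agree everywhere but the choices differ. The voter list
        # only counts heads, so it cannot say whether paper or electronic was
        # altered; printer attribution or a hand recount has to decide.
        verdict = "paper ballots or electronic count"
    else:
        verdict = "multiple records inconsistent"
    return AuditResult(verdict, foreign)


# Constructed precinct: five voters marked, five ballots, all from booth printers.
CAST: List[Ballot] = [("Alice", "booth-1"), ("Bob", "booth-2"), ("Alice", "booth-1"),
                      (None, "booth-2"), ("Alice", "booth-1")]


def scenario_balanced() -> AuditResult:
    return reconcile(5, CAST, honest_count(CAST))


def scenario_stuffed_box() -> AuditResult:
    """An extra Bob ballot slipped in afterwards from a printer never in a booth."""
    return reconcile(5, CAST + [("Bob", "office-laser")], honest_count(CAST))


def scenario_server_tampered() -> AuditResult:
    """Server shows six ballots and an extra Alice vote; paper and voter list agree."""
    ec = honest_count(CAST)
    ec.ballots += 1
    ec.totals["Alice"] += 1
    return reconcile(5, CAST, ec)


def scenario_vote_swapped() -> AuditResult:
    """One Alice vote turned into a Bob vote; head counts unchanged."""
    ec = honest_count(CAST)
    ec.totals["Alice"] -= 1
    ec.totals["Bob"] += 1
    return reconcile(5, CAST, ec)


if __name__ == "__main__":
    for s in (scenario_balanced, scenario_stuffed_box,
              scenario_server_tampered, scenario_vote_swapped):
        r = s()
        print(f"{s.__name__:25s} -> {r.verdict}; foreign ballots: {r.foreign_ballots}")
```

The swapped-vote scenario is the limit of the bookkeeping: the voter list arbitrates only the number of ballots, so a change that keeps head counts equal but moves a vote between candidates narrows the fault to the paper or the electronic record without choosing between them. That is where the paper ballots, counted by hand and checked against their printers, settle the question.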
Issue Five: Measurement and Getting It Right Next Time
In contrast to the client-server solutions, which require continual monitoring and effort, the Sunray solution, once installed, simply works. As a result, election officials will be able to ignore the technology to focus on the bigger picture -- things like ballot and voter list preparation.
In both cases, the Sunray solution will support rather than impede management's work. For example, ballot preparation is intended to proceed by having county officials prepare text files, which are then automatically converted to the HTML (or Java) form used during the election. Thus the system enables ballot debugging via practice runs while reducing the time needed to effect changes.
Similarly, voter list preparation is expected to take months before the election. This has unique legal and other risks for the participants, which will be reduced by the system's ability to track changes and record effort. Thus when, during the election, people appear "from out of thin air" (as always happens), the system's centralized record management can easily accommodate them, and areas of concern can be identified later for improving the process next time out.
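The ballot preparation step described above, text file in and HTML form out, as an added example (this is not code from the column or from any county's system). The text format, a "RACE:" line followed by one candidate per line with "#" comments and blank lines ignored, is an assumption. Two things matter in this conversion: a practice run should reject the mistakes a clerk can make (duplicate or empty races, duplicate candidates, stray control characters), and every name must be escaped rather than pasted into markup, because whatever is in that file is served to every booth in the county.

```python
"""Ballot definition: county text file to the HTML form voters see.

Added example; not code from the column. The text format (a "RACE:"
line followed by one candidate per line; "#" comments and blank lines
ignored) is an assumption. The sample file below is constructed.
"""
import html
import re
from typing import List, Optional, Tuple

Race = Tuple[str, List[str]]

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def parse_ballot(text: str) -> List[Race]:
    """Parse the definition, rejecting the mistakes a practice run should
    catch before election day: duplicate races or candidates, empty races,
    candidates before any race, and control characters in the text."""
    races: List[Race] = []
    current: Optional[List[str]] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if _CONTROL.search(line):
            raise ValueError(f"line {lineno}: control character in ballot text")
        if line.upper().startswith("RACE:"):
            name = line[5:].strip()
            if not name:
                raise ValueError(f"line {lineno}: race has no name")
            if any(name == existing for existing, _ in races):
                raise ValueError(f"line {lineno}: duplicate race {name!r}")
            current = []
            races.append((name, current))
        else:
            if current is None:
                raise ValueError(f"line {lineno}: candidate before any RACE: line")
            if line in current:
                raise ValueError(f"line {lineno}: duplicate candidate {line!r}")
            current.append(line)
    for name, candidates in races:
        if not candidates:
            raise ValueError(f"race {name!r} has no candidates")
    return races


def render_html(races: List[Race]) -> str:
    """Render the form. Names are HTML-escaped, and the submitted value is the
    candidate's index, so no ballot text ever travels back to the server."""
    out = ['<form method="post" action="/vote">']
    for i, (name, candidates) in enumerate(races):
        out.append(f"<fieldset><legend>{html.escape(name)}</legend>")
        for j, candidate in enumerate(candidates):
            out.append(f'<label><input type="radio" name="race{i}" value="{j}"> '
                       f"{html.escape(candidate)}</label>")
        out.append("</fieldset>")
    out.append('<button type="submit">Cast ballot</button></form>')
    return "\n".join(out)


# Constructed county file; the last candidate name shows why escaping matters.
SAMPLE_BALLOT = """\
# constructed sample ballot definition
RACE: Governor
Alice Smith
Bob Jones

RACE: Proposition 1
Yes
No <script>alert(1)</script>
"""

if __name__ == "__main__":
    print(render_html(parse_ballot(SAMPLE_BALLOT)))
```

Submitting the candidate's index rather than the name also keeps the server-side vote record independent of how the name was spelled in the file, which is what lets a typo be fixed between practice run and election without touching the counting code.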
Mereckis, of votehere.com, backed out of the debate, but I'm hoping you won't. We're five days from the election: so let's hear what you think is going to happen with e-voting.
Paul Murphy, a LinuxInsider columnist, wrote and published The Unix Guide to Defenestration. Murphy is a 20-year veteran of the IT consulting industry, specializing in Unix and Unix-related management issues.