As the world watched the electoral drama unfold in Florida at the end of 2000, my phone started ringing off the hook. "Wouldn't all our problems be solved if they just used Internet voting?" "Was that butterfly ballot really as confusing as they claim?" "And what exactly is the difference between a pregnant and a dimpled chad?" I spoke with numerous reporters, several state officials, and many colleagues and friends. While the actual outcome of the Presidential election remained unknown, it became clear that throughout the United States, people were soon going to be taking a hard look at their voting equipment and procedures, and trying to figure out how to improve them. After they finished scrutinizing and debating the events in Florida, what everyone really wanted to know was what new technology their state could buy that would ensure that in future elections all votes would be fairly counted. But there are no easy answers.

Mechanical lever voting machines

Mechanical lever voting machines have been in use in parts of the United States since 1892. Voters pull levers that correspond with the candidates and issues they wish to vote for. When a lever is pulled it causes a counter wheel to rotate. At the end of an election, officials open up the back of each machine to read the counter wheels and determine how many votes were cast for each candidate. By the 1960s, these machines were used by about half the voters in the US. These machines were appealing because they allowed election results to be determined quickly, and because they were able to thwart voting fraud schemes that had become widespread using paper ballots.

One of the main disadvantages of lever machines is there is no ability to audit them and to "recount" individual ballots. If the machine malfunctions and a counter wheel fails to turn, no record exists from which a proper tally can be determined. Sometimes levers are mislabeled (either accidentally or deliberately). Lever machines are also difficult to test exhaustively, as a person has to manually enter large numbers of votes into each machine that is to be tested. These machines have also been known to cause confusion when recording and tallying write-in ballots. Because of their size and weight, these machines are expensive to store and transport. Lever machines are still in use in 15% of counties in the US. However, because they are no longer manufactured, it is becoming difficult to obtain spare parts for them. During the 2000 Presidential election, New York City voters reported that levers were broken off of some machines, making it impossible for them to vote for some local offices.

Punch card voting systems

The State of Florida purchased their punch card voting system about 20 years ago to replace the lever machines they were using at the time. The Florida punch card machines are known as Votomatic machines. The cards used by these machines are printed with rows of marks where holes can be punched. The names of the candidates are not printed on the cards themselves, but rather on a ballot holder device that looks something like a book with cardboard pages. When the card is properly inserted into the ballot holder, one column of holes is visible through the "spine" of the book. Each hole lines up with the name of a candidate printed on the book's pages. Election officials try to print candidate names only on the left side of each two-page spread, so that the holes are to the right of the candidates names. But sometimes they end up with ballot layouts that use both the left and right sides of the page. Having used this system‹butterfly ballots and all‹when I lived in St. Louis, I can assure anyone who insists that the system shouldn't be that difficult to figure out, that indeed it is. Especially when two page "butterfly" layouts are used, the system can be quite confusing even to someone with 20-20 vision and good hand-eye coordination. The Associated Press recently quoted one of the inventors of the Votomatic system as saying that he had never intended it to be used with a butterfly layout.

The 2000 Presidential election was not the first time that there were lawsuits over Votomatic ballot confusion. In 1987, ballots cast in predominantly black wards of St. Louis were more than three times as likely to be improperly punched, and therefore not counted, as those cast in predominantly white wards. A federal judge subsequently ruled that the punch card system used in St. Louis "denies blacks an equal opportunity with whites to participate in the political process." The judge ordered the city to increase voter education in black wards and count improperly marked ballots by hand.

Another kind of punch card ballot system called Datavote reduces voter confusion about which hole to punch by printing the candidate names directly on the ballot. However, Datavote systems can cause problems and added expense because most elections require voters to use multiple ballot cards. In precincts where these systems are used, under votes are common when voters forget to vote in the races listed on the back of the punch cards, or neglect to vote all of the punch cards they are given. Sometimes Datavote systems also have a high rate of over votes for reasons that are not entirely clear. Datavote cards are voted using a special mechanical hole punch device that cleanly removes the chad from each hole a voter punches.

Besides the difficulty in understanding and marking punch card ballots, these ballots have also been known for a long time to be difficult to tally accurately. Votomatic systems suffer from the frequent occurrence of hanging, swinging, pregnant, and dimpled chad. These terms have now become household words in the US and the butts of many jokes. But in early November 2000, most Americans had never heard these terms. The word chad first came to my attention when I read Roy Saltman's 1988 National Bureau of Standards report Accuracy, Integrity, and Security in Computerized Vote-Tallying [ http://www.nist.gov/itl/lab/specpubs/500-158.htm ] while working on my dissertation. Saltman described a large number of problems with punch card ballots, and highlighted the chad problem in particular. Despite these warnings, punch card systems remain in use in 20% of counties in the US.

Optical-scan voting systems

One popular alternative to punch card systems are optical-scan systems, used in 40% of counties in the US. These systems are similar to the systems used to administer college entrance exams and other standardized tests. Voters use a pen or pencil to fill in an oval or connect dots on a paper ballot. A machine scans these ballots to count the votes. Both punch card and optical-scan systems suffer from the problem that voters may improperly mark their ballots, causing the ballot-counting computer to count them incorrectly or not at all. And both kinds of ballots can be tampered with during the counting process. However, in many precincts where optical-scan ballots are used, a scanner is available in each precinct so that voters can feed their ballots into the scanner themselves and check to see if it is accepted by the machine. If the machine reports that the ballot is mismarked, the voter can correct the problem and submit it again. In precincts where such a scanner is available, the percentage of uncounted ballots is often reduced by roughly a factor of five (when no scanner is available, optical-scan and punch card ballots result in similar percentages of uncounted ballots). Similar improvements might be possible if punch card readers were available at precincts as well.

Direct recording electronic systems

In the aftermath of the 2000 Presidential election, people are calling for a voting system in which every vote cast will be counted. They want systems in which it is not possible for a voter to mark a ballot in such a way that it will not be counted. And they want systems that will allow for accurate recounts without the risk of ballot tampering or the need to argue about what constitutes a vote. Vendors of computerized voting systems, often referred to as direct recording electronic (DRE) systems, claim to have an answer. A computerized voting machine that allows voters to register their votes using a touch screen, ATM-machine like terminal, or a panel with buttons and lights, could ensure that voters do not unintentionally vote for too many or too few candidates. Indeed, in the 9% of counties in the US where these machines are already in use, the feedback from voters is generally positive. Voters typically find the machines easy to use, and like the fact that the machines warn them if they fail to vote for a particular office and do not permit overvotes. I used one of these machines in New Jersey this year, and found it quite simple to use, although a carelessly designed ballot could probably render even a DRE machine difficult to use and confusing to voters.

While DRE machines may be easy to use, produce unambiguous results, and don't involve paper ballots that might be tampered with, they are not without problems. DRE machines must be trusted to accurately record each vote as the voter entered it. If the machines do not record a vote accurately, or fail to record it at all, there is no record to go back to for a recount (as with lever machines).

I tend to think that with sufficient review and oversight, we should be able to deploy DRE machines that have a very low risk of failure (through either accidental error or fraud). I don't think we can build a perfect machine, but we should be able to build a machine with risks lower than the risks associated with a paper ballot system. I do not know enough about existing DRE systems to know whether any of them are good enough today, but have heard about enough problems to be suspicious. Another problem with DRE machines is the amount of time each machine is monopolized by a single voter. When DRE machines are used, each voter must have exclusive access to a terminal for the entire time it takes to mark the ballot. Election officials with experience using DRE machines report that generally about 30 voters per hour can use a single DRE machine. (This is probably similar to the number of voters that can use a lever machine in an hour.) Thus, it takes a large number of machines to serve the voters in each county. The machines are expensive, and each must be configured and tested before every election.

Some vendors are promoting computerized systems that use off-the-shelf PCs as a much less expensive alternative to traditional DRE systems. Besides the significant cost advantage, some vendors claim that there is less of a risk of hardware tampering on such machines since they are not being manufactured for the express purpose of voting. However, because these computers are manufactured as general purpose computers, there are also a lot more areas where things may go wrong and a lot more places where malicious code may be hidden. And conducting an election on them using a general purpose operating system opens them up to a wide range of vulnerabilities. Hand-counted paper ballots

The apparent lack of a perfect voting technology has lead many people to suggest that we just go back to the old hand-counted paper ballots used in the past in the US, and still used throughout most of the world. A well-designed paper ballot would probably use a separate ballot paper for each race, and include large boxes for voters to use to mark their preferences. In most countries where this system is used, ballots can be tallied very quickly, sometimes in a matter of hours, using government employees or citizen panels. But in most of these countries voters are asked to vote in only a few races, often only one race. With the large number of races and other ballot questions on US ballots, a hand counted paper ballot system would be more cumbersome. As suggested by computer-related risks expert Peter Neumann [ http://www.csl.sri.com/users/neumann/ ], it might be practical if used for Presidential voting only, and not for other races. Even if a paper ballot system were practical, problems would remain. Voters could still accidently skip over ballot questions or vote for too many candidates on a ballot. And paper ballots can be tampered with during transport and counting, and are subject to a range of voting fraud schemes that involve vote buying and ballot box stuffing. This option should be considered along with other possible options, but it does not appear to offer a perfect solution either.

Perhaps the questions I heard most frequently following this year's election were questions about Internet voting. As the popularity of online shopping and banking increase, so does voter interest in the possibility of voting from home or work over the Internet. The first governmental election to be conducted over the Internet in the US was the 1996 Reform Party Presidential primary, in which Internet voting was offered, along with vote-by-mail and vote-by-phone, as an option to party members who did not attend the party convention. In 2000 the Arizona Democratic Party offered Internet voting as an option in their Presidential primary. And Internet voting was used in the 2000 Alaska Republican Presidential straw poll as well as in a number of non-binding shadow elections. In the November 2000 Presidential election, a few hundred over seas military personal were given the opportunity to cast their absentee ballots via the Internet.

The problems that have actually occurred in online elections to date are relatively minor compared with the types of problems that experts fear might occur if Internet voting was used in contentious governmental elections. At an NSF sponsored e-Voting Workshop in October [ http://www.netvoting.org/ ], security experts discussed a wide range of problems. Most significant were probably the vulnerabilities of the personal computer platform and the vulnerabilities of the Internet infrastructure itself. Individuals don't currently have the ability to shield their personal computers from viruses and trojan horses that might manifest themselves on election day. Furthermore, the ability to prevent denial of service attacks against voting servers or voters' Internet connections is limited. Hackers could design attacks to take out large portions of the Internet, or focus on neighborhoods known to support a particular party. Avi Rubin [ http://www.avirubin.com/ ] wrote a short essay [ http://www.avirubin.com/e-voting.security.html ] following the NSF workshop that provides a good overview of these and other security concerns.

The conclusions reached by workshop participants about the security risks of remote Internet voting were similar to the conclusions reached by the California Internet Voting Task Force [ http://www.ss.ca.gov/executive/ivote/ ] in January 2000. The taskforce also outline security concerns, and suggested that if Internet voting was to be pursued, it should be introduced in several stages, beginning with Internet voting terminals in neighborhood polling places. This first phase would not really offer any advantage to voters, but it would provide a more controlled environment in which to gain experience with Internet voting.

People often ask me why the security risks associated with Internet voting are different from the risks associated with online banking. Some have even suggested that Automatic Teller Machines [ http://www.votebyatm.com/ ] be employed for voting, in addition to their primary banking functions. Internet voting is very different from banking applications for a number of reasons. One of the most important differences has to do with auditing and secret ballot requirements. When you do a financial transaction, generally you get a receipt. Periodically your bank sends you a statement that summarizes all of your transactions for the past month or quarter. You can compare this summary with the receipts you received, and determine whether your bank made any errors. Furthermore, every financial transaction is recorded in great detail, along with information about who was involved in the transaction. But in secret ballot elections voters do not get receipts (if they did they could sell their votes or be coerced to vote in a particular way). And audit trails are specifically designed not to reveal the voter associated with each ballot. Also, while financial transactions occur every day of the year, major elections occur on just one day. Even if we extended the voting period to several days or even a few weeks there will still be a small window of opportunity that will be the focal point for those wishing to disrupt the election.

One of the primary motivations that has been given for remote Internet voting is the possibility of increased voter turnout. However, little evidence exists to suggest that the availability of remote Internet voting would succeed in bringing substantial increases in voter turnout. And any increase in turnout is likely to impact some voter groups more than others (in particular the people who have Internet connected computers in their homes). Thus, Internet voting could serve to widen the gap that already exists in the way different socioeconomic groups are represented at the polls.

Internet voting may be a good solution for non-governmental elections, especially for organizations that already have experience with vote-by-mail balloting. These elections generally are less interesting targets for hackers, involve smaller numbers of voters, and sometimes have less stringent secret ballot requirements Internet voting has been used successfully in shareholder proxy balloting for several years. Many professional organizations are finding Internet voting to be a cost-effective alternative to vote-by-mail. Is the Will of the People Countable?

Assuming we can find a better voting technology, how much would it cost? Cost estimates vary widely. DRE machines cost approximately $5,000 per unit. A system that uses off-the-shelf personal computers might be able to reduce that cost by as much as a factor of 10. Refinements on existing systems, such as putting scanners in every precinct that uses punch card or optical-scan ballots, might be substantially cheaper. Quotes in the media indicate that most states looking into replacing their voting equipment are assuming that they will have to spend upwards of $100 million. In November 2000 when I was interviewed for ABC NightLine I had heard estimates of $20-$50 million for a large county. Replacing voting machines will cost a lot of money. Most of that money will have to come out of state and local budgets. Recently introduced Federal legislation includes $100 million in matching grants for states to upgrade their voting equipment, but this doesn't appear to be anywhere near the actual costs. As I said, there are no easy answers. It is my hope that states will proceed cautiously in adopting new voting technologies, first establishing detailed requirements and certification criteria, and rigorously evaluating each candidate technology to see whether it meets the criteria. The technology development and evaluation necessary to satisfy these goals will be expensive. But by spending the money up front, we are more likely to avoid costly law suits and recounts, as well as to maintain public confidence in our electoral process, something that is very difficult to put a price on.

December 2000, Revised 19 March 2001

Dr. Lorrie Faith Cranor [ http://lorrie.cranor.org/ ] has been studying electronic voting systems since 1994. She maintains the e-lection electronic voting mailing list [ http://lorrie.cranor.org/voting/ ] and in 2000 served on the executive committee of a National Science Foundation sponsored Internet voting taskforce. She is a senior technical staff member at AT&T Labs-Research Shannon Laboratory in Florham Park, New Jersey. Her primary research focus is online privacy. She chairs the Platform for Privacy Preferences Project (P3P) Specification Working Group at the W3C, and last year she served on the Federal Trade Commission Advisory Committee on Online Access and Security. She is also a member of the project team that developed the Publius censorship-resistant publishing system, which was honored by Index on Censorship magazine for the "Best Circumvention of Censorship."

What's inside...