|Volume 19, Number 1||The CPSR Newsletter||Winter 2001|
|Why Has Voting Technology Failed Us?||
by Erik Nilsson
Florida was a wake up call. In the aftermath of the last presidential election, there seems to be general agreement that America's current election systems are inadequate, and something must be done. It seems likely that something will be done. Laws will be passed. Money will be spent on new elections systems. Hopefully, carefully-considered actions will result in elections systems that are markedly more secure and accurate than the systems we use today. But this happy outcome is anything but certain.
Study Undermines Faith In Technology
In December, 2000, the presidents of MIT and Caltech announced a joint "Caltech/MIT Voting Project" to study voting systems and develop a new "voting machine" to prevent future debacles like we saw in Florida. This was one of many announcements around that time promoting various initiatives, technologies, and companies. Each claimed to have the technological fix for our election woes. Many of these announcements, like Caltech/MIT's, assumed that careful application of technology should result in the best election system possible. Some, like the Caltech/MIT announcement, combined this confidence with statements of obvious ignorance of how elections systems work and how they fail. But many of us in the voting community may have been too quick to write off Caltech/MIT's project. On February 1, 2001, the project released its first piece of research: a study on the accuracy of elections systems, nationwide, in the last four presidential elections . The study uses a clever methodology to mine deep results from available election statistics. The results were surprising, even to many elections experts. The study measured the "residual vote": the number of ballots that did not end up having a vote for president counted, either because of undervote, overvote, or some other problem such as a stray mark. The residual vote is an estimate of a voting system's accuracy, probably the best such measure we will ever have on past elections. The average residual votes found were as follows:
With lever voting machines, the voter sets small levers or switches to indicate their choices, then pulls a master lever to make their vote. With optically-scanned ballots, the voter fills in a box or makes some other mark on a paper ballot; an optical scanner then reads the votes. Vote-O-Matic ballots are the type that produce the now-famous chad. With a DRE machine, the voter votes on a computer that usually resembles an ATM, picking candidates from a screen; the votes are recorded in the DRE's computer memory. DataVote punch cards are similar to Vote-O-Matic, except the candidates' names are printed on the ballot, and a different method is used to punch a hole in the ballot. The study does not attempt to identify the causes of residual vote in each system. Rather, the study correctly assumes that any failure to capture voter intent is an inaccuracy in the voting system, or perhaps a fraud. To guard against the possibility that, for example, DRE machines are concentrated in counties where more people tend to have no opinion on the presidential race, the researchers studied counties where the voting system had changed. The above results stand:
"Levers and paper and scanned ballots appear to offer similar rates of reliability.... Paper ballots, lever machines, and optically scanned ballots produce lower residual vote rates [than] punch card and electronic methods.... Paper might even be an improvement over lever machines."
The startling result is, with the exception of optical, older technologies were significantly more accurate than newer technologies .
These results are a stark warning of how difficult it is to implement new voting technologies. People worked hard to develop these new technologies. Election officials carefully evaluated the systems, with increasing attentiveness over the last decade. The result: our best efforts applying computer technology have decreased the accuracy of elections, to the point where the true outcomes of many races are unknowable.
Many technologists and technology enthusiasts will read the above words and refuse to believe them. "There must be some other explanation," they will say. "Nothing has been proven," they will say. "Future technology will be better," they will say.
But there is no other plausible explanation: new technology may have reduced the cost of elections, and certainly has increased counting speed, but the above results show no statistically significant progress in elections accuracy over people counting paper ballots, one at a time, by hand. This data is not a proof, but enthusiasts of punchcard and DRE technologies in particular are not given much solace . Furthermore, accuracy is only part of the problem: we must also worry about the security of voting systems. It's hard to measure security objectively, but there is no reason to think that newer systems are more secure than older ones. On the contrary, there is good reason to suspect that, since newer technologies have a more complex chain of activities between the voter and the outcome, newer technologies present more opportunities for fraud than older systems.
Will Yet More Technology Help?
Some suggest Internet-based voting will solve our problems. Tens of millions of dollars have been poured into Internet-voting startup companies. Some companies have already failed, but several remain. These companies try to create an electronic "ballot" with homomorphic encryption  or similar techniques. Their mantra seems to be, "if we can do e-commerce, we should be able to do e-voting." But the problems of e-voting are radically different from e-commerce. For example, you get a balance statement from your bank each month telling you what happened to your money. But, you don't get a statement from your county telling you how you voted, so you can't verify that your vote was correctly handled. You cannot get such a statement, because it could be used to buy votes or pressure voters.
A bank statement provides a real-world check on e-commerce, as well as buying by credit card over the phone, sending checks through the mail, and similar transactions that otherwise wouldn't be sufficiently trustworthy. Without the equivalent of a bank statement, e-voting requires a fantastical technological infrastructure. Ultimately, with or without fancy encryption tricks, e-voting requires a secure networked voting application. As Bruce Schneier points out, "A secure Internet voting system is theoretically possible, but it would be the first secure networked application ever created in the history of computers" . Clearly, such a system could not use any current operating systems or browsers, since none of these is secure when used with a network. Thus, it is not even theoretically possible to develop a secure voting system where people vote from home, using their insecure browser on their insecure PC.
The very imperfect security of banking systems is acceptable, because we can catch their mistakes. The same level of security (or even vastly better security) is intolerable in voting systems, because the results can't be checked. E-commerce doesn't provide us with the technology to conduct e-voting. A secure voting system isn't sufficient, anyway. The system also needs to prevent votes from being altered or destroyed, in case of fraud by one or several people. With systems that have a physical ballot, altering a large number of ballots to change an election requires unsupervised access to the ballots, skill, and time to make the alterations. Since electronic records can be changed almost instantly by a surreptitious computer program, an acceptable technology would have to be able to create and manage an electronic ballot that can't be forged or altered. It must be possible to determine that a ballot came from a single voter, but there must be no way to know who that single voter is. If one had such a powerful technology, why apply it first to the small and often unprofitable elections market? Surely, this technology would be applied first to more lucrative ends. For example, a technology that enabled secure electronic ballots might also enable unforgeable electronic cheques, an unbreakable copyright enforcement scheme, or unforgeable digital cash that requires no trusted third party. These more lucrative applications would provide revenue to develop and prove the new technology. Later, the mature technology would find application in elections.
Thus, unproven technologies should not be applied first to voting. We should not risk democracy on unproven technology. Also, since applying an unproven technology first to voting normally makes no economic sense, there is good reason to suspect both the viability of the technology and the wisdom of the technologists.
Still, there are many proponents of Internet voting. Some of the proponents have a grasp of the preceding issues, yet remain convinced that, for some reason, a good Internet voting system must be possible. Some seem to believe that anything which can be done in the real world can be done analogously on the Internet at a cost that trends toward zero. The battering of dot-com companies over the last year has tempered rhetoric, but many of the plainly ignorant statements by smart people about Internet voting can be attributed to a quasi-religious belief that good java programmers can replace any activity in the real world with a better version on-line. As we've seen, this is just not the case for voting. This suggests there may be other plausible-sounding projects that begin with an "e" and a dash that are also unworkable. Why not vote with paper ballots, counted one at a time? There are disadvantages to hand counting, primarily speed and cost. But it's now clear that much of the cost savings of most newer systems came from their lower accuracy and greater vulnerability to fraud, a tragic false economy. The performance of optical systems give us some hope. They are faster and more economical than hand count, and preserve the option of a hand count to verify machine-count results. Caltech/MIT's results suggest that, today, optical systems are nearly as accurate as hand-counted ballots. With careful work, they can probably be made as accurate as hand-counted ballots. Carefully-designed procedures for random recounts by hand can probably bring the likelihood of fraud in machine ballot counting down to acceptable levels, at least for optical ballots.
Beyond convenience for the news media and our natural desire to know results immediately, speed has an advantage: the longer counting goes on, the more likely errors are. Thirty-six hours is about the longest a person can stay continuously alert. If an election continues for more than 36 hours, either the operation must be stopped then restarted, or all responsibilities must be handed over from one person to the next. Errors thrive in such moments of confusion. Naturally, where there is potential for error, often there is potential for fraud. The ideal vote-counting system is swift as well as accurate.
But while we are waiting for that better system, it would be better to use hand counting in places that currently use punch-card or DRE systems. Optical systems that use the highest-quality optical readers and statistically-meaningful random hand recounts should continue to be used, for the time being. Mechanical voting machines have in inherent weakness, in that each individual's ballot is not recorded, only totals of votes for all people who used the machine, so a meaningful recount down to the level of the individual ballot is not possible. This problem makes mechanical lever machines undesirable. However, it would be a wrenching change for counties using mechanical voting machines to stop using them all at once. Mechanical lever machines should be retired, over time. That said, it would still make me uncomfortable to vote on a mechanical lever machine.
It will take years at a minimum to develop new, better systems. Meanwhile, reliable elections depend on us recognizing that our efforts so far to improve voting with technology have been an almost unmitigated disaster. The money spent on various automated systems to strengthen our democracy has instead weakened it. Voting technology has failed us because we regarded vote counting as a simple problem. We assumed that competent application of commercially-available technology to elections would naturally improve elections. We were wrong.
The author is grateful for the assistance of Dave Bilgray and Lawrence Hecht and the CPSR Working Group on Voting in the preparation of this article.
Erik Nilsson <firstname.lastname@example.org> chairs the CPSR Working Group on voting. He has published various articles on voting systems, written elections software, and observed elections. He is based in Seattle.
 The "year of introduction" column is my addition and wasn't in the Caltech/MIT report. Source: http://inventors.miningco.com/science/inventors/library/weekly/aa111300b.htm , or as noted.
 The modern paper ballot was introduced in Australia in 1856. It gradually displaced an older paper ballot technology.
 The study is unable to control for one source of bias that may make DRE and mechanical lever machines look better than they are. Some states allow party-line voting, where a voter can vote for all or at least many races by making a single indication. On lever machines, this is usually done by pulling one large lever for the chosen party. All of the above systems can support party-line voting, but party-line voting has traditionally been used with lever machines. Lever machines users have shown the most interest in DRE machines. Since voting straight-party never creates a residual vote, jurisdictions with party-line voting should have lower residual votes, independent of the technology used. If party-line voting is correlated with lever and DRE machines, the study would overstate their accuracy. Another possible bias is that optically-scanned ballots are used in two different ways. In some areas, the optical ballots are pre-scanned in the polling place, to check for overvotes. If there is an overvote, the ballot is rejected and the voter is given another chance on a new ballot. Some studies have shown this practice significantly reduces overvotes, so optical ballots without precinct pre-scan may by statistically worse than lever or hand-count, but that would seem to make optical with precinct pre-scan statistically better than lever or hand-count.
 The Caltech/MIT study ends with a note of optimism regarding DRE machines that is at odds with the rest of the report.
 A homomorphic encryption scheme is a public-key cryptosystem with the special property than one can compute an operation on plaintexts, say addition, by manipulating only ciphertext. Therefore, someone without knowledge of the private key can compute simple functions of the encrypted data. (Source: http://www.zurich.ibm.com/~sti/g-kk/mobile/homomorphic.html )
© Computer Professionals for Social Responsibility
|[ top ]||Newsletter Index|
Created before October 2004