Warning: Evoting Ahead

From local election officials to ordinary citizens, there's angst in the air over the security of electronic ballots.
July 2007

Election officials are jittery these days, and understandably so. This year marks a huge transition in how citizens cast their votes at the polls. All eyes are on the ballot box itself.

Voters will no longer have their say using lever machines with punch cards or the infamous butterfly ballots. Federal law--the Help America Vote Act, known as HAVA--requires that these old mechanisms be ditched in time for the 2006 elections and replaced with new technology: electronic voting machines. But in the midst of purchasing and installing, training and educating, setting up and testing the new machines, election officials are hearing urgent reports that the latest high-tech voting tools are vulnerable to mischief and worse--vote tampering and fraud.

Are they?

There doesn't seem to be a simple answer. Ever since governments began holding elections, the security of the ballot box has been an issue. Ballot boxes have been stuffed; punch-card votes have been found in closets or church basements. The addition of the electronic form may be just an extension of the persistent concern over voter fraud. And that concern may be inflamed by the unknown and misunderstood: Who controls that software, anyway, and can it manipulate votes? It's also provoked by the almost-overnight conversion of thousands of systems from paper to electronic. The new "boxes" are arriving all at once to so many voting places.

Given the unease, it's not surprising that a number of vote-protection groups have made news with chilling pronouncements about the potential for election fraud through software tampering and download tinkering. "There are so many security holes," says Bev Harris, founder of blackboxvoting, a nonprofit, nonpartisan watchdog group, "it's like Swiss cheese."


The major hue and cry has been over touch-screen machines, in particular, those manufactured by Diebold Election Systems. With these machines--in use statewide in Maryland, Georgia, Mississippi and Utah and in large jurisdictions in California, among others--voters simply touch a screen "button" to indicate their choice. But vote-protection advocates charge that touch-screen machines have an "awful flaw" that was engineered into them intentionally. It is easy--possibly too easy--to change the workings inside the machine and thereby affect the vote. Diebold says it's not a flaw but a useful functionality.

Ion Sancho, supervisor of elections in Leon County, Florida, was concerned enough about security of the Diebold touch-screen machines that he allowed two computer scientists to examine the machines without Diebold representatives present. The computer scientists found the potential vulnerability, and when Sancho's activities became public, none of the vendors certified in Florida would sell Leon County voting equipment. He also complains about a California case that led to Diebold paying a $2.6 million settlement in a lawsuit alleging the vendor made false statements about the voting equipment. Sancho says he was not told that "the company I depended on admitted lying to election officials." Diebold denies lying, acknowledging only a "misunderstanding."

While Sancho might not have chosen an optimal method for uncovering security flaws--allowing "random" people to fiddle with election software--it was a legitimate thing to do if there was a vulnerability that the vendor wasn't revealing, says Michael Shamos, professor of computer science at Carnegie Mellon University and a Pennsylvania election consultant.

Beyond security issues, many usability experts believe touch-screen design in general is inferior to that of other electronic systems in other industries and professions. Ben Bederson, an associate professor of computer science and director of the Human-Computer Interaction Lab at the University of Maryland, says the design of the touch-screen machine "is immature and not up to par with the rest of the computing industry." This stems, in part, from the requirements of confidentiality of the vote--unlike, say, an ATM machine that can have many checks and balances because transactions do not have to be kept secret from bank personnel.

Shamos agrees the touch-screen flaw is bad and that the machines need to be redesigned. But he also believes it is easy to fix for this election cycle. A security analysis requested by the California Secretary of State reached the same conclusion: The current bugs can be mitigated by proper security procedures.

Don't try telling that to Harris of Black Box. She says the security flaw is so severe that the machines should be pulled and not used until they are redesigned.

With all the agreement that the machines are poorly designed, one might wonder why they are in use at all. There are good reasons. The equipment makes it possible for blind and disabled voters to select candidates in private, using audio or other assistive devices, as required by HAVA. Previously, someone had to read the ballot and cast their vote for them. Also, the machines can be easily programmed in other languages, and there are keyboards that help those with dexterity problems. The bottom line is that, according to many election officials, voters, disabled and otherwise, really like them.

The alternative to touch screen is the optical-scan machine, which is popular with local election districts. On these systems, voters fill in circles on a sheet of paper that looks like an SAT exam answer sheet. The paper is then scanned through a machine, and a digital photo of every ballot scanned is saved onto disks.

More than half the counties have purchased optical-scan systems to replace their outdated voting machines. And although there are still some security issues with this form of e-voting, protect-the-vote advocates have more confidence in the approach. In part, that's because the disk provides the equivalent of a paper trail.

Many legislators, feeling that no one knows what's behind the curtain of electronic machines, want a paper trail for proof of votes cast electronically. David Dill, a computer science professor at Stanford University and founder of, says electronic voting is an "opaque" technology, that people "can't see the results or watch ballots being placed inside the ballot box. It's all happening invisibly in the machines."

That's why more than half the states have passed laws requiring that the voting machines spit out paper proof. Then voters can take a look at their completed ballot and check that their vote was recorded as they meant it to be. In most cases, that does not mean actually handling the paper.

Not everyone thinks a paper trail is the way to go. Paper trails solve one small problem but may create others. "It's a kindergarten solution to an important problem," Shamos says. His reasoning goes like this: Software engineers should be doing research to develop better electronic voting machines. But once a state adopts a paper-trail solution in statute, research comes to a halt. The state thinks the problem is solved.

There are other problems with the paper solution. Voting machines in general have a tendency to break down 10 percent of the time. Printers for a paper trail compound the problem, adding a second machine that can break down and doubling the chance that a voter's vote won't be counted. In a stress test of 99 Diebold machines in one county, 20 percent of them failed, and in the vast majority of cases, the printer was at issue.


Ask paper-trail advocates such as Dill whether the new electronic voting machines can ever be made 100 percent secure, and the short answer you get is no. "Even if you spend hundreds of millions of dollars on making them secure," he says, "you could never make them trustworthy. It's going to be an unending series of unpleasant surprises."

But there's no going back to the "safety" of old-fashioned voting. Butterfly ballots and punch cards, with their potential for hanging and pregnant chads, are prohibited. They contributed to the electoral difficulties of the 2000 presidential election, and it was the political chaos of that event that spurred the U.S. Congress to pass HAVA.

There's also a strong argument to be made about how difficult it might be to tamper with the heart of a new machine. There is a difference between what is possible, what is probable and what has actually happened. Hacking into an electronic voting machine is a "what-if scenario based on the premise that you have election officials willing to commit a felony to corrupt an election," says David Bear, a spokesman for Diebold Election Systems. Bear says the machines are only one aspect of elections. There are also processes and procedures jurisdictions have in place to guard against monkey business.

Electronic voting machines have been used in some places in this country for a quarter of a century. For all of the current hoopla about security, "there has never been a single verified incident of tampering with an electronic voting machine," Shamos points out. "By contrast, there have been hundreds of convictions of people for paper-ballot fraud during that time."

He compares the situation to giving an average citizen access to the bridge of an aircraft carrier. Would a layman know how to turn that carrier around? For people to sway election results by fiddling with the machinery, he points out, they would need expertise, access to a lot of machines, confederates to help them out and enough time and access to complete the task. And all of it would have to be done in secret. "It's a set of circumstances no one has been able to create yet," he says.

It's a point seconded by Michael Vu, director of the Board of Elections in Cuyahoga County, Ohio. He thinks electronic voting might actually be more secure than paper ballots. Just about everyone has the skills necessary to stuff a ballot box or throw a bunch of punch cards into Lake Erie. "When you move to electronic," he says, "you have only a certain population base with the knowledge to do that and the time to do that."

Cuyahoga County faced a slew of problems when it used electronic voting machines in a primary vote in May, but none of those woes had anything to do with high-tech hacking. Machines broke down. Power outlets didn't work. Adapters for the sockets weren't available. The printer providing the paper trails jammed. And 17,000 absentee ballots didn't work with the Diebold scanners that the county bought. They had to be counted by hand.

It may be that the real problems with electronic voting today are reliability and usability. That means election officials need to stay on top of the job they have always been required to do: checking the equipment for problems, sealing and locking away the equipment until the day it needs to be used and controlling who has access to it. Precincts also are supposed to check vote counts throughout the day, making sure the number of people who register on Election Day equals the number of people who actually vote.

One bright side to the angst and fear of mayhem for the November elections is this: At least it is not a presidential election year.

