Some Problems With the Electronic Vote
Guillermo Ramón Adames y Suari - PVNN
September 28, 2010
Let me list some of the most commonly raised problems with electronic voting. Each paragraph should be read independently of the others; consider the text of the article as a list.
Computerized financial systems get most of their security from audit. If a problem is suspected, auditors can go back through the records of the system and figure out what happened. And if the problem turns out to be real, the transaction can be unwound and fixed. Because elections are anonymous, that kind of security just isn't possible, unless there is a procedure that allows not traceability but double independent recording.
Software can be 'hacked': someone can deliberately or accidentally introduce an error that modifies the result in favor of “his” candidate.
Open Code is certainly one of the best possibilities but a lot of money is still needed for the system to actually see the light. Many organizations are involved in this effort. The fear is that errors in the software - either accidental or deliberately introduced - can undetectably alter the final tallies. An election without any detected problems is no proof that the system is reliable and secure.
“Open code” has two advantages: it allows any interested party to examine the software and find bugs, which can then be corrected, a public analysis that improves security; and it increases public confidence in the voting process. If the software is public, no one can insinuate that the voting system has unfairness built into the code. Companies that make these machines regularly argue that they need to keep their software secret for security reasons. Don't believe them. In this instance, secrecy has nothing to do with security: it is just pure business.
Changes or errors in the software can have far-reaching effects. A problem with a manual machine just affects that machine. A software problem, whether accidental or intentional, can affect many thousands of machines and skew the results of an entire election.
Surprisingly enough, the auditing that is conducted on slot machine software in the US (these concerns came up in Vegas!) is far more meticulous than that applied to voting software. The development process for mission-critical military software makes voting software look like a toy when the course of the nation is at stake.
Errors have nothing to do with whether the voting machines are hooked up to the internet on Election Day. The threat is that the proprietor’s computer code could be altered while it is being developed and tested, either by one of the programmers or a hacker who gains access to the voting-machine company's network. It's much easier to modify a software system than a hardware system, and it's much easier to make these modifications undetectable.
Some have argued in favor of touch-screen voting systems, citing the millions of dollars that are handled every day by ATMs and other computerized financial systems. That argument ignores another vital characteristic of voting systems: anonymity.
We should use touch-screen voting; the benefits of DRE machines are too great to throw away. But we need to recognize the limitations and design systems that can be accurate despite them.
Computer security experts are unanimous on what to do (some voting experts disagree, but it is the computer security experts who need to be listened to; the problems here are with the computer, not with the fact that the computer is being used in a voting application). They have two recommendations, and those are based on the Mercuri security methods that I have indicated in previous articles:
DRE machines must have a voter-verifiable paper audit trail (also called the Mercuri Security system). This is a paper ballot printed out by the voting machine, which the voter is allowed to look at and verify. He doesn't take it home with him. Either he looks at it on the machine behind a glass screen, or he takes the paper and puts it into a ballot box. This is known as double voting: electronically and physically.
Computerized systems with these characteristics won't be perfect - no piece of software is - but they'll be much better than what we have now. We need to treat voting software like we treat any other high-reliability system. The course of any nation is in the hands of this process.
If we get the technology right, it still will not be finished. If the goal of a voting system is to accurately translate voter intent, the voting machine itself is only one part of the overall system. In the 2004 US election, problems with voter registration, untrained poll workers, ballot design, and procedures for handling problems resulted in far more votes being left uncounted than problems with technology. Let's learn from this for Mexican elections.
If we're going to spend money on voting technology, it makes sense to spend it on technology that makes the problem easier instead of harder.
Last but certainly not least, nobody seems even to consider other countries' experiences. Brazil, Estonia, France, Venezuela and others already vote electronically. It is unthinkable that they have not considered what I have written above and have not found solutions to these problems. What is surprising is that, despite that existing knowledge, nobody in the US or in the corresponding forums even considers those already existing solutions.
Guillermo Ramón Adames y Suari is a former electoral officer of the United Nations Organization. Contact him at gui.voting(at)gmail.com