Safeguarding the Vote by Doug Pibel

Last November, I voted. At least I think I did. When I got to my polling place, instead of the familiar ballot where I drew a fat, black line to connect two parts of an arrow, I was handed what looked like a blank credit card. I plugged that into one of the spiffy new touch-screen voting machines and started touching the screen. When I was done, the machine showed me a summary of the votes I'd cast. I returned the magnetic card, and that was it.

It was a bit spooky. No ballot, nothing tangible, just a momentary display on a screen. But I'm a guy who has a seven-year-old computer with a dial-up internet connection. A Luddite. Who but a Luddite could possibly object to the very latest whiz-bang computer voting technology?

That's what the Supervisors of Santa Clara County, California, thought when they solicited bids for direct recording electronic (DRE) voting equipment. They discovered that a group of high-powered computer professionals think paperless voting is a bad idea, too. Computer folk, a group not noted for political engagement, are warning that a technology now being adopted nationwide threatens trust in the election process and is open to manipulation on an unprecedented scale. They are raising the disquieting idea that this faulty technology endangers the very core of democracy—the right to cast a vote that counts.

Nobody denies that touch-screen voting has advantages. In one machine, you can have ballots in multiple languages, enlarged type, audible ballots, voice-activation—it's an accessibility dream. You also have huge savings in paper and printing costs; with a full DRE system, those costs are zero. Voters can correct errors without the fuss of getting a new ballot.

So why do the computer professionals have problems with DRE voting? Because they know, even better than most of us, the vulnerability of computers to error or downright sabotage.

The dark worry about unverifiable voting is that with machines all centrally programmed, vote fraud on a large scale becomes, not merely conceivable, but easy. It may already have happened.

One of those sounding the alarm is Rebecca Mercuri, an assistant professor of computer science at Bryn Mawr College and founder of Notable Software, Inc. a computer security firm, who wrote her Ph.D. dissertation on electronic voting machines. A losing candidate in the 2002 Florida elections retained Mercuri to examine the DRE machines used in Palm Beach County. During litigation, Theresa LePore, still directing Palm Beach County elections post-butterfly-ballot, testified that, under the contract with the voting machine manufacturer, it would be a felony for her to allow Mercuri to examine the computer code running the machines.

Even basic checks of machine function are impossible. The machines are programmed to lock in results at the end of election day; they do not leave that mode until they are programmed for the next election.

While the reason for locking the tally is clear, there is no known way, once the tally is recorded, to set the machine in election-day mode, simply for the purpose of determining whether the machine properly records what is touched on the screen.

Mercuri does not claim any specific instance of vote fraud. But she says that, without paper ballots, there's simply no way to know.

She notes, too, that voters recently lost another check of vote tally accuracy. Since 1964, Voter News Service (VNS), owned by a consortium of broadcast and print media, provided exit polling election-night projections. Following the election fiasco of 2000, VNS undertook a complete redesign of its computers. On election day 2002, VNS announced that, due to computer problems, it would produce no projections. VNS has never released its exit-polling data from the 2002 elections. In January 2003, the owners of VNS announced that they were disbanding the service, which has a historical record of remarkable accuracy.

A growing number of people see a sinister trend in these computer difficulties.

Glitches, miscounts, and odd results
A multitude of websites collects accounts of glitches, miscounts, odd results, and other problems with computerized voting equipment. In the 2002 Florida governor's race, people reported touching the screen in the area designated for McBride, and having the computer show that they voted for Bush. In Comal County, Texas, three Republican candidates in different races received precisely the same number of votes, 18,181.

Other oddities include a Florida election clerk who said she and her poll workers kept a hand count of voters—713—but the machines reported 749 voters. When she reported this to her superiors, she was told, she says, that this was within the 10 percent error range they considered acceptable. In Pennsylvania, a voter reported that he had voted Libertarian. When he reviewed the results for his precinct, though, the Libertarian candidate received zero votes.

In 2002, Georgia became the first state to use all-electronic voting. Georgians elected their first Republican governor since the end of the Civil War, although every pre-election poll showed the Democratic candidate leading. In the senatorial race, although polls the day before election day showed the Democratic incumbent, Max Cleland, leading by two to five points, he lost to Republican Saxby Chambliss by seven.

Many of these stories have been unearthed by Bev Harris, a Seattle-area writer and literary publicist, who has written extensively on preventing embezzlement. When stories began to surface of the secrecy surrounding DRE equipment, alarms went off in her head. “In accounting you look for checks and balances,” Harris says. DRE voting equipment “doesn't even have minimal safeguards.”

Harris began investigating the world of electronic voting. She turned up the connection between Senator Chuck Hagel (R-Nebraska) and ES&S, a voting equipment manufacturer that supplies all the machines for Nebraska elections. Hagel was formerly CEO of the company and retains major stock holdings in it. More disturbing was her discovery that Diebold, which supplies voting equipment to 31 states, maintained an internet site, accessible to anyone who found it, containing the computer files that Diebold machines use to count votes—meaning anyone could manipulate the software.

Harris maintains a website, www.blackboxvoting.com, and has written a book, Black Box Voting, due out in May, which details her findings.

Understanding some of these problems—such as the computer science truism that you can never prove that a computer is working correctly—requires computer knowledge. Grasping other problems—that a reasonably competent child can make a computer show one thing on the screen, record quite another to its memory, and report a third thing as output—is easy for any suspicious layperson.
The essence of the issue is verifiability. How can the voter know that the machine has recorded what the screen displayed? If there are questions about the tally, how can the numbers be verified?

Using the current crop of DRE machines, the answers to those questions are, “They can't.” The voter sees what the screen displays, but has no notion of what happens behind the screen. The vote tally is nothing more than pushing a button asking the machine to spit out a number; in case of a recount, the same button gets pushed, producing the same number.

Imagine your grocery store has just installed the latest computer cash register. The cashier scans each item from your basket, then pushes a button. The machine shows a total. You think it sounds a little high, and tell the cashier. The cashier pushes the same button; the machine shows the same total. Most people wouldn't trust a grocery purchase without a paper receipt allowing them to check the total. Increasing numbers of people are trusting their votes to machines that don't do that.

Trust, according to computer pros, is just what computers are not entitled to. Consider ATMs, which provide security at several phases—a user must produce a card and a PIN, the machine produces a receipt, the transaction is reported to customers in monthly statements, cash itself is often a check on the accuracy of the transaction, and, unbeknownst to many, almost all ATMs produce a video image of all users.

Despite all that, ATM fraud is common. In order to preserve the secret ballot, the security measures used for ATMs are impractical or impossible. The requirement for anonymity precludes photographing voters; use of such things as smart cards, PINs and receipts raise concerns of vote-selling.

A simple check
Yet there's a solution. Rebecca Mercuri has designed a simple way to verify electronic votes: the voter uses a touch screen, but is presented with a printed ballot, displayed behind glass. If the voter OKs the ballot, it drops into a ballot box. If not, it is void, and the voter re-votes.

Few knew of the problems with electronic voting or the solution to them when Santa Clara County solicited their voting machine bids. But Santa Clara County is home to Stanford University and to a big hunk of Silicon Valley. Tech-heavy is an understatement. So when David Dill, professor of computer science at Stanford, organized his colleagues to give the supervisors testimony on voting technology, he expected the county commissioners to pay attention.

Over the course of three hearings, Dill and other computer scientists, including Peter Neumann, principal scientist at Stanford Research Institute, drove home one main point: a machine that produces no “voter verifiable audit trail” (paper ballot) cannot be made secure.

The voting machine vendors disagreed, arguing that combining paper ballots with touch-screen voting was untested technology.

“The sales pitch seems quite naïve about computers,” says Dill.

Dill placed all the materials gathered by his group on a website, as a clearinghouse for anyone interested in the issue. He also drafted a “Resolution on Electronic Voting,” which calls for a moratorium on any voting system that does not provide a tangible record for the voter to examine before leaving the voting booth. The resolution is endorsed by nearly 600 computer professionals, including Rebecca Mercuri. It's a hard sell to claim that they're 600 technophobes.

At the end of the Santa Clara hearings, when Dill's group had presented all their evidence, they prevailed, at least provisionally. The county supervisors voted to buy machines that provide a voter-verifiable paper record, and to petition the secretary of state for permission to run pilot tests in the November 2003 and March 2004 elections. In addition, the machine producer agreed to make, at no charge, any modifications mandated by the state—almost simultaneously with Santa Clara County's decision, California's new secretary of state appointed a task force to study the issue of requiring that DRE machines produce paper ballots. Dill is a member of that task force.

When Harris began her investigation she assumed that public officials buying the machines had never considered the problem. The problems are now clear, yet Santa Clara County's willingness to shift course is rare. “When people know and still deny, there's something else going on,” Harris says.

Mercuri and Dill are at a loss to explain the resistance to a balloting paper trail. Dill observes that, in the wake of the 2000 Florida debacle, some election officials are wary of paper ballots. Yet the problems with paperless voting threaten to dwarf those of the 2000 election.

For more information on electronic voting, see Rebecca Mercuri's website, www.notablesoftware.com. Information on computer voting problems is collected at www.votewatch.us. Doug Pibel is a frequent YES! contributor whose opinions can be found at www.democraticunderground.comand www.onlinejournal.com.