Split Decision

E-voting machines perform well in November election, but glitches remain.

by / January 29, 2007 0
The 2000 presidential election crisis sent states scrambling to buy direct-recording electronic (DRE) voting machines to eliminate hanging chads and other paper ballot hazards.

Yet several states endured a recent barrage of bad publicity from DRE voting malfunctions and security vulnerabilities. DRE voting typically allows a citizen to vote by touch-screen. The machine records and counts the votes electronically, which, according to advocates, makes it stunningly accurate and eliminates most voter errors.

DREs potentially resolve common paper-ballot errors, such as voters not voting in a particular race, or voters selecting numerous candidates for one position. However, before the 2006 midterm elections, poll workers in several states had trouble running the machines and often reported voting irregularities.

These difficulties lowered expectations for DRE voting in some communities, but the midterm elections passed without major problems.

DRE machines performed admirably across the nation in most cases, said Doug Lewis, director of the National Association of State Election Directors. Local election managers declared the machines a triumph, and the topic disappeared from most news pages.

Polls nationwide appear to have seen the worst of the DRE transition, but some observers say election officials may be resting too easily now.

Maryland's 2006 primary in September endured so many technical failures with its Diebold voting machines that Gov. Robert Ehrlich Jr. announced he'd vote absentee in the November general election. Thousands of voters followed suit. And in Sarasota County, Fla., polls reported glaring irregularities with a high-profile congressional race.

Numerous computer scientists continue to warn against the vulnerability of DRE machines to malicious software that could fix elections.

Eliminating Errors
A vote people can't see or touch still makes many nervous. Much criticism of DRE machines revolves around the lack of a paper trail or tangible documentation. But inaccuracy and fraud have plagued paper ballot tabulation for ages. Problems typically grab voters' attention after close or controversial elections.

The federal Help America Vote Act of 2002 (HAVA) gave states funding to update their voting equipment. The law sent states scrambling to buy DRE machines.

The concept wasn't exactly new, however. Some voters have used certain forms of e-voting machines since 1979, said Michael Shamos, computer science professor at Carnegie Mellon University.

"We've been using them in Pennsylvania since 1984," Shamos said. "The advocates who argue against DRE voting make it sound as if it's a brand new thing that we rushed into because of HAVA. They don't tell you that we've been using them for a very long time."

Fairfax County, Va., introduced the Shouptronic voting machine in 1981 and used it until 2002. This early DRE system looked like a traditional lever machine except voters pushed a button next to a candidate's name on a backlit screen. The machine then recorded the choice to a computer hard drive. The machines used memory cartridges, backup batteries and they printed paper tallies to protect the votes.

Most say a DRE voting machine's primary selling point is that it drastically reduces voter error -- the source of the 2000 Florida crisis.

"Electronic voting machines provide a tremendous amount more guidance through the ballot," Shamos said. "They can warn you that you haven't voted for a sufficient number of candidates by giving you a message flashing things in red. They give you a chance in the end to review your whole ballot and alert you that you've made a mistake. They can present the ballot in very large type for people who are visually impaired. They can display the ballot in multiple foreign languages -- all kinds of things just not possible with paper."

Florida ... Again
Still, some counties reported irregularities with DRE voting machines after both the 2004 and 2006 elections. Observers emphatically profess the need to identify the remaining weaknesses before election officials get too comfortable and those weaknesses become accepted as par for the course.

Sarasota County, Fla., voters challenged the results of a congressional race between Democrat Christine Jennings and Republican Vern Buchanan in the November election. Buchanan won by a paper-thin margin, but voting irregularities were reported in the county, which uses DRE machines.

The Florida Elections Canvassing Commission certified Buchanan the winner of the 13th Congressional District race by 363 votes. But the county's DRE machines tallied a surprising 18,000 undervotes -- a term used to describe when a voter selects neither candidate on the ballot.

The Electronic Frontier Foundation (EFF), a nonprofit freedom of speech advocacy group, said the undervote rate in Sarasota County was 16 percent, compared to 2.5 percent for the same election's paper absentee ballots and 1 percent in the U.S. Senate race on the same electronic ballot.

The American Civil Liberties Union, EFF and other organizations are representing Sarasota County voters in a lawsuit for a revote. The suit hinges on whether the legal team can prove the machines were defective.

"The circumstantial evidence is very strong that something happened with the machines or with the procedure surrounding the machines. The first task is to look inside the machines, inside the procedures and figure out what happened," said Matthew Zimmerman, attorney for the EFF, explaining that the e-voting process suffers from a lack of transparency.

"The technology and procedures are so closed that it's hard for anyone on the outside to tell what happened," Zimmerman continued. "If there was a problem with the machines, the thousands of votes that weren't cast are not going to be recoverable. At the end of the day, as we said in the complaint, it may lead to a requirement for the election to be rerun. It's hard to know what that would look like."

Zimmerman said his clients would request for the revote to happen on optical scan machines, which they consider more accurate. He said asking voters to revote on the same machines that failed them in the first election would be bad public relations, even if the possible error were fixed.

"It's going to be hard to go back to the voters in Sarasota and tell them to use the machines over again," Zimmerman said.

With the potential timeframe already shrinking, Zimmerman said the court would need to mandate a certain amount of lead-time to publicize the revote. Election officials would need to publicize instructions particularly clearly because the revote would only include voters who voted in the original 2006 election.

"We're really trying to be as fair as possible," Zimmerman said.

If the presiding state judge gives the EFF's legal team time to examine the machines, all parties involved will need to negotiate over which and how many experts participate, Zimmerman said. That pool is already expanding because the Christine Jennings campaign filed its own lawsuits. At press time, the Jennings campaign had lost all attempts in court at evaluating the machines. House Speaker Nancy Pelosi agreed to seat Buchanan on a provisional basis until the conflict was resolved. Activists are demanding further court proceedings and a congressional investigation before Buchanan is permanently seated.

"The Jennings camp is pushing its own suits. They have their experts. We have our experts. The defendants in the case have either in-house people or experts they will bring in," Zimmerman said. "ES&S [Elections Systems & Software] was just named as a defendant to the Jennings case, so ES&S will have their technicians involved."

Sarasota County used ES&S voting machines in the 2006 election.

Zimmerman said he is pushing for an agreement that limits the number of participating experts. He said the judge already limited the time allocated for discovering defects, which would likely accelerate the process.

"I don't think anyone wants to get to a point where Buchanan is sworn in and is the new congressman," Zimmerman said, "and then we find out later that there was a problem and have to have a new election."

Testing, Testing
Zimmerman said he didn't want to definitively judge the performance of DRE voting machines nationally until more information emerged. Still, he said it certainly wasn't the triumph some claimed. "We saw at least eight or nine states where polling places opened late because of one snafu or another with these machines," he said. "A lot of them appear to have been based on the failure to either deliver passwords or hardware components that would allow the machines to turn on, or some other kind of nonfatal problem. Needless to say, it was still important, and it led to many polling places being closed several hours. That is not insignificant."

Zimmerman said requirements allowing vendors to conceal the machines' proprietary code so other vendors can't copy their work makes holding vendors and election officials accountable difficult. Not allowing outside organizations to analyze the code that records and tabulates votes destroys transparency in government, he added.

"The problems we're really concerned about are what we can't see. The evidence that would allow us to figure out what could happen still isn't generally available to the public for analyzing. It's only by going through public record requests and fighting election officials across the country that we get a better idea of what kind of performance these machines have," Zimmerman said.

In 2006, a research team at Princeton University's Center for Information Technology Policy created and demonstrated Trojan horse software it claimed was capable of altering results on a Diebold machine. The researchers received a Diebold voting machine to experiment on from an undisclosed source.

Because the machines often get downloaded with updated software from the vendor, the Princeton researchers said a person could use one of those occasions to insert malicious software similar to the software they created.

Edward Felton, professor of computer science and public affairs director of the Center for Information Technology Policy, brought a Diebold machine before Congress. He fed the machine his software, then conducted a fictional election between George Washington and Benedict Arnold. After George Washington received the majority of Felton's votes, the machine named Benedict Arnold the winner. Felton announced that his software was completely undetectable and could erase evidence of its existance in the machine after altering voter results.

But not all agree the software is completely undetectable. "The biggest problem with these allegations is that the premises are dependent on complete and unfettered access to a system, which is not reflective of a real election environment," said David Bear, spokesman for Diebold Election Systems.

He said the allegations ignore the fact that an election fixer would need access to the systems' locked storage locations. He or she would need to break serialized seals on the machines that would leave evidence of tampering to gain the needed information for creating a Trojan horse. And he or she would need to have a clearance code on Election Day to access the closely watched machines.

Bear said Felton's team didn't account for circumventing those kinds of realities that would normally block a felonious programmer from creating malicious software. The researchers simply had a machine dropped in their laps, he said, and got to comfortably take their time creating a virus.

Both Bear and Shamos emphasize that despite numerous "what if" scenarios, there is no documented case of a DRE machine being fixed.

Shamos said fears over similar software invading voter polls are overblown. He said voters and election officials should view similar discoveries as lessons in improving voting machines -- not causes to abolish them.

Shamos said Felton merely demonstrated that poll workers could ensure their DRE machines were free of such software by running a simple test before voting started -- a test just like Felton did before Congress. They could perform a small test election on the machines, knowing the results beforehand. If any of the machines produced numbers different than what the poll workers entered, they would know the machines had been compromised.

"I don't see what's so frightening about that," Shamos said.

Zimmerman said he believes election officials genuinely care about voting accuracy, but they tend to declare success prematurely.

"There is an instinct to declare victory -- to declare that the machines worked perfectly -- that there weren't any problems based only on the fact that they didn't notice any machines crashing or some kind of blue screen of death like you see on a Windows machine," Zimmerman said. "The certification that approves these systems is, for the most part, very inadequate. There isn't a very substantive review of the code and the components that go into these systems."

Georgia Turnaround
Georgia's certification process is far from slipshod, insists Chris Riggall, press secretary for the Georgia Secretary of State's Office. The Georgia General Assembly appropriated funding to create the Center for Elections Systems at Georgia's Kennesaw State University in 2002 -- the year the state implemented its Diebold machines.

"The Center for Elections Systems [was] our eyes, ears, expert advisers, auditors, testers and evaluators as we went through the deployment process," Riggall said, adding that the center tests all aspects of any new software Diebold releases for the machines.

"Usually it takes a few months if there's a new release of software where they torture-test things, and they vote [numerous] times on it," Riggall said. "They also developed a hashing program they use when going into all of our counties to make sure the servers are operating a pristine, uncorrupted version of the certified software. They verify the election-management software to verify that it is identical to the version that came through federal and state certification testing. They run the hash on servers. They inspect the physical security of the voting units, county election servers and the chain of custody of the hardware."

Georgia also established voting equipment security regulations that were far more stringent than the existing federal standards.

The Study
Riggall said some Georgia counties suffered larger residual vote rates -- left a selection blank, made too many selections or were disqualified by a poll worker than Florida did in the 2000 election. The General Assembly formed the 21st Century Voting Commission, a bipartisan group of legislators, the League of Women Voters and other similar organizations. The commission conducted a study of Georgia's voting problems and explored potential solutions.

"We did that right off the bat in 2001 and spent the next year looking at what other communities did," Riggall said, noting that 94,000 ballots -- 3.5 percent of the ballots cast statewide -- in the 2000 presidential race showed no choice for president.

The study broke down each county by precinct and noted the voting method in each one.

He said punch cards were the most common voting machines used, and produced the highest residual vote rate. That didn't surprise anyone. But optical scan machines -- which read and store results from paper ballots that are filled in by voters -- performed far below expectations in some precincts.

"Some of those counties demonstrated alarmingly high residual vote rates with optical scan, including quite a few precincts showing residual vote rates in the double digits. Some of them were higher than 20 percent in the president's race, if you can believe it. Obviously when you've got a 20 percent undervote rate you've got a problem," Riggall said, later adding, "That led us to DRE."

The 21st Century Voting Commission conducted a pilot to test DRE machines offered by several different vendors in the state's 2001 municipal elections. Riggall said the state needed to pay for the machines because most counties couldn't afford them.

"Most of the major vendors at the time participated in that pilot, brought their equipment in, trained the locals on using it, did some public education about it and actually had voters participate in that process," Rigall said. "We also did exit polling to intercept voters and garner their feedback."

The commission took its findings to the governor and General Assembly, and received authorization to purchase Diebold DRE voting machines for all 159 Georgia counties.

"Funding from HAVA was sort of a promise off on the horizon, but we certainly had no certitude at the time that the feds were going to make good on this discussion. We made our deployment and purchases with bonds," Rigall said. "It was a $54 million investment."

He said after the 2004 presidential election, the Secretary of State's Office reviewed the counties that once showed large residual vote gaps between precincts using optical scan machines. Those gaps nearly disappeared, Riggall said.

"That tells you technology makes a difference," Riggall said. "These were people in the same community voting in a presidential election four years apart. With an optical scan environment there was a difference of 7, 8, 9, 10 and even 15 percent. With a DRE environment they've got .7 and .9 [percent] differences. Those translate into thousands of ballots that are being counted that were formerly not."

Paper Trail
Many advocate DRE machines that produce a paper record of each vote for recounts as a compromise.

The Election Center's Doug Lewis said he favors such machines, but that the existing models need design improvements.

"The current systems by design at this point are not as reliable as you would like for election use. As a result, you're asking poll workers of an advanced age to become voting systems technicians to repair these inexpensive printers that were not designed to carry this kind of load -- fixing paper jams with coat hangers or paper clips, or trying to replace paper rolls when [the poll workers] don't know how to do that very well," Lewis said. "Or having ink or ribbon run out. All of those things complicate the process."

Federal standards require DRE machines to have some mechanism for "trapping" a citizen's vote exactly as he or she voted. Lewis said DRE machines usually achieve this by saving the vote to flash memory with triple redundancy.

Many state election laws say that those "trapped" votes must be considered the actual vote, meaning if a trapped version of that vote doesn't exist the vote doesn't count. Here is where the current paper record machines create a serious problem, Lewis said.

"If anything happens to the paper, if it gets destroyed, jammed, the printer sits there and prints 7,500 lines all on the same spot and never advances the paper," he said. "Then you've lost the paper ballots."

Cuyahoga County, Ohio, encountered those problems after its 2006 primary, according to a widely reported study by the California-based Election Science Institute (ESI). ESI reported that in addition to damaged and illegible paper ballots, 87 rolls of paper ballots went missing.

Lewis said printer errors disqualified 10 percent of the votes in that county, but added that he thinks DRE machines with printers will become the common standard in the long term.

"If you give the engineers long enough, they'll figure this out," Lewis said.

The Big Picture
DRE machines already are common in a few other countries, like Canada and India.

"India is 100 percent e-voting. Typically the number of votes cast in India in an election is about three times the size of the U.S," said Carnegie Mellon University's Shamos, noting that DRE machines are less common in many European countries because their elections are less complicated than those in the U.S. "The U.S. has the most complicated elections in the world. This is historical. It has to do with the nature of our representative democracy, which is different from that of Europe, which is parliamentary. You don't vote for candidates in Italy. You vote for parties. That's an extremely simple ballot."

Shamos said many who panic about DRE machines forget how inaccurate paper ballots can be.

"Even if you counted the Florida election 100 percent accurately, that is, every hole on every punch card was counted exactly right, you would still have an inaccurate election because the setup of the ballot misled voters into voting for the wrong person," Shamos said, adding that paper ballots also are vulnerable to fraud.

"To this day people still get convicted for paper ballot fraud after every election cycle in the United States," Shamos said. "In the 27 years that we've had DRE voting there hasn't been a single verified incident, either of tampering or of an attempt to tamper.

"It's time for everybody to calm down and realize that this is an engineering problem. There are certain requirements for a voting system. It has to be safe. It has to be secret. It has to be usable. It has to be reliable," he continued. "Those are the kinds of things you go and tell an industrial engineer when he goes and signs a product. If we find a vulnerability in a machine, the simple thing to do is fix it. You don't all of a sudden say, 'Aha, the Diebold machine is vulnerable; therefore, we need to outlaw DRE machines all over the United States.'"
Andy Opsahl

Andy Opsahl is a former staff writer and features editor for Government Technology magazine.