What's Next for Electronic Voting?

Shift toward e-voting solutions raises more questions about voting integrity.

by / August 5, 2003
After the problem-plagued 2000 presidential election, the Help America Vote Act of 2002 (HAVA) aimed to re-establish America's faith in voting procedures. However, some say HAVA did not do enough to restore voter confidence. A recently introduced bill aims to finish what HAVA started, but critics say the legislation will halt the progress HAVA intends to achieve.

HAVA's mandate to replace outdated voting equipment caused a shift toward direct record electronic (DRE) voting machines, such as touchscreen machines, where voters directly cast their votes into electronic memory. Some say there is no way to ensure the voting machines are bug-free or have not been tampered with.

"The nightmare scenario is that the voter votes, confirms the vote, and then the vote is recorded internally in the machine differently than the voter intended," said Stanford computer science Professor David Dill. "I don't think there is any technological basis for somebody to assure us that can't happen."

HAVA required that voting machines produce a paper record of each vote and that each voter be able to confirm their vote before casting it. But HAVA does not specifically require that the voter verify the paper record.

"Right now the voter verified [requirement] is one thing; the paper record might represent something else. So there is an audit gap," said Dill. If votes are changed or lost due to system errors or tampering, a printout at the end of the day will reflect erroneous vote tallies, he explained. "Because of ballot secrecy, once the voter leaves the voting booth, there is no one who can make sure that voter's vote is consistent with what was actually recorded inside the machine. The voter can't do it. Election officials can't do it. The vendor can't even do it."

New legislation -- H.R. 2239, the Voter Confidence and Increased Accessibility Act of 2003 -- would require a voter-verified paper trail. The measure was introduced in the U.S. House of Representatives in May to amend HAVA, but some contend the bill causes more problems than it would solve.

Besides the paper-trail requirement, the bill mandates surprise recounts in 0.5 percent of jurisdictions and a verification system that separates the vote generation function from that of vote casting for those with visual impairments. The measure also would ban wireless technology in voting machines and require source code be made available for inspection by any citizen.

The recent press surrounding Johns Hopkins University and Rice University researchers who claim Diebold Election Systems' code may have fatal security flaws could bring this point to life because it is unclear whether the code examined by researchers was ever used in an election.

If vendors were required to expose their source code, voters wouldn't be left guessing about its quality, but exposing the code without precautions could prove disastrous, said Dill. "The code is probably full of security holes, because the companies are depending on secrecy so heavily."

But security for electronic voting devices shouldn't depend on secrecy of their source code, added Dill, regardless of the legislation. Even if the design is kept secret, he argued, the system should be secure even if the design were exposed.

At least one voting system manufacturer said exposing source code would not trigger security concerns. John Groh, senior vice president of strategic alliances for Election Systems & Software (ES&S), said his firm would make open source code as secure as its current system if the law were to pass.

However, there may be confusion over just how far the bill's source code requirement could stretch, and broadly distributing the source code could be an invitation for problems, according to Groh.

"You do not want that in the election industry," he said. "Where people can take something and modify it. That is exactly where somebody would take a system, change how the source code and all of the operational functions work, and make it not count ballots correctly."

Groh said the code for electronic voting devices is already subject to review by an independent testing authority, but exposing the source code to anyone who wants to examine it would threaten industry competition.

"If you open that up and allow anybody to look at it, the competitors are going to be able to look at each other's and take the good from somebody else's," he said. He also said to maintain the highest security, the code should only be available to those "directly responsible for testing and administrating elections."

But many computer scientists say the current certification process for electronic voting systems is too secretive. They contend citizens should be able to verify that the equipment is doing what it is supposed to do. "Publicly disclosing the design allows more people to inspect it and find problems," said Dill.

On a Web page devoted to frequently asked questions about DRE voting systems, Dill and fellow computer scientists Rebecca Mercuri, Peter Neumann and Dan Wallach give the example of how "easter eggs," or hidden features inserted by programmers that are triggered by arcane combinations of commands and keystrokes, according to them, routinely clear quality assurance tests by vendors.

Dill said a voter-verified audit trail is still necessary even if source code were exposed for inspection. "Security holes are sometimes still discovered the hard way," he said. "Open source is not a panacea, because it is practically impossible with conventional computer technology to make sure the open source software is what is really running on the computer."

Progress or Hindrance?
Others say requiring a voter-verified paper trail will halt implementation of DRE machines, which have numerous advantages, such as allowing disabled citizens to vote autonomously and facilitating voting in numerous languages, including some that lack written form.

Critics argue that the audit requirement would add cost and weight to the machines; necessitate additional supplies, training and storage space; and introduce one more piece of technology that can malfunction and tie up the process.

"If you require something that hasn't been successfully implemented yet -- that is contemporaneous paper replica -- counties are going to have no choice but to stay with inferior paper-based systems," said Ohio State University law Professor Dan Tokaji, who was involved in California voting reform as a former attorney with the American Civil Liberties Union of Southern California.

Although HAVA requires a voting machine in each precinct that allows those with disabilities to vote independently, Tokaji said if H.R. 2239 were to pass, counties could revert to less accessible systems, such as optical scans. To avoid going to duel-system elections, Tokaji explained, counties could argue that they don't have to use DREs to accommodate those with disabilities because of the language of the statute.

"The question of whether a contemporaneous paper replica will be required is passing a cloud over voting modernization. Counties are understandably afraid to take any action because they're afraid either Congress or the state may mandate something that turns out to be completely unworkable," Tokaji said.

Uncertainty about standards also has influenced voting machine vendors. "We have had to look at the architecture and make certain that if these types of bills get passed, we can shift gears and make the changes necessary to accommodate them." said ES&S' Groh.

Vendors have to be flexible to keep up with demand anyway, said Groh, but with the proposed changes, they have had a close eye on legislation to keep ahead of possible requirements.

The fact that industry players are offering solutions in advance of legislation means the paper trail may find its way into use even if the bill doesn't pass. The major vendors are developing machines capable of a voter-verified paper trail, so jurisdictions can opt for its implementation even if the law does not require it.

A Paperless Compromise
Paperless technology capable of achieving an audit trail -- it would capture an image of the screen as the vote is cast and save it separately from tabulated votes -- is being developed.

Although the electronic version may not satisfy all audit trail advocates, the option would have advantages aside from eliminating need for additional supplies and storage.

The electronic audit trail could easily keep track of many languages, said Groh, which on paper could be problematic. "Are you going to require the printer to print in all those languages?" he said. "And then if it does print in all those languages, later when somebody goes to look at those ballots and interpret, you're going to need somebody that can interpret every language ballot that's there."

In California, the Ad Hoc Touch Screen Task Force created a report for Secretary of State Kevin Shelley that put forth an electronic audit trail as a possible solution, but acknowledged it would take time systems to develop, certify and implement systems.

Hurry up and Wait
One county has decided to wait for the legislation and technology ruckus to pass. The Sacramento County Board of Supervisors cancelled an RFP for touchscreen voting machines. Former Sacramento County Registrar of Voters Ernest Hawkins -- who retired Aug. 1 -- recommended the RFP cancellation to hold out for better equipment and to await resolution of the uncertainty over legislation.

Hawkins said even though vendors had developed or were in the process of developing better technology, the wording of the RFP would have required them to buy inferior equipment because the state had not yet certified the new equipment.

"If we'd have gone forward and made a recommendation to the board and actually bought equipment at that time, the vendors would have been obligated to install equipment here that was not state of the art," Hawkins said.

Uncertainty over federal legislation was also part of his decision to recommend cancellation. Hawkins said because part of what HAVA produced was a new organization to develop standards, and the process of appointing its members is not yet complete. "We're probably not going to have standards for a year, so we were a little bit reluctant knowing that we we're buying equipment that might not even meet the specs," said Hawkins.

Hawkins said because HAVA hasn't been fully implemented and put to the test, passage of H.R. 2239 is unlikely at this point. "I think the tendency is to hold off doing anything until that organization is in place, until we have the presidential elections next year and we see how this new Help America Vote Act works, and whether or not there is more reform that is needed at the federal level before legislation will get serious hearing, review and passage." he said.

"Were going through a period of hurry up and wait," Hawkins added. "Waiting to get everything fully into place before much of anything more will happen in my opinion."
Emily Montandon Staff Writer/Copy Editor