Voting and Technology: Who Gets to Count Your Vote?
Paperless voting machines threaten the integrity of democratic process by what they don't do.
Voting problems associated with the 2000 U.S. Presidential election have spurred calls for more accurate voting systems. Unfortunately, many of the new computerized voting systems purchased today have major security and reliability problems.
The ideal voting technology would have five attributes: anonymity, scalability, speed, audit, and accuracy (direct mapping from intent to counted vote). In the rush to improve the first four, accuracy is being sacrificed. Accuracy is not how well the ballots are counted; it's how well the process maps voter intent into counted votes and the final tally. People misread ballots, punch cards don't tabulate properly, machines break down, ballots get lost. Mistakes, even fraud, happen.
When the election is close, we demand a recount. It involves going back to the original votes and counting them a second time. Presumably more care is taken, and the recount is more accurate.
But recounts will become history if paperless Direct Recording Electronic (DRE) voting machines -- typically touch-screen machines -- become prevalent. Approximately one in five Americans vote on such machines, as do citizens in several countries.1 In the U.S. the "Help America Vote Act" will subsidize more DREs.
DREs have some attractive features. The human interface can be greatly improved. People with disabilities can vote unassisted. Ballots can be changed at the last minute and quickly personalized for local elections.
However, all of the internal mechanics of voting are hidden from the voter. A computer can easily display one set of votes on the screen for confirmation by the voter while recording entirely different votes in electronic memory, either because of a programming error or a malicious design. Almost all the DREs currently certified by state and local agencies have an "audit gap" between the voter's finger and the electronic or magnetic medium on which the votes are recorded. Because the ballot must remain secret, there's no way to check whether the votes were accurately recorded once the voter leaves the booth; neither the recorded vote nor the process of recording it can be directly observed. Consequently, the integrity of elections rests on blind faith in the vendors, their employees, inspection laboratories, and people who may have access -- legitimate or illegitimate -- to the machine software.
With traditional voting machines, election officers are present to ensure integrity. But with DREs, election officers are powerless to prevent accidental or deliberate errors in the recording of votes. If there is tampering, it is likely present in the DRE's code, to which election officers have no access. In fact, DRE code is usually protected by code secrecy agreements, so that no one but the manufacturer has access to it. In recent cases the complainants have not been allowed to review the code, even when DRE-based elections have been contested in court.
Anyone who doubts the result of an election is now obliged to prove those results are inaccurate. But paper ballots -- the main evidence providing that proof -- are being eliminated. Vendors and election officials are free to claim that elections have gone "smoothly," when there is, in fact, no evidence the votes counted had anything to do with the intent of the voters.
This is an unacceptable way to run a democracy. The voters and candidates are entitled to strong, affirmative proof that elections are accurate and honest. Paper-based elections with good election administration practices show the losers in an election that they lost fair and square. DREs do not.
Many voters and election officials are under the impression that computerized voting machines are infallible. DRE manufacturers insist that care goes into the design and programming of the machines. They and some election officials reassure us the machines meet rigorous standards set by the Federal Elections Commission; that the designs are reviewed and the machines thoroughly tested by independent testing labs; and that further review and testing occurs at the state and local levels.
The problem with these arguments is that it's impossible without some very special hardware (and maybe even with it) to make computers sufficiently reliable and secure for paperless electronic voting. The manufacturers attempt to hide this fact by keeping the designs of their machines a closely held secret, and then challenging critics to find flaws in those designs. Ironically, reverse engineering the code used for voting machines to check for bugs or voting fraud is likely to be a violation of the Digital Millennium Copyright Act.2
Even if adequate reliability and security were achievable, current practices are grossly inadequate. There is no indication that the major vendors or testing laboratories have computer security professionals to design and evaluate voting equipment. Manufacturers make basic computer security errors, such as failing to use cryptography appropriately, or designing their own home-brew cryptographic algorithms. Moreover, regulations and tests of greater rigor than those used for DREs routinely miss accidental flaws in software for other applications, and have virtually no chance of discovering tampering with software.
Problems are routine.3 For example, a March 2002 runoff election in Wellington, FL, was decided by five votes, but 78 ballots had no recorded vote. Elections Supervisor Theresa LePore claimed those 78 people chose not to vote for the only office on the ballot! In 2000, a Sequoia DRE machine was taken out of service in an election in Middlesex County, NJ, after 65 votes had been cast. When the results were checked after the election, it was discovered that none of the 65 vote were recorded for the Democrat and Republican candidates for one office, even though 27 votes each were recorded for their running mates. A representative of Sequoia insisted that no votes were lost, and that voters had simply failed to cast votes for the two top candidates. Since there was no paper trail, it was impossible to resolve either question.
While accidental design flaws are likely to cause election disasters in the immediate future, deliberate tampering is an even more serious concern. In older voting systems, election fraud typically is a labor- intensive process of altering or forging individual ballots. With large numbers of DREs in use, a small group or even a single individual at a voting machine manufacturer could alter software later installed on tens or hundreds of thousands of machines. If modified software switched a small percentage of votes between political parties, the tamperer could change the outcome of close races around the country.
There is nothing fundamental to DRE machines that requires an audit gap. The DRE machine simply needs to record the vote on paper when the voter has finished voting.4 The voter reviews the paper ballot to verify it is marked in accordance with his or her intentions, after which the paper ballot is deposited into a ballot box. Discrepancies can be brought to the attention of an election official. The official vote count would be based on the DRE-produced paper ballots, with the DRE machine providing a preliminary total to be checked against the paper ballots in a recount. There is one such machine that is already certified in many states, and several of the major DRE vendors have agreed to provide voter-verifiable printers in contracts already in place.
Amazingly, the elimination of paper ballots is considered a major advantage by some, since the lack of paper simplifies the election process. The accompanying security risks are ignored, or even denied, by people who don't understand the underlying technology or simply want to believe the reassurances they receive from the vendors.
Maybe we will be extremely lucky, and every vote cast on DRE machines in the future will be accurately recorded. But there will always be surprising election results, and people who question the results. Even if voting machines are accurate, it's important that voters trust the machines and know they are accurate. Democracy should not depend on blind faith.
The anonymity requirement of elections makes voting machines difficult to design and implement. You can't rely on a conventional audit, as we do with large-value financial computer systems.5 Election machines must be treated like safety- and mission- critical systems: fault tolerant, redundant, carefully analyzed code. And they need to close the audit gap with paper ballots.
Over 900 computing professionals, including many of the top experts in computer security and electronic voting, have endorsed the "Resolution on Electronic Voting" petition,6 urging that all DRE voting machines include a voter-verifiable audit trail.
Fortunately, some policymakers understand the security issues relating to voting. Rep. Rush Holt recently introduced the "Voter Confidence and Increased Accessibility Act of 2003" (H.R. 2239)7 that calls for voter-verification and audit capacity in e-voting machines.
In 1871 William Marcy ("Boss") Tweed said: "As long as I get to count the votes, what are you going to do about it?" Paperless DRE machines ensure that only the company that built them gets to count the votes, and that no one else can ever recount them.
David L. Dill is a professor of computer science and, by courtesy, electrical engineering at Stanford University, Stanford, CA.
Bruce Schneier is CTO of Counterpane Internet Security, Cupertino, CA.
Barbara Simons is a former ACM president and current co-chair of ACM's U.S. Public Policy Committee.
2. See www.acm.org/usacm/Issues/DMCA.htm for information about ACM and USACM activities and statements relating to the DMCA.
3. See the Q/A Web page at verify.stanford.edu/evote.html and the wealth of information at www.notablesoftware.com/evote.html.
4. www.counterpane.com/crypto-gram-0012.html#1 is an early essay with this idea.
5. See www.counterpane.com/crypto-gram-0102.html#10 for more information.
6. See verify.stanford.edu/EVOTE/statement.html to read and endorse the petition.
7. See www.acm.org/usacm/PDF/HR2239_Holt_Bill.pdf
Categories: Elections, Laws and Regulations
Tags: Communications of the ACM
Wearing an “I Voted” sticker on Election Day announces that you are a proud participant in the grand tradition of representative democracy, the worst system except all the others. It says “I care,” “I’m informed,” and perhaps also “this shirt is machine washable.”
On that day (November 6! Mark your calendars!), when Americans are resting from their quadrennial labors of locating a polling place, standing in line, and pushing buttons, pulling levers, filling bubbles, or poking a touch screen, there is a surefire way to start a fight in any bar, church, or bus in the country. Three little words: I don’t vote.
Voting is widely thought to be one of the most important things a person can do. But the reasons people give for why they vote (and why everyone else should too) are flawed, unconvincing, and sometimes even dangerous. The case for voting relies on factual errors, misunderstandings about the duties of citizenship, and overinflated perceptions of self-worth. There are some good reasons for some people to vote some of the time. But there are a lot more bad reasons to vote, and the bad ones are more popular.
‘Every Vote Counts’
Let’s start with the basics: Your vote will almost certainly not determine the outcome of any public election. I’m not talking about conspiracy theories regarding rigged elections or malfunctioning voting machines—although both of those things have happened and will happen again. I’m not talking about swing states or Supreme Court power grabs or the weirdness of the Electoral College. I’m talking about pure, raw math.
In all of American history, a single vote has never determined the outcome of a presidential election. And there are precious few examples of any other elections decided by a single vote. A 2001 National Bureau of Economic Research paper by economists Casey Mulligan and Charles Hunter looked at 56,613 contested congressional and state legislative races dating back to 1898. Of the 40,000 state legislative elections they examined, encompassing about 1 billion votes cast, only seven were decided by a single vote (two were tied). A 1910 Buffalo contest was the lone single-vote victory in a century’s worth of congressional races. In four of the 10 ultra-close campaigns flagged in the paper, further research by the authors turned up evidence that subsequent recounts unearthed margins larger than the official record initially suggested.
The numbers just get more ridiculous from there. In a 2012 Economic Inquiry article, Columbia University political scientist Andrew Gelman, statistician Nate Silver, and University of California, Berkeley, economist Aaron Edlin use poll results from the 2008 election cycle to calculate that the chance of a randomly selected vote determining the outcome of a presidential election is about one in 60 million. In a couple of key states, the chance that a random vote will be decisive creeps closer to one in 10 million, which drags voters into the dubious company of people gunning for the Mega-Lotto jackpot. The authors optimistically suggest that even with those terrible odds, you may still choose to vote because “the payoff is the chance to change national policy and improve (one hopes) the lives of hundreds of millions, compared to the alternative if the other candidate were to win.” But how big does that payoff have to be to make voting worthwhile?
‘Voting Is an Investment in the Future’
If you ask a man on the street why rich people are more likely to vote for Republicans, he will probably tell you a story about how the GOP promotes policies that favor businesses and lower the tax burden of the wealthiest people in society. But your sidewalk interlocutor is wrong on two counts. First, rich people are not more likely to vote Republican. (It was a trick question.) Second, study after study, poll after poll, finds that people do not typically vote in ways that align with their personal material interests. The old, for instance, don’t support Social Security in higher numbers than the young.
In their seminal 1993 book Decision and Democracy: The Pure Theory of Electoral Preference (Cambridge University Press), University of Virginia philosopher and reason Contributing Editor Loren Lomasky and his co-author, Geoffrey Brennan, offer an alternative theory of what drives voters. But first they offer a methodology for calculating the value of a vote. On their account, the expected utility of a vote is a function of the probability that the vote will be decisive, delivering gains (to the individual or society as a whole) if the preferred candidate wins. The probability of casting the decisive vote decreases slowly as the size of the voting pool gets larger, but it drops dramatically when polls show that one candidate has even a slight lead. Which means that in a presidential election, where the number of voters is about 120 million and one candidate is usually polling a point or two ahead on Election Day, you’re screwed.
In his brilliant 2011 book The Ethics of Voting (Princeton University Press), on which I have relied heavily for this article, Georgetown University philosopher Jason Brennan (no relation to Geoffrey Brennan) applied the Lomasky/Brennan method to a hypothetical scenario in which the victory of one candidate would produce additional GDP growth of 0.25 percent in one year. Assuming a very close election where that candidate is leading in the polls only slightly and a random voter has a 50.5 percent chance of casting a ballot for her, the expected value of a vote for that candidate is $4.77 x 10 to the −2,650th power. That’s 2,648 orders of magnitude less than a penny.
It’s not hard to beat that offer. Say you plan to sleep for an extra hour instead of voting. Unless you are astonishingly well rested, an hour of sleep is almost certainly worth more to you than an infinitesimal fragment of a penny. Or say you plan to use that time to write an election-related blog post. The expected social payoff of even the lowest-traffic blog post is higher than the payoff from voting. In fact, an alternative activity plan isn’t even necessary: Simply not driving to the polls slightly reduces the chance that you or someone else will die in a car accident on Election Day, which is worth more than your vote can ever hope to be.
Those figures reflect 2006 GDP figures and 2004 voting totals, but it almost doesn’t matter what batch of reasonable numbers you plug into the equation. Say you think victory is worth 10 or 100 or 1,000 times more than the roughly $33 billion that 0.25 percent of GDP amounts to. Say the polls show a gap of two percentage points between the candidates. In any plausible scenario, the expected utility of your vote still amounts to approximately bupkes. A vote for a third-party candidate pushes the figure into even more infinitesimal territory.
Voters know this on some level. If they truly believed that each person’s vote could be the vote, imagine how they would treat people who disagree with them in early November. Voter suppression happens occasionally, of course. Unscrupulous actors send out flyers that give the wrong date for Election Day or mislead voters about the correct polling place. But if people were operating on the theory that your vote actually counts, far dirtier tricks would be happening everywhere, every day.
‘Voting Is a Civic Duty’
No individual vote is likely to determine the outcome of an election; nor is it likely to result in a material gain for the voter. Does that mean people who vote are irrational, evil, or stupid? Not necessarily. Or at least not all of them.
In October 2000, Harvard economist Gregory Mankiw penned a column for Fortune called “Why Some People Shouldn’t Vote.” During his years-long stint as a columnist for the magazine, this was the only article the editors refused to run. The column, which he published on his personal blog years later, suggests that “the next time a friend of yours tells you he’s not voting, don’t try to change his mind.”
Mankiw’s argument draws on a 1996 article by economists Timothy Feddersen of Northwestern University and Wolfgang Pesendorfer of Princeton University that cites the phenomenon of “roll off”—people who make it all the way inside the polyester curtains on Election Day and then leave some blanks on their ballots—to illustrate the point that people who believe themselves ill-informed routinely choose not to vote, thereby increasing the quality of voters who actually pull the lever for one side or the other. There is some additional evidence for this claim: Education is one of the two best predictors of voter turnout (the other is age). Better-educated people are much more likely to vote, which suggests that the pool of voters is better informed and more qualified to make election-related judgments than the pool of nonvoters.