The following piece was produced through OffTheBus, a citizen journalism project hosted at the Huffington Post and launched in partnership with NewAssignment.Net. For more information, read Arianna Huffington's project introduction. If you'd like to join our blogging team, sign up here If you're interested in other opportunities, you can see the list here.
This is the second in a two-part series. To read the first article in this series, click here.
The Help America Vote Act, passed in 2002, was supposed to make voting better and elections more secure by ordering states to replace punch-card and lever machines with electronic voting systems. Instead, recent elections have shown that the new machines had their own set of problems. So the question everybody is asking, as the primaries approach, is why are these new machines so insecure? And what can we do about it?
The heart of most criticism of electronic voting lies with DRE systems. DRE (direct-recording electronic) machines are systems in which the vote is recorded directly into the machine, usually via a touch screen or keypad, rather than marked on a paper ballot first.
DREs present a number of security issues, many of which are vividly described in the recent California review that led to decertification of the state's DREs. The software that runs the machines could be attacked in a number of ways: by a software developer who implements a virus during the manufacturing process; by someone who gains access to the machines while they are stored at a central location; even by a voter during the voting process. Removable memory cards that contain the information about an election can easily tampered with. Smart cards given to voters to cast their individual ballots also present opportunities for mischief. To cover up any changes, rogue voters can then destroy or reconfigure the paper trail, or end of day tape, produced by the machines. As the California report points out, many of these types of attacks aren't even difficult; they're low-level hacks that a teenager with some computer expertise could carry out.
Why is it so hard to create a secure DRE? Every day, countless people use touch screen ATMs to handle their most personal, important financial information. Few people now think about security problems when using an ATM, and it's hard to remember the last time there was a report of any kind of widespread tampering with an ATM machine.
But although the two machines bear a surface resemblance, there are several factors that make a big difference in the ability to secure them. Most obviously, ATMs are usually set into a building while DRE voting systems are freestanding machines that are kept in a number of locations prior to an election, and therefore accessible to a wide group of people. ATMs operate the same way every day and don't need to be started each morning with a new set of information; voting machines need specialized memory cards each time they're used and these cards are vulnerable pieces.
Probably most importantly, though, is the issue of the secret ballot. David Wagner, an associate professor of computer science at the University of California, Berkeley, and an expert on electronic voting security issues, explains: "With an ATM, there is no requirement to keep your identity secret. The ATM can (and do) keep all sorts of logs about your name and your account number and the transaction, and can provide you with a receipt to take home showing you what transactions you made, and so on. In the case of any dispute the bank can go back to all of those log entries and it is usually possible to figure out what went wrong. In contrast voting is secret so voting machines absolutely must not record any information about the identity of the voter who cast each ballot. If there is any dispute about whether the voting machine recorded your ballot correctly on its internal electronic memory, there may be no way to go back and resolve that dispute." (Click here to read a transcript of the full interview)
For many, the Voter Verified Paper Audit Trail (VVPAT) is the answer to security concerns. If there are any questions about an election, or if it is close enough to trigger a mandated recount (laws regarding this vary from state to state), the idea is that the paper record can be checked. However, a paper trail is not the same as an individual ballot. The Election Technology Council, the trade association for voting machine manufacturers, states in its FAQ that: "HAVA does not require that the paper ballot records be presented to the voter for confirmation of the ballot's accuracy. DRE systems present voters with the opportunity to verify vote accuracy on screen--an efficient, cost effective approach to assuring an accurate vote... HAVA requires that voting systems have the internal capability of producing a hard copy tally of votes. DRE systems are capable of producing this record. This is a record intended for use by election officials in a recount situation, not a receipt for individual voters."
This is really just a tape listing votes. A vote or group of votes that was manipulated will look the same as votes that were cast as intended. Onscreen verification isn't a sure thing either. The California review pointed out that the running tape can be crashed in the middle of an election and no one would know there was a problem until it was printed at the end of the day. In addition, what is seen onscreen and what the machine is recording internally can also be manipulated. True VVPAT means an individual receipt that is printed out, examined by the voter, and submitted.
HR 811, a bill sponsored by Representative Rush Holt of New Jersey, would require that all voting machines produce a paper audit-trail for all. Organizations such as MoveOn.org and Common Cause have sent out letters supporting the bill. Others, though, feel it does not go far enough. Teresa Hommel of WheresthePaper.org points out that the language would still allow manufacturers to interpret "paper trail" as a single internal tape, not as individual, voter-marked ballots. In a September 6 editorial, the New York Times called it "unfortunate" that the bill does not outright ban DREs.
The desire for an individually verified ballot has made optical scanners a suddenly popular choice. With an optical scan voting system, voters pick up a ballot and shade in the bubble next to their choices. Voters don't hand in the ballot until they are absolutely sure they have filled it out to their satisfaction. When they're ready, the vote is passed through the optical scanner, which records their choices. The machines are supposed to reject ballots where there are duplicate choices or where a choice has not been made. In March 2006, New Mexico passed legislation that ordered all elections throughout the state use a single paper ballot, optical scan system. In Oregon, all votes are conducted by mail. Voters' signatures are scanned when they register, and when they mail in their ballots, the signature on the outside of a return identification envelope is matched with the one on file. Once that happens, the vote is set aside to be tabulated anonymously.
The optical scan system isn't full-proof, of course; as shown by Florida's recent near-decertification of their optical-scan systems, the memory cards that record the votes are vulnerable to tampering. And as seen with the SAT debacle, there are external circumstances that can affect how well a machine reads the voters' choices. However, if something does go wrong with an optical-scan vote, the individual, shaded in ballots can be compared with the information recorded on the card and any tampering or malfunctioning can be found. The individual ballots can be hand-counted and the true total used in the election.
Most importantly, optical scan voting isn't an option for many disabled voters. Some states that have otherwise discarded DREs have allowed some models to be used at polling places in order to give disabled voters a chance to vote privately. Some states, such as Connecticut, have instituted a Vote by Phone system where disabled voters speak their votes into a phone that records their votes onto a computer. This system produces a single voter-verified paper ballot.
The best-designed system in the world can fail, though, if there aren't enough checks along the way. A machine can quietly malfunction. No one will check the individual, optically scanned ballots if there is no suspicion that anything went wrong. As Wagner points out, "Only about 13 states in the nation both have a paper trail and perform routine, mandatory audits." Without this kind of cross-checking, a problematic vote can go unnoticed.
All the testing, lab-certification, and analysis of different systems also means nothing if the individual machines are then poorly manufactured. A recent Dan Rather Investigates episode, "The Trouble With Touch Screens" revealed that ES&S touch screens were being made in a sweatshop in Manila. Problems with the screens were evident: they didn't stretch taut, and had bubbles or rolls in them. Tests showed that the screens went out of calibration when used in humid areas. This means that the screen and the information inside the computer aren't aligned. If a voter touched Box A on the screen, the machine could read it as Box B, the box below the one the voter meant to choose. The contested Jennings-Buchanan 2006 election, with the missing 18,000 votes, was conducted using ES&S touch screen machines.
When they became aware of this story, the Election Assistance Commission sent ES&S a letter rebuking the company for not including the Manila factory on its list of manufacturers, as required. In response, ES&S sent a letter to the EAC explaining that they didn't understand that they were supposed to list all of their manufacturers; in addition, the letter complained about how the EAC had posted their letter on their website first without discussing the matter privately with ES&S, a process, they felt that "created confusion and could undermine voter confidence in the entire field of elections" (here's something else that undermines voter confidence: manufacturing faulty touch screens in sweatshops).
What is the future of voting, then? A November 2006 Wired magazine article discussed the possibility of Internet voting. Online voting has been successful in small-scale trials in Switzerland, England, Estonia, and Canada. However, others think the Internet just has too many problems for a safe, secure vote. Wagner was one of a group of scientists that studied a proposed system that would have allowed members of the US military deployed overseas to cast their votes online. Their report caused the Department of Defense to shut down the program. Wagner believes that any possibility of a safe, secure Internet vote "would require either some new breakthrough or a wholesale change to our computing infrastructure."
In the end, though, after all the security checks, and the lab testing, and the paper trails, machines are not to blame for bad elections. Machines don't care who wins or loses. An election fails because of people--the nefarious, the lazy, the careless. In the wrong hands, the best technology in the world will produce an unfair, incorrect, or manipulated vote. And even in the most high-tech election, or at the most heavily guarded polling place, a vote is still something tangible that must be counted. And in time-honored fashion, a box of absentee ballots can still just disappear.