An Exit Strategy for Electronic Voting
By Bruce O'Dell
Original Article at
Even though there are fundamental technical considerations which should rule out use of electronic vote tallying technology, some of my Information Technology colleagues are still trying hard to salvage it (see, for example, the web site of the research group called
When it comes to electronic voting technology, we do not need a better mousetrap – we need an exit strategy.
I've done my best to explain why, in detail, elsewhere – but the main points bear repeating.
Voting systems are national defense systems (!) deserving the highest level of protection. Undetected compromise of our nation's voting systems is equivalent to our being invaded and occupied by a foreign power, since the American people lose control of their lives and destinies in either case - except that "coup by covert election manipulation" occurs under the reassuring guise of business as usual. I am ashamed that my profession has enabled voting systems to be deployed with mechanisms inadequate to protect mere financial transactions - much less, to safeguard the foundation of our national sovereignty.
Voting is inherently hard to protect. All the conventional techniques for electronic auditing of transactions rely on strong proofs of identity and complete transparency. We can conduct electronic financial transactions well enough that embezzlement is the exception and not the rule because all counterparties to a financial transaction are required to provide strong, legal proof of identity to the others, all parties to electronic financial transactions are strongly motivated to verify accuracy of results, and the laws regulating resolution of financial disputes are mature. None of these conditions apply to voting.
Voting is private and anonymous. You cannot provide a voter with a record of her transaction sufficient to prove how she voted after the fact (or you enable sale of votes, coercion and a host of other problems...). But if you do not provide such an unambiguous receipt, all that electronic vote-auditing protocols can do is simply enshrine a computer's assertion that it recorded your touch on a screen or your mark on an optical scan ballot as you intended.
Any program that generates an electronic audit trail -- no matter how complex -- can easily be programmed to consistently lie about what truly happened when your choice was presented to the machine for tallying. Electronic auditing of electronic vote tallying simply shifts the issue of trust from one suspect set of software to another.
Can we ensure that machines count our votes as cast?
Our only recourse to ensure correct electronic tallying is to generate an anonymous non-volatile receipt of the voter's choices, verified by the voter, retained by electoral authorities, and always audited - by hand - after the fact. And even this approach has limitations; for VVPATs (Voter-verified paper audit trails) there is ample evidence that many people do not actually "verify" their "PAT." Optical scan ballots are a much more desirable paper record.
OK - if we always have to audit the electronic tally, how should we do it?
The conventional approach is to have election insiders audit 100% of the vote in a few percent of the precincts, days or weeks after the election, in private beyond public view. If, of course, there are any paper ballot records to audit.
But as reported irregularities in Ohio in 2004 reveal, this approach is both inaccurate and highly vulnerable to gaming.
In response, Jonathan Simon, Steven Freeman, Josh Mitteldorf and I have just published a paper that recommends nothing less than a 10% in-precinct hand count of all paper ballot records to be done by the public and on election night, everywhere we allow electronic tallying. This will provide 99% certainty of detecting errors or deliberate manipulation, regardless of their source, that affect 1% or more of the official electronic tally. Nothing less will provide the indisputable statistical rationale to enable candidates to actually dispute a tainted election in a toxic political environment like the one we find ourselves mired in at the moment.
But all this begs the question: if we have to always hand-audit electronic vote tallies . . . then what, exactly, is the point of electronic tallying?
Requiring electronic voting to enable accommodation of voters with disabilities is a red herring – cheaper, better, non-computerized alternatives already exist.
And so we advocate a 10% hand count in 100% of the precincts only as a transitional step in an exit strategy for electronic voting. Because I for one firmly believe that wherever and whenever we actually do start hand-counting ballot records in public on election night, we will find such a catalog of horrors, such unconscionable sloppiness, such pervasive backdoor manipulation of the electronic tally that the American people will rise up and demand that we take back control of our elections into our own hands – and cast and count
our paper ballots ourselves.
I'm not accusing my colleagues – such as Avi Rubin, Director of ACCURATE – who are working to salvage electronic voting of "being on the take." In fact I commend their hard work to expose the risks of electronic voting. But, on the other hand, as a technology professional I would refuse to work on electronic voting systems because, for all of the above reasons, I believe it to be a violation of the professional code of ethics of the Association of Computing Machinery, the world's largest and oldest computer society - of which I am a member.
The ACM Code of Ethics states in part:
"Ethical tensions can best be addressed by thoughtful consideration of fundamental principles, rather than blind reliance on detailed regulations. These Principles should influence software engineers to consider broadly who is affected by their work; to examine if they and their colleagues are treating other human beings with due respect; to consider how the public, if reasonably well informed, would view their decisions; to analyze how the least empowered will be affected by their decisions; and to consider whether their acts would be judged worthy of the ideal professional working as a software engineer. In all these judgments concern for the health, safety and welfare of the public is primary; that is, the 'Public Interest' is central to this Code."
I say again: "to consider how the public, if reasonably well informed, would view their decisions." According to Zogby's latest poll, the American people, if properly informed, are hardly likely to continue to tolerate secret elections, run by insiders, "certified" by "experts", and tallied by machines. I prefer to stand with the people.
And again: The issue at hand is the integrity of the systems that grant sovereignty over the world's largest economy and only superpower military. There are overwhelming indications those systems can be and likely have been hijacked in pursuit of a radical agenda contrary to the wishes of the majority of the American people.
Beyond the technical considerations that preclude placing our trust in electronic vote tallying is the most important principle of all:
We, the people, have the inalienable right to run our own elections.
My colleagues working to salvage electronic voting are free to disagree. But I wonder why such a talented group is preoccupied with inventing a better voting mousetrap when the people are fully capable of running our elections in the absence of the inappropriate technologies that have precipitated our election integrity crisis.
In fact, there are a host of other, far more pressing problems that confront us technologists – consider that the public is just now waking up to one fact that security insiders have known for some time: the barbarians are at the gates of the internet. These are the kinds of problems that should demand our urgent attention so that we can protect and serve the public, who have become almost totally dependent on the technologies we provide them.
Author's Bio: Bruce O'Dell is a self-employed information technology consultant with more than twenty five years experience who applies his broad technical expertise to his work as an election integrity activist. He lives just outside Minneapolis, Minnesota, and shares a love of good books with his wife - and her beautiful garden, with their talkative cat.
LINKS to sources referenced in this article:
The ACCURATE project
O'Dell on Auditability
Cuyahoga recount indictments
HR550 Audit Accuracy paper.pdf
Also see Equalivote
ACM Code of Ethics
Scientific American article on Internet security