Electronic Voting Machines
Today being the second Tuesday in November, I woke up early and got out of the house to go vote at a local school. I have used two types of voting machines in the past. One is a punch-card voting machine where you use a small stylus to poke holes through a specially made paper card indicating your selection. The second is a large metal box that contains a number of metal "flags" that you flip downward to indicate a vote for a particular person. Once you flip the appropriate flags, you pull a slot-machine type lever to register the vote.
This morning, I tried the latest - a WinVote electronic voting machine.
The interface was pretty easy. Each possible selection was placed in its own large box. Touching anywhere in the box clearly selected the candidate. Voting was a process of several steps. First you selected your candidates. After hitting the "next" button, you got a list of the selections you made, in essence a confirmation dialog, giving you the option of going back and changing your selections. After I hit next again, it displayed a final summary with a very large (1/2 the screen) button labeled "VOTE". When pressed, it provided a visual confirmation. So the interface was decent, in that it was clear you had to press the "VOTE" button in order for it to count, and you got two opportunities to confirm your selection or go back and make corrections.
Notably, this machine does not print a paper confirmation of the ballot. Also, it communicates wirelessly with some central machine in order to record your vote. These two features pose something of a problem.
For a moment, I want to talk just about those two features. There are many other potential problems with electronic voting, including a citizen's inability to understand how the system really works when vendors won't allow access to the machine's source code, and at least the hypothetical possibility that electronic votes could be intentionally designed to deliver votes to one candidate. But for the sake of argument, let's assume these systems are fully vetted, and we completely trust the vendors (though I'll grant that is already a large step).
The lack of a paper ballot makes traceability very difficult. Who's to say that the machine really recorded your vote? Even the best software developers make mistakes. Without a human-readable piece of paper, there's no way to know which actual signal the voting machine sent to the mothership. What's worse, if the mothership breaks down, or misses the communication, there's no way to re-record the vote after the fact. Voting machine vendors usually swear you can re-tally electronically, but you can't do it by hand, and re-tallying electronically won't instill any confidence. I mean, if they re-tallied electronically and got a different number than the original count, what was going on there? Either the re-tally would follow the same procedure, leading to an inevitably similar result (which would call into question the purpose of a re-tally), or it would reach a different result and call the original method into question.
The wireless connection raises security concerns. Yes, the wireless link is probably encrypted, but that doesn't provide adequate security against a talented and intelligent attacker. One trend that's seen again and again in computer security is that things only get very secure after they've been around for a period of time and have been cracked wide open and patched, repeatedly. So which elections would you like to use as the test runs?
Now you might think that with this nay-saying, I'm some sort of Luddite who's against electronic voting machines. I am actually in favor of them for a number of reasons. First, the efficiency and cost benefits that they have probably make them inevitable in the long run. Second, I think in the long run they can be built to be more secure, auditable, and traceable than the paper process. When and if that's done, electronic voting machines have the potential to eliminate any possible discussion of swinging/pregnant/hanging chads and provide more certainty. It's just that getting to that point is likely going to be more expensive and slower than people think.
Citizens will have to insist on absolute transparency in the process, to include access to the source code, and an extended period of government invitation to break into the system and patch resulting vulnerabilities long before it is actually used in a real vote. Offer cash prizes for breaking into the voting machines or subverting the count, and give those patriots the recognition they deserve. As a result, if done right, voting machines probably wouldn't be a commercial proposition, because I just can't see a company interested in its intellectual property accepting the terms that are necessary in order to make this workable.
Additionally, consistency standards have to be put in place for actually using these machines, because 100% secure systems in the hands of people who aren't trained in their use (for example, volunteer pollsters at your local elementary school) are far from secure. Once you do these things for a few years, you should be approaching something that's workable. Social engineering as a security threat is usually more worth worrying about than the technical aspects of security.
After all this, electronic voting could be rolled out to smaller citizens' groups or companies (perhaps Nielsen ratings, labor unions, the NRA, the AARP, etc.) for their elections. Feedback and large user group testing would provide case studies in what goes right and wrong with the technology. Maybe then, the technology would be ready for state and local government elections, and eventually federal and all national elections.
Normally I'm an advocate for getting technology into things quickly, and taking advantage of its benefits. On this one, I think it's best to take things slowly. The costs of failure are extremely high.
This is our democracy that we're talking about.
