Electronic Voting: Is It Safe Yet?
When Santa Clara County voters head to their voting places this November, they'll be greeted by a bank of gleaming new electronic voting machines -- a high-tech voting video arcade. The old punch-card system -- with hanging and dimpled chads and butterfly ballots, the disastrous scenario of the 2000 presidential election -- is history.
The touch-screen machines -- small, free-standing, portable computers supported by silver folding legs -- will appear reliable and efficient, the instructions easy and intuitive. Voters will be handed a card that they'll insert into the computer to activate the ballot in one of five languages of their choice. They'll select their voting preferences by touching the boxes displayed on the 15-inch screen, and if they make a mistake, they can correct it. After reviewing their choices one last time, they'll press a button to submit their votes. It's not that much more complicated, from an operational standpoint, than an ATM.
What voters won't know, however, is that they will be casting their ballots in the first unverifiable election in the history of Santa Clara County. If candidates dispute the results, they'll have to take the word of a third party, namely the manufacturer of the voting machine, as to what the ballots said. This trend is hardly unique to the valley; new electronic voting techniques are being adopted throughout the country as anxieties spread over the fallibility of outdated voting systems.
Santa Clara County supervisors are worried enough about electronic voting to take what some say is a token step: requiring 5 percent of the ballots to have a tamper-proof paper backup system. Over the long term, however, it's not clear what county officials are prepared to do -- and what political risks they're willing to take -- to ensure an accurate and verifiable election count.
Santa Clara County Registrar Jesse Durazo says everything is fine; the new system comes with a computer-generated audit trail that would enable a recount if the election is called into question, which, he says, has happened twice in the county's history, in the early 1990s and in 2002. The company that the county has contracted with to make the touch-screen voting machines -- Oakland-based Sequoia Voting Systems, one of the top U.S. manufacturers of electronic voting systems -- claims its machines are tested, secure and error-free.
But a growing cadre of voting-rights activists and a group of 1,200 computer scientists and technologists, led by Stanford University computer science professor David Dill, argue that the new generation of electronic voting machines are a time bomb for fraud and inaccuracy. In trying to protect voters from transparent electoral fraud, they say, Santa Clara County, as well as the rest of the country, is heading into an even more frightening period of potentially invisible, or undetectable, fraud.
"Election officials have promised for several years now the dream of paperless electronic voting," says Dill, who began the movement calling for safer electronic elections by drafting a resolution that is quickly gathering the signatures of prominent scientists and academics from Silicon Valley and nationwide. "There are many advantages, particularly for election administrators. They don't have to worry about paper, printing, training. [But] the question is, if I'm going to vote on this machine, why do I trust it?"
Secrets of the Ballot
After the 2000 presidential election debacle in Florida, federal officials raced to revamp the country's use of paper-based and manual-lever voting systems. A 2002 law provided $4 billion to help states buy electronic voting machines, namely optical scanners and touch-screen machines. But the feds didn't specify how secure the technology has to be, even though it's expected that by 2010, 75 percent of voters will cast their ballots electronically.
Here in California, officials in all nine counties have the additional pressure of a federal court order, arising out of a lawsuit brought by the ACLU of Southern California, to replace their punch-card ballots by March 2004, the next statewide election and presidential primary.
Secretary of State Kevin Shelley decertified punch-card ballots in 2001, and in 2002 California voters approved $200 million in bonds to upgrade their voting systems. For their part, Santa Clara County supervisors decided that they'd rush to have electronic voting up and running by the November 2003 election, when voters will weigh in on municipal and school district races.
After a nine-month process, everything was set to go in January. The supervisors, following the advice of county staff, were weeks away from signing a $19 million contract with Sequoia Voting Systems, who beat out two other vendors, for 5,500 new touch-screen voting machines for the region's 1,000 precincts and 740,500 registered voters ($9.5 million is to be reimbursed by the state).
But as they were heading toward the finish line, Dill and several other highly regarded computer experts intervened with an urgent appeal: The new voting machines were dangerously vulnerable to programming error, equipment malfunction and malicious tampering, they stated. What's more, Dill said, Sequoia and other vendors use proprietary software; their codes are trade secrets. There's no way to verify whether the codes are as invulnerable to cheating as the companies claim, particularly as the software community comes up with ever more inventive tools to break into supposedly secure systems.
The supervisors slowed down and took note. "The election could be running as smooth as silk," Dill reportedly told them, "only the wrong person is elected, and no one can tell. No one can prove it." This was news to the supes; they had not been worried about security and verifiability because the machines were certified for state elections and met state standards.
The only way to fix the problem, Dill and the other speakers argued, is to make sure the new machines have a voter-verifiable audit trail or paper record, or in other words, the computers print out a marked ballot as the voter votes, as a backup to the digital ballot. Otherwise, "There's no assurance that the vote that appears on the screen is the one that's recorded [by the machine]," voting-technology expert Peter Neumann, principal scientist in SRI International's computer science laboratory, was quoted as saying.
This independent, permanent printed record could be checked by the voter before the vote is submitted (and can't be altered afterward) and is collected by the registrar for use in a recount, taking precedence over any electronic records. If the supervisors don't require a verifiable paper audit, use of the new machines should be halted, Dill stated unequivocally.
"The feeding frenzy of rushing into a new technology is always risky," says Neumann in an interview. "But it's even more so in this case, because the existing all-electronic voting machines have essentially no assurances and no accountability that your vote is correctly recorded and counted. Despite what the vendors say, there are various opportunities for both accidents and intentional riggings of elections."
Electronic voting technology, used elsewhere, has not gone without a few wrinkles. In some cases, disastrous wrinkles. Florida's September 2002 election had a virtual meltdown in several counties. In Miami-Dade, to cite one example among many, 32 precincts reported no Democratic ballots cast despite more than 12,000 Democrats registered there. (Gubernatorial candidate former Attorney General Janet Reno called unsuccessfully for a statewide manual recount of votes.) Ballots jammed or tore as workers tried to put them through optical scanners. Some poll workers simply couldn't figure out how to fire up the computers.
Sequoia spokesperson Alfie Charles responds that overall Sequoia's voting machines performed well in 16 states, including Florida's last election. (However, backup activator cards had to be used when the original ones failed.) Closer to home, he says their machines also did well in Riverside, the first California county to switch to touch-screen voting.
"The scientists argued incorrectly that the potential exists for a rogue programmer to display one thing on the screen and tally something else without the voters consent," he says. "The likelihood of that happening is next to impossible, because the systems are reviewed for accuracy and reliability by independent testing authorities."
While noting that the county has to create the best system with the highest level of confidence for voters, Santa Clara County Registar Durazo has sided with Sequoia. Although the scientists have the right to ask questions, their concerns "are a far-out scenario," he says. (He was quoted in Wired News as saying, "These scientific smart people have not worked in an election, but they've created this whole UFO effect.") "The empirical information we have clearly demonstrates that the reliability, the security and the capability of those machines are unquestionable."
Regardless, supervisors listened to Dill and his colleagues and changed their course. They asked Sequoia to devise a prototype of a voter-verifiable paper record, which the company produced in a matter of days, although it had never made one before. They approved the nearly $20 million contract and called for a pilot project for the upcoming November election to test the touch-screen machines with the backup paper record in 15 of an estimated 300 precincts, or roughly 5 percent. And they required Sequoia to add the necessary printers to the machines at a later date, at no extra cost, if the state requires it.
Caught between sunny optimists on one side and the dire warnings of national computer experts on the other, the board struck a careful compromise; some might even say they passed the buck. Supervisors ordered a test run of the new paper audit, which, if implemented, would put Silicon Valley in the forefront of the movement toward safer elections. But instead of taking a firm stand on the controversial issue by calling for the backup system in all of the county's touch-screen machines, they decided to defer the decision to California Secretary of State Kevin Shelley. Shelley, responding to growing pressure, appointed in April a special statewide task force to investigate if and how paper ballots should be produced in electronic voting machines. (The task force report was released on July 2. California voters have until Aug. 2 to submit their comments.)
"Election systems need to be as secure in reality as in perception," says Kim Alexander, a task force member and president of the California Voter Foundation, a nonprofit at the forefront of the paper trail cause. "Voters have no good reason to trust 100 percent computerized, paperless voting systems run on secret software. I believe the voter-verifiable paper trail is inevitable. It's just a matter of how much money we waste and how many voters we lose along the way."
Resistance to voter-verifiable paper trails runs deep. Local and state election officials, election organizations such as the National Association of State Election Directors, political groups and voting-machine vendors make up an "entrenched election establishment ... an exclusive club" with "multidecade relationships," says Stanford's David Dill. Politicians at all levels of government are heavily lobbied by these groups, he says.
As the entire country heads into voting by computer, the magnitude of the problem becomes enormous, says Alexander: "There's lots of money at stake and lots of contracts out there and a handful of vendors."
Not unlike many high-powered industries, there's also a potential conflict of interest between election officials and the industry they are charged to regulate: electronic voting-machine vendors. "It's obvious," Dill says. "When you look at people who used to be in government who now work for vendors, it's clear that there's a revolving door. And it does influence purchasing decisions. ... [Election officials] trust and get their information from vendors, rather than a newcomer like me, who they're not necessarily going to listen to right away."
In Santa Clara County, Kathryn Ferguson, the former county registrar, now works for Sequoia. Some insiders speculate whether political influence or favoritism played a role in Sequoia landing the plum $19 million county contract. They also question whether Sequoia, whose executives have been adamant in their public opposition to the need for a paper backup, will rise to the occasion and provide the best possible system for the county's voters.
Sequoia's Charles denies the favoritism allegation.
"When presenting the system to the county, Kathryn was not involved in those discussions. She could have been, but out of an abundance of caution we opted to deal with the county with other people in the company. It was the most ethical thing to do, though legally she certainly could have been involved. She was not involved in any discussions with county or with the presentations."
A newly introduced Congressional bill, sponsored by Rep. Rush Holt (D-N.J.), calls for all voting machines nationwide to create a voter-inspected paper record by 2004. (It also requires automatic manual recounts for a fraction of ballots in every jurisdiction, selected at random, modeled after a similar California law.) If the bill passes, it would supercede state law, but not in time for the next election.
Meanwhile, the majority of the electronic voting machines in November's election will only have Sequoia's backup systems, which are essentially electronic paper records generated from the machine after the polls close -- and not the independent paper record that the voter prints and signs off on.
"I'm not worried about machine meltdowns," says Dill. "What I'm worried about is undermining our faith in elections. Right now, polls show that people love the touch-screen machines. But when we start to have elections where the results are surprising, and there's election challenges, and there's no way to check if the votes are recorded properly, I think people will definitely not be feeling good."