Talk given to a gathering of election officials in Ashfield, Massachusetts:
We need voting systems that are as open and obvious as possible while preserving the secret ballot. We've been doing this for centuries with paper ballots, and simple changes can improve the accuracy, speed, and security of paper ballot systems even beyond current levels. Paper ballots, hand counted, are the "gold standard" around the world, and guidelines are published that make for reliable results even in those parts of the world where corruption is the norm. Paper ballot systems, especially ones that are hand counted, provide not only the fewest opportunities for tampering but are the most accurate as well. They are also the most open to public scrutiny, and they are the only systems that can be thoroughly audited.
The URL of this page is http://home.tiac.net/~rjf/software-and-voting-ashfield-17jan06.html
Software and Voting
I'm a computer professional. I've been a computer systems consultant for over 30 years, and have most
recently worked in computer security, wireless, and software testing. I have a masters' degree in computer
science from MIT.
You would think that I would be all for the computerization of our elections, but I'm not. There are just too
many risks associated with computer systems as used in elections. Computerization is essential to many
aspects of modern life, e.g., electronic funds transfer, but it is not in any way necessary for the conduct of
elections. We need to increase public trust in elections; the additional risks associated with computers in
elections destroy that trust.
The workings of computerized election systems are complex, hard to understand (even for experts), hidden,
and commonly held as secrets by private interests. These are all characteristics we shouldn't want for the
foundation of our democracy. Most disconcerting, however, is that computerization greatly increases the
opportunities for election tampering and sabotage.
(Common wisdom in this state and nation says that these risks of tampering remain just theoretical
possibilities, that they haven't actually affected any major elections in significant ways. Given the high value
of winning elections, I think it is highly likely that tampering will be attempted. Some people claim that
there is already a lot of evidence of attempted, and even successful, tampering. Our nation, and our media, is
understandably reluctant to investigate this possibility.)
Errors -- accidental or deliberate?
We all have our favorite stories about computer errors -- bugs, glitches, whatever -- that mess up our email,
our bank account, or a space probe. Some errors are "innocent" -- simple human mistakes on the part of
programmers. Many errors we encounter these days, however, are deliberate. A whole industry has arisen to
produce software to protect us against deliberate damage, malicious entry, or tampering to our personal
computers and to the big computer systems that run our modern infrastructure. We probably all know horror
stories about people losing their email and all their work to computer "viruses", and occasionally we hear
about major databases and corporations being "hacked".
Any kind of error -- innocent or deliberate -- can affect the computer systems we rely upon, including any
computer systems used in elections. Innocent errors tend to be unbiased in their effect -- they are blind to the
candidate, party, or issue involved in a vote. Usually, over the long run, innocent errors tend to cancel each
other out. Even innocent errors may sometimes be "big". Such an error can change the outcome of an
election -- we have to be on the lookout for them.
Remember the not so old saying: "To err is human; to really foul things up requires a computer"!
Deliberate Errors
Deliberate errors, on the other hand, are quite a different risk. Software is as malleable as putty: once
malicious entry is made to a computer system, almost any change is possible. And, as with putty, it is easy
for a software attack to cover its tracks and change things back. Unlike putty, the attacker doesn't need
"hands on" to make the change. Also unlike putty, the change can lie unseen, with no visible effect, until
Election Day.
So what could malicious software -- "malware" -- do to tamper with an election? Point shaving is one likely
tactic: taking a few votes from one candidate and giving them to the preferred candidate on each machine.
The error on each machine is small, but they add up. Unlike innocent errors, all these errors on every
machine would favor the same side. (One clue that an error is not "innocent" is consistent bias in one
direction.) One study has shown that a change of one out of every 87 votes in Ohio would have changed the
outcome of the 2004 presidential election -- that may require only a handful of votes to be changed per
machine, especially a DRE. Would you notice that small an error on a machine? More particularly, would
anyone notice if many machines had a similar error in the same direction?
Another possible way that malicious software could bias an election is through "defaulting" the occasional
undervote to the favored candidate. Nothing looks wrong with such a situation -- in fact, everyone thinks
reducing undervotes is a good thing. What's the undervote percentage in your town? What if all those uncast
votes went to the same candidate?
One goal of any election saboteur would be to make the margin of victory high enough so that no recounts or
other challenges are triggered. This is easy to do.
The worst thing about using malicious software to bias an election is that you don't even have to mess with
the vote counting. If you know which precincts favor your opponent, or you simply notice that your
opponent is ahead on a particular machine, simply slow down or crash the machine. Long lines discourage
voters. When you hear stories of voters waiting hours to vote, rest assured that some decided they couldn't
wait. No audit or recount will ever catch such chicanery. I would wager that even a 1-hour wait reduced the
percentage of voters by quite a bit -- how long is your lunch break? What if you were on line with a child?
Again I must say that it is very easy for malicious software to erase itself and cover its tracks and thus
deliberate tampering becomes very hard to prove.
Also note that it doesn't take a vast conspiracy to alter a lot of voting machines; depending upon when and
how the malicious entry is achieved, it could be the work of just one person. Many viruses that swept the
Internet were the result of one lone individual.
Malicious entry and alteration of software can be achieved in many ways. Phone lines, networks, wireless
devices, memory cards, data discs are just some of the opportunities for an attacker to access and change the
software in a computer. Given the potential high value of election tampering, one must not rule out the
possibility of sabotage introduced in the software at the factory, or at any point from factory to Election Day.
It is really easy to make software that lies in wait, passing all tests, until the election itself.
Testing
I'm currently employed in testing software, so I'd like to say a few words about testing. Testing, even when it
goes under a fancy name such as "certification", is NEVER perfect. Testing does not find all errors.
Deliberate errors, i.e., sabotage, if designed to lie in wait until the right moment, are especially hard to
uncover by testing.
Some people think that "open source" software is the solution. The more eyes that actually study and work
with software, generally the better it becomes. "Open source" would force a saboteur to be subtle. However,
as with any software, open source software is never perfect. And open source software isn't per se less prone
to malicious entry or other tampering.
Central Tabulators
Everything said so far applies not only to the systems that count the votes (whether they are DREs or Optical
Scan), but also to Central Tabulators. The Central Tabulator may be an even more attractive target for
malicious entry and alteration of results.
There is no reason, however, that all of the data that goes into the Central Tabulator is not made immediately
public, at polling places, Town Halls, and on the Internet, so that anybody can check the calculations.
Audits -- Catching Errors
How do you know if you have an error in your vote count? Should voting be a "faith-based" activity? Or
should it be possible to prove election results?
Our computer systems can be made more tamper-resistant -- at a price (and making them even more obscure)
-- but they will never be perfectly secure. It is always necessary to audit the results. Auditing an election is
not a recount in the traditional sense. An audit, whether for a bank or an election, is a check to see if
anything is going wrong. An audit should be an essential part of every election whether it is close or not; an
election should not be certified until it passes an audit.
(One problem is what do you do if it doesn't pass audit? Perhaps that's one reason we don't even bother to
audit elections.)
Auditing of our elections must be done in the open, in public -- not behind closed doors.
People have varying opinions on what constitutes a good audit. Any credible audit must meet accepted
statistical and forensic standards; after all, the purpose is to catch both errors and tampering. In every case,
an election audit must compare original ballots with the counted result. Thus we must have original ballots,
as marked by the voter.
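One way to turn the "consistent bias in one direction" clue from the point-shaving discussion, and the audit requirement above that original ballots be compared with the counted result, into a concrete check. This is an added example, not part of the original talk: every tally below is constructed sample data, and the sign test is a standard statistic chosen here, not a method the talk prescribes.

```python
"""Audit check: compare each machine's tally with a hand count of the same
original ballots and ask whether the discrepancies all lean one way.
Added example, not from the talk; tallies are constructed, not real results."""
from math import comb

# Constructed sample: (machine id, machine A, machine B, hand A, hand B).
# Per-machine errors are one or two votes, too small to notice on their own.
SAMPLE = [
    ("M01", 412, 388, 413, 388),  # innocent-looking: one vote short for A
    ("M02", 297, 301, 296, 301),  # innocent-looking: one vote extra for A
    ("M03", 350, 350, 350, 350),  # exact match
    ("M04", 402, 398, 400, 400),  # two votes moved from B to A
    ("M05", 251, 149, 249, 150),
    ("M06", 310, 290, 309, 291),
    ("M07", 188, 212, 187, 213),
    ("M08", 455, 345, 453, 347),
    ("M09", 122, 78, 121, 79),
    ("M10", 333, 267, 332, 268),
]

def margin_shift(row):
    """How much the machine's A-minus-B margin exceeds the hand-counted margin.
    Positive means the machine favours A relative to the original ballots."""
    _, ma, mb, ha, hb = row
    return (ma - mb) - (ha - hb)

def sign_test_pvalue(shifts):
    """Two-sided sign test on the nonzero shifts: if each error were equally
    likely to lean either way (innocent), how surprising is this much agreement?"""
    nonzero = [s for s in shifts if s != 0]
    n = len(nonzero)
    if n == 0:
        return 1.0
    k = max(sum(s > 0 for s in nonzero), sum(s < 0 for s in nonzero))
    tail = sum(comb(n, i) for i in range(k, n + 1)) / 2 ** n
    return min(1.0, 2 * tail)

def audit(rows, alpha=0.05):
    """Per-machine shifts, the net shift toward A, and whether the one-direction
    pattern is unlikely enough (p < alpha) to flag for a full hand count."""
    shifts = {row[0]: margin_shift(row) for row in rows}
    p = sign_test_pvalue(list(shifts.values()))
    return {"per_machine": shifts, "net_shift": sum(shifts.values()),
            "p_value": p, "flag": p < alpha}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the constructed sample, no single machine is off by more than two votes per candidate, yet eight of nine nonzero shifts point the same way and the audit flags the pattern; a set of errors leaning both ways would not be flagged.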
One reason our group does not accept DREs is that DREs do not use an original voter-marked ballot. Some
DREs don't have a paper trail at all. Even those DREs that do print a paper record are inadequate to a true
audit.
The same software risks that apply to the count apply to the printing of the paper record in a DRE. Malicious
software could alter the paper record. "Voter verification" of such paper is very unreliable. Only a small
percentage of voters will actually check every vote carefully. The paper output of a DRE is NOT an original
paper record of the voter's intentions and is not suitable for a meaningful audit.
An optical scan ballot is an original voter-marked paper ballot. That ballot is suitable for a meaningful audit.
Please note that the optical scan machine is subject to all the same kinds of risks and attacks as a DRE.
Therefore optical scan machines MUST be audited at every election.