An Exit Strategy for Electronic Voting
By Bruce O'Dell
August 24, 2006
Even though there are fundamental technical considerations which should rule out use of electronic vote tallying
technology, some of my Information Technology colleagues are still trying hard to salvage it (see, for example, the web
site of the research group called ACCURATE).
When it comes to electronic voting technology, we do not
need a better mousetrap – we need an exit strategy.
I've done my best to explain why, in detail, elsewhere – but the main points bear repeating.
Voting systems are national defense systems (!) deserving the highest level of protection.
Undetected compromise of our nation's voting systems is equivalent to our
being invaded and occupied by a foreign power, since the American people lose control of their lives and destinies in
either case - except that "coup by covert election manipulation" occurs under the reassuring guise of business as usual.
I am ashamed that my profession has enabled voting systems to be deployed with mechanisms inadequate to protect mere
financial transactions - much less, to safeguard the foundation of our national sovereignty.
Voting is inherently hard to protect.
All the conventional techniques for electronic auditing of transactions rely on strong proofs of identity and complete
transparency. We can conduct electronic financial transactions well enough that embezzlement is the exception and not
the rule because all counterparties to a financial transaction are required to provide strong, legal proof of identity
to the others, all parties to electronic financial transactions are strongly motivated to verify accuracy of results,
and the laws regulating resolution of financial disputes are mature. None of these conditions apply to voting. Voting is
private and anonymous. You cannot provide a voter with a record of her transaction sufficient to prove how she voted
after the fact (or you enable sale of votes, coercion and a host of other problems...). But if you do not provide such
an unambiguous receipt, all that electronic vote-auditing protocols can do is simply enshrine a computer's assertion
that it recorded your touch on a screen or your mark on an optical scan ballot as you intended. Any program that
generates an electronic audit trail - no matter how complex - can easily be programmed to consistently lie about what
truly happened when your choice was presented to the machine for tallying. Electronic auditing of electronic vote
tallying simply shifts the issue of trust from one suspect set of software to another.
Can we ensure that machines count our votes as cast?
Our only recourse to ensure correct electronic tallying is to generate an anonymous non-volatile receipt of the voter's
choices, verified by the voter, retained by electoral authorities, and always audited - by hand - after the fact. And
even this approach has limitations; for VVPATs (Voter-verified paper audit trails) there is ample evidence that many
people do not actually "verify" their "PAT". Optical scan ballots are a much more desirable paper record.
OK - if we always have to audit the electronic tally, how should we do it?
The conventional approach is to have election insiders audit 100% of the vote in a few percent of the precincts, days
or weeks after the election, in private beyond public view. If, of course, there are any paper ballot records to audit.
But as reported irregularities in Ohio in 2004 reveal, this approach is both inaccurate and highly vulnerable to gaming. In response, Jonathan Simon,
Steven Freeman, Josh Mitteldorf and I have just published a paper that recommends nothing less than a 10% in-precinct hand count of all paper ballot records to be done by the public and
on election night, everywhere we allow electronic tallying. This will provide 99% certainty of detecting errors or
deliberate manipulation, regardless of their source, that affect 1% or more of the official electronic tally. Nothing
less will provide the indisputable statistical rationale to enable candidates to actually dispute a tainted election in
a toxic political environment like the one we find ourselves mired in at the moment.
But all this begs the question: if we have to always hand-audit electronic vote tallies... then what, exactly, is the
point of electronic tallying?
Requiring electronic voting to enable accommodation of voters with disabilities is a red herring – cheaper, better,
non-computerized alternatives already exist. And so we advocate a 10% hand count in 100% of the precincts only as a transitional step in an exit
strategy for electronic voting. Because I for one firmly believe that wherever and whenever we actually do start
hand-counting ballot records in public on election night, we will find such a catalog of horrors, such unconscionable
sloppiness, such pervasive backdoor manipulation of the electronic tally that the American people will rise up and
demand that we take back control of our elections into our own hands – and cast and count
our paper ballots ourselves.
I'm not accusing my colleagues – such as Avi Rubin, Director of ACCURATE – who are working to salvage electronic voting
of "being on the take". In fact I commend their hard work to expose the risks of electronic voting. But, on the other
hand, as a technology professional I would refuse to work on electronic voting systems because, for all of the above
reasons, I believe it to be a violation of the professional code of ethics of the Association for Computing Machinery, the world's largest and oldest computer society - of which I am a member.
The ACM Code of Ethics states in part:
"Ethical tensions can best be addressed by thoughtful consideration of fundamental principles, rather than blind
reliance on detailed regulations. These Principles should influence software engineers to consider broadly who is
affected by their work; to examine if they and their colleagues are treating other human beings with due respect; to
consider how the public, if reasonably well informed, would view their decisions; to analyze how the least empowered
will be affected by their decisions; and to consider whether their acts would be judged worthy of the ideal professional
working as a software engineer. In all these judgments concern for the health, safety and welfare of the public is
primary; that is, the "Public Interest" is central to this Code."
I say again: "to consider how the public, if reasonably well informed, would view their decisions". According to Zogby's
latest poll, the American people, if properly informed, are hardly likely to continue to tolerate secret elections, run by
insiders, "certified" by "experts", and tallied by machines. I prefer to stand with the people.
And again: "In all these judgments, concern for the health, safety and welfare of the public is primary." The issue at
hand is the integrity of the systems that grant sovereignty over the world's largest economy and only superpower
military. There are overwhelming indications those systems can be and likely have been hijacked in pursuit of a radical
agenda contrary to the wishes of the majority of the American people.
Beyond the technical considerations that preclude placing our trust in electronic vote tallying is the most important
principle of all.
We, the people, have the inalienable right to run our own elections.
My colleagues working to salvage electronic voting are free to disagree. But I wonder why such a talented group is
preoccupied with inventing a better voting mousetrap when the people are fully capable of running our elections in the
absence of the inappropriate technologies that have precipitated our election integrity crisis. In fact, there are a
host of other, far more pressing problems that confront us technologists – consider that the public is just now waking
up to one fact that security insiders have known for some time: the barbarians are at the gates of the internet. These are the kinds of problems that should demand our urgent attention so that we can protect and
serve the public, who have become almost totally dependent on the technologies we provide them.
*************
Author's Bio: Bruce O'Dell is a self-employed information technology consultant with more than twenty-five years'
experience who applies his broad technical expertise to his work as an election integrity activist. He lives just
outside Minneapolis, Minnesota, and shares a love of good books with his wife - and her beautiful garden, with their
talkative cat.