The Problem with Electronic Voting Machines.
Computer security experts are unanimous on what to do. (Some voting
experts disagree, but I think we’re all much better off listening to
the computer security experts. The problems here are with the computer,
not with the fact that the computer is being used in a voting
application.) And they have two recommendations:
- DRE machines must have a voter-verifiable paper audit
trails (sometimes called a voter-verified paper ballot). This is a
paper ballot printed out by the voting machine, which the voter is
allowed to look at and verify. He doesn’t take it home with him. Either
he looks at it on the machine behind a glass screen, or he takes the
paper and puts it into a ballot box. The point of this is twofold. One,
it allows the voter to confirm that his vote was recorded in the manner
he intended. And two, it provides the mechanism for a recount if there
are problems with the machine. - Software used on DRE machines must be open to public
scrutiny. This also has two functions. One, it allows any interested
party to examine the software and find bugs, which can then be
corrected. This public analysis improves security. And two, it
increases public confidence in the voting process. If the software is
public, no one can insinuate that the voting system has unfairness
built into the code. (Companies that make these machines regularly
argue that they need to keep their software secret for security
reasons. Don’t believe them. In this instance, secrecy has nothing to
do with security.)
Computerized systems with these characteristics won’t be perfect —
no piece of software is — but they’ll be much better than what we have
now. We need to start treating voting software like we treat any other
high-reliability system. The auditing that is conducted on slot machine
software in the U.S. is significantly more meticulous than what is done
to voting software. The development process for mission-critical
airplane software makes voting software look like a slapdash affair. If
we care about the integrity of our elections, this has to change.
Proponents of DREs often point to successful elections as “proof”
that the systems work. That completely misses the point. The fear is
that errors in the software — either accidental or deliberately
introduced — can undetectably alter the final tallies. An election
without any detected problems is no more a proof the system is reliable
and secure than a night that no one broke into your house is proof that
your door locks work. Maybe no one tried, or maybe someone tried and
succeeded…and you don’t know it.
Even if we get the technology right, we still won’t be done. If the
goal of a voting system is to accurately translate voter intent into a
final tally, the voting machine is only one part of the overall system.
In the 2004 U.S. election, problems with voter registration, untrained
poll workers, ballot design, and procedures for handling problems
resulted in far more votes not being counted than problems with the
technology. But if we’re going to spend money on new voting technology,
it makes sense to spend it on technology that makes the problem easier
instead of harder.
This article originally appeared on openDemocracy.com [Schneier on Security]