by Phillip J. Windley and Jay Lepreau
If there was anything that the election of 2000 taught us, regardless of our feeling about the outcome, it was that elections are precarious things, run on unreliable systems using technologies and procedures that left us all shaking our heads. Some people probably felt a computerized system would naturally be better. Computers have fundamentally changed other parts of our lives, so why not voting as well?
The State of Utah has $20 million to spend on developing or purchasing new voting systems. The State's Elections Office recently issued a request for proposals (RFP) for voting equipment. We, along with over a dozen local Computer Science professors and voting experts, sent a formal response citing significant problems (www.utahpolitics.org/docs/vesc_response.pdf). The State seems to be rushing into a momentous decision with potentially disastrous consequences.
One problem is that the RFP contains almost no specific requirements for what the State needs. This invites vendors to push new, unproven, and insecure equipment. In the case of something as important as voting equipment, that is downright dangerous.
Many people expect that fully computerized systems must work better than partially mechanical systems. Ironically, it turns out that electronic machines are among the most error prone! Study after study, from MIT, Caltech, and elsewhere, has shown that only punch cards consistently generate a higher rate of voter error. Old-fashioned paper ballots (those marked with an 'X' and counted by hand) and optically scanned paper ballots counted by machine have the lowest rate of voter error. Researchers don't know the reasons for these results, but the results emphasize the folly of rushing into expensive new systems.
So, fully electronic systems don't make voting easier. What's worse, unless electronic voting machines are constructed in a way that makes them independently auditable, there is no way to be sure that they have correctly counted the vote.
Proponents of paperless electronic voting systems like to paint the issues that we and others raise as "doomsday scenarios." Unfortunately, these scenarios are not unlikely, nor do they require vast, sophisticated conspiracies. Problems as simple as a computer bug or configuration mistakes by election workers could cause errors in recording votes.
The most straightforward way to provide independent auditability is to add what's called a "voter verifiable paper ballot" or VVPB. A VVPB simply records the voter's intentions, allows the voter to verify that the ballot has correctly printed those intentions, and is deposited separately from the voting machine to allow for an independent recount of the election results.
Paperless voting proponents cite the expense of adding printing systems to voting equipment and caution that mechanical printing systems would be subject to frequent breakdowns. Inexpensive, reliable printers are used everywhere in our daily lives. We all insist on a receipt at the grocery store or the bank; why shouldn't we expect the same from our voting systems?
Some people believe that simply recording the vote on two different devices in the voting machine achieves the objective of creating an audit trail, but computer security experts know that this sort of plan is flawed. It's all too easy for the computer program, regardless of how thoroughly it is tested, to record the same mistake in two places. The only way to avoid this is to give the voter control over a permanent copy, on paper, that can be deposited in a separate container for review if needed.
Another objection to VVPB raised by some is that there would be confusion as to whether the electronic or paper version is the official ballot. This is simply absurd, since the problem can be easily solved by designating an official ballot in election rules, with procedures for when the paper ballot would be used.
The consensus of computer and security experts is overwhelming: in a poll of members of the ACM, the premier organization for computing professionals, over 95% of the respondents felt that voting systems should provide a recountable physical record, e.g., paper. On the other side of the issue, by contrast, we hear the same few national "experts" testify over and over again.
We applaud the voting equipment selection committee's efforts to improve Utah's voting system. However, we believe that the result should really be an improvement. Utah must take the time to do the right thing, and benefit from other states' collective experience and research. The state must ensure that our voting system is at least as secure and trustworthy as the financial systems we've learned to trust. Any other course is simply reckless.
Phillip J. Windley is an Associate Professor of Computer Science at BYU and the former CIO of the State of Utah under Governor Michael Leavitt. Jay Lepreau is a Research Professor of Computer Science at the University of Utah.