Published: June 09, 2006 01:12 pm
Electronic voting requires paper records
By JACK CARROLL
The recent primary elections gave Pennsylvania voters a preview of new voting machine technology – touch-screen and optical-scan ballot machines – that could be available for the midterm elections in November. News accounts have suggested that voters and some local election officials appeared to endorse the technology: The voting machines were perceived as easy to use and, as some county officials say, “the way of the future.”
New voting technologies offer approaches to known risks. We need alternatives to error-prone punch-card ballots and hanging chads. But new technologies always entail new risks. We need to understand those risks in order to protect both the voter’s privacy and the voter’s vote.
All information systems are susceptible to tampering, whether from outsider hacking or insider data fraud.
Reports of tampering are in the news more or less every week. As with Microsoft’s unending security problems, electronic voting systems won’t be immune to tampering.
Indeed, a security hole for Diebold optical-scan voting machines was demonstrated last year (www.blackboxvoting.org/BBVreport.pdf).
Other voting machine security flaws also have been reported. When American election outcomes are worth billions of dollars, there is no question that it will be worth somebody’s time to tamper with voting equipment.
The challenge, then, is how to mitigate these risks – that is, to make it easier to detect tampering and more feasible to recover when tampering is detected. Creating concomitant, duplicate records, such as paper receipts or off-site electronic backups, contributes to this by creating a record external to the machine for cross-checking results.
When electronic voting systems are configured to not produce concomitant voting records, such as paper receipts, it becomes difficult, and in some cases impossible, to detect tampering, or, if tampering can be detected, to remediate the tampering through a recount. Why? Simply because nothing was ever produced to recount.
I see a dangerously skewed sense of risks here. The feeling of security about touch-screen systems, for example, might be attributable to the very fact that nothing tangible is produced: No piece of paper for bad people to steal or alter.
The vote must be going straight into the computer; where else could it go? But this analysis gets things exactly backward. When nothing auditable is produced, there is no way to tell what was recorded inside the machine, and no way to ensure that whatever was recorded will not be changed subsequently.
I find it peculiar, and technologically naive, that the state of Pennsylvania has taken the position that producing a paper voting receipt compromises voters’ privacy rights. There is no requirement that a voting receipt would have to include identifying information about the voter. The receipt only has to include information about the vote, so that the voter can verify that what the machine recorded was what the person intended, and information to establish the authenticity of the receipt itself.
This is sufficient to enable a recount if one were ever required. And we know from history that someday, somewhere, a recount will be required.
With the specter of the Florida voting irregularities still so vivid in our minds and so threatening to our democracy, we should approach decisions about the next generation of voting technologies very carefully. To protect our interests, local election officials should engage information technology advisers to help them act in the public’s best interests. Good intentions are not enough.
Jack Carroll is the Edward M. Frymoyer Professor of Information Sciences and Technology at Penn State.