This article appears by the permission of the Steering Committee of the League of Women Voters of Winchester, MA. It may be reproduced in any publication of the League of Women Voters, including local League Bulletins and state League Voters, as long is it is reproduced in full, including this paragraph. Copyright ©, League of Women Voters of Winchester, MA, March 2004.
Direct Recording Electronic Voting Systems
Direct Recording Electronic voting systems are coming no later than 2006. Among the provisions of the recently passed HAVA (Help America Vote Act) is a requirement that every polling place be equipped with at least one voting booth where a blind person can cast a secret ballot. Today blind persons can vote only with the help of a trusted person with sight. The Direct Recording Electronic voting system, the only voting system certified today that can enable the blind to cast a secret ballot, is controversial because of its vulnerability to software errors and election fraud.
Direct Recording Electronic Systems
A DRE (Direct Recording Electronic) voting system consists of a computer with a touch-screen monitor, a permanent storage medium such as a write-once memory card, software, and, in some systems, a ballot printer.
The computer is much like a home computer. A touch-screen monitor allows the user to touch a marked spot on the monitor surface with his finger, thus entering data as if the screen were a keyboard; you have seen one if you have ever used an Automatic Teller Machine.
The software consists of two parts:
1) An Operating System that supports the voting software and directly controls the monitor, the permanent storage, and any other device that forms part of the computer system.
2) The voting system itself, which runs as an application on the Operating System. It manages the user interface, guards against certain user errors – e.g., it refuses to accept a vote if the user votes for more candidates than there are offices to be filled – and records the vote of each user on the user’s command. The voting system also counts the votes and records the counts, or else cooperates with a central computer to produce these results.
The ballot printer, if there is one, produces a document that may look like a ballot; it shows the choices made by the user. After the user has examined it, he may direct the system to record his vote or he may ask for another chance to vote. When the voter has made his choice, the system disposes of this document in one of a number of ways, which will be described later. Most of the DRE systems installed in the United States today do not have these printers.
Other Voting Systems
Other commonly used voting systems with which the DRE system must be compared are the hand-counted paper ballot, the lever machine, the punched card system, and the optical scanning system. Any system without an audit trail does not allow a recount.
The hand-counted paper ballot is the oldest of these voting systems. It is expensive and prone to error and fraud because the counting is done by people, not machinery, and people are not as good as machines for accuracy in simple, repetitive tasks. Stories of missing ballot boxes and other villainy are almost characteristic of this voting system, but at least the ballots themselves constitute an audit trail. It is also prone to voter error because it cannot detect over-voting and it can be abused by creating ballots that are difficult to read, like the butterfly ballots used in the 2000 Florida election. Few Massachusetts jurisdictions now use hand-counted paper ballots.
The lever machine is familiar to those who have voted in Winchester several years ago. It is easy to use, it can prevent certain user errors such as over-voting, and it automatically counts the votes cast on each machine. It is not strongly subject to fraud. On the other hand it is hard to maintain and not completely reliable in operation, and it leaves no audit trail to support a recount; all that can be recounted is the accuracy with which election officers copy the results from each machine and the correctness of their arithmetic. Lever machines are being gradually replaced in most parts of the United States; few towns in Massachusetts have them now.
The punched card system is infamous for its behavior in Florida in the Presidential election of the year 2000. Its defects as a means of recording votes are inherent; they can be eliminated only by replacing the machines, as is being done throughout the United States. None are used in Massachusetts.
The optical scanning system is used for all elections in Winchester. The voter fills in an oval beside the name of the candidate or the text of the ballot question for which he wishes to vote. The counting is done by an optical scanner incorporated in the ballot box, so people do not directly count the ballots; thus, it is not very vulnerable to error and fraud. The ballots themselves constitute an audit trail. In spite of the extra cost of printing ballots on special paper, it is cheaper and more accurate than the hand-counted paper ballot. The scanner can be programmed to cast out for hand counting the ballots that are marked in a way that the scanner cannot interpret; it can also be programmed to detect such voter errors as over-voting and to reject an invalid ballot while the voter is still present and can receive a new ballot. It is possible to prepare a confusing ballot, but the limitations of the scanner are a constraint. Experts like Prof. Steven Ansolabehere of MIT prefer optical scanning among today’s available technologies.
DRE’s are strongly subject to the risks described below. The optical scanning system is also programmed and therefore in principle subject to these risks, but in practice today does not seem to exhibit their ill effects.
No matter what the precautions, errors are inevitable in computer programs; they are especially prevalent in programs that perform complex functions or can have a large variety of inputs. Simple programs, like the Basic Input-Output software in most personal computers, can be brought to a sufficient state of reliability to be embodied, as is customary, in read-only memory chips. In more complex software, the frequency and severity of errors can be greatly reduced by the special techniques used for trusted code and described at the end of this article, but because of the complexity they cannot be wholly eliminated.
An error can occur in the Operating System or in the Voting System. An error in the Operating System will usually bring the whole thing to a halt, so it will not go undetected. The record of votes already cast may be recoverable and it may not. A flaw in the Voting System is most likely to produce an undetected error in the record of votes cast by attributing a vote to the wrong candidate, by losing it altogether, by actually subtracting it from the existing total of some candidate, or by compromising the secrecy of the ballot.
Unless the precautions described below in the section on trusted code are followed, the Voting System is subject to fraudulent programming, and no DRE system on the market today follows these precautions. Fraudulent programming can compromise the record of votes cast in the same ways as an error can, but in a systematic way that favors one or more candidates or ballot questions.
Fraud may be committed by an election officer, by a hacker invading the system, or by the programmer writing the system. It is difficult for an election officer because there are always a great many people watching what goes on in the polling place. The voting program can readily be corrupted by a hacker if the system is connected to an outside network; it is even easier if this network is the Internet, especially with a high-speed connection. But the most likely source of fraudulent code is the original programmer, because he has unlimited and unquestioned access to the program.
Detection and Correction
The DRE system, in the absence of the optional ballot printer, leaves no audit trail, so error detection completely depends on suspicious patterns, such as a negative number of votes for a candidate or more total votes than the number of voters in the precinct; both these errors have occurred in real elections.
A less conclusive way of catching errors is to observe statistically unlikely patterns of voting. For example, a candidate trailing by far in the polls just before the election may win by a landslide; an exit poll may show a discrepancy with the recorded vote; or the totals for some minor candidates may be unexpectedly large. Statisticians may be confident that something is wrong in these cases, all of which have occurred in real elections, but it is hard to convince courts or the public in any particular case.
As for correction, recounts are impossible in the absence of the optional ballot printer, because there is no audit trail.
Advantages of DRE Systems
The main advantage of the DRE system is that it can be configured with audio and tactile signals so that a blind person can vote without a sighted person in the voting booth. Thus it is the only system known today that allows a truly secret ballot for the blind. HAVA requires this capability in at least one voting booth in each precinct, although not in the year 2004. The DRE user interface can also be configured so as to be friendly to persons with other disabilities.
For all voters DRE systems have the advantage of detecting voter errors and omissions, informing the voter and refusing to cast the ballot until it is error free. DRE machines can easily be configured to handle different candidates or even different arrays of offices for different polling places and even for different voting booths in one polling place, saving much time, effort, and infuriation in places where several jurisdictions overlap in one major voting jurisdiction. They can even be set up so that the voter can choose one of a large number of languages right in the booth.
If the DRE system were not prone to error and vulnerable to fraud, it would have other advantages because it is computer-based. It can count the votes in each booth and, if it is connected to the warden’s computer, the votes of the entire precinct can be counted automatically. If the warden’s computer is connected to the Town Clerk’s, the totals for the whole town can likewise be automatically accumulated, and so on to the state level, omitting the error-prone manual accumulation of totals.
Access versus Security
According to the seemingly non-negotiable position of The American Association for People with Disabilities, the ballot printer, by its very presence in the voting booth, constitutes discrimination against the blind, who cannot read its output, and against those with certain other disabilities; it is therefore in violation of HAVA. The Association will accept only an audio report of the user’s vote before it is recorded, with no paper trail, and seems little perturbed by vulnerability to undetected error and fraud as long as the disabled are on the same plane as everyone else.
A further objection to the ballot printer is that the voter may take the “receipt” out of the polling place, thus destroying the secrecy of the ballot. In the system as originally proposed, the voter sees the printed ballot but cannot touch it; as soon as the voter’s decision is made, the ballot goes directly into a locked box; it is not a receipt at all. The original proposal for the ballot printer makes the printed ballot the official ballot that is counted, and any results provided by the DRE system itself are merely provisional. Usually, however, the DRE system quickly and cheaply provides the official count; the paper ballot, because of the cost and vulnerability to errors of counting, is merely an auxiliary, a trail for sample audits and recounts.
The other side of all this, of course, is made up of the risks to error and fraud that are cited above and supported in detail below. The ballot printer, with its verification by the voter and the audit trail it provides, does not make the DRE system invulnerable, but it closes a giant hole in its defenses.
The electronic voting industry is dominated by only a few corporations – Diebold, Election Systems & Software (ES&S), and Sequoia; Diebold and ES&S combined count an estimated 80% of U.S. DRE votes. Bob and Todd Urosevich founded ES&S’s originator. Bob now heads Diebold Election Systems, and his brother Todd is a top executive at ES&S. Thus, the brothers Urosevich figure in the counting of approximately 80% of electronic voting in the United States.
Walden O’Dell, chief executive of Diebold Inc., wrote, “I am committed to helping Ohio deliver its electoral votes to the president next year.”
Evidence of Malfunction
Ohio’s review of DRE machines turned up so many potential security flaws that the state’s top elections official called off deploying them in the March elections. The machines of all the companies selected during Ohio’s extensive certification process – Diebold, Sequoia, Hart InterCivic, and ES&S – were found to carry risks. Among the findings:
Voter “smart cards” could be deciphered or counterfeited and used to cast illegal votes.
Passwords could be easily guessed. Diebold, for example, had a single password, 1111, nationwide, and investigators were able to guess it in two minutes.
Election results could be intercepted during transmission and decrypted.
There were many ways by which someone without the proper authority could enter the systems – with the flick of a switch or the use of a laptop PC – and change results.
Early this year Bev Harris, author of “Blackbox Voting” found Diebold software – which the company refuses to make available for public inspection, on the grounds that it’s proprietary – on an insecure computer. The software was in a folder titled “rob-Georgia.zip.” Diebold software was found unreliable and subject to abuse by researchers at Johns Hopkins and Rice Universities. A report for the state of Maryland apparently reached similar conclusions, as suggested by a heavily censored version released by the state. Leaked internal Diebold e-mail suggests that corporate officials knew their system was flawed and circumvented tests that would have revealed these problems. The company hasn’t contested the authenticity of these documents, but it has tried to prevent their dissemination by legal actions against Bev Harris.
During the California recall election, some candidates in Tulare county, California who could not affect the result were getting unusually large numbers of votes. A researcher therefore examined vote totals, in California counties that use Diebold machines, when 96% of precincts had reported, using the election results from the secretary of state’s website. When the vote for each candidate in Tulare county is ranked by the percentage of that candidate’s state-wide total, the variance from an even distribution at the top of the list is slight. Many lower-ticket candidates, however, have vote totals that only correlate with the use of Diebold equipment, being higher than those of other lower-ticket candidates. The candidates with skewed results are not residents of the counties where they got very high percentages. It seems as if something is moving votes from high-ranking candidates to low-ranking candidates, keeping the total number of votes constant while robbing some candidates.
Rush Holt’s Bill
Representative Rush Holt (D-NJ) has introduced a bill, HR 2239, calling for each DRE machine to produce a paper record that the voter verifies. It requires that such verified voting be ready in time for the 2004 election – and that districts that can’t meet the deadline use paper ballots instead. And it also requires surprise audits in each state. An identical bill, S. 1980, has been introduced in the Senate by Sen. Bob Graham (D-FL).
The League of Women Voters of the United States has taken a firm position in opposition to any requirement for a voter-verified paper ballot or audit trail and is actively lobbying for its position. The main justification is: “The VVPT system requires the voter to verify the written paper ballot, which historically disenfranchised voters will find difficult to do if they cannot see or if they have difficulty reading the paper verification.” The details may be found on two pages at the LWVUS web site:
The formal position, which is hard to find from the League’s home page:
An attempt to discredit concerns about fraud:
The Conference in Boston
On February 28, 2004, the author attended the conference “Electronic Voting in Massachusetts: Problems and Prospects.” It was jointly sponsored by the LWV of Massachusetts, the Massachusetts ACLU, Suffolk University Law School, and other organizations dedicated to good government and civil rights, as well as technical organizations. The conference leaders were Carol Rose, Executive Director of the Massachusetts ACLU, and Madhu Sridhar, President of the Massachusetts League. The speakers and panelists included many distinguished computer scientists, lawyers, political scientists, and advocates for civil rights and for the disabled. Indeed, it was a gathering of eagles.
The conference was intended as an exchange of information and viewpoints, not as a road to consensus, and so it was. The advocates for the disabled were firmly opposed to the voter-verified paper audit trail and in favor of rapid introduction of DRE voting everywhere. Everyone else seemed to believe that a good deal of time is needed to get the kinks out of DRE voting machines. People for whom accurate, honest voting is important strongly favored the voter-verified paper audit trail, as well as an insistence on certain elementary changes in the way the DRE software is specified and written. Many in the audience favored a requirement that DRE software be written by a non-profit group with open-source code and careful auditing.
Open Source Code
All vendors of DRE voting systems maintain that the code of the Voting System is a trade secret. They will allow only reviewers they have chosen to see the code, and so far none of these chosen reviewers has been well enough qualified as a code inspectors to detect subtle errors and fraudulent code. It was a recommendation at the “Electronic Voting in Massachusetts” conference that purchasing officers buying DRE systems for their jurisdictions require all software to be open to inspection by inspectors chosen by the buyer. Although open code does not assure that the DRE system is free of error and fraud, it closes another giant hole in its defenses.
It is possible to reduce the likelihood of errors and fraud to a very low level through the technique of trusted code. This technique was developed by the Department of Defense for computer systems that handle classified information. There are many requirements relating both to the nature of the code (e.g. suspicious subroutines) and to the manner in which it is created (e.g. code inspections, version control). These requirements are described in the Orange Book. This standard has been superseded, but is still cited by the National Institute of Science and Technology as the basis for newer standards.
It will take a major change in the atmosphere surrounding DRE development for the manufacturers to submit to the strictures of the Orange Book or a similar, more modern standard, and then years of development to carry out the requirements, before trusted code can be available.
. Bob Fitrakis, The Columbus Free Press, February 25, 2004
. Paul Krugman, “Hack the Vote,” The New York Times, December 2, 2003
. Article in The Cleveland Plain Dealer, December 3, 2003
. Paul Krugman, “Hack the Vote,” The New York Times, December 2, 2003
. An unknown correspondent, as reported by Steve Chessin, LWV Los Altos – Mountain View Area (CA)
. Paul Krugman, “Democracy at Risk,” The New York Times, January 23, 2004
 “Department of Defense Trusted Computer System Evaluation Criteria,” Department of Defense Standard DOD 5200.28-STD, December 1985.