Asking the Right Questions About Electronic Voting

3
Voting Technologies

3.1 INTRODUCTION

Mechanical devices started to replace hand-marked paper ballots in the late 1800s, and the use of the pointer/punch card system to record votes dates to 1892. Some form of this method remains in use throughout most of the nation today, with as much as a third of the population still voting with punch card systems. By automating vote counting, punch card systems greatly speeded vote tabulation/counting and somewhat reduced the potential for error and fraud as compared to hand-counted paper ballots, but systematic machine error and intentional damage to or tampering with voting or tabulating equipment remained possibilities. (In addition, certain punch card systems may have increased the number of failures to record voters’ intentions because of the poor feedback available on these systems.)

A variety of electronic voting systems have been proposed to further increase the efficiency of election administration and reduce the problems and errors associated with nonelectronic systems. In the public debate, the term “electronic voting system” has been used to refer to a computer-based voting station located in the polling place with which citizens interact directly to cast their ballots—that is, in common parlance, an electronic voting system is an electronic ballot marking system. This report is mostly about electronic ballot marking systems, but will generally use the term electronic voting system in deference to common usage except when the ballot marking function needs to be emphasized. Nevertheless, it is important to note that computer-based systems can and do support the electoral process in at least three other important ways:

- Computer-based voter registration databases. Today, almost all registration is done with such systems; nonelectronic systems are now the exception and they will be essentially nonexistent as of January 1, 2006, if the Help America Vote Act of 2002 mandates for voter registration databases are met.
- Electronic vote tabulation systems. These administrative systems tabulate the individual ballots cast by voters, regardless of how those votes were recorded or indicated. With some types of ballot, these tabulation systems are responsible for determining how the marks on the ballot should be interpreted. Voters generally do not interact directly with tabulation systems.[1]
- Ballot definition systems that determine all of the contests that are relevant to specific precincts. As noted in Section 1.1, ballot definition is often a complex process because the geographical districts associated with specific electoral contests are not identical to precincts, and any precinct may contain several districts. Computer-based systems greatly simplify the administrative task of ballot definition.

[1] In some cases (in particular, with direct recording electronic systems), the ballot marking system incorporates a local tallying function that totals the votes cast on individual stations. The central tabulation facility thus tallies results from individual voting stations.

Even from the brief description above, it should be apparent that computer technology and voting and elections intersected long before the public debate about electronic voting systems came to the fore. But as often happens, the importance and greater visibility of the electronic ballot marking systems that voters use directly have highlighted both the potential problems and the new opportunities—and both problems and opportunities are now at the center of the public debate.

All ballot marking systems are expected to meet a number of different goals. They should be low in cost to purchase, operate, and maintain over their entire life cycle. They should be efficient and secure in their operations to provide accurate counting and produce the fast results required by the press, contestants, and voters. Ballot marking systems should minimize voter errors including overvoting, undervoting, and unintended voting. (In overvoting, the voter indicates more than one choice for a single-choice contest, thus invalidating his or her vote. In undervoting, the voter indicates no choice for a given contest. Undervotes are entirely legal, and there is no way of distinguishing between a voter’s choice to
refrain from voting in a particular contest, an error of omission on the voter’s part, or a vote that a system fails to capture somewhere.) Ballot marking systems should safeguard the secrecy of a voter’s ballot. They also should be easy to use and accessible to all voters regardless of age, language capabilities, physical abilities, or level of experience. Note also that some of these goals may be inconsistent or at least in tension with each other.

When the ballot marking systems in question are electronic, other goals may be added. For example, one might argue that they should be as transparent as possible in their operation, or that they should be resistant to disruptions in service caused by externalities such as power failures, or that they should actively guide voters through the ballot, or that they should intervene to recognize, block, and help users recover from errors. Because experience with electronic voting systems is much more limited than experience with nonelectronic systems, there is less consensus on the relative desirability or importance of any of these goals compared to other goals.

It is easy to see why electronic voting is appealing to election officials. For many jurisdictions, electronic voting promises significant reductions in the logistical burdens of election administration by reducing the volume of paper that must be managed. Electronic transmission of results from the local precinct to the central tabulation authority offers the possibility that election results can be known much more rapidly. Certain possibilities for fraud—in particular, those that were most common in the past with hand-counted paper ballots or mechanical voting devices—are greatly reduced, because the expertise needed for committing such fraud is greater and the media involved are different. Where the voter is using an electronic ballot marking system, the possibilities of voter error may be reduced, as electronic voting machines can be programmed to check for common voter mistakes such as overvoting and because these voting systems can reduce the need for subjective assessments of potential voter intention.

For such reasons, election officials are favorably predisposed toward electronic voting, making it likely that over the long run, electronic voting systems will supplant nonelectronic voting systems. But acknowledging this trend over the long run does not mean that acquisition of such systems should happen before important questions about these systems are resolved. It is in this spirit that the questions of the report are offered.

Electronic voting systems also have unique characteristics from security and usability perspectives. From a security perspective, the complexity of the technology involved means that the expertise required to commit election fraud is greater, as compared with nonelectronic systems. With greater expertise required, fewer people are thus capable of perpetrating election fraud. Moreover, because voting systems are deployed to the field essentially as sealed boxes, possibilities for committing fraud in electronic systems are limited to points of high leverage, such as central storage depots, a vendor’s distribution facility, or the vendor’s software development shop. On the other hand, the magnitude of the fraud possible becomes large under these circumstances—and because electronic voting systems operate on electronic signals rather than with physical documents, the detection of fraud is potentially more problematic.

From a usability perspective, electronic voting systems offer programmable user interfaces. Programmability means that there are many more options for presenting ballots to voters. With many more presentation options, a much higher degree of customization to voter needs or preferences is possible. Programmability also enables more rapid prototyping and testing and easier modification of ballot interfaces. And, appropriately programmed electronic voting systems are also capable of monitoring user behavior and can thus intervene to block certain kinds of errors or to actively help users with interface problems. On the other hand, a large number of options for presenting a ballot means that there are many more possibilities for getting some aspect of the interface wrong, and thus many more opportunities for potential confusion or outright mistakes. In addition, some voters perceive the “disconnect” of the interface from the tabulation mechanism as a potential source of fraud, and so programmable interfaces may contribute to lessened confidence in the voting system.

3.2 ELECTRONIC VOTING SYSTEMS IN USE TODAY

As a baseline for understanding the characteristics of electronic voting systems, consider the traditional paper-based voting system. In this traditional system, voters cast their ballots by marking forms that have the names of candidates printed on them. These forms are tabulated manually and have no computer-assisted error checking. Unlike other types of voting systems, paper ballots can accept different marks on them and still be comprehensible to the human being who reads them. On the other hand, the fact that a human being is involved in tabulation means that tabulation is slow when many ballots must be counted, and also that subjective human judgment is involved in interpreting ambiguous marks on the ballot. When large numbers of voters, multiple languages, and complex ballots are involved, hand-counted paper ballots are especially inefficient.

A second kind of traditional voting system is the lever machine. Such machines are based on the use of a ballot that is posted in the voting booth to indicate the correspondence between lever and candidate or proposition. The vote tabulation in the precinct is mechanical, not computer-assisted, and central counting is not possible. Lever machines prevent one type of voter error—overvotes. Obviously, they cannot be used for absentee ballots. Furthermore, lever machines are no longer manufactured, which contributes to their high overall costs.

These two voting systems—hand-counted paper ballots and lever machines—do not use computers in any stage of the process, although even with these systems, computers—or at least calculators—must be used to tally long lists of numbers. Of course, the introduction of electronics and computer technology expands enormously the options for the design of voting systems.

In the United States, there is a wide diversity of electronic voting systems currently in use. All of these systems use computers to tabulate votes, including systems that are entirely manual from the standpoint of accepting user input.[2] Some systems also use computers as the input device used by the voter for casting a ballot.

[2] Approximately 86 percent of all votes in the 2004 election were counted by computer (all votes except those cast by paper or lever). By contrast, about 29 percent of votes were cast electronically. See Election Data Services, Voting Equipment Summary by Type as of 11/02/2004. Available at http://www.electiondataservices.com/VotingSummary2004_20040805.pdf.

An important distinction in these systems is how the system enables the voter to verify that his or her vote is indeed captured as intended. The revised Federal Voting System Standards distinguish between direct and indirect verification of a vote.

Direct verification is voter verification that is mediated through a human sense, such as vision. That is, the voter’s actual ballot—with votes recorded on it—can be directly viewed by the voter, and his or her votes as recorded can be checked by the voter to see that they are correct without the mediation of any other device. Direct verification thus provides substantial (and tangible) evidence for the voter that his or her vote has indeed been captured by the marked ballot as intended.

Today, direct verification systems are based on punch cards and optical scanning. Punch card systems are based on a physical document ballot and computerized vote tabulation. In one system, the voter uses a stylus to punch holes in the card at the appropriate positions to indicate his or her vote; this system can be used for absentee voting as well. In addition, the most commonly used form of punch card itself does not have names printed on it, and so the correspondence between a given hole and the appropriate candidate must be assured by the proper physical alignment of the card in a holder or bracket. Furthermore, it is virtually impossible for a voter to verify that his marks on this type of punch card correspond to his actual choices without going to a great deal of extra effort to match
the numbers on the punch card with the numbers in the informational booklet for voters. In another, less widely used punch card system, a special device is used to punch holes in a ballot card with the names printed directly on the card. For both systems, multiple punch cards must be used for long ballots.

Optical scan systems (sometimes called Marksense systems) are based on a physical paper ballot on which votes are indicated by the appropriate marks. An optical scanner then reads these marks when the ballot is fed into it, and votes are tabulated electronically. In the most common instances, these marks are made by the voter’s hand (e.g., by using a pencil to fill in an oval or to draw a connecting arrow for each contest). Because marks are made by hand, optical scan systems can be used for absentee ballots. Only a narrow range of ballot marks can be read by the optical scanner, and so a voter may be in the difficult position of not knowing exactly what marks will be read properly by the machine.

For both punch card and optical scan systems, it is possible for voters to cast invalid ballots (e.g., if more than one candidate is chosen for a one-person race), though in-precinct counting at the point of voting can warn the voter that an invalid ballot has been cast (so that he or she may try again). Warnings of undervotes can also be provided.[3] When centralized counting (at the central tabulation facility) is used, opportunities for real-time error correction are lost, although in the case of optically scanned ballots, the jurisdiction can organize a committee to infer voter intent on improperly marked ballots (if permitted by state law).

[3] In practice, warnings of undervotes are often not provided, for two reasons. First, voters have a right to undervote, and so a public indication of an undervote might be regarded as an invasion of a voter’s privacy. In addition, the check for an undervote often slows down the voting process significantly, so election officials often do not activate such a feature.

A further subtlety is that a voter may have directly verified that he or she has marked the ballot as intended, but such a mark may not correspond to a vote that is machine-readable. For example, a voter who circles names on an optical scan ballot when a valid vote is indicated by a filled-in bubble can verify that the correct names are circled, but the votes on the ballot will not be recorded by the scanner.

Indirect verification refers to voter verification that is mediated electronically. That is, the voter’s ballot is recorded on some computer-readable medium and electronically displayed back to the voter for verification. In this instance, the voter must trust that what is displayed for verification is indeed what the system has captured.

The canonical indirect verification system is the direct recording electronic (DRE) system. A DRE system allows the voter to make his or her
choices and, when the voter is finished voting, provides the voter with the chance to verify all the votes cast and then records the votes when the voter takes some affirmative action to finalize the ballot. Indeed, the earliest DRE system could be described as an electronic version of the lever machine: the entire ballot appeared on a single sheet, microswitches lit up when pressed, and voters were required to cast the ballot at the end.

In general, modern DRE systems rely on a display screen to present the ballot to voters. For accepting input, some use touch screens, while others use mechanical selection devices. DRE systems enforce ballot logic in real time at the point of voting, can perform error checking to inform the voter of overvotes and undervotes, and can prevent the voter from improperly marking his or her ballot. Because they are programmable devices, displays and other user interfaces can accommodate a variety of user needs, and DRE systems are thus potentially the systems that are the most usable by people with various disabilities. Unless they are specifically designed to do so, DRE systems cannot be used for absentee voting (but see Box 3.1). If only initial purchase costs are taken into account, DRE systems are among the most expensive of all voting systems on the market, although no one knows what the total unsubsidized cost of ownership and operation of such systems is over their lifetime.

Finally, a number of other electronic voting systems attempt to merge the strengths of both direct and indirect verification. Direct verification has the advantage of being an unmediated interaction between voter and ballot. Because the voter-ballot interaction in indirect verification systems is mediated electronically, such systems can also count ballot results electronically, without the need for human intervention. These combination systems also create the physical record contemporaneously with the casting of the (electronic) ballot rather than creating the records after the polls close from the electronic records stored on the voting device, and many electronic voting skeptics believe that contemporaneous creation provides a high degree of traceability from the voter’s intent to ballots that can be physically counted. With a physical record in hand, vote tabulations can be undertaken in principle repeatedly should they become necessary (e.g., if a recount is necessary).

At the same time, it must be recognized that the mere existence of a physical record of a vote does not guarantee that it can be read unambiguously. Indeed, recall that the dimpled and hanging chads of the 2000 election were associated with a system based on physical records—the punch card. A laser printer that prints documents will eventually run out of toner, and the documents printed near the end of the print run may be faded and unreadable. A thermal fax printer might print a record that fades over time with exposure to light. Such problems can be ameliorated at sufficient expense, but it is unrealistic to assume that they can be eliminated.

Box 3.1 The Secure Electronic Registration and Voting Experiment (SERVE)

In 2004, the Department of Defense (DOD) initiated planning for conducting a prototype-based experiment, the Secure Electronic Registration and Voting Experiment (SERVE), which would have enabled certain American citizens living outside the United States and military personnel and their dependents wherever they were living to register to vote in their local communities (in the United States) and to vote in the elections for those communities.

The system developed for SERVE would have enabled a voter with proper authentication credentials to register to vote, and then to vote, from any modern Internet-connected, Web-enabled Windows-based personal computer. The local SERVE application (downloaded from a secure central server) would have interacted with that central server. The central server would have been responsible for authenticating the voter’s credentials, presenting the correct ballot through the Web browser from the appropriate community, receiving user input representing his or her votes, and transmitting the records of every individual vote cast to local election authorities in the appropriate community. An application running in those communities would then integrate the cast vote records received with votes cast in polling places and by mail.

In its initial form, SERVE was intended to provide electronic registration and absentee voting services for voters in 51 jurisdictions in seven states that had agreed to participate. DOD had expected to serve about 100,000 votes over the course of a 1-year experiment, including both the primaries and the general election. Information obtained from this experiment was to have been used to provide these services in the future to all overseas and military voters and their dependents.

In early 2004, the DOD canceled the SERVE experiment, citing security reasons for its termination.[1] However, in the FY 2005 Defense Authorization Bill and taking note of security issues, Congress directed the DOD to try again, after the Election Assistance Commission promulgates guidelines for electronic absentee voting and voter registration.

[1] An analysis of the security of SERVE can be found in David Jefferson et al., Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE), January 20, 2004, available at http://www.servesecurityreport.org/.

An example of a combination system might be an electronic voting system that prints a properly marked optical-scan paper ballot. The electronic part of the system would be indirectly verified (and processed entirely electronically), while the printed optical-scan ballot can be counted using the techniques used for all optical-scan voting systems. Box 3.2 describes another example that is more commonly discussed—the voter-verified paper trail.

Table 3.1 provides a summary comparison of voting technologies in use today.

3.3 THE LARGER CONTEXT

In practice, public debate over electronic voting has devolved into an argument over the technical security of voting systems and whether or not a paper trail to facilitate election auditing is desirable from a public policy perspective. While these issues are important, there is a broad range of end-to-end issues, from the point of capturing the voter’s intent to assuring an accurate final tabulation of votes. These issues are themselves embedded in a larger electoral system that includes matters such as voter registration databases, election planning and administration, procurement of election systems, and so on. Thus, the issue of accuracy of vote counts has to be examined in the context of the entire electoral process. Put differently, challenges to election quality cannot be tied to just one potential problem whose solution would result in a near-perfect election process but rather are the result of the cumulative impact of many potential failures large and small, including human error, equipment snafus, procedural miscues, and so on.

The remainder of this report is devoted to articulating important questions about and related to electronic voting systems in this broader context and explaining why those questions are important.

Box 3.2 On the Voter-Verified Paper Audit Trail

In 2004, the notion of the voter-verified paper audit trail (VVPAT) took center stage in the public debate over electronic voting. Indeed, the debate came to be framed in terms of whether one was for or against the VVPAT.

A VVPAT consists of physical paper records of voter ballots as voters have cast them on an electronic voting system. In the event that an election recount or an audit is called for, the VVPAT provides a supporting record. The “voter-verified” part of the VVPAT refers to the fact that the voter is given the opportunity to verify that the choices indicated on the paper record correspond to the choices that the voter has made in casting the ballot. Thus, the result of an election is an electronic tally of the votes cast and a paper record of the individual votes that have been cast. If all has gone well in the election, the electronic tally and the paper record correspond exactly.

The argument for the VVPAT is based on the fact that in the absence of a physical and enduring record, vote records stored electronically have an inherently uncertain lineage, because a record written fraudulently is indistinguishable from one written legitimately. The concern expressed by advocates of the VVPAT is usually focused on security—that the uncertain lineage of electronic records presents many opportunities for fraud that are not present when nonelectronic voting systems are used. Thus, because the voter himself or herself creates a physical record that can be used if the legitimacy of the electronic tallies is called into question, meaningful recounts and audits become possible that can discern the intent of voters in an election.

For a VVPAT to be an effective tool for assuring the integrity of an election, the VVPAT must always be checked against the electronic tally in some voting stations. How many checks are necessary is a statistical sampling issue that depends on the confidence level that election officials require for asserting that no fraud or anomalies within a certain specified error margin have occurred. In the event that this random statistical check suggests that fraud or anomalies may have occurred, or that discrepancies have no reasonable technical explanation, a paper-based recount of all voting stations and/or further investigation may be required.

Some critics of the VVPAT argue that for those elections in which the paper trail is the authoritative record, tallying the vote based on the paper record will entail all of the problems that have plagued paper-based elections over the years. In particular, they argue, there is an ample historical record that documents the vulnerability of paper-based vote counts. Other critics argue that the voter verification dimension of the VVPAT compromises the ability of a blind voter to obtain a secret and independent verification of his or her ballot. Critics also express a variety of concerns about the reliability and additional costs of VVPAT-equipped systems.

In 2001, only two states had a paper ballot requirement. As of this writing (July 2005), a total of 36 states and the District of Columbia have either adopted legislation requiring VVPATs or have such legislation pending. However, whatever one thinks of the arguments for or against a VVPAT, it is indisputable that the debate has been carried out in the absence of substantial empirical data about how a VVPAT would actually work in the context of direct recording electronic systems. Thus, the impending deployments and expected use of VVPATs in the future provide an important opportunity to test the arguments for and against its use. Some research questions about VVPATs are described in Section 6.8.

NOTE: For arguments that favor the adoption of VVPATs, see David L. Dill, Testimony to the Senate Committee on Rules and Administration, June 21, 2005, Hearing on Voter Verification in the Federal Election Process, available at http://www.verifiedvotingfoundation.org/downloads/Dill%20Statement.pdf. For arguments against the adoption of VVPATs, see League of Women Voters of the United States, Questions and Answers on Direct Recording Electronic (DRE) Voting Systems and the Proposal to Require a Voter-Verified Paper Trail (VVPT), available at http://www.lwv.org/join/elections/HAVA_QAonDRE.pdf, and Jim Dickson, AAPD Policy Statement on Voter Verified Paper Ballots, available at http://www.aapd.com/dvpmain/elreform/aapdballots.html.
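Box 3.2 leaves "how many checks are necessary" as a statistical sampling question. The following added example (not part of the report) sizes a random spot check of voting stations for a chosen confidence level and then reconciles electronic tallies against paper counts for the sampled stations. It assumes a simple random sample without replacement and an assumed number of discrepant stations; all function names, station IDs and tallies are constructed.

```python
# Added example, not from the report. Station IDs, tallies and the assumed
# number of discrepant stations are constructed for illustration.
import random
from fractions import Fraction


def stations_to_check(total, bad, confidence):
    """Smallest simple random sample (without replacement) of voting stations
    that includes at least one of `bad` discrepant stations with probability
    >= confidence. Exact hypergeometric calculation."""
    if not 1 <= bad <= total:
        raise ValueError("bad must be between 1 and total")
    target_miss = 1 - Fraction(str(confidence))
    if not 0 < target_miss < 1:
        raise ValueError("confidence must be strictly between 0 and 1")
    miss = Fraction(1)  # P(a sample of size n contains no discrepant station)
    for n in range(total + 1):
        if miss <= target_miss:
            return n
        # Extend the sample by one station that again happens to be clean.
        miss *= Fraction(total - bad - n, total - n)
    return total


def reconcile(electronic, paper):
    """Compare one station's electronic tally with the hand count of its paper
    records. Returns {choice: (electronic, paper)} for every mismatch."""
    mismatches = {}
    for choice in sorted(set(electronic) | set(paper)):
        e, p = electronic.get(choice, 0), paper.get(choice, 0)
        if e != p:
            mismatches[choice] = (e, p)
    return mismatches


def spot_check(electronic_by_station, paper_by_station, bad, confidence, seed):
    """Select stations at random and reconcile each one.
    Returns (stations_checked, {station: mismatches})."""
    n = stations_to_check(len(electronic_by_station), bad, confidence)
    # Assumption: the seed is fixed only after the electronic tallies are
    # published, so nobody can know in advance which stations get checked.
    rng = random.Random(seed)
    chosen = sorted(rng.sample(sorted(electronic_by_station), n))
    findings = {}
    for station in chosen:
        diff = reconcile(electronic_by_station[station],
                         paper_by_station[station])
        if diff:
            findings[station] = diff
    return chosen, findings


if __name__ == "__main__":
    # Constructed election: 100 stations, identical electronic tallies.
    electronic = {f"S{i:03d}": {"A": 120, "B": 95} for i in range(100)}
    paper = {s: dict(t) for s, t in electronic.items()}
    # Constructed anomaly: paper records at 5 stations disagree by 10 votes.
    for s in ("S007", "S021", "S048", "S066", "S090"):
        paper[s] = {"A": 110, "B": 105}

    checked, findings = spot_check(electronic, paper, bad=5,
                                   confidence=0.95, seed=20041102)
    print(f"stations hand-checked: {len(checked)} of {len(electronic)}")
    if findings:
        # Box 3.2: a discrepancy may call for a full paper recount and/or
        # further investigation.
        for station, diff in findings.items():
            print(f"{station}: electronic vs paper {diff}")
    else:
        print("no discrepancy in the sampled stations")
```

With 100 stations and an assumed 5 discrepant ones, 95 percent confidence requires hand-checking 45 stations; if only a single station is assumed discrepant, the same confidence requires 95.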

TABLE 3.1 Comparison of Voting Technologies in Use Today

| Method | Percentage of Voters Using | Percentage of Counties/Towns Using | Name Printed on Ballot? | Tabulation | Error Checking | Central or Precinct Counting | Absentee Ballot Use | Acquisition Cost | Problems |
|---|---|---|---|---|---|---|---|---|---|
| Paper (hand-counted) | <1 | 9.6 | Yes | Manual | None | Depends | Yes | Low | Inefficient and complicated for large numbers of ballots |
| Punch card | 13.7 | 11.3 | No | Computer-assisted | Yes | Precinct | Sometimes | Low | Hanging chad problems |
| Optical scan | 34.9 | 45.9 | Yes | Computer-assisted | Yes | Precinct or central | Yes | Medium | Requires a companion system for voters with disabilities |
| Lever | 14.0 | 8.5 | n/a | Mechanical | Some | Precinct | No | High | No longer manufactured |
| DRE | 29.4 | 20.0 | Yes | Computer-assisted | Yes | Depends | No | High | No direct verification |
| Other | 7.4 | 4.8 | | | | | | | |

NOTE: Data presented are for November 2004.

SOURCE: Election Data Services, Voting Equipment Summary by Type as of 11/02/2004. Available at http://www.electiondataservices.com/VotingSummary2004_20040805.pdf. A version of this chart was presented to the committee by Eric Fischer, of the Congressional Research Service.