MSNBC posted a story with video about an electronic touch-screen voting machine changing a clear selection for one US presidential candidate into (at least apparently) a vote for another. This pretty well lays the groundwork for the reasons electronic voting is a bad idea.
There are all kinds of great things we can do — and do better — with electronic systems than with traditional pen and paper. Many of these are highly sensitive jobs with a lot of time, money, personal, professional, or national interest at stake. Finance, health care, even launching nuclear missiles are all better and more reliable thanks to electronic automation.
Voting isn’t.
I recently got a call from my Visa card’s issuing bank asking if I’d just spent $1600 at an Apple store in Belgium. Since I’ve never been to Belgium (and haven’t been to Europe in more than twenty years), I was confident the answer was no. They were able to reverse the transaction and save me from the fraudulent use of my credit card.
That can’t happen with electronic voting. There are two reasons.
Voting is anonymous
Systems which process sensitive transactions rely on strong identification of the participants in those transactions. Am I really the owner of this bank account, this health record? Confirmation that I am authorized to perform an action is essential to the transaction — not just of entering it, but of auditing it afterwards. Consider the Visa example. Someone had a fraudulent copy of my credit card in Belgium. It was sufficiently good (or they were in cahoots with a store employee) to allow a transaction to proceed. That was a failure in authenticating the card holder. That’s bad for Visa (who makes it bad for the merchant). It wasn’t bad for me, though, as Visa’s process to verify the transaction confirmed that I had not participated.
Identification + Audit = Security (before and after the fact)
Votes must be separate from voting systems
My vote is the record of my intent at the polls. The system which records my vote is an accounting system which tracks those records. In all-electronic voting, you can’t separate those, as my use of the voting system is direct input into the accounting system. There’s no paper trail to fall back on. A failure of the accounting system is a failure of the record itself — as you can see in the video linked above.
There are all kinds of ways that system can fail:
- A programming error — and there are always programming errors
- Deliberately malicious programming intended to manipulate voting records. In large complex systems (like, say, voting machines) these can be very difficult to detect
- Manipulation of the voting machine by a knowledgeable user to modify voting records (over count, under count, change totals, etc.) This is typically related to programming errors, but the effect is at the “counting” end rather than the “voting” end
Programmers and security experts can do a lot of neat tricks to minimize these issues, but they can only reduce them. And because the record of the vote is created by the potentially compromised system, it can be very difficult, if not impossible, to detect the nature of the error or manipulation.
Compare that to paper votes. My home state of Minnesota uses paper bubble forms which are scanned on submission. This is widely regarded as one of the most reliable ways of conducting elections. I fill out my paper form and feed it into the scanner, which tallies my vote. Simple and fast.
When everything works, it works as quickly and as well as all-electronic voting.
And then there’s a recount.
They run the ballots back through the scanners (maybe the same scanners, maybe different ones) and get another total. They can compare objective results. They can count by hand if necessary (though, personally, I think that’s less likely to be reliable than by machine, but that’s a different discussion).
In all cases, the integrity of my original ballot is maintained. The only way that changes is catastrophic failure of the scanner which destroys the paper, in which case the failure is limited to a single vote lost, or malfeasance of an election judge who modifies my ballot. In that case, the scope of their bad actions are more easily limited. It’s hard to modify a large number of paper records in a room full of skeptical onlookers (and opposite party judges) than it is a large number of electronic records. With the right system failures, those can be changed with the touch of a button.
With credit cards, paper slips are still a last-line guarantee in some cases. I disputed a charge made at an out-of-state florist. I’d never used it, nor had my wife, and neither of us were in that state at that time. Visa requested a signature slip from the merchant, who couldn’t provide it. Problem solved, for me anyway. The integrity of my system was maintained. Nobody was able to misappropriate my money (or vote).
That can’t work in an anonymous voting system. It would be like trying to verify credit card transactions without knowing the card numbers, the shoppers, or the authorization codes. There’s no way to distinguish between legitimate and illegitimate votes. That may be true of paper as well, but the scale on which electronic votes can be manipulated isn’t contained by physics/observability as it is with physical votes.
With electronic transaction systems where you only get one shot per participant, you need to contain errors. You can’t do that if you can’t separate the record from the accounting system. You can’t do that if you can’t provide limits on the scope of record modifications. Cryptographers and computer scientists can do really cool things to contain those problems, but they can’t change the fundamentals.
Electronic systems are really bad at both of the main jobs we need voting systems to do.
