E-Voting Is Very Different From E-Banking
from the paper-trail dept
Catching up on my reading, I recently came across this post from the University of Chicago’s Saul Levmore about the merits of touchscreen voting. Levmore thinks that “the future is surely with the touch-screen or some other form of online voting.” Levmore doesn’t go into any detail about why he thinks this; I assume he’s simply not familiar with the many e-voting problems we’ve covered here at Techdirt. He may not know, for example, that voting machines are susceptible to viruses that can allow a single person to corrupt every machine in a county or even an entire state. Levmore makes an interesting analogy to automatic teller machines. He points out that we’ve been using ATMs without any serious problems for decades, and wonders why we can’t use the same technologies for voting machines.
What Levmore is missing is that the security model of an ATM is totally different from the security model of a voting machine. The most important line of defense against ATM fraud is not the machines themselves, but the fact that they produce a lengthy paper trail. If a hacker breaks into a bank’s network and transfers funds from someone else’s account to his own, two important things will happen. First, the victim will notice an unauthorized transaction and complain. And second, the perpetrator will need to pick up the money somehow, which will create a paper trail that will help the police find him. For example, a hacker trying to physically steal the cash from an ATM has to be physically present to pick up the cash, which increases the risk that he’ll be caught in the act — especially if he tries to knock off several machines in a row. It is the likelihood that fraud will be detected and punished, not the inherent unhackability of the machines themselves, that makes ATMs secure. In contrast, nobody knows what the “right” election outcome is supposed to be, so there’s no one in a position to object if the results get altered. And because peoples’ votes have to be kept secret, voting machines can’t create the same kind of personally-identifiable paper trails that ATMs do. Unlike stolen cash, a stolen election doesn’t need to be physically delivered to the beneficiary, so there’s no way to trace the loot to find the perpetrator. That means that even if election fraud is detected, there’s not going to be any straightforward way to figure out either who did it or what the result should have been. We can be pretty sure, for example, that something went wrong in the 2006 election in Sarasota County, but we have no way to be sure if foul play might have been involved or if (as seems more likely) the software was just flaky.
There’s a more fundamental issue that should be especially familiar to the folks at the University of Chicago: banks have much stronger incentives to get things right than election officials. If a criminal succeeds in knocking off an ATM machine, the bank that owns that ATM machine stands to lose a lot of money. As a result, the bank has a strong incentive to take the steps necessary to secure the ATM, or to not deploy the ATM at all if it thinks that securing it would be too difficult. Banks have both the incentives and the resources to hire computer security experts to advise them on fixing potential problems with their ATM machines. In contrast, state officials have only a weak incentives to get voting machine security right. A stolen election will be a rare occurrence even with insecure voting machines, and if it does occur, state officials can easily shift blame to other people — county election officials, vendors, poll workers. It’s not surprising, therefore, that states have rushed to deploy electronic voting systems that virtually every computer securit expert on the planet says are insecure. Without strong accountability, election officials tend to be swayed by the superficial impression that computerized processes are inherently better than older technologies, or even by lobbying by voting machine vendors. Peoples’ opposition to e-voting is not, as Levmore seems to think, a result of knee-jerk opposition to new technologies. It’s a recognition that the e-voting problem is much harder than is generally supposed, and it’s better to err on the side of caution until e-voting technology has had a chance to mature.
Filed Under: e-banking, e-voting, saul levmore
Comments on “E-Voting Is Very Different From E-Banking”
and yet somewhat similar....
Why is it very, very important that ATM machines have an auditable paper trail (and effectively human verified, because if the paper trail did not consistently match the actual transactions it would be noticed fairly quickly), but voting machines do not?
This has always seemed very odd to me. Especially where the same company makes both types of machines.
Re: and yet somewhat similar....
Because that sort of paper trail would violate the secret ballot.
Re: Re: and yet somewhat similar....
Because that sort of paper trail would violate the secret ballot.
Electronic voting machines can generate paper trails that do not violate the secret ballot. Secret ballots are intended only to keep how an individual voter voter secret, not the vote itself. The real reason paper trails on electronic voting machines are resisted is because it makes it harder to rig elections.
Re: and yet somewhat similar....
Because that sort of paper trail would violate the secret ballot.
Re: and yet somewhat similar....
One important additional different between a voting machine and an ATM that cannot be corrected with more paper is that a vote record *cannot* link the voters identity to the vote cast, lest vote buying or vote coercion become possible. ATMs link every transaction to an account very clearly.
Scantron
They should really base it more on the Scantron system. That way there is a punch card or something to go back to incase of questions of the validity of the election.
Hell, since the punchcard is apparently “too difficult” for the common man to use keep the touch screen idea so you click a button with the person’s name next to a picture of the person.
THEN have it spit out the punch card so you can verify you got who you wanted. No hole by the name of the person you voted for? Scream about it because your vote is being manipulated.
Then just have a slot to dump the scantron form in, preferably a seperate unit just for counting the votes.
Then once the Polls are closed transmit the results to a central repository (say in Washington DC, since that’s the national capitol) and ship the paper version (via the US Treasury Deparment) to wherever they keep that stuff now/before (probably in the local State capitol).
Congrats, electronic voting with a paper trail for backup and audit purposes. When the time rolls around again for the next national election (hopefully after 4 years) recycle all the paper scantrons to make new paper scantrons.
System will be a lot better and I hearby publish this to Public Domain (eg THE INTERNET) so if anyone trys to patent this system and gouge us we can show this in court. TechDirt should have a timestamp and I’ll screenshot it for giggles.
Now the only trick is to make a device that is as difficult as an ATM to break into (eg can’t use a pen/no tools) but not impossible. Just time consuming and noisy (mandatory battery powered alarm on it opening, even for maintenence. Just put an off switch in it).
Seriously, I just made this up on the spot after reading this article. Who agress it is a better system than the bullshit Diebold has been putting out? May be only theory right now, but it already sounds more secure.
Re: Scantron
Very good idea.
Start your own electronic voting machine company?
Theres a good market out there for a good, traceable system. 🙂
Re: Scantron
Not a bad comment at all. That’s the better system.
Here, we have a choice between touchscreen and bubble sheet ballots. I see no reason (other than expense) that the two couldn’t be combined.
But frankly, I never saw the need. If I have to go to the courthouse anyway, bubble sheets are no slower than touchscreens. Yes, there are millions of people in the state, but the state has never had a serious problem getting those bubble sheets counted on time – national news usually starts reporting most of the results the same evening.
Since bubble sheets can be counted in a reasonable amount of time, I really don’t see the need for touch screens. Getting the votes counted quickly isn’t really an issue, but that’s the only benefit of touchscreens.
Except for Internet voting, which would have a real benefit in convenience and getting more people to vote, but your system wouldn’t work there and we’re back to square one.
I tell you, nothing is wrong with the votin’ machines. Unless the results is fer democrats, then somethin’ is wrong. Yep, Diebold rocks.
Why on Earth...
what bugs me is that the ideas for a secure system seem easy enough (see above and elsewhere) that i just can’t understand why they have not yet been implemented?!
The future of voting for all intents and purpose should be electronic and further more online. It benefits the democratic process to make voting not only accessible but also easy!! so if security is of a concern, then figure it out already.
Re: Why on Earth...
Why should the future of voting be electronic and online? As far as I can see that’s just technology for the sake of technology. Making voting accessibly and easy sounds great, but if it means losing public confidence in election results, then it’s not worth it.
The big problem with electronic voting is not “security” in the technical sense — it’s the lack of transparency. With paper ballots and manual counting anyone can see what is going on, you do not have to be any sort of technical expert.
E-voting machines are, by nature, black boxes. They make public scrutiny by ordinary Joe Bloggs impossible. Some people on here have suggested parallel electronic and paper systems. But what’s the point? The paper ballots would have to form the definitive result, so what’s the point in the electronic counting anyway?
I’m also sceptical of mechanical counting of paper ballots, because of the same problem of lack of transparency. The manual counting process is open to public scrutiny, simply because lots of people are doing it and supervising it, and point out (more like pounce on) any irregularities.
Stick to tried and tested voting mechanisms. They work.
Right outcome
Actually I think the right outcome for an election IS known. Anyone that wants the power should be taken out back and beaten to death with a stick (most likely several) of wet celery [slow and painful].
Presidents should be selected from the population and forced to do the duty :-). In no way should anyone who desires the power be given it.
Nicely argued points, but I think the simple one is that ATMs are NOT 100% secure. We were reading a few months ago about people scamming them by taking advantage of default maintenance passwords. Every day, there’s stolen cards being used in ATMs.
The basic difference between ATM fraud and voting fraud is also a simple one. If an ATM is defrauded, the most that someone will lose is a few grand (usually recovered through the bank, for which they are insured). If the election is defrauded, the country’s government system is undermined. Why are people still so intent on sacrificing their votes for convenience?
Voting Fraud
Electronic votes of non-existent persons can’t be distinguished from legitimate (live) person votes. Multiple votes by live persons can’t be discovered. When the number of votes cast exceeds the number of registered voters, which votes do you throw out ? The paper trail is necessary.
Confounding
You can have a paper trail and still maintain secrecy.
Electronic voting machines COULD offer a number of benefits. You can easily set up multi-lingual ballots. You can have large fonts for those with impaired vision, or audio for those who are blind. You can present candidates in random order so none are advantaged by position.
All that needs to happen is that you confirm your view, receive a human-readable card, and drop that receipt into the ballot box. The e-voting machine will enable fast/instant vote tallies. The ballot boxes contain the paper records needed to validate the electronic tally. (And the paper ballots are the legally binding ones.)
Why this simple concept seems to generate so much controversy is beyond me. The only thing I’ve heard which is remotely sensible is that paper and ink handling are mechanical and susceptible to failure. But surely there are ways to make it so robust as to become a non-issue.
There are choices.
PenVote used Digital Pens and Anoto enabled paper for poll books in last Novembers election. The objective was to see if this technology was transparent to the user (Voter), poll workers and reliable. Without any training given to the poll workers or voters, it was reviewed as an complete success. Voter credit was ready in less than one hour after the polls closed.
Using Pen and Paper as the basis for voting and have the digital component results as the audit trail is the reciprocal of today’s voter model. Unfortunately, early interest has been from emerging democracies that recognize elegance in the simplicity with integrity and appreciate its lower costs.
We in the US seem to have our skivvies in knot when comes to thinking about voting systems. Just as an answer to automobile efficiency is a hybrid, we can not link that to a better voting system that uses a hybrid of old paper and pen combined with an digital audit trail. Maybe 2012 or 2016?
It has nothing to do with fraud, paper trials, or vote buying. It comes down to the liberals being scared they will never win an honest election. There are only so many votes scare tactics, lies and ignorance can get you, then you have to cheat. I’d be willing to bet 30% of votes for Democrats nation wide in most elections are fraud, from buses driving around states, taking people to vote multiple times, them going in nursing homes, and voting for every person in there. You will also notice Democrats fight every way possible to keep voter id’s out of elections, fair elections, is completely against their goals. Mississippi’s last governor won by less than 200 votes, yet in his home town, 700 more people than were registered to vote voted for him, plus several hundred voted for the republican. In the same election, I noticed my grandmother who had been dead for 10 years name was back on the roles and had voted.
Re: Re:
That sounds more like a serious issue with your local government than with the nation-wide party.
Besides, considering everything else the Republicans are ripping us off with and blatantly lying about to the world and country, I’m kind of inclined to believe they’d be more apt to pull the ruses.
Re: Re: Re:
Besides, considering everything else the Republicans are ripping us off with and blatantly lying about to the world and country, I’m kind of inclined to believe they’d be more apt to pull the ruses.
Yep. For example, if it weren’t for the e-voting shenanigans that they pulled off in Ohio in 2004 Bush wouldn’t be president today.
The Straight Facts
Most states do not allow voting systems to be on an open network; closed networks are limited in size; and entire voting system will rarely (if ever) be networked in the US. Certainly, one county’s voting system will never be connected to another county’s system, let alone an entire States voting infrastructure. Wild accusations about viruses running rampant in a voting system shows just how little you really know about voting systems.
E-Voting Is Very Different From E-Banking
Because money is more important than votes.
Tautology
ATM machine = Automated Teller Machine machine.
Unrealistic expectations are never satisfied
There are two major problems we face in finding the best voting system: expectations and anonymity.
Our expectations for a voting system seems to be that it must produce zero errors and contain no fraud. This is to a certain extent understandable because of the high stakes involved (especially in a presidential election), but when 125 million people participate in a system, there will be errors and there will be fraud. Expecting to completely eliminate either is a very unrealistic expectation. Systems fail and people do bad things. We need to accept these realities even as we attempt as best we can to mitigate their consequences.
The other major challenge we face is in the guaranteed anonymity of the ballot. All the security challenges we face eventually come up against the need for anonymity in the voting choice. Security would be simple (as stated in the article and comments) if we could tie a name and voter ID to a specific ballot. Unfortunately, we have yet to find a way to do that while still protecting the anonymity of the voter.
We need to look for balloting systems that offer the best balance between ease of use, security, and anonymity. Discussions like this will help in that effort, but I suggest that the best course of action is to continue to allow local election districts to experiment. What works for a village of 200 people in Iowa will not work for New York City. As each local election authority tries new (or old) systems, other districts will take note and apply lessons to their own situations. This is far better than congressional mandates that impose a single system, or even a single type of system, on every district nationwide. A de-centralized system leads to innovation and will mitigate the consequences of failure since the failure will only affect that one district, not all.
Re: Unrealistic expectations are never satisfied
Expecting to completely eliminate either is a very unrealistic expectation. Systems fail and people do bad things. We need to accept these realities even as we attempt as best we can to mitigate their consequences.
Expecting perfection and accepting fraud are two very different things. I don’t expect perfection but I don’t accept fraud either. To say that I have to do one or the other is false.
What works for a village of 200 people in Iowa will not work for New York City.
Who says that there couldn’t be such a thing? You just proclaim it with no evidence.
Defining the problem wrong
I think the problem we are having with electronic voting stems from a wrong assumption being made about the voting process. We are trying to automate what has been done before instead of improving the process with modern technology. The assumption that votes should be anonymous is the root of all this evil. In reality, we can make voting like atm transactions by removing the anonymous aspect. Now before anyone panics, let me add the rest of the banking, not ATM scenario. I will have an account that is secure and that only I have access to that will contain my voting history. But you see, I don’t need to withdraw any cash, so I don’t need the ATM analogy or security weaknesses. I would rather use the analogy of home banking over the internet, since no physical interaction is required to place a vote. This is a more accurate analogy and will allow me to vote over the internet from anyplace that I choose, will make absentee forms obsolete and will allow instant feedback to the entire world from the web of voting results.
This will scare silly those that control the existing political voting system, because soon those that converse over the web will be able to swing the vote extensively by using the instant feedback online to alert those demographic groups that are not voting to get there. Because the secure account carries all of my demographics, but reports them only in aggregate, much more accurate statistics on participation will be available. The pollsters will have problems here because anyone that wants can query this base, and the primaries for both parties will be able to be managed completely without the crazy antics necessary today.
The lamenting over those poor lost souls that they can’t drag out to the voting booths will be a thing of the past. Rather than braving wind, rain sleet or hail to go out and get accosted by all those busybodies that are trying to sway voters last minute or find out what they did in the booths, I can sit comfortably at home in my ubiquitous bunny slippers and see who is winning, then cast my vote and see the difference I make in real time.
If I log into my voting account and see a vote posted that I didn’t do, or a double vote, I can lodge a complaint, just like with any other account that a transaction should be disputed over. In fact, third parties that should be seriously considered for this job would need to be credit card companies or credit reporting agencies that already manage personal data for most of us.
This also addresses the auditing issues that concern many who contemplate this change in our voting process. By using systems that manage accounts similar to financial accounts, the auditing of these accounts could be done by independent groups to keep everyone honest. My personal account provides a voting record that I can refer back to whenever I choose. For those paranoids that don’t want the government managing their private voting account (count me in here), this could always be managed by a third party. After all, that’s what banks are, private keepers of our publicly issued currency. If I am willing to trust a bank or credit card company with my money, why not my vote?
Let’s stop trying to use 1700’s processes when we have 22nd century technology.
And, by the way, shame on you at tech dirt if you have been posting on these self-created problems forever, since it should be just you tech savvy guys that suggest innovative solutions to problems, not get caught up in the paranoia of the non-technical masses.
Re: Defining the problem wrong
Hans: You say that the prospect of Internet voting would “scare silly those that control the existing political voting system”. Well, where I live (the UK) it’s the government politicians and officials who are all gung-ho about “modernizing” the electoral process, and it’s grassroots campaign groups (like the Open Rights Group, http://www.openrightsgroup.org/2007/01/16/taking-the-lid-off-e-voting/) who are making warning noises about the difficulties involved in it. From what I can tell it’s much the same in the US. The political establishment want to appear “modern”, so rush to implement e-voting without thinking about whether it works, or even of whether it’s actually of any use.
We aren’t using “1700s processes”, if we were then people would be declaring their vote in public by standing on one side or the other of a hall (that’s how all elections used to be conducted). The secret ballot actually is an invention of the mid-19th century. Having Internet voting from home would violate the secret ballot. We don’t have ballot boxes and voting booths because of some quaint old tradition or because the voting process is out of touch with modern times. It is because of the need to ensure that votes are cast *in secret*. If votes can be cast from home, or anywhere else other than a supervised voting environment, then there is no way of preventing coercion or vote-buying. You can make the voting process as technically secure as you like, but no scrutiny is possible over the circumstances under which the vote was cast.
Being able to “see” your votes in a “voting account” would also violate the secret ballot. If you have no way of seeing how you voted, then you have no way of proving to anyone else how you voted, and that is the most effective way of preventing vote-buying.
Letting people see how their vote affects the result immediately is also a BAD idea, because it would give an advantage to people who vote later (as they will know better how their vote is going to affect the result). Making sure that the result is not known until every vote is collected and counted means that everyone is voting based on the same knowledge of the electoral situation — i.e. they know the opinion polls from the day before, but the rest is a guess.
Trusting someone with your money is very different from trusting someone with your vote. Banking secrecy is very different from voting secrecy: your bank needs to know about your financial affairs, but NO-ONE SHOULD BE ABLE TO KNOW about how you voted. The way youtalk about lodging complaints about irregularities in your “voting account” suggest that you entirely misunderstand the secret ballot. The vote is not a private right that only affects the individual. It is a PUBLIC right. A voting irregularity affects much more than the individual whose vote was lost or wrongly cast — it affects the integrity of the entire election. The sort of mechanisms you talk about inevitably mean that someone — whoever runs the auditing — can find out how you voted, and that is unacceptable, whoever it is.
Finally, my experience is that the people who tend to go on about how old-fashioned our voting process is in the “21st century” tend to be technical ignoramuses — they’re the sort of people who are starry-eyed but pig-ignorant anout technology. While those who urge caution tend to be technically minded people — especially security professionals — who actually understand the real issues involved.
Motivation Behind Adoption
Tim, your post is great. I’d like to add one point of clarification if I may. You commented in relevant part:
> A stolen election will be a rare occurrence even
> with insecure voting machines, and if it does
> occur, state officials can easily shift blame to
> other people — county election officials,
> vendors, poll workers. It’s not surprising,
> therefore, that states have rushed to deploy
> electronic voting systems that virtually every
> computer security expert on the planet says
> are insecure…
I am betting you did *not* intend to suggest that states are implementing trust-free voting machines primarily as scapegoats. But that’s a side point.
Here is the real clarification I want to add (assuming someone else hasn’t already… I haven’t ventured into the comment thread rabbit hole on this post.)
States are implementing e-voting technology regardless of security issues because there is a Federal incentive (if not arguably an impending mandate) to do so: money.
I am referring to the Help America Vote Act of 2002 or simply “HAVA.” HAVA is Congress’s largest ever investment in election reform. The Act devoted $4 billion in federal funds to replace punch card voting machines, develop state voter registration databases and establish the U.S. Election Assistance Commission. HAVA more or less set a deadline for old punch card and lever machinery replacement to be the end of 2006, although that was not cast in code per-se, and the sunset on old systems has waned.
But the point is the incentive for the states is/was the ability to receive Federal subsidy dollars to pay for machinery replacement. And that is more the motivation than simply deploying a digital scapegoat. HAVA is not likely to be reversed, and the digital democracy isn’t going to slow down. Yet, clearly we need to save Democracy from Computers.
So, the real question I submit has less to do with motivation for implementing sloppy technology, and more with why the technology is trust-free in the first place.
The root problem with e-voting today is simply that it has never been in the best interest of vendor shareholders to incur the true non-recurring engineering charges to properly design, develop, and produce the high-assurance single-purpose application specific devices required for trustworthy e-voting. High assurance engineered devices are complicated, expensive, and time-consuming to build. High assurance methodologies are regularly employed in mil-spec products, medical technology, and NASA spacecraft and related devices. But in voting, there is no ROI (return on investment) that pencils for the e-voting vendors to go to that trouble. In other words, the market is paradoxically small while requiring expensive equipment. So given that shareholder value trumps voter assurance, they turned to the only alternative they could: off-the-shelf general purpose computing hardware with off-the-shelf commodity operating systems software, combined with their proprietary “black box” application (their only real value added).
Not to be preachy here, but honestly, the only way to solve the root problem of trustworthy e-voting machinery is to do so in the public trust in a transparent open source manner. The cornerstone of our democracy (the machinery by which we cast our votes) increasingly digital as it is becoming, can no longer be left to the shareholder interests of the private sector, nor the bureaucratic mandates of Governments. Once this cornerstone is developed in the public trust, then and only then will it be possible to have public inspection, accountability loops, and no more scapegoating. In other words, this nation needs to move from black box voting to glass box voting.
Public Officials are Honest???
Tim, your article is interesting but you have “assumed” one point that I just cannot agree with or even come close to believing. Your assumption is that the e-voting vendors can sway the officials who are in charge to accept a system that is not secure. If these officials can be swayed that way, why would they not also be open to be manipulated by any candidate/political party that comes along with something for the pocket of the same officials?? I say, again, show me a system that is totally honest that this country has tried and you can count me as a believer! Until then, I will say any system is only as secure and the HUMANS who handle/use/etc them! Give me a machine that I can punch buttons on and get me on my way and I’m a happy voter!
Oh, and I am really curious if these technology naysayers have ever driven a car, or flown in an airplane, or used a computer to make their life/job more efficient and easier? I have to wonder why they seem to be in a feeding freenzy over the problem but they aren’t proposing anything as a solution that promotes the technology in question. Yep, that dang thing will never fly! Them computers is just a commie trick! One day that dang’d voting machine is going to kill someone!! Remember, I told you so!
Re: Public Officials are Honest???
But e-voting is completely opaque. By contrast, manual ballot and counting systems are transparent. The traditional voting process works by relying on lots and lots of pairs of eyes, belonging to many people who work for various organizations that are all independent of each other (and to some extent have conflicting aims, e.g. supporters of different political candidates or parties): they are not all in the pay of one voting macine vendor, or connected to the election officials. If there is an irregularity in the voting process, whether caused by fraud (including by voting officials) or human error, then anyone observing the process can flag it up and it can be corrected or dealt with. No such independent scrutiny is possible with technological solutions. You at least have to be an expert in the technology, and that probably means being connected to its vendor, to even know there’s a problem, never mind flag it up and correct it.
You are “assuming” that the voting machines do what they say they will. The point isn’t whether they *are* technically doing the right process, but whether they are *seen* to be. Since a voting machine is a black box, that is not possible.
Give me a machine and I am NOT a happy voter, because I only have the machine’s word that my vote has been registered and counted.
Don’t let the expert control the election.
And why should people sceptical of e-voting technology have to propose something technological as an alternative? This is technology for its own sake. Non-technological voting systems WORK. Or if they don’t, it’s easy to discover why and correct the problem. The problem is people who are starry-eyed about technology, who think automatically “It’s hi-tech therefore it must be better.” Not necessarily so.
Just one inconsistency - please correct so I can f
Great article and terrific response to a commonly heard claim that banks can count money OK so why not voting machines count votes?
However, please fix this slight inconsistency so I can widely let people know about your article:
You said both:
“nobody knows what the “right” election outcome is supposed to be, so there’s no one in a position to object if the results get altered.”
I agree. But then you said:
“A stolen election will be a rare occurrence even with insecure voting machines, and if it does occur, state officials can easily shift blame to other people.”
But in the vast majority of states no one would ever know if an election were stolen – yet this sentence makes it seem as if one could tell. You cannot possibly know that “stolen election will be a rare occurence” It could be happening constantly on all levels, state, federal, and local – but how would you ever know without publicly verifiable audits, ballot security, and ballot reconciliation since NO state does all three.
Cheers and thanks for writing this.