Skip to: Site menu | Main content



Voting Accuracy and Honesty






Voting Accuracy and Honesty

A landmark study by the Brennan Center for Justice notes:

Most Americans would agree that the integrity of our elections is fundamental to our democracy. We want citizens to have full confidence that their votes will be accurately recorded. Given the current tenor of debate over voting system security, this is reason enough to conduct regular systematic threat analyzes of voting systems. Just as importantly, such analyzes, if utilized in developing voting system standards and procedures, should reduce the risk of attacks on voting systems. As a nation, we have not always successfully avoided such attacks – in fact, various types of attacks on voting systems and elections have a “long tradition” in American history. The suspicion or discovery of such attacks has generally provoked momentary outrage, followed by periods of historical amnesia.

VoiceVote is a alternative to other voting systems that offers significant advantages in the following areas:
  • accurately capturing voter intent
  • guaranteeing that all votes cast are accurately recorded and counted
  • adapting to the needs of disabled voters and multiple linguistic communities 
  • combating vote fraud
  • enhancing voter confidence
  • resistance to malicious attacks and errors.
Capturing Voter Intent

VoiceVote combines an electronic touch screen to register votes with the creation of duplicate paper trails. Touch screen voting has been shown to have among the highest accuracy rates. It eliminates the ambiguous marking of ballots that plagues paper ballots. It eliminates overvotes, in which the voter casts more than one vote for an office, and greatly reduces undervotes, in which the voter unintentionally fails to vote on some ballot question.

No system other than VoiceVote adequately addresses the issue of undervotes, which was highlighted by the 2006 vote in Florida's 13th Congressional District. In that congressional contest the margin of victory was 368 votes, while the reported undervote in one single county was 18,382, almost certainly altering the outcome of the election. Because the voting machines in that county did not produce a paper trail of any sort, a meaningful recount was impossible. It is remains unclear whether the undervotes were due to poor ballot design or to voting machine error or fraud.

Even a single paper trail retained by the voting authority would not have resolved this question since such a paper trail could suffer the same inaccuracy as the reported vote total. The second paper trail that VoiceVote provides -- alone among current and proposed voting systems -- would have permitted any voter whose vote was not properly recorded to demonstrate the error and seek appropriate redress.


Adapting to the Needs of Voters

 
The electronic vote input used by VoiceVote offers the greatest accessibility for people with vision or physical disabilities. Larger type sizes, headphones, Braille printing and voice recognition are among the techniques that make voting without assistance more widely available. Paper ballots and optical scan systems are less flexible in accommodating voter needs.

Electronic vote input permits clean ballot design, such as presenting each issue on a separate screen and using widely recognized visual conventions. It is the responsibility of the election authority in each jurisdiction to follow the guidelines for good ballot design. By making ballot designs available in advance for public review, VoiceVote greatly increases the probability that good design principles will be consistently adhered to.

Electronic voting devices can be programmed to allow the user to choose a ballot in a preferred language, which is critical for equal ballot access by different linguistic communities. It separates making the ballot available in multiple languages from issues of recounts and auditing of election results. 

Improving Voter Trust

 
A substantial proportion of voters currently lack confidence that their votes are accurately counted. This lack of public confidence constitutes a serious corrosion of one of the foundations of representative government. The United States has among the lowest levels of voter participation in the world, which is traceable at least in part to the doubts among voters that their votes count. This reached nearly to the level of a constitutional crisis in the presidential election of 2000, which was resolved by the Supreme Court because of the inability or unwillingness to count contested votes. The disposition of a small number of contested votes resulted in the winner of the popular vote losing the election, underlining the imperative of maximum accuracy and certainty in the counting of every vote.

While there is no hard evidence of widespread vote selling, the existence of this corrupt practice is an expression of profound alienation from the electoral system. VoiceVote contributes to restoring voter confidence in elections by permitting each voter to check that his or her own vote is properly recorded and permits anyone to audit the vote count for any office.

Resisting Attacks on the System


In practice, some of the most basic guarantees of computer system security have either failed to be implemented or have broken down even though the threat of such failure has been clear for some time.  Tadayoshi Kohno, Adam Stubblefield and Aviel Rubin analyzed one such system:

With significant U.S. federal funds now available to replace outdated punch-card and mechanical voting systems, municipalities and states throughout the U.S. are adopting paperless electronic voting systems from a number of different vendors. We present a security analysis of the source code to one such machine used in a significant share of the market. Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts. We identify several problems including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes. We show that voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal software. Furthermore, we show that even the most serious of our outsider attacks could have been discovered and executed without access to the source code. In the face of such attacks, the usual worries about insider threats are not the only concerns; outsiders can do the damage. That said, we demonstrate that the insider threat is also quite considerable, showing that not only can an insider, such as a poll worker, modify the votes, but that insiders can also violate voter privacy and match votes with the voters who cast them. We conclude that this voting system is unsuitable for use in a general election.

All current electronic voting systems "have significant security and reliability vulnerabilities, which pose a real danger to the integrity of national, state, and local elections," according to a report by a distinguished panel of security and election experts convened by Brennan Center for Justice. The panel makes a set of recommendations to enhance election security. The VoiceVote system meets and goes beyond the security recommendations of the report.

  • The least difficult and most dangerous attacks involve software attack programs. Programming errors or errors by election officials in the use of the equipment may have similar consequences. The Brennan report defines a widely applicable and quantifiable measure of the ease of an attack (or likelihood of an error): the fewer parties required to carry out an attack successfully, the easier it is. Software attacks and errors are particularly dangerous because of the potential scale of their consequences. 
VoiceVote secures against malicious or malfunctioning software by implementing the principle of software transparency. All VoiceVote software, in both human and machine readable forms, is made available for public inspection in advance of the election, bringing the expertise of the entire computing community to bear on its correctness. Further, VoiceVote builds in tests that the programs running on voting machines are exactly the programs that have been approved. These measures make software attacks extremely difficult. While these measures are compatible with other voting technologies, no system currently in use makes its computer code public.

Another way of testing against software attacks and errors is to check that the output of the system (the recorded ballot) is the same as the input to the system (the voter's choices). VoiceVote also meets and exceeds the recommendations in this respect. It empowers each voter to check that their own vote is correctly recorded. The digital signature on the ballot can be used to prove any alteration. The action of even a small fraction of the voters performing such checks would make it overwhelming likely that any systematic error or fraud would be detected. In addition, any individual or public body can independently tally the vote on any ballot issue. At each stage of the voting process the appropriate election authorities have similar powerful tools at their disposal to detect fraud or error.
  • A paper trail, by itself, is of little security value unless it is checked and unless the uncovering of error leads to effective corrective action. VoiceVote builds in a unique procedure -- a second paper trail -- by which an extensive and automatic audit of election results is performed by the voters, in addition to the security procedures followed by election authorities. This provides significant confidence in election integrity beyond what can be provided by spot checks by election authorities.
The Developing Science of Computer Security

Independently, but in parallel with developments in election security, computer security itself is undergoing rapid and perhaps revolutionary change.  A report published by Computing Research Association noted:

[T]he idea of a defendable perimeter for computer security has become meaningless .... The enemy to defend against may well be a trusted employee acting alone — a trusted "insider" — and not an identifiable external force mounting an attack. 

Further, the report identifies as one of the grand challenges of trustworthy computing: "Design new computing systems so that the security and privacy aspects of those systems are understandable and controllable by the average user."

Shortly after the 9/11 attacks William A. Wulf testified before the House Science Committee:

[T]he Maginot Line model has never worked! Every system ever built to protect a Maginot Line-type system has been compromised--including the systems I built in the 1970s. After 40 years of trying to develop a foolproof system, it’s time we realized we’re not likely to succeed. It’s time to change the flawed inside-outside model of security. ...

Other models could distribute the responsibility for defining and enforcing security to every object in the system. Most research on cyber security is based on the assumption that the thing we need to protect is "inside" the system. Therefore, we have tried to develop "firewalls" and the like to keep outside attackers from penetrating our defenses and gaining access or taking control of it. This model of computer security--I call it the Maginot Line model -- has been used since the first mainframe operating systems were built in the 1960s. Unfortunately, it is dangerously flawed. ...

The VoiceVote paradigm provides the basis for doing two things that no voting system currently in use -- whether paper ballot, optically scanned ballot marking system, or touch screen with or without paper trail -- does: i) enabling a distributed defense against error or fraud, enlisting the knowledge and activity of millions of voters and ii) empowering the voters themselves as guarantors of the elections, thereby enhancing their confidence in the system.
Previous   Next