Voting Accuracy and Honesty
Voting Accuracy and Honesty
A landmark
study by the Brennan Center for Justice notes:
Most
Americans would agree that the integrity of our
elections is fundamental to our democracy. We want citizens to have
full confidence that their votes will be accurately recorded. Given the
current tenor of debate over voting system security, this is reason
enough to conduct regular systematic threat analyzes of voting systems.
Just as importantly, such analyzes, if utilized in developing voting
system standards and procedures, should reduce the risk of attacks on
voting systems. As a nation, we have not always successfully avoided
such attacks – in fact, various types of attacks on voting
systems and
elections have a “long tradition” in American
history. The suspicion or
discovery of such attacks has generally provoked momentary outrage,
followed by periods of historical amnesia.
VoiceVote is a
alternative to other voting systems that offers
significant advantages in the following areas:
- accurately capturing voter intent
- guaranteeing that all votes cast are accurately recorded
and counted
- adapting to the needs of disabled voters and multiple linguistic communities
- combating vote fraud
- enhancing voter confidence
- resistance to malicious attacks and errors.
VoiceVote combines an electronic touch screen to register votes with the creation of duplicate paper trails. Touch screen voting has been shown to have among the highest accuracy rates. It eliminates the ambiguous marking of ballots that plagues paper ballots. It eliminates overvotes, in which the voter casts more than one vote for an office, and greatly reduces undervotes, in which the voter unintentionally fails to vote on some ballot question.
No system other than VoiceVote adequately addresses the issue of undervotes, which was highlighted by the 2006 vote in Florida's 13th Congressional District. In that congressional contest the margin of victory was 368 votes, while the reported undervote in one single county was 18,382, almost certainly altering the outcome of the election. Because the voting machines in that county did not produce a paper trail of any sort, a meaningful recount was impossible. It is remains unclear whether the undervotes were due to poor ballot design or to voting machine error or fraud.
Even a single paper trail retained by the voting authority would not have resolved this question since such a paper trail could suffer the same inaccuracy as the reported vote total. The second paper trail that VoiceVote provides -- alone among current and proposed voting systems -- would have permitted any voter whose vote was not properly recorded to demonstrate the error and seek appropriate redress.
Adapting to the Needs of Voters
The electronic vote input used by VoiceVote offers the greatest accessibility for people with vision or physical disabilities. Larger type sizes, headphones, Braille printing and voice recognition are among the techniques that make voting without assistance more widely available. Paper ballots and optical scan systems are less flexible in accommodating voter needs.
Electronic vote input permits clean ballot design, such as presenting each issue on a separate screen and using widely recognized visual conventions. It is the responsibility of the election authority in each jurisdiction to follow the guidelines for good ballot design. By making ballot designs available in advance for public review, VoiceVote greatly increases the probability that good design principles will be consistently adhered to.
Electronic voting devices can be programmed to allow the user to choose a ballot in a preferred language, which is critical for equal ballot access by different linguistic communities. It separates making the ballot available in multiple languages from issues of recounts and auditing of election results.
Improving Voter Trust
A substantial proportion of voters currently lack confidence that their votes are accurately counted. This lack of public confidence constitutes a serious corrosion of one of the foundations of representative government. The United States has among the lowest levels of voter participation in the world, which is traceable at least in part to the doubts among voters that their votes count. This reached nearly to the level of a constitutional crisis in the presidential election of 2000, which was resolved by the Supreme Court because of the inability or unwillingness to count contested votes. The disposition of a small number of contested votes resulted in the winner of the popular vote losing the election, underlining the imperative of maximum accuracy and certainty in the counting of every vote.
While there is no hard evidence of widespread vote selling, the existence of this corrupt practice is an expression of profound alienation from the electoral system. VoiceVote contributes to restoring voter confidence in elections by permitting each voter to check that his or her own vote is properly recorded and permits anyone to audit the vote count for any office.
Resisting Attacks on the System
In practice, some of the most basic guarantees of computer system security have either failed to be implemented or have broken down even though the threat of such failure has been clear for some time. Tadayoshi Kohno, Adam Stubblefield and Aviel Rubin analyzed one such system:
With significant U.S.
federal funds now
available to replace outdated punch-card and mechanical voting systems,
municipalities and states throughout the U.S. are adopting paperless
electronic voting systems from a number of different vendors. We
present a security analysis of the source code to one such machine used
in a significant share of the market. Our analysis shows that this
voting system is far below even the most minimal security standards
applicable in other contexts. We identify several problems including
unauthorized privilege escalation, incorrect use of cryptography,
vulnerabilities to network threats, and poor software development
processes. We show that voters, without any insider privileges, can
cast unlimited votes without being detected by any mechanisms within
the voting terminal software. Furthermore, we show that
even the most serious of our outsider attacks could have been
discovered and executed without access to the source code. In the face
of such attacks, the usual worries about insider threats are not the
only concerns; outsiders can do the damage. That said, we demonstrate
that the insider threat is also quite considerable, showing that not
only can an insider, such as a poll worker, modify the votes, but that
insiders can also violate voter privacy and match votes with the voters
who cast them. We conclude that this voting system is unsuitable for
use in a general election.
All current electronic voting systems "have significant security and reliability vulnerabilities, which pose a real danger to the integrity of national, state, and local elections," according to a report by a distinguished panel of security and election experts convened by Brennan Center for Justice. The panel makes a set of recommendations to enhance election security. The VoiceVote system meets and goes beyond the security recommendations of the report.
- The least difficult and most dangerous attacks involve software attack programs. Programming errors or errors by election officials in the use of the equipment may have similar consequences. The Brennan report defines a widely applicable and quantifiable measure of the ease of an attack (or likelihood of an error): the fewer parties required to carry out an attack successfully, the easier it is. Software attacks and errors are particularly dangerous because of the potential scale of their consequences.
VoiceVote secures against
malicious or
malfunctioning software by implementing the principle of software
transparency. All VoiceVote software, in both human and machine
readable forms, is made available for public inspection in advance of
the election, bringing the expertise of the entire computing community
to
bear on its correctness. Further, VoiceVote builds in tests that the
programs running on voting machines are exactly the programs that have
been approved. These measures make software attacks extremely
difficult. While these measures are compatible with other voting
technologies, no system currently in use makes its computer code public.
Another way of testing against software attacks and errors is to check that the output of the system (the recorded ballot) is the same as the input to the system (the voter's choices). VoiceVote also meets and exceeds the recommendations in this respect. It empowers each voter to check that their own vote is correctly recorded. The digital signature on the ballot can be used to prove any alteration. The action of even a small fraction of the voters performing such checks would make it overwhelming likely that any systematic error or fraud would be detected. In addition, any individual or public body can independently tally the vote on any ballot issue. At each stage of the voting process the appropriate election authorities have similar powerful tools at their disposal to detect fraud or error.
Another way of testing against software attacks and errors is to check that the output of the system (the recorded ballot) is the same as the input to the system (the voter's choices). VoiceVote also meets and exceeds the recommendations in this respect. It empowers each voter to check that their own vote is correctly recorded. The digital signature on the ballot can be used to prove any alteration. The action of even a small fraction of the voters performing such checks would make it overwhelming likely that any systematic error or fraud would be detected. In addition, any individual or public body can independently tally the vote on any ballot issue. At each stage of the voting process the appropriate election authorities have similar powerful tools at their disposal to detect fraud or error.
- A paper trail, by itself, is of little security value unless it is checked and unless the uncovering of error leads to effective corrective action. VoiceVote builds in a unique procedure -- a second paper trail -- by which an extensive and automatic audit of election results is performed by the voters, in addition to the security procedures followed by election authorities. This provides significant confidence in election integrity beyond what can be provided by spot checks by election authorities.
Independently, but in parallel with developments in election security, computer security itself is undergoing rapid and perhaps revolutionary change. A report published by Computing Research Association noted:
[T]he idea of a defendable
perimeter
for computer security has become meaningless .... The enemy to defend
against may well be a trusted employee acting alone — a
trusted "insider" — and not an identifiable external force
mounting
an attack.
Further, the report identifies as one of the grand challenges of
trustworthy computing: "Design new computing systems so that the
security and privacy aspects of those systems are understandable and
controllable by the average user."Shortly after the 9/11 attacks William A. Wulf testified before the House Science Committee:
[T]he Maginot Line model
has never
worked! Every system ever built to protect a Maginot Line-type system
has been compromised--including the systems I built in the 1970s. After
40 years of trying to develop a foolproof system, it’s time
we
realized we’re not likely to succeed. It’s time to
change
the flawed inside-outside model of security. ...
Other models could
distribute the
responsibility for defining and enforcing security to every object in
the system. Most research on cyber security is based on the assumption
that the thing we need to protect is "inside" the system. Therefore, we
have tried to develop "firewalls" and the like to keep outside
attackers from penetrating our defenses and gaining access or taking
control of it. This model of computer security--I call it the Maginot
Line model -- has been used since the first mainframe operating systems
were built in the 1960s. Unfortunately, it is dangerously flawed. ...
The VoiceVote paradigm provides the basis for doing two things that no voting system currently in use -- whether paper ballot, optically scanned ballot marking system, or touch screen with or without paper trail -- does: i) enabling a distributed defense against error or fraud, enlisting the knowledge and activity of millions of voters and ii) empowering the voters themselves as guarantors of the elections, thereby enhancing their confidence in the system.