How E-voting Works

With a paper-based system, the electronic component is usually a tabulation device. This means that votes are counted on an electronic system, which is much faster than a manual count. Some ballot printing systems resemble DRE systems. Voters use a touchscreen or similar electronic device to make their choices. When the voter submits his vote, a printer attached to the device produces a physical paper ballot. An election official or volunteer takes all the paper ballots produced to a centralized location for counting once the polls close. A separate electronic device optically scans these ballots and tabulates the results.

One of the advantages of a paper-based system is that the ballot is physically represented by a piece of paper. This tangibility reassures voters that their choices are being counted. Still, a physical ballot does not ensure a vote will be correctly counted. Many factors can contribute to a misapplied vote. Holes in punch cards may not be properly aligned or fully punched, resulting in a “hanging chad,” made infamous in the 2000 election in Florida. On optical scan cards, stray marks or incomplete markings may be misinterpreted when tabulated. Printers that mark optical scan cards can run low on toner, resulting in cards with incomplete or unreadable marks. It may also be possible for a voter to vote for two or more candidates for a single position, known as overvoting; these selections are not counted by tabulation devices.

Physical ballots can be lost or destroyed before tabulation. Still, it is far more difficult to lose paper ballots than it is to lose an intangible electronic record. In the next section we will examine Direct Recording Electronic systems, some of which record votes solely on just such an intangible record.

Direct Recording Electronic Systems

A Direct Recording Electronic System is essentially a computer. Voters view ballots on a screen and make choices using an input device such as a bank of buttons or a touchscreen. Some DRE systems also employ a card swipe or cartridge system that must be activated before a ballot can be cast. Votes are stored on a memory card, compact disc or other memory device. Election officials transport these memory devices to a centralized location for tabulation, just as they would with paper-based ballots. Some machines have the capability to broadcast results over a modem-to-modem line, though due to concerns about data security, these results are normally deemed unofficial until they can be verified by tabulating the results stored on the memory devices. Many DRE devices also have the capacity to print a paper record of ballots cast. Some, however, have no corresponding paper trail.

A DRE system can have major advantages over paper-based systems, assuming it is secure and reliable (more on that later). Because ballots are displayed electronically, there are no limitations on a ballot’s appearance. Programmers can create ballots in any language. They can design large print layouts for voters with poor eyesight or even record and incorporate audio files for blind voters. Election officials do not need to estimate how many ballots to order for each possibility; any particular format could be called up as situations arise.

Since votes are recorded on a memory device, tabulation takes less time. There are no paper ballots to scan, so there’s less risk of mechanical error. While human error is still a factor and there is always a concern about software bugs; in an ideal system, tabulation is instantaneous with no need for recounts.

In the next few sections, we will look at some of the concerns critics have regarding DRE systems.

Critics point out some major concerns about DRE systems. The biggest one is the potential for voter fraud. Proponents of DRE systems argue that it would take talented individuals with very specialized knowledge to compromise a system. Due to this level of expertise, very few people would be capable of committing fraud. DRE systems are designed as self-contained units where the computer system is locked away from easy access. This means that the only time anyone has access to the computer element would be when the system is in a high security area such as a storage facility or within the production area of the vendor’s shop. Critics argue that the possibility of fraud on a monumental scale is still present under the right circumstances (for example, a programmer who has accepted bribes) and that fraud is potentially more difficult to detect when using electronic ballots versus paper ballots.

Election officials and DRE system vendors have to consider many factors, including voter anonymity. A voter’s ballot cannot be linked back to a specific voter without compromising confidentiality. Paper-based ballots or a DRE system that generates a paper trail create a physical record of each voter’s choices. Without this paper trail, the only record produced is electronic. Critics of paperless systems argue that a programmer could alter the electronic record of ballots cast and, because votes cannot be linked back to a particular voter for verification, detection of vote tampering could be impossible.

More than a dozen vendors produce the DRE systems now in use. Each vendor develops (or partners with another firm to develop) unique software to display, record and tabulate voter ballots. States are not bound to a single vendor and may purchase systems from multiple sources. Critics argue that connecting different systems together could compromise the security of the network of machines. Vendors do not design their systems to interact seamlessly with other vendors’ systems, so connecting two very different systems may make either or both behave in unintended ways.

Another major concern is transparency. Transparency refers to a full and accurate description of how the system works. One way of achieving transparency would be to share the source code used in displaying and capturing ballots with computer scientists. Source code is the programming language that is readable by people but not by computers -- computers read object code. By examining the source code, critics argue, computer scientists could determine that the program performs the intended task without error. Vendors, however, consider their source code to be proprietary knowledge. They are unwilling to share this information for fear competitors could use it.

Proponents of DRE systems are quick to point out that by releasing source code, vendors could expose vulnerabilities of their systems that others might exploit, making such systems less safe rather than more. Critics argue that without careful examination of the code, voters cannot be certain that the system is doing what it is supposed to do in the first place. Fraud, they say, could originate with the vendors either intentionally or through a programming error, and votes could be misattributed without chance of detection.

Fraud is a major concern with e-voting. Click here to learn how fraud in e-voting is similar to fraud in online surveys.

 

Transparency and fraud are both factors in another concern critics have of DRE systems: impartiality. DRE systems are produced by private companies, and these companies have not always been seen as politically neutral. Critics question if it is wise to entrust public elections to private companies that have a vested interest in a particular party’s victory in the election.

Auditing is another important consideration in the use of DRE systems. HAVA requires that all voting systems are auditable, both for recounts and to confirm that the system is working properly. This is an ongoing struggle for computer scientists and vendors. It is extremely difficult to create an auditing process that still preserves the anonymity of voters. Some experts argue for a Voter Verified Paper Trail (VVPT), where both the machine’s memory device and a physical paper trail record each ballot. Each voter could then compare the paper trail to the results screen on the DRE monitor to verify his vote was counted properly. Currently, 27 states have legislation or regulations requiring a paper trail. Out of the rest, Arkansas has mixed legislations that requires some jurisdictions to have paper trails but does not require the same of other jurisdictions. Twelve states have proposed legislation that has not yet been enacted, and 10 states have no proposed legislation on the subject.

Some critics of DRE systems argue that without a paper trail, a DRE system is unaccountable. They say that if an audit cannot determine that the ballots recorded are the ballots voters actually cast, then the results of such an election cannot be verified. Others argue that paper trails alone are of no use. A DRE System could display and print a voter’s choices with no apparent errors and still electronically record the vote improperly on its memory device. Their solutions often focus on extended testing and certification of voting systems to determine in careful simulations whether or not the voting system is accurately capturing votes.

Finally, DRE systems cost more than other systems currently in use. What’s more, the ongoing costs of maintaining DRE systems are unknown at this point. As with computer systems, adjustments will need to be made to any DRE to fix bugs or make upgrades. While states received money due to HAVA in 2002, that was a one-time grant. Maintenance costs are left to the states. If vendors go out of business or consolidate, that may affect the costs of maintaining hardware and software.

In the next section, we'll look at Internet-based systems.

In 2000, the Federal Voting Assistance Program (FVAP) conducted a pilot program called Voting Over the Internet (VOI) to see if votes could be reliably and securely cast using the Internet. The program was modest in size – 84 volunteers in 21 states and 11 countries used the system to cast absentee ballots for the November 7, 2000 election. Select counties in South Carolina, Florida, Texas and Utah participated. The VOI initiative marked the first time in the United States that ballots cast using the Internet counted in federal, state and local election results. To assure the volunteers that their votes would be counted in the case of a failed experiment, each volunteer was also allowed to cast a traditional paper-based absentee ballot.

FVAP designed the system to mimic established absentee ballots. They did not design the system to tabulate votes. Each volunteer received a CD that had a browser plug-in designed to display and transmit ballots to the FVAP servers. The system required that volunteers use Netscape Navigator 4.05 or higher with strong encryption. The Department of Defense (DOD) oversaw a digital certification program to authenticate voter identity. Once a voter transmitted a ballot, the DOD would deactivate his certification to prevent him from voting again.

Encrypted ballots were transmitted over the Internet to the FVAP server. Only the intended destination of the ballot remained unencrypted. The server was in a secure location with very limited access and an uninterrupted power supply. Two intrusion detection systems were installed to monitor any attempts at fraudulent activity.

Local Election Officials (LEOs) used terminals at their local sites to access an LEO server. This server connected to the FVAP server, which transmitted the encrypted ballots addressed to that LEO site over the Internet. Once the ballots arrived, a computer at the LEO site decrypted them and printers produced paper copies. LEO volunteers transcribed the printed results onto paper-based absentee ballots.

At the conclusion of the experiment, FVAP officials declared the pilot program a success. They concluded that remote voting on a small scale with tight controls was an acceptable alternative to casting a traditional absentee ballot. They also noted that this was an experiment involving less than 100 participants; implementing a system to allow thousands or millions of citizens to vote using the Internet would require more thought.

The Secure Electronic Registration and Voting Experiment

After the success of VOI, Congress requested that the DOD conduct a larger Internet-based voting program. In 2001 the DOD began to design the Secure Electronic Registration and Voting Experiment (SERVE). The DOD estimated that 100,000 citizens would participate in the experiment, and their votes would be counted in both the primaries and the general election of 2004. If the experiment were deemed a success, Internet voting would be extended to all overseas military personnel and other citizens.

In early 2004, the DOD canceled the experiment due to concerns about security issues, ending the program before the implementation phase. Specific concerns included voter anonymity being compromised or hackers intercepting and manipulating ballots sent over the Internet. Congress has requested the DOD to try the experiment again once the Election Assistance Commission (established by HAVA) creates new guidelines for absentee voting and registration in 2007.

The VOI and SERVE programs were both designed to provide greater accessibility to voters who are overseas or otherwise must cast absentee ballots. Such voters number in the hundreds of thousands, and yet this population makes up only a small percentage of the overall number of registered voters. Internet-based votes will have to satisfy skeptics with secure, reliable and repeatable instances of voter verification, ballot display, ballot recording and ballot transmission. It may be many years before we see the Internet used as a significant voting system in the United States.

In the next section, we will see why public perception plays such an important role in election administration.

The public must trust that elections are fairly conducted in order for a democratic government to be considered legitimate. If the public perceives elections to be unfair, the foundation of the government is weakened. Whether electronic voting systems are fair may not even matter; it is the public perception that is crucial. At the moment, the latest electronic voting systems in use (particularly DRE systems, which according to Election Data Services, serves as the voting equipment available for 38 percent of the nation’s registered voters) are receiving a great deal of scrutiny and criticism. Citizens, private companies and elected officials are spending more time carefully examining these systems and the implications of their use.

Though debate on the issue of e-voting has been and will continue to be passionate, most critics recognize that a move towards electronic voting systems is an inevitable step in the evolution of our voting process. Because our democracy depends upon the public believing in fair elections, these systems must be shown to be as secure and reliable as other voting methods.

That is probably much easier said than done. Reports of lost data, corrupted files, bribed officials, vendor partisanship, unsecured information and other scandals have been in the news several times since 2000. While these reports likely create an unrealistic expectation of unreliability, they are legitimate causes for concern. It will be the responsibility of the states and vendors to determine the best means of creating public trust.

Some of these methods will likely include more stringent tests, careful discussions about the balance of proprietary information against the need for source code validation, and discussions on the balance between voter anonymity and the need for a reliable audit system. While these are big issues, elections are by their very nature important to our government and way of life. Considering that, is any issue too large to address?

For lots more information on e-voting and related topics, check out the links on the next page.