the machines, and even external attackers with no special access, can completely control the storage and counting of votes.^a

Castro says the focus on paper trails ignores other aspects of voting systems. In reality, advocates of PCOS systems have thought through the broader issues, including cost, accuracy, and accessibility. In all these dimensions, PCOS systems are competitive with DRE systems.

Castro argues we cannot act without a “quantifiable risk analysis framework,” and a “cost-benefit analysis.” Risk analysis and cost-benefit analysis are great ideas; DREs would never have been purchased had these types of analyses been performed and heeded.

a M. Bishop, “Overview of Red Team Reports,” Top-to-Bottom Review, California Secretary of State’s Office; www.sos.ca.gov/elections/vot-ing_systems/ttbr/red_overview.pdf.

However, legislation need not wait for further study because DRE systems are clearly much riskier than PCOS systems, a fact that demands prompt action. The most comprehensive study so far (which is the basis for a summary cited by Castro) concludes that a single individual could alter the outcome of a close election on paperless DREs, but that a much larger team of attackers would be required to steal an election using PCOS—assuming appropriate procedures including manual audits.^b As for cost-benefit analysis, PCOS systems obtain the benefits of DREs and more, at lower cost.^c

b Norden, L. et al. The Machinery of Democracy: Protecting Elections in an Electronic World. Brennan Center for Justice at NYU School of Law, October 2006 (see p. 50 and p. 83); brennan.3cdn.net/52dbde32526fdc06db_4s m6b3kip.pdf.

c See www.verifiedvotingfoundation.org/article. php?list=type&type+ 77.

Castro claims there are other ways of solving the problems of electronic voting, including the Prime III system and several end-to-end systems ( Punchscan, VoteHere, and Scratch&Vote). Prime III has video and audio (rather than paper trails) that would be very difficult to audit in practice. Punchscan and Scratch&Vote are arguably voter-verified paper ballot systems, albeit cryptographic ones. More importantly, these systems will not be available to replace DREs for years (if ever). VoteHere’s system, which also had paper receipts, never caught on, possibly because election officials, technical reviewers, and the public found it difficult to understand.

It is unacceptable in a democracy to have election results that could be un-detectably tainted by bugs or malicious software. There is no excuse for further delay in implementing a readily available solution to this serious problem.

 

Rebuttal: Daniel Castro

WHILE DAVID DILL makes a passionate case for paper ballots, he omits one stubborn fact: historically, paper ballots are at the root of most voting fraud. This is not surprising since paper ballots can be easily changed, lost, stolen, or invalidated. Yet his solution is to throw more money at precinct-count optical scan (PCOS) systems. While these paper-based voting machines have some initial appeal, they are not a panacea.

First, his claim that PCOS systems are less costly than other forms of voting technology is simply false. This is akin to claiming that apples are more expensive than oranges. The total cost of a voting system for a county depends on many factors: the price and quantity of the voting devices, the number of elections per year, the lifecycle of the equipment, and the cost of recounts, storage, maintenance, and disposal. ² Moreover, any proposal to change voting technology must also take into account the cost of switching technology, such as retraining election officials.

Second, PCOS systems can be hacked. In fact, the Brennan Center writes in its report on voting systems, “Nothing in our research or analysis has shown that a Trojan horse or other software attack program would be more difficult against PCOS systems than they are against DREs.” ¹ Manual recounts prevent some attacks, but not all of them. For example, an attacker could disable the over/under-vote alert on the optical scanners in certain counties resulting in many invalid ballots. Since over/under-votes account for up to 4% of total votes, this attack could swing a close election.

Moreover, PCOS systems do not provide voters any proof their ballots were included in the final tally. Neither do PCOS systems offer any kind of guarantee to voters that no illegitimate ballots have been added to the tallies. The only way to achieve that level of confidence is to provide end-to-end (E2E) verifiability, which is why I recommend E2E voting systems as a long-term solution.

As a short-term solution, we should tighten up security requirements to eliminate known vulnerabilities and ensure consistent election procedures.

Election officials can use pre- and post-election auditing to make sure the machine does what it is supposed to do, parallel testing to make sure it works correctly during the election, and hash-code testing to make sure the software that is on the machine is the same software that was previously tested and is on file.

States can make their current e-voting systems reasonably secure without a federal requirement for paper audit trails. Switching every county to PCOS or paper ballots would cost over $1.1 billion, and still not solve the security problem. And ultimately, switching to PCOS or paper ballots is a waste of time, money, and effort because it does not move us to where we want to go: end-to-end verifiability. Requiring paper ballots will only move us sideways or even backward—we should move forward.

 

References

1. Norden, L. et al. The Machinery of Democracy:

Protecting Elections in an Electronic World. Brennan Center for Justice at NYU School of Law, October 2006.

2. Norden, L. et al. The Machinery of Democracy: Voting System Security, Accessibility, Usability, and Cost. Technical report, Brennan Center for Justice at NYU School of Law, October 2006.