the machines, and even external attackers with no special access, can
completely control the storage and
counting of votes.a
Castro says the focus on paper trails
ignores other aspects of voting systems. In reality, advocates of PCOS systems have thought through the broader issues, including cost, accuracy, and
accessibility. In all these dimensions,
PCOS systems are competitive with
DRE systems.
Castro argues we cannot act without a “quantifiable risk analysis framework,” and a “cost-benefit analysis.”
Risk analysis and cost-benefit analysis
are great ideas; DREs would never have
been purchased had these types of
analyses been performed and heeded.
a M. Bishop, “Overview of Red Team Reports,”
Top-to-Bottom Review, California Secretary of
State’s Office; www.sos.ca.gov/elections/vot-ing_systems/ttbr/red_overview.pdf.
However, legislation need not wait for
further study because DRE systems are
clearly much riskier than PCOS systems, a fact that demands prompt action. The most comprehensive study
so far (which is the basis for a summary
cited by Castro) concludes that a single
individual could alter the outcome of a
close election on paperless DREs, but
that a much larger team of attackers
would be required to steal an election
using PCOS—assuming appropriate
procedures including manual audits.b
As for cost-benefit analysis, PCOS systems obtain the benefits of DREs and
more, at lower cost.c
b Norden, L. et al. The Machinery of Democracy:
Protecting Elections in an Electronic World.
Brennan Center for Justice at NYU School
of Law, October 2006 (see p. 50 and p. 83);
brennan.3cdn.net/52dbde32526fdc06db_4s
m6b3kip.pdf.
c See www.verifiedvotingfoundation.org/article.
php?list=type&type+ 77.
Castro claims there are other ways of
solving the problems of electronic voting, including the Prime III system and
several end-to-end systems (
Punchscan, VoteHere, and Scratch&Vote).
Prime III has video and audio (rather
than paper trails) that would be very
difficult to audit in practice. Punchscan and Scratch&Vote are arguably
voter-verified paper ballot systems, albeit cryptographic ones. More importantly, these systems will not be available to replace DREs for years (if ever).
VoteHere’s system, which also had paper receipts, never caught on, possibly
because election officials, technical
reviewers, and the public found it difficult to understand.
It is unacceptable in a democracy to
have election results that could be un-detectably tainted by bugs or malicious
software. There is no excuse for further
delay in implementing a readily available solution to this serious problem.
Rebuttal: Daniel Castro
WHILE DAVID DILL makes
a passionate case for
paper ballots, he omits
one stubborn fact: historically, paper ballots
are at the root of most voting fraud.
This is not surprising since paper ballots can be easily changed, lost, stolen,
or invalidated. Yet his solution is to
throw more money at precinct-count
optical scan (PCOS) systems. While
these paper-based voting machines
have some initial appeal, they are not a
panacea.
First, his claim that PCOS systems
are less costly than other forms of voting technology is simply false. This is
akin to claiming that apples are more
expensive than oranges. The total cost
of a voting system for a county depends
on many factors: the price and quantity
of the voting devices, the number of
elections per year, the lifecycle of the
equipment, and the cost of recounts,
storage, maintenance, and disposal. 2
Moreover, any proposal to change voting technology must also take into account the cost of switching technology,
such as retraining election officials.
Second, PCOS systems can be
hacked. In fact, the Brennan Center
writes in its report on voting systems,
“Nothing in our research or analysis
has shown that a Trojan horse or other software attack program would be
more difficult against PCOS systems
than they are against DREs.” 1 Manual
recounts prevent some attacks, but not
all of them. For example, an attacker
could disable the over/under-vote alert
on the optical scanners in certain counties resulting in many invalid ballots.
Since over/under-votes account for up
to 4% of total votes, this attack could
swing a close election.
Moreover, PCOS systems do not
provide voters any proof their ballots
were included in the final tally. Neither do PCOS systems offer any kind of
guarantee to voters that no illegitimate
ballots have been added to the tallies.
The only way to achieve that level of
confidence is to provide end-to-end
(E2E) verifiability, which is why I recommend E2E voting systems as a long-term solution.
As a short-term solution, we should
tighten up security requirements to
eliminate known vulnerabilities and
ensure consistent election procedures.
Election officials can use pre- and post-election auditing to make sure the machine does what it is supposed to do,
parallel testing to make sure it works
correctly during the election, and hash-code testing to make sure the software
that is on the machine is the same software that was previously tested and is
on file.
States can make their current e-voting systems reasonably secure without
a federal requirement for paper audit
trails. Switching every county to PCOS
or paper ballots would cost over $1.1
billion, and still not solve the security
problem. And ultimately, switching
to PCOS or paper ballots is a waste of
time, money, and effort because it does
not move us to where we want to go:
end-to-end verifiability. Requiring paper ballots will only move us sideways
or even backward—we should move
forward.
References
1. Norden, L. et al. The Machinery of Democracy:
Protecting Elections in an Electronic World. Brennan
Center for Justice at NYU School of Law, October
2006.
2. Norden, L. et al. The Machinery of Democracy: Voting
System Security, Accessibility, Usability, and Cost.
Technical report, Brennan Center for Justice at NYU
School of Law, October 2006.