- by Paul Murphy -
A few weeks ago I wrote a commentary on electronic voting for the Washington Dispatch in which I argued that what makes it possible for conspiracy theorists to use evoting as the basis of an attack on the legitimacy of an expected Bush victory on November 2nd is the client-server architecture, not the specific failures of the technologies used within it. Conspiracy theorists, I said, pointing at the technology proposed by the Open Voting Consortium as an example of the best in client-server technology, are not constrained by practicality. As long as there's a programmable device or data transfer step under local control somewhere in the elections process, conspiracy theories cannot be conclusively disproven.
Needless to say, not everyone agreed. One of those who disagreed, Tom Mereckis of votehere.com, offered to debate the issue in the pages of LinuxInsider but backed out at the last minute.
Prior to that we had agreed to discuss how each of five main issues expected to arise from the current election would have been avoided had our preferred technologies been available and adopted for universal use during this election. That, of course, is a "gedanken experiment" but, just for fun and in support of the congressional committees which will be investigating this election's IT fiascos, I thought I'd present just my half anyway - so here we go, starting with a reprise of two earlier LinuxInsider columns on what that ideal voting technology would look like.
Imagine a system that has Sunrays in the voting booths, connected directly to state level data centers, with two national data centers linking the state centers. Within each state, voters can go to any polling place, identify themselves and their place of residence, and see only the ballot appropriate to their home address. When they use the software to vote three things happen: a paper ballot is printed and automatically dropped in the right ballot box; their votes are added to the totals at the state and national levels; and the combination of name and address used is marked as "already voted" in the database.
As I've discussed in previous LinuxInsider columns, there are lots of legislative and other "paper" issues associated with making this happen, but there are no technical showstoppers and costs can reasonably be expected to be far below those of the current systems.
Notice that there is no programmability at the local level, no way to add unauthorised devices to the network, and no obvious way for someone trying to commit voting fraud to simultaneously corrupt the voter list, the paper ballots, and the electronic count.
This approach doesn't eliminate all opportunities for vote cheating, but it does remove most of them from the local level and all of them from the polling place. Fraudsters, for example, will generally have to go after the weakest element in the chain: trying to get their people multiple voting opportunities through the use of multiple identities. Notice, however, that most such frauds now operate by stuffing the ballot box with ballots from the dead or otherwise ineligible, and that can't happen because votes are taken, and recorded, one at a time. Thus someone with three in-state and one out-of-state address may be able to vote four times, but it will take four trips to the voting booth to do it - and the person involved is virtually certain to be caught if an auditor compares actual voters against a national identity database such as that maintained by Acxiom.
This election is marked by a bitterness verging on the pathological among leading Democrats. As a result they've announced their willingness to do whatever it takes to win, including intimidating election officials and contesting every Republican victory through the courts. The Kerry campaign, for example, has recently announced its intent to have 2,000 lawyers among the 7,000 party representatives attending polling places just in Florida and had earlier promised 10,000 lawyers on standby across the nation. Some Democrats in Congress, meanwhile, invited the UN to supervise an American election.
Assuming Mr. Bush wins, we can expect that these people, many of whom maintain against all evidence that Gore won in 2000, will respond bitterly, viciously, and without consideration for the consequences to democracy.
Conspiracy theorists are not constrained by reality: if vote cheating is remotely possible, and a Republican wins, vote cheating will be alleged. The electoral officials involved will then find their records subpoenaed, their every action and motive questioned, and themselves facing trial by media. That may sound exaggerated, but the groundwork is already in place. For example, in yesterday's (Oct 22nd) Toronto Globe and Mail, Alan Freeman has this to say:
Florida's creaky election system may have been studied, reformed and remodelled, but Sharon Pynchon is still convinced the Republicans would steal the election on Nov. 2 if given a chance.
"We feel there's absolutely no basis for trust because they've shown that if there's an opportunity, they'll circumvent the law," said Ms. Pynchon, a volunteer running the local Democratic headquarters in DeLand, the sleepy seat of Volusia County.
"We can sit and stare at an electronic voting machine all day, but have no idea what is happening in the technology part of it," she continued, speculating that the machines can still be tampered with remotely.
Opinions like these are unburdened by supporting evidence, but there is an underlying reality to them: today's evoting machines and the processes within which they are used have systemic weaknesses. Although these problems are serious, I think that their biggest impact will come, not from vote rigging, but from the effects on public opinion when well-intentioned but technologically illiterate judges react to expert testimony about these weaknesses by finding reasonable grounds to doubt the legitimacy of at least some election outcomes.
It would take a Bush landslide (or a Kerry victory) to limit the effect for this election but the long run right answer is to put in place a system in which local cheating is truly impossible. Not difficult or implausible, but impossible.
That's what the Sunray solution offers: you can't cause it to cheat, because there's nothing programmable on it that can interact with the application used to deliver the ballot and record the vote. With the very best of the present evoting technologies any expert testifying in court would have to say that cheating would be so hard to do that it probably wasn't done often, and that equivocation makes it impossible for election officials to ever prove Ms. Pynchon wrong. In contrast, any expert on the Sunray solution could slam the door on her by testifying that no cheating took place because no cheating is possible. It can't be done, therefore it wasn't done. Period.
Ballot secrecy is critical to the democratic process because it allows voters to reject those who try to pay or frighten them into voting for favored candidates. With client-server evoting, attacks on ballot secrecy can succeed simply by correlating information from something like a hidden camera (or just someone who takes notes) in the polling place to the vote record as recorded in a database or ballot register.
In the Sunray solution the physical ballots dropped into the ballot box for audit and control reasons do not carry markings that could give away their sequence.
The actual vote is not recorded anywhere other than on the paper ballot. At the state level the only thing recorded is the running total for each vote category. In the normal course of things this means that no record of individual votes can be reconstructed.
There are some exceptional circumstances. If, for example, there are few polls applicable to a category and very few voters record a choice during a known time period, then a high likelihood reconstruction is possible. To thwart that, the system would be set up to buffer some votes - not recording new totals until the smallest change exceeds a threshold such as five and clearing its buffers only on shutdown after the election period expires.
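The buffering rule just described, as an added sketch that is not part of the original column or any Sunray software. The class name `BufferedTally`, the per-contest scope, and reading "smallest change" as the smallest pending increment among choices that received votes are all assumptions.

```python
from collections import Counter

class BufferedTally:
    """Running totals for one contest; increments are held until large enough."""

    def __init__(self, choices, threshold=5):
        self.threshold = threshold
        self.published = Counter({c: 0 for c in choices})  # visible totals
        self.pending = Counter()                            # buffered votes

    def record(self, choice):
        if choice not in self.published:
            raise ValueError(f"unknown choice: {choice!r}")
        self.pending[choice] += 1
        # Publish only when the smallest buffered change exceeds the threshold,
        # so a single voter's choice never shows up as a visible increment.
        if min(self.pending.values()) > self.threshold:
            self._flush()

    def _flush(self):
        self.published.update(self.pending)  # Counter.update adds counts
        self.pending.clear()

    def shutdown(self):
        """Clear the buffers once the election period has expired."""
        self._flush()
        return dict(self.published)

def demo():
    # Constructed vote sequence: one "B" vote, then ten "A" votes.
    tally = BufferedTally(["A", "B"], threshold=5)
    snapshots = []
    for choice in ["B"] + ["A"] * 10:
        tally.record(choice)
    snapshots.append(dict(tally.published))  # lone "B" keeps everything buffered
    for _ in range(5):
        tally.record("B")
    snapshots.append(dict(tally.published))  # both changes now exceed five
    tally.record("A")
    snapshots.append(dict(tally.published))  # single vote is held back
    snapshots.append(tally.shutdown())       # buffers cleared at shutdown
    return snapshots

if __name__ == "__main__":
    for snapshot in demo():
        print(snapshot)
```
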
The Sunray solution also offers a defence against the more recent method of coercing voters to "do the right thing" by having lawyers and paralegals at the polling places to "guide" the otherwise disenfranchised. Although primarily just a thinly disguised attempt to intimidate election officials into looking the other way on this and related abuses, this is also a way to limit the effect of ballot secrecy while setting aside rules against electioneering in the polling place.
Voter training, using one or more terminals set up specifically for that purpose adjacent to, but not in, each polling place, is part and parcel of the Sunray proposal. Combined with the removal of most registration issues from the polling place, this gives the voter an opportunity to obtain training and run practice voting in a non-coercive environment while enabling electoral officials to enforce privacy in the polling booth.
There are always errors, human and mechanical failures, and people who try to scam the system.
In the case of the Sunray solution, training, finance, and physical hardware/network distribution for the polls are bundled issues.
As in any complex system, the likelihood of failures, particularly human and network failures, increases as non-electoral usage decreases. Thus one of the great weaknesses of the client-server technology now used is that the gear gathers dust between elections - meaning that the people involved have to re-invent their expertise each time an election is carried out.
If used only during elections the Sunray system has the big advantage of simplicity in set-up and operation. The electoral officials basically just need to plug them in, lock the ballot boxes onto the printers, load paper, and turn everything on - with the more difficult telecom components provided and tested by people who work with that technology every day and therefore know what they're doing.
The Sunrays, however, don't have to gather dust between elections. The approach which minimises public cost while maximising benefit (and administrative resistance to implementation) is to use them in schools during non-election periods. Doing so would, of course, also provide a large pool of knowledgeable users and technologists while debugging network issues during normal operations.
Either way there is no percentage in stealing the equipment or in trying to scam the system by inserting a few terminals - the Sunray software will issue an alarm if devices are missing and won't accept an unauthorised device at all. Note too that many of the problems affecting client-server (things like data losses or modification during transfer, virus attacks, boot or other device failure, and so on) just don't exist in the Sunray environment.
The state and national centers, whether used only during elections or continually, represent low risk environments because the technologies and procedures are widely used and well understood. Most importantly, there are very few of these and their operations can be made wholly transparent - including fully open source code - to audit teams present during the elections.
Basically, no matter how the installation is handled, we can expect that some things will go wrong - but also that remediation should be quick enough that the impacts, if any, are very minor.
In the Sunray solution a voter is marked as having voted only if a ballot is produced and dropped in either the authorised or the provisional bin. Thus for every vote increment recorded at the state or national level there has to be a piece of paper - whether that increment is zero and the ballot blank or not. No under votes, no over votes. No issues separating provisional votes, and full downstream auditability on who voted.
(Interestingly, Edward Delp and his colleagues at Purdue have recently developed a way to "fingerprint" printers - meaning that stuffing the ballot box after the election in an attempt to upset the audit would not succeed because ballots not printed in the polling booth could be positively identified.)
Notice, however, that the paper ballots by themselves do not constitute the audit trail. What's going on here is like a three-way form of double entry bookkeeping. The electronic count, the paper ballots, and the list of voters who voted, have to balance - and if any two go out of sync, the source of the problem will be totally obvious.
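The three-way balance described above, as an added audit sketch that is not part of the original column. The function name `reconcile`, the per-ballot-box unit of comparison, the status strings and the sample figures are assumptions made for illustration.

```python
def reconcile(electronic, paper, voters_marked):
    """Balance the three records for one ballot box.

    electronic, paper: dict of choice -> count (blank ballots counted too).
    voters_marked: voter-list entries flagged "already voted".
    Returns (status, detail).
    """
    counts = {
        "electronic": sum(electronic.values()),
        "paper": sum(paper.values()),
        "voter_list": voters_marked,
    }
    values = list(counts.values())
    distinct = set(values)
    if len(distinct) == 3:
        return "no_agreement", counts
    if len(distinct) == 2:
        # Two records agree, so the third is the one to investigate.
        odd = next(k for k, v in counts.items() if values.count(v) == 1)
        return f"suspect:{odd}", counts
    # Totals balance; the per-choice split must match as well.
    diffs = {
        c: (electronic.get(c, 0), paper.get(c, 0))
        for c in set(electronic) | set(paper)
        if electronic.get(c, 0) != paper.get(c, 0)
    }
    return ("choice_mismatch", diffs) if diffs else ("balanced", counts)

# Constructed sample data: (electronic totals, hand-counted paper, voters marked).
SAMPLES = {
    "box-1": ({"X": 3, "Y": 2, "blank": 1}, {"X": 3, "Y": 2, "blank": 1}, 6),
    "box-2": ({"X": 3, "Y": 2}, {"X": 5, "Y": 2}, 5),  # extra paper ballots
    "box-3": ({"X": 3, "Y": 2}, {"X": 3, "Y": 2}, 6),  # voter list ahead
    "box-4": ({"X": 3, "Y": 2}, {"X": 2, "Y": 3}, 5),  # totals agree, split differs
}

if __name__ == "__main__":
    for box, args in SAMPLES.items():
        print(box, reconcile(*args))
```
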
In contrast to the client-server solutions, which require continual monitoring and effort, the Sunray solution, once installed, simply works. As a result election officials will be able to ignore the technology to focus on the bigger picture - things like ballot and voter list preparation.
In both cases the Sunray solution will support rather than impede management's work. For example, ballot preparation is intended to proceed by having county officials prepare text files which are then automatically converted to the HTML (or Java) form used during the election. Thus the system will enable ballot debugging via practice runs while reducing the time needed to effect change.
Similarly, the voter list preparation process is expected to take months prior to the election. This, however, has unique legal and other risks for the participants that will be reduced by the system's ability to track change and record effort. Thus when, during the election, people appear "from out of thin air" (as always happens) the system's centralised record management can easily accommodate them and areas of concern later identified for improvement to the process next time out.
Mr. Mereckis backed out of the debate, but I'm hoping you won't. We're five days from the election: so let's hear what you think is going to happen with evoting.