February 2004

Valid Voting?

Stanford University computer scientist David L. Dill on the security of electronic voting.

By Erika Jonietz

David L. Dill
Position: Professor of computer science, Stanford University
Issue: Electronic voting. U.S. state and local election commissions are increasingly adopting computerized voting machines. But many believe the systems open the door to increased voting error and fraud.
Personal Point of Impact: Crafted the Resolution on Electronic Voting, advocating a permanent paper record of each vote that allows voters to verify their own ballots; the resolution has been endorsed by several top computer security experts

Technology Review: Electronic voting is a relatively new concept in the United States. How do these systems work?

David L. Dill: We have touch-screen machines, or more generally, direct-recording electronic machines. The voter puts in the vote either via a touch screen or a knob, and the ballots are recorded electronically in the machine's memory.

TR: Wouldn't that make counting votes faster and more accurate than other systems, like punch cards? Why object?

Dill: The problem with this technology is the voter can't observe the record that it made. So a voter could vote for candidate A, and the machine could record a vote for candidate B. There is no way that anyone can tell that that voter voted for candidate A. No matter how you conduct a recount, you're going to get what appears to be a vote for candidate B-we're unable to do a meaningful recount.

TR: Are errors and fraud really more likely with these machines, though?

Dill: Of course, there has been election fraud with paper ballots. Sometimes what the debate gets down to is, people admit that electronic voting is completely insecure but say that paper is insecure as well. It really depends on how well your election is run. People have had a hundred-plus years of experience with paper ballots. It's pretty well known how to maintain the integrity of a paper-ballot election.

The problem with the touch-screen machines is, regardless of how diligent election officials are, there can be errors or fraud committed by the programmers or anybody who had access to the software before it was installed on the machine.

Now, I suspect that the most frequent problem we'll see-or more worryingly, the most frequent problems that will occur that we don't see-will be errors, just accidents, causing changes in the vote.

TR: Intentional fraud wouldn't seem to be much of a concern, then.

Dill: If you think about it rationally, there's a set of questions. Who might commit fraud, and what is their level of motivation? Can they get technical experts to do it? What kind of money or other resources can they muster? And if you think about people who would want to alter the results of elections-particularly at the national level-they can bring tremendous resources to bear. We're talking about foreign governments, organized crime, major government contractors-people who have a major financial stake in who is controlling the U.S. government.

There are certainly case studies of these things happening in foreign countries, but in our own country, if you look at Watergate as an example-suppose those guys weren't trying to bug the Democratic Party headquarters but were actually going after the electoral system through a voting company? It's a pretty scary prospect, and it seems to me from examining the system that there's little likelihood that somebody committing that sort of fraud would get caught.

TR: Voting-machine companies face severe criticism for the security of their software. But couldn't these machines be made secure enough to avoid that scenario?

Dill: As a computer scientist, I don't think they can make it secure enough, no matter what their procedure, or how they design the machine, or how the machines are inspected at independent laboratories. I have, however, attempted to find out what the actual processes are, and they are much worse than what is achievable. The place where we learned the most was when [touch-screen-voting leader] Diebold's source code and many of their other files were placed on the Internet. They were examined by researchers at Johns Hopkins University and Rice University. And various possibilities for external attacks-even by voters-came up in that review.

I don't know how concerned to be about that. It could be that these systems have major weaknesses that they don't need to have. That was certainly the case with Diebold. And the various regulations, the testing laboratory, the logic and accuracy tests are not solving the problem.