Stanford University computer scientist David L. Dill on the security of electronic voting.
David L. Dill
Position: Professor of computer science, Stanford University
Issue: Electronic voting. U.S. state and local election commissions are increasingly adopting computerized voting machines. But many believe the systems open the door to increased voting error and fraud.
Personal Point of Impact: Crafted the Resolution on Electronic Voting, advocating a permanent paper record of each vote that allows voters to verify their own ballots; the resolution has been endorsed by several top computer security experts
Technology Review: Electronic voting is a relatively new concept in the United States. How do these systems work?
David L. Dill: We have touch-screen machines, or more generally, direct-recording electronic machines. The voter puts in the vote either via a touch screen or a knob, and the ballots are recorded electronically in the machine’s memory.
TR: Wouldn’t that make counting votes faster and more accurate than other systems, like punch cards? Why object?
Dill: The problem with this technology is the voter can’t observe the record that it made. So a voter could vote for candidate A, and the machine could record a vote for candidate B. There is no way that anyone can tell that that voter voted for candidate A. No matter how you conduct a recount, you’re going to get what appears to be a vote for candidate B-we’re unable to do a meaningful recount.
TR: Are errors and fraud really more likely with these machines, though?
Dill: Of course, there has been election fraud with paper ballots. Sometimes what the debate gets down to is, people admit that electronic voting is completely insecure but say that paper is insecure as well. It really depends on how well your election is run. People have had a hundred-plus years of experience with paper ballots. It’s pretty well known how to maintain the integrity of a paper-ballot election.
The problem with the touch-screen machines is, regardless of how diligent election officials are, there can be errors or fraud committed by the programmers or anybody who had access to the software before it was installed on the machine.
Now, I suspect that the most frequent problem we’ll see-or more worryingly, the most frequent problems that will occur that we don’t see-will be errors, just accidents, causing changes in the vote.
TR: Intentional fraud wouldn’t seem to be much of a concern, then.
Dill: If you think about it rationally, there’s a set of questions. Who might commit fraud, and what is their level of motivation? Can they get technical experts to do it? What kind of money or other resources can they muster? And if you think about people who would want to alter the results of elections-particularly at the national level-they can bring tremendous resources to bear. We’re talking about foreign governments, organized crime, major government contractors-people who have a major financial stake in who is controlling the U.S. government.
There are certainly case studies of these things happening in foreign countries, but in our own country, if you look at Watergate as an example-suppose those guys weren’t trying to bug the Democratic Party headquarters but were actually going after the electoral system through a voting company? It’s a pretty scary prospect, and it seems to me from examining the system that there’s little likelihood that somebody committing that sort of fraud would get caught.
TR: Voting-machine companies face severe criticism for the security of their software. But couldn’t these machines be made secure enough to avoid that scenario?
Dill: As a computer scientist, I don’t think they can make it secure enough, no matter what their procedure, or how they design the machine, or how the machines are inspected at independent laboratories. I have, however, attempted to find out what the actual processes are, and they are much worse than what is achievable. The place where we learned the most was when [touch-screen-voting leader] Diebold’s source code and many of their other files were placed on the Internet. They were examined by researchers at Johns Hopkins University and Rice University. And various possibilities for external attacks-even by voters-came up in that review.
I don’t know how concerned to be about that. It could be that these systems have major weaknesses that they don’t need to have. That was certainly the case with Diebold. And the various regulations, the testing laboratory, the logic and accuracy tests are not solving the problem.
TR: Diebold has sold touch-screen machines to Georgia, and has a contract with Maryland?
Dill: Yes. [Note: A Diebold spokesman says these machines use updated source code, different from that posted on the Web.]
TR: What is required to avoid fraud or large-scale errors?
Dill: I wrote the Resolution on Electronic Voting with help from other computer scientists. We tried to make the most general requirement we thought would work. So we asked for a voter-verifiable audit trail-a permanent record made of the vote that the voter can check is accurate, and that is available for a recount. Now, the only way to do that that is proven at this point is to use paper somehow. You can have a fully manual process, in which case the ballot that you fill out is that voter-verifiable audit trail: you have the ability to make sure it’s correct because you’re actually filling it out. The same for an optical-scan ballot or punch card.
With the touch-screen machine, the solution is to add on a voter-verifiable printer. That prints a copy of your vote, and you get a chance to look at it, make sure that it correctly registers your vote, and reject it if it does not. Then that paper record goes into a locked ballot box. It’s important that the voter not be able to take it out of the polling place because that facilitates vote selling or coercion.
There’s nothing inherently wrong with having computers in the process. You just have to do it right. The Help America Vote Act, a national election reform law passed in 2002, says something about a manual audit capacity. And California’s Prop 41 says that the machines have to print paper copies of the ballot either during the election or right after the polls close. The problem with the second solution is, if we go back to the scenario where the voter votes for candidate A, and a vote is recorded for candidate B, anything that’s printed after the polls close cannot be verified by the voter. You’ll end up with a copy of what’s in electronic memory. Your recount is always going to come out the same as your electronic copy, and it will fail to catch errors in recording the votes.
TR: So what is currently the best option?
Dill: It’s a really difficult question because people have a very long wish list for electronic voting-or for any kind of voting. It’s hard to satisfy all of these requirements. But given what I know now, I think the best option is a precinct-based optical-scan system-with some special device such as a touch-screen machine for use by people who cannot use that system. In a precinct-based system, the voter himself puts the ballot into the machine which reads it. The advantage is that the machines can be programmed to reject ballots that have stray marks or too many votes, so that the voters can correct them then and there.
The other option is to go with direct-recording electronic machines with a voter-verifiable printer. I really only have two concerns about that. One is that it is even more expensive than the touch-screen machines, which are pretty expensive. The other concern is that it’s a relatively new idea that hasn’t been tested a lot in actual elections. I think we should have the pioneering counties try it out and then, once we understand how that system works better, consider deploying more machines.
TR: The U.S. Department of Defense has a pilot program using Internet voting to help soldiers stationed abroad vote more easily. Might we all vote that way someday?
Dill: They’ve succeeded in finding the only idea worse than electronic voting in precincts. Even people who disagree with me about touch-screen voting say that Internet voting is a bad idea. I understand the need to make sure that people in the services vote. And I understand the problems they have now with getting absentee ballots. But I think Internet voting is not the right solution. I’m too busy with my particular battle to combat that, but I hope somebody is able to get it killed.