The debate over the security of electronic voting machines hasn’t gone away after November’s elections in the U.S.
In Florida, Christine Jennings, a Democratic candidate for U.S. House of Representatives, is pressing forward with a lawsuit asking for a revote. More than 18,000 people in Sarasota County, Florida, voted in other races on the ballot, but e-voting machines from Election Systems & Software Inc. didn’t record a vote in Jennings’ race, which she lost by 369 votes.
Meanwhile, in early December, the Technical Guidelines Development Committee (TGDC), an advisory board to the U.S. Elections Assistance Commission, voted to draft requirements for independently verifiable voting records, such as paper printouts, to be used with direct record electronic (DRE) machines.
Groups like the Association for Computing Machinery (ACM) have long been calling for independent audits for DREs, and Eugene Spafford, chairman of the group’s U.S. policy committee, says there’s still work to be done to ensure accurate e-voting. Spafford, a widely recognized computer security expert and executive director of the Purdue University Center for Education and Research in Information Assurance and Security, recently spoke to IDG News Service about e-voting security and reliability. An edited transcript of that interview follows.
IDGNS: Even with the TGDC’s vote in December, an independent audit requirement would still be years away. What needs to be done sooner to improve e-voting security?
Spafford: Any equipment that’s deployed should have something like that in place before the next election. Not all jurisdictions have finished their acquisition of new [voting] technology, so the vote may guide them in their decision. It may also help the vendors. Although it may be two to three years before the federal requirements take full effect, the trend is clear already.
IDGNS: One of the concerns at the TGDC meeting focused on the potential for e-voting machine printers to fail during elections. Are there other ways of creating independent audits?
Spafford: One of the things that needs to be clarified is, there are a number of different ways of using paper as an audit trail. There is indeed concern, and rightfully so, over simply tacking on a printer to an existing DRE. Those printers were never really designed for reliability. They jam and can cause problems.
The goal should be to design systems carefully with the fault levels in mind and an appropriate way of using paper, if that’s the mechanism. Systems that mark individual ballots for optical scan is a form of paper that’s auditable. They don’t lead to the kinds of jams or problems that one would see with thermal paper printer roles. If you look at it as a design issue, there are many ways of using paper appropriately that don’t have the disadvantages.
Other than paper, a number of different ideas have been discussed. For instance, one method that’s been talked about is to have a video recording of the screen. A couple of ideas involve a cryptographic algorithm to create a kind of cryptographic receipt. Some of those ideas have raise concerns about preserving the anonymity of voters.
IDGNS: Some of those ideas don’t sound like they’d get around the “black box” question with e-voting — that people don’t see what’s going on in the machine.
Spafford: There’s something that I think has been overlooked by a lot of people who work in this realm. The average voter does not have the technological sophistication to have confidence that the mechanism preserves their anonymity and their vote. Some of the methods that involve cryptography, for instance, while scientifically very sound, would be used by people who don’t understand the mathematics behind it and are mistrustful of the idea that they would have to take someone’s word that it works.
The method of having a paper record is a technology people can immediately grasp and understand. That’s really important. We want not only to protect the vote, but we want people to feel comfortable that their vote matters.
Anything that we do to make the system more complex or difficult to understand disenfranchises some people.
IDGNS: Some e-voting security critics have pointed to some major flaws, such having e-voting machines networked with each other. In your view, why did that happen?
Spafford: You have to look at systemwide problems with fault tree analysis. It’s not an area where there’s a lot of expertise. Certainly, the companies involved followed the existing regulations. It’s hard to lay 100 percent of the blame on vendors.
It was a situation where states were required to go out and spend a lot of money in a short period of time without necessarily appropriate guidance. These companies responded, and they did, in large part, provide equipment that met the existing guidelines, which may not have addressed the potential problem.
IDGNS: Do you think the debate on e-voting has turned a corner with the TGDC vote?
Spafford: Not yet. The reason is that the issue is still not well understood by a number of local officials. Some of us in the community perhaps have not done the best job in describing the issue. We’re worried about the security aspects, but we’re also worried about reliability. For instance, what has happened in the Florida race is probably not a security breach. It’s probably poor design or machine failure.
But we have no way of knowing what the voter intent was because there was no independent audit trail.
One of the ways we can capture attention is talk about security failures. The people at local elections level, when we have raised these arguments, have taken a sort of personal umbrage. First, we’re calling into question their judgment for buying the machines in the first place, and second, we’re implying that their procedures are faulty or the people involved are dishonest.
That isn’t going to enlist their support in moving to better systems. We need to convey to them that it’s in the interest of the population to have greater confidence in elections.