For more than a decade, Aviel “Avi” Rubin, a professor of computer science at Johns Hopkins University in Baltimore and an e-voting activist, has been a vocal critic of e-voting systems across the nation. In 2006, Rubin wrote the book Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting, which heavily criticized e-voting machines for security and reliability shortcomings. Rubin talked with Computerworld about the recent presidential primary election cycle and his thoughts on e-voting going into the November elections. The following is an edited version of that interview.
Now that we’ve finished our presidential primaries, how do you think e-voting went this election season? E-voting is really dangerous and unpopular with security people, not because of how the election is likely to go as perceived, but because of the problems that might happen that are not perceived.
For example, if the concern is that the electronic voting machines are going to record votes incorrectly, in a way that might not be noticeable, then you can run an election and say that it appears to have gone fine, but we don’t really know. And so, given that I have the concern that we have voting machines that we can’t audit and we can’t have confidence that they got the answer right, then the answer is, “Well we think it went OK, but we don’t really know.”
The kinds of problems that we worry about are exactly the kind that don’t necessarily have a noticeable manifestation. I do think one of the risks of fully electronic voting is that a small mistake can be magnified in scale all over the place because the touch-screen e-voting machines are all the same, they’re all electronic, they all require power, and they all use computer code and a particular set of circumstances that could cause something bad to happen everywhere. I don’t usually think it’s likely to happen, and in this case, it doesn’t appear to have happened. But the concerns of security and auditability are not necessarily things that would leave any incriminating evidence of a potential problem.
E-voting advocates and vendors say that such worries are the stuff of disgruntled conspiracy theorists who can’t accept the e-voting systems that we use. How do you respond to those allegations? I would ask those people if they would be willing to allow their bank accounts to be unauditable. And if they would be willing to forgo monthly statements for their bank accounts that show where the money came in and where it came out and if they would give up on getting any confirmation of their ATM transactions.
In my opinion, votes in this country are just as important as money, but we have the anonymity requirement so we can’t get a monthly statement about our votes and who we voted for. So we need to have a system that accommodates the ability to audit to be sure that the machines got the right result.
Can you give me your technical analysis of this election season? Did you see any specific problems that screamed out to you about e-voting technologies and the machines? I’ve seen some people in various places on some mailing lists that I’m on talk about various voting machines having totals that were off by one or two that didn’t match up, but I haven’t seen any kind of technical evidence that raised my concerns specifically.
Can technology companies build systems today that are safe, reliable and secure with the votes cast on them? Definitely. I’ve seen designs of voting systems that I’d be happy with. I don’t think anything is totally secure. Ultimately, I think the goal is to do the best we can and not be perfect. When you’re talking about 100 million votes, all cast pretty much on the same day across the country, there’s no dress rehearsal.
What then do you think needs to be done differently? First of all, there are several areas where there have been problems. One has been that the certification and testing we have doesn’t actually [cover every scenario]. For example, if you drop a voting machine from four feet, will it still work? Or if you hit a certain temperature in the room, what problems are you going to have with the voting system? It can’t really test the voting systems for how they’ll perform in a particular software failure because you can’t anticipate what all the software failures are going to be.
The National Institute of Standards and Technology [NIST] identified what I think is a breakthrough property in an e-voting machine, which is the idea of making it software-independent. That means designing voting systems where a software failure does not have any possible impact on the accuracy and integrity of the election. This isn’t my idea. This is NIST. They published a paper where they identified that, and I said that is the killer property that you want.
A light went off over my head when I read that, and I said that that’s a very good way of describing what I’ve been trying to say. The concern that I’ve always had as someone who’s an expert in software is that what we need is software that’s redundant and that’s not trusted in the process.
How would that work? Are you talking about using old-style vote counters and mechanical systems again? No, you can do it with computer systems. If you start out with the goal of designing something to be software-independent, which is a different mind-set from designing something without that requirement, you design it very, very differently. You have redundant components.
Let me give you an example of a system that is software-independent. You have a system where voters use a touch screen to make their selections and the touch-screen machine, when they’re done, prints out a paper ballot that they look at and that has all the candidate choices they made. The voter then takes the completed, printed ballot, and they put it into a scanner. The scanner tallies the ballots up and keeps counts of all the votes. Now if the software on that system fails, they wouldn’t get a printed-out ballot that they could then accept and approve.
After the election is over, you pick a bunch of scanners randomly, and you audit them. You count the papers, and you compare the totals that the scanners ran, or you have a different independent scanner that you run the ballots through to see if you get the same answers.
In any stage of the process, a flaw in the software will either be caught and corrected, or it will prevent you from proceeding, in which case you can get the ballots pulled up some other way.
Now let’s compare that to an existing direct-recording electronic (DRE) touch-screen machine, where the voter comes in and marks his or her choices and they are stored on a magnetic card on the inside of the machine, and at the end of the day, the voting officials get the card and it has all the tallies. Any flaw in the software could change all the tallies or record the votes incorrectly, and there would be no checks and balances against that because there is no paper record of the actual choices made by the voters.
What is your analysis of e-voting security today? Can we even be sure that the right people won this year’s primaries, based on your long-term concerns about e-voting? I personally don’t doubt that the right people won the elections. I use several factors for that. One is the fact that we seem to be getting the results that are indicated by all the polls. Remember, I’m only concerned about the potential for problems, but we are using systems that can’t be audited. That’s not the same statement as “Somebody is cheating.” That’s a different leap that I’ve never taken.
I just say let’s avoid the potential for big problems down the road by having systems that we can audit. That’s basically my thesis. I think that if, let’s say, [Dennis] Kucinich had won the Democratic primary race, then I would say yes, something went wrong [because that was not a result seen in the polls conducted through the races]. But considering the way the polls were going and the primary results, is it possible that Hillary Clinton should be the Democratic nominee? I don’t think it’s likely, but it’s definitely possible. The kind of mistake that that would have taken wouldn’t have been that big in a few key states, and then she would have had more delegates.
But haven’t we always been prone to possible errors like that, even with the old mechanical lever machines, before we ever began using electronic machines? Sure, and I’ve written extensively about the weaknesses of lever machines, and no way have I ever advocated going back to those. But the DREs are actually worse because if there’s an error in the lever machines, it was usually because somebody set it up wrong. And on purpose or by accident, it would affect just that one machine in one precinct. If there’s an error in the software of a DRE that’s being used everywhere, we might not know that there’s a problem there. That could be malicious or accidental as well.
But does doing better today still involve electronic voting systems? Can we use them and have secure, reliable elections, with the required checks and balances that you advocate? Yes, software-independent systems can do that. It’s a design philosophy. When you build a voting system, you try to build it so that any particular software component is not depended upon in terms of the accuracy of the election.
The easiest way to achieve that is to introduce paper ballots. Another way to achieve it, that I think is still in the research phase, is through cryptography, and I think ultimately we will be able to replace paper with cryptography. Cryptography is fancy math that can be used to test certain properties, like you can do encryption, you can do signatures and verification. And there are cryptographic techniques that can be used to achieve software independence so that even if there’s a bug in the software, you’ll detect if there’s a problem. But those are not ready for prime time in my opinion.
So IT should still be an important part of making our election system more secure and reliable in this country? Yes, I wouldn’t want to try to build a voting system without technology. I think if you take a different psychology, a different philosophy toward building systems, where you say we’re going to use software as much as we can but we’re not going to rely on it for security, you will actually design a pretty good voting system.
So under such a system, we’re leaving our trust in the paper ballots and in the audits, while using the software only for automating the tallying process? Exactly, and someday, in the cryptography.
As we look toward November, which is not that far away, are there any changes that you recommend should be made before the November elections? You don’t want to start changing your voting systems in June before a November election. In some states, it’s too late. I think we can put audits in place and observation and gather statistics and do good exit polling. But in Maryland, for example, we have electronic voting. In 2010, we’re going to switch to paper systems. That gives us two years. I don’t see how we could do it in a few months.
So bottom line, in your opinion, here now in the summer of 2008, are we better off now than we were in Florida in November 2000 during the presidential election, when the winner of the race eventually had to be determined by the U.S. Supreme Court? Much better. Most states have switched to paper records. I don’t know that even in the future we’ll have an election as close as that one. That was the perfect storm of problems. They were using punch cards that were poorly designed. Every technology can be designed well or designed badly. And it can be used well or used badly. I think we also learned a lot about voting, and election officials have learned more about technology. So I think we are through the hardest part, and things are improving. We’re definitely much better than we were in 2004, when we had 37 states that were using fully electronic voting that was poorly designed, without paper ballot backups.
And now most of those have switched to paper-based optical scan systems? Right. There are only a few that are still all-electronic, including Tennessee and Maryland. But both have laws to switch in 2010.
Well, then what problem remains? The problem to a great extent has been improved on. The problem in 2004 was that very few of the systems were software-independent because they relied on the software to keep and store vote tallies. In my opinion, most systems that use optical scanning of paper ballots, whether they are generated by computer or by hand, are likely to have that property. But you could conceive of designing it so badly that it didn’t have it.
What would it take to make existing e-voting equipment software-independent? Would it take a drastic rewrite of code? I don’t think it’s going to be very hard. I think there are many vendors that sell systems that I would consider to be software-independent. Almost any system that uses an optical scan paper ballot is software-independent because you have the paper ballot that you can go back to and you can audit. But again, it’s not if you don’t randomly audit the ballots after the election. You do have to make sure that proper auditing is done, otherwise you’re trusting the software and the scanner. A lot of states do very poor auditing, if at all.
So maybe we aren’t that far away from making the system safer and more secure? Yeah, I’m much more optimistic than I was a few years ago.
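Added illustration, not part of the Computerworld interview and not code from Rubin or from any voting-system vendor: the software-independent pipeline he sketches above (touch screen prints a paper ballot, a scanner tallies it, officials hand-count randomly chosen precincts and compare against the scanner totals) next to a paperless DRE that keeps only the software tally. The electorate, precinct sizes, and the miscounting fault are all constructed for the example; the fault is hypothetical and is not a defect in any real product. It exists only so the audit has something to catch, and it is small per ballot to match the point that a tiny error in code running everywhere can add up to a flipped outcome.

```python
"""Simulation: paper ballot + scanner + random hand-count audit versus a paperless DRE.

Everything here is constructed for illustration. The "bug" is a hypothetical
software fault, not a description of any real machine.
"""
import random
from collections import Counter

CANDIDATES = ("A", "B")


def make_miscount_bug(every=25):
    """Hypothetical tally fault: every `every`-th ballot cast for B is recorded
    as a vote for A. The same code runs in every precinct, so the same small
    error repeats everywhere (the scaling concern raised in the interview)."""
    seen = [0]

    def bug(choice):
        if choice == "B":
            seen[0] += 1
            if seen[0] % every == 0:
                return "A"
        return choice

    return bug


def mark_paper_ballot(choice):
    """The touch screen prints a ballot the voter can read before depositing it."""
    return {"choice": choice}


def tally(ballots, bug=None):
    """Software tally (scanner or DRE). `bug`, if given, corrupts what is recorded."""
    counts = Counter({c: 0 for c in CANDIDATES})
    for b in ballots:
        counts[bug(b["choice"]) if bug else b["choice"]] += 1
    return counts


def hand_count(ballots):
    """Independent count of the retained paper; no software in the loop."""
    counts = Counter({c: 0 for c in CANDIDATES})
    for b in ballots:
        counts[b["choice"]] += 1
    return counts


def run_election(n_precincts=200, ballots_per_precinct=500, bug=None,
                 audit_sample=10, seed=1):
    """Run a constructed election and a random post-election audit.

    Returns the software totals (all a paperless DRE would leave you with),
    the paper totals, and every sampled precinct whose hand count disagrees
    with what the software reported."""
    rng = random.Random(seed)
    precincts = {}
    software_total = Counter({c: 0 for c in CANDIDATES})
    for pid in range(n_precincts):
        # Constructed electorate: B leads narrowly, 51 to 49.
        paper = [mark_paper_ballot(rng.choices(CANDIDATES, weights=(49, 51))[0])
                 for _ in range(ballots_per_precinct)]
        reported = tally(paper, bug)
        precincts[pid] = (paper, reported)
        software_total.update(reported)

    # Software-independent step: pick precincts at random, hand-count the
    # paper, compare with the scanner's own totals for that precinct.
    discrepancies = []
    for pid in rng.sample(range(n_precincts), audit_sample):
        paper, reported = precincts[pid]
        counted = hand_count(paper)
        if counted != reported:
            discrepancies.append((pid, dict(reported), dict(counted)))

    paper_total = Counter({c: 0 for c in CANDIDATES})
    for paper, _ in precincts.values():
        paper_total.update(hand_count(paper))

    return {
        "software_winner": software_total.most_common(1)[0][0],
        "paper_winner": paper_total.most_common(1)[0][0],
        "software_total": dict(software_total),
        "paper_total": dict(paper_total),
        "audit_discrepancies": discrepancies,
    }


if __name__ == "__main__":
    faulty = run_election(bug=make_miscount_bug(25))
    print("software says:", faulty["software_total"], "->", faulty["software_winner"])
    print("paper says:   ", faulty["paper_total"], "->", faulty["paper_winner"])
    print("precincts flagged by a 10-precinct audit:", len(faulty["audit_discrepancies"]))
    clean = run_election()
    print("without the fault, discrepancies:", len(clean["audit_discrepancies"]))
```

With the fault in place, the software tally hands the election to A while the paper says B; a hand count of only ten randomly chosen precincts flags every one of them, because the error is present wherever the code runs. A paperless DRE in the same scenario would produce only `software_total`, and there would be nothing to compare it against. Without the fault, the audit finds no discrepancies and the two totals agree, which is the "we think it went OK, and here is why" that the interview asks for. The audit only helps if it is actually run: skip the sampling step and you are back to trusting the scanner.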