Electronic Voting Machines, and Why It's Hard

Folks,

This newsletter is a bit ahead of schedule, but I've got something else on tap for next week and this newsletter is timely.

Voting System Failures in Maryland


We just received a gilt-edged reminder of just how fragile our democracy is here in Maryland. In Montgomery County, where I live, the voter access cards for the Diebold voting machines were not distributed to the precincts before the election started. As a result, many people were unable to vote in the morning until the Board of Elections was able to send the cards over by courier. People voted on paper provisional ballots, until the precincts ran out of the provisional ballots. Some places resorted to photocopying ballots. Polls were ordered to stay open an hour later than scheduled, but this still doesn't compensate for people like my neighbor Scott, who had to leave on a plane that afternoon.

This was a garden-variety logistical screw-up with no direct connection to the electronic voting machines. However, the Diebold system did have an indirect effect, via the Keep It Simple, Stupid principle. The Diebold system has many elements -- the cards, the voting machines themselves, power requirements, the technical support, the setup instructions for modem connections, etc. The probability of a problem arising is directly proportional to the number of things that the logistics people need to keep track of. Adding in the Diebold electronic poll books for this election squared the complexity of the system. Is it really surprising that there was a logistical snafu?

To compound the problem, the current system does not have obvious ways to degrade gracefully. It either works or it doesn't -- and if it doesn't then the result is chaos. It is possible to design a system that does degrade gracefully -- the space shuttle is an example, albeit an imperfect one. The engineers for the space shuttle have designed a system where a known potential failure point leads to a known path for recovery. To set this up takes time and skill and effort -- three elements that are in notoriously short supply among the people at the Maryland State Board of Elections. Even at NASA, they know that some failures are too catastrophic, and cannot be recovered from -- but at least they've thought through some of the possible failure modes.

Note: one of the arguments that electronic voting machine proponents use is the human error argument. Electronic voting machines are supposed to take human error out of the equation. This last fiasco was the direct result of human error. How did electronic voting machines protect against human error in this situation? This is a perfect example of how electronic voting machines move the place where human error can occur from the individual voter to the programmer or the board of elections. Where previously an error would cause problems for an individual voter or at most a single precinct, now errors result in chaos county-wide or state-wide. People who know computer systems understand that the way to avoid these sorts of problems is to reduce the number of single failure points via redundancy -- RAID, failover, etc. The electronic voting machines have *no* redundancy, and are begging for failures.

A good place to look for coverage on this issue is the Washington Post:

http://www.washingtonpost.com/wp-dyn/content/article/2006/09/12/AR2006091200535_pf.html
http://www.washingtonpost.com/wp-dyn/content/article/2006/09/14/AR2006091401614_pf.html
http://www.washingtonpost.com/wp-dyn/content/article/2006/09/16/AR2006091600804.html


In the last article, there's an interesting quote: "Jensen [Jean Jensen, secretary of the Virginia State Board of Elections] said that not a single vote was lost in 2004 and that 8,000 to 10,000 voting machines were in use on Election Day." How can she prove this? In fact, it's an unprovable statement -- if you think about it, in an anonymous voting system you can only prove that a vote was lost. It is impossible to prove that a vote was not lost.

Why Is It Hard to Create an All-Electronic Voting System?


Why have the systems become so complex (beyond the desire for higher fees from the voting machine makers)? It's because they're facing a hard problem, whether or not they recognize it. I maintain that there are three fundamental elements to an election as we know it. I call them the three A's:

  1. Accuracy - the votes must be counted accurately.
  2. Anonymity - it must not be possible to tie a ballot to a voter after the fact.
  3. Auditability - recounts can be done by anyone.


Accuracy would seem to be a given -- if you can't get the count right it's not a good system. Yet, this is the place where traditional paper-based voting systems fail. Traditional paper-based systems are subject to human fallibility in determining the vote counts, but they were all we had until recently.

Anonymity is now a given, although it was not always the case. Nevertheless, a cursory study of voting in the Tammany Hall era in New York City or voting in the Soviet Union leads quickly to the conclusion that this is a necessary condition for a fair election. Interestingly enough, most electronic record systems NOT associated with voting attempt to do the exact opposite -- they attempt to create an irrefutable trail associating a transaction with a person (non-repudiation).

Auditability is critical to public confidence in elections. If Joe or Jane Citizen who has no specialized skills cannot reach the same counts as are posted, then there will be no public confidence in the election. It may take an ordinary person longer to reach the conclusion than the election system, but the result should be the same. And if the original count and the recount come up with different numbers, there must be a way to resolve the discrepancy.

Any two of these requirements can be fulfilled easily enough. Straight paper-based systems (such as Florida's notorious hanging chads) sacrifice (1) in favor of (2) and (3). DREs in their present form sacrifice (3) in favor of (1) and (2). A voting system based on digital signatures would sacrifice (2) in favor of (1) and (3).

At least for now, the best choice is the precinct-based optical scan machines. These fulfill all three elements and also provide for two additional goals: protection against mis-votes (alert to undervotes and prevent overvotes) and accessibility to other voters (such as the blind and visually impaired, or non-English speakers).

Places to Go for More Information

http://truevotemd.org/
http://blackboxvoting.org/




--Paul


Paul Suh                                                         http://www.ps-enable.com/
paul.suh@ps-enable.com                           (240) 672-4212




