ITIF’s eVoting report: point-by-point

Here is my point-by-point review of Daniel Castro’s ITIF eVoting report.

This is a long post. I recommend that you first read a summary of my views.

I am basic agreement with the thesis of the report which is that the debate about eVoting should move beyond voter-verified paper audit trails to include systems that can prove to a voter that their vote was counted as cast. However, I found the tone and focus of the report disagreeable and I disagreed with much of the material in the report advocating for eVoting and against voter-verified paper audit trails.

Poisonous labeling of opposing views

Much of the report (especially the first half of it) attacks voting reform advocates who support paper audit trails or who oppose the use of electronic voting machines. Some rational is given which I will address below but I find the attacks themselves intolerable.

Some examples:

• a growing technophobic movement – slanderous; ignores that many in the movement are technophiles, computer scientists, and software developers
• Many opponents of electronic voting machines are motivated by a distrust of technology.
  Again, ignores that many opponents are technophiles, computer scientists, and software developers. For example, Slashdot is a technology-oriented site whose readers and commenters are strongly against against eVoting.
• Unfortunately, the effort to bring voting machines into the digital age has been politicized by various interest groups…
  This is an oversimplification and refuses to acknowledge that objections to eVoting systems are often completely rational and non-partisan.
• …anger at election results, and conspiracy theories about voting companies
  Any change to how a political system works is subject to this issue. The way to resolve it is to ensure that the results of an election are trustworthy and not manipulated by insiders. As the ITIF report points out, the US has a history of election fraud. It is rational to not have full trust in election results. Quoting Joseph Stalin: “The people who cast the votes decide nothing. The people who count the votes decide everything.”. And quoting Tom Stoppard: “It’s not the voting that’s democracy, it’s the counting.”

Misleading arguments about reasonable security of digital data

A number of arguments are made that digital data is generally trustworthy and can be secured. (Obviously, Mr. Castro is not a reader of the RISKS Digest.) Some examples:

• foundation of digital society… based on the knowledge that information can be reasonably secured
  Misleading. Many things have wide adoption despite NOT offering reasonable security. The current credit card system is a good example of this.Arguably election systems should have a very high bar for what is considered sufficient security. Consider that a reasonable argument can be made that tampering with an election is treason. (An election is an expression of the will of the people and democracy operates on the ideal of government by the people. ‘The people’ is the ‘the sovereign’ and elections are the primary way that the will of the sovereign is expressed.) I agree that the fact that both paper voting and eVoting systems can be vulnerable to fraud. However it is clear that eVoting enables wholesale fraud that was not possible with paper systems. To me, any argument for eVoting must introduce an overwhelming benefit. Such a benefit has been lacking in the systems that have been used to date.
• At the heart of the argument against e-voting is the notion that a computer cannot be trusted – an idea that flies in the face of our digital culture
  Many of the DRE opponents (myself included) are deeply vested in our digital culture. As an example, I work daily at programming software and have a degree in computer science. We know that computers are tools that do what they are told to do. Elections are contests that occur every few years where the contestants are highly vested in the outcome and where past contests have a known record of attempts to cheat. To blithely say that computers should be trusted ignores this reality. A robust election system should work on the assumption that parties do not trust each-other and will sometimes try to cheat. Many systems using eVoting do not do well under these assumptions without a robust trustworthy verification process.
• e-voting offers the chance to minimize the margin of error [from fraud or error] by offering complete end-to-end auditing
  This is true but fails to acknowledge:
  1. No system currently deployed in the US currently offers this
  2. complete end-to-end auditing can also be offered by voting systems where the voter does not interact with a voting machine when they vote
• Because some people do not understand that voting machines must undergo independent testing, they fear that a voting machine may steal their vote.
  They fear so rightly. It is trivial to write software that will behave correctly under some circumstances and incorrectly under others. Voters also have little confidence that the software that was certified is what is actually running on the machines when they vote. In practice, it is common for uncertified software to be running on the machines.

Discussion on the merits of eVoting
A number of arguments are made suggesting that eVoting is superior to other systems. I agree with many of the arguments about the benefits of eVoting systems but I think the report underplays the risks and costs of eVoting. In my judgment ITIF does not offer a convincing argument for using eVoting over using paper ballots with technologies like punch-card or optical scan.

• in the binary world of computers, “dimpled chads” do not exist
  True but fails to acknowledge that DREs introduce their own classes of risks and that these risks enable ‘wholesale’ fraud rather than just ‘retail’ fraud.
• In the 2000 U.S. presidential election… punch-card voting machines created ballots with half-punched ballots. When election officials could not determine voter intent, they had to discard these ballots.
  Neglects to mention that this apparently happened due to negligent and possibly fraudulent manufacturing defects.
• Electronic voting also has the potential to revolutionize the voting process for blind, disabled, or illiterate voters
  This argument is vastly overplayed.
  1. accessibility technology exists other than electronic voting
  2. in the CA top-down review DREs actually did very poorly at meeting their accessibility goals
  3. Suggesting that everyone submit to a more fraud prone voting system due to the needs of a small portion of the population is unwise. It is like suggesting that a building may not have any stairs in it because some people are unable to use stairs. Accessibility is an important issue but it is falsely used as an argument to impose poor changes that affect all of the people; not just those with accessibility needs.
• many states allow early voting at central polling locations… in the days prior to Election Day… Early voting with paper ballots is impractical and expensive because custom ballots must be made available for each precinct, often in multiple languages…. DRE voting machines can host ballots for every precinct, so election officials can more easily provide early voting.
  This is an excellent point and in my view one of the few decent arguments in favor of electronic voting. Note that there are other solutions to the problem of effective early voting systems. Why Tuesday? is a good source for discussion on this issue. Note that one alternative is increased use of vote-by-mail where the ballots that are sent to people are for the correct precinct and in the correct language.
• Critics [of eVoting] claim that reliance on physical security controls is a weakness; however, paper-based voting systems also depend on physical security controls to avoid cheating.
  True. But the consequences of cheating can be larger with altering of a DRE. The cheating can be more subtle or, in some cases, can compromise other DREs as well. Cheating by an insider such as an employee of the DRE manufacturer who can control what code is used on ALL of the DREs is especially worrisome.

Discussion on the merits of voter-verified paper audit trails

A number of arguments are made suggesting that eVoting without a voter verified paper audit trail is better than eVoting with a voter verified paper audit trail. I agree with many of the arguments about the expense, complication, and cost of a voter verified paper audit trail, but I think that the report underplays the value that they add. In my view they net out as a being an improvement. That said, in my view there definitely some risk of it being “putting lipstick on a pig”. In my view eVoting has to offer very strong value for it to be worth all of the eVoting costs and risks.

Examples:

• …paper audit trails for DREs … do not provide complete security to voters and they increase costs and risks
  I agree that they do not provide complete security. None of the systems in widespread use (paper or otherwise) provide complete security to voters.
• The …property… that the vote was tallied as recorded… is not provided by voter-verified paper audit trails.
  This is not fully true. One can perform an audit comparing the paper audit trail with the vote counts reported by the voting machines. Passing such an audit demonstrates one of:
  1. the election was not tampered with
  2. the auditor cheated
  3. both the audit trail and the vote counts reported by the DRE were tampered with but match

  Thus an audit offers some assurance but not full assurance that the votes were tallied as recorded.

• Contrary to the claims of e-voting opponents, though, merely adding paper audit trails to DRE voting machines does not make elections more secure…. no voter regardless of the presence or absence of paper audit trails, currently knows whether his or her vote was actually counted
  I agree that adding a paper audit trail is not enough and that there are better approaches. As I demonstrated above, voter verified audit trails do add some small value. Some argue that it adds so little net value that it is just “putting lipstick on a pig”. No system currently deployed in the US allows a voter to know that his or her vote was actually counted. Voting systems that attempt to address this are worthy of research support a limited deployment but are not, in my assessment, ready for wide deployment.
• Another common argument made by opponents of e-voting is that without paper receipts, an attacker can easily make a voting machine alter ballots without being detected…. Opponents of e-voting… claim that they can ‘hack an election’ but none of their attacks are plausible under real-world election scenarios.
  I strongly disagree. Many DREs are hackable in ways that can realistically occur and compromise a whole election rather than just a single machine. This is especially true in cases where there are chain-of-custody issues with machines that can allow access (examples: ‘sleepovers’ of machines at peoples homes, machines left for days in delivery boxes in teacher’s lounges) and in cases where machines are networked in such a way that a single corrupt machine can spread issues to other machines via viruses and the like.
• …opponents of e-voting demand paper ballots and paper audit trails so that they can be used in a manual recount. Yet manual tallying introduces numerous possibilities for fraud and error given the unpredictable human elements.
  Yes. However manual recounts are a well established process by which people can gain confidence that election results were not tampered with. It is not ideal, but it is the only system currently used.
• If there is a discrepancy between the audit record and the electronic record, neither voters nor election officials will know which record to trust. Ultimately, election law will determine whether the electronic record or the paper record is counted as the true ballot in a disputed election.
  True. This is a good outcome as it is clear to all that there was fraud or error and what the extent of it was. This is vastly preferable to an outcome where there was significant undetected fraud or error. Ed Felton makes this point elegantly.

Moving beyond voter-verified paper audit trails
The thesis of the report is that the debate about eVoting needs to move beyond voter-verified paper audit trails and include other, better, verification technologies. I fully agree.

The report unfortunately does not focus on other proposals until late in the paper. I wish that it had focused more on this and less on promoting eVoting and disparaging paper trails and objections to eVoting.

When the report finally does talk about other systems the information is a bit to thin for my taste. I did like the contents of Box 2 which describes some of the primitives and principals of how cryptographically secure voting systems work. I feel that the author should have mentioned that not all cryptographically secure voting systems involve voting machines or voters interacting with voting machines. I wish also that he had mentioned the systems PunchScan and TriBallot.

Recommendations
The report makes three recommendations. I am in basic agreement with these recommendations.

• Congress and the states should allow the use of fully electronic ballots, not restrict electronic voting systems to those that create paper ballots.
  I do not fully agree. For such a recommendation to be acceptable it must be coupled with the system having an acceptable verifiable audit trail. It is my fear that this report will be used to justify continued use of electronic voting systems without any sort of verifiability.
• Congress and the states should require that future voting machines have verifiable audit trails, not require machines with verifiable paper audit trails.
  I agree. I am concerned that this recommendation does not limit the continued use of non verifiable systems that are currently in use. I am also concerned about the details of what is considered an acceptable verifiable audit trail.
• Congress should provide funding for the US Election Assistance Commission to issue grants for developing secure cryptographic voting protocols and for pilot testing new voting technology.
  I agree with the principle of this recommendation. Ideally funding is for open academic research of voting technology. I am unsure if the EAC is the correct vehicle for providing this funding.

Historical background
Much of the report gives historical background of paper and electronic voting in the US. Generally I found this section informative and interesting.
Of note:

• By 1982, more than half of the American electorate was using punch-card voting machines… These machines used the punch-card paper ballots made infamous during the controversial 2000 US presidential election
  I find it negligent to not mention the investigation by Dan Rather into the suspicious nature of the 2000 presidential election punch-card issues.
• The content in Box 1 about fraud in elections involving LBJ was very interesting. Readers interested in more of the history of fraud in US presidential careers should read the US Presidents and Election Fraud page at RangeVoting.org. Evidence is presented there suggesting that the careers of at least 6 post-WWII US presidents depended heavily on election fraud.

Surprising bits
A few interesting and surprising (to me) tidbits mentioned by the report.

• I was not aware that HAVA had $30million for pilot programs and improved voting technology that congress never funded.
• I was not aware of many of the alternatives brought up by the paper. I have not evaluated them so I can neither praise nor damn them. They include: audio verification of votes, various two-machine proposals, and a few cryptographically secure proposals: VoteHere and Scratch & Vote