Utah is rushing headlong into electronic voting danger
If the election of 2000 taught us anything, regardless of our feeling about the outcome, it was that elections are precarious things, run on unreliable systems using technologies and procedures that left us shaking our heads. Many people believe that any computerized system must be better. Computers have fundamentally changed other parts of our lives, so why not voting? Unfortunately, purely electronic voting systems introduce serious problems that threaten the integrity of our elections. The State of Utah has $20 million to spend on developing or purchasing new voting systems. The state's elections office recently issued a request for proposals for voting equipment. We, along with over a dozen local computer science professors and voting experts, sent a response citing significant problems in the proposals request (http://www.utahcountvotes.org /response.pdf). In particular, the request contains few specific requirements, which invites vendors to push unproven and insecure products. The state seems to be rushing into a momentous decision with potentially disastrous consequences. Many people assume that fully computerized systems must work better than those with mechanical parts. Ironically, it turns out that all-electronic machines are among the most error-prone. Study after study, from MIT, Caltech and elsewhere, have shown that only punch cards consistently generate more voter errors. And what is the easiest to use? Paper. Old-fashioned paper ballots, marked with an "X" and counted by hand, and optically scanned paper ballots counted by machine, cause the fewest voter errors. Researchers don't know the reasons for these results, but they emphasize the folly of rushing into expensive new systems. What about voters who are blind, disabled, or speak an uncommon language? Proponents of all-electronic voting claim their systems are required for such voters, but computer attachments to non-electronic systems have been shown to work just as well. So, fully electronic systems don't make voting easier. Much worse, they provide no means to independently audit their results, so there is no way to be sure that they correctly recorded your vote. We must simply accept that "the computer is always right" no matter how unlikely the reported result, or how crucial. You want a recount? Sorry! Proponents of paperless electronic voting systems refer to these situations as rare "doomsday scenarios," but other states have already experienced them. Problems as simple as a computer bug or configuration mistake can cause vote recording errors - no vast conspiracy required. The only known way to ensure independent auditability is to add what's called a "voter-verifiable paper ballot," or VVPB. In some systems, the voter generates the VVPB by filling out a ballot, which is then run through an optical scanner. In others, voters use an electronic interface to vote and the VVPB is printed. In all cases, the VVPB lets voters verify that their vote is correctly recorded and provides a way to perform a full recount should problems arise. Paperless voting proponents cite the added expense of printers and caution that mechanical printers may frequently break. Inexpensive, reliable printers are used everywhere in our daily lives. We all insist on a receipt at the grocery store or the bank. So why shouldn't we expect the same from our voting systems? Some people believe that simply recording the vote on two different devices in the voting machine creates an audit trail, but computer scientists know that is not true. It's too easy for the computer program, no matter how thoroughly tested, to record the same mistake in two places. Another objection to VVPBs is potential confusion about whether the electronic or paper version is the official ballot. Most of us believe that each machine's electronic tallies should provide only preliminary results, with official counts from the paper ballots. In any case, the "problem" is solved with election rules and procedures. The consensus of computer and security experts is overwhelming: In a poll of members of the ACM, the premier organization for computing professionals, over 95 percent of the respondents felt that voting systems should provide a recountable physical record, e.g., paper. On the other side of the issue, by contrast, the same few national "experts" testify over and over again. We applaud the state's goal of improving our voting systems. However, the result must really be an improvement. Voting equipment, costs, standards, laws, judicial rulings, and public opinion are all changing fast. Delaying the acquisition by just a single year would definitely reduce the state's risks and likely its costs. Most important, the state must convince its citizens that any new voting system is at least as secure and trustworthy as the financial systems we use daily. Any other course is simply reckless.
Phillip J. Windley is an associate professor of computer science at Brigham Young University and the former state chief information officer under Gov. Mike Leavitt. Jay Lepreau is a research professor of computer science at the University of Utah.