E-Voting -- Prospects and Problems

A talk presented by
Douglas W. Jones
at Tau Beta Pi's 31st Annual Paul D. Scholz Symposium
University of Iowa, Iowa City, Iowa

April 13, 2000

Indexed on the web at http://homepage.cs.uiowa.edu/~dwjones/voting/

The Prospect

Some time in the not too distant future, voters will no longer be required to visit precinct polling places to cast their ballots! Voters will be able to cast ballots in their home precinct from any polling place, from voting kiosks in shopping malls, libraries and other public places, and from their home computers.

Paper ballots and old fashioned voting machines will be but a memory. Voting machines will display ballots on flat panel displays, and voting will be a simple matter of touching the screen to pick a candidate. Voting machines connected to the web will add a new dimension, allowing voters to bring up candidate or issue group web pages if they need more information to make an informed choice.

We will no longer have to wait days for official election results, contenting ourselves with unofficial results gathered by the press. Within minutes after the polls close, the network of voting machines will communicate with county and state computers to calculate the official election results.

This is not some wild-eyed technophile's dream. Several of the voting machines currently approved for use in the state of Iowa support one or the other of the functions I just listed, and over the last few years all of these functions have been demonstrated!

These new technologies will make voting far more convenient. More people will participate, higher voter turnout will lend greater legitimacy to the electoral process, and as a result, the tide of voter apathy that has swept the country since 1970 will come to an end!

At least, that is what the proponents of these new technologies hope. Voter apathy owes more to Watergate and Monica Lewinsky, to campaigns based on sound bites, and to congressional deadlock than to the technology we use for voting. It is unlikely that a change in voting technology will significantly change voter attitudes.

Some Problems

It is commonly argued that, by analogy with the success of E-commerce, E-voting ought to be straightforward. The internet was used successfully for student government elections this spring at Iowa, and on March 11, the Internet was used for the Arizona Democratic primary, attracting widespread press attention and driving voter turnout to an all-time high.

Unfortunately, the world of E-commerce is plagued by problems! Credit card fraud may be at an all-time high, but banks are extremely reluctant to disclose any statistics. A whole new field of crime has emerged, identity theft, that we are only beginning to grapple with. I routinely use the web to transact business, both as an industrial consultant and as a consumer, but I would never tolerate an election system subject to the level of abuse that I suspect is present in the world of E-commerce.

Furthermore, the use of computers in the voting process raises serious new problems that have no parallels in the world of E-commerce. With paper ballots, including the computer-counted mark-sense and punched-card ballots that are common today, we have a paper trail to fall back on. If we suspect that the software in the voting machine is faulty, we can manually count the ballots to verify the correct count. In the world of E-commerce, consumers receive bills in the mail, on paper, that they may contest if there is a problem. In the world of elections, giving voters paper confirmation of the votes they cast could actually contribute to certain abuses of the election process.

A common reaction to questions about the trustworthiness of electronic voting is to say that today, in America, vote fraud is not a big problem. Sure, 100 years ago, in the days of Tammany Hall and the old Chicago Machine, there was fraud, but today, we've solved those problems! Today, our elections are generally honest.

The answer to this objection is simple: Today's elections in the United States are, if not perfect, at least generally honest in large part because of changes we have made over the past 150 years to the systems we use to conduct elections. These changes have made fraud difficult, and as a result, a culture of honesty has had the freedom to emerge among those who conduct elections. Our challenge is to make sure that, in introducing new voting technology, we do not introduce new opportunities for fraud and thereby weaken the culture of honesty on which our current democratic institutions rest.

The Australian Secret Ballot, that is, the paper-ballot technology that we use today, has been tested and refined considerably since its first use in South Australia in 1858. It is a pencil and paper system, but this should not mislead anyone into thinking that it is unsophisticated. The Australian ballot was not an obvious idea when it was new, and it took several decades for jurisdictions outside Australia to recognize its advantages. Since that time, this system has seen considerable refinement, so that we now judge it to offer a reliable indication of voter intent even when we do not trust any of the individuals involved in the process.

Proprietary Software

The question is not "who can you trust to run a fair election," but rather, "how can you construct a trustworthy electoral system when none of the participants are trustworthy." A properly administered Australian paper ballot system demonstrates that this is possible. At no stage in the processing of ballots are they ever in the hands of one person who we must trust. Instead, we insist on the presence of opposing parties at each stage in ballot processing, and each step is undertaken in public if possible, or if not, in a setting where observers representing various factions are welcome.

The situation with computer-based voting systems is quite different! Proprietary software is the rule! In effect, the vendors say "trust us!" to every jurisdiction using their systems. In the case of mark-sense and punched-card ballots, we at least have a paper record, and the presence of this record is a strong deterrent to anyone who might be tempted to write dishonest software.

In the case of purely electronic voting machines and internet voting, however, we have no independent record of the votes cast. To meet the challenge this poses, the Federal Election Commission has drafted a set of standards for electronic voting machines. These standards are nonbinding, but over the past few years, many states (Iowa included) have enacted laws requiring conformance to these standards.

The current Federal Election Commission standards require that all software used in voting machines be subject to testing and audit by an independent testing authority. This preserves the right of voting machine manufacturers to retain proprietary rights to their software while providing for outside oversight.

Unfortunately, the current Federal Election Commission standards contain two large loopholes. First, they only cover voting machines. Vote counting software that runs in county or state office buildings is not covered and vote counting software that runs on a web-server is not covered.

The second major weakness is that "industry standard components" are exempt. This encourages vendors to use off-the-shelf software, and on the face of it, this seems reasonable. Unfortunately, many industry standard components are known to be unreliable and insecure. In addition, some industry standard software is made by companies that are either in an adversary relationship with the Federal government, or may have publicly stated partisan positions in an upcoming general election.

As an example of the vulnerability this creates, consider the following attack: In the next version of their window manager, a major vendor includes a little bit of code as part of the "open new window on screen" mechanism. If today is the first Tuesday in November of an even numbered year, this code checks the contents of the window. If the window contains the strings "Straight Party", "Democrat", "Republican", "Socialist", and "Reform", and if the window contains a "radio button" widget, allowing the selection of one out of n alternatives, the software would, one time out of ten, exchange the words "Republican" and "Reform".

What does this little bit of code do? On election day, and on no other day, it throws ten percent of the straight party Republican vote to a large third party that is known to attract many Republican-leaning voters. In closely contested Democratic-Republican contests, this could easily swing the outcome to favor the Democrats, and on a national scale, it could easily provide the winning margin for control of Congress or the White House.

Today, this is not a serious threat for two reasons. First, until a large fraction of voting machines on a national scale use window managers from the same supplier, such an attack would be insignificant, and second, until a large fraction of voting machines are vulnerable, there are overwhelming marketing reasons to keep all new-technology voting machines strictly honest.

This kind of attack does not require either massive conspiracy or corporate approval or cooperation! So long as a single programmer can covertly incorporate a few lines of simple code into a component that he or she knows will end up in a large fraction of all voting machines, and so long as that code is not subject to exhaustive inspection, the system is vulnerable! Someone intent on fixing an election does not need to buy the support of the company, they only need to buy the support of one programmer with access to a key component!

It is important to keep in mind that this window-manager attack is only an example. Computer based voting systems are vulnerable to attacks from many other software components, ranging from the file system to cryptographic packages and communication software. If the operating system is insecure, all of these have the potential to make arbitrary changes to information displayed on the screen or to data anywhere in the computer's memory.

Recommendation

What defenses can we erect against such attacks? It would be tempting to say that we should simply forbid the use of proprietary software in voting machines or electronic voting systems. If all code in the voting machine and vote counting computers were open-source, so that anyone who wanted could look at the code, there would be no problem.

Unfortunately, under such a system, there would also be little incentive to innovate! The reason we have so many interesting new voting systems on the market today is precisely because it is a market, and markets reward those who sell attractive and useful products.

I think we must change the law so that all components of the voting software are either open to public inspection or subject to inspection by an independent testing authority. Open-source operating systems like FreeBSD and Linux, combined with an open-source window manager such as X, provide facilities that are as rich as proprietary systems such as Microsoft Windows or MacOS, so this requirement would work.

Voting machines that are owned by the county can easily meet this requirement, so we should expect it to be met by voting machines in polling places or more innovative settings such as shopping malls. Unfortunately, this requirement leads directly to trouble if it is applied to Internet voting using privately owned personal computers.

To meet this requirement, voters interested in using their personal computers to vote would have to install a certified operating system. The only really practical approach to this would be to distribute the operating system and the voting application on something like a CD-ROM, and require that the voters reboot their machines from this in order to vote. In many cases, it would be easier to vote at a neighborhood polling place than to do this!

Software Version Control

Let's suppose, for the moment, that we have an open-source law requiring that all software used in voting machines be open to public inspection. Each vendor might, for example, maintain a web site containing all current and past versions of the software in their voting machines, open to whoever wants to inspect the software to see if it seems honest.

How can we be sure that the software that we inspect is the same as the software actually running in the voting machine or distributed on CD-ROM for use on personal computers? If everyone was honest, of course, this would be no problem, but as I have already said, prior to the widespread adoption of the Australian secret ballot in the United States, election fraud was quite common. It is the very fact that our current balloting system makes fraud difficult that allows us to develop a culture of honesty!

Assume that a question has arisen about possible impropriety in an election, requiring that we prove that the software that was used to count ballots was the same software that was approved for the purpose. This may be several years after the software was approved -- the software audit and approval process is expensive, so voting software is not subject to rapid cycles of modification the way some commercial products are.

If a question arises about the software used to count ballots, it is straightforward to extract the machine code for that software from the ROM or disks of the voting system, or from the CD-ROM that was distributed to voters, but then what? How do you verify that the machine code that was run on a computer was produced from the source code that was disclosed during the approval process?

If we were to require that all voting machine software be written in straightforward assembly language, such verification would be simple, since any compatible assembler for the target machine will generate the identical machine code, but this is not so with high level languages such as C++ or Java.

No two compilers for the same target machine can be expected to generate the same object code! Therefore, any attempt to verify the code that was used to conduct an election must be done using exactly the same program development environment that was used to create the code in the machine. You don't just say "use Code Warrior", you say "use Code Warrior Pro version 3."

The market lifetime of compiler versions may be considerably shorter than the lifetime of a voting machine or even internet-based voting software, so it is quite possible that, by the time a question comes up about the software in a voting machine, we would be unable to find a copy of the compiler version that was used. This leads to the requirement that the compiler itself be saved along with the source code.

Recommendation

I think that we must require that the source code and all software tools used to compile, assemble or link that code be deposited in a secure archive prior to the audit of the source code that is part of the voting system approval process! The code audited should actually be recovered from this archive, so that there is no possibility that the code audited differs from the archived code.

Furthermore, the secure archive must be maintained by a third party, neither the voting system developer nor the government! This third party effectively holds the source code and development materials in escrow, doing absolutely nothing with the stored material unless required to release it by court order.

There are two reasons that we require that the escrow copies be held by a third party! First, in the case of proprietary code, under current law, disclosure to the state usually means disclosure to the public. In Iowa, for example, all meetings of the Board of Examiners for Voting Machines and Electronic Voting Systems are open to the public, and everything presented to the examiners becomes a matter of public record. Thus, disclosure of source code to the state would eliminate much of the incentive for innovation.

The second reason that we require escrow with an independent third party is to protect ourselves against corruption within the government! If the official copy were held by the election authority, it would be dangerously simple to change the programs in the voting machines at the same time that the escrow copy is changed, thus making it far more difficult to prove that the programs used in some election are the same programs that were approved for use.
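The two preceding sections argue that an extracted binary can only be checked against approved source if the exact toolchain was archived with it, and that the audited code must be recovered from the escrow deposit rather than from the vendor. The following is an added example, not code from this talk or from any voting-system vendor, of what that check looks like in practice: a deposit records the source files, the toolchain files and the hash of the resulting build, the examiners keep the manifest digest at approval time, and a binary later extracted from a machine's ROM is compared against a rebuild from the deposit. The compiler here is a deterministic stand-in (a hash over toolchain and source bytes, so that a different toolchain version yields different "object code", as the talk describes); the file names, contents and version labels are all constructed.

```python
"""Source-and-toolchain escrow with rebuild verification (added example)."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def toy_compile(source: dict, toolchain: dict) -> bytes:
    """Stand-in for a real compiler.  Output depends on both the source and the
    toolchain bytes, mirroring the talk's point that two compiler versions do
    not produce the same object code for the same source."""
    h = hashlib.sha256()
    for name, blob in sorted(toolchain.items()):
        h.update(name.encode()); h.update(blob)
    for name, blob in sorted(source.items()):
        h.update(name.encode()); h.update(blob)
    return h.digest()


def make_deposit(source: dict, toolchain: dict, toolchain_label: str) -> dict:
    """Build the escrow deposit: file contents plus a manifest of their hashes.
    The manifest digest is what the examiners would record at approval time."""
    manifest = {
        "toolchain_label": toolchain_label,
        "source": {n: sha256_hex(b) for n, b in sorted(source.items())},
        "toolchain": {n: sha256_hex(b) for n, b in sorted(toolchain.items())},
        "build_output": sha256_hex(toy_compile(source, toolchain)),
    }
    digest = sha256_hex(json.dumps(manifest, sort_keys=True).encode())
    return {"source": dict(source), "toolchain": dict(toolchain),
            "manifest": manifest, "manifest_digest": digest}


def verify_extracted_binary(deposit: dict, approved_digest: str, extracted: bytes) -> list:
    """Check machine code extracted from a voting machine against the deposit.
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    manifest = deposit["manifest"]
    # 1. The deposit's manifest must match the digest recorded at approval.
    if sha256_hex(json.dumps(manifest, sort_keys=True).encode()) != approved_digest:
        findings.append("manifest digest differs from the approved record")
    # 2. Stored files must match the manifest (detects a modified deposit).
    for section in ("source", "toolchain"):
        stored = deposit[section]
        for name, expected in manifest[section].items():
            if name not in stored or sha256_hex(stored[name]) != expected:
                findings.append(f"{section} file {name} does not match manifest")
        for name in stored:
            if name not in manifest[section]:
                findings.append(f"{section} file {name} is not in manifest")
    # 3. Rebuild from the archived toolchain and source, never from a vendor copy.
    rebuilt = toy_compile(deposit["source"], deposit["toolchain"])
    if sha256_hex(rebuilt) != manifest["build_output"]:
        findings.append("rebuild from deposit does not match approved build output")
    if rebuilt != extracted:
        findings.append("extracted machine code does not match rebuild from deposit")
    return findings


# Constructed sample data standing in for real sources and a real compiler.
SOURCE = {
    "tally.c": b"int tally(const int *v, int n) { int s = 0; while (n--) s += *v++; return s; }\n",
    "ballot.h": b"#define CONTESTS 12\n",
}
TOOLCHAIN_V3 = {"cc": b"stand-in compiler binary, version 3", "ld": b"stand-in linker binary"}
TOOLCHAIN_V4 = {"cc": b"stand-in compiler binary, version 4", "ld": b"stand-in linker binary"}
LABEL = "stand-in cc version 3"


def demo_honest() -> list:
    """Machine runs exactly what was deposited and approved."""
    deposit = make_deposit(SOURCE, TOOLCHAIN_V3, LABEL)
    rom_image = toy_compile(SOURCE, TOOLCHAIN_V3)
    return verify_extracted_binary(deposit, deposit["manifest_digest"], rom_image)


def demo_wrong_compiler() -> list:
    """Same source, but the machine's image was built with a later compiler."""
    deposit = make_deposit(SOURCE, TOOLCHAIN_V3, LABEL)
    rom_image = toy_compile(SOURCE, TOOLCHAIN_V4)
    return verify_extracted_binary(deposit, deposit["manifest_digest"], rom_image)


def demo_altered_deposit() -> list:
    """Deposit contents changed after approval, and the machine rebuilt from them."""
    deposit = make_deposit(SOURCE, TOOLCHAIN_V3, LABEL)
    approved = deposit["manifest_digest"]
    deposit["source"]["tally.c"] = b"int tally(const int *v, int n) { return n; }\n"
    rom_image = toy_compile(deposit["source"], TOOLCHAIN_V3)
    return verify_extracted_binary(deposit, approved, rom_image)


if __name__ == "__main__":
    for demo in (demo_honest, demo_wrong_compiler, demo_altered_deposit):
        print(demo.__name__, demo() or "ok")
```

The order of the checks matters: the deposit is validated against the approval-time digest and its own manifest before anything is rebuilt, so a tampered escrow copy is reported as such rather than as a mysterious binary mismatch, and the rebuild uses only files taken from the deposit, which is the "recovered from this archive" requirement of the recommendation.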

Other Problems

There are other things that I believe we need to do. For example, today's manufacturers of voting machines invariably offer machines that use proprietary communications protocols and data formats. Because these are proprietary, even with the protection of an independent audit, it is very hard to determine if they are secure against attacks from hackers. In many cases that I have examined, it appears that the protocols offered by current systems offer only minimal security.

Furthermore, if I buy a voting machine from Microvote, for example, I cannot use software from Fidlar and Chambers to create or count ballots for that machine. Today, therefore, once a vendor gets its machines into a jurisdiction, that jurisdiction is hooked on that vendor. If we want the full benefits of a competitive marketplace in the supply of voting machines, we will need to create standards for the electronic formatting of ballots and for the secure electronic communication of results.

I believe that the most responsible approach to introducing fully electronic voting will be to begin with the networking of precinct-based electronic voting machines to county-level vote counting systems. This should only be done after we extend the voting system standards to cover transmission of vote totals or ballots by electronic means, and it should only be done after we extend the standards to cover software outside the voting machine that is used to count votes.

I believe that we cannot really begin to seriously explore the full generality of Internet voting from personal computers until we have a base of experience with networked voting systems that are fully under the control of the county and state. Furthermore, I believe that any technology allowing voting at unattended voting machines, whether they are personal computers or kiosks in shopping malls, should be viewed as an alternative to absentee voting, so that people can still vote at their normal polling places in the event of trouble.

Acknowledgements and References

It is impossible in a short talk to cover all of the problems raised by electronic voting or the countermeasures we can take. Those interested in learning more about this subject can find a considerable amount of information on the web; I have indexed some of this at http://homepage.cs.uiowa.edu/~dwjones/voting/

I strongly recommend reading the extensive report of the California Task Force on Internet Voting, released in January 2000. This is available on the web site of The Election Center. This Task Force Report strongly recommends a conservative approach to use of the Internet. I would particularly like to thank Dr. David Jefferson, chairman of the technical subcommittee of the California Task Force, for the extended discussion we have had of these issues.

I have prepared a response to the California Task Force report, also available on the Web. I believe that, in combination, the recommendations of the California Task Force and of my response go a long way toward creating a reasonable outline of the rules that should govern the next few years of development of computer-based election systems.

All of the manufacturers of electronic voting systems have a web presence. Despite their weaknesses, these products, taken together, represent a vision of the future when it comes to how we vote.

Finally, I would like to thank the office of the Iowa Secretary of State for introducing me to the fascinating problems of voting machine certification, and particularly, Sandy Steinbach, who provides staff support to the Iowa Board of Examiners for Voting Machines and Electronic Voting Systems.