Opening Up E-Voting

by John W. Adams

The political dispute over electronic voting in America has little middle ground. The most rabid e-voting supporters explain e-voting's many virtues and dismiss its opponents as Luddites in tinfoil hats. The most extreme e-voting opponents list the known anomalous results of current e-voting systems and suggest their supporters are corporate tools at best, and creeping fascists at worst.

The politics of e-voting may be controversial, but the technologies used for e-voting are not exceptionally complicated or difficult to understand. Now, two initiatives have opened e-voting systems to public examination and varying degrees of transparency and verification. The Open Voting Consortium demonstrated an e-voting system called evm, built from commodity hardware running GPL'd software, last April 1. A few days later, VoteHere opened the source of its proprietary VTHi e-voting software to public inspection.

Open voting was defined by the late Irwin Mann in his 1993 presentation on Open Voting Systems given at the Computers, Freedom and Privacy Conference, as a system where:

  • every element of every component, both hardware and software, is in the public domain,
  • there are built-in capabilities for independent monitoring of software, and
  • there are institutionalized protocols for public monitoring of all components and the electoral process, sufficient to find any hypothetical discrepancy from the intended design, if it should happen to exist.

The Open Voting Consortium's system is designed to be built from off-the-shelf commodity hardware--the demo system shown in April in San Jose, California consisted of two PCs, a printer, and a bar code reader--and is written using open source software. Each PC was running Linux, and the demo software was written in Python and stores electronic ballot images (EBIs) in an XML database. Source code from the demo is available through SourceForge. (The one hackish component in the demo system was the cheap bar code readers, bought for a buck each and physically modified to yield plain text--these won't be used in production systems.)

Alan Dechert, president of the OVC, noted in an interview, "We used mostly Python for the demo. The demo software will be thrown out. I don't know what we'll use for the production system." In answer to demo audience questions about possible operating systems for evm, OVC member Fred McClain said, "It's our intent [to use an open source OS], but we would do an analysis of the security concerns."

How E-Voting Works

Here's how the OVC open voting system works. Before the polls open, PCs are booted up from CDs containing the operating system and the application software. The CDs are prepared and certified ahead of time, and can be verified on-site by standard methods, such as checking MD5 sums.

Two different stations are set up, with slightly different configurations. The ballot printer station consists of a non-networked PC with an attached printer. This is the device found in the voting booth. The ballot reader station is another non-networked PC with a bar code reader. This device, found outside the voting booth, allows the voter to verify that his ballot is an accurate reflection of his vote.

During the day as each ballot is filled out, the ballot printer station assigns a random number to each ballot. That number, the number of the election machine, and the votes cast are encoded into a bar code and printed on each ballot. The random number and the votes are also printed in plain text. If the voter's intent is questioned, the plain text of each ballot is the final authority.

Here's a working sample ballot from the April 1 demo. Try it--enter your own votes onto the ballot and follow through the verification process. (At the demo, votes were cast using a mouse. Keyboard and touchscreen entry are under consideration for the production software.) Once the ballot has been filled out and submitted, the voter's choices are displayed before the ballot is printed and the EBI is created.

The paper ballot then goes into a privacy folder, with only the bar code showing. The folder is then carried out to the ballot reader, where the voter can, if she wishes, scan the bar code and verify that her vote is correctly recorded. Once that's done, the ballot is then deposited into the ballot box.

At the end of the day the electronic ballot images are recorded on CD-R. This makes the stored EBI more secure (since CD-R is write-once, unlike a hard drive, it can't be changed after it has been written) and more private (since the write step is randomized, unlike the audit tape in a cash register, voters can't be identified by the order in which EBIs are recorded).

The paper ballots are scanned by the ballot reader, which uses the information from the bar code to create reconstructed electronic ballot images (REBIs), which are then matched against the EBIs on the ballot printer. If a false ballot has been put into the box, there will be no matching EBI on the ballot printer and the questionable ballot can be set aside for further investigation. The ballot reader then gives a report of all the votes cast in that location.
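
The end-of-day matching step can be sketched in a few lines of Python. This is an added example, not code from the OVC demo; the bar code payload layout, the field names, and the sample ballots are all assumptions constructed for illustration. Besides the false-ballot case described above, it also sets aside unreadable scans, duplicate scans, ballots whose votes differ from the stored EBI, and EBIs with no paper ballot.

```python
from collections import Counter

# Assumed payload layout (the article does not give the real encoding):
#   "<machine id>|<ballot random number>|<race>=<choice>;<race>=<choice>"
def parse_barcode(payload):
    """Rebuild a reconstructed ballot image (REBI) from a scanned bar code."""
    machine, ballot_no, votes = payload.strip().split("|")
    return {"machine": machine, "ballot_no": ballot_no,
            "votes": dict(v.split("=", 1) for v in votes.split(";") if v)}

def reconcile(ebis, payloads):
    """Match each scanned paper ballot against the printer station's EBIs."""
    stored = {(e["machine"], e["ballot_no"]): e["votes"] for e in ebis}
    report = {"unreadable": [], "no_ebi": [], "duplicate": [],
              "altered": [], "missing_paper": [], "tally": Counter()}
    seen = set()
    for payload in payloads:
        try:
            rebi = parse_barcode(payload)
        except ValueError:
            report["unreadable"].append(payload)
            continue
        key = (rebi["machine"], rebi["ballot_no"])
        if key not in stored:
            report["no_ebi"].append(key)       # paper with no electronic record
        elif key in seen:
            report["duplicate"].append(key)    # same ballot number scanned twice
        elif rebi["votes"] != stored[key]:
            seen.add(key)
            report["altered"].append(key)      # paper and EBI disagree
        else:
            seen.add(key)
            report["tally"].update(rebi["votes"].items())
    report["missing_paper"] = sorted(set(stored) - seen)
    return report

# Constructed sample data, not taken from the OVC demo.
EBIS = [
    {"machine": "M07", "ballot_no": "4821", "votes": {"mayor": "A", "prop1": "yes"}},
    {"machine": "M07", "ballot_no": "1930", "votes": {"mayor": "B", "prop1": "no"}},
    {"machine": "M07", "ballot_no": "7755", "votes": {"mayor": "A", "prop1": "no"}},
]
SCANS = [
    "M07|4821|mayor=A;prop1=yes",   # matches its EBI
    "M07|1930|mayor=A;prop1=no",    # votes differ from the stored EBI
    "M07|9999|mayor=B;prop1=yes",   # no EBI with this number
    "M07|4821|mayor=A;prop1=yes",   # second copy of a counted ballot
    "garbled-scan",                 # unreadable bar code
]

if __name__ == "__main__":
    for name, value in reconcile(EBIS, SCANS).items():
        print(name, value)
```

Only ballots that match an EBI exactly are tallied; everything else lands in a list for manual review against the plain text printed on the paper.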

The VoteHere system is a Direct Recording Electronic (DRE) machine, but one which produces a verifiable receipt. VoteHere takes a different tack in providing the voter with an encrypted verifiable paper receipt, but not creating a paper ballot. VoteHere founder and CEO Jim Adler says, "Adding paper ballots is a step backward which will add ambiguity to the election process."

VoteHere also opened its proprietary source code to audit and review earlier this month. "It would be unfair to our investors to give away our code," Adler said in an interview. "We believe--the company and I believe--that elections should be transparent and open, but that our source code shouldn't be free [of cost]. We're practicing the openness and transparency part of open source." The reference code is available for download here, after agreeing to various license terms.

Why E-Vote?

"Quite a bit of work to get an electronic ballot!" e-voting opponents might suggest. "What's wrong with paper ballots?" It's not so much that there's anything wrong with paper ballots, but that there's a lot right with electronic ballots.

For instance, consider that federal law requires that ballots be accessible to all citizens. This means ballots must be provided to people in a variety of languages. Printing enough ballots to cover every language for, say, Los Angeles County, with enough ballots in each language for each precinct not to run short, is an expensive and time-consuming problem. The electronic ballot makes localization simple and eliminates the calculation of how many ballots to print.

Accessibility issues aren't limited to multi-lingual communities. Electronic voting systems offer improvements for the visually impaired and those with limited mobility. Text size and display colors can be adjusted by the user with poorly functioning vision, or text-to-speech can be used by those who cannot see the screen at all.

E-voting can also prevent many common vote frauds and inadvertent miscounts. One form of fraud is to purposely provide too few ballots, whether in a specific language or all ballots, at certain precincts. When the precinct "runs out" of ballots, the late-arriving voters are denied their vote. Think of it as a denial of service attack.

This is a hard type of fraud to guard against, because printing ballots is expensive, and budget limitations for election activities make it necessary to print what seems a reasonable number of ballots for each precinct. Thus it's possible to innocently run out of ballots, especially in an election with a heavier-than-expected turnout.

Worse, as with most frauds which short-circuit the right to vote, after the fact remedies and penalties are too late. The right to vote has already been violated, the election outcome has been fraudulently altered--possibly so altered that penalties and remedies are no longer politically feasible to impose.

The electronic ballot makes this fraud impossible (though other denial of service attacks are possible). The electronic ballot also can alert the user to undervoting (not casting a vote in every race) and will not allow overvoting (casting more votes than allowed in a single race--usually one vote, but sometimes more in races for county commissions or city boards.)

By now, you may be thinking, "Why would anyone object to this system? Maybe e-voting opponents are tinfoil-hatted Luddites after all."

While some arguments against e-voting are partisan or circumstantial, many others, particularly against DRE voting machines, are born of experience. Security analysis of Diebold DRE machines in Maryland showed multiple vulnerabilities, many of them serious. During the recent California elections, there were multiple accounts of DRE voting machines, made by more than one manufacturer, providing inconsistent vote counts.

Just last week, California's Voting Systems and Procedures Panel recommended that California Secretary of State Kevin Shelley decertify Diebold's Accuvote DRE machines from use in the upcoming state elections, a decision which would leave four counties--Kern, San Diego, San Joaquin, and Solano--with no certified voting machines and little time to find replacements.

After the 2000 election fiasco in Florida, Congress made money available through the Help America Vote Act (HAVA) for election machine upgrades throughout the country. The Open Voting Consortium, a 501(c)6 non-profit, has a grant pending for some of that funding through the National Science Foundation. Companies like VoteHere, that are service providers and hardware companies, have been getting that funding less directly, from local election officials in charge of putting their voting systems into good shape. If money alone could buy a reliable voting system, the United States would be in good shape for the 2004 election.

Most voters aren't technically savvy. They don't understand why a voting machine can't be at least as reliable as a cash register, an ATM, or an electronic gasoline pump, all of which give them printed reports, at the time of the transaction and at the end of the billing cycle--and they're right not to be understanding. People check their receipts, match them against their monthly bills, and sometimes catch mistakes. If they didn't have some form of verification, how many more mistakes might not be caught? Why, then, should an unverifiable voting machine be any more reliable than an unverifiable ATM?

In this case, voters' limited technical knowledge serves them well, giving them a healthy sense of skepticism about the voting process. Skepticism becomes more useful as it becomes more informed and more focused, though, and here the voters have not been so lucky. Much of the e-voting discussion has been less a debate than a free-for-all, contentiousness likely to encourage many voters to become less trustful of the voting process--perhaps less trustful of democratic process, as well.

The intended benefit of open and verifiable voting systems will be accurately tallied elections that more fully reflect the will of the nation. But if taking the hood off the machinery of the republic for direct inspection by the voter helps bring about a more informed skepticism, one still capable of trust in the democratic systems, that may be e-voting's greatest benefit.

Editor's Note: For more of John's musings on e-voting check out his O'Reilly Network weblog.

John W. Adams's relationship to databases has variously been that of peasant to tsar, meteoroid to star, and finally tick to hound.
