Ensuring the Integrity of Electronic Voting

Obviously, no election method can be fair if the votes are not counted and processed fairly and accurately. The Federal Election Commission oversees the establishment of voting system standards (links below). We believe, however, that additional safeguards are necessary for direct-recording electronic (DRE) voting systems. Electronic voting is inherently vulnerable to tampering, and integrity cannot be ensured unless the following precautions are taken.

First, all public DRE voting systems for general elections should automatically produce paper ballots that are readable both by the voter and by machine. No matter how tight computer security may be, someone must ultimately have unsupervised access to the system, and computer data files are simply too easy to delete or manipulate. Paper ballots in sealed ballot boxes cannot be easily "deleted" or manipulated as long as they are in the custody of more than one person. The paper ballots should be used as the primary source of data, and the electronically recorded votes should be used for a fast (but tentative) count and as a backup in case of lost or damaged paper ballots. If properly implemented, a combination of electronic and paper ballots can provide much better integrity than either mode can provide by itself.

Second, all public DRE voting systems should be based on open computer architecture and open-source software. "Black boxes" and proprietary software are unnecessary and should not be used for public voting systems. Closed systems are an invitation to tampering or outright subversion of the electoral process. The source code for the software used to count and process votes should be available for public scrutiny. The public has a fundamental right to know how its votes are counted and processed, and that right takes precedence over the proprietary interests of any voting system manufacturer. Any manufacturer that insists on keeping its systems proprietary or its source code secret should be disqualified from consideration.

The philosophy of "security through obscurity" may be appropriate when the data to be secured is owned by the party providing the security, but it is completely inappropriate for public voting systems. Although closed systems can be more secure against outside attacks, they are much more vulnerable to inside corruption. Outside attacks can be thwarted by common sense and access restrictions. For example, voting systems deployed in the field should have no editors or software development tools, and they should be protected by a rigorous password protection protocol. Inside corruption, on the other hand, can only be prevented by ensuring that all insiders (engineers, programmers, managers, administrators, election officials, politicians, etc.) are trustworthy. That is virtually impossible, of course.

Finally, online (Internet) voting in general elections should be prohibited indefinitely, except perhaps in certain rare cases (e.g., remote military bases). A common misconception about online voting security is that the only threat is of outside attacks by "hackers." That's only the start of the problem. Even if all outside attacks could be successfully thwarted -- which is debatable -- an online voting system would still be vulnerable to inside corruption because it could not possibly be based on paper ballots, as discussed above. The requirement for secret ballots makes security much more difficult to guarantee for online voting than for, say, online financial transactions (not many financial transactions are anonymous). Online voting may be appropriate for private elections and perhaps even primaries, but for general elections it just opens the door for all kinds of problems in return for very minor benefits.

Furthermore, the technical security problems of online voting are just the tip of the iceberg. Suppose your boss orders you to cast your vote on a company computer as he watches. Yes, it would be illegal, but it would also be very difficult to prosecute. To the extent that your boss or anyone else has leverage over you, your right to a secret ballot, free from coercion, could be seriously compromised. An abusive husband could dictate how his wife votes, for example. Online voting also encourages buying and selling of votes, because the buyer can vote directly for the seller and no longer needs to trust the seller to vote as promised. Absentee ballots suffer from the same basic problems, but they are not quite as convenient for abuse. And even if they were, that would be an argument against absentee ballots rather than for online voting.

The integrity of our public electoral system is well worth the cost of paper ballots and the minor inconvenience of a trip to a polling station. If we try too hard to impress ourselves with our technological sophistication, we could end up fooling ourselves into a false sense of security. Men died for our right to vote, and we can endure some minor inconveniences and costs to help ensure the integrity of our democratic elections. To recapitulate, the integrity of electronic voting in public general elections with secret ballots can be ensured only if the following precautions are taken:

generate and use paper ballots
use open computer architecture and open-source software
prohibit online voting in general elections (except in rare cases)

Crypto-Gram Newsletter by Bruce Schneier, a top computer security expert: "My suggestion is an ATM-style computer voting machine, but one that also prints out a paper ballot."
Electronic Voting by Rebecca Mercuri, a specialist in electronic vote tabulation: "At the present time, it is my strong recommendation that all election officials REFRAIN from procuring ANY system that does not provide an indisputable paper ballot."
Computerized voting lacks paper trail, scholar warns Stanford Report, February 4, 2003. See also VerifiedVoting.org.
vreceipts: the ultimate paper ballot, by David Chaum. They can guarantee your vote is counted properly.
Federal Election Commission:

ElectionMethods.org