It's Election Day -- albeit an off year election. In Provo we are electing a new mayor and several members of the city council. I've heard and made the argument that local elections like this are actually more important because local officials have a greater effect on our personal lives that those in faraway Washington. Unfortunately I think that's no longer the case.
But I digress.
The subject of this blog entry is election technology. Like many municipalities we have changed to a computerized "Direct Entry" voting system in which the voter enters his or her votes into a touch-screen device. Despite being a technophile, I have serious misgivings with these systems.
To be sure, electronic voting makes tallying the vote quick and easy. My concern is that no matter how secure you make these systems, it remains possible that the vote could be manipulated without leaving any evidence. The computer scientists on Freedom to Tinker have been involved in several reviews of voting system software. They've found numerous security flaws as well as cases of accidental under and over-voting. Even if the flaws were fixed, the systems would be insecure without proper security procedures.
Recently, Sequoia Voting Systems announced that they will be publishing the source code to their voting systems. This is a very important step as it will allow independent reviews to detect and correct security flaws. However, while this makes it more difficult to manipulate the vote it can't prevent it entirely. Even with perfect software, there are other ways to manipulate the data as it passes through the system. And published source doesn't reduce the indetectibility of the manipulation if it does happen.
Another serious problem is attempting to determine voter intent, especially in the case of a recount. Despite dangling chads and other obstacles, at least the recounters in the 2000 U.S. Presidential Election had physical evidence of voter's actions. With direct-entry systems, little physical evidence is preserved. The better systems, like those used in Utah, include a paper tape printer. The voter is expected to verify his or her vote on the printed tape before it is finalized but I suspect that many voters don't bother or don't understand the importance of verification. And for paper verification to work, there need to be random tests where human counters check to make sure the tapes match the recorded vote.
More serious, in my opinion, is that computer security issues aren't intuitive to those not trained in the subject. Despite good intentions (and some training) volunteer election judges can be oblivious to serious security issues simply because they don't know what to look for.
For these reasons, I favor Optical Scan balloting systems. These systems use paper ballots that are marked by hand. For efficiency, they are rapidly counted by an optical scanner.To be sure, optical scan systems remain vunerable to ballot stuffing, voter intimidation and other attempts to manipulate the vote. But these known problems are int intuitive to election judges and there are good procedures that can be used to mediate the problems. When using optical scan ballots, paper-only security systems can be augmented by electronic security systems like digital serial signatures that ensure only authorized ballots are cast and that each ballot is only counted once.
Optical scanners are just as vulnerable to computer security issues as direct entry systems. Because of this, published source remains an important security measure. Another verification is random hand-counts to see that optical scans match the counts made by human judges.