Ten Things I Want People To Know About Voting Technology
By Kim Alexander, President & Founder
of the California Voter Foundation
Presented to the Democracy Online Project's National Task Force
National Press Club, Washington, D.C.
January 18, 2001
(A condensed version of this essay is also available in English and French)
Like many people, I was initially excited about the idea of using computers and the Internet to cast and count votes. I've been an advocate for using new technologies to improve democracy for seven years now, and at first online voting seemed to be a way to improve democracy that was just as promising as other projects I'd undertaken, such as online voter education and Internet disclosure of money in politics.
In fact, at the first meeting of California's Internet Voting Task Force, back in the Spring of 1999, I was the person in the room suggesting that we all agree that Internet voting is something California should pursue. I'm grateful that my fellow task force members rejected my suggestion, because in the months that followed my own opinion changed dramatically. The more I learned about the complexities of the voting process, the more I realized how difficult and potentially dangerous Internet voting could be.
I have some concerns about using computers at the polling place as well, but I also have more confidence that my concerns about computerized voting may be addressed through sound technology and good public policy. To help inform the discussion, I've developed a list of ten things I want people to know about voting technology. The items on my list address issues raised by the two resolutions the Democracy Online Project's National Task Force has asked us to consider: 1) "The 107th Congress should approve national standards for computer precinct voting"; and 2) "The 107th Congress should appropriate funding for the implementation of remote Internet voting by 2004". In the conclusion of my remarks, I'll return to these two resolutions and provide some recommendations that will help us move forward with new voting technology in a thoughtful and responsible way. I also encourage you to visit the California Voter Foundation's web page on voting technology, featuring resources to help shape an informed debate on this topic, including news articles, studies, commentary and links. This resource is available online at www.calvoter.org/votingtechnology.html.
1. Voting is not like any other transaction.
The first remark I usually hear on the subject of Internet voting is, "I can shop online, I can bank online, why can't I vote online?" The answer is that voting is not like those transactions. Credit card companies and banks tolerate a degree of fraud in all of their transactions. We could not similarly accept some degree of fraud in the voting process. And, when you make a deposit to your checking account over the Internet, your bank sends you back a message confirming the transaction and the amount of your deposit. But if we are to preserve our right to cast a secret ballot, then we would not want to vote online and have our election agencies send back to us a note confirming our choices.
Casting a secret ballot in a fair and democratic election is, in fact, unlike any other kind of transaction. Think about it: each person only gets to vote once, in a limited time frame, and every voter must be authenticated while at the same time preserving that voter's right to cast a secret ballot. Voters must be confident that their votes have been accurately recorded and the voting system must create an audit trail in case a recount is needed that also preserves the secret ballot. It is not impossible to build an online voting system, but it's important to realize that to do so creates unique challenges because voting is unlike any other transaction.
2. There are two kinds of Internet voting: polling place Internet voting, and remote Internet voting.
It's important to distinguish between polling place Internet voting and remote Internet voting, which is voting from home or work. Both remote and polling place Internet voting use computers in the voting process and both use the Internet to transfer ballots to the central counting center. The important difference between the two methods is ownership of the computer that's acting as a voting machine. With polling place Internet voting, the voting machine is owned and controlled by election officials. With remote Internet voting, the voting machine is owned and controlled by either the voter or their employer.
In our January 2000 report, the California Internet Voting Task Force made this important distinction between polling place and remote Internet voting, and concluded that while polling place Internet voting can and should be explored, remote Internet voting could greatly expose the voting process to fraud. For this reason we made no prediction of when, if ever, remote Internet voting would be possible.
3. Remote Internet voting is highly susceptible to voter fraud.
A voting machine owned and maintained by a county election office can be controlled, but a third party machine, owned by the voter or their employer, is highly susceptible to attack. For example, a remote Internet voter could unknowingly download a "Trojan Horse" or virus that sits on the voter's computer. When the voter opens his Internet ballot on his computer desktop, at that point the ballot is no longer encrypted and would therefore be susceptible to manipulation by a virus or malicious code. A Trojan horse could then rearrange the appearance of the voting boxes on the ballot, leading you to believe that you voted for the incumbent but actually returning your ballot with a vote for the challenger. You would then send your ballot back encrypted to your election agency, and since we cast a secret ballot neither you nor your election agency would know that your vote had not been properly recorded.
If you think this scenario is far-fetched, consider this: already some Internet users have unknowingly downloaded programs known as "spyware" that keep track of their computer usage and page visits without their knowing it and report this information via the user's Internet connection to commercial and marketing interests. Already the vast majority of Internet users visit web sites that set "cookies" in their web browsers used to track their online movements. Few even know what a cookie is, let alone know how to remove one or how to set their browser preferences to refuse them altogether.
Consider also the fact that remote Internet voting will give rise to a whole new wave of voter fraud attacks from people living in foreign countries as well as those who previously had no interest in elections but enjoy a good hacking challenge. The Pentagon detected more than 22,000 attempts to probe, scan, hack into, infect with viruses or disable its computers in 1999 alone, and anticipates the number of attacks will only increase with time. And let's not be naive about our country's record on voter fraud. Though voter fraud is not as much of a problem here as it has been in other countries, history shows that in close races some campaigns do resort to cheating in order to win. Automating the voting process gives one person the ability to make a much greater impact when they attempt to cheat.
When you consider the likely increase in attempts at voter fraud, combined with the low level of computer literacy we have now, both among users and the election community, it is unrealistic to think we are ready for remote Internet voting anytime soon.
4. Remote Internet voting may erode our right to cast a secret ballot and lead to political coercion in the workplace.
Currently we cast our ballots in a private polling booth, and in some counties voters place their ballots inside an envelope so that poll workers and other voters won't catch a glimpse of their votes before they drop their ballot into the ballot box. Polling place Internet voting can preserve the secret ballot and the sanctity and privacy of the polling place. Remote Internet voting, on the other hand, can lead to voting from work, which is where most of us connect to the Internet during the day. And for many of us, our workplace computers are far from private.
If we were to vote from work, our coworkers or supervisors might casually or deliberately watch us as we make our choices. Even if they aren't standing over your shoulder, the company intranet could easily retain a copy of your ballot. These are not insurmountable obstacles, but it does mean that if we allow for voting in the workplace, we'll need new policies to protect employees from potential political coercion in the workplace. New policies would need to be developed to protect the right to cast a secret ballot in the workplace on your employer's computer, and such policies would conflict with existing laws that assert an employer's right to review any material their employees create on a company computer, including personal email. Simply put, voting in the workplace could be a nightmare for employers and employees alike, and if we were to move forward with remote Internet voting in the future we'd be wise to prohibit voting in the workplace altogether.
5. Remote Internet voting poses a threat to personal privacy.
How would we authenticate remote Internet voters? Authenticating voters is one of the primary steps we take to protect our elections from fraud. We have to make sure that people are eligible to vote, vote only once, and cast their own ballots. Using a PIN in combination with other pieces of personally identifiable information, as the Arizona Democratic Party did in its March 2000 Primary, is not sufficient to protect our elections from vote selling, vote swapping, and voter fraud. Digital signatures may be an option, but we have a long way to go before that technology is widely understood and accepted by the public, and digital signatures still cannot protect Internet voters' ballots from a Trojan horse attack.
The most secure way to authenticate voters is to use biometric scanning procedures, such as retinal or fingerprint scans. I, like many Americans, find such security measures invasive, and believe it would be unwise to sanction government agencies to begin collecting sensitive biometric data on American citizens. There is a general rule I follow: for every degree of convenience we gain through technology there is usually a corresponding loss of privacy. Remote Internet voting would make voting more convenient, but that convenience will come at a price that, in my opinion, is too high.
6. There is a huge politics and technology information gap.
In my seven years of working in politics and technology, I have found there are unfortunately too few people who have a working knowledge of both fields. This huge gap between politics and technology appears to be widening, not closing over time, and is becoming increasingly evident around the issue of Internet voting. Many of the political experts who talk about Internet voting don't appreciate the technological dangers of voting online. Then there are the technologically savvy but politically naive people who say, "Wouldn't it be great if we could vote on everything?", failing to understand either the benefits of representative democracy or the complexities of the voting process. If we are going to close the politics and technology gap, we are all going to have to make a great effort to educate the experts and bring people from diverse fields together online and offline through conferences and public meetings. It's going to take a lot of work, but if we address the politics and technology information gap it will make for better public policy in every area impacted by technology.
7. There is a generational technology gap.
Older people are not as familiar with new technology as younger people are, and surveys show that younger voters are sometimes intimidated by existing voting technology. The generational technology gap turns up in many places. The Democracy Online Project's post-2000 general election survey found that the younger the voter, the more likely they used the Internet to access election information.
Internet voting polls also find that younger voters find the idea of Internet voting much more appealing than older voters do. For example, a poll conducted by ABC News in 1999 found that only 19 percent of Americans age 65 and over would support Internet voting even if it could be made secure from fraud. Similarly, a year ago the Public Policy Institute of California surveyed Californians and found that public support for Internet voting is highest among 18-34 year olds (59 percent) and lowest among those 55 and over (27 percent). There is no doubt that new technology provides an unprecedented opportunity to engage alienated young people in the democratic process, but we must be careful that we don't alienate older voters along the way.
8. Changing technology alone isn't enough; voter education is also needed.
It made me angry to hear people ridicule Florida's voters for casting their votes incorrectly. As an experienced voter educator, it no longer surprises me to hear about the elements in our voting process that voters find confusing. There is an intolerable lack of reliable, nonpartisan voting information available for U.S. voters; most of what passes for election information comes in the form of campaign mailers and thirty second spots designed to confuse, manipulate or scare voters and do just about anything but inform them.
We take so much for granted when it comes to voter education, and it is shameful that the United States poses as a model democracy for other countries to emulate when we make virtually no effort to educate our own voters and prepare them to vote on Election Day. We can begin to address this problem by appropriating federal and state funds to nonpartisan voter education efforts. We already spend $31 million a year on the National Endowment for Democracy to advance democracy abroad; we can certainly afford to spend at least the same amount to advance democracy at home.
9. Transparency in the voting process fosters voter confidence and security.
Whatever changes we make to our voting technology, we must not sacrifice the trust that is gained by having a transparent vote casting and counting process. The old voting technology that we are talking about replacing, in particular the punch card ballot, functions in a way that is transparent to the voter. You mark or punch your ballot, you drop it into a locked box, and the box is transported to the central counting center by pollworkers where the public can (and often does) watch the counting of ballots.
Now, as we consider introducing computers into the voting process, we must look at how transparency may be affected. Whether we are talking about Internet voting or any kind of computerized voting, one inevitable result is that very few people, and certainly not your typical voter, have the expertise to review the software used for a computerized system and know that it is functioning properly. Consequently, it will require much more faith on the part of the voter in both the voting technology and their election officials to trust that a computerized system accurately records and counts their votes. And faith, unfortunately, is something that's in short supply right now in our democracy, so we must be careful that we don't erode it any further when we upgrade our voting technology.
10. Software used in the voting process should be open to public inspection.
One way to build public confidence in computerized voting is to require voting software code be made public. Election officials often cringe at this suggestion for two reasons: they think that making voting technology source code public will undermine the security of the voting process; and they expect that voting technology companies will object to revealing their source code because it undermines their competitiveness in the marketplace. In fact, many of the leading voting technology companies are not necessarily opposed to public source software, and some have already indicated they will comply with a public source code requirement if it's imposed on everyone.
The first concern -- that public source undermines the security of the voting process -- reflects the misguided "security through obscurity" approach to software, which is the idea that keeping your source code secret makes your technology more secure. In fact, there is consensus in the security industry that public source code leads to more secure computer systems than closed source.
In fact, the Pentagon, our number one military agency, recently decided to no longer purchase closed source, commercial software programs from companies such as Microsoft, Netscape and Lotus to use in its most sensitive systems. The reason given by a Pentagon official, speaking anonymously to the Washington Post, is that they found that these closed source programs had too many holes, backdoors and trapdoors that place the department in greater danger of a computer attack than using public and open source software would.
No software program is perfect, and any voting software program will inevitably have holes and some problems. If the source code is closed, those who want to manipulate the outcome of an election will eventually find and exploit those holes. If the source code is open and public, then the good guys in the security industry can find the holes first and help fix the software.
One high-profile example of this shift toward public source for high-security operations is the National Security Agency's initiative to develop "Security Enhanced Linux". This is a new, security-enhanced operating system that was just released this month. It's based on Linux, a very successful open source operating system, and anyone in the world can go online to www.nsa.gov/selinux/ and download its source code. If the agency entrusted with protecting our national security finds public source code more secure than closed source code, it should be a clear signal that the election community would be wise to follow suit.
Of course, we can't assume the good guys are going to forever be reviewing voting software code, so it's crucial that a continuous recertification process is also established. Computerized voting machines, unlike punch cards, are based on dynamic, not static technology. We must anticipate that any computerized system will need to have security holes fixed, upgrades made, and new computer and Internet protocols supported.
Even if we have public source voting software, we will still have a limited number of experts capable of evaluating its reliability. And what some security experts are saying is that it will be difficult, if not impossible, to know for certain if the software that's been certified and is publicly available is the same software that's running on your voting machine. It's worth noting that some of the strongest objections to computerized voting are made by computer security experts. For this reason, and also to foster voter confidence in new voting technology, it would be wise to consider a way to use a mix of paper ballots and computers in the voting process, and to require that paper ballots be counted along with digital ballots so that we could create a paper audit trail and thwart attempts to rig voting software.
III. Discussion of the two resolutions
"The 107th Congress should approve national standards for computer precinct voting."
The conduct of elections is a matter currently left up to the states. To impose national standards for computerized precinct voting would represent a major shift in how U.S. elections are conducted. However, the Federal Election Commission does have a voting systems standards group in place. Though its standards are advisory, they have already been adopted by 31 states. We may not even need legislation to get the remaining 19 states to follow suit; through better public scrutiny of these standards and better tracking of the states that follow them we could make positive advancements in voting systems.
If Congress were to adopt any standards for computerized voting, such standards should include a public source code requirement, and be accompanied by funding for voter education and a plan to bridge the generational technology gap.
"The 107th Congress should appropriate funding for the implementation of remote Internet voting by 2004."
For all the reasons I've stated before, we are simply not ready for remote Internet voting and to set a deadline for when we will be ready would be irresponsible. While the California Internet Voting Task Force featured remote Internet voting as the fourth and final stage of an Internet voting process, we also did not make any predictions for when, if ever, remote Internet voting would be a practical voting alternative. To adopt this resolution would be a classic case of putting the cart before the horse. If Congress wants to advance remote Internet voting, it should first articulate the criteria of such a system before setting a date for its implementation.
New voting technology has many advantages, but it also brings new challenges to the voting process. And not all current voting technology is inadequate. Many voters in the U.S. cast ballots using optical scan systems, which are affordable, accurate, have a paper audit trail that can provide for a recount, and some of which feature a ballot scanner at the polling place that helps voters avoid overvoting or spoiling their ballots. Whatever we do to upgrade voting technology, we must ensure that all voters have an equal chance of having their votes counted.
We need to close the politics and technology gap and continue to bring experts from different fields together to share information and learn from each other. We need our elected representatives to demonstrate patience, good judgment and leadership, and we need the media and public to pay close attention to voting technology policy as it develops. And we need to get serious about voter education in this country and spend the public resources needed to prepare people to vote on Election Day.
It is remarkable that the first Presidential election of the new millennium came down to the question of whether we have more faith in people or machines to accurately and fairly count votes. The U.S. Supreme Court decided the answer was machines. This ruling sets a dangerous precedent. Technology can do a lot for us, but it cannot and should not trump human judgment.
I raise concerns about Internet voting not because I am pessimistic; on the contrary, I am very optimistic about the opportunities before us to advance and transform democracy using computers and the Internet. I am critical of voting technology not because I am opposed to it, but because I cherish democracy and think computerized voting is both one of the most exciting and potentially dangerous ideas of our time.
This page was first published on January 17, 2001 | Last updated on June 12, 2001
copyright 1994 - 2001, California Voter Foundation. All rights reserved.