Elections in the United States are run by state authorites that use a wide variety of voting technologies, often with newsworthy results.
Some computerised elections have even awarded the election to the wrong candidates. This has prompted a partial return to a human-readable paper record of the vote. For a comprehensive and worrying history of US experiments in election technology, see Simons and Jones’ excellent book, Broken Ballots.
Here are some state-by-state highlights of electronic voting in the US.
Florida (of course)
Seats on the city council of Palm Beach, Florida, were mistakenly awarded to the wrong candidates because their computerised optical scan vote (paper ballots that voters complete by filling in the oval of their choice which are then scanned and counted automatically) tallying system was not set up properly. Fortunately, the actual paper votes could be counted by hand. Unfortunately, nobody noticed the problem until after the election results had been certified.
A manual recount was impossible for the 2010 Democratic Primary in South Carolina, because the Direct Recording Electronic (DRE) voting system - a computer that accepts votes from individuals and makes electronic records - produced no paper record. Researchers inspecting the electronic records found numerous electronic vote records that were not counted, but it was impossible to prove exactly what the election outcome should have been.
But those were just accidental failures. What about deliberate manipulations via insider access or security vulnerabilities? American voters, accustomed to more shenanigans at voting time than we are, were appalled to hear that Diebold CEO Warren O’Dell was “committed to helping Ohio deliver its electoral votes to the President” in the 2004 election. Voters feared that he could deliver on his promise, because his company produced unverifiable DRE voting systems used throughout the state.
In 2007 the California Secretary of State commissioned a wide-ranging “top to bottom” technical review of voting systems. The researchers found numerous serious security vulnerabilities which could have allowed an attacker to manipulate votes. For example:
The testers discovered numerous ways to overwrite the firmware of the Sequoia Edge system…the attackers controlled the machine, and could manipulate the results of the election. No source code access was required or used for this attack.
All DREs in California now produce a voter-verifiable paper audit trail, which means that the DRE prints a paper record which is checked by the voter and retained by the authorities. Some paper records are selected at random and reconciled with the electronic record to verify the election outcome. This is called a “post-election audit”. Many other US states now have a similar process, which provides a reasonable degree of evidence of the correct result. However, some still use DREs without any human-readable paper record, implying that machine error could undetectably change the election outcome.
Takoma Park, Maryland, runs a sophisticated voting system that gives voters a mathematical proof that their vote was correctly recorded and counted. This actually provides a higher degree of evidence than traditional paper methods.
Washington DC (the Internet)
Most US computer scientists and electronic security experts oppose Internet voting, because it is too easy to manipulate and too hard to prove who should have won.
In 2010 electoral officials in Washington DC ran a courageous experiment: they put up a practice version of their open-source Internet voting software and encouraged people to test it or attempt to hack it. A team from the University of Michigan did just that. Their report, Attacking the Washington, D.C. Internet Voting System, also says:
Within 48 hours of the system going live, we had gained near complete control of the election server. We successfully changed every vote and revealed almost every secret ballot. Election officials did not detect our intrusion for nearly two business days—and might have remained unaware for far longer had we not deliberately left a prominent clue.
They also detected attempted intrusions from Iran, India and China.
By being open and transparent, the electoral officials were made aware of the vulnerabilities in time to call off the trial. The system would otherwise have been trusted for returning votes, while remaining vulnerable to outside attack.
Back home in Australia
Most Australian electronic voting trials have been careful and free of disasters. The ACT runs widespread computerised voting on an open-source system, which set a high standard for transparency when it was introduced in 2001. Unfortunately it hasn’t been updated in keeping with more recent ideas about voter verifiability.
Few other projects had openly available source code. A system currently in development at the Victorian Electoral Commission will be open-source and verifiable, with similar properties to the system in Takoma Park, Maryland. Other states and the federal government have trialled polling-place electronic voting machines for vision impaired voters and others with disabilities. Australia currently has no nationwide requirements for open source software or voter verifiability.
NSW voters who were out of the state during their most recent election were offered an Internet voting platform called iVote, from US vendor Everyone Counts. The system was extremely popular because of its convenience and accessibility, including for vision impaired voters. Unfortunately it misrecorded at least 43 of the votes, which contained the letter “N” in the boxes where numbers are supposed to go. Again this was probably an accidental bug rather than the result of deliberate hacking, but, despite giving voters a receipt that was described as “confirm[ing] there has been no tampering to the vote”, the system provided no meaningful evidence that any of the votes were correctly recorded, received or printed.
Indeed, there were known security vulnerabilities as well: the NSW Electoral Commission’s security audit found that “significant security vulnerabilities were highlighted”. A summary report after the election stated “some of the risks identified by third party security experts and NSWEC remained outstanding during the voting period”. The system remains in use, however, including for the current Sydney by-election.
Australia has a proud history of transparent, well scrutinised, high-integrity elections. The challenge for us is to use technology when it is beneficial, while ensuring that it maintains Australian standards of transparency and integrity.