Eight years ago, with the fate of the U.S. presidential election hanging by a chad, America woke up to the inconvenient truth that its voting technology was obsolete.
How could a nation that put a man on the moon and a computer in every car still be voting with punch cards, levers and No. 2 pencils?
New York Sen. Charles Schumer, author of the bipartisan Voting Study and Improvement Act of 2000, pointed out the painfully obvious: “We vote as if we still live in the 19th century.”
In the ensuing kerfuffle, one radical solution seemed to warrant a closer look: voting by ATM.
At first blush, an ATM seemed a perfect fit as a voting device. ATM touch-screen or keyed displays could easily be adapted for balloting purposes. Special credit-card-like voting cards and PINs linked to Social Security numbers could be issued to identify voters. ATMs often had cameras and other security devices already installed. And the machines themselves were rugged, reliable and ubiquitous, which could potentially save billions in equipment costs.
Plus, there was the trust factor. Americans were comfortable with the interface and the nation’s quarter-million ATMs were already wired to secure interbank networks, separate and apart from the more suspect Internet.
But when you go to the polls to vote on Nov. 4, your ATM machine won’t get you anything but lunch money.
What happened to this promising, convenient, intuitive vision of voting?
Let’s talk to the man who single-handedly shot it down.
Voting rule No. 1: Trust no one
David Jefferson doesn’t mince words when it comes to ATM voting: “The whole idea is just catastrophically bad on so many levels,” he says.
Jefferson, a computer engineer with Lawrence Livermore National Laboratory in Livermore, Calif., is one of perhaps 20 national election-systems experts who spend much of their time interfacing with state officials, congressional inquests, federal regulators, election equipment vendors and each other. He holds board positions on the California Voter Foundation and the Verified Voting Foundation and frequently consults with state election agencies — all pro bono work that amounts to a part-time job.
In 2000, Jefferson wrote an eight-paragraph post on an election engineer bulletin board that effectively rendered the idea of ATM voting “a nonstarter.”
First, there’s the obvious: ATM sites are not secure polling places. That leaves voters vulnerable to both coercion and vote buying and selling.
David Beirne, executive director of the Election Technology Council, a trade organization that represents the four voting systems providers who control 90 percent of the U.S. election market, says that’s precisely why you’ll never receive a receipt of your vote.
“Vote buying is a very big concern,” he says. “Election practitioners and policymakers agree that receipts are never going to happen because of concerns about vote buying as well as the potential for intimidation and disclosure of how someone voted. It is codified under federal law that you cannot exchange anything of value for a vote.”
Second, there’s the issue of voter verification. Just as with ATM cards, a mag-stripe voter card and secret PIN can easily be shared — or worse, purchased — when there are no polling clerks present to obtain handwritten signatures.
“There is no possibility of me authorizing you or my wife to vote for me; that’s absolutely forbidden everywhere in the United States,” Jefferson notes. “You need much stronger identification mechanisms before you permit somebody to vote at an unattended site like an ATM machine.”
Third, because ATM networks are privately owned by the banks and financial institutions they serve, they present several insurmountable obstacles:
- Technology: ATM networks were designed to transfer money electronically, not collect and transmit votes. “What you would, in effect, be trying to do is run either one or the other of two completely different but both high-security applications, one very public, the other very private, on the same network — one that was designed for one of them but not the other,” says Jefferson. What would likely happen? “Either the banking software could act like a giant Trojan horse inserted into the election system or vice-versa.”
- Security: “The security problems for dealing with financial transactions and those dealing with elections bear no resemblance to one another at all,” says Jefferson. “Election officials would worry, rightly, that bank employees or contractors might insert code to undermine the election; and banking officials would worry, rightly, that election administrators or vendors would insert code to steal money!”
- Private ownership: “It’s a bad idea to conduct elections through private infrastructure,” says Jefferson. “Immediately, you would face a huge insurmountable barrier that you don’t want a private company’s property in the path between the voter’s ballot and the county canvass process.”
- Practicality: ATM networks are not interoperable; there’s a lot of proprietary software that would have to be brought into compliance. In addition, for ATM voting to be secure, the owners of the ATM network would have to relinquish full control of the network for a week or more to allow for pre-election certification. “Since, quite reasonably, the owners are not about to do that even for one day, let alone for enough time to build, test, debug, and certify such a system, the suggestion to use the ATM network for voting is a complete nonstarter,” Jefferson says.
In fact, you can pretty much scratch the whole notion of voting from the comfort and convenience of your ATM or personal computer for one simple reason: networks and elections don’t mix.
“Those of us who are concerned about security absolutely do not want the (voting) machines networked,” Jefferson says. “Many people have proposed transmitting ballots over the Internet to the counting site, but that gives those of us who are concerned about security absolute horrors. You do not want a voting machine connected to the Internet or telephone system in any way, shape or form. Connecting to any kind of network infrastructure leaves you open to all kinds of automated attacks by third parties, known and unknown.”
Jefferson even opposes the use of electronic databases to check voting registers from remote polling sites.
“You can attack an election either by changing the vote or by changing who is allowed to vote,” he points out. “If I can attack the voter database and mark 2,000 people of the political persuasion I don’t like as having already voted, then when they walk up to vote, they’ll be told they can’t.”
Voting rule No. 2: In paper we trust
Despite the occasional blind alley presented by chimeras like ATM voting, election officials, legislators and voting machine providers are making progress toward a better voting process. For example, thanks to the Help America Vote Act of 2002, all polling places now have at least one accessible electronic voting machine for voters with disabilities.
Beirne says the public fascination with electronic gadgetry has created a misperception that progress toward electronic voting remains sluggish.
“There is a disconnect between everything we’re dealing with regards to consumer-driven products such as Blackberries and cell phones versus what the expectation is for technology in the polling place,” he says.
In fact, ATM-like polling devices known as Direct Recording Equipment (or DREs) have become the e-voting machine of choice, despite ongoing efforts to force manufacturers to make them more secure.
The U.S. Election Assistance Commission, the bipartisan federal agency created by the Help America Vote Act, is currently at work on new, tougher standards by which to certify polling machines built by the “big four” — Election Systems & Software, Hart InterCivic, Sequoia Voting Systems and Premier Election Solutions (owned by ATM giant Diebold).
According to Election Data Services, 57.5 percent of counties will be using optical scan voting systems this November, versus 35.4 percent that will be using electronic DREs.
At the end of the long and winding e-vote road lies this quintessential irony: the key to securing an electronic voting system seems to be (drumroll, please) paper.
That’s right. It turns out that the only foolproof way to verify that electronic votes have not been tampered with is by creating a contemporaneous paper audit trail that is verified by the voter before they leave the voting booth. The current method is to record this voter-verified record on a small printer that attaches inconspicuously to the DRE.
Jefferson says that, just as ATMs initially seemed like a natural medium for electronic voting, the whole paperless-office movement — not to mention hanging chads — temporarily blinded us to the unique security qualities of paper.
“There are security properties of the paper medium that are not shared by any known electronic medium,” he says. “It’s a write-only memory. You can automate the printing and writing on paper, but you can’t automate the erasure of paper without detection. That means that tampering can be detected. And paper can be read and written by humans without the intervention of any hardware or software device. That means we don’t have to trust that those devices aren’t cheating.”
In a perfect world, Jefferson says the “perfect beast” would be a DRE that contains a window. Once a voter casts their electronic ballot via touch-screen or other selection method, a paper version of their ballot drops behind the window. The voter would then review their selections and verify that what is printed on the paper is correct.
“Auditability, rather than security, is the key,” says Jefferson. “The systems are too complex, and there will always be security vulnerability at the seams between subsystems, or in the weaknesses of the people that administer a system. But what you can do, and what I think is the final answer for the foreseeable future, is to create a system that can be reliably audited after the fact from voter-verified paper records.”
As for your regular ATM machine? There, you’ll have to confine your votes to presidents Washington ($1), Jefferson ($2), Lincoln ($5), Jackson ($20) and Grant ($50).