The Risks of Touch-Screen Balloting

Henry Norr
Monday, December 4, 2000
San Francisco Chronicle  Page D1

With no end in sight to the election debacle, readers had strong reactions to last week's column about voting technologies. Most of them agreed with the case I made for touch-screen systems, but a few sharply disagreed, and others provided some interesting additional information and perspectives.

One issue -- or, to my mind, nonissue -- concerned absentee voting: Several readers worried that if their jurisdictions converted to touch-screen voting machines, it would be more difficult or even impossible for them to cast a ballot without visiting their local polling place on election day.

That one is easy to dispose of: The equipment used in polling places has no necessary bearing on how absentee voting is conducted. Jurisdictions that use old-fashioned mechanical lever machines obviously can't ship those to absentees -- they have always had to send out some kind of paper ballot.

Places that adopt touch-screen "direct-recording electronic" systems can do the same. Riverside County in Southern California has converted to DRE at the polls, but it still mails out paper ballots to absentees. They're scanned optically, and the results are added to the totals from DRE equipment.

This adds a bit of cost and complexity to the process, but it's hardly a reason to rule out the electronic approach.

Much more serious objections came from Peter G. Neumann, and he's certainly not someone to argue with lightly: He's principal scientist at the Computer Science Lab at SRI International in Menlo Park, chairman of the Association for Computing Machinery Committee on Computers and Public Policy and author of a book called "Computer-Related Risks," among many other distinctions. Among his areas of expertise is the problem of election security.

In essence, he argues that the challenge of ensuring the integrity of elections conducted on electronic equipment is much greater than my column suggested. In fact, he describes touch-screen systems as "disasters waiting to happen -- with enormous opportunities for fraud and accidents that are very difficult to detect and almost impossible to rectify."

Through Neumann I also heard from Rebecca Mercuri, a computer scientist who recently completed a Ph.D. dissertation on "Electronic Vote Tabulation Checks & Balances." In laying out a perspective similar to Neumann's, she focused in particular on the absence of an audit trail with electronic systems:

"It is essential to elections that there be an alternative method for independently verifying that the votes cast correspond to the totals reported. Since I (as well as many 12-year-olds) can write programs that accept one input value, record a different one and report yet another, computer systems can be no more trusted to provide their own verification than can a fox guarding the hen house."

NEW YORK STORY

Both Mercuri and Neumann cited the experience of New York City, which spent more than 15 years and $17 million in search of an electronic system to replace its lever machines. At one point city officials even signed a contract with Sequoia-Pacific, a well-known manufacturer of voting equipment, but canceled it after experts, including Mercuri and Neumann, pointed out problems with the system, particularly in the area of security.

In the end, the city gave up because, according to Mercuri, no vendor could satisfy the security requirements in a specification that was "not really very strict" by her standards.

If you want to check out their arguments for yourself, go to Neumann's page, www.csl.sri.com/~neumann, scroll down to the section on Computer-Related Elections, then follow the links. For Mercuri, go to her company's site, www.notablesoftware.com, and click on Electronic Voting.

These are obviously serious arguments from serious people, but I'm not ready to give up on the touch-screen solution. For one thing, other experts claim DRE equipment can be designed to meet security requirements -- see the paper by Michael Shamos, the computer scientist, lawyer and voting-equipment examiner I cited last week, at www.cpsr.org/conferences/cfp93/shamos.html.

It's also worth recalling that all voting systems are subject to some kinds of abuse. Optical-scan systems, for example, are subject to most of the vulnerabilities Neumann and Mercuri bring up about touch-screen equipment -- in both cases the results are tabulated electronically, which means they could in principle be manipulated by code hidden in the machine by a malicious programmer.

In her message to me, Mercuri wrote that "it is impossible to verify that such hidden code is not present" because "voting system vendors do not provide their code internals for inspection, claiming trade-secret protection." As long as that's true, the safeguards I mentioned last week -- an escrow requirement and line-by-line audits -- aren't available.

But that's not the final word. Audits and escrow arrangements could be mandated by law. Failing that, officials putting equipment procurements out to bid could simply make such terms part of their specifications; manufacturers who refused wouldn't be considered. Some vendors might try to hold out, but they'd have to come around -- or new competitors would surely enter the market -- if officials in enough jurisdictions stuck to their guns.

The one real advantage of the optical-scan approach, with respect to security, is that there's a human-readable audit trail: In case of a dispute, election officials, observers and (as we now know well) judges have the option of looking back at the paper ballots.

If we really want that safeguard, though, it's also possible to add something equivalent to touch-screen technology: The machines could be designed to print a completed paper ballot, which the voter could examine to make sure it reflected his or her intentions before the vote is finally recorded. Once approved, the ballot would go into a secure ballot box, but it would never need to be counted unless some serious question arose about the integrity of the original electronic count.

This again would add cost and complexity, and I'm not convinced it's worth it. If we really can't create digital systems we can trust without a paper trail, maybe optical scanning is better after all.

ON THE OTHER HAND

If we make that choice, though, we should remember how much we'd be giving up. Last week I noted some of the advantages of touch-screen systems: They effectively eliminate the possibility of voter errors like marking the wrong place, using the wrong pen or voting for two candidates; they deliver a quick and (assuming security holds up) accurate count; and they can easily handle multiple languages and long ballots.

In addition, such systems have a couple of other advantages I didn't mention. One is that a voice synthesizer -- software that would read the ballot aloud -- and an appropriate input device could be added so the blind and visually impaired could vote in privacy like the rest of us.

Reader Paul Perkovic, an elected member of the Midcoast Community Council, an advisory council representing the citizens of the unincorporated portions of the San Mateo County coast, wrote to remind me of another important argument: An all-electronic system would make it much easier to implement some new forms of democracy -- notably, what's known as instant-runoff voting.

This idea has been gaining increasing attention in recent years. Last month, voters in Oakland and San Leandro even adopted it for local elections through charter amendments, and San Francisco Supervisors Michael Yaki and Mark Leno endorsed the same idea in the wake of the city's inconclusive district elections.

In an instant-runoff election, you don't vote for just one candidate in each race -- you pick a first choice, a second choice, and so on. If your first choice is eliminated from the contest, your vote then goes to your second choice; if your second choice is eliminated, your third choice gets your vote, and so on. For further explanation and lots of interesting links -- including one to Yaki and Leno's paper on the subject -- see www.fairvote.org/irv/index.html, an excellent overview put together by the nonprofit Center for Voting and Democracy. A San Francisco group promoting instant-runoff voting has a site at www.irv4sf.org.

The best argument for such a system, at least to my mind, is that it would open up our politics to new ideas, new people and maybe even new parties by eliminating the spoiler problem. Consider this year's presidential campaign.

Millions of voters who admired Ralph Nader and supported the Green Party program were discouraged from voting their preference for fear that by doing so they would help throw the election to George W. Bush -- an outcome few Green sympathizers wanted.

With instant runoff voting, they could have made Nader their first choice and Gore their second. Once Nader was mathematically eliminated, their votes would have gone to the vice president. That way, such voters could express their real political views, but still get to tip the scales toward the lesser evil.

Until now, one major problem with instant runoff voting has been the difficulty of tabulating the ballots in a timely way. (In Cambridge, Mass., which has had a somewhat similar system in place for decades, it used to take weeks to get final results for city council elections.) With an electronic system, however, it could be done in minutes.
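The instant-runoff count described above, worked through in Python as an added example (it is not part of the original column or any vendor's code). The ballots are constructed sample data, and the tie-break rule is an assumption, since real rules vary by jurisdiction; the per-round record it returns is the kind of output that could be checked against a hand count of paper ballots.

```python
from collections import Counter

def instant_runoff(ballots):
    """Tabulate ranked ballots; return (winner, rounds).

    Each ballot is a list of candidate names, most preferred first.
    rounds is a list of (tally, exhausted) pairs, one per counting round.
    """
    remaining = {name for ballot in ballots for name in ballot}
    rounds = []
    while remaining:
        tally = Counter({name: 0 for name in remaining})
        exhausted = 0
        for ballot in ballots:
            # A ballot counts for its highest-ranked candidate still in the race.
            choice = next((n for n in ballot if n in remaining), None)
            if choice is None:
                exhausted += 1  # every candidate on this ballot is eliminated
            else:
                tally[choice] += 1
        rounds.append((dict(tally), exhausted))
        active = sum(tally.values())
        if active == 0:
            return None, rounds
        leader = max(sorted(tally), key=lambda n: tally[n])
        # A candidate wins with more than half of the ballots still in play.
        if tally[leader] * 2 > active or len(remaining) == 1:
            return leader, rounds
        # Assumed tie-break (not from the column): among candidates tied for
        # last place, eliminate the alphabetically last name.
        loser = min(sorted(tally, reverse=True), key=lambda n: tally[n])
        remaining.discard(loser)
    return None, rounds

# Constructed sample: 100 ballots, three candidates labelled A, B and C.
SAMPLE_BALLOTS = [["B"]] * 45 + [["A"]] * 40 + [["C", "A"]] * 12 + [["C"]] * 3

if __name__ == "__main__":
    winner, rounds = instant_runoff(SAMPLE_BALLOTS)
    for number, (tally, exhausted) in enumerate(rounds, 1):
        print(f"round {number}: {tally} exhausted={exhausted}")
    print("winner:", winner)
```

In the sample, nobody has a majority in the first round, so C is eliminated; twelve of C's ballots transfer to A, three have no further choice, and A wins the second round.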

WHISTLING IN THE DARK: If you need a break from these weighty matters, there's always the next version of Windows to contemplate. Code-named Whistler...

Tech21 appears every Monday in The Chronicle. Send your comments and tips to Henry Norr at hnorr@sfchronicle.com.  ©2000 San Francisco Chronicle