The Broader Context of Electronic Voting
6.1 THE END-TO-END NATURE OF THE ELECTORAL PROCESS
In practice, public debate over electronic voting has devolved into an argument over the technical security of voting systems and whether a paper trail to facilitate election auditing is desirable from a public policy perspective. While these issues are important, there is a broad range of end-to-end issues, from the point of capturing the voter’s intent to assuring an accurate final tabulation of votes. Consideration of electronic voting cannot be divorced from these issues, which frame such consideration and embed it in a larger context. Furthermore, these issues are themselves embedded in a larger electoral system that includes voter registration databases, election planning and administration, procurement of election systems, and so on.
Put differently, challenges to election quality cannot be tied to just one potential problem whose solution would result in a near-perfect election process, but rather are the result of the cumulative impact of many potential failures large and small, including human error, equipment failures, procedural miscues, and so on. Thus, issues of the security or accuracy or usability of electronic voting systems have to be examined in the context of the entire electoral process. While the two previous chapters have addressed questions that election officials might reasonably pose in the course of deciding whether and how to move toward electronic voting, this chapter discusses this larger context in which electronic voting is embedded and poses some questions that are essentially research questions with particular relevance to voters and elections past and present.
6.2 DATA ISSUES
Data are lacking on many aspects of the electoral process that are needed to make improvements or to conduct audits. With high-quality, consistent data in hand, a great deal more can be learned about the workings of voting machines, voter registration systems, and reforms in different states that would inform the election administration process. For instance, it would provide a basis for security assessments and transparency evaluations. Collecting data on incident reports could enable a feedback loop for election officials to prevent problems from occurring in other jurisdictions in real time; it could also facilitate forensic analysis to prevent problems from recurring after Election Day. Additional data on why registered voters did not reach a changed polling location, such as for reasons of greater distance or lack of information, could also help to inform questions related to the consolidation of polling places or future attempts at “anywhere” voting that would enable a voter to cast a vote at any precinct location.
Note also that because voting is a decentralized affair, with localities administering their own elections on their own systems, data must be very fine-grained as well as systematically collected to be most useful.
6-1. What is the relative contribution of different sources of error in converting a voter’s ballot intention to a final tabulation of votes? For example, one might distinguish between voter registration errors that prevent a voter from voting, casting errors that result in votes being cast in a manner other than that intended, machine errors that record votes inaccurately, administrator errors that result in recorded votes being counted more or less than once, security problems that result in the deliberate commission of fraud, and so on. How do these sources of error differ with in-person voting, absentee voting, and provisional voting? Historically, voter registration problems have been the most significant source of problems (including fraud) in voting, regardless of the voting technology used.1
6-2. What data collection must be mandated by states? Data collection regarding elections is an inherently local process, but the very localities with persistent election problems often do not have strong incentives to collect data that might document the existence of their problems. Thus, the states may have important roles to play in ensuring that appropriate data are collected systematically in all jurisdictions.
6-3. What data are needed to evaluate the performance of electronic voting systems? Because electronic voting systems are relatively new, even localities that have been collecting lots of data for a long time will need to adjust their data-collection practices. While certain types of data continue to be relevant (e.g., number of individuals turned away from the polls for improper registration), other data types are relevant only to electronic voting systems. For example, the number of times that a voting station needs to be rebooted or the time a system is unavailable for voter use only have meaning in the context of an electronic voting system. Other data may be necessary to evaluate how voters view electronic voting systems. For example, it may be useful to compare the number of people who come to the polls versus the total number of ballots cast on electronic voting systems. This comparison might shed light on the number of people who try to vote on electronic systems but fail to actually push the final button that records their ballot. (See also Box 4.6.)
6.3 PUBLIC CONFIDENCE IN ELECTIONS
Election officials have been very concerned that various election problems in recent election years (most particularly in 2000, and to a lesser extent in 2002 and 2004) have shaken public confidence in elections, with the likely impact of depressing voter turnout in the short term and potentially undermining the legitimacy of government in the longer term. They have further believed that the controversy over electronic voting could have a negative effect in this regard in the jurisdictions that use electronic voting, a point of particular significance when margins of electoral victory are very small. Electronic voting skeptics have argued that some wariness regarding untested and unproved electronic voting systems was justifiable. The introduction of new technologies into the polling place may help to draw in people previously disinclined to vote, or it may erect barriers, real or perceived, to broad voter participation. Furthermore, these impacts may differentially affect different demographic groups.
6-4. What are the factors that influence public confidence in elections? What is the relative contribution to such trust of various factors, including faith in specific public officials, trust in the democratic process, personal experience at the polling place, lack of public controversy, broad acceptance by societal elites, the substance and tone of election and political rhetoric, technological literacy and knowledge, voting system ease of use, the reality or appearance of partisan election officials, the level of spending on elections, the tone of campaign rhetoric, and the presence or absence of public arguments about voting systems? What factors specific to elections contribute to public confidence (e.g., the outcome of the election;2 the transparency of the process, the availability and frequency of recounts;3 the management of the election by nonpartisan election officials; and so on)? In this light, it is clear that voter confidence in elections is multifaceted, and a voter’s experience with the technology of voting per se is only one aspect of it. All of these factors, and no doubt others, will interact to influence voter confidence.
Nor is it entirely clear that all of these factors are well defined. Election outcome and frequency of recounts are reasonably clear, but what precisely is the meaning of election transparency? By one definition, it involves posting of as much information as possible on the Internet and elsewhere about election results, having observers who can watch voting and vote tabulation, having observers watch the loading of software and perhaps watching those who are guarding machines. Others might argue that only when the source code of electronic ballot marking and tabulation systems is public can an election be transparent. Still others would say that the mathematics underlying the system must be readily comprehensible.
That said, it is still worthwhile to develop voting systems that promote confidence, and voting experiences that leave the voter uncertain or frustrated are unlikely to do so. Tapping into voter sentiment immediately after an election (rather than waiting a long time afterwards) will generate anecdotes and recollections that are more likely to be accurate and undimmed by time. Interviews, voting simulations, exit polls, and focus groups all have a role in understanding voter confidence. Finally, special care must be taken to understand the concerns of voters with disabilities or voters who come from language, ethnic, or racial minorities.
6-5. How do confidence in and knowledge about elections and voting mechanisms vary across demographic groups? Different demographic groups perceive technology and social processes in different ways, and there is no reason to expect that this is not true with respect to their perceptions of elections and voting systems as well. For example, the introduction of electronic information technology into the polling place may help to draw in people previously disinclined to vote, or it may erect barriers, real or perceived, to broad voter participation. Understanding how these new technologies (and the publicity regarding their introduction) may affect the nature and extent of voter turnout among different demographic groups is likely to be of interest to election officials.
6-6. What would be the impact on voter confidence of giving independent observers the ability to audit or scrutinize the conduct of an election? In the past, voters had to rely on muckraking sources, on parties, candidates, or the press to raise questions about the integrity of an election, and to obtain the data needed to support allegations of election impropriety. But a number of new information technologies can put at least some of this power in the hands of the general public. For example, David Chaum has demonstrated that the use of appropriate cryptographic mechanisms enables a voter to cast a vote in perfect secrecy but still be able to check that his or her vote was actually counted in the total count for a given candidate,4 though the specific mechanisms involved are far from transparent. Public disclosure of voting system source codes may help to promote vendor accountability and reassure those concerned about security, but might in some cases also compromise trade secrets that competitors could exploit or expose security vulnerabilities that adversaries could exploit. An analogy in this regard is the requirement that donations to a particular political campaign in excess of a certain amount must be listed publicly.
6.4 TESTING, CERTIFICATION, AND EVALUATION
As noted in earlier chapters, the process of testing and certifying electronic voting systems is complex. Yet states and local jurisdictions rely on testing and certification for indicators of whether a system is safe or unsafe to acquire. Today, the process is based on federal qualification and state certification. But the qualification and certification process is cumbersome and slow and potentially subject to certain conflicts of interest.
6-7. What are alternatives to the current testing and certification infrastructure? The Independent Testing Authorities (ITAs) are private entities, designated by the National Association of State Election Directors and its successor, the Election Assistance Commission, to serve that role. Vendors contract with any ITA with whom they can negotiate an acceptable contract. Although there are no credible allegations of misconduct to the committee’s knowledge, the possibility that a vendor might receive a “sweetheart” evaluation from an ITA is an obvious one to consider under these circumstances, especially because there are multiple ITAs all vying for such business. Possible alternatives are addressed in Box 6.1.
6-8. Who will conduct testing that is needed beyond what is required by the qualification and certification process? Neither the qualification nor the certification process addresses problems that might arise in actual operational use. In actual use, some voters are likely to encounter frozen screens that refuse to accept input, jammed printers, improperly printed scan sheets, and so on. Allegations of machine rigging will arise. Some impartial and unbiased party, with the requisite technical knowledge, must be able to investigate these problems (both real and alleged) if citizens are to have confidence in election outcomes.
6-9. What certification requirements, if any, should be imposed on statewide voter registration systems? Voter registration systems are highly customized to the needs of individual states and are thus developed in close cooperation with state election officials. Inasmuch as certification ensures that a certified system meets a minimum set of functional and performance requirements, certification of voter registration systems could impose a greater degree of uniformity on voter registration practices across states. Whether this is desirable or undesirable almost certainly depends on the point of view of the person making the judgment.
The list below suggests some of the functions that this infrastructure might support and possible mechanisms for how these functions might be served. The committee expresses no view on the desirability or undesirability of any of these mechanisms, except for comments made in the main text.
Research and Development
Research and development (R&D) on electronic voting systems would support future improvements in such systems by building an open knowledge base accessible to all vendors and would-be vendors in the field. (In principle, R&D can be proprietary as well as public; in practice, it does not appear that large firms are entering into the electronic voting systems market, and small firms are generally unable to sustain research over any extended period of time. Thus, some kind of public support may be necessary to undertake significant R&D.) Note that “research” would include both technical and nontechnical work, the former devoted to improvements in the systems themselves and the latter devoted to better understanding of the environments in which electronic voting systems are used. Alternative models of support include:
Qualification and Certification
As noted in the text of the present report, qualification and certification provide some degree of assurance to purchasers that the systems meet certain standards. But when testing authorities compete against each other for business, a vendor can select the authorities most favorable to its products or negotiate for advantageous testing procedures. Whether or not this actually happens in practice is not as important as the fact that there is no real way to know whether it does happen. Alternative models include:
Field Investigation and Testing
A hard-won lesson learned from much information technology experience is that the investigation of anomalies is greatly enhanced by the preservation of as much of the state of the machine(s) as possible at the point of the alleged malfunction. In practice, this means that the system should be taken out of use and power maintained so that important information in memory is not lost or that a memory map should be taken before powering down. All relevant records should then be made available to the vendor and to an independent body for subsequent investigation. Parallel testing on randomly selected machines deployed to polling places is also an important function that can provide statistical reassurance that machines deployed are functioning as expected. However, no mechanism exists today for ensuring that these functions are performed when anomalies and allegations of fraud in electronic voting systems arise. Alternative models for an independent body include:
These bodies could also be empowered to receive reports of voting system irregularities that intentionally bypass election officials on the chance that these officials might have had some responsibility for these irregularities or some incentive for covering them up. This approach is based on lessons learned in the financial industry, which underscore the importance of upward communication routes that bypass an entire chain of administrative command en route to an outside independent audit committee.
6-10. How will election officials respond if, after all is said and done, voters use voting systems that are running uncertified software? The combination of immovable election dates (general election or primaries), relatively slow qualification and certification processes, and relatively immediate needs for software updates to correct software bugs or accommodate new legislative mandates virtually assures that some jurisdictions using electronic voting systems may wish to use software that has been patched or altered to fix pressing problems but has yet to be recertified for use. In the best of all worlds, election officials would be able to demand—and obtain—from the vendor a formal notice that all certification and qualification requirements were met. But in the real world, the realities of software development against fixed deadlines mean that time is limited, and election officials may be faced with two unpalatable alternatives—not fixing a problem or fixing it with uncertified or unqualified software. (Vendors are also likely to argue that the fix is not “large enough” to warrant recertification, as discussed in Section 188.8.131.52.)
This same question applies in a different form to the entire standards and certification process. That is, the standards-setting process is time-consuming, and thus new issues are likely to arise during that process—with the result that the standards may well lack relevance to the current context when they are released. Certification processes presume the stability of an artifact for evaluation, but artifacts evolve as new problems and needs are uncovered. Thus, the updated version of a product may well be uncertified in time for use in any given election.
Finally, to the best of the committee’s knowledge, there are no penalties or liabilities associated with the use of uncertified election software, even when state election law requires the use of certified software.
As for evaluation, the concept is broader than certification, which in a strict sense assesses the compliance of a system with a given set of standards. Evaluation also includes notions such as fitness of purpose. Today, private sector vendors drive the design and configuration of the electronic voting systems they offer for sale. For obvious and understandable reasons, these firms are highly motivated to develop systems whose sale will maximize their profits. Such an approach raises the question of whether less expensive systems might still be suitable for large-scale voting use. Few mechanisms exist today to undertake such evaluations systematically; the institutions for R&D and for certification and qualification described in Box 6.1 might serve such a function.
6.5 FUNDING AND SUSTAINING IMPROVEMENT
Aggregated over all jurisdictions and as a rough average, election administration costs the states about a billion dollars per year, regardless of year and prior to the passage of the Help America Vote Act of 2002 (HAVA), of which a very small fraction is for procurement of equipment.5 Appropriations for HAVA have added significant sums (several billion dollars) for the procurement of new voting systems, but HAVA was never intended to assume an ongoing federal role in supporting and operating these systems. Nevertheless, the ongoing maintenance cost of a system is in general much larger than its initial acquisition cost.6 Systems need to be upgraded as more is learned about their suitability for use and about the problems they encounter. And costs of election administration are likely to rise in the future as the result of mandates such as those contained in HAVA.7 These points raise questions about long-term sustainability.
6-11. How will funding be provided for the periodic refreshment of electronic voting systems? Electronic voting systems will either have to be replaced periodically or expertise and spare parts will have to be maintained for an artificially long time that is not market supported—either is expensive. How will funding be made available for technology refreshment on a timescale comparable to the obsolescence time of electronic voting systems that are deployed today? How will equity of access to electronic voting systems be maintained across local election jurisdictions with disparate financial resources?
6-12. How will research and development on electronic voting systems be supported and performed? Over time, electronic voting systems will improve, just as other information technology (IT)-based systems have improved. But such improvements draw on an underlying R&D base. For electronic voting systems, some improvements are likely to piggyback on improvements in generic information technologies. (For example, advancements in cryptography and cryptographic applications may help to address concerns about security of voting. Human factors and user interface research may be useful in the design of electronic voting systems. Work on the design of dependable computer systems may help to improve the reliability of electronic voting systems.) But other improvements will depend on the availability of specialized knowledge that can be obtained only by examining electronic voting systems in particular. Thus, some mechanism (perhaps involving a mix of public and private funding or perhaps one or the other exclusively) will need to be found to support and sustain such research. As for the appropriate level of R&D investment, the committee observes without comment that information-intensive industries in the private sector typically spend about 10 percent of their gross revenues in R&D activities of various sorts. If election administration is regarded as an information-intensive enterprise, R&D investments of about $100 million per year might be expected. Who will perform the research is a second question (see Box 6.1).
6-13. What is the impact of evolving standards on deployed electronic voting systems? Standards for all technologies invariably evolve over time as more is learned. Indeed, R&D would be useless if it were not ultimately reflected in the standards to which certified or qualified systems must conform. But standards evolution will almost certainly result in some previously certified or qualified products being in violation of some part of the new set of standards. In the analogous situation in building codes, changes in building codes generally only apply to new construction, whereas regulators in the gambling industry are willing to decertify gambling machines previously deemed in compliance with the old standards. Election officials must decide how to proceed in this situation.
6-14. What are the incentives for and barriers to improving electronic voting systems? The ultimate consumer of an electronic voting system is the voter. However, the system vendor is not ultimately responsible to the voter, but rather to the locality that purchased the system. In principle, the locality is a governmental agency that is responsible to the voter, but in practice the purchasing entity must make significant efforts to stay in touch with and be responsive to the concerns of individual voters. Thus, taking into account the inevitable improvements in the power and capability of information technologies (both hardware and software), a careful analysis of incentives and barriers would do much to shed light on the rate and nature of progress that electronic voting systems will undergo in the future. Note also that improvements in the technology of voting are not the only (or even necessarily the most important) improvements that can be made—election procedures and organization are also possible areas of improvement for many states and local election jurisdictions.
6-15. What lessons learned relevant to electronic voting can be found in other regulated industries (e.g., gambling, finance) and government? Computer scientists who have examined electronic voting often argue that voting systems are unique in their needs and requirements. This is surely true in certain ways (e.g., the need for absolute user privacy and the need for auditability rarely coincide in any other application). In fact, however, other industries have faced and addressed many of the same challenges.
For example, modern gambling machines are controlled through an embedded microprocessor that must be programmed, and the gambling industry (as well as government regulatory bodies) has developed techniques to guard against the possibility that a machine might be programmed improperly so that its payout is something other than that promised to the consumer. Both banking and the gambling industry have relevance to elections in that all share similar requirements for auditability and usability by people of diverse backgrounds. What can be learned from experiences in those other industries or sectors with respect to regulation, administrative rules, and contracting? Box 6.2 describes some possible lessons learned from the gambling industry.
Also, regulatory and investigative models from other industries might be helpful. For example, some have advocated a standing body whose role is to investigate statistical and historical anomalies in the outcome of an election, allegations of fraud, system failures, and other incidents involving electronic voting systems in much the same way that the National Transportation Safety Board investigates every plane crash in the United States. Such a body would address a very broad set of issues that might be relevant. These advocates believe that this kind of independent oversight could improve security and enhance public confidence by quelling unfounded concerns and rumors.8
Slot machines used in the gambling industry have many similarities to the systems used in electronic voting. In essence, both are computers, and it is important that they be accurate and reliable, both in appearance and reality. The state agencies responsible for regulating the industry have developed procedures and rules for ensuring that all participants (gamblers, casinos, and the state tax authorities) are treated fairly.
The parallels are far from exact, but it is worthwhile to consider some of the principles that the states have evolved to regulate gambling machines:
Some of these principles may be relevant to the management of electronic voting machines. On the other hand, there are also substantial differences between the gambling and voting environments. From the point of view of the relevant technical requirements, gambling does not entail a presumption of privacy. Thus, slot machines can keep records of every action, and these records can be used along with in-person testimony for dispute resolution and auditing. From an administrative point of view, the finances are very different as well: state regulation and oversight of each machine costs several hundred dollars a year, paid by the casino. (With about 800,000 voting machines in use on Election Day, a similar cost imposed on voting machines would add about 10 to 15 percent to the nation’s yearly expenditures on elections.) From a logistical point of view, slot machines are used every day, a characteristic that reduces the educational needs required of the user to operate the machine. And on-site maintenance is available, which minimizes the amount of time that a machine may be inoperative.
SOURCE: Briefings to the committee from Nevada and New Jersey gambling regulators, December 9, 2004.
6.6 ELECTION INSTITUTIONS
Nonelectronic voting systems have had a long history of operation, one measured in decades. Accordingly, election officials have not had to deal very much with issues of technological change. The introduction of electronic voting systems into the electoral process is thus potentially disruptive to that process. Perhaps more relevant is the fact that the timescale of change for information technologies is much shorter than decades, a point that raises the prospect of a more or less continuous disruption to the process. Consider, for example, that the interval between presidential elections is 4 years—in the world of information technology, 4 years is a very long time, and an electronic system used to process the presidential vote in any given year may never be the same in any subsequent presidential election. From the standpoint of a voter, the significance of internal changes in the underlying system can be minimized by concealing them behind a user interface that remains the same, much as Web browsing has remained more or less the same over a number of years despite many changes in the technology of browsers. Nevertheless, these internal changes may be significant from the standpoint of election officials, because (by definition) they change the behavior of the system—and may introduce unanticipated quirks of behavior that confound or confuse an internal administrative process. (Note that comments about rapid technical change apply to any new technology, including the retrofitting of newer technologies (e.g., paper audit trails) on top of new ones (e.g., direct recording electronic systems) not originally designed to accommodate those newer technologies.)
Such rapid change raises many issues for electoral institutions.
6-16. How can election officials obtain sources of information about electronic voting systems other than the sources provided by vendors? Vendors know a great deal about the systems they sell and, given the highly technical nature of electronic voting systems, have a significant information advantage over those making decisions about procuring or maintaining these systems. Moreover, vendors have strong incentives to be forthcoming only with information that is favorable and supportive of a decision to proceed. Election officials may wish to engage the services of others to help break this asymmetry.
6-17. With dramatic changes in the election environment, the law, public scrutiny, and technology, how can election officials obtain the knowledge and information needed to respond to and manage change effectively? These issues are particularly important in communities without full-time election officials.
6-18. What institutional infrastructure is necessary to support cost-effective use of electronic voting systems over the long term? Given the complexity of electronic voting systems and the revolutionary changes in voting and electoral processes that they are likely to enable, intuitions and common wisdom about what is possible that election officials and the public have built up over a century of conducting elections in the United States are probably an inadequate basis for understanding the full potential and risks inherent in these systems. Thus, it is important to consider how mechanisms might be established (see Box 6.1) to support research and development activity that would improve security, reliability, usability, and functionality in new generations of electronic voting systems; provide certification or other services that help election officials make informed decisions about products that they might purchase, lease, or use; conduct field testing and investigate reports of operational difficulty or other anomalies in the use of electronic voting systems; consider issues of electronically perpetrated fraud; and disseminate information about these systems on a nonpartisan basis.
6-19. What do the equal protection requirements of voters enunciated in Bush v. Gore mean for decisions about voting technologies and their supporting infrastructure? Traditionally, local election jurisdictions have controlled election administration and acquisition of voting systems. But Bush v. Gore found that certain jurisdiction-to-jurisdiction variations in the standards for determining voter intent were inconsistent with equal protection requirements. A variety of issues related to electronic voting may thus be implicated:
Differences in functionality afforded by different electronic voting systems that may be acquired by different local election jurisdictions.
Differences among local election jurisdictions in personnel training, administrative capacity, and the availability of professional staff needed to maintain and use electronic voting systems.
Differences in the tax base and other resources available to local election jurisdictions for acquisition, maintenance, training, and education associated with new electronic voting systems.
Perhaps in response to the Bush v. Gore decision and HAVA mandates, many states—including Alaska, Georgia, Hawaii, Maryland, New Hampshire, Oklahoma, Rhode Island, and Vermont—have already adopted centralized statewide technology acquisition programs, though it is as yet unknown if centralized acquisition results in more uniform election administration across local jurisdictions.
6.7 THE ROLE OF THE PRIVATE SECTOR IN ELECTION ADMINISTRATION
Election administration has never been a function performed entirely by government. Indeed, private political associations (interest groups and political parties) have been involved in the administration of elections for a very long time. These private associations provided ballots under the ballot systems used before secret ballots were introduced. Further, as noted in Section 2.2, elected officials are associated with these private political associations.
Private firms have also been involved in election administration, a fact consistent with a trend over the last few decades of many local governments outsourcing certain functions that were previously managed and operated by those governments. There have been many reasons for this practice, including a belief that outsourcing will result in greater responsiveness and reduced costs. Various kinds of functions have been outsourced, including trash pickup, parking enforcement, and bus services. However, in certain instances outsourcing has created considerable controversy and argument over whether the particular function being outsourced should be outsourced—that is, whether a given function is inherently a function of government.
In election administration, private firms have for many years routinely undertaken certain election administration tasks such as the design, layout, and printing of ballots—a practice that generates little controversy. But local governments are also turning to private firms to provide electronic voting systems, to program them appropriately, and to repair and maintain them over time. Similar comments apply to many statewide voter registration databases. For both electronic voting systems and voter registration databases, vendors are often the primary and most important source of expertise, and gone are the days when the county or municipality had its own staff to repair and program its lever machines.
It is unknown whether the involvement of private firms improves election administration in some overall sense. In some states, the introduction of electronic voting systems (both direct recording electronic systems and optical scan systems) has increased dramatically the role of private firms. To the extent that private firms are involved in those aspects of election administration that relate to electronic voting systems, a number of important questions do arise, some of which cut across other areas discussed elsewhere in this report.
6-20. What security concerns (Section 4.2.2) arise with the intimate involvement of private firms in the operation and maintenance of voting systems? Are there reasons to suggest that security issues may be more or less well managed by private firms than by local county or municipal governments? How should citizens or election officials determine if there is an “unhealthy” dependence of a local election jurisdiction on a given vendor?
6-21. What are the roles of vendor certification and a code of ethics for vendors? To date, the qualification/certification process has focused on the voting systems that vendors offer rather than qualifications of the vendor. In some other sectors, qualification of the vendor itself is also used as a selection criterion. For example, procurements may only be made from vendors whose business and development processes conform to some standard (e.g., an ISO 9000 standard). Acceptance of and conformance to a code of ethics can also be a requirement. The content of a code of ethics and a vendor certification requirement, as well as the roles that these might play, are questions that warrant further exploration.
6-22. What would be the impact of consolidation among voting systems vendors? A common path in any new niche is the initial proliferation of a large number of small vendors, followed by consolidation as weaker vendors drop out of the market. If this path is followed in the voting systems or election services market, a few large private firms will be in the position of managing and administering elections for a large number of local jurisdictions—raising the possibility that those who control these firms will be able to exert undue and improper influence on election outcomes for either financial or political reasons.
6-23. How will contractual responsibilities be maintained over time? As suggested in Section 5.1, the longevity of a private firm is not guaranteed. But an election jurisdiction that is strongly dependent on a vendor runs the risk that election services may be disrupted by discontinuities in support. Even if performance bonds are posted (a common requirement of acquisition contracts, though disliked by many vendors), money is a poor substitute for continuity of service.
6-24. Who owns the data associated with the holding of an election? When governments are solely responsible for the conduct of an election, the ownership of the data is clear. (Box 4.6 indicates some of the data that might be in question.) But if private parties have a legitimate claim to the data, government officials are unlikely to have comparably unfettered access to that data, especially if such data might embarrass or compromise those private parties in some manner. For example, if election officials wish to audit an election to see where improvements are needed, vendors may be reluctant to share data indicating that their systems operated improperly.
A collateral question involves the ownership of the physical media on which data are stored. For example, vote totals may be recorded on a data memory card. If allegations arise that the card also contained executable code that could have illegally affected the behavior of individual machines, access rights of auditors to the card itself may not be clear in the absence of a specific understanding about the media.
6-25. Who bears responsibility for failures or irregularities in the election process? When private parties play an integral role in election administration, lines of responsibility are less clear than when government is responsible for all significant aspects of election administration. And, to the extent that laws intended to ensure properly conducted elections are targeted at election officials, these laws may need to be updated to include private parties that have assumed certain responsibilities previously associated with election officials.
6.8 RESEARCH QUESTIONS
As the committee examined the issues, it became increasingly clear that much of the basic knowledge and information about voting and elections that one might hope had been codified does not exist or is not easily accessible. This section sketches out some of the relevant research questions that would help to inform election officials seeking to make good decisions about how to administer and manage elections in the context of new technologies that may enable new options for discharging their responsibilities.
6-26. What new options (or variants on existing options) do electronic voting systems enable? For example, electronic voting systems could support instant runoff voting (in which voters express a rank ordering of their preferences for a given race), so that races that require a majority (rather than a plurality) for victory need not require a second election for resolution. A second option is that the presentation of pictures of the various candidates for a given race is more easily managed with electronic voting systems. How might electronic voting systems improve or diminish the cost-effectiveness of alternatives to traditional voting such as absentee voting or early voting?
6-27. How can electronic voting systems be made more secure?
Within the information technology world, there are many who advocate the use of open source code as a security measure. Others argue that disclosure of vulnerabilities is dangerous and facilitates attacks. What would be the impact on security of the disclosure of election system software (perhaps on a limited basis subject to nondisclosure)?
How can voters be reassured that a vote cast in a certain way has indeed been counted that way in the tabulation?[9] Note that this question goes far beyond the question of a voter-verified audit trail, since such a trail only provides assurances that the vote was recorded as cast.
Given that premiums on voter secrecy are high, what mechanisms might enable individual voters to give up some degree of secrecy in exchange for some degree of verified assurance that their individual votes are counted? Under what circumstances might such mechanisms be desirable?
What are the known technical threats to the security of voting systems? How often have these threats manifested themselves? What is the likelihood of these threats? What are likely future threats?
How do legal standards for proof and evidence relate to security requirements for voting systems? Note that the relationship is bidirectional. In one direction is the issue of how legal standards for proof and evidence affect security requirements in voting systems. In the other direction is how security considerations might affect legal standards and requirements.
What indicators (statistical and otherwise) can be used to suggest where further investigations into the possibility of election fraud or error might be warranted? Statistical analyses and historical anomalies cannot prove that fraud or error has occurred but can point to possibilities worth investigating. Such approaches are analogous to methods used by the Securities and Exchange Commission to indicate the possibility of stock fraud or insider trading.
How can the impact of technical vulnerabilities be mitigated by organizational or procedural measures? How can the impact of organizational or procedural vulnerabilities be mitigated by technical means? Though it is certainly a worthwhile endeavor to improve technology to reduce vulnerabilities, it is sometimes the case that the likelihood of exploitation of those vulnerabilities can be reduced as well. Consider, for example, that an audit (a procedural technique) can reduce the likelihood of improper programming introducing large errors into a vote count. Similarly, using cryptographic techniques to authenticate a flash memory card containing vote totals from a precinct can help to reduce the likelihood that a fraudulent flash memory card can be improperly substituted for it when precinct vote totals are delivered to the tabulation authority.
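One way to realize the memory-card authentication mentioned above, as an added example rather than code from the report or from any voting system: the precinct device computes an HMAC-SHA256 tag over the totals together with the election and precinct identifiers, and the tabulation authority recomputes it with the key provisioned for that precinct. The choice of HMAC, the field names, the keys and the sample totals are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Illustrative only: HMAC-SHA256, the field names and the keys are assumptions.

def canonical_bytes(record):
    """Deterministic serialization, so both ends MAC exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")

def seal_card(key, election_id, precinct_id, totals):
    """Precinct side, at poll close: bind the totals to this election and precinct."""
    record = {"election": election_id, "precinct": precinct_id, "totals": totals}
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}

def verify_card(keys_by_precinct, election_id, expected_precinct, card, accepted):
    """Tabulation side. Returns (ok, reason); `accepted` is the set of precincts
    whose card has already been counted."""
    record, tag = card.get("record"), card.get("tag")
    if not isinstance(record, dict) or not isinstance(tag, str):
        return False, "malformed card"
    try:
        presented = bytes.fromhex(tag)
    except ValueError:
        return False, "malformed card"
    # The key is chosen by where the card is supposed to come from (chain of
    # custody), never by what the card says about itself.
    key = keys_by_precinct.get(expected_precinct)
    if key is None:
        return False, "no key provisioned for precinct"
    expected = hmac.new(key, canonical_bytes(record), hashlib.sha256).digest()
    # Constant-time comparison; no field is trusted until the tag verifies.
    if not hmac.compare_digest(expected, presented):
        return False, "bad tag"
    if record.get("election") != election_id:
        return False, "wrong election"   # card sealed for another election
    # Redundant while every precinct has its own key; matters if keys are shared.
    if record.get("precinct") != expected_precinct:
        return False, "wrong precinct"
    if expected_precinct in accepted:
        return False, "duplicate card for precinct"
    accepted.add(expected_precinct)
    return True, "ok"

def demo():
    """Constructed sample data: two precincts, one election."""
    keys = {"P-001": b"constructed-key-precinct-001",
            "P-002": b"constructed-key-precinct-002"}
    election = "2099-general-constructed"
    accepted = set()
    genuine = seal_card(keys["P-001"], election, "P-001",
                        {"Candidate A": 412, "Candidate B": 388})
    # Substituted card: totals changed, original tag copied over.
    altered = {"record": dict(genuine["record"],
                              totals={"Candidate A": 312, "Candidate B": 488}),
               "tag": genuine["tag"]}
    # A validly sealed card from P-002 handed in as the P-001 card.
    swapped = seal_card(keys["P-002"], election, "P-002",
                        {"Candidate A": 90, "Candidate B": 610})
    # A card sealed with the right key, but for an earlier election.
    stale = seal_card(keys["P-001"], "2098-primary-constructed", "P-001",
                      {"Candidate A": 500, "Candidate B": 100})
    check = lambda card: verify_card(keys, election, "P-001", card, accepted)
    return {"altered": check(altered), "swapped": check(swapped),
            "stale": check(stale), "genuine": check(genuine),
            "replayed": check(genuine)}

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} {outcome}")
```

Because HMAC keys are shared, anyone holding a precinct's key, including the tabulation authority, can produce a valid tag; a digital signature whose private key stays on the precinct device removes that limitation. Neither approach detects totals that were already wrong when the card was sealed, which is where the audit described above comes in.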
[9] Chaum’s work, cited in Footnote 4, is a step in this direction.
6-28. What are the operational implications of the voter-verified paper audit trail? As noted in Box 3.2, much of the nation is moving forward with some form of paper trail requirement for electronic voting systems without an empirically based understanding of its actual impact on elections using direct recording electronic systems. Thus, it seems worthwhile to undertake empirical research on questions such as these:
How can voter-verified paper audit trail (VVPAT) technologies be added to already complex electronic voting systems without adding to the burdens already placed on poll workers? As discussed in Section 5.2, poll workers are typically poorly paid (or serve as volunteers), are sometimes inadequately trained, may not be technologically savvy, and are often stressed.
How do VVPATs impact the expenses of conducting and administering elections? On the one hand, they might increase costs by requiring the handling of large volumes of paper, a task that election officials hope to reduce or eliminate through the use of electronic voting. On the other hand, a long-term analysis might show that they can lower costs by reducing the expenses entailed in contested elections.
What are the optimal forms in which a paper trail should be presented to the voter? Some approaches allow the voter to actually receive the paper version of their ballot in their hands, after which the voter verifies and deposits the paper version in a ballot box. Other approaches do not allow the voter to touch the paper version of the ballot at all; rather the paper ballot typically scrolls under a pane of glass, and once verified by the voter, moves to a position where it cannot be further viewed. What are the usability, reliability, security, and privacy implications of these approaches?
To what extent are VVPATs easily accessible to voters with vision impairments? How difficult or expensive would it be to produce VVPATs for languages other than English? How can new technologies help to address problems, if any, in these areas?
To what extent and in what ways, if any, do VVPATs affect the voter’s confidence in the casting of a vote? Because a voter’s actual behavior in the voting booth is private, it may be difficult to know how a voter actually uses the voter verification feature, and what impact it has on his or her confidence in the election. The feature might provide reassurance that an auditable record of his or her ballot has been generated (as advocates of the VVPAT claim), or it might introduce a measure of doubt where none existed without the feature (as some vendors claim).
6-29. What special data collection requirements are associated with auditing elections conducted with electronic voting systems? More generally, how should election reporting systems in toto be designed to enable good postelection analyses that check for anomalies? Election reporting systems generate data that cover all aspects of the election—including votes cast in venues other than polling places on Election Day.
6-30. What are the costs and benefits of open standards that could facilitate the design of interoperable components for electronic voting systems? What would these standards cover? If they are desirable, what are the impediments to developing them? Who would develop them? How should they be developed in order to avoid advantaging one vendor or another? In general, modularity and conformance to standards (e.g., data exchange standards, public applications programming interfaces) allow a marketplace to develop that is friendly to smaller companies, thus facilitating multiple alternatives in the marketplace. While this fact arguably works against the interest of a vendor that already has a significant presence in the market, it also gives potential purchasers confidence that they will not be left overly dependent on a specific vendor, and thus reduces the risk of making a commitment to an electronic voting path.
From a technical standpoint, modularity is valuable if the interface specifications between modules are clear, are well chosen, and are followed. For example, modular construction potentially enables certification of a system component by component, which means that changes in one module do not affect the behavior of other modules, and therefore an entire system can be regarded as certified if each of its constituent components is certified. On the other hand, it can be very difficult indeed to develop interface specifications that guarantee that a module interacts with the outside world only through its interfaces, and of course it is impossible to guarantee entirely modular interactions before there is agreement on the interface specifications. Moreover, assurances of a system’s security are often based on the assessment of the system as a whole, and moving components in and out is likely to introduce security vulnerabilities, especially in the absence of good interface standards. It may turn out that in the long run, the benefits of a more open market facilitated by enhanced modularity outweigh the formal assurances of certifying systems as a whole. But that analysis has yet to be performed.
6-31. What are the implications, for security and otherwise, of using multipurpose hardware for voting purposes? Almost all of today’s electronic voting systems are based on dedicated hardware and software, and so these systems are entirely useless for other purposes. Nontrivial cost savings might flow from the ability to use multipurpose equipment already owned by the jurisdiction in question for voting purposes. The conventional wisdom is that the use of such off-the-shelf commodity equipment is not well adapted to the security and usability requirements of voting, which is a very specialized application. And this point of view may well be correct. Nevertheless, the question deserves investigation, as it may be possible to develop architectures that are more secure than the models considered in the conventional wisdom.
6-32. What would be the desirability and content of a model election code to govern elections undertaken with electronic voting systems? As noted in Chapter 1, the laws governing elections vary significantly by state. To ease the design burden on vendors currently in or seeking to enter the electronic voting market, it might be desirable to provide some uniformity in the requirements governing these systems. A model election code might be established, in spirit patterned after projects initiated by the National Commissioners of Uniform State Laws (NCUSL). The NCUSL have worked effectively with states to establish—among other uniform state laws—the Uniform Commercial Code. Such uniformity would promulgate a framework with which vendors could more easily work.
To illustrate an issue that may become relevant in the future, consider the question of what is regarded as the official record of an election. The proposed technical guidelines for voting system security include the requirement for independent dual verification (IDV) of the voter’s ballot. IDV is the idea that the voter’s casting of a ballot results in two records of that vote, separately maintained and stored. But when two records are generated of a single transaction, what is to be done if and when there is a discrepancy between them? Which one is the record that will be used in recounts, for example?
6-33. How and to what extent have notions of voter privacy and secrecy changed over time and with the introduction of new voting technologies? Many concepts change along with changes in the cultural and social milieu in which those concepts are embedded, so one can easily imagine that notions of voter privacy and secrecy might have done so as well. Some analysts argue, for example, that there has been an accumulating erosion of voting privacy over the last decade, and that virtually every technical improvement or change in the election law in recent years has been at the expense of voter secrecy rights. Others suggest that there are potential conflicts between some dimensions of an election system’s transparency and voter privacy. An explicit understanding of these issues might help to frame discussion of further changes in election law, policy, or technology.
6-34. How and to what extent is secure absentee voter registration feasible? For individuals who are living in locations other than the precincts where they are or should be registered to vote (e.g., individuals on military deployments or working abroad), absentee voter registration would greatly facilitate their ability to participate in local elections. On the other hand, absentee voter registration requires methods for authenticating potential registrants that do not involve face-to-face interaction with local election officials. Absentee voter registration using electronic systems further raises the possibility that falsified voter registration might be undertaken on a large scale.
The committee also wishes to call attention to a research agenda for electronic voting developed at a workshop of the American Association for the Advancement of Science (Box 6.3).
To maximize the value of any research conducted, workshop participants [at the AAAS Workshop on Electronic Voting, held September 17-18, 2004] acknowledged the importance of achieving a common understanding across research fields of key concepts on which further study should focus and of identifying useful data and research methods. They recommended a set of 13 key concepts that warrant clearer definitions and more precise methods for measuring them and assessing their impact on the voting system:
Research on Voting Technologies
Several research questions were identified related to the design, adoption, use, evaluation, and certification of alternative voting technologies, [including voting machines,] databases used for voter registration, the ballots used on Election Day, and the techniques used to test and evaluate the performance of the voting machines.
Research on Voter Knowledge, Perception, and Behavior
Research should be aimed at discovering ways in which the voting system does or does not serve the needs of the voter.
Research on Election Administration
One of the more overlooked components of the voting system by researchers has been how the voting process is administered…. Workshop participants [at the September 2004 AAAS workshop on electronic voting] noted the increasing responsibilities that the voting system places on election officials. Questions surrounding their role, preparation, and resources received considerable attention.
Research on Accountability Mechanisms
Holding people and technology accountable is critical to conducting and certifying elections and to generating public confidence in the system. Workshop participants identified several research issues associated with investigating the impact and effectiveness of various accountability mechanisms.
Research on Alternative Future Voting Scenarios
Participants noted a number of future voting scenarios that warrant careful assessment…. Research on how innovation of new voting technologies is affected by and affects the existing voting system is needed if we are to be better positioned to shape our “alternative future.”…
SOURCE: Excerpted with permission from Mark S. Frankel, Tova Jacobovits, and Adrianne Kroepsch, American Association for the Advancement of Science, October 2004, available at http://www.aaas.org/spp/sfrl/evoting/report2.pdf.