Stanford Report, February 5, 2003

Computerized voting lacks paper trail, scholar warns

Warning of programming error, equipment malfunction and malicious tampering, computer scientists from around the country, led by Stanford Professor David Dill, say computerized voting machines should provide a voter-verifiable audit trail.

"The problem is not really with computerized voting systems per se," Dill says. "The problem is really that there is no way to double-check the results. It's really a problem of accountability."

More than 110 computer scientists and technologists from universities and laboratories across the nation have signed Dill's "Resolution on Electronic Voting," which states that it is "crucial that voting equipment provide a voter-verifiable audit trail, by which we mean a permanent record of each vote that can be checked for accuracy by the voter before the vote is submitted, and is difficult or impossible to alter after it has been checked."

The full text of the resolution and list of endorsers, including 22 from Stanford, are available online at http://verify.stanford.edu/evote.html.

Aftermath of 2002 election

Computerized voting has been a focus of discussion in many jurisdictions, especially since the Florida results of the 2000 presidential election spawned a movement to replace punch cards with high-tech systems. But high-tech solutions may bring new problems to the polls. On Jan. 31, a subcommittee of the Santa Clara County Board of Supervisors met to consider a recommendation from the County Registrar to purchase Sequoia direct recording electronic (DRE) voting machines, which Dill says do not provide a voter-verifiable audit trail. With the issue still unresolved, the full board met Feb. 4 as Stanford Report was going to press. Santa Clara is one of nine California counties under court order to replace punch-card voting systems by March 2004.

Paperless, touch-screen voting machines are used by nearly one in five voting precincts nationwide. "They pose an unacceptable risk that errors or deliberate election-rigging will go undetected, since they do not provide a way for the voters to verify independently that the machine correctly records and counts the votes they have cast," says Dill, an expert in finding design errors in computer systems. In 2001, he was named a Fellow of the Institute of Electrical and Electronics Engineers (IEEE) for his contributions to verification of circuits and systems.

When voters use touch-screen machines, they walk into voting booths, touch screens to select candidates and check their results on the screens. Voters can make changes if they've made a mistake or if their machines have problems. Then they touch a notation saying "cast the vote." At that point, the vote has never been anywhere except on the screen and in the memory of the computer. The vote is recorded internally in the computer, and then after the polls close, the votes are counted electronically, and, if desired, paper ballots can be printed from memory.

"The problem with this whole process is that nobody can really determine what's happening between when you push the button on the screen saying that you want to cast your vote and what vote is actually recorded," Dill says. "So we don't know if the votes are being accurately recorded. And as a computer scientist, I know that there are many, many ways that there could be unexpected errors, things you couldn't even predict, and even tampering, possibly even in the writing of the program, that could alter those votes."

No effective recounts

The risk is that in the event of a machine failure or suspect result, voters have no recourse. This may have been the case in a Florida 2002 primary, Dill says, where many problems with touch screens were documented. "You've got an election producing funny results, and you can't do an effective recount because the only thing you can recount is the votes that you've recorded electronically. About the only thing you can do is have a re-vote."

He adds: "The worst scenario ... is where we have the machines apparently working fine -- we have elections going smooth as silk -- and the only problem is that the wrong candidate was elected. Nobody even knows it, or people suspect it but they have no way of showing that there was an error in the election. At that point you have democracy itself threatened."

While some voting equipment vendors and government officials say that paperless, computerized voting systems are reliable, Dill and his colleagues disagree. "Without a voter-verifiable audit trail, it is not practical to provide reasonable assurance of the integrity of these voting systems by any combination of design review, inspection, testing, logical analysis or control of the system development process," the resolution says.

The resolution is being circulated at a time when many states and counties are seeking to upgrade their voting equipment. In response to problems with elections in recent years, funding is being made available at all levels of government to upgrade election equipment.

"Unfortunately, if available funds are spent on fatally flawed 'high-tech' voting equipment, it will be a long time before there is more funding to adopt truly superior voting technology," the statement says.

A paper solution?

In the future, Dill says, sophisticated voting equipment, certified by authorities, could be completely paperless and provide greater security and integrity than today's machines. But for those racing to upgrade systems before 2004, the solution ironically requires paper: "There has to be a paper ballot where the voter can look at the ballot and check that it has the right stuff on it. The voter then turns that in like they would any other paper ballot. So it's important that this paper ballot be anonymous for voter privacy so that voters can't be intimidated. And it's important that the voter not be able to keep the ballot because otherwise they could use that as a proof of vote in vote-buying schemes."

The computer scientists and technologists are urging jurisdictions that have already purchased such voting systems to replace or modify them to produce ballots that can be checked independently by the voter before being submitted and that cannot be altered after submission. They urge government officials who must replace outdated punch card voting systems to refrain from purchasing new voting equipment that does not provide a voter-verifiable audit trail.

"Election reform is now receiving much-needed attention, but we must guard against changes that inadvertently create even worse problems," Dill writes. "Unauditable voting equipment will erode confidence in our elections, causing further disillusionment of the voting public."