Date: Thu, 11 Apr 91 23:12:39 EDT From: Terry Gauchat You may direct enquiries to me, but my email is disappearing and (hopefully) changing to a new address soon (as yet unknown). University of Waterloo CS492 : Social Implications of Computers Term Research Project Computer Assisted Vote Tallying An Overview of the Problems, Implications, and Solutions for Prof. Robin Cohen prepared by Terry Gauchat, Toronto, Ontario, CANADA March 25, 1991 Abstract This report discusses the implications of using computers for vote tallying for all levels of government elections and referendums. Numerous historical examples of problems with election systems are given (with some emphasis on the Computer Election Systems' _Votomatic_ product). Also, a classification of types of voting systems and the key issues involved with their use is presented. Current standards documentation (particularly the U.S. Federation Election Commission's _Voting System Standards_) and legislation is briefly, but critically examined. I conclude that current computerized vote tallying systems are seriously deficient, but if most of the recommended standards are followed a good system can be implemented. I wrap-up by recommending a specific design for a vote recording/tallying system. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 1.1. Scope 1.2. Other Uses for Computers in Elections 1.3. Why Computerize the Voting Process? 1.4. Extent of Computerized Vote Tallying 1.5. The Trouble With CES 1.6. Overview of this Report 2. Voting System Differences . . . . . . . . . . . . . . . . 2.1. Regular Paper Ballot 2.2. Computer-Readable Ballot 2.3. Direct-Recording Electronic 2.4. Degree of Count Centralization 3. Key Issues & Their Implications . . . . . . . . . . . . . 3.1. Election Fraud 3.2. Count Errors 3.3. Vote Integrity 3.4. Privacy & Secrecy 4. Standards & Legislation . . . . . . . . . . . . . . . . . 4.1. Responsibility 4.2. Federal Election Commission Standards Document 4.3. Government Produced Systems 4.4. Legislation 5. Conclusions & Recommendations . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . ======================================= 1. Introduction 1.1. Scope This report examines the implications of using computers for vote tallying for all levels of government elections and referendums. Most of the examples cited are from the United States, which has rather complicated voting regulations for many types of elections. This report focuses on the acts of presenting, completing, and counting ballots. Automated systems are currently being used for each of these functions. The report also refers to experimental innovations such as phone-in voting. 1.2. Other Uses for Computers in Elections Besides the acts of ballot casting and counting, computers are being used in other parts of the election process. In the early phases of campaigns, computer applications have been so successful that they are growing market niches.[1] Political candidates maintain extensive databases containing information about voters in their districts. Political parties use computers to generate mailing lists to raise funds and support. This type of targeting has been criticized because it allows politicians to tell _half-truths_ in customized letters which present only issues that are important to a particular constituent, while omitting unfavourable topics. On the side of the voter, the _I VOTE_ system (Informed Voting Through Education) assists the user to match his/her views on issues with those of the candidates. Voting based on I VOTE would "strip the campaign's rhetoric and television imagery, decrease voter apathy, and increase informed voting."[2] Computers are also being used to improve the registration and enumeration process. Keeping accurate voters lists is important, since voters must be told which polls to vote at. A logical extension to this idea is an on-line voter list system which would permit a voter to vote at _any_ polling place in a district (or, with respect to Federation of Students elections, at any faculty/residence voting station on campus). Of all the uses for computers in elections, computerized vote _tallying_ is the function of greatest concern in democratic societies. Unfortunately, this process has also been plagued with the most problems and many have yet to be resolved. 1.3. Why Computerize the Voting Process? Hand counting votes on ballots is a laborious and time-consuming process. Due to human factors, the procedure is error-prone and many redundancies have always been included in manual count systems. Experts agree that "the job of counting votes seems perfectly suited to the computer; it's a classic DP application involving the repetition of a simple task, adding up the number of marks or holes found on a stack of voting cards."[3] However, the task is actually a rather difficult computing problem due to the differences and complexities of each precinct's voting rules. In addition to listing different candidates and issues to be voted on, there are often interlocking restrictions imposed. There may be requirements for specific numbers of votes in a category depending on what was selected in another or on what political party the voter is registered in. Effective security against fraud is also a necessary and complex component of a voting system. One cynic said, "Why would anyone want to computerize voting? Doing so only increases the risk of fraud, by reducing the number of people involved in the process. (_The best deterrent to crime witnesses._) Elections don't happen often enough that saving money can count for much in fact, I believe around here ballot counters are unpaid volunteers. Rapidity of the count? Who cares whether the results are known in two hours or two days? Sounds like yet another scheme to enrich computer companies at the public's expense."[4] Notwithstanding this opinion and admitting that the vote tallying process is inherently complex and in danger of fraudulent manipulation, it can be shown that computers can do more than just increase the speed of vote tabulation. Although care must be taken, customized software may be written to make the vote casting and counting process _user-friendly_ and _bullet-proof_ due to the power and flexibility of technology available today. Also, computers can assist with the election auditing process (e.g., automatically compare consolidated vote counts with total number of voters in each precinct) by faithfully maintaining more audit trails than would be manageable with manual systems. However, it is important that the government does not implement such technology without ensuring that it is trustworthy. Since the old manual system was understandable, a large number of human checks and balances prevented problems. Now, "technical skills are involved in the vote-counting process and this alienates most of the poll workers from the results. An air of mystery surrounds the computer, and in at least one state, workers _rubber-stamped_ the results without examining them."[5] 1.4. Extent of Computerized Vote Tallying According to the U.S. Federal Election Commission, in the 1984 presidential election, 65% of all votes cast were tabulated by computer[6] (not including computer assisted counting of normal paper ballots, or the use of purely mechanical lever-type voting machines still used at that time by about 30% of American voters). Less than 10% of the votes were cast using pencil mark-sense technology (the only system used minimally in Canada see Toronto 1988 civic elections), and less than 5% were cast using electronic direct recording systems.[7] Nine out of twenty votes (44.2%) were cast using the _Votomatic_ pre-scored punch card system and counted with equipment from one company, Computer Election Systems (bought in 1986 by the Business Records Corporation, the sole and wholly owned subsidiary of Cronus Industries, Dallas)[8]. It was estimated that Cronus/BRC/CES held between 60% and 80% of U.S. market share in voting systems,[9] much to the dismay of Jim Mattox, Texas attorney general who exclaimed "One thing is clear: one company in the United States should not have as big an impact on elections as this company has got ... The right to vote is too sacred."[10] In some areas where the choice must be permitted by law, as many as 30% of voters have requested regular paper ballots in preference to the computer-readable alternative.[11] Nevertheless, the use of computerized vote tallying systems is likely to increase (nearing the 100% level), though it is unlikely that the Cronus/BRC/CES Votomatic system will continue to be used. 1.5. The Trouble With CES A report to the Illinois Board of Elections in September 1985 revealed that 28% of the voting systems tested before elections contained errors.[12] General problems with computerized vote tallying systems, including hardware limitations and other inherent difficulties will be discussed later in this report. While researching material for this project, however, it became evident that most of the anguish experienced with respect to automated voting is directly attributable to the widespread use of products from _Computer Election Systems_ (CES, later bought by Cronus Industries' Business Records Corp., BRC), as described above. This company has been the target of numerous lawsuits and accusations of election fraud. A 1980 evaluation of CES's Votomatic system said the system "is based on seriously outmoded computer technology"; it was "a security nightmare, open to tampering in a multitude of ways"; that "tampering with the tabulation element is not only easy, but virtually encouraged"; and "the tampering that could be performed by an imaginative and determined individual is only hinted at."[13] Four examiners recommended that the state of Pittsburg deny the system certification this recommendation was ignored, and hence, Votomatic continued to be used.[14] An Indiana consulting firm analyzed CES's program on behalf of one of the losing candidates who is suing CES. The problems they found include: - The translation between the Hollerith punch card code and characters was nonstandard. The 1971 NCR system which the software ran on did not use standard EBCDIC. - The contents of memory were continually being redefined. Numerous variables and fields were overlaid in memory. The same memory locations were re-used for the vote counts of different races. - There was a total lack of structure. The program contained no PERFORM UNTIL (DO-loop) statements but had numerous GOTOs. - The program interacted heavily with the operator, who can operate the console switches to examine and modify any part of the memory or program after each set of data is tallied. The program made it easy for the operator to turn off error logging and audit trails. - There was heavy use of control cards in the data deck to redefine data fields, raising the possibility that a _knowledgable_ voter could punch a control card and drop it into the ballot envelope to change the program's processing of election results. - CES sends _updates_ to election personnel before each election. - The program did not correctly count _crossover votes_, in which, for example, a voter punches a vote for a straight Democratic ticket and punches votes for several individual Republicans. Before an election in West Virginia, newspaper publicity specifically said that such votes were allowed, yet the program failed to count them.[15] This list of problems does not include deficiencies in the Votomatic punch cards and booklet system which are described later in this report. Nearly every precinct which used the CES product and experts who studied it discovered additional problems.[16] That these systems were used extensively and may continue to be used is incredible. CES's _first attempt_ lasted far too long. The fortunate result of these publicized problems is persistent demand for strict standards for all future voting systems. 1.6. Overview of this Report The following sections of this report examine computer assisted vote tallying in more detail. First, the distinct varieties of voting systems are described, as categorized on the basis of ballot type and amount of count centralization. Next, the four key social issues with respect to computerized vote tallying are explained, along with a look at the implications of these issues. Finally, an examination of professionally recommended standards and legislation is presented, followed by my own conclusions on this topic. 2. Voting System Differences Voting systems can be categorized based on the type of ballot used (if any) and the amount of count centralization in the polling hierarchy. 2.1. Regular Paper Ballot Historically, the most common form of secret ballot is a simple slip of paper listing the candidate's names or referendum items, each with a box (or two boxes: _yes_ and _no_) where the voter can place a handwritten 'X' to indicate his vote. These ballots are read and counted manually by poll workers who often employ redundancy checks. These precinct poll workers now generally use some type of computer to assist with the tabulation (e.g., spreadsheet software), or to consolidate results from several districts into a total count. With _computer assisted tabulation_, the most common problem is data entry error. For example, in September 1988, "a computer entry error apparently increased the vote count of the incumbent Lieutenant Governor of Delaware. The correct number of votes in one district was 28 but the operator keyed in 2828 by mistake."[17] 2.2. Computer-Readable Ballot In order to increase the efficiency of counting votes, replacing the human reader with an automated reader is one possible solution. The ballot should be easy to complete by voters. It should also be human interpretable in order to allow the voter to check his vote and provide the basis for a manual recount. The ballot/reader combination must also be able to report votes consistently and accurately. Unfortunately, computer-readable ballot systems have been plagued with problems due to poor design, lack of voter education, incomplete procedure guides and contingency plans, and insufficiently advanced technology. Computer-readable ballots can be classified into three categories: (a) Mark-Sense: The ballots used are printed with the choices along with a bubble which must be filled in with a pencil to indicate a vote. Mark-sense ballots are like the ticket number selection system used for Lotto 6/49 type lotteries. This sort of ballot was used in the Toronto November 1988 civic (municipal) elections, but not without significant problems. The machines, purchased at a cost of $1.6 million, failed to read 1,408 ballots due to improperly printed or cut cards.[18] The system, supplied by the (U.S.) Business Records Corporation (BRC/CES), was overly sensitive: "Any variance of 25 thousandths of an inch would cause the machine to reject a ballot." Officials decided to recount all 142,107 ballots by hand as well as by machine (the rejected ballots were not separated during the first count).[19] (b) Pre-Scored Punch Card: These ballots (popularized by CES in the U.S.) may be similar to the mark-sense cards, with the only difference being that the voter punches out a pre-scored hole in the card rather than marking it with a pencil. The primary problem with these ballots is the question of how to count cards improper punches ("The punched-out scraps have come to be called _chad_ ... Sometimes, a chad does not break completely free from the card and becomes a _hanging chad_, and sometimes voting-holes are merely indented by the voter's stylus."[20]). Even when examined manually it may be difficult to interpret the voter's intentions, and the chad present on a card may actually change between count and recount. "The inexact science of divining what the voter intended ... has been called _chadology_."[21] In order to allow more flexibility, the Votomatic system uses generic cards which are inserted into a booklet with a page listing the items to be voted on and a plastic template exposing the holes that may be punched. These booklets add to the problem, as "the ballot pages could easily be shuffled or replaced [and] blank punch-card ballots were easy to obtain."[22] In the case of Votomatic, an additional security failure exists because the same reader used for counting ballots can be used to read control cards. (c) Machine Punched Card: To avoid the chad problems of a pre-scored ballot card, voting stations may provide normal unpunched cards and a type of key-punch machine. The voter prepares the card by inserting it into the machine and pressing appropriate keys to vote. This increases the likelihood of the ballot being computer _readable_. The punched card, however, should still be human readable as well. To my knowledge, this type of key-punch system has not been used extensively. 2.3. Direct-Recording Electronic Direct-recording (ballot-less) voting systems have been in use for nearly a century, ever since the invention of the lever-type mechanical counting machines invented prior to 1900 and manufactured by the Automatic Voting Machine Company, or its rival, the Shoup Voting Machine Company. By 1928, a lever machine was used by about one of every six American voters.[23] These machines keep count by using gears for ones, tens, hundreds, etc., and can display or print the total for a voting official. Now, these machines are being replaced with fully electronic equivalents (referred to as DRE machines). Though these may be fairly unsophisticated devices, at least one company (Nixdorf Computer Corporation, Germany) includes TV displays with touch sensitive screens. The screens clearly display the choices to the voter and simplify the selection process.[24] Supposedly, the voter can be immediately warned of _illegal_ voting combinations and given a chance to correct the displayed ballot. There are two significant drawbacks to direct-recording electronic systems. First, since there is no physical ballot involved, _real_ recounts are impossible this can be disastrous if memory, tape, or disk failures occur. Secondly, the voter must trust that the machine recorded his vote properly and that it is not subsequently altered. According to Roy Saltman of the (U.S.) National Bureau of Standards' Institute for Computer Sciences and Technology, "the fact that the voter can see his or her choices on a display, or even receives a printout of the choices made, does not prove that those were the choices actually recorded by the machine."[25] 2.4. Degree of Count Centralization The voting process involves a polling hierarchy. Voters vote at voting stations at precincts (polling places) which report to an election district office (to give a district total), and these in turn report to another central location (ward office?). The actual vote tallying CPUs may be located at any or several of the stages, and count consolidation between stages can be done either by paper or electronic (phone and modem) reporting. For example, mark-sense and punched-card systems often require the ballots to be locked in boxes at the precincts and then trucked to the central computer facilities for a designated set of precincts. Conversely, DRE machines may contain microcomputers which maintain a local count, or they could be terminals networked to a precinct computer or a more centralized and powerful election district computer. When transferring counts or ballots to the central location for consolidation, security must be employed to protect the results from tampering (e.g., electronic transfers should be encrypted). Full centralization and fully electronic consolidation of poll results is apparently the most efficient, since it requires none or minimal computer hardware at the precinct level and limits technician requirements. However, this increased efficiency is acquired at the cost of public trust. According to Eva Waskell, who organized a two-day conference in 1986 on the potential of computer fraud in voting, "the centralized counting system takes control away from precinct poll workers who would otherwise provide an additional level of control. Furthermore, centralization makes rigging easier a single computer operator can be bribed rather than the dozens or hundreds of poll workers involved in ordinary elections."[26] Election officials like Audrey Piatt, Virginia, are also very cautious about central count systems: "If we ever did use a central counting procedure and the Virginia legislature is a long way from allowing the transportation of uncounted ballots you can bet there would be a very stringent test to check it before the election."[27] Extensions to the concept of count centralization may permit voters to vote from any polling place, or even from home via a touch-tone phone, computer terminal, or fax machine. The fundamental problem will continue to exist essentially, centralization increases the amount of trust that must be placed in the computer system, as the number of audit trails (e.g., sub-totals for precincts, sub-districts, etc.) are reduced significantly. 3. Key Issues & Their Implications 3.1. Election Fraud The public and political candidate's number one concern with respect to new voting procedures, is election fraud. Studies of computer crime and computer limitations have shown that "no computer program can be made completely secure against fraud."[28] As has been shown earlier, computerized voting systems to date (particularly, the CES/BRC products) have had very little security and minimal audit procedures. The running systems were open to tampering. Methods of electronic ballot box stuffing are numerous, and include the use of software with hidden code designed to alter vote counts only after initial _standard_ testing, the use of a computer console or control cards to change count variables during a tally, and/or modification of the card reader or interception of the electronic transmission of ballot data. In many cases a detailed audit trail and random manual recounts can help detect fraud (except for fraud involving physically modified or replaced ballots!). Election fraud concerns have encouraged the development of stricter testing, auditing, and run-time security standards. Officials wish to be able to examine source codes of proprietary software which is normally kept secret in order to retain Trade Secret protection. Political candidates which have financial relationships with producers of voting systems are likely to be suspected if fraud occurs. 3.2. Count Errors Also due to inadequate audit procedures, it is difficult to both _detect_ tally errors and then _determine_ if the error is entirely innocent or deliberately and fraudulently caused. The large numbers of errors that have been detected cause speculation that a proportionally greater number probably remain hidden. It has been stated by reviewers of computer tallied election results that "the data provided are insufficient to demonstrate the correctness of the results provided."[29] Stories of mysterious election results are common. For example, a review of 1984 election counts showed that President Reagan received 159 votes in the Trinity River Bottom precinct this Texas district was inhabited only by squirrels, rabbits, and fish. Terry Elkins, a political researcher said "The computer invented those numbers no one lives there, so the fish must have voted."[30] Errors may be caused by faulty hardware, software, or input data. Faulty input data results from mistakes made by voters or poll officials when completing ballots or consolidating totals. It is unreasonable to demand that an election system be error free, rather, controls should be incorporated which help detect and trace errors. For example, the system should compare the number of votes cast with the sum of the total votes for each candidate this implies that _undervotes_ (choices left blank) must also be tallied. Once again, the ability to recount ballots manually is an important last resort to guarantee that a reliable result can be reported. This assumes that at least a human readable error-free ballot is created and securely stored. 3.3. Vote Integrity The concept of vote integrity includes ensuring that the vote count is safe from fraud and undetected errors. In addition to these two factors, voting systems must also ensure that each voter does not lose his voting right due to a lost, rejected, or miscounted ballot. Computer storage failures in DRE systems could wipe out hundreds of votes in an instant. Bugs in voting systems have caused ballots in certain configurations to be disallowed, even though such configurations were publicly declared legal according to local regulations. Cries of discrimination occurred when the majority of votes rejected in one election came from wards where most of the voters are black.[31] Many of these problems occur because the American election system is inherently complex. Voting systems must be able to properly interpret votes which involve such intricacies as write-in candidates, cross-over endorsements, split precincts, straight party or group voting, N of M selection, undervoting, multi-card ballots, and more.[32] Careful system design, backup procedures, and complete testing of all legal vote configurations can help to guarantee vote integrity and the preservation of the voting right. Voting systems should separate (or store) ballots uncounted for any reason, so that they may be examined by an election official. Voting systems must appear trustworthy to the average voting citizen and be usable with minimal education. A DRE system in Holland 1986 was questioned because "several voters were confused by the layout of the buttons and inadvertently chose the wrong candidate by pushing the button at the wrong side of the candidate's name."[33] The problem of interpreting hanging-chad on Pre-Scored ballot cards (discussed above) is a similar threat to vote integrity. These problems may be attributed to _voter error_, but in any case, misinterpretation of the voter's intentions is serious. 3.4. Privacy & Secrecy In most countries, the right to vote is qualified by the right to have a secret ballot. While voting, a citizen must have privacy so as not to feel coerced into voting a particular way, and afterwards, his security is ensured because the ballot cannot be traced back to him. Secrecy, however, makes detailed auditing difficult, since it is impossible to verify a ballot against the voter's intentions after the election. Developing computerized voting systems which ensure privacy and secrecy is not difficult. Convincing the public that this is so, however, presents a problem. Especially if computers are used for both enumeration and voting, the ability for the system to permanently link voter and vote becomes obvious. Attempts to implement _phone-in_ voting are doomed to failure because of the necessity of tracking voters (to ensure only one vote per registered citizen), the public's awareness of phone tracing technology, and the need for each family member to vote in privacy (only one person is allowed in a voting booth, but many may share the home phone). Voter education may help increase confidence that ballots are kept secret. The audit problem may be circumvented with the use of a _numbered receipt system_, in which the voter receives a copy of his vote which can be compared to a list published after the election. Discrepancies could be reported through anonymous receipt drop-off.[34] 4. Standards & Legislation 4.1. Responsibility It makes sense that the responsibility for ensuring that computerized vote tallying systems are trustworthy lies with the government. Before each state, province, or other type of voting district purchases and implements a computerized vote tallying system, supposedly it is examined and _certified_ by local election administrators. Clearly, these examinations have not been sufficient and more stringent, nation-wide standards are required. In the United States, the task of developing standards has been brought to the National Bureau of Standards (who previously prepared computer systems standards for the U.S. General Accounting Office), and the Federal Election Commission, National Clearinghouse on Election Administration. These institutions hired consultants to examine the issues and make specific recommendations. In addition, concerned citizens such as Ms. Waskell, feel that "the Federal Government, using election powers outlined in the constitution, should mandate that all vendors conform to NBS standards."[35] 4.2. Federal Election Commission Standards Document In January (revised April) 1990, the National Clearinghouse on Election Administration (a department of the U.S. Federal Election Commission) published a 300 page document entitled _Voting System Standards_ (developed by consultant Robert Naegele). The major portion of this document is entitled "Performance and Test Standards for Punchcard, Marksense and Direct Recording Electronic Voting Systems". The document also contains sections on standards implementation, system escrow requirements, and evaluation of independent test authorities. According to the preface, "These standards specify general performance criteria, as well as detailed test criteria. Essentially, they address what a voting system should reliably do, not how the system should meet this requirement. It is not the intent of the standards to impede the design and development of new, innovative equipment by vendors. Furthermore, the standards ought not force vendors to price their voting systems out of the range of the local jurisdictions."[36] The document deals mainly with the common sense items that vote tallying systems to date have failed to properly provide. Included are minimal security specifications (procedures for preparation, election conduct, and poll closing), specific _always-on_ audit reports, electronic consolidation function descriptions, documentation requirements, multi-level and independent party testing procedures (size of test runs, comparing test results between runs and between product upgrades), structured coding guidelines and limitations (high-level language must be used), etc. Specific size and printing standards for computer-readable ballot cards are given, but very little is mentioned on the design of the user interfaces for DRE terminals. Some of the specifications given seem overly detailed and restrictive (and hence are likely to be ignored if a choice is given). Hardware test criteria, for example, includes drop test descriptions which are difficult to understand. For example, instructions for one test contained the following condition: "If the horizontal distance from the centre of gravity of the test item to the pivotal axis formed by the two supported corners is appreciably greater or less than half the distance between the pivot axis and the elevated edge, then the height to which the unsupported edge is to be raised shall be adjusted so that the product of the vertical distance travelled by the centre of gravity from release to impact and the weight of the test item is maintained at 200 foot-pounds."[37] These details increase the size of the standards document considerably, and thus the document does not focus on what appear to be the key issues (presented earlier). The use of _escrow agreements_ is recommended. The software producer should be required to provide a copy of the source and object code to be held by an escrow agent in case examination is required at a later date. Ideally, the escrow agent should immediately verify that the software meets the FEC standards. Along with sample escrow agreements, the document describes escrow procedures, such as how to confirm that escrow copies match production copies. This document (nor any other official document according to my knowledge) makes no specific recommendations on DRE systems versus computer-readable ballots. Extensive training of election adminstration in computer technology and security issues was recommended, however. I have been unable to find any equivalent or similar voting system standards documentation in Canada perhaps the U.S. FEC document can be used here as a starting point. 4.3. Government Produced Systems Some people believe that the government should actually commission and supervise the development of a computerized vote tallying system, and subsequently makes its use mandatory for all elections. While the cost would be tremendous, this might ensure that a proper system is put in place and the software would be completely available for public inspection. However, the government prefers to allow free enterprise and competition to develop the best product. Considering that election regulations vary significantly from state to state, the use of one system nation-wide is probably infeasible. 4.4. Legislation As mentioned above, many people think that the FEC or NBS standards should be made compulsory. Presently, however, the adoption of these standards is voluntary, and each state may decide which specific set of requirements to legislate. Some legislation is important in order to prevent conflicts with other laws. Escrow agreements, for example, can conflict with Trade Secrecy laws. Texas has implemented the following law: "Copies of the program codes and the user and operator manuals and copies or units of all other software and any other information, specification, or documentation required by the Secretary of State relating to an approved electronic voting system and its equipment must be filed with the Secretary. The program codes and all other software on file with the Secretary of State under this section are not public information."[38] Some regulations might actually do more harm than good. Recounts of Toronto's 1988 mark-sense ballots were made difficult by a law which states that all ballots must be read in the same fashion as on election day i.e., by the machines which may be faulty![39] Other regulations permit physical ballots to be destroyed after as few as 61 days after the election.[40] To address the concern of inauditability of ballot-less DRE systems, Kurt Hyde had the following resolution passed at the 1988 New Hampshire State Republican Convention, "Computerized voting equipment must either produce a manually recountable ballot for the voter's inspection prior to electronically casting the voter's ballot or use as its input a ballot which can be used in a manual recount."[41] In general, legislation is, as usual, far behind the capabilities and problems of the technology. Hopefully, the NBS and FEC will keep their standards documentation up-to-date and encourage the use of these guides nationally. It is likely that a local government with nowhere else to turn will choose to use these standards as certification criteria. 5. Conclusions & Recommendations This study has revealed that current computerized vote tallying systems are seriously deficient in addressing the issues of security against fraud, assurance of reliability, and maintenance of vote integrity. The widely used Votomatic system from CES/BRC is the ultimate _bad example_, as it clearly demonstrated the bulk of the problems. The FEC document, _Voting System Standards_, is a good first-attempt at providing strict guidelines for computerized vote tallying systems. Although its emphasis on trivial details lessens its focus on some of the more important issues, it provides sufficient minimal specifications for a much safer voting product than exists today. It is recommended that jurisdictional governments (including Canadian) voluntarily adopt as many of these standards as applicable. More work by the NBS and FEC is required, however. Specifically, a recommendation between DRE and computer-readable ballot systems would be useful, and the innovation of telephone voting should be addressed. In my opinion, with technology available today, the best voting system might be as follows:[42] - It should be a DRE type system, employing a touch-sensitive display screen, in order to allow _user-friendly_ ballot presentation and subsequent checking for conformity to voting regulations. Every voter must at least press the CAST button on this system (to count non-votes). - When the voter presses the CAST button, the system immediately checks the validity of the vote and displays error messages as appropriate. The user may then correct his/her ballot. - If the ballot is correct, it is printed on official paper in a form that is both human and machine-readable, and displayed in a window, where it may be examined by the voter. The voter may choose to accept this ballot, in which case it falls into a secure ballot box, else it falls into a rejected ballot box and the voter may start over. - Accepted ballots are recorded electronically as in current DRE systems (tally maintained and reported locally, and also consolidated electronically). - The paper ballots are available for random auditing (samples are selected, counted, and matched with the DRE counts), and official recounts. Counts of these paper ballots can be done by either/both computer-readers and human-readers. Perhaps a serial numbered copy of this paper ballot may be given to the voter for additional safety. - Applicable standards from the FEC document would be incorporated into this system (software design, run-time security, minimum audit reports, etc.). - This system should be used as widely as possible, in order to minimize voter re-education requirements. What I am suggesting is an easy to use system with a secure paper backup procedure. Of course, certain details have yet to be considered for example, we must make sure that the paper ballots cannot be tampered with while being counted. In conclusion, regardless of the opinions of certain cynics, I believe that computers can be extremely useful in the election process and that a _good_ voting system is possible. The bad experiences of the past should not be allowed to prohibit the use of technology in the future. Hopefully we have learned that with functions as important as the unalienable right to vote, the social implications of using computers must be considered first, and then great care must be taken when implementing the automated systems. ======================================= NOTES [1] Karen A. Frenkel, "Computers and Elections" in Communications of the ACM, Oct 1988, p. 1176. [2] Patrick Flanagan, "Computer-Aided Voting: Big Help or Big Brother?" in Computer Decisions, Oct 1988, p. 60-64. [3] John W. Verity, "Machine Politics" in Datamation, 1 Nov 1986, p. 54. [4] Andrew S. Beals, "Why would anyone want to computerize voting?" in _Forum on Risks to the Public in Computer Systems_ (electronic newsgroup "comp.risks"), 19 Mar 1986, p. 18 [page numbers for _Forum..._ refer to page numbering in "Articles From Usenet COMP.RISKS Archives" compiled by Terry Gauchat. [5] Tom Forester, and Perry Morrison, _Computer Ethics_, The MIT Press, Cambridge Massachusetts, 1990, p. 104. [6] Gregory Witcher, "Use of Computers in Elections Raises Security Questions" in _Boston Globe_, 23 Aug 1986, p. 17. [7] Ronnie Dugger, "Annals of Democracy: Counting Votes" in _The New Yorker_, 7 Nov 1988, p. 43. [8] Ibid., p. 42. [9] Ron Newman, "Computerized Voting No Standards and a Lot of Questions" [Summary of talk by Eva Waskell, computer programmer, independent science writer, on potential of fraud in voting.] in _Forum..._, 14 Apr 1986, p. 34. [10] Dugger, p. 45. [11] Ibid., p. 57. [12] Forester et al., p. 105. [13] Willie Schatz, "Yes, Virginia, There is an Answer" [Quoting Michael Shamos.] in _Datamation_, 1 Nov 1986, p. 60. [14] Ibid. [15] Newman, p. 35. [16] See Dugger. [17] Forester et al., p. 105. [18] Sean Fine, "Machine Misses 1,408 Votes. Toronto Clerk Wants Recount" in _The Globe & Mail_, 19 Nov 1988. [19] Mark Brader, "Troubles with Automatic Vote Counting in Toronto" [referring to _Toronto Star_, 22 Nov 1988] in _Forum..._, 22 Nov 1988, p. 12. [20] Dugger, p. 54. [21] Ibid. [22] Ibid., p. 58. [23] Ibid., p. 46. [24] Ibid., p. 108. [25] Ibid. [26] Forester et al., p. 104. [27] Schatz, p. 60. [28] Dugger, p. 45. [29] Ibid., p. 105. [30] Witcher, p. 17. [31] Charles Youman, "More on Missouri Voting Decision" [Quoting from article "Decision Threatens Punch-Card Elections" in _St. Louis Post-Dispatch_, 24 Dec 1987] in _Forum..._, 6 Jan 1988, p. 25. [32] National Clearing House on Election Administration, Federal Election Commission (NCH/FEC, U.S. Government, Washington D.C.), Robert J. Naegele, consultant, "Performance and Test Standards for Punchcard, Marksense and Direct Recording Electronic Voting Systems" in _Voting System Standards_, 1990, p. 97. [33] Eke van Batenburn, "Confusing Input Request in Automatic Voting Systems" in _Forum..._, 3 Dec 1989, p. 24. [34] Mike McLaughlin and others, "Voting Receipts" in _Forum..._, 4 Mar 86, p. 43. [35] Newman, p. 37. [36] NCH/FEC, p. xvii. [37] Ibid., p. 75. [38] Ibid., Section 3., p. 13. [39] Fine. [40] Newman, p. 37. [41] Kurt Hyde, "NH State Republican Convention Computerized Voting Standard Resolution" in _Forum..._, 21 Nov 1988, p. 50. [42] Based on ideas presented by Tom Benson, Kurt Hyde, Jim McGrath, others in _Forum..._, Mar 1986, pp. 44-51. ======================================= REFERENCES Dugger, Ronnie, "Annals of Democracy: Counting Votes" in _The New Yorker_, 7 November 1988, pp. 40-108. Fine, Sean, "Machine Misses 1,408 Votes. Toronto Clerk Wants Recount" in _The Globe & Mail_, 19 November 1988. Flanagan, Patrick, "Computer-Aided Voting: Big Help or Big Brother?" in _Computer Decisions_, October 1988, p. 60-64. Forester, Tom, and Morrison, Perry, _Computer Ethics_, The MIT Press, Cambridge Massachusetts, 1990, pp. 104-7. Frenkel, Karen A., "Computers and Elections" in _Communications of the ACM_, October 1988, pp. 1176-83. Hunter, Nell, "System Helps Atlanta County Keep Pace with its Voters" in _Government Computer News_, 7 November 1988, p. 85. National Clearing House on Election Administration, Federal Election Commission (U.S. Government, Washington D.C.), Naegele, Robert J., consultant, _Voting System Standards_, (includes "Performance and Test Standards for Punchcard, Marksense and Direct Recording Electronic Voting Systems", "A Plan for Implementing the FEC Voting System Standards", "System Escrow Plan for the Voting System Standards Program", and "A Process for Evaluating Independent Test Authorities"), 1990. Neumann, Peter G., "Risks in Computerized Elections" in _Communications of the ACM_, November 1990, p. 170. Saltman, Roy G., "Accuracy, Integrity and Security in Computerized Vote-Tallying" in _Communications of the ACM_, October 1988, pp. 1184-93. Schatz, Willie, "Yes, Virginia, There is an Answer" in _Datamation_, 1 November 1986, pp. 60-1. Tchashchin, Kirill, "Moscow: Bid Awarded for Computerized Voting System in Perm. (Dzerzhinsky Industrial Association Wins Contract with Supreme Soviet)" in _Newsbytes_, 12 April 1990. Till, Larry, "Automated Voting System Under Fire (Optech III-P, from Business Records Corp.)" in _Computing Canada_, 5 January 1989, p. 9. Various, _Forum on Risks to the Public in Computer Systems_ (electronic newsgroup "comp.risks"), moderator Neumann, Peter G. See also: "Articles From Usenet COMP.RISKS Archives" compiled by Gauchat, Terry, 1986-1990. Verity, John W., "Machine Politics" in _Datamation_, 1 November 1986, pp. 54-61. Witcher, Gregory, "Use of Computers in Elections Raises Security Questions" in _Boston Globe_, 23 August 1986, p. 17.