Electronic Voting Does Not Threaten Democracy

Robert Pinchbeck
BGS 399 - Senior Thesis, Section 98A
Professor Karen Olesch
Final Document
December 13, 2006


The United States 2000 presidential election was decided by a fraction of a percent of the votes in the State of Florida. This extremely narrow margin of victory in a national election attracted the critical scrutiny of the American public. During repeated recounts of the Florida vote, government officials discovered substantial problems with the voting process. This led to widespread questions about the effectiveness and reliability of the American voting system. In response to these concerns, Congress quickly enacted legislation that provided funding for states to improve their voting systems. Soon afterward, many states started using these funds to purchase and deploy electronic voting systems.

Direct recording electronic voting systems, which use a computer to record and tally votes, are highly controversial. Opponents argue that these systems are inherently insecure, and pose unacceptable risk to the democratic process. Admittedly, these new voting systems do have significant problems; however, these problems are present, to varying degrees, in every voting system. Even so, researchers at prestigious universities have developed solutions to these problems that, when implemented properly, will deliver failsafe voting systems in the near future. Opposition to direct recording electronic voting is unfounded because the objections of opponents are based on procedural problems that can be corrected and controlled. Given the recent advances in voting technology, direct recording electronic voting systems can provide improved accuracy and reliability while maintaining an acceptable level of risk.

The United States Election System

According to the U.S. Government Accountability Office (2004), "The U.S. election system is highly decentralized, with primary responsibility for managing, planning, and conducting elections residing at the local jurisdiction level" (p. 4). This means that the outcome of any federal election depends upon the scrutiny and diligence of a large number of county and city election officials. There is no central authority that administers, or directly controls, the entire election process in the United States. This heterogeneous approach to nationwide voting helps prevent election fraud because only a vast conspiracy of thousands of election officials would be able to compromise elections.

To further protect the American electorate, the United States employs a confidential method of voting -- the secret ballot. Voters cast their votes in private and, once cast, their votes become anonymous. The purpose of a secret ballot is to permit voters to cast their votes freely, without fear of rebuke, intimidation, bribery, or retaliation. However, this freedom has a price: if voters make a mistake when casting their ballots, it becomes impossible to ascertain their original intent.

Despite the extra security offered by secret ballots, the vast majority of voting systems employed in the United States are still prone to voter error. Undervoting occurs when a voter either forgets to vote for a candidate, or deliberately refuses to vote for any candidates. Overvoting occurs when voters cast their votes for multiple candidates in the same political office. Undervoting and overvoting for a given political office, whether intentional or not, both result in a spoiled ballot. In other words, for the vast majority of Americans, making a mistake while voting for a given political office is tantamount to not voting at all.

Electronic Voting Systems

There are many different types of electronic voting systems available in the United States. Some electronic systems use paper ballots with printed ovals which are marked by voters with special pens or pencils, and others use paper ballots containing marked areas which are physically removed by voters using a hole-punching tool. Both types of paper ballots are fed into electronic scanning devices which determine the voter's selection and record the appropriate vote; hence, these systems are referred to as paper-based electronic voting systems.

While paper-based electronic voting systems have been in use for more than 30 years, the most recent and most controversial electronic voting systems are direct-recording electronic (DRE) voting systems. DRE systems use an electronic ballot -- a computerized touch-sensitive display -- to interact with voters, determine their selection, and record their votes.

The 2000 Election Crisis

In a study of the 2000 ballots cast in Florida, Schwartz (2002) revealed that "Florida's sixty-seven counties used five voting technologies consisting of twelve different kinds of machines made by seven different manufacturers" (p. 631). According to Wolter, Jergovic, Moore, Murphy, & O'Muircheartaigh (2003), the majority of voting systems used in Florida were "two systems based on punchcards, and various optical scanning systems" (p. 1). Hence, the vast majority of votes were tabulated by paper-based electronic voting systems and, consequently, those votes were susceptible to both overvoting and undervoting. Normally, the overvotes and undervotes in an election are not enough to influence the outcome. However, in Florida, the 2000 presidential race was so close that the slightest margin of error had a profound impact on the results. In this case, the acceptable margin of error for elections exceeded the margin of victory. This made it extremely difficult to determine the winner of the election, despite repeated recounts. Ultimately, in a highly controversial 5-4 decision, the U.S. Supreme Court ordered the State of Florida to cease further recounts, effectively deciding the election in favor of George W. Bush.

In the wake of the 2000 election crisis in Florida, the federal government faced significant public pressure to avert a similar election crisis in the future. In response to the overwhelming demand for election reform, Congress drafted and enacted the 2002 Help America Vote Act (HAVA). The U.S. Office of Management and Budget (2007) reports that:

Since enactment of [HAVA], the Federal Government has provided approximately $3 billion to upgrade voting systems, develop electronic voter registration lists, assure access for individuals with disabilities, and train election officials for all 50 States, the District of Columbia, and four territories. (pp. 297‑298)

The new law openly encourages states to replace outdated voting systems with federally approved voting equipment, and it establishes the U.S. Election Assistance Commission (EAC) to draft and maintain a set of voting system guidelines and assist states with their implementation.

On December 13, 2005, after a 9-month process of drafting and public comment, the EAC published and adopted the 2005 Voluntary Voting System Guidelines (VVSG). According to the EAC (2005), "the purpose of the [VVSG] is to provide a set of specifications and requirements against which voting systems can be tested to determine if they provide all the basic functionality, accessibility and security capabilities required to ensure the integrity of voting systems" (p. 3). State compliance with the guidelines is voluntary, hence the name. States are free to adopt all, part, or none of the guidelines and, according to the EAC (2006), "at least 39 States use the national guidelines in their voting system certification process" (para. 4). The guidelines permit the use of DRE equipment and, therefore, states which follow the guidelines can employ DRE voting systems, if they find them suitable.

Voting System Performance Factors

When evaluating the suitability of any voting system, there are many performance criteria against which it can be measured. Election officials strive to implement voting systems that are as accurate, reliable, secure, transparent, usable, accessible, and auditable as possible.

All voting systems satisfy some of these criteria, but DRE voting systems are the only systems that are capable of satisfying them all. When considering the importance of these factors, Saltman (1988) provides an excellent assessment:

Accuracy is the essential requirement of a computerized vote-tallying system, but its achievement may not be possible without the implementation of integrity and security. Even if accuracy is attained, confidence in the results may not be assured unless the other two factors can be shown to be present. Thus for vote tallying systems, these factors are not mutually exclusive parameters that can be separately considered (section 2.1, para. 1)

Arguments Against DRE Voting

Despite the unique benefits of DRE voting systems, opposition to these systems has been gaining momentum. With regular reports of system failures nationwide, and with repeated studies revealing serious security risks with voting equipment, DRE voting systems have become quite controversial. Opponents of DRE voting typically enumerate the dangers of so-called "black box voting," citing the risk of malicious programming, programming errors, inadequate testing, device failure, weak security, and poor auditability. Still, it is important to bear in mind that every voting system suffers from analogous elements of risk, as Jones (2005) observes:

There is no doubt that rogues have been corrupting scattered elections across the United States for two centuries. . . . While the technology has changed, and while we may be doing somewhat better today, there is no reason to believe that the rogues have lost interest (pp. 1‑2).

Black Box Voting

Harris (2004) defines black box voting as: "Any voting system in which the mechanism for recording and/or tabulating the vote is hidden from the voter, and/or the mechanism lacks a tangible record of the vote cast" (Preface, para. 5). Harris, like many other opponents, argues that DRE voting systems cannot be trusted because the public cannot inspect and verify the inner workings of the voting equipment during an election. Opponents of black box voting often claim that only paper ballots can be relied upon to give accurate and auditable vote counts. These claims may appeal to the risk averse voter, but they overlook an important fact: by design, the secret ballot system is always "black box voting." Voters will never be certain that their votes are counted correctly, regardless of which type of voting system is employed. This is because secret ballots are not individually recognizable. Even if voters personally inspect the voting process, they will have no way of knowing that their individual votes are counted properly. Once ballots are cast, voters must necessarily trust election officials to tabulate their votes fairly and accurately. By this measure, DRE voting is just as trustworthy as paper voting, because, ultimately, the outcome of any election relies on the diligence and scrutiny of election officials.

Malicious Programming

Still, many DRE opponents claim that malicious computer programmers could alter voting system software to record votes incorrectly. Moreover, opponents argue, since these devices are distributed nationally by a small group of vendors, such malicious changes could tamper with the results of elections on a national scale. Rubin (2006) comments on this type of fraud:

The ability to corrupt multiple [voting] machines in multiple locations, or to influence the aggregate results of multiple machines with a single action, constitutes what we call wholesale fraud, where the smallest effort causes the greatest damage. Software based, paperless voting makes wholesale fraud possible (p. 37).

Malicious programmers are notorious for creating computer viruses that wreak havoc on the internet, opponents argue, so what prevents them from engaging in wholesale fraud on DRE voting systems? The answer, of course, is: "Nothing." Indeed, DRE voting software could be altered to record a different vote from the one cast by the voter, and a malicious industry insider with the necessary skills and access to voting equipment could secretly corrupt the software. It is even possible that a sophisticated programmer could introduce malicious software that would escape early detection.

However, the most sophisticated malicious software is extremely unlikely to escape detection during parallel testing. On Election Day, election officials conduct parallel testing by selecting voting machines at random and staging mock elections. If the machines are malfunctioning, then the outcome of the mock elections will be incorrect. Attempts at election fraud are easily detected in this manner, even if they escape early detection. To avoid detection during parallel testing, the malicious software would have to deactivate itself often enough that random testing could not reliably detect it. Presumably, if the malicious software is only active a small percentage of the time, then it will not affect elections in a meaningful way, because the percentage would have to be small enough to elude detection.
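
The parallel-testing argument above can be checked numerically. The following is an added example, not part of the original thesis: it assumes machines are drawn at random without replacement and that altered software changes each mock ballot independently with a fixed activation probability, and every function name and sample figure is constructed for illustration.

```python
from math import comb


def detection_probability(total, altered, tested, ballots, activation):
    """Chance that parallel testing sees at least one wrong mock result.

    total      machines deployed in the jurisdiction
    altered    machines running altered software
    tested     machines drawn at random for mock elections
    ballots    mock ballots cast on each tested machine
    activation probability that altered software changes any one ballot
    """
    if not (0 <= altered <= total and 0 <= tested <= total):
        raise ValueError("altered and tested must lie between 0 and total")
    if ballots < 0 or not 0.0 <= activation <= 1.0:
        raise ValueError("ballots must be >= 0 and activation within [0, 1]")
    # One altered machine passes its mock election only if it leaves every
    # mock ballot untouched.
    silent = (1.0 - activation) ** ballots
    draws = comb(total, tested)
    p_miss = 0.0
    # k = number of altered machines that land in the random sample
    # (hypergeometric, because machines are drawn without replacement).
    lo = max(0, tested - (total - altered))
    hi = min(altered, tested)
    for k in range(lo, hi + 1):
        p_k = comb(altered, k) * comb(total - altered, tested - k) / draws
        p_miss += p_k * silent ** k
    return 1.0 - p_miss


def machines_needed(total, altered, ballots, activation, target=0.95):
    """Smallest random sample that reaches the target detection probability,
    or None if testing every machine still falls short."""
    for tested in range(total + 1):
        p = detection_probability(total, altered, tested, ballots, activation)
        if p >= target:
            return tested
    return None


def sampling_plan(total, altered, ballots, target, rates):
    """For each activation rate, return (rate, expected share of all ballots
    changed, machines officials must test to reach the target)."""
    rows = []
    for rate in rates:
        share = altered / total * rate
        needed = machines_needed(total, altered, ballots, rate, target)
        rows.append((rate, share, needed))
    return rows


if __name__ == "__main__":
    # Constructed scenario: 100 machines all running the same altered
    # software, 100 mock ballots per tested machine, 95% detection target.
    for rate, share, needed in sampling_plan(100, 100, 100, 0.95,
                                             [0.10, 0.01, 0.001]):
        print(f"activation {rate:.3f}: {share:.2%} of ballots changed, "
              f"test {needed} machines")
```

Under this model the number of machines officials must test grows as the activation rate shrinks, so the size of the sample and the length of each mock election decide how small an effect parallel testing can reliably catch.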

The possibility of malicious programming does not justify prohibiting DRE voting. Malicious programming is merely another example of election fraud, and it should be dealt with in the same manner as any other attempt at election fraud: election officials should take strong measures to detect the fraud, then apprehend and charge the responsible parties with the appropriate crime.

Programming Errors

Even if election officials take all necessary measures to counter the threat of malicious programming, the possibility of programming errors is still a legitimate concern of DRE opponents. As Jones (2005) observes: "Almost everything that a malicious attacker could attempt can also happen by accident; for every malicious attacker, there may be thousands of ordinary people making ordinary careless errors" (p. 2). Certainly, computer programmers sometimes make mistakes and, as a result, computer software is not perfect. It is possible that programming mistakes could cause DRE systems to record votes incorrectly. Moreover, these mistakes might also escape detection during testing (perhaps even during parallel testing), since the combination of test votes might not trigger the broken portions of the program.

Unfortunately for opponents who raise this argument, all voting systems have a margin of error. Admittedly, DRE systems introduce a new and unpredictable risk of error, but that does not justify prohibiting their use. Essentially, those who argue against DRE voting on this basis are unwilling to tolerate new (and unknown) risks, even when these risks result in more accurate voting. Properly implemented DRE voting systems are more accurate than any other available system of voting, as Selker (2004) observed: ". . . when Georgia changed over to DREs [sic] in 2002, residuals (the total number of overvotes and undervotes combined) were reduced from among the worst in the nation at 3.2 percent on the top race in 2000 to 0.9 percent in 2002" (p. 92). Opposing DRE voting systems because they might contain errors despite the fact that they are more accurate is like opposing the use of airplane computer systems, even though they allow more flights to land safely.

Inadequate Testing

The risks of poor programming can be mitigated by testing the voting software thoroughly and diligently. Still, perhaps the most compelling argument against DRE voting systems is an apparent lack of adequate testing. Federal guidelines require DRE voting system vendors to have their software certified by a federally approved independent testing authority (ITA); however, these guidelines also permit the vendor to select and hire the tester. This presents an enormous conflict of interest for both parties. The vendor has an incentive to seek out the least stringent tester, and the tester has an incentive to certify flawed software in order to gain future employment from the vendor. Moreover, vendors are not required to share test results with the public, further obscuring the potential flaws in their software. Wagner (2006) points out:

Even if an ITA finds a serious security flaw in a voting system, they are not required to report that flaw if the flaw does not violate the VVSG standards. Thus, it is possible to imagine a scenario where an ITA finds a flaw that could endanger elections, but where the ITA is unable to share its findings with anyone other than the vendor who built the flawed system. Relying upon vendors to disclose flaws in their own products is unsatisfactory. (p. 3)

The problem of inadequate and possibly corrupt testing is a valid concern. However, it is a procedural problem that can be effectively remedied and does not justify prohibiting DRE voting systems. There are several approaches that could resolve the problem. For instance, the conflict of interest could be removed by randomly selecting a federally approved tester to certify a given release of voting software. Furthermore, if test results were a matter of public record, this would motivate vendors to deliver the best DRE voting software possible, lest they face public criticism for shoddy work.

Device Failure

Continual reports of DRE voting equipment failure have fueled objections to its use. These types of failures are quite varied. Sometimes, the DRE system won't start up, or the voting software becomes slow or unresponsive. In many cases, these failures have prevented polling centers from tallying votes or caused them to turn away voters. In extreme cases, malfunctioning devices have caused the loss of thousands of votes. For example, according to Pippin (2005), "In Carteret County [North Carolina] ... 4,438 votes were permanently lost because of a mishap over the storage capacity of a control unit used during the early voting period" (para. 2).

Even so, every voting system is susceptible to failure. For every instance of DRE voting failure, there are instances when paper voting has similarly failed. There are documented cases of paper ballots failing to reach polling centers in time, misprinted paper ballots, lost (or stolen) paper ballots, and polling centers exhausting their supply of paper ballots. Gross (2004) quotes Linda Hlebak, Deputy Director of Elections for Lake County, Ohio as saying: "I think people figured out how to rig paper ballots a hundred years ago. . . I've seen people hand count ballots, and even with people checking and double-checking, you can't get the same answer" (para. 22). Clearly, the potential for system failure does not justify prohibiting DRE voting systems. The solution is to build more reliable systems; as Shamos (2006) quips, "Planes shouldn't crash much, and neither should voting machines" (section 1.1.3).

Weak Security

Many opponents of DRE voting argue that it is vulnerable to vote tampering on a massive scale. However, tampering with DRE voting systems requires technical expertise and computer equipment, neither of which is readily available to the majority of the American public. With paper voting systems, tampering with ballots merely requires a pen, pencil, or hole-punch. In addition to simple tampering, Burr, Kelsey, Peralta, & Wack (2006) observe:

Paper has been lost or stolen; it can be switched or otherwise tampered with. Generally speaking, this has occurred when accepted practices and procedures have not been followed. But if people fail to follow accepted procedures, then any voting system can become insecure.

Hence, paper voting systems present a similar degree of risk, if not more so. Adler (2003) offers the following insightful opinion: "The conclusion, and what I believe fuels the DRE security debate, is that current DRE error margin is unknown to a guaranteed level of confidence. Confidence is merely asserted, based on assumptions of 'good' system design and election procedures" (p. 4). Adler goes on to argue in favor of verifiable voting systems, but not for paper ballots.

Prohibiting DRE voting because of the potential of election fraud is like prohibiting automobiles because of the potential of drunk drivers. As with any serious crime, there are stiff penalties for those who would perpetrate election fraud, whether by electronic or paper methods. If stiff penalties do not discourage vote tampering, then abandoning DRE voting systems will not discourage it either.

Still, opponents of DRE voting insist that it poses too great a security risk. They point to studies that reveal security flaws in DRE devices and conclude that they are easily compromised. Yet, these studies are conducted by researchers who have full access to the voting devices. The researchers bypass every physical security mechanism, pore over the design of the devices, develop approaches to exploit the vulnerabilities they discover, and publish the results. This is hardly an example of what is likely to occur in the field. After all, there is a substantial difference between demonstrating security vulnerabilities and actually exploiting them. Shamos (1993) draws this very appropriate conclusion:

No one would buy a safe that could be easily opened, but everyone who has ever bought a safe has bought one that can be cracked. The same is true for voting systems. The issue is not whether they are secure, but whether they present barriers sufficiently formidable to give us confidence in the integrity of our elections. (Experience, para. 4)

Poor Auditability

Another strong argument against DRE voting is the lack of auditable DRE systems. Since a computer records the vote, there is no guarantee that the electronic record accurately reflects the intention of the voter. Even though parallel testing can detect system-wide attempts at vote tampering, the case of an individual voting machine being compromised might escape detection. Many DRE systems record votes on removable media, leaving vote tallies vulnerable to unscrupulous voting officials, poll workers, or other malicious individuals who could gain access to the media and attempt to modify it.

Admittedly, most paperless DRE voting systems are not equipped to prevent this type of fraud; however, this does not justify opposition to DRE voting systems. This type of vote tampering can easily be avoided by employing write-once media and advanced encryption techniques. Such measures will not stop malicious election officials from deliberately "misplacing" recorded votes (which they can also do just as easily with paper ballots), but they will stop them from submitting altered votes for tallying -- something that paper ballots cannot prevent.
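
One way to make altered records detectable, shown as an added example that is not part of the original thesis: each vote record carries an HMAC-SHA256 tag chained to the record before it. HMAC stands in here for the unspecified "advanced encryption techniques"; the key, record layout, function names and the independent ballot count are assumptions made for illustration.

```python
import copy
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # starting value for the tag chain


def _tag(key, prev_tag, body):
    """HMAC over the previous tag plus a canonical encoding of the record."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + payload, hashlib.sha256).digest()


def seal(key, votes):
    """Number each vote and attach a tag that also covers all earlier votes."""
    prev, sealed = GENESIS, []
    for seq, vote in enumerate(votes):
        body = dict(vote, seq=seq)
        prev = _tag(key, prev, body)
        sealed.append({"body": body, "tag": prev.hex()})
    return sealed


def verify(key, sealed, expected_count=None):
    """Return (ok, reason). expected_count is an independent ballot count,
    for example from the poll book (an assumption of this example)."""
    prev = GENESIS
    for i, entry in enumerate(sealed):
        body = entry.get("body")
        if not isinstance(body, dict) or body.get("seq") != i:
            return (False, f"record {i}: sequence gap")
        want = _tag(key, prev, body)
        try:
            got = bytes.fromhex(entry.get("tag", ""))
        except ValueError:
            return (False, f"record {i}: malformed tag")
        if not hmac.compare_digest(want, got):
            return (False, f"record {i}: tag mismatch")
        prev = want
    if expected_count is not None and len(sealed) != expected_count:
        return (False, f"expected {expected_count} records, found {len(sealed)}")
    return (True, "ok")


def demo():
    """Run the checks on constructed sample data and return the verdicts."""
    key = b"constructed-demo-key"  # constructed; a real key never ships on the media
    votes = [{"contest": "mayor", "choice": c} for c in ("A", "B", "B", "A")]
    sealed = seal(key, votes)
    altered = copy.deepcopy(sealed)
    altered[1]["body"]["choice"] = "A"  # a record changed after sealing
    return {
        "intact": verify(key, sealed),
        "altered": verify(key, altered),
        "middle_removed": verify(key, sealed[:1] + sealed[2:]),
        # Dropping records from the end leaves a shorter but valid chain,
        # which is the "misplaced" case the text says these measures miss...
        "tail_removed": verify(key, sealed[:-1]),
        # ...unless the tally is compared with an independent count.
        "tail_removed_with_count": verify(key, sealed[:-1], expected_count=4),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Because HMAC is symmetric, anyone holding the key can produce valid tags, so the key has to stay out of the hands of whoever transports or stores the media.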

As with most objections to DRE voting, the auditability problem is a procedural one. Consider the procedures that casinos employ to protect themselves from slot machine fraud. Slot machines are entirely computerized, and casinos have a vested interest in safeguarding their correctness. Casinos have detailed procedures for certifying, handling, inspecting, and verifying the correctness of slot machine hardware and software. They fully recognize the risk of malicious insiders, and they take remarkable measures to hinder attempts at fraud. They employ random audits, video surveillance, random equipment swapping, schedule monitoring, random employee assignment, and a host of other security measures. Harris (2004) notes:

Actually, accountants for Las Vegas casinos have better expertise on fraud-prevention techniques than computer professors. Accountants are never invited onto voting task forces, nor were they called upon to testify when the Help America Vote Act, which prescribed new voting requirements, was written (p. 21).

Certainly, casinos have a great deal at stake, but so does the election process. There is no reason why State and local governments should not emulate the relevant portions of casino security to safeguard the accuracy of election results.

Benefits of DRE Voting

Apart from its potential weaknesses and vulnerabilities, DRE voting offers remarkable benefits, many of which are unique to DRE voting. It prevents overvoting through the use of electronic ballots. It also offers true accessibility for the disabled, greater efficiency resulting in shorter voting lines, and increased security when properly implemented.

Electronic ballots obviate the need for paper ballots by presenting voters with a touch screen display of ballot choices. Unlike paper ballots, electronic ballots cannot be exhausted. No matter how many voters arrive at a polling center, DRE voting systems will be able to record their votes. The same cannot be said of paper ballot systems, since the supply of paper ballots at a given polling center can be, and frequently has been, exhausted.

Electronic ballots also allow voters to view the ballot in a language of their choice. Under the terms of the Voting Rights Act (1965), "whenever any State or political subdivision [affected by the Act] provides any [election materials], including ballots, it shall provide them in the language of the applicable minority group as well as in the English language" (Sec. 1973aa-1a). This requirement places a significant burden on many election districts to provide additional paper ballots in multiple languages, many of which will not be used. Indeed, at the conclusion of paper-based elections, all unused paper ballots are discarded at considerable cost to taxpayers. Electronic ballots eliminate the cost of producing paper ballots and help ensure that everyone can cast their votes in a language of their choice.

In the past, voters with vision, hearing, motor, or other limiting disabilities could only vote with the assistance of an election official. DRE voting makes it possible, for the first time in U.S. history, for disabled voters to cast their votes in private without assistance from anyone. With DRE voting, every United States citizen can participate in the secret ballot system equally.

When it comes to efficiency, DRE voting systems are unparalleled. The onboard computers of DRE voting equipment completely eliminate any intermediate processing of paper ballots. Voters can cast their votes and have them tallied more quickly than by any other method. This results in faster vote counts and shorter lines at polling centers which, in turn, increases voter participation by enticing those voters who would otherwise balk at long lines.

Perhaps the most alluring feature of DRE voting systems is that they help prevent accidental undervoting and overvoting. If voters accidentally forget to select a candidate, or forget to vote on an issue, the voting software can remind them and give them a chance to correct their mistake before casting their votes. Likewise, overvoting is not possible with DRE voting systems. The voting software will not permit voters to select more than one candidate for the same political office. Moreover, only DRE voting systems can simultaneously prevent undervoting and overvoting.

When properly implemented, DRE voting systems offer the best possible security because even technical experts cannot tamper with the results, let alone election officials. At present, DRE systems are rarely implemented properly and usually pose undue risk to the security of recorded votes. Still, this should not deter their use, because all voting systems have an element of security risk that must be managed accordingly.

Improving DRE Voting

Like every voting system, DRE voting systems are not perfect, and various solutions have been proposed to resolve the problems with these systems. Of course, many opponents of DRE voting propose that these systems should be abandoned in their entirety, despite the fact that every other available voting system has similar flaws. Rather than rallying for the removal of problematic DRE voting systems, perhaps it would be wiser, and more beneficial, to investigate and incorporate effective solutions to their problems.

Opponents of DRE voting are right when they argue that the most important aspect of democracy should not be entrusted to private interests. To instill voter confidence, a voting system must be completely transparent. Secretive system vendors continue to tarnish the reputation of DRE voting systems. By refusing to share system designs, source code, and test results, DRE system vendors expose the American electorate to incredible risk. Without public oversight, voting equipment and the results of elections cannot be fully relied upon.

Fortunately, public oversight is easy to achieve through open source code and open testing. There are many watchdog organizations that have a vested interest in inspecting and verifying the correct operation of DRE voting machines; yet these organizations are excluded from the DRE certification process. To receive federal approval, a DRE vendor need only submit their system to a single testing authority. The test results, and the system itself, remain the private property of the vendor. It is surprising that federal guidelines do not require that voting system source code and test results be made public, since most activities which impact American society on such a fundamental level are open to public scrutiny and comment.

In response to these concerns, DRE system vendors often claim that their systems are a "trade secret" and that they are entitled to the privacy afforded by trade secret laws. This argument would have merit if these vendors were producing software for the private sector, and it might even have merit in the public sector if the software were not critical to the proper functioning of American democracy. However, given the importance of reliable and accurate elections, the only appropriate approach is to require vendors to release system source code and test results as a prerequisite for federal certification. Furthermore, to gain the widest margin of safety, voting systems should not receive federal approval until after a period of public inspection and comment. Independent oversight would also motivate federally approved testing authorities to do the best possible job, lest independent inspectors embarrass the testing authorities by discovering significant flaws that had been missed. Granted, this would slow the pace of voting system proliferation, but that is not necessarily a bad thing, especially when it might result in substantially increased voter confidence.

An interesting compromise between opponents and proponents of DRE voting is the Voter Verifiable Paper Audit Trail (VVPAT), also known as the Mercuri Method. Originally proposed in a doctoral thesis, Mercuri (2002) gives the following summary:

[The Mercuri Method] requires that the voting system print a paper ballot containing the selections made on the computer. This ballot is then examined for correctness by the voter through a glass or screen, and deposited mechanically into a ballot box, eliminating the chance of accidental removal from the premises. If, for some reason, the paper does not match the intended choices on the computer, a poll worker can be shown the problem, the ballot can be voided, and another opportunity to vote provided. At the end of the election, electronic tallies produced by the machine can be used to provide preliminary results, but official certification of the election must come from the paper records. (p. 50)

These requirements effectively address the misgivings of DRE voting opponents, and seem to transform DRE voting equipment into a fully auditable system; however, there is a problem with this approach.

Consider the adage of Segal's Law: "A man with a watch knows what time it is. A man with two watches is never sure." When employing the Mercuri Method, election officials are left with two audit trails at the conclusion of an election -- an electronic audit trail from the DRE equipment and a paper audit trail that, presumably, has been verified by the voter. Both sets of records are subject to tampering because the same election officials are responsible for administering them. Requiring the paper record to serve as the official tally effectively reduces the DRE system to little more than a sophisticated printing device. Moreover, when a discrepancy is found, it will be practically impossible to determine which record is correct. Favoring the paper record over the electronic one doesn't actually solve the problem, even if it does make DRE opponents more comfortable.

Harris (2004) is fundamentally opposed to DRE voting and claims: "Any computerized voting system that requires us to trust a few computer scientists and some corporate executives constitutes flawed public policy" (p. 64). Apparently, what is needed is a tamper-proof system of record keeping that can give an authoritative answer about the outcome of an election without entrusting that election to a limited group of people. Many computer scientists believe that this cannot be done, but researchers at the California Institute of Technology and the Massachusetts Institute of Technology have shown otherwise.

The Future of DRE Voting

The Secure Architecture for Voting Electronically (SAVE) is a product of the CalTech/MIT Voting Technology Project. It uses a computer programming method known as N-Version Programming to achieve new levels of security, accuracy, and reliability. The SAVE system uses redundancy at every level to thwart election fraud. The entire approach relies on cooperation between independently programmed modules to register, record, verify, tally, and audit electronic votes. No single part of the system is responsible for recording or tallying the vote; therefore, no single act of fraud (or error) can corrupt it. By design, the SAVE system allows elections to have the lowest margin of error imaginable.

The SAVE system is composed of many independent computer software systems. When a vote is first introduced to the system (by the voter), it is digitally signed and encrypted using modern cryptographic techniques to prevent tampering. The secure voting record is then submitted to a group of independent witness modules, which verify the original digital signature and encrypt the vote again using their own digital signatures. These doubly encrypted votes are then forwarded to redundant aggregator modules that ensure that a certain number of witness modules agree on the contents of the vote -- a technique known as thresholding. Selker & Goler (2004) remark that:

The thresholding characteristic provides improved reliability and verifiability while enforcing security. Still, unscrupulous or careless developers could write some of these systems. By having several different implementations of each module, we guard against a few of these systems being compromised from the inside intentionally or from outside attackers. (p. 94)

If the required threshold is reached, the recorded vote is encrypted, digitally signed a third time, and returned to the voter for verification. Because so many redundant systems are involved, and because each voting transaction is digitally signed and encrypted, voters are assured that the verified vote is the one that was cast. By design, the SAVE system will allow election localities to employ whatever witness modules they wish, perhaps crafted by political parties, watchdog organizations, or even the localities themselves. Such a system would prevent any single organization from controlling, let alone tampering with, the voting record. The voting results could only be corrupted by a large-scale conspiracy of all witness and aggregator modules -- a possibility that decreases dramatically with each additional module.
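The witness and aggregator thresholding described above can be sketched as follows. This is an added example, not code from the SAVE project or from this thesis; the witness names, keys, ballot strings, and the strict-majority rule are assumptions, and HMAC-SHA256 stands in for the modules' digital signatures.

```python
import hashlib
import hmac

# Constructed keys. HMAC-SHA256 stands in for each witness module's digital
# signature so the sketch runs on the standard library; a real deployment
# would use public-key signatures so the aggregator holds no signing secrets.
WITNESS_KEYS = {
    "witness-a": b"constructed-key-a",
    "witness-b": b"constructed-key-b",
    "witness-c": b"constructed-key-c",
}


def ballot_digest(ballot: bytes) -> bytes:
    return hashlib.sha256(ballot).digest()


def attest(witness_id: str, ballot: bytes) -> dict:
    """Attestation a witness module issues over the ballot it observed."""
    digest = ballot_digest(ballot)
    tag = hmac.new(WITNESS_KEYS[witness_id], digest, hashlib.sha256).digest()
    return {"witness": witness_id, "digest": digest, "tag": tag}


def aggregate(attestations, threshold):
    """Return the digest backed by >= threshold distinct witnesses, else None."""
    if threshold * 2 <= len(WITNESS_KEYS):
        raise ValueError("threshold must be a strict majority of witnesses")
    counted = set()   # witnesses already counted (one voice each)
    support = {}      # digest -> number of distinct valid witnesses
    for att in attestations:
        key = WITNESS_KEYS.get(att["witness"])
        if key is None or att["witness"] in counted:
            continue  # unknown module, or a repeat from the same module
        expected = hmac.new(key, att["digest"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, att["tag"]):
            continue  # forged or corrupted attestation
        counted.add(att["witness"])
        support[att["digest"]] = support.get(att["digest"], 0) + 1
    for digest, count in support.items():
        if count >= threshold:
            return digest
    return None


if __name__ == "__main__":
    ballot = b"contest=mayor;choice=candidate-2"  # constructed ballot
    atts = [attest("witness-a", ballot), attest("witness-b", ballot),
            attest("witness-c", b"contest=mayor;choice=candidate-1")]
    print(aggregate(atts, threshold=2) == ballot_digest(ballot))
```

A single dissenting or compromised witness cannot change the accepted record, and one witness repeating its attestation cannot reach the threshold alone.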

Moreover, with so many groups involved in the process, and with each layer of the system using advanced encryption techniques that are considered secure enough for use by the United States military, vote tampering is effectively prevented. If there is any question about the integrity of the results, the encrypted electronic record of each voting transaction is stored in many independently auditable locations. When deployed, the capabilities of the SAVE system should satisfy the legitimate concerns of opponents of DRE voting systems.


All elections rely on the good will of a large number of election officials to accurately tabulate and report on the results of an election. The highly decentralized U.S. election system helps to minimize the risk of election fraud on a national level. Still, as long as people are involved, there will be attempts (and perhaps successes) at election fraud, no matter which voting system is employed. This fact does not give sufficient reason to prohibit a given voting system, but it does give a criterion for selecting the best one. The best voting system is one that minimizes the risk of election fraud while maximizing accuracy and all other performance factors. By this measure, a properly designed and administered DRE voting system is clearly the best choice. Voter Verifiable Paper Audit Trails offer a good means of discouraging and detecting election fraud, but they are still vulnerable to the same kind of tampering that affects all paper-based voting. While it is true that currently available DRE voting systems are significantly vulnerable to election fraud, they should not be abandoned in favor of inferior paper-based systems. Instead, they should be continually upgraded to superior electronic voting systems so that the United States electorate can be confident that elections are conducted with the best voting systems available.


Adler, J. (2003, December 10-11). Confidence -- What it is and How to achieve it. NIST Symposium on Building Trust and Confidence in Voting Systems. Gaithersburg, MD. Retrieved November, 2006, from http://www.votehere.com/papers/NIST_121003.pdf

Avižienis, A. A. (1995). The Methodology of N-Version Programming. Software Fault Tolerance (Chap. 2). John Wiley & Sons. New York, NY. Retrieved November, 2006, from http://se2c.uni.lu/tiki/se2c-bib_download.php?id=1146

Bannet, J., Price, D., Rudys, A., Singer, J., & Wallach, D. (2004). Hack-a-Vote: Security Issues with Electronic Voting Systems. IEEE Security & Privacy, 2(1), 32-37. Retrieved October, 2006, from http://www.cs.rice.edu/~dwallach/pub/hackavote2004.pdf

Brennan Center Task Force on Voting System Security (2006, June 27). The Machinery Of Democracy: Protecting Elections in an Electronic World. Brennan Center For Justice at NYU School of Law. New York, NY. Retrieved October, 2006, from http://www.brennancenter.org/dynamic/subpages/download_file_39288.pdf

Burr, W., Kelsey, J., Peralta, R., & Wack, J. (2006, November). Requiring Software Independence in VVSG 2007: STS Recommendations for the TGDC [Technical Guidelines Development Committee for the EAC]. National Institute of Standards and Technology. Retrieved December, 2006, from http://vote.nist.gov/DraftWhitePaperOnSIinVVSG2007-20061120.pdf

Gross, G. (2004, October 19). Critics, supporters prepare for U.S. e-voting. IDG News Service. Retrieved December, 2006, from InfoWorld [electronic version], http://www.infoworld.com/article/04/10/19/HNreadyevoting_1.html

Harris, B. (2004). Black Box Voting: Ballot Tampering in the 21st Century. Talion Publishing. Renton, WA. Retrieved October, 2006, from http://www.blackboxvoting.org/book.html

Help America Vote Act of 2002, Pub. L. 107-252, 42 U.S.C. 15301-15545. Retrieved October, 2006, from http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ252.107

Jones, D. W. (2005, October 7). Threats to Voting Systems: A position paper for the NIST workshop on Threats to Voting Systems. Gaithersburg, MD. Retrieved November, 2006, from http://vote.nist.gov/threats/papers/threats_to_voting_systems.pdf

Jones, D. W. Voting and Elections Web Site. http://www.cs.uiowa.edu/~jones/voting/

Mercuri, R. (2002, October). A Better Ballot Box? IEEE SPECTRUM, 46-50. Retrieved November, 2006, from http://www.notablesoftware.com/Papers/1002evot.pdf

Pippin, J. (2005, July 14). Carteret Tosses Voting System [Electronic version]. The Daily News. Jacksonville, NC. Retrieved December, 2006, from http://www.jdnews.com/SiteProcessor.cfm?Template=/GlobalTemplates/Details.cfm&StoryID=33486&Section=News

Robinson, S. (2004, April). Works in Progress: Trustworthy Cryptographic Voting Systems. SIAM News. 37(3). Retrieved November, 2006, from http://www.its.caltech.edu/~siam/article_voting_siam_news.pdf

Rubin, A. D. (2006). Brave New Ballot. Morgan Road Books. New York, NY.

Rubin, A. D. Brave New Ballot Web Site. http://www.bravenewballot.org

Saltman, R. G. (1988, August). Accuracy, Integrity, and Security in Computerized Vote-Tallying. Institute for Computer Sciences and Technology, National Bureau of Standards. Gaithersburg, MD. Retrieved November, 2006, from http://www.itl.nist.gov/lab/specpubs/500-158.htm

Schwartz, P. M. (2002). Voting Technology and Democracy. New York University Law Review, 77, 625-698. Retrieved October, 2006, from http://www.paulschwartz.net/pdf/votingtech.pdf

Selker, T. (2004, October). Fixing The Vote. Scientific American, 90-97. Retrieved November, 2006, from http://web.media.mit.edu/~selker/publications/sciam-selker-3.pdf

Selker, T., & Goler, J. (2004, October). The SAVE system -- secure architecture for voting electronically. BT Technology Journal, 22(4), 89-95. Retrieved October, 2006, from http://pubs.media.mit.edu/bttj/Paper10Pages89-95.pdf

Shamos, M. I. (1993, March). Electronic Voting -- Evaluating the Threat. Proceedings of the 3rd ACM Conference on Computers, Freedom and Privacy. Burlingame, CA. Retrieved October, 2006, from http://www.cpsr.org/prevsite/conferences/cfp93/shamos.html/view?searchterm=shamos

Shamos, M. I. (2004, April). Paper v. Electronic Voting Records -- An Assessment. Proceedings of the 14th ACM Conference on Computers, Freedom & Privacy. Berkeley, CA. Retrieved October, 2006, from http://euro.ecom.cmu.edu/people/faculty/mshamos/paper.htm

Thompson, K. (1984, August). Reflections on Trusting Trust. Communications of the ACM, 27(8), pp. 761-763. Retrieved October, 2006, from http://www.acm.org/classics/sep95/

U.S. Government Accountability Office (2006, June 6). Elections: The Nation's Evolving Election System as Reflected in the November 2004 General Election. Washington, DC: Author. (GAO-06-450). Retrieved October, 2006, from http://www.gao.gov/new.items/d06450.pdf

U.S. Election Assistance Commission (2005, December 13). 2005 Voluntary Voting System Guidelines. Volume I: Voting System Performance Guidelines. Washington, DC: Author. Retrieved October, 2006, from http://www.eac.gov/VVSG%20Volume_I.pdf

U.S. Election Assistance Commission (2006). Introduction to the Voluntary Voting System Guidelines. Retrieved October, 2006, from http://www.eac.gov/vvsg_intro.htm

U.S. Election Assistance Commission Web Site. http://www.eac.gov

U.S. Office of Management and Budget (2007). The Budget for Fiscal Year 2007, 295-309. Washington, DC: Author. Retrieved November, 2006, from http://www.whitehouse.gov/omb/budget/fy2007/pdf/budget/other.pdf

VerifiedVoting.Org Web Site. http://www.verifiedvoting.org

Voting Machines: Will the New Standards and Guidelines Help Prevent Future Problems? Joint hearing before the House Science Committee and House Administration Committee (2006, July 19). Retrieved October, 2006, from http://www.house.gov/science/hearings/full06/July%2019/index.htm

Voting Rights Act of 1965, Pub. L. 89-110, 42 U.S.C. 1973aa-1a. Retrieved October, 2006, from http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=browse_usc&docid=Cite:+42USC1973aa-1a

Wagner, D. (2006, July 19). Witness testimony before the House Science Committee and the House Administration Committee. Retrieved October, 2006, from http://www.house.gov/science/hearings/full06/July%2019/Wagner.pdf

Wolter, K., Jergovic, D., Moore, W., Murphy, J., & O'Muircheartaigh, C. (2003, February). Reliability of the Uncertified Ballots in the 2000 Presidential Election in Florida. The American Statistician, 57(1), 1-14. Retrieved November, 2006, from http://www.amstat.org/misc/PresidentialElectionBallots.pdf

Copyright (C) 2006-2009 by Robert Pinchbeck, All Rights Reserved