by Bruce Scheier, leading technical expert and voice of reason on computer security.
Four years after the Florida debacle of 2000 and two years after Congress passed the Help America Vote Act, voting problems are again in the news: confusing ballots, malfunctioning voting machines, problems over who's registered and who isn't. All this brings up a basic question: Why is it so hard to run an election?
A fundamental requirement for a democratic election is a secret ballot, and that's the first reason. Computers regularly handle multimillion-dollar financial transactions, but much of their security comes from the ability to audit the transactions after the fact and correct problems that arise. Much of what they do can be done the next day if the system is down. Neither of these solutions works for elections.
American elections are particularly difficult because they're so complicated. One ballot might have 50 different things to vote on, all but one different in each state and many different in each district. It's much easier to hold national elections in India, where everyone casts a single vote, than in the United States. Additionally, American election systems need to be able to handle 100 million voters in a single day -- an immense undertaking in the best of circumstances.
Speed is another factor. Americans demand election results before they go to sleep; we won't stand for waiting more than two weeks before knowing who won, as happened in India and Afghanistan this year.
To make matters worse, voting systems are used infrequently, at most a few times a year. Systems that are used every day improve because people familiarize themselves with them, discover mistakes and figure out improvements. It seems as if we all have to relearn how to vote every time we do it.
It should be no surprise that there are problems with voting. What's surprising is that there aren't more problems. So how to make the system work better?
-- Simplicity: This is the key to making voting better. Registration should be as simple as possible. The voting process should be as simple as possible. Ballot designs should be simple, and they should be tested. The computer industry understands the science of user-interface -- that knowledge should be applied to ballot design.
-- Uniformity: Simplicity leads to uniformity. The United States doesn't have one set of voting rules or one voting system. It has 51 different sets of voting rules -- one for every state and the District of Columbia -- and even more systems. The more systems are standardized around the country, the more we can learn from each other's mistakes.
-- Verifiability: Computerized voting machines might have a simple user interface, but complexity hides behind the screen and keyboard. To avoid even more problems, these machines should have a voter-verifiable paper ballot. This isn't a receipt; it's not something you take home with you. It's a paper "ballot" with your votes -- one that you verify for accuracy and then put in a ballot box. The machine provides quick tallies, but the paper is the basis for any recounts.
-- Transparency: All computer code used in voting machines should be public. This allows interested parties to examine the code and point out errors, resulting in continually improving security. Any voting-machine company that claims its code must remain secret for security reasons is lying. Security in computer systems comes from transparency -- open systems that pass public scrutiny -- and not secrecy.
But those are all solutions for the future. If you're a voter this year, your options are fewer. My advice is to vote carefully. Read the instructions carefully, and ask questions if you are confused. Follow the instructions carefully, checking every step as you go. Remember that it might be impossible to correct a problem once you've finished voting. In many states -- including California -- you can request a paper ballot if you have any worries about the voting machine.
And be sure to vote. This year, thousands of people are watching and waiting at the polls to help voters make sure their vote counts.
Last weekend, frightened emails circulated around Travis County. At least one voter tried to select a straight-party Democratic ticket. When proofing the ballot, George Bush was selected for President.
Travis County Clerk Dana DeBeauvoir and the local democratic party were quick to spread the word that this was "human error and was not a machine malfunction."
They're doing the right thing to get the word out and ask voters to proof their ballots. But they're missing the point about voting system design. User errors are symptoms of design flaws.
The way it happens is this. "After pressing ENTER after marking Straight Democrat, some voters inadvertently turn the SELECT wheel one click through the ballot while meaning to go to the final "PROOF" page. If you hit enter at that point, your cursor is over the first candidate on the ballot: Bush/Cheney."
For the few steps, the user follows a pattern to make selections, and suddenly, the pattern changes. If the user doesn't notice they change, they accidentally select the wrong candidate.
Like the infamous "butterfly ballot" in Florida, this is a design flaw with the user interface.
These types of design flaws can be uncovered with usability testing. There are well-known techniques for detecting and fixing problems in the user interface that lead users to make mistakes.
But we don't do usability testing in Travis County. Before elections, the county does "logic and accuracy testing" to prove that the voting system generates the right results when voters make valid selection. The county puts out press releases explaining how this testing proves that the voting system is reliable.
But we don't test what happens when voters make mistakes. Usability testing is critical for all sorts of systems -- particularly systems where user choices have serious consequences like voting.
The lack of usability testing -- and the lack of rigorous security testing -- show that voting administration hasn't yet caught up to the responsibility of electronic voting.
On September 7, Nevada became the first state in the US to vote using electronic voting machines producing a voter-verifiable paper trail. The $9.3 million system was provided by Sequoia Systems.
There were a few delays, but no major problems, with 261,000 people voting. According to the AP story, "Several machines failed to start, and some printers jammed in Douglas and Carson City counties. Poll workers simply replaced them with functioning models."
The stored paper ballots were used to audit the election results. Six thousand ballots were sampled. Secretary of State Dean Heller said that the audit shows no variations in tabulation results.