Ignoring for the moment the security problems that are known about the machines, the lack of transparency is a show stopper. Voting systems should be designed so that the public has every reason to believe that their votes are being counted. Even if the computers do not cheat, the very fact that cheating is so easy with computers means that a more transparent voting mechanism is needed.

To understand the loss of transparency from e-voting, imagine that the upcoming Presidential election is decided by electronic voting machines in some places where the results don't agree with pre-election and exit polls. Why should we accept such a result? No one can watch as the electronic ballots are being handled or counted -- it all happens invisibly in the circuits of computers. There is no way to double-check the results -- the "recounts" of electronic voting machines are actually "reprints" of previously reported votes, regurgitated from the electronic memory of the machine.

If one set out to design systems to prevent checks and balances, it would be hard to outdo current paperless e-voting machines. Electronic voting in its current form is equivalent to handing over the counting of votes to private groups who count the ballots behind closed doors -- and then destroy them before anyone else can do a recount.

Perhaps we could accept paperless e-voting if we knew that the voting machines were infallible. But computer technologists know better. More specifically, we know that the supposed protections for e-voting are non-existent or deeply flawed. The (optional) Federal standards don't discuss security in any depth. The testing laboratories are paid by the voting machine companies, and refuse to explain what they do even to election officials. The one design of an e-voting machine that leaked out on the Internet was found to have incredible design blunders with respect to computer security. Before every election, tens of thousands of machines are delivered at least a day in advance to poorly secured polling places, and even to the homes of poll workers. Although the "redundant memories" and "electronic audit trails" of these machines are touted by vendors and election officials, candidates are routinely denied access to this information by the courts. In the one known case where the audit trails were examined, they were found to have been scrambled by three independent bugs in the machine software. There are hundreds of documented "glitches" in e-voting equipment, including lost votes, most of which are unexplained because there have been almost no in-depth technical investigations. Finally, due to the lack of transparency of any aspect of this equipment, there is no way to tell how many other problems have occurred that we don't know about.

Paper voting systems are, of course, also subject to inaccuracies and fraud. But the best paper systems have been shown experimentally to be highly accurate (and they allow recounts if inaccuracies are expected). With reasonable election procedures, fraud can be minimized -- ballots must be forged or altered one-at-a-time and every such ballot represents a risk to the perpetrator. But a single error in e-voting software, or a single "rogue programmer" could affect thousands of votes, possibly without detection.

If we put more effort into improved election procedures rather than looking to expensive new technology to solve all our voting problems, we can make paper ballot systems much more trustworthy than paperless electronic voting systems can be -- at least for the near future.

1. First and foremost, there is no perfect voting system because of the significant human factor involved (voters, staff and pollworkers primarily).

2. DRE touchscreen voting units are stand-alone and not connected to the Internet, which substantially minimizes any risk of intrusion by someone externally, as you have with a networked automated system.

3. There are significant checks and balances built into the design of these systems that would alert the election administrator if anyone had attempted to tamper with the system.

4. The DRE system used by Riverside County will not allow the PCMCIA cartridge (redundant memory that records the votes) to be interchanged with another unit, or the unit will not operate. The voter activation card which brings up the official ballot cannot be reused, unless the pollworker activates it.

5. In addition to both federal and state testing procedures, the election official conducts significant pre-election and post-election testing to ensure that the voting units are accurate. In addition, California has instituted a “parallel monitoring” program in which DRE voting units are tested in official election mode on Election Day. The California Secretary of State’s Office reported that its parallel monitoring program for the March 2004 primary was 100% accurate on all DRE units tested by its independent contractor for this major election.

6. More valid votes can be counted because these units preclude “over-voting,” or choosing more than the required choice in a specific contest, which minimizes the risk of inadvertent errors by the voters. And every ballot image can be printed for the purpose of a manual recount.

7. Our currently-certified DRE voting systems offer “verifiable voting” through a review screen in which the voter can “verify” each choice made and , those intentionally left blank or change his/her vote before the final electronic ballot is cast. It was demonstrated in Nevada in September 2004 that the redundant paper verification by the voter is not utilized by the vast majority of voters; and even with that very short ballot, the average time to verify selections both on the screen and the redundant paper tape was 64% longer, as reported by observers who timed voters. Printers jam, and voters wil mistake that breakdown as the electronic voting unit malfunctioning, not the printer.

We will learn more about this option when a longer ballot is used on November 2nd. It is an extraordinary redundant cost when paper ballots are currently available for those who wish to use them. However, it is not necessary to penalize the majority when there is not a demand by the majority for this added complexity and expense in the polls, which only increases operational risks on Election Day, when there is no demonstrable problem. Instead, it is designed to counter misperceptions rather than reality. On November 2nd, 2004, mechanical lever machines, paper punchcard systems and other paper-based voting systems will be used, the former without any audit trail, and the latter, which is being phased out in many states because of greater human error. There are far greater risks of error with these aged systems than exists with more accurate DRE voting systems. Who, in academia, would regress 30 years ago to typewriters and ditto machines for their teaching future leaders of America? Yet, paper advocates are crusading for this regression in our democracy when improved systems have been proven to perform and have, in fact, improved the integrity of the vote. There is a high level of confidence among voters because they know how automation has improved the quality of their lives. Is there a risk with our computer-operated automobiles, airplanes or medical devices that dramatically affects our life and safety? Yes, there is risk in anything we do including walking in the crosswalk; but there is no doubt these voting systems work successfully with the proper management, planning and training. Without these factors, there will be greater risk in any operation, irrespective of discipline or profession.

9. When working with multi-thousands of paper tapes, paper ballots, or paper sheets, the more fallible element invariably is the human being who is spending hours in the recount process. We used stacks of 25 paper ballots to lessen the number of times we would have a panel have to do it again because of the fatigue factor creating miscounts. This is why computers are used to prepare major federal/state budgets, because the accountability and accuracy are far greater than a human being using a slide rule or an adding machine with a tape.

10. Most importantly, election officials affirm an oath of office to ensure the integrity of the vote, along with thousands of citizen volunteers (pollworkers) and staff. These are the guardians of our democracy, and attest to the fact that DRE voting systems have been successfully used throughout our nation for the past 20 years without any evidence of fraud or manipulation. Will errors be made occasionally? Yes, because of the human factor that exists with every voting system. But the checks and balances in place, as well as the dedicated cadre of professional election officials and volunteers, will assure that if any human glitches occur, they will be addressed. However, DRE voting systems are proven to be far more accurate, reliable, efficient and cost-effective than any paper-based system over the long term.

The risks associated with electronic voting are much the same as the risks associated with voting over the past 40 years. There is the risk of programming errors, the risk of stuffing the ballot box. And there is the risk is that people will be given a wrong ballot and will vote in elections in which they are not entitled to participate.

Programming errors happen with punch cards, they happen with optical scan ballots, and they happen with DREs. As long as something other than a human being is counting the ballots there will be the potential for programming errors. But election administrators are aware of these potential errors these and work actively to prevent them. The risk of a programming error in a DRE is, I believe, lower than the risk of a programming error for other voting systems. The reason is that DREs and the software that runs them are more rigorously tested than paper based voting systems. In paper based voting systems election administrators proof the paper ballots to ensure the accuracy of the candidates and contests. This is separate from the testing of the computers that will count the ballots. Those computers are tested separately to make sure that the ballots they tally are consistent with the marks on the paper ballot. For DREs the proofing of the candidates and contests is incorporated into the testing of the tally. This results in a greater volume of tests, a broader scope of tests, and integration between the input and output of votes and results.

The second risk of someone stuffing the ballot box also applies to both paper based and electronic voting systems. I believe there's less risk with electronic voting systems With paper systems the empty ballot box is displayed at the opening of the polls. With DREs the zero report is printed showing that there have been no votes cast on the machine. In order to stuff a DRE ballot , a person would have to somehow get their hands on a DRE activation card (these are kept under tight security), and then vote multiple times. It would be extraordinarily difficult to do that undetected. When all is said and done, it's far easier to reproduce a paper ballot than it is to get an activation card. That doesn't mean it's easy to stuff a paper ballot election, it's nearly impossible. But if there is a risk, it's greater with paper ballots, not DREs.

Finally, there is risk that the voter will be given the wrong ballot (This was the situation in Orange County, CA in March). It's like issuing the wrong DRE activation code, and the risks of it occuring are probably similar in both systems.

I can assure you that the security surrounding the electronic voting machines is greater than the security of voting systems at any point in our history. DREs are kept under lock and key and under video surveillance 24/7. Anyone who wants to tamper with the machines while they are in the election administrator's possession would be detected before they could do so. While the DREs are out at polling places there are numerous security precautions taken to insure that no tampering takes place. Numbered tamper-indicating seals, physical separation of the DREs and the activators, zero reports that are verified before any DRE is put into operation, etc. prevent tampering. During election day the presence of pollworkers and voters acts as another deterrent to those who would tamper with DREs.

Even if someone has the technical skill to hack into a voting system, either electronic or paper based, they will still have to have access to the voting machines to tamper with them. Election administrators have security precautions in place to prevent or detect attempted tampering.

I have several considerations about the current crop of electronic voting machines.

1. The principle for voting in the U.S. is to have ballots cast in secret and counted in public. With electronic voting machines using code that's a trade secret to record and count the ballots, that isn't counting the ballots in public. And it is not clear that the secrecy of ballots is maintained when the electronic voting machines may record the order in which ballots are cast. A paper on privacy in electronic voting machines may be found here, under "Electronic Voting."
2. A standard principle of auditing of electronic systems for financial records is to maintain multiple independent copies of the data. For example, double-entry bookkeeping is done with the totals to balance, so as to help ensure the integrity of the system. Translated to the voting world, it means that there needs to be multiple independent records of vote records if they are recorded electronically. The simplest approach to ensuring a permanent immutable independent copy of the vote for non-networked electronic voting machines is to print a copy of the vote cast. Printing a copy of the ballot also gives the opportunity to the voter to verify that his or her choices have been properly recorded.

A better idea is to have the printed paper actually be the official ballot. In-polling place optical scanning systems have lower error rates and provide for meaningful recounts. The paper optical scan ballots can be marked by hand (such as for absentee ballots or in polling places), or marked using an electronic voting machine interface. The electronic voting machine interface can be made accessible to the voter just the same way that DRE (Direct Recording Electronic) voting machines can be made accessible. And an optical scanner ballot verifier can be used to allow visually- or reading-impaired voters to verify that their ballot correctly reflects their intent. Several commercial systems of this type currently exist. A variant of such a system is being developed by the Open Voting Consortium. At a forum on the Computer History Museum on Octobet 1, 2004, Bill Gates was asked about voting machines, and responded that he thought voting machines should print paper ballots that the voter can verify and place in regular ballot box.

I believe it is reasonable for voting machine vendors to maintain intellectual property rights on their systems through copyright and patent protection. I do not believe that it is reasonable for public elections to be performed on systems that are trade secrets. Voting machine and tabulation systems should all have their software code, hardware specifications, and requirements and test documents all published on the web. Tests performed by each Independent Testing Authority (ITA) should be made public. Secrecy of these systems and tests does not engender trust. Security through obscurity is poor security indeed. Linux has had fewer security problems (and they've been fixed faster) than Microsoft Windows and its variants. The secrecy of Microsoft Windows source code has not helped that much in securing that system.