Verifiable Voting Loses (Again) On Election Day
To paraphrase the late President Gerald Ford: “our long national nightmare is not over” – at least when it comes to the integrity of the U.S. voting system.
True, Tuesday’s Presidential election in the U.S. didn’t result in deadlocked vote counts, hanging chads or court challenges. But all the ingredients were there. First among them: a hackneyed and insecure vote collection system that fails to protect the integrity of individual ballots.
It’s hard to overstate the mess that is the U.S. election system. Unlike almost every other advanced nation (and quite a few developing nations), the U.S. has no independent, central authority that supervises national elections. Rather: the business of running elections falls to the states and – more specifically – to local communities. The result: voters living in two neighboring states – or even two neighboring towns – might have entirely different experiences casting their vote on election day. Those differences might range from the design of the ballot, to the system used to cast it, to the process by which that ballot is tabulated locally and added to the state-wide election totals.
Not that there haven’t been improvements. As late as the 2000 election, many cities and towns still relied on balky, manual, punch card and mechanical, lever-based ballot boxes dating to the early decades of the 20th century. After the debacle of the 2000 Presidential election between Al Gore and George W. Bush and the spectacle of the “hanging chad,” the US Congress passed the Help America Vote Act of 2002 (HAVA), requiring states to replace aging voting systems and improve election administration. Among other things, HAVA established the Election Assistance Commission (EAC) to certify electronic voting systems, help states comply with the law and provide funds to states to purchase updated voting systems.
In those ways, HAVA was instrumental in pushing cash-strapped state and local governments to upgrade voting equipment, but critics say it merely replaced one problem – unreliable mechanical voting systems – with another: unreliable electronic voting systems.
And each election brings fresh evidence of this. The Election Protection Coalition reported that it received 88,600 complaints on Tuesday. Among them were anecdotal reports of electronic voting systems that changed votes from Barack Obama to votes for Mitt Romney, and vice versa. In other counties, poll workers struggled to bring electronic voting systems online in time to open the polls, or experienced crashes and other problems with tabulation systems that required them to shut down voting for periods of time.
Even more troubling were reports from the critical swing state of Ohio, where a last-minute software update, described in some reports as “experimental,” was pushed out to vote tabulation systems in 39 counties, including some of the most populous in the state, in the days before Tuesday’s vote.
To look a bit deeper into this incident, I spoke with Matt McClellan, a spokesman for Ohio Secretary of State Jon Husted, on Tuesday, and he explained that the software update was merely a custom module, commissioned by the state from elections software firm ES&S. Once installed on the vote tabulation systems in county offices, it would convert XML format results reported by ES&S voting systems into a Microsoft Excel spreadsheet file that could be more easily uploaded to the Secretary of State’s central tabulation system.
“There’s no reason to be concerned. This doesn’t touch the vote tabulation software,” McClellan told me, adding that the Secretary of State had the blessing of the EAC to make the change without needing to recertify ES&S voting systems.
Brian Hancock, the Director, Voting System Testing and Certification at the EAC, confirmed that the Commission had given Ohio the green light to make the change – but also admitted that the Commission didn’t consider the change “de minimis,” either – the term the EAC uses to describe changes that don’t require recertification of voting systems.
There are a bunch of problems with what both McClellan and Hancock are saying. For one thing: the addition of a new reporting tool on a certified system clearly violated Federal rules that the EAC is supposed to enforce. The EAC’s “Voting System Testing & Certification Manual” makes it clear, in section 3.5, that any software or firmware change to a certified voting system requires retesting and re-certification of the system by an approved voting system testing lab.
That makes sense: without a thorough audit of the new application or update and thorough testing of the voting system after that software is installed, it’s impossible to know that the software does what it is supposed to do – and nothing else – or that it doesn’t introduce instability to the voting system that might hinder its operation on election day. McClellan argued that it was a totally separate application that didn’t “touch” the tabulation system. A Federal District Court Judge agreed, refusing to grant an injunction that would prevent use of the systems because the software in question didn’t pose “actual and imminent harm” to the voting process.
Of course, any application security expert would tell you that it’s impossible to know that without first studying the software in question. And Hancock, of the EAC, readily agreed that it would be better for the EAC to review any proposed software change to certified systems, but said that the agency lacked the resources to do that – and would risk driving states to abandon the voluntary system if it did. As a result, the EAC has to bend the rules in some cases. “Look, you’ve got to draw the line somewhere and, in doing so, it may seem somewhat arbitrary,” he told me.
As it turned out, the mystery update didn’t become a flashpoint of controversy. President Obama’s superior ground operation built a substantial enough margin of victory, 50.1%, in Ohio that the vote wasn’t contested. Beyond that, he won in enough other swing states that it didn’t matter anyway.
However, had the election hinged on Ohio, as many predicted, and had Ohio hinged on a few thousand votes from critical Cuyahoga County, where ES&S systems are used, speculation would immediately turn to the mystery “reporting tool” installed at the last minute. And, without any attestation of the legitimacy of that update, or prior review of the software in question, it would be impossible for anyone in either party to disprove the rumors. That, in turn, would put the integrity of the Ohio vote and the presidency into doubt. And that, not to put it too bluntly, would have been a disaster.
Hancock of the EAC argued that it’s impossible to make any software “100 percent reliable.” That may be true. But this is certainly one of those cases where it doesn’t pay to make “perfect” the enemy of “good.” And a quick look around will tell us that there are software-based systems in use every day – from ATMs to avionics – that are designed to be both secure and reliable and to protect the integrity of the data they manage. As this article points out, if state governments set the same high bar for the code running voting systems as they do for the code that runs slot machines, the public could have much greater confidence in the integrity of their votes. Of course, casinos and slot machine vendors know that if gamblers believe their machine is rigged, they won’t bother to use it. Unfortunately, the same is true of voters – but at a much higher cost to society.