|
I. Introduction
Like many people, I was initially excited about the
idea of using computers and the Internet to cast and count votes. I've been an advocate
for using new technologies to improve democracy for seven years now, and at first
online voting seemed to be a way to improve democracy that was just as promising
as other projects I'd undertaken, such as online voter education and Internet disclosure
of money in politics.
In fact, at the first meeting of California's Internet Voting Task Force, back in
the Spring of 1999, I was the person in the room suggesting that we all agree that
Internet voting is something California should pursue. I'm grateful that my fellow
task force members rejected my suggestion, because in the months that followed my
own opinion changed dramatically. The more I learned about the complexities of the
voting process, the more I realized how difficult and potentially dangerous Internet
voting could be.
I have some concerns about using computers at the polling place as well, but I also
have more confidence that my concerns about computerized voting may be addressed
through sound technology and good public policy. To help inform the discussion, I've
developed a list of ten things I want people to know about voting technology. The
items on my list address issues raised by the two resolutions the Democracy Online
Project's National Task Force has asked us to consider: 1) "The 107th Congress
should approve national standards for computer precinct voting"; and 2) "The
107th Congress should appropriate funding for the implementation of remote Internet
voting by 2004". In the conclusion of my remarks, I'll return to these two resolutions
and provide some recommendations that will help us move forward with new voting technology
in a thoughtful and responsible way. I also encourage you to visit the California
Voter Foundation's web page on voting technology, featuring resources to help shape
an informed debate on this topic, including news articles, studies, commentary and
links. This resource is available online at www.calvoter.org/votingtechnology.html.
II. Ten Things to Know
About Voting Technology
1. Voting is not like any other transaction.
The first remark I usually hear on the subject of Internet voting is, "I can
shop online, I can bank online, why can't I vote online?" The answer is that
voting is not like those transactions. Credit card companies and banks tolerate a
degree of fraud in all of their transactions. We could not similarly accept some
degree of fraud in the voting process. And, when you make a deposit to your checking
account over the Internet, your bank sends you back a message confirming the transaction
and the amount of your deposit. But if we are to preserve our right to cast a secret
ballot, then we would not want to vote online and have our election agencies send
back to us a note confirming our choices.
Casting a secret ballot in a fair and democratic election is, in fact, unlike any
other kind of transaction. Think about it: each person only gets to vote once, in
a limited time frame, and every voter must be authenticated while at the same time
preserving that voter's right to cast a secret ballot. Voters must be confident that
their votes have been accurately recorded and the voting system must create an audit
trail in case a recount is needed that also preserves the secret ballot. It is not
impossible to build an online voting system, but it's important to realize that to
do so creates unique challenges because voting is unlike any other transaction.
2. There are two kinds of Internet voting: polling place
Internet voting, and remote Internet voting.
It's important to distinguish between polling place Internet voting and remote Internet
voting, which is voting from home or work. Both remote and polling place Internet
voting use computers in the voting process and both use the Internet to transfer
ballots to the central counting center. The important difference between the two
methods is ownership of the computer that's acting as a voting machine. With polling
place Internet voting, the voting machine is owned and controlled by election officials.
With remote Internet voting, the voting machine is owned and controlled by either
the voter or their employer.
In our January 2000 report, the California Internet Voting Task Force made this important
distinction between polling place and remote Internet voting, and concluded that
while polling place Internet voting can and should be explored, remote Internet voting
could greatly expose the voting process to fraud. For this reason we made no prediction
of when, if ever, remote Internet voting would be possible.
3. Remote Internet voting is highly susceptible to voter
fraud.
A voting machine owned and maintained by a county election office can be controlled,
but a third party machine, owned by the voter or their employer, is highly susceptible
to attack. For example, a remote Internet voter could unknowingly download a "Trojan
Horse" or virus that sits on the voter's computer. When the voter opens his
Internet ballot on his computer desktop, at that point the ballot is no longer encrypted
and would therefore be susceptible to manipulation by a virus or malicious code.
A Trojan horse could then, for example, rearrange the appearance of the voting boxes
on the ballot, leading you to believe, for example, that you voted for the incumbent
but actually returning your ballot with a vote for the challenger. You would then
send your ballot back encrypted to your election agency, and since we cast a secret
ballot neither you nor your election agency would know that your vote had not been
properly recorded.
If you think this scenario is far-fetched, consider this: already some Internet users
have unknowingly downloaded programs known as "spyware" that keep track
of their computer usage and page visits without their knowing it and report this
information via the the user's Internet connection to commercial and marketing interests.
Already the vast majority of Internet users visit web sites that set "cookies"
in their web browsers used to track their online movements. Few even know what a
cookie is, let alone know how to remove one or how to set their browser preferences
to refuse them altogether.
Consider also the fact that remote Internet voting will give rise to a whole new
wave of voter fraud attacks from people living in foreign countries as well as those
who previously had no interest in elections but enjoy a good hacking challenge. The
Pentagon detected more than 22,000 attempts to probe, scan, hack into, infect with
viruses or disable its computers in 1999 alone, and anticipates the number of attacks
will only increase with time. And let's not be naive about our country's record on
voter fraud. Though voter fraud is not as much of a problem here as it has been in
other countries, history shows that in close races some campaigns do resort to cheating
in order to win. Automating the voting process gives one person the ability to make
a much greater impact when they attempt to cheat.
When you consider the likely increase in attempts at voter fraud, combined with the
low level of computer literacy we have now, both among users and the election community,
it is unrealistic to think we are ready for remote Internet voting anytime soon.
4. Remote Internet voting may erode our right to cast a
secret ballot and lead to political coercion in the workplace.
Currently we cast our ballots in a private polling booth, and in some counties voters
place their ballots inside an envelope so that poll workers and other voters won't
catch a glimpse of their votes before they drop their ballot into the ballot box.
Polling place Internet voting can preserve the secret ballot and the sanctity and
privacy of the polling place. Remote Internet voting, on the other hand, can lead
to voting from work, which is where most of us connect to the Internet during the
day. And for many of us, our workplace computers are far from private.
If we were to vote from work, our coworkers or supervisors might casually or deliberately
watch us as we make our choices. Even if they aren't standing over your shoulder,
the company intranet could easily retain a copy of your ballot. These are not insurmountable
obstacles, but it does mean that if we allow for voting in the workplace, we'll need
new policies to protect employees from potential political coercion in the workplace.
New policies would need to be developed to protect the right to cast a secret ballot
in the workplace on your employer's computer, and such policies would contradict
with existing laws that assert an employer's right to review any material their employees
create on a company computer, including personal email. Simply put, voting in the
workplace could be a nightmare for employers and employees alike, and if we were
to move forward with remote Internet voting in the future we'd be wise to prohibit
voting in the workplace altogether.
5. Remote Internet voting poses a threat to personal privacy.
How would we authenticate remote Internet voters? Authenticating voters is one of
the primary steps we take to protect our elections from fraud. We have to make sure
that people are eligible to vote, vote only once, and cast their own ballots.
Using a pin number in combination with other pieces of personally identifiable information,
as the Arizona Democratic Party did in its March 2000 Primary, is not sufficient
to protect our elections from vote selling, vote swapping, and voter fraud. Digital
signatures may be an option, and we have a long way to go before that technology
is widely understood and accepted by the public, and digital signatures still cannot
protect Internet voters' ballots from a Trojan horse attack.
The most secure way to authenticate voters is to use biometric scanning procedures,
such as retinal or finger-printing scans. I, like many Americans, find such security
measures invasive, and believe it would be unwise to sanction government agencies
to begin collecting sensitive biometric data on American citizens. There is a general
rule I follow: for every degree of convenience we gain through technology there is
usually a corresponding loss of privacy. Remote Internet voting would make voting
more convenient, but that convenience will come at a price that, in my opinion, is
too high.
6. There is a huge politics and technology information gap.
In my seven years of working in politics and technology, I have found there are unfortunately
too few people who have a working knowledge of both fields. This huge gap between
politics and technology appears to be widening, not closing over time, and is becoming
increasingly evident around the issue of Internet voting. Many of the political experts
who talk about Internet voting don't appreciate the technological dangers of voting
online. Then there's the technologically-savvy but politically naive people who say,
"Wouldn't it be great if we could vote on everything?", failing to understand
either the benefits of representative democracy or the complexities of the voting
process. If we are going to close the politics and technology gap, we are all going
to have to make a great effort to educate the experts and bring people from diverse
fields together online and offline through conferences and public meetings. It's
going to take a lot of work, but if we address the politics and technology information
gap it will make for better public policy in every area impacted by technology.
7. There is a generational technology gap.
Older people are not as familiar with new technology as younger people are, and surveys
show that younger voters are sometimes intimidated by existing voting technology.
The generational technology gap turns up in many places. The Democracy Online Project's
post-2000 general election survey found that the younger the voter, the more likely
they used the Internet to access election information.
Internet voting polls also find that younger voters find the idea of Internet voting
much more appealing than older voters do. For example, a poll conducted by ABC News
in 1999 found that only 19 percent of Americans age 65 and over would support Internet
voting even if it could be made secure from fraud. Similarly, a year ago the Public
Policy Institute of California surveyed Californians and found that public support
for Internet voting is highest among 18-34 year olds (59 percent) and lowest among
those 55 and over (27 percent). There is no doubt that new technology provides an
unprecedented opportunity to engage alienated young people in the democratic process,
but we must be careful that we don't alienate older voters along the way.
8. Changing technology alone isn't enough; voter education
is also needed.
It made me angry to hear people ridicule Florida's voters for casting their votes
incorrectly. As an experienced voter educator, it no longer surprises me to hear
about the elements in our voting process that voters find confusing. There is an
intolerable lack of reliable, nonpartisan voting information available for U.S. voters;
most of what passes for election information comes in the form of campaign mailers
and thirty second spots designed to confuse, manipulate or scare voters and do just
about anything but inform them.
We take so much for granted when it comes to voter education, and it is shameful
that the United States poses as a model democracy for other countries to emulate
when we make virtually no effort to educate our own voters and prepare them to vote
on Election Day. We can begin to address this problem by appropriating federal and
state funds to nonpartisan voter education efforts. We already spend $31 million
a year on the National Endowment for Democracy to advance democracy abroad; we can
certainly afford to spend at least the same amount to advance democracy at home.
9. Transparency in the voting process fosters voter confidence
and security.
Whatever changes we make to our voting technology, we must not sacrifice the trust
that is gained by having a transparent vote casting and counting process. The old
voting technology that we are talking about replacing, in particular the punch card
ballot, functions in a way that is transparent to the voter. You mark or punch your
ballot, you drop it into a locked box, and the box is transported to the central
counting center by pollworkers where the public can (and often does) watch the counting
of ballots.
Now, as we consider introducing computers into the voting process, we must look at
how transparency may be affected. Whether we are talking about Internet voting or
any kind of computerized voting, one inevitable result is that very few people, and
certainly not your typical voter, have the expertise to review the software used
for a computerized system and know that it is functioning properly. Consequently,
it will require much more faith on the part of the voter in both the voting technology
and their election officials to trust that a computerized system accurately records
and counts their votes. And faith, unfortunately, is something that's in short supply
right now in our democracy, so we must be careful that we don't erode it any further
when we upgrade our voting technology.
10. Software used in the voting process should be open to
public inspection.
One way to build public confidence in computerized voting is to require voting software
code be made public. Election officials often cringe at this suggestion for two reasons:
they think that making voting technology source code public will undermine the security
of the voting process; and they expect that voting technology companies will object
to revealing their source code because it undermines their competitiveness in the
marketplace. In fact, many of the leading voting technology companies are not necessarily
opposed to public source software, and some have already indicated they will comply
with a public source code requirement if it's imposed on everyone.
The first concern -- the public source undermines the security of the voting process
-- reflects the misguided "security through obscurity" approach to software,
which is the idea that keeping your source code secret makes your technology more
secure. In fact, there is consensus in the security industry that public source code
leads to more secure computer systems than closed source.
In fact, the Pentagon, our number one military agency, recently decided to no longer
purchase closed source, commercial software programs from companies such as Microsoft,
Netscape and Lotus to use in its most sensitive systems. The reason given by a Pentagon
official, speaking anonymously to the Washington Post, is because they found that
these closed source programs had too many holes, backdoors and trapdoors that place
the department in greater danger of a computer attack than using public and open
source software would.
No software program is perfect, and any voting software program will inevitably have
holes and some problems. If the source code is closed, those who want to manipulate
the outcome of an election will eventually find and exploit those holes. If the source
code is open and public, then the good guys in the security industry can find the
holes first and help fix the software.
One high-profile example of this shift toward public source for high-security operations
is the National Security Agency's initiative to develop "Security Enhanced Linux".
This is a new, security-enhanced operating system that was just released this month.
It's based on Linux, a very successful open source operating system, and anyone in
the world can go online to www.nsa.gov/selinux/ and download its source code. If
the agency entrusted with protecting our national security finds public source code
more secure than closed source code, it should be a clear signal that the election
community would be wise to follow suit.
Of course, we can't assume the good guys are going to forever be reviewing voting
software code, so it's crucial that a continuous recertification process is also
established. Computerized voting machines, unlike punch cards, are based on dynamic,
not static technology. We must anticipate that any computerized system will need
to have security holes fixed, upgrades made, and new computer and Internet protocols
supported.
Even if we have public source voting software, we will still have a limited number
of experts capable of evaluating its reliability. And what some security experts
are saying is that it will be difficult, if not impossible to know for certain if
the software that's been certified and is publicly available is the same software
that's running on your voting machine. It's worth noting that some of the strongest
objections to computerized voting are made by computer security experts. For this
reason, and also to foster voter confidence in new voting technology, it would be
wise to consider a way to use a mix of paper ballots and computers in the voting
process, and to require that paper ballots be counted along with digital ballots
so that we could create a paper audit trail and thwart attempts to rig voting software.
III. Discussion of the two resolutions
"The 107th Congress should approve national standards
for computer precinct voting."
The conduct of elections is a matter currently left up to the states. To impose national
standards for computerized precinct voting would represent a major shift in how U.S.
elections are conducted. However, the Federal Election Commission does have a voting
systems standards group in place. Though its standards are advisory, they have already
been adopted by 31 states. We may not even need legislation to get the remaining
19 states to follow suit; through better public scrutiny of these standards and better
tracking of the states that follow them we could make positive advancements in voting
systems.
If Congress were to adopt any standards for computerized voting, such standards should
include a public source code requirement, and be accompanied by funding for voter
education and a plan to bridge the generational technology gap.
"The 107th Congress should appropriate funding for
the implementation of remote Internet voting by 2004."
For all the reasons I've stated before, we are simply not ready for remote Internet
voting and to set a deadline for when we will be ready would be irresponsible. While
the California Internet Voting Task Force featured remote Internet voting as the
fourth and final stage of an Internet voting process, we also did not make any predictions
for when, if ever, remote Internet voting would be a practical voting alternative.
To adopt this resolution would be a classic case of putting the cart before the horse.
If Congress wants to advance remote Internet voting, it should first articulate the
criteria of such a system before setting a date for its implementation.
IV. Conclusion
New voting technology has many advantages, but it also brings new challenges to
the voting process. And not all current voting technology is inadequate. Many voters
in the U.S. cast ballots using optical scan systems, which are affordable, accurate,
have a paper audit trail that can provide for a recount, and some of which feature
a ballot scanner at the polling place that helps voters avoid overvoting or spoiling
their ballots. Whatever we do to upgrade voting technology, we must ensure that all
voters have an equal chance of having their votes counted.
We need to close the politics and technology gap and continue to bring experts from
different fields together to share information and learn from each other. We need
our elected representatives to demonstrate patience, good judgment and leadership,
and we need the media and public to pay close attention to voting technology policy
as it develops. And we need to get serious about voter education in this country
and spend the public resources needed to prepare people to vote on Election Day.
It is remarkable that the first Presidential election of the new millennium came
down to the question of whether we have more faith in people or machines to accurately
and fairly count votes. The U.S. Supreme Court decided the answer was machines. This
ruling sets a dangerous precedent. Technology can do a lot for us, but it cannot
and should not trump human judgment.
I raise concerns about Internet voting not because I am pessimistic; on the contrary,
I am very optimistic about the opportunities before us to advance and transform democracy
using computers and the Internet. I am critical of voting technology not because
I am opposed to it, but because I cherish democracy and think computerized voting
is both one of the most exciting and potentially dangerous ideas of our time.
|
