Can engineers save the electorate? - Embedded.com

Many voters encountered touch-screen monitors when they headed to the polls this past election Tuesday. Touch screens, along with other electronic voting technologies, were rolled out largely in reaction to the chaos and uncertainty surrounding the 2000 election controversy in Florida, after which demands for the modernization of the voting process issued from all quarters of the nation. But, as most engineers and programmers know, technology is not the panacea (or the demon) the public sometimes expects it to be. In fact, it creates as many questions as it answers.

Those questions are the subject of Shop-Talk, a new feature on embedded.com, in which industry experts debate issues related to embedded technology. Don't miss this opportunity to eavesdrop on a group of bright, opinionated, and diverse engineering personalities as they hash out the best way to implement electronic voting, or whether it's even a good idea at all.


Michael Barr
Many people seem to take the position that electronic voting is less trustworthy than paper-based balloting, and I'm concerned about that as well. But I think we should also consider some of the positives that electronic voting has to offer.

Having moved to a different county this fall, I had the experience of using a brand new touch screen electronic voting machine for the primary and an older paper-based system for the general election. The older system was one where you draw a line segment and feed the ballot into an optical scanner. Going “backward” like this gave me food for thought.

Some of the really great things about the touch-screen system are:

– The ease with which you can change your mind or correct a mistake; I would've had to ask for a new paper ballot to do that when I voted.

– A guarantee that you've cast all your votes for a particular position; what if I only drew one line on the paper when I was allowed to “vote for no more than three” judges? What if I drew four lines? Who will warn me?

– A guarantee, via a final review screen, that I have voted on all the items I care to — and that the machine has understood all of my votes; the optical scanner won't beep and reject a ballot if the ink is too weak on one line or there are multiple votes where there shouldn't be.

Finally, and maybe sitting in front of a computer all day gave me an edge here, the electronic system seemed more intuitive and foolproof.

John Canosa
Interesting that you are concerned about it being less trustworthy. Because of its importance I believe that we can spend the money to build a very fault tolerant system. Remember, several states had error rates (tainted ballots) greater than 2-3% in the 2000 election; an electronic system can certainly be developed that is more reliable than that. And perhaps it is my naive belief in the general honesty of man, but I think that with the proper security measures, tampering can be made less of an issue than it is in the current system.

That being said, my gut tells me that it would be a big mistake to roll out electronic voting too fast. While those of us in the technology industry think this is a no-brainer, there is still a very substantial part of the population that is still quite computer-phobic.

To make matters worse, most of these people are from the older population, who happen to be the most avid voters in the country. The last thing we need to do is to scare off a sizable number of voters when turnouts are already embarrassingly low. It will be interesting to see Florida's second chance at an electronic system since they happen to have a large elderly population — they really screwed up the first attempt in 2001. I would be interested in hearing the answer to three questions:

Did the turnout of elderly voters change substantially? Were those people who did vote able to understand, navigate and vote for their candidate of choice? And exactly how long did it take the average elderly person to make their selections and enter their ballots (long lines were a big cause of the outcry in 2001)?

On the bright side, I heard there were independent election supervisors in Florida from those two bastions of democracy, Russia and Albania, to make sure things went smoothly. Vote early and often!

Jack Ganssle
Should everything that can be computerized be computerized?

Perhaps that sounds like the rambling of a Luddite, but just because we can do something doesn't mean that we should.

The only reason to computerize voting is to give a more accurate vote faster and cheaper. To date, it's not at all clear to me that we can gain accuracy — or at least trusted accuracy — or cheaper votes. At least not with the current state-of-the-art.

Accuracy will require software that really works, 100% of the time. This is not like the Space Shuttle, which requires software that works a few hundred times. The vote problem is compounded by tens of millions of transactions, and is mediated by untrained non-experts at the polls, not rocket scientists.

Accuracy requires that the software internals be well-known. Are you sure there isn't a back-door? With the political parties descending to ever-deeper levels of corruption and elections representing (in total) billions of dollars, fraud is pretty tempting. It's pretty clear that anything that can be hacked will be, all of the time. Voting is gonna have to be absolutely hack-proof.

It will have to use perfect software to gain the public's trust. And for now perfect software remains an oxymoron.

How do we audit the vote? Without paper backups, there's no way I can see. Yet most states have laws that require audits if the vote is very close.

What if the machine crashes? What if power goes down? Suppose just two votes get lost — aren't there constitutional issues there? Doesn't universal suffrage mean that losing votes is unacceptable? Suppose failures are more common in highly ethnic areas (just due to random chance) — what will the Supreme Court read into that?

Now, we know paper votes are less than perfect; but introducing a new system requires higher levels of perfection, with everyone believing that the vote is accurate.

I don't think e-votes will be cheaper than paper ballots, at least for many years. It's too easy to contest digital votes. There's so much FUD out there today that any lawyer can befuddle the process by raising concerns. Paper votes, for better or worse, have a couple of centuries of jurisprudence behind them. The Florida mess in 2000 was awful, but suppose it had been entirely digital?

That's sort of like the death penalty today. Fact is, it's much more expensive to send someone to the chair than lock them up for life, because of the costly appeals process (except maybe in Texas…).

Rebecca Mercuri has written much on this, and it's worth a gander.

E-voting will come, but not till a lot of fundamental issues get addressed.

Bill Gatliff
I think I'm with Jack on this one.

What problem does electronic voting actually solve? Our insatiable American desire for instant gratification, which in this case takes the form of a rapid vote tally? That's hardly a reason to rip up a system that's worked pretty well for so long. And since most polling places are staffed by pizza- and coffee-powered volunteers, I really question the economics of making the process electronic, too.

That leaves you with the supposedly improved abilities for electronic systems to generate an “accurate” vote tally, which is something that sounds good, but isn't achievable in practice.

Now admittedly, I'm not well-versed on the nuances of all the proposed electronic voting systems. But as far as I can tell, they're all the electronic equivalent of dropping tokens into bags — one token per voter, one bag per candidate. How exactly would that be an improvement in accuracy over a paper ballot?

I agree that Florida 2000 was a miserable experience, one that I'm not anxious to repeat any time soon. But the part that people seem to get hung up on was how it exposed “weaknesses” of paper balloting that I'm not so sure are real weaknesses — and besides, we've been living with them for a long time already so their existence was hardly news.

Forget about “hanging chads” for a moment. The fact that the contested districts in Florida had paper ballots meant that the results of a recount could command the same weight as the original count, because you were counting the same thing the second time around. How do you duplicate this electronically, when all you're doing to get the new results is clicking, “count me again”? A database query is not an equivalent operation to a keystroke tally, so to take the second set of numbers at all is like starting a comparison between apples and orangutans.

Ok, so what if you don't like the results of the electronic recount, or the numbers actually do change? In the paper ballot case, you can chalk up the differences to inherent errors in the process, which are well known and characterized. In the case of a supposedly “accurate” electronic system, what do you do? Is it a software bug? Is it a hardware problem? And what becomes the status of those votes when such an error is uncovered? You certainly can't keep them, because you've entrusted their entire safekeeping to a system that is now known to be faulty. In contrast, even if today's volunteer voting judge dumps a Pepsi into the (paper) ballot box, you've still got something.

Now, about those hanging chads and other errors inherent to a paper ballot system. This is where Florida got into trouble in my opinion. In order to “count” those ballots, they replaced a machine having a quantifiable error rate with humans that could achieve, at best, a comparable but unquantifiable accuracy. And then everyone freaked out (except me), when the numbers came back different. D'oh! I would have been very suspicious if the numbers hadn't changed!

I think that a more logically sound approach in Florida's situation would have been to treat those cards like all the rest, and say that if the machine could read them then the vote would be counted; otherwise, you have to throw them out or risk bringing on those fruit vs. animal comparison scenarios. Florida let emotions prevail over logic, however (what did you expect, they had lawyers and politicians in the same room!), and ended up with hairy applesauce.

But would an electronic system have fared any better? No! Because what Florida actually tried to do was measure something with more precision than the system could deliver, which is a big no-no in any situation. The paper system was known to be able to deliver results within 2% or so of the “true” tally. And yet, they were asking it for a number that was somewhere around 0.1% (the actual numbers escape me, but I seem to recall they were around those ranges). That's like trying to set the thermostat in your house to 74.01 degrees!! You can't do it, and nobody should be surprised by that. And yet…

Sure, a working electronic system could have moved the “noise floor” down to below the 2% that the paper-based system could deliver, but with no fault tolerance in the form of an ability to do a meaningful recount and other features that paper offers. I'll take the noisy but meaningful numbers all day, every day.

And while I'm ranting, don't get me started on that “one person, one vote” b^&*$%!t that came up during that whole fiasco. We've never had that, and Heisenberg dictates that we never will. My wife, being an accountant, knows that better than anyone — when you audit something, you have to know in advance what the accuracy limits of your auditing process are because there are plenty of situations where you either can't precisely tally what it is you've been asked to tally (a bin full of pig snouts at a pork processing plant, true story), or you know that the tally process itself is error prone (adding up the amounts for 10,000 canceled checks).

Voting has always been, and will always be, like that. Electronics won't change that, at best it can only give the illusion that it can while failing to deliver.

At the moment, the only way I could support electronics in the polling process would be in its ability to help someone prepare a paper ballot. I like that because you could quantifiably test that the machine was generating a proper ballot, and you wouldn't have to sacrifice all the other advantages that paper has over an all-electronic system.

Larry Mittag
Ah, the old “if it was good enough for Grandpa it is good enough for me” argument. Always a classic.

The point about error rate is particularly important. There are several sources for error in the current paper-based system. Some of these are:

  1. Voter error #1 (Was Simon the crook and Davis the incompetent, or the other way around?)
  2. Voter error #2 (How many of these turkeys can I vote for?)
  3. Polling error #1 (Spilled coffee)
  4. Polling error #2 (“Lost” ballots)
  5. Counting errors (Hanging chads, simple human error)

A well-designed electronic system is essentially a data collection system. The closer to the data source the information is converted to digital, the better the accuracy. This is particularly true in a balloting process, where the data (i.e. votes) are handled by humans with various failings and agendas of their own.

Note that an electronic system is also subject to perversion. Insertion of a filter at any point could give control of the results. This cannot be a slipshod implementation.

Michael Barr
Bill Gatliff wrote:
At the moment, the only way I could support electronics in the polling process would be in its ability to help someone prepare a paper ballot. I like that because you could quantifiably test that the machine was generating a proper ballot, and you wouldn't have to sacrifice all the other advantages that paper has over an all-electronic system.

That's an interesting point. (You made lots of them actually.)

Suppose for a moment that you and Jack could accept that electronic voting's ability to deliver instant feedback (or some of the user interface issues I mentioned) were worth the cost of doing it right. Now add to the current system a simple final step: once a user sees their final vote onscreen, they are printed a paper ballot.

The way I envision it, the voter would also have a chance to visually check that before their turn at the poll was complete. Then they put the paper receipt/ballot into a collection box. The paper (complete with machine number, but no voter ID) becomes the audit trail for that machine's tally. If the machine crashes, you can always count the paper ballots it had previously created at the end of the day.

Of course, I'm sure adding printers and refilling paper cartridges really hurts the MTBF of these things. But then anyone who argues electronic voting would be cheaper is a fool or a salesman.

Larry Mittag
Michael Barr wrote:
But then anyone who argues electronic voting would be cheaper is a fool or a salesman.

Certainly true here in the U.S., where people argue in the newspapers over the results. Not necessarily true in places where people argue with guns in their hands. A system that was trusted internationally could prevent wars…

Bill Gatliff
Larry Mittag wrote:
Ah, the old “if it was good enough for Grandpa, it is good enough for me” argument. Always a classic.

Yes, but with a twist. I did suggest a system that I could support, and I did clearly point out why grandpa's system is currently better than the proposed alternatives.

Larry Mittag wrote:
The point about error rate is particularly important. There are several sources for error in the current paper-based system. Some of these are:

  1. Voter error #1 (Was Simon the crook and Davis the incompetent, or the other way around?)
  2. Voter error #2 (How many of these turkeys can I vote for?)
  3. Polling error #1 (Spilled coffee)
  4. Polling error #2 (“Lost” ballots)
  5. Counting errors (Hanging chads, simple human error)

Which is why I think having a machine help the user prepare his or her paper ballot is a good thing. Having pictures of the candidates (as is done in Brazil) onscreen might help the user pick the right one, and algorithms could coach the user when they're trying to vote for too many turkeys.

But you have to generate paper and the paper has to be the definitive vote, in my opinion. Otherwise, the system goes to pieces when it encounters a failure mode. And you can't afford that under any circumstances.

Now, the generated paper ballot doesn't necessarily have to look like the one we use now. Myself, I'd go for a thermal paper having ECC'd barcodes and hashes that make each ballot unique and confirm that the ballot was read correctly.

Larry Mittag wrote:
A well-designed electronic system is essentially a data collection system. The closer to the data source the information is converted to digital, the better the accuracy. This is particularly true in a balloting process, where the data (i.e. votes) are handled by humans with various failings and agendas of their own.

In theory, you are right. But the digital medium gets disturbed far more easily than a paper system, which is why I don't think you can use computers for anything other than as a facilitator for a paper-based process. Any system will have errors, but paper gives you far more options for meaningful recourse than electronic bits.

Larry Mittag wrote:
Note that an electronic system is also subject to perversion. Insertion of a filter at any point could give control of the results. This cannot be a slipshod implementation.

So would that make it powered by Linux, or Win2k? :^)

Seriously, I read on cryptome where someone suggested we use lottery machines to prepare and record ballots. Interesting idea, not one I'd readily dismiss in fact.

Bill Gatliff
Michael Barr wrote:
Suppose for a moment that you and Jack could accept that electronic voting's ability to deliver instant feedback (or some of the user interface issues I mentioned) were worth the cost of doing it right.

I don't object to having instant feedback. Using that as the key motivator for designing a fundamentally flawed system is the part I object to. All other features being done properly, it's a nice benefit.

Michael Barr wrote:
Now add to the current system a simple final step: once a user sees their final vote onscreen, they are printed a paper ballot.

Yep.

Michael Barr wrote:
The way I envision it, the voter would also have a chance to visually check that before their turn at the poll was complete. Then they put the paper receipt/ballot into a collection box. The paper (complete with machine number, but no voter ID) becomes the audit trail for that machine's tally. If the machine crashes, you can always count the paper ballots it had previously created at the end of the day.

Why not just count the paper ballot, so you're sure you have the machines on hand? But yes, having a second (but non-evidential) set of numbers in the machines that printed the ballots would be an additional data point that everything was working right. And if nobody contests those numbers, there's no point in not using them. So you may as well use them as the basis for an initial tally.

But the paper has to be the definition of the vote, not the numbers stored in any machine.
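
The paper-as-definitive scheme Bill Gatliff and Michael Barr describe above (a ballot carrying a hash, counted on paper, with the machine's stored numbers as a cross-check), sketched as an added example that is not from the original discussion or any real voting system. The record layout, the truncated SHA-256 digest, and the names `make_ballot_line`, `read_ballot_line` and `audit` are assumptions; the error-correcting barcode layer is left out.

```python
import hashlib
import secrets
from collections import Counter

DIGEST_LEN = 16  # hex characters of SHA-256 printed on the ballot (assumed)


def _digest(body):
    return hashlib.sha256(body.encode("utf-8")).hexdigest()[:DIGEST_LEN]


def make_ballot_line(machine_no, selections, serial=""):
    """Text a ballot printer would encode: machine number, a random serial
    (unique per ballot, no voter ID), the selections, and a digest."""
    serial = serial or secrets.token_hex(8)
    votes = ";".join(f"{c}={v}" for c, v in sorted(selections.items()))
    body = f"{machine_no}|{serial}|{votes}"
    return f"{body}|{_digest(body)}"


def read_ballot_line(line):
    """Return (machine_no, serial, selections), or None when the digest does
    not match. A bare hash catches misreads and damage, not forgery; that
    would need a keyed MAC or signature."""
    body, sep, digest = line.strip().rpartition("|")
    fields = body.split("|")
    if not sep or len(fields) != 3 or _digest(body) != digest:
        return None
    try:
        selections = dict(i.split("=", 1) for i in fields[2].split(";") if i)
    except ValueError:
        return None
    return fields[0], fields[1], selections


def audit(paper_lines, machine_tally):
    """Tally the paper, then report where the machine's stored numbers differ."""
    seen, paper = set(), Counter()
    unreadable = duplicates = 0
    for line in paper_lines:
        ballot = read_ballot_line(line)
        if ballot is None:
            unreadable += 1          # set aside for hand inspection
            continue
        machine_no, serial, selections = ballot
        if (machine_no, serial) in seen:
            duplicates += 1          # same ballot scanned twice
            continue
        seen.add((machine_no, serial))
        paper.update(selections.items())
    diff = {k: (paper[k], machine_tally.get(k, 0))
            for k in set(paper) | set(machine_tally)
            if paper[k] != machine_tally.get(k, 0)}
    return {"paper_tally": dict(paper), "unreadable": unreadable,
            "duplicates": duplicates, "discrepancies": diff}


def demo():
    # Constructed sample: machine "M7", one contest, fixed serials.
    box = [make_ballot_line("M7", {"mayor": "Alder"}, "a1"),
           make_ballot_line("M7", {"mayor": "Birch"}, "a2"),
           make_ballot_line("M7", {"mayor": "Alder"}, "a3")]
    box.append(box[2])                                   # double scan
    box.append(make_ballot_line("M7", {"mayor": "Birch"}, "a4")
               .replace("Birch", "Alder"))               # misread selection
    machine = {("mayor", "Alder"): 2, ("mayor", "Birch"): 3}  # machine's count
    return audit(box, machine)


if __name__ == "__main__":
    print(demo())
```

Each discrepancy is reported as (paper count, machine count), so the paper figure stays the reference and the machine figure is only the thing being checked.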

Bill Gatliff
Larry Mittag wrote:
Michael Barr wrote:
…But then anyone who argues electronic voting would be cheaper is a fool or a salesman.

Certainly true here, where people argue in the newspapers over the results. Not necessarily true in places where people argue with guns in their hands.

.. and that's different from the USA how? Sorry, couldn't resist…

Larry Mittag wrote:
A system that was trusted internationally could prevent wars…

Yes and no.

In my international travels (which include some non-Western cultures), I have concluded that some of those problems aren't with getting an accurate tally on election day — they're with getting voters to actually vote their conscience, and then with having the results stick.

Many of the 200+ Haitian boat people who washed up on Miami last week were from one village that was (allegedly) getting harassed by Aristide supporters (with guns) because they had suggested that he might not be the most vote-worthy candidate at the next election. The USA has been withholding some UN aid money to Haiti, funds have gotten tight, and so Aristide apparently doesn't have the resources to “campaign” properly in some of the outlying areas. Trouble is, his “campaign contributions” in the forms of cash, food, and jobs, are what a lot of those people need to survive.

But I digress . . .

Larry Mittag
Photo-based identification? Do we really need even more advantage for the beautiful people? 🙂

One of the problems with the current paper-based system is that handling is widely distributed. Tie that in with potential rewards for changing the results and you have a recipe for fraud.

An electronic system can be centralized. There is no reason to store information locally in a precinct. The vote can be recorded as a transaction in a central system that can give a positive acknowledgement of the receipt of that vote. Personally, I would build it on a credit-card authorization model rather than a lottery model. They have stronger authentication procedures. Vote by VISA!

Jack Ganssle
Larry Mittag wrote:
Certainly true here, where people argue in the newspapers over the results. Not necessarily true in places where people argue with guns in their hands. A system that was trusted internationally could prevent wars…

That's what it all comes down to — an e-vote system has to work reliably, but also has to be trusted broadly. All political parties, the voters, the courts, and the international community must agree the damn thing works, and irregularities, if any, come from external coercion or whatever.

But getting that trust is a gigantic problem. Software people will have to first pronounce the system bulletproof. Then everyone else has to, somehow, learn to trust the system. But programmers will never reach agreement that any software system with more than 1,000 or so lines of code is perfect.

The old saying is “put two programmers in a room and you'll get three strong opinions.” If the public cannot get consensus from the software community — the experts — trust is a non-starter.

Also, don't forget that these machines must be amazingly configurable. Every district has its own roll of people to vote for, its own unique voting rules (do I vote for one of three people or pick three of five for the school board, or vote yes/no on various referendums, etc, etc).

If net-connected or something for reflashing of these parameters, beyond the obvious net risks, how do you insure each machine is set correctly? What if one machine's cord is kicked out during reflash time? Did you hear about that ship that ran aground because someone kicked out the GPS antenna cable and no one noticed the “no data” flag it showed?

Who's gonna configure this stuff, and test it, and prove its correctness, in every jurisdiction?

John Canosa
Just some topical information: Check out Glitches Hit High-Tech Voting Systems.

Notice the $3.9 Billion that is going to be thrown at this over the next few years.

You have to love the last line “… they never asked for such features.”

Jim Turley
Jack Ganssle wrote:
Who's gonna configure this stuff, and test it, and prove its correctness, in every jurisdiction?

Who does that now? I don't see the problem of correctness getting any worse (nor any better) compared to paper ballots. It must be a terrible proofreading task, making sure ballots are printed correctly. Plus, the counting machines have to be configured to tally the paper ballots correctly. They have to correlate the punched holes with the correct candidate. A small configuration error there could give all of Al Gore's votes to George Bush, and vice versa.

Oh, wait. That's already happened.

Michael Barr
Larry Mittag wrote:
An electronic system can be centralized. There is no reason to store information locally in a precinct. The vote can be recorded as a transaction in a central system that can give a positive acknowledgement of the receipt of that vote.

Hmm. I'm generally more skeptical of things that are centralized and all alike than those that have differences. For example, what if all the world's computers ran one operating system and e-mail client? Add to that monopoly a EULA that says they can update both remotely at any time and you've got a big recipe for trouble. Evolution has taught us that diversity is good.

Bill Gatliff
Jack Ganssle wrote:
The old saying is “put two programmers in a room and you'll get three strong opinions.” If the public cannot get consensus from the software community — the experts — trust is a non-starter.

Which is precisely why you have to think about what you'll do next when (not if) the numbers look wrong. When you go down that path, the limitations of an all-electronic system become pretty obvious.

Michael Barr wrote:
Hmm. I'm generally more skeptical of things that are centralized and all alike than those that have differences. For example, what if all the world's computers ran one operating system and e-mail client? Add to that monopoly a EULA that says they can update both remotely at any time and you've got a big recipe for trouble. Evolution has taught us that diversity is good.

Speaking hypothetically, of course. No, wait…
