No Leaky Buckets
Needed: Voting Security and Election Results Credibility
"If you cannot trust the way your votes are counted, nothing much else in politics matters!"
   Home     All The Holes     Publications     Demonstrations     Ref-Materials     Legislative      PortuguÍs  

SECURITY in
METHODS of VOTING and VOTE-COUNTING

An Overview: (1) Marian Beddill, Citizen
"If you cannot trust the way your votes are counted, nothing much else in politics matters." (mgb)
The requirements for -- and the status of -- the various systems for voting and vote-counting in Whatcom County, Washington State, the USA and the World are of great interest to their citizens, and to all who care about the democratic and representative method of government of, by and for the people.

Systems for voting and vote-counting must be SARA:
Secure, Accessible, Recountable and Accurate,(2)
in order to be trustworthy and maintain or gain the confidence of the voters.

In business and finance, we would all agree that an Audit is an ordinary and regular practice to verify financial reporting. The purposes of an Audit are ...
  • first, to discourage fraud;
  • second, to instill confidence in the accuracy of the reporting if it is found to be consistent, and
  • third, to enable corrective (and maybe punitive) action if discrepancies are found. Almost by definition, an audit is done by someone else - not the person who manages and prepared the original financial records and reports.
The same is true for voting - an audit should be able to review the original documents, and perform an independent inspection and verification of the summary report, which are the vote-totals for races and issues. The original documents of votes are the ballots cast by and verified by the voter. The reports are the vote-totals by precinct and larger jurisdictions (city, state, etc), and the "Certification" of the election based on those.

Votes are like water - in they get put into and carried in suitable buckets - and we don't want any of them to leak out or to get contaminated. (This analogy gave me the name of a website on the topic: http://NoLeakyBuckets.org .) And, like a bucket which has holes - or may be about to get holes - ALL OF THEM must be plugged in order to maintain its integrity. Nine out of ten is not good enough - even one leak will cause failure of the system - be it water in a bucket or votes in a system of collection, transport, counting and reporting.

My civic action efforts have concentrated on one particular rusty spot in the voting system - computers - for three main reasons.
  • First, I care about democracy, and believe that the government should do its job fairly.
  • Second, I have experience in computer programming, dating back to the very first small computers in the 1960's - that's 40-years of using them and knowing their powers and their foibles.
  • And third, because computers and their programs used for voting replicate their processes (the same program does the same thing for all users, since they are essentially mass-produced), so a built-in error or fraudulent process will do its thing in hundreds or thousands of places, all at the same time and in the same way. Thus the impact on results of a faulty program will be very large. See reason number one.
But there are many pieces in the election management system, and the other are also important - each can be a hole in the elections bucket. The venerable League of Women Voters and thirty-nine other national organizations recently called on the chief election officials of each of the fifty states to take steps to guard the election process for the November 2004 election. They named five areas of concern which merit diligence on the part of citizens concerned about voting integrity. These are that voting may be undermined by:
  • Voter Registration Problems,
  • Erroneous Purging,
  • Problems with new ID Requirements,
  • Difficulties with Voting Systems, and
  • Failure to Count Provisional Ballots.
The LWV approved a statement at their national convention in 2004, which established the SARA rule -- that elections systems must be Secure, Accessible, Recountable and Accurate (2).

Those judgement criteria must apply to all methods of voting. Just to be complete, the several principal ways of casting, collecting and counting ballots in the US should be mentioned.

The main ways of casting ballots include methods the voter uses to indicate their choices -- such as on:
  • paper, hand-counted
  • lever machines, counted with ratchet-wheels
  • punch cards
  • optically scanned marks on paper ballots
  • computers at polling-places on election day - in varying versions:-
    • DRE - direct-recording electronic (no paper) which save only a computer-copy of votes
    • DRE - direct-recording electronic (with a paper ballot and computer-saved votes)
    • ballot generator - the computer prints the ballot with your votes, but does not save the votes within, just makes the paper
  • computers in public places like malls, before election day:-
    • voting stations - special machines (no paper ballot)
  • computers in private places like homes and offices:-
    • internet voting - (no paper ballot)
The main ways of collecting ballots and votes include methods the elections offices use to gather and transport the indications of the ballot choices -- such as:
  • in locked and sealed boxes ("transport cases") holding paper ballots or computer media or both;
  • by telephone calls, verbally;
  • by the internet from polling-places to the central office (no paper ballot);
  • by direct computer (modem) hookup from polling-places to the central office (no paper ballot);
  • by direct two-way radio hookup from polling-places to the central office (no paper ballot);
The main ways of counting votes include methods the elections offices use to tally the choices and prepare summary reports, sometimes at the polling-places and always finally at the central elections office -- such as:
  • manually;
  • by a computer which counts punch-cards, and makes tallies;
  • by a scanner and computer which reads and counts marked paper ballots, and makes tallies;
  • by a computer which reads and counts touches on the screen or other input device, and makes tallies (no paper ballot);
  • by a computer which reads and counts touches on the screen or other input device, and makes tallies and prints a paper ballot.
And finally at the central office:-
  • by a computer which tallies other count sub-totals and prepares summary reports;
With that background -- all of which must be considered in order to fully understand the process of voting and counting votes, let me now concentrate on the voter-verified paper ballot (also referred to as the voter-verified paper audit trail). This is the only known method of full, true auditing of the intent of the voter. It is necessary to have a physical record of the ballot selections made by the voter, which have been verified by the voter before finishing the process of casting her ballot - then placed into the hopper (ballot box) for counting.

Computer programming is imprecise - which may seem to be a surprise. Numerous examples may be cited, but the basic thing is that the programmer must anticipate every combination of all the multiple circumstances and ranges and errors of data, and write instructions for what to do. Failing that, the program either crashes or returns some odd result. Problems with accuracy will happen, whether by human error, random disasters or intentional acts. A key question is having a way to recover -- when such happens.

Where can errors happen? How do votes "flow"? see big graphic Starting with the fingers of the voter which -- make input to the ballot -- through saving of the data -- transporting the bundle to the counting center -- doing the tallies -- and finally reporting results. There are many potential weak points -- rusty spots -- which could be or become holes in the bucket. One major one is the ease with which computer records can be changed, and in this case such changes as duplicating the records and using one set for some purposes and another set for others. Some of the computer programs - the software - actually do that, which casts doubt on the validity of all reported outputs.

Funny thing for me to say -- since I am a strong proponent of computer use and have been for 40 years -- but I have no confidence in the use of computers for voting. Computers AND 100-percent voter-verified paper ballots are OK, but not the computer alone.

A closely related thing is how to recover from errors in the voting and elections system, if they happen (or are just alleged to have happened?) In other uses of computers, we have recourse. With banks, merchandise, contracts, etc, we can present receipts, and ask the business to give the money back, etc. In elections, can we un-elect the winner? How many citizens saying there were errors - or probably were - would it take to reverse a certified election? What would be the evidence that would meet court standards to convince a judge or jury? It is not available, because our votes must be kept secret, so there is a very high probability that no case can be made.

Returning to the four criteria - SARA: Security -- nobody else can mess with your votes (complicated with the privacy need). Accessibility -- all who are qualified can cast a ballot. Recountable and Accuracy: That's where computers - alone - fail. The recommendations and requirements for federal and state certification are a cruel joke. The local "L&A" tests are even worse. We cannot review the source code - the actual instructions - since the manufacturers of the software refuse to permit people to see them.

On top of that, software changes are routinely made at the last minute, totally negating any prior checking of the programs.

There is hope, however.

The first law required is for the voter-verified paper ballot. There is a non-computer method and two computer-voting models that satisfy the criteria we have laid out:
  • A paper ballot, marked by the voter and counted manually.
  • A touch-screen ballot generator - it just uses the computer's fancy abilities to print each voters' paper ballot, which is later inserted into the scanning and counting machines, and which can be RE-counted by hand; and
  • A DRE with a paper ballot, now on the market. Nevada just broke the ice, and has used, large-scale for the first time, a DRE with paper ballots.
Finally, and equally as important as the voter-verified paper ballot, is that having the paper ballots has no merit if they are not (or cannot) be used for verification.

The second law required is for the mandatory random recount for system double-checking. Laws should require that some set of precincts be chosen randomly, and all the ballots (which will be paper) from those precincts are brought out and re-counted - best if by hand -- or at least by a different machine from a different vendor.

That's auditing. That would give me confidence in computerized-and-paperized voting.

Marian Beddill
Bellingham
"If you cannot trust the way your votes are counted, nothing much else in politics matters." (mgb)
(1) Adapted from a presentation given in Whatcom County Sept 14, 2004.
(2) Order changed from the LWV original.

Vote-Flow graphic

(Ver.4) (JPEG, 270KB). Shows many of the various routes that votes may take from the voter to the tally (counting); possible recounting, and the certification of the election, under different voting systems.

page last edited 2004-09-18

Apology and Disclaimer: This site is being re-built, and it may not all work yet. If you find an error - especially a broken link - please holler: fix-links@noleakybuckets.org