Tomorrow, more than a quarter of voters will select their candidates using touch sensitive screens, and each vote
will be stored electronically on digital storage cards, similar to those used in many digital cameras. There's a lot to love about these machines, from their ease of use to the new accessibility options they provide disabled voters. In almost every way, these new machines represent a quantum leap when compared with prior technologies, such as punch cards. Unfortunately, the security provided by the machines is a major exception to this rule.
In 2000, when the reliability of Florida's punch-card counting equipment was cast into doubt, election officials were able to visually inspect and hand count each ballot. Though some votes could not be counted because they were only partially punched, nobody was able to convincingly claim that one candidate's chad was consistently harder to punch than another's. Thus, while errors were present in the counting process, they were essentially random -- the votes lost by both candidates to the infamous hanging chads should have canceled each other out. With many of the new completely electronic systems, there is no reason to believe that the random errors inherent in earlier systems haven't been replaced with systematic directives to switch votes from one candidate to another.
Election officials claim that because each machine has to be both certified and tested before every election, such a vote switching scenario is extremely unlikely. However, since verifying the security of all but the simplest electronic systems is a completely unsolved problem, certifiers can only claim that a given machine is not vulnerable to a small set of predetermined attacks. Moreover, in the one instance where public examination of electronic voting machines was possible, a huge number of potentially exploitable vulnerabilities were discovered -- vulnerabilities that were not uncovered during the certification process. To their credit, election officials claim to have either fixed or mitigated the problems that have been discovered.
Unfortunately, many more problems may remain. There is no way to know.
With traditional paper-based systems, we don't have to rely on the security of the voting systems. Instead, in contested elections, the electronic counting technologies can be sidestepped by manually counting the original ballots. With electronic machines, these original ballots are replaced by bits on a storage card that is never seen by the voter. The machine could have recorded them incorrectly and no one would be the wiser. It's for this reason that many computer security experts have advocated adding a voter-verified paper trail to electronic machines. Even if the machines are programmed to cheat on the electronic totals, the paper can still be recounted. Other solutions, based on cryptographic constructions, go even further. Not only do they allow voters to verify that their vote was cast correctly, but they also allow the voter to ensure that their vote was actually counted.
However, as there's clearly not enough time to implement any of these solutions before this election, the best we can do is keep our fingers crossed and hope that everyone plays by the rules.
ADAM STUBBLEFIELD is a Ph.D candidate in computer science at Johns Hopkins University. In 2003 he was part of a team that discovered multiple vulnerabilities in e-voting systems.