December 2000, Revised 19 March 2001
As the world watched the electoral drama unfold in Florida at the end of 2000, my phone started ringing off the hook. "Wouldn't all our problems be solved if they just used Internet voting?" "Was that butterfly ballot really as confusing as they claim?" "And what exactly is the difference between a pregnant and a dimpled chad?" I spoke with numerous reporters, several state officials, and many colleagues and friends. And even while the actual outcome of the Presidential election remained unknown, it became clear that throughout the United States, people were soon going to be taking a hard look at their voting equipment and procedures, and trying to figure out how to improve them. After they finished scrutinizing and debating the events in Florida, what everyone really wanted to know was what new technology their state could buy that would ensure that in future elections all votes would be fairly counted. But, I'm afraid, there are no easy answers.
I began studying electronic voting when I was a graduate student in 1994. After I berated an undergraduate for deploying a poorly implemented electronic voting system on the engineering school servers and advertising it as a way to provide confidential feedback about courses and professors, my advisor challenged me to design a better system -- one that really would provide for secret balloting and prevent people from stuffing the ballot box. After several days of library research I returned to my advisor to report that this appeared to be a completely solved problem.
I had found several papers in the theoretical computer science literature that described secure and private secret balloting schemes. These papers seemed to take into account most of the important issues I could think of, and the schemes they described sounded like they would work. But I couldn't find any evidence that the authors had actually implemented any of these schemes. So, I spent the next year learning more about the cryptographic protocols behind these schemes and implementing a working prototype of an electronic voting system called 'Sensus', which allowed voters to cast secure and private ballots over the Internet. This would eventually become my masters degree project.
Sensus was based on an algorithm published by Fujioka, Okamoto, and Ohta in 1993. It used a cryptographic technique called a blind signature to maintain ballot secrecy, while simultaneously ensuring that each eligible voter could vote only once. Essentially, voters prepared their ballots using a computer program that encrypted them and created a unique digital fingerprint of each ballot. The program then multiplied the numbers in the fingerprint by a random factor and sent the result, along with the voter's digital signature, to a computer run by the election authority called a validator. The validator checked the voter's digital signature and made sure the voter was eligible to vote and had not yet voted. The validator then digitally signed the randomized fingerprint and returned it to the voter. The voter's computer then divided out the random factor, resulting in a ballot fingerprint signed by the validator. However, since the validator signed the version of the fingerprint that was multiplied by the random factor, the validator had no way of knowing what the original fingerprint looked like, or which voter it was associated with. The voter's computer then sent the signed fingerprint and the corresponding encrypted ballot to another computer called the tallier. The tallier used the signed fingerprint to verify that the ballot was certified by the validator, and provided an acknowledgement to the voter that the ballot was acceptable. The voter then sent the tallier the key necessary to decrypt the ballot for tallying. Variations on this scheme have since been implemented as part of a number of other student projects, including an ongoing project at MIT. Josh Benaloh, Berry Schoenmakers, and other researchers have also proposed more sophisticated schemes that allow election observers to cryptographically "prove" that all the votes in an election have been tallied correctly.
I continued studying both traditional and electronic voting as part of my dissertation work, and created an electronic voting resources web page to share the information I had gathered with anyone else who was interested. This web page was soon indexed by all the major search engines and became the first stop for anyone looking for electronic voting information. By the time I graduated and started working at AT&T Labs-Research in 1996, I was receiving electronic voting inquiries on a regular basis from the press, researchers, and government officials.
In 1997 I was approached by the Center for Information Law and Policy at the Villanova University School of Law to help design the technical aspects of an electronic voting system trial for Costa Rica. I enlisted my colleagues in the secure systems research department at AT&T, and together we began analyzing the requirements and outlining a system design. Many of the requirements were conveyed to me through an interpreter during an all-day meeting at the office of the electoral tribunal in San Jose, Costa Rica. What the tribunal had in mind was to use the personal computers recently purchased for the country's elementary schools as voting terminals at each polling place. By connecting the computers via the Internet, they hoped to enable a centralized system for checking voter registration that would allow voters to vote at any polling place -- not just their assigned precinct. The computers would also have to be capable of fetching the appropriate ballot for each voter (determined by where he or she lived), and for transmitting the ballots for central tallying. The motivations behind this project seemed to be to demonstrate the technological sophistication of the Costa Rican people and to save the government money. It seems that the government spends a lot of money each election day bussing people around the country so they can get to their home precinct (for reasons not entirely apparent to me, people in Costa Rica do not update their voter registration when they move within the country). By allowing people to vote at any precinct, they hoped to save money.
My colleagues and I soon realized that this was going to be a difficult problem to solve. While the tribunal wanted to use the PCs already in the schools, it was apparent that a large percentage of the population was not computer literate and would be unable to use a standard PC equipped with mouse and keyboard without substantial training. No budget was available for purchasing touchscreens, so we searched computer stores and electronics catalogs for an alternative solution. Light pens seemed to offer a potential solution, as they could be added to a standard PC at a fraction of the cost of a touchscreen monitor and required little training to use.
The US crypto export rules in effect at the time proved to be another obstacle, as it soon became clear that we would be unable to export cryptographic software developed in the US to Costa Rica. And even if we could use the best cryptography, it was questionable as to whether most voters would trust a system based on mathematical functions that they could not understand. We eventually decided to forego the cryptographic protocols for ensuring secret ballots, and instead rely on a physical separation between the voter authentication computers and the voting terminals. Because this system was designed to use at a polling place, poll workers could operate the authentication computers and, upon authenticating a voter, could unlock a voting terminal, allowing that voter to cast one vote. This solution would not work if voters were to cast their votes from home or from unattended voting kiosks, but it seemed workable for a system designed for use at staffed polling places.
Ultimately, the Costa Rican government got cold feet and decided to cancel the electronic voting trial, so our design was never completed or tested. A few months later we were approached to work on another electronic voting project, this time by the state of Florida. We had one meeting with the Florida officials before their project was put on hold indefinitely after evidence of widespread absentee ballot fraud was discovered in Miami. At the time that we worked on these projects, our group was aware of the awesome responsibility associated with designing voting technology, but this really hit home two-and-a-half years later as we discussed the 2000 Presidential election in Florida. "They could have been using our system," said one of my colleagues over lunch one day. And we all laughed uncomfortably, relieved that they weren't.
Mechanical lever voting machines have been in use in parts of the United States since 1892. Voters pull levers that correspond with the candidates and issues they wish to vote for. When a lever is pulled it causes a counter wheel to rotate. At the end of an election, officials open up the back of each machine to read the counter wheels and determine how many votes were cast for each candidate. By the 1960s, these machines were used by about half the voters in the US. These machines were appealing because they allowed election results to be determined quickly, and because they were able to thwart the voting fraud schemes that had become widespread using paper ballots.
One of the main disadvantages of lever machines is there is no ability to audit them and to "recount" individual ballots. If the machine malfunctions and a counter wheel fails to turn, no record exists from which a proper tally can be determined. Sometimes levers are mislabeled (either accidentally or deliberately). And lever machines are also difficult to test exhaustively, as a person has to manually enter large numbers of votes into each machine that is to be tested. These machines have also been known to cause confusion when recording and tallying write-in ballots. And because of their size and weight, these machines are expensive to store and transport. Lever machines are still in use in 15% of counties in the US. However, because they are no longer manufactured, it is becoming difficult to obtain spare parts for them. During the 2000 Presidential election, New York City voters reported that levers were broken off of some machines, making it impossible for them to vote for some local offices.
The State of Florida purchased their punch card voting system about 20 years ago to replace the lever machines they were using at the time. Interestingly, it's been reported that the mechanical machines were sold to the State of New Jersey, which still uses them in some counties (I used them the first three years I lived in New Jersey -- I found them pretty easy to use, except for the fact that at 5-foot-2 I had trouble reaching the top row of levers). The Florida punch card machines are manufactured by a company called Election Resources Corporation and known as Votomatic machines. The cards used by these machines are printed with rows of marks where holes can be punched. The names of the candidates are not printed on the cards themselves, but rather on a ballot holder device that looks something like a book with cardboard pages. When the card is properly inserted into the ballot holder, one column of holes is visible through the "spine" of the book. Each hole lines up with the name of a candidate printed on the book's pages. Election officials try to print candidate names only on the left side of each two-page spread, so that the holes are to the right of the candidates names. But sometimes they end up with ballot layouts that use both the left and right sides of the page. Having used this system -- butterfly ballots and all -- when I lived in St. Louis, I can assure anyone who insists that the system shouldn't be that difficult to figure out, that indeed it is. Especially when two page "butterfly" layouts are used, the system can be quite confusing even to someone with 20-20 vision and good hand-eye coordination. The Associated Press recently quoted one of the inventors of the Votomatic system as saying that he had never intended it to be used with a butterfly layout.
And, it turns out that the 2000 Presidential election was not the first time that there were law suits over Votomatic ballot confusion. In 1987 it was found that ballots cast in predominantly black wards in the city of St. Louis were more than three times as likely to be improperly punched -- and therefore not counted -- as those cast in predominantly white wards. A federal judge subsequently ruled that the punch card system used in St. Louis "denies blacks an equal opportunity with whites to participate in the political process." The judge ordered the city to increase voter education in black wards and count improperly marked ballots by hand.
Another kind of punch card ballot system called Datavote reduces voter confusion about which hole to punch by printing the candidate names directly on the ballot. However, Datavote systems can cause problems and added expense because most elections require voters to use multiple ballot cards. In precincts where these systems are used, under votes are common when voters forget to vote in the races listed on the back of the punch cards, or neglect to vote all of the punch cards they are given. Sometimes Datavote systems also have a high rate of over votes for reasons that are not entirely clear. Datavote cards are voted using a special mechanical hole punch device that cleanly removes the chad from each hole a voter punches.
Besides the difficulty in understanding and marking punch card ballots, these ballots have also been known for a long time to be difficult to tally accurately. Votomatic systems suffer from the frequent occurrence of hanging, swinging, pregnant, and dimpled chad. These terms have now become household words in the US and the butts of many jokes. But in early November 2000, most Americans had never heard these terms. The word chad first came to my attention when I read Roy Saltman's 1988 National Bureau of Standards report "Accuracy, Integrity, and Security in Computerized Vote-Tallying" while working on my dissertation. Saltman described a large number of problems with punch card ballots, and highlighted the chad problem in particular. Despite these warnings, punch card systems remain in use in 20% of counties in the US.
One of the issues that Saltman discussed was that most punch card systems in use in the US use pre-scored cards, in which the spots where holes can be punched are perforated. It is these perforations that lead to many of the chad problems. Saltman suggested that punch card systems would be more accurate if they used cards without perforations and required voters to use a spring-loaded stylus to punch their cards. Over a decade later this suggestion does not appear to have been widely adopted. Many of the problems with partially punched cards in Florida would probably have been avoided if pre-scored cards had not been used. But I have been unable to find recent statistics on the extent to which non-scored cards are used and their impact on the percentage of uncounted ballots. It does appear that the problems associated Datavote cards (which are non-scored except when used for absentee ballots) are not related to chads, providing additional evidence that scoring is a factor.
A November 1988 New Yorker article by Ronnie Dugger also contained a scathing analysis of the use of punch card ballots as well as other computerized voting systems. Dugger described the St. Louis case as well as a number of other computer-related vote counting problems and dubbed "the inexact science of divining what the voter intended in the case of a mere indentation or whether the card reader counted a hole that was partly or wholly blocked by a hanging chad" as "chadology."
One popular alternative to punch card systems are optical-scan systems, used in 40% of counties in the US. These systems are similar to the systems used to administer college entrance exams and other standardized tests. Voters use a pen or pencil to fill in an oval or connect dots on a paper ballot. A machine scans these ballots to count the votes. Both punch card and optical-scan systems suffer from the problem that voters may improperly mark their ballots, causing the ballot-counting computer to count them incorrectly or not at all. And both kinds of ballots can be tampered with during the counting process. However, in many precincts where optical-scan ballots are used, a scanner is available in each precinct so that voters can feed their ballots into the scanner themselves and check to see if it is accepted by the machine. If the machine reports that the ballot is mismarked, the voter can correct the problem and submit it again. In precincts where such a scanner is available, the percentage of uncounted ballots is often reduced by roughly a factor of five (when no scanner is available, optical-scan and punch card ballots result in similar percentages of uncounted ballots). Similar improvements might be possible if punch card readers were available at precincts as well.
In the aftermath of the 2000 Presidential election, people are calling for a voting system in which every vote cast will be counted. They want systems in which it is not possible for a voter to mark a ballot in such a way that it will not be counted. And they want systems that will allow for accurate recounts without the risk of ballot tampering or the need to argue about what constitutes a vote. Vendors of computerized voting systems, often referred to as direct recording electronic (DRE) systems, claim to have an answer. A computerized voting machine that allows voters to register their votes using a touch screen, ATM-machine like terminal, or a panel with buttons and lights, could ensure that voters do not unintentionally vote for too many or too few candidates. Indeed, in the 9% of counties in the US where these machines are already in use, the feedback from voters is generally positive. Voters typically find the machines easy to use, and like the fact that the machines warn them if they fail to vote for a particular office and do not permit overvotes. I used one of these machines in New Jersey this year, and found it quite simple to use -- although a carelessly designed ballot could probably render even a DRE machine difficult to use and confusing to voters.
While DRE machines may be easy to use, produce unambiguous results, and don't involve paper ballots that might be tampered with, they are not without problems. DRE machines must be trusted to accurately record each vote as the voter entered it. If the machines do not record a vote accurately, or fail to record it at all, there is no record to go back to for a recount (as with lever machines). It has been argued that recounting paper ballots (punch card, optical-scan, etc.) is imperfect because of the risk of tampering or even accidental damage. However, when the recount is necessary due to computer failures during the first count -- especially when those failures were not malicious -- it appears to be quite useful to have the paper ballots available to recount. Indeed, there have been many documented cases of ballot counting machines that were accidentally programmed incorrectly or had the wrong software installed. Upon investigation -- usually triggered by unexpected or bizarre election results -- the problems were discovered and corrected and the ballots recounted. In fact, during the November 2000 US Presidential election a computer glitch was discovered in Roosevelt County, New Mexico that caused 533 absentee ballots not to be counted properly. These ballots had been voted "straight party" by the voters, but the computer had not been programmed to allocate these votes to the all of the corresponding party's candidates. Because optical-scan ballots were used, the software was fixed and two days after the election all of the ballots were rescanned. Without physical ballots to rescan, it might not have been possible to correct this problem.
DRE proponents argue that a properly designed and tested DRE machine should not suffer from programming errors, accidental or malicious, and should include internal audit logs that should make it possible to recover from accidental errors. Whether this is really true in practice remains a debatable question. While experts agree that a malicious programmer could write computer code that alters votes and even alters the audit logs to match, they disagree on whether such tampering would be detectable. Carnegie Mellon University professor and experienced voting machine tester Michael Shamos has gone so far as to challenge skeptics to tamper with a DRE system of his choosing, and see if he can detect the tampering. So far nobody has taken him up on his challenge.
I tend to think that with sufficient review and oversight, we should be able to deploy DRE machines that have a very low risk of failure (through either accidental error or fraud). I don't think we can build a perfect machine, but we should be able to build a machine with risks lower than the risks associated with a paper ballot system. I do not know enough about existing DRE systems to know whether any of them are good enough today, but have heard about enough problems to be suspicious. In the November 2000 election, a Sequoia Pacific DRE machine in New Jersey apparently failed to record about 50 votes (this was determined after observing that in one local race, none of the second-listed running mates received any votes on one voting machine, while they received approximately the same number of votes as the first-listed running mates on all the other machines). Last I heard the problem was still under investigation and the reason for the failure remained uncertain. A spokesman for Sequoia Pacific told a reporter that the machine had not actually lost any votes because the "votes were never cast." But to the voters, it apparently looked like their votes had been cast. Such failures cannot be corrected after the fact in a DRE system, and are clearly problematic.
Another problem with DRE machines is the amount of time each machine is monopolized by a single voter. When paper ballots are used, it is inexpensive to provide enough private booths and equipment (Votomatic devices, pens, etc.) to keep voter lines to a minimum. Even if these ballots are to be scanned in each precinct, the amount of time it takes a computer to scan each ballot is much less than the time it takes a voter to mark it. But when DRE machines are used, each voter must have exclusive access to a terminal for the entire time it takes to mark the ballot. Election officials with experience using DRE machines report that generally about 30 voters per hour can use a single DRE machine. (This is probably similar to the number of voters that can use a lever machine in an hour.) Thus, it takes a large number of machines to serve the voters in each county. The machines are expensive, and each must be configured and tested before every election.
Some vendors are promoting computerized systems that use off-the-shelf PCs as a much less expensive alternative to traditional DRE systems. Besides the significant cost advantage, some vendors claim that there is less of a risk of hardware tampering on such machines since they are not being manufactured for the express purpose of voting. However, because these computers are manufactured as general purpose computers, there are also a lot more areas where things may go wrong and a lot more places where malicious code may be hidden. And conducting an election on them using a general purpose operating system opens them up to a wide range of vulnerabilities.
The apparent lack of a perfect voting technology has lead many people to suggest that we just go back to the old hand-counted paper ballots used in the past in the US, and still used throughout most of the world. A well-designed paper ballot would probably use a separate ballot paper for each race, and include large boxes for voters to use to mark their preferences. In most countries where this system is used, ballots can be tallied very quickly -- sometimes in a matter of hours -- using government employees or citizen panels. But in most of these countries voters are asked to vote in only a few races -- often only one race. With the large number of races and other ballot questions on US ballots, a hand counted paper ballot system would be more cumbersome. As suggested by computer-related risks expert Peter Neumann, it might be practical if used for Presidential voting only, and not for other races. Even if a paper ballot system was practical, problems would remain. Voters could still accidently skip over ballot questions or vote for too many candidates on a ballot. And paper ballots can be tampered with during transport and counting, and are subject to a range of voting fraud schemes that involve vote buying and ballot box stuffing. This option should be considered along with other possible options, but it does not appear to offer a perfect solution either.
Perhaps the questions I heard most frequently following this year's election were questions about Internet voting. As the popularity of online shopping and banking increase, so does voter interest in the possibility of voting from home or work over the Internet. The first governmental election to be conducted over the Internet in the US was the 1996 Reform Party Presidential primary, in which Internet voting was offered, along with vote-by-mail and vote-by-phone, as an option to party members who did not attend the party convention. In 2000 the Arizona Democratic Party offered Internet voting as an option in their Presidential primary. And Internet voting was used in the 2000 Alaska Republican Presidential straw poll as well as in a number of non-binding shadow elections. In the November 2000 Presidential election, a few hundred over seas military personal were given the opportunity to cast their absentee ballots via the Internet.
Most of the Internet voting trials went reasonably well. But given the small scale of the trials and the limited stakes involved, that is not a surprise. The Arizona election, the only large-scale binding governmental election to be conducted via the Internet in the US, did not experience any catastrophic failures, but did suffer from a number of relatively minor problems that would probably have been much more serious if they had occurred in an election in which the outcome was more contentious (one of the Democratic Presidential candidates withdrew during the voting period, leaving only one significant candidate on the ballot). The problems included incompatibilities between the software on some Macintosh computers and the voting system software, errors in voter registration logs that were being used to authenticate online voters, insufficient telephone help support, and a user interface that turned out to be inaccessible to blind voters. Later in the year, a large non-governmental online election to elect members of the The Internet Corporation for Assigned Names and Numbers (ICANN) board suffered from voter registration problems as well as overloaded servers that caused many voters to be turned away from the voting web site.
The problems that have actually occurred in online elections to date are relatively minor compared with the types of problems that experts fear might occur if Internet voting was used in contentious governmental elections. At an NSF sponsored evoting workshop in October, security experts discussed a wide range of problems. Most significant were probably the vulnerabilities of the personal computer platform and the vulnerabilities of the Internet infrastructure itself. Individuals don't currently have the ability to shield their personal computers from viruses and trojan horses that might manifest themselves on election day. Furthermore, the ability to prevent denial of service attacks against voting servers or voters' Internet connections is limited. Hackers could design attacks to take out large portions of the Internet, or focus on neighborhoods known to support a particular party. Avi Rubin wrote a short essay following the NSF workshop that provides a good overview of these and other security concerns.
The conclusions reached by workshop participants about the security risks of remote Internet voting were similar to the conclusions reached by the California Internet Voting Task Force in January 2000. The taskforce also outline security concerns, and suggested that if Internet voting was to be pursued, it should be introduced in several stages, beginning with Internet voting terminals in neighborhood polling places. This first phase would not really offer any advantage to voters, but it would provide a more controlled environment in which to gain experience with Internet voting.
People often ask me why the security risks associated with Internet voting are different from the risks associated with online banking. Some have even suggested that Automatic Teller Machines be employed for voting, in addition to their primary banking functions. Voting is very different from banking applications for a number of reasons. One of the most important differences has to do with auditing and secret ballot requirements. When you do a financial transaction, generally you get a receipt. And periodically your bank sends you a statement that summarizes all of your transactions for the past month or quarter. You can compare this summary with the receipts you received for each transaction, and determine whether your bank made any errors. Furthermore, every financial transaction is recorded in great detail, along with information about who was involved in the transaction. But in secret ballot elections voters do not get receipts (if they did they could sell their votes or be coerced to vote in a particular way). And audit trails are specifically designed not to reveal the voter associated with each ballot. Also, while financial transactions occur every day of the year, perhaps peaking during certain parts of the business week, major elections occur on just one day. Even if we extended the voting period to several days or even a few weeks when introducing online elections, there will still be a relatively small window of opportunity that will be the focal point for those wishing to disrupt the election.
One of the primary motivations that has been given for remote Internet voting is the possibility of increased voter turnout. The idea of voting at home in ones pajamas seems to be appealing to many. However, little evidence exists to suggest that the availability of remote Internet voting would succeed in bringing substantial increases in voter turnout. And any increase in turnout is likely to impact some voter groups more than others (in particular the people who have Internet connected computers in their homes). Thus, Internet voting could serve to widen the gap that already exists in the way different socioeconomic groups are represented at the polls. Voting reforms such as extending the hours in which polling places are open, making it easier to obtain absentee ballots, and simplifying the voter registration process, have all been introduced with the hope of increasing voter turnout. But these reforms generally result in little if any increases in turnout. The reforms are none-the-less popular because they make it more convenient for those who would vote anyway to vote. And any increases in turnout tend to be among the groups that are already well represented at the polls. Before introducing Internet voting with the primary motivation of increasing voter turnout, it would be good to have convincing evidence that such an effect is likely.
Internet voting may be a good solution for non-governmental elections, especially for organizations that already have experience with vote-by-mail balloting. These elections generally are less interesting targets for hackers, involve smaller numbers of voters, and sometimes have less stringent secret ballot requirements than governmental elections. Internet voting has been used successfully in share holder proxy balloting for several years. Many professional organizations are finding Internet voting to be a cost effective alternative to vote-by-mail.
Many US citizens have begun to wonder whether it is even possible to determine the "will of the people" when an election is as close as the 2000 Presidential election outcome was. In Florida, it appears that the final difference in the tallies for the two top Presidential candidates was smaller than the statistical errors known to be associated with the voting equipment used. Since the error rates for each kind of voting equipment differ, and different voting equipment is used throughout the US (and equipment type even varies from county to county within most states), different error rates will be associated with each precinct. Statistically, in most cases we can expect candidates to be impacted by undercounts according to the proportion of votes they receive in each precinct. Thus, a candidate who does well in a given precinct is likely to lose more votes in that precinct to equipment error than one who does poorly. If it so happens that a given candidate tends to have more supporters in precincts that use equipment with higher error rates, and fewer supporters in precincts that use equipment with lower error rates, that candidate may be at a disadvantage in a close election simply due to the way voting equipment happens to be distributed in the state. Of course there are many other factors that may influence the outcome of a close election as well. But in the 2000 Presidential election, which appears to have been essentially a tie, the outcome may have been partially determined based on the distribution of voting equipment in the State of Florida.
Recognizing that computerized vote counting systems are often unreliable when the vote tallies for two candidates are within 1%, some states automatically recount ballots for races that are that close. With better technology, we may be able to reduce the statistical error associated with vote counting, but it seems unlikely that we will be able to eliminate it entirely unless we are able to develop an entirely electronic system (even for absentee ballots) that we have complete confidence in and which everyone agrees has zero error associated with it.
When an election outcome appears to be within the area of statistical uncertainty of the system, perhaps we would be best off declaring the election a tie. In many states, when two candidates get exactly the same number of votes the election is resolved through a game of chance. In some places, if no candidate gets a clear majority, the election is repeated until one candidate gets a majority. George Washington University Professor David Anderson recently proposed in a Washington Post opt-ed piece that close elections be held again. This idea is controversial, but probably worth further discussion. A new election or even a random outcome may ultimately be more satisfying than knowing that election results were probably determined by the idiosyncrasies of computerized vote counting machines and their distribution in particular precincts.
Assuming we can find a better voting technology, how much would it cost? Cost estimates vary widely. DRE machines cost approximately $5,000 per unit. A system that uses off-the-shelf personal computers might be able to reduce that cost by as much as a factor of 10. Refinements on existing systems -- such as putting scanners in every precinct that uses punch card or optical-scan ballots -- might be substantially cheaper. Quotes in the media indicate that most states looking into replacing their voting equipment are assuming that they will have to spend upwards of $100 million. In November 2000 when I was interviewed for ABC NightLine I had heard estimates of $20-$50 million for a large county. I referred to these estimates in the short clip that actually aired a month later -- but that estimate was probably a little high for most counties. In any case, replacing voting machines will cost a lot of money. And most of that money will have to come out of state and local budgets. Recently introduced Federal legislation includes $100 million in matching grants for states to upgrade their voting equipment, but this doesn't appear to be anywhere near the actual costs that are likely to be incurred.
As I said from the beginning, there are no easy answers. It is my hope that states will proceed cautiously in adopting new voting technologies, first establishing detailed requirements and certification criteria, and rigorously evaluating each candidate technology to see whether it meets the criteria. The Federal government should assist in establishing requirements, but ultimately technology selection decisions are still probably best done at the state and county level, where most election-related decisions are made in the US. Technological systems must have the ability to provide audit trails that will be able to demonstrate that votes have not been lost or miscounted. Their inner workings and complete computer code must be available for the scrutiny of experts (either under a non-disclosure agreement or as part of an open source release). They must be tested for usability using actual ballot questions prior to every election. And while we are investing in new voting equipment, we should also make sure our new equipment is adaptable so that we can provide secret balloting for the visually impaired and other disabled individuals (perhaps by providing special devices for use by those people). We should not rush to embrace new technology, such as Internet voting systems, until we have evaluated it sufficiently and determined that it meets our requirements. The technology development and evaluation necessary to satisfy all of these goals will be expensive. But by spending the money up front, we are more likely to avoid costly law suits and recounts, as well as to maintain public confidence in our electoral process, something that is very difficult to put a price on.
Lorrie Faith Cranor (http://lorrie.cranor.org) has been studying electronic voting systems since 1994. She maintains the e-lection electronic voting mailing list and in 2000 served on the executive committee of a National Science Foundation sponsored Internet voting taskforce. She is a senior technical staff member at AT&T Labs-Research Shannon Laboratory in Florham Park, New Jersey. Her primary research focus is online privacy. The opinions expressed in this article are the author's and do not necessarily represent the views of her employer.