The issue of paperless, computerized voting systems is about to hit the airwaves again.  There is an incredible amount of disinformation regarding these systems.  There is also a lot of big money behind the disinformers.  The reason is obvious.  All you have to do is consider the stakes - and there are no stakes greater than elections for representatives for U.S. federal and state offices.  

The key questions to consider are: What are the costs?  What are the risks?   What are the benefits?

Simply stated, there is not an honest, experienced computer professional in the world who would advocate computerized, paperless voting because the risks are too high.    Computers can't be secured from hacking.  That's it.  That's all. 

Who doesn't know that every single major corporation in the country has been hacked at some time?  Why do you buy virus software and firewalls?   Are they 100% successful?  OF COURSE NOT! Consider the population of people who manage voting locations.  How technically savvy are they likely to be?   (Think of your old Aunt Sally).  

If these computerized, paperless voting systems are installed in your precinct, you might as well stay home and not bother to vote - because I guarantee you the results of the election will be fixed - not on a precinct by precinct basis - because that's not necessary to swing the election.  All it takes is to find statistically significant precincts in statistically significant states. 

That's not to say that computers can't be used in elections.  Computerized voting systems have the potential to be the best thing that ever happened to voting - but only if the systems are well designed with integrity of the ballot as the primary consideration.   

What does integrity of the ballot mean? 

It means that the results of electronic voting must be verifiable to both the voter and the candidates who are running for office.  This is the crux of the issue with electronic voting.   A totally electronic system does not meet the requirements of verifiability for either the voter or the candidates. 

Integrity of the ballot also means that the results of the election can be audited and proved with 100% certainty that the reported results are correct.   Both candidates should be able to perform the audit and arrive at the same results.

The only way to ensure integrity of the ballot is to have a hard copy of it - meaning a paper ballot. 

To ensure integrity of the ballot, a computerized voting system should be a TOOL to produce a PAPER BALLOT that goes into a LOCKED BALLOT BOX.  That's the ONLY way that computers should be used in elections.  It makes voting easy and it is VERIFIABLE.    Any variations on that design should be considered a scam to steal your vote. 

Because there is so much at stake with these computerized voting systems, the disinformers have a list of possible 'solutions' to offer that they claim will ensure the integrity of the ballot.  It's important to understand why they don't meet the requirements for integrity so that no matter who the scammers put on TV to sell you on the idea of computerized paperless voting, you won't be fooled.

Open Source  

In computer systems, there are two forms of instructions that constitute a computer program.  There is the source code that is readable by the programmer and there is executable code that is readable by the machine.  The process of producing machine executable code from source code is called a compile.  A compile produces a file of binary codes (1's and 0's  on/off) that the machine understands. 

The proponents of ‘Open Source’ believe or pretend to believe that by being able to read the source code, they can find flaws in the code that would make electronic voting more secure and more accurate.  They think they will be able to detect cheating as well as bugs.  While they might find problems in the source, that secures nothing.  The act of compiling the source code changes it so that what is reviewed is not guaranteed to be what is executed on Election Day. 

Besides, a knowledgeable person can modify the executable code so that it no longer matches the source code anyway.  The replacement of the executable code can be a wholesale replacement or a patch.  The point is that Open Source is not a viable solution.  All it would provide is a false sense of security and it solves nothing in terms of integrity of the ballot. 

Voter Receipt

This is another one of those false sense of security alternatives presented by the disinformers.  They try to make people think that voting systems are the same as bank ATM's.  The difference obviously is that an ATM is a machine transaction between two entities - both of which have a stake in the accuracy of the transaction.  The neighbors of the bank customer are not affected by the transaction. 

Think about this - What good is an individual receipt?   Are all the people in San Francisco going to get together a week after the election so that their 'receipts' can be put together and counted to verify the electronic totals?   Because that's the only way that a computerized vote count could be verified with a 'receipt'. 

Testing and Certification

This is a necessary step to ensure that the election officials have setup the candidates correctly, the machines are working properly and that the code appears to do what it is supposed to do.  It is perfunctory testing at best - rather like the testing that a speaker does to ensure that his slide projector will work for a presentation. 

While nobody would argue against doing this because it is necessary, it does not guarantee that the code that is tested and certified is the same code that will be executed on Election Day. There is also a control problem just in the sheer number of precincts, polling places, machines and people involved in the process.  

As stated above, a knowledgeable person can modify executable code.  Another consideration is, what if a last minute bug is found in the ‘tested and certified’ code?  What is more important?  Fixing the bug or running tested and certified buggy code?     

Internal Audit Trail

An internal audit trail, also known as logging can give only a gross statistic on the number of voters who ostensibly cast ballots.  While this number should match the number of voters on the sign-in sheet, it does nothing to address the problem of the accuracy of the recorded vote nor the verifiability requirements for the voters and the candidates. 

Ballot Image on Write Once Memory

Presumably this means writing the ballot to an optical disk.  While this is an interesting idea, it still does not meet the requirements for security and verifiability.  It depends on the integrity of the machine, the code and the people running the election.  There is still no guarantee that the votes cast by the voter are what is written out to the disk.  Devices can be removed and installed in minutes.  Copying files, changing elements and writing new files can be done in minutes.  There doesn’t have to be wholesale fraud to change election results, it only needs to be done in a few key locations.  For these reasons, this is not an acceptable solution. 

Paper Wheel as an audit trail

There are several problems with this method of audit.  First, there would need to be a window to display the printed audit trail.  What if the ballot is bigger than the window?  Is the voter supposed to watch as it prints?  And what if they miss the important part?  Paper wheels are bulky and heavy and they are not easy to audit.  The biggest argument against this method of audit is that it would be very expensive because it would require special hardware specifically designed for this purpose.  Since there are better and cheaper alternatives, this is not a good solution. 

With two ballots electronic and paper, which one is the ballot of record?

This issue is a red herring.  There are only a couple of ways they could be different.  Either there is a bug in the system or the machine was hacked and the electronic vote was changed.  As such, the paper ballot would have to be considered the ballot of record because it was the ballot that the voter reviewed and approved prior to putting it in the ballot box.   

Chain of Custody of Paper Ballots

This is another red herring.  What was the chain of custody before computers?  The chain of custody would be no different than it is for any other kind of paper ballot.  The only difference in a voting system with both electronic and paper ballots is that there would be less incentive to attempt to modify them or add/subtract ballots because of the electronic copy of it goes in a different direction than the paper ballot.  

If there is a paper ballot to back up an electronic vote, electronic votes can be transmitted to ‘election central’.  The results would have to be considered preliminary until a count of the paper ballots.  If it was a good clean election and everything worked properly, the electronic results will match the paper results. 

What happens if the voter looks at the paper ballot and decides it is wrong?

In order to have verifiable results between the electronic system and the paper ballots, a unique identifier must be assigned to a ballot.  The unique identifier ties the paper to the electronic but does not defeat the secret ballot.  If a voter determines that they made a mistake and the printed ballot is incorrect, the unique identifier can be recorded on a spoiled ballot list and the paper ballot can be shredded.  The voter can sign an affidavit saying that they produced a spoiled ballot, that they witnessed the recording of the unique identifier on the spoiled ballot list and that it was accurately recorded and that they witnessed the shredding of the spoiled ballot.  The unique identifiers on the spoiled ballot list can then be entered into the system to cancel the electronic ballots.  The number of affidavits should match the number of cancelled ballots keeping the counts in balance.

Wouldn’t it still be possible to ‘stuff the ballot box’ if somebody is determined? 

If internal controls were built into the system, it would become extremely difficult - if not impossible to modify the election outcome by generating false ballots.  For example, if the time that each selection is made is recorded on the ballot, that time would become an audit feature in itself.  Computer generated ballots (produced en masse to swing the election) would have a consistent timestamp between selections that would be unmistakable.  To program randomness on individual selections within a record would be virtually impossible. A computer scientist with a statistics background could easily identify the fraud.   Just the possibility of analysis of the data by a statistician would prevent all but the most foolhardy from attempting to defeat a dual paper/electronic voting system with internal controls.

Won’t a paper ballot be unwieldy?    

During one of the congressional hearings, in her statement, a local election official held up a long narrow strip of paper that looked like a grocery store receipt for a family of 10.  She announced that the strip of paper would be the ballot from one of their elections.   

This was a scare tactic that was intended to make people think that producing a paper ballot would be unworkable.  It is understandable that an election official might want to eliminate paper ballots.  But, the convenience of an election official is low priority compared to the bigger issues involved. 

This election official’s argument assumes that there can be only one form of a paper ballot.  Since the paper ballot is being printed from a computer system (i.e. not intended to be marked up by the voter), the only requirements for it are that it be readable by the voter so that they can verify their selections.  It doesn’t matter how many candidates or issues are being considered in an election, at the point when the paper ballot is being produced, the question of candidates and issues is a simple ‘yes’ or ‘no’.  Blanks by default are ‘no’.   From a design point of view, this means that a standard 8x11 machine-readable (optical scan) form can be used for the paper ballot.  Since the counting of these ballots would occur in the next few days after an election, the number of locations required for the optical scan systems would be minimal so cost should not be a significant factor.  

Voting by Mail.  

If you are too lazy to go vote on voting day when your ballot is secured and bundled with the rest of the community, then you don't deserve to vote.  It should be obvious that ballots mailed in can be lost or replaced.  There is no way to guarantee that your ballot counts as you intended.   This writer doesn't even like the idea of absentee ballots - except for the military - for the same reason as stated above.  

Given that we know for a fact that voting fraud has become institutionalized as evidenced by computer systems designed for vote fraud, we should do everything possible to secure the vote - and if that means that people who are out of town on voting day - don't get to vote, too bad.  Make better plans next time.  The personal problems of a few shouldn't affect the majority.  

Voting by Internet.

I don't even want to discuss it.  It's out of the question for all the same reasons that apply to paperless, computerized voting - plus more.