Election reform, the Voting Rights Act, the Help America Vote Act, and related topics -- with special attention to the voting rights of people of color, non-English proficient citizens, and people with disabilities
Dan Tokaji's Blog
- Election Law Blog (Rick Hasen)
- Election Updates (Michael Alvarez & Thad Hall)
- Votelaw Blog (Ed Still)
- Leave it to the Lower Courts: On Judicial Intervention in Election Administration, 68 Ohio State Law Journal 1065 (2007)
- The New Vote Denial: Where Election Reform Meets the Voting Rights Act, 57 South Carolina Law Review 689 (2006)
- Early Returns on Election Reform: Discretion, Disenfranchisement, and the Help America Vote Act, 73 George Washington Law Review 1206 (2005)
Tuesday, June 27
Brennan Center Report on Voting Technology
The Brennan Center today released a report assessing the threats to the most commonly used types of voting technology. Its report includes an analysis of direct record electronic (DRE) machines, both with and without a contemporaneous paper record, as well as paper-based optical scan voting systems. The bad news is that all three forms of voting technology are susceptible to fraud and manipulation, if appropriate procedures aren't in place. The good news is that the report finds that appropriate security protocols can significantly reduce those risks.
While I've only had a chance to review portions of the report, the approach it takes is a welcome one. It goes through in some detail potential scenarios by which attackers might attempt to manipulate election results with each type of system. This provides the sort of comparative perspective that's been missing from much of the advocacy efforts over voting technology. It also makes some helpful, practical suggestions. Among them is the implementation of parallel testing for electronic voting machines, which I've advocated for a long time.
Among the portions of the report that are likely to garner significant attention are those having to do with the utility of a contemporaneous paper record of electronically cast votes, the so-called "voter verified paper audit trail" (aka, VVPAT or VVPT). Those records will only provide an effective check against manipulation if there are automatic audits of a sufficent number of them. (It doesn't appear that the report contains specific recommendations as to what percentage need to be recounted as a routine matter to obtain a sufficient level of confidence in results -- a key piece of information -- but it's possible that I missed it.)
The efficicacy of those paper records also depends on whether voters actually check them. On this point, pages 65-67 of the report are of special interest -- the best analysis I've seen so far of how a sophisticated attacker might try to evade a VVPAT system. Briefly, that attack would involve having both the paper record and the electronic record mis-record the voter's intended choice. If the voter didn't notice, then both records would be accepted. If the voter did notice, then he or she could reject the paper record and vote again, and the second time around the correct choice would be displayed. Some of those who checked would presumably believe that they'd made the mistake.
The VVPAT system will only function as an effective check on such an attack if voters actually check the paper records. The report notes a study by Ted Selker and Sharon Cohen of MIT, finding that only 3 of 108 such "errors" were detected by voters using VVPAT systems. The Brennan Center report expresses skepticism that only 3% of voters would notice such an error in a gubernatorial race. They may be right about that, but the risks of such manipulation are probably greater in a down-ballot race where a fewer number of votes would have to be changed in order to change the result -- and as to which voters are probably less likely to check the contemporaneous paper record.
Moreover, if we hypothesize a sophisticated attacker with access to the software, it wouldn't be difficult to manipulate the print-outs in a way that would escape most voters' notice. Take, for example, the system used in Franklin County, which I described here. That system prints out each choice and change as its made. It allows voters to change their choices at the end of the voting process, in which case a notation would would be made on the paper tape. If I were attempting to mount an attack on such a machine, I'd program it to record a false change on the paper tape at the very end, after the voter has completed the voting process and presses the final "confirm" button. That change on the tape would appear right before the bar code and other items printed out at the end of each voter's ballot. Only the most diligent voter is likely to notice such a change. This doesn't appear to be something that the Brennan Center's report looked at, since it wasn't examining particular features of different VVPAT models actually in use.
I'm not suggesting that such an attack is likely. But if we hypothesize malicious attackers who are sophisticated enough to tamper with a DRE's software, the increased difficulty of "fooling" the VVPAT would seem to be minimal. And that's true even if we assume that a statistically significant number of paper records are automatically audited on a routine basis. All in all, this should be sobering for those who supposed that attaching a printer to DREs was the solution to the security issues that have been raised about this technology.