The Risks Digest, ACM Committee on Computers and Public Policy
Forum on Risks to the Public in Computers and Related Systems
Volume 22: Issue 17, July 24, 2002

Explanation of Voter-Verified Ballot Systems

Rebecca Mercuri <mercuri@acm.org>
Wed, 24 Jul 2002 15:54:47 -0400

This note is an explanation of the necessity for a Voter Verified Physical Audit Trail for Electronic Balloting Systems, by Rebecca Mercuri, Ph.D., Assistant Professor of Computer Science at Bryn Mawr College.  Electronic voting info: http://www.notablesoftware.com/evote.html  mercuri@acm.org, Phone: 609/895-1375, 215/327-7105.

Many of the new voting products now being purchased in the US are self-auditing in that they produce {\it only} an internal electronic audit of the ballots cast. Some of these machines have been sold with trade secret protection such that it is not possible to independently examine the machines for correct operations (except perhaps under court order, and even there the examination may be required to be sealed or not disclosed).

This situation, which is becoming more common as fully-electronic (DRE/kiosk) voting systems are introduced, means that the voters as well as the poll workers and election officials have no way to verify that their ballots are recorded, transmitted and tabulated properly.  Machines have failed in actual use and independent recounts have not been provided. (See reports in press accounts.)

Some systems re-create a set of ballots, on paper, after the election, which is presented for recount purposes.  Since this set of ballots is self-generated, errors in the equipment may be reflected in the self-audit, with the appearance of being correct.  There is no way to determine whether this after-the-fact paper reflects the true contents of the ballots cast. Only if the voter has the opportunity to review the paper generated at the time of voting, that will be used in the recount, is an independent audit possible. In the same way, if the system is used to self-report its stored ballots, its true error rate can not be ascertained.

It is essential, therefore, that voters be able to create a physical or paper ballot that is deposited at the polling place when their vote is cast. This ballot, which can be scanned in or hand-counted since it is human-readable, would be used to verify any machine-generated tallies produced from electronic (DRE) voting systems.  Only in this way can the voters be assured that their ballot will be available for an independent recount.

Congress is now in conference on the Voting Rights Act bills H.R. 3295 and S. 565.  The Senate bill refers to "audit capacity'' and "error rate'' although the House bill does not mention these specifically.  It is imperative that the compromise bill refer to a "physical audit capacity'' or even more specifically a "voter verified independent physical audit capacity'' (or audit trail) in order to prevent self-auditing systems from continuing to be accepted and used for elections in the United States.

Further explanation follows below:

All Direct Recording Electronic (DRE) voting systems must provide a physical audit trail that is reviewed by the voter at the time their ballot is cast.  (DRE voting systems are those that are constructed as to be self-contained, where the voter makes ballot choices that are directly entered onto electronic data recording devices.  These would include stand-alone kiosks as well as networked machines.)  The physical audit trail could consist of a printout that the voter can examine independent of any computerized display.  If a voter determines, at the time of balloting, that the printout does not reflect the votes they just cast on the machine, there must be a procedure where the electronic and paper ballot can both be voided and another opportunity to vote allowed.  The reviewed and accepted printout would be deposited into a ballot box for subsequent optical scanning or hand-counting in order to produce the true results for the election.  Totals provided by the DRE devices can be used to provide early returns, but the final result (in case of dispute) should be determined from the paper ballot set.  The voter-verified physical ballots must be those which are used and preserved as the permanent audit trail for the election.

Since it is, in principle, impossible to verify that a computational device is free from programming errors or nefarious code, no electronic voting system can be verified for 100% accuracy, reliability, and integrity.  It is also, in principle, impossible for a computational device to provide full fail-safe internal verification, hence any ballot audit produced from self-stored data could reflect errors or manipulation that occurred between the time the voter cast their ballot and the time the ballot was recorded.  Errors and manipulation of ballots can also occur if data is transmitted between devices or over networks.  It is essential, therefore, that each voter provide an independent check of their ballot at the time of voting, using human-readable media as the manual audit capacity for the voting system.

Confidence in the electronic recording devices can be assured only if the voters have an independent way of verifying that their ballots were cast and submitted for counting (and re-counting) as intended.