April 21, 2008 9:00 AM PDT

Shamos: Why e-voting paper trails are a bad idea

Carnegie Mellon's Michael Shamos, pictured here in his home in Pittsburgh, says that paper trails are hardly the solution to worries about the security of electronic voting machines, and when mandated by law, stifle further research.

(Credit: Declan McCullagh/News.com)

PITTSBURGH--Many computer scientists have been arguing for years that electronic voting machines absolutely must sport paper trails that can be verified by the voter and subsequently used in manual recounts.

It's a formal policy position of the U.S. arm of the Association for Computing Machinery, the professional organization of computer scientists. Stanford University's David Dill even created the pro-paper-trail Verified Voting Foundation and has co-authored an article for us that argues against Internet voting, too.

But support of paper trails is not unanimous. Michael Shamos, a professor of computer science at Carnegie Mellon University who teaches an e-voting class and has been a consultant to the Pennsylvania government since 2004, believes that electronic methods of tabulating votes actually tend to be more secure than paper-based ones.

In addition to reviewing the source code of some electronic voting systems under nondisclosure agreements, Shamos has been an e-voting consultant for Texas and Nevada. An April 2004 paper he wrote says that e-voting systems do have risks but paper isn't the answer (and suggests alternatives). In it, he quips that out of a million or so computer scientists and mathematicians, only 100 or so have signed a statement calling for paper trails; it drew an angry response posted at Verified Voting's Web site.

I sat down with Shamos on Friday at his home near Pittsburgh's Shadyside neighborhood, a few blocks from campus, to talk about e-voting and the Pennsylvania primary that is scheduled to take place on April 22. Following is a lightly edited (I abbreviated some of my questions and some of his answers) transcript of our conversation.

Q: How many different e-voting systems does Pennsylvania use?
Shamos: The number of different systems we use in Pennsylvania has gone down by one because one was decertified. We're down to 9 or 10. We have one of the most diverse voting systems of any state in the country. We have only 67 counties.

It means that if you were to mount a statewide manipulation, you couldn't do it. There's some security in numbers.

How many voting machines in Pennsylvania produce voter-verified paper trails?
Shamos: We don't have paper trail systems in Pennsylvania. Please don't use the term "paperless." It's a construction of the advocates and it's false and misleading. They're not paperless. They just don't produce a contemporaneous paper that the voter can view.

The word "paperless" is really insidious. The word "less" is meant to imply that they're thereby missing something. Whoever decided to come up with the term "paperless" deserves a left-handed prize for their imagination. It's wonderful for them. Paperless.

Would you agree that a paper trail is important?
Shamos: I wouldn't agree to that. No. Why is it important?

Should I try to answer that?
Shamos: You'll give me an answer. It won't be a good answer.

If you have voter-verified paper audit trails, voters can actually look at a physical representation of their cast vote, which provides a check against election fraud or malfunction. Without that paper trail, an intentional or unintentional glitch in the machine can skew the election and not be detected.
Shamos: The theory of the voter-verified paper trail is that, at the time the voter is in the booth, the voter sees double. They're assured that their correct choices are recorded on the physical medium. Regardless of what's on the machine, it's on the paper. The paper drops into the box, nobody has any clue what's in the box, how many pieces of paper are going to be added to the box, subtracted from the box.

Every manipulation of elections that's been proven has involved the manipulation of paper.

And in every election, we see paper ballots that don't match up. It's much worse with paper trails. This creates a severe legal problem in states where the paper trail is the official ballot, Ohio for example. Such states always ignore the law. They have to ignore the law. Twenty percent of paper trails (tend to be) missing or illegible.

If they're a computer printout, why would they be illegible?
Shamos: The real reason is that the printers are made in China and as you saw recently with Ed Felten, they can't even produce legible numbers. They're crap.

(Often what happens) is that it jams and the printer overprints. The voters don't notice because they're not used to this. Another thing that happens is that the bag (of printouts is returned and can be manipulated).

Over and over again, some number around 20 percent doesn't exist or can't be read. What the law requires is that the electronic count, presumed accurate, must be discarded, and 20 percent of the electorate must be disenfranchised. Yet advocates claim that a paper trail is the most reliable mechanism. How can it be reliable if 20 percent is lost?

I'm not saying you can't make a reliable paper trail. You can use ATM technology. The reason we don't use ATMs is that they cost 10 times as much as voting machines.

The Holt bill failed. If it hadn't failed, it would have outfitted these (voting machines) with cheap printer parts. You won't hear that from the advocates. They will never admit that a paper trail machine loses votes.

When you say "advocates," who or what do you mean?
Shamos: Let's start with VerifiedVoting.org. And we can go all the way to the EFF and the League of Women Voters. There are numerous organizations that have taken the position that paper trails are the only way to safeguard elections, no matter that they lose 20 percent of votes.

Let's assume that 100 percent of voters verify the paper trail, though experimental numbers are closer to 8 percent. How are we going to make use of the paper trail? One is with an audit (that looks at statistical sampling and discrepancies). But if a discrepancy is found, we will not accept any of the electronic totals. That works, assuming that all of those pieces of paper got created correctly, and are subject to the same kind of security safeguards that the advocates insist on for electronic machines.

The problem is that when you vote electronically, multiple copies of your ballot image are recorded in memory. (Once a memory card is removed it becomes virtually impossible to tamper with.) Those systems are perfectly safe from after-the-fact tampering. They may not be safe from before-the-fact tampering.

Compared to paper and its vulnerability to after-the-fact tampering?
Shamos: I'm not advocating that we blindly trust machines. We have to have a way to make sure the (record is correct). If anything happens to that piece of paper, if it gets substituted or lost, there's absolutely no way to reconstruct the election. That's unlike an electronic system, where if one memory fails you have the other.

The security on ballot boxes is much lower than the security on voting machines themselves. In order to do anything with those pieces of paper, they have to be handled by people. What do you think happens?

If I want to screw up an election, all I have to do is modify five votes. Then we have to do a manual recount (which is vulnerable to tampering and ballot-stuffing).

One way to address that problem is to use some kind of cryptographic mechanism, like a digital signature, on each piece of paper.
Shamos: You have stated that one can put various cryptographic codes on the ballots to ensure their authenticity. The fundamental problem is that they're not human-readable.

When someone votes for Hillary, it prints out an invalid bogus code. We put it under a scanner later.

You could have a second machine created by a second manufacturer that validates the digital signature on a ballot.
Shamos: The voter could go over to a second machine and say, yes or no, this is a valid ballot. Then the (person who wants to throw an election) goes to the second machine and tampers with that component, too.

The fundamental difficulty with paper trails is that they're ridiculously kludgey. The problem is that once you mandate paper trails, it cuts off research. There would be no reason to use anything else because it would be illegal.

Only in the United States, or in one jurisdiction.
Shamos: What we really want are end-to-end verification systems. I want to be able to tell that my vote was counted. These paper trails do not provide end-to-end verification. No serious manufacturer is working on end-to-end verification. We're not making any progress toward that end except in the theoretical journals. Why? Because the idea of paper trails has completely gummed up the works.

We're going electronic. The next generation is convinced they're going to vote from their cell phones. (It's going to happen.)

The real problem is reliability. The systems fail. Furthermore, the code isn't good. The code is riddled with bugs, most of which don't affect the accuracy of the tally. But we don't know when those conditions occur.

Does that mean you're suggesting that we should be voting from insecure home computers even if they're running Windows 98?
Shamos: I can point you to a mechanism (in a paper by Avi Rubin and Dan Wallach) that would allow secure voting on insecure terminals. The notion that the Internet is just not secure enough to do anything important is just wrong. It's not insurmountable. The right people aren't thinking about it because you gotta have a paper trail.

Do you think an increasing number of your colleagues are coming around to your point of view?
Shamos: No. I wouldn't expect them to. (They may be very good technologists, but) they don't know anything about elections. They don't know how votes are counted.

Does that mean that you think that some of the fuss over Diebold is overblown?
Shamos: The equipment is not as reliable as it should be. The software is not designed as well as it could be. The manufacturers are secretive. I've been involved in a number of source code audits of voting systems and these audits always produce a huge list of vulnerabilities. I've never found bugs that interfere with the integrity of an election. But you don't want them there.

(Take the case of the reported problems with the Diebold GEMS tabulation system). I don't think it's utterly fatal to electronic voting machines in the United States. What the advocates will tell you is that that bug is just the tip of the iceberg and if they were granted access to the source code, they would find more. I would agree with them on that.

If the codes were published, there would be a period of time when these vulnerabilities would be found--a lot of buffer overflow errors--and then they would be fixed. And everyone would know it's fixed.

The naysayer thinks it's throw-the-election-to-Republicans code. That's not there. It's horrible spaghetti code, lack of software engineering. These things have to satisfy every quirk of the voting laws in all 50 states.

So you're saying it's easier to hack an election with paper ballots than it is with electronic ones?
Shamos: I say, and the advocates are forced to admit it, that there's never been any evidence that a DRE machine has been tampered with in an election. They say that doesn't mean it never happened. I agree with that. But I believe deeply that if people were out there trying to hack elections we would see evidence of failed attempts.

To believe that in the lack of evidence means that the first person who hacked an election got it right. Remember Robert Tappan Morris and the Internet worm? I would get worried if we start to see systematic evidence (of increasingly robust) attacks. But we've never seen any of those. That's what consoles me. I have to believe that a really improbable event did not occur: that someone found the perfect hack the first time.

Isn't it optimistic to think that officials and auditors will necessarily be able to detect the first real attack on e-voting machines?
Shamos: Technology is always required in elections. The days of the hand-counted ballots are over. You can design technology in a way that makes the problems readily apparent or that they're disguised. My position is that when a problem is found, it's an engineering problem.

When a bridge collapses, do we outlaw bridges or do we inspect bridges of similar design? If the design itself is fundamentally flawed, then those bridges are going to have to be taken out of service and rebuilt. If there's a fix, however, you can add a bracing member.

What's happened (in discussions of electronic voting) is that a strong, loud populous advocacy voice said "We are computer scientists and know quite well the vulnerabilities of electronic voting systems and those vulnerabilities are so severe that the democratic process is at risk." I don't think those conclusions are justified.

116 comments (Page 1 of 4)
How can voting machines tabulate NEGATIVE votes?
by basraw April 21, 2008 10:06 AM PDT
Ok MR COMP SCIENTIST ANSWER THAT QUESTION "How can voting machines tabulate NEGATIVE votes?" Watch that movie by that grandmother who went looking for answers. As a computer scientist myself, I would know how to rig the computer to display different results. IT'S NOT SECURE!
He makes some valid arguments...
by umbrae April 21, 2008 10:06 AM PDT
However, as a voter I want a receipt to confirm my vote. There could be some sort of dual receipt system: one for the user and one machine readable. The voter can confirm their vote and drop off the machine readable for later use. Things that happen in the machine are a mystery to voters and so many things can go wrong that are never made public. Until an e-vote system has been used for a long period and validated, I think the machine readables should ALWAYS be counted after the election and made public to confirm. Sure there are problems with paper, but most of these things are later discovered. If a machine is altered or compromised we would never know for sure.
SO WE DON'T NEED RECEIPTS FOR ANYTHING???
by jas9990 April 21, 2008 10:14 AM PDT
AND HERE I AM SAVING RECEIPTS FOR EVERY TRANSACTION IN MY LIFE. I GUESS WE CAN NOW TRUST OTHER PEOPLE TO NOT BE DISHONEST CRIMINALS! BECAUSE THIS IDIOT SAID SO. I DON'T KNOW ABOUT YOU PEOPLE, BUT I'M GOING TO RIP UP EVERY RECEIPT AND FINANCIAL RECORD I HAVE. BECAUSE NOBODY WILL EVER, EVER, THINK TO USE MY LACK OF PROOF AGAINST ME.
Disappointed
by godofbiscuits April 21, 2008 10:34 AM PDT
I'm a graduate of CMU and I'm kind of disappointed to see faculty from here with responses like these. If "paperless" is wrong, word and deed, then what *is* right? What's his proposed solution?
He misses the point of independent verification
by Bernardo Ortiz April 21, 2008 10:35 AM PDT
Let's look at what the US demands of other countries. We want to go in there and independently verify the vote. For any process, you need to be able to send in an independent auditor to be above suspicion. To do this, you must maintain a full paper trail, with who voted for whom such that the auditor can contact individuals at random to verify that the voter in fact exists and that this in fact represents their vote. You only avoid this when you have something to hide, such as cheating in the elections. Remember, Ohio had more votes than residents or registered voters in the last presidential elections, something like 110% turnout.
bridge analogy sums it up
by adammasri April 21, 2008 10:36 AM PDT
"When a bridge collapses, do we outlaw bridges or do we inspect bridges of similar design?" An interesting analogy. When a bridge collapses, everyone saw it, everyone can comment on it, everyone can discuss what happened & make sure it doesn't happen again because it is in the public view. The bridge designer & builder don't claim that trade secret laws are violated by independent review. http://www.nj.com/news/index.ssf/2008/03/voting_machine_maker_threatens.html Voting machines in their current form are built by secretive companies with possible political agendas of their own, with no independent review of machine or code. The people have no way to verify that the machine accurately counted their vote, and an election wasn't stolen at any point in the process. I agree that one day a verifiable paper trail may be unnecessary, but we're not there yet. If you haven't seen the movie, "Hacking Democracy," you need to. The current election system is broken. http://www.hackingdemocracy.com/
wow... the nice govt men are trying real hard ha!
by MyRightEye April 21, 2008 10:42 AM PDT
His main points are debunked through personal experience. The way paper ballots are counted creates a very near 100% accuracy for vote counts. The electronic machines have shown IN THE FIELD to be highly inaccurate. This is just propaganda. One of the longest and most detailed reads I have ever seen on CNet. I WONDER WHY!!! NOT!
Paper versus Paperless
by emellaich April 21, 2008 10:48 AM PDT
I am not saying that we can't improve things, but I believe the 'paper trail' people are making a typical argument that I see from users all the time. They are actually holding up the 'new' system to a standard higher than the old system.

Let's look at old fashioned paper ballots. As an example, we can use the pin punch paper ballots of hanging chad fame. I vote on such a ballot. Then I pull the ballot out and look at it. I can't verify that my vote is correct. I have a piece of stiff paper with a bunch of holes in it. There is no way to know easily what each of those holes mean. Now, I walk the ballot over to a box where I insert it. I have no way of knowing if my vote actually was counted. It's not just the infamous hanging chad. I've read stories about boxes of ballots that are found weeks after the election. Furthermore, ballots are designed to be anonymous. That means that I can never find my ballot again after it is put into the system. If a random poll worker decides to substitute a bunch of ballots with votes for the green party I'll never know it. There is no 'audit trail'. Let's say that a voting booth gets something stuck in the ballot slot so that the ballots don't align correctly, or the pages with the actual candidate names or issues are incorrectly printed or aligned on some number of machines. Once the machines are torn down all we have is a bunch of paper cards with holes. There is no way to know what the voter actually intended to mark on the ballot.

I am not saying we should accept shoddy programming filled with open back-doors. However, you should not believe that delaying the roll out of electronic alternatives means that the practice we use instead (paper) is any more secure or reliable. Furthermore, I believe we have a lot of issues to cover before we are ready to go full bore into full electronic traceability. Today, the privacy of our vote is a fundamental factor in the voting process.

Let's consider the abuses that can occur if we supply 'proof' of voting. This proof could actually be used as coercion to force voters. Let me give several examples:
- A patriarchal culture, one where the father is the head of the household. Dad insists that everyone votes for XYZ candidate and votes against referendum ABC. Mom and the young adults must show their voting receipt.
- A religious cult. The head of the cult insists that everyone vote only his way.
- Union members pressured to vote the party line.

The point is that when votes become personally traceable and visible they also become subject to external pressures and manipulation. There is a reason that voting booths are designed with privacy. Whether it is a paper receipt or the ability to verify your vote on the internet -- these paper trail suggestions threaten to fundamentally change the voting process. Likewise, absentee ballots, cell phone voting, and internet voting may mean that our voters are casting their ballot with some authority figure watching over their shoulder.

I propose that the proper question is not whether electronic systems are vulnerable. It's which system that is available to us today is safest, most reliable, most efficient. And for tomorrow, we should consider which system can be improved to meet similar concerns. However, in our debate over the future we need to address the social issues and pressures of voting. First figure out if we really want to change the fundamental principle of a private ballot before we redesign the machines.
why not fix the printers?
by Harlan879 April 21, 2008 10:58 AM PDT
There's nothing wrong with end-to-end computerized systems, if they're done correctly, but this professor seems not to realize that *they don't currently exist*!! The current best technology involves recountable paper ballots, either printed by a computer or marked by hand. (The best solution is a computer interface to a readable paper ballot, which is the only thing that gets counted. Then handicapped people can vote privately, using the computer, but there's only one set of ballots to worry about.) Let's worry about the election of 2032 later, but make sure that the elections of 2008, 2010, and 2012 are fair.
Simple solution: optical scanning
by ckm5 April 21, 2008 11:24 AM PDT
That's what I have used in every single election I've voted in. The ballots are easy to use (just draw a line), the votes are counted electronically, and you can always go back and look at the voter marked originals. Heck, you can even count them by hand if you want. Seriously, why does this guy have to make things so complicated? I've been doing computer engineering for almost 20 years, and this is just typical. All of those touch screen systems are a result of an over-engineered solution to a simple problem. And those optical scanning systems? The first time I ever voted (in 1990), they were already in use....
  • About The Iconoclast

  • Declan McCullagh has covered politics, technology, and Washington, D.C. for over a decade, which has turned him into an iconoclast and a skeptic of anyone who says: "We oughta have a new federal law against this."
