TCS Daily


Why No Paper Trail?

By Nick Schulz - November 8, 2006 12:00 AM

I voted in Maryland on Tuesday, in a suburb of Washington, DC. We used the electronic touch screen voting machines. The experience went smoothly, was straightforward and pleasant enough.

But when I got to the end of voting I hit the button that tells me to submit my ballot. After doing that, I expected the machine to print out a record of my votes. But nothing was printed. That was it. I walked away, asked a poll worker if there was anything else I was to do and he said, "nope, that's all."

As I sit after midnight watching the election results roll in, here is something I simply do not understand: Why do the electronic touch screen machines not print out a paper record of votes?

As I type this, the networks have called the Maryland Senate race for Ben Cardin (D) over Michael Steele (R). But the Washington Post, which had called the race for Cardin, has now withdrawn its call. Moreover, Steele is not conceding. This race is very close and, even though the polls have been closed in Maryland for hours, the winner is still not clear.

And so I wonder why there is no paper record.

ATM machines print out paper records. Gas pumps print paper records. Avis rental car return attendants print out paper records. Amtrak ticket machines print paper records. But not voting machines?

It may be when all is said and done Cardin will win by a large enough margin, Steele will concede and there will be no questions. But I keep thinking about something my colleague Glenn Reynolds wrote in his last column about election fraud before the election: "I also hope... that we'll see a real move to make sure both that the process of voting, and the process of counting votes, is improved."

After voting in this election, I can only conclude the process of voting is easier in many respects, which is good. But the process of counting votes can't possibly be said to have improved when there is no paper record.

UPDATE - A reader named Steve writes in: "I used to think a paper trail for voting would be a good idea. It would be great to go home and look up your vote on the web using a serial number that couldn't be traced to you. But upon further reflection, I think it is a bad idea. The problem is that an employer or union boss or other party could demand to see your receipt as proof that you voted they way he wanted you to vote. This would be illegal, of course, but the fact is it would certainly happen."


Categories:

30 Comments

Time for the next Amendment
And it must be taken up on war footing and completed well before the 2008 Presidential election. Here is my amendment, as ammended by Zelduh.

"a: Elections to all public offices, from POTUS down, shall have an INDEPENDENTLY VERIFIABLE paper trial, no matter what devices are used".

"b: ABSOLUTELY NO 'SECRET' OR 'PROPRIETARY' PROGRAMMING CODE SHALL BE USED IN ANY VOTING MACHINE, SO THAT the integrity of every voting machine can be independently certified and verified by any reputable investigator."

California machines
The machine I voted with in Colleeforneeeuh had a paper trail, but not for the individual voter.

Two requirements of voting technology that we all should ask for are:
(1) Verifiability of election tally while keeping individual votes private in that they could not be traced to individuals or correlated with votes in other races. Anyone should be able to download the data and verify the counts.
(2) Verifiability by an individual voter that his vote counted as he voted. Anyone should be able to download the data for each race and verify that their vote was counted as they intended. This would require a paper receipt, which, if they wanted to protect their privacy, they could just shred.

It can all be done with the magic of prime numbers. Upper division math... Something that a significant percentage of our electorate could thoroughly understand, and a decent high school math student could perform the verifications.

We had it right
The mechanical lever machines previously in use provided verifiability. At the end of the election, under the eyes of observers, the machines can be locked and sealed. If there is any question in the future that the counting mechanism was correctly set, it can be examined. The counters do not reset, and can be rechecked in the future without hanging chads or smudged pencil marks.

Their principle disadvantage: they don't meet the ADA requirements. Technically, that can be corrected: build new ones with the works on a platform that can be raised and lowered. Motorize it, with manual crank backup.

Reduce the need for recounts by allowing electronic readout to a handheld counter. This would be the proper use of the technology, so long as the mechanical counters remain visible.

Digital watches may or may not be a neat idea. Electronic voting booths are definitely not.

I also voted in Maryland, using an advance paper ballot...
... as recommended by Gov. Ehrlich, because of the debacle with the voting machines during the primaries.

Maryland no longer requires an oath that one will be absent on election day to use the advance paper ballot. I have reservations about this advance procedure from a (small-R) republican perspective, but used it anyway because I feared the machines would not work well.

It turns out that 9% of Maryland voters used advance ballots. These will not be counted until Friday at the earliest, I am told. Many races are within the margin of the advance ballots -- and no one knows whether Republicans or Democrats were more likely to request such ballots.

I haven't seen the local or national press pick up on this yet.

Why would a paper trail help?
Please, someone explain this to me. I've heard pleas for a paper trail for years now, but no explanation of what function they would serve.

Is the theory that, in the event of a really close race, of if there were suspicions of fraud, everybody who voted would get together and pool their paper receipts to count them up?

This strikes me as totally fantastic. The method is useless unless 1) everybody keeps their receipt, 2) the receipts are absolutely forgery-proof, and 3) everybody who voted sends their receipt to the recount officials.

Realistically speaking, all three of these are highly implausible. In the aggregate, there is a 0% chance of this happening. So, what's the point? Please enlighten me.

paper is useless in this application
ATM machines, gas pumps, ticket sales of various types, all involve money transfer. Voting does not, and won't as long as a poll tax is unconstitutional. So you won't be getting a receipt any time soon. I just voted with an old-fashioned paper balot, and I didn't get a receipt either, so don't be too distraught.

A paper receipt would tell you nothing at all about how and electronic machine officially tallied your vote. With modern electronics it would be no trick at all to print one thing on your receipt, and send something else altogether over the wires or into its little electronic memory. There's no way you can check that. An electromechanical device somewhat like a teletype or an old cash register would be relatively foolproof as it can't be reprogrammed invisibly.

The other way to spruce things up would be to start counting election fraud as a genuine crime, with severe penalties for deliberate attempts to game the system. But that won't happen because it involves punishing actual criminals (horrors!), some spokesman for a favored minority group will claim that he's "intimidated" and therefore "disenfranchised", and too many parties have vested interests in how things are (think traditional "party machines" such as those in Chicago or St Louis). The actual hardware isn't the problem. Speaking of which ... I note that the software here ignores paragraph breaks. What's up with that?

format
Looks like the paragraph breaks don't show up in "preview" but do show up in the post. That's just bad programming. Somebody should get a job at Diebold.

Butler County, OH - Paper here!
Electronic voting machines here print a paper record as part of the confirmation process. Voter is asked to review paper printout that scrolls on the lower right of the machine before final submission of the ballot.

Paper receipts are for chumps
While BoscoH's requirements for voting technology sound good, they are actually useless. They don't provide any real accountability or verifiability. Let's assume that I'm a evil vote manipulator, call be DiBold! Consider the following easy manipulation:

First let's establish the paper trail requirements:
a) each ballot is assigned a unique number for tracking - the number is not correlated to the individual voter
b) each voter is given a paper receipt showing the tracking number and how the vote was recorded

Sounds Great! Except that I'm DiBold the Manipulator!

The easiest manipulation would be to siphon off a small percentage of the straight-line votes (say 5-10%) and give those votes to the party of my choice. So how is this done? It's easier than getting the dead to vote...

c) I capture the unique tracking number of the first straight-party ticket vote for the "wrong" party
d) Then for 5-10% of the straight party voters I'll
- record your vote correctly to the touch screen, giving you that warm and fuzzy feeling
- I'll print your paper receipt with your now non-unique tracking number
- Then I'll record your vote incorrectly to the database with a new unique tracking number

When the votes are tallied the unique numbers will correctly match the number of voters. You'll check the database with your paper receipt and get the warm glow of certitude that your vote was correctly recorded while I steal the election.

The paper trail
will be with the county, in a sealed container, to be opened in case of a dispute.

There may or may not be any paper given to the voter.

That is my idea.

As always, follow the money.
It costs money to add printers and paper, and they're also just one more thing that can need attention from pollworkers on Election Day, whether it's clearing paper jams, or loading fresh paper, or whatever else.

There are also debates over just what should be on a "receipt" -- should it say, "You voted, good job, go have a beer now"? Should it say "Thanks for voting, Fred K. Smith; here's who you voted for"? Should it be somewhere in the middle of these extremes, and just where? There's history that argues against anything that can be tracked to individuals, as people have been pressured by unions, or by employers, or by other groups to vote a certain way in certain races, and to produce proof that they had done so.

There's no system that *cannot* be gamed, at least to some degree, if you assume enough people in authority with malice. It's a question of getting as close to the ideal as is practical, but defining "practical" isn't as easy as it looks. Working loose the funding to overhaul voting systems is tough, because Congress feels like they already covered that with the "Help America Vote Act"; I've heard Sen. Dodd say so with my very own ears, and other Congressfolk have said similar things.

It doesn't help matters for some of the loudest opposition to e-voting to be led by shrill anti-Bush partisans who insist on grand conspiracy theories (yes, Bev Harris, I'm talking to you). There are also lots of other constituencies that have interests in the minutiae of reforming the voting process, whether it be visually-impaired voters, or people who are non-literate in English, or people who want to reduce fraud, or people who want to make registering to vote even easier, or many others. It also doesn't help that the process for getting voting machines certified is laborious, with even the most minor of changes requiring extensive review; nor does it help that HAVA had a deadline for spending the money it allocated, but didn't allow for the unconscionable lag in getting the Election Assistance Commission up and running.

I've been very impressed personally with the ES&S Automark -- it's a touchscreen machine that takes the voter's choice and automatically fills in an optical-scan paper ballot. There are still a few bugs to be worked out, but it seems to address most of the serious concerns I've ever seen raised on e-voting. Still, many jurisdictions were required by HAVA to have already bought new equipment that had been "certified", even if it didn't have any form of paper record associated with it. Still, few if any states seem willing to sack up and pay for new voting machines on their own, and the Feds aren't interested in providing more money at the moment.

Not so sure
I am ok with a, not with b. I like the machines and they're perfect for most elections where races aren't close. It's the close ones where a paper system would be good

ood point
a lot of folks i know like the levers -- good point about ada, but we should be able to update for that

nick

Extremely interesting
I did not know this, many thanks, I wonder if people will pick up on it -- not sure it will make a difference but it is really interesting nonetheless.

nick

Newspaper consortium
The newspaper consortium in Florida in 2000 was able to determine, thanks to paper records, that Bush won. If there had been no paper records, thay could not have gone back and demonstrated that. Redundancy is not a bad idea. I like the electronic machines, and nothing is foolproof of course, but I'm surprised there's no paper record. Plus, a printout would be nice to have :)

nick

good point
on election frauf

interesting
sems like that couldn' hurt -- in maryland there's a summary digital page, and that's useful, but a paper system that's redundant might be a good idea too i'm not dogmatic about this, i did just think the whole thing weird

ns

I disagree...
A voting machine could be used to generate very secure ballots if designed properly. If you were to generate a hash of the registered personal information for a voter using say... the SHA1 algorithm, you could hand every voter a mathematically unique voter card without relying on something as funky as social security numbers. All the machine would see is say... 003bfe829ec80d74d9ea4e4729b77c0661d1ff64 along with a series of options selected. You take that, print it out along with say... a holographic seal generated for each voting precinct in the country and you've got yourself a much harder ballot to fake.

The voting precincts can then scan in the ballots, check the hash value against what they have and be guaranteed to a pretty reasonable degree that only registered voters were voting. Not only that, but with a proper trust chain based on a PKI model you could end up with a very, very secure system. The only problem is that it relies on three assumptions: voter registration groups will abide by the law, precincts will turn away those without the proper code/id and people are willing to give up some of their anonymity when they actually cast their ballot in order to have an increased ability to trust the results of the election and secure the worth of their vote.

Ohio got it exactly right
I voted in Ohio yesterday using Diebold electronic voting machines that had a paper trail. They did it exactly right. The paper tape was behind a plastic window, so you could see it but were not intended to take it. The process was that after you went through the electronic ballot they would print a summary of your votes on the screen and on the paper, at which point you were asked to verify both displays and then press a button that would cast your vote. You could go back at any time.

Why this is good: regardless of any software hijinks inside the computer, if people verify the paper tape before casting their vote, then the machines will have a paper audit trail of all votes cast there. That means that, if necessary, a manual recount can occur that would be as good or better than any manual recount of punch card ballots.

Why voting receipts are a TERRIBLE idea: because it facilitates voter manipulation and intimidation. Imagine a business offering discounts or free merchandise in exchange for voting receipts showing votes for certain candidates or issues. Imagine an employer or union boss requiring proof (off the record, of course) of voting in a certain way. The only way to maintain the integrity of the vote is to keep it secret, just between the voter and ballot box.

Providing a receipt does nothing to improve the audit trail when the machines thmeselves provide an effective one. All it does is open the system to people who want to literally buy votes or bully people into voting their way.

Congratulations to Diebold and Ohio for getting it right!

It's Already Happening....
TO: Nick Schulz
RE: ....I'm Sure

"A reader named Steve writes in: "I used to think a paper trail for voting would be a good idea. It would be great to go home and look up your vote on the web using a serial number that couldn't be traced to you. But upon further reflection, I think it is a bad idea. The problem is that an employer or union boss or other party could demand to see your receipt as proof that you voted they way he wanted you to vote. This would be illegal, of course, but the fact is it would certainly happen."" -- Nick Schulz, citing Steve

In our household run for public office we had a number of people say they would vote for the candidacy, but they could not support it.

Why?

Out of fear that their name would come before their boss/union leader as supporting a candidate they didn't approve of.

All this because of McCain & Feingold.

Regards,

Chuck(le)

Better cryptography is not the answer
CodeMonkey: as a fellow software simian I'm familiar with the techniques you are describing. While these are state of the art methods, the problem is that hackers won't attack these systems by taking on their strongest aspects. In other words, they won't try to crack SHA1 and the PKI certificate protocols directly, they will work with human factors and go after the weak points in the overall system, which almost always involve human fallibility.

So how do you protect against that? As the saying goes, sunshine is the best disinfectant. You need to make the whole system more accessible, not less. That's the only way that the people in charge of guaranteeing the integity of the voting process can do their jobs. Putting everything behind the impenetrable wall of a one-way hash only guarantees that if someone does manage to game the system, it'll probably be next to impossible to prove it.

The problem with electronic voting is that the storage medium is essentially invisible. A visible paper trail is a solution to that. Allow people to inspect a secure printout (i.e., one that stays with the machine) before they cast their ballot. That allows voters to verify that no matter what kind of error or fraud takes place in the software, if an audit is done using the paper trail their vote will be counted correctly. And that's really about the best you can do.

There was a paper trail - sort of
I too voted in Maryland (Laurel). I noticed there was a printed piece of paper dangling out of the back of the voting machine - like a cash register receipt. I did not dare touch it or get close enought to read it for fear of being accosted by the precinct police. Sorry I didn't ask what was on it.

Here was my electronic voting plan from the beginning. Use touch screens. At the end, it prints out a scannable paper ballot filled in just as you voted. You hand that in or feed it yourself into a reader. You then have 1) electronic count, 2) paper trail, 3) second count for verification, 4) backup system, 5) a way to easily reproduce and recount the votes.

That's a lot of what I said
I said that the voting precinct would have your hash and all of the information used to generate it, so it would be verifiable for them. Then the voting machine would generate a paper ballot for you that you would give them to tally up or put through one of the old scantron machines. That, and I said the weakness is ultimately with the willingness of the government to tolerate inaccuracy, intimidation by race/age baiters and poverty pimps like Al Sharpton and Jesse Jackson among other human weaknesses :)

Almost a plan
One question: what does the scannable paper ballot look like? Is the part of the ballot that is scannable also human-readable? If so, fine. If not, that's a flaw because the voter has no way to verify that what they voted for is what got printed on the ballot.

Rereading...
Apologies if I misrepresented your post. Would you agree that your suggestions mainly target user (voter) authentication, and hence are tactics against voter fraud rather than ballot integrity?

In that light they make more sense, but it has seemed to me that the main concern with the new electronic voting machines is the lack of a secure, physical audit trail. The method of validating voters hasn't changed. Maybe it should, but there are other reasons why that probably won't happen, one of which is the lack of political will to turn away anyone at all. We can fix the audit trail issue just by adding a paper trail, and no encryption is needed for that. (But I see now that that is not what you were saying.)

When I heard we were still going to use the lever machines...
...I breathed a sigh of relief.

My husband went down to the polls at the end of the night (he volunteered to be a "poll watcher"). He observed the way they locked and sealed the machines at the end of the night. Then he and another person were assigned the same two machines (redundancy is a good thing), and they copied down the results for each candidate.

His opinion is that it may take a little more time to tabulate the results; but in view of the fact that Election Day comes only once a year, it is well worth the effort.

two words
Secret Ballot

Paper Trail Misconceptions
I haven't read through all the comments, so forgive me if this has already been pointed out:

A paper trail does NOT involve a take-home receipt. This would be useless for vote audit purposes.


What a paper trail means in terms of vote security is this: You register your vote on an electronic machine. The machine spits out a paper readout that lists your selections. You verify that they were recorded correctly and turn the paper receipt into a secured ballot box. In the event that any questions arise as to the accuracy of the vote count, the paper receipts can be hand counted.


The advantages of electronic voting are speed of use and speed of tabulation. But the machines are subject to innocent errors or malicious hacking. With a verifiable paper trail you ensure that any disputes or suspicions are put to rest with a hand count of the receipts. All the receipts are uniformly printed by the machine - no errant smudge marks, no "hanging chads".


There is NO RATIONAL REASON WHATSOEVER why we can't meld the speed and ease-of-use of electronic machines with the security of verified paper receipts.


The Republican Congress stood in the way of this common sense vote casting reform for six years. Enough is enough.

Paper Trail Misconceptions
I haven't read through all the comments, so forgive me if this has already been pointed out:

A paper trail does NOT involve a take-home receipt. This would be useless for vote audit purposes.


What a paper trail means in terms of vote security is this: You register your vote on an electronic machine. The machine spits out a paper readout that lists your selections. You verify that they were recorded correctly and turn the paper receipt into a secured ballot box. In the event that any questions arise as to the accuracy of the vote count, the paper receipts can be hand counted.


The advantages of electronic voting are speed of use and speed of tabulation. But the machines are subject to innocent errors or malicious hacking. With a verifiable paper trail you ensure that any disputes or suspicions are put to rest with a hand count of the receipts. All the receipts are uniformly printed by the machine - no errant smudge marks, no "hanging chads".


There is NO RATIONAL REASON WHATSOEVER why we can't meld the speed and ease-of-use of electronic machines with the security of verified paper receipts.


The Republican Congress stood in the way of this common sense vote casting reform for six years. Enough is enough.

why no paper trail
After voting in Hagerstown Maryland on Tuesday, the opportunity to express my concerns of no paper trail to an election official presented itself. My suggestion is that the election machines could print out a paper trail much the same as an ATM. There could be two copies, one for the voter and one for the election officials. The election official responded that we have never done it this way in our history. This response was disappointing to me since in our constititution and declaration we have the right to change our government any way we want and insuring the intergity of elections seems like something important. We changed when we went to computerized voting in the first place. The way we vote has changed many, many times. On a personal note, all of my life I have recoiled at the response "we have always done it that way." The spirit of America can be summed up in the sentiment - principle is not bound by precedent.

TCS Daily Archives