Why I like paper ballots

If you look at any data sheet for a piece of electronics or any EULA for a packaged piece of software, you will notice terms along the lines of “Life-critical systems” or “Life-support systems”. For example, this is a quote from the last page of the Fairchild Semiconductor 74ls154 data sheet:

As used herein:

  1. Life support devices or systems are devices or systems which, (a) are intended for surgical implant into the body, or (b) support or sustain life, and (c) whose failure to perform when properly used in accordance with instructions for use provided in the labeling, can be reasonably expected to result in a significant injury to the user.
  2. A critical component in any component of a life support device or system whose failure to perform can be reasonably expected to cause the failure of the life support device or system, or to affect its safety or effectiveness.

They need to put these warnings there because if their component fails, somebody will die and they will very likely get sued. Thus, at the very least, they need to be able to pass on the cost of added liability insurance to the purchaser.

The categories of systems where the system could kill people have a remarkably different engineering workflow than normal software. The costs are higher because any flaw, no matter how miniscule, could kill somebody. There is never a single critical string of components, everything needs to have a backup. Ideally, the backup should be constructed differently so that you won’t make the exact same mistake twice. And you want to have a backup computer that takes all of the outputs of the primary computer or computers and works them in reverse, so that you will know if there is a problem. As a general rule, you don’t use Windows or any other “consumer grade” operating system. You may not even use one of the special-purpose embedded operating systems. You don’t even trust the compiler, often times they will disassemble the code and make sure that it is producing what it should be producing.

Have you ever considered the consequences of a voting system being flawed?

If you use a 74ls154 in a pacemaker and it fails, one person dies. If you use a 74ls154 in a fly-by-wire aircraft computer, several hundred, perhaps a thousand people die.

What about if the wrong man becomes president? Now, I’m not trying to minimize the suffering of different groups of people, but you do have to remember that the president does possess the launch codes to the US nuclear arsenal and authority to launch them. The potential problems from the wrong guy winning the election makes September 11th look like small potatoes. Significant injury, my butt.

This is my problem with electronic voting. Delivering an accurate count of the votes is allowed to take time, but even one badly cast vote means something, although not as much as some folks claim. Even a few thousand votes here and there can cause problems, and if they can change one, they can change many.

Securing a vote is hard because of the requirements we have set for it, to protect it from abuse. The main features of the vote are:

  • The vote must be accurate. If the election has a clear margin, you can relax a little, as long as the number of in-dispute votes is dramatically smaller than the margin of victory.
  • Not only must the vote be accurate, it must be provably accurate in retrospect. You need to have the ability to recount.
  • The vote must be anonymous. Once a vote is cast, you should not be able to tell who cast an individual vote.
  • The vote must be free of influence. You should not be able to buy somebody’s vote. Anonymity helps, as does ensuring that the only person who sees the ballot is the person voting.
  • The vote has to be right the first time. If you need to redo a vote, not only do you ruin people’s trust in the voting system, but you also can create unfair situations. If one county is in debate and their vote will decide a presidential election, you can be certain that there will be much campaigning there to tip the tide.
  • The vote must be accessible to people with poor vision, no vision, shaky hands, etc.

The biggest advantage to paper systems is that every step of the way is able to be inspected by people who do not have specialized knowledge. The simplicity of the system creates an easy and comfortable understanding. In San Mateo County, you know that your vote has been recorded correctly into the box because you can watch and understand it the whole way through, from the huge easy-to-read and hard-to-screw-up paper ballot you fill out, through the scanner, into the box. I’m comfortable trusting the computer without inspecting it, simply because if there’s any question, they can open the ballot box and do a hand count.

Consider how many ways you can taint a touch-screen or push-button electronic voting system. Somebody could:

  • Rewrite the software to record votes incorrectly.
  • Switch the wiring on the buttons so you don’t vote for who you think you voted for, potentially also changing the display.
  • Manipulate the memory of stored votes on the storage card.
  • Replace the CPU with a prepared CPU that will change how the vote is recorded.
  • Replace the storage card with a special purpose computer that will change the tabulation.
  • Clear the votes mid-election and flood the line with cronies towards the end.
  • Interfere with the network linkages so that when you send in votes, it will replace the results.

And that’s just off of the top of my head. All of them can be caught, but in order to do so, I would have to be able to open-up the system and inspect it. I would need to be able to dump the current memory and look through it. I would need to be able to disassemble the machine and place the circuit boards in a variety of scanners to make sure that they matched up to what I thought they should be.

And here’s the rub: I could disassemble the memory of the computer and make sure that everything matched up, assuming that I had the opcode reference card for the processor used and a lot of time. I spent four years in college learning how to program, I should know this, although depending on the complexity of the system, it may take months or years. However, I would not be able to look at the circuit boards and figure it out particularly well, especially if the design of the machine was not an open standard with documentation.

I think that it is quite telling that the people who are coming out as the strongest opponents of electronic voting are the engineers, the people who are theoretically pro-technology. If a bunch of aerospace engineers told you that an aircraft just didn’t seem to be safe, would you fly on it? Remember, engineers working on both Challenger and Columbia had bad feelings about safety.

The interesting thing is that there is an acceptable backup that ensures that the system works. For each voting machine, you want to provide a printer — a $100 receipt printer will do — and a glass tube. After you vote, it prints out what you entered. You look at the ballot, decide that you did, in fact, vote exactly like that, and then you pull the lever to send the receipt into the ballot box.

The voting machine manufacturers didn’t provide this by default and have come out against it. That fact, and the variety of other interesting factoids about them is enough for at least 10 different conspiracy theories.

Overall, I have an odd feeling that a direct-entry electronic voting system that’s actually verifiable isn’t actually worth it in comparison to a mark-and-scan voting system like San Mateo County uses. You need to buy one scanner per precinct, instead of many voting computers per precinct. And that’s the biggest thing that the voting machine companies are fearing.

I’m glad that we’ve got Warren Slocum, who actually gets it, in charge of voting where I live.