CSC 379: Ethics in Computing  
  Summer II 2006  
 
 
 
 
   
   
   
   
  COURSE OVERVIEW  
  This course is a survey of the ethical issues involved in computing. It discusses the way that computers and software pose new ethical questions or pose new versions of standard moral problems and dilemmas. It stresses case studies that relate to ethical theory.  
     
  INSTRUCTOR  
  Edward F. Gehringer
Office: 2301 Partners I
(919) 515-2066
Office hours:
MW 2:45-3:45
efg@ncsu.edu
 
     
  TEACHING ASSISTANT  
  Ahmed Bakir
abakir@ncsu.edu
919-641-6642
 
     
 
   
Lecture 14: Voting Systems
 
   

The Florida election debacle. The November 2000 Presidential election was one of the closest in American history. In five states, the candidates were separated by less than 1% of the vote. As the night wore on, it became clear that the next President would be whoever won the state of Florida, with its 25 electoral votes. Texas Governor George W. Bush had a lead, but Vice President Al Gore was narrowing the margin as votes came in from traditionally Democratic parts of the state. Finally, at 2:16 AM Eastern time, the networks began calling the state, and therefore the presidency, for Bush. Vice President Gore conceded. But, barely an hour later, the count tightened to the point that the winner was unclear. Gore called for a recount in four counties. And thus began the saga of recounts, legal maneuvers, and court challenges that dragged on for 35 days and became known as the Florida election debacle.

In this crisis, computers were not part of the problem, but they were widely expected to be part of any future solution. For years it had been known that voting and vote-counting methodologies were not accurate enough to give a clear winner in a very close race. But the odds against such a razor-thin margin were long, and the budgets of election boards were meager, so that few people assigned much urgency to the problem. Later analyses revealed that Bush was correctly declared the winner, based upon the rules for counting votes. But there was compelling evidence that Gore might well have prevailed if the Palm Beach County ballot had not been laid out so confusingly.

The problem of accurately recording and counting votes ties together a number of issues that we have studied, or will study, this semester—software reliability, which is closely related to software safety; database privacy, since counts must be done accurately without revealing the vote of any individual; hacking, which could compromise the integrity of the count; and intellectual-property rights to the vote-counting software.

The challenge of counting votes accurately. In the 2000 Presidential election, more than two million voters who went to the polls did not have any vote counted in the race for President. Ballots on which no votes are counted are called residual votes. Residual votes consist of overvotes, where a voter appears to have tried to vote for more than one candidate, and undervotes, where the voter does not vote for any candidate for a particular office, or where the voter's choice cannot be discerned. In addition to residual votes, some voters simply vote for a candidate other than the one they were trying to choose. No one can measure how often this happens, but preliminary research suggests it might happen quite often. Manufacturers of voting systems should try to prevent such errors from happening due to bad UI design. In addition, large numbers of disabled voters have difficulty using certain kinds of voting equipment, or cannot use the equipment without disclosing their votes to others.

Of course, voters are not the only source of error in vote-counting. As we will see later, vote-counting software may also contain accidental or malicious bugs that affect the count. To guard against this prospect, a good voting system allows for an independent recount. This means that each voter's choice must be recorded on paper or some other medium, which can then be counted by hand or by some other technology if the need arises.

Five basic kinds of voting systems are used across the country. Paper ballots are the least common, used by only 1.8% of voters in the 2000 election. Lever-based voting machines were widely used during the 20th century, but since they have not been manufactured for many years, spare parts are becoming hard to locate. Nonetheless, these machines were still used by 17.8% of voters in the 2000 election. Punch cards came into use in the 1960s, and were the most common system in 2000, used by 34.4% of voters. Optical-scan equipment has replaced earlier technologies in many regions of the country, including Wake County. It was used by 27.5% of voters in 2000. Another new technology is direct-recording electronic (DRE), based on touch screens, or interfaces similar to an ATM's. It was utilized by 10.7% of voters in 2000, but was used by 50 million voters in 2004.

All voting systems have their vulnerabilities. Paper ballots take a long time to count, and the count may not be particularly reliable, though it is easy to check by recount. Lever voting machines have the lowest rate of residual votes, but do not produce any audit trail that can be used for recounting; if a wheel fails to turn when a lever is pushed, there is no way to determine the real number of votes for that candidate. Punch cards suffer from a variety of problems that are now well known, including overvoting, hanging chads, and dimpled chads. The Votomatic system used in Florida seems to be more vulnerable to these problems than the Datavote system used in other parts of the country. But the Datavote system prints candidate names on the ballot, and is therefore impractical for jurisdictions like Los Angeles, which has to print ballots in seven different languages, as well as maintain a stock of different ballots for each set of precincts that comprise different electoral districts. Also, it seems susceptible to undervoting when voters forget to vote for races printed on the back of the cards.

Direct-recording electronic systems prevent overvoting, but the Caltech/MIT Voting Project found them to have as high a rate of residual votes as punch cards, 3.0%. This may be because many voters never use ATMs and do not come into contact with touch screens outside the voting booth. After the 2000 debacle, Florida counties bought tens of thousands of DRE machines, but still experienced problems like machines that took three times longer than expected to boot up, that reset themselves spontaneously, and, in one precinct, that apparently failed to record about 1800 votes. Further, while DRE systems can print out a record of each voter's choices, an error in recording the vote is almost certain to show up in the printout, which means that there is no way to audit the accuracy of current systems.

The National Election Studies found that an average of only 0.73% of voters said they deliberately did not vote for President. Therefore, a large number of residual votes are evidently due to mistakes. Technology influences the number of mistakes, as illustrated by the experience of Detroit, where the rate of residual votes went from 3.1% in 1996 to 1.1% in 2000, after precinct-counted optical-scan voting replaced punch cards. The National Commission on Federal Election Reform rates a residual rate of > 3% as "unacceptable." In 2000, residual rates in the forty largest counties ranged from 0.3% in Minneapolis, Milwaukee, and St. Louis to 6.4% in Palm Beach County, Florida.
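The residual-vote definitions and the 3% threshold above can be turned into a simple per-precinct screen. The following is an added example, not part of the original lecture; the ballot format (a precinct label plus the list of candidates marked in one vote-for-one race) and the sample data are constructed assumptions.

```python
from collections import Counter, defaultdict

UNACCEPTABLE_RATE = 0.03  # the "> 3%" threshold quoted in the text

# Constructed sample: (precinct, candidates marked in a vote-for-one race).
# An unreadable mark is assumed to have been recorded as an empty list.
SAMPLE_BALLOTS = (
    [("P1", ["A"])] * 98 + [("P1", [])] * 1 + [("P1", ["A", "B"])] * 1
    + [("P2", ["B"])] * 90 + [("P2", [])] * 3 + [("P2", ["A", "B"])] * 7
)


def classify(marks, max_choices=1):
    """Label one ballot for one contest as counted, overvote or undervote."""
    distinct = set(marks)  # a candidate marked twice is still one choice
    if not distinct:
        return "undervote"
    if len(distinct) > max_choices:
        return "overvote"
    return "counted"


def residual_report(ballots, max_choices=1):
    """Per-precinct counts, residual rate, and a flag for rates above 3%."""
    per_precinct = defaultdict(Counter)
    for precinct, marks in ballots:
        per_precinct[precinct][classify(marks, max_choices)] += 1

    report = {}
    for precinct, counts in sorted(per_precinct.items()):
        total = sum(counts.values())
        residual = counts["overvote"] + counts["undervote"]
        rate = residual / total
        report[precinct] = {
            "ballots": total,
            "overvote": counts["overvote"],
            "undervote": counts["undervote"],
            "rate": rate,
            "unacceptable": rate > UNACCEPTABLE_RATE,
        }
    return report


if __name__ == "__main__":
    for precinct, row in residual_report(SAMPLE_BALLOTS).items():
        flag = "FLAG" if row["unacceptable"] else "ok"
        print(precinct, f"{row['rate']:.1%}", flag)
```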

The risks of vote-counting software. Even if every voter's vote could be captured accurately, the integrity of elections would still not be assured. Vote-counting software could still add votes incorrectly. Counting votes is not a trivial task, because of factors such as ballot rotation (so that no particular candidate is listed first on all ballots), straight-party voting, split precincts, cross-filed candidates, vote-for-many offices and primary lockout (where a voter is prohibited from voting for candidates of more than one party in a primary).

Most votes are counted by proprietary programs whose code is not revealed to the general public or to the election officials in charge of certifying votes. The courts have protected the rights of these companies to prevent anyone from independently auditing their tabulating software. Since it is impossible to verify that vote-tabulating programs are doing what they are supposed to and nothing more, it is impossible to determine whether manipulation of votes is taking place.

But aren't these programs tested? Certainly they are, but all of the pre- and post-election testing of the vote-counting programs proves nothing about the accuracy of vote totals. Recounts of elections can only demonstrate that a program is tabulating consistently, not accurately. A time bomb, worm, virus, or Trojan horse, or even worse, an unintentional error in the program's code, would remain undetected in a recount. This is not just a theoretical possibility. After the 2000 ordeal, Palm Beach, Broward, and Miami-Dade Counties replaced their punch-card machines with touchscreen systems. In 2002, these systems lost critical votes in close elections and recorded undervotes of up to 48% for governor in some precincts. But the most serious flaw encountered to date may be a vulnerability in Diebold electronic voting systems discovered in May 2006. A feature built in to allow software upgrades was shown to be exploitable by hackers to modify the vote-counting software. However, the company points out, to manipulate this feature, an intruder would need physical access to each voting machine.

Nor can a voter be given a receipt to prove that his/her vote was recorded correctly. The system could print one set of candidates on the receipt and record another set. Since all votes must be secret, the system cannot keep a record of who voted and when, so there would be no way to determine whether the receipt was accurate. Beyond that, the existence of receipts could be used to implement vote-buying on a large scale.

Voter-verified paper receipts. An ingenious way around this problem is to generate a receipt, but not give it to the voter. This is the essence of the "Mercuri method," invented by Bryn Mawr College computer scientist Rebecca Mercuri. In this scheme, the machine generates a paper receipt listing the candidates that the voter has chosen. However, the receipt is shown to the voter behind a transparent plastic or glass panel. If it is accurate, the voter accepts it, and the machine drops it into a receptacle below; if not, an election official can be summoned to invalidate the ballot. In case the vote tally is called into question, the receipts can be optically scanned to determine whether the tally was accurate.
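The sketch below illustrates two points made above: a machine recount only shows that the software tabulates consistently, while a hand count of voter-verified paper can expose an unintentional tabulation error. It is an added example, not from the lecture or any vendor's software; the ballot-rotation defect, the candidate names, and the record format are constructed assumptions.

```python
from collections import Counter

CANDIDATES = ["Adams", "Baker", "Clark"]  # constructed names


def ballot_order(rotation):
    """Order in which candidates appear on screen for a given rotation."""
    k = rotation % len(CANDIDATES)
    return CANDIDATES[k:] + CANDIDATES[:k]


def cast(rotation, choice):
    """One voter: the machine stores (rotation, position touched) and
    prints the chosen name on paper, which the voter verifies."""
    position = ballot_order(rotation).index(choice)
    return (rotation, position), choice


def faulty_tally(electronic):
    """Constructed defect: the tabulator ignores ballot rotation and
    treats every position as if rotation 0 had been displayed."""
    return Counter(CANDIDATES[pos] for _rot, pos in electronic)


def correct_tally(electronic):
    """Rotation-aware tabulation of the same stored records."""
    return Counter(ballot_order(rot)[pos] for rot, pos in electronic)


def audit(machine_totals, paper):
    """Compare machine totals with a hand count of the paper records.
    Returns {candidate: (machine, paper)} for every mismatch."""
    paper_totals = Counter(paper)
    return {
        name: (machine_totals[name], paper_totals[name])
        for name in CANDIDATES
        if machine_totals[name] != paper_totals[name]
    }


# Constructed election: (rotation shown, candidate the voter chose).
VOTERS = [(0, "Adams"), (1, "Adams"), (2, "Adams"),
          (0, "Baker"), (1, "Adams"), (2, "Baker")]
ELECTRONIC, PAPER = map(list, zip(*(cast(r, c) for r, c in VOTERS)))

if __name__ == "__main__":
    first = faulty_tally(ELECTRONIC)
    recount = faulty_tally(ELECTRONIC)  # same software, same stored data
    print("recount agrees with first count:", first == recount)
    print("machine totals:", dict(first))
    print("mismatches vs. paper:", audit(first, PAPER))
```

The machine recount reproduces the wrong totals exactly; only the independent paper count shows that Adams, not Clark, received the most votes.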

When supervisors in Santa Clara County, California, voted in February 2003 to adopt DRE systems without paper receipts, a number of prominent computer scientists protested. Over 300 computer scientists and other experts joined the campaign, and the supervisors soon changed their minds and agreed to adopt a pilot system that prints receipts. This started a trend that is now snowballing; Illinois and New Hampshire were the first states to pass laws requiring printed verification. Now several other states, including North Carolina, have passed similar laws, and seven counties in Nevada used DRE machines with printers in 2004.

Not everyone thinks this is a good idea. Among the critics is the American Association for Persons with Disabilities, which argues that the need to verify paper would prevent blind voters and others from casting a secret ballot--an ability they have just gained with the advent of new technologies. Another is the League of Women Voters, which cites the tendency of printers to cause delays and lengthen lines at polling places--which in itself will keep some people from voting. And, should the electronic and printed totals disagree, which is more likely to be correct? Skeptics point out that ballot-box tampering with the paper receipts is much more likely, since the paper is handled by more people and can be manipulated by someone without technological expertise. There are, for example, 100,000 people in the United States who are prepress operators. This means that it is easy to find people who know how to print and modify documents.

In a July 7, 2004 hearing before the House Committee on Administration, Maryland's Administrator of Elections Linda Lamone cited several practical problems that arose in field tests of voter-verified paper ballots: Voters don't want to take the time to verify that their choices have been correctly recorded; people don't want to call attention to themselves or reveal their vote if they think there was an error in recording; and they may think the machine made a mistake when it actually didn't.

These problems have sparked proposals for other kinds of verification. For example, voting machines could contain audit devices made by third parties, which could be responsible for recording all votes that are cast. Then in order to steal an election, one would have to compromise not only the DRE machine, but also the audit device, to achieve exactly the same result. Or an auditable record could be made on a write-once memory card that would serve as the official ballot. A good discussion of the pros and cons of paper audit trails can be found in the "Pros and cons" section of this article. See also this debate between advocates and opponents of paper.

Open source. Could the concept of open source come to the rescue? Suppose the source code for the counting software was open for anyone to see. This might help, but it would not solve the problem (see "Open Systems"). First of all, there would be no guarantee that the code that was open to inspection was actually the code that was in use. Second, publication of the source code would arm potential intruders with precise knowledge about the system's vulnerabilities. Incidentally, detractors have alleged that this is a problem with all open-source software.

In practice, though, these vulnerabilities have not resulted in wholesale election fraud. One of the primary defenses is the lack of uniformity in voting equipment, ballot positions, and ordering of races across a state or across the country. Since a large deviation in any particular precinct is likely to be noticed, in order to throw a major election, one would have to sabotage the voting systems in many different precincts, which have different combinations of machinery and candidates. Any conspiracy large enough to accomplish this is likely to unravel.

Of course, a small conspiracy to alter software would have been capable of throwing the Florida Presidential count, if only someone had known in advance how close it would be. But no one could predict that. So any software vote-stealer is faced with the well-nigh impossible task of stealing just enough votes to make a difference, but not enough to raise suspicion. This should not make us sanguine about the possibility of fraud, but it does explain why it is not especially common.

Internet voting. The 2000 election cycle also witnessed the first use of the Internet for conducting elections for public office, when voters were allowed to vote online in the Arizona Democratic Presidential primary and the Reform Party Presidential primary. These elections, though, were run by the parties themselves, not by state election officials. The only government-run Internet elections to date have been in Geneva, Switzerland and Estonia. These elections have been a success, but the number of Internet voters has been much smaller than it would be in the U.S. Private elections are routinely conducted over the Internet; most corporations allow shareholders to vote online, and a variety of organizations like unions, colleges, and professional societies are looking to the Internet to save time and expense.

Internet voting schemes can be classified into three types. In poll-site Internet voting, the Internet is accessed from the voting location in a precinct, under the observation of election officials. In kiosk voting, kiosks would be set up in convenient locations like shopping malls or post offices, and would allow voters from many different precincts to vote the ballot appropriate to their precinct. Kiosk voting could be monitored by election officials, or even security cameras, to maintain security and safeguard privacy. The most radical form of Internet voting would be remote Internet voting, whereby voters could cast ballots wherever they could call up a Web browser and authenticate themselves.

Technological risks. Remote Internet voting would undeniably be most convenient, but it also poses the greatest risks. These risks come in several flavors. First, there are risks to the voting client. A malicious payload could be delivered in the form of a virus or Trojan horse that could spy on ballots, prevent voters from casting ballots, or modify ballots according to a predetermined plan. The intruder could target voters in particular demographic groups. No server-side security (SSL, https, etc.) could prevent such an attack, because it would take place before the server ever received the vote. A Trojan horse might be set to trigger on election day, thus disenfranchising many voters.

There are risks to the communication path as well. Perhaps the most obvious is a distributed denial-of-service (DDOS) attack, where clients are installed on many computers (perhaps through viruses) to flood the voting server with packets and prevent it from servicing legitimate attempts to vote. Currently, there is no way to stop a DDOS attack without shutting down the server and diagnosing the attack, which might take several hours. Then there is the danger of spoofing, causing unwitting voters to connect to an impostor site instead of the real voting server. While technologies such as SSL or digital certificates can identify impostors, it is not realistic to assume that all voters will have them in place on their computers, or understand warning messages well enough to refuse communication with the impostor.

Vote-buying. Since the days of the ward bosses a century ago, some candidates have found it more effective to pay voters instead of campaigning for election. Thanks to recent election reforms, this is becoming easier. Voters used to have to vote by secret ballot on election day, unless they were going to be away from home. But, in an effort to bolster sagging voter turnouts, many states, including North Carolina, now allow any voter to request an absentee ballot. In 2000, entrepreneurs noticed that uncompleted absentee ballots could be sold to the highest bidder, and launched vote-auction.com to buy absentee ballots and auction them off to the Presidential candidates, on a district-by-district basis. Whatever the attractiveness of this scheme, it still required a significant effort on the part of the vote-seller, who had to apply for an absentee ballot and mail it to the organizers of the auction. With Internet voting, you can just e-mail your access code, or whatever other password is required to cast a vote, to a party official, who can pay you (e.g., via Paypal or another electronic payment system) and then vote in your place. This abuse cannot occur in regular elections, since no one is allowed to accompany a voter to the voting booth. Ultimately, voice recognition, thumbprint readers, or iris scans could halt these schemes, but they are not yet on the horizon for the average PC user.

Issues of access. When the Arizona Democratic Party moved its Presidential primary to the Internet, they offset some of the substantial cost by cutting the number of polling places where voters could cast a vote in person. As a result, voters without access to the Internet had to travel farther than in other elections. For the poor, who are less likely to have a car at their disposal, this can impose a hardship and diminish turnout. Unless Internet voting is accompanied by a large increase in funding for boards of elections, polling places are likely to be cut. Even if they are not, turnout may increase among more affluent voters, just because it will become more convenient for them to vote.

Internet voting could actually improve access for the hundreds of thousands of military personnel who are deployed overseas. In the 2000 election, 29% of them did not receive a ballot, or received it too late to cast a vote. In Florida, there were disputes over whether tardy military ballots should be counted at all. The Pentagon planned a pilot test of Internet voting for military personnel based in seven states, including North Carolina. But after an audit revealed security problems like those listed above, the Pentagon decided not to count the ballots, but still proceed with the experiment. A few weeks later, they decided to scrap it altogether.

Ethical implications. For those involved with choosing a voting system, broad technical knowledge is a necessity. They must also understand the implications of choosing a system that favors one group of voters over another, or makes fraud easier. It is not ethical to tout the technical advantages of a particular system without considering how it might change the results of elections. Voting systems are just one example of how many of the ethical concerns we have discussed this semester are brought to bear on a single problem, in ways that would not be immediately apparent to someone without a good technical background and strong ethical principles. This is a reminder that the computer professional always needs to look at the big picture in analyzing a problem and sketching a solution.