Why Computerized Voting is Dangerous

by on September 26, 2006 · 2 comments

A couple of weeks ago, Luis Villa had an excellent comment about the merits of open source voting. I had expressed the opinion that open source voting machines would be preferable to the status quo, but that the ideal outcome would be not to use computers in voting machines at all. Louis responded:

I think you’re discounting how corruptible the current system is, and focusing only on what the current generation of e-voting machines do or don’t do, security-wise. Well done e-voting (particularly including the printing of a reliable paper trail) could be much more reliable than the current mishmash of paper technologies, which as any resident of Florida, Ohio, or Chicago will tell you is deeply insecure already.

This is a good point. Paper ballots clearly aren’t perfect, and so when we’re evaluating the merits of computerized voting, it’s important not to hold them to a standard of perfection that’s not attainable with any technology. But I still think we’d be better off dispensing with computers entirely, as I’ll explain below the fold.


From my perspective, the fundamental goal of democracy is to decentralize political power to the greatest extent possible. Concentrated power is a danger to liberty, and so in the ideal democratic system, every individual has as small an outcome on the outcome of the election as possible. Of course, the ideal, in which everyone has precisely the same impact, is never achieved. All sorts of people, such as celebrities, journalists, rich people, union bosses, etc have a larger impact on the outcome of elections than the average voter. That’s why politicians tend to suck up to those people.

But one class of people whose influence we definitely want to minimize is the people who run the election itself. In general, our election system does do a reasonably good job of that. Imagine if Ohio changed its election rules so that all ballots were sent to the Secretary of State’s office for counting, with no outside observers allowed. This would obviously create enormous temptation (and, if one or more candidates were dishonest, pressure) to miscount the ballots. In 2004, that person would have been in a position to play kingmaker, throwing the presidential election to the candidate of his choice.

Luckily, we don’t run elections that way. Each precinct counts their votes locally, under the watchful eye of representatives of all the candidates, and the totals for each precinct are publicly announced. As a result, no one person, or even small group of people, has the ability to swing the outcome of a major race. Unless it’s already very close, rigging an election for governor, Senate, or president requires the cooperation of dozens of individuals. The chances of keeping such a scheme secret would be very poor.

The difficulty of rigging elections comes from two factors: decentralization and transparency. Decentralization stems from the fact that each precinct reports its results independently of all the others. Transparency comes from the fact that the entire process is generally open to anyone who wants to observe it, and so it’s likely that any fraud will be flagged by somebody.

Luis mentioned Chicago, Ohio, and Florida. I think there are a couple of things that are worth noting about those jurisdictions. First, the problem, as I understand it, is that the people running the election are often corrupt. This is a problem that you can’t really solve with technology. If, for example, those officials are corrupting the election by introducing votes by dead people, a computer has no way of detecting that.

In Florida, I assume Luis is referring to the 2000 presidential election. The interesting thing about that is that we know exactly what is alleged to have occurred there. We know all about hanging chads, butterfly ballots, legal strategems, allegedly stolen ballot boxes, etc. Different partisans disagree about who was more in the wrong, but the facts of what actually happened are extremely well-documented. Moreover, all of those factors put together wouldn’t have been able to swing the election if it weren’t incredibly close in the first place. Even stealing a ballot box–the most blatant of paper vote-rigging crimes–will only swing an election by a few hundred votes. In the 2004 election–still a reasonably close election by most accounts–Bush beat Kerry by about 300,000 votes. It would have required stealing dozens of ballot boxes to change the outcome of that race. Even Ohio was decided by more than 100,000 votes in 2004, a gap that would be very difficult to close with paper ballot fraud.

So that brings us to computerized voting, which I would argue undermines both decentralization and transparency. The transparency part is obvious: For 99 percent of voters, a computerized voting machines is a mysterious black box. The voters punch in their votes, and the machine spits out a result–there’s really nothing that an ordinary voter can verify. A paper trail, which I’ll discuss below, mitigates this problem by is far from eliminating it.

But voting machines also undermine decentralization. This happens for at least two reasons. First, there’s the virus issue. As Prof. Felten has demonstrated, it’s possible to infect a single machine with a virus that can spread over time to all the voting machines in a jurisdiction, which could conceivably be as large as a whole state. (this depends on how promiscuously memory cards are shared among machines in the state).

The second way that decentralization is undermined is that the manufacturers of the machines are a potential source of error. I don’t think it’s very likely that Diebold as a company has deliberately introduced errors in its voting machines, as that would be a difficult secret to keep. But it’s conceivable that the guy who’s in charge of writing Diebold’s software, or the guy on the factory floor who was responsible for loading the software onto machines after they’re manufactured, could introduce a hacked version of the software. It’s also quite conceivable that a corrupt technician would have access to a large enough number of machines that he could swing an election in his preferred direction.

In this sense, the very efficiency of voting machines–the fact that the mechanics of counting the votes is done for us by a computer–is a weakness. Automating the vote-counting process necessarily reduces the number of people who will be involved in each step of the vote-counting process. And the more labor-intensive the voting process is, the more people you’ll need to bring into your conspiracy in order to corrupt the election.

This post is long enough, so I’m going to stop it there. In my next post, I’ll explain why I don’t think open source voting machines or voter-verified paper trails fully address these concerns.

  • http://enigmafoundry.wordpress.com/ enigma_foundry

    Tim: Great Post.

    The observation that efficiency can backfire in unexpected ways is a key insight, and is generally under-recognized in many problems, including our economy, when the just-in-time efficiency speaks of a lack of robustness and recovery from shocks, as well as the possibility of cascading network failures. Subjects explored in depth at John Robb’s excellent blog Global Guerillas. (BTW, this theme comes up again and again in urban planning)

    I would also refer you to Paul Virilio, and his concept of the integral accident. Virilio explores how our technology contains its own accidents. (Sidebar: I find him especially interesting as his faith plays a very important part in his thought, and he proves that the term “Catholic intellectual” need not be an oxymoron)

    There are also important externalities, usually due to unforeseen interactions with other human creations, such as other technology, society, the media or political structures, that contain other types of failures, which Paul explores in his other writings. None of the proponents of e-voting are willing to even consider these hazards.

    I do really fear the types of accidents that this extremely ill-conceived technology could engender. It is an accident, waiting to happen.

  • http://enigmafoundry.wordpress.com eee_eff

    Tim: Great Post.

    The observation that efficiency can backfire in unexpected ways is a key insight, and is generally under-recognized in many problems, including our economy, when the just-in-time efficiency speaks of a lack of robustness and recovery from shocks, as well as the possibility of cascading network failures. Subjects explored in depth at John Robb’s excellent blog Global Guerillas. (BTW, this theme comes up again and again in urban planning)

    I would also refer you to Paul Virilio, and his concept of the integral accident. Virilio explores how our technology contains its own accidents. (Sidebar: I find him especially interesting as his faith plays a very important part in his thought, and he proves that the term “Catholic intellectual” need not be an oxymoron)

    There are also important externalities, usually due to unforeseen interactions with other human creations, such as other technology, society, the media or political structures, that contain other types of failures, which Paul explores in his other writings. None of the proponents of e-voting are willing to even consider these hazards.

    I do really fear the types of accidents that this extremely ill-conceived technology could engender. It is an accident, waiting to happen.

Previous post:

Next post: