Ensuring the Integrity of Electronic VotingObviously, no election method can be fair if the votes are not counted and processed fairly and accurately. The Federal Election Commission oversees the establishment of voting system standards, but we believe that additional safeguards are necessary for voting systems that use electronic direct-recording equipment (DRE). Electronic voting is inherently vulnerable to tampering, and absolute integrity cannot be ensured unless the following precautions are taken.First, all DRE systems for public voting should automatically produce paper backup ballots. No matter how tight computer security may be, someone must ultimately have access to the system, and computer data files are simply too easy to delete or manipulate. Paper ballots in sealed ballot boxes cannot be easily ``deleted'' or manipulated as long as they are in the custody of more than one person (and even if they are lost, the electronic votes will still be available). The paper ballots should be clearly readable both by the voter and by machine. The paper ballots should always be used to verify the accuracy and integrity of the electronic votes. Procedures should be established to reconcile any discrepancy between the electronic and paper votes. If properly implemented, a combination of electronic and paper ballots can provide much better integrity than either mode can provide by itself. Second, all public DRE voting systems should be based on open computer architecture and open-source software. ``Black boxes'' and proprietary software are unnecessary and should never be used for public voting systems. Closed systems are an invitation to tampering or outright subversion of the electoral system. The source code for the software used to count and process votes should be available for public scrutiny. The public has a fundamental right to know how its votes are counted and processed, and that right takes precedence over the proprietary interests of any voting system manufacturer. Any manufacturer who insists on keeping its systems proprietary or its source code secret should be disqualified from competition. The philosophy of ``security through obscurity'' may be appropriate when the data to be secured is of value only to the party providing the security, but it is completely inappropriate for public voting systems. Although closed systems can be more secure against ``outside'' attacks, they are much more vulnerable to ``inside'' corruption. Outside attacks can be thwarted by common sense and access restrictions. For example, voting systems deployed in the field should have no editors or software development tools installed on them, and the secure data and software on them should be protected by a rigorous password protection protocol. Inside corruption, on the other hand, can only be prevented by ensuring that all insiders (engineers, programmers, managers, administrators, election officials, politicians, etc.) are trustworthy, which is virtually impossible. Finally, online voting in general elections should be prohibited for the foreseeable future--and perhaps should never be allowed (except in certain exceptional cases, such as handicapped voting or voting at remote military bases). Fascinating though the possibility of online voting may be, it opens the door for all kinds of technical, administrative, and security problems in return for trivial benefits for the typical voter. Paper backup ballots would not even make sense for online voting, so it could not possibly be secure. The integrity of our voting system is far too important to risk just to save voters a short drive to their precinct or to impress ourselves with our technological sophistication. Men died for our right to vote, and we can endure some trivial inconveniences to help ensure the integrity of our voting system. To recapitulate, the integrity of electronic voting can be ensured only if the following precautions are taken:
|