This is another paper by Bob Fleischer, who is on our list, but busy
still with a new job and so he has given me permission to send. He
says, "Paper ballots, hand counted, are the 'gold standard' around the
world, and guidelines are published that make for reliable results
even in those parts of the world where corruption is the norm."
Good reading for today with all the elections going on.
[This talk was given to a gathering of election officials in Ashfield,
Software and Voting. I'm a computer professional. I've been a computer
systems consultant for over 30 years, and have most recently worked in
computer security, wireless, and software testing. I have a master's
degree in computer science from MIT.
elections, but I'm not. There are just too many risks associated
with computer systems as used in elections. Computerization is
essential to many aspects of modern life, e.g., electronic funds
transfer, but it is not in any way necessary for the conduct of
elections. We need to increase public trust in elections; the
additional risks associated with computers in elections destroy that
The workings of computerized election systems are complex, hard to
understand (even for experts), hidden, and commonly held as secrets by
private interests. These are all characteristics we shouldn't want
for the foundation of our democracy. Most disconcerting, however, is
that computerization greatly increases the opportunities for election
tampering and sabotage.
(Common wisdom in this state and nation says that these risks of
tampering remain just theoretical possibilities, that they haven't
actually affected any major elections in significant ways. Given the
high value of winning elections, I think it is highly likely that
tampering will be attempted. Some people claim that there is already
a lot of evidence of attempted, and even successful, tampering. Our
nation, and our media, is understandably reluctant to investigate this
Errors -- accidental or deliberate? We all have our favorite stories
about computer errors -- bugs, glitches, whatever -- that mess up our
email, our bank account, or a space probe. Some errors are "innocent"
-- simple human mistakes on the part of programmers. Many errors we
encounter these days, however, are deliberate. A whole industry has
arisen to produce software to protect us against deliberate damage,
malicious entry, or tampering to our personal computers and to the big
computer systems that run our modern infrastructure. We probably all
know horror stories about people losing their email and all their work
to computer "viruses", and occasionally we hear about major databases
and corporations being "hacked".
Any kind of error -- innocent or deliberate -- can affect the computer
systems we rely upon, including any computer systems used in
elections. Innocent errors tend to be unbiased in their effect --
they are blind to the candidate, party, or issue involved in a vote.
Usually, over the long run, innocent errors tend to cancel each other
out. Even innocent errors may sometimes be "big". Such an error can
change the outcome of an election -- we have to be on the lookout for
Remember the not so old saying: "To err is human; to really foul
things up requires a computer"!
different risk. Software is as malleable as putty: once malicious
entry is made to a computer system, almost any change is possible.
And, as with putty, it is easy for a software attack to cover its
tracks and change things back. Unlike putty, the attacker doesn't
need "hands on" to make the change. Also unlike putty, the change can
lie unseen, with no visible effect, until Election Day.
So what could malicious software -- "malware" -- do to tamper with an
election? Point shaving is one likely tactic: taking a few votes
from one candidate and giving them to the preferred candidate on each
machine. The error on each machine is small, but they add up. Unlike
innocent errors, all these errors on every machine would favor the
same side. (One clue that an error is not "innocent" is consistent
bias in one direction.) One study has shown that a change of one out
of every 87 votes in Ohio would have changed the outcome of the 2004
presidential election -- that may require only a handful of votes to
be changed per machine, especially a DRE. Would you notice that small
an error on a machine? More particularly, would anyone notice if many
machines had a similar error in the same direction?
Another possible way that malicious software could bias an election is
through "defaulting" the occasional undervote to the favored
candidate. Nothing looks wrong with such a situation -- in fact,
everyone thinks reducing undervotes is a good thing. What's the
undervote percentage in your town? What if all those un-cast votes
went to the same candidate?
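
The clue mentioned above (consistent bias in one direction) can be checked with an exact sign test. This is an added example, not part of the original talk. It covers both the point-shaving and the undervote-defaulting cases, and it assumes a hand count of paper ballots exists for each audited machine; the function names and the per-machine figures are constructed for illustration.

```python
from math import comb

def sign_test_p(discrepancies):
    """Two-sided exact sign test.

    Each entry is (machine tally - hand count) for one candidate on one
    machine. If errors are innocent, a discrepancy is equally likely to be
    positive or negative. Returns the probability of a split at least this
    lopsided under that assumption. Zero discrepancies carry no direction
    and are ignored.
    """
    pos = sum(1 for d in discrepancies if d > 0)
    neg = sum(1 for d in discrepancies if d < 0)
    n = pos + neg
    if n == 0:
        return 1.0
    k = max(pos, neg)
    tail = sum(comb(n, i) for i in range(k, n + 1)) / 2 ** n
    return min(1.0, 2 * tail)

def audit(discrepancies, alpha=0.01):
    """Summarise an audit sample: net vote shift and whether the direction
    of the errors is too consistent to be explained by chance."""
    p = sign_test_p(discrepancies)
    return {
        "net_shift": sum(discrepancies),
        "p_value": p,
        "directional_bias": p < alpha,
    }

# Constructed sample data: 12 audited machines, candidate A,
# machine tally minus hand count.
INNOCENT = [2, -1, 0, 3, -2, 1, -3, 0, -1, 2, -2, 1]  # errors cancel out
SHAVED = [3, 4, 3, 2, 4, 3, 3, 4, 2, 3, 4, 3]         # small, same direction

if __name__ == "__main__":
    for name, sample in (("innocent", INNOCENT), ("shaved", SHAVED)):
        print(name, audit(sample))
```

The per-machine errors in both samples are about the same size, so no single machine stands out; only the direction across machines separates them. The check cannot be run on a machine that leaves no independent paper record to count.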