Section of Science and Technology
American Bar Association
Summer 2004 pp. 10 - 13
[John D. Gregory is General Counsel, Policy Branch, Ministry of the Attorney General (Ontario, Canada). Views in this note are not necessarily those of the Ministry.]
In this electronic age, many governments are trying to increase their capacity to use information and communication technology, and many citizens expect to deal with their governments electronically. It is natural that attention has turned to using these technologies for voting.
Further, in the wake of the problems with old-fashioned voting systems in the 2000 presidential election, many people are tempted to push voting into the computer age. Congress has voted large sums to help states do just this.
However, in its year-end review of 2003, Fortune magazine called electronic voting the “worst technology of the year”. A number of problems have been exposed in many states over the past couple of years with different systems. To analyse them properly and to account for their legal implications, one should start by sorting out the technology. One can usefully think of three separate stages of the use of technology in the electoral system:
i) electronic registration of voters
ii) electronic voting in person, through voting machines – e.g. touch-screen voting
iii) electronic voting from a remote location, through the Internet or kiosks.
Because these systems present questions of authentication in the context of public information systems, they are of interest to those who analyse electronic filing systems in the courts. E-filing also presents issues of identity and integrity and control, and the results of improper filing, while not perhaps as broad in impact as voting fraud, undermine the rule of law in a similar way.
For this reason the Electronic Filing Committee of the Science and Technology Section of the ABA has spun off a working group on electronic voting. Now in its earliest stages, this working group aims to set out an appropriate legal framework for analyzing e-voting in its various forms. It is not part of the group’s mandate to make political judgments, but in a constitutional democracy, the law underlies the politics. Citizens will feel more secure in their use of technology if the law as well as the technology is sound.
Electronic Registration
Before you can vote, you have to register. Registration has long been the focus of efforts to improve participation in elections, whether to overcome racial disadvantages or to involve people whose culture or poverty tend to keep them out of the mainstream. Congress has frequently legislated to make registration easier. For example, the National Voter Registration Act of 1994 required all states to allow people to register to vote at driver’s licensing offices.
Now several states – Arizona is one – allow people to register over the Internet, either through the Department of Motor Vehicles (DMV) or with the elections office, but relying on driver’s license identification.
It is fair to say that these states generally do not rely on any electronic means of authentication to ensure that the people registering in this way are entitled to vote. They provide instead a selection of other security measures that make Internet registration at least as good as the low-tech alternatives, which often include mail-in registration. Whether any of the alternatives is secure enough is a separate question.
Some states ask for a Social Security number of people registering through the DMV, in person or online. Some states also send a confirmation of registration to the address that the state already has in the driver’s licence records, with instructions that it not be forwarded.
Several states take the signature from the driver’s records and associate it with the electoral records as well. Signatures tend to be used to check the validity of absentee ballots. There is little checking of voter identity when voters show up at the polls. Indeed there is quite a debate whether such checking is acceptable, or whether it tends to discourage from voting people less likely to have the appropriate identification or people who feel intimidated by being asked.
Arizona’s law asks for an electronic signature, which is a fairly demanding creation. However, the “policy authority” for electronic signatures has determined that the voter’s intention is sufficiently securely indicated by the express authorization to the driver’s record office to transfer the registration application and the digitized signature on file to the election office. This, and the design of the communications system in the government, is considered good enough.
While some of the state systems for registration by Internet might be vulnerable to individual deceptions, they seem relatively secure against large-scale fraud, by which a lot of registrations could be wrongfully created in the name of nonexistent, dead or inattentive alleged residents of the state.
In-Person Electronic Voting
A number of systems are available to let voters express their preferences by electronic means. Many of them are touch-screen devices that are intended to eliminate problems such as mismarked ballots, hanging chads, and other ambiguous or invalid results. The results, of course, also are very quickly counted, so the outcome of the election is known sooner.
These systems do not present authentication questions – voters identify themselves in the usual way when they come to the polling station to vote. The criticisms of e-voting technology have focused on how one knows what votes are being recorded in response to the touching of the screen. Is the software reliable and who can tell? It is often secret or alleged to be proprietary. To what extent is one at the mercy of the technicians of the companies that provide the technology, and can we trust them? One company had a convicted felon in a senior management position, and a corporate executive who vowed to help one party win an election. Its technicians also admitted to changing the program being run in an election, to “patch” difficulties after it had been certified by the state. These unapproved changes were revealed only by happenstance.
In Florida in early 2004, a county election machine failed to count 124 votes, i.e. there was evidence that there were that many more voters than votes counted. Yet the election was decided by 12 votes. In another vote, in California, the machine reported a number of votes far in excess of the number of registered votes in the county. And how can one be sure that the numbers are right even when they are within the “expected” numbers, i.e. when they do not have obvious problems as in these examples?
What should the law say about such situations? Does using machines with such vulnerabilities violate constitutional or statutory rights to vote? What is the legal value of public confidence?
The difficulty of auditing the results is problematic. If the software does not produce an accurate result, one cannot just run it again to get a better outcome. Many experts advocate having the machines create a paper trail that the voter can see at the time of voting, which would be available to check afterwards (a “voter verified audit trail”).
Finally, if the machines just stop working, are people denied their right to vote? What alternatives are available?
Remote Electronic Voting (Internet Voting)
Remote voting combines the challenges of online registration – how to determine entitlement to vote – with those of electronic voting – how to determine the accuracy of the vote recorded. Other issues arise as to the anonymity of the ballot and its secrecy. Two brief examples of issues raised by recent developments follow.
On February 5, 2004, the United States Department of Defense formally cancelled a project to use Internet voting for armed forces personnel abroad, for the November 2004 federal elections. It said that the technology was not secure enough. The Department had spent up to $20 million on the project over the past two years. In late January 2004, a group of computer security experts had severely criticized the Defense plans, and Internet voting generally. The report no doubt had an impact on the decision to discontinue the program.
In Canada in February 2004, Delvinia, a consulting firm, published a report on voter experience with the Markham, Ontario, Internet voting initiative in the advance polls of the municipal election of November 2003. Delvinia reported that the Internet voting system had been quite popular. It noted that only 9% of the voters who had voted in person had not used the Internet voting system because of concerns about its security. It concluded that people were not worried about the security of the system.
Some commentators have read that to say that there are no security issues in Internet voting. This conclusion was not justified on the face of the document. The report did not analyse the strengths or vulnerabilities of the system. It did not even describe how the system worked, technically.
Some experts have proposed security designs that they say can resolve the issues in Internet voting. At present there seem to be no systems that combine the features said to be necessary. The question for technology lawyers is the degree to which the law either requires or should require these features before Internet voting is permitted. Constitutional law is not getting easier.
E-Voting versus E-Banking
Some popular commentators say that if we can do online banking, we should be able to do online voting. Here is a brief comparison of the two processes. A number of arguments suggest that Internet voting presents more significant risks than does Internet banking.
· What if the system is down?
- With banks, it doesn’t matter – customer can try again later
- With elections, it does matter – polls have to close
· What if the system is not secure?
- For banking – risk is the client’s (probably by contract) – but banks probably don’t insist. The question turns on the burden of proof of malfunction or proper function
- For elections – risk is the political system’s – credibility, legitimacy of elected people
- It is easier to create mass distortion by corrupting very few technical support workers, compared to how many people one would have to corrupt to distort a paper-based election.
- [Security systems are difficult – Some criteria suggested by experts are not featured in any currently available system, and hacking techniques evolve often a step ahead of security measures.
- A lot of computer security experts do not think any current offering of Internet voting is sufficiently secure – and many do not trust most implementations of electronic voting, even when the voter comes to a polling station to vote.]
· Problem of proof of loss
- If someone alleges they’ve tampered with a bank, one can prove or disprove it independently, by counting the money
- If someone alleges they’ve tampered with the electoral system, there is no “normal” or “before” state that can be checked to prove or disprove the claim (though the system could count numbers of votes cast from particular machines – but probably not who they were cast for, if the number of total votes is right).
· Problem of restoring proper state
- If someone has tampered with bank records (or the system malfunctions), the participants can restore balance by transferring money to where it belongs. The legal system allocates loss according to negligence, or by statute, among innocent parties if the rogue can’t be found.
- If someone has tampered with the election results (or the system malfunctions), it is very difficult to restore normality without running the election again.
· Problem of individual identification
- Bank identifies customers and links them with transaction, so there is an end-to-end security system
- Voting system wants to identify voters but not link them with transaction (the vote), so there is a break in the end-to-end identification.
· Problem of allocation of risk if something goes wrong
- With banks, risk is client’s, by contract: only two private interests are affected
- With elections, risk is system’s – credibility and legitimacy of government suffers
· Problem of secret ballot (not present with banks)
- Anyone can see what the person is doing if they are in the room with the person and the computer. So there can be domestic or neighbourly pressure on the vote, rather than a vote in private, free of pressure.
· Problem of bought vote (not present with banks)
- Buyer of votes can’t be sure that the vote will stay bought, with a ballot cast in private. With a computer vote, the buyer can watch the vote, or buy the PIN or other security code or device and cast the vote himself.
· General trust issue
- How does person voting know that what he/she selects on the home computer is the choice that the counting computer registers?
o Banks can create a paper receipt (as can in-person voting machines) and receipt can be compared to electronic statement of balance.
o Remote voting does not create an obviously reliable paper trail and individual votes cannot be traced through the system.
o Scrutineers will seldom have the expertise to check the software and hardware before, during, and after the vote.
o Testing the system by re-running it does not cure system problems: it just repeats them.
- Testing the system by random sampling of votes cast, via a paper trail, is inadequate in a close election, because samples may not reflect full population of votes. (Consider opinion polls – accurate within 2%, 95% of the time.)
In short, there is an important difference between resolving bilateral private risks and resolving large-scale (system-wide) political risks.
The law requires fair voting systems, and the Supreme Court has considered the requirements in many cases before Bush v Gore. Lawyers can add value to the discussion of whether and how to bring elections into the electronic era.
In the meantime, states should not rush to adopt electronic and a fortiori Internet voting. Different states may be more ready than others. They should avoid the temptation to rush in to spend the money that the federal government has made available to upgrade the technology. Public confidence in the system must be maintained through the transition – or at least not be provided with further reasons for dismay.
[March 1, 2004]