Lentis/Electronic Voting

This chapter of Lentis discusses electronic and Internet voting. Electronic Voting machines became popular shortly after the 2000 election difficulties and have slowly lost support due to verification, security and reliability concerns. This chapter specifically analyzes the rise and fall of the Direct Recording Electronic voting machine in America with a focus on social factors.

Direct Recording Electronics

 * Main page: DRE Voting Machine

The most common electronic voting machines are Digital Recording Electronics, or DREs. These machines directly store user input in electronic memory. Input is usually achieved through touchscreens. Each DRE machine tabulates its own votes, but precincts must tabulate and verify overall votes by physically transporting the machines themselves or securely encrypted smart-cards to a central tabulation system.

[We] inform the public of the problems with relying on electronic voting machines to record and count our votes, without the backup of a voter-verifiable audit trail.

DRE voting machines tend to have weaknesses which are widely criticized. A lack of transparency in the software and hardware, a lack of auditable paper trails and physical security weaknesses are all issues found in many DRE machines.

Paper-based Electronic Voting
The other commonly used electronic voting method uses paper ballot as usual, but counts those ballots electronically. This method won't be covered in great detail, but is important because it is a sort of transitional state in the social transition to electronic voting. These are less vulnerable to attacks because there is guaranteed to be physical evidence to recount.

History of Electronic Voting Machines
The first DRE in America was the Video Voter machine used in two Illinois counties in 1975. It is used through 1980 by numerous counties. Modern E-Voting took off around 1988 with systems like the Electrovote 2000 and the Microvote systems.

Motivations for electronic voting
As of 2000, only 12.4% of voters used DREs. The voting methods in place were simple paper ballots, punch card machine types, mechanical lever machines, and optical scan technology. Simple paper ballots are where the voter checks off a name and the vote is then hand-counted by poll workers. Punch cards are read and tallied by machine after the voter punches out their selection. Mechanical lever machines work by incrementing a counter for each candidate which is then recorded by poll workers. Finally optical scan voting machines also automatically read paper ballots, but unlike punch card machines, optical scan reads bubbled, checked or X's marks written on ballots. These voting types were still in use in the 2000 Presidential Election which served to highlight many of their problems.

For more detailed background info on the voting types: Wikipedia page on Voting Machines

2000 Presidential Election

 * Main page: 2000 Presidential Election

The 2000 Presidential Election between Governor Bush of Texas and Vice-President Al Gore was one of the nation’s closest and most controversial elections. At the end of the voting day, Florida had not yet declared a winner for the state. Without Florida, neither candidate had the requisite 270 Electoral votes to be declared president. The month that followed had numerous recounts, each with a different vote total. Ultimately the election was decided in the Supreme Court in the case of Bush v. Gore where the ruling said that the recounts were done and therefore Bush had won the election based on the most recent recount with a margin of victory of 537. The questions that many were asking after the election are: 'Why did the recounts take so long?' and 'why did they yield different results?'

Problems in the Florida Election

 * Main page: United States presidential election in Florida, 2000

There were two major problems in Florida during the 2000 election: hanging chads and the butterfly ballot. Hanging chads occurred during punch-card style voting if the voter did not completely remove the tab when making their selection. The remaining tab sometimes caused the vote to go uncounted in the machine that tallied the votes. Another reported problem was the butterfly ballot, a punch card design which featured candidates on both sides of the punch holes. The problem was when voters tried to vote for the candidate second down on the left side, they instead voted for the first candidate down on the right side. These problems and others led to invalidated votes due to "no-voting" (no candidate selected) and "over-voting" (multiple candidates selected). In the 2000 election, 111,000 votes were not counted in Florida due to "over-voting" alone. These problems caused voter frustration much of which was aimed at the voting systems in place. This public opinion led to election reform bills and the huge increase in the usage of DREs over the coming years.

[These problems served] to disenfranchise voters in some communities, and that this feeling of disenfranchisement had led some to question whether the promises of democracy existed for them at all.

The increased use of DREs
The public opinion of paper-based voting systems after the 2000 election led to election reform nationwide. Two specific examples are the Florida Election Reform Act of 2001 which passed with only 2 out of 160 Florida legislators against the bill and the nationwide Help Americans Vote Act of 2002. To meet the requirements of these acts, many precincts chose to use DREs as their new voting systems. In 2002, 22% of voters used DREs, and by 2004, this number had risen to 29%.

Voter Verification
In an effort to allay many of the transparency concerns with DREs, there has been a push to implement additional ways for voters to verify that their vote is recorded correctly. The HAVA requires that all voting systems allow voters to independently verify that their ballot contains their correct choices before it is cast and be able to correct the ballot should they notice an inconsistency. Such systems are usually referred to as a Voter Verified Paper Audit Trail. To implement a VVPAT on a DRE, a printer is attached to the voting machine that prints out a voter’s selections, which the voter then verifies. This paper ballot is kept with the voting machine to allow DRE results to be audited or for use in a recount, if necessary. Many groups, such as the Verified Voting Foundation and Common Cause, and experts such as Rebecca Mercuri, PhD; Peter G. Neumman, PhD; and Dan S. Wallach, PhD, support VVPAT systems as they feel it addresses the concern that DREs will record votes incorrectly. Despite such widespread support, there are still some issues. Research has shown that many voters do not review their votes or don't recognize when their selections are changed. Another argument made by the American Association of People with Disabilities and Michael Shamos, PhD, JD, among others, against VVPAT systems is that the paper ballots cannot be easily be read by disabled voters. This means that disabled voters must either forgo verifying their vote and risk their ballot not reflecting their wishes, or seek assistance from poll workers to verify their vote, which removes the secrecy from their ballot.

Accessibility
Because DREs are special-use computers, much of the existing body of technology used to provide accessibility to computer systems can easily be adapted for use with these voting systems. These accessories can include headphones and Braille inputs for the visually disabled and sip-and-puff "wands" for the physically disabled. (See the Wikipedia entry on Assistive Technologies for a more complete list.) If voting machines are made fully accessible, then disabled individuals would be able to vote completely without any assistance, ensuring them the ability to have a secret ballot. It is because of these potential benefits that many groups and individuals, such as Jim Dickson, Vice President of Government Affairs for the AAPD have expressed their support for the adoption of accessible voting systems in all polling places, as required by the HAVA. Despite this response to accessible DREs, support has not been unanimous. Groups such as the Silicon Valley Council of the Blind have expressed disappointment in the level of accessibility of these voting systems. Individuals such as Aleda Devies, a handicapped voter, don't believe enough is being done to provide accessibility and object to voting machines providing only limited accessibility features: It is not acceptable to accommodate some members of the disabled population and expect the rest of us to live with “business as usual.” That is discrimination, which is not legal. Accommodating people with different disabilities requires great flexibility in a voting system. What works for and is preferred by certain members of the blind and visually impaired community does not accommodate people with mobility or motor impairments.

Security
One of the largest issues concerning electronic voting is security. There have been many highly publicized events highlighting security problems with DREs that have helped shape a negative public opinion of electronic voting. In 2006, a group from Princeton University released the results of a study describing the many security flaws they found in a Diebold AccuVote-TS voting system. The research also pointed out how quickly and easily malicious programs could be installed on the machines. Also in 2006, the HBO documentary “Hacking Democracy” was released. This documentary followed many of the problems voters had with electronic voting systems during the 2000 and 2004 US elections, as well as highlighted many of the security issues with the voting machines. In an attempt to reduce the number of security concerns with DREs, many groups support the effort to get voting machine manufacturers to release their source code to the public. By open sourcing (see Open-Source Movement) the code, experts and other third parties could review the voting system to find and fix any security issues they discover. Some of the opponents to this open-sourcing, such as the Election Technology Council argue that doing so would provide criminals with additional information with which they could devise more devious and effective attacks on the voting system. Another large group for keeping the code closed-source are the electronic voting system manufacturers. These companies have devoted large amounts of money and time to developing their intellectual property and don't want to release it to the public for free.

DRE voting machines obviously have significant weaknesses given appropriate physical access; preventing tamperers from gaining physical access to voting machines is one main way to ensure the security of voting. This is largely a social issue that lacks a clear technological solution. Bribery of officials is a serious issue, as illustrated in a 1998 Microvote scandal in North Carolina, which threatens the security of the voting process. Without a comprehensive sociopolitical solution to ensuring the legitimacy of election workers and officials, it is extremely difficult for a technological solution to perform adequately.

Problems with DREs
As mentioned above, there was an increase in the use of DREs in the early 2000s; there were also problems with this implementation. One example is seen in the 2006 elections where iVotronic voting machines in Sarasota County, Florida lost over 18,000 votes, potentially impacting results of some races (one margin of victory was just 400 votes). Security problems with Diebold voting systems ultimately led California to ban the use of DREs. The use of DREs dropped from 2006 to 2008 from 37.6% to 32.6%

We're trusting the fate of our democracy to technology that's not ready yet.

Moral taught by DREs
Over the course of less than 10 years, DREs went from rapidly increasing to sharply decreasing in use. The poor implementation by the voting manufacturers and government point toward an underlying lack of maturity in the technology. The moral DREs can teach us is that applying a technology before it is ready can lead to its downfall.

For technologies facing similar issues, read about Air Travel Security and Corn Ethanol

Internet Voting
Internet voting is the concept of allowing citizens to cast their ballot from home using an Internet-connected device. Unlike traditional electronic voting as in DREs (discussed above) or Ballot Marking Devices (which complete paper ballots using electronic input such as via a touch screen), Internet voting can be implemented on existing consumer electronics like cell phones.

This section discusses the challenges, advantages, and implementation of Internet voting, particularly as seen in Estonia.

Voting Security
Regardless of how a voting system is designed and implemented, it must have the following properties in order to be secure.
 * Confidentiality - Nobody can find how any person voted.
 * Integrity - The vote count is accurate. Voting integrity requires that each be person may vote once. Those who choose not to vote or are ineligible to vote must not have a vote counted. Nobody may vote on behalf of others. Counting Integrity requires that each vote must be counted correctly and exactly once.
 * Availability - The voting system must be available to all for the duration of an election.
 * Verifiability - Anyone must be able to verify that the above three properties hold. One should not have to have faith in any institution to have faith in the confidentiality, integrity, or availability of the voting system.

Issues with Security Requirements
While availability depends heavily on system implementation, the other three requirements are highly adversarial. In general, when a user casts a sealed ballot, voting integrity can be verified without violating the voter's confidentiality. Once the ballots are unsealed and personally identifiable information removed, counting integrity can also be verified without violating confidentiality. However, for this to ensure end-to-end verifiability (verifiability at every step of the way), the process of unsealing ballots must also be verified.

Current systems in practice
This section will focus on the design used by Virginia's vote by mail system to meet the voting requirements. While the details vary, Virginia's vote by mail model is highly representative of other vote by mail models.

In Virginia's model, voters receive a ballot and an envelope to seal it in. Voters then fill out the ballot, seal it in the envelope, and fill out their information on the envelope. Sealed envelopes and ballots themselves have security measures to prevent forgeries. An example of such envelope is below.

When the vote is received, voting integrity is enforced by correlating a ballot's sealed container to a voter. Envelopes matching someone who has already voted or with invalid or incomplete identification are rejected. At this point, because the vote itself remains sealed, the voter's confidentiality is maintained.

Next, the ballot is unsealed, and the voter's personal information is discarded. Because of the forgery protections on the ballots themselves, the unsealing process is assumed to be secure (i.e. the unsealed ballot used in counting votes is the ballot inside the voter's sealed envelope).

The unsealed ballots are then counted. Since there is no more personally identifiable information correlated with the unsealed ballots, anyone may examine these and verify that they are in fact counted correctly, thus ensuring verifiability of counting integrity.

Internet voting complications
In the above example system, any group with time and access to all paper ballots, their seals, and the state's voter registration databases can verify an election's results. With an internet voting system, it is difficult to verify that a vote-recording database's records are correct and requires more technical knowledge.

Election integrity can also be compromised in a theoretically perfect system: a bad actor may compromise voters' devices and change the vote before it is cast. No system is perfect, but a flawed digital system can be exploited more widely than an analog one.

Despite all efforts to the contrary, consumer electronics are relatively easy to track. For example, web services can often "fingerprint" a device to identify and track a user across sites through means like the user's browser settings. Also see. This website shows you how different parts of your activity can be correlated to you. Because the voting server or any intermediate server could record a fingerprint, verifying confidentiality in a digital system is no simple task.

Internet voting specific issues
While we have previously discussed issues with voting systems in general, we will also discuss issues more specific to internet voting.

Privacy
Internet voting solutions may be developed by private institutions. For example, Voatz was developed by a business and still is used by some US jurisdictions. This requires granting private organizations at least temporary access to voter identification credentials (e.g. driver's license, SSN, address, pictures, birthday) so that the application can verify a voter's identity. User privacy can be compromised if private entities retain this information.

Verifying a user device is not compromised requires special access to the device, potentially including access to the user's operating system and personal files. This also poses a threat to a user's privacy.

Conformity
In the US, Article I, Section 4 of the Constitution delegates the responsibility of holding and regulating elections to individual states. This poses the potential for internet voting to be a patchwork system in the US, greatly complicating election security audits and possibly confusing voters. If election systems were a primary responsibility of the Federal government, creating consistent, secure internet voting systems could be made easier due to the Federal government's increased amount of resources and expertise compared to any state. Other governments with similar Federal constitutions may experience similar issues.

Accessibility
Not all user devices may be eligible for internet voting. Internet voting applications are likely to require the use of specialized security hardware (e.g. biometric authentication), which could lead to disenfranchisement of voters without newer devices. Internet access is also not equally accessible to all registered voters. Pew Research Center reports only about 3/4ths of Americans have broadband internet access at home.

Trust
Since internet voting systems cannot be verified by the average individual like paper ballots can, the public would have to be convinced that a system is trustworthy. This problem can even be seen with traditional electronic voting in the 2020 US Presidential Election. For example, Dominion Systems has been subjected to numerous claims of integrity issues despite having paper audit trails available. This problem would likely only get worse with an Internet system requiring multiple intermediary servers and electronic storage and vote recording.

Internet Voting in Estonia
Estonia's internet voting, or i-voting, is only concerned with voting, counting votes, and announcing election results. The current internet voting system in Estonia was adopted in 2017. It is based on their General Framework for Electronic Voting which defines the design requirements for their i-voting system:
 * Ensures voters are registered through some legal digital signature.
 * Allows votes to be cast multiple times. This way, if a voter is forced to vote for a specific candidate, they can revote later.
 * Allows voters to verify their vote has been cast properly through multiple different devices; a second device reduces the threat of a potentially compromised device.
 * Designed such that the widest range of specialists can audit the system.

Estonia's Implementation
Estonia’s i-voting system is based on the “envelope scheme” which replicates mail voting procedures that utilize an inner and outer envelope. A user’s vote is encrypted (inner envelope) and digitally signed with the user’s personal information (outer envelope). This two layered system allows polling officials to verify a user is registered to vote with the outer envelope, discard any personal information, and then access the ballot. This is to ensure the confidentiality of voters.

I-voters must use government issued software which has published source code online. Users of the system and outside investigators can ensure the security of the code.

Estonia utilizes their national ID card which doubled as a smart card or an official digital ID on a mobile device. As having one is mandatory, it was very practical for citizens to use. While public computers were made available for voters without their own, using them is recommended against, since prior users could have malicious intent.

Votes are not immediately stripped of their outer envelope until voting has closed. If a voter casts more than one vote, the last one is identified and replaced.

For a voter to ensure their vote was cast properly, they can use a mobile device to see who they voted for prior to voting closing.

Usage of Internet Voting in Estonia
Estonia released internet voting in 2005. They were the first country to offer internet voting for local elections and in 2007 they became the first country to offer it for general elections. I-voting in Estonia has been widely accepted by its citizens as shown by almost 44% of voters voting online in the 2019 general election.



One barrier to entry to internet voting is the use of technology. Older generations often struggle adapting to new systems. Despite this, older Estonians have taken to internet voting. In the 2019 European Parliament elections, i-voters over 55 made up almost 35% of total i-votes with the 25-34 and 55-64 age groups comprising 18.3% and 17.3% respectively.



Impact of Internet Voting in Estonia
Much of Estonia's success has come from its culture and close community. Internet voting is taught in schools to ensure that new voters are aware of the systems at play.

A 2017 security flaw impacting digital IDs forced a recall of 760,000 cards. Digital services had to be suspended and the potential threat of security issues became apparent to the public.

Despite this issue, subsequent elections saw significant increases in i-voting. Part of this boom can be attributed to a security investigation launched in 2019. Various politicians, universities, and citizens participated in a six-month audit to instill trust in the electoral system and expand the number of voices involved.

While Internet voting may make it easier to vote, a 2017 study found no correlation between the rise in Internet voting and an increased voter turnout. Voters did turn to Internet voting, but these voters consisted primarily of those who would have voted anyways rather than new voters.