Ballot Boxes Go High Tech
From touch screens to digital 'frogs,' technology to make voting more secure is tricky, but it's coming
By Steven Levy
Newsweek

March 29 issue - The Florida election debacle in 2000 brought us face to face with some bad news: common voting technology can be untrustworthy. Many state and local election officials were already moving toward what they thought was the answer: sleek electronic touch-screen voting terminals where confusion would be eliminated by confusion-free ATM-like technology. Congress sped up the process by passing the Help America Vote Act in 2002, which partly pays for the machines. Now the devices, made by major election suppliers like Diebold and Sequoia, are in 30 states (the only way to vote in Georgia and Maryland), and will be used by about 28 percent of the country in the November elections. But in recent months, computer scientists and security experts have uncovered weaknesses in these gizmos. Many now claim that it's entirely possible to hack an election—deleting electronic votes as if they were misspellings in a word processor, or doing a cut-and-paste from one candidate to another—without anyone's knowing it. That's because there's no way to ensure that the choices punched on the screen will actually be reflected in the final tally. Many experts are concluding that touch screens, the alleged voting technology of the future, are ... untrustworthy.

A new set of players in the election arena—computer scientists and cryptographers—are now developing systems to let—people know that their votes have actually counted. It's a tricky task. The bedrock requirements of any decent voting system are security strong enough to prevent fraud and the anonymity of a secret vote. This makes verification a challenge, because using a simple digital audit trail to re-create what happened on Election Day would mean revealing who voted for whom (violating the principle of secret ballots). But election geeks are finding ways to help solve these puzzles.

The most-talked-about scheme was first conceived in the early 1990s by a graduate student named Rebecca Mercuri. It's now called verified voting (to the dismay of those with alternate ideas, who note that their schemes involve verification, too). The system is a kind of truth serum for touch-screen systems. After a ballot is cast, the choices are not only summarized on the screen but printed out on a piece of paper. The voter looks at the printout and has an opportunity to verify that the choices are actually the ones he or she cast. If so, the vote is approved, and the paper goes into a locked ballot box. (The voter isn't allowed to leave the booth with the printout in hand—it's displayed behind a transparent barrier—to prevent someone from running a vote-buying scheme.) If there's a recount, or if officials want to check the accuracy of the touch screen, the paper ballots are counted. One variation, the VoteMeter, replaces the printout with a readout on a palmtop device that stores ballots securely.

The Mercuri scheme has picked up a lot of momentum. Last year Rep. Rush Holt of New Jersey introduced a voter-verification bill that is now bottled up in committee. Just two weeks ago New York Sen. Hillary Clinton and Florida Sen. Bob Graham unveiled a similar bill in the Senate. And California's secretary of State recently mandated that by 2006 all touch-screen systems should include printers that generate ballots for verification. Six other states have jumped on the paper-trail bandwagon, spurred in part by a campaign on the Internet called "The Computer Ate My Vote." Mercuri herself, who's now at the Kennedy School of Government, is concerned that the scheme might not be implemented correctly, and is now advocating that the actual count should be made not from the computers but from the printed-out ballots. "It's a case of 'Be careful what you wish for'," she says. "I asked myself, 'If these ballots are used to verify the results of machines we don't trust, why not use the ballots as the actual votes?' "

In 1999 a trio of computer scientists suggested a different method. It involves a doodad called a frog, for no particular reason other than that the term has no association with elections. A frog in this sense is a cheap form of digital storage that records votes. It might be a business-card-size piece of plastic with a bit of digital memory. After proving you're eligible to vote, you get a frog from an election official, who initializes it with the ballot appropriate to your precinct. (Bonus: there's no reason you can't get your home ballot if you're at some other location. It's possible to store information on a single CD that could generate any ballot in the country.) If you like, you could get the frog well in advance of Election Day, and use any computer you like to enter the votes. On Election Day itself, you take your frog into the booth and it into the official voting terminal, which reads the frog's content and displays your choices on the screen.

Then comes an "Is that your final answer?" moment: if you're happy with the ion, you press a button to make your vote official. If for some reason the readout did not reflect your choice, or you change your mind, you can reprogram the frog. (This ability to alter the frog means that no one can give you a preprogrammed frog with the assurance that you'll stick with the choices.) After the vote is formally cast, the frog, well, croaks—the memory freezes, and the device takes no changes. You'll leave it behind in case a recount is necessary, but it couldn't be used to revote. Though no one has yet identified many warts in the system, the frog idea seems like a long shot. "It's an attractive method, but no one's picked up on it yet," says co-inventor David Jefferson.

The most sophisticated systems deliver verifiability without a cumbersome, possibly vulnerable, set of printed-out ballots (or discarded frogs). With clever cryptographic algorithms and innovative viewing devices, it's possible to envision a process that provides specific proof after the fact that your vote was included in the total—without compromising the privacy of your ion.

Cryptographer David Chaum, who wrote the first papers on computer-based anonymous voting in the early 1980s, has been experimenting with such schemes. (He's behind the aforementioned VoteMeter.) His latest iteration is Votegrity, involving a device in addition to standard technology (like a touch screen). When you cast your vote, this device generates three images, or "stripes"—bar-code-like objects with encoded information. Each stripe contains your vote in encrypted form, but by some form of mathematical magic, when overlaid on top of each other, the stripes display your ions in plain language. As you vote, this readable output is projected on a small screen inside the voting booth so you can check it for accuracy. Then the paper is divided to separate the stripes, and voters may choose which one to take with them. That same image is stored digitally, and officials will use it to register the actual vote. The decryption process involves techniques to ensure that the votes counted are the same ones the voters saw in the booth.

Where's your verification? The codes are all posted to the Web, and using the encoded receipt and a serial number also printed on the paper, you can go online to check that your encrypted vote was tallied. (Of course, since the image is encrypted, no one can know how you voted.) "The Chaum system is the better ballot box," says Mercuri. "It's the first solution that proves to someone that his or her vote counts."

A similar system sold by software vendor VoteHere provides citizens who want to verify their votes with a tracking code that essentially does the same thing; CEO Jim Adler says that he's working with Sequoia to implement the system, and it's possible that it will be in use in some California counties this November.

Some say that the final frontier of elections is Internet voting. About 46,000 participants in this year's Michigan primary actually pulled virtual levers from cyberspace to cast their votes. But another much publicized venture, the Department of Defense's SERVE program (which would have allowed up to a million armed forces members and expats to choose a president via a Web browser this year), was put on hold after a formal study by top computer scientists pretty much outlined the reasons that the Internet isn't nearly as good a place to vote as it is to buy books or Google one's blind date: the security is dicey, votes aren't secret (computers aren't closed off like voting booths) and, in a pinch, someone could screw up an Internet election by a denial-of-service attack. Most computer scientists interested in voting think that the foreseeable future still lies in polling places.

Now that the academics and propeller-heads are devoting brainpower to the voting problem, there's a possibility of some even more unconventional tech appearing in the ballot box. MIT Media Lab associate professor Ted Selker—a key designer of the ThinkPad laptop while at IBM—has been giving a lot of thought to problems like clearer interfaces, including those that might ensure that newer systems won't exclude blind voters. He's even brainstorming an idea where modified Sony PlayStations could be used as low-cost voting machines.

It's encouraging to see geeks using their brainpower to devise systems that deliver privacy, security and verification. But it's already too late to massively implement these ideas in time for what promises to be another nail-biting general election in November. The die is cast (and the frog is frozen) on a combination of the traditional worrisome technology and the new, even more suspect, unverified touch screens. Here's hoping we're not moving from chad to worse.