Shamos: Why e-voting paper trails are a bad idea

PITTSBURGH--Many computer scientists have been arguing for years that electronic voting machines absolutely must sport paper trails that can be verified by the voter and subsequently used in manual recounts.

It's a formal policy position of the U.S. arm of the Association for Computing Machinery, the professional organization of computer scientists. Stanford University's David Dill even created the pro-paper-trail Verified Voting Foundation and has co-authored an article for us that argues against Internet voting, too.

But support of paper trails is not unanimous. Michael Shamos, a professor of computer science at Carnegie Mellon University who teaches an e-voting class and has been a consultant to the Pennsylvania government since 2004, believes that electronic methods of tabulating votes actually tend to be more secure than paper-based ones.

In addition to reviewing the source code of some electronic voting systems under nondisclosure agreements, Shamos has been an e-voting consultant for Texas and Nevada. An April 2004 paper he wrote says that e-voting systems do have risks but paper isn't the answer (and suggests alternatives). In it, he quips that out of a million or so computer scientists and mathematicians, only 100 or so have signed a statement calling for paper trails; it drew an angry response posted at Verified Voting's Web site.

I sat down with Shamos on Friday at his home near Pittsburgh's Shadyside neighborhood, a few blocks from campus, to talk about e-voting and the Pennsylvania primary that is scheduled to take place on April 22. Following is a lightly edited (I abbreviated some of my questions and some of his answers) transcript of our conversation.

Q: How many different e-voting systems does Pennsylvania use?
Shamos: The number of different systems we use in Pennsylvania has gone down one because one was decertified. We're down to 9 or 10. We have one of the most diverse voting systems of any state in the country. We have only 67 counties.

It means that if you were to mount a statewide manipulation, you couldn't do it. There's some security in numbers.

How many voting machines in Pennsylvania produce voter-verified paper trails?
Shamos: We don't have paper trail systems in Pennsylvania. Please don't use the term "paperless." It's a construction of the advocates and it's false and misleading. They're not paperless. They just don't produce a contemporaneous paper that the voter can view.

The word "paperless" is really insidious. The word "less" is meant to imply that they're thereby missing something. Whoever decided to come up with the term "paperless" deserves a left-handed prize for their imagination. It's wonderful for them. Paperless.

Would you agree that a paper trail is important?
Shamos: I wouldn't agree to that. No. Why is it important?

Should I try to answer that?
Shamos: You'll give me an answer. It won't be a good answer.

If you have voter-verified paper audit trails, voters can actually look at a physical representation of their cast vote, which provides a check against election fraud or malfunction. Without that paper trail, an intentional or unintentional glitch in the machine can skew the election and not be detected.
Shamos: The theory of the voter verified paper trail is that, at the time the voter is in the booth, the voter sees double. They're assured that their correct choices are recorded on the physical medium. Regardless of what's on the machine, it's on the paper. The paper drops into the box, nobody has any clue what's in the box, how many pieces of paper are going to be added to the box, subtracted to the box.

Every manipulation of elections that's been proven has involved the manipulation of paper.

And in every election, we see paper ballots that don't match up. It's much worse with paper trails. This creates a severe legal problem in states where the paper trail is the official ballot, Ohio for example. Such states always ignore the law. They have to ignore the law. Twenty percent of paper trails (tend to be) missing or illegible.

If they're a computer printout, why would they be illegible?
Shamos: The real reason is that the printers are made in China and as you saw recently with Ed Felten, they can't even produce legible numbers. They're crap.

(Often what happens) is that it jams and the printer overprints. The voters don't notice because they're not used to this. Another thing that happens is that the bag (of printouts is returned and can be manipulated).

Over and over again, some number around 20 percent doesn't exist or can't be read. What the law requires is that the electronic count, presumed accurate, must be discarded, and 20 percent of the electorate must be disinfranchised. Yet advocates claim that a paper trail is the most reliable mechanism. How can it be reliable if 20 percent is lost?

I'm not saying you can't make a reliable paper trail. You can use ATM technology. The reason we don't use ATMs is that they cost 10 times as much as voting machines.

The Holt bill failed. If it hadn't failed, it would have outfitted these (voting machines) with cheap printer parts. You won't hear that from the advocates. They will never admit that a paper trail machine loses votes.

When you say "advocates," who or what do you mean?
Shamos: Let's start with VerifiedVoting.org. And we can go all the way to the EFF and the League of Women Voters. There are numerous organizations that have taken the position that paper trails are the only way to safeguard elections, no matter that they lose 20 percent of votes.

Let's assume that 100 percent of voters verify the paper trial, though experimental numbers are closer to 8 percent. How are we going to make use of the paper trail? One is with an audit (that looks at statistical sampling and discrepancies). But if a discrepancy is found, we will not accept any of the electronic totals. That works, assuming that all of those pieces of paper got created correctly, and are subject to the same kind of security safeguards that the advocates insist on for electronic machines.

The problem is that when you vote electronically, multiple copies of your ballot image are recorded in memory. (Once a memory card is removed it becomes virtually impossible to tamper with.) Those systems are perfectly safe from after-the-fact tampering. They may not be safe from before-the-fact tampering.

Compared to paper and its vulnerability to after-the-fact tampering?
Shamos: I'm not advocating that we blindly trust machines. We have to have a way to make sure the (record is correct). If anything happens to that piece of paper, if it gets substituted or lost, there's absolutely no way to reconstruct the election. that's unlike an electronic system, which is if one memory fails you have the other.

The security on ballot boxes is much lower than the security on voting machines themselves. In order to do anything with those pieces of paper, they have to be handled by people. What do you think happens?

If I want to screw up an election, all I have to do is modify five votes. Then we have to do a manual recount (which is vulnerable to tampering and ballot-stuffing).

One way to address that problem is to use some kind of cryptographic mechanism, like a digital signature, on each piece of paper.
Shamos: You have stated that one can put various cryptographic codes on the ballots to ensure their authenticity. The fundamental problem is that they're not human-readable.

When someone votes for Hillary, it prints out an invalid bogus code. We put it under a scanner later.

You could have a second machine created by a second manufacturer that validates the digital signature on a ballot.
Shamos: The voter could go over to a second machine and say, yes or no, this is a valid ballot. Then the (person who wants to throw an election) goes to the second machine and tampers with that component, too.

The fundamental difficulty with paper trails is that they're ridiculously kludgey. The problem is that once you mandate paper trails, it cuts off research. There would be no reason to use anything else because it would be illegal.

Only in the United States, or in one jurisdiction.
Shamos: What we really want are end-to-end verification systems. I want to be able to tell that my vote was counted. These paper trails do not provide end-to-end verification. No serious manufacturer is working on end-to-end verification. We're not making any progress toward that end except in the theoretical journals. Why? Because the idea of paper trails has completely gummed up the works.

We're going electronic. The next generation is convinced they're going to vote from their cell phones. (It's going to happen.)

The real problem is reliability. The systems fail. Furthermore, the code isn't good. The code is riddled with bugs, most of which don't affect the accuracy of the tally. But we don't know when those conditions occur.

Does that mean you're suggesting that we should be voting from insecure home computers even if they're running Windows 98?
Shamos: I can point you to a mechanism (in a paper by Avi Rubin and Dan Wallach) that would allow secure voting on insecure terminals. The notion that the Internet is just not secure enough to do anything important is just wrong. It's not insurmountable. The right people aren't thinking about it because you gotta have a paper trail.

Do you think an increasing number of your colleagues are coming around to your point of view?
Shamos: No. I wouldn't expect them to. (They may be very good technologists, but) they don't know anything about elections. They don't know how votes are counted.

Does that mean that you think that some of the fuss over Diebold is overblown?
Shamos: The equipment is not as reliable as it should be. The software is not designed as well as it could be. The manufacturers are secretive. I've been involved in a number of source code audits of voting systems and these audits always produce a huge list of vulnerabilities. I've never found bugs that interfere with the integrity of an election. But you don't want them there.

(Take the case of the reported problems with the Diebold GEMS tabulation system). I don't think it's utterly fatal to electronic voting machines in the United States. What the advocates will tell you is that that bug is just the tip of the iceberg and if they were granted access to the source code, they would find more. I would agree with them on that.

If the codes were published, there would be a period of time when these vulnerabilities would be found--a lot of buffer overflow errors--and then they would be fixed. And everyone would know it's fixed.

The naysayer thinks it's throw-the-election-to-Republicans code. That's not there. It's horrible spaghetti code, lack of software engineering. These things have to satisfy every quirk of the voting laws in all 50 states.

So you're saying it's easier to hack an election with paper ballots than it is with electronic ones?
Shamos: I say, and the advocates are forced to admit it, that there's never been any evidence that a DRE machine has been tampered with in an election. They say that doesn't mean it never happened. I agree with that. But I believe deeply that if people were out there trying to hack elections we would see evidence of failed attempts.

To believe that in the lack of evidence means that the first person who hacked an election got it right. Remember Robert Tappan Morris and the Internet worm? I would get worried if we start to see systematic evidence (of increasingly robust) attacks. But we've never seen any of those. That's what consoles me. I have to believe that a really improbable event did not occur: that someone found the perfect hack the first time.

Isn't it optimistic to think that officials and auditors will necessarily be able to detect the first real attack on e-voting machines?.
Shamos: Technology is always required in elections. The days of the hand-counted ballots are over. You can design technology in a way that makes the problems readily apparent or that they're disguised. My position is that when a problem is found, it's an engineering problem.

When a bridge collapses, do we outlaw bridges or do we inspect bridges of similar design? If the design itself is fundamentally flawed, then those bridges are going to have to be taken out of service and rebuilt. If there's a fix, however, you can add a bracing member.

What's happened (in discussions of electronic voting) is that a strong, loud populous advocacy voice said "We are computer scientists and know quite well the vulnerabilities of electronic voting systems and those vulnerabilities are so severe that the democratic process is at risk." I don't think those conclusions are justified.