E-voting predicament: Not-so-secret ballots

Open-records laws in Ohio mean anyone can follow the machines' paper trail to see who voted for which candidates.

Declan McCullagh Former Senior Writer
Ohio's method of conducting elections with electronic voting machines appears to have created a true privacy nightmare for state residents: revealing who voted for which candidates.

Two Ohio activists have discovered that e-voting machines made by Election Systems and Software and used across the country produce time-stamped paper trails that permit the reconstruction of an election's results--including allowing voter names to be matched to their actual votes.

Making a secret ballot less secret, of course, could permit vote selling and allow interest groups or family members to exert undue pressure on Ohio residents to vote a certain way. It's an especially pointed concern in Ohio, a traditional swing state in presidential elections that awarded George Bush a narrow victory over John Kerry three years ago.

Ohio law permits anyone to walk into a county election office and obtain two crucial documents: a list of voters in the order they voted, and a time-stamped list of the actual votes. "We simply take the two pieces of paper together, merge them, and then we have which voter voted and in which way," said James Moyer, a longtime privacy activist and poll worker who lives in Columbus, Ohio.

Once the two documents are merged, it's easy enough to say that the first voter who signed in is very likely going to be responsible for the first vote cast, and so on.

"I think it's a serious compromise," said David Dill, a Stanford University computer science professor who has followed electronic voting issues closely. "We have a system that's very much based on secret ballots. If you have something where voters are involuntarily revealing their votes, it's a very bad practice."

Moyer and fellow activist Jim Cropcho tested this by dropping by the election office of Delaware County, about 20 miles north of Columbus, and reviewing the results for a May 2006 vote to extend a property tax to fund mental retardation services (PDF). Their results indicate who voted "yes" and who voted "no"--and show that local couples (the Bennets, for instance) didn't always see eye-to-eye on the tax.

Patrick Gallaway, communications director for Ohio Secretary of State Jennifer Brunner, a Democrat, said on Friday that his boss had already been planning to begin a "comprehensive" review of e-voting machines as part of a campaign pledge she made before taking office in January. He said the review now is likely to include a look at the ES&S voter privacy concern as well.

ES&S machines are used in about 38 states, according to the Election Reform Information Project, created by the Pew Center on the States. Of those states, Arkansas, Iowa, North Carolina, Ohio, and West Virginia are among those using ES&S iVotronic machines with paper audit trails.

Other suppliers of electronic voting machines say they do not include time stamps in their products that provide voter-verified paper audit trails. Sequoia Voting Systems and Hart Intercivic both said they don't. A spokesman for Diebold Election Systems (now Premier Election Solutions) said they don't for security and privacy reasons: "We're very sensitive to the integrity of the process."

An ES&S spokeswoman at the Fleishman-Hillard public relations firm downplayed concerns about vote linking. "It's very difficult to make a direct correlation between the order of the sign-in and the timestamp in the unit," said Jill Friedman-Wilson. (ES&S iVotronic machines are used in 10 Ohio counties, mostly in the center of the state, according to a map on the BlackBoxVoting.org watchdog site.)

"That is so fatally flawed," Friedman-Wilson said about Moyer's and Cropcho's analysis. "It doesn't take into consideration any of the times that there would be interaction with a voter and a poll worker before the ballot is activated." As for the interaction of Ohio open records law with ES&S logs, she said that "it is most appropriate that the secretary of state's office and others who are responsible for carrying out elections respond to questions regarding Ohio election law and procedure."

Timestamps + Ohio law = trouble

One explanation is that ES&S never expected that the paper with the time stamps, known as a voter-verified paper audit trail, or VVPAT, would be made public under state open records laws.

A report evaluating ES&S security prepared by Compuware auditors two years ago for the Ohio secretary of state--marked "Confidential" but available on the Internet (PDF)--does warn about keeping electronic time stamps. It says that the electronic representation of votes, called the Cast Vote Records, "should not have time stamp associated with it" and must be randomized to protect privacy.

But the auditors viewed timestamps on the physical printout, called the audit log, as needed to detect "tampering" with the ES&S iVotronic hardware. "All actions to the iVotronic are recorded in the audit log with a time stamp," the report said. "This includes opening and closing the polls, voting, inserting invalid voting cards, loss of power, and supervisor access."

David Wagner, a professor of computer science at the University of California, Berkeley, said electronic storage of votes in the order that voters cast them is a recurring problem with e-voting machines.

"This summer I learned that Diebold's AV-TSX touchscreen voting machine stores a time stamp showing the time which each vote was cast--down to the millisecond--along with the electronic record of that vote," Wagner said in an e-mail message. "In particular, we discovered this as part of the California top-to-bottom review and reported it in our public report on the Diebold voting system. However, I had no idea that this kind of information was available to the public as a public record."

The July 20 report on Diebold (PDF), written by Wagner and five Princeton University researchers for the California secretary of state, cites the electronic time stamp as a voting privacy concern. "If the time when each voter checks in is recorded in the poll log book, an attacker with access to the log book could correlate this data with the timestamps to determine how voters voted," the report says. "Alternatively, observers in the polling place could note the time when target voters cast their votes and find the corresponding vote records in the ballot results file."

Ohio law allows just this. Section 3501.13 of state law says "the records of the board and papers and books filed in its office are public records and open to inspection." Anyone who interferes with the public's right to inspect the records, in fact, is guilty of a misdemeanor.

Of course, the correlation may not be perfect. If Voter No. 1 signs in but gives his space in line to Voter No. 2 who's in a hurry, a reconstruction of the votes based on public records will incorrectly identify their votes.

Having multiple machines and multiple lines can also create a randomization effect, but Moyer says that in his experience as a poll worker there's only one line that feeds into multiple machines. In addition, he says, poll workers log the voter into the ES&S iVotronic, which starts the time-stamped entries and means there's no additional randomization of voters taking different amounts of time to start the process.

A uniquely Ohio problem?

Even though other states do use the ES&S iVotronic paper trails, they don't necessarily make them available for public perusal.

Natasha Naragon, a spokeswoman for the Arkansas secretary of state, said she knew of no way to disable the time stamps on the voting machines' printed output. But, she said, "our law does not allow for public access to our voted ballots" and said they remain sealed unless there's a recount.

Iowa's procedures seem designed precisely to avoid the Ohio situation. "Iowa has an administrative rule, because the paper trail is in voter sequence, that prohibits providing to any of the bodies that have access to the paper rolls any information that would allow them to link individual ballots on paper roll to the voters," said Sandy Steinbach, the state's director of elections.

Computer scientists and security experts say restricting the public's access to e-voting paper trails by tinkering with open records laws is insufficient--it doesn't protect against, for instance, an insider perusing the ballots and reconstructing them.

They do say paper trails are necessary to provide a physical check on what could be a buggy or maliciously programmed machine. But they offer three suggestions: deleting the time stamp, not keeping a list showing in which order people vote, and adding a paper slicer and shuffler to randomize how the physical audit trail is recorded.

Lorrie Cranor, director of the Usable Privacy and Security Laboratory at Carnegie Mellon University, says that "you need to have mixing either in the recording of the orders of the voters or the votes, or preferably both."

"Audit trails are really important, but so is privacy," she said. "Many of the vendors of (e-voting machines) have actually put ID numbers on the paper records, which also could be used to reconstruct which voter is associated with a vote."
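A software analogue of the suggestions above (drop the time stamp and per-record ID, mix the record order), written as an added sketch that is not from the article or any vendor. The field names `seq`, `time` and `choice` and the sample records are constructed; the gate confirms totals survive while linking fields and cast order do not.

```python
import secrets

LINKING_FIELDS = {"seq", "time"}  # assumed names for the record ID and time stamp

def sample_trail(n=40):
    """Constructed audit-trail records, listed in the order they were cast."""
    return [{"seq": i, "time": f"07:{i:02d}:15",
             "choice": "yes" if i % 3 else "no"} for i in range(n)]

def mixed_order(n):
    """Random permutation of 0..n-1 from the OS CSPRNG (not a seedable PRNG)."""
    order = list(range(n))
    secrets.SystemRandom().shuffle(order)
    return order

def release_copy(trail, order):
    """Publishable copy: linking fields dropped, records emitted in mixed order."""
    return [{k: v for k, v in trail[i].items() if k not in LINKING_FIELDS}
            for i in order]

def tally(records):
    """Count records per choice; this is the part an audit must preserve."""
    totals = {}
    for r in records:
        totals[r["choice"]] = totals.get(r["choice"], 0) + 1
    return totals

def order_leak(order):
    """Share of released positions that still equal the cast position."""
    return sum(pos == i for pos, i in enumerate(order)) / len(order)

def release_check(trail, released):
    """Gate before publication: same totals, no field that orders or IDs a record."""
    if tally(trail) != tally(released):
        return "tally changed"
    if any(r.keys() & LINKING_FIELDS for r in released):
        return "linking field present"
    return "ok"

if __name__ == "__main__":
    trail = sample_trail()
    order = mixed_order(len(trail))
    released = release_copy(trail, order)
    print("raw trail:", release_check(trail, trail))
    print("release copy:", release_check(trail, released))
    print("leak unmixed:", order_leak(list(range(len(trail)))),
          "leak mixed:", order_leak(order))
```

Mixing a published copy does nothing for the original paper roll, which is why the physical slicer and shuffler is listed as a separate measure.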

Moyer and Cropcho have posted a summary of their findings on their Web site, ThePublicBallot.org.

For its part, ES&S claims that printing out time stamps is recommended by standards adopted in 2002 by the Federal Election Commission.

ES&S spokeswoman Friedman-Wilson pointed to two sections of the standards, one of which says "all audit record entries shall include the time-and-date stamp." The other says error messages, critical system status messages, and a record of a voter "activating and casting each ballot" should be part of the audit log. (It does not, however, explicitly mandate that the outcome of the vote be printed.)

"Because the voter verifiable paper audit trail is one element of the audit function of a voting unit, one could interpret these guidelines as requiring the time stamp have citations within the guidelines," Friedman-Wilson said in an e-mail message.

Johnnie McLean, the deputy director of the North Carolina Board of Elections, said: "Our public records laws don't include that paper record. A voted ballot is considered confidential." In West Virginia, secretary of state spokesman Ben Beakes said: "There would be no way to match the time with the voter because in our poll book system, all you would find is an alphabetical list of the people they voted, not the time they came into the polling place."

Ohio, by contrast, may be unique. "It's my understanding from our legal staff that a public document consists of anything that is in the public domain," said Gallaway, the secretary of state's communications director. "I think that both of those (the time-ordered poll books and the time-stamped paper trail) would be considered that."

That has left computer scientists, already alarmed about the security of e-voting machines, dismayed at the interaction between time stamps and Ohio laws. "Security and privacy and the integrity of the voting system depend not only on the technology, but also on the procedures and the combination of the two," said Stanford's Dill. "This is a case where the combination of technology and procedures are working together to create a privacy threat."

CNET News.com's Anne Broache contributed to this report