Electronic voting has improved since the 2004
elections. However, many problems with security, reliability, and
operation still remain.
In 2004, when touch-screen voting machines were widely deployed for the
first time in a national election, concerns about the security and
reliability of the machines--and therefore, the integrity of election
results--abounded. Since then, some election officials have adopted
voter-verified paper audit trails (VVPATs) to improve the reliability
of election results. Security holes continue to be discovered, however;
and of the 32 states that use touch-screen machines, only 17 require
that the machines produce paper trails.
Moreover, the paper trails themselves pose new and unexpected
problems, says David Dill, a Stanford University computer science
professor and the founder of VerifiedVoting.org,
one of the leading proponents of mandatory paper trails for e-voting
machines. Paper-trail systems may fail for mechanical reasons or
through human error, as they did in Ohio this year.
Troubled Past
In 2002, Congress provided $300 million to states to replace troublesome
punch-card and lever machines with new voting systems. Many states
chose touch-screen voting machines, which vendors claimed were faster,
easier to use, and more reliable than other voting methods.
Then in 2003, reports surfaced criticizing machines made by Diebold Election
Systems for numerous security problems, and arguing that testing and
certification procedures for evaluating all voting machines were
flawed. For example, according to security researchers who viewed the
Diebold source code, the database of votes in the Diebold tabulation
software was not password-protected, so a hacker could have manipulated
the vote totals and altered the log to erase evidence of fraud. Such a
problem could be discovered if more-stringent certification methods
were used.
Though touch-screen machines have worked well in
many places, there were widespread reports of mechanical problems with
the machines prior to and on election day, delayed delivery of results,
and instances where employees of e-voting machine makers upgraded
software or otherwise modified the systems on election day, which could
have introduced bad code that changed the results, either accidentally
or on purpose.
In some cases, election officials even allowed employees of e-voting
machine vendors to help process vote totals on election night.
Criticism of such practices is forcing officials to rethink their
relationship with e-voting firms. Doug Chapin, director of Electionline.org,
a nonpartisan group that provides news of election reform, says, "I
think you're starting to see state and local governments say...'Wait a
minute. We've given up too much control, and we know too little about
these systems that we, as election officials, are on the hook for at
the end of the day.'"
In 2004, public outcry against touch-screen machines and the
call for paper trails to bolster the integrity of voting results
reached their height. That caused many states to mandate paper trails or
to instead adopt optical-scan systems, which use a paper ballot that
voters mark.
Each kind of system continues to be deployed.
Political consulting firm Election Data Services, which tracks
voting-machine usage nationwide, estimates that 40 percent of voters
will cast ballots on touch-screen machines this year, and that about 42
percent will cast them either on optical-scan machines or on
traditional paper ballots. Others will cast ballots on different
systems, such as punch-card machines, which are still used in at least
two states.
And at least 30 percent of U.S. counties have
changed voting equipment since 2004, so this year's election marks the
first use for lots of new hardware on a large scale. That is not good
news, according to Kimball Brace, director of Election Data Services,
which tracks voting-machine use. "History has shown that the first time
you implement new voting equipment, you're much more likely to have a
problem."
Maryland's September primary was a case in point.
Problems with the new e-voting systems due to human and mechanical
errors were so severe that the governor called for a return to paper
ballots in November's general election.
Also, the security of touch-screen machines--and even of optical-scan units--remains a significant concern.
Security Strife
In May, Finnish computer security expert Harri Hursti, working on behalf of
voting activist group Black Box Voting, announced his discovery of a
new security vulnerability in Diebold's touch-screen machine; some
security experts subsequently deemed this the most severe hole yet
found in an electronic voting machine.
The vulnerability
involves a feature in Diebold's system that allows election officials
or company workers to update software on a machine. Hursti and others
argue that anyone who has even brief access to a machine could upload
malicious code to it. Voting machines are often left unattended in
polling places or at poll workers' homes for days before elections.
Diebold, in a statement, described the vulnerability as "theoretical"
and low-risk. Still, the firm said it would fix the problem.
Then in June the Brennan Center for Justice released results of a year-long
study of voting systems tallying more than 120 security problems
involving voting systems made by the top three vendors--Diebold,
Election Systems and Software, and Sequoia. The study, conducted by
election officials and computer security experts, concluded that the
easiest way to tamper with an election would be to introduce software
that switched votes from one candidate to another. It found that few
states had effective methods for detecting such rogue code.
The report surprised few people, since previous studies had cited many of
the same security problems, but it did provide a comprehensive look at
security issues across all voting systems, not just beleaguered
Diebold. Voting machine makers have responded to this report and to
previous ones by asserting that the probability of someone hacking a
machine is low and that procedural safeguards act as a check on
malicious activity. But Stanford's Dill argues that the integrity of
elections shouldn't rely on procedures' being followed perfectly, in
view of human fallibility and of past elections in which poll workers
often didn't follow prescribed procedures.
Researchers also
found that several voting systems incorporated wireless communication
devices that made them especially vulnerable to remote attack by
someone using a PDA. Disabling the wireless component wouldn't secure
the machine, researchers said, because an attacker could design
software to re-enable the wireless component. Only New York and
Minnesota currently prohibit wireless components in voting machines.
California bans wireless tech in touch-screen machines only.
As is the case with traditional hacks, an attacker would have to know the
line code to crack a system in this way, but a knowledgeable
perpetrator could do it quickly. That makes an insider working for the
voting machine's manufacturer the likeliest attacker. Diebold machines
are even more vulnerable because the firm accidentally exposed its code
via an Internet-accessible server.
Even if all of these flaws are fixed, no computer can be 100 percent secure--that's where verified paper trails come in.
Happy Trails?
As VerifiedVoting's Dill (among others) asserts, a paper trail alone is
not a panacea. Legislation mandating that the paper trail, and not the
electronic ballot, be treated as the official ballot in a recount is
essential as well. But only 15 of the 23 states requiring a paper trail
adopt this rule, according to Electionline.org.
VerifiedVoting is also fighting to have states with paper-trail
laws on their books conduct mandatory hand audits of paper ballots
after each election. The audits would compare a random sampling of 1
percent (or more) of the paper votes against the electronic votes, to
help authorities verify the accuracy of the electronic votes and detect
malicious or malfunctioning code. Currently only 13 states require
mandatory random hand counts. "With paper trails, questions about 'When
do they look at them? How do they protect them? What happens if a
discrepancy is discovered?' are still largely unresolved in most parts
of the country," Dill says. He believes they're likely to be resolved
only after disastrous elections occur.
The May primary in
Cuyahoga County, Ohio's most populous, illustrates what might occur as
states roll out new equipment. During a three-month investigation of
the election, researchers found disturbing discrepancies in the vote
totals between paper-trail ballots and electronic ballots. In addition,
10 percent of the ballots were classified as "destroyed, blank,
illegible, missing, taped together, or otherwise compromised."
Some paper-trail rolls lacked ID numbers, so researchers couldn't match them
to the right machines. And evidently some poll workers tried to resolve
printer problems either by shutting down and restarting voting machines
or by removing and replacing their memory cards. Such interference can
result in votes being erased from the card or otherwise lost if poll
workers fail to preserve the chain of custody of the cards. It can also
disrupt the vote summaries on a machine, making it more difficult to
reconcile vote totals with the number of voters listed as having cast
ballots.
Due to the lack of complete data, the investigators
couldn't rule out the possibility that software computational errors
caused some of the vote discrepancies. Diebold has said that the study
used improper methods and that votes were not lost, because officials
still had the electronic records from the machines. County election
officials said that they could provide explanations for some
discrepancies, but investigators have yet to verify them.
"I don't think that Cuyahoga's experience suggests that paper trails are
bad," says Chapin. "But if they'd had to use the VVPAT as a ballot of
record, they would have been in trouble."
Michael Vu,
director of the Cuyahoga County Election Board, says he was generally
happy with the machines and paper trails. The problem, in his opinion,
was inadequate training of poll workers in how to set up the machines
and address glitches with machines and paper rolls before and during
the election.
"We had 7000 poll workers," Vu says, "and
there's always a huge learning curve in moving to new systems. The last
shift in voting technology we had was 24 years ago."
Slowly, some of the problems with electronic voting systems are being
corrected; and as election officials gain experience, errors caused by
inadequate training may decrease. But the sporadic, temporary nature of
the job makes any increase in the needed level of poll workers'
training problematic. Issues with security holes remain as well, and
still-new paper trails can do only so much to help.