{"id":274,"date":"2010-09-01T11:14:21","date_gmt":"2010-09-01T16:14:21","guid":{"rendered":"http:\/\/blog.law.cornell.edu\/voxpop\/2010\/09\/01\/electronic-voting-and-direct-democracy\/"},"modified":"2010-09-01T11:14:21","modified_gmt":"2010-09-01T16:14:21","slug":"electronic-voting-and-direct-democracy","status":"publish","type":"post","link":"https:\/\/blog.law.cornell.edu\/voxpop\/2010\/09\/01\/electronic-voting-and-direct-democracy\/","title":{"rendered":"Electronic Voting and Direct Democracy"},"content":{"rendered":"
<\/a>In this post, I’d like to connect a specific area of my expertise\u2014electronic voting (e-voting)\u2014to issues of interest to the legal information community. Namely, I’ll talk about how new computerized methods of voting might affect elements of direct democracy<\/a>: that is, ballot questions<\/a>, including referenda<\/a> and recall<\/a>. Since some readers may be unfamiliar with issues related to electronic voting, I’ll spend the first two parts of this post giving some background on electronic voting and internet voting. I’ll then discuss how ballot questions change the calculus of e-voting in subtle ways.<\/p>\n The images of officials<\/a> from 2000 closely scrutinizing punchcard ballots during the U.S. presidential election tend to give the<\/a> mistaken impression that if we could just fix the outdated technology we used to cast ballots, a similar dispute wouldn’t happen again. However, elections are about “people, processes, and technology”<\/a>; focusing on just one of those elements disregards the fact that elections are complex systems<\/em><\/a>. Since 2000, the system of election administration in the United States has seen massive reform, with a lot of attention paid to issues of voting technology.<\/p>\n In the years after 2000, this system that had mostly “just worked” in previous decades was now seen as having endemic, fundamental problems. During the turn of<\/a> the 20th century, frauds involving ballot box-stuffing, vote-buying, and coercion were the major policy concern and the principal focus of reform<\/a>. In contrast, at the turn of the 21st century, the prevalence of close, contentious contests\u2014e.g., see this example of an analysis of New Jersey elections<\/a>\u2014often put the winning margin well within the “error”<\/a> or “noise” level associated with ballot casting methods.<\/p>\n In 2002, Congress passed the Help America Vote Act (HAVA)<\/a>, which provided the first federal funding for election administration, created the Election Assistance Commission (EAC)<\/a> and established the first federal requirements for voting systems, provisional balloting<\/a>, and statewide voter registration databases. As my colleague Aaron Burstein<\/a> and I argue in an article currently in preparation, in terms of advancing the state-of-the-art in voting\u00a0 technology, HAVA conspicuously focused on providing funds that had to be spent quickly on types of voting systems that were then available on the market or soon would be available. The systems on the market at the time\u00a0were invariably of a specific type: “Direct Recording Electronic” (DRE) voting machines<\/a>, in which the record of a voter’s vote is kept entirely in digital form.<\/p>\n In the years since the passage of HAVA, computer science, usability, and information systems researchers have highlighted a number of shortcomings with this species of voting equipment. Three principal critiques voiced by this community are:<\/p>\n Now, in 2010, many states have passed laws<\/a> requiring auditable voting systems, and increasing numbers of election officials are moving from DRE-based systems to optical scan systems. Despite these reforms which have, in my opinion, moved e-voting in the right direction, the specter of internet voting looms large.<\/p>\n During public talks I am often asked, “When will we vote over the internet?” People have an intuitive feeling that since they’re doing so much online, it makes sense to vote online, too. However, we need to recognize what kinds of activities the internet is good for, and voting is perhaps the last thing we want to happen online.<\/p>\n Things that we do online now that require high security, such as banking, are not anonymous processes; there is a named record associated with each transaction. Yet the secret ballot is a very important part of removing coercion and vote-buying from possibly corrupting influences on the vote. (See this superb article by Allison Hayward: “Bentham & Ballots: Tradeoffs between Secrecy and Accountability in How We\u00a0 Vote”<\/a>.)<\/p>\n Moreover, banks and other online establishments can purchase insurance to contain the risk of losses due to online fraud (although there are some indications that even this is becoming more difficult due to the increased sophistication and magnitude of online banking fraud). But there is still no firm that offers insurance for computer intrusions and attacks, or simply just errors, because it is very difficult to estimate the magnitude and likelihood of such losses. The “value” of a vote is very different from the value of currency: the value of your vote doesn’t just matter to you as a voter; it also matters to other voters. (“Vote dilution,” for example, is when processes conspire to render one voter’s vote more or less effective than another’s.) Also, it can be very hard to estimate the fitness of a given piece of software; said another way, we haven’t yet figured out how to write impervious or bug-free software.<\/p>\n Finally, as I mention above, the voting systems that the market has responded with in recent years leave a lot to be desired in terms of security, usability, and reliability. Internet voting essentially takes systems like those and adds the complications of sending voted electronic ballots over the public internet from users’ personal computers\u2014neither of which are reliable or secure\u2014with no VVPR.<\/p>\n We are far from the day in which highly secure processes can happen over the public internet from users’ computing devices. We will have to make significant technical advances in the security of personal computing devices and in network security before we can be sure that internet votes can be cast in a manner that approaches the privacy and security afforded by polling place voting.<\/p>\n Unfortunately, most designs for internet voting systems are un-auditable. Since these systems lack a paper trail, it is impossible to tell whether the voted ballot contents received at election headquarters correspond with what the voter intended to vote. The answer here would seem to be cryptographic voting systems, where the role of a paper trail is played by cryptographically secure records that can be transmitted over the network. Systems of this type have become increasingly more sophisticated, easy to use, and easy to understand, and have even been used in a binding municipal\u00a0election here in the U.S.<\/a><\/p>\n Elections don’t just elect people in the U.S.; in many states, voters vote on elements of direct democracy, specifically ballot referenda and recall questions. However, we should be even more concerned about opportunities to game these kinds of contests — and, equivalently, about how errors introduced by ballot casting methods for ballot questions could affect how we govern — than we are about the risks of voting fraud in candidate races.<\/p>\n It’s difficult to compare the importance of candidate elections to that of ballot questions. Certainly, ballot questions can be as simple as asking the voters to approve of city ordinances, such as increasing the amount of square footage for single-family homes<\/a>. And, of course, on even-numbered years divisible by four, we elect the President of the United States, which unequivocally changes how our entire country is governed and operates. In between these two extremes are elections that many people don’t vote on, from judicial elections to highly contentious ballot propositions (like Proposition 8 in California<\/a>), or transportation tax bonds that can result in hundreds of millions of dollars for local firms.<\/p>\n Can we compare the risks involved with candidate elections and ballot questions? In some sense, being able to bound the risk of fraud or error causing the election of the wrong candidate is similar to that resulting in “electing” the wrong decision in a ballot question; it’s equally difficult to compare the relative importance of elected contests and to decide on some level of likelihood that a contest runs a high risk of being targeted for attack or <\/a>might be especially sensitive to errors in the count. Polling may help, but it’s far from perfect<\/a>. However, ballot questions have one aspect that should make this process a bit easier: rather than having the considerable uncertainty of what policies a potential candidate may institute once elected, ballot measures are concrete policy proposals or actions where we know very well what will happen if they are passed. This would seem to make ballot questions more attractive to attack; the uncertainty involved with what candidates may do is not present, so the net benefit of a successful attack, all other things being equal, should be larger.<\/p>\n Are there special risks involved with ballot questions that we should be concerned about in the face of electronic voting methods? Certainly. First, ballot propositions are invariably at the end of the ballot; hence, they’re referred to as “down-ticket” contests. Post-election auditing<\/a>, where a subset of ballot records are hand-counted as a check against the electronic results, often doesn’t include ballot questions. To be certain, states like\u00a0California require post-election auditing of all contests on the ballot. But there are many states that do not do comprehensive election auditing; they either don’t do any auditing at all or focus their auditing attention on top-ticket contests on the ballot (for more, see Sections 1 and 2 of: “Implementing Risk-Limiting Post-Election Audits in California”<\/a>).<\/p>\n While we have seen little evidence of fraud using newer computerized voting systems compared to the massive record of paper ballot fraud in our country’s past, this should serve as little comfort. Just as in finance, where “past results are no indication of future performance,” adversarial security is similar. That we haven’t seen much evidence of computer fraud involving voting systems doesn’t mean it isn’t happening and doesn’t mean it can’t happen. Multi-million dollar ballot questions and constitutional amendments are exactly the kinds of law-making activities in which I expect to see the first evidence of outright computerized election hacking. This rings\u00a0especially true if we start using the public internet for casting ballots. While foreign interests or hackers out of the reach of US law enforcement might certainly be interested in top-ticket candidate contests, the opportunities to affect state and local law as well as economic interests embodied in ballot questions would seem to be especially attractive.<\/p>\n To be sure, there is a lot of momentum behind moving parts of our elections processes online. In some cases, such as online voter registration, the security and reliability risks are small and the net benefits are particularly high. However, I can’t say the same about internet voting, especially in the sense that elements of direct democracy may be particularly attractive to powerful foreign interests and parties outside our collective jurisdiction. The recently passed Military and Overseas Voter\u00a0 <\/a><\/a>Empowerment (MOVE) Act<\/a> has been interpreted to allow states to experiment with\u00a0 online ballot casting, and the relevant agencies charged with implementing the\u00a0 law\u2014the Department of Defense’s Federal Voting Assistance Program (FVAP)<\/a>, the EAC<\/a>, and the National Institute of Standards and Testing (NIST)<\/a>\u2014have collectively interpreted the MOVE Act as requiring them to institute standards and pilot programs for internet voting for military and overseas voters. I’m on record as disagreeing with this interpretation<\/a>, but I can understand that they feel limited-scale pilot projects are appropriate. I predict that the first incontrovertible evidence of computerized vote manipulation will be associated with military and overseas internet voting efforts, and it’s not hard to imagine a down-ticket ballot question as being the focus of such an attack.<\/p>\n Should we re-think our forays into computerized voting? Definitely not. In my opinion, this is more a question of responsible uses of technology in elections than a black or white decision about using computerized voting systems or not. There is much good that stems from the use of computerized voting systems, including improved accessibility for the disabled and voters who don’t speak English, improved usability of ballots on-screen versus what can be accomplished on paper, and the speed and accuracy of computerized vote counts on election night. However, these voting systems must be recountable and auditable, and those audits must be conducted after each election in such a way that we limit the risk<\/a> of an incorrect candidate or ballot measure being certified as the winner.<\/p>\n In contrast to the beginning of the past decade, when election officials were swimming in federal money for the purchase of equipment and trying to spend these funds before a looming deadline, what we really need is regular commitments of federal funding to improve local election administration. With a sustained source of federal funds to budget and plan for technology upgrades, the market will be stable, rather than going through the upheaval of mergers<\/a> and dissolutions<\/a> we have recently seen. Elections are perhaps the most poorly funded of all of the critical elements of democracy in the U.S., and we get what we pay for.<\/p>\n <\/a>Joseph Lorenzo Hall<\/strong><\/a> is a postdoctoral researcher at the UC Berkeley School of Information<\/a> and a visiting postdoctoral fellow at the Princeton Center for Information Technology Policy<\/a>. His Ph.D. thesis<\/a> examined electronic voting as a critical case study in the transparency of digital government systems.<\/p>\n VoxPopuLII is edited by Judith Pratt<\/a>. Editor in chief is Robert Richards<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" In this post, I’d like to connect a specific area of my expertise\u2014electronic voting (e-voting)\u2014to issues of interest to the legal information community. Namely, I’ll talk about how new computerized methods of voting might affect elements of direct democracy: that is, ballot questions, including referenda and recall. Since some readers may be unfamiliar with issues […]<\/a><\/p>\n","protected":false},"author":50,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[504],"tags":[611,4998,4999,5000,615,612,4997,4991,4992,4994,5001,5002,4996,4993,4995,610,606,614,613],"_links":{"self":[{"href":"https:\/\/blog.law.cornell.edu\/voxpop\/wp-json\/wp\/v2\/posts\/274"}],"collection":[{"href":"https:\/\/blog.law.cornell.edu\/voxpop\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.law.cornell.edu\/voxpop\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.law.cornell.edu\/voxpop\/wp-json\/wp\/v2\/users\/50"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.law.cornell.edu\/voxpop\/wp-json\/wp\/v2\/comments?post=274"}],"version-history":[{"count":0,"href":"https:\/\/blog.law.cornell.edu\/voxpop\/wp-json\/wp\/v2\/posts\/274\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.law.cornell.edu\/voxpop\/wp-json\/wp\/v2\/media?parent=274"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.law.cornell.edu\/voxpop\/wp-json\/wp\/v2\/categories?post=274"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.law.cornell.edu\/voxpop\/wp-json\/wp\/v2\/tags?post=274"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Background on E-voting<\/h3>\n
\n
\n
\n
Internet Voting<\/a><\/h3>\n
E-voting and Direct Democracy<\/h3>\n
Where Should We Go From Here?<\/h3>\n