Election ex machina: should voting machines be trusted?

When election of public officials through
public voting was instituted in the US,the framers of the constitution
had no inkling about how large the voting public would one day become. Beside logistical problems that
accidentally enfranchise goldfish and the many issues surrounding voter
registration a growing concern is the reliability of electronic voting
machines. As electronic voting machines are being installed, concerns about their reliability are being raised and legal battles ensue. In a Finnish election the system lost 2% of
all electronic votes. About 60% of American votes are cast on
paper ballots, but it might increase locally after problems with voting machines. The real fear is not that people might misvote due to misunderstandings or that votes might be miscounted, but that the machines themselves might be biased or easily tampered with. Can we trust the machines? Or are elections by their nature too messy for these problems to matter?

Voting is more
complex than it seems; when there are more than two candidates or issues there
are many ways of selecting which one will win, even in idealized cases. Voting theory has found many
criteria of good voting systems, but unfortunately they contradict each other. Hence any real
voting system will have to decide which criteria to use and accept some flaws. In addition elections involve people with strong agendas willing to bend or break rules, human fallibility and the logistical demands of rapidly and accurately handling the votes.

Electronic voting can solve many practical problems, but just like voting theory there are several contradictory demands. Votes should be secret, one per person, valid and non-tradeable. The machines also need to be accessible to people with disabilities, cheap, able to respond to the voters intent and possible to check for tampering and bias.

Bruce Schneier explains some reasons why voting machine security is hard.
Voting occurs
relatively rarely, so there is less accumulation of experience. There
are also lower incentives to keep the machines secure – if people lost
money from erroneous votes there would be a stronger demand for
accurate machines. The manufacturers have a vested interest in keeping their flaws secret,
and given the secret nature of voting it is hard to audit the system or
create a backup system if the electronic one would fail.

The key problem is to prove that votes are cast and counted correctly. At least in many US states there is legislation against  systems enabling voters to prove how they voted (to prevent voter intimidation and vote selling), yet election officials are not allowed to see how voters voted. In principle the problem can be solved through cryptographic means but it requires everybody to trust the software implementation. Some systems produce receipts for the voter that do not contain how they voted but allow them to see that their vote was tallied correctly. But even such systems are in need for auditing, and the auditing process has often lacked transparency or independence.

Do we really need exact voting? In situations with
a relatively clear majority "noise" is not going to affect the situation. But
when races are close, when dealing with parties close to election thresholds or in small constituencies it would matter. If the losses
were completely random it would be less of a problem: while it might be
unappealing to admit that there is a bit of randomness involved in the voting
process it is not unfair. But if the losses and switches favour one candidate over
another, then they are unfair.

It is even more troubling that some voting
machine companies are political donors or have conflicts of interest: they can hence not be regarded as politically neutral. In many voting systems the functionaries are politically active, but care is taken to ensure that votes are counted and tallied by groups where not everybody belongs to one side. In an electronic system this balancing cannot be achieved. While there is no evidence that any e-voting
machine fraud has taken place, it is not inconceivable that it could be done –
and that is deeply worrying. The possibility that voting is rigged is enough to undercut trust in democratic institutions and their legitimacy, a trust that is necessary for a substantive democracy. The citizens need to
feel that the elected representatives are legitimate: even if they do not agree
with who ends up in power they should at least be put there by a mutually
agreed on system they have good reasons to trust.

Would giving up vote secrecy help? It would make auditing easier and possibly make the system as a whole more transparent. The idea that votes should be secret is actually relatively new and not necessarily obvious. John Stuart Mill argued against the introduction of the secret Australian ballot system in Britain in 1859 ("Considerations on Representative Government"). He argued that voting is not a right but a trust, and votes ought to be public for the same reason parliamentary votes should be public – to prevent collusion and selfishness. "The duty of voting, like any other public duty, should be performed under the eye and criticism of the public". Publicity, not secrecy, guarantees security. "Secrecy is justified in many cases, imperative in some, and it is not cowardice to seek protection against evils which are honestly avoidable", but he argues that secrecy in voting ought to be the exception rather than the rule. Others were not so certain voting was not a right or that there would not be coercion or bribery; in the end the secret ballot system was accepted in 1872. Today most people in the West take secret ballots for granted and we might even feel intimidated if we had to justify our voting.

Yet Mill’s argument for openness seems to apply to electronic voting software. The software is performing a public function and should do it under the eye and criticism of the public. It is entirely possible to have open source voting software that anybody could scrutinize for flaws or biases. In the security community the consensus is that security cannot reliably be achieved by keeping the details of a system secret: it is the system itself that has to be strong enough to withstand attackers knowing its internals. Having a watchful public and independent auditing would do wonders to both establishing trust and security.

Programmers and system designers working on
crucial systems do have an ethical obligation to ensure that they function as
intended and fail in acceptable ways – regardless of whether they are missile defence
systems, hospital automation or voting systems. The bigger the stakes, the
stronger this obligation becomes. Safeguarding the democratic process is a pretty big stake.

Transparent systems with independent auditing (where failed audits would cause financial losses for manufacturers) seems to be the way of making electronic voting reliable. Conversely, struggling to achieve this goal is also important for the concerned citizens. As John Stuart Mill said: "Nothing has so steadying an influence as working against pressure."