Caesar’s wife and Caesar’s voting machine
In this day and age it is important to understand why it is difficult to write a bug-free computer program. An easy example will show you the problem. Imagine that your company makes triangles, and that you want to computerize their testing. So you ask your crack programmer to write the testing code. The requirements are that the triangle tester will type in the lengths of the sides of the triangle, and that the program will tell you if it is an equilateral triangle (three congruent sides), an Isosceles triangle (two congruent sides), a scalene triangle (no congruent sides), or not a triangle.
How do you test for it not being a triangle (meaning you can stop if the object isn’t a triangle)?
• Well, certainly if the length of one side is greater than the length of the other two put together, then it isn’t a triangle.
• And if there are other than three sides it is not a triangle.
So now that we think it is a triangle, what do we do?
• To test for an equilateral triangle we might say that if A equals B, and A equals C, then it is an equilateral triangle.
• To test for an isosceles triangle, we might say that if A equals B but not C, or A equals C but not B, or B =C but not A, then it is an Isosceles triangle.
• To test for a scalene triangle, we might say that if A is unequal to B, and A is unequal to C, and B is unequal to C, then it is a scalene triangle.
So with these five tests we should be done, right? Actually, no. To cover all cases there should be something on the order of seven more tests.
The bad news is that a reasonably good programmer will probably come up with seven tests, leaving six undone. The good news is that these seven tests will cover most cases, and you might go forever without hitting the missing six cases. Or you might hit one of them in which case the program will break or give you a false answer. After all, if you hadn’t tested that no side was greater than the sum of the other two sides, your program would have told you that a 3 by 4 by 8 object was a scalene triangle!
So now we have a program that is about as simple as a program can be, and for which even a good programmer is likely to leave almost half of the possible cases untested for. This means that in a complex program the likelihood of it being bug-free – with all cases tested – is in the slim to none category, with the real answer being a lot closer to none than to slim. Unlike Caesar’s wife, no computer program can ever be completely above reproach.
Now, as it happens, it is hard for any system to really be above reproach. As an example, if you worked in a store as a kid, you know that when taking inventory the count was never perfect. No matter how many times you recounted, you rarely got the same result twice, so management lived with some small amount of error in the counting.
The same thing happens with voting, where there is a certain amount of error in the system. It is generally estimated to be between two and four percent. This means that if the US were imprudent enough to get rid of the electoral college – one of the better inventions of the Founding Fathers, for reasons not actually germane here – and the popular vote was close, the winner would be decided by system error.
To see this more clearly, imagine that 118,557,170 Americans voted in the recent presidential election (which they reportedly did), and exactly 59,278,585 voted for each of the two major candidates (which they may have done). What would the final tally show? Well, assuming a four percent error rate, with an exact tie, the winner could get as much as 64,020,872 votes, and the loser could get as little as 54,536,298 votes.
In fact, in this election 117,340,048 votes were listed as being cast for the two major candidates. Again assuming a four percent error rate and an exact tie of 58,670,024 for each candidate, the winner could show as many as 63,363,626 votes and the loser as few as 53,976,422 votes.
How about if we said the error was an un-realistic two percent? In looking at a tie the winner could get as many as 61,649,728 votes and the loser as few as 56,907,441 votes. On the listed votes for the two candidates, the winner could show as many as 61016825 votes and the loser as few as 56,323,223 votes.
How about if we look at the most reliable system, not implemented anywhere during this election, which is a paper ballot punched or marked, and then machine-verified for readability? (As we recall, this method tests to having a one percent error rate.) With a one percent error rate, given a tie the winner could show as many as 61,649,728 votes and the loser as few as 56,907,441 votes. On the listed votes for the two candidates, the winner could get as many as 60,464,157 votes and the loser as few as 58,093,013 votes. On the listed votes for the two candidates, the winner could get as many as 59,843,424 votes and the loser as few as 57,496,623 votes.
In fact, in this election Mr. Bush was listed as having 60,383,548 votes and Mr. Kerry as having 56,956,500 votes. These results are well within the range of system error. What does this mean? Since some of the small number of third-party votes probably were in error, no matter how you cut it the popular vote was, sadly, once again assuredly compromised by system error in the voting systems as implemented.
Now, do electronic voting machines make this better or worse? We have to look at three factors.
First, are electronic voting machines sufficiently accurate in terms of knowing that when we push a button the vote will go where it should? Based on the triangle story, it should come as no surprise to know that these machines seem to be a bit buggy, and thus will be accurate some of the time; possibly most of the time; but not all of the time.
Second, are they more or less intuitive to use than pulling down a lever, or punching a hole in a piece of paper? To answer this, we asked one of the people responsible for the original implementation of Citibank’s ATMs what kind of entry error rates they were getting. He pointed out that this was not an entirely fair question, as there was a live bank employee in each ATM location to help those unfamiliar with the system. What was the error rate with someone there to help? About fifteen percent! Thus, although most people are by now well familiar with ATMs and touch screens, there will certainly be some voters who are not familiar with them. Plus, have you ever punched the wrong thing in an ATM? We certainly have!
A third factor is how easily can fraudsters change the results? For a start, since we know that the programming of the device will have bugs, an electronic voting machine without a paper trail makes no sense whatsoever: There is no ability to check what the machine, with its de facto buggy code, says. And we really don’t want everyone using the same un-auditable electronic voting machines, particularly if the machines are networked, as they surely will be. This is because when a bug is discovered, and it can be controlled from a distance, the entire voting process could end up in the hands of some clever teenager abroad.
Was there any tampering with voting machines that lack paper trails in this past election? We have no reason to suspect there was, but note that the lack of audit allowed the following to appear on the Internet, casting unnecessary doubts in the minds of some about the process itself.
• According to several independent sources, about 80 percent of all votes in America are counted by only two companies: Diebold and Election Systems & Software (ES&S). The founders of these two firms, Bob and Todd Urosevich, are brothers.
• Walden O’Dell, chief executive of Diebold Inc., told Republicans in an Aug. 14, 2003 fund-raising letter that he is “committed to helping Ohio deliver its electoral votes to the president next year.”
• Prior to being elected U.S. senator from Nebraska, Republican Chuck Hagel was chairman of ES&S. In 2002, he was elected in a surprise upset, with votes counted by ES&S machines. According to published reports, the Senate Ethics Committee had questions about Hagel’s financial ties to ES&S.
• California banned the use of Diebold machines because the security was so bad.
• There were wide discrepancies between exit polls and official results in Ohio during the 2004 presidential election.
All of these could have been eliminated by using machines with paper trails.
Is it technologically possible to have a paper trail in an electronic voting machine? Well, we know that Diebold makes electronic cash registers that keep a paper tape of what is rung up so that the manager can verify that there is some relationship between what should be in the drawer and what is actually in the drawer. If the paper tape starts at the beginning and ends at the end you are pretty sure that you have all the transactions, and that if the tape is torn you may have a problem. This is the same logic behind not allowing police officers to tear numbered pages out of their log books: We really want to know what was written in the missing pages. One assumes that if a Diebold cash register can have a paper tape, a Diebold voting machine could, too. And if a Diebold cash register can allow the operator to see what is on the inaccessible tape, a Diebold voting machine could, too.
So, assuming that the actual vote is stored on the paper tape, and that, as in the better electronic cash registers, the voter can see what is on the paper (but not get at it) to make sure it reflects their actual vote, this system should work relatively as well as a mechanical device that produces a paper result. The paper will be the actual voting record, to which we can refer if there is any question about the electronic vote.
Only testing can tell whether electronic voting machines with paper audit trails could approach the reliability of having the voter punch or mark a (preferably well designed) paper ballot and then, before it is put into the ballot box, put it into an electronic scanner to make sure it is readable. It at least gets rid of the hanging chad problem and its kin, and just leaves associated data-entry and normal system error.
So, bottom line, can we reasonably trust an all-electronic voting machine, particularly one where the official count is something transmitted by the device to another computer, and where there is no paper ballot that is verifiable by the voter before leaving the voting booth, and available for count later? At this stage in both the development of computers and computer security, we must regretfully say that electronic voting machines with no paper backup are, unlike Caesar’s wife, definitely not above reproach.