In researching my Scientific American column about the dismal prospects for online voting, I interviewed Avi Rubin, Professor of Computer Science at Johns Hopkins University, technical director of Johns Hopkins's Information Security Institute, and author of Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting. He's been deeply immersed in the research surrounding electronic voting for decades.
Since I have more room on the Web than I do on the printed page, I would like to share more of our conversation here.
David Pogue: Are there any steps that would make you, a security researcher, comfortable with electronic voting?
Avi Rubin: In principle, I think that paper ballots are far superior to electronic voting machines. Even if the machines are high quality (and none of the current ones on the market have proven to be that), the inability to manually recount, to audit, and to prevent rigging and the potential for widespread, wholesale fraud are deal breakers for purely electronic voting. Paper ballots are not a panacea, but without them there is an opportunity for fraud that is much more widespread.
DP: What if the software in these machines is open source and can be inspected publicly?
AR: Just because software is open source does not mean that it will be subjected to many eyeballs. Voting machine software should most definitely be made publicly available, but we need to realize that it may still have security vulnerabilities. Furthermore, it is extremely difficult, if not impossible, to have an assurance the actual bits that are running inside of a voting machine on election day match the software that was publicly available.
DP: What if voters could look over a printed receipt before leaving the electronic machine?
AR: A voter-inspected paper record can overcome many of the weaknesses of electronic voting. There is no perfect voting system, but the best one that I know is where a touchscreen ballot marking machine is used for voters to make their selections. The machine then prints out a filled-out paper ballot. The voter takes this ballot, inspects it, challenges it and starts over if it is wrong (and reports it), and when a correct ballot is produced, submits it to the polls where it can be optically scanned.
Some random sample of ballot boxes is counted manually and compared to the scanned results, and if there are problems, more stations are manually compared. In case of a very close election or any hint of foul play, the ballots can be counted by hand or by a different brand of optical scanner.
We will never get this perfect. It's too hard a problem. But we can do a lot better than we have so far.
DP: Seems like the prospect of voting by smartphone would be even more vulnerable than the in-person methods, right?
AR: Yes, voting over the Internet or smartphones is a non-starter. You can't control the security of the platform. Remember that you don't even trust the manufacturer of the voting system. You don't want to put control of the outcome of a presidential election in the hands of Samsung or Apple, or millions of app developers.