Various groups that oppose paperless electronic voting have recommended an alternative: if you really want to be sure your vote is counted, vote absentee. Having studied e-voting, and living in a county with paperless e-voting, I sympathize with the desire for an alternative. But it should be noted that absentee voting offers iffy security as well.

The best alternative to risky e-voting, where feasible, is in-person voting with a paper ballot. This allows the main election safeguard, which is the presence of observers from diverse political parties, to operate: the observers can watch the voter check-in process, watch the ballot boxes, and watch the counting of ballots.

With absentee voting, by contrast, the distribution, validation, custody, and counting of ballots are generally less transparent. You’re pretty much stuck trusting the country clerk and his/her staff. I don’t want to cast aspersions on the virtue of any particular county clerk; but I hope you’ll agree that a more transparent system is better.

Absentee balloting also weakens the secret-ballot guarantee, which requires that nobody can verify how another person voted. This is an important safeguard against vote-buying and intimidation, as it frustrates the vote-buyer’s or intimidator’s ability to know that he got his way. Absentee voting allows the voter to prove to somebody else (say an employer, union boss, or abusive spouse) that the vote was cast a particular way. That’s a serious drawback.

Now it may be that you don’t want to sell your vote, you don’t fear intimidation, and you trust your county clerk. For you, absentee voting might be the best available substitute for e-voting in person. But encouraging widespread absentee voting is not a good public policy response to the e-voting problem.

On August 15, Venezuelans voted in a national referendum on whether to remove President Hugo Chavez. The (Chavez-run) government announced afterward that 58% had voted to keep Chavez in office. The opposition claimed fraud.

The election was held on electronic voting machines. Fortunately, the machines generated a voter-verified paper trail, so that there was some hope of recounting the ballots. Without a paper trail there could have been no recount, and Venezuelans would have had to take the result on faith, or reject it. With a paper trail, there is at least some evidence of how the votes were cast.

What evidence is there for fraud? The opposition says that the election results were inconsistent with exit polling, which they say went 58-42 in the other direction. That’s a big enough swing to raise eyebrows, but it’s hard to evaluate the accuracy of the exit polls based on the information available to me.

The opposition’s other claim is that the voting machines were programmed to cap the number of yes votes (i.e., anti-Chavez votes) recorded on each voting machine. In support of this, the opposition points to the data on machine-by-machine voting results, arguing that machines in the same polling place recorded the exact same number of yes votes too often, that is, more often than would have occurred by chance. That’s a claim that is amenable to statistical analysis. I’ll evaluate it in a future entry.

Tomorrow, July 13, is “Computer Ate My Vote Day”. Rallies will be held in many states across the U.S, to ask state officials to use safe and reliable voting technologies. I’ll be speaking at the New Jersey rally, at noon on the steps of the State House in Trenton.

The League of Women Voters last week rescinded its support for paperless e-voting machines. The decision was driven by grassroots support among the League’s members, overriding a previous policy that was, according to rumor, decreed originally by a single member of the League’s staff. (I can’t find this story on the public part of the League’s site, but it comes from a reliable source, so I’m pretty sure it’s true.)

Also, tomorrow, June 22, there will be a rally in Washington for supporters of voter-verifiable paper trails. The rally runs from 11:45 until 1:00, on Cannon Terrace, just south of the U.S. Capitol, between the Cannon and Longworth House Office Buildings. (Metro stop: Capitol South; enter at the corner of New Jersey and Independence) Speakers include Rep. Rush Holt and other members of Congress.

There are two interesting new posts on e-voting over on ATAC.

In one post, Avi Rubin suggests a “hacking challenge” for e-voting technology: let experts tweak an existing e-voting system to rig it for one candidate, and then inject the tweaked system quietly into the certification pipeline and see if it passes. (All of this would be done with official approval and oversight, of course.)

In the other post (also at Educated Guesswork, with better comments), Eric Rescorla responds to Clive Thompson’s New York Times Magazine piece calling for open e-voting software. Thompson invoked the many-eyeballs phenomenon, saying that open software gets the benefit of inspection by many people, so that opening e-voting software would help to find any security flaws in it.

Eric counters by making two points. First, opening software just creates the opportunity to audit, but it doesn’t actually motivate skilled people to spend a lot of their scarce time doing a disciplined audit. Second, bugs can lurk in software for a long time, even in code that experts look at routinely. So, Eric argues, instituting a formal audit process that has real teeth will do more good than opening the code.

While I agree with Eric that open source software isn’t automatically more secure than closed source, I suspect that voting software may be the exceptional case where smart people will volunteer their time, or philanthropists will volunteer their money, to see that a serious audit actually happens. It’s true, in principle, that the same audit can happen if the software stays closed. But I think it’s much less likely to happen in practice with closed software – in a closed-source world, too many people have to approve the auditors or the audit procedures, and not all of those people will want to see a truly fair and comprehensive audit.

Eric also notes, correctly, the main purpose of auditing, which is not to find all of the security flaws (a hopeless task) but to figure out how trustworthy the software is. To me, the main benefit of opening the code is that the trustworthiness of the code can become a matter of public debate; and the debate will be better if its participants can refer directly to the evidence.