July 27, 2024

Flaky Voting Technology

Opponents of unauditable e-voting technology often talk about the threat of fraud. They worry that somebody will compromise a voting machine or will corrupt the machines’ software, to steal an election. We should worry about fraud. But just as important, and more likely, is the possibility that software bugs will cause a miscount that gives an election to the wrong candidate.

This may be what happened two weeks ago in a school board race in Fairfax County, Virginia. David Cho at the Washington Post reports:

School Board member Rita S. Thompson (R), who lost a close race to retain her at-large seat, said yesterday that the new computers might have taken votes from her. Voters in three precincts reported that when they attempted to vote for her, the machines initially displayed an “x” next to her name but then, after a few seconds, the “x” disappeared.

In response to Thompson’s complaints, county officials tested one of the machines in question yesterday and discovered that it seemed to subtract a vote for Thompson in about “one out of a hundred tries,” said Margaret K. Luca, secretary of the county Board of Elections.

“It’s hard not to think that I have been robbed,” said Thompson, whose 77,796 recorded votes left her 1,662 shy of reelection. She is considering her next step, and said she was wary of challenging the election results: “I’m not sure the county as a whole is up for that. I’m not sure I’m up for that.”

And how do we know the cause was a bug, rather than fraud? Because the error was visible to voters. If this had been fraud, the “X” on the screen would never have disappeared – but the vote would have been given, silently, to the wrong candidate.

You could hardly construct a better textbook illustration of the importance of having a voter-verifiable paper trail. The paper trail would have helped voters notice the disappearance of their votes, and it would have provided a reliable record to consult in a later recount. As it is, we’ll never know who really won the election.

Diebold Voting Machines "At High Risk of Compromise"

As expected, an independent study of the Diebold electronic voting machines purchased by the state of Maryland has found that “The system, as implemented in policy, procedure, and technology, is at high risk of compromise.” The study was commissioned by the state and performed by SAIC. A Washington Post story by Brigid Schulte reports that SAIC “found 328 security weaknesses, 26 of them critical”.

The report is available to the public only in heavily redacted form, which in itself does not inspire confidence. What is in the redacted version is bad enough; for example, it reports that the Diebold machines didn’t even bother to encrypt the vote totals before sending them to the Board of Elections.

Diebold, which had previously said we should trust their unspecified security mechanisms, now says that we should trust them to implement unspecified fixes for these problems.

In case you have any remaining confidence in unaudited electronic voting systems, consider this: a Diebold executive told the Washington Post that the fixes will be made to the Maryland machines, but not to the 33,000 Diebold electronic voting machines already in use outside of Maryland.

Bizarro Compliments

To a technologist, law and policy debates sometimes seem to be held in a kind of bizarro world, where words and concepts lose their ordinary meanings. Some technologists never get used to the bizarro rules, but some of us do catch on eventually.

One of the bizarro rules is that you should be happy when the other side accuses you of lying or acting in bad faith. In the normal world, such accusations will make you angry; but in bizarro world they indicate that the other side has lost confidence in its ability to win the argument on the merits. And so you learn to swallow your outrage and smile when people call you a scoundrel.

Which brings us to Brigid Schulte’s electronic voting article in this morning’s Washington Post. The article reports that the computer scientists’ campaign for more secure (and less secret) electronic voting technology is getting some real traction, especially in light of the recent Johns Hopkins report detailing severe flaws in a Diebold e-voting product. The computer scientists’ progress is certified, bizarro style, by none other than the head of the Federal Election Commission’s Office of Election Administration:

“The computer scientists are saying, ‘The machinery you vote on is inaccurate and could be threatened; therefore, don’t go. Your vote doesn’t mean anything,’ ” said Penelope Bonsall, director of the Office of Election Administration at the Federal Election Commission. “That negative perception takes years to turn around.”

You can’t buy that kind of bizarro endorsement!

Guided Voting

Eugene Volokh offers an interesting post on “guided voting,” a simple idea with important implications.

Voters often rely on the recommendations of others, such as political parties, interest groups, or well-informed individuals. For example, if I have a friend on the local school board and I trust her judgment about school-board matters, I might follow her advice about how to vote in the next school board election. This may be a perfectly rational decision for me to make – my friend’s choices may advance my beliefs more than my own decisions would, if the differences between her political views and mine are outweighed by her superior understanding of school board issues. Many voters would probably feel the same way about taking voting advice from political parties or interest groups.

Prof. Volokh suggests that if voting is done over the Net, then some centralized web site could provide guided voting services to users. The user would tell the site how his vote should be determined, and the site would then prepare a little computer program designed to cast the user’s votes in accordance with his preferences. A voter might choose to accept advice from several sources, with some procedure for resolving disagreements among those sources.

From a purely technical standpoint, guided voting could be used with any voting technology. With non-electronic technology, a guided voting service could print out a sort of checklist that the voter could take into the voting booth. With electronic voting technology, the guided voting service could print out some kind of bar code, which the voter might feed into a scanner in the voting booth.

This might seem at first like a questionable idea, but it doesn’t differ much from what many people already do. Most people make up their minds before they reach the polling place. And most people, I would expect, rely heavily on the recommendations of others in deciding how to vote. Guided voting is just another step down a well-trodden road.

The more problematic aspect of Prof. Volokh’s post is in his suggestion that recommenders collect and use statistics about how many votes they are influencing.

Moreover, guided voting would for the first time let groups actually measure exactly how influential its recommendations are. The [system’s] organizers can tell each group how many voters in each district followed its recommendation. They can even count the votes in which this group’s recommendation made the difference, rather than just being redundant of the other recommendations that the voter was following.

So when group X comes to a legislator to lobby him about some issue, it won’t just say “We have 2000 members in your district” or “We’ll spend $30,000 in your district on this issue.” Rather, it will for the first time be able to say “Our recommendation last election changed 15,000 votes in your district. What will you do to make sure that we recommend you next time?”

These kinds of statistics are not a necessary consequence of guided voting. Although Prof. Volokh’s centralized-website system would gather these statistics, a less centralized guided voting system need not do so. And in my view, it’s important to maintain the secrecy of each vote, so that nobody can tell for sure who is voting for which candidate.

In any case, some kind of guided voting seems inevitable, given the complexity of many ballots and the advance of technology.

Voting Machine Insecurity

Recently, researchers at Johns Hopkins and Rice Universities reported serious security flaws in electronic voting technology sold by Diebold. I haven’t yet had a chance to read the paper carefully, but I know all of the authors and I would be very surprised if they are wrong. Eric Rescorla discusses the paper and Diebold’s response.

This story follows a common pattern, in which a company claims that its secret technology is secure, only to have the security claim collapse when the system’s design finally does become known. This happens so often that security experts now routinely discount security claims that have not been subject to public scrutiny.

The researchers’ results should not be taken as evidence that Diebold machines are less secure than other secret systems. Most likely, all of the secret systems suffer from a similar level of problems. If Diebold fixes the reported problems, then Diebold’s systems will probably be more secure than their competitors.

This effect is what makes legislation like H.R. 2239 so important. Secrecy makes it difficult for vendors to differentiate their products based on security, since the secrecy makes it so difficult for a buyer to tell a secure product from an insecure one. Opening the systems up for inspection allows vendors to compete based on security, and that competition helps everybody.