Introducing technology into the election process has many advantages. The casting of votes becomes far easier, encouraging people to participate. The results appear within a couple of hours, which enhances the confidence of the candidates and the voters in the process and results. This in turn reduces incidents of post-election violence. In the long-term it reduces organizational and implementation costs significantly and compared to traditional paper voting, increases the efficiency of election management. While most people recognize and appreciate these advantages, they find it difficult to accept the fact that it is also a lot more secure than manual voting.
The reason is simple. It is a common human failing that what you cannot see you don’t trust. The teller at the bank counter counts a wad of notes faster than your eye can follow, but because they have done it up-front, most of us will trust the process. Similarly, the candidates and their representatives at the polling booths in Pakistan feel more comfortable when they see a battery of teachers emptying ballot boxes onto the table and counting votes. However, we all know that human error, fraud and manipulation leading on to violence are central to electoral processes in many third world countries and Pakistan is no exception.
The security of paper-based manual balloting with a manual count is extremely low. The fact that there are just single copies of each paper ballot makes them extremely vulnerable. Paper ballots can be destroyed, tampered with, manipulated, intercepted, lost, forged, or fraudulently pre-marked. Ballot boxes can be lost or stuffed with fraudulent votes. Every step from voting to counting to final tally, and at every else in between are subject to human error, malicious or otherwise. Yet there are many politicians and analysts who are not willing to allow the introduction of a well-designed, special-purpose system that reduces the possibility of results tampering and eliminate fraud. They question its security, secrecy and safety. This article considers critical aspects of e-voting – security and auditing of voting machines, identification of voters, risk-limiting audit and creating a paper trail.
The logistics and warehousing involved in automated elections can be a complex undertaking. However, it is miniscule compared to the scale of logistics and warehouses routinely handled by project managers of large mail-order companies like Amazon and Ali Baba and manufacturing giants like Toyota. Election commissions worldwide store EVMs and election paraphernalia under lock and key, with armed security, surveillance cameras and access control. It would be next to impossible for unauthorized persons to access the machines and any tampering can be easily detected in the pre-election audits. A few days prior to the elections, the e-voting system is audited independent of vendors and preferably by computer security and telecom experts. If a pre-election audit is completed successfully and the automated election system gets the approval of all parties, it will increase the public’s confidence that will result in more voters willing to participate.
Biometric voter authentication (BVA) deters fraud by preventing people from attempting to vote multiple times but NADRA admits that at best it can recognize fingerprints of 82% voters. The anti e-voting lobby in Pakistan cite this as one of the weaknesses of the system. They don’t realize that voter authentication is a completely distinct and separate process from e-voting. Voter authentication can still be performed in the traditional method, even while e-voting proceeds independently and with all the attendant benefits. The pioneers of e-voting did not immediately adopt BVA. Brazil and Venezuela went ahead with automated elections and later shifted to BVA, while the Philippines, India, Bulgaria, Colombia and the USA added BVA to supplement the traditional process.
In fact, to protect the secrecy of the vote, any connection between the voter’s identity and the vote cast is avoided. A secret vote is the essential integrity safeguard because it enables voters to cast their ballot with full independence. A well-designed e-voting system further ensures secrecy by completely randomizing the votes cast and uses sophisticated algorithms to ensure that votes are never stored in sequence. There is so much that technology allows that can never be achieved by a manual system and yet the less informed are bent on creating suspicion around e-voting.
A well designed tamper-proof and tamper-evident system allows for risk-limiting audits that guarantee the legitimacy of results. A risk-limiting audit (RLA) checks a random sample of voter-verifiable paper ballots, giving strong evidence to support the reported election results. The audit stops as soon as it finds strong evidence that the reported outcome was correct. If the reported outcome was wrong because ballots were miscounted, it triggers a full recount that corrects the outcome before the election results are certified. RLAs provide strong assurance that the final outcome matches the ballots cast. Contests with wide margins can be audited with very few ballots, freeing up resources for auditing closer contests, which generally require checking more ballots.
Unlike manual systems, a well-designed e-voting system produces multiple copies of every data point both in electronic and paper-based forms, creating a very rich audit trail that cannot be circumvented. It also ensures that data is never lost, modified or destroyed. Audit trails give all stakeholders in the election the possibility to verify that the results reflect the will of the voters. Such systems have become the ‘Gold Standard’ in automated elections, providing both electronic records and corroborating paper records of the vote. The vote is verified by the voter-verified paper report (VVPR) but cannot be traced back to the voter. This double set of records provides a concrete means to audit the election after the conclusion of the voting.
As a best practice, well-designed voting systems furnish physical proof of all votes cast, in case a recount is needed. A printed paper ballot is now a mandatory component of automated election systems as it facilitates the most common audit performed after closing the polling centers on election day: comparing vote receipts against tally reports. With paper trails, post event audits can also be carried out upon request from any of the parties involved. A paper trail for audit is neither a complex nor expensive feature. As soon as the ballot is cast, EVMs with integrated printers automatically generate a voter verified paper trail (vote receipts). Printers represent 8-10% of the cost of voting machines and use the internal batteries of the voting machines.
Finally, the e-voting solution to be implemented has to be proven in multiple countries with different geographies and particular circumstances; and the company deploying the technology must have diverse experiences deploying voting technologies on a massive scale, as elections are unique projects. Its nature is fundamentally different from any other technology project: implementation happens on one day, it is nationwide, a large portion of the population uses the technology within eight or so hours on a pre-determined day, the project cannot be postponed, deployment means a massive logistical operation and coordination, and implementation mistakes could have drastic negative consequences for the entire country.
In the vast majority of countries that are discussing the implementation of an e-voting solution, the entire discussion revolves only around the voting machine equipment itself. Neglected is the question how this hardware will operate in ten or hundred thousand of polling locations on a single day without failure. An IT graduate may probably be able to put together a system that records votes electronically and totals the votes. The difference between a solution that works in a meeting room and a system that is trusted, immune to attacks and is working in a pre-determined timeframe nationwide is however fundamental. Ignoring the deployment aspect of electronic voting during initial discussions is another reason why implementation projects fail when election modernization is run on significant scale.
A well-designed automated election system should be both tamper-proof and tamper evident. When an automated election system lends itself to detailed scrutiny of its software source code at all levels, as well as its security mechanisms for data storage and transmission, it succeeds in providing ample guarantees that will foster the confidence of both election authorities and voting public alike.