Sunday, November 28, 2004

Electronic Voting 1.0, and No Time to Upgrade

The New York Times
November 28, 2004

Electronic Voting 1.0, and No Time to Upgrade
By JAMES FALLOWS

I TRUST computers. When I first used A.T.M.'s, nearly 30 years ago, I carefully saved receipts in a folder and matched them with the bank's monthly statement. Now I sometimes stuff the receipts in my wallet, but I almost never look at them again. The only banking error I've encountered in all those years was when a human teller left a final zero off a deposit I had made.

I still pore over credit card statements, but mainly to see whether some person, not some machine, has issued the proper refund credit or made an improper charge. I've sent e-mail messages to the wrong people by mistyping an address or hitting the oh-so-dangerous "Reply All" button, but never because the system routes it where it shouldn't go. When I travel, I assume that the e-ticket I booked through my computer will be valid and that frequent-flier miles will show up in my account.

Yet when I went to my polling place in Washington on Election Day, I waited an extra half-hour in line to cast a paper ballot, instead of using the computerized touch-screen voting machine. Am I irrational? Perhaps, but this would not be the evidence.

A columnist in The Washington Post recently suggested that nostalgia for paper ballots, in today's reliably computerized world, must reflect a Luddite disdain for technology in general or an Oliver Stone-style paranoia about the schemings of the political world.

Not at all. It can also arise from a clear understanding of how computers work - and don't. The more you know about the operations of today's widely trusted commercial computer networks, the more concerned you become about most electronic-voting systems.

The phenomenal reliability of the systems we trust for banking, communication, and everything else rests on two bedrock principles. One is the universal understanding in the technology world that nothing works right the first time, and maybe not the first 50 times.

When I worked briefly on a product design team at Microsoft, I was sobered to learn that fully one-fourth of the company's typical two-year "product cycle time" was devoted to testing. Programmers spend 18 months designing and debugging a system. Then testers spend the next six months finding the problems they missed. It is no secret that even then, the "final" software from Microsoft, or any other company, is far from perfect.

Today's mature systems work as well as they do only because they are exposed to nonstop, high-stakes torture testing. EBay lists nearly four million new items each day. If a problem affects even a tiny fraction of its users, eBay will be swamped with reports immediately.

Millions of data packets are being routed across the Internet every second. If servers, domain-name directories or other components cannot handle the volume, the problem will become apparent quickly. Years ago, bank or airline computers would often be "down" because of unforeseen problems. Now they're mostly "up," because they've had so long for flaws to become exposed.

The second crucial element in making reliable systems is accountability. Users can trust today's systems precisely because they don't have to take them on trust. Some important computer systems run on open-source software, like Linux, in which the code itself can be examined by outsiders.

Virtually all systems provide some sort of confirmation of transactions. You have the slip from the A.T.M., the receipt for your credit card charge, the printout of your e-ticket reservation. If your e-mail message doesn't go through, there is still the copy in your "Sent" folder. This is the technology world's counterpart to the check-and-balance principle in the United States government. The first concept, robust testing, protects against unintended flaws. The second, accountability, guards against purposeful distortions.

Which brings us back to electronic voting. On the available evidence, I don't believe that voting-machine irregularities, or other problems on Election Day, determined who would be the next president. The apparent margins for President Bush were too large, in Ohio and nationwide. But if the race had been any closer, we could not have said for sure that the machines hadn't made the difference. [Note: This a fallacious argument, since it has already been proven how easy it was for many of the machines to be hacked and the numbers changed to anything the hacker wanted them to be.] That is because many electronic systems violate the two basic rules of trustworthy computing.

By definition, they have barely been exposed to real-world testing. The kind of thorough workout that Visa's or Google's systems receive every hour happens for voting machines on only a few special days a year. By commercial standards, the systems are necessarily still in "beta version" - theoretically debugged, but not yet vetted by extensive, unpredictable experience - when voters show up to choose a president.

Four years ago, about one-eighth of all votes for president were cast electronically. This year, nearly a third were. How the system would handle that large increase in scale could not have been tested until the presidency was at stake. Worse, most of the electronic systems are not accountable. When I voted this year, I fed my paper ballot through an optical scanner and into a storage box. In a recount, those ballots could have been pulled out and run through the scanner again. If I had used the touch screen, I would have had no tangible evidence that the vote counted or was recountable.

Is that a problem because the chief executive of Diebold, the largest maker of such systems, is a prominent Republican partisan? No. It's a problem because it defies the check-and-balance logic built into every other electronic transaction.

AN inherently untrustworthy voting system might not be the worst distortion in modern politics. My nominee for that honor would be the structure of the United States Senate, where each state has two votes. When it was set up, there was a nine-to-one imbalance in voting population between the largest state, Virginia, and the smallest, Delaware. (Counting slaves, Virginia's edge increased to 12 to 1.) Now it's nearly 70 to 1 (California versus Wyoming), making the Senate our own equivalent of the United Nations General Assembly as a forum for overrepresented small states.

But the spread of voting systems that further erode Americans' faith in their democracy is serious enough. And while the Senate isn't going to change anytime soon, electronic systems can change - and, for the sake of credible democracy, must change - before we choose another president. Extensive discussions are under way at sites like VerifiedVoting.org, CalVoter.org, and the "news for nerds" forum Slashdot.org about inexpensive, practical ways to make automated voting as reliable as, say, buying books online. Their recommendations make sense. But you don't have to trust my opinion. Read them and see.

James Fallows is a national correspondent for The Atlantic Monthly. E-mail: tfiles@nytimes.com.