Paper ballots are great, but if you want paper ballots to serve as a check on error or fraud in electronic tabulation, you have to do some hand counting.
Hand-count samples are commonly called "post-election audits," and there is a growing consensus among computer scientists who study voting systems that audits are at least as important as the mere existence of the paper.
The report of the Brennan Center Task Force on Voting System Security said it best. From p. 83:
The value of paper ballots without the Automatic Routine Audits is highly
questionable
.
UPDATE: The original title of this diary was that New Hampshie "nailed the case" for audits. The case did not need to be nailed, as some have observed in comments. The primary reminds us why audits are important, because they can offer a basis for reassurance to citizens who have been paying attention to e-voting problems, and are concerned.
Who was on this Brennan Center task force? Howard Schmidt, former chief security office of Microsoft. Ron Rivest, an MIT professor and pioneer in computer security. David Jefferson of the Lawrence Livermore National Laboratories. No conspiracy theorists, these folks.
16 states have come to the realization that audits are essential. And just this week the New Jersey Legislature passed a bill, S.507, with the most rigorous hand audit requirement to date.
It's a pity that New Hampshire does not yet require post-election audits. They have many jurisdictions that hand count, but the towns that use the scanners use the electronic tally unless there is a recount.
There is a good deal of citizen concern about the results of Tuesday's primary, and a post-election audit with a solid chain of custody, an observably random selection process, and a statistically powerful sample of precincts, could put those fears to rest.
Not that citizen fears are without foundation. The Premier (Diebold) AccuVote scanners, as well as the county server which programs them, have earned their reputation. With the particular vulnerabilities of these systems, it would not take many malicious actors to alter the vote in a large number of counties. In fact, it could take as few as two.
From the source code review of California's landmark top-to-bottom review of voting systems (executive summary, p. i)
The Diebold system is susceptible to computer viruses that propagate from voting machine to voting machine and between voting machines and the election management system. A virus could allow an attacker who only had access to a few machines or memory cards, or possibly to only one, to spread malicious software to most, if not all, of a county’s voting machines. Thus, large-scale election fraud in the Diebold system does not necessarily require physical access to a large number of voting machines.
Malicious code could have been programmed into the systems by a single person at the voting machine company, or by a single person working for a vendor of commercial off-the-shelf software (COTS) that is used in the scanners or the server. From page 78 of the Brennan Center report:
We have already discussed how a Trojan Horse might be inserted into both types of DRE systems. The insertion of a Trojan Horse into a PCOS [precinct-count optical scan, the type of Diebold scanner used in NH] scanner would not differ in any significant way. It could be inserted into the main PCOS source code tree, operating system, COTS software, and software patches and updates, etc. In most cases, this would require the involvement of a minimum of one person.
Now hold on. Some guy writing a software update for all the Diebold scanners in the country back in, say, 2006, isn't going to know who is on the ballots in the 2008 primary. From page 38:
Or perhaps her opportunity to insert the attack program came a year before the governor’s race, when she wasn’t sure who the candidates would be and whether she would want to attack the election. In such cases, the attacker could "parameterize" her attack. Under this scenario, the attacker would create an attack program and insert it in the original software, or software updates. The attack program would not specify which race to attack or how. Instead, it would wait for certain commands later; these commands would tell it which votes to switch. These commands could come from many sources, and could be difficult for anyone other than the attacker to find. For instance, the commands could come from the ballot definition file.
Vendors often write the ballot definitions for counties. From page 62 of the Brennan Center report.
If the vendor writes the ballot definition files for many counties in a state, only one person would be needed to trigger and parameterize the attack in many polling places.
If a vendor does not set the ballot definitions for a large number of counties, more participants would be required. But why leave this to chance? Why allow public confidence in elections to diminish further?
The bottom line on the Diebold voting system: it is not trustworthy. From a report of academic computer scientists who analyzed Diebold code for the Secretary of State of Ohio. This report was made public last month.
P.3 (p.121 of pdf)
Our analysis suggests that the Premier [Diebold] system lacks the technical protections necessary to guarantee a trustworthy election under operational conditions. Flaws in the system’s design, development, and processes lead to a broad spectrum of issues that undermine the voting system’s security and reliability. The resulting vulnerabilities are exploitable by an attacker, often easily so, under election conditions.
None of this proves anything about the New Hampshire primary. The cause of election integrity is not well served by shouting "fraud" without solid evidence. But by my count, based on the results of the Democratic and Republican primaries by municipality, and by the New Hampshire Secretary of State'stable of municipalities using AccuVote scanners, these machines counted a heavy of majority of votes in the primary: over 202,000 votes in the Republican primary, and over 243,000 votes in the Democratic primary. That is too many votes to trust to any software, let alone the Diebold junk.
Sign the MoveOn petition for paper ballots and audits by November 2008. The petition will be delivered to local, state, and federal officials. Let them know that an audit that is transparent, observable, and that takes place at the end of a reliable chain of custody is essential to ensuring the confidence of voters and the integrity of our elections.