You'll hardly ever see this combination of requirements in any other situation: a collection of separate secrets that must be public when they're all put together. And it's one of the most important things society does, and everybody has to trust the process.

Even worse: if something goes wrong, you usually can't run the election over again.

So it’s important to prevent mistakes. But mistakes are not the only danger. If people have the money the power to change the election's results, they can be tempted to make the change—and get even more money and power.

From paper to electrons

Most elections in most places have used paper ballots. To vote, a voter marks a piece of paper (the ballot) and puts the paper in a locked box. The boxes are collected together and opened, and then the votes on the ballots are counted. This can be harder than it sounds. For example, “ballot stuffing” is when somebody adds extra ballots to the ballot box.

When computers were invented, many people tried to use computers to improve elections. In fact, computers are used in many ways for elections today, often without problems. For example, many voters can visit a web site to find the place where they are supposed to vote, the date of the election, the names of candidates, and so on. People can also discuss elections on web sites and mailing lists. This works pretty well.

People have also used computers to count votes. This hasn’t always worked well. Starting in the middle of the 20th Century, computers were used in two ways:

1. Voters still mark pieces of paper, and the computers count the votes.

2. Voting machines record the voters' choices inside computer memory, just like storing data on an iPod. This is a computer version of mechanical voting machines using levers and gears, which were invented much earlier.

Those two uses for computers might look similar, but they're very different.

The first process is reliable, so long as people don’t blindly trust the results from the computer. Election officials check some of the results by randomly recounting them by hand. This proves that the computer was accurate. If the hand count comes out different from the computer count, the election officials don't trust the computer. They spend extra time and money to count all the votes by hand.

The second process is unreliable, because there is no way to check the computer's results. Even if someone proves that the computers had a programming bug, or were maliciously altered, there is no record of how people voted—except what the computers tell you.

Why do people use computers for elections in the first place?

Computers make many things cheaper and easier. People have tried to use computers to get these benefits for elections. Sometimes that has worked, sometimes not. Here are some of the benefits people have hoped to gain from using computers in elections:

They're fast. All other things being equal, everybody wants to know the results of elections as fast as possible. (In any case, fast results make a better story for the TV news.) Computers have helped produce election results faster.

They're cheap. Counting paper ballots with machines can save money on paid election workers. Election officials who buy computerized voting machines usually expect them to be cheaper than paper ballots, but these machines have often turned out to be much more expensive in practice, mostly because they break a lot. So some uses of computers in elections have saved money, but some have been very costly.

They're flexible. Many elections officials have hoped this flexibility would make voting easier for disabled people. And someday it might, but it hasn't worked well so far. It’s pretty easy to add equipment to an electronic voting system to read a ballot to a blind person, but it can take a very long time to vote this way. Blind people who can read Braille are probably better off with Braille ballots, which are used in some places and can be part of a paper ballot system. In any case, people with severe sight problems are only a small part of the disabled. Someday, computers may be a great help to voters with disabilities. In any case, it’s worth remembering that when elections are not accurate or trustworthy, everybody loses, including voters with disabilities.

What are the risks of using computers for elections?

Computers have drawbacks as well. No one has found a safe way to use them, unless votes are stored on paper ballots so someone can check the results later

Computer memories can change very fast, and the changes often leave no trace. So if a computer memory fails, votes can be lost forever.

For somebody who wants to steal an election, putting votes in a computer memory make things easier. Consider the “ballot stuffing” example we discussed above. To stuff a paper ballot box, a criminal has to steal or make some paper ballots, mark them up ahead of time, and slip them into the box unseen. But if the votes are all inside the computer memory, the criminal just needs to rearrange the computer memory. The criminal can even reprogram the voting machines to change the votes all by itself!

It's hard to check that the computer is accurate. Most machines use programs that only the manufacturer knows. Sometimes, election officials hire independent experts to check the programs (called auditing), and some election officials even require manufacturers to put open source code (see http://www.hackerteen.com/opensource.php) on the machines. But they often can't be sure that the code they audited is the same as the programs that run later in the polling places.

How would someone use these weaknesses to steal an election? Imagine a district where a lot of people are expected to vote for Candidate D. On the morning of the election, a technician could come into the polling place to start the machines and could slip a chip into each one that says, "Throw away half of all the votes for Candidate D." Election workers often take voting machines home with them the night before an election. (This is called a “sleepover.”) Or, machines are often left unlocked and unguarded at the voting place. Both of these situations provide opportunities for a criminal to manipulate the election machine.

Computer voting machines have been designed with safeguards to prevent people from stealing votes and to prevent malfunctions from losing votes, But these don't solve the problem, because of the unique problems of voting we mentioned before: keeping each individual vote secret.

Electronic voting machines can be hacked in several ways. Like any computer, a voting machine has a main computer program, an operating system, and other pieces of software, which can be hacked. A well-placed agent working at the company that made the machines could hack all of that company’s machines, affecting the election of a whole country at once.

Election equipment can be hacked after it’s delivered to each place that conducts the election, too. The machines are stored in warehouses between elections, have to be transported to polling places, and as mentioned above, are often are left in unlocked rooms overnight before the election. So the machines are vulnerable to being hacked one at a time when they are left alone. In some cases, it is possible for a voting machine to be hacked by a voter during the election itself.

Hacking the main voting program may require considerable skill. It might be easier to deliberately misconfigure the voting machine. This can happen accidentally too, so if the hack is discovered, it might look like an accident. It’s easy to leave a candidate off of the ballot for one contest, or else leave that contest off the ballot all together. Some people might notice, but since there are no permanent records, it could be hard to prove.

One creative way to hack a voting machine is with a virus. For each election, the voting machine needs to be loaded with the names of candidates, what offices they are running for, and so on. A virus added to this data can hack some of the software on the voting machine.

For many voting machines, it is surprisingly easy to introduce a virus. Sometimes a memory module such as a thumb drive is used to update the voting machines, and a virus can be put on this memory module. Sometimes WiFi or similar wireless communications are used to update the voting machines. A virus can be sent along with this wireless data. It may even be possible for someone near the warehouse storing the voting machines—perhaps in a car nearby—to deliver a virus wirelessly.

Because electronic voting machines have turned out to have so many problems, many places require electronic voting machines to also print a paper ballot and save all the ballots to verify that the electronic memory is correct. This requires extra equipment and paper. Electronic voting machines are already pretty expensive, and the added expense of making paper ballots can make electronic voting machines very expensive. Even though it’s expensive, some places that use electronic voting machines are adding printers to them. Some places are not adding printers, and hoping everything is OK. Some places are getting rid of their electronic voting machines and switching to paper ballots that can be read by a computer.

Further reading:

You may find the following information useful and informative. Not all of the following sources agree on what the real problem is. Neither do they agree on what the best solution is. As you probably suspected, you’ll have to decide whose argument you find more persuasive, and think critically about all the information you read, including this web page.