Friday, Nov. 3, 11 a.m. ET

Electronic Voting

Avi Rubin
Voting Security Expert, Maryland Election Judge
Friday, November 3, 2006; 11:00 AM

Avi Rubin, an expert on electronic voting security and a Maryland election judge, was online Friday, Nov. 3 at 11 a.m. ET to take questions about voting procedures on Election Day.

A transcript follows

Rubin is a professor of computer science at Johns Hopkins University, and technical director of the Hopkins Information Security Institute. He is the author of "Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting."


Avi Rubin: Let me introduce myself. I'm Avi Rubin, a computer science professor at Johns Hopkins University. I've just written a new book, "Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting," about the problems with electronic voting and Diebold's machines in particular, as well as my experience dealing with them and state and national officials after my report came out about Diebold in 2003. I look forward to spending an hour with you today and attempting to answer your questions.


Rockville, Md.: What is the most secure/accurate/every vote counts/idiot proof method of voting? Touch screen, punch, lever pull, scantron, dropping color-coded rocks representing the candidate of your choice into a burlap sack held by a member of the local constabulary, and then collected by the regional high priestess? Please consider ease of counting and voting in your answer.

What is the most fun/confusing system? Butterfly ballot, sudoku, crossword ballots? Bonus points if you can answer in the form of a haiku.

Why are my questions never posted on these discussion forums?

Avi Rubin: Okay, your question will be posted, as well as my answer.

I believe that no system is fool proof, but that paper ballots with precinct-count optical scan is the best technology out there for voting. The paper ballots can be marked by hand, or with a touch-screen ballot marking machine. As long as the voters check the paper ballot before they submit it, I think that this system can work. Is it perfect? Far from it. It requires procedures to be defined and followed, but it is the best hope we have right now of running our elections in a trustworthy manner.


Redding, Conn.: Have you heard anything about the possibility that Jim Webb has been incorrectly identified on Virginia electronic voting machines as "Jim James," instead of "Jim (James A.) Webb"?

Avi Rubin: Yes, there was a story about this in the Washington Post. Apparently names are being shortened to fit on the summary screen. This is a terrible design decision.


Glen Burnie, Md.: Mr. Rubin - I've been reading over the past several days about a problem with the Sequoia Voting Systems machines. According to what I've read, the machines include a yellow button on the back that when pressed (twice), puts the machine in "manual mode", allowing the user to cast as many votes as desired after following several screen prompts. It is quite frightening to believe that if a poll worker is distracted for long enough, a knowledgeable person could use this method to commit fraud. Or worse yet, that a poll worker or administrator him or herself could do it.

Please tell me these machines are not in use in Maryland.

Avi Rubin: These machines are not used in Maryland. Furthermore, many of the election administrators in California have disabled this "feature" on the machines. It is really designed to be used in small rural areas that don't have the smartcard encoders. Also, the machine beeps really loudly when the yellow button is pushed, and it has to be held in for three seconds and then pushed again. I think this is definitely a design mistake, but not nearly as serious as the problems with the Diebold machines that we do have in Maryland.


Bethesda, Md.: What checks will be run on the 2006 electronic election results to identify which votes were genuine vs. fraudulent?

Avi Rubin: Unfortunately, the system we are using in Maryland, the Diebold Accuvote TS, does not have any mechanism for performing independent audits, and recounts are not possible. There is no tangible record of each vote in the form of a physical ballot. So, it's a bad situation, but there are no checks in place to do this. The closest thing is that Maryland is running parallel testing where machines are taken out of polling places on election day and used in mock elections in phantom precincts, as though they were really being voted on. Then the votes are totaled. There is no plan in place suggesting what to do if the parallel testing reveals that the machines are getting the wrong tallies, but at least we would know that something was wrong.


Carlisle, Pa.: Early voters in both Florida and Texas have already encountered touch screen machines that flip their votes for Democratic candidates to a review screen showing votes for Republicans. How could this still be happening two years after the very same problems in the 2004 election? Are voting machines really so much more difficult to get right than ATM machines?

Avi Rubin: My understanding about the early voting problems is that the screens are miscalibrated, so that when voters pick a candidate, sometimes a different candidate is recorded, and they don't see that until they get to the summary screen. This is absolutely unacceptable. I don't see how such systems could have made it through testing and certification and still have this problem.

And, yes, voting machines are much more difficult to get right than ATM machines, but more on that later.


Claverack, N.Y.: What I don't get is how we went from "a poorly designed punch ballot in Florida" to "the solution is computerized voting systems." What does one have to do with the other? Everyone got so fixated on how "old" the systems were that they lost sight of the actual goal: a reliable, transparent system whose integrity could be verified.

Can a "black box" electronic system ever be as transparent as a paper ballot?

Avi Rubin: I think that an electronic voting system where there is no paper record of the vote cannot possibly be as transparent as paper. In the precinct where I worked as an election judge on Sept. 12, in the Maryland primary, a candidate's wife came to observe. Unfortunately, she could not watch votes being recorded. She could not watch ballots being counted, and she could not actually see anything. She just stood around until the machines computed the totals, and then we posted them on the wall. Her husband had not done well, and she left. That is not what I call a transparent process.


Cheverly, Md.: Last night, I caught part of the HBO documentary on the ability to hack Diebold voter machines. I have some knowledge of data bases and programming and can see how this is done. Why is there no outcry throughout America, particularly the elected officials on this issue? Even if they do not understand the finite details, the principle alone should have both camps up in arms.

Avi Rubin: I think that people are starting to catch on to the dangers of electronic voting. In Maryland, an unprecedented 170,000 people requested absentee ballots. I think that this is a statement against the machines.


Harrisburg, Pa.: I discovered (being involved in the selection of voting machines) that one of the best ways to learn how bad these machines are was to ask competitors what they thought of their competition. It appears to me that all of these machines are meant to be used only twice a year and are shoddily made. As you may have heard, they ran a test in Pennsylvania and a Carnegie Mellon professor was successfully able to alter the results without being detected. What are your thoughts on how well these voting machines are made?

Avi Rubin: I have only had a chance to evaluate the software in the Diebold system. That machine is very poorly made. But, I think the bigger question has to do with the idea of using electronic paperless machines in the first place. Even the best made electronic voting system is not good enough. There has to be a way to publicly observe the counting of the votes. There has to be a way to conduct independent audits that are not tied to what is being audited. I think that the gold standard for a voting system is to build it in such a way that no trust is required in any of the software. That is achievable, but it is the opposite of the way DREs are being built today.


Silver Spring, Md.: There has been much discussion about whether voters have confidence in our new voting process. How much confidence should we have in a process that has been redesigned to eliminate any possibility of independent count checks, and eliminate any possibility of recounts? Consider too what could have motivated these changes. Those who redesigned the voting process either did not know they were eliminating these important means of ensuring the winners really got the most votes, or they knew and did not care, or they knew and specifically intended to remove them. None of this inspires confidence in our new voting system.

Avi Rubin: I have been accused before of lowering the public's confidence in voting. In fact, I do believe that if a system is bad, that there should be no confidence in it. Misplaced confidence is something to be corrected not supported.


Columbia, S.C.: Avi,

I have heard that the most widely cited exit poll results will be held back so that they tally with the "official" results. Do you know if this is true? If so, won't it make detection of machine vote counting malfunction (accidental or fraudulent) more difficult to detect?


Avi Rubin: I don't know anything about this.


Rockville, Md.: We do have reasonable concerns about the new form of electronic voting and are well minded to seek paper trails and other ways to verify a vote. However, paper ballots have been around and abused for a long time. Is it possible that some of this suspicion of the new is generated by those who can and do manipulate paper ballots and do not want to lose that craft?

I know it sounds paranoid, but there are several areas where we are given an opportunity for something new and many are against it. Fluorides in water. Nuclear power. Windmills. Hydroelectricity. Genetic good.

Avi Rubin: The big difference is that fraud related to paper ballots requires one to commit more fraud to affect more votes. We call this retail fraud. Electronic voting systems are susceptible to wholesale fraud, where the amount of effort required to change additional votes is zero once someone figures out how to rig the software. It's a fact that the same software runs on many different machines, and that software by its nature is likely to have bugs and to be easy to manipulate in undetectable ways.


Alexandria, Va.: Did you see the HBO documentary, "Hacking Democracy", and what, if any, steps can we take to avoid the electronic tampering of the Diebold voting and scanning machines that were demonstrated in the film?

Avi Rubin: I saw this last night. I believe that four days before the election, it's a little too late to be asking what we can do to avoid the problems shown in that film. It is entirely possible that the damage has already been done. For optical scanners, such as the ones featured in the documentary, it's critical to do manual audits after the election. For DREs, well, I suggest not using them in elections. There is no way to audit.


Washington, D.C.: Dr. Rubin,

I am concerned about the state of erosion in voter confidence in the nation as a result of this controversy. You may regard this question as less than flattering and the last time you appeared on a Post chat, my question was ignored then--I hope it won't be today. As a result of your rising national profile, you have started a successful business venture that provides data security and is enormously profitable. In addition, you have secured $1.5 million in funding from the National Science Foundation, with David Dill, Peter Neumann and others, to build the "perfect voting machine." My question is, with these for-profit ventures, how can you identify yourself as a strict academic? You have strong commercial interests at this point. Isn't this a conflict of interest?

Avi Rubin: Okay, I will answer your question. I'm sorry if you did not get a response last time, but there are many more questions here than I can answer. My company that you mention, Independent Security Evaluators, has had a policy since it was founded that we do not do any work related to electronic voting, for the reasons that you mention. In fact, we have consistently turned away that kind of work. We evaluate corporate systems for security problems, and then we report on them back to our clients. In some instances we help them fix those problems.

I understand from your posting that you are questioning my motives, but I believe that my research speaks for itself. The fact that e-voting machines are not auditable, are not transparent and do not allow recounts is true whether I am running a successful company or not. You also refer to the ACCURATE center from the National Science Foundation. This center was funded as a five-year effort over six different institutions, including Hopkins, Stanford, Berkeley, SRI, Rice and U. Iowa. The NSF believed that e-voting research is still needed before we can deploy this technology in real elections, and that is why they funded this center at a rate of $7.5 million (correction from your posting). The NSF does not throw that kind of money at a problem unless they believe that it is a real problem.


Ashburn, Va.: Why do you think the mainstream media have been so complicit in this assault on our democracy? Do you think it's a reflection of a general lack of interest in or understanding of technology, or do you think it's something more sinister?

Avi Rubin: I actually believe the mainstream media is catching on. I've seen stories about the risks of electronic voting in every mainstream publication and on every TV and radio channel. I believe that it's the kind of issue that requires education. Once people are informed of the risks, the problem is easy to grasp.


Rockville, Md.: As an election judge in Maryland, maybe you can answer this question for me -- Can I request a paper ballot on Tuesday when I go to the polls?

If I can't, and considering all of the real problems with the touch-screen machines (AND even without those, the perceived problems), would it not be good policy to require polling places to have paper ballots for those that request them? I really feel that there should be an option for those wary of the touch-screen.

Avi Rubin: You cannot.

The solution, in my opinion, is not to give people a choice of paper or electronic. The people with the paper may have confidence in their votes being recorded correctly, but we should not allow for electronic voting machines for people who don't understand the risks. We just need to get rid of the DREs.


out of the loop: I understand Diebold systems are used in international elections as well - this can't be good - right?

Avi Rubin: I am not aware that Diebold is being used anywhere outside of the United States.


Germantown, Md.: Would Diebold machines be better with open source software, in your opinion?

Avi Rubin: I think that the open source question/debate is a distraction. We need to build systems that don't require trusting any software component. Then it won't matter that much.

My personal feeling is that anything related to public elections should be just that -- public. It seems arrogant for voting companies to think that they have some right to hide the code from voters who want to see how the voting machines work.

But, if we had systems that did not require trusting any of the software components, through proper audit of optical scan and paper ballots, this debate would probably go away quickly.


Gaithersburg, Md.: The Maryland elections board has made a point of discussing same-day testing of the machines to occur concurrently with the voting. What is your opinion of the efficacy of this method?

Avi Rubin: I have addressed this in a previous reply. This is called parallel testing, and I believe it is critical to do this testing if you are using DREs. I believe that there are many problems that can still arise even with parallel testing, but there are classes of wholesale fraud that parallel testing, implemented properly, is likely to catch, and so I am a strong supporter of doing this testing.


Ashburn, Va.: You say that paper ballots with precinct optical scan is the best technology out there. However, after viewing the "Hacking Democracy" documentary last night on HBO, my confidence in the optical scan ballots, or more particularly in the electronic tallying of those ballots, was quite shaken. The compromised Diebold optical scan vote machine in the documentary looked much like the machines used in Loudoun County. What procedures are in place (or should be in place) to prevent such tampering of the vote tallies? If I were an election official or monitor, I would demand a full manual count of the paper ballots before allowing a precinct tally or an election to be certified.

Avi Rubin: You've answered your own question. Manual counts will detect the problems. I believe that it is possible to get statistical confidence by randomly sampling the machines. Only when there are discrepancies do you need to count more of them. In today's elections, I don't think it is possible to count all of the ballots in large precincts by hand, and that process would be error prone as well. What we need to do is use scanners and then audit, audit, audit.


Arlington, Va.: Why is there so much resistance in certain states about implementing a paper trail for all voting machines? Currently, more than twenty states have such laws. Why are the others still resisting? It seems like a small cost to ensure that our elections are fair.

Avi Rubin: In Maryland, there was an attempt by the house of delegates to get legislation in place to require paper ballots. Unfortunately, due to political wrangling between Democrats and Republicans, the bill died in committee. I have hope that such a bill will become law before the 2008 election.


Richmond, Va.: Usually it is the State General Assembly that has the ability to create laws for paper with DRE machines. Why does the public not demand the change? Voter turnout increases every year. People are satisfied with their machines and ease of use.

Avi Rubin: See my last response.


Washington, D.C.: Could you address the only paper-trail count, which occurred in Ohio, that showed that there is an error rate on the paper trail by 10 percent or more? In Ohio, the paper trail is the official ballot of record. Doesn't it concern you that the margin of error for the paper trail is greater than the margins for optical scan and DREs together?

Avi Rubin: One of the most unfortunate consequences of the exposure of the security problems with DREs has been the introduction of poorly designed paper trails. When I was advocating paper as the solution to the security risks of DREs, I did not have in mind the kind of designs that Diebold and others have come up with. Those paper trails are unwieldy, introduce privacy compromises, and are difficult to count and not likely to lead to proper audits. I don't advocate them, and I've posted about this in my blog at

This is why I think the best solution is paper ballots and not paper trails.


Severna Park, Md.: For several cycles, we used optical scan voting machines, where you are handed a large, heavy paper ballot and asked to use a marker to complete the center part of an arrow that points directly to your candidate's name. When done, you walked over and a poll worker observed as you slid the ballot into a scanning machine that sucked the ballot inside.

They, obviously, also allowed for the ballots to then be counted by hand if need be. I have to say that I never felt any of the apprehension or worry that I do now with the touch screen systems. It was clean, effortless and obvious how to use. Today's systems, not so much.

Avi Rubin: I lived in New Jersey when these systems were being used in Maryland, so I have never seen it, but I've heard a lot about this system, and it seems like a perfectly reasonable one.


Washington, D.C.: Please tell me that during this parallel testing on election day, that those performing the tests will use completely fake ballots with fake candidates. Call me cynical or a conspiracy freak, but I can see something like that slipping through the cracks ("We didn't have time to change Ehrlich and O'Malley on the testing ballot to Jefferson and Lincoln.")... and the tallies from those tests "accidentally" being added to the actual vote totals.

I guess what I'm asking is, how tight are the controls on this testing going to be?

Avi Rubin: I am not sure how tight the controls will be. But, using fake ballots with fake candidates would defeat the purpose of parallel testing. The goal of the testing is to fake out any malicious software on the voting machine, so that it cannot tell that it is being tested. With fake anything the malicious code could be programmed to behave correctly, and only cheat when nothing was faked.

But, you do bring up a good point. It would be terrible if the parallel testing votes ended up getting counted. In parallel testing, you are supposed to also feed the votes in with the demographic representation of the "precinct" you are simulating. If you don't, the software might be able to tell that this was a parallel test.


Aston, Pa.: How are you and your family voting this election; at the polls or absentee ballot?

Avi Rubin: My wife and I will be voting at the polls. I'm working as an election judge in my home precinct, so I can vote there. I am not a fan of absentee voting in general. You lose the advantages of a private ballot. Absentee voting introduces the possibility of vote selling and voter coercion. When I voted in the primary, I felt hypocritical voting on a Diebold DRE, but that's what we have here, and I don't see how my voting absentee would change the security of this election. In fact, the mad rush to absentee voting might lead to administrative nightmares that could have their own effect on the accuracy and integrity of the vote count.


St. Paul, Minn.: Given the likelihood of fraud, mistake, etc., in this election, and coupled with draconian new ID laws that will effectively prevent certain citizens from exercising their Constitutional right to vote, what is your impression of the efficacy of postelection lawsuits to amend the problems? Have you been approached by any groups preparing to sue?

Avi Rubin: I have heard a lot about preparations by candidates to sue after the election. I have not been personally approached about this, but several of my colleagues have been. I think that having a voting system where it is impossible to check whether or not the tally is indeed representative of how people voted will lead to increased litigation, although I have no idea how the courts are going to decide what to do. The DRE machines leave no tangible, trustworthy evidence of how people voted.


Avi Rubin: I want to thank everybody for your questions. I regret that there were many, many more questions than I had time to answer. I'm a pretty fast typist, and I've been answering non-stop for the last hour. I am encouraged by the amount of attention that I see this issue getting. I hope that this election will run smoothly, and I also hope that if it does people will not use that as an excuse to say that there are no problems with DREs. My biggest hope is that in 2008 and beyond we will move towards verifiable, auditable and transparent elections.

And don't forget to vote! If you don't, then you are positively guaranteed that your vote will not be counted.


© 2006 The Washington Post Company