In Electronic Voting Systems, it's all about Transparency and Recovery
By Avi Rubin

Editor's note: In mid-2003 Avi Rubin and two graduate students studied the source code for the Diebold Accuvote TS and Accuvote TSx machines. The resulting critical report calling the security of the machines into question stirred plenty of controversy, thrusting Rubin into the spotlight and turning his attention to what could be done to improve security with all e-voting machines.


There are many important properties required for a voting system. As a security professional, the ones I consider crucial are security, auditability, transparency, and recoverability. While accessibility for the disabled, multiple-language support, and usability are important too, they are not security-related issues. Of these, I believe that recoverability, the ability to recover from anything that might go wrong, is the most overlooked. At the end of the election, we must either be able to declare a winner, or we have to run the election again. The second option is unacceptable for something on the scale of a national presidential election.

Recovery
In most computerized environments, there is an expectation that the system will be down from time to time, either from scheduled downtime or from unexpected crashes. To anyone who spends time working with computers, outages do not come as a surprise; rather, the surprise would be if they never occurred. The more important a system, the more important it is to build in a recovery mechanism. Voting systems should not be exempt from this. If anything, the requirement is greater because of the consequences of a failure to recover from problems. And recovery in voting systems presents an even greater challenge than in most other systems, due to several factors:

  1. It is impossible to test a voting system on the same scale as on Election Day. You might be able to test 100 machines or even 1,000 machines, but on Election Day, there will be hundreds of thousands of machines and millions of voters. This scale is guaranteed to introduce challenges that cannot be observed in pre-election testing of the equipment. The system must be designed to withstand and recover from unexpected failures due to this scale. Furthermore, when you consider that elections are security-critical events with motivated adversaries, you have to take into account both accidental and deliberate attempts to cause failure and disruption. Thus, testing will not be representative of the possible failure modes in a real election, as adversaries are not likely to attack the test system.

  2. With the exception of some early voting in some states, elections are on one specific day, and that day is known far in advance to all potential attackers. Federal standards require that all voting machines contain real-time clocks, which makes matters worse for the security of existing voting systems. The existence of one “flag day” for the attackers means that they can prepare long in advance and make sure their attack does not show any trace before the actual election.

All of these factors lead to an expectation that things will go wrong in many places, and imply that we will not know about many of them before the election. So, it is important to stress recovery as a guiding principle in voting system design. Unfortunately, the Direct Recording Electronic (DRE) machines used in many states, which have no paper trail and no paper ballots, are a terrible model for recovery. For example, in North Carolina in 2004, there was an election using electronic voting machines in which a memory cartridge filled up, causing thousands of votes to be lost.

Transparency
Elections, by their very nature, lend themselves to disputes and suspicion, especially when the results appear to be close. The recent Mexican election, where the losing candidate refused to concede defeat, is an example of what can go wrong when people mistrust the election mechanism. Thus, it is important that every step in the process be as transparent as possible to the public. These steps include preparing the ballots; recording, counting, and aggregating the votes; and announcing the results. Dispute resolution and recovery should also be transparent. This means that recounts should not only be possible, but the public should also be able to observe them.

DREs lack transparency in many respects. Voters cannot see their votes being recorded correctly. The counting takes place inside a computer, and there is no capability for a recount. In contrast, paper ballots can be counted and recounted in full view of the public. Election oversight by outsiders, such as foreign election observers, is of minimal value with non-transparent systems such as DREs. There is little anyone can see or do when all of the recording and counting takes place inside a computer.

Auditability
Does the voting system provide an independent audit trail that does not depend on the information that is being audited? This is an important point. Diebold has argued that their DREs provide an audit trail because the electronic results can be printed and the resulting paper ballots can be counted. However, this kind of an audit is not independent. If there is an error in recording the votes, the paper ballots that are printed will reflect that error as well. Consider, by contrast, the case of paper ballots that are hand or machine marked and then fed through an optical scanner. To audit the scanner, the paper ballots could be counted by hand or with another scanner made by a different manufacturer. The audit in such a case is independent of the code in the scanner that is tested.

When considering the potential for fraud in an election system, it is important to distinguish between wholesale fraud and retail fraud. Retail fraud is the traditional ballot stuffing, where each act of fraud requires its own effort and exposure. To double the amount of fraud, an attacker doubles the risk of getting caught. Wholesale fraud, on the other hand, is when an attacker can scale up the fraudulent activity with no additional effort and no proportional increase in the chance of getting caught. The less transparent or auditable a voting system, the more likely it is to be vulnerable to wholesale fraud. Furthermore, even retail fraud is a bigger threat in an electronic system than in one that uses paper ballots. A memory card may contain thousands of votes and can easily fit up a person's sleeve or in a pocket, whereas thousands of paper ballots occupy much more space than that and are harder to manipulate.

The voting system that I believe provides the best auditability, security, transparency, and recovery is a ballot marking system: for example, a touchscreen machine that voters use to make their selections. However, the machine does not count any votes. Instead, it produces a paper ballot that the voter can review. It is the same ballot the voter might have marked with a pencil, but it contains no stray marks. During the voting process, the voter is prevented from voting for too many candidates in a race and is warned about voting for too few. If there is a problem with the paper ballot that is produced, the voter can shred it and try again. If the ballot is fine, then the voter puts it into a ballot box. At the end of the election, the poll workers count the ballots. The easiest way is to feed them through an optical scanner. When coupled with proper audit procedures, this results in a highly transparent process that easily lends itself to observation.
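As an added illustration (not from the article, and not any vendor's code), the following Python models the two audit designs contrasted in the auditability section and the ballot marking checks just described: the candidate names, the injected recording error, and the sample ballots are all constructed.

```python
from collections import Counter

# Constructed single-seat race; candidate names are placeholders.
CANDIDATES = ("Alice", "Bob", "Carol")
MAX_CHOICES = 1


def mark_ballot(selections):
    """Ballot marking device: reject overvotes, flag undervotes, emit a clean ballot.
    The device counts nothing; the returned dict stands in for the printed paper."""
    unknown = [s for s in selections if s not in CANDIDATES]
    if unknown:
        raise ValueError(f"unknown candidate(s): {unknown}")
    if len(selections) > MAX_CHOICES:
        raise ValueError("overvote: too many candidates selected")
    warning = "undervote" if len(selections) < MAX_CHOICES else None
    return {"choices": tuple(sorted(selections)), "warning": warning}


def flip_alice_to_bob(choices):
    """Constructed recording/scanning error used by both scenarios below."""
    return ("Bob",) if choices == ("Alice",) else choices


def dre_self_audit(ballots, record_error):
    """DRE-style audit: the only record is electronic, so the 'paper' used for the
    audit is printed from that same record. Returns (tally, audit_passed).
    Because both sides derive from one record, the audit passes even when wrong."""
    electronic = [record_error(b["choices"]) for b in ballots]
    printed = list(electronic)  # derived from the data being audited
    return Counter(electronic), Counter(printed) == Counter(electronic)


def independent_audit(ballots, scan_error):
    """Optical scan of voter-verified paper ballots checked against a hand count of
    the same ballots. Returns (scanner_tally, hand_tally, audit_passed)."""
    scanner = Counter(scan_error(b["choices"]) for b in ballots)
    hand = Counter(b["choices"] for b in ballots)  # does not depend on the scanner
    return scanner, hand, scanner == hand


# Constructed sample: three voters choose Alice, two choose Bob.
SAMPLE = [mark_ballot([c]) for c in ["Alice", "Alice", "Alice", "Bob", "Bob"]]
```

With the same injected error, the DRE-style audit reports success while miscounting, and the independent audit exposes the discrepancy between scanner and hand tallies.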

After considering the properties of security, recovery, transparency, and auditability, it is clear that ballot marking systems are far superior to DREs, and in my opinion, they are the technology of choice for voting in public elections.

Avi Rubin is professor of computer science at Johns Hopkins University and technical director of its Information Security Institute. He is the author of Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting (Random House, 2006) and President and Founder of Independent Security Evaluators (securityevaluators.com), a computer security consulting firm. Rubin is also the director of the NSF ACCURATE center.

© 2006 InfraGard All Rights Reserved