April 1, 2004Why the ultimate e-government effort failed to get off the ground.
n 1997, a glimmer of revolution appeared in a tiny, overlooked office in the Pentagon.
Thousands of surveys from U.S. citizens and soldiers living abroad during the 1996 election poured into the Federal Voting Assistance Program, a 13-person office that administers absentee voting for 6 million military service members and other Americans living overseas. As it does after every election, FVAP asked its constituents what problems they encountered in exercising their most basic democratic right.
The results weren't heartening. Then and now, voting from abroad can be a cumbersome, time-consuming affair, an electoral crapshoot with international mail as the dice. Some voters in remote areas of foreign countries rely on moribund local postal systems that might not deliver absentee ballots by Election Day. Some voters claim they never even receive ballots from their home districts. (There are more than 13,000 voting districts in the United States.) Some absentee ballots must be postmarked prior to Election Day. Others must be signed by a notary public, whose services the voter must find and pay for. Some counties throw out ballots that arrive late. Local officials decide which ones are too mangled to read.
Federal officials have no power to write uniform election procedures. Statistics are slim for how many people are effectively disenfranchised by these absentee voting hurdles, but anyone familiar with the Byzantine process will tell you that thousands of ballots go uncounted.
FVAP officials knew voters were frustrated. But after the 1996 survey, they found out they also were impatient. By then, the Internet had enraptured Americans. Real life flourished virtually online. You could buy books, register your car and send messages to astronauts in the space shuttle. E-commerce and e-communication abounded. When would e-government catch up? People wanted to know, "When are we going to be able to vote by computer?" says Polli Brunelli, the director of FVAP.
The voting office spent the next several years devising a plan to let some voters send their ballots over the Internet, instead of through the mail. In 2002, spurred by the clamor for voting reform following the 2000 Florida recount debacle in which overseas ballots were hotly contested, FVAP launched the most ambitious, complex and expensive online voting initiative in U.S. history, the Secure Electronic Registration and Voting Experiment. The experiment would involve 100,000 voters-only .0009 percent of the total number of voters in 2000.
But it never saw the light of day.
FVAP asked 10 experts, including political and computer scientists, to inspect SERVE and determine whether it would keep votes private and tamperproof. Given the 269-vote margin in Florida that officially separated George Bush from Al Gore, SERVE couldn't tolerate error, accidental or intentional. But before the panel could complete its final report, four computer scientist members, among them the most vocal and well-known opponents of Internet voting, penned a scathing rebuke of the system, saying security flaws and design weaknesses made it an easy target for digital saboteurs.
The scientists' dire warning resounded within the Bush administration, as did its pointed reference to the Florida debacle and razor-thin recount. Ten days after the group leaked a copy of its findings to The New York Times, Deputy Defense Secretary Paul Wolfowitz issued a terse memo canceling SERVE for the general election, "in view of the inability to ensure the legitimacy of votes that would be cast."
In the gigantic Defense Department budget, the $22 million that FVAP-which one project member calls "a flea on the giant ass of the Pentagon"-spent on SERVE was a pittance. But the story of how the project came to life, and how it died, is a cautionary tale of government's romantic and sometimes tragic love affair with the Internet.
THE REVOLUTION NEARS
SERVE is a grandchild of a get-out-the-vote drive dating to the Civil War, when states created portable polls so troops could vote from the battlefield. When war moved overseas in the 20th century, local governments struggled to get ballots to the front lines. But no federal law required them even to try. That didn't change until 1986, with enactment of the Uniformed and Overseas Citizen Absentee Voting Act. The law guaranteed troops, their dependents and civilians and federal workers abroad the right to cast absentee ballots in federal elections. It was the most significant voting reform since the 1965 Voting Rights Act, which enfranchised black Americans.
But even now, some military service members don't vote because they don't receive their ballots on time, or because they don't know how to obtain them. And the State Department reports widespread lack of knowledge of electoral procedure among civilians overseas.
Online voting was supposed to make the process easier. In the late 1990s, amid the national electronic ecstasy, state election officials saw online voting "fast approaching," says Cameron Quinn, the former elections director in Virginia. But many hesitated to sign on. By nature, election administrators are a risk-averse lot. Their job is to detect fraud, but as long as there have been elections, they've also stood accused of perpetrating it.
In 1999, California started flirting with e-voting, and commissioned a Cabinet-level panel of technology and voting experts to consider an online pilot project. Their findings sent a chill through the elections world. While the Internet could help millions of voters, "technological threats to security, integrity and secrecy of ballots are significant," the reviewers wrote. At first, "There was a general excitement," says David Jefferson, a panel member and former computer scientist with Compaq. But a dozen meetings later, "The mood of the entire group shifted," he says. Jefferson was one of the chief skeptics.
Officials were stunned that California, the vanguard of all things "e," would balk, says Virginia's Quinn, whose state ranks second to California in technological innovation. "It gave [officials] the heebie-jeebies."
FVAP was undeterred. In the 2000 election, officials tested a rudimentary system, called Voting Over the Internet (VOI), with 84 volunteers. Technologically, the project succeeded. It proved local officials could send ballots abroad, and that voters could return them anonymously.
But again, the specter of online attack and trickery reared its head, thanks partly to Jefferson, who sat on a group that reviewed the VOI effort. FVAP officials listened, and in a June 2001 report wrote that strong security and privacy were essential to any online voting system. Defense officials should address technical issues before bringing a full-fledged voting system online-particularly one affecting tens of thousands of voters-FVAP concluded.
Which is why, the following year, election experts were befuddled when the office eschewed its own advice and awarded technology giant Accenture a contract to build SERVE.
Why did FVAP jump when others flinched? Some read a passage in the fiscal 2002 Defense Authorization Act to "carry out a demonstration project . . . [of] an electronic voting system" as a mandate. But the language mentions only "uniformed services voters," not the civilians who outnumber soldiers by a ratio of 10-to-1, and who also would be part of SERVE.
"It was an ambitious schedule," says Brunelli, the FVAP director. The law required implementation of the demonstration project by 2004. Already, about half the states that had expressed interest in SERVE had dropped out, leaving only seven participants. Voters from 50 counties within those states would volunteer to vote online.
But FVAP officials needed to know every possible security weakness. So they went to the reputed expert-David Jefferson. And they invited three computer scientists, all outspoken critics of electronic voting systems, to help review the system. The group included Avi Rubin, an associate professor at Johns Hopkins University and a rising star in the computer science world. Rubin made his reputation as "the e-voting guy," he says, after writing a bombshell report on flaws in the software source code of electronic voting booths made by Diebold Inc. that made the machines vulnerable to manipulation. Rubin's findings emboldened e-voting critics, and made him the undisputed nemesis of voting equipment manufacturers.
Choosing Jefferson and Rubin to audit Internet security is a bit like striking a match in an atmosphere of pure oxygen: You're guaranteed explosive results. "We explicitly involved people that we knew would say SERVE is a bad idea," says Thad Hall, an elections expert with the Century Foundation, a think tank in Washington, and one of the other review panelists.
They got what they were looking for. Rubin, who had labeled the Diebold code a threat "to the essence of democracy," now calls SERVE "the worst idea I've ever heard." In his mind, Internet voting compounded the existing problems of voting software, because the personal computer and the Internet were inherently unstable and unsafe. Rubin had lashed out against electronic voting hundreds of times in the media.
Indeed, the press helped make Rubin a star skeptic. In 1997, the New York Times reported that Rubin, then working with AT&T Labs, had traveled to Costa Rica and advised its government against Internet voting. Following that, he landed a spot on a National Institutes of Standards and Technology panel to assess the idea in the United States; the panel concluded that it was unsafe.
"I wonder why they even invited me," Rubin says of FVAP. But he knows why he said yes. Jefferson told him he had to participate, because if anyone could show FVAP the security weaknesses, it was the two of them.
In October 2003, the group of 10 SERVE reviewers met at the Reston, Va., offices of Accenture. The discourse, according to those present, was detailed, wide-ranging and argumentative. "We raised every kind of legitimate horror story that you could imagine," says panelist Mike Shamos, co-director of the Institute for Electronic Commerce at Carnegie Mellon University, and one of the few scientists who have backed Internet voting.
What if an online attack blocked voters from casting ballots? What if a virus secretly altered their votes? What if terrorists or a hostile government rigged an election?
Shamos grew frustrated with the security critics' absolutist position. They couldn't overcome the idèe fixe that the computer and the Internet made online voting intrinsically dangerous. Shamos countered their scenarios, but frequently his colleagues dismissed him, he says. All the points raised in the skeptics' report were thoroughly debated in meetings, he contends.
Tension grew when the skeptics presented a table showing various ways an attacker might hit SERVE, along with probabilities that each method would be used. Members of the panel howled, Shamos says, because the assertions weren't scientifically formed. "It was all just guessing," he says. "They didn't take a scientific approach" to the review.
The full group had planned to release a report publicly months later, after all 10 panelists had reached consensus. The security experts pledged to write a separate report on SERVE's security features, but few thought they'd preempt the entire group's findings. In January, the skeptics gave an exclusive copy of their report to the New York Times, which ran a story on its Web site. Media coverage the next day followed the Times story, which reported that the critics had determined that SERVE "is inherently insecure and should be abandoned."
The findings sealed SERVE's fate, and engendered animosity toward its authors. Critics dismissed it as a "minority report" by technologists who misunderstood the electoral process. The Information Technology Association of America, a lobbying group, called the findings "academic," and said in a statement, "Life is all about taking intelligent risks to gain meaningful rewards….We call that progress."
But the Pentagon had no interest in taking a risk, intelligent or otherwise, with SERVE. Ten days after the group's report broke in the press, Wolfowitz halted Internet voting in 2004. In practical terms, SERVE was dead.
LEAP OF FAITH
So SERVE sits unused, though the core technology has been developed. Officials will study and test it through experimental means, but may not use it to transmit actual ballots.
Of the dissident group's findings, Brunelli, the FVAP director, says only, "It was four members from a group of 10. I think we need to listen to both sides." One day, she says, "brilliant people" will devise a solution to make online voting safe.
No one doubts that Internet voting could make the democratic process more convenient for potentially millions of people. At the same time, even its proponents acknowledge that an online voting system would make a tantalizing target for hackers. But elections were manipulated before the Internet Age. Rubin and others demand practically airtight security, but that's impossible to achieve in any election. "Every voting system has levels of risk," FVAP wrote in its review of the 2000 voting pilot. The question is whether a risky online system is better than the fraud-prone and sometimes unreliable manual system the country has used for centuries.
Jefferson argues that to build a totally secure online system, you'd have to redesign the entire architecture of the Internet. Companies also would have to build safer computers and operating systems, and consumers would have to replace their old machines. That would take "on the order of a decade, at best," Jefferson says. And unless voters can have some physical receipt of how they voted, to prove their choice in a recount, online voting will never be as safe as other online activities, such as banking or shopping, he contends.
Internet voting advocates call opponents Chicken Littles who overstate dangers and overreact to the possibility of fraud. But some supporters of online voting also have overstated the problems with absentee voting-saying, for example, that FVAP found one-third of overseas voters can't participate in elections. That's not true. The figure stems from a misunderstanding of a limited study FVAP conducted on military voters who chose not to participate in 2000. But it reveals supporters' fundamental conviction that the paper system doesn't serve voters' interests if it prevents, or discourages them, from voting; which, in some cases, it does.
The two sides in the Internet voting debate hold their beliefs with nearly religious conviction. Jefferson believes that to prove a system is absolutely secure requires mathematical equations beyond current human comprehension. Until computers are safe, Jefferson says of SERVE, "I feel a responsibility to kill it. . . . And to keep killing it." Shamos says that while "all the engineering risks they bring up are worthy of serious consideration, that doesn't mean their probabilities are high. . . . We didn't close all the banks the day the first one got robbed."
Ultimately, the government can only cross this digital divide by taking a leap. In the Democratic primary in Michigan earlier this year, voters cast ballots online. So far, no major security breaches have been reported, and by all accounts, voter turnout was up. For a time, it seemed the federal government might blaze a similar trail. But for now, FVAP officials must wait. And all around the world, 6 million must people decide if it's worth their time to try to vote this fall.
April 1, 2004