The Direct Recording Electronic Voting Machine (DRE) Controversy: FAQs and Misperceptions

The Direct Recording Electronic Voting Machine
(DRE) Controversy: FAQs and Misperceptions
Updated March 7, 2007
Eric A. Fischer
Senior Specialist in Science and Technology
Resources, Science, and Industry Division
Kevin J. Coleman
Analyst in American National Government
Government and Finance Division

The Direct Recording Electronic Voting Machine (DRE)
Controversy: FAQs and Misperceptions
Summary
Most voting systems used in U.S. elections rely on computers in some way. The
most computerized is the direct recording electronic voting machine, or DRE. In this
system, votes are recorded directly onto computer memory devices. While DREs
have been in use since the early 1990s, questions about their security and reliability
were previously a relatively minor issue, even following the November 2000
presidential election and the subsequent congressional deliberations leading to the
enactment of the Help America Vote Act of 2002 (HAVA, P.L. 107-252).
However, at least two factors led to a sharp increase in public concerns about
DREs, beginning in 2003. First, the voting accessibility provisions in HAVA
promote the use of DREs, which have been the only kind of voting system that can
meet the HAVA requirements to permit persons with disabilities, including
blindness, to vote privately and independently. Second, potential security
vulnerabilities with DREs were publicized as a result of several studies. Several bills
were introduced in the 109^th Congress that would address these issues in different
ways; a number of similar bills have been introduced thus far in the 110^th Congress.
In the public debate about DREs, there has been some confusion about what the
problems and issues are, arising to a significant degree from the complexity of DREs
and of elections in general. This confusion can lead to misperceptions about facts as
well as issues and options for resolving them. Several points are worth noting:
DREs do have unique security concerns and have only recently been studied by
the scientific community. However, most problems in recent elections were not
associated with DREs. Security flaws in them are not known to have compromised
any elections, and it is not clear how much of a threat those vulnerabilities pose to
election integrity in practice, especially in comparison to other kinds of threats. The
different models of DREs in current use vary substantially in design, and problems
that one model exhibits may not occur in others. Many of the problems that have
occurred are procedural, not weaknesses in the technology itself.
It is not clear whether the unique security problems posed by DREs are best
addressed by requiring that they produce paper ballots or by other means. While
paper has useful security properties and is well-known, other methods exist that
might be superior. Furthermore, paper ballots used with DREs (called voter-verified
paper audit trails, or VVPAT) are largely unproven and it is not clear how well they
can meet HAVA requirements for accessibility or other goals such as usability.
As the 110^th Congress considers proposals relating to DREs, salient issues might
include the lack of information about DRE security, especially in relation to other
systems and other components of election integrity; potential conflicts with HAVA
requirements that might be associated with the proposals; how those proposals might
impact voter confidence; and what impacts they might have on future innovation that
could greatly improve the transparency and integrity of elections. This report will be
updated in response to major developments.

Contents
FAQs and Misperceptions...........................................2
Problems with DREs...........................................2
Were DREs the source of most election problems since 2004?......2
Have DREs been thoroughly tested in the scientific community?.....4
Are there any unique security concerns with DREs?...............5
Have DRE security flaws compromised any elections?............6
Do security flaws in DREs pose the greatest threat to
election integrity?......................................7
Do all types of DREs have the same problems?..................8
Do problems with DREs result from weaknesses in the
technology itself?......................................9
Is certification of DREs under federal and state voting system
standards sufficient to make them secure?...................9
Voter-Verified Paper Audit Trails (VVPAT).......................10
Can DREs be made sufficiently secure without a paper ballot?.....10
Does a VVPAT ensure that a voter knows how votes were recorded
on a DRE?..........................................11
Are paper-based ballots the most secure?......................12
Are paper ballots essential to ensure transparency in an election?...14
Does VVPAT violate ballot secrecy?.........................14
Do paper ballots pose only a minor inconvenience for persons
with disabilities?.....................................14
Is VVPAT a proven technology that is simple to implement?......15
Recounts and Audits..........................................16
Is an audit of an election the same as a recount?.................16
Will a partial recount determine if fraud occurred?...............16
Are hand counts more accurate than machine counts?............17
Possible Issues for Congress........................................18

The Direct Recording Electronic Voting
Machine (DRE) Controversy: FAQs and
Misperceptions
Most voting systems used in federal, state, and local elections in the United
States rely on computers in some way. The most computerized is the direct recording
electronic voting machine, in which votes are recorded directly onto computer
memory devices. DREs are the most technologically advanced of current voting
systems. They and other forms of electronic voting offer substantial promise for¹
improving elections for both voters and election officials.
Questions about the security and reliability of DREs were a relatively minor
issue until 2003. Two factors led to a sharp increase in public concerns about them:
(1) the Help America Vote Act of 2002 (HAVA) requires at least one voting machine
in each precinct to fully accommodate disabled voters and DREs are the only system
that currently meets this requirement; and (2) the security vulnerabilities of DREs
were widely publicized as the result of several studies released in 2003.²
Much of the debate over DREs has focused on whether they should be required
to produce a paper ballot that can be verified by the voter as a solution to potential
vulnerabilities. This approach is often called the voter-verified paper audit trail^th^th
(VVPAT). Bills to require VVPAT were introduced in the 108 and 109
Congresses, but there is divided opinion about both VVPAT and the security
vulnerabilities of DREs, particularly with respect to the comparative vulnerabilities
of other voting methods and various other aspects of election administration.
Proposals to require that DREs use VVPAT or another method of verification have
been seen by some observers, including many computer-security experts, as the
method of choice for addressing the concerns. However, others, including many
election officials,³ believe that VVPAT is unnecessary or even counterproductive and
that security issues are best addressed through other approaches.
The public debate about DREs and VVPAT has led to some confusion about the
problems and issues involved, and as a consequence, the options that might resolve

¹ See, for example, Caltech/MIT Voting Technology Project, Voting: What is, what could
be, July 2001, [http://www.vote.caltech.edu/reports/2001report.htm]; National Research
Council, Asking the Right Questions about Electronic Voting, (Washington, DC: National
Academies Press, 2005).
² For in-depth discussion, see CRS Report RL32139, Election Reform and Electronic Voting
Systems (DREs): Analysis of Security Issues, by Eric A. Fischer.
³ See, for example, CRS Report RL32938, What Do Local Election Officials Think about
Election Reform?: Results of a Survey, by Eric A. Fischer and Kevin J. Coleman.

them. The questions and answers that follow address selected issues and
misperceptions concerning DREs and VVPAT, in an effort to clarify and inform the
ongoing policy discussion.
FAQs and Misperceptions
Questions that arise frequently with respect to the controversy surrounding
DREs and possible misperceptions in the debate can be classified into three
categories: those relating to DREs themselves, those that relate to paper audit trails,
and those that relate to recounts and audits. Questions in each of those categories are
addressed in turn below.
Problems with DREs
Were DREs the source of most election problems since 2004?
Voters in various jurisdictions across the country experienced difficulties with the
voting process in the November 2004 election, and to some extent in 2006, but
problems with DREs were a comparatively minor issue on the whole. Both during
and after the elections, the media reported issues with voter registration, the rules for
counting provisional ballots, the length of time required to vote, absentee ballot
problems, and allegations of voter intimidation and fraud, along with reports about
malfunctions of voting equipment, including DREs.
A number of malfunctions relating to DREs were covered prominently in media
reports on election problems, particularly problems in Franklin County, Ohio, and
Carteret County, North Carolina (discussed in greater detail below), in 2004, and
Sarasota County, Florida, in 2006. Various glitches and procedural problems were
reported with DREs in other states as well, but machine malfunctions that could not
be attributed to human error were the exception in 2004 according to a compilation
of media reports by the Election Reform Information Project.⁴ Two significant
problems were reported in 2006.⁵ One was “vote flipping” on touchscreen machines,
in which a voter reports that the DRE displayed a different choice (usually adjacent
on the screen) from the one the voter intended. This problem could be caused by
inaccurate touching of the screen by the voter, or by miscalibration of the screen. A
potentially more serious problem was an apparent discrepancy in ballot totals in the
race for the House seat in Florida’s 13^th congressional district, where the apparent
undervote in the Sarasota County part of the district was several times that in parts
of the district in other counties. However, the most likely explanation for the high

⁴ Election Reform Information Project, The 2004 Election, December 2004,
[ h t t p: / / www.e l e c t i onl i n e .or g/ Por t a l s / 1/ Publ i c a t i ons / El e c t i o n % 2 0 R e f o r m% 2 0 B r i e f i n g% 2

09.pdf].

⁵ —— — , The 2006 Election, November 2006, [http://www.electionline.org/Portals/1/
Publications/EB15.briefing.pdf].

undervote appears to be faulty ballot design, not a hardware or software problem with
the DREs.⁶
In comparison, many problems have been associated with provisional and
absentee ballots. A survey⁷ sponsored by the federal Election Assistance
Commission (EAC) and performed by Election Data Services⁸ found that in 2004 at
least 1.9 million voters cast provisional ballots nationwide, which were counted or
not according to different rules in the various states. In Ohio, which required that a
provisional ballot be cast in the voter’s home precinct, approximately 22% of the

157,714 provisional ballots cast in the state were not counted (nearly 34,000 ballots).

The percentage of provisional ballots counted by states ranged from 0% (Idaho) to

100% (Maine), with an average of about 50%.

With respect to military and overseas voters, a survey of 761 local election
officials by the National Defense Committee, a private organization, reported that
126,952 absentee ballots were mailed to members of the military and citizens living
abroad in 2004, and 94,359 were returned and counted in 2004.⁹ More than 30,000
of the absentee ballots in this survey (approximately 26%) were not returned at all,
were disqualified for procedural reasons, or were returned too late to be counted.
Long lines also plagued voters in many states in 2004, with some waiting hours
to cast a ballot (one Ohio voter reportedly waited 10 hours to vote). While it is
impossible to know how many voters abandoned lines without voting, long lines
impede the voting process and create a final obstacle at the polling place for those
who turn out to vote.¹⁰ In 2006, problems with voter registration and polling-place
administration were more commonly reported.
Among other sources, the Election Incident Reporting System, affiliated with
the Verified Voting Foundation, a VVPAT advocate, recorded 42,841 complaints
about the 2004 election, 11% of them relating in whole or part to voting machines.¹¹

⁶ Laurin Frisina, Michael C. Herron, and others, “Ballot Formats, Touchscreens, and
Undervotes: A Study of the 2006 Midterm Elections in Florida,” working paper, December

3, 2006, available at [http://www.dartmouth.edu/~herron/cd13.pdf].

⁷ Election Assistance Commission, “Election Day Survey,” October 3, 2005,
[ ht t p: / / www.eac.gov/ el ect i on_sur ve y_2004/ t oc.ht m] .
⁸ EDS [http://www.electiondataservices.com] is a private consulting firm founded in 1977
that works on election administration, redistricting, and related matters.
⁹ National Defense Committee, Military and Overseas Absentee Voting in the 2004
Presidential Election, Mar. 30, 2005, [http://www.nationaldefensecommittee.org/pages/
absentee_voting.html ].
¹⁰ Many states require that employers provide employees time off to vote, generally about
two hours during the time the polls are open. Additional time to vote, if an employer
permitted it, would likely be unpaid time. Long lines may also make voting more difficult
for certain disabled voters.
¹¹ Election Incident Reporting System, “Nationwide Election Incidents: Election Year

2004,” [https://voteprotect.org/index.php?display=EIRMapNation&cat=ALL&search=

(continued...)

Most of the complaints in that data set related to registration or polling place
problems.
The major alternative voting system to DREs is optical scan, which uses paper
ballots, usually marked by hand, that are read electronically. In 2006 almost half of
voters used optical scan, and 40% used DREs.¹² While technologically far simpler
than DREs, optical scan systems are not immune from problems, and many of the
difficulties reported in 2004 and 2006 were for these systems. However, media
reports and statements by activists and others sometimes do not distinguish between
the two types, lumping them together as “electronic voting systems.” To the extent
that voters, in contrast, reserve this term for DREs, public confusion and
misunderstanding about the source of voting-system problems can result. In addition,
if such reports and statements fail to distinguish between procedural and
technological problems, mishaps that result from human error may be erroneously
regarded as problems with the technology.¹³
Have DREs been thoroughly studied in the scientific community?
DREs have been tested by scientists, but the systems have not generally undergone
the kind of open scientific scrutiny that might be expected. They are proprietary
machines, and manufacturers require confidentiality agreements of those who wish
to acquire them. Testing is done as part of federal and state certification processes,
but detailed results are not publicly available at present. More detail has been
provided in only a relatively few cases, such as the analysis of software obtained
from a manufacturer’s unsecured website in 2003, subsequent studies by the states¹⁴
of California, Maryland, and Ohio, and a few independent reports. Most of those

¹¹ (...continued)
&go=Apply+filter&tab=ED04], n.d.
¹² See, for example, Election Data Services, “Almost 55 Million, or One-Third of the
Nation’s Voters, Will Face New Voting Equipment in 2006 Election,” Press Release,
October 2, 2006, available at [http://www.edssurvey.com/images/File/ve2006_nrpt.pdf].
¹³ Of course, such connections are not always in error. For example, if DREs require more
complex procedures than optical scan systems, that could create more potential for human
error.
¹⁴ Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin, and Dan S. Wallach, “Analysis
of an Electronic Voting System,” Johns Hopkins Information Security Institute Technical
Report TR-2003-19, July 23, 2003, [http://avirubin.com/vote.pdf]; Science Applications
International Corporation (SAIC), “Risk Assessment Report: Diebold AccuVote-TS Voting
System and Processes” (redacted), SAIC-6099-2003-261, 2 September 2003, (link not
available); Maryland Department of Legislative Services, “A Review of Issues Relating to
the Diebold AccuVote-TS Voting System in Maryland,” January 2004, [http://mlis.state
.md.us/Other/voting_system/final_diebold.pdf]; Maryland Department of Legislative
Services, “Trusted Agent Report: Diebold AccuVote-TS Voting System,” prepared by
RABA Technologies Innovative Solution Cell, 20 January 2004,
[http://mlis.state.md.us/Other/voting_system/trusted_agent_report.pdf]; Ohio Secretary of
State, “Statewide Voting Systems,” October 18, 2005, [http://www
.sos.state.oh.us/sos/HAVA/hava.aspx?section=4]; Harri Hursti, “Diebold TSx evaluation:
Critical security issues with Diebold TSx,” May 2006,
[http://www.bbvdocs.org/reports/BBVreportIIunredacted.pdf]; David Wagner, David
(continued...)

studies focused on DREs made by Diebold, one of several manufacturers of these
systems.
HAVA has established some procedures, including the formal involvement of
the National Institute of Standards and Technology (NIST) and the science and
technology communities, in the standards-development and certification processes
(§214 and §221). These and other factors may lead to an increase in the involvement
of scientists in the study of DREs and other aspects of election administration. That
has already happened to some extent, with, for example, the establishment of the
Voting Technology Project by the California Institute of Technology and the
Massachusetts Institute of Technology,¹⁵ the involvement of the American
Association for the Advancement of Science (AAAS) and the National Research
Council in election reform issues,¹⁶ and the awarding of a major grant by the National
Science Foundation to several institutions to establish a center for voting technology
research.¹⁷
Are there any unique security concerns with DREs? DREs currently
in use have a unique set of security vulnerabilities, which has been demonstrated by
several of the studies cited above (See footnote 12). It results from the same feature
— reliance on a computer for casting and recording of votes in a single machine —
that gives DREs their capabilities in accessibility, usability, and efficiency. Because
the machines rely on complicated software, it is at least theoretically possible that
someone could insert hidden computer code that would add, subtract, or change
votes. There are several things that such malicious code, or malware, might do. In
the best known potential exploit, the hidden code would cause the DRE to record a
different vote from what the voter sees on the face of the machine. Another
possibility is that the malware could change vote totals after they had been recorded
but before they are downloaded for tallying.
While an optical scan or punchcard counter could also be programmed to record
a different vote from that intended by the voter, with those systems the ballot that the
voter saw is preserved as part of normal practice and can be checked independently

¹⁴ (...continued)
Jefferson, and Matt Bishop, “Security analysis of the Diebold AccuBasic interpreter,”
[ [ h t t p : / / www.s s . c a .gov/ e l e c t i ons / vot i n g_ s y s t e ms / s e c u r i t y _ a n a l y s i s _ o f _t he _di e bol d_a c c u
basic_interpreter.pdf], February 2006]; Ariel J. Feldman, J. Alex Halderman, and Edward
W. Felten, “Security Analysis of the Diebold AccuVote-TS Voting Machine,” September

13, 2006, [http://itpolicy.princeton.edu/voting/ts-paper.pdf].

¹⁵ Caltech-MIT/Voting Technology Project, [http://www.vote.caltech.edu].
¹⁶ See, for example, Committee on Scientific Freedom and Responsibility, American
Association for the Advancement of Science, “Statement on the Importance of Research on
the U.S. Voting System,” February 2005, available at [http://www.aaas.org/spp/sfrl/
committees/csfr/VotingStatement.pdf]; National Research Council, “Letter report on
Electronic Voting,” July 20, 2006, [http://www7.nationalacademies.org/cstb/
letter_evoting.html ].
¹⁷ The institutions involved include five universities — Johns Hopkins, Rice, Stanford,
California at Berkeley, and Iowa — and SRI International See Avi Rubin, “ACCURATE,”
[http://accurate-voting.org], September 30, 2005.

by another machine or a human. That is not possible with a DRE, where the choices
the voter sees on the face of the machine are ephemeral — they are reset when the
voter casts the ballot. The actual record of the voter, preserved on an electronic
medium, is not something the voter ever sees. In that way, DREs are like lever
machine voting systems, in which casting a ballot advances mechanical counters,
which the voter cannot see, and resets the levers for the next voter. The difference
is that any tampering with lever machines would have to be done one machine at a
time, whereas malicious code need be inserted into DRE software only once, before
it is loaded onto the machines. As with lever machines, lost or changed votes could
result from malfunction as well as intentional tampering.
It is generally recognized that this vulnerability of DREs poses at least a
theoretical risk. The controversy arises over whether it poses a significant risk in
practice, and, if so, what is the most appropriate response. Some DRE proponents
claim, for example, that the design of DREs prevents the writing of malware that
could change votes in a predictable way in practice. Others claim that following
appropriate security and audit procedures is sufficient to prevent successful
tampering and that modern DREs, when properly managed, have less risk of losing
votes through malfunction than any other voting system. Many DRE critics state, in
contrast, that those claims are wrong or cannot be substantiated, and that the only
effective solution is a permanent paper ballot that the voter has verified, or some
other method of verification that is independent of the technology used to cast and
count the votes. In fact, most experts believe that it is impossible to prove that a
complex system, such as a DRE or any other voting system,¹⁸ is secure against all
possible threats. The question is rather whether they can be made sufficiently secure
to make the risk from attempts at tampering acceptably low.
Have DRE security flaws compromised any elections? There were
no substantiated reports from any state of compromised elections due to security
flaws that involved computer hacking or similar attacks in 2004.¹⁹ As one observer
has noted, “Unlike paper ballots, in the history of DREs, no one has found any
evidence of the machines being used for fraudulent purposes.”²⁰ Malfunctions occur,
but most problems that have occurred with DREs can be attributed to human

¹⁸ Even the most technologically unsophisticated voting system — the hand-counted paper
ballot — is complex in practice because of the procedures required to generate, control, cast,
and count the ballots.
¹⁹ Just after the November 2004 election, a New York Times article about electronic voting
problems noted that “There is also no way to be sure that the nightmare scenario of
electronic voting critics did not occur: votes surreptitiously shifted from one candidate to
another inside the machines, by secret software…It’s important to make clear that there is
no evidence such a thing happened, but there will be concern and conspiracy theories until
all software used in elections is made public.” (“About Those Election Results,” New York
Times, November 14, 2004). Whether making voting-system software available for public
inspection is the best or even an appropriate solution to security concerns remains
controversial (CRS Report RL32139, Election Reform and Electronic Voting Systems
(DREs): Analysis of Security Issues, by Eric A. Fischer).
²⁰ Arrison, Sonia, “In Praise of E-Voting Machines,” July 8, 2005,
[ h t t p : / / www.t echnewswor l d.com/ s t o r y/ 44476.ht ml ] .

mistakes or procedural errors, rather than security issues. In one of the most
celebrated DRE malfunctions in 2004, voting machines in Carteret County, North
Carolina, stopped counting ballots once 3,005 voters had voted, although they
appeared to continue accepting votes. Poll workers expected the machines to
accommodate 10,000 voters. An estimated 4,500 votes were lost as a result,
attributable to a lack of human oversight in upgrading machine capacities rather than
a security breach or an attempt to commit fraud.²¹ Because of a close vote in one
county race, a second election was required to resolve the contest, a very rare
occurrence.
The widely reported problem of an overcount in Franklin County, OH, in 2004,
occurred when a laptop was used in a precinct to communicate the unofficial tallies
from a DRE memory cartridge to the central office. The total number of voters
casting ballots in the precinct was 638, but the number initially reported as casting
a vote for President exceeded 4,500. The memory cartridge itself and other
redundant memory for the DRE contained the correct count, and the error was
quickly discovered and corrected.²² The problem was diagnosed by the DRE vendor
as a technical flaw relating to communication between the memory cartridge and the
laptop, and controls were added to prevent the problem in future.²³ The undervote
problem in 2006 in Sarasota County, Florida, which some have attributed to
hardware or software problems with the DREs, is discussed earlier in this report.
Aside from the unique security challenges posed by DREs, human interaction
with electronic voting machines involves a chain of custody that parallels any other
type of voting equipment or method. In this regard, there have been reports of
questionable behavior by poll workers, election officials, and vendors with respect
to DREs, as with other voting methods. It is not likely that most poll workers possess
the knowledge to alter lever, optical scan, or DRE voting machines, and security
measures should be designed to address the unique characteristics of each type of
voting system to prevent tampering and fraud. Nevertheless, some observers point
out that a successful attempt to tamper with DRE software may be especially difficult
to detect. If so, discovery of any resultant fraud could be unlikely. Some also believe
that the threshold for investigation of possible election fraud is too high in many
states and that, as a result, many attempts at tampering may go undetected, no matter
what voting system is used.
Do security flaws in DREs pose the greatest threat to election
integrity? While current DREs have unique security flaws, it has not been
established that they pose a greater risk to the integrity of elections than other kinds
of problems. The unique concern about DREs and, to a lesser extent, other
computer-assisted voting systems, such as optical scan, is the risk from malware,

²¹ Mark Schreiner, “N.C. Electronic Voting Tallies Up Widespread Confusion,” Wilmington
Star-News, Nov. 17, 2004.
²² Robert Vitale, “No New Discrepancies Found in Vote Tally,” The Columbus Dispatch,
November 27, 2004.
²³ Board of Elections, Franklin County, Ohio, “ELECTION 2004: A Report to the
Community,” February 11, 2005, available at [http://www.electionline.org/Portals/1/
Resource%20Library/Franklin.County.OH.2004.pdf].

described above. Some experts and activists are concerned that hidden malware
could be successfully implanted by an insider, during manufacture or at some other
point before distribution, and could be used to impact elections at the national level
without detection. For this reason, some observers consider security flaws in DREs
to be of major concern to the integrity of elections.
All voting systems have security vulnerabilities, and about 60% of voters in
2006 used systems other than DREs.²⁴ Optical scan systems were used by more
voters, and security vulnerabilities have also been demonstrated with those systems.²⁵
However, the proportion of voters using DREs could continue to increase as a result
of HAVA’s accessibility requirements, since DREs are currently the only kind of
voting system that is generally agreed to meet those requirements.
There are many other potential threats to the integrity of elections. Most are not
related to voting-system technology.²⁶ Possible threats include such things as voter-
registration fraud, voter intimidation and misdirection, absentee-ballot fraud, flawed
election procedures, poor ballot design, poor functional design or maintenance of
voting equipment, and significant procedural error. Recent evidence indicates that
most lost votes result from voter registration, polling place, and usability problems,
not security issues.²⁷ Some experts argue that such flaws pose a greater threat to the
integrity of elections than recent concerns about DRE security, and too much
attention is currently being paid to the latter. Unfortunately, there does not appear
to be sufficient information available to determine objectively which kinds of threat
should be of highest priority to counter, although some observers argue that software
attacks are the least difficult type to mount against voting systems.²⁸
Do all types of DREs have the same problems? DREs are actually
more diverse than any other kind of voting system currently in use. There are several
different kinds, by several different manufacturers. First introduced in the 1970s, the
systems vary significantly in age, capability, and features. Some present voters with
a full-face ballot and register choices via microswitches that the voter presses.
Others present ballot pages on a computer screen and register choices via a

²⁴ Election Data Services, Press Release.
²⁵ See, for example, Harri Hursti, “Critical Security Issues with Diebold Optical Scan
Design,” The Black Box Report, July 4, 2005,
[http://www.blackboxvoting.org/BBVreport.pdf]; Brennan Center Task Force on Voting
System Security, “The Machinery of Democracy: Protecting Elections in an Electronic
World,” 2006, [http://www.brennancenter.org/stack_detail.asp?key=97&subkey
=36343&init_ke y= 10].
²⁶ For a discussion of technological and some other threats, see National Institute of
Standards and Technology, “Developing an Analysis of Threats to Voting Systems,”
October 7, 2005, [http://vote.nist.gov/threats/index.html].
²⁷ Caltech/MIT Voting Technology Project, Voting: What Is, What Could Be, July 2001,
[http://www.vote.caltech.edu/reports/2001report.htm]; Charles Stewart III, “Residual Vote
in the 2004 Election,” Caltech/MIT Voting Technology Project Working Paper #25,
February 2005, [http://vote.caltech.edu/media/documents/wps/vtp_wp25.pdf].
²⁸ Brennan Center, “Machinery of Democracy.”

touchscreen mechanism, point-and-click device, or some other mechanical method.
Only more recently manufactured DREs have accessibility features for persons with
disabilities. Older models are also more likely to have problems and may have been
the source of most of the lost votes attributed to this kind of voting system in the

2000 election.²⁹

While at some level DREs all share the vulnerability to malware discussed
above, security features and vulnerabilities also vary among types and models of
DRE. Consequently, a failure or weakness identified or experienced with one
particular system will not necessarily be applicable to others.³⁰ That is also true with
respect to other technological issues such as reliability. For example, the DREs that
failed in Carteret County, NC (discussed above), were an older model with more
limited computer memory than more recent systems.
Do problems with DREs result from weaknesses in the technology
itself? DREs have vulnerabilities, as noted above, but most of the incidents
identified with those voting machines appear to have resulted from procedural
problems rather than any inherent weakness in DRE technology itself.³¹ DREs are
computer-based systems, as are optical scan counters, many voter registration
databases (as required in all states by HAVA starting in January 2006), and other
aspects of election administration, and they are subject to the same problems as any
computer-based system. But preventable problems that result from human error,
such as administrative or procedural mistakes, and problems that occur with optical
scan ballot counters, not DREs, are often conflated in the public eye with weaknesses³²
in DRE technology.
Available evidence also indicates that DREs, when properly implemented, can
provide performance substantially superior to the systems they replace. A study on

²⁹ The Caltech/MIT Voting Technology Project, “Residual Votes Attributable to
Technology: An Assessment of the Reliability of Existing Voting Equipment,” VTP
Working Paper #2, March 2001, [http://vote.caltech.edu/media/documents/wps/
vtp_wp2.pdf].
³⁰ For example, if the data used to draw the ballot on the computer screen are stored in
graphic rather than text format, it may be more difficult for malware planted upstream from
the election jurisdiction to identify the candidates or their affiliations.
³¹ Also, most of the cited security and reliability weaknesses for DREs and optical scan
systems summarized in a recent Government Accountability Office study were procedural
and administrative — and included vendors, testing authorities, and election administrators
— although significant technology flaws were also reported (Government Accountability
Office, Federal Efforts to Improve Security and Reliability of Electronic Voting Systems Are
Under Way, but Key Activities Need to Be Completed, GAO-05-956, September 2005,
[http://www.ga o.gov/new. items /d05956.pdf]).
³² For example, one of the most critical recent accounts of electronic voting includes a list
of more than 100 examples of problems, culled from media reports and other sources. The
list combines various kinds of problems with DREs and optical scan counters and does not
provide an analysis of the kind of system with which the problem occurred or the cause (Bev^st
Harris, Black Box Voting: Ballot Tampering in the 21 Century (High Point, North Carolina:
Plan Nine Publishing, 2003), p. 16 — 55).

the residual vote rate (the percentage of ballots that did not record a vote for
President) between 2000 and 2004 found that jurisdictions that changed to DREs
from any type of voting system lowered the rate, particularly those changing from
punch cards to DREs.³³ While any change in voting system reduced the residual vote
rate, DREs performed comparatively well by this measure. Although the residual
vote rate is an imperfect measure because some voters may intentionally skip one or
more races, it does provide some evidence of voting system performance.
Is certification of DREs under federal and state voting system
standards sufficient to make them secure? In general, certification standards
with appropriate security provisions are considered to be necessary but not sufficient
to achieve an acceptable level of security. They provide only a baseline of features,
controls, and performance that a system should exhibit as part of an overall security
strategy. The DREs in which security vulnerabilities had been discovered in the
studies cited above had in fact been certified under the federal voting system
standards (VSS).³⁴ While it is not clear whether the certification testing of those
systems identified any of the problems that were discovered in the studies, the
process did not in any case prevent those systems from being certified and deployed
with the vulnerabilities present.
The Election Assistance Commission guidelines (called the Voluntary Voting
System Guidelines or VVSG) that are replacing the VSS have more extensive³⁵
security requirements, but the above example shows that certification alone is not
sufficient protection against security vulnerabilities, and it is not generally considered
to be so. There are at least two reasons for this. First, the security threat
environment for information technology in general is constantly evolving, with new
threats arising on a regular basis. Consequently, it is unrealistic to expect
certification under a comparatively static standard to anticipate and protect against
all new kinds of threats that may arise against voting systems that rely on information
technology. Second, the VVSG process leads to certification of technology, but
procedures and personnel are equally important to effective security and often pose
significant vulnerabilities.³⁶ In addition, standards often require compromise to
balance different functions and goals — such as accuracy, security, speed, usability,
and cost — and unless security is considered paramount, it will of necessity be
subject to such compromise.

³³ The largest drop in the residual vote rate was 1.46% (punch cards to DREs), and the
smallest was 0.61% (no change in voting equipment). Charles Stewart III, Residual Vote
in the 2004 Election, Caltech/MIT Voting Technology Project, February 2005.
³⁴ These voluntary standards were developed under the auspices of the Federal Election
Commission, with the most recent version released in 2002 (see CRS Report RS21156,
Federal Voting Systems Standards and Guidelines: Congressional Deliberations, by Eric
A. Fischer). However, the tested systems had been certified under the 1990 VSS, which had
a much less extensive section on security.
³⁵ See CRS Report RL33146, Federal Voluntary Voting System Guidelines: Summary and
Analysis of Issues, by Eric A. Fischer.
³⁶ See CRS Report RL32777, Creating a National Framework for Cybersecurity: An
Analysis of Issues and Options, by Eric A. Fischer.

Voter-Verified Paper Audit Trails (VVPAT)
Can DREs be made sufficiently secure without a paper ballot? If the
vulnerabilities discussed above pose a significant risk for DREs in practice, there are
methods other than adding paper ballots which could be used to address them.
Unfortunately, none of these methods, including paper, have been sufficiently
developed to compare efficacy, practicality, and cost in a meaningful way.
Paper ballots used with DREs — usually called a voter-verified paper audit trail,
or VVPAT — provide a permanent, independent record of votes that can be verified
by the voter before casting the ballot. VVPAT is one of a class of security methods³⁷
called independent verification (IV). These methods have in common the creation
of two truly independent records of the voter’s choices that the voter can verify and³⁸
that can be compared in any audit. Another IV method, audio recordings of ballot
choices, may be more voter-friendly than paper and exhibit superior verifiability.³⁹
The above methods do not provide true voter verifiability, because the voter can
verify the ballot only before it is cast. A third method uses cryptographic
techniques⁴⁰ to allow the voter to verify after casting the ballot that it was counted⁴¹
correctly, without violating ballot secrecy. It also permits voters to verify that no
ballots were changed, added, or subtracted inappropriately — a feature known as
results verifiability. Thus, this method could potentially make the election process
far more transparent than is possible with other approaches.
Methods could also be developed that do not require the voter to separately
verify the choices made on the DRE. Conceptually, this approach would be

³⁷ See Election Assistance Commission, “Independent Verification Systems,” Voluntary
Voting System Guidelines, Vol. 1, Appendix C, December 13, 2005, [http://www.eac.gov/
VVSG%20Volume_I.pdf]. In December 2006, the EAC’s Technical Guidelines
Development Committee effectively replaced the concept of IV with the similar but
somewhat more restrictive concept of software independence, or SI (see
[http://vote.nist.gov/meeting20061204.htm]).
³⁸ Most DREs record three separate electronic records of the voter’s choices, but they are
not independent of each other. They are simply separate recordings of a single event — the
choices generated by the DRE when the voter casts the ballot. IV systems would add
another, separately verified record, usually but not necessarily involving another medium
such as paper or audio.
³⁹ Sharon B. Cohen, “Auditing Technology for Electronic Voting Machines,” Masters
Thesis, Massachusetts Institute of Technology, May 19, 2005, available at
[ ht t p: / / www.vot e .cal t ech.edu/ me di a/ document s / dr a f t % 20a.pdf ] .
⁴⁰ The cryptographic technique of authentication permits a person who receives encrypted
information to verify that the information is authentic — that it is legitimate and has not
been altered in any way. This may be paired with techniques to assure confidentiality —
that the recipient cannot read the information but only verify that it is authentic. One
nonelectronic analogy is the use of a secure envelope that shows evidence of any tampering
and is extremely difficult to counterfeit.
⁴¹ The method is called “end-to-end (cryptographic) IV” in the EAC guidelines.

equivalent to taking a separate snapshot of the ballot choices listed on the face of the
DRE just before the voter casts the ballot.
Security methods other than an independent ballot record might also provide
ways to sufficiently manage any risks. For example, product standards for secure
computing, such as the Common Criteria,⁴² could be combined with sufficiently
stringent engineering and administrative security practices to improve resistance to
tampering.
Does a VVPAT ensure that a voter knows how votes were recorded
on a DRE? One consequence of the secret ballot is that a voter cannot know how
his or her vote is recorded, unless certain cryptographic techniques are used. With
VVPAT, a voter is given the opportunity, before the vote is cast, to review a paper
printout of ballot choices made and to compare them to the choices listed on the DRE
display. If the voter finds a discrepancy, the ballot can be cancelled and a new voting
session begun. However, once the ballot is cast, the voter does not know what was
actually recorded in the DRE’s memory. Any discrepancies between the recorded
vote and the printout can be discovered only by election officials if they compare the
electronic and printed records after the election. The circumstances under which they
would do that will depend on state and local election law and procedures.
True voter verifiability, in which the voter can confirm that the ballot was
counted as intended, is possible without violating ballot secrecy, but is not currently
in use in U.S. federal elections. The simplest way to achieve verifiability is to have
ballots publicly counted and associated with the names of the voters — analogous to
a recorded vote in the House or Senate. A classic example in public elections would
be voice voting for candidates in a town-hall meeting. However, such methods
would eliminate ballot secrecy, which is generally regarded as an important safeguard
against voter fraud and coercion. Other methods, though, could be used that do not
compromise ballot secrecy. For example, cryptographic techniques used in national
security permit a secret message to be authenticated without revealing its contents.
Similarly, they can provide voters the ability to determine that their ballots were
counted accurately without revealing the actual votes cast (see above). Some systems
using this approach have been developed.⁴³
Are paper-based ballots the most secure? There appears to be an
assumption among many VVPAT advocates that paper ballots are far more secure
and less subject to fraud and tampering than are DREs, but whether that is so has not
been established as fact. It is generally accepted that paper has certain desirable
security features compared to electronic records — for example, it is durable; it can
be difficult to alter without detection; and it can be directly inspected without the use
of machines or devices.⁴⁴ However, paper also has several security weaknesses in

⁴² See CRS Report RL32777, Creating a National Framework for Cybersecurity: An
Analysis of Issues and Options, by Eric A. Fischer, for more detail.
⁴³ Ibid.
⁴⁴ This point has been made by several security experts in different public fora, perhaps most
(continued...)

comparison — for example, it is easy to manipulate by hand without specialized
tools; it does not eliminate risk from Trojan horses or other malware if counting is
done with the aid of computers; and, unlike electronic records, it cannot take full
advantage of the protections afforded through the use of cryptographic techniques,
although those techniques are not currently used in public elections in the United
S t at es.⁴⁵
The evolution of voting security can be considered a kind of arms race, with
new technologies developed to combat fraud, and miscreants evolving ways to attack
each new technology in turn. For example, the bribery associated with voice voting
in the eighteenth and early nineteenth centuries was countered by the use of paper
ballots, which evolved into ticket ballots provided by the political parties.
Subsequently, the Australian secret ballot was adopted to combat the fraud that
became associated with the ticket ballot, and the lever machine came into wide use
in part because it prevented certain kinds of fraud that had become prevalent even
with the Australian ballot.⁴⁶ For example, lever machines and DREs prevent a
particularly notorious kind of ballot fraud known as chain voting, in which each voter
obtains a previously marked ballot before entering the poll, deposits that ballot, and
leaves with the unmarked ballot the voter obtained in the polling place. That ballot
is then marked for the next voter. Other classic forms of ballot fraud with paper
ballots include such methods as stuffing of the ballot box, altering or substituting
ballots, and producing fraudulent counts.⁴⁷ At least some of these methods can be
made more difficult with the proper use of voting technology, including lever
machines, DREs, and counting devices, although all of those systems have potential
vulnerabilities of their own. In addition, recent technological advances have made
production of counterfeit ballots and other methods for tampering with paper ballots
potentially more feasible.⁴⁸
The arms-race characteristics of the evolution of voting systems strongly
suggests that VVPAT would have exploitable vulnerabilities that might not yet be

⁴⁴ (...continued)
notably David Jefferson, a computer scientist at Lawrence Livermore National Laboratory
who chaired the California Secretary of State’s Task Force on Internet Voting.
⁴⁵ David Jefferson, “Internet Voting,” PowerPoint presentation, April 4, 2001 (on file).
However, Jefferson subsequently became a supporter of VVPAT.
⁴⁶ Joseph P. Harris, Election Administration in the United States (Washington, DC: The
Brookings Institution, 1934), pp. 1 — 20, 57 — 60, 261 — 264.
⁴⁷ See, for example, ibid., pp. 315 — 382. There do not appear to be any recent
comprehensive studies of ballot fraud (see Lori Minnite and David Callahan, Securing the
Vote: An Analysis of Election Fraud, report, April 14, 2003, available at
[http://www.demos.org/pub111.cfm); however, at least one recent book has compiled
various cases and allegations (see John Fund, Stealing Elections: How Voter Fraud
Threatens Our Democracy, (San Francisco: Encounter Books, 2004).
⁴⁸ Douglas W. Jones, “Chain Voting,” paper submitted for the workshop, “Developing an
Analysis of Threats to Voting Systems,” National Institute of Standards and Technology,
October 7, 2005, available at [http://vote.nist.gov/threats/papers/ChainVoting.pdf].

apparent.⁴⁹ For that and other reasons, a simple reliance on such a technological
solution, or any “magic bullet” countermeasure, is unlikely to be successful. In
general, effective security uses a layered, multifaceted approach that involves
procedural and technological safeguards as well as technology.⁵⁰ One threat analysis
that compared optical scan systems with DREs with and without VVPAT found that
all such systems exhibited vulnerabilities, and that effective countermeasures are
available against them, but that few jurisdictions had implemented such
countermeasures. The study also concluded that random partial recounts and audits
are particularly useful countermeasures, but that such recounts require paper and so
are unavailable for DREs without VVPAT.⁵¹
Are paper ballots essential to ensure transparency in an election?
There is not a generally agreed definition of transparency in the context of elections.
However, it is usually taken to mean that election processes are open and observable
in all of their essential parts, so that tampering, malfeasance, incompetence, and other
threats to integrity are difficult to hide. Voter verifiability is arguably an important
component of transparency, and to the extent that paper ballots provide verifiability,
they can be important to transparency. However, as discussed in more detail above,
the requirement for ballot secrecy as an anti-tampering measure severely limits the
ability of paper ballots to provide verifiability, and other methods may prove superior
when used with electronic voting systems. Consequently, paper ballots are not
essential to ensure the transparency of an election.
Does VVPAT violate ballot secrecy? The secret ballot has long been
recognized as important in the prevention of fraud and coercion in voting.⁵² Some
observers have misunderstood VVPAT as permitting voters to remove the printed list
of ballot choices from the polling place, which would compromise ballot secrecy.
However, that is not how this verification method works. As used in conjunction
with DREs, VVPAT can be seen by the voter but not handled or removed from the
polling place. As a result, they cannot be used by voters to prove how they voted.⁵³

⁴⁹ For descriptions of some possible threats, see National Institute of Standards and
Technology, “Threat Analyses & Papers,” October 21, 2005,
[http://vote.nist.gov/threats/papers.htm] .
⁵⁰ See CRS Report RL32139, Election Reform and Electronic Voting Systems (DREs):
Analysis of Security Issues, and CRS Report RL32777, Creating a National Framework for
Cybersecurity: An Analysis of Issues and Options, both by Eric A. Fischer, for more detail.
⁵¹ Brennan Center, “Machinery of Democracy.”
⁵² See, for example, Harris, Election Administration: “It appears that bribery was prevalent
in the colonies without the secret ballot, and constituted in all probability the worst abuse
in colonial elections” (p. 16).
⁵³ There is at least one exception: A voter could write in an agreed-to nonsensical name for
a contest that is not of interest. A corrupt election official could then examine the ballot and
identify that voter’s choices in contests that are of interest. However, this method is
possible for any consolidated ballot (it would not work with lever machines) and would
seem impractical for almost all public elections.

There is one way in which VVPAT can potentially compromise ballot secrecy.
Most current implementations print the ballot choices on a roll of paper. If someone
at the polling place keeps track of the order in which voters use a given DRE, which
is reportedly common practice in some jurisdictions, it would be possible to identify
which voter cast which ballot on that machine. However, there are several possible
countermeasures that could be implemented to combat this vulnerability. In fact, the
only voting method currently in use in federal elections for which violations of ballot
secrecy is a significant potential concern is the absentee or mail-in ballot.
Do paper ballots pose only a minor inconvenience for persons with
disabilities? Paper ballots have long posed problems for voters with disabilities,
including blind voters, some voters with impaired sight, and voters with other types
of disabilities that prevent them from filling out a paper ballot. In the past, a paper
ballot could be filled out by a person designated to do so by a disabled voter, but the
ballot was not secret, and blind voters had no means of verifying that their choices
were properly marked. At a polling place, a disabled voter needed to bring someone
with them or accept the assistance of someone at the polling place, often a stranger.
HAVA changed that arrangement by requiring that polling places provide at
least one voting machine that is accessible to voters with disabilities and provides the
same level of secrecy and verifiability as for other voters (§301(a)(3)). DREs
outfitted with a paper audit trail cannot be verified at present by certain disabled
voters, particularly blind and sight impaired voters. In a Senate Rules Committee
hearing on voter verification in June 2005, Senator Christopher Dodd, a HAVA
cosponsor, noted, “We say in HAVA that every voter must have the right to verify
their ballot before the ballot is cast…all of the legislation or most of it that has been
introduced excludes the ability of the disabled to have the same right. By insisting on
paper, we are denying the people who cannot read because they cannot see, or for
reasons otherwise cannot manually operate the system, a chance to verify what they
have done.”⁵⁴ The accessibility problems with paper ballots are potentially solvable
but would require the use of additional technology, such as electronic reading aids.
One exception is vote-by-phone, used in a few states such as Vermont as the
accessible voting system, in which the system produces a printed paper ballot which
it can then scan and read back to the voter to provide verifiability.
Is VVPAT a proven technology that is simple to implement? While
the basic technology used in VVPAT is proven, the system as a whole is not. The
VVSG include an approved federal standard for this verification method, but it does
not go into effect at the federal level until 2007. VVPAT also adds a significant level
of complexity to DRE voting, both because of the additional technology required and
the effort needed by a voter to compare the on-screen and printed ballots. It also adds
complexity to the administration of an election by requiring procedures for handling
and processing paper ballots in addition to the electronic ballot records. There was
little testing of VVPAT in public elections before the 2006 primaries. Most states

⁵⁴ Statement of Senator Christopher J. Dodd, Senate Rules Committee hearing on voter
verification in federal elections, June 21, 2005, available at
[http://rules.senate.gov/ h earings /2005/062105_hearing.htm] .

now require all voting systems to produce paper ballots,⁵⁵ and experience has been
mixed.
Among the drawbacks of VVPAT cited by critics is the added cost to states (in
addition to the cost of HAVA requirements), the lack of data on its performance, and
problems associated with the technology in actual use. There were reports of jammed
printers in some places in 2004.⁵⁶ Whether a paper trail assists voters in correcting
errors is unknown and probably difficult to measure. What little research is currently
available suggests that voters do not use it effectively as it is currently implemented.⁵⁷
Furthermore, one study found problems in the implementation of VVPAT that, if
uncorrected, could cast significant doubt on its ability to serve as the official ballot
record for recounts.⁵⁸
Recounts and Audits
Is an audit of an election the same as a recount? An election recount
is intended to confirm an election result, because a contest was particularly close or
for some other reason that called the initial result into question. The focus of a
recount is the voted ballot, rather than an examination of voting equipment or voting
processes. Recounts and the methods for triggering them vary by state. Some states
require an automatic (partial) recount for a close race; other reasons for conducting
a recount may include a demonstrated irregularity or other evidence that a result is
questionable and may require a recount, or a formal request by a candidate.
An audit is an in-depth examination of the accuracy of the voting process as a
whole, rather than just the voted ballots or election totals. With proper record-
keeping, an audit can facilitate a step-by-step examination of how a voting machine
recorded cast ballots and computed vote totals to determine whether it performed
accurately. Audits may also review the chain of custody for voting equipment,
printed ballots, registration lists (and the method of compiling them), deployment of
voting equipment, and the vote-counting process. Presumably, an audit can examine
any aspect of the election process that can be measured or recorded.

⁵⁵ Election Reform Information Project, “Voter-Verified Paper Audit Trail Laws &
Regulations,” September 20, 2006, [http://www.electionline.org/Default.aspx?tabid=290].
⁵⁶ Ted Selker, “Processes Can Improve Electronic Voting: A Case Study of an Election,”
Caltech/MIT Voting Technology Project, October 2004, available at
[ h t t p : / / www.vo t e .cal t ech.edu/ me di a/ document s / vt p_wp17.pdf ] .
⁵⁷ See ibid.; Sharon B. Cohen, “Auditing Technology for Electronic Voting Machines,”
Masters Thesis, Massachusetts Institute of Technology, May 19, 2005, available at
[http://www.vote.caltech.edu/media/documents/draft%20a.pdf]; Paul S. Herrnson, “Beyond
the Hanging Chad: The Promise and Performance of Electronic Voting,” PowerPoint
Presentation, University of Maryland, October 26, 2005, available at
[ h t t p : / / www.capc.umd.edu/ r p t s / Beyond_t he_Hangi ng_Chad.pdf ] .
⁵⁸ Election Science Institute, “DRE Analysis for May 2006 Primary, Cuyahoga County,
Ohio,” August 2006, [http://bocc.cuyahogacounty.us/GSC/pdf/esi_cuyahoga_final.pdf].

Some VVPAT proposals require that the paper print-out be the ballot of record
in the event of any differences detected between the paper and electronic records.
The basic argument in favor of the position is that the paper ballot is more
trustworthy, since the voter had the opportunity to examine it directly. Others,
however, point out that this approach may actually create vulnerabilities, since
miscreants could simply focus their attacks on the paper ballots. They say it is
preferable to use the entire audit trail to determine the correct outcome in the event
of a discrepancy. In addition, printer-jamming or other problems that prevent DREs
from producing VVPAT ballots could result in a paper audit trail that does not
accurately reflect the ballots cast.⁵⁹
Will a partial recount determine if fraud occurred? Some VVPAT
proposals include the requirement that hand recounts be done of a sample of the
paper ballots and compared to the machine counts recorded by the DREs. The
likelihood that such an approach will detect any irregularities depends on several
factors. To be effective, a sample recount would need to provide for a meaningful
comparison of recount results with original tallies. One way to do that is to recount
entire precincts. The number recounted would need to be high enough to provide a
reasonable probability that inaccuracies would be detected. That number will depend
on the degree of inaccuracy election officials are interested in detecting,⁶⁰ as well as
the probability of detection deemed necessary to serve as a sufficient deterrent to
potential miscreants. At least one analysis has found that random partial recounts can

⁵⁹ Ibid.
⁶⁰ For example, if 5 out of 100 precincts reported results incorrectly, selecting and
recounting only 1 out of the 100 precincts would fail to discover the problem 95% of the
time. Recounting 13 precincts would be needed to lower the detection-failure probability
to 50%. However, if 10% misreported, recounting only 7 would be needed to yield a failure
probability below 50%, but 50 would need to be recounted if only 1 precinct misreported.
Curiously, under this model the number of precincts that need to be recounted does not
change greatly for a given misreporting rate as the total number of precincts increases.
Thus, to detect a 1% misreporting rate with 50% probability among California’s 25,000
precincts requires recounting only 69 precincts. The numbers are determined using a simple
probability calculation analogous to that used to solve the “birthday problem” (what is the
probability that at least two people in a group of a given size share the same birthday?). If
there are 100 precincts, and five are reporting incorrectly, that means 95 of the precincts
have no error. Then, assuming recounting will always detect any error in a given precinct
(not realistic in practice), if a single precinct is chosen at random for a recount, the
probability that the recount would be done on a precinct that reported correctly is 95 out of
100, or 95%. In that case, if a second precinct is counted, the probability that a correctly
reporting one is chosen will be 94 out of the 99 remaining, or 94.9%. The probability that
an incorrectly reporting precinct would be missed in both cases is obtained by multiplying
the two probabilities: 95% * 94.9% = 90.9%. The process is repeated to determine
probabilities associated with adding additional precincts. See also C. Andrew Neff,
“Election Confidence: Comparison of Methodologies and Their Relative Effectiveness at
Achieving It”, December 17, 2003, available at [http://www.votehere.net/papers/
ElectionConfidence.pdf].

be a highly effective countermeasure against several forms of fraud aimed at
computer-assisted voting systems.⁶¹
Are hand counts more accurate than machine counts? VVPAT
proposals often stipulate that recounts of paper ballots must be done by hand. They
often argue that only direct counting by humans can ensure accuracy. That may
indeed be the case in some circumstances, but it is not likely to hold broadly. In
general, humans are not as accurate as machines in performing simple, highly
repetitive tasks such as counting ballots. They tend to make many more errors. That
is one reason why repeated manual recounts may yield different results.
Machine accuracy is especially likely to be higher if the ballot choices made by
the voter are printed, as they are with VVPAT. In contrast, machines are not as good
at judging voter intent if markings are ambiguous or not within machine parameters,
as may be the case if the ballots are marked directly by voters, as in optical scan
systems. Machine miscounts can also result from miscalibration or other technical
failure, or potentially from malware if it has been implanted. However, there are
several ways to guard against such problems.
Possible Issues for Congress
As of the end of 2006, most states required paper ballot records.⁶² However,
neither Maryland nor Georgia, which use DREs statewide, had enacted such
requirements, opting instead to focus on other security approaches. As VVPAT is
used by more states, and more studies of its effectiveness are done, more will be
known about the cost, performance, and any limitations of VVPAT in normal use.
Misperceptions about DREs could have important policy implications as states, and
possibly Congress, consider proposals to require VVPAT for all electronic voting
machines. In particular, the following issues may be worth considering:
Lack of information. There remains considerable uncertainty about the relative
security of DREs in comparison to other voting systems; how security measures such
as VVPAT may impact other important goals such as accuracy, reliability, usability,
and accessibility; and the effectiveness of those security measures. Congress could
direct the EAC to fill those information gaps through appropriate research as states
move to implement VVPAT and other security measures.
Potential conflicts with HAVA requirements. To the extent that states require
paper-based ballots, they may be perceived to be in violation of the accessibility
requirements of HAVA, unless their paper-based systems can be made sufficiently
accessible. Congress might be asked to resolve any such conflicts through changes
to HAVA.

⁶¹ Brennan Center, “Machinery of Democracy.”
⁶² Election Reform Information Project, “VVPAT Laws.”

Voter Confidence. One of the arguments used in favor of VVPAT by some
observers is that it is necessary to help restore voter confidence in the U.S. election
process.⁶³ However, there is little evidence that confidence of the average voter is
affected by this issue.⁶⁴ Even if the adoption of VVPAT does increase confidence in
the electoral process, if that confidence is false — as might be the case if voters
mistakenly believe that a paper-ballot requirement is a “magic bullet” security
measure — that could itself pose a risk to the integrity of elections. Congress may
wish to examine the extent and causes of any decline in voter confidence, and the
impact of various possible measures on it, in considering whether to enact legislation
relating to this matter.
Impacts on Innovation. While the mandating of security requirements such as
VVPAT can result in innovation with respect to those requirements, there is a risk
that the requirements will be written in such a way that other kinds of innovation,
such as potentially superior security measures not using VVPAT, will be difficult to
implement without additional legislation. For example, any law requiring paper
ballots would have to be changed before an alternative independent-verification or
software-independent system, such as those discussed in the VVSG, could be
implemented. Congress may wish to consider ways to ensure that the federal and
state regulatory environment for voting systems does not inhibit such innovation.

⁶³ This point was made, for example, by the Carter-Baker Commission
[http://www.american.edu/ia/cfer/] as one of the reasons for its recommendation that paper
ballot records be required.
⁶⁴ See, for example, Herrnson, “Beyond the Hanging Chad.”