I’m interrupting my blogging hiatus again to point you to an important report that I think everyone interested in Howard County and Maryland politics should read: Counting Votes 2012: A State by State Look at Election Preparedness. There’s been a lot of controversy about alleged voter fraud, with calls for voter ID cards and the like. I have my thoughts on that general topic, but for this post I’ll simply note that this report deals with a related but somewhat separate issue, namely potential problems in the counting of votes and in confirming that votes are actually counted correctly. (Related because counting votes properly is a key technique in detecting certain types of fraud, separate in that the concern here is not with verifying that people are eligible to vote, but rather with problems that can occur at the point of voting and afterward.)
In particular I wanted to note the following points:
First, moving to electronic voting machines and (possibly in the future) online voting opens up many new possible problems (not necessarily fraud-related) arising from bugs in voting hardware and related software. As the saying goes, “to err is human but to really screw things up requires a computer.” Voting software bugs can cause hundreds or even thousands of votes to be lost or miscounted (as in one of the examples cited in the report).
Second, for those who want to commit voting fraud, electronic voting provides new opportunities for tampering with votes that are potentially much more effective than having people commit fraud in person (e.g., by voting at multiple polling places, voting as someone else who’s died, or otherwise misrepresenting themselves). Again, the rule of thumb is that human fraud is typically small-scale, while electronic fraud can be an order of magnitude larger.
An example in an unrelated area: You may see from time to time news reports about someone trying (and typically failing) to rob a local bank. This is a high-risk low-reward crime: Most bank robberies are for relatively small accounts, and most bank robbers get caught. A much more serious problem today is criminals taking over the computers of financial personnel at small businesses or government agencies (typically by sending them specially crafted emails containing links to malicious web sites or virus-infected documents) and then generating fraudulent bank transactions that end up transferring money to the criminals. The risk is very low (the criminals are typically based overseas and rarely apprehended or even identified) and a typical crime nets tens or hundreds of thousands of dollars. (See the blog of Brian Krebs, a former Washington Post reporter, for some eye-opening stories about this sort of thing.)1
Finally, for a state that has a lot of resident security professionals and aspirations to be the “Silicon Valley of cybersecurity,” Maryland has at best done a mediocre job of securing its voting machines and associated processes; in the report it was put into the “needs improvement” category overall. In particular, Maryland voting machines do not keep an independent record of votes cast, and therefore cannot be audited post-election to determine whether votes were lost, recorded for the wrong candidates, or fraudulently altered; this lack earned the state an “inadequate” rating in two categories.
It seems to me that ensuring the integrity of the electoral process is a core function of government if anything is. I therefore call on any of you interested in this topic, no matter your party, to read the report and consider how we could get the identified issues addressed in time for future election cycles.
1. According to the official FBI bank crime statistics, there were about 5,000 bank robberies in the U.S. in 2011, with a total amount robbed of about $38 million; average amount taken per robbery was under $9,000. Unfortunately the FBI does not publish comparable statistics on online corporate account takeover fraud (including unauthorized ACH transactions and wire transfers), nor does any other official source I’m aware of. However third party sources (for example this Aite Group report) estimate that account takeover losses are well in excess of $100 million per year.