Saturday, July 12, 2008

How an iPhone debut is like an election

I'm an iPhone junkie. I waited in line yesterday morning to get my iPhone, but I only had two hours, and after my time was up, I had made only minor progress, while the line grew pretty long behind me, so I abandoned my newfound iPhone junkie friends and left the Apple store (well, the line outside the Apple store) empty-handed. Only later did I learn that the line was moving so slowly because of glitches in the system caused by so many simultaneous activations. John Markoff said it well in his NYT article today:

The setback was a classic example of the problems that can follow when complex systems have single points of failure. In this case, the company appeared to almost invite the problems by having both existing and new iPhone owners try to get through to its systems at the same time. “There are certainly lessons in preparedness,” said Richard Doherty, a consumer electronics industry consultant who is president of the Envisioneering Group in Seaford, N.Y. He compared the day with Christmas morning, “the acid test for many years” for electronics companies because customers contact them in droves after opening presents and trying to get gadgets to work.

Of course, the Apple problems, as described in this article, are instructive when considering using electronic systems in elections. The debut of the Apple iPhone put unprecedented stress on their system on a single day, and there was no way for Apple to stress test their system in preparation for that day. I'm sure they performed many tests, and they clearly had plenty of notice to prepare for yesterday, and still, the system failed in unexpected ways when faced with the actual flash crowd of iPhone enthusiasts. That's not to say such a system will always fail. Sometimes it will work fine. But the takeaway from this is that a large, complex system, such as an election, running on a particular day, with no opportunity for a realistic to-scale test, may fail on election day in ways that cannot be predicted.

For this reason, it is important to keep systems as simple as possible, plan for contingencies, and assume the worst might happen. If it does not, there will have been no harm in having been prepared. But in the unfortunate circumstance where things do fail, as they did yesterday for Apple, we will all be better off for having been cautious.

Thursday, July 03, 2008

"Paper ballots" not "paper trails"

I've noted some confusion in discussions with reporters recently, and I have to assume that this confusion is somewhat widespread. The issue is whether or not a "paper trail" resolves the problems with electronic voting. The term "paper trail", in my opinion, is an unfortunate one. When I first got seriously involved in this issue in 2003, many of us advocated paper trails as a solution to paperless DREs. The thinking was that if every vote was recorded on a piece of paper and that paper was audited by the voter, then a correct tally could be produced by counting the papers. This could be used to audit the machines, or as the definitive ballots. In theory, this seems reasonable, but it doesn't work in practice, and the theory is a bit flawed as well.

As I describe this, keep in mind that the underlying premise is that the software-only DREs should not be trusted. Software often fails in unexpected and unexplainable ways, and in the case of national public elections, there is a threat that the software could have been rigged or modified, or just be plain old buggy. The bottom line is that elections are more trustworthy if we don't have to trust the software. So, given that premise, paper trails only provide some benefit if the papers are actually counted. Otherwise, the machines are just as vulnerable as ones that don't have paper trails. Unless there is a policy for checking the ballots, and unless voters actually inspect the paper trails, we might as well just use DREs because the paper trails are useless under those circumstances. In practice, things are actually worse. Vendors have developed paper trails that are unwieldy, difficult to count, printed with fading ink, and prone to failure and paper jams.

All of my experience with paper trails on DREs leads me to believe that instead of "paper trails" what we need are "paper ballots". In paper ballot systems, ballots are produced as in traditional elections, and these are the official ballots of record. By using touch-screen ballot-marking devices to create paper ballots (or even allowing people to mark them by hand), we avoid all of the problems of the paper trails. We end up with ballots that can be counted multiple ways, and which provide tangible evidence of the intent of each voter.

So, my advice is to abandon the term "paper trail", to abandon DREs with paper trails, and to start talking about paper ballots.