Glenn Reynolds, of Instapundit fame, writes in an article at Tech Central Station about the virtues of paper ballots.

This echoes an argument I’ve been making for some time now, namely that the voting process is not a problem that benefits from a high-tech solution. He focuses almost exclusively on the fact that paper ballots are less confusing and more distinctive from voter to voter than punch card, graphite-oval, or touch-screen ballots.

All of these are very good points, but he doesn’t even touch on what I think is the biggest potential risk in the high-tech voting systems that everyone seems to be spending loads of money on: the system itself.

You’ve probably never heard of Ken Thompson, one of the fathers of the UNIX operating system. In the early 1970s, he re-implemented UNIX in the new C programming language. In doing so, he introduced an almost totally undetectable back door into the system

When you log in to a UNIX system, you interact with a program called login (or you used to, anyway). This program asks for your username and password, and checks to see whether they’re correct. If they are, it allows you access to the system. Thompson’s hack was to modify the login program so that it would accept both your password or a password he specified and hard-coded into the system as valid.

This would be obvious to anyone looking at the source code for the login program, so Thompson modified the compiler — the program that turns source code, written by programmers, into machine code, understood by computers — to recognize when it was compiling a copy of the login program, and insert his back door.

Now, the compiler itself has source code, so Thompson also modified the compiler to recognize when it was compiling itself, so it would insert both the code for putting the back door in login. He then re-compiled both the compiler and login. Neither program’s source code held any clue as to what was going on, but all subsequent copies of login would allow Ken Thompson access to the machines they were installed on.

Thompson himself told this story in a speech, “Reflections on Trusting Trust”, that he gave accepting the Turing award from the Association for Computing Machinery in 1995.

The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.

Keep in mind that this isn’t some schmo saying that this is “almost impossible to detect”, it’s Ken Thompson. This is like Michael Schumacher saying that a car is “very fast”, or Bill Gates saying something is “expensive”. It’s all in the frame of reference. If Ken Thompson says that something would be “almost impossible” to spot in computer software, you might want to believe it.

The Federal Election Commission’s draft standards for voting systems miss this point entirely. They specifically state, in fact, that compilers don’t have to be tested. The source code of the voting system is to be examined, but compilers, databases, and operating systems just have to be checked that they “were not modified”. There’s no information on how this is to be done; and somehow I doubt they’re running checksums on all the compilers used.

This, in my mind, is the best reason to avoid electronic voting systems. The whole point of computerization, of anything, is to allow a whole bunch of things to happen automatically, with no human attention or involvement. It seems clear that this is precisely what you don’t want in an election.

We’re told that we need all these gewgaws to handle the enormous number of votes that are cast, but this just isn’t true. We might need the gewgaws if all the votes are going to be counted in a central location, as they are now, but why should we assume that’s necessary? In yesterday’s election, there were over 200 polling places in Fairfax County, Virginia. In one of them, seven people voted. In another, 2180. The average was about 1190 people per polling place.

Assuming it takes about five seconds to count a single vote — probably a conservative estimate, as you’re just looking for an ‘X’ and incrementing some kind of counting device — it would take about 90 minutes to count all the votes from a single polling place (and keep in mind that the polling places of today are set up with the constraint that there are only so many of those expensive voting machines, and that counting is easy. If you assumed that counting was to be done by hand but that the only equipment required were some ball-point pens, you could probably get the count time down to 30 minutes without too much trouble). You can either set up the people doing the count — the same people who manned the polls in the first place — in assembly-line fashion, each person concerned with only one question, handing the ballots off to the next person to count the next race, or you could supply voters with a separate slip of paper for each race in the election. There are logistical advantages to both methods, but in any case it wouldn’t take that long.

Presumably, the whole process would be observed by a number of people: someone from each political party, reporters, people from the area, etc. It’d be impossible for someone to become confused by the placement of names on the ballot dictated by the requirements of some machine. Voters who make a mistake would ask for a new ballot form, watching while their spoiled ballot was shredded in front of them. Changing ballots at the last minute — as happened in Minnesota due to the death of Paul Wellstone — would require nothing more than a photocopier and a supply of the ballot paper.

Save money, improve the process, and reduce the possibility of fraud, all at once! Amazing. For some reason, though, it seems to be taken as a given that our voting process must involve apparatus of some kind. As long as that’s accepted uncritically, I can’t see matters improving much.