With the potentially massive vote fraud risks posed by the emergence of computerized voting machines in public elections nationwide and the suddenly mushrooming demands for closer scrutiny of these new systems every voter should strive to understand the issues involved, even though they are complex, and seek to influence the national dialogue on how these machines should be built, tested, and deployed. In non-technical language the author explores these complex issues including the question of setting technical standards and offers real, achievable policy solutions that can address the risks to our democracy posed by these new machines.
E-Voting – Proposed Strategies for Safeguarding the Electoral Process
by Kevin McDermott
Oak Park Coalition for Truth & Justice
January 24, 2004
As a lifelong Information Technology (IT) professional I am a firm believer in the benefits of IT to society. IT can simplify, enhance, and increase the reliability of nearly any operational process, especially those involving counting and tabulating. Voting is, of course, a classic exercise in large scale tabulation requiring quick and accurate processing, so it is only natural to apply IT to the voting process. I envision a day when all voting for public office is fully automated and perhaps even carried out over the Internet. I believe this scenario is not just reasonable, it is inevitable.
But my experience in the IT world has also made me fully aware of the limits of technology and its susceptibility not only to error, but to fraud. I have personally been involved in two small scale elections handled over the Internet and both were marred by cheating. Fortunately, these elections determined only the makeup of the boards of directors for small non-profit organizations and not for public office. Nonetheless, in each case the election had to be held over again, and in each case the entire episode could probably have been avoided had the organizations’ election organizers heeded the advice of the technical team advising them on security risks.
Now, with the potentially massive security risks posed by the emergence of computerized voting machines in public elections nationwide and the suddenly mushrooming demands for closer scrutiny of these new systems every voter should strive to understand the issues involved, even though they are complex, and seek to influence the national dialogue on how these machines should be built, tested, and deployed.
The role of standards
Unless you work in a technical field you may not be familiar with the process of setting standards within an industry. Standards are used to govern the way products are made, the way processes are set up and monitored, whether safety and environmental requirements are met, and a number of other complex tasks. Standards ensure that the outcomes of these tasks are always delivered in a uniform and consistent manner. Standards allow a manufacturer to produce a product with the same precision and accuracy regardless of when or where the manufacturing process takes place. Standards allow your web browser to access any web site on the Internet and display it to you correctly, no matter where the web server is located or who wrote the computer programs that make up the web site. Standards allow your cell phone to work throughout the U.S., though not necessarily in Europe, since the Europeans - and much of the rest of the world - build their cell phones according to a different standard. In fact, our modern technological society would not be possible without standards.
Standards exist in the voting machine industry too. The Federal Election Commission publishes the Voting System Standards (VSS), most recently updated in April of 2002 and available from the FEC web site. The VSS dictates how computerized voting machines should be built and tested. The 2002 version addresses several current topics such as creating verifiable audit trails, but it does not require paper ballots. However, many of the machines being deployed today follow the previous version of the VSS published in 1990, a standard created well before the emergence of the Internet, the dotcom revolution, or the rise of the network hacker. Furthermore, the VSS is a voluntary standard and states are not required to follow its guidelines, though most do. To accompany the VSS the National Association of State Election Directors (NASED) developed and administers a testing and certification program (also voluntary) that uses an Independent Testing Authority (ITA) chosen by NASED to certify whether manufacturers’ voting machines comply with the VSS. NASED has currently authorized only three such ITAs, Wyle Laboratories, CIBER, and Systest Labs. Beyond the VSS and NASED ITA testing requirements a number of states also mandate additional testing and certification of voting systems by their own staff and technical resources prior to purchasing any machines.
The VSS, however, isn’t the only set of standards addressing voting machines. The Institute of Electrical and Electronics Engineers, Inc. (IEEE) is currently developing their own version called “P1583 (D5.0) Draft Standard for the Evaluation of Voting Equipment 2003” available (for a fee) at the IEEE online store. Perhaps more importantly, the recently passed Help America Vote Act (HAVA) sets up a new 15 member Technical Guidelines Development Committee chaired by the Director of the National Institute of Standards and Technology (NIST - formerly known as the Federal Bureau of Standards), that will become a functional part of the FEC. The Technical Guidelines committee, in conjunction with NIST, will develop its own set of standards. This NIST standard – also called the HAVA standard – will most probably become the actual standard used by all election jurisdictions in the U.S. NIST will almost certainly tap into the expertise of IEEE in developing the newly mandated HAVA standard, and it is possible that both the HAVA and IEEE standards may converge to a point of substantial similarity in their recommendations and requirements.
But the mere existence of standards is not sufficient to ensure that a voting system is secure and safe from breakdown or subversion. First, the standards have to be written in a manner that accommodates the needs of all important constituencies. Second, the standards must be enforced. Under the current voluntary guidelines strict enforcement is not mandated, though most vendors do try to meet the requirements of the VSS. Third, the standards need to be surrounded by a set of procedures for physical security (e.g. keeping the warehouses that store the voting machines locked and safeguarded), for applying software and hardware fixes and upgrades, for training of elections personnel, and for auditing of everything from purchase decisions to software control procedures to elections management processes.
On Dec. 10-11, 2003 NIST held a symposium at its headquarters outside of Washington DC titled “Building Trust and Confidence in Voting Systems” that attracted representatives from every constituency involved in the current debate (an archived webcast of the entire proceedings is available at http://vote.nist.gov/). The symposium did not attempt to reach hard conclusions about future directions. It did, however, succeed quite well in laying out the competing arguments from each of the constituencies who have voiced a stake in the outcome of the debate. The arguments are at the same time both logical and visceral, as befits a debate about an issue as fundamental to democracy as voting rights.
Most of the leading computer experts who have raised alarms about e-voting including Prof. David Dill of Stanford, Prof. Rebecca Mercuri of Harvard, Prof. Avi Rubin of Johns Hopkins and Prof. Doug Jones of the University of Iowa presented their cases to the NIST symposium. For those who are unfamiliar with the arguments of these respected academics, they are mostly variations on a single vexing problem. That problem is, simply, that the security of software can never be guaranteed. Complex software will always contain bugs and flaws because it is written by humans, and humans always make mistakes. Modern software is also very complex, sometimes containing several million individual instructions, known in the IT vernacular as “lines of code”. As an example, Microsoft’s Windows operating system is thought to contain over ten million lines of code. Microsoft operates an extensive, expensive system for identifying bugs, yet many still appear in Windows, as evidenced by the frequent release of “security patches”. This is not because Microsoft doesn’t want to produce bug free code. It’s simply impossible to do so.
In fact, the scientific consensus on the impossibility of building bug-free code or even building testing procedures that can catch all bugs borders on unanimity. Scientific certainty on this vulnerability stops just short of a mathematical proof, and some scientists feel that such a mathematical proof of non-testability may eventually be found. Suffice it to say that unintentional bugs and errors in complex software can never be eliminated, and no amount of testing, no matter how rigorous, can be expected to reveal all of the unintentional bugs in complex software. But the problem of finding defects in software becomes far more difficult when trying to uncover not just accidental errors, but malicious programming code that a clever programmer has hidden. Prof. Rubin of Johns Hopkins stated during his presentation at the NIST symposium that it is categorically impossible to test for this sort of malicious code, and therefore the current processes used by elections officials, which rely heavily on the testing of software to certify that voting systems are reliable, can never produce trustworthy systems.
As a result, many of the computer scientists advocate what has come to be known as the Voter Verified Paper Ballot (VVPB). There are two variations on VVPB. One variant calls simply for the printing of paper ballots that can be viewed and approved by voters and that are then saved by the voting machine to provide a means for a physical recount. In this version, the e-voting machine records the actual vote and the paper ballot exists solely as an audit trail for recount, if necessary. The other variant calls for the paper ballot to be printed by the e-voting machine and then fed into a second machine that counts the paper ballot as the actual vote cast. This second method is known as the “Mercuri Method”, named after Prof. Rebecca Mercuri of Harvard.
In sharp contrast to the view of the computer scientists, some election officials voiced the belief that the problem is significantly overblown. Although not discounting the potential problems identified by the computer scientists, these officials maintain that the procedures they already have in place are sufficient to uncover the kind of widespread fraud or large scale subversion foreseen by critics.
Although only a few representatives from the twenty-three states that sent their Secretaries of State or Directors of Elections spoke at the symposium, the consensus appeared to be that the alarms being raised by the computer scientists fail to take into account the numerous levels of safeguards that election officials have built into their procedures over many decades. These representatives also voiced concern that some of the technical solutions proposed by various critics could not be logistically implemented in real life polling places.
The most common complaint heard was that paper ballots create a set of potential nightmare scenarios for elections officials because of their inherent unreliability. Although at the moment paper solutions carry substantial appeal because they can be recounted and audited, they also introduce substantial problems including the maintainability of the printers at the polling places. One election official reported that the most commonly used repair tool in any polling place is a wire coat hanger. The durability of the paper record, the readability of that record (especially by those with disabilities such as vision impairment), the secrecy of the record, and the trustworthiness of the record all present a series of problems that have not been thoroughly addressed in any of the paper ballot proposals presented at the symposium. But election officials must deal with these real world problems, and so they resisted calls for immediate introduction of paper ballots in connection with touch screen voting machines.
Although the vendors of voting machines play the role of villain in most reporting on the e-vote issue, it would be unfair to categorize all vendors as evil manipulators of our electoral process. Certainly the danger exists that such manipulation can, and perhaps has, happened, but this does not mean that all vendors are necessarily evil, or even that they are all adversaries in the process of trying to create trustworthy computerized systems. If we assume for a moment that at least some vendors are honest, then we should take a moment to understand the problems they too face.
It is instructive to note the complaint of one senior engineer from ES&S, one of the largest makers of voting machines. According to this engineer, in the wake of a recent declaration by the California Secretary of State mandating paper audit trails for all voting machines installed in that state, a representative from ES&S presented a list of ten questions to the Secretary of State’s office asking how the paper system should actually function. According to the ES&S engineer, the Secretary of State’s office could not answer any of the ten questions, presumably because none of the questions had been thought through yet. Nonetheless, ES&S and all other vendors were required by the ruling to provide only machines that used a paper ballot system, even though the state itself could not describe how that system should operate.
If we, as activists, want to see trustworthy voting machines, we need to understand that the vendors can only build what states will buy, and if the states cannot define what the machines should do, the vendors will not be able to build them.
Advocates for the Disabled
In what is surely the most poignant irony of this entire issue, one of the fiercest arguments opposing the computer scientists’ efforts to rethink computerized voting machines comes from groups that advocate on behalf of the disabled, and particularly of the blind. Jim Dickson from the American Association of People with Disabilities, in one of the most emotionally moving presentations of the entire symposium, spoke eloquently about his lifelong struggle as a blind person to vote without having to rely on someone else to fill out his ballot. Because of the touch screen machines’ ability to interact with a voter via computerized speech, these machines give him the first opportunity he has ever had to vote unassisted without worrying about whether the polling place worker or anyone else who had assisted him had changed his vote before submitting it.
Computer scientists, naturally, make the argument that with current touch screen machines visually impaired voters will still not know if their votes have been recorded as intended. But the larger issue raised by Mr. Dickson is that HAVA specifically addresses the concerns of people like him with disabilities, and it took decades to get this legislative help passed. If activists were to insist on rolling back HAVA in its entirety, Jim and the people he represents would see a legislative victory decades in the making snatched away with no certain promise of return.
What do we do now?
So, given this current state of uncertainty about electronic voting machines and the conflicting needs of the constituencies involved, what steps should a concerned citizen take now to try to secure the integrity of the American electoral process?
First, we need to understand that there is no quick fix to this set of complex, interlinked problems. We should recognize that any efforts to build a new system of safeguards into a computerized voting process will take careful thought, reasoned design, and rigorous experimentation and testing. The law of unintended consequences lurks menacingly in the shadows in smiling anticipation of those who would move without amply considered forethought. Jumping into action and creating a mandated technical solution, such as some of the more hastily conceived calls for mandated paper ballots, could potentially do more harm than good, or could create a merely palliative treatment of the problem providing only the appearance of improved safeguards. And in so doing it could reduce the level of concern, scrutiny and credibility of criticism surrounding the machines that are installed, and thereby create a false sense that the problem was no longer pressing.
Given the need to move slowly and deliberately, we may want to focus our efforts on several broad objectives, without mandating the detailed means by which those objectives might be achieved. Although this may seem counterintuitive – after all, how can we legislate a solution that we can’t describe in detail – it will, I believe, yield far better long term results. By defining the outcome we want to see, rather than the technical solution we think might provide that outcome, we allow space for the kind of technical innovation and scientific breakthroughs that might provide a powerful solution unforeseen by us today that would meet all the conflicting needs of every constituency. I believe we can insist on a few broad parameters that we can enshrine into law that will protect the integrity of our voting systems while avoiding the trap of legislating specific technology, which may be obsolete by the time the legislation is approved.
The first of these parameters is the insistence on mandatory, legally enforced standards. The NIST and IEEE efforts will, in all probability, produce a robust set of instructions describing how e-voting machines must be built and how they might be tested to yield the greatest likelihood of trustworthiness. Each of these standards creation processes will probably take several years, but they must be allowed to run their course successfully without interference from political influences. Guaranteeing the scientific integrity of this process will be crucial. In light of the findings by the U.S. House of Representatives Special Investigations Division that the government has repeatedly interfered in scientific inquiry and research to fit a political agenda (http://www.truthout.org/mm_01/4.wax.pol.n.science.pdf), the danger of corrupting political influence on the standards process is real and significant. Activists should focus substantial and sustained attention on both the NIST and IEEE efforts. Those who feel uncomfortable with their own level of technical expertise in evaluating standards should seek to build partnerships with technical experts who share their deep concern for the future of our democratic process.
The second parameter is transparency, and this transparency must cover three equally important areas: vendor source code, Independent Testing Authority (ITA) test plans and test results, and the process for ensuring that tested and verified code is actually the exact same code running in machines during an election. Source code is the IT term used to describe the actual computer programs that run any digital machine. In today’s world, the vendors of election equipment keep secret all of their source code. Vendors claim that this secrecy keeps their code safe from hackers. However, this argument, known in the computer science community as “security through obscurity”, is rejected by nearly all computer scientists. The most often cited example of failure for security by obscurity is, once again, that of Microsoft Windows, the source code of which is one of the most closely guarded trade secrets in any industry. And yet, anyone with a home computer is painfully aware of the security limitations of Microsoft’s flagship Windows product. The real reason vendors want to maintain secrecy of source code is fear that a competitor will steal their intellectual property. But if all source code were readily and freely available, then any vendor could easily search a competitor’s code looking for stolen or misappropriated intellectual property. Therefore, source code can and must be made freely available in its entirety to anyone wishing to examine it.
While not completely solving the problem of inherently untestable code, making source code open will provide a far higher degree of professional scrutiny, thus making it substantially more difficult to hide malicious or logically incorrect code. This phenomenon of open source code exhibiting greater logical integrity and resistance to outside attack can be seen in practice with the Linux operating system, an open source competitor to Microsoft’s Windows operating system. Though not immune to attack or failure, Linux has proven itself to be a more reliable and secure system in corporate computing environments and is now embraced by IBM, Hewlett Packard and other major computer industry players.
A number of states, including Illinois where I live, mandate that vendors must put a copy of their source code into an escrow account where any election official or any official representative of a political party involved in an election may examine it. But this is insufficient. Anyone must be able to examine this source code at any time and at no charge.
Transparency must also extend to the ITAs, i.e. the three independent testing labs that are currently certified in the U.S. to test vendor supplied e-voting machines to ensure compliance with the FEC’s VSS standard. In today’s environment the ITAs will reveal only to election officials the details about the types of tests they conduct or the results of those tests, and then only with the vendor’s cooperation. But since testing, even given its inherent inability to uncover all possible bugs, is still critical to the trustworthiness of election machinery, the processes by which the ITAs determine compliance with existing (or future) standards must also be open to anyone at any time at no charge.
The final area requiring complete transparency is the process by which election officials determine that the source code certified by the ITAs is actually the same exact source code running in the machines conducting an actual election. Since it has already been shown in California that machines used in actual elections did not match the version numbers of ITA approved machines, and that therefore California used uncertified machines in a real election, the necessity of transparency for this process becomes amply apparent. There are several competing technologies that might address the comparison of code, but no matter what solution a state might choose anyone should be able to see exactly what process is being followed. And if software tools are used to conduct the comparison then the source code for those tools must also be freely available.
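As an added illustration of this third transparency area (example code written for this essay, not a tool any vendor, ITA or state actually uses), the script below publishes a manifest of SHA-256 digests for a certified build and checks an installed machine's files against it, reporting anything modified, missing or extra. The file names and both sample trees are constructed for the demonstration; the point it makes beyond the text is that a matching version number, the check California relied on, says nothing about whether the bytes actually match.

```python
"""Check that files installed on a voting machine match a certified build manifest.

Added example, not part of the original essay and not any vendor's or ITA's tool.
Assumes the certified build is published as a manifest mapping relative file paths
to SHA-256 digests, and that an installed machine image is a directory tree on disk.
"""
import hashlib
import os
import tempfile
from typing import Dict, List

Manifest = Dict[str, str]


def sha256_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Manifest:
    """Map every file under root (relative, '/'-separated path) to its SHA-256 digest.

    Run once over the ITA-certified build; the resulting manifest is what would be
    published, so anyone can re-run the same check against any installed machine.
    """
    manifest: Manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_install(certified: Manifest, installed_root: str) -> Dict[str, List[str]]:
    """Compare an installed tree against the certified manifest.

    Three findings matter: 'modified' (same path, different content), 'missing'
    (a certified file is absent) and 'unexpected' (a file is present that was never
    certified). A version string cannot distinguish any of these; a digest of the
    actual bytes can.
    """
    installed = build_manifest(installed_root)
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "unexpected": []}
    for rel, digest in certified.items():
        if rel not in installed:
            report["missing"].append(rel)
        elif installed[rel] != digest:
            report["modified"].append(rel)
    report["unexpected"] = [rel for rel in installed if rel not in certified]
    for key in report:
        report[key].sort()
    return report


def matches_certified(report: Dict[str, List[str]]) -> bool:
    """True only when every certified file is present and unchanged and nothing extra exists."""
    return not any(report.values())


def _write_tree(root: str, files: Dict[str, bytes]) -> None:
    """Materialise a constructed sample tree on disk."""
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)


def demo(drift: bool = True) -> Dict[str, List[str]]:
    """Constructed sample: a certified build and an installed copy that may have drifted."""
    certified_files = {
        "tabulator.bin": b"\x7fELF" + b"certified tabulator v4.2" * 100,
        "ballot_defs/precinct_01.xml": b"<ballot precinct='01'/>",
        "VERSION": b"4.2\n",
    }
    installed_files = dict(certified_files)
    if drift:
        # VERSION still reads 4.2, but one byte inside the tabulator differs: a
        # version-number comparison passes, a digest comparison does not.
        installed_files["tabulator.bin"] = certified_files["tabulator.bin"].replace(b"v4.2", b"v4.3", 1)
        del installed_files["ballot_defs/precinct_01.xml"]  # certified file never deployed
        installed_files["debug.log"] = b"left over from a field test\n"  # uncertified extra
    with tempfile.TemporaryDirectory() as cert_dir, tempfile.TemporaryDirectory() as inst_dir:
        _write_tree(cert_dir, certified_files)
        _write_tree(inst_dir, installed_files)
        return verify_install(build_manifest(cert_dir), inst_dir)


if __name__ == "__main__":
    result = demo()
    for finding, paths in result.items():
        print(f"{finding}: {paths}")
    print("installed image matches certified build:", matches_certified(result))
```

The manifest and this checker would themselves have to be published, as the text demands for any comparison tool, since a reader can only trust a match they can reproduce.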
The third required parameter is, of course, a voter verified audit trail. But this does not necessarily mean a paper based audit trail. Although at the moment paper solutions carry substantial appeal, they also introduce substantial problems. And it is still possible, even with paper records, to create a system that prints one thing on paper and records another in the voting database. If a total vote count does not produce reason for suspicion - and a clever subverter will ensure that the results look just reasonable enough to allay suspicion - there will be no recount, and the paper ballot audit trail would therefore buy us nothing.
So it is essential to understand that simply mandating a paper ballot does not fix the problem. Implementation methods, i.e. how the paper ballot system actually works, will play a crucial role and they must be clearly defined. Any paper ballot system that does not count the paper ballots themselves is open to the same abuses that plague touch screen machines. And even if we leave fraud or evil intent out of the equation, unreliable printers that jam during an election can invalidate votes or, in the extreme case, even shut down a polling place. Many other potential problems exist with paper records that, if not carefully thought out beforehand, could render an election just as messy as anything we have seen so far.
The final thought to consider on the subject of audit trails is the possibility that something other than paper might still prove to be the most effective solution in the long term. Several competing technologies including a statistical testing methodology from Vote Here, Inc. and a method proposed by Professors Ted Selker and Jonathan Goler of MIT for a “Secure Architecture for Voting Electronically”, as well as other proposed methods may yield a more trustworthy and cost effective solution than some of the scantily defined paper ballot solutions proposed today. By advocating a Voter Verified Audit Trail (VVAT) rather than narrowly specifying a paper ballot audit trail (even the one proposed in the Rush Holt bill - H.R.2239) we will leave ourselves much more room for innovative solutions to emerge. Given the newness of both the technology and the understanding of the problem and its ramifications it seems completely reasonable that the next few years of research will yield a wide range of potentially robust solutions we may not be able to envision today. I will point out again that it is important to legislate outcomes rather than specific technologies. If we legislate away the possibility for discovering and implementing truly innovative solutions we may serve only to worsen the problem.
In approaching this complex problem I would advocate that activists befriend their state and local election officials. This may sound surprising to some, but don’t assume that these officials are necessarily your enemy. Many of the officials I have met, both Democrat and Republican, are honest, concerned citizens who care deeply about the integrity of the process they steward. They are not unfamiliar with the concept of vote fraud, and they are not naïve about the potential problems of electronic voting machines, even if they may not always share your (or my) sense of urgency about this problem. It’s important to understand that many of them have spent a good portion of their careers in this field, and they understand the election process at a fundamental level that may not be immediately clear to those of us who are new to the field. Listening to what they have to say, even if we disagree, will not only help us gain a greater understanding of the complexity of the problems faced by those who actually administer elections, but it will also create a much more cooperative relationship that is more likely to produce the results we want than will an openly antagonistic one. It may be helpful to consider a short thought experiment. Next time you speak with an election official think of how you might feel if someone you didn’t know, who had never performed your job, called to tell you that you were doing your job completely wrong and that the fate of American democracy depended on your listening to this stranger and changing your behavior to suit the stranger’s demands. Even if you thought the stranger might be correct, how likely would you be to react positively, or even to listen? If we also think about the legislative approaches that many activists are pursuing, does it seem more likely that legislation will be approved if we have the cooperation and backing of election officials or if we create an adversarial situation?
Building a cooperative relationship will also provide one other major benefit. In my explorations of this issue I have encountered the belief, or at least the feeling, from some activists and even from a few election officials that the only option available is to buy the equipment that the vendors offer, and to look for a vendor who supplies something close to what we’re looking for. But in fact, the process actually works in the opposite direction. The vendors look for instructions from election officials to decide what they should build. This is a very important point to understand because it tells us that we, through our election officials, can and do directly determine what the vendors actually build. In the IT industry this is known as providing the specs. By providing the specs we, the buyers, have the ultimate power to tell the vendors what it is we will buy, and how the machines we buy must function. But the process in place today puts the responsibility of providing those specs squarely in the laps of our election officials. If we don’t develop a cooperative relationship, how likely is it that we will have influence on what those specs say?
In closing, let me repeat the three broad parameters we should demand from our legislators. First, we must have an open, free, and completely apolitical process for standards development. Second, we must have complete transparency of vendor source code, ITA test procedures and results, and election officials’ processes for ensuring that certified source code exactly matches source code in installed machines. Third, we must insist on a Voter Verified Audit Trail, but we should beware of legislating specific technological solutions. Finally, in terms of activist strategy, I believe we will be much better off if we establish cooperative relationships with our election officials.
Most importantly, we must all understand that it is only through our continuing actions that this issue has achieved the level of public awareness that it has, and we cannot slack off in our insistence on moving it to the forefront of public consciousness. The NIST symposium would not have taken place at all, the Rush Holt bill would not have been introduced, and the emergence of this issue in the mainstream press would simply not have happened had it not been for the public debate created by determined e-voting activists. Although we need to recognize that it will be a long and difficult process, this is a struggle we simply must win.
List of voting machine vendors:
Advanced Voting Solutions, Inc. – Frisco, TX
Alpha Data Solutions, Inc. – Detroit, MI
Avante International Technology, Inc. – Princeton Junction, NJ
Barden Technologies (a division of Barden Entertainment) – Detroit, MI (no web site)
Barden Entertainment (contains no info on their Picture-It voting system)
New Particles Corp. (software developer for Barden Technologies)
Diebold Election Systems – Akron, OH
Election Systems & Software, Inc. – Omaha, NB
Election Works / Election Data – Valley Center, CA
Fidlar Election Company – Peoria, IL (web site contains no information on their AccuVote system)
Hart InterCivic – Austin, TX
IVS - Louisville, KY
Parsons Advanced Technologies, Inc. (no web site)
Populex Corporation – West Dundee, IL
Sequoia Voting Systems – Oakland, CA
TekVisions, Inc. - Temecula, CA
Tru Vote International – Nashville, TN
Unilect Corporation – Dublin, CA
Unisyn Voting Solutions – Carlsbad, CA (web site contains no information on their voting system – may be related to Election Works or ILTF)
Vogue Election Systems – Chicago, IL
Vote Here, Inc. – Bellevue, WA
NASED list of approved voting systems