Teresa Hommel
www.wheresthepaper.org/DREsAreDanger.htm
May 30, 2004
DRE Voting Systems as currently sold
are a Danger to Democracy
1. The security
problems with these machines are not widely-enough
recognized or understood, and as a result these
machines have
been put in place for use by an estimated 30% of
American voters
in November 2004.
a. Lack of technical knowledge about computers, computer
security, and
Information Technology ("IT") standards has
prevented
timely recognition and understanding of the dangers
posed by
unauditable DREs.
b. Most average voters, accessibility
advocates, and election
officials have
assumed that DREs have the same kinds of
security features and behind-the-scene processing that
assure
the
correctness of transactions conducted with ATMs, ticket
kiosks, etc.,
but this is not true.
1)
DREs do not have end-of-election reconciliation procedures
comparable to
end-of-day reconciliation procedures
performed
by bank tellers, retail cashiers, etc.
2)
Capturing information from the human world into the
computer
is error-prone. For this reason, both the
electronic records
of all ballots cast and the final
tallies
tabulated from those ballots should be subject
to
ordinary professional-quality IT reconciliation. At
present,
however, vendors claim that such procedures
are
unnecessary, and BoE do not want to perform them.
3)
In effect, BoEs want to delegate the work of recording
and
tabulating votes to the computers, and do not wish
to provide
the oversight that they would recognize as
necessary
if they delegated these tasks to people. Yet
the
computer is only a mechanism created by people, and
requires
similar oversight -- which is provided, in the
IT world, by end-of-day reconciliation,
also called
auditing.
c. Due to lack of knowledge about
computers and IT standards,
many BOEs have
accepted the use of computers without
arms-length
evaluation of:
1) Vendor's claims about their products
2) Certification reports
3) The many failures of computerized
voting systems (these
have been
trivialized as "glitches" by vendors who insist,
without
providing any factual evidence, that election
outcomes
have not been affected).
2.
"Trust-me" elections are contrary to democracy.
a. DREs prevent human oversight of
ballot-recording and vote-
tabulating.
b. Most DREs offer no way to
independently confirm correct
recording of
ballots or correct tabulation of final tallies.
c. Even if DREs produce a voter-verified
paper audit trail
so that
independent confirmation of ballot recording and
tabulation is
possible by performing an ordinary business-
style audit
procedure, BoEs lack the resources needed to
perform such
procedures, and wish to limit them efforts to
recounts of a
tiny percentage of randomly selected precincts.
c. It is inappropriate for voters in a
democracy to accept
"trust-me"
elections.
d. If an open door to election fraud
exists, history suggests
that fraud
will surely occur.
3. DREs are
more easily corrupted than DRMs (Direct Recording
Mechanical lever machines).
a. Length of access time required to corrupt one or
more machines
versus magnitude of effect.
1)
To corrupt DRMs requires one person to have access for
minutes or
hours to each machine.
2)
To corrupt the software, recorded ballots, or final
tallies in
all DREs in the USA that were made by a
particular
vendor requires:
a)
One insider or hacker to have less than a second
access
per DRE (by using an automated script in one
computer
anywhere in the world), or
b)
One insider who has no access to the DREs, but who
distributes
a corrupt "patch" which the vendor's
technicians
install with or without knowing that it
is
corrupt. This could have happened in Georgia, 2002,
because
the software in the Diebold systems was
replaced
repeatedly up to two days prior to the
election.
3)
Multiple studies have revealed the ease of access and
corruption
of DRE election systems.
b. Ease versus difficulty to detect corruption.
1)
With a week of training, one person can inspect DRMs
and find corruption
within minutes or hours.
2)
With years of training, one person can inspect DREs
for years
and not find all corruption in the software.
c. "Public oversight" provided by
government employees versus
inability to oversee (defacto privatization of elections).
1)
BOEs have many competent workers who can safeguard
and fix
DRMs.
2)
BOEs have few/no competent workers who can safeguard
and fix
DREs, or oversee the work of vendors (thus, use
of DREs
requires dependence on service contracts and
"trust-me"
relationship to vendors).
3)
Major vendors have sold their equipment only with
trade
secret agreements that prevent public inspection
of the
voting system, including hardware, software, etc.
4)
Comment: Recent news reports reveal the dependence of
BOEs on their
vendor's technicians. BOEs lack expertise
to oversee
the work performed by these technicians.
A corrupt version of software can
be used without anyone
noticing.
5)
Why Open-Source software must be required: Unless all
software
used in electronic voting and vote-tabulating
systems is
openly available for inspection (for example
by being
posted on the web sites of BoEs), use of
electronic
voting and vote-tabulating systems causes
defacto
privatization of elections. This is because:
a)
Voters are forced to "trust" BoEs to know how ballot
recording
and tabulating is conducted, but
b)
BoEs are forced (due to their lack of appropriate IT
expertise
and resources) to "trust" their vendors.
c)
Only vendors know or control how ballot recording and
tabulating
is conducted.
6)
Open-Source software is essential but not a panacea,
due to the
ease of changing what software is in an
electronic
system without people noticing or being able
to detect
the change later (this is what happens with
computer
viruses, etc.).
4. What
knowledge or perspective is lacking?
a. The world of information technology
(IT) has standards for
auditing and
security, developed over decades of working
with computer
systems. Most DREs don't meet these standards.
1)
Auditing means any verification, reconciliation or
feedback
mechanism that allows independent confirmation
of the
accuracy of recorded data and processing results.
2)
Security means that the results of normal operation
can be
proven correct by independent audit.
b. The IT world recognizes that the
capture and processing of
transaction
information is error-prone and must be confirmed
by audit. (No
one "trusts" transaction-capturing and
-processing computers, we audit them
and trust the audit.)
1)
To confirm accurate data-capture and processing, you must
compare
computer results to independently-created
results
that do not depend on the computer's veracity.
2)
If the transaction consists of votes on a ballot, we
need a secret
ballot that does not identify the voter.
This limits the kinds of auditing
mechanisms that can be
used. For
example, you cannot use a tracking number that
identifies
the voter who cast the ballot.
3)
To audit an election conducted with DREs would require:
a)
DREs would have to create and allow retention of the
VVPAT.
DREs without VVPAT prevent auditing.
b)
Comparison of electronically-recorded ballots to
voter-verified
paper ballots (the VVPAT).
c)
Comparison of electronic tallies to
independently-
counted
tallies of the VVPAT.
d)
People who are willing and able to perform the
comparisons
of electronic and paper ballots, and
electronic
and paper tallies.
5. The problem
is political, not technical.
a. We still have the chance for a
verifiable, accessible,
election systems
in November, 2004.
1)
To develop voting systems that are accessible,
secure,
and
useable in real-world elections requires the
combined
efforts of accessibility advocates, computer
technologists,
and election officials.
1)
Failure to understand the problems with DREs, as well
as
resistance to learning about them, has delayed the
demand for
and development of secure, accessible,
useable
systems.
2)
The problem is political not technical -- technology that
could
achieve such systems has existed for many years.
b. Voters who recognize the threat to
election integrity posed
by
unverifiable computer systems have called for the use of
paper absentee
ballots. Loss of voter confidence in the
integrity of
upcoming elections can be measure by how
widespread
this call is.
c. Individuals, organizations, and
institutions that should
respond to issues and challenges with careful attention
to truth have
dismissed warnings about DREs with put-offs and
put-downs.
The following responses to warnings
about DREs are political.
They demean those who respond, because
they evade the issue of
security, and
embrace "trust-me" democracy, "can't do"
attitudes,
ad-hominem insults, and defense of inaccuracy/fraud
in elections:
1)
"I trust the computer."
2)
"The computer is trustworthy."
3)
"You don't care about my private and independent vote."
4)
"Technologists are bad people (geeks, Luddites,
not as
concerned about democracy or my vote as I am)."
5)
"Elections are never perfect, and we have to accept that."
6)
"There are other problems. If we address them, we don't
have to
address the security problem."
7)
"We can't do anything other than what we are already
doing, or are
planning to do."
8)
"There's no way to solve the problems with our elections."
9)
"We can't possibly count ballots by hand or optical
scanner."
10) "We can spend millions for computers
and vendor service
contracts
but we can't hire enough workers to oversee
the
vendor's work or perform election auditing tasks."
11) "We have never detected an
undetected error in our
electronically stored
ballots or our vote tallies."
# # #
____________________________________
Definitions and Abbreviations:
BoE, Board of
Election.
DRE,
"Direct Recording Electronic," a computerized voting system such
as those with touch screens.
DRM,
"Direct Recording Mechanical," a mechanical lever-type voting
machine.
IT, Information Technology, that part of the computer industry that deals
with computerized information management and processing for business,
industry, government, and other entities such as universities.
VVPAT,
Voter-verified paper audit trail.
VVPAT consists of marked
ballots recorded in a permanent,
unalterable way on physical
material (such as paper); VVPAT
requires each voter to have an
opportunity to inspect his/her ballot
and confirm that it is
accurate, or have it
"spoiled" and create a new ballot. All
ballots, once cast, must stored in a secure
ballot box until
used in an audit procedure.