Teresa Hommel

www.wheresthepaper.org/DREsAreDanger.htm

May 30, 2004

 

 

 

 

DRE Voting Systems as currently sold

are a Danger to Democracy

 

 

 

1.  The security problems with these machines are not widely-enough

    recognized or understood, and as a result these machines have

    been put in place for use by an estimated 30% of American voters

    in November 2004.

 

    a.  Lack of technical knowledge about computers, computer

        security, and Information Technology ("IT") standards has

        prevented timely recognition and understanding of the dangers

        posed by unauditable DREs.

 

    b.  Most average voters, accessibility advocates, and election

        officials have assumed that DREs have the same kinds of

        security features and behind-the-scene processing that assure

        the correctness of transactions conducted with ATMs, ticket

        kiosks, etc., but this is not true.

 

        1)  DREs do not have end-of-election reconciliation procedures

            comparable to end-of-day reconciliation procedures

            performed by bank tellers, retail cashiers, etc.

 

        2)  Capturing information from the human world into the

            computer is error-prone. For this reason, both the

            electronic records of all ballots cast and the final

            tallies tabulated from those ballots should be subject

            to ordinary professional-quality IT reconciliation. At

            present, however, vendors claim that such procedures

            are unnecessary, and BoE do not want to perform them.

 

        3)  In effect, BoEs want to delegate the work of recording

            and tabulating votes to the computers, and do not wish

            to provide the oversight that they would recognize as

            necessary if they delegated these tasks to people. Yet

            the computer is only a mechanism created by people, and

            requires similar oversight -- which is provided, in the

            IT world, by end-of-day reconciliation, also called

            auditing.

 

    c.  Due to lack of knowledge about computers and IT standards,

        many BOEs have accepted the use of computers without

        arms-length evaluation of:

 

        1) Vendor's claims about their products

 

        2) Certification reports

 

        3) The many failures of computerized voting systems (these

           have been trivialized as "glitches" by vendors who insist,

           without providing any factual evidence, that election

           outcomes have not been affected).

 

2.  "Trust-me" elections are contrary to democracy.

 

    a.  DREs prevent human oversight of ballot-recording and vote-

        tabulating.

 

    b.  Most DREs offer no way to independently confirm correct

        recording of ballots or correct tabulation of final tallies.

 

    c.  Even if DREs produce a voter-verified paper audit trail

        so that independent confirmation of ballot recording and

        tabulation is possible by performing an ordinary business-

        style audit procedure, BoEs lack the resources needed to

        perform such procedures, and wish to limit them efforts to

        recounts of a tiny percentage of randomly selected precincts.

 

    c.  It is inappropriate for voters in a democracy to accept

        "trust-me" elections.

 

    d.  If an open door to election fraud exists, history suggests

        that fraud will surely occur.

 

3.  DREs are more easily corrupted than DRMs (Direct Recording

    Mechanical lever machines).

 

    a.  Length of access time required to corrupt one or more machines

        versus magnitude of effect.

 

        1)  To corrupt DRMs requires one person to have access for

            minutes or hours to each machine.

 

        2)  To corrupt the software, recorded ballots, or final

            tallies in all DREs in the USA that were made by a

            particular vendor requires:

 

            a)  One insider or hacker to have less than a second

                access per DRE (by using an automated script in one

                computer anywhere in the world), or

 

            b)  One insider who has no access to the DREs, but who

                distributes a corrupt "patch" which the vendor's

                technicians install with or without knowing that it

                is corrupt. This could have happened in Georgia, 2002,

                because the software in the Diebold systems was

                replaced repeatedly up to two days prior to the

                election.

 

        3)  Multiple studies have revealed the ease of access and

            corruption of DRE election systems.

 

    b.  Ease versus difficulty to detect corruption.

 

        1)  With a week of training, one person can inspect DRMs

            and find corruption within minutes or hours.

 

        2)  With years of training, one person can inspect DREs

            for years and not find all corruption in the software.

 

    c.  "Public oversight" provided by government employees versus

         inability to oversee (defacto privatization of elections).

 

        1)  BOEs have many competent workers who can safeguard

            and fix DRMs.

 

        2)  BOEs have few/no competent workers who can safeguard

            and fix DREs, or oversee the work of vendors (thus, use

            of DREs requires dependence on service contracts and

            "trust-me" relationship to vendors).

 

        3)  Major vendors have sold their equipment only with

            trade secret agreements that prevent public inspection

            of the voting system, including hardware, software, etc.

 

        4)  Comment: Recent news reports reveal the dependence of

            BOEs on their vendor's technicians. BOEs lack expertise

            to oversee the work performed by these technicians.

            A corrupt version of software can be used without anyone

            noticing.

 

        5)  Why Open-Source software must be required: Unless all

            software used in electronic voting and vote-tabulating

            systems is openly available for inspection (for example

            by being posted on the web sites of BoEs), use of

            electronic voting and vote-tabulating systems causes

            defacto privatization of elections. This is because:

 

            a)  Voters are forced to "trust" BoEs to know how ballot

                recording and tabulating is conducted, but

 

            b)  BoEs are forced (due to their lack of appropriate IT

                expertise and resources) to "trust" their vendors.

 

            c)  Only vendors know or control how ballot recording and

                tabulating is conducted.

 

        6)  Open-Source software is essential but not a panacea,

            due to the ease of changing what software is in an

            electronic system without people noticing or being able

            to detect the change later (this is what happens with

            computer viruses, etc.).

 

4.  What knowledge or perspective is lacking?

 

    a.  The world of information technology (IT) has standards for

        auditing and security, developed over decades of working

        with computer systems. Most DREs don't meet these standards.

 

        1)  Auditing means any verification, reconciliation or

            feedback mechanism that allows independent confirmation

            of the accuracy of recorded data and processing results.

 

        2)  Security means that the results of normal operation

            can be proven correct by independent audit.

 

    b.  The IT world recognizes that the capture and processing of

        transaction information is error-prone and must be confirmed

        by audit. (No one "trusts" transaction-capturing and

        -processing computers, we audit them and trust the audit.)

 

        1)  To confirm accurate data-capture and processing, you must

            compare computer results to independently-created

            results that do not depend on the computer's veracity.

 

        2)  If the transaction consists of votes on a ballot, we

            need a secret ballot that does not identify the voter.

            This limits the kinds of auditing mechanisms that can be

            used. For example, you cannot use a tracking number that

            identifies the voter who cast the ballot.

 

        3)  To audit an election conducted with DREs would require:

 

            a)  DREs would have to create and allow retention of the

                VVPAT. DREs without VVPAT prevent auditing.

 

            b)  Comparison of electronically-recorded ballots to

                voter-verified paper ballots (the VVPAT).

       

            c)  Comparison of electronic tallies to independently-

                counted tallies of the VVPAT.

 

            d)  People who are willing and able to perform the

                comparisons of electronic and paper ballots, and

                electronic and paper tallies.

 

5.  The problem is political, not technical.   

 

    a.  We still have the chance for a verifiable, accessible,

        election systems in November, 2004.

 

        1)  To develop voting systems that are accessible, secure,

            and useable in real-world elections requires the

            combined efforts of accessibility advocates, computer

            technologists, and election officials.

 

        1)  Failure to understand the problems with DREs, as well

            as resistance to learning about them, has delayed the

            demand for and development of secure, accessible,

            useable systems.

 

        2)  The problem is political not technical -- technology that

            could achieve such systems has existed for many years.

 

    b.  Voters who recognize the threat to election integrity posed

        by unverifiable computer systems have called for the use of

        paper absentee ballots. Loss of voter confidence in the

        integrity of upcoming elections can be measure by how

        widespread this call is.

   

    c.  Individuals, organizations, and institutions that should

        respond to issues and challenges with careful attention

        to truth have dismissed warnings about DREs with put-offs and

        put-downs.

 

        The following responses to warnings about DREs are political.

        They demean those who respond, because they evade the issue of

        security, and embrace "trust-me" democracy, "can't do"

        attitudes, ad-hominem insults, and defense of inaccuracy/fraud

        in elections:

 

        1)  "I trust the computer."

 

        2)  "The computer is trustworthy."

 

        3)  "You don't care about my private and independent vote."

 

        4)  "Technologists are bad people (geeks, Luddites,

            not as concerned about democracy or my vote as I am)."

   

        5)  "Elections are never perfect, and we have to accept that."

 

        6)  "There are other problems. If we address them, we don't

            have to address the security problem."

 

        7)  "We can't do anything other than what we are already

            doing, or are planning to do."

 

        8)  "There's no way to solve the problems with our elections."

 

        9)  "We can't possibly count ballots by hand or optical

            scanner."

 

        10) "We can spend millions for computers and vendor service

            contracts but we can't hire enough workers to oversee

            the vendor's work or perform election auditing tasks."

 

        11) "We have never detected an undetected error in our

            electronically stored ballots or our vote tallies."

 

 

 

 

# # #

 

____________________________________

 

Definitions and Abbreviations:

 

BoE, Board of Election.

 

DRE, "Direct Recording Electronic," a computerized voting system such

     as those with touch screens.

 

DRM, "Direct Recording Mechanical," a mechanical lever-type voting

     machine.

 

IT, Information Technology, that part of the computer industry that deals

      with computerized information management and processing for business,

      industry, government, and other entities such as universities.

 

VVPAT, Voter-verified paper audit trail. VVPAT consists of marked

     ballots recorded in a permanent, unalterable way on physical

     material (such as paper); VVPAT requires each voter to have an

     opportunity to inspect his/her ballot and confirm that it is

     accurate, or have it "spoiled" and create a new ballot. All

     ballots, once cast, must stored in a secure ballot box until

     used in an audit procedure.