May 30, 2004
DRE Voting Systems as currently sold
are a Danger to Democracy
1. The security problems with these machines are not widely-enough
recognized or understood, and as a result these machines have
been put in place for use by an estimated 30% of American voters
in November 2004.
a. Lack of technical knowledge about computers, computer
security, and Information Technology ("IT") standards has
prevented timely recognition and understanding of the dangers
posed by unauditable DREs.
b. Most average voters, accessibility advocates, and election
officials have assumed that DREs have the same kinds of
security features and behind-the-scene processing that assure
the correctness of transactions conducted with ATMs, ticket
kiosks, etc., but this is not true.
1) DREs do not have end-of-election reconciliation procedures
comparable to end-of-day reconciliation procedures
performed by bank tellers, retail cashiers, etc.
2) Capturing information from the human world into the
computer is error-prone. For this reason, both the
electronic records of all ballots cast and the final
tallies tabulated from those ballots should be subject
to ordinary professional-quality IT reconciliation. At
present, however, vendors claim that such procedures
are unnecessary, and BoE do not want to perform them.
3) In effect, BoEs want to delegate the work of recording
and tabulating votes to the computers, and do not wish
to provide the oversight that they would recognize as
necessary if they delegated these tasks to people. Yet
the computer is only a mechanism created by people, and
requires similar oversight -- which is provided, in the
IT world, by end-of-day reconciliation, also called
c. Due to lack of knowledge about computers and IT standards,
many BOEs have accepted the use of computers without
arms-length evaluation of:
1) Vendor's claims about their products
2) Certification reports
3) The many failures of computerized voting systems (these
have been trivialized as "glitches" by vendors who insist,
without providing any factual evidence, that election
outcomes have not been affected).
2. "Trust-me" elections are contrary to democracy.
a. DREs prevent human oversight of ballot-recording and vote-
b. Most DREs offer no way to independently confirm correct
recording of ballots or correct tabulation of final tallies.
c. Even if DREs produce a voter-verified paper audit trail
so that independent confirmation of ballot recording and
tabulation is possible by performing an ordinary business-
style audit procedure, BoEs lack the resources needed to
perform such procedures, and wish to limit them efforts to
recounts of a tiny percentage of randomly selected precincts.
c. It is inappropriate for voters in a democracy to accept
d. If an open door to election fraud exists, history suggests
that fraud will surely occur.
3. DREs are more easily corrupted than DRMs (Direct Recording
Mechanical lever machines).
a. Length of access time required to corrupt one or more machines
versus magnitude of effect.
1) To corrupt DRMs requires one person to have access for
minutes or hours to each machine.
2) To corrupt the software, recorded ballots, or final
tallies in all DREs in the USA that were made by a
particular vendor requires:
a) One insider or hacker to have less than a second
access per DRE (by using an automated script in one
computer anywhere in the world), or
b) One insider who has no access to the DREs, but who
distributes a corrupt "patch" which the vendor's
technicians install with or without knowing that it
is corrupt. This could have happened in Georgia, 2002,
because the software in the Diebold systems was
replaced repeatedly up to two days prior to the
3) Multiple studies have revealed the ease of access and
corruption of DRE election systems.
b. Ease versus difficulty to detect corruption.
1) With a week of training, one person can inspect DRMs
and find corruption within minutes or hours.
2) With years of training, one person can inspect DREs
for years and not find all corruption in the software.
c. "Public oversight" provided by government employees versus
inability to oversee (defacto privatization of elections).
1) BOEs have many competent workers who can safeguard
and fix DRMs.
2) BOEs have few/no competent workers who can safeguard
and fix DREs, or oversee the work of vendors (thus, use
of DREs requires dependence on service contracts and
"trust-me" relationship to vendors).
3) Major vendors have sold their equipment only with
trade secret agreements that prevent public inspection
of the voting system, including hardware, software, etc.
4) Comment: Recent news reports reveal the dependence of
BOEs on their vendor's technicians. BOEs lack expertise
to oversee the work performed by these technicians.
A corrupt version of software can be used without anyone
5) Why Open-Source software must be required: Unless all
software used in electronic voting and vote-tabulating
systems is openly available for inspection (for example
by being posted on the web sites of BoEs), use of
electronic voting and vote-tabulating systems causes
defacto privatization of elections. This is because:
a) Voters are forced to "trust" BoEs to know how ballot
recording and tabulating is conducted, but
b) BoEs are forced (due to their lack of appropriate IT
expertise and resources) to "trust" their vendors.
c) Only vendors know or control how ballot recording and
tabulating is conducted.
6) Open-Source software is essential but not a panacea,
due to the ease of changing what software is in an
electronic system without people noticing or being able
to detect the change later (this is what happens with
computer viruses, etc.).
4. What knowledge or perspective is lacking?
a. The world of information technology (IT) has standards for
auditing and security, developed over decades of working
with computer systems. Most DREs don't meet these standards.
1) Auditing means any verification, reconciliation or
feedback mechanism that allows independent confirmation
of the accuracy of recorded data and processing results.
2) Security means that the results of normal operation
can be proven correct by independent audit.
b. The IT world recognizes that the capture and processing of
transaction information is error-prone and must be confirmed
by audit. (No one "trusts" transaction-capturing and
-processing computers, we audit them and trust the audit.)
1) To confirm accurate data-capture and processing, you must
compare computer results to independently-created
results that do not depend on the computer's veracity.
2) If the transaction consists of votes on a ballot, we
need a secret ballot that does not identify the voter.
This limits the kinds of auditing mechanisms that can be
used. For example, you cannot use a tracking number that
identifies the voter who cast the ballot.
3) To audit an election conducted with DREs would require:
a) DREs would have to create and allow retention of the
VVPAT. DREs without VVPAT prevent auditing.
b) Comparison of electronically-recorded ballots to
voter-verified paper ballots (the VVPAT).
c) Comparison of electronic tallies to independently-
counted tallies of the VVPAT.
d) People who are willing and able to perform the
comparisons of electronic and paper ballots, and
electronic and paper tallies.
5. The problem is political, not technical.
a. We still have the chance for a verifiable, accessible,
election systems in November, 2004.
1) To develop voting systems that are accessible, secure,
and useable in real-world elections requires the
combined efforts of accessibility advocates, computer
technologists, and election officials.
1) Failure to understand the problems with DREs, as well
as resistance to learning about them, has delayed the
demand for and development of secure, accessible,
2) The problem is political not technical -- technology that
could achieve such systems has existed for many years.
b. Voters who recognize the threat to election integrity posed
by unverifiable computer systems have called for the use of
paper absentee ballots. Loss of voter confidence in the
integrity of upcoming elections can be measure by how
widespread this call is.
c. Individuals, organizations, and institutions that should
respond to issues and challenges with careful attention
to truth have dismissed warnings about DREs with put-offs and
The following responses to warnings about DREs are political.
They demean those who respond, because they evade the issue of
security, and embrace "trust-me" democracy, "can't do"
attitudes, ad-hominem insults, and defense of inaccuracy/fraud
1) "I trust the computer."
2) "The computer is trustworthy."
3) "You don't care about my private and independent vote."
4) "Technologists are bad people (geeks, Luddites,
not as concerned about democracy or my vote as I am)."
5) "Elections are never perfect, and we have to accept that."
6) "There are other problems. If we address them, we don't
have to address the security problem."
7) "We can't do anything other than what we are already
doing, or are planning to do."
8) "There's no way to solve the problems with our elections."
9) "We can't possibly count ballots by hand or optical
10) "We can spend millions for computers and vendor service
contracts but we can't hire enough workers to oversee
the vendor's work or perform election auditing tasks."
11) "We have never detected an undetected error in our
electronically stored ballots or our vote tallies."
# # #
Definitions and Abbreviations:
BoE, Board of Election.
DRE, "Direct Recording Electronic," a computerized voting system such
as those with touch screens.
DRM, "Direct Recording Mechanical," a mechanical lever-type voting
IT, Information Technology, that part of the computer industry that deals
with computerized information management and processing for business,
industry, government, and other entities such as universities.
VVPAT, Voter-verified paper audit trail. VVPAT consists of marked
ballots recorded in a permanent, unalterable way on physical
material (such as paper); VVPAT requires each voter to have an
opportunity to inspect his/her ballot and confirm that it is
accurate, or have it "spoiled" and create a new ballot. All
ballots, once cast, must stored in a secure ballot box until
used in an audit procedure.