http://www.wheresthepaper.org/ElectionLawDec20.htm

 

 

Teresa Hommel

www.wheresthepaper.org

 

Statement Against the Acquisition and Use of

Electronic Voting Systems in New York

 

Before the Assembly Committee on Election Law

December 20, 2004

 

 

Thank you for the opportunity to appear before you today. My name is Teresa Hommel. I have been working as a citizen activist on the subject of electronic voting for the last 18 months. My professional credentials are that I have worked with computers since 1967 as a programmer, technical writer, corporate trainer, and consultant.

 

I will address the selected issue ďWhat lessons should New York take from the experience of the 2004 election to ensure electoral access and participation, particularly with regard to the implementation of HAVA and NVRA?

 

I caution New York against passing any law that would allow our state to move forward with the purchase and use of electronic voting systems that are either unverifiable, or allowed to be used without verification.

 

I recommend two alternatives to electronic voting: One is to keep our old lever machines, and add one accessible ballot-marking device per polling place. The other is to switch to paper ballots and precinct-count optical scanners, with one accessible ballot-marking device per polling place. Electronic voting systems already in use should be required to add printers to produce voter-verifiable paper ballots, and Boards of Election must be required to audit each computerís work by counting the voter-verified paper ballots and reconciling differences between the computer and paper tallies.

 

My comments are organized as answers to several questions.

 

A. What are the requirements for legitimate, democratic elections?

B. What happened in New York state on November 2 in regard to computerized elections?

C. Can computers serve the requirements for legitimate, democratic elections? If so, how?

D. What are the problems with surprise random recounts?

E. Can Boards of Elections manage secure computerized voting and vote tabulating systems?

F. Should all voters use the same exact voting technology?

G. What are the alternatives to computerized elections?

 

 

 

A. What are the requirements for legitimate, democratic elections?

 

Elections are about the will of the people selecting our public servants.

 

Legitimacy of elections, and our representative government, requires that ordinary people can participate in the conduct of elections and oversee election procedures. Any obstacle to participation, observation, and ability to verify election results undermines our democracy.

 

 

B. What happened in New York state on November 2 in regard to computerized elections?

 

On November 2, Saratoga county conducted its election, in part, with electronic voting equipment that prevented multipartisan observation and confirmation of election tallies.

 

I spoke to some voters in that county who were uncomfortable with the use of unverifiable voting equipment. Also, one voter feared that the machine might be switching votes from one candidate to another in its internal memory, and that the machine might accidentally allow some voters to cast more than one ballot. The town clerk of Clifton Park said that no such problems had been reported.

 

Nevertheless, the voters had a sense of unease and suspicion.

 

 

C. Can computers serve the requirements for legitimate, democratic elections? If so, how?

 

Dr. Rebecca Mercuri developed the concept of the voter-verified paper audit trail, or VVPAT. VVPAT was intended to solve two problems with computerized elections.

 

First, a voter can't tell if his or her ballot is being correctly recorded in computer memory.

Second, no one can observe the computerís internal tally process or confirm its accuracy.

 

The proper use of the VVPAT converts both vote-recording and vote-tallying to paper-based procedures, which enables ordinary people to observe.

 

During the election, the voter-verified paper ballot enables each voter to observe that his or her votes are recorded correctly on paper (a permanent, non-electronic material).

 

After the election, an audit of the VVPAT enables election observers to observe that the votes on paper ballots are tallied correctly, and that any discrepancies between electronic tallies and paper tallies are reconciled.

 

An audit is more than a recount. It starts with a recount, but then all discrepancies between the computer tally and paper tally are reconciled.

 

Dr. Douglas Jones of the University of Iowa and three-time chairman of Iowa's board of voting system examiners, in a recent email, described the reconciliation/investigation that would reconcile discrepancies between the computer and VVPAT vote tallies.

 

The electronic record and the printed record are both viewed as fallible and subject to subversion.A hacker can hack into a computer and corrupt data.A counterfeiter can print up counterfeit ballots and swap them for the real ones.We can adopt technical means to defend against either attack, but if we adopt laws that say:

 

††††††††† In the event of a disagreement, the paper dominates.

 

Then all you need is a good counterfeiter, while if your rules say

 

†††††††††† In the event of a disagreement, the electronic copy dominates.

 

Then, all you need is a good hacker.The rule I would prefer to see says:

 

††††††††† In the event of a disagreement, an investigation must be initiated in order to

determine which copy is most likely to be correct...

 

The rules could go on at length about what other things to examine, such as poll books, event logs, exit polls, and other evidence that could serve to corroborate one or the other copy.

 

In February, 2004, both our NY State Assembly and Senate passed bills that would require electronic voting systems to provide VVPAT.

 

This would enable each voter to observe the correct recording of his or her ballot on paper. That's good.

 

But neither bill required an audit. That's a problem. The bills required 2% and 3% surprise random recounts, respectively, and did not require 100% accuracy.

 

 

D. What are the problems with surprise random recounts?

 

1. Trust-the-statistician vs. observation. If observers can watch a count of 2% of the ballots cast, then your election has 2% legitimacy.

 

There are discussions about "statistically significant percentages" on the internet now, as experts try to analyze the November election, but I am not a statistician and these discussions leave me in the dust. Voters like me would be forced to trust the statisticians that 2% is a statistically significant percentage, because we couldn't check the math or confirm a theory of statistical significance.

 

In effect, a degree in math, statistics, or computer science would become the new "poll tax" for voter confidence and election transparency.

 

Of course I would rather trust Albert Einstein than a technician from Sequoia, ES&S, or Diebold. But I would rather not have to trust anyone except my local bipartisan or multipartisan election observers, who are ordinary citizens.

 

2. Corporate control. With a 2% recount, 98% of vote counting would be in private rather than public hands, raising questions of corporate partisanship, as well as motivation and opportunity for fraud.

 

3. Certain types of computer errors and fraud may not show up in small recounts. These include:

 

††††††††††† a. Intermittent errors or fraud triggered by particular combinations of votes and/or particular ballot designs.

 

††††††††††† b. Legally "insignificant" vote switches per machine. A recent Yale Study showed that with a single statewide system, centralized manipulation is facilitated and can swing elections with one or two vote switches per machine. The study and commentary are attached, and also online.

 

††††††††††† Commentary on Yale Study††† http://www.wheresthepaper.org/CACM_YaleStudy.htm

††††††††††† Yale Study†† http://www.wheresthepaper.org/p43_di_franco.pdf

 

4. Creation of two classes of voters. 2% of voters would cast ballots that were confirmed to be tallied correctly. 98% of voters would cast ballots that were not.

 

5. In effect, the requirement for small surprise random recounts mandates unverified elections. It also puts the onus on candidates, voters, and political parties to pay for recounts, or struggle in the courts for the right to verify an election. Honest elections have to start out with observable procedures.

 

6. Most disturbing to me, as a computer professional, is that electronic voting and vote tabulating systems are being treated as an exception to professional Information Technology standards. In my work with hundreds of companies and governmental agencies since 1967, every comparable computer system that I have seen or heard about in professional use is 100% audited, and discrepancies are reconciled for 100% accuracy.

 

It may be useful to compare the security that we imagine is needed for elections and banking.

 

Suppose you find an error on your bank statement, and you go in with your records, and the bank officer says, "we didn't audit your account this month, because our statistically significant random check said we were accurate enough." That is ridiculous.

 

Many people understand that 100% audits with 100% accuracy are needed to prevent or detect financial fraud, but don't carry this idea over into the world of elections. In my professional opinion, audits are needed in both worlds for the same reason.

 

We face an unspoken argument here.

 

It is that elections CANNOT be held to ordinary, routine Information Technology standards. This idea is based on the unspoken acknowledgement that Boards of Election in real life cannot perform such audits. They lack not only the intention or will, but the legal mandate, expertise, staff, and funding.

 

Moreover, the need for a secret ballot eliminates the use of most auditing techniques used by banks, such as tracking numbers. The secret ballot is the reason why audits of elections need to use voter-verified non-electronic records of the votes, in other words, voter-verified paper ballots.

 

 

E. Can Boards of Elections manage secure computerized voting and vote tabulating systems?

 

 

My answer is no, because with a few exceptions I see legislatures refusing to mandate, and Boards of Elections refusing to perform, audits according to ordinary professional standards. I've already said that in the professional world, we do audits because that is the only thing that works. Computer security is defined as "the results of normal operation are proved correct by independent audit."

 

Elections are not a court of law where a piece of technology is assumed accurate until proven inaccurate. When people insist on starting out with the premise that computers are accurate until proven otherwise, we are seeing something very wrong, and dangerous.

 

People have proposed to perform a variety of activities instead of audits of ballots and tallies. Here are some of the problems.

 

1. Certification and inspection of hardware and software, and keeping escrow copies of software, cannot ensure security.

 

Certification and inspection, if accompanied by correction of all errors that are found, can reduce discrepancies and computer errors found during an audit.

 

However, security of computer systems cannot be, and never has been, achieved by testing, reading software, or comparing software escrowed one day to what is in the computer on another day.

 

Even Professor Avi Rubin, the computer security expert who headed the Johns Hopkins team that wrote the first report revealing the insecurity of Diebold software, has stated publicly many times that no examination of software of this complexity can guarantee security. That is why companies audit. It is incomparably simpler to recount paper ballots, and reconcile discrepancies between electronic and paper tallies, than to look at software. http://avirubin.com/vote/analysis/index.html

 

I repeat, 100% of computer systems comparable to voting systems are 100% audited, and discrepancies are reconciled to achieve 100% accuracy.

 

The phrase "comparable to voting systems" means computer systems that capture transaction information from the human world into electronic memory(such as an order to purchase by mail order, or a financial transaction).

 

Given the public exposure of voting systems, and the fact that in most cases they are overseen by non-technical staff, it would be impossible to control what software is in the computer during the election, or prevent falsification of electronic ballots and tallies by insiders, or technicians.

 

Large Boards of Elections have computer staffs, but these employees aren't running elections and overseeing the handling of the voting or vote tabulating equipment. Also, these employees may not be security experts.

 

2. When vendor technicians handle systems that the staff does not know, this opens the door to fraud.

 

This is privatization, pure and simple. Technicians gain unsupervised access to voting and vote tabulating systems with a casual "I need to check the files" or "I'll just check how it's working."

 

Two affidavits from Ohio last week provide an example. A technician said the computer needed a new battery and took it apart. Dr. Douglas Jones said that the incident may have compromised the statewide recount. The affidavits are attached to this statement.

 

Flash memory devices pose another danger. These devices now look like wristwatches, pens, and cigarette lighters, and would be unrecognized by non-technical staff. A technician who is not supervised by technical staff can copy the entire election software and data, including ballots and tally sheets, etc., in less than a minute. Later the technician can return and restore a modified copy of the software, ballots and tallies. An entire county or state can be affected.

 

In contrast, imagine someone walking off with all the ballots for a county or state. Everyone would understand what they were seeing.

 

3. Wireless communications devices in voting and vote tabulating equipment will enable undetectable modification of software, ballots, and tallies.

 

Wireless communications devices in voting and vote tabulating equipment should be banned. Regular expert inspection of electronic voting systems must be required to ensure that wireless communications devices do not somehow appear. These devices allow alteration of all computer programs, ballots, and tallies by individuals in remote locations. I would expect all Boards of Election to be demanding such laws, criminal penalties for violation, and funding for inspections. Instead, I hear nothing.

 

Dr. Mercuri told a story once of inspecting a particular machine. The sales material and the salesman had said there were no communication devices in the voting system. She asked to look inside the machine; the salesman opened it up, and there was the wireless communications device. She said, Oh, I see you have a whatever-it-was. The salesman slammed the unit shut and escorted her to the door.

 

 

F. Should all voters use the same exact voting technology?

 

Some people have suggested that all voters should use exactly the same voting technology.

This may not be practical or possible, because not all voters require accessibility devices or non-English language displays.

 

When voters with and without disabilities use what we think of as "the same machine," they are not using the same software.

 

Voters with disabilities will use accessibility attachments. Internally within the machine, each attachment is managed by a "driver" (software that handles communication between the computer and the specific accessibility attachment) that is different from other drivers (such as those for other accessibility devices, or the touchscreen or buttons used by able voters). A programmer can easily identify which voters are using each accessibility device. If an insider or technician wishes to switch the votes of blind voters, for example, these voters can be identified because of the devices they would be using.

 

Voters with non-English languages face similar problems, because each foreign language requires a separate font. A font is a set of graphic designs for displayable characters such as letters and numerals. Even Spanish, which has characters that are mostly the same as English, requires a character consisting of a tilde over an "n" character, etc.

 

The separate font and processing needed for the computer to display non-English language ballots thus provide the opportunity to identify voters of specific language groups. There have been allegations that some voting systems are designed to enable an insider or technician to easily switch the votes by language group. This is done by inserting some lines of Visual Basic Script programming in the font files. Such programming might say, for example: if vote = Kerry, add 1 to Bush-count; if vote = Bush, add 1 to Kerry-count.

 

Since paper ballots can be printed in any language, it seems that the ballots of voters with non-English languages would be more secure if marked by hand or ballot-marking machine on preprinted paper ballots.

 

 

G. What are the alternatives to computerized elections?

 

Elections should not be about computers and computer technology.

 

Computerized devices can be used to enable voters with disabilities or non-English languages to mark or print paper ballots, but I advise against the use of computers to record ballots.

 

I support either one of two solutions for New York.

 

One is to keep and maintain our old lever machines, and adding an accessible ballot-marking device in each polling site. The other is to convert to paper ballots marked by hand or accessible ballot-marking device in each polling site, with precinct-count optical scanners.

 

Optical scanners are computers, and pose the problem of programming errors, fraud, and unobservable counting. For example, there were widespread allegations of falsified tallies from optical scanners in Florida after our November election, accompanied by refusals by county officials to comply with Freedom of Information requests to view precinct tally sheets.

 

Should optical scanners be 100% audited with multipartisan observation, with 100% accuracy required? The problems in Florida seem to suggest "yes."

 

The March 2001 Caltech report called "Revised and Expanded Report: A Preliminary Assessment of the Reliability of Existing Voting Equipment" said that hand-marked paper ballots counted by hand or optical scanner rank among the most reliable of voting systems. This report also said that "the incidence of [spoiled and unmarked ballots] is highest for voters in counties using punch cards and electronic machines and is lowest for voters in counties using lever machines, optically scanned paper ballots, and hand-counted paper ballots."

Summary: http://www.hss.caltech.edu/~voting/Executive%20Summary.March30.pdf

Full report: http://www.hss.caltech.edu/~voting/CalTech_MIT_Report_Version2.pdf

 

A system using hand-marked paper ballots, optical scanners, and ballot marking devices for accessibility is:

1) One of the most reliable systems available.

2) Inherently voter-verified.

3) Incorporates paper ballots that are easy to hand-count where necessary.

4) Precinct-based optical scanners allow automated counting to satisfy election officials.

5) Ballot-marking devices meet multilingual and accessibility needs.

6) For NewYork State, it's less expensive than Direct Recording Electronic systems with VVPAT, both in initial purchase costs and ongoing maintenance.

 

 

Are computerized elections a political problem?

 

A woman came up to me at a meeting and wanted to tell me why she opposed electronic voting. She said, "I work with Microsoft Windows. My system crashes at least once a day." Many people have trouble with their Windows PCs, and the systems are notoriously insecure, but several of our major vendors have built their voting systems on top of Windows.

 

The Resolution on Electronic Voting, endorsed by thousands of computer technologists, says "Computerized voting equipment is inherently subject to programming error, equipment malfunction, and malicious tampering." http://www.verifiedvoting.org/article.php?id=5028

 

Every study of electronic voting has said that systems from the major vendors are insecure and of poor quality. http://www.wheresthepaper.org/links.html#sec

 

For example, the RABA report commissioned by the state of Maryland, said, "Given either physical or remote access ... it is possible to modify the GEMS database. ... without detection. Furthermore, system auditing is not configured to detect access to the database." Page 21. http://www.raba.com/press/TA_Report_AccuVote.pdf

 

A study by Findlaw showed that in September, 2004, 42% of Americans distrusted electronic voting.http://company.findlaw.com/pr/2004/090704.electronicvoting.html

 

A continuous flow of bad news from around our country tells us that these systems donít work.

To keep informed you can subscribe to a daily email of voting news from VotersUnite.org. This group also publishes voting news athttp://www.votersunite.org/electionproblems.aspand at http://www.votersunite.org/info/messupsbyvendor.aspA printout of the latter is attached.

 

In spite of all this, it appears that few government officials with responsibility for elections are paying attention to the constant stream of warnings about electronic voting, and the expressed distrust by voters. The major media and some officials, even here in New York, still want to convert to electronic voting. This is bizarre, and I cannot understand it.

 

New Yorkers have a real need. We need election systems that work, and that can be managed by the kind of staffs who work for our Boards of Election across our state, and that can be overseen by ordinary citizens -- because multipartisan citizen oversight is the only thing that ensures election integrity.

 

Computers can be made to work reliably, but that's not what I'm seeing with electronic voting. I'm seeing computers used incorrectly, and a lot of excuses about why that's how it has to be. I urge New York not to destroy our decent election system by converting to electronic voting.