http://www.wheresthepaper.org/ElectionLawDec20.htm
Teresa Hommel
www.wheresthepaper.org
Statement Against the Acquisition and Use
of
Electronic Voting Systems in New York
Before the Assembly Committee on Election
Law
December 20, 2004
Thank you for
the opportunity to appear before you today. My name is Teresa Hommel. I have
been working as a citizen activist on the subject of electronic voting for the
last 18 months. My professional credentials are that I have worked with
computers since 1967 as a programmer, technical writer, corporate trainer, and
consultant.
I will
address the selected issue “What lessons should New York take from the
experience of the 2004 election to ensure electoral access and participation,
particularly with regard to the implementation of HAVA and NVRA?
I caution
New York against passing any law that would allow our state to move forward
with the purchase and use of electronic voting systems that are either
unverifiable, or allowed to be used without verification.
I recommend
two alternatives to electronic voting: One is to keep our old lever machines,
and add one accessible ballot-marking device per polling place. The other is to
switch to paper ballots and precinct-count optical scanners, with one
accessible ballot-marking device per polling place. Electronic voting systems
already in use should be required to add printers to produce voter-verifiable
paper ballots, and Boards of Election must be required to audit each computer’s
work by counting the voter-verified paper ballots and reconciling differences
between the computer and paper tallies.
My comments
are organized as answers to several questions.
A. What are
the requirements for legitimate, democratic elections?
B. What
happened in New York state on November 2 in regard to computerized elections?
C. Can
computers serve the requirements for legitimate, democratic elections? If so,
how?
D. What are
the problems with surprise random recounts?
E. Can
Boards of Elections manage secure computerized voting and vote tabulating
systems?
F. Should
all voters use the same exact voting technology?
G. What are
the alternatives to computerized elections?
A. What are
the requirements for legitimate, democratic elections?
Elections are
about the will of the people selecting our public servants.
Legitimacy
of elections, and our representative government, requires that ordinary people
can participate in the conduct of elections and oversee election procedures.
Any obstacle to participation, observation, and ability to verify election
results undermines our democracy.
B. What
happened in New York state on November 2 in regard to computerized elections?
On November
2, Saratoga county conducted its election, in part, with electronic voting
equipment that prevented multipartisan observation and confirmation of election
tallies.
I spoke to
some voters in that county who were uncomfortable with the use of unverifiable
voting equipment. Also, one voter feared that the machine might be switching
votes from one candidate to another in its internal memory, and that the
machine might accidentally allow some voters to cast more than one ballot. The
town clerk of Clifton Park said that no such problems had been reported.
Nevertheless,
the voters had a sense of unease and suspicion.
C. Can
computers serve the requirements for legitimate, democratic elections? If so,
how?
Dr. Rebecca
Mercuri developed the concept of the voter-verified paper audit trail, or
VVPAT. VVPAT was intended to solve two problems with computerized elections.
First, a
voter can't tell if his or her ballot is being correctly recorded in computer
memory.
Second, no
one can observe the computer’s internal tally process or confirm its accuracy.
The proper
use of the VVPAT converts both vote-recording and vote-tallying to paper-based
procedures, which enables ordinary people to observe.
During the
election, the voter-verified paper ballot enables each voter to observe that
his or her votes are recorded correctly on paper (a permanent, non-electronic
material).
After the
election, an audit of the VVPAT enables election observers to observe that the
votes on paper ballots are tallied correctly, and that any discrepancies between
electronic tallies and paper tallies are reconciled.
An audit is
more than a recount. It starts with a recount, but then all discrepancies
between the computer tally and paper tally are reconciled.
Dr. Douglas
Jones of the University of Iowa and three-time chairman of Iowa's board of
voting system examiners, in a recent email, described the
reconciliation/investigation that would reconcile discrepancies between the
computer and VVPAT vote tallies.
The electronic record and the printed record are both viewed as
fallible and subject to subversion. A
hacker can hack into a computer and corrupt data. A counterfeiter can print up counterfeit ballots and swap them
for the real ones. We can adopt
technical means to defend against either attack, but if we adopt laws that say:
In the event of a disagreement, the paper dominates.
Then all you need is a good counterfeiter, while if your rules say
In the event of a
disagreement, the electronic copy dominates.
Then, all you need is a good hacker. The rule I would prefer to see says:
In the event of a disagreement, an investigation must be
initiated in order to
determine which copy is most likely to be correct...
The rules could go on at length about what other things to
examine, such as poll books, event logs, exit polls, and other evidence that
could serve to corroborate one or the other copy.
In February,
2004, both our NY State Assembly and Senate passed bills that would require
electronic voting systems to provide VVPAT.
This would
enable each voter to observe the correct recording of his or her ballot on
paper. That's good.
But neither
bill required an audit. That's a problem. The bills required 2% and 3% surprise
random recounts, respectively, and did not require 100% accuracy.
D. What are
the problems with surprise random recounts?
1.
Trust-the-statistician vs. observation. If observers can watch a count of 2% of the ballots cast, then
your election has 2% legitimacy.
There are
discussions about "statistically significant percentages" on the
internet now, as experts try to analyze the November election, but I am not a
statistician and these discussions leave me in the dust. Voters like me would
be forced to trust the statisticians that 2% is a statistically significant percentage,
because we couldn't check the math or confirm a theory of statistical
significance.
In effect, a
degree in math, statistics, or computer science would become the new "poll
tax" for voter confidence and election transparency.
Of course I
would rather trust Albert Einstein than a technician from Sequoia, ES&S, or
Diebold. But I would rather not have to trust anyone except my local bipartisan
or multipartisan election observers, who are ordinary citizens.
2. Corporate
control. With a 2%
recount, 98% of vote counting would be in private rather than public hands,
raising questions of corporate partisanship, as well as motivation and
opportunity for fraud.
3. Certain
types of computer errors and fraud may not show up in small recounts. These include:
a. Intermittent errors or fraud
triggered by particular combinations of votes and/or particular ballot designs.
b. Legally "insignificant"
vote switches per machine. A recent Yale Study showed that with a single
statewide system, centralized manipulation is facilitated and can swing
elections with one or two vote switches per machine. The study and commentary
are attached, and also online.
Commentary on Yale Study
http://www.wheresthepaper.org/CACM_YaleStudy.htm
Yale Study http://www.wheresthepaper.org/p43_di_franco.pdf
4. Creation
of two classes of voters. 2%
of voters would cast ballots that were confirmed to be tallied correctly. 98%
of voters would cast ballots that were not.
5. In
effect, the requirement for small surprise random recounts mandates unverified
elections. It also
puts the onus on candidates, voters, and political parties to pay for recounts,
or struggle in the courts for the right to verify an election. Honest elections
have to start out with observable procedures.
6. Most
disturbing to me, as a computer professional, is that electronic voting and
vote tabulating systems are being treated as an exception to professional
Information Technology standards. In my work with hundreds of companies and governmental agencies
since 1967, every comparable computer system that I have seen or heard about in
professional use is 100% audited, and discrepancies are reconciled for 100%
accuracy.
It may be
useful to compare the security that we imagine is needed for elections and
banking.
Suppose you
find an error on your bank statement, and you go in with your records, and the
bank officer says, "we didn't audit your account this month, because our
statistically significant random check said we were accurate enough." That
is ridiculous.
Many people
understand that 100% audits with 100% accuracy are needed to prevent or detect
financial fraud, but don't carry this idea over into the world of elections. In
my professional opinion, audits are needed in both worlds for the same reason.
We face an
unspoken argument here.
It is that
elections CANNOT be held to ordinary, routine Information Technology standards.
This idea is based on the unspoken acknowledgement that Boards of Election in
real life cannot perform such audits. They lack not only the intention or will,
but the legal mandate, expertise, staff, and funding.
Moreover,
the need for a secret ballot eliminates the use of most auditing techniques
used by banks, such as tracking numbers. The secret ballot is the reason why
audits of elections need to use voter-verified non-electronic records of the
votes, in other words, voter-verified paper ballots.
E. Can
Boards of Elections manage secure computerized voting and vote tabulating
systems?
My answer is
no, because with a few exceptions I see legislatures refusing to mandate, and
Boards of Elections refusing to perform, audits according to ordinary
professional standards. I've already said that in the professional world, we do
audits because that is the only thing that works. Computer security is defined
as "the results of normal operation are proved correct by independent
audit."
Elections
are not a court of law where a piece of technology is assumed accurate until
proven inaccurate. When people insist on starting out with the premise that
computers are accurate until proven otherwise, we are seeing something very
wrong, and dangerous.
People have
proposed to perform a variety of activities instead of audits of ballots and
tallies. Here are some of the problems.
1.
Certification and inspection of hardware and software, and keeping escrow
copies of software, cannot ensure security.
Certification
and inspection, if accompanied by correction of all errors that are found, can
reduce discrepancies and computer errors found during an audit.
However,
security of computer systems cannot be, and never has been, achieved by
testing, reading software, or comparing software escrowed one day to what is in
the computer on another day.
Even
Professor Avi Rubin, the computer security expert who headed the Johns Hopkins
team that wrote the first report revealing the insecurity of Diebold software,
has stated publicly many times that no examination of software of this
complexity can guarantee security. That is why companies audit. It is
incomparably simpler to recount paper ballots, and reconcile discrepancies
between electronic and paper tallies, than to look at software.
http://avirubin.com/vote/analysis/index.html
I repeat,
100% of computer systems comparable to voting systems are 100% audited, and discrepancies
are reconciled to achieve 100% accuracy.
The phrase
"comparable to voting systems" means computer systems that capture
transaction information from the human world into electronic memory (such as an order to purchase by mail order,
or a financial transaction).
Given the
public exposure of voting systems, and the fact that in most cases they are
overseen by non-technical staff, it would be impossible to control what
software is in the computer during the election, or prevent falsification of
electronic ballots and tallies by insiders, or technicians.
Large Boards
of Elections have computer staffs, but these employees aren't running elections
and overseeing the handling of the voting or vote tabulating equipment. Also,
these employees may not be security experts.
2. When
vendor technicians handle systems that the staff does not know, this opens the
door to fraud.
This is
privatization, pure and simple. Technicians gain unsupervised access to voting
and vote tabulating systems with a casual "I need to check the files"
or "I'll just check how it's working."
Two
affidavits from Ohio last week provide an example. A technician said the
computer needed a new battery and took it apart. Dr. Douglas Jones said that
the incident may have compromised the statewide recount. The affidavits are
attached to this statement.
Flash memory
devices pose another danger. These devices now look like wristwatches, pens,
and cigarette lighters, and would be unrecognized by non-technical staff. A
technician who is not supervised by technical staff can copy the entire
election software and data, including ballots and tally sheets, etc., in less
than a minute. Later the technician can return and restore a modified copy of
the software, ballots and tallies. An entire county or state can be affected.
In contrast,
imagine someone walking off with all the ballots for a county or state.
Everyone would understand what they were seeing.
3. Wireless
communications devices in voting and vote tabulating equipment will enable undetectable
modification of software, ballots, and tallies.
Wireless
communications devices in voting and vote tabulating equipment should be
banned. Regular expert inspection of electronic voting systems must be required
to ensure that wireless communications devices do not somehow appear. These
devices allow alteration of all computer programs, ballots, and tallies by
individuals in remote locations. I would expect all Boards of Election to be
demanding such laws, criminal penalties for violation, and funding for
inspections. Instead, I hear nothing.
Dr. Mercuri
told a story once of inspecting a particular machine. The sales material and
the salesman had said there were no communication devices in the voting system.
She asked to look inside the machine; the salesman opened it up, and there was
the wireless communications device. She said, Oh, I see you have a
whatever-it-was. The salesman slammed the unit shut and escorted her to the
door.
F. Should
all voters use the same exact voting technology?
Some people
have suggested that all voters should use exactly the same voting technology.
This may not
be practical or possible, because not all voters require accessibility devices
or non-English language displays.
When voters with
and without disabilities use what we think of as "the same machine,"
they are not using the same software.
Voters with
disabilities will use accessibility attachments. Internally within the machine,
each attachment is managed by a "driver" (software that handles
communication between the computer and the specific accessibility attachment)
that is different from other drivers (such as those for other accessibility
devices, or the touchscreen or buttons used by able voters). A programmer can
easily identify which voters are using each accessibility device. If an insider
or technician wishes to switch the votes of blind voters, for example, these
voters can be identified because of the devices they would be using.
Voters with
non-English languages face similar problems, because each foreign language
requires a separate font. A font is a set of graphic designs for displayable
characters such as letters and numerals. Even Spanish, which has characters
that are mostly the same as English, requires a character consisting of a tilde
over an "n" character, etc.
The separate
font and processing needed for the computer to display non-English language
ballots thus provide the opportunity to identify voters of specific language
groups. There have been allegations that some voting systems are designed to
enable an insider or technician to easily switch the votes by language group.
This is done by inserting some lines of Visual Basic Script programming in the
font files. Such programming might say, for example: if vote = Kerry, add 1 to
Bush-count; if vote = Bush, add 1 to Kerry-count.
Since paper
ballots can be printed in any language, it seems that the ballots of voters
with non-English languages would be more secure if marked by hand or
ballot-marking machine on preprinted paper ballots.
G. What are
the alternatives to computerized elections?
Elections
should not be about computers and computer technology.
Computerized
devices can be used to enable voters with disabilities or non-English languages
to mark or print paper ballots, but I advise against the use of computers to
record ballots.
I support
either one of two solutions for New York.
One is to
keep and maintain our old lever machines, and adding an accessible
ballot-marking device in each polling site. The other is to convert to paper
ballots marked by hand or accessible ballot-marking device in each polling
site, with precinct-count optical scanners.
Optical
scanners are computers, and pose the problem of programming errors, fraud, and
unobservable counting. For example, there were widespread allegations of
falsified tallies from optical scanners in Florida after our November election,
accompanied by refusals by county officials to comply with Freedom of
Information requests to view precinct tally sheets.
Should
optical scanners be 100% audited with multipartisan observation, with 100%
accuracy required? The problems in Florida seem to suggest "yes."
The March
2001 Caltech report called "Revised and Expanded Report: A Preliminary
Assessment of the Reliability of Existing Voting Equipment" said that
hand-marked paper ballots counted by hand or optical scanner rank among the
most reliable of voting systems. This report also said that "the incidence
of [spoiled and unmarked ballots] is highest for voters in counties using punch
cards and electronic machines and is lowest for voters in counties using lever
machines, optically scanned paper ballots, and hand-counted paper
ballots."
Summary:
http://www.hss.caltech.edu/~voting/Executive%20Summary.March30.pdf
Full report:
http://www.hss.caltech.edu/~voting/CalTech_MIT_Report_Version2.pdf
A system
using hand-marked paper ballots, optical scanners, and ballot marking devices
for accessibility is:
1) One of
the most reliable systems available.
2) Inherently
voter-verified.
3)
Incorporates paper ballots that are easy to hand-count where necessary.
4)
Precinct-based optical scanners allow automated counting to satisfy election
officials.
5)
Ballot-marking devices meet multilingual and accessibility needs.
6) For
New York State, it's less expensive
than Direct Recording Electronic systems with VVPAT, both in initial purchase
costs and ongoing maintenance.
Are
computerized elections a political problem?
A woman came
up to me at a meeting and wanted to tell me why she opposed electronic voting.
She said, "I work with Microsoft Windows. My system crashes at least once
a day." Many people have trouble with their Windows PCs, and the systems
are notoriously insecure, but several of our major vendors have built their
voting systems on top of Windows.
The
Resolution on Electronic Voting, endorsed by thousands of computer
technologists, says "Computerized voting equipment is inherently subject
to programming error, equipment malfunction, and malicious tampering."
http://www.verifiedvoting.org/article.php?id=5028
Every study
of electronic voting has said that systems from the major vendors are insecure
and of poor quality. http://www.wheresthepaper.org/links.html#sec
For example,
the RABA report commissioned by the state of Maryland, said, "Given either
physical or remote access ... it is possible to modify the GEMS database. ...
without detection. Furthermore, system auditing is not configured to detect
access to the database." Page 21. http://www.raba.com/press/TA_Report_AccuVote.pdf
A study by
Findlaw showed that in September, 2004, 42% of Americans distrusted electronic
voting.
http://company.findlaw.com/pr/2004/090704.electronicvoting.html
A continuous
flow of bad news from around our country tells us that these systems don’t
work.
To keep
informed you can subscribe to a daily email of voting news from
VotersUnite.org. This group also publishes voting news at
http://www.votersunite.org/electionproblems.asp and at http://www.votersunite.org/info/messupsbyvendor.asp A printout of the latter is attached.
In spite of
all this, it appears that few government officials with responsibility for
elections are paying attention to the constant stream of warnings about
electronic voting, and the expressed distrust by voters. The major media and
some officials, even here in New York, still want to convert to electronic
voting. This is bizarre, and I cannot understand it.
New Yorkers
have a real need. We need election systems that work, and that can be managed by
the kind of staffs who work for our Boards of Election across our state, and
that can be overseen by ordinary citizens -- because multipartisan citizen
oversight is the only thing that ensures election integrity.
Computers can
be made to work reliably, but that's not what I'm seeing with electronic
voting. I'm seeing computers used incorrectly, and a lot of excuses about why
that's how it has to be. I urge New York not to destroy our decent election
system by converting to electronic voting.