Rebecca Mercuri,
Ph.D. |
Updated 9/1/10 |
P.O. Box 1166 -- Dept.
EV Philadelphia, PA 19105 |
notable AT
notablesoftware DOT com |
215/327-7105 or
609/587-1886 10AM-6PM U.S. Eastern Time, Mon.-Fri. (Please try the 609 number first) |
www.notablesoftware.com |
I am available for comment, consultation, expert testimony, and lectures on electronic vote tabulation, and can be contacted via the information at the top of this page. Members of the press and researchers seeking interviews and quotation permissions may find it helpful to look at the guidelines posted here. I would appreciate it greatly if calls can be limited to the hours of 10AM - 6PM, U.S. Eastern Time, weekdays.
Follow links to full text of papers and articles. Papers not linked may be available on request. As this website is rather long, I've highlighted certain "must read" papers and articles using red asterisks (*). For a good overview of the subject, search for these first and read the text at their adjacent links.
Statement
I am
adamantly
opposed to the use of fully electronic or Internet-based systems for
use in anonymous balloting and vote tabulation applications. The
reasons
for my opposition are manyfold, and are expressed in my writings as
well as those of other well-respected computer security experts.
At the
present time,
it is my strong recommendation that all election officials REFRAIN from
procuring ANY system that does not provide an indisputable, voter
verified paper ballot.
Communities
have gradually discovered that manually prepared paper balloting
systems, augmented with assistive paper ballot-marking devices for use
by the disabled and those with literacy and language issues, can
typically be procured and maintained for considerably less than half of
the price for a Direct Recording Electronic (DRE) with touch-screen or
push-button input, or DRE/VVPAT (DRE with ballot-printer) system.
Ballot-marking devices do not need to be
electronic or computer-based. Opscan-style ballots can (and should) be
entirely
hand-counted. Paper ballots increase voter confidence by offering the
best in terms of reliability, usability and recountability, as well as
being highly cost-effective.
Since 2003, because of unresolvable problems with the implementation and deployment of the DRE/VVPAT systems, and the difficulties experienced in using the VVPATs in recounts, I have recommended AGAINST the purchase of these devices.
A detailed explanation of these points, along with my suggestions regarding the selection of appropriate voting equipment, is provided in the full text of this statement, available *here*.
Table of Contents
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Danger to Democracy #1National Popular Vote (NPV) legislation has been creeping into state after state. Fot those of you who don't know what it is, NPV, when fully enacted, would MANDATE that states cast their electoral votes, NOT how the voters of those states intended, but rather to the winner of the NATIONAL popular vote. Yup, YOUR electors would be REQUIRED to cast their Presidential votes to the AGGREGATE US highest vote-getter, REGARDLESS of who the winner was in the state itself. I can't imagine how this could even remotely be deemed Constitutional (remember the concept of States' Rights?) but it would likely take a team of Harvard-educated lawyers to argue this point before the U.S. Supreme Court. If enough states (they only need a total of 270 electors) are stupid enough to allow their legislatures to pass the bill and their Governors sign it, then we're ALL hosed, even if your own state doesn't sign on. |
Danger to Democracy #2The same group that has been promoting NPV is also hawking Instant Runoff Voting (IRV). Certainly not coincidentally, the key founder of the organization behind both of these absurdities is none other than John "the spoiler" Anderson. IRV is getting a foothold with naieve communities who would like to believe the snake oil salesmen's claims that by making the voting selection process harder (not easier) this somehow further enfranchises beleaguered minority groups and third party candidates. The reason why I'm mentioning IRV here is again because of the voting machines. Heck, we can't even prove that these devices (whether DREs or scanners) are adding 1+1=2 properly. It's all a trade secret and we're not allowed to check the algorithms. How can we ever hope to verify that the complicated math needed to generate the IRV totals has been programmed and implemented correctly? If you find yourself in a conversation with anyone supporting IRV, just ask them to show you ON PAPER how to tally the election and then watch them squirm. Make sure your municipality, county, and state does not fall for IRV. For more on how to help oppose IRV, check out www.instantrunoffvoting.us . |
Danger to Democracy #3Perhaps because Americans are considered to be notoriously lazy, our election officials would rather find excuses for not hand-counting all of the ballots in order to verify the results produced by the computers. Of course, the reasons given for not checking the totals at each precinct (before the ballots are removed and have a chance to mysteriously wander away) are often ones of cost or expedience. As it turns out, a small team of vote counters (perhaps drafted as for jury duty), using a simple bin (not binary) method should be able to hand-tabulate all but the most complex ballots in time for the 11 o'clock news (assuming that the polls close at 8PM). (For the computer scientists, it helps to recall that a bin sort is O(n).) Of course there are plenty of mathematics wonks, and even a few Congressfolk, who would like us to believe that a random percentage audit is all that is necessary to confirm the electronic tallies. This is provably untrue. Even so, such formulas require that increasing percentages be audited if anomalies are detected, so you might as well just count all the ballots from the get-go to avoid the further hassle. For a detailed explanation of why partial audits don't work, see my post on the CNET Defensive Computing blog at news.cnet.com/8301-13554_3-9876062-33.html . Oh, and if someone tells you that if people touch the ballots they'll change the votes, just explain that page feeders could be used with opaque projectors to display the papers without human handling. |
Voter Verified Paper Ballots -- An
Informational Brochure:An explanatory brochure has been prepared in response to the myths and misinformation that are currently being circulated by those who are opposed to independent election auditing. "Facts About Voter Verified Paper Ballots" can be downloaded, printed on double-sided paper, and freely distributed (if in its entirety and unedited). Although DREs with VVPBs are an improvement over DREs without them, because of numerous issues related to the construction and use of VVPBs (some of which are noted below), since 2003 I have recommended AGAINST the purchase of these devices. Ballots should be prepared on paper (not computers) and counted from the paper (preferably by humans). |
The
Act that did not help
America Vote:
The 2002 Help America Vote Act (HAVA) legislation authorized $3.8B in federal spending, with a substantial portion of these funds allocated to US states and territories for the purpose of replacing their punch card and lever voting machines and making voting systems accessible to the disabled. To obtain the money, an implementation plan had to be submitted to the Election Assistance Commission by January 1, 2004. States were NOT required to purchase fully computerized voting systems, they could obtain mark-sense (optically scanned) products that use paper, but in order to receive certain of the equipment funds, the plan had to indicate that the state would replace all of its lever and punch card machines by the first election for Federal office held after January 1, 2006. New York was the only state that decided to retain its lever machines.
|
But
vendors said their voting machines were certified:
U.S. voting systems, beginning in 1990, have been certified under a system originally established by the Federal Election Commission (FEC) and a private group, the National Association of State Election Directors (NASED). Testing fees are paid, by the vendors, to certain qualified Independent Testing Authorities and examinations are conducted secretly without any results (other than a final passed status) issued publicly. This certification was, at first, based on the FEC guidelines adopted by only 37 of the states and criticized by technologists as flawed. (See my detailed comment The FEC Proposed Voting Systems Standard Update.) According to their website, even "the FEC recognizes that the Help Americans [sic] Vote Act of 2002 will fundamentally alter the long term application of the Standards, including testing." Some problems with the FEC standard included the lack of a requirement that vote tallies be independently auditable, the allowance of trade-secret code that may not be able to be inspected should an election contest question the proper functionality of a voting system, the use of commercial software products in balloting and tabulation systems without any inspection at all, and no provision for re-examination or decertification when problems are later identified. Even when additional state certification inspection has been performed, there may be no guarantee that any particular system has been appropriately configured prior to deployment. Revelations that uncertified software was used in at least two California elections (including the Gubernatorial recall) led to the mandate that voter verified paper ballots be added to their fully-electronic voting systems. |
What
about Internet voting?
Internet voting is risky due to its sociological and technological problems. Absentee balloting does not provide the safeguards of freedom from coercion and vote selling that are afforded via local precincts. Internet voting creates additional problems due to the inability of service providers to assure that websites are not spoofed, denial of service attacks do not occur, balloting is recorded accurately and anonymously, and votes are only cast by the authorized voter themself. The government's website warned that "it is the citizen's responsibility to maintain the latest anti-virus software for their computer" in order to assure safety, yet they failed to acknowledge the fact that anti-virus software can only protect against known malware (new ones appear constantly, and could occur during an election season) and server-based attacks are still possible. Certainly citizens overseas should have an opportunity to vote, but perhaps this could be handled by setting up remote balloting precincts at the U.S. Embassies, or by creating bi-partisan poll-worker teams on military bases? |
Who
created the Voter Verified Balloting concept?Rebecca Mercuri coined the phrase in her comment: "Explanation of Voter-Verified Ballot Systems" in The Risks Digest, ACM Committee on Computers and Public Policy, Volume 22, Issue 17, July 24, 2002. Mercuri first addressed this concept in her paper: "Physical Verifiability of Computer Systems" presented at the 5th International Computer Virus and Security Conference in March 1992, and a more detailed description appeared in her Doctoral Dissertation, defended October 27, 2000. An artist's rendering of a "Mercuri Method" voting system (they need not be so elaborate) appeared in her October 2002 IEEE Spectrum article, "A Better Ballot Box." |
Think
about it:
|
Mark your
Calendar:
I will be conducting a computer forensics seminar/workshop for the Princeton ACM/IEEE Computer Society on November 13, 2010. One of the sections of this short-course will overview voting system investigations. Further information is available at princetonacm.acm.org/meetings/mtg1011s.pdf . Advance registration is required and there is a fee for attendance. |
The articles linked below in my writings section provide an illustration of the magnitude of problems encountered with electronic voting equipment and offer some suggested solutions. My analyses are based on computer science and engineering facts, and are not politically motivated. Please try to read some of the *red starred* materials before contacting me for further clarification or assistance. |
Election officials in world democracies often want to believe that the situations in the USA are dissimilar to those in their own countries. Although laws and procedures may be different, the computer introduces universal vulnerabilities to privacy, accuracy, and security in elections. All democratic nations should be advised to use caution in their deployment of new systems, and avoid those products that do not produce a voter-verified paper audit trail.
The United
Kingdom and other European countries have begun initiatives to convert
all or part of their voting to electronic balloting (kiosk/DREs and/or
Internet-based) systems. Europe appears to be rushing ahead to deploy
computer voting technologies with serious sociological
and technological downsides, such as lack of auditability, and
increased opportunities for vote selling, monitoring, coercion, and
denial of service attacks. During mid-October, 2002 I visited England,
on the invitation of the Foundation for
Information Policy Research, to meet with and brief members of the
UK Cabinet and Parliament regarding this subject, and to provide
technical lectures at the Royal Academy of Engineering and Cambridge
University. My comments to the Cabinet are posted *here.
I also formally submitted an additional
follow-up comment as part of their "In the Service of Democracy"
consultation, which explains why Internet voting is not appropriate for
UK democratic elections. Media coverage of my UK tour can be
found over in my press section.
Information on the electronic voting project in Ireland can be found
at www.evoting.cs.may.ie.
Thanks to the unflagging efforts of this group and others (including
myself) who strongly protested the change from paper and pencil voting,
in 2009 it was announced that "the Government has decided not to
proceed with electronic voting in Ireland." Over in the Netherlands,
the Dutch group "We Don't Trust Voting Computers" successfully hacked a
NEDAP voting machine, turning it into a chess-playing device. On
October 1, 2007, the District Court of Amsterdam decertified all NEDAP
voting computers currently in use there. Further information at wijvertrouwenstemcomputersniet.nl/English .
The Brazilian government converted to fully electronic voting in 2000, deploying over 400,000 kiosk-style machines. Although their elections are often compared to those in the US, they are actually quite different because the voters cast ballots by using numbers assigned to each candidate (this is necessary because of a high degree of illiteracy in the country). Concerns regarding accuracy of the self-auditing systems caused the legislature to mandate a retrofit of 3% (some 12,000 machines) to produce a paper ballot that the voter could peruse and deposit in a box for recount (the first large-scale use of the "Mercuri Method" -- described more fully in "A Better Ballot Box?"). These paper-trail machines were successfully used during the October 6, 2002 election, and it is believed that the rest of their machines will eventually be retrofitted as well. Further discussion on this subject can be found in the article: *"The importance of recounting votes" by Michael Stanton (originally published in Portuguese as "A importância da recontagem de votos", on the website of the Agência O Estado de São Paulo, November 13, 2000). There is also an informative website: Brazilian Electronic Voting Forum by Amilcar Brunazo Filho.
In the wake
of
the Florida 2000 election, a number of voting rights bills were
proposed in Congress. On May 22, 2001, the U.S. House of
Representatives Committee on Science convened a Hearing on Improving
Voting Technology: The Role of Standards. I was joined on the
invited panel by Dr. Stephen Ansolabehere (MIT), Mr. Roy Saltman (NIST
- retired), and Dr. Doug Jones (University of Iowa).
California
The California State Elections Code contains a number of sections that are directly relevant to US and international electronic voting issues.
Section 15360 requires that there be "a public manual tally of the ballots tabulated by those devices, including vote by mail voters' ballots, cast in 1 percent of the precincts chosen at random by the elections official." This section also notes: "In resolving any discrepancy involving a vote recorded by means of a punchcard voting system or by electronic or electromechanical vote tabulating devices, the voter verified paper audit trail shall govern if there is a discrepancy between it and the electronic record." Curiously, Section 15627 on recounts states: "If in the election which is to be recounted the votes were recorded by means of a punchcard voting system or by electronic or electromechanical vote tabulating devices, the voter who files the declaration requesting the recount may select whether the recount shall be conducted manually or by means of the voting system used originally, or both." Section 15629 notes that "The recount shall be conducted publicly" and Section 15630 says that "All ballots, whether voted or not, and any other relevant material, may be examined as part of any recount if the voter filing the declaration requesting the recount so requests." Given all of this, one would think that the paper ballots (either the original ones that were scanned, or in the case of the DRE's, the VVPATs) would be consulted in all recounts. Unfortunately, as occurred in Nguyen v. Nguyen, Case No. 07CC00407 (2007), Orange County California Superior Court, the Judge ruled that the Election Code's allowance for the selection by the voter requesting the recount, means that the requirement that the VVPAT always trump any discrepancies can be disregarded if the requestor chooses to use the recount produced "by means of the voting system used originally." This loophole in the law will likely be opportunistically exploited again until it is closed. (Numerous YouTube courtroom videos from my 2 days of testimony in this matter can be found by using the search string: rebecca mercuri nguyen.)As well,
Proposition 41, California's Voting
Modernization Bond Act, passed in 2002, mandates that "a voting
system that does not require a voter to directly mark on the ballot
must produce, at the time the voter votes his or her ballot, or at the
time the polls are closed, a paper version or representation of the
voted ballot; this version shall not be provided to the voter,
but shall be retained by election officials for use during
a manual recount or other recount or contest." The key phrase here is
"or at the time the polls are closed" -- this has been
interpreted
by vendors and election officials to permit the voting system to
self-generate ballot images from the internal data stored by the
computer during the election, for use in public manual tallies or
recounts. Using such systems, the voter has no way to confirm that the
ballot they intended
to cast is identical to the one recorded by the machine. Hence, such
recounts are only procedural in nature, and not truly validatory.
Sadly, the U.S. Congress was similarly vague in their definition of
"manual audit
capacity" in the Help America Vote Act of 2002 (Section 301 a. 2), so
lower
court rulings will play an important role in determining the
implementation of when the "permanent paper record" must be produced
(at the time of voting, or after the election is over).
I have
always maintained that the intention of HAVA, as well as the
California Code, is to allow the voter to view the printed ballot prior
to casting it. Finally, in 2004, California's Secretary of State agreed
(but only after discovering that uncertified software was used in their
Recall and General elections in 2003) with this interpretation. Your
participation
is needed here -- if you are a voter living in a municipality that uses
DREs (with or without VVPATs), request an absentee
ballot prior to the election so that you can cast your vote on paper.
That is the only way you can be assured that a) your vote was submitted
as you
intended and b) the ballot you prepared will be available for a manual
recount. I have been voting absentee sinc
for its contents. This is a safe-cache copy of the original web site.