Electronic Voting

National Popular Vote (NPV) legislation has been creeping into state after state. Fot those of you who don't know what it is, NPV, when fully enacted, would MANDATE that states cast their electoral votes, NOT how the voters of those states intended, but rather to the winner of the NATIONAL popular vote. Yup, YOUR electors would be REQUIRED to cast their Presidential votes to the AGGREGATE US highest vote-getter, REGARDLESS of who the winner was in the state itself. I can't imagine how this could even remotely be deemed Constitutional (remember the concept of States' Rights?) but it would likely take a team of Harvard-educated lawyers to argue this point before the U.S. Supreme Court. If enough states (they only need a total of 270 electors) are stupid enough to allow their legislatures to pass the bill and their Governors sign it, then we're ALL hosed, even if your own state doesn't sign on.

Here's what it really means and why it's on my evoting website -- states that have unauditable voting will be incentivised to increase their bogus vote totals for President well beyond what they need to do to win their own state, enough so that they can shift the national total to the candidate of their choice! This is no problem for places like Ohio, where observed variations in the number of persons who sign the polling book from the number of ballots recorded on the machines, in over 80% of precincts, is somehow considered "normal" -- or in Florida where the citizens vote on paper ballots read by optical scanners but prohibited from review via manual recounts. Basically, if NPV becomes law, then the Crooks are in Control for sure. To find out the status of NPV in your state, check www.saveourstates.com -- if it does not say "enacted" yet, then let your State Senator, State Representative and Governor all know RIGHT AWAY that this is a HORRIBLE idea that should not become law.
     

An explanatory brochure has been prepared in response to the myths and misinformation that are currently being circulated by those who are opposed to independent election auditing.  "Facts About Voter Verified Paper Ballots" can be downloaded, printed on double-sided paper, and freely distributed (if in its entirety and unedited). Although DREs with VVPBs are an improvement over DREs without them, because of numerous issues related to the construction and use of VVPBs (some of which are noted below), since 2003 I have recommended AGAINST the purchase of these devices. Ballots should be prepared on paper (not computers) and counted from the paper (preferably by humans).

The 2002 Help America Vote Act (HAVA) legislation authorized $3.8B in federal spending, with a substantial portion of these funds allocated to US states and territories for the purpose of replacing their punch card and lever voting machines and making voting systems accessible to the disabled.  To obtain the money, an implementation plan had to be submitted to the Election Assistance Commission by January 1, 2004. States were NOT required to purchase fully computerized voting systems, they could obtain mark-sense (optically scanned) products that use paper, but in order to receive certain of the equipment funds, the plan had to indicate that the state would replace all of its lever and punch card machines by the first election for Federal office held after January 1, 2006. New York was the only state that decided to retain its lever machines.

The Presidentially appointed 4-member HAVA Election Assistance Commission, in addition to approving each of the state plans, was also to be responsible for administering a host of other tasks, not the least of which included overseeing a 14-member Technical Guidelines Development Committee and a 110-member Standards Board, and making provisions for "testing, certification, decertification, and recertification of voting system hardware and software by accredited laboratories."  The Technical Guidelines Committee was to have produced a set of recommended voluntary voting system guidelines nine months after appointment, and it was understood that these guidelines would be the ones used by the laboratories in their certification and testing processes.

What actually occurred was that the members of the HAVA Commission were appointed nearly a year late and the establishment of HAVA Committees and Boards were similarly delayed. Thus, the Technical Guidelines were NOT available by the time that state implementation plans were due. This resulted in 9 states requesting HAVA extensions, and many others contracting to purchase voting systems that could not possibly be HAVA compliant, since no official HAVA standards yet existed. A further setback occurred at the beginning of 2004, when the National Institute of Standards and Technologies (NIST) announced that it had to curtail all work related to HAVA (despite their named role in the legislation), due to Federal budget cuts (funds were later reinstated for the election project).

Those of us (including myself) who had worked hard for this bill were sorely disappointed that the most salient aspects of its implementation were stalled, while initial equipment purchases were allowed to proceed under grandfathered and obsolete standards. Many municipalities (including in California, Florida and elsewhere) purchased voting equipment that subsequently had to be replaced due to non-compliance, system failures, and security and auditability concerns. It has taken years to only partially unwind the many problems caused by the feeding frenzy generated by overzealous voting system vendors seeking the HAVA funds, fueled by gullible election officials who were intimidated into doling the money out for products that were not yet ready for prime time. Some of this unnecessary waste of funds could have been avoided, had Congress merely extended the HAVA deadlines, or had the appointments and work proceeded on schedule.

U.S. voting systems, beginning in 1990, have been certified under a system originally established by the Federal Election Commission (FEC) and a private group, the National Association of State Election Directors (NASED). Testing fees are paid, by the vendors, to certain qualified Independent Testing Authorities and examinations are conducted secretly without any results (other than a final passed status) issued publicly. This certification was, at first, based on the FEC guidelines adopted by only 37 of the states and criticized by technologists as flawed.  (See my detailed comment The FEC Proposed Voting Systems Standard Update.)  According to their website, even "the FEC recognizes that the Help Americans [sic] Vote Act of 2002 will fundamentally alter the long term application of the Standards, including testing." Some problems with the FEC standard included the lack of a requirement that vote tallies be independently auditable, the allowance of trade-secret code that may not be able to be inspected should an election contest question the proper functionality of a voting system, the use of commercial software products in balloting and tabulation systems without any inspection at all, and no provision for re-examination or decertification when problems are later identified. Even when additional state certification inspection has been performed, there may be no guarantee that any particular system has been appropriately configured prior to deployment. Revelations that uncertified software was used in at least two California elections (including the Gubernatorial recall) led to the mandate that voter verified paper ballots be added to their fully-electronic voting systems.

Under HAVA, the certification program was restructured under the Election Assistance Commission (EAC) and Thomas Wilkey, the individual formerly responsible for this task under NASED, was appointed as the EAC's Executive Director, where he has continued to perform oversight of the testing and certification tasks. The EAC generated a new set of Voluntary Voting System Guidelines, which was approved in December 2005, far too late to have any systems tested and deemed compliant in time for the 2006 HAVA deadline for replacement of lever and punch card systems. Though there were some slight improvements, these guidelines suffered from most of the same problems as did the FEC standard (as noted above and in my comment to the EAC). A proposed revision (including the MIT/NIST-proposed Orwellian concept of Software Independence -- that a voting machine could contain software but somehow be independent of it) was issued for public comment in 2009 as VVSG 1.1, but portions were harshly criticized (including earlier by myself) and it has not yet been approved.

Many of the voting systems that have been certified under the 2005 EAC standard were subsequently found to be faulty in actual elections or via independent studies (reports commissioned by state or local governments are posted at www.eac.gov/testing_and_certification/voting_system_reports.aspx ). The list of certified voting systems can be found at 
www.eac.gov/testing_and_certification/certified_voting_systems.aspx but these are only the current certifications. Obsolete certifications cannot be easily checked, nor is the older equipment recalled.

Internet voting is risky due to its sociological and technological problems. Absentee balloting does not provide the safeguards of freedom from coercion and vote selling that are afforded via local precincts. Internet voting creates additional problems due to the inability of service providers to assure that websites are not spoofed, denial of service attacks do not occur, balloting is recorded accurately and anonymously, and votes are only cast by the authorized voter themself. The government's website warned that "it is the citizen's responsibility to maintain the latest anti-virus software for their computer" in order to assure safety, yet they failed to acknowledge the fact that anti-virus software can only protect against known malware (new ones appear constantly, and could occur during an election season) and server-based attacks are still possible. Certainly citizens overseas should have an opportunity to vote, but perhaps this could be handled by setting up remote balloting precincts at the U.S. Embassies, or by creating bi-partisan poll-worker teams on military bases?

Back in 2000 when the U.S. Department of Defense first tried Internet voting they spent $6.2M so that 84 voters could cast ballots.  Subsequently, the DoD engaged Accenture, the Bermuda-based consultancy arm of the former Arthur Andersen (can we spell Enron?) group at a cost of $22M to oversee its SERVE project for military personnel and overseas citizens. Following issuance of an analysis by four computer scientists who were members of the SERVE Security Peer Review Group, the Pentagon decided to scrap plans for the use of this technology to cast ballots in the 2004 Presidential election.  But it's far from gone -- the DoD dabbled with the concept of Internet voting prior to the 2008 election and was shot down again by the same scientists on many of the same grounds. We'll likely see some variation of this project surface again as we near 2012.

Need I say more? (If so, see the World Democracies and Press Quotes sections.)

Rebecca Mercuri coined the phrase in her comment: "Explanation of Voter-Verified Ballot Systems" in The Risks Digest, ACM Committee on Computers and Public Policy, Volume 22, Issue 17, July 24, 2002. Mercuri first addressed this concept in her paper: "Physical Verifiability of Computer Systems" presented at the 5th International Computer Virus and Security Conference in March 1992, and a more detailed description appeared in her Doctoral Dissertation, defended October 27, 2000. An artist's rendering of a "Mercuri Method" voting system (they need not be so elaborate) appeared in her October 2002 IEEE Spectrum article, "A Better Ballot Box."

The earliest description of a "ballot behind glass" was provided by Tom Benson in The Risks Digest, Volume 2, Issue 22, March 4, 1986 and elaborated on by Kurt Hyde in The Risks Digest, Volume 2, Issue 24, March 8, 1986. The difference between these methods and Mercuri's involves her requirement for a deliberate verification step, and also the recognition of the paper ballot as the authoritative record of the voter's choices (in the event of a dispute, the paper version would prevail over any electronic data).

This design concept was deliberately never patented by any of the inventors so that it could be freely incorporated into election systems. Shortly after the November 2000 Presidential election, the Avante company submitted a patent application that incorporated much of this prior art (including block diagrams very similar to those displayed at Mercuri's October 2000 dissertation defense and at a subsequent publicly-attended ACM talk she presented in November 2000, at the Sarnoff Center, situated just a few blocks down the road from Avante's offices). Avante has tried (largely unsuccessfully) to pursue infringement claims against some of the vendors who have implemented ballot printers.

Note that a "voter verified paper ballot" (VVPB) is not the same as a "voter verifiable audit trail" (VVAT). Many vendors and some scientists believe that an audit trail of electronically recorded ballots can be made secure (possibly through encryption or other mechanisms), but no such systems have yet been validated through rigorous mathematical proofs, nor can they be independently confirmed for correctness by non-technical poll workers, election officials or ordinary citizens.

A great demonstration showing why electronic audits and pre-election testing are inadequate can be viewed at: www.wheresthepaper.org. Simply adding paper "receipts" as some have proposed, to the system, is not sufficient. The voter must be required to perform an action that confirms that their choices have been recorded correctly on the paper, hence making it a verifiED (rather than just "verifiABLE") ballot in a legal sense. The paper ballot must not provide any feature that could be used to violate voter privacy or encourage coercion and vote selling. These voter verified paper ballots must be used to produce the certified vote totals and be available for scrutiny in case of election contest or recount.

• Scientists had been warning for years about the devastation that might result from a major hurricane on the Gulf Coast. But the U.S. Congress failed to provide $35M to fully fund previously approved projects to build and improve levees, floodwalls and pumping stations in the Lake Pontchartrain region. The federal government did (prior to Katrina) allocate some $37M to Louisiana under the Help America Vote Act, primarily for the purchase and upgrade of fully electronic voting systems that provide no mechanism for independently auditing ballots and vote totals.

• The Civil Rights Division of the U.S. Department of Justice issued a memorandum opinion affirming that voting systems that include contemporaneous paper records, allowing voters to confirm that their ballots accurately reflect their choices, do not violate HAVA or ADA laws, so long as a similar capablility (such as can be provided by audio equipment) is available for use. This could include tactile ballots, an inexpensive (non-computer) alternative for the visually-impaired that has been used successfully in Rhode Island, Canada, Peru, and Siera Leone.

I will be conducting a computer forensics seminar/workshop for the Princeton ACM/IEEE Computer Society on November 13, 2010. One of the sections of this short-course will overview voting system investigations. Further information is available at princetonacm.acm.org/meetings/mtg1011s.pdf . Advance registration is required and there is a fee for attendance.