Testimony to the US Election Assistance Commission from CPSR
This is the testimony of Computer Professionals for Social
Responsibility (CPSR) regarding electronic voting. With offices in Palo
Alto, CA, CPSR is a public-interest alliance of computer scientists and
others concerned about the impact of computer technology on society.
CPSR was formed in 1983, and has members throughout the country.
CPSR began research on voting systems in the mid 80's. We have researched election systems, observed elections, commented on voting systems standards, and participated in the administration of elections. In 1994, CPSR sent a team to the Republic of South Africa to assist that nation in the historic elections of that year. We have written numerous papers and reports on elections systems and spoken at elections administration conferences. Our work has been reported in newspapers, magazines such as Wired magazine, and broadcast media.
CPSR views the formation of the EAC as a hopeful sign. As the EAC website notes, "...voting systems have always been plagued by problems with fraud and inaccuracy." CPSR agrees with the commission that this forceful language is justified. Election systems never have been, and are not likely to ever be, perfect. No system is entirely invulnerable to error or fraud. However, many elections systems still in use offer woefully inadequate security and reliability. Such systems must be replaced, at considerable expense. But it is essential that the replacement systems must be acceptable. Otherwise, voter confidence will be placed in jeopardy.
Consequently, CPSR urges the commission to carefully consider how the resources available for elections can be spent so as to maximize the accuracy and security possible at that level of expenditure. DRE-type (touchscreen) voting systems offer the promise of lower materials costs, but this must be balanced against potentially higher expenses for poll-worker training and voter education. Furthermore, materials cost savings are a false economy, if they come at the expense of election security.
A further problem with DREs is that a meaningful logic and accuracy (L&A) test is all but impossible to conduct. Thus, other security measures must be substituted for L&A testing, to ensure accuracy. These additional security measures absolutely must be provided.
These positions are not without controversy, so we will support them in the context of four topics: voter confidence, computer security, administrative security, and voter verification.
Voter confidence is the foundation of legitimate government, and hence is critical to democracy. Voter confidence has been eroded by problems with election systems, most notably the 2002 Florida presidential election. New election systems must not further compromise voter confidence: the consequences of a second technology-driven elections disaster, so soon after the disturbing Florida election, could very well have seriously detrimental effects on the nation and on the well-being of average Americans.
For this reason, it is critical that widely-deployed elections technologies be as immune from failure as possible. It would be catastrophic for an election to be "stolen," or for that to appear to have happened. Nearly as catastrophic would be for an election to be "mislaid,": for some number of ballots to be lost, or their votes unreadable, or the votes to be readable but for there to be uncertainty in interpreting what is read.
CPSR agrees that the possibility of election fraud is a concern worthy of serious discussion. However, the available evidence suggests the majority of serious elections problems are due not to fraud but to more innocent errors: equipment failures, accidents, errors in judgment, and the like. These in fact seem to have been the major problems in Florida. To the ordinary voter, fraud and error may look quite similar, and in some cases measures to prevent one also prevent the other. But not always. It is critical to ensure that voting systems protect against both fraud and error.
It is possible for the programming of DRE equipment to be modified by unauthorized personnel, although the practicality of such an attack is debated. However, a recent paper asserts that this is a very real possibility. A team of computer security experts from the Information Security Institute of Johns Hopkins University examined source code for an actual DRE voting system. Their conclusions are highly critical:
We found significant security flaws: voters can trivially cast multiple ballots with no built-in traceability, administrative functions can be performed by regular voters, and the threats posed by insiders such as poll workers, software developers, and even janitors, is even greater.
The authors also found defective implementation of encryption, including use of a static encryption password hard-coded into the software. This means that anyone with access to the software source code could trivially bypass the security. Furthermore, a knowledgeable person with access to a DRE unit could use straightforward techniques to discover the encryption password, even if they had never seen the source code nor even knew what type of encryption was used nor how it was implemented.
CPSR is not persuaded that the casting of multiple ballots is quite as trivial as the authors above assert. However, the authors make a good case for the software being amateurish in design and execution. In particular, the writers of the software did not appear to have a basic grasp of software security issues. Consequently, a DRE with deep and obvious security flaws has been used in many elections. This situation is deeply disturbing and unacceptable.
As the quotation above alludes, unauthorized modification of computer programs is only one aspect of computer security. Other problems include inappropriate changes to voted ballots, erasing of ballots, and adding of ballots. Also, there is a special problem with any record, such as a typical DRE memory or a Vote-O-Matic punchcard ballot, where votes are recorded as a ballot position without identifying the actual candidate voted for. In this case, there is the possibility that the ballot contents are unmodified, but the key that explains what the votes mean is changed.
The Presidential report Securing The Homeland Strengthening The Nation states in part,
The need for homeland security ... is not tied to any specific terrorist threat. Instead, the need for homeland security is tied to the underlying vulnerability of American society and the fact that we can never be sure when or where the next terrorist conspiracy against us will emerge.
Under this analysis, elections systems should be considered a possible terrorist target. Thus, the probability of terrorist attack on election systems is hard to quantify but must be considered possible. Such attacks would most likely not take the form of violence at polling places, but instead would focus on critical elections infrastructure, or on vote tabulation software. CPSR's experience in South Africa, where terrorists did target the election, supports this conclusion. Terrorists attempted to influence the elections outcome by direct violent attack against central elections facilities, and by attempts to modify election related software. Attacks on polling places were minimal: even with many operatives in the field, there are simply too many polling places for terrorists to target a number sufficient to affect an elections outcome. The best approach is to choose election technologies that do not present systematic opportunities for attack. Electronic voting systems where there is no permanent record of the ballot present special vulnerabilities to hacker-terrorists, and these risks must be considered.
As we note above, these security issues relate to possible frauds, but also possible errors. Thorough computer security protects against not only miscreants, but also problems such as power surges, spilled cups of coffee, and plain old mistakes.
Computer security begins with a thorough threat analysis. Absent this threat analysis, the security of DRE systems is unknowable, hence no current DRE system can be referred to as "secure."
Current acceptance testing for voting equipment should be improved. CPSR notes that poor logic and accuracy tests have caused numerous elections problems in the past. While progress has been made, this is still a problem area. Clear standards are called for.
DREs present two special problems for logic and accuracy tests. Each "ballot" of a logic and accuracy test for a DRE must be produced by hand, by voting the test ballot on the DRE itself. The problems are:
- This process is time-consuming on a DRE, so DRE logic and accuracy tests tend to be small. Unfortunately, logic and accuracy tests are often already too small to catch important mistakes. Thus DREs introduce either a hidden security weakness (logic an accuracy testing of reduced effectiveness) or a hidden cost (increased expenses associated with logic and accuracy testing).
- It is difficult to correctly generate a series of test ballots on a DRE without a single error. It is much more likely that an election worker will make a mistake in entering test ballots than that an actual voter will make such a mistake, because the voter only has to remember one set of votes: the votes they wish to make. The DRE tester has a much more difficult problem. Consequently, election workers must conduct DRE logic and accuracy tests with extreme deliberation and caution, as even a single error requires that the entire logic and accuracy test be repeated. In practice, this results in logic and accuracy tests that are smaller yet, to the point where the test is testing for little besides a stuck button or a completely nonfunctional DRE.
One "solution" to this problem is to perform the logic and accuracy test by inputting ballots using a different method than the voter would use, for example by inputting them automatically using a communications port. However, this method tests only part of the DRE. The parts of the DRE that display contests to the voter and record the voters choices are left untested. Furthermore, a maliciously-modified DRE could easily pass a logic and accuracy test of this type, and still not count votes correctly.
These problems could be addressed by automated testing of DREs. However, no automated DRE testing device is available that is suitable for logic and accuracy tests, and such a device would be very difficult to build and unquestionably very expensive. Unfortunately, CPSR can offer no attractive course of action. Logic and accuracy tests are simply more difficult to conduct on DREs than on other election systems. The only available courses of action is to rely less on logic and accuracy tests, by improving security and reliability elsewhere in the election system in a way that compensates for this limitation of DREs.
Voter verification (meaning verification of votes by the voter, not authentication of the voter by the election system) has been advocated as a method of improving DRE security (see below). CPSR advocated in the 1980's that such a capability be mandatory for DREs. This approach compensates for weaknesses in the logic and accuracy test: because a voter's votes are recorded on a durable, human-readable record, security and reliability of the DRE are of less extreme importance. Logic and accuracy tests should still be conducted, at least to prevent defective devices from causing chaos in polling places. But since the voter's intent is safely captured in a different record, the well-understood procedures for handling paper ballots protect the DRE component of the system from the inherent weaknesses of logic and accuracy tests on DREs.
CPSR notes that it is critical that voters have confidence that their votes are correctly counted. This confidence is produced by a ballot that resists tampering, is difficult to forge or destroy, and can be examined and understood by the ordinary voter without recourse to expert opinion or special equipment. Various technologies have been proposed to meet this requirement, but to date only one has been used in elections: a paper ballot marked with the voter's votes (including contests not voted), in plain language understandable to the voter. Unless and until a technology is developed that offers equal or superior security at an equal or superior price, CPSR strongly advocates that the votes of every voter be recorded in plain language on paper at the time that the vote is cast, and that the paper ballot be retained in ballot boxes and treated as an official elections document. All DREs should produce a paper ballot that may be inspected by the voter prior to completing the voting act. No DRE that lacks this capability can be considered secure or reliable. Furthermore, this paper record should be considered the actual ballot of the voter, since it is the artifact the voter validates when the voter takes the final action committing to their vote. Electronic records within DREs can be used to produce a vote tally more quickly, but in case of differences the suspect electronic memory must yield to the more trustworthy physical record.
Some observers have considered the possibility of verification using "electronic" means. We are aware of certain proposals for voters to verify their votes by use of technologies such as smart cards or homomorphic encryption. It's worth noting that these approaches have serious problems. (A smart card is used by some DREs to authorize voters to vote on the DRE, but voter verification is an entirely different application.) Consequently, these efforts seem to have stalled, with no realistic deployment date in sight. In many cases, the basic problem is cost: it has proven difficult to get the price of a secure artifact containing smart technology within even ten times the cost of a piece of paper.
Thus it would be a mistake to plan the security of our nation's elections around new voter verification technologies, because these technologies are not certain to arrive, or to be cost-effective if they do arrive. The most proven media for durably and securely recording votes is paper. Thus, while CPSR has no theoretical objection to new verification technologies, there are not currently any suitable alternatives to paper, nor will there be soon.
Instead of searching in vain for alternatives to paper, CPSR urges that effort instead be directed towards better integrating paper ballot printing with DRE technology. Many DREs already include a printer, and new DREs appear to be required to have one.
The commission is concerned with a number of requirements that voting systems must meet. These requirements come from practical election administration considerations, court orders, and state and federal law, including the Help America Vote Act (HAVA); and include:
- Blind and visually-impaired voters must be able to vote a secret ballot.
- Election materials must be produced in multiple languages.
- Emerging standards may cause DRE equipment currently in use to fall out of compliance, possibly leaving counties with expensive equipment that they will be unable to use in elections.
CPSR addresses each of these concerns in turn as they relate to DRE voting systems.
Blind And Visually-Impaired Voters Must Be Able To Vote A Secret Ballot. New elections systems are mandated to meet this requirement. Some DRE systems permit blind voters to vote in secrecy, by listening and responding to audio cues. This is beneficial to blind and visually-impaired voters and furthermore complies with a legal mandate. However, experience in California suggests that at least some DREs use an audio interface that blind and visually-impaired find cumbersome or even impractical to use. It is critical that blind voters not be offered a voting experience that is secret, but insulting in its lack of consideration of blind voters' needs.
The California Secretary of State's Ad Hoc Touch Screen Task Force Report of 2003 details some mechanisms by which blind and visually-impaired voters could verify a paper ballot. CPSR considers the approaches outlined in the Report acceptable, and calls for the development and deployment of paper ballot verification tools for blind and visually-impaired voters.
However, DREs without voter-verifiable ballots should not be excused with the argument that verification devices required by blind voters are not yet ready. Verifiable ballots are required by all voters now.
Temporarily, blind and visually-impaired voters may have to choose between the secrecy of their ballot and their right to verify it. That situation is unacceptable and must be corrected as quickly as possible. But with a voter-verifiable paper ballot, blind and visually-impaired voters are at least given the option to verify their ballot, albeit under compromised circumstances.
Ultimately, all voters must be able to vote and verify the accuracy of their ballot in secret. It is worth noting that technologies based around optical scan ballots, that nonetheless permit blind voter to vote in secret, are presently in the process of certification. This approach may actually offer greater promise for blind and handicapped voters than DREs.
Election Materials Must Be Produced In Multiple Languages. Multiple language requirements greatly increase the complexity of elections. While CPSR supports the inclusive goals of multi-lingual elections, our experience with multi-lingual elections makes us acutely aware of the complexity introduced into voter education, registration, poll-worker training, and ballot preparation.
Furthermore, for DREs without a voter-verifiable paper ballot, multilingual elections introduce enormous complexity, because logic and accuracy tests must be conducted in each language. Not only does this require additional time, but poll workers will often not be proficient in all languages supported.
However, DREs with a voter-verifiable paper ballot rely less on the logic and accuracy test. (This test is of limited practical use for DREs in any case.) Consequently, DREs with a voter-verifiable paper ballot are better suited to multi-lingual voting, because the integrity of the election no longer depends on the ephemeral screen of a DRE, which in some cases displays contents that poll workers will be unable to interpret.
In some cases, it may be more convenient for recounts if the paper ballot has the voter's votes printed in all of the languages of the election. But so long as the ballot is printed in the same language as the voter voted in, the system will work.
Some have raised concerns about printers supporting multiple character sets. However, multiple character sets are if anything less problematic for printers than they are for display screens. DREs that display ballot choices in multiple character sets should have no problem printing ballots in multiple character sets.
Thus a printed, voter-verifiable ballot, utilized correctly, can lessen the complexity and increase the security of multi-lingual elections.
Emerging Standards May Cause DRE Equipment Currently In Use To Fall Out Of Compliance. HAVA represents an historic opportunity to upgrade election systems, which is not likely to be repeated. It would be a tragedy for HAVA and the good intentions surrounding it to be squandered on equipment that is only used for a short time.
There is good reason to anticipate that elections equipment standards will be more stringent in the future. The enabling legislation for the EAC itself calls for stronger federal testing, standards, and procedures. CPSR sees the highest priorities as:
- New standards must be developed.
- Oversight of elections equipment must be increased.
- A national database of elections equipment problems and incidents must be created.
CPSR also agrees that counties must be protected as much as possible from financial impacts from emerging equipment standards. Thus, we strongly recommend that DRE vendors be required to provide an upgrade strategy for DRE equipment. This strategy should cover likely new requirements. Specifically, the upgrade strategy should cover:
- addition of a printer to devices that do not currently have one
- verification of paper ballots by blind voters
- compliance with a software security standard such as the Common Criteria (CC, ISO IS 15408), and/or elimination of the exemptions for "COTS" software components
Elections are the foundation of our democracy, and deserve the best practices and technologies we have to offer. However, experience makes us acutely aware how difficult it is to apply technology to elections. Technology experts have historically been ignorant about the real challenges of elections, while elections officials have often not been well-versed in the limitations of technology. The result has been insufficient concern for the limitations of new voting technology.
Hopefully, experience has made us wiser. The EAC is one hopeful sign that elections technology will now have more careful consideration before deployment.
Adequate security safeguards are essential. The threat of deliberate attempts to steal votes or sabotage elections may be hard to quantify today, but weak security provides an unacceptable opportunity for miscreants to develop and execute attacks on our election system. Moreover, adequate security builds confidence in the elections process.
Because of inherent aspects of DREs, logic and accuracy tests are not particularly effective. For this and other reasons, a voter-verifiable paper ballot is essential to the use of DREs in elections. The EAC should mandate the use of printed ballots with DREs at the soonest practical date, and impose purchasing requirements on DRE vendors now that will facilitate this requirement with minimum disruption to elections.
Voters with visual and other impairments must be accorded the same rights as other voters to vote and verify their ballot in secret. Voter-verifiable paper ballots should be deployed as soon as possible, and verification aids for the visually impaired should follow as soon as possible thereafter.
Current efforts including HAVA represent an unprecedented level of interest and effort in improving our nation's election system. We must make the most of this historic opportunity, by setting our standards high enough to ensure confidence in democracy.
Last modified May 14, 2005 07:30 AM