For information on the task force report, go to: http://www.ss.ca.gov/elections/taskforce.htm

August 1, 2003

These are the comments of Computer Professionals for Social Responsibility (CPSR) regarding the California Secretary of State's Ad Hoc Touch Screen Task Force Report (the Report). With offices in Palo Alto, CA, CPSR is a public-interest alliance of computer scientists and others concerned about the impact of computer technology on society. CPSR was formed in 1983, and has members throughout the country.

CPSR began research on voting systems in the mid 80's. We have researched election systems, observed elections, commented on voting systems standards, and participated in the administration of elections. In 1994, CPSR sent a team to the Republic of South Africa to assist that nation in the historic elections of that year. We have written numerous papers and reports on elections systems and spoken at elections administration conferences. Our work has been reported in newspapers, magazines such Wired magazine, and broadcast media.

CPSR commends you for forming a task force to examine touchscreen-type voting systems (also known as Direct Recording Electronic or DRE systems), an issue of immediate importance to Californians and all Americans. By setting standards and adopting new practices, California has often led the nation. We hope California will once again lead the nation towards elections of greater security and confidence. This will not be easy however, as complex issues are involved, and elections appear easy only to those who have not been closely involved with their administration.

The Task Force Report emphasizes four topics: voter confidence, computer security, administrative security, and voter verification. CPSR has comments on each of these topics.

Voter Confidence

Voter confidence is the foundation of legitimate government, and hence is critical to democracy. The Report correctly emphasizes that voter confidence has been eroded by problems with election systems, most notably the 2002 Florida presidential election. The Report goes on to declare that new election systems must not further compromise voter confidence, describing this possibility as a "disaster"⁽¹⁾. CPSR could not agree more strongly. The consequences of a second technology-driven elections disaster, so soon after the disturbing Florida election, could very well have seriously detrimental effects on the nation and on the well-being of average Americans.

For this reason, it is critical that widely-deployed elections technologies be as immune from failure as possible. It would be catastrophic for an election to be "stolen," or for that to appear to have happened, and the report discusses this possibility extensively. Nearly as catastrophic would be for an election to be "mislaid,": for some number of ballots to be lost, or their votes unreadable, or the votes to be readable but for there to be uncertainty in interpreting what is read.

CPSR agrees that the possibility of election fraud is a concern worthy of serious discussion. However, the available evidence suggests the majority of serious elections problems are due not to fraud but to more innocent errors: equipment failures, accidents, errors in judgment, and the like. These in fact seem to have been the major problems in Florida. To the ordinary voter, fraud and error may look quite similar, and in some cases measures to prevent one also prevent the other. But not always. It is critical to ensure that voting systems protect against both fraud and error.

Computer Security

The report states that it is possible for the programming of DRE equipment to be modified by unauthorized personnel. The task force was divided on how realistic a possibility this is. A paper published after the Report asserts that this is a very real possibility. A team of computer security experts from the Information Security Institute of Johns Hopkins University examined source code for an actual DRE voting system. Their conclusions are highly critical:

We found significant security flaws: voters can trivially cast multiple ballots with no built-in traceability, administrative functions can be performed by regular voters, and the threats posed by insiders such as poll workers, software developers, and even janitors, is even greater.⁽²⁾

The authors also found defective implementation of encryption, including use of a static encryption password hard-coded into the software. This means that anyone with access to the software source code could trivially bypass the security. Furthermore, a knowledgeable person with access to a DRE unit could use straightforward techniques to discover the encryption password, even if they had never seen the source code nor even knew what type of encryption was used nor how it was implemented.

CPSR is not persuaded that the casting of multiple ballots is quite as trivial as the authors above assert. However, the authors make a good case for the software being amateurish in design and execution. In particular, the writers of the software did not appear to have a basic grasp of software security issues. Consequently, a DRE with deep and obvious security flaws has been used in many elections. This situation is deeply disturbing and unacceptable.

As the quotation above alludes, unauthorized modification of computer programs is only one aspect of computer security. Other problems include inappropriate changes to voted ballots, erasing of ballots, and adding of ballots. Also, there is a special problem with any record, such as a typical DRE memory or a Vote-O-Matic ballot, where votes are recorded as a ballot position without identifying the actual candidate voted for. In this case, there is the possibility that the ballot contents are unmodified, but the key that explains what the votes mean is changed.

The Presidential report Securing The Homeland Strengthening The Nation(3)

The need for homeland security... is not tied to any specific terrorist threat. Instead, the need for homeland security is tied to the underlying vulnerability of American society and the fact that we can never be sure when or where the next terrorist conspiracy against us will emerge.

Under this analysis, elections systems should be considered a possible terrorist target. Thus, the probability of terrorist attack on election systems is hard to quantify but must be considered possible. The best approach is to choose election technologies that do not present systematic opportunities for attack.

As we note above, these security issues relate to possible frauds, but also possible errors. Thorough computer security protects against not only miscreants, but also problems such as power surges, spilled cups of coffee, and plain old mistakes.

When considering computer security, the Report considers only the program, and is silent on the broader issues of computer security beyond modification of computer programs. The Report does note that a thorough threat analysis was beyond the mandate and resources of the Task Force. We suggest that Secretary Shelley pursue a thorough threat analysis of DRE voting systems, working with other states and the Federal Election Commission where possible. Absent this threat analysis, the security of DRE systems is unknowable, hence no DRE system can be referred to as "secure."

Administrative Security

The Report notes that current acceptance testing for voting equipment should be improved. CPSR agrees.

The report also notes that pre-election "Logic and Accuracy" tests should be improved. CPSR notes that poor logic and accuracy tests have caused numerous elections problems in the past. While progress has been made, this is still a problem area. Clear standards are called for.

DREs present two special problems for logic and accuracy tests. Each "ballot" of a logic and accuracy test for a DRE must be produced by hand, by voting the test ballot on the DRE itself. The problems are:

1. This process is time-consuming on a DRE, so DRE logic and accuracy tests tend to be small. Unfortunately, logic and accuracy tests are often already too small to catch important mistakes. Thus DREs introduce either a hidden security weakness (logic an accuracy testing of reduced effectiveness) or a hidden cost (increased expenses associated with logic and accuracy testing).
2. It is difficult to correctly generate a series of test ballots on a DRE without a single error. It is much more likely that an election worker will make a mistake in entering test ballots than that an actual voter will make such a mistake, because the voter only has to remember one set of votes: the votes they wish to make. The DRE tester has a much more difficult problem. Consequently, election workers must conduct DRE logic and accuracy tests with extreme deliberation and caution, as even a single error requires that the entire logic and accuracy test be repeated. In practice, this results in logic and accuracy tests that are smaller yet, to the point where the test is testing for little besides a stuck button or a completely nonfunctional DRE.

One "solution" to this problem is to perform the logic and accuracy test by inputting ballots using a different method than the voter would use, for example by inputting them automatically using a communications port. However, this method tests only part of the DRE. The parts of the DRE that display contests to the voter and record the voters choices are left untested. Furthermore, a maliciously-modified DRE could easily pass a logic and accuracy test of this type, and still not count votes correctly.

These problems could be addressed by automated testing of DREs. However, no automated DRE testing device is available that is suitable for logic and accuracy tests, and such a device would be very difficult to build and unquestionably very expensive. Unfortunately, CPSR can offer no attractive course of action. Logic and accuracy tests are simply more difficult to conduct on DREs than on other election systems. The only available courses of action is to rely less on logic and accuracy tests, by improving security and reliability elsewhere in the election system in a way that compensates for this limitation of DREs.

The Report discusses voter verification (meaning verification of votes by the voter, not authentication of the voter by the election system) as a method of improving DRE security (see below). This compensates for weaknesses in the logic and accuracy test. Because a voter's votes are recorded on a durable, human-readable record, security and reliability of the DRE are of less extreme importance. Logic and accuracy tests should still be conducted, at least to prevent defective devices from causing chaos in polling places. But since the voter's intent is safely captured in a different record, the well-understood procedures for handling paper ballots protect the DRE component of the system from the inherent weaknesses of logic and accuracy tests on DREs.

Voter Verification

The Report goes into considerable detail discussing the means by which voters using a DRE might verify that their votes will be correctly counted.

CPSR notes that it is critical that voters have confidence that their votes are correctly counted. This confidence is produced by a ballot that resists tampering, is difficult to forge or destroy, and can be examined and understood by the ordinary voter without recourse to expert opinion or special equipment. Various technologies have been proposed to meet this requirement, but to date only one has been used in elections: a paper ballot marked with the voter's votes (including contests not voted), in plain language understandable to the voter. Unless and until a technology is developed that offers equal or superior security at an equal or superior price, CPSR strongly advocates that the votes of every voter be recorded in plain language on paper at the time that the vote is cast, and that the paper ballot be retained in ballot boxes and treated as an official elections document. All DREs should produce a paper ballot that may be inspected by the voter prior to completing the voting act. No DRE that lacks this capability can be considered secure or reliable.

The Report discusses the possibility of verification using "electronic" means. We are aware of certain proposals for voters to verify their votes by use of technologies such as smart cards or homomorphic encryption⁽⁴⁾. It's worth noting that these approaches have serious problems. (A smart card is used by some DREs to authorize voters to vote on the DRE, but voter verification is an entirely different application.) Consequently, these efforts seem to have stalled, with no realistic deployment date in sight. In many cases, the basic problem is cost: it has proven difficult to get the price of a secure artifact containing smart technology within even ten times the cost of a piece of paper.

Thus it would be a mistake to plan the security of California's elections around new voter verification technologies, because these technologies are not certain to arrive, or to be cost-effective when they do arrive. The most proven media for durably and securely recording votes is paper. Thus, while CPSR has no theoretical objection to new verification technologies, there are not currently any suitable alternatives to paper, nor will there be soon.

Instead of searching in vain for alternatives to paper, CPSR urges that effort instead be directed towards better integrating paper ballot printing with DRE technology. Many DREs already include a printer, and new DREs appear to be required to have one (5)

The report indicates a number of requirements that voting systems must meet. These requirements come from practical election administration considerations, court orders, and state and federal law, including the Help America Vote Act (HAVA):

• Blind and visually-impaired voters must be able to vote a secret ballot.
• Election materials must be produced in multiple languages.
• Emerging standards may cause DRE equipment currently in use to fall out of compliance, possibly leaving counties with expensive equipment that they will be unable to use in elections.

CPSR addresses each of these concerns in turn as they relate to DRE voting systems.

Blind And Visually-Impaired Voters Must Be Able To Vote A Secret Ballot._New elections systems are mandated to meet this requirement. Some DRE systems permit blind voters to vote in secrecy, by listening and responding to audio cues. This is beneficial to blind and visually-impaired voters and furthermore complies with a legal mandate.

The Report details some mechanisms by which blind and visually-impaired voters could verify a paper ballot. CPSR considers the approaches outlined in the Report acceptable, and calls for the development and deployment of paper ballot verification tools for blind and visually-impaired voters.

However, DREs with out voter-verifiable ballots should not be excused with the argument that verification devices required by blind voters are not yet ready. Verifiable ballots are required by all voters now.

Temporarily, blind and visually-impaired voters will have to choose between the secrecy of their ballot and their right to verify it. That situation is unacceptable and must be corrected as quickly as possible. But with a voter-verifiable paper ballot, blind and visually-impaired voters are at least given the option to verify their ballot, albeit under compromised circumstances.

Ultimately, all voters must be able to vote and verify the accuracy of their ballot in secret.

Election Materials Must Be Produced In Multiple Languages. Multiple language requirements greatly increase the complexity of elections. While CPSR supports the inclusive goals of multi-lingual elections, our experience with multi-lingual elections makes us acutely aware of the complexity introduced into voter education, registration, poll-worker training, and ballot preparation.

Furthermore, for DREs without a voter-verifiable paper ballot, multilingual elections introduce enormous complexity, because logic and accuracy tests must be conducted in each language. Not only does this require additional time, but poll workers will often not be proficient in all languages supported.

However, DREs with a voter-verifiable paper ballot rely less on the logic and accuracy test. (This test is of limited practical use for DREs in any case.) Consequently, DREs with a voter-verifiable paper ballot are better suited to multi-lingual voting, because the integrity of the election no longer depends on the ephemeral screen of a DRE, which in some cases displays contents that poll workers will be unable to interpret.

In some cases, it may be more convenient for recounts if the paper ballot has the voter's votes printed in all of the languages of the election. But so long as the ballot is printed in the same language as the voter voted in, the system will work.

The report raises some concern about printers supporting multiple character sets. However, multiple character sets are if anything less problematic for printers than they are for display screens. DREs that display ballot choices in multiple character sets should have no problem printing ballots in multiple character sets.

Thus a printed, voter-verifiable ballot, utilized correctly, can lessen the complexity and increase the security of multi-lingual elections.

Emerging Standards May Cause Dre Equipment Currently In Use To Fall Out Of Compliance. The Report correctly focuses attention on this issue. HAVA represents an historic opportunity to upgrade election systems, which is not likely to be repeated. It would be a tragedy for HAVA and the good intentions surrounding it to be squandered on equipment that is only used for a short time.

There is good reason to anticipate that elections equipment standards will be more stringent in the future. The Report itself calls for stronger federal testing standards and procedures. Further, the report makes several pointed recommendations for improvements in the elections equipment testing and oversight process. As the current FEC standards are weak and ineffective, CPSR strongly supports the Task Force's position. From among the Task Force's recommendations, CPSR sees the highest priorities as:

• New standards must be developed.
• Oversight of elections equipment must be increased.
• A national database of elections equipment problems and incidents must be created.

CPSR also agrees that counties must be protected as much as possible from financial impacts from emerging equipment standards. Thus, we strongly recommend that DRE vendors be required to provide an upgrade strategy for DRE equipment. This strategy should cover likely new requirements. Specifically, the upgrade strategy should cover:

• addition of a printer to devices that do not currently have one
• verification of paper ballots by blind voters
• compliance with a software security standard such as the Common Criteria (CC, ISO IS 15408)(6), and/or elimination of the exemptions for "COTS" software components

Conclusion

Elections are the foundation of our democracy, and deserve the best practices and technologies we have to offer. However, experience makes us acutely aware how difficult it is to apply technology to elections. Technology experts have historically been ignorant about the real challenges of elections, while elections officials have often not been well-versed in the limitations of technology. The result has been insufficient concern for the limitations of new voting technology.

Hopefully, experience has made us wiser. The Secretary of State's Ad Hoc Touch Screen Task Force is one hopeful sign that elections technology will now have more careful consideration before deployment. CPSR agrees with many of the points and recommendations of the task force, as noted above.

On certain questions, the task force was strongly divided. These divisions point to trouble areas, specifically regarding DRE security and voter-verifiable physical ballots. As more DRE voting systems are deployed in California, it is critical that these unresolved issues be addressed.

Adequate security safeguards are essential. The threat of deliberate attempts to steal votes or sabotage elections may be hard to quantify today, but weak security provides an unacceptable opportunity for miscreants to develop and execute attacks on our election system. Moreover, adequate security builds confidence in the elections process.

Because of inherent aspects of DREs, logic and accuracy tests are not particularly effective. For this and other reasons, a voter-verifiable paper ballot is essential to the use of DREs in elections. California should mandate the use of printed ballots with DREs at the soonest practical date, and impose purchasing requirements on DRE vendors now that will facilitate this requirement with minimum disruption to elections.

Voters with visual and other impairments must be accorded the same rights as other voters to vote and verify their ballot in secret. Voter-verifiable paper ballots should be deployed as soon as possible, and verification aids for the visually impaired should follow as soon as possible thereafter.

Current efforts including HAVA represent an unprecedented level of interest and effort in improving our nation's election system. We must make the most of this historic opportunity, by setting our standards high enough to ensure confidence in democracy.
Prepared by Erik Nilsson, Chair, CPSR Working Group on Electronic Voting

NOTES

1. Report, p. 26 - Return
2. Kohno T., Stubblefield A., Rubin A., Wallach D.; Analysis of an Electronic Voting System http://avirubin.com/vote.pdf - Return"
3. http://www.whitehouse.gov/homeland/homeland_security_book.pdf - Return
4. A homomorphic encryption scheme is a public-key cryptosystem with the special property than one can compute an operation on plaintexts, say addition, by manipulating only ciphertext. Therefore, someone without knowledge of the private key can compute simple functions of the encrypted data. (Source:http://www.zurich.ibm.com/~sti/g-kk/mobile/homomorphic.html) - Return
5. Report, p. 36: "Both Proposition 41 and the federal Help America Vote Act of 2002 (HAVA), seem to require a paper audit trail be prepared for each polling place. "Section 301(2)(B)(i) of HAVA states that a voting system must produce 'a permanent paper record with a manual audit capacity.' In addition, HAVA states 'this paper record shall be available as an official record for any recount conducted with respect to any election in which the system is used.' " - Return
6. Mercuri, R. Uncommon Criteria Communications of the ACM 2002, 1, 172 - Return

More information about CPSR's work involving Voting, Computers and the Human-Computer Interface