Think paper trails will make elections secure? It’s not that simple
ASK THIS | February 01, 2006
Roy Saltman's 'Ask This' was posted on Feb. 1. Two readers appended critical comments after that. Here is Saltman's original 'Ask This,' followed by the comments and his responses to them.
By Roy G. Saltman
Q: Many election administrators argue that paper trails for electronic votes are unnecessary but a growing number of states mandate them because of pressure from computer scientists and others. What are the concerns of those who want paper trails?
A: Paper trail advocates, who typically don’t run elections, believe that software cannot be proven to be correct and that there may always be undiscovered errors. These individuals claim that the possibility exists that a malicious programmer could change the software to switch votes from one candidate to another. Thus, they believe that paperless systems should not be used.
Q: What are the reasons for the resistance to them, such as from Maryland state elections administrator Linda Lamone, Georgia’s leading technical expert Brit Williams, and Conny McCormack, election administrator of the nation’s largest local jurisdiction, Los Angeles County?
A: Many individuals who actually run elections, such as Lamone and McCormack, and some computer scientists experienced with the technology, such as Williams, believe that the computer programs in question are sufficiently limited in scope and the testing is good enough that malicious errors can be found. Administrators don’t want to add the extra function of printing to the election equipment. Adding another function is costly and more equipment increases the likelihood of breakdowns. Also, they don’t want to be concerned with testing, printing and preserving paper records. Furthermore, audio may be easily implemented with touchscreen voting systems, allowing visually impaired voters to vote by themselves. The latter is a requirement of the Help America Vote Act of 2002. That accounts, in part, for the large number of touchscreen systems purchased after passage of that act.
Q: Can security controls and computer program correctness be made good enough so the public should have no qualms over paperless records, or is that goal not achievable? Is the deciding factor technological or do voters want them for their own comfort?
A: The process of testing and transporting programs from the vendor to the using state is done in a special way in Maryland and Georgia. The program produced by the vendor is first assigned a “digital signature” through a computational process. The digital signature is a binary numeric code that will remain constant if, and only if, the program is not altered. Then, the program, along with the digital signature, is sent to two different locations: to NIST’s (the National Institute of Standards and Technology’s) National Software Reference Library and to a Voting Systems Testing Laboratory (VSTL). That laboratory is accredited by the Election Assistance Commission on NIST’s recommendation. After the program is tested and approved by the VSTL, it is sent by that organization to the using state. The digital signature on NIST’s copy and on the state’s copy received from the VSTL must match. After that, the state performs acceptance testing on the program.
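The two-channel check described above, worked through in code. This is an added example, not code from the article or from any election authority. The value the text calls a “digital signature” is one that stays constant if and only if the program is unchanged; the example models it with a SHA-256 digest (an assumption, since the article names no algorithm), and the “program” is a constructed byte string. The vendor ships program and digest to a reference library and to a testing laboratory; the state receives its copy from the laboratory and compares digests with the library’s copy.

```python
"""Two-channel program integrity check, as the article describes it for Maryland and Georgia.

Added example, not code from the article or from any election authority. The fingerprint is
a SHA-256 digest (assumed algorithm); the program bytes and scenario names are constructed.
"""
import hashlib
from dataclasses import dataclass


def fingerprint(program: bytes) -> str:
    """Fixed-length digest; any change to the program bytes changes it."""
    return hashlib.sha256(program).hexdigest()


@dataclass(frozen=True)
class Delivery:
    """A copy of the program plus the fingerprint the sender asserts for it."""
    program: bytes
    claimed_fingerprint: str


def vendor_release(program: bytes) -> Delivery:
    """The vendor computes the fingerprint once and ships it with every copy."""
    return Delivery(program, fingerprint(program))


def state_acceptance_check(from_lab: Delivery, from_library: Delivery) -> tuple[bool, str]:
    """The receiving state's check before acceptance testing begins.

    Step 1 catches a copy altered after its fingerprint was attached.
    Step 2 confirms the reference copy is self-consistent.
    Step 3 is the point of the second channel: a copy whose fingerprint was
    recomputed after alteration passes step 1, but cannot match the
    independently held reference fingerprint.
    """
    recomputed = fingerprint(from_lab.program)
    if recomputed != from_lab.claimed_fingerprint:
        return False, "program received from the laboratory does not match the fingerprint shipped with it"
    if fingerprint(from_library.program) != from_library.claimed_fingerprint:
        return False, "reference library copy is inconsistent with its own fingerprint"
    if recomputed != from_library.claimed_fingerprint:
        return False, "fingerprint differs from the reference library's copy"
    return True, "program received is identical to the reference library copy"


def demo() -> dict[str, tuple[bool, str]]:
    """Run the check on three constructed scenarios."""
    # Constructed stand-in for a vote-tallying program.
    program = b"tally-v1.0: add each ballot's marked choice to that candidate's total"
    release = vendor_release(program)
    library_copy = release  # the copy the reference library holds
    altered = program.replace(b"that candidate", b"another candidate")

    return {
        # Unaltered program arrives from the lab: accepted.
        "untampered": state_acceptance_check(release, library_copy),
        # Program altered in transit, original fingerprint still attached: fails step 1.
        "altered_stale_fingerprint": state_acceptance_check(
            Delivery(altered, release.claimed_fingerprint), library_copy),
        # Program altered and fingerprint recomputed to match it: passes step 1,
        # fails the comparison with the reference library's copy.
        "altered_recomputed_fingerprint": state_acceptance_check(
            Delivery(altered, fingerprint(altered)), library_copy),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:32s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The third scenario is the one that matters: a digest that travels with the program can be recomputed by whoever alters the program, so the check only detects substitution because the reference digest arrived by a route the laboratory never touched. If one party supplied both the program and the reference value, the comparison would prove nothing.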
I heard about Georgia's system from a presentation by Brit Williams at a NIST symposium in December 2003. I read about Maryland's procedure in an appendix to a report by the Election Center of Houston, TX, in May 2005. The fact that the Election Center put the set of Maryland procedures in a separate appendix indicates to me that the procedures are new, and not every state knows about them. There is no one place where all the procedures used by each state may be found.
Advocates for paper trails assume that there are programmers who are so clever that their malicious code will not be found, or that the vendor and the VSTL are in massive collusion to let malicious code through and either the state’s employees are in on the fraud or they are not clever enough to discover the bad program.
There is also the problem of threats from “insiders.” See the answer, below, to the question about the Leon County (Florida) experiment.
Q: If security is not achievable without paper, do voters actually check that their receipts match their intentions? Why not make the results more human friendly so that voters will be more likely to check them?
A: It has been shown by videotaping actual voters in Nevada (without identifying them or recording their choices) that very few voters actually review their receipts. The result is that the receipts not checked could be incorrect, since they are generated by a computer program that is not trusted. Unchecked receipts cannot serve as an audit trail, but production of a paper audit trail was the sole point of adding the receipts. Additionally, the receipts are typically spooled in the order of voters using the voting machine, allowing a voter to be identified with his or her choices.
If receipts are used, there must be a fixed procedure in place to cover a situation when a voter claims that the receipt does not match his or her choices.
One possible solution is for the voter, before accepting the receipt, to demand to vote again without showing a poll worker the content of the receipt. In most states, up to three attempts to vote are allowed. In this case, the individual voter is protected against fraud (if the malicious programmer was clever enough not to perform the vote-switching twice in a row), but the incorrect computer program is not discovered, so that other voters who do not review their receipts are not protected.
A second possible solution is for the voter to call over a poll worker and show that the touchscreen summary of votes differs from the choices shown on the receipt. Now the incorrect computer program may be identified, but the voter certainly has lost his or her privacy of voting choice, an essential requirement of law in most states, if not all.
If paper is to be used to assure public confidence, I suggest using it in a way that provides a complete audit trail. A computer-readable “marksense” ballot provides this capability. Such a manually completed ballot has the problem of determining the “intent of the voter,” since some voters do not fill out their ballots correctly enough for the computer to sense the choices. Nevertheless, the voter has completed his or her ballot, so that it may serve as a true document for audit purposes.
A new type of voting system provides the voter with a touchscreen, and when the voter is finished voting, a human-readable and computer-readable marksense ballot is printed under computer command. The computer ensures that the ballot will not have an “intent of the voter” problem. Then, the voter handles and reviews the ballot to make sure that it is correct. In either case, the voter deposits the examined ballot in a marksense reader connected to a computer. The touchscreen-generated ballot may be obtained by a visually impaired voter with the aid of audio associated with the touchscreen, and the ballot fed into the reader can similarly generate audio for approval by such a person.
By using paper in the manner that I have suggested, the possibility of the omnipotent programmer or massive collusion to accept incorrect software is prevented. However, paper-based systems have their own possibilities of error, deliberate or inadvertent. There is no perfect system. For example, marksense readers may not be wholly accurate in reading a ballot, particularly a hand-marked ballot, or more than one ballot may be transported through the reader at one time. It is recommended that at least 1% of precincts be manually recounted in every contest, and up to 5% of precincts be required to be recounted in closer contests without a demand from a losing candidate.
Q: Recent news stories in the Miami Herald and the Washington Post have reported on an experiment in manipulation of voting results carried out by Ion Sancho, Supervisor of Elections of Leon County (Tallahassee), Florida. Computer experts—with Sancho’s permission and working through a supervisory computer normally under his control—changed the program stored on a “memory card” that records the summary of votes sensed by optical-scan readers. They were able to change the values of vote summaries reported by the system printer. Is this experiment proof that the democratic process is really in danger from vote-counting fraud?
A: The computer experts first attempted to hack into the vote-counting system from outside and found that they could not do it. That result is not surprising, since Leon County’s system (as well as almost every other voting system) is not connected to any network. However, the experts understood the workings of the system very well, having obtained the program code through a download from an unprotected website of the voting system’s vendor, Diebold, Inc., of North Canton, OH. (This download, obtained by others and widely distributed to computer security experts, had been previously analyzed by Dr. Avi Rubin of Johns Hopkins University.) Sancho and the computer experts have done U.S. voters a favor; they have now reported a method through which an insider, if able to gain control of a supervisory computer, could cause incorrect results to be reported. For every such vulnerability exposed, there is a corresponding control procedure. Now that this entry method is known, the opportunity for it to be used can be easily closed off. All election administrators should be aware of the vulnerability and respond accordingly.
There are important conclusions to be drawn. First, there is a need to be able to recount some fraction of all ballots manually, regardless of the closeness of the reported outcome. Sancho’s system summarizes the votes that voters record on computer-readable marksense ballots. According to Sancho, Florida’s current law does not permit the recounting of ballots supposedly read and counted correctly by computers. This law is a real danger to democracy since, if the computer program is incorrect, the correct results will not be reported. California requires a 1% manual recount of all computer-readable ballots, a law that has been in effect for many years. This procedure, proposed in a published report in 1975 by this author, is absolutely necessary for public confidence in computer-generated results.
A second conclusion that might be drawn concerns the effect of this experiment on the use of non-ballot, direct recording voting systems. In those cases, there are no ballots that may be manually recounted. The possibility of insider vote-results manipulation increases the pressure to assure a secondary method of vote-counting, which is not possible with a non-ballot voting system. A mitigating factor is that there are separate vote-counting units in every precinct. In order to report wrong results and get away with it, a manipulator would have to change the results from every single vote-counting machine, or else the individual unit results would not add up to match the summary.
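The two controls just described, the fixed-fraction manual recount and the check that individual unit totals add up to the reported summary, as an added worked example. This is not code from the article or from any election office; the precinct names, vote counts, closeness threshold and sampling seed are all constructed for the example, and the 1% and 5% fractions are taken from the article.

```python
"""Summary reconciliation and fixed-fraction manual recount selection.

Added example, not code from the article or from any election office. Every unit's
totals must add up to the reported summary, and a fixed fraction of precincts (1%
normally, 5% in close contests, per the article) is hand-recounted regardless of
margin and compared with the machine counts. All data below is constructed.
"""
import math
import random

Tally = dict[str, int]  # candidate -> votes


def reconcile_summary(unit_totals: dict[str, Tally], summary: Tally) -> list[str]:
    """List every candidate whose summed unit totals differ from the reported summary.

    An insider who alters only the central summary leaves the individual unit
    totals unchanged, so the sum no longer matches the report.
    """
    candidates = set(summary)
    for tally in unit_totals.values():
        candidates |= set(tally)
    problems = []
    for cand in sorted(candidates):
        summed = sum(t.get(cand, 0) for t in unit_totals.values())
        reported = summary.get(cand, 0)
        if summed != reported:
            problems.append(f"{cand}: units sum to {summed}, summary reports {reported}")
    return problems


def recount_fraction(summary: Tally, close_threshold: float = 0.005) -> float:
    """1% of precincts normally, 5% when the leading margin is within close_threshold.
    The 0.5% threshold is an assumed value for the example."""
    votes = sorted(summary.values(), reverse=True)
    total = sum(votes)
    if total == 0 or len(votes) < 2:
        return 0.01
    margin = (votes[0] - votes[1]) / total
    return 0.05 if margin <= close_threshold else 0.01


def select_precincts(precincts: list[str], fraction: float, seed: int) -> list[str]:
    """Draw ceil(fraction * n) precincts, at least one, from a seeded PRNG.
    In practice the seed is generated publicly after machine results are posted,
    so nobody can know in advance which precincts will be checked."""
    n = max(1, math.ceil(fraction * len(precincts)))
    return sorted(random.Random(seed).sample(precincts, n))


def compare_hand_counts(machine: dict[str, Tally], hand: dict[str, Tally]) -> list[str]:
    """Report each sampled precinct and candidate where the hand count differs."""
    problems = []
    for precinct in sorted(hand):
        for cand in sorted(set(hand[precinct]) | set(machine[precinct])):
            m, h = machine[precinct].get(cand, 0), hand[precinct].get(cand, 0)
            if m != h:
                problems.append(f"{precinct} {cand}: machine {m}, hand {h}")
    return problems


def demo() -> dict:
    """Constructed election: 120 precincts, two candidates, one altered summary."""
    unit_totals = {f"P{i:03d}": {"Adams": 300 + i, "Baker": 280 + (i % 7)} for i in range(120)}
    honest_summary = {c: sum(t[c] for t in unit_totals.values()) for c in ("Adams", "Baker")}
    # Summary altered at the central tabulator; no unit total touched.
    altered_summary = {"Adams": honest_summary["Adams"] + 500, "Baker": honest_summary["Baker"] - 500}

    fraction = recount_fraction(honest_summary)
    sample = select_precincts(sorted(unit_totals), fraction, seed=20060201)
    # Hand counts for the sample: identical to the machine except one precinct
    # where three Adams ballots were misread by the marksense reader.
    hand = {p: dict(unit_totals[p]) for p in sample}
    hand[sample[0]]["Adams"] -= 3

    return {
        "honest_reconciles": reconcile_summary(unit_totals, honest_summary),
        "altered_reconciles": reconcile_summary(unit_totals, altered_summary),
        "fraction_wide": fraction,
        "fraction_close": recount_fraction({"Adams": 50000, "Baker": 49900}),
        "sample": sample,
        "hand_vs_machine": compare_hand_counts(unit_totals, hand),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Reconciliation is cheap and catches a summary changed in one place; the recount sample is what catches a program that misreads or miscounts ballots uniformly in every unit, which reconciliation alone can never see. Neither control is possible for a system that keeps no ballot to recount.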
A third conclusion that may be drawn is that the process of assessing the vulnerabilities of voting systems is not being carried out in sufficient detail. The current set of established procedures, in which a Voting Systems Testing Laboratory tests hardware and software before a system is actually used for voting, may need to include tests of security in greater depth than is being done now. Such a set of tests is difficult to carry out without the cooperation of the vendors, who know the inner details of their own systems.
Comments on Mr. Saltman’s response
James Johnson - True Vote Maryland
03/02/2006, 10:26 PM
Roy G. Saltman’s response to James Johnson
Thank you for responding to my comments on your article.
Mr. Johnson writes: “Mr. Saltman may be an expert but a lot of what he writes below lead[s] me to believe that he is not an expert on how historically elections have been manipulated ...”
It has been a hallmark of the members of the many groups that have formed in the past four years to be activists on use of paper trails, or on election fraud in general, that they have made no effort to know the history and literature of their subject and to read the arguments that have been made on all sides. Mr. Johnson, by making this statement quoted above, demonstrates that he fits into this category. Where were such people many years before 2000, when non-ballot lever machines were still being widely used and direct recording electronic systems (DREs) first began to be employed? In 2000, 13 percent of voters nationwide used DREs and 18 percent continued to employ lever machines. We did not hear from them at that time.
My background is in Information Technology and Communications.
I do not have a background that qualifies me to assess electromechanical punch card systems.
My activism is not just about either paper trails or election fraud, but is about achieving reliable computerized voting systems that warrant the trust of American voters. If we are to continue to have a representative democracy, this is essential.
In the past, paper ballots were used because they provided a degree of transparency and the ability to conduct audits and recounts. Any replacement technology must be required to meet these minimum requirements, which are the foundation for trust in our elections.
As far as I can discern, your statements above are not in defense of the unreliable and un-auditable DREs currently used to conduct elections, nor do they challenge the fact that we have experienced irregularities during previous elections.
I have been involved in the problems of integrity of elections for over thirty years. My two reports published by the National Bureau of Standards, the first in 1975 and the second in 1988, are highly regarded by election administrators and by political scientists involved in researching the socio-economic aspects of elections. These reports have discussed the many ways in which mistakes resulting in incorrect reported results have occurred since the beginnings of computer use in vote-casting and vote-counting in the 1960s. The reports made many recommendations to assure integrity. For example, I was the first person to write (in 1988) that electronic ballot images (EBIs) should be permanently recorded in DREs, a recommendation that was adopted in the 1990 standards. This recording of EBIs should make the public far more confident about DREs than lever machines, but that has not been the case. The reports are available from the National Institute of Standards and Technology, Gaithersburg, MD. (Ask for NBS SP500-30 [a 1978 reprint of the 1975 report] and NBS SP500-158.)
Soon after the debacle of election administration in Florida in November 2000, Governor Glendenning of Maryland formed the Governor’s Special Committee on Voting Systems and Election Procedures. I was one of two persons specifically invited to speak at the hearing on Jan. 4, 2001; the other was Marie Garber, former administrator of the State Administrative Board of Election Laws and former election director of Montgomery County. My presentation and the others that were given were printed in a volume which, I hope, is still available from the State Board of Elections. (I was not a member of the committee and had no hand in the adoption of DREs statewide.)
This past January, my book entitled “The History and Politics of Voting Technology: In Quest of Integrity and Public Confidence” was published by Palgrave Macmillan, and is available online from amazon.com or by special order from any bookstore. On the back of the dust jacket are comments from four distinguished gentlemen who submitted favorable comments on the book. Three are professors and the fourth is Richard G. Smolka, editor of Election Administration Reports. The comment by Charles Stewart, chair of the political science department at MIT, is as follows:
“For a quarter-century Roy Saltman has been the world’s most knowledgeable expert about modern voting machines, warts and all. In The History and Politics of Voting Technology, Saltman shares this knowledge with us and demonstrates that the history of voting technology is more than it seems. Bound up in the story of voting machines are stories as old as America itself, including our endless fascination with technology as a panacea and our conflicting (and ultimately irresponsible) visions about how to protect and extend democracy in America. This is a must read for those interested in the politics of election reform and in how technology and politics intersect in the United States.”
I think we all agree that you have stellar credentials on this subject. That is one of the reasons I was surprised to find them used to establish rationales for Election Officials not getting it right. If reliable, auditable and secure systems are to be achieved, it will not be done by providing cover (intellectual or otherwise) for the current generation of insecure and un-auditable systems.
With regard to the “receipt” system used in Nevada, I have made the point that if the voter is the last line of defense against manipulated software, then the voter must lose his or her right to secrecy in order to demonstrate that the receipt is different from the choices shown on the computer screen. The assurance of the secret ballot is the absolute base requirement of voting in this country. A voter should not have to give up this sacred right in order to assure correct recording of his or her vote. Therefore I have written, for example in my response to the questions of the Nieman Foundation, “If paper is to be used to assure public confidence, I suggest using it in a way that provides a complete audit trail.”
This is the kind of leadership I had expected from Mr. Saltman. If precinct-based optical scan systems are used that allow the voter to mark their own ballot, both a secret ballot and a reliable audit trail can be provided.
With respect to the software testing process, Mr. Johnson is apparently unaware of the recommendations that I have made to the TGDC that the exemption given to commercial off-the-shelf software (COTS) should be ended, and that the VSTLs (formerly ITAs) should be subject to audit to assure lack of conflict-of-interest and use of the most thorough testing methods. I have made these recommendations also in my book (see p.217).
In connection with the experiment carried out by Ion Sancho in Leon County, Florida, Mr. Johnson states that “Mr. Saltman’s description of the procedure is somewhat questionable. What kind of security expert that ‘understood the working of the system’ would attempt an attack over a network, knowing the systems were not networked? There appears to be something wrong with this description.”
I reply that there is nothing wrong with this description because I spoke with Ion Sancho personally over the phone, and I am reporting what he told me. Obviously, the security expert did not fully believe that the system was not networked until he attempted to hack into it. I believe that emphasizing the lack of network connections is important because there are many people (such as a Maryland state legislator of my acquaintance) who believed or still believe that electronic voting machines are connected to the Internet.
The Maryland central tabulator system is connected over the Maryland intranet. I think this might be the source of confusion for the Maryland legislator.
My reference to modems was to those on the central servers, which are used to accumulate votes from precincts. In the case of Diebold systems, these are equipped with dial-up modems for maintenance. These are supposed to be disabled during the election, but only the people responsible for securing them are able to ascertain that.
Diebold and ES&S DREs have an IrDA (infrared) port installed on each machine. These are said to be disabled using software, but who knows for sure. The presence of these vulnerabilities allows for the possibility that during an election these systems can be manipulated.
Finally, Mr. Johnson has written “The same highly motivated honest officials that lose ballot boxes on their way to being counted can be counted on not to flip a switch enabling these modems. There is no technical reason why the public should be forced to trust these individuals. Today it is even worse as the systems are too complex for local officials who in turn depend on these contractors to run the machines during an election. These contractors are generally not sworn election officials.”
Now, Mr. Johnson has, at this point, identified major problems inherent in our system of election administration. These problems are (1) that a large number of individuals, including many that have been hired temporarily and who must be available for election duty on a normal workday, must carry out an election in every one of the thousands of local jurisdictions that separately conduct them; (2) that elections not only involve machines and people, but the procedures established (which always need review to take into account newly identified risks) to assure proper conduct of the election and to assure its security, and (3) that the persons performing the work of election administration must be adequately trained so that they can correctly implement all of the necessary procedures.
I do not object to the restatement of these problems because they must be put in front of senior election administrators until they are effectively dealt with. However, I can point to where I have written about all these problems previously. For example, in connection with vendor responsibilities and conflict-of-interest, see my 1975 report, Conclusions (f) and (g), page 6. My 1988 report has a significant section on the “internal control” function. See section 1.3, pages 2 and 3, for a summary of recommendations, including identification of vulnerabilities, converting them into a set of realistic threats, and concern for “abdication of control” by election administrators “to others, such as vendors or data processing center directors.”
By noting that boxes of voted ballot cards could be lost on the way to being counted, Mr. Johnson recognizes that any system of voting has its own vulnerabilities and risks. There is no perfect system. The problems of election administration enumerated above apply to every system.
I invite Mr. Johnson, whose concerns are clearly in the right direction, to read what I have previously written. Both of us have a strong desire for integrity of elections and assurance of public confidence in how elections are carried out.
I have read some of your previous work. But it is important to note that my comments were responses to what was stated in this article.
My hope is that you will not make it easier for Election Officials who, for whatever reason, have not seen fit to insist on specifications and implementations of voting systems that provide the highest levels of security and integrity achievable with this technology.