December 2003 January 2004
Our
Democracy is in Danger of Being Paralyzed
Bill Moyers
Reclaiming
Local Media
Paul Cienfuegos
What
You Need to Know About Electronic Voting
William Rivers Pitt
Will
the 2004 Election by Stolen With Electronic Voting Machines?
William Rivers Pitt
Myths
of the Hermit Kingdom
Eric Sirotkin
Heresies
in Pursuit of Peace
Eric Sirotkin
The
Empire Strikes Out
Kenny Ausubel
Relationships
and Culture
Nita Simons
The
Movie Mystic
Stephen Simon
Tai
Chi and Qigong
Bill Douglas
A
Relationship Practice
Kayla M. Starr, MPH
Cosmic
Calendar
Salina Rain
What You Need To Know About Electronic Voting
By William Rivers Pitt
In July of 2003, William Rivers Pitt sat down with Rebecca Mercuri (RM), Barbara Simons (BS), and David Dill (DD), who have been at the forefront of the debate surrounding the rise of electronic touch-screen voting machines in our national elections. They are three computer scientists/engineers who are as well versed on these matters as anyone you will ever meet. In the aftermath of the 2000 election, Congress passed the Help America Vote Act (HAVA), and although the powers that be have settled upon electronic touch-screen voting machines as the solution, there are a number of serious concerns about the viability of these machines. The matter strikes to the heart of our democracy: if the votes are not counted properly, our democracy is broken forever.
Explain the five attributes of an ideal voting technology: anonymity, scalability, speed, audit and accuracy.
BS: Voting has to be anonymous; that’s how we do voting in this country. Scalability means that when you build the system, you have to be able to use it for however many people who come to vote. It might work well for a small number of people, but not work for a large number of people. Speed is pretty clear-cut; it has to be fast and convenient, so there are no long lines of people waiting to vote. Audit means you must be able to know what happened after you vote. You must be able to prove the votes.
“Audit” means recount?
DD: The basic idea of audits in banks is that you can reconstruct the results from the original records. In voting that means being able, even if your election system fails, or if you question it, being able to figure out what the vote totals are for an individual candidate from the original records. The original records were the paper ballots.
BS: Accuracy means we want to be sure the votes are accurately reported and counted.
How does this Direct Recording Electronic Voting Machine (DRE’s) abrogate any of these five requirements?
RM: With these machines, two of these requirements turn out to be in provably direct conflict. You want anonymity, but you also want audit ability. The problem you have is that those two things cannot really coexist to the fullest extent. The way that we do audit ability is that we track all transactions that happen … What we’re asking for in these Direct Recording Electronic machines is to have anonymity as well as audit ability coexisting. What the vendors have provided is an elaborate scheme whereby the votes are recorded on some sort of cartridge or recording device, but they are not recorded in sequence. They actually randomize them. They are not recorded sequentially, and we don’t know exactly what happens in the voting process. Something could happen in the randomization process, and that’s part of the issue.
It sounds like you have to sacrifice either anonymity or audit ability, or else come up with a way to have both coexist.
BS: What we are talking about is in some sense a simpler problem, which is just making sure the vote gets accurately recorded. Even on this simpler problem, these Direct Recording Electronic machines fail, because they don’t have any way to verify the votes.
DD: If you look at this auditing problem, there’s an audit gap between the voter’s finger on the touch screen and the record that is made inside the machine. With DRE’s as they currently work, the voter cannot tell what is being recorded inside the machine. What you really need to have is a workable audit trail, so the voter can check that their vote has been properly recorded before leaving the voting booth … what is available now that we can do is either use a paper ballot system like an optical scan system, where you’re filling out a paper ballot and you just put that in the ballot box, and that’s the voter verified audit record. Or, and this was Rebecca’s idea, is to take the touch screen machines and put a printer on it—in fact, they already have printers—and it will print the ballot, and the voter can look at that to make sure it has the right stuff on it. That then goes into the ballot box.
Are you describing revolutionary voting record verification technologies? My precinct in Boston uses those old-school voting machines where you yank the big lever … [but with] no verification. You are talking about not only making sure that the technology within these systems functions in such a way that the votes are actually recorded, but you’re adding giving the voters verification that their vote has been counted and recorded.
BS: I don’t think it is all that revolutionary. But there are other systems people use to vote, like optical scans, which have been around for a while. With those, you do see your vote, and you do get a piece of paper. There is no additional technology needed.
RM: The traditional lever machine is fully mechanical. The great thing about them is that you can crack open the back and see how it works. If there is a question whether one specific machine is working correctly, you can see the gears connected to the levers. The problem, and the difference between those lever machines and these new DRE’s, is that the DRE’s are basically using electrons. I actually have a lot more faith in the old lever machines. I can’t open the DRE and look inside and see that the button I pushed on the touch screen is being recorded inside the device. It’s invisible. You can see in the old machines if a lever is connecting to the wrong place, or if there was some foul play. If someone were going to throw an election, they’d have to mess up an incredible number of those old machines, one machine at a time and one lever at a time. With these DRE’s, if there’s some mistake in the programming—even if it is not intentional, just some bad code—it could affect all of them, the whole quantity of the DRE’s.
What kind of non-malicious, general screw-up errors can manifest themselves in these DRE’s?
RM: Some of these problems are very simple. The addition of a semi-colon or an equals sign in the wrong place in a line of code can completely change the programming. This would be someone who just slipped up. There are plenty of examples of this happening. In the midterm elections down in Dallas, Texas, people tried to vote on the new touch-screen machines. They found that, no matter where they touched on the Democratic side, it would vote for the Republican candidate. These people were pretty upset, and it just kept happening and happening. In Texas they have early voting, and this problem showed up in the early voting. If this had happened on Election Day, who knows what would have transpired? They might have had to shut down voting in all of Dallas. The Demo-cratic Party went to court over this. They had affidavits demonstrating that there were machines making this error. Ultimately it was decided that seventeen of the machines were somehow misaligned.
What kind of testing are the three main companies making these DRE’s (Diebold, Sequoia and ES&S) doing to ensure that the misplaced equals sign, the misplaced semi-colon, the misaligned machine, is not happening?
DD: What kind of testing that goes on in these companies is something we don’t know. They won’t tell us a thing about their code or what they do to test it.
BS: Even if we could see the code, that wouldn’t be sufficient, and even if we could convince ourselves that the code was correct, we still wouldn’t know that it was the code that was running on election day.
DD: That is actually a much harder technical problem than most people would think. With current hardware, it is very difficult to make sure that the program running on the machine is the program we think is running on the machine. There is a general theme of secrecy. I understand some of the reasons for secrecy. But it is frustrating to me because claims are made about these systems, how they are designed, how they work, that frankly I don’t believe. In some cases, I don’t believe it because the claims they are making are impossible. I am limited in my ability to refute these impossible claims because all the data is hidden behind a veil of secrecy … what they do is run scripts over the computer program to check for bugs. A script is just another computer program to check for superficial things. There is no human involved. They don’t want functions that are too long, and they don’t want functions with multiple exit points. They say “Modules,” but they are basically talking about chunks of code. It is basically nothing more than a style-checker, like running a spell-check. The problem with running a spell-check …
… is that you miss the homonyms.
DD: Right. The concept of running one of these style-checkers on a program is, at the end of the day, you know the functions are short and they don’t have multiple exit points. You don’t have any clue if they are doing the right thing at security holes or anywhere else. After this process, there are several other steps. There is something called an “Acceptance Test.” When the machines get delivered to either the state or county government, they power them up and put them through the paces to make sure they work. Basically, they sign a form that says they got the thing and it’s not busted. Before each election, and sometimes after each election, they have something called a Logic and Accuracy Test where, to one degree or another, they will try casting some votes on the machine to make sure they come out right. That’s basically all there is to it.
As a computer scientist, I know that the worst problem that could happen is that you have someone at the company, such as a programmer who knows all the details of the code, or a mysteriously overqualified janitor, who could basically insert something malicious into the code. Given the fact that they are using the “C” programming language, we know that such an act can be concealed. They wouldn’t even have to change the program. They could just change some of the results of the program. Malicious code could be concealed in ways that are practically impossible to detect by any means, and certainly wouldn’t be detectable given what we understand to be the detection and inspection process.
The computer scientist who oversees elections in Georgia told us that, by Black Box Testing, this logic and accuracy testing, he could catch any malicious code. It is completely ridiculous. If you go to the Microsoft Excel spreadsheet program, and go to row 2000, column 2000 and type a specific thing, you will get something like a flight simulator. The Microsoft programmers, even though it is a firing offense, can slip this stuff into the programming code so none of the testing people can discover it. They are called “Easter Eggs.” If you type “Easter Eggs” into a Google.com search, you’ll get instructions on how to find all these things in Microsoft software programs.
Without even knowing very much about how these systems work, computer scientists know that you can put malicious code into a program, you can change the results of an election, and it can’t be detected by inspection or testing. Period.
What are the ways that this process could conceivably be subject to fraud?
DD: There
are insider attacks, which we know could be successful if someone chose to
do that. What people worry about with PCs is not so much Microsoft hacking
them, but outside people coming in over the internet with viruses or something
you download. That is an outsider attack. In order to be confident about your
code, about a system that is security-sensitive, you have to do a very careful
analysis of the design and the software itself. It has to be done by real
pros, and it is a very labor-intensive process. That has not been done, to
my knowledge, with any of these voting systems. Without that kind of analysis,
you can be guaranteed that there will be gaping security holes. People are
just going to make mistakes, because it is too hard to do otherwise.
Without a careful security analysis, you can’t know what kind of outsider attacks may be possible. Except in the case of the Johns Hopkins paper from last October, where they managed to get their hands on the code through Diebold’s carelessness and lack of security. Two graduate students noticed what turned out to be severe security blunders. I don’t think it is important to emphasize whether people can hack these particular machines in these particular ways, although I find the problems these grad students found to be worrying. I think the most important thing about that is that it disproves any claim that the manufacturers or the independent testing authorities are actually carefully scrutinizing this code, or for that matter, know anything about computer security. I think we have conclusively disproven that there is anything in this process that guarantees these things are secure.
RM: One of the other problems brought out by the Johns Hopkins report was this issue of “Smart Cards,” the things you use to cast your vote. If you had this Diebold code, you could manufacture your own Smart Cards and have a pocket full of them, and maybe cast additional votes. My issue, simply, is that it is easier than that. You don’t have to be an insider in the vote machine company.
At the polling places, you have the people who are making the Smart Cards. The Smart Cards are sitting there in a pile. The interesting thing about these Smart Cards is that the voter comes to the polling place, and data is put on the Cards. The idea, as the vendors have been telling us, is that the voters take that card and go to the machine, and the card only lets them vote once. Otherwise, you could vote 20 times. There is nothing to prevent a poll worker from manufacturing some more Smart Cards, sticking them into the machine, and voting several times. There is absolutely nothing to stop some corrupt poll workers from doing this. In fact, what this whole thing was trying to prevent—they say we are using DRE’s because we don’t want to have these problems with paper ballots, with people taking the papers out and substituting another ballot—these same crooked people who would tamper with ballots are the same people who would make a few more Smart Cards and vote extra at the end of the day.
BS: One of the things you can do, and you don’t have to be all that clever to do it, is change a small percentage of votes one way. If you’re really smart, you’ll change an even smaller percentage of votes the other way, so it won’t be obvious. If you’re smarter still, you’ll do this randomly. If you’re smarter still, you have something called a Random Number Generator, and maybe every hundred votes you make sure is Republican, and every five hundred votes you change to Democrat. If you try to repeat this, if you run the code again on the same input, you’ll get different results, because you randomly decide what to change. Because it is random, it is different each time. You will still do the changing of 100 in one column and 500 in the other, but it will be different.
Progressive activists are really worried about the problems with these newly conceived voting systems, and one of the main things that bugs them is who the Board of Directors are for a number of these Big Three companies. These boards are comprised of some serious hard-core conservative Republican activists. And despite the uproar that this has caused within the ranks of the left wing, there are some very interesting groups of people who are having trouble accepting the information that you are bringing to them. How is this not some sort of bipartisan, one sided partisan issue?
DD: It bothers me deeply that there are major conservative contributors running these companies. On the other hand, if you think about it, everybody has a conflict of interest. Everybody has political opinions. Everybody has economic interests that deal with the government. So there is no way to get some sort of independent, super-objective neutral voting machine company. It’s always suspect, regardless of the sterling character of people in the companies, which is why you need an independent check on everything. So trust is not a good thing in election systems. The only people you should be trusting are groups of people with opposing interests, such as election observers from different political parties.
This is a cause that seems to have a tremendous amount of grass roots appeal. I’ve probably been doing more grass roots activism than any other people in this room. Unfortunately, I am an incompetent activist. But people just come to me. They read the web page and ask how they can help. They are so concerned. On the other hand, most of the opposition to what we are talking about is coming from what you would think of as progressive and good government groups. A lot of these groups have taken an official position. They have very pragmatic concerns—is it going to disrupt plans to buy equipment that will be replacing equipment that they hate? Will the equipment be unreliable? Will it add expenses to things? Will people buy what they feel is inferior equipment? They have legitimate concerns. Unfortunately, they’re missing another legitimate concern which is the computer reliability and security issue.
It sounds like the decision has already been made to commit to this course, and they just don’t want to hear about anything that’s going to disrupt that decision.
DD: I think that’s exactly right. These people have been working on this issue for a long time. They’ve made deals that were very hard to hammer out. They think they’ve got something satisfactory and they don’t want people coming in and changing the rules.
RM: Some people are also afraid, like the League of Women Voters. I believe that they are actually afraid that if people think that we have to have a piece of paper, then we shouldn’t trust the computer and we shouldn’t trust elections, and that makes us even more afraid. What we’re saying is the opposite. If you have just the computer, then we know people are going to have questions in their minds. If, on the other hand, you have these pieces of paper and the people can see the pieces of paper and there are poll workers who can see the pieces of paper, and when we all play an active role in making sure that those are counted correctly and that the procedures are done correctly, it’s all a visible and open process and we’ve now opened it back up to the people, so that we the people, the citizens, are the ones who are conducting the elections, not the election officials.
BS: I’d like to comment a bit on the League of Women Voters and some of these other groups. I think there’s something else that’s going on. The people making these decisions don’t have a good technical background and I think, in some cases, they are a bit afraid of technology. They want to believe. When they are told that you can trust these systems, they initially did believe it and they want to believe it because it makes life so much easier. And these machines are so much nicer compared to the punch cards. You don’t have to worry about hanging chads and they can be made very easy to use and they can figure out how to operate them because they’ve done ATM’s. And then we come along, the sort of spoil sports, and say, wait a minute, you can’t trust these machines. And people don’t like that.
I personally have been in battle with The League of Women Voters. I joined the League of Women Voters a few months ago over this, because I was concerned about voting. Shortly thereafter, there was a letter in The Times from the president basically saying paper ballots aren’t really necessary, which got me very nervous. I wrote to her, and almost immediately thereafter a statement appeared on their website saying you don’t need voter verifiable paper ballots, that paper’s not a good idea, it has all these problems. Their statement is so bad it actually has a claim about something being a way of doing security which is just a joke. I mean, you’d flunk a student for making a claim that you get security through this method of keeping the information in different parts of the machine and in different formats. That doesn’t give you the security. They refused to take it off their website.
RM: They’re saying that they are speaking to computer scientists and yes, there are some computer scientists who believe that the paper ID is not the way to go and that there are some flaws with the way that we’re doing things. But those people have yet to demonstrate that any of the things that we’ve said are incorrect because, in fact, all the things that we say are based on computer science theory which they, of course, have to subscribe to as well. But they have their own reasons for saying that. One of the interesting things in California is that when the vendors were asked about the printers, first some of the vendors said, well, putting in printers would be expensive. Turns out, they already have printers in the machines because they print out zeroes at the beginning of the day and totals at the end of the day. So it’s no more expensive. Just have a little bit more different printers to do the paper stuff. They audit it by taking the stuff that’s inside the computer, that we don’t really know how it got in there and whether it’s correct, and they actually print it out on pieces of paper. And they count some of it. If they’re printing it out anyway, why don’t they print it out and let us see it when we vote? It’ll save them a lot of time. They want to print it out after the fact.
BS: Without these voter verifiable paper ballots or some equipment, which we don’t yet know how to do, there is no way to do a recount.
DD: What people have done is redefine recount to mean something other than what you think it means. So I’ve taken to saying, there’s no way to do a meaningful recount.
RM: Or an independent recount. The recount is dependent upon the vendor. You have to take the vendor cartridges, put them in the vendor machine, and they have to be read using software provided by the vendor. There’s no way for me, a computer scientist, to read those cards, even if they gave me a card which they say I cannot have because it’s proprietary and it’s owned by the county. But even if they could give me a card and I was allowed to read it, that would be illegal because I would have to use the secret code that is allowed to read the card. This is terrible. There is no independent way to do a recount.
BS: We basically are handing over our elections to a small number of private corporations DD: Somebody coined a phrase that I liked: Instead of voter verified elections we have vendor verified elections. One point is about voter confidence. There are people who feel that by raising these concerns voter confidence will be undermined. What they really mean there is we’ll undermine voter participation. Particularly on the prgressive side. People understand that voter turnout has been a tremendous problem. They need to get people out to vote and they don’t want them to feel that their vote doesn’t count, even if they’re using these touch screen machines.
I don’t believe there’s any reason not to vote. For example, if you want to have politicians see common sense and stop buying touch screen machines, the only way to make yourself be heard is to vote, right? I don’t know what’s happened in the past but I don’t think there’s wholesale election fraud going on at this time. But I can’t prove it, which is the whole problem.
When people speak about voter confidence, they need to think about it in this other way: It’s the voters having confidence that the results of the election are sound. It’s not just a voter participation problem; it’s a question of accepting the results of elections. I think we have a moral obligation to tell the truth and I don’t think that someone else could say that if somebody sees a serious problem they should be quiet about it so people won’t worry. I mean, people have to worry or else, obviously, the problem’s not going to get fixed. It’s been going on too long and people like Rebecca have been complaining about it too long to believe that suddenly it’s just going to get fixed unless we raise a real fuss.
RM: I think that it’s very, very important for people to start lobbying. If they’re concerned about this, they must start lobbying all these groups. Congressman Rush Holt, (NJ), has a bill in Congress on this (House Resolution 2239). People need to get their Congressman to endorse that bill and make sure it also gets a compromise bill in the Senate. We need to have the public demand this legislation. Rush Holt’s bill is really important because he’s raising four important points which people have completely misinterpreted. They think that by having voter verified ballots we’re going to make it longer before the disabled will be able to vote. His bill actually says we want verified ballots. They need to be required, but he also accelerates the time in which the disabled are going to get the new machines.
Also, he wants the code to be opened. He says there should be no secret code. Of course, the vendors can protect their stuff with copyrights and patents. That way, if somebody tries to copy their code and sell it in their machine, they can sue them just like anybody else. But that the voters need to have the ability to actually see the code and be able to verify that.
The last part of Holt’s concern is about modems, the telecommunications devices, because the vendors are saying that they can use those devices to send the data at the end of election date to the main precincts. Holt does not believe that there should be any communications, especially wireless, where anybody could be sending in packets.
Unfortunately we have a new trend in this country that was started in 2000. If you protest an election and you want a recount, you’re now called a sore loser and it’s unfortunate but it is your legal right. If you’re a candidate you have the legal right to ask for a recount if you can demonstrate that there’s something wrong. Well, now, the recount is just push a button, it prints out the same thing, that’s the same totals and you can’t go any further to see if the machine was really working
This is what
Rush Holt’s bill is aiming to deal with?
RM: Yes. Why do we have laws on the books in all the states that say that
you can have a recount when what they’re respectively saying is, sorry
you lost, just shut up and go away and don’t bother me any more. And
that’s exactly what’s going on.
RM: Yes. Why do we have laws on the books in all the states that say that you can have a recount when what they’re respectively saying is, sorry you lost, just shut up and go away and don’t bother me any more. And that’s exactly what’s going on.
DD: I agree with Rebecca. We’re not talking about baseball games here. This is the foundation of democracy. I think a candidate has a duty to his supporters, if he believes there’s anything wrong with an election, to go in there and find out if there’s anything wrong. And in fact, he or she has a duty to democracy to do that. We all want to believe that election is fair. Unless we go in and audit those things occasionally, we’re not going to know that.
BS: I think the Rush Holt bill is the only chance we have for the ’04 elections, because these machines are already in widespread use and are being purchased by more states.
One of the things that worries me about Rush Holt’s bill is, as of today, all of the endorsers are Democrats. One of the pleas I would make to the people who read this article is to really work at making this a non-partisan issue. Try to bring more Republicans into the Rush Holt bill and whatever they do, don’t make this into a partisan issue because if it becomes partisan, that’s the kiss of death, in my opinion.
BS: We know that there are Republicans who feel this way and so the main thing is that we’ve got to get them to sign up. That’s all. We’re not asking anybody to do anything which is un-American. In fact, this is sort of quintessential American. This is what the country’s all about. But people need to contact their Congressman and Senators and let them know that they need to sign onto this bill.
You have been charged with trying to drag the electoral process back two centuries by bringing this stuff up.
DD: I just want an electoral system I can trust. And I think everybody else in this country wants it, too. I happen to have the technical background to be quite confident that there’s no reason to trust the machines that we’re deploying now. So I’m raising the concern. I think there may, in fact, be super-high-tech solutions to this problem in the not too distant future that provide much better election security than we have now. And are significantly less difficult to deal with than maybe some of the solutions we’re talking about. So I’m certainly not against technology since I marinate in it to the exclusion of all other activities. My greatest worry is really an erosion of confidence in the elections. When people can no longer trust the elections I think that that will undermine the legitimacy of everybody in government and I wouldn’t like to see that happen.
RM: My feeling is that it is a bamboozling of the American public. We’re trading away a lot of the checks and balances that we have always had in elections. What we’re being told is not the full truth about what is actually going on and I think that we’re giving away much more than we’re getting.
For more information on Electronic Voting and to find out what you can do to help Congress pass H.R. #2239 visit www.verifiedvoting.org.
David L. Dill has been a Professor of Computer Science at Stanford since 1987. He has an S.B. in Electrical Engineering and Computer Science from Massachusetts Institute of Technology (1979), and an M.S and Ph.D. from Carnegie-Mellon University (1982 and 1987). His primary research relates to the theory and application of formal verification techniques to system designs, including hardware, protocols, and software.Rebecca Mercuri is the founder of Notable Software and Knowledge Concepts. A computer scientist, she has been employed by and consulted for many Fortune 100 firms, including AT&T Bell Labs, Intel, Merck, and RCA. Her specialties are interactive systems, microprocessor applications, computer security and forensics. Dr. Mercuri holds Ph.D. and M.S.Eng. degrees from the University of Pennsylvania as well as a M.Sci. from Drexel University. Barbara Simons received her Ph.D. in 1981 in computer science from the University of California at Berkeley. In 1980 she joined the Research Division of IBM, and she is currently a member of the Application Development Technology Institute in the IBM Software Solutions Division.
William Rivers Pitt is Managing Editor of truthout.org, and a New York Times and international best-selling author of three books: War On Iraq,(Context Books), The Greatest Sedition is Silence, (Pluto Press) and Our Flag, Too: The Paradox of Patriotism, (Context Books).
