Testimony of Michael I. Shamos
Before the Environment, Technology, and Standards Subcommittee of the
June 24, 2004
Chairman: My name is Michael Shamos. I
have been a faculty member in the
I am here
today to offer my opinion that the system we have for testing and certifying
voting equipment in this country is not only broken, but is virtually nonexistent. It must be re-created from scratch or we will
never restore public confidence in elections.
I believe that the process of designing, implementing, manufacturing,
certifying, selling, acquiring, storing, using, testing and even discarding
voting machines must be transparent from cradle to grave, and must adhere to
strict performance and security guidelines that should be uniform for federal
elections throughout the
There are a number of steps in the process of approving and using voting systems that must be distinguished. The process of “qualification” is testing to determine whether a particular model of voting system meets appropriate national standards. Unfortunately, no such standards currently even exist. The Federal Voting System Standards (FVSS), formerly known as the FEC Standards, are incomplete and out of date.
For example, one of the principal election security worries is the possibility of a computer virus infecting a voting system. Yet the FVSS place virus responsibility on the voting system vendor and do not provide for any testing by the Independent Testing Authority (ITA). Furthermore, the standards do not even require that a voting system contain any virus detection or virus removal software at all: “Voting systems shall deploy protection against the many forms of threats to which they may be exposed such as file and macro viruses, worms, Trojan horses, and logic bombs. Vendors shall develop and document the procedures to be followed to ensure that such protection is maintained in a current status.” It is hardly reassuring to have the fox guarantee the safety of the chickens.
Even if there were suitable standards, it is a significant question how to assure the public that a particular machine meets them. The current process of qualification testing by Independent Testing Authorities certified by the National Association of State Election Directors (NASED) is dysfunctional. As proof I need only cite the fact that the voting systems about which security concerns have recently been raised, such as Diebold Accuvote, were all ITA-qualified. Some of these systems contain security holes so severe that one wonders what the ITA was looking for during its testing.
wonder, but one cannot find out. The ITA
procedures are entirely opaque. The
NASED website contains this peremptory statement: “The ITAs DO NOT and WILL NOT
respond to outside inquiries about the testing process for voting systems, nor
will they answer questions related to a specific manufacturer or a specific
voting system. They have neither the
staff nor the time to explain the process to the public, the news media or
jurisdictions.” I don’t believe that
either Congress of the public should allow ITAs to behave this way. Did I say “ITAs”? Allow me to correct that. For hardware testing, there is only a single
NASED-certified ITA: Wyle laboratories of
It should be understood that qualification to standards addresses only one part of the problem. A qualified machine may not meet state statutory requirements even if it functions perfectly. A further examination, called certification, is needed to learn whether the machine can actually be used in a given state. Even a certified machine may fail to function when purchased unless it is tested thoroughly on delivery, a form of evaluation known as acceptance testing. I am not aware of any state that makes such testing a statutory requirement.
Assuming that the machines operate properly when delivered, there is no assurance that they will be stored, maintained, transported or set up properly so they work on Election Day. While many states provide for pre-election testing of machines, in the event of a large-scale failure they can find themselves without enough working machines to conduct an election.
The machines may work according to specification but if they have not been loaded with the appropriate set of ballot styles to be used in a polling place they will be completely ineffective. The process of verifying ballot styles is left to representatives of the political parties, who may have little interest in the correctness of non-partisan races and issues.
In this whole discussion we have ignored the matter of where the software used in the machine comes from. It may have worked when delivered by the vendor but may have been modified or substituted, either deliberately or innocently, by persons known or unknown. We need a central repository for election software to which candidates and the public has continuous access, so it may be known and verified exactly what software was used to present the ballot and tabulate the results.
I was provided in advance with three question to which I understand the Subcommittee desires answers.
1. How should the accreditation of testing laboratories and the testing and certification of voting equipment be changed to improve the quality of voting equipment and ensure greater trust and confidence in voting systems?
Testing laboratories should be certified and rigorously monitored by the EAC, or such other national body as Congress may create. The cost of testing should be shouldered by the states on a pro-rata basis, possibly out of HAVA funds. The laboratories should certainly not be paid by the vendors, which is the current method.
In testing laboratories we face the paradoxical situation that it is bad to have just one, but it is also bad to have more than one. A single laboratory has scant incentive to do a good job, but every incentive to please its customers, namely the vendors. If there are multiple laboratories, however, then some will acquire the reputation of being more lax than others, and the vendors will seek to have their system tested by the most “friendly” laboratory. This problem can be alleviated by monitoring the performance of the laboratories and according the vendors no role in their selection.
existence of Federal standards and ITAs has actually had a counterproductive
effect. Many states that formerly had
statutory certification procedures have abdicated them in favor of requiring no
more from a vendor than an ITA qualification letter, and in some cases even
2. What can be done to improve these processes before the 2004 election, and what needs to be done to finish these improvements by 2006?
I do not
believe that Congress can act meaningfully in the 130 days that remain before
the 2004 election. Even if it could, the
states would be powerless to comply in so short a time. A saving race is that the mere presence of
security vulnerabilities does not mean that tampering will or is likely to
occur. We have been holding successful
DRE elections in the
For 2006 there are many actions that can be taken:
3. How important is NIST’s role in improving the way voting equipment is tested? What activities should States be undertaking to ensure voting equipment works properly?
I believe that NIST has an useful role to play in developing standards for voting system qualification, but it should not be a dominant one.
NIST claims to have expertise in the voting process, and cites the fact that it has produced two published reports on the subject. The first of these, which appeared in 1975, was a ringing endorsement of punched-card voting, now recognized to be the worst method of voting ever devised by man. The second report, 13 years later, corrected that error. Both, however, were written by a single individual who is not longer with NIST. The NIST voting website, vote.nist.gov, contains a table of 16 “cyber security guidelines” that NIST asserts are responsive to the risks of e-voting. These guidelines occupy more than 2000 printed pages, yet the word “voting” appears nowhere within them.
While it is true that stringent voting machines standards are required, the task of developing them should not be assigned to NIST merely because the word “Standards” is part of its name. For voting standards are unlike any other in that they must be capable of being understood and accepted by the entire public. An airline passenger may place his trust in the pilot to verify that the plane both are about to fly in has been properly maintained. The hospital patient relies on the doctor for assurance that equipment in the operating room will not kill him. The voter has no one to turn to if her vote is not counted and therefore must develop a personal opinion whether the system is to be trusted. Suspicion about the manner of making and testing voting machines harms everyone. Arcane technical standards make the problem worse.
successful, error-free and tamper-free election is not simply a matter of using
a voting machine that obeys certain published criteria. Everything about the process, including the
input of ballot styles, handling of vote retention devices, testing and
subsequent audit must follow controlled protocols. If voting were done in a laboratory, it could
be instrumented and observed carefully by engineers following precise procedures. However, voting is conducted using over one
million volunteer poll workers, many of whom are senior citizens with scant
computer experience. In fact, almost 1.5
percent of the
expertise in the process of voting and the human factors and fears that attend
that process have not historically been within NIST’s expertise. I do not doubt that NIST could acquire the
necessary experience given sufficient time, money and mandate. But the nation does not have that kind of
time. A repeat of the Florida 2000
experience will have a paralytic effect on
Instead, I propose that standards for the process of voting be developed on a completely open and public participatory basis to be supervised by the EAC, with input from NIST in the areas of its demonstrated expertise, such as cryptography and computer access control. Members of the public should be free to contribute ideas and criticism at any time and be assured that the standards body will evaluate and respond to them. When a problem arises that appears to require attention, the standards should be upgraded at the earliest opportunity consistent with sound practice. If this means that voting machines in the field need to be modified or re-tested, so be it. But the glacial pace of prior development of voting standards is no longer acceptable to the public.
I may have
painted a depressing picture of the state of voting assurance in the
1. There are too many
organizations that appear to have authoritative roles in the voting process,
including the FEC, NASED, the
2. There is a
Constitutional reluctance in the
3. The reality is that states cannot assume the expense of conducting multiple elections on the same day using different equipment and procedures, so if standards are mandated for elections involving federal offices they will almost certainly be used for all elections.
4. The current pall
that has been cast over computerized voting in the
I thank you for the opportunity to present testimony here today.
Voting Resume of Michael I. Shamos
Michael I. Shamos is Distinguished Career Professor
Dr. Shamos holds seven university degrees in such fields as physics, computer science, technology of management and law. He has been associated with Carnegie Mellon since 1975.
From 1980-2000 he was statutory
examiner of computerized voting systems for the Secretary of the
Dr. Shamos has been an expert
witness in two recent lawsuits involving electronic voting: Wexler v. Lepore
Dr. Shamos has been an intellectual property attorney since 1981 and has been an expert witness in Internet cases involving the Motion Picture Association of America and the Digital Millennium Copyright Act. He is Editor-in-Chief of the Journal of Privacy Technology, an all-digital publication of the Center for Privacy Technology at Carnegie Mellon.
Further information is available at http://euro.ecom.cmu.edu/shamos.html.