Testimony of Michael I. Shamos
Before the State
Government Committee of the
My name is Michael Shamos.
I have been a faculty member in the
From 1980-2000 I was a statutory examiner of electronic voting systems for the Secretary of the Commonwealth and participated in every electronic voting system examination held during those 20 years. From 1987-2000 I was a statutory examiner of electronic voting systems for the Attorney General of Texas and participated in every electronic voting system examination held during those 13 years. In all, I have personally examined over 100 different electronic voting systems. The systems for which I have participated in certification were used to count more than 11% of the popular vote in the
I am not here today as an advocate for or against electronic voting systems. I am here because of my experience with such systems and to assist you in assessing their risks. I believe that the decision whether to adopt or approve a particular voting system or type of voting system is an engineering question that must be answered by a calm and thorough discussion of rational risks and countermeasures. It should not be influenced by emotional outburst.
Security in computer systems is a constant battle against intruders who are constantly developing ever more sophisticated methods of attack. Likewise, the developers of voting systems are deploying countermeasures to prevent these attacks. The battle lines are rapidly changing and no static set of guidelines is sufficient to protect or satisfy the public that electronic voting is safe.
Electronic voting can be made reliable with a thorough combination of design, manufacture, certification, testing and rigorous administrative and security controls. The systems must be used properly according to stated protocols. If this is done, then electronic systems are far more secure than any systems that employ physical ballots. The reason, briefly, is that physical ballots require handling by human beings. Any time a human is able to touch another person’s ballot there is the opportunity to alter it, destroy it, hide it or substitute a different ballot. This is true no matter how well-designed the voting equipment and tabulation system may be. By contrast, alteration of ballot images in a properly designed electronic system is nearly impossible.
The issue we face is whether electronic systems can be relied upon if individual voters are unable to see what happens to their votes because the only record of their votes is maintained inside a machine. Direct-recording electronic systems (DREs) were first used in
This is not the result of luck, but requires constant vigilance by county and precinct officials to ensure that the machines are operated properly and that procedures are followed. As with any type of device, failures of various kinds may occur, and they have indeed occurred with every type of voting system. Occasionally machines even fail in such a way that votes are lost, just as they might be if a fire broke out in a polling place. But no one has ever developed a credible scenario under which even an insider could alter votes on a DRE in a way that would evade detection.
I believe that we must evaluate every security loophole seriously, but the existence of a vulnerability does not mean that the correct answer is to ban electronic voting. The solution is to modify the system to eliminate the vulnerability.
The Committee staff provided me in advance with some questions the Committee seeks to have answered.
The use of voter-examined ballots accomplishes one thing, and one thing only. It tells the voter that the machine understood whom he was voting for. It tells the voter nothing about whether his vote was counted and the voter has no assurance that the paper he saw pass through the machine will be properly archived for use in a recount.
Paper records in voting are generally not worth the paper they're printed on. Pieces of paper can be lost, altered, replaced or augmented. In the counting process, they must be handled by humans, and any time a human has the opportunity to touch a ballot he has a chance to alter it. This was seen in
If paper records are not reliable, then how can voters be confident that their correct vote is being recorded? In DRE systems certified in
The question remains: how can we know that the ballot image being stored correctly corresponds to the choices made by the voter? The answer is simple: we test the machines to verify that they are performing properly. It's clear that we have to test them during the election as well as before and after.
A January 4, 2004 report of the CalTech-MIT Voting Technology project concluded that paper audit trails in electronic voting are not useful and in fact undermine public confidence in elections.
There is nothing wrong with electronic records; they're used everywhere and relied upon. The reliance comes from testing. If a voting machine contains a bug or malicious code, then it contained it at the start of the election. That means we can impound the machines and the software and test them at will to determine whether anything is amiss.
If the machines are working, then the write-once electronic records are much more reliable than any paper records. They can't be altered, and even fabricating them initially in a credible and undetectable way is not feasible.
The notion that paper can be used for effective recounts is just a pipe dream.
There is no simple answer to this question. If the true margin of victory is a very small number of votes, say 10, then any system may contain defects that alter the result. Even the FEC standards allow one error in 500,000 ballot positions, which can work out to 1 in every 2000 votes counted in error. The result of a very close election is liable to be swung by any number of innocent factors.
The real question is whether the results of an election in which the true margin is substantial could be altered, deliberately or inadvertently, without being detected, and the answer to that is no, provided that the voting system is certified, tested and properly used. The reason is that no method is known to alter the outcome of an election with undetectable code.
Not realistically. Opponents of electronic voting make the point that it is possible to hide malicious code so that even a detailed reading of the program by experts would be unlikely to reveal its presence. However, the examples they give involve hiding a single line of code.
The only way for malicious code to be distributed effectively is for it to emanate from the machine's manufacturer. The reason is that once the machine is delivered, any alteration to its software can be easily detected. This manufacturer-originated code would have to contain a substantial amount of code to detect party and candidate names; it would have to know the dates of all the primary elections in all the jurisdictions of the country into the future; it would also need a demographic database so that the results in different precincts could be altered in a way that is consistent with the political makeup of each jurisdiction. It is not possible to both hide this massive code from inspection, have it not reveal itself during testing, yet magically spring to life during the election and do its damage.
Standards. I don't believe that it is sufficient for a voting system to conform to FEC standards. The standards are weighted heavily toward physical and electrical performance and not enough toward software security.
Testing. Testing a certain fraction of voting machines during the election is important for public trust. A group of inspectors should be empowered to visit polling places unannounced at the start of voting and commandeer a voting machine after it has been initialized for counting. The machine would be used to cast predefined sample ballots during the day and would not be used by actual voters. If there is any bug or code present that would alter votes, this test will reveal it.
Administrative procedures. It has long been a vulnerability that software for voting machines is distributed by system vendors directly to election jurisdictions. Even though they are only supposed to distribute certified releases of software, it is common for these procedures to be circumvented. Under no circumstances should software be supplied directly to a jurisdiction by a manufacturer. The software should be sent only to the Bureau of Elections, where it can be tested and permanently archived. Only then should certified copies be sent to jurisdictions.
Source code. There is considerable debate whether all software used in voting systems should be made public. I believe that all tabulation software should be public. I do not believe that all security software should be made public because it constitutes a roadmap for intruders. However, all of the software, both security and tabulation modules, should be held in source code form by the Bureau of Elections for audit purposes. For over 20 years the Bureau of Elections has imposed this as an administrative requirement on voting system vendors although it is not required by statute. It should be required by statute.
Segregation of candidate names, parties and voting positions. Manipulation of an election through software is only possible if the software is aware of the names of candidates, their party affiliations or the ballot positions in which they appear. If the software cannot tell where a candidate appears on the ballot or who he is, votes cannot safely be shifted from one candidate to another. Therefore, a sound expedient is to insist that the vote capture software be unable to determine any of this information. A simple way to accomplish this is to display candidate names and office titles only in visual graphic form so the software cannot read them but a human can.
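The following is an added illustration of the separation described in the paragraph above; it is editor-supplied example code, not part of the testimony and not any vendor's implementation. The vote-capture module is handed only opaque slot tokens and pre-rendered image bytes (constructed stand-ins for the rendered pixels a voter would see), while the token-to-candidate mapping is held on the tabulation side. The sample ballot, the secret used to derive tokens and the audit helper are all assumptions made for the example. It illustrates hiding names and offices from the capture code; it does not by itself hide ballot order, which the testimony also calls for.

```python
import hashlib
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Slot:
    """What the capture software is shown: an opaque token and image bytes."""
    token: str
    image: bytes


@dataclass
class CaptureMachine:
    """Vote-capture module. It never receives names, parties or offices."""
    slots: list
    records: list = field(default_factory=list)

    def cast(self, chosen_token: str) -> dict:
        # Accept only tokens that exist on this ballot; record the token alone.
        if chosen_token not in {s.token for s in self.slots}:
            raise ValueError("unknown slot token")
        record = {"seq": len(self.records), "slot": chosen_token}
        self.records.append(record)
        return record


def build_ballot(definition, secret: bytes):
    """Tabulation side: derive opaque tokens from the ballot definition.

    definition is a list of (office, candidate, party) tuples in ballot order
    (constructed sample data in the test). Returns the slots handed to the
    capture machine and the token -> (office, candidate, party) map that the
    election office keeps. Tokens are keyed hashes, so the capture module
    cannot recover office or candidate from them.
    """
    slots, mapping = [], {}
    for position, (office, candidate, party) in enumerate(definition):
        token = hashlib.sha256(secret + str(position).encode()).hexdigest()[:16]
        # Stand-in for rendered pixels: a digest, not readable text.
        image = b"IMG" + hashlib.sha256(f"{office}|{candidate}".encode()).digest()
        slots.append(Slot(token, image))
        mapping[token] = (office, candidate, party)
    return slots, mapping


def tabulate(records, mapping):
    """Join captured slot tokens with the separately held ballot definition."""
    totals = {}
    for r in records:
        office, candidate, _party = mapping[r["slot"]]
        totals[(office, candidate)] = totals.get((office, candidate), 0) + 1
    return totals


def capture_log_mentions_names(records, mapping) -> bool:
    """Audit check: the capture log must not contain any candidate or office name."""
    blob = json.dumps(records)
    names = {c for _, c, _ in mapping.values()} | {o for o, _, _ in mapping.values()}
    return any(n in blob for n in names)
```

The audit helper is the check a practitioner would run on an exported capture log: if any candidate or office string appears in it, the capture side had access to information the design says it must not have.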
Audit chips. It is argued that a small number of election system manufacturers control a large proportion of the voting machines used in the