Testimony of Michael I. Shamos

Before the State Government Committee of the Pennsylvania House of Representatives

Philadelphia City Hall, March 10, 2004



My name is Michael Shamos.  I have been a faculty member in the School of Computer Science at Carnegie Mellon University in Pittsburgh since 1975.  I am also an attorney admitted to practice in Pennsylvania.


From 1980-2000 I was a statutory examiner of electronic voting systems for the Secretary of the Commonwealth and participated in every electronic voting system examination held during those 20 years.  From 1987-2000 I was a statutory examiner of electronic voting systems for the Attorney General of Texas and participated in every electronic voting system examination held during those 13 years.  In all, I have personally examined over 100 different electronic voting systems.  The systems for which I have participated in certification were used to count more than 11% of the popular vote in the United States in the year 2000.


I am not here today as an advocate for or against electronic voting systems.  I am here because of my experience with such systems and to assist you in assessing their risks.  I believe that the decision whether to adopt or approve a particular voting system or type of voting system is an engineering question that must be answered by a calm and thorough discussion of rational risks and countermeasures.  It should not be influenced by emotional outburst.


Security in computer systems is a constant battle against intruders who are constantly developing ever more sophisticated methods of attack.  Likewise, the developers of voting systems are deploying countermeasures to prevent these attacks.  The battle lines are rapidly changing and no static set of guidelines is sufficient to protect or satisfy the public that electronic voting is safe.


Electronic voting can be made reliable with a thorough combination of design, manufacture, certification, testing and rigorous administrative and security controls.  The systems must be used properly according to stated protocols.  If this is done, then electronic systems are far more secure than any systems that employ physical ballots.  The reason, briefly, is that physical ballots require handling by human beings.  Any time a human is able to touch another person’s ballot there is the opportunity to alter it, destroy it, hide it or substitute a different ballot.  This is true no matter how well-designed the voting equipment and tabulation system may be.  By contrast, alteration of ballot images in a properly designed electronic system is nearly impossible.


The issue we face is whether electronic systems can be relied upon if individual voters are unable to see what happens to their votes because the only record of their votes is maintained inside a machine.  Direct-recording electronic systems (DREs) were first used in Pennsylvania in Dauphin County in 1982, 22 years ago, and have been in continuous use since then.  There has never been a single verified case, in Pennsylvania or elsewhere in the United States, of the results of an election being altered by manipulation of DREs.


This is not the result of luck, but requires constant vigilance by county and precinct officials to ensure that the machines are operated properly and that procedures are followed.  As with any type of device, failures of various kinds may occur, and they have indeed occurred with every type of voting system.  Occasionally machines even fail in such a way that votes are lost, just as they might be if a fire broke out in a polling place.  But no one has ever developed a credible scenario under which even an insider could alter votes on a DRE in a way that would evade detection.


I believe that we must evaluate every security loophole seriously, but the existence of a vulnerability does not mean that the correct answer is to ban electronic voting.  The solution is to modify the system to eliminate the vulnerability. 


The Committee staff provided me in advance with some questions the Committee seeks to have answered.


  • How can voters be assured that their votes are being accurately recorded without a paper receipt that they can examine and submit in addition to casting votes on the DRE?


The use of voter-examined ballots accomplishes one thing, and one thing only.  It tells the voter that the machine understood whom he was voting for.  It tells the voter nothing about whether his vote was counted and the voter has no assurance that the paper he saw pass through the machine will be properly archived for use in a recount.


Paper records in voting are generally not worth the paper they’re printed on.  Pieces of paper can be lost, altered, replaced or augmented.  In the counting process, they must be handled by humans, and any time a human has the opportunity to touch a ballot he has a chance to alter it.  This was seen in Florida with punched cards.


If paper records are not reliable, then how can voters be confident that their correct vote is being recorded?  In DRE systems certified in Pennsylvania, multiple audit trails are kept of each ballot image on different storage media.  Some of these media, like write-once memories, are unalterable once they have been written.  It is not commonly known, but one of these storage media is typically paper – it’s just not a piece of paper that can be viewed by the voter.  The multiple electronic copies of the ballot are read back after being written and all must be identical or the machine reports itself as defective.
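The read-back check described above, as an added illustration that is not the testimony's own code nor any vendor's: a constructed write-once medium that refuses a second write to the same slot, and a storage routine that writes one ballot image to every medium, reads each copy back, and reports the machine defective if any copy differs. `WriteOnceMedium`, `FaultyMedium` and `store_ballot_image` are hypothetical names chosen here.

```python
import hashlib


class WriteOnceMedium:
    """Constructed stand-in for a write-once store: a slot can be written once, then only read."""

    def __init__(self, name):
        self.name = name
        self._slots = {}

    def write(self, slot, data):
        if slot in self._slots:
            # Write-once semantics: an attempt to overwrite a recorded ballot is refused.
            raise PermissionError(f"{self.name}: slot {slot} already written")
        self._slots[slot] = bytes(data)

    def read(self, slot):
        return self._slots.get(slot)


class FaultyMedium(WriteOnceMedium):
    """Constructed failure model: the stored copy comes back with one byte flipped."""

    def read(self, slot):
        data = bytearray(super().read(slot))
        data[0] ^= 0x01
        return bytes(data)


def store_ballot_image(image, media, slot):
    """Write image to every medium, read every copy back, and compare.

    Returns (ok, digests): ok is True only when all copies read back identical
    to what was written; otherwise the machine must report itself defective.
    """
    for m in media:
        m.write(slot, image)
    copies = [m.read(slot) for m in media]
    digests = [hashlib.sha256(c).hexdigest() for c in copies]
    ok = all(c == image for c in copies)
    return ok, digests


# Constructed sample ballot image: opaque bytes standing in for one voter's recorded choices.
SAMPLE_IMAGE = b"ballot-image-0001:P1,P3,P5"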


The question remains – how can we know that the ballot image being stored correctly corresponds to the choices made by the voter?  The answer is simple – we test the machines to verify that they are performing properly.  It’s clear that we have to test them during the election as well as before and after.


A January 4, 2004 report of the CalTech-MIT Voting Technology project concluded that paper audit trails in electronic voting are not useful and in fact undermine public confidence in elections.


  • How can a recount be performed without a paper record of each vote since the record of the votes will be in electronic form and will almost certainly match a questionable tally?


There is nothing wrong with electronic records – they’re used everywhere and relied upon.  The reliance comes from testing.  If a voting machine contains a bug or malicious code, then it contained it at the start of the election.  That means we can impound the machines and the software and test them at will to determine whether anything is amiss.


If the machines are working, then the write-once electronic records are much more reliable than any paper records.  They can’t be altered and even fabricating them initially in a credible and undetectable way is not feasible.


The notion that paper can be used for effective recounts is just a pipe dream.


  • Could defective hardware or bugs in software decide an election?


There is no simple answer to this question.  If the true margin of victory is a very small number of votes, say 10, then any system may contain defects sufficient to alter the result.  Even the FEC standards allow one error in 500,000 ballot positions, which can work out to 1 in every 2000 votes counted in error.  The result of a very close election is liable to be swung by any number of innocent factors.


The real question is whether the results of an election in which the true margin is substantial could be altered, deliberately or inadvertently, without being detected, and the answer to that is no, provided that the voting system is certified, tested and properly used.  The reason is that no method is known to alter the outcome of an election with undetectable code.


  • Could malicious programming subvert an election?


Not realistically.  Opponents of electronic voting make the point that it is possible to hide malicious code so that even a detailed reading of the program by experts would be unlikely to reveal its presence.  However, the examples they give involve hiding a single line of code.


The only way for malicious code to be distributed effectively is for it to emanate from the machine’s manufacturer.  The reason is that once the machine is delivered, any alteration to its software can be easily detected.  This manufacturer-originated code would have to contain a substantial amount of code to detect party and candidate names; it would have to know the dates of all the primary elections in all the jurisdictions of the country into the future; it would also need a demographic database so that the results in different precincts could be altered in a way that is consistent with the political makeup of each jurisdiction.  It is not possible to hide this massive code from inspection, have it not reveal itself during testing, and yet have it magically spring to life during the election and do its damage.


  • What could you recommend to the General Assembly to assure voters that their votes are accurately counted?   Do you have any recommendations for improving the security of DRE’s?  Do you recommend any changes to the Pennsylvania Election Code with regard to DRE’s?


Standards.  I don’t believe that it is sufficient for a voting system to conform to FEC standards.  The standards are weighted heavily toward physical and electrical performance and not enough toward software security.


Testing.  Testing a certain fraction of voting machines during the election is important for public trust.  A group of inspectors should be empowered to visit polling places unannounced at the start of voting and commandeer a voting machine after it has been initialized for counting.  The machine would be used to cast predefined sample ballots during the day and would not be used by actual voters.  If there is any bug or code present that would alter votes, this test will reveal it.


Administrative procedures.  It has long been a vulnerability that software for voting machines is distributed by system vendors directly to election jurisdictions.  Even though they are only supposed to distribute certified releases of software, it is common for these procedures to be circumvented.  Under no circumstances should software be supplied directly to a jurisdiction by a manufacturer.  The software should be sent only to the Bureau of Elections, where it can be tested and permanently archived.  Only then should certified copies be sent to jurisdictions.


Source code.  There is considerable debate whether all software used in voting systems should be made public.  I believe that all tabulation software should be public.  I do not believe that all security software should be made public because it constitutes a roadmap for intruders.  However, all of the software, both security and tabulation modules, should be held in source code form by the Bureau of Elections for audit purposes.  For over 20 years the Bureau of Elections has imposed this as an administrative requirement on voting system vendors although it is not required by statute.  It should be required by statute.


Segregation of candidate names, parties and voting positions.  Manipulation of an election through software is only possible if the software is aware of the names of candidates, their party affiliations or the ballot positions in which they appear.  If the software cannot tell where a candidate appears on the ballot or who he is, votes cannot safely be shifted from one candidate to another.  Therefore, a sound expedient is to insist that the vote capture software be unable to determine any of this information.  A simple way to accomplish this is to display candidate names and office titles only in visual graphic form so the software cannot read them but a human can.


Audit chips.  It is argued that a small number of election system manufacturers control a large proportion of the voting machines used in the U.S., and malicious code distributed by one of them would be enough to swing an election.  The argument is further made that it might be very difficult to detect the presence of the malicious software and the software might go to extreme lengths to defeat testing efforts.  Even assuming such a scenario is possible, the solution is not to return to pieces of paper.  All one need do is provide for the use of an audit chip provided by a third party, such as an accounting firm.  The audit chip would receive exactly the same digital signals as the voting machine from the input panel, but would record its own audit trail and perform its own tabulation.  If the totals obtained by the audit chip and the machine differed in any particular, the results would become suspect and the software in the machine and the chip could be inspected to determine the source of the discrepancy.  This makes it impossible for any central authority to succeed at altering vote totals undetectably.
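The two design points above (segregation of names from the vote-capture path, and an independent audit tally fed the same input signals) as one added, constructed illustration; it is not code from the testimony or from any voting system vendor. The capture and tabulation functions see only opaque position identifiers; names are attached in a separate publication step; a second, independently written tally consumes the same signals and is reconciled against the machine's. `POSITION_LABELS`, `capture_votes`, `machine_tally`, `audit_chip_tally`, `reconcile` and `miscounting_tally` are hypothetical names chosen here, and the input-panel signals are constructed sample data.

```python
from collections import Counter

# Constructed ballot layout. Only this publication table knows which person a
# position refers to; nothing in the capture or tabulation path reads it.
POSITION_LABELS = {"P1": "Candidate A", "P2": "Candidate B", "P3": "Candidate C"}


def capture_votes(button_presses):
    """Vote-capture stage: turns raw input-panel signals (position ids) into one
    ballot record per voter. It carries no names, parties or office titles."""
    return [{"position": p} for p in button_presses]


def machine_tally(records):
    """The voting machine's own tabulation over captured ballot records."""
    return Counter(r["position"] for r in records)


def audit_chip_tally(button_presses):
    """Independent tabulation from the same input-panel signals, as the
    third-party audit chip would do. Deliberately shares no code with machine_tally."""
    totals = {}
    for p in button_presses:
        totals[p] = totals.get(p, 0) + 1
    return totals


def reconcile(machine, audit):
    """Positions whose totals differ between the two tallies; empty means they agree."""
    positions = set(machine) | set(audit)
    return sorted(p for p in positions if machine.get(p, 0) != audit.get(p, 0))


def publish(totals):
    """Names are attached only here, after tabulation, outside the capture path."""
    return {POSITION_LABELS[p]: n for p, n in totals.items()}


def miscounting_tally(records):
    """Constructed defect model: a tabulator that silently drops one P2 vote.
    Used only to show that reconcile() surfaces the discrepancy."""
    totals = machine_tally(records)
    totals["P2"] -= 1
    return totals


# Constructed sample of input-panel signals for eleven voters.
SAMPLE_PRESSES = ["P1", "P2", "P2", "P3", "P1", "P2", "P1", "P1", "P3", "P2", "P2"]
```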