Testimony of Michael I

Testimony of Michael I. Shamos

Before the United States Commission on Civil Rights

Washington, DC, April 9, 2004

My name is Michael Shamos. I have been a faculty member in the School of Computer Science at Carnegie Mellon University in Pittsburgh since 1975. I am also an attorney admitted to practice in Pennsylvania.

From 1980-2000 I was a statutory examiner of electronic voting systems for the Secretary of the Commonwealth and participated in every electronic voting system examination held during those 20 years. From 1987-2000 I was a statutory examiner of electronic voting systems for the Attorney General of Texas and participated in every electronic voting system examination held during those 13 years. In all, I have personally examined over 100 different electronic voting systems. The systems for which I have participated in certification were used to count more than 11% of the popular vote in the United States in the year 2000.

I am not here today as an advocate for or against electronic voting systems. I am here because of my experience with such systems and to assist you in assessing their risks. I believe that the decision whether to adopt a particular voting system or type of voting system is an engineering question that must be answered by a calm and thorough discussion of rational risks and countermeasures.

The fundamental question before you is whether the right to vote is compromised or enhanced by direct-recording electronic (DRE) voting machines. A second issue is whether such machines should be required to produce pieces of paper that can be examined by voter to verify their votes and also serve as original ballots in the event that a recount is demanded.

Voter enfranchisement is a complex issue that is influenced by many factors, some of which relate to the process of voting. A voter who decides to stay home because she does not trust the voting method is disenfranchised just as much as a person who is improperly denied registration or who cannot vote because she is outside her home district on Election Day and has not been able to obtain an absentee ballot. Some of the factors that influence a voter’s decision to vote or not are:

Efficiency, simplicity and convenience of the voting process
Perception of fairness
Protection from having one’s vote invalidated by overvoting or mismarking a ballot
Belief that the vote cannot be manipulated
Belief that one’s vote will be counted

These beliefs may not derive from facts, which may be unknown to the public, but can be greatly influenced by rumor, anecdote, and newspaper stories. Hearings of this type are very important because they enable all points of view to be expressed.

DRE machines have been used successfully in the United States for over 20 years. Complaints about them, both rational and irrational, have been raised since their introduction. Among the valid complaints is that machines occasionally fail because they have parts that wear out or break. Every machine of any type that has ever been made can fail. The issue in electronic voting is (1) whether the failure results in the loss of any votes that were cast prior to the failure. In properly designed DRE systems the answer is that no votes are lost. The reason is that acceptable DREs record all ballot images in multiple redundant memories, and some of these memories cannot be altered or erased once they are written. Thus, if a power failure of malfunction occurs, no votes are destroyed.

A second issue is whether machine failures are so numerous or frequent that they actually interfere with the orderly process of voting. That is a matter of reliability of a specific brand of machine and is dealt with through proper certification, testing and maintenance.

A different type of complaint is that the candidate choices can be misprogrammed so that the voters are not presented with the proper slate of candidates. As with paper ballots, which can be misprinted, the remedy is careful proofreading, a chore generally performed with great thoroughness by representative of the major political parties. A different form of misprogramming might cause votes for candidate A to be counted for candidate B. The protection against that is adequate testing once the ballot has been programmed.

Another type of allegation is that knowledgeable insiders, or even the machine manufacturer, could manipulate votes as they are cast or even after they are cast to cause a predetermined outcome. This possibility does not exist with machines that are properly designed and tested. All effective DREs employ write-once memories which by definition cannot be altered after they are written. If the software for such machines is carefully administered, then any alteration to the software can be detected. Furthermore, the authorized software can be tested, even after an election, to determine whether it contained any inherent or deliberate flaws. In the entire history of DRE voting no one has demonstrated that votes were or could have been manipulated by an insider.

There have been numerous stories in the press recently of a variety of design defects in popular DRE systems. Many of these contentions, not all, have merit. For example, a system that inadvertently allows a voter to vote more than once, or allows a voter to connect a keyboard or other device to a voting machine during an election should never have been certified and should not be used. There is no meaning to a contention that DREs as a class of voting system are safe or unsafe. Each type of machine is different. Some are well designed and others are poorly designed. Some are physically reliable and others are not.

It has been asserted that the solution to all of the above problems is to add a paper mechanism to a DRE machine that will allow a voter to examine her ballot before taking the final step of casting it, permitting her to see with her own eyes that the ballot is correct and at the same time producing a permanent paper record of the vote for recount.

The idea has a certain intuitive appeal. However, such a feature accomplishes one thing and one thing only – it demonstrates to the voter that the machine correctly captured her preferences at the start of the process. It provides no assurance whatsoever that the ballot that was viewed has been counted or ever will be counted. The reason is that anytime a piece of paper can be touched by human hands it can be manipulated. It can be altered, mutilated or lost. An entire box of ballots can be substituted or entirely new ones substituted. The paper feature only assures the voter that there is no programming error in the ballot capture process – a useful thing to know but one that can be accomplished in numerous other ways. And this assurance comes at great cost. Not only will new machines have to be designed, built test, procured and deployed, but the feature adds yet another component to the machine that can fail, and failure of physical components such as a printer with ink and paper is much more likely than failure of electronic components.

Worse, it announces to the voter that the process of voting is so insecure that the intervention of the public is needed to ensure safety. If before boarding an airplane the passengers were asked to inspect the engines, I doubt that confidence in air travel would be enhanced. A January 4, 2004 report of the CalTech-MIT Voting Technology project in fact concluded that paper audit trails in electronic voting are not necessary and actually undermine public confidence in elections. Likewise, several other projects have proposed open source safe software for voting that do not require pieces of paper.

Belief that paper records are more secure than electronic ones because they can be read by humans is naïve. People are more comfortable with pieces of paper because they can touch and understand them. But comfort is not the same thing as security. An unalterable electronic record is far more secure than an alterable paper one. Constant reference is made by DRE opponents to the fact that in commercial transactions one often obtains a paper receipt. This is true of face-to-face purchases, but no paper receipts are used in huge banking and foreign exchange transfers amounting to over $2 trillion in value each day. Surely if electronic records were insecure someone would have found a way to divert such a huge stream of money. Likewise, if a paper trail were a solution to the problem, the world’s largest banks would have adopted it.

Two weeks ago, Taiwan held a presidential election. Out of 13 million votes cast, the winning margin was less than 30,000 votes, less than three-tenths of one percent. To achieve this result, the national election commission invalidated over 330,000 ballots, more than 11 times the margin of victory. What technology was used in this election? None. They used hand-counted paper ballots.

The world’s largest democracy in terms of number of voters is India, with about 670 million registered voters and 900,000 voting booths. The entire country, which has more than 600,000 villages, adopted DREs, without paper trails, after extensive consideration of security concerns.

Security in computer systems is a constant battle against intruders who are constantly developing ever more sophisticated methods of attack. Likewise, the developers of voting systems are deploying countermeasures to prevent these attacks. The battle lines are rapidly changing and no static set of guidelines is sufficient to protect or satisfy the public that electronic voting is safe.

Electronic voting can be made reliable with a thorough combination of design, manufacture, certification, testing and rigorous administrative and security controls. The systems must be used properly according to stated protocols. If this is done, then electronic systems are far more secure than any systems that employ physical ballots.

This is not the result of luck, but requires constant vigilance by county and precinct officials to ensure that the machines are operated properly and that procedures are followed. As with any type of device, failures of various kinds may occur, and they have indeed occurred with every type of voting system. Occasionally machines even fail in such a way that votes are lost, just as they might be if a fire broke out in a polling place. But no one has ever developed a credible scenario under which even an insider could alter votes on a DRE in a way that would evade detection.

I believe that we must evaluate every security loophole seriously, but the existence of a vulnerability does not mean that the correct answer is to ban electronic voting. The solution is to modify the system to eliminate the vulnerability. Listed below are recommendations which, if adopted, render paper backups unnecessary.

Standards. I don’t believe that it is sufficient for a voting system to conform to FEC standards. The standards are weighted heavily toward physical and electrical performance and not enough toward software security.

Parallel Testing. Testing a certain fraction of voting machines during the election is important for public trust. A group of inspectors should be empowered to visit polling places unannounced at the start of voting and commandeer a voting machine after it has been initialized for counting. The machine would be used to cast predefined sample ballots during the day and would not be used by actual voters. If there is any bug or code present that would alter votes, this test will reveal it. This method was used in 10 counties in California during the 2004 primaries.

Administrative procedures. It has long been a vulnerability that software for voting machines is distributed by system vendors directly to election jurisdictions. Even though they are only supposed to distribute certified releases of software, it is common for these procedures to be circumvented. Under no circumstances should software be supplied directly to a jurisdiction by a manufacturer. The software should be sent only to the Bureau of Elections, where it can be tested and permanently archived. Only then should certified copies be sent to jurisdictions.

Source code. There is considerable debate whether all software used in voting systems should be made public. I believe that all tabulation software should be public. I don not believe that all security software should be made public because it constitutes a roadmap for intruders. However, all of the software, both security and tabulation modules, should be held in source code form by the Bureau of Elections for audit purposes. For over 20 years the Bureau of Elections has imposed this as an administrative requirement on voting system vendors although it is not required by statute. It should be required by statute.

Segregation of candidate names, parties and voting positions. Manipulation of an election through software is only possible if the software is aware of the names of candidates, their party affiliations or the ballot positions in which they appear. If the software cannot tell where a candidate appears on the ballot or who he is, votes cannot safely be shifted from one candidate to another. Therefore, a sound expedient is to insist that the vote capture software be unable to determine any of this information. A simple was to accomplish this is to display candidate names and office titles only in visual graphic form so the software cannot read them but a human can.

Audit chips. It is argued that a small number of election system manufacturers control a large proportion of the voting machines used in the U.S., and malicious code distributed by one of them would be enough to swing an election. The argument is further made that it might be very difficult to detect the presence of the malicious software and the software might go to extreme lengths to defeat testing efforts. Even assuming such a scenario is possible, the solution is not to return to pieces of paper. All one need do is provide for the use of an audit chip provided by a third party, such as an accounting firm. The audit chip would receive exactly the same digital signals as the voting machine from the input panel, but would record its own audit trail and perform its own tabulation. If the totals obtained by the audit chip and the machine differed in any particular, the results would become suspect and the software in the machine and the chip could be inspected to determine the source of the discrepancy. This makes it impossible for any central authority to succeed at altering vote totals undetectably.

Another way in which audit chips could be used is for instant verification of stored ballot images. The original voting machine stores a ballot image in a write-once memory (such as a non-rewritable CD). After the image is written, the audit chip reads it back and displays a verification screen to the voter. If the voter confirms his choices, the audit chip then makes its own secondary write-once copy on hardware under its sole control. The set of ballot images on the original machine and the audit machine should be identical. If they are not, the machine is impounded for inspection to determine why there is a difference. Neither the original voting machine nor the audit machine can perform any manipulation of the vote without being detected.

Summary. On balance, I believe that DRE machines, when properly tested and administered, are far more secure than any system that is based on any form of paper ballot. The addition of the so-called voter-verifiable audit trail simply complicates the voting process, casts doubt on the integrity of the election and provides no real protection against manipulation of the vote. There are many ways to achieve both voter confidence and accuracy without returning to paper ballots, which were abandoned for very good reasons.

I believe far more serious issue facing the Commission than DRE machines is the fact that in each Presidential election more than 5 million Americans who are outside their home districts are unable to vote because the cumbersome and paper-based nature of absentee voting makes it impossible to for them to comply with the necessary procedures.