Testimony of Michael I. Shamos
My name is Michael Shamos.
I have been a faculty member in the
From 1980-2000 I was a statutory examiner of electronic
voting systems for the Secretary of the Commonwealth and participated in every
electronic voting system examination held during those 20 years. From 1987-2000 I was a statutory examiner of
electronic voting systems for the Attorney General of Texas and participated in
every electronic voting system examination held during those 13 years. In all, I have personally examined over 100
different electronic voting systems. The
systems for which I have participated in certification were used to count more
than 11% of the popular vote in the
I am not here today as an advocate for or against electronic voting systems. I am here because of my experience with such systems and to assist you in assessing their risks. I believe that the decision whether to adopt a particular voting system or type of voting system is an engineering question that must be answered by a calm and thorough discussion of rational risks and countermeasures.
The fundamental question before you is whether the right to vote is compromised or enhanced by direct-recording electronic (DRE) voting machines. A second issue is whether such machines should be required to produce pieces of paper that can be examined by voter to verify their votes and also serve as original ballots in the event that a recount is demanded.
Voter enfranchisement is a complex issue that is influenced by many factors, some of which relate to the process of voting. A voter who decides to stay home because she does not trust the voting method is disenfranchised just as much as a person who is improperly denied registration or who cannot vote because she is outside her home district on Election Day and has not been able to obtain an absentee ballot. Some of the factors that influence a voter’s decision to vote or not are:
These beliefs may not derive from facts, which may be unknown to the public, but can be greatly influenced by rumor, anecdote, and newspaper stories. Hearings of this type are very important because they enable all points of view to be expressed.
DRE machines have been used successfully in the
A second issue is whether machine failures are so numerous or frequent that they actually interfere with the orderly process of voting. That is a matter of reliability of a specific brand of machine and is dealt with through proper certification, testing and maintenance.
A different type of complaint is that the candidate choices can be misprogrammed so that the voters are not presented with the proper slate of candidates. As with paper ballots, which can be misprinted, the remedy is careful proofreading, a chore generally performed with great thoroughness by representative of the major political parties. A different form of misprogramming might cause votes for candidate A to be counted for candidate B. The protection against that is adequate testing once the ballot has been programmed.
Another type of allegation is that knowledgeable insiders, or even the machine manufacturer, could manipulate votes as they are cast or even after they are cast to cause a predetermined outcome. This possibility does not exist with machines that are properly designed and tested. All effective DREs employ write-once memories which by definition cannot be altered after they are written. If the software for such machines is carefully administered, then any alteration to the software can be detected. Furthermore, the authorized software can be tested, even after an election, to determine whether it contained any inherent or deliberate flaws. In the entire history of DRE voting no one has demonstrated that votes were or could have been manipulated by an insider.
There have been numerous stories in the press recently of a variety of design defects in popular DRE systems. Many of these contentions, not all, have merit. For example, a system that inadvertently allows a voter to vote more than once, or allows a voter to connect a keyboard or other device to a voting machine during an election should never have been certified and should not be used. There is no meaning to a contention that DREs as a class of voting system are safe or unsafe. Each type of machine is different. Some are well designed and others are poorly designed. Some are physically reliable and others are not.
It has been asserted that the solution to all of the above problems is to add a paper mechanism to a DRE machine that will allow a voter to examine her ballot before taking the final step of casting it, permitting her to see with her own eyes that the ballot is correct and at the same time producing a permanent paper record of the vote for recount.
The idea has a certain intuitive appeal. However, such a feature accomplishes one thing and one thing only – it demonstrates to the voter that the machine correctly captured her preferences at the start of the process. It provides no assurance whatsoever that the ballot that was viewed has been counted or ever will be counted. The reason is that anytime a piece of paper can be touched by human hands it can be manipulated. It can be altered, mutilated or lost. An entire box of ballots can be substituted or entirely new ones substituted. The paper feature only assures the voter that there is no programming error in the ballot capture process – a useful thing to know but one that can be accomplished in numerous other ways. And this assurance comes at great cost. Not only will new machines have to be designed, built test, procured and deployed, but the feature adds yet another component to the machine that can fail, and failure of physical components such as a printer with ink and paper is much more likely than failure of electronic components.
Worse, it announces to the voter that the process of voting is so insecure that the intervention of the public is needed to ensure safety. If before boarding an airplane the passengers were asked to inspect the engines, I doubt that confidence in air travel would be enhanced. A January 4, 2004 report of the CalTech-MIT Voting Technology project in fact concluded that paper audit trails in electronic voting are not necessary and actually undermine public confidence in elections. Likewise, several other projects have proposed open source safe software for voting that do not require pieces of paper.
Belief that paper records are more secure than electronic ones because they can be read by humans is naïve. People are more comfortable with pieces of paper because they can touch and understand them. But comfort is not the same thing as security. An unalterable electronic record is far more secure than an alterable paper one. Constant reference is made by DRE opponents to the fact that in commercial transactions one often obtains a paper receipt. This is true of face-to-face purchases, but no paper receipts are used in huge banking and foreign exchange transfers amounting to over $2 trillion in value each day. Surely if electronic records were insecure someone would have found a way to divert such a huge stream of money. Likewise, if a paper trail were a solution to the problem, the world’s largest banks would have adopted it.
Two weeks ago,
The world’s largest democracy in terms of number of voters
Security in computer systems is a constant battle against intruders who are constantly developing ever more sophisticated methods of attack. Likewise, the developers of voting systems are deploying countermeasures to prevent these attacks. The battle lines are rapidly changing and no static set of guidelines is sufficient to protect or satisfy the public that electronic voting is safe.
Electronic voting can be made reliable with a thorough combination of design, manufacture, certification, testing and rigorous administrative and security controls. The systems must be used properly according to stated protocols. If this is done, then electronic systems are far more secure than any systems that employ physical ballots.
This is not the result of luck, but requires constant vigilance by county and precinct officials to ensure that the machines are operated properly and that procedures are followed. As with any type of device, failures of various kinds may occur, and they have indeed occurred with every type of voting system. Occasionally machines even fail in such a way that votes are lost, just as they might be if a fire broke out in a polling place. But no one has ever developed a credible scenario under which even an insider could alter votes on a DRE in a way that would evade detection.
I believe that we must evaluate every security loophole seriously, but the existence of a vulnerability does not mean that the correct answer is to ban electronic voting. The solution is to modify the system to eliminate the vulnerability. Listed below are recommendations which, if adopted, render paper backups unnecessary.
Standards. I don’t believe that it is sufficient for a voting system to conform to FEC standards. The standards are weighted heavily toward physical and electrical performance and not enough toward software security.
Parallel Testing. Testing a certain fraction of voting machines
during the election is important for public trust. A group of inspectors should be empowered to
visit polling places unannounced at the start of voting and commandeer a voting
machine after it has been initialized for counting. The machine would be used to cast predefined
sample ballots during the day and would not be used by actual voters. If there is any bug or code present that
would alter votes, this test will reveal it.
This method was used in 10 counties in
Administrative procedures. It has long been a vulnerability that software for voting machines is distributed by system vendors directly to election jurisdictions. Even though they are only supposed to distribute certified releases of software, it is common for these procedures to be circumvented. Under no circumstances should software be supplied directly to a jurisdiction by a manufacturer. The software should be sent only to the Bureau of Elections, where it can be tested and permanently archived. Only then should certified copies be sent to jurisdictions.
Source code. There is considerable debate whether all software used in voting systems should be made public. I believe that all tabulation software should be public. I don not believe that all security software should be made public because it constitutes a roadmap for intruders. However, all of the software, both security and tabulation modules, should be held in source code form by the Bureau of Elections for audit purposes. For over 20 years the Bureau of Elections has imposed this as an administrative requirement on voting system vendors although it is not required by statute. It should be required by statute.
Segregation of candidate names, parties and voting positions. Manipulation of an election through software is only possible if the software is aware of the names of candidates, their party affiliations or the ballot positions in which they appear. If the software cannot tell where a candidate appears on the ballot or who he is, votes cannot safely be shifted from one candidate to another. Therefore, a sound expedient is to insist that the vote capture software be unable to determine any of this information. A simple was to accomplish this is to display candidate names and office titles only in visual graphic form so the software cannot read them but a human can.
Audit chips. It is argued that a small number of election
system manufacturers control a large proportion of the voting machines used in
Another way in which audit chips could be used is for instant verification of stored ballot images. The original voting machine stores a ballot image in a write-once memory (such as a non-rewritable CD). After the image is written, the audit chip reads it back and displays a verification screen to the voter. If the voter confirms his choices, the audit chip then makes its own secondary write-once copy on hardware under its sole control. The set of ballot images on the original machine and the audit machine should be identical. If they are not, the machine is impounded for inspection to determine why there is a difference. Neither the original voting machine nor the audit machine can perform any manipulation of the vote without being detected.
Summary. On balance, I believe that DRE machines, when properly tested and administered, are far more secure than any system that is based on any form of paper ballot. The addition of the so-called voter-verifiable audit trail simply complicates the voting process, casts doubt on the integrity of the election and provides no real protection against manipulation of the vote. There are many ways to achieve both voter confidence and accuracy without returning to paper ballots, which were abandoned for very good reasons.
I believe far more serious issue facing the Commission than DRE machines is the fact that in each Presidential election more than 5 million Americans who are outside their home districts are unable to vote because the cumbersome and paper-based nature of absentee voting makes it impossible to for them to comply with the necessary procedures.