Electronic Voting: What You Need To Know

Author's Note | In July of 2003, I sat down for an extended, free-wheeling interview in Denver with three of the smartest people I have ever met. Rebecca Mercuri, Barbara Simons, and David Dill have been at the forefront of the debate surrounding the rise of electronic touch-screen voting machines in our national elections. Sufficed to say, they are three computer scientists/engineers who are as well versed on these matters as anyone you will ever meet. Scroll quickly to the bottom of this interview before reading to view their CVs.

If you are completely new to this, the issue in brief: In the aftermath of the 2000 election, Congress passed the Help America Vote Act. After much wrangling, it appears the powers that be have settled upon electronic touch-screen voting machines as the solution. There are, however, a number of serious concerns about the viability of these machines that have been raised. The matter strikes to the heart of our democracy. If the votes are not counted properly, our democracy is broken forever. More data on this is linked below, after the CVs.

Key: 'WP' is me; 'RM' is Rebecca Mercuri; 'DD' is David Dill; 'BS' is Barbara Simons. These three scientists deserve great thanks for making this complicated and important issue so clear.

WP: The ideal voting technology would have five attributes: anonymity, scalability, speed, audit and accuracy. Explain the importance of these five attributes.

BS: Voting has to be anonymous; that's how we do voting in this country. Scalability means that when you build the system, you have to be able to use it for however many people who come to vote. It might work well for a small number of people, but not work for a large number of people. Speed is pretty clear-cut; it has to be fast and convenient, so there are no long lines of people waiting to vote. Audit means you must be able to know what happened after you vote. You must be able to prove the votes.

WP: So with 'audit,' you're talking about recounts.

DD: The basic idea of audits in banks, for example, is that you can reconstruct the results from the original records. In voting that means being able, even if your election system fails, or if you question it, being able to figure out what the vote totals are for an individual candidate from the original records. The original records were the paper ballots.

BS: Accuracy simply means we want to be sure the votes are accurately reported and counted.

WP: How does this Direct Recording Electronic Voting Machine (DRE's) abrogate any of these five requirements?

BS: It doesn't necessarily abrogate all these requirements. We are particularly concerned about audit ability.

RM: But it's not just that. With these machines, two of these requirements turn out to be in provably direct conflict. You want anonymity, but you also want audit ability. The problem you have is that those two things cannot really coexist to the fullest extent. The way that we do audit ability is that we track all transactions that happen.

Say you go to a bank ATM. The entire transaction is auditable because there's a camera, you put in a card, you have a password, and so on. At the end of the day, the withdrawal record matches the amount of money that was taken out of the bank. Audit ability and anonymity are in direct conflict because with these voting machines you have to, in some sense, shut off the audit capabilities during most critical part, which is the casting of the vote. The normal audit trail that we in computer science are used to providing is every transaction. It is everything that is happening. If something happened at 4:15, say, we're involved in proving what happened at 4:15.

What we're asking for in these Direct Recording Electronic machines is to have anonymity as well as audit ability coexisting. What the vendors have provided is an elaborate scheme whereby the votes are recorded on some sort of cartridge or recording device, but they are not recorded in sequence. They actually randomize them. They are not recorded sequentially, and by virtue of not being recorded sequentially, we don't know exactly what happens in the voting process. Something could happen in the randomization process, and that's part of the issue.

WP: It is sounding like you have to sacrifice either anonymity or audit ability, or else come up with a way to have both coexist peacefully.

RM: That's exactly it.

BS: What we are talking about is in some sense a simpler problem, which is still not done properly, which is just making sure the vote gets accurately recorded. Even on this simpler problem, these Direct Recording Electronic machines fail, because they don't have any way to verify the votes.

DD: If you look at this auditing problem, there's an audit gap between the voter's finger on the touch screen and the record that is made inside the machine. With DRE's as they currently work, the voter cannot tell what is being recorded inside the machine. What you really need to have is a workable audit trail, when you've got this funny anonymous system, is that the voter, before they leave the voting booth, has to be able to check that their vote has been properly recorded.

There's another company that has a fancy cryptographic scheme called VoteHere. The way they explain some of what we've said is that there are two phases to voting where you want two guarantees. One of them is making sure the voter's vote is correctly recorded. The way they say it is, "Cast As Intended." The second phase is adding up all the votes from all the precincts, which they call "Counted As Cast." These fancy schemes deal with the "Counted As Cast" problem very well, and they have various ways to deal with the "Cast as Intended" problem.

The more primitive solution that is talked about - what is available now that we can do - is either use a paper ballot system like an optical scan system, where you're filling out a paper ballot and you just put that in the ballot box, and that's the voter verified audit record. Or, and this was Rebecca's idea, is to take the touch screen machines and put a printer on it - in fact, they already have printers - and it will print the ballot, and the voter can look at that to make sure it has the right stuff on it. That then goes into the ballot box.

WP: It strikes me - and you can correct me if I'm wrong about this - but it seems like these things you are describing with the verified voting records technologies are pretty profoundly revolutionary, over and above whatever is going on with these DRE's. I've been voting for a while now. My precinct in Boston uses those old-school monster voting machines where you yank the big lever and the curtain comes across behind you in the booth, and you throw all the vote switches, and you yank the handle back. I don't have a clue if the machine recorded my vote. I get no verification. I just haul the handle, make the sign of the cross, and hope it got recorded.

You are talking about not only making sure that the technology within these systems functions in such a way that the votes are actually recorded, but you're adding the extra layer - giving the voters verification that their vote has been counted and recorded. Given what happened in Florida, that strikes me as one of the better ideas I've heard in a very long time.

BS: I don't think it is all that revolutionary. I voted on those old handle machines when I lived in New York, and of course there was no way to verify. But there are other systems people use to vote, like optical scans, which have been around for a while. With those, you do see your vote, and you do get a piece of paper. There is no additional technology needed. In the old days, people used paper to vote. Actually, in some sense, the lever machines you use are a step backwards. They took away the ability of the voter to make sure that the vote was at least cast the way they intended.

WP: In Massachusetts, we had an interesting little mini-scandal with these old handle machines after the 2000 election. They realized that the machines, the interior works, hadn't been cleaned in something like thirty years, and this led to substantial vote loss.

RM: Those traditional lever machines were actually invented by Thomas Edison. They came up with those machines because there was so much vote fraud going on - ballot stuffing and so forth - but the traditional lever machine is fully mechanical. The great thing about them is that you can crack open the back and see how it works. If there is a question whether one specific machine is working correctly, you can open up and look at the gears and the odometers like they have in cars, and you see the gears connected to the levers. It is like looking into a piano - you can watch the hammer strike the string and make the tone.

The problem, and the difference between those lever machines and these new DRE's, is that the DRE's are basically using electrons. I actually have a lot more faith in the old lever machines. I can't open the DRE and look inside and see that the button I pushed on the touch screen is being recorded inside the device. It's invisible. You can see in the old machines if a lever is connecting to the wrong place, or if there was some foul play.

The other issue is that if someone were going to do some foul play and throw an election, they'd have to go around and mess up an incredible number of those old machines, one machine at a time and one lever at a time. With these DRE's, if there's some mistake in the programming - even if it is not intentional, just some bad code - it could affect all of them, the whole quantity of the DRE's. It might not just be your city. It might be your state. It might be all the DRE's in all the counties in all the states that were provided by the manufacturer who let the bad code get by them.

WP: Explain to me what kind of non-malicious, general screw-up errors can manifest themselves in these DRE's.

BS: Your readers will recall when our spaceship crashed into Mars because one group involved was using feet to measure things and another was using meters. That's one example, but you might say that this was not a software error. The point is that the code was written such that it didn't work.

RM: Some of these problems are very simple. The addition of a semi-colon or an equals sign in the wrong place in a line of code can completely change the programming. This would be someone who just slipped up. There are plenty of examples of this happening. In the midterm elections down in Dallas, Texas, people tried to vote on the new touch-screen machines. They found that, no matter where they touched on the Democratic side, it would vote for the Republican candidate. These people were pretty upset, and it just kept happening and happening. In Texas they have early voting, and this problem showed up in the early voting. If this had happened on Election Day, who knows what would have transpired? They might have had to shut down voting in all of Dallas.

The Democratic Party went to court over this. They had affidavits demonstrating that there were machines making this error. Ultimately it was decided that seventeen of the machines were somehow misaligned. I don't know how that could happen, but it was decided that they were misaligned, and those machines were taken out of service.

WP: What are the names of the companies making these DRE's?

RM: Diebold, Sequoia and ES&S. Those are the big three.

WP: What kind of testing are these three main companies doing to ensure that the misplaced equals sign, the misplaced semicolon, the misaligned machine, is not happening?

DD: I've tried to find out. What kind of testing that goes on in these companies is something we don't know. They won't tell us a thing about their code or what they do to test it.

BS: Even if we could see the code, that wouldn't be sufficient. Even if we could see the code, and even if we could convince ourselves that the code was correct, we still wouldn't know that it was the code that was running on election day.

DD: That is actually a much harder technical problem than most people would think. With current hardware, it is very difficult to make sure that the program running on the machine is the program we think is running on the machine.

There is a general theme of secrecy, which is frustrating to me. I understand some of the reasons for secrecy. It is frustrating to be because claims are made about these systems, how they are designed, how they work, that frankly I don't believe. In some cases, I don't believe it because the claims they are making are impossible. I am limited in my ability to refute these impossible claims because all the data is hidden behind a veil of secrecy.

What testing do the manufacturers do? Who the hell knows? Once it gets out of the manufacturers, we are reassured by everyone about the qualification process. There is something called the NASED Qualification Process. NASED is an organization called the National Organization of State Election Directors which has affiliated with it something called the Election Center, which I believe is a private organization. The Election Center oversees the NASED qualification process. There are Independent Testing Authorities, though their level of independence is unknown. There are three of them, called SYSTEST, CYBER and WYLE. The conventional wisdom about WYLE is that they deal with hardware and firmware. Some vendors have found out the hard way that they actually deal with all of the software that goes into the voting machine. They are the ones dealing with the software that I am most concerned about.

If you go to their web pages, it says, "If you'd like to know something about us, please go to hell" in the nicest possible way. They refer you to the Election Center, which will carefully explain to you that they scrutinize every line of code. When I was on the California Task Force dealing with all this, along with another computer scientist named David Jefferson, we wanted to know what these Independent Testing Authorities (ITA's) do. They were all invited. Everybody else on the Task Force, which included some election officials at both the state and local level, and a few people of various political affiliations, wanted to know what these Test Authorities do. So we invited them to speak to us.

SYSTEST came and spoke to us. It turns out that they are one of the small ones. They don't deal with the big stuff, and they don't deal with the software inside the voting machines. The other two, which are apparently very close, are CYBER and WYLE. They refused to come visit us. They were also too busy to join us in a phone conference. Finally, out of frustration, I wrote up ten or fifteen questions and sent it to them via the Secretary of State's office. They didn't feel like answering those questions, either.

These Test Authorities use the word 'Certified' as if it were some magical holy blessing. It's been 'Certified.' Well, what does that mean? We didn't get any answers. My friend David Jefferson has been involved in Internet voting and some other election-related issues for a while now. A couple of years ago, he got the right passwords to call up WYLE and ask them what they do, and he got a description. The basic description, according to David, is that they bake the machines to see if they die. The drop them to see if they break.

And then what they do is run scripts over the computer program to check for bugs. A script is just another computer program to check for superficial things. There is no human involved. They don't want functions that are too long, and they don't want functions with multiple exit points. They say 'Modules,' but they are basically talking about chunks of code. It is basically nothing more than a style-checker, like running a spell-check. The problem with running a spell-check...

WP: ...is that you miss the homonyms.

DD: Right. The concept of running one of these style-checkers on a program is, at the end of the day, you know the functions are short and they don't have multiple exit points. You don't have any clue if they are doing the right thing at security holes or anywhere else. After this process, there are several other steps. There is something called an 'Acceptance Test.' When the machines get delivered to either the state or county government, they power them up and put them through the paces to make sure they work. Basically, they sign a form that says they got the thing and it's not busted. Before each election, and sometimes after each election, they have something called a Logic and Accuracy Test where, to one degree or another, they will try casting some votes on the machine to make sure they come out right. That's basically all there is to it.

As a computer scientist, I know that the worst problem that could happen is that you have someone at the company, such as a programmer who knows all the details of the code, or a mysteriously overqualified janitor, who could basically insert something malicious into the code. Given the fat that they are using the 'C' programming language, we know that such an act can be concealed. They wouldn't even have to change the program. They could just change some of the results of the program. Malicious code could be concealed in ways that are practically impossible to detect by any means, and certainly wouldn't be detectable given what we understand to be the detection and inspection process.

The computer scientist who oversees elections in Georgia told us yesterday that, by Black Box Testing, this logic and accuracy testing, he could catch any malicious code. It is completely ridiculous. If you go to the Microsoft Excel spreadsheet program, and go to row 2000, column 2000 and type a specific thing, you will get something like a flight simulator. The Microsoft programmers, even though it is a firing offense, can slip this stuff into the programming code so none of the testing people can discover it. They are called 'Easter Eggs.' If you type 'Easter Eggs' into a Google.com search, you'll get instructions on how to find all these things in Microsoft software programs.

Without even knowing very much about how these systems work, computer scientists know that you can put malicious code into a program, you can change the results of an election, and it can't be detected by inspection or testing. Period.

RM: You have to give at least some credit to this computer scientist from Georgia. He at least tests these machines. Some states just take the things out of the box from the manufacturer, plug it in and run their hands over it a few times, and then send it off for the voters to use. He, at least, takes the trouble to try and test them out.

DD: Yes. This man does the best testing of anybody in the country.

WP: That's not very comforting.

DD: There is just no way to test for the problems we are worried about. He is doing the best job he can.

BS: We actually heard on Tuesday morning from one of these software representatives that their software, which is 100,000 lines of code, is bug-free. That is highly unlikely.

RM: If that is true, there is a way to confirm it. We have a thing we use in the United States called the "Common Criteria." The highest level under the certification process of the Common Criteria is Level 7. This means you have to have mathematical proof for every single line of your code that it all works exactly as specified. To date, no one has done that with anything but the most simplest module. The claims we heard on Tuesday are impossible. He'd have to be super-human to accomplish this. It could be done, theoretically, but it would take forever, for that length of code, to achieve Level 7 certification. It would take longer to prove it than it would to write the code.

DD: Let me be clear. I am not a security expert, and my voting expertise is what I have picked up in the last six months. My research area is formal verification, which is mathematical proofs of the correctness of things, so I can confirm what Rebecca just said.

RM: I am a security expert.

WP: We have talked about the non-malicious errors and glitches that can take place in these DRE codes, and in the machines themselves. What kind of malicious actions could be taken by someone against these machines? What are the security gaps? What are the ways that this process could conceivably be subject to fraud?

DD: There are insider attacks, which we know could be successful if someone chose to do that. What people worry about with PCs is not so much Microsoft hacking them, but outside people coming in over the Internet with viruses or something you download. That is an outsider attack. In order to be confident about your code, about a system that is security-sensitive, you have to do a very careful analysis of the design and the software itself. It has to be done by real pros, and it is a very labor-intensive process. That has not been done, to my knowledge, with any of these voting systems. Without that kind of analysis, you can be guaranteed that there will be gaping security holes. People are just going to make mistakes, because it is too hard to do otherwise.

Without a careful security analysis, you can't know what kind of outsider attacks may be possible. Except in the case of the Johns Hopkins paper from last week, where they managed to get their hands on the code through Diebold's carelessness and lack of security. Two graduate students noticed what turned out to be severe security blunders. I don't think it is important to emphasize whether people can hack these particular machines in these particular ways, although I find the problems these grad students found to be worrying. I think the most important thing about that is that it disproves any claim that the manufacturers or the independent testing authorities are actually carefully scrutinizing this code, or for that matter, know anything about computer security. I think we have conclusively disproven that there is anything in this process that guarantees these things are secure.

BS: Diebold has claimed that the code which was downloaded is not the code running on their machines. There is no way to verify that this is true or not. There is reason to believe that the code which was downloaded is certified.

RM: One of the other problems brought out by the Johns Hopkins report was this issue of "Smart Cards," the things you use to cast your vote. If you had this Diebold code, you could manufacture your own Smart Cards and have a pocket full of them, and maybe cast additional votes. My issue, simply, is that it is easier than that. You don't have to be an insider in the vote machine company.

At the polling places, you have the people who are making the Smart Cards. The Smart Cards are sitting there in a pile. The interesting thing about these Smart Cards is that the voter comes to the polling place, and data is put on the Cards. The idea, as the vendors have been telling us, is that the voters take that card and go to the machine, and the card only lets them vote once. Otherwise, you could vote 20 times. What happens when there are no voters in the room at the end of the day, or in the middle of the day? What if some of the other poll workers have walked away?

There is nothing to prevent a poll worker from manufacturing some more Smart Cards, sticking them into the machine, and voting several times? There is absolutely nothing to stop some corrupt poll workers from doing this. In fact, what this whole thing was trying to prevent - they say we are using DRE's because we don't want to have these problems with paper ballots, with people taking the papers out and substituting another ballot - these same crooked people who would tamper with ballots are the same people who would make a few more Smart Cards and vote extra at the end of the day.

BS: One of the things you can do, and you don't have to be all that clever to do it, is change a small percentage of votes one way. If you're really smart, you'll change an even smaller percentage of votes the other way, so it won't be obvious. If you're smarter still, you'll do this randomly. If you're smarter still, you have something called a Random Number Generator, and maybe every hundred votes you make sure is Republican, and every five hundred votes you change to Democrat. If you try to repeat this, if you run the code again on the same input, you'll get different results, because you randomly decide what to change. Because it is random, it is different each time. You will still do the changing of 100 in one column and 500 in the other, but it will be different.

RM: These are parts of the basic underpinnings of computer science, but in actual fact, the more simple things are the ones we have been able to observe. There have been precincts where vote totals for entire candidates on these machines have come up to zero. This has happened to Republicans and Democrats. There is something wrong there.

When these vendors are asked by the newspapers about this, the vendors claim those votes were never cast. The vendors say those voters chose not to vote in those positions. All of them? In every other machines, those candidates had votes. These are simple malfunctions. Once it's done, it's done, and there's no way to go back and reconstruct it.

DD: Election officials love to believe that people go into the voting booth just for show, just to convince their friends that they are going in to vote, and then they don't vote for anybody. This is how they explain missing votes.

RM: They now have a fancy word for this: "Undervoting." They believe that, in huge numbers, people go in by the hundreds of thousands and deliberately choose not to vote.

WP: Sounds like faking an orgasm.

(Laughter)

DD: With something as important as elections, the government and the sellers of the machines ought to have the burden of proof on them to prove to us that the machines are working correctly, and that the election results are accurate. All of democracy is founded on the idea that the loser of an election understands that they lost fair and square, that the election represents the will of the electorate, and that they have to deal with that. If you have a situation where there is any doubt about the election, you have the kind of lasting bitterness that there is from Florida in 2000, and from Georgia in 2002. If we get into elections with outcomes that people don't believe in, where the candidates challenge the honesty of the machine, people are going to feel less and less confident in the results of elections run on these machines.

BS: I want to get back to those undervotes quickly. I think it is very unlikely in major elections, when there are only one or two candidates or positions on the ballot that people would go in with the intention of not voting. But when you have a long ballot, like you get in California, and you get to the point where you have to vote for judges, and you've never heard of any of them, many people may not vote for them. That kind of undervote is frequently legitimate. It is when there are major races, races that are pretty much what the election is about, and you don't get votes. That's when you have to be suspicious.

BS: I think that most of the comments we are making about security apply to the big three companies: Diebold, Sequoia and ES&S. What we see these three companies doing is not adequate at all.

DD: I don't see the smaller companies being much better than the big three. The basic problem is that they all float down to the lowest level, because doing everything right costs more money and takes more time. They want to get the machines out as quickly and cheaply as they can get away with, while still satisfying their customers. They have a certain set of regulations they have to satisfy. They know what the independent testing authorities are going to look at, and they don't do anything they don't need to beyond that. We can pretty much count on the security of most of these machines not being good. There are a few very computer-science-oriented companies. VoteHere is the only one I can think of. They have a different attitude on security because that is their selling point.

RM: Now that there is increased interest in voter-verified systems, there are companies coming out with new systems. You can still stick with the "mark-sense" systems, the optical scan systems, the paper ballots. The problem with those is that there are many people, blind or otherwise handicapped people, who cannot use the mark-sense system. They want to be able to vote, too. They don't want to just vote at home, or vote with assistance. They want to vote on their own in the polling places, and they should be entitled to do that. That is what the Help America Vote Act has granted them. It says people with disabilities should have the same access. We believe this completely, and also believe they should have the same access to reliability.

WP: I suppose you talked about the insider tampering, but I haven't heard you talk about the outsider, and there's a couple of them, aren't there? The judges or the poll workers. Are they able to tap in?

DD: Let me comment about that. So what I've said about outsiders is that without a careful security analysis, we don't know. Right? We don't know enough about the machines, and you have to know about the machines, you know, and what the outsider attacks are going to be, except in the case of this Johns Hopkins paper from last week, where they managed to get their hands on the code through Diebold's carelessness.

WP: Lack of security.

DD: In a half an hour, two graduate students in that group had noticed what turned out to be severe security blunders. Now I don't think it's important to emphasize whether people can hack these particular machines in these particular ways, although I find the problems they found to be worrying. I think the most important thing about that is that this proves any claims that the manufacturers or the independent testing authorities are actually carefully scrutinizing this code or, for that matter, know anything about computer security. I think we've conclusively disproven that there's anything in the process that guarantees these things are secure.

BS: One quick comment. Diebold's response is that the code that was downloaded is not the code that's running on their machines; but, of course, they are not willing to let us look at the code that's running in the machines to verify whether or not that's true. And there's reason to believe that the code that was downloaded was certified.

RM: Well we believe that, though we've never really confirmed that. But we do have someone who did certification in Iowa for many years, and he saw earlier versions of the code. And he said it was the same and it had the same problems that he had told them five years ago. So we really don't know for a fact with that code, but what we can say is that one of the problems with the Diebold code that was pointed out by the Johns Hopkins Report was this business about the Smart Cards. Pretty much, if you had this code, you could manufacture your own Smart Cards and have a pocket full of them and maybe cast additional votes. But my feeling about that is that it's easier than that. And it is to your question about not having to be an insider in the voting machine company.

At the polling places, you have the people, who are making the Smart Cards. The Smart Cards are sitting there in a pile. What happens is the voter steps up, they put some electronic stuff on the Smart Card, which the idea the vendors have been telling us is that the voter can take that card, they go to the machine and it only lets them vote once. Otherwise you could keep sticking it back in and vote 20 times. Without the card you could just step up and vote 20 times. So they give them this card to enable them to do that. What happens when there's no voters in the room at the end of the day, or in the middle of the day when there's no voters in the room? And maybe some of the other poll workers have walked away?

There's nothing that prevents a poll worker from manufacturing some more Smart Cards, walking around to the machine, sticking a couple of them in, and then at the end of the day, oh, there was these three guys who didn't vote. Well, we'll just sign them in. Now you have the numbers are even. So it's a perfect attack and there's absolutely nothing that stops corrupt coworkers. And, in fact, what this whole thing was trying to prevent, these same crooked people who would want to do that would be the same crooked people who would make a few more Smart Cards, stick them in the machine and vote extra at the end of the day. I don't see why that wouldn't happen.

DD: There's sort of a hierarchy of potential security problems, and you can look at who might be the bad guy. Having the voters be the bad guys, that has its plusses and minuses. You've got a whole variety of voters you can't control, can't do background checks. They're not necessarily people you know. So it's perhaps more probable that they would be bad guys. Having them be able to fool with the machine would be especially bad. Pollworkers are somewhat the same. It's very hard to get good pollworkers, you know. You're really not going to do background checks on them. There may be stuff where pollworkers have access that voters don't have access. And there is a difference between some voter like me making some fake Smart Cards and a pollworker using their little machine to make some fakes in Smart Cards. So there's some subtle differences.

WP: So at the end of the day, basically, when Snieder in The Denver Post today says "I have security in my office. It's not like I let any Tom, Dick and Harry into my alarmed, cameraed and locked server room said Snieder. He uses 220 Diebold optical scanners for elections in Adams County." That does not fill you with warm and cuddly comfort.

DD: Well, first of all, I'm talking about the insider attack, which is somebody changing the code in his machines before he gets them. Secondly, you know, I'm glad that he has physical security on his machines. That's a good thing. How hard is it to bribe the night watchman or whatever you need to do? It's not that hard. On the other hand, people don't have to work that hard to find some way to subvert these machines.

DD: We talk about how lousy the security with these machines is. That's really kind of a side issue. I think it's very true and it's a big problem but it's kind of a side issue. This problem with the insider attacks, even with the best security, cannot be stopped. We'd like to improve the security, but that's not the main thing we want. The main thing we want is this audit trail on the side to double check it, so if there is a problem with the security, we can catch it.

RM: Or a malfunction.

DD: Yeah. Or a simple malfunction.

RM: Any problem, we're going to know it. At the end of the day there's going to be a box of paper ballots and if this secured properly and we're talking about not just being secured by being in a locked paper box. We can also put codes on the bottom using all the pictographic schemes so that somebody can't substitute it. It would be demonstrated that that had to be the ones that were in the box on election day. So you can't just take one out and put another one in like people thought, you know, might be going on in Florida or in places where the punch cards are in with the optical scanning ones. If we make it a better ballot box then we'll add additional code that would make sure that that paper is actually secure.

WP: I have a multi-tiered question in which we'd cover a couple of different issues. The sort of real left wing progressive activist types are the ones who are really worried about the problems with these newly conceived voting systems, and one of the main things that bugs them is some very simple research into who the Board of Directors are for a number of these Big Three companies. That simple research reveals these Boards as being comprised of some serious hard-core conservative Republican activists. How much you might know about that? I also want to get into the fact that, despite the uproar that this has caused within the ranks of the left wing, there are some very interesting groups of people who are having trouble accepting the information that you are bringing to them. I also want to talk a little bit about how this is not some sort of bipartisan, one sided partisan issue.

DD: So the first thing is, is it a right wing conspiracy? It bothers me deeply that there are major conservative contributors running these companies. On the other hand, if you think about it, everybody has a conflict of interest. You wouldn't want your pavement company running a voting machine company because they have a real interest in who gets elected, because they're going to get pavement contracts from them. And that's true of everybody. Everybody has political opinions. Everybody has economic interests that deal with the government. So there is no way to get some sort of independent, super-objective neutral voting machine company. It's always suspect, regardless of the sterling character of people in the companies which is why you need an independent check on everything. So trust is not a good thing in election systems. The only people you should be trusting are groups of people with opposing interests, such as election observers from different political parties.

Now in terms of the political realities of this, it seems that progressives are the people who are most energetic and passionate about it . I suspect that there would be a general rule that people who have lost a lot of elections lately are inclined to be more passionate about this than people who have won a lot elections lately.

On the other hand, this is a cause that seems to have a tremendous amount of grass roots appeal. I've been probably doing more grass roots activism than any other people in this room. Unfortunately, I am an incompetent activist. But people just come to me. They read the web page and ask how they can help. They are so concerned. On the other hand, most of the opposition to what we are talking about is coming from what you would think of as progressive and good government groups. A lot of these groups have taken an official position.

They have a bunch of very pragmatic concerns about, is it going to disrupt plans to buy equipment that will be replacing equipment that they hate? Will the equipment be unreliable? Will it add expenses to things? Will people buy what they feel is inferior equipment? They have legitimate concerns. Unfortunately, they're missing a legitimate concern which is the computer reliability and security issue.

WP: It sounds a little bit like the decision has already been made to commit to this course, and they just don't want to hear about anything that's going to disrupt that decision.

DD: I think that's exactly right. These people have been working on this issue for a very long time. They've made bunch of deals that were very hard to hammer out. They think they've got something satisfactory and they don't want people coming in and changing the rules.

RM: Some people are also afraid, like the League of Women Voters. I believe that they are actually afraid that if people think that we have to have a piece of paper, then we shouldn't trust the computer and we shouldn't trust elections, and that makes us even more afraid. What we're saying is the opposite. If you have just the computer, then we know people are going to have questions in their minds. If, on the other hand, you have these pieces of paper and the people can see the pieces of paper and there are poll workers who can see the pieces of paper, and when we all play an active role in making sure that those are counted correctly and that the procedures are done correctly, it's all a visible and open process and we've now opened it back up to the people, so that we the people, the citizens, are the ones who are conducting the elections, not the election officials.

BS: I'd like to comment a bit on the League of Women Voters and some of these other groups. I think there's something else that's going on. The people making these decisions don't have a good technical background and I think, in some cases, they are a bit afraid of technology. They want to believe. When they are told that you can trust these systems, they initially did believe it and they want to believe it because it makes life so much easier. And these machines are so much nicer compared to the punch cards. You don't have to worry about hanging chads and they can be made very easy to use and they can figure out how to operate them because they've done ATM's. And then we come along, the sort of spoil sports, and say, wait a minute, you can't trust these machines. And people don't like that.

BS: I personally have been in battle with The League of Women Voters. I joined the League of Women Voters a few months ago over this, because I was concerned about voting. Shortly thereafter, there was a letter in The Times from the president basically saying paper ballots aren't really necessary, which got me very nervous. I wrote to her, and almost immediately thereafter a statement appeared on their website saying you don't need voter verifiable paper ballots, that paper's not a good idea, it has all these problems, blah, blah, blah. Their statement is so bad it actually has a claim about something being a way of doing security which is just a joke. I mean, you'd flunk a student for making a claim that you get security through this method of keeping the information in different parts of the machine and in different formats. That doesn't give you the security. They refused to take it off their website.

DD: My first reaction to these things was simply, it's OK to disagree with me. But go get some competent technical advice. Don't produce things that are just embarrassing. And they're not hearing it.

RM: They're saying that they are speaking to computer scientists and yes, there are some computer scientists who believe that the paper ID is not the way to go and that there are some flaws with the way that we're doing things. But those people have yet to demonstrate that any of the things that we've said are incorrect because, in fact, all the things that we say are based on computer science theory which they, of course, have to subscribe to as well. But they have their own reasons for saying that. One of the interesting things in California is that when the vendors were asked about the printers, first some of the vendors said, well, putting in printers would be expensive. Turns out, they already have printers in the machines because they print out zeroes at the beginning of the day and totals at the end of the day. So it's no more expensive. Just have a little bit more different printers to do the paper stuff.

Then they said, well, how about buying the paper? And then they had this whole issue about, oh, we're going to have to archive the paper and it's going to cost us all this paper, there'll be paper jams. Turns out, California has a law that says that you have to print out the paper afterwards. They've got to print it out anyway. That's the way they audit it. They audit it by taking the stuff that's inside the computer, that we don't really know how it got in there and whether it's correct, and they actually print it out on pieces of paper.

BS: And then they count some of it.

RM: And they count some of it. Why don't they, if they're printing it out anyway, why don't they print it out and let us see it when we vote and they're going to print it out anyway. It'll save them a lot of time. No, they want to print it out after the fact and the voters will know that theirs are the ones that are being counted.

BS: Without these voter verifiable paper ballots or some equipment, which we don't yet know how to do, there is no way to do a recount. You do a recount, you go up to the machine and say, "Dear machine, would you please tell me what the numbers are?" and the machine says back to you, "They're the same numbers I gave you before, you dummy." Right? So what does it mean to do recount?

DD: What people have done is redefine recount to mean something other than what you think it means. So I've taken to saying, there's no way to do a meaningful recount.

RM: Or an independent recount. The recount is dependent upon the vendor. You have to take the vendor cartridges, put them in the vendor machine, and they have to be read using software provided by the vendor. There's no way for me, a computer scientist, to read those cards, even if they gave me a card which they say I cannot have because it's proprietary and it's owned by the county. But even if they could give me a card and I was allowed to read it, that would be illegal because I would have to use the secret code that is allowed to read the card. This is terrible. There is no independent way to do a recount.

BS: We basically are handing over our elections to a small number of private corporations. I mean, there's something kind of scandalous about this.

DD: Somebody coined a phrase that I liked: Instead of voter verified elections we have vendor verified elections. One point is about voter confidence. There are people and I worry about this myself, that by raising these concerns will undermine voter confidence. What they really mean there is we'll undermine voter participation. Particularly on the progressive side. People understand that voter turnout has been a tremendous problem. They need to get people out to vote and they don't want them to feel that their vote doesn't count, even if they're using these touch screen machines.

I don't believe there's any reason not to vote. For example, if you want to have politicians see common sense and stop buying touch screen machines, the only way to make yourself be heard is to vote, right? I don't subscribe to the idea that there's been any election that's necessarily been stolen using touch screen machines. It's a risk for the future. I don't know what's happened in the past but I don't think there's wholesale election fraud going on at this time.

BS: But you can't prove it.

DD: But I can't prove it, which is the whole problem.

WP: And that's the inherent risk of that possibility hanging over this whole process that really is the ultimate point.

DD: So when people speak about voter confidence, they need to think about it in this other way: It's the voters having confidence that the results of the election are sound. It's not just a voter participation problem; it's a question of accepting the results of elections.

The second point is that what we're noticing is that the grass roots have a lot of sympathy with the position we're expressing. They understand it intuitively and they share the same fear that we have. The civil rights organizations, I think, don't necessarily have the support of their base.

BS: Like the LCCR.

DD: The Leadership Conference on Civil Rights. It's a consortium of 180 civil rights organizations.

BS: And AFL-CIO, ACLU, AARP...

DD: Many of which are huge. The NAACP, also. But many of those individual organizations have not taken a position. I have a feeling that if they went and explained it objectively to their membership that a lot of their members would say, yeah, I think we'd better do something about this problem. So I'm not sure that these progressive groups have that much support from their membership. It's more the specialists in voting rights and whatever who have been working on this particular problem.

There's one last thing that I wanted to say. I think it's a great quote and it never gets into anything I ever say and probably for good reason. Albert Einstein said, "Make everything as simple as possible but no simpler." I think we're violating that when we try to simplify elections too much with this equipment. I think it should be as simple as possible, but when you start sacrificing integrity and cutting corners in order to simplify it more than it can be simplified, you've made a serious mistake.

BS: As far as these organizations that have taken public positions against voter authenticated paper ballots, one of the interesting things that we hear is, we find the same arguments coming at us from different people. It just makes me think that there's a small number of individuals who are going around lobbying these groups before we get to them, basically, and convincing them that this paper ballot is a bad idea, that people will have trouble with it. We heard yesterday that African Americans can't deal with it, they can't deal with this stuff. They can't read the paper ballot. It's going to disenfranchise them. This guy said, this is in front of several African Americans, I was thinking, my God, this is really insulting. It's insulting.

DD: There are studies by social scientists, particularly political scientists and on voting behavior, where they can show statistically there's certain things like punch cards, and maybe central optical scan, where you send your ballots into the central office and they run it through a scanner in batch mode.

RM: 'Batch mode' means running them all together.

DD: The studies show that this has a statistically discriminatory effect. It's not explained how that happens. Maybe the African American voters or whatever minority they're looking at are voting for the first time and aren't as familiar with the ballots. They can't really explain the phenomenon. But when you come to some of the better paper-based technologies, like precinct-based ones, the data is so thin that they can't prove that there's any discriminatory effect. I think that the advantages of touch screen machines to minority groups are being vastly overstated. At least there isn't strong evidence for it.

RM: I think that it's very, very important for people to start lobbying. If they're concerned about this, they must start lobbying all these groups. Rush Holt, my congressman in New Jersey, has a bill in Congress on this. People need to get their Congressman to endorse that bill and make sure it also gets a compromise bill in the Senate and gets pushed through. We need to have these things being pushed through.

BS: I completely agree with everything Rebecca just said. What happens in 20 years when there's a major crisis? What worries me is in 20 years or less, there'll be an election where people will believe that something wrong was done and they won't be able to prove it. They will not be able to prove it and that gets back to the whole notion about competence that David was talking about before, the feeling that some of these progressive organizations are opposed to what we're pushing because they're afraid that we are raising doubts in the voters' minds. I think nothing will raise doubts in the voters' minds more than an election which they feel has been stolen by these machines and there's not a damned thing they can do. I mean, even in Florida, you could see what was going on. You can't see what's going on when these machines are counted.

When we talk about dealing with minorities or people with disabilities and talk about problems with these machines, it's all well and good to make sure that someone gets to vote. You know, people are concerned. They don't want these long lines, they don't want to make it too hard. I want to be able to vote. But you know, there's no point in your voting if your vote ain't going to be counted. Or it's not going to be recorded right. So it makes no sense to focus on voting if you don't know what's going to happen to your vote.

DD: I don't feel bad about raising the alarm. I think we have a moral obligation to tell the truth and I don't think that someone else could say that if somebody sees a serious problem they should be quiet about it so people won't worry. I mean, people have to worry or else, obviously, the problem's not going to get fixed. It's been going on too long and people like Rebecca have been complaining about it too long to believe that suddenly it's just going to get fixed unless we raise a real fuss.

WP: Tell me about House Resolution 2239.

RM: Well, Rush Holt is my Congressman and he's actually a physicist. He was at Princeton, PhD. in physics before he went to Congress and his bill is really an important one because he's raising four points which people have completely misinterpreted. They think that by having voter verified ballots we're going to make it longer before the disabled will be able to vote. His bill actually says, we want verified ballots. They need to be required, but he also accelerates the time in which the disabled are going to get the new machines. He wants to push that forward, sooner, not later. That is an important reason for his bill.

Also in his bill is that he wants the code to be opened. He says there should be no secret code. Of course, the vendors can protect their stuff with copyrights and patents. That way, if somebody tries to copy their code and sell it in their machine, they can sue them just like anybody else. But that the voters and the people need to have the ability to actually see the code and be able to verify that and I'll get back to that in another second.

The last part of it is that he's concerned about these modems, these telecommunications devices, because they're saying that they can use those devices to send the data at the end of election date to the main precincts. If those are connected up to phones it can come in. He does not believe that there should be any especially wireless communications where anybody could be sending in packets.

Getting back to point number three, the business about verifying the code and being able to do that. Unfortunately we have a new trend in this country that was started in 2000. If you protest an election and you want a recount, you're now called a sore loser and it's unfortunate but it is your legal right. If you're a candidate you have the legal right to ask for a recount if you have very strong reason to believe, and you have to demonstrate this, reason to believe that there's something wrong. Well, now, the recount is just push a button, it prints out the same thing, that's the same totals and you can't go any further to see if the machine was really working

WP: This is the stuff that Rush Holt's bill is aiming to try to deal with?

RM: Yes. Why do we even have laws on the books in all the states that say that you can have a recount when what they're respectively saying is, sorry you lost, sore loserman, just shut up and go away and don't bother me any more. And that's exactly what's going on.

DD: I agree with Rebecca. I'm sick of hearing this stuff. We're not talking about baseball games here. This is the foundation of democracy. I think a candidate has a duty to his supporters, if he believes there's anything wrong with an election, to go in there and find out if there's anything wrong. And in fact, he or she has a duty to democracy to do that. We all want to believe that election is fair. Unless we go in and audit those things occasionally, we're not going to know that.

BS: I also want to make a comment on the Rush Holt bill. I think, the Rush Holt bill is the only chance we have for the '04 elections, because these machines are already in widespread use and being purchased. As we know, Maryland just purchased some DRE's and other places from Diebold. Georgia has them, and so these machines are in widespread use already. And they are going to be used in the '04 election and the only hope we have that get something, get these things fixed.

One of the things that worries me about Rush Holt's bill is, as of now, I don't know about today but I think probably still today, all of the endorsers are Democrats. One of the pleas I would make to the people who read your article is to really work at making this, to fight it, and keeping this a non-partisan issue. Try to bring more Republicans into the Rush Holt bill and whatever they do, don't make this into a partisan issue because if it becomes partisan, that's the kiss of death, in my opinion.

DD: Because the Democrats are already pretty much outnumbered so if it's something with a big D stamped on it, it's going to get killed.

BS: I don't want to put this in a negative way and say, we don't know. We know that there are Republicans who feel this way and so the main thing is that we've got to get them to sign up. That's all. We're not asking anybody to do anything which is un-American. In fact, this is sort of quintessential American. This is what the country's all about. But people need to contact their Congressman and let them know that they need to sign onto this bill. And Senators.

WP: I'll ask the obvious stupid question. Are you trying to drag the electoral process back two centuries by bringing this stuff up? Because that's the charge that has been made against you.

DD: No. I just want an electoral system I can trust. And I think everybody else in this country wants it, too. I happen to have the technical background to be quite confident that there's no reason to trust the machines that we're deploying now. So I'm raising the concern. I think there may, in fact, be super-high-tech solutions to this problem in the not too distant future that provide much better election security than we have now. And are significantly less difficult to deal with than maybe some of the solutions we're talking about. So I'm certainly not against technology since I marinate in it to the exclusion of all other activities.

BS: We are also all doing this pro bono, and you can't believe how many hours this stuff takes. We are the ones out there fighting to preserve our democracy. That's what I think we're doing. We are the ones fighting to preserve our democracy.

DD: You know, being an engineer involves making choices about the appropriate use of technology. It is not using the highest tech solution to every problem, whether it's appropriate or not. It's focused on solving the problem by the best means that are available. The best engineers will use the best means that are available even if they don't involve any significant technology at all. I think it's the responsibility of everybody in technology to weigh in with their opinions about the appropriate use of technology and the inappropriate use of technology. And I think it's particularly important for academics and educators to do that. I think part of our job in universities is to try to advise the rest of society, and the policy makers, of what the right things to do are. And to share our expertise and that's really what we're trying to do.

My greatest worry is really an erosion of confidence in the elections. When people can no longer trust the elections I think that that will undermine the legitimacy of everybody in government and I wouldn't like to see that happen.

BS: The confidence is very important. I also fear that if there is the capability of undermining elections sooner or later. Somebody will exploit this technology to steal an election. And to me, our democracy and our right to vote and our right to choose the people who run this country is fundamental and if I feel we've lost that then what makes this country special is gone.

RM: My feeling is that it is a bamboozling of the American public. We're trading away a lot of the checks and balances that we have always had in elections. We're trading this off for high-tech, for faster returns, and it's not true, what we're being told is not the full truth about what is actually going on and I think that we're giving away much more than we're getting. We're giving the opportunity to have an entire election stolen, just because of bad code, not even stolen, just screwed up, fouled up.

DD: We're driving too fast along the side of a mountain road with no guardrail. And maybe you won't go over the side or maybe you will. Do you want to risk it? If you do it long enough you'll eventually go off the mountain.

David L. Dill is a Professor of Computer Science and, by courtesy, Electrical Engineering at Stanford University. He has been on the faculty at Stanford since 1987. He has an S.B. In Electrical Engineering and Computer Science from Massachusetts Institute of Technology (1979), and an M.S and Ph.D. from Carnegie-Mellon University (1982 and 1987). His primary research interests relate to the theory and application of formal verification techniques to system designs, including hardware, protocols, and software. He has also done research in asynchronous circuit verification and synthesis, and in verification methods for hard real-time systems. He was the Chair of the Computer-Aided Verification Conference held at Stanford University in 1994. From July 1995 to September 1996, he was Chief Scientist at 0-In Design Automation. Prof. Dill's Ph.D. thesis, "Trace Theory for Automatic Hierarchical Verification of Speed Independent Circuits" was named as a Distinguished Dissertation by ACM , and published as such by M.I.T. Press in 1988. He was the recipient of an Presidential Young Investigator award from the National Science Foundation in 1988, and a Young Investigator award from the Office of Naval Research in 1991. He has received Best Paper awards at International Conference on Computer Design in 1991 and the Design Automation Conference in 1993 and 1998. He was named a Fellow of the IEEE in 2001 for his contributions to verification of circuits and systems.

Rebecca Mercuri is the founder of Notable Software and Knowledge Concepts. Her management skills have been applied to day-to-day operations as well as product development. As a computer scientist, she has been employed by and consulted for many Fortune 100 firms, including AT&T Bell Labs, Intel, Merck, and RCA. Her specialties are interactive systems (multimedia, digital audio, computer graphics), microprocessor applications (real-time and distributed systems), computer security and forensics. An avid educator, Rebecca has taught in various capacities at colleges and universities in PA, NJ and NY, and she has written and presented training courses for industry and government agencies, including the Federal Aviation Administration, the Philadelphia Stock Exchange, and SRI's Sarnoff Center. She publishes extensively, and is interviewed and quoted frequently by the media (including the Associated Press, National Public Radio, New York Times, Wall Street Journal, U.S. News & World Report, The Economist). Dr. Mercuri holds Ph.D. and M.S.Eng. degrees from the University of Pennsylvania as well as a M.Sci. from Drexel University.

Barbara Simons was President of the Association for Computing Machinery (ACM) from July 1998 until June 2000 and Secretary of the Council of Scientific Society Presidents in 1999. ACM is the oldest and largest educational and technical computer society in the world, with about 75,000 members internationally. In 1993 Simons founded ACM’s US Public Policy Committee (USACM), which she currently co-chairs. She earned her Ph.D. in computer science from U.C. Berkeley in 1981; her dissertation solved a major open problem in scheduling theory. In 1980 she became a Research Staff Member at IBM's San Jose Research Center (now Almaden). In 1992 she joined IBM's Applications Development Technology Institute as a Senior Programmer and subsequently served as Senior Technology Advisor for IBM Global Services. Her main areas of research have been compiler optimization, algorithm analysis and design, and scheduling theory. Her work on clock synchronization won an IBM Research Division Award. She holds several patents and has authored or co-authored a book and numerous technical papers. Recently, Simons has been teaching technology policy at Stanford University. Simons is a Fellow of ACM and the American Association for the Advancement of Science. She received the Alumnus of the Year Award from the Berkeley Computer Science Department, the Norbert Wiener Award from CPSR, the Outstanding Contribution Award from ACM, and the Pioneer Award from EFF. She was selected by c|net as one of its 26 Internet“Visionaries” and by Open Computing as one of the “Top 100 Women in Computing”. Science Magazine featured her in a special edition on women in science. Simons served on the President’s Export Council’s Subcommittee on Encryption and on the Information Technology-Sector of the President's Council on the Year 2000 Conversion. She is on the Board of Directors of the U.C. Berkeley Engineering Fund, Public Knowledge, the Math/Science Network, and the Electronic Privacy Information Center, as well as the Advisory Boards of the Oxford Internet Institute and Zeroknowledge, and the Public Interest Registry’s .ORG Advisory Council. She has testified before both the US and the California legislatures and at government sponsored hearings. She was runner-up in the first election for the North America seat on the ICANN Board. Simons was a member of the National Workshop on Internet Voting that was convened at the request of President Clinton and produced a report on Internet Voting in 2001. She also participated on the Security Peer Review Group for the Department of Defense’s Secure Electronic Registration and Voting (SERVE) Project.

Further data on this issue can be found here:
- http://www.verifiedvoting.org
- http://www.verifiedvoting.org/fair_elections.asp
- http://www.notablesoftware.com/evote.html
- http://www.blackboxvoting.com/

* * * * *