The essential points of this presentation are these:
2.1 In Current Vote-Casting and Counting. Over 55% of American voters now vote with computer-readable and computer-tallied ballots, or cast their votes directly into vote-tallying computers without ballots by using touch-screens or push-buttons. Computer-readable ballots, using either holes or marks as choice-indicators, have been in use since the 1960s. Such ballots may be fed into precinct-located computers, or collected, transported, and fed into centrally located computers for counting and summarization. Non-ballot, direct recording voting systems, which must be precinct-located, have been in significant use only in the past five years. The two essential technical processes, regardless of system type, are vote-casting and vote-tallying. The vote-casting process may be carried out in two steps: first, by the voter filling out a computer-readable ballot and second by the reading of the ballot; or in one step: by the voter directly entering choices into a computer. Vote-casting, from a technical viewpoint, is a machine-sensing of a voter's choice and a conversion of that choice to a machine-processible signal. Vote-tallying is caused to occur by machine logic that is designed into software and hardware.
2.2 In Future Vote-Casting and Counting. In the future, there may be more use of on-line voting, in which the voter, remotely stationed at a terminal or terminal-like device, is connected by communications to a central computer facility. The central facility would need to have, on-line, the complete registration database for those voters expected to vote by that method. Voting by phone, which fits this model, has been tried in a few communities. Whether voting by phone becomes more widespread remains to be seen; general acceptance will depend on characteristics such as user-friendliness, ability to attract additional voter participation (over current methods), cost-effectiveness, and security. Voting at a personal computer (PC) with a communications connection to a central computer is a similar possibility; a blank ballot would be communicated to the PC from the central computer, the voter would vote on-screen, and the filled-out ballot would be transmitted back to the central location.
The use of fax machines to transmit absentee ballots is a step in the direction of on-line voting. A bill that would enable use of faxed ballots in Federal elections has been introduced in Congress as an amendment to the Uniformed and Overseas Citizens Absentee Voting Act. With a traditional fax system, the ballot would be printed out at the receiving end, but a computer system with a communications interface could be arranged to receive a fax directly without it being printed. However, the faxed ballot would need to be seen by a human (who may also see the sender's name to verify registration) in order to be voted, whether printed or not. The next step towards on-line voting is e-mail, which is a computer-to-computer interchange, but also intended for human interpretation. The final step is electronic data interchange or EDI, which is a computer-to-computer interchange, but in which the ballot is strictly formatted using standard rules. Then, the ballot can be processed by a computer program at the receiving end without human intervention, thus preserving confidentiality at that point.
2.3 In Voter Registration and Sign-In. Computerized databases are now widely used to maintain lists of registered voters, but maintenance of accurate lists is not easy, due partly to the high mobility of the American public. The U.S. Postal Service is widely used to help in verifying addresses. Accurate updating of the voter registration database as well as precinct boundary definition can be made easier by automated reference to a computerized map of jurisdiction geography, including listings of all residence identifications and multi-family dwelling designations. Ability of the voter registration database to automatically acquire driver's license and death record information could contribute to assurance of an accurate list. A computer system storing the voter registration database, if it had on-line access capability, could make possible access to the database from terminals at precinct locations on election day, to help in the sign-in (registration verification) process.
Special forms of information technology may be used for personal identification for voter sign-in on election day, e.g., computer-based signature matching, but for on-line voting systems allowing voting from phones or remote terminals, voter identification could require the use of more advanced techniques, such as cryptographic-based digital signatures.
2.4 In Automated Ballot Generation. Generation of ballot or screen layouts for vote-counting equipment is an important computer application. In a consolidated election in one of the larger counties, in which Federal, state, and local government offices as well as referenda and other questions may be simultaneously contested, the number of different ballot styles required, due to the presence of incongruent districts, may be quite large. The necessary number of styles may be multiplied by two, three, or more, if ballot rotation (alternating the top position among opponents) is required by law. The use of a computer for ballot generation may reduce the likelihood of an error in the provision of ballot styles to particular precincts. The coordination of the vote-tallying software with the ballot-generation software is a necessity; an error would result in mis-assigned votes.
3.1 Vote-Casting. Proper accounting for all computer-readable ballots is an internal control issue, and inaccurate computer reading of the voters' choices is an engineering issue, involving both hardware and software. Among ballot types, the pre-scored punch card (of the "votomatic" type) continues to be selected for use in jurisdictions including about 40% of U.S. voters, yet its capability to very accurately record voters' choices, as well as its capability for reproducing those choices in a recount, is in serious doubt. The problem is the pre-scoring, which may, through incorrect punching or rough handling, cause extra chad to fall out, or cause hanging chad to be forced back into the ballot card, thereby misstating the voter's choices to the computer. The National Institute of Standards and Technology (NIST) recommended the elimination of pre-scored ballot cards in 1988, but this recommendation carried no mandatory requirement, and very little elimination of pre-scored ballot cards has occurred. NIST's recommendation was not a Federal Information Processing Standard (FIPS), but even if it were, such standards may not be applicable to Federal elections at this time. Whether or not minimum performance requirements, such as accuracy requirements for ballot reading, should be mandatory is a policy issue that needs investigation.
There has been additional concern expressed about the human factor in the use of the "votomatic" type card. A lawsuit filed in St. Louis in 1990, and a recent review of Atlanta ballots have raised the possibility that more undervotes and overvotes occur with these ballots in precincts populated by the less-educated than in other precincts. The unusual voting patterns seen in the Mack v. McKay 1988 Florida U.S. Senate contest (and commented on publicly by knowledgeable observers) in which these ballot card types were used may indicate a similar problem. It would seem that research into this issue could be valuable, and this research could either concentrate on this specific problem, or be concerned generally with the human factor in the use of various configurations of voting equipment. However, there is no Federal program to sponsor or focus such research.
A question of accuracy is of concern also in the use of mark-sense ballot cards, in which the voter indicates his or her choice by making a mark (with pen or pencil) at an indicated location on the card. The issue is the long-term accuracy of the mark-sensor in the reader and its capability to distinguish mark from no-mark, given the variability of voters of all ages, strengths, and abilities, in the presence of card stock variations and smudges made by the voters. Performance checks of such equipment when initially procured do not constitute adequate understanding of its operational performance in real elections, and there have been no reported examinations of the accuracy of the sensing of voters' choices achieved in real elections by this type of equipment. Again, there is no Federal program to sponsor or focus such research.
The issues with non-ballot systems, such as direct entry and on-line voting systems, are more complex. The paper audit trail, i.e., the hard-copy ballot independently generated by the voter, is no longer present. Internal controls to assure correctness must be more exacting than with ballot-card systems, because there are no ballot cards to recount on an independently managed computer or to partially manually recount by random selection of a small percentage of the precincts. (These specific controls for ballot-card systems are requirements in some states. Others impose no such controls.) With non-ballot systems, the accuracy of receipt by the computer of the voter's choices is an issue, but an important and additional question is whether the hardware and software are designed to operate correctly on the received data. Even if the computer is caused to assure the voter by visual indication that it is operating correctly on the voter's choices, there is no real assurance, without some authoritative and neutral third-party involvement, that the computer has not been programmed to lie. This is more of a vote-tallying question than a vote-casting question.
Important issues with any form of remote voting, whether fax or computer-to-computer transmission, are confidentiality, integrity of the transmission, and originator authentication. NIST has informed the Department of Defense, the assigned administrator of the Uniformed and Overseas Citizens Absentee Voting Act, of the need to consider these issues. A solution for computer-to-computer transmission may be in the application of cryptographic techniques, a subject with which NIST is familiar. Currently, NIST is studying the national infrastructure requirements for management and distribution of cryptographic keys used for purposes of integrity and authentication. Remote voting is an application, in addition to the commercial, financial, and regulatory interchanges that NIST is already considering, that could benefit from use of such techniques.
3.2 Vote-Tallying. The major issue in vote-tallying for any type of computerized election equipment is the correctness of the tallying software combined with the ballot-generating software, if any. While there have been voluntary "Performance Standards" developed by the Federal Election Commission (FEC) and accepted by several states that recommend reviews of vote-tallying application software prior to its purchase (see 5.2), these voluntary standards do not address reviews of installed software that is ready to be used in an election. Application software, when installed, is associated with management software (e.g., an operating system) and utility software such as compilers and disk management routines, any of which could be the location of a virus or other damaging routine. NIST discussed this issue in its 1988 report (see 5.3). To reiterate, the assurance of correctness of tallying and associated software is absolutely essential in direct recording and on-line systems, where there are no hard-copy ballots that could be used for purposes of system validation.
A policy issue, if the software is privately owned, is whether it should be available to the general public for review or only available to specifically selected reviewers and certifiers. An issue is whether tallying software should be privately owned at all.
Internal controls and computer security techniques can protect against alteration in tallying and associated software. Examples of techniques are stringent physical access controls, and digital signature techniques used to generate hash values whose constancy guarantees lack of change in a computer program. Policy and program issues include not only the phased development and packaging of these techniques, and their effective dissemination, but the assurance that they will be applied, either because they are mandatory or because election administrators understand and appreciate their necessity of deployment. No program for this exists at present.
3.3 Voter Registration. The most prominent issue in voter registration has been the decline of public participation (i.e., turnout) in voting in general elections from about 63% in 1952 and 1960 to about 50% in 1988 and 55% in 1992. The long-term decline has been in the face of increased ease of registration, e.g., mail registration, forms available at motor vehicle bureaus, deputy registrars at malls, etc. Experts who have made well-known sociological and socioeconomic studies of the reasons for this phenomenon include Ruy A. Teixeira, Curtis Gans, and Raymond E. Wolfinger.
While the fundamental solution to this issue may not be an application of technology, technology may provide necessary support for policy implementation. For example, it is well recognized that those states that allow registration to continue to or nearly to election day, i.e., North Dakota (no registration requirement), Maine, Minnesota, and Wisconsin (election-day registration permitted), and Utah (registration closes five days before election day), are among the states with the highest levels of public participation. Reasons given for the need to close registration at some longer time before election, 30 days in some states, are to verify addresses and to provide voting lists to precinct officials of persons who may vote at their locations. It would seem that state-wide applications of information technology could shorten this time in the more urban and less administratively efficient states, but only a study of how this could be done, and the costs involved to do it, could demonstrate the effectiveness of this proposal. The additional knowledge provided to Congress by such a study could assist in the writing of legislation related to voter registration.
Another proposed solution to the apparent registration barrier is to eliminate it. Researchers note that public participation in voting is much higher in most democratic countries of Europe, and that these countries have no voter registration. This raises the issue of how individuals are to be officially identified for voting purposes. At least one state (Virginia) identifies its voters by their social security numbers. So-called "motor-voter" legislation may effectively make the driver's license an official means of identification. Are these identification methods sufficient to abolish registration, or would some official "identity card" be required? Here, election administration and computerization concepts intersect with civil liberties considerations.
4.1 Congressional Responsibility for Elections. Article I, Section 5 of the Constitution states that "Each House [of Congress] shall be the judge of the elections, returns and qualifications of its own members..." Additionally, Article I, Section 4 states that "[t]he times, places, and manner of holding elections for Senators and Representatives shall be prescribed in each State by the Legislature thereof; but the Congress may at any time by law make or alter such regulations..." This supervisory responsibility of Congress is generally interpreted to apply to elections for President and Vice-President, as well as to elections for members of Congress itself. Thus, Congress could pass the Federal Election Campaign Act that established the Federal Election Commission with power to regulate expenditures for Presidential election campaigns, and have the act survive constitutional challenge.
Constitutional amendments have changed the manner of choosing the President and Vice-President (Amendment XII), eliminated race as a bar to voting (XV), caused U.S. Senators to be directly elected (XVII), given voting rights to women (XIX), given the Presidential vote to the District of Columbia (XXIII), barred the use of the poll tax in Federal elections (XXIV), and lowered the voting age to 18 (XXVI). The Voting Rights Act of 1965 and its amendments have significantly changed the nature of the electorate in the South. While some Federal statutes are interpreted as applying to Federal elections only, the difficulty in the states of maintaining two voter registration lists and two sets of voting procedures has virtually assured application of Federal laws to state and local government elections. (Mississippi attempted to maintain dual voting lists, but dropped that in 1984.) Thus, S.250, the voter registration legislation that was passed in the previous Congress but successfully vetoed by President Bush would have assuredly been applied by the states to non-Federal as well as Federal elections, had it been enacted into law.
4.2 The Computer Security Act of 1987. Are votes cast by citizens in Federal elections covered by the Computer Security Act (P.L. 100-235)? The purpose of the act is to create a means for establishing minimum acceptable security practices for improving the security and privacy of "sensitive information" in "Federal computer systems."
"Sensitive information" means, in the act, "any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs..." Votes in Federal elections probably qualify as sensitive; modification of votes to change the outcome of a Federal election would likely be classified as affecting the national interest.
A "Federal computer system" is defined in the act as "a computer system operated by a Federal agency or by a contractor of a Federal agency or other organization that processes information (using a computer system) on behalf of the Federal Government to accomplish a Federal function." Now, Federal elections are a Federal function and the President, Vice-President, and members of Congress are Federal officials; consequently their election should be classified as "on behalf of the Federal Government." Therefore, it seems that a state or local government, an "other organization" that processes information (using a computer system) for Federal elections, is using a "Federal computer system."
Thus, it would appear at first that the responsibility given NIST under the act to "devise techniques for the cost-effective security and privacy of sensitive information in Federal computer systems" applies to votes cast in Federal elections. However, there is more.
Under the act, it is the responsibility of each Federal agency to identify each Federal computer system which is within or under the supervision of that agency and which contains sensitive information. Now, as has been shown above, Congress is ultimately responsible for Federal elections, and therefore it must be the agency to identify the Federal computer systems employed for Federal elections. Now, let us look at the act regarding the definition of "Federal agency."
The act states that "the term 'Federal agency' has the meaning given such term by section 3(b) of the Federal Property and Administrative Services Act of 1949." That definition currently reads as follows:
The term "Federal agency" means any executive agency or any establishment in the legislative or judicial branch of the Government (except the Senate, the House of Representatives, and the Architect of the Capitol and any activities under his direction).
Thus, the Senate and the House of Representatives are not Federal agencies under the Computer Security Act. Therefore computer systems used to receive and tally votes in Federal elections cannot be identified for purposes of the act, nor are plans for their security required to be developed, nor are employees involved with them required to receive computer security training, all of which are required of other Federal computer systems. It is ironic that the very type of data through which we express our fundamental democratic choices seems to be the one class of sensitive data not fully covered by the Computer Security Act.
5.1 The 1975 NIST Report. In 1974, the General Accounting Office (GAO) requested that NIST (then called the National Bureau of Standards, NBS) undertake a systems analysis of computerized voting, because of difficulties experienced in the initial uses of this technology. GAO paid for the one-year study; it was completed in 1975 and entitled Effective Use of Computing Technology in Vote-Tallying (NBSIR 75-687 or NBS SP 500-30). The report was widely disseminated.
The report included descriptions of hardware, software, and administrative problems encountered in fourteen elections in which computer technology was used. Recommendations of the report included specific techniques that could be applied to protect the security and assure the accuracy of all aspects of computerized vote-tallying. Among the techniques recommended were improvements in the procedures used to design and develop computer programs used for vote-tallying, the extensive use of audit trails and other internal control techniques, and additional documentation to verify the results of elections. It was pointed out that security requirements were similar to those needed for sensitive financial and record-keeping systems, and that both management and technical procedures could be used.
Additionally, the report concluded that:
5.2 The Federal Election Commission (FEC) Performance Standards. The FEC began to operate in 1975, and while its major function was and continues to be the monitoring of Presidential campaign expenditures, its founding legislation required it to include a section called the National Clearinghouse on Election Administration. The clearinghouse, with a very small staff, has the general mission of undertaking contract studies and distributing new information on election administration to state and local government administrators.
In 1980, the Congress adopted a law in which a paragraph called on the FEC:
Although no additional Congressional legislation was forthcoming, the FEC decided to proceed, by contract to the same individual, with the development of performance standards. With this minimal level of effort, the standards were completed in draft in 1989 and finally issued in 1990. Again, the FEC made no formal arrangement with NIST to permit NIST to contribute to the development, although the 1975 NBS/NIST study was cited in the standards document as providing "much of the groundwork for the standards development..." When the draft standards were issued for public comment, NIST submitted such a comment. The draft standards contained no quantitative accuracy requirement whatsoever for sensors reading voters' choices, and NIST's comment proposed that such a requirement should be included. This requirement was added to the standards.
The FEC standards are not primarily internal control requirements for a government to operationally manage its election. The focus is on testing of the equipment, not on the whole system for voting. The performance standards include functional requirements, minimum hardware and software characteristics, documentation requirements, and test-evaluation criteria. Hardware requirements include operation without unrecoverable error within a prescribed time interval and within prescribed environmental conditions. Software standards include "preferred" modular-design concepts and use of either high-level or assembly language programming. Testing under the standards is seen as "qualification," a process to verify that the vendor's own performance specifications have been met by the product. Capability to meet state and local government specifications, called "certification" and "acceptance" is not seen by the FEC as a proper function of its standards.
The FEC standards were characterized as "seriously flawed" by Election Watch, a citizens group, then of Pacific Palisades, CA. Among the concerns presented were the tacit approval in the standards of the continued use of pre-scored punch cards, and the failure to require vendors to make public source codes of vote-tallying programs. It is true, also, that the FEC standards only require "selectively in-depth" examination of source codes and that automated software testing tools may be used in the process of checking the vendor's software "if they do not duplicate vendor testing." It is not clear how software could be adequately reviewed "selectively" and if the major tools available to a reviewer cannot be used.
5.3 Accreditation of Independent Test Authorities. To make the FEC standards useful, independent test authorities (ITAs) are needed to test the election equipment against the standards and against vendor claims. A program of accreditation of ITAs has been started by the FEC, in cooperation with the National Association of State Election Directors (NASED), a professional association of state directors of elections.
There is an official program for accreditation of testing authorities available through NIST. It is called the National Voluntary Laboratory Accreditation Program (NVLAP) and its procedures have been made public and announced in the Federal Register as part of the U.S. Code of Federal Regulations. The FEC was made aware of this program, and in addition, NIST software engineering experts working for NIST's Computer Systems Laboratory (CSL) were introduced to FEC personnel. The FEC has, so far, chosen not to use the official NVLAP program, or to utilize, in an official arrangement, NIST's software engineering experts who have experience in adapting the NVLAP procedures to software testing.
5.4 NIST's 1988 Report. In 1986, the John and Mary R. Markle Foundation, a privately funded foundation headquartered in New York City, approached NIST/CSL and requested that it submit a grant request to undertake a new study of computerized voting. A page-one article in The New York Times in the summer of 1985 had stated that a computer program widely used to tally votes in Presidential elections was seen to be vulnerable to tampering, and that the company selling the program "has been accused of helping to rig elections." The Markle Foundation, which was aware of NIST's 1975 report, wanted these charges to be investigated and wanted recommendations made to assure the integrity of computerized elections. A result of the NIST effort funded by the Markle Foundation was Special Publication 500-158, Accuracy, Integrity, and Security in Computerized Vote-Tallying, published in August, 1988. While the project was underway, the Computer Security Act of 1987 was enacted, and the report may be characterized as one of the first major results under that act.
NIST again analyzed difficulties in certain recent elections, including those cited in The New York Times article. NIST's recommendations concerned software, hardware, operational procedures, and institutional change. Recommendations were extensive, and only a limited number can be reported here.
NIST recommended that all software to be used in connection with vote-tallying be certified by the state prior to use. After software had been certified, no changes would be permitted without a recertification. Therefore, vote-tallying software should be designed so that specialization for each election could occur by filling in values in tables, and not by programming changes. It was recognized that a review of all support software, such as operating systems and compilers, for absence of hidden code would be difficult, time-consuming, and expensive. Possibly the best that could be done, with the low-cost requirements of local government, would be to assure that support software was obtained from accountable and reliable sources from their catalogs of publicly offered products. The state would retain copies of the certified software, in case it was needed for investigations.
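The hash-constancy check mentioned in 3.2 and the certify-then-freeze rule described above can be combined into one pre-election verification, sketched here as an added example that is not part of the original presentation or of any NIST or vendor code. The directory names (`tally`, `support`, `tables`) and the key are constructed, and an HMAC stands in for the digital signature because the Python standard library has no public-key signing; with a real signature the verifier would hold only the certifier's public key.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def digest_tree(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def certify(root, key, table_dirs=("tables",)):
    """At certification: record digests of all programs (tally and support
    software alike) and seal the record. Per-election table directories are
    left out, since filling in tables is the one permitted change."""
    prefixes = tuple(d + "/" for d in table_dirs)
    files = {n: h for n, h in digest_tree(root).items() if not n.startswith(prefixes)}
    body = json.dumps({"files": files, "table_dirs": list(table_dirs)}, sort_keys=True)
    # HMAC swapped in for a digital signature (assumption, see lead-in).
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify(root, manifest, key):
    """Before an election: check the seal first, then compare the installed
    files against the certified digests."""
    expected = hmac.new(key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise ValueError("manifest seal does not verify; its digests cannot be trusted")
    record = json.loads(manifest["body"])
    certified = record["files"]
    prefixes = tuple(d + "/" for d in record["table_dirs"])
    current = digest_tree(root)
    report = {"modified": [], "missing": [], "unexpected": [], "tables": []}
    for name, digest in certified.items():
        if name not in current:
            report["missing"].append(name)
        elif current[name] != digest:
            report["modified"].append(name)
    for name in current:
        if name in certified:
            continue
        # Uncertified files are acceptable only inside a table directory.
        report["tables" if name.startswith(prefixes) else "unexpected"].append(name)
    return {k: sorted(v) for k, v in report.items()}


def demo():
    """Constructed installation: certify it, change it four ways, re-verify."""
    key = b"constructed-demo-key"  # constructed; stands in for the certifier's key
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample = {  # constructed file names and contents
            "tally/tally.bin": b"tally program v1",
            "support/compiler.bin": b"compiler build A",
            "support/os_loader.bin": b"loader build A",
            "tables/election.json": b'{"contests": []}',
        }
        for name, data in sample.items():
            path = root / name
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        manifest = certify(root, key)
        # Changes made after certification:
        (root / "tables/election.json").write_bytes(b'{"contests": ["Senate"]}')  # permitted
        (root / "support/compiler.bin").write_bytes(b"compiler build B")          # altered
        (root / "support/os_loader.bin").unlink()                                 # removed
        (root / "tally/patch.bin").write_bytes(b"uncertified add-on")             # added
        return verify(root, manifest, key)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Anything reported as modified, missing or unexpected would call for recertification under the recommendation above; the `tables` entries are listed so that the election-specific data can be reviewed separately.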
NIST recommended that all software associated with the vote-tallying process be isolated from influences over which the election administration has no control. General-purpose, multi-programmed installations, or borrowed private-sector installations, often used in the past, should not be used in the future. Vote-tallying operations should be run on dedicated computers, under the control of the election administration. This would restrict outside access to software and systems and provide the election administration with full control of its resources, a problem in the past as election administrators had turned over responsibilities to vendors and others. The concept of "trusted systems" was known to exist, but it had not been applied to the integrity of vote-tallying.
Under the category of institutional change, NIST stated that the general concern for integrity and security of vote-tallying systems could be put under the broad concept of "internal control." This body of knowledge has not been used in a systematic way in administration of elections because voting is not a financial transaction. By treating "one vote" as if it were a denomination of currency, much of the knowledge and techniques of internal control could be applied to vote-tallying. NIST recommended that internal-control specialists having computer security knowledge be used on-staff by election administrators. These specialists would be able to identify system vulnerabilities and devise protective plans consistent with available resources.
6.1 Information Technology in Elections. A Needed Program: It has been shown that there is an increasing use of information technology in elections, both in vote-tallying and in voter registration. Some of the applications of information technology require assurance of characteristics that are usually associated with computer security: identification of a data originator (voter), integrity of the transmission of a message (remotely transmitted ballot), confidentiality of the information (the votes) entered and stored in a computer system, controlled access to the system, and software integrity. The NIST Computer Systems Laboratory has been given responsibility under the Computer Security Act of 1987 to provide guidance to the whole of the Federal Government in protecting sensitive information in computer systems, but its mandate for protection of sensitive information in Federal elections is unclear.
In addition, NIST has other highly useful resources applicable to the needs of elections that use computer technology. NIST has maintained its expertise in software engineering, because of its responsibilities under the Brooks Act (P.L. 89-306) to assure the effective use of computers in the Federal Government. This capability is applicable to the efficient design and testing for assurance of computer programs used for vote-tallying. NIST's competence in the technology of physical measurements contributed to the establishment of NVLAP which can be used now to take advantage of NIST's expertise in both software engineering and physical measurements. NVLAP is available to provide an effective and officially sanctioned program of accreditation of testing laboratories used in connection with procurement by the states of vote-tallying hardware and software.
The U.S. Congress needs to recognize that the increasing use of information technology in elections requires a coordinated and managed effort to assure that technology's effective use, and to assure that the public continues to have confidence in the equipment that calculates the consent of the governed. This effort needs to be led by an organization that already has the technical expertise and the mandate to use that expertise in closely related activities.
6.2 Information Technology and Personal Identification. The issue of personal identification arises in elections through the process of voter registration. Through extension of the "motor-voter" registration concept, the driver's license is likely to become the acceptable identification for voting. Is this sufficiently unique for the integrity of registration lists to be maintained, and if so, could registration be eliminated, as is done in many European democracies? In addition, the social security number is now being widely required by credit reference bureaus and the businesses that subscribe to their services. Is this number satisfactory and appropriate as personal identification?
If not, what is? The Congress may wish to look at this issue, not only for a better understanding for application to voter registration, but for understanding of how personal identification is consistent with civil liberties. The Computer System Security and Privacy Advisory Board, established under the Computer Security Act of 1987, is an appropriate organization to undertake such a study.