Panelists (from left to right): Rebecca Mercuri (Bryn Mawr College),
Lance Hoffman (George Washington University), Richard White (former U.S.
Representative), David Anderson (Democracy Online Project), Chip Rabinowitz
(Diversified Dynamics), Jim Adler (VoteHere.net), Paul Craft (Florida State
Division of Elections).
Public Statement by Rebecca Mercuri presented at the National Press Club on January 18, 2000.
(This event, sponsored by George Washington University's Democracy Online Project's National Task Force and their Cyberspace Policy Institute, was entitled "A Debate on Computerized Voting: A New Solution for a New Generation of Voters." For further information, see: www.democracyonline.org and www.cpi.seas.gwu.edu)
Good Afternoon. Thank you for the opportunity to express my opinions on the subject of computer precinct and Internet voting today at the National Press Club.
I am opposed to all of the resolutions proposed by the Democracy Online Project Task Force for today's debate. My negative opinion on electronic balloting systems is not new, as I have made similar statements in expert testimony and position papers on this subject for the last decade. Most recently, I was one of the experts on the Gore recount team, where my affidavit explaining the necessity of a hand recount was presented as part of the briefs to the 11th Circuit Court of Appeals and was referenced in the first U.S. Supreme Court case on this matter.
The reasons for my opposition to the use of fully-electronic balloting and vote tabulation systems are numerous, many of which are detailed in the handout I have provided. Further information may be found on my website at www.notablesoftware.com.
In 1988, Roy Saltman authored the document "Accuracy, Integrity, and Security in Computerized Vote-Tallying" at the National Bureau of Standards (now the National Institute of Standards and Technologies). He painstakingly described the numerous flaws existing in punch-card systems, many of which were only revealed to the general public for the first time during the recent election crisis. Most people were shocked to hear these facts, including many members of the press, but those of us who have examined elections and election systems for decades were not at all surprised that what we knew to be true, that "all votes do not count," was now finally being admitted as fact by some of the election officials and vendors involved. This was no news to Florida either, in 1988 close to a quarter-million ballots were discarded in a similarly contested U.S. Senate race. Why Florida did not then choose to make changes in the manner in which they conduct their elections, is a question that should be asked.
But now, the clamor over the hanging-chad phenomenon has caused many public officials to fear that their election systems are obsolete, and there is a rush to replace the paper-based and lever machines with new, 21st century, computer technology. What is being overlooked, though, is the fact that Roy's book also addressed serious fundamental flaws with computer precinct voting and off-site balloting.
Let me read from page 40 of Roy's document:
"In a typical machine, the voter's choices are entered into a temporary storage unit. The storage unit controls a display, visible only to the voter, of the choices made. With this feedback, the voter is given some reason to believe that the desired choices have been entered correctly into the temporary storage, but no independent proof can be provided to the voter that the choices have, in fact, been entered correctly for the purpose of summarizing those choices with all others to produce vote totals."
Thirteen years later, precisely what Roy said is what all of the current DRE and Internet machines still do. The system may show you how you think you voted, but there is no way to know that this ballot is ever stored or counted properly. Vendors insist that they have provided fail-safe mechanisms, including audit trails, encryption, double or triple redundant storage and so on, but in fact these mechanisms are not sufficient and the machines can and do fail. I have documentation of a DRE failure in November's election in New Jersey where certain candidates from major parties received 0 votes at the end of the day. Upon inquiry, the manufacturer explained that no votes were "lost" and insisted that no votes were "cast" for these candidates, but this was simply not the case. As more computerized machines are deployed, we have gradually heard of more occurrences of similar failures and anomalies.
Now the computer industry has established standards for secure system certification. Such certification is typically performed for devices purchased by the Department of Defense, and was mandated by Congress under the Computer Security Act of 1987. Congress, though, exempted itself from compliance with the Act, hence they have never certified the accuracy and integrity of any computer-based voting systems used in Federal elections. This loophole must be changed. The existing standards are far from perfect, but they are the best assurance mechanism that the computer industry has at present. It is important to understand that the Federal Election Commission does not now have voting system standards in place. Instead, the vendors use an obsolete set of FEC suggested practices which were never adopted by all of the States.
I assert, then, that if a computer voting system vendor wishes to claim that their system is secure and accurate, they should voluntarily submit their product for certification under the current DoD standard, known as the Common Criteria. The Common Criteria has 7 levels, and level 4 would be the minimum appropriate for use with voting systems. NIST should be authorized to conduct such evaluations, and in the meanwhile, national standards for voting system assessment can be formulated, and appropriate laws passed.
Some further problems: Although some (not all) States prohibit convicted felons from voting, there are no States which prohibit felons (or foreign nationals) from participating in the manufacture and maintenance of voting machines, nor from owing voting machine companies (as some do).
Recently, a major software manufacturer, convicted last year of unfair business practices, announced its intention to form a consortium for the creation of new voting systems. Only a few months ago, this same firm admitted to having been the recipient of a lengthy undetected Internet attack on its own proprietary materials. Should a monopolistic organization, incapable of protecting its own assets from malicious hackers, be entrusted with our votes? This is not an isolated case, certain other voting vendors have equally dubious past track records.
Now in considering Internet voting, in addition to the problem of assuring that ballots are correctly cast, there are a host of other difficulties. How does one insure that a vote remains anonymous? Or that it is being cast by the registered voter? Or that the voter is not being coerced or monitored while voting? Internet voting may make it easier for the techno-savvy elite to cast ballots, while potentially disenfranchising or at least creating a digital divide for the poor, elderly, rural, and disabled voters who do not have equal access to the Web. Incidentally, these fears are not new, Roy Saltman also addressed these issues back in 1988.
In essence, what the computer industry currently has to offer in the way of voting systems, is a nicely packaged Pandora's box of unverified software. If communities continue to procure these boxes, whose contents they do not know or understand, on the basis of "trust us" recommendations from the manufacturers, one thing is certain. Some years down the road the box will open to reveal yet another election fiasco, but this time instead of hanging chad, we will have disappearing electrons. Next time, there will be no recount since we will be told, like some voters were in New Jersey, that "no votes were ever cast."
Some final thoughts: The Internet is not a safe medium for voting, and it should not be used at all for elections. Only DRE systems that also provide a printed paper ballot, similar to that produced by a bank ATM, that the voter can independently check for correctness and deposit for mandatory recounting should be considered for use, but no systems like this currently exist. Communities should therefore proceed prudently with their evaluations of new equipment, and wait for the Federal government to set strong standards for certification before replacing any existing voting systems. Forums such as today's debate, where issues can be discussed, can assist in the process of assessing the merits and problems with proposed solutions.
In conclusion, yes, our voting systems need to be improved, but hastily jumping out of the frying pan into the fire is certainly not the way to improve them.