Rebecca Mercuri's Statement on Electronic Voting
Copyright © 2001 and 2007 by Rebecca Mercuri All Rights
mercuri AT acm DOT org http://www.notablesoftware.com
I am adamantly opposed to the use of any fully electronic or Internet-based
systems for use in anonymous balloting and vote tabulation applications.
The reasons for my opposition are manyfold, and are expressed in my writings
as well as those of other well-respected computer security experts.
To briefly summarize my opinion (based on nearly two decades of research)
on this matter I state the following:
- Fully electronic systems do not provide any way that the voter can
truly verify that the ballot cast corresponds to that being recorded, transmitted,
or tabulated. Any programmer can write code that displays one thing
on a screen, records something else, and prints yet another result.
There is no known way to ensure that this is not happening inside of a voting
- Electronic balloting systems without individual print-outs for examination
by the voters, do not provide an independent audit trail (despite manufacturer
claims to the contrary). As all voting systems (especially electronic)
are prone to error, the ability to also perform a manual hand-count of the
ballots is essential.
- No electronic voting system has been certified to even the lowest level
of the U.S. government or international computer security standards (such
as the ISO Common Criteria or its predecessor, TCSEC/ITSEC), nor has any
ever been required to comply with such. Hence, no current electronic
voting system has been properly validated as being secure.
- There are no required standards for voting displays, so computer ballots
can be (and have been) constructed to be as confusing (or more) than the
butterfly style used in Florida 2000, giving advantage to some candidates
- Electronic balloting and tabulation makes the tasks performed by poll
workers, challengers, and election officials purely procedural, and
removes any opportunity to perform bipartisan checks. Any computerized
election process is thus entrusted to the small group of individuals who
program, construct and maintain the machines.
- Although convicted felons and foreign citizens are prohibited from
voting in U.S. elections (in many states), there are no such laws regarding
voting system manufacturers, programmers and administrative personnel.
Felons and foreigners can (and do!) work at and even own some of the voting
machine companies providing equipment to U.S. municipalities.
- Encryption provides no assurance of privacy or accuracy of ballots
cast. Cryptographic systems, even strong ones, can be cracked or hacked,
thus leaving the ballot contents along with the identity of the voter open
to perusal. One of the nation's top cryptographers, Bruce Schneier,
has expressed his concerns on this matter, and has recommended that no computer
voting system be adopted unless it also provides a physical paper ballot
perused by the voter and used for recount and verification. Another leading
cryptographer, David Chaum, has also expressed his endorsement of paper ballot
- Internet voting (whether at polling places or off-site) provides avenues
of system attack to the entire planet. If the major software manufacturer
in the world cannot not protect its own company and products from an Internet
attack, one must understand that voting systems (created by this firm or
others) will be no better (and probably will be worse) in terms of vulnerability.
It is a known fact that the computer industry does not have the capability,
at present, to assure a safe, reliable election using only electronic devices.
Thorough investigation of vendor claims, and failures of performance in actual
elections, have demonstrated the existence of major flaws and serious vulnerabilities.
Communities that rely on promises of security and accuracy when purchasing
electronic voting systems, run the severe risk that they will administer
an election whose results may someday be contested -- but they will not be
able to provide an independent audit which can ascertain the content of the
true ballots cast. In short, Florida all over again. Even worse,
system defects may be revealed years after an election, making all earlier
- Off-site Internet voting creates unresolvable problems with authentication,
leading to possible loss of voter privacy, vote-selling, and coersion.
Furthermore, this form of voting does not provide equal access for convenient
balloting by all citizens, especially the poor, those in rural areas not well
served by Internet service providers, the elderly, and certain disabled populations.
For these reasons, off-site Internet voting systems should not be used for
any government election.
Communities have discovered that manually prepared paper balloting
systems, augmented with assistive paper ballot-marking devices for use
by the disabled and those with literacy and language issues, can typically
be procured and maintained for considerably less than half of the price
for a Direct Recording Electronic (DRE) with touch-screen or push-button
input, or DRE/VVPAT (DRE with ballot-printer) system. Ballot-marking devices
do not need to be electronic or computer-based. Opscan ballots can be entirely
hand-counted. The opscan + ballot-marking configurations promise to increase
voter confidence by offering the best in terms of reliability, usability
and recountability, as well as being highly cost-effective.
It is therefore incumbent upon all concerned with elections to REFRAIN
from procuring ANY system that does not provide an indisputable, anonymous
paper ballot which can be independently verified by the voter prior to casting,
used by the election board to demonstrate the veracity of any electronic
vote totals, and also available for manual audit and recount.
Since 2003, because of unresolvable problems with the implementation
and deployment of the DRE/VVPAT systems, and the difficulties experienced
in using the VVPATs in recounts, I have recommended (and continue to recommend)
that municipalities ONLY purchase the opscan + ballot-marking systems.