Electronic Voting

Rebecca Mercuri, Ph.D.

Updated 1/5/2017

P.O. Box 1166 -- Dept. EV
Philadelphia, PA  19105

notable AT notablesoftware DOT com

215/327-7105 or 609/587-1886
10AM-6PM U.S. Eastern Time, Mon.-Fri.  (Please try the 609 number first)

http://www.notablesoftware.com


The contents of this webpage and website are Copyright © 2000 - 2017 by Rebecca Mercuri. All Rights Reserved. All material is protected by copyright attributed to Rebecca Mercuri where she is the sole author, or the original sources otherwise.

This website has been updated to repair links in the earlier version and also includes commentary related to the 2016 U.S. Presidential Election and its aftermath. To report broken links, please notify me via the above contact information (preferably email).

I am available for comment, consultation, expert testimony, and lectures on electronic vote tabulation, and can be contacted via the information at the top of this page.  Members of the press and researchers seeking interviews and quotation permissions may find it helpful to look at the guidelines posted here. I would appreciate it greatly if calls can be limited to the hours of 10AM - 6PM, U.S. Eastern Time, weekdays.

Follow links to full text of papers and articles. Papers not linked may be available on request. As this website is rather long, I've highlighted certain "must read" papers and articles using red asterisks (*). For a good overview of the subject, search for these first and read the text at their adjacent links.

Statement

I am adamantly opposed to the use of fully electronic or Internet-based systems for use in anonymous balloting and vote tabulation applications.  The reasons for my opposition are manifold, and are expressed in my writings as well as those of other well-respected computer security experts.

At the present time, it is my strong recommendation that all election officials REFRAIN from procuring ANY system that does not provide an indisputable, voter verified paper ballot.

Communities have gradually discovered that manually prepared paper balloting systems, augmented with assistive paper ballot-marking devices for use by the disabled and those with literacy and language issues, can typically be procured and maintained for considerably less than half of the price for a Direct Recording Electronic (DRE) with touch-screen or push-button input, or DRE/VVPAT (DRE with ballot-printer) system. Ballot-marking devices do not need to be electronic or computer-based. Opscan-style ballots can (and should) be entirely hand-counted. Paper ballots increase voter confidence by offering the best in terms of reliability, usability and recountability, as well as being highly cost-effective.

Since 2003, because of unresolvable problems with the implementation and deployment of the DRE/VVPAT systems, and the difficulties experienced in using the VVPATs in recounts, I have recommended AGAINST the purchase of these devices.

A detailed explanation of these points, along with my suggestions regarding the selection of appropriate voting equipment, is provided in the full text of this statement, available *here*. 

ELECTRONIC VOTING UPDATE

Danger to Democracy #1

National Popular Vote (NPV) legislation has been creeping into state after state. A large push for this backdoor run around the U.S. Constitution has developed following the 2016 Presidential Election. For those of you who don't know what it is, NPV, when fully enacted, would MANDATE that states cast their electoral votes, NOT how the voters of those states intended, but rather to the winner of the NATIONAL popular vote. Yup, YOUR electors would be REQUIRED to cast their Presidential votes to the AGGREGATE US highest vote-getter, REGARDLESS of who the winner was in the state itself. I can't imagine how this could even remotely be deemed Constitutional (remember the concept of States' Rights?) but it would likely take a team of Harvard-educated lawyers to argue this point before the U.S. Supreme Court to stop it, if enacted. If enough states (they only need a total of 270 electors) are stupid enough to allow their legislatures to pass the bill and their Governors sign it, then we're ALL hosed, even if your own state doesn't sign on.

Here's what it really means and why it's on my evoting website -- states that have unauditable voting will be incentivised to increase their bogus vote totals for President well beyond what they need to do to win their own state, enough so that they can shift the national total to the candidate of their choice! This is no problem for places like Ohio, where observed variations in the number of persons who sign the polling book from the number of ballots recorded on the machines, in over 80% of precincts, is somehow considered "normal" -- or in Florida where the citizens vote on paper ballots read by optical scanners but are prohibited from review via manual recounts. Basically, if NPV becomes law, then the Crooks are in Control for sure. To find out the status of NPV in your state, check http://www.saveourstates.com -- if it does not say "enacted" yet, then let your State Senator, State Representative and Governor all know RIGHT AWAY that this is a HORRIBLE idea that should NOT become law.

Your voice on this CAN make a difference! On April 15, 2011, I contributed an OpEd column to Hawai'i Reporter explaining why Governor Abercrombie should veto the Hawai'i House and Senate NPV bill. IT WAS STOPPED! The article is here: Hawai'i's Instant Runoff Voting Legislation -- Veto Needed -- please read and use for talking points to oppose the scam of NPV.      

Danger to Democracy #2

The same group that has been promoting NPV is also hawking Instant Runoff Voting (IRV). Certainly not coincidentally, the key founder of the organization behind both of these absurdities is none other than John "the spoiler" Anderson. IRV is getting a foothold with naive communities who would like to believe the snake oil salesmen's claims that by making the voting selection process harder (not easier) this somehow further enfranchises beleaguered minority groups and third party candidates. The reason why I'm mentioning IRV here is again because of the voting machines. Heck, we can't even prove that these devices (whether DREs or scanners) are adding 1+1=2 properly. It's all a trade secret and we're not allowed to check the algorithms. How can we ever hope to verify that the complicated math needed to generate the IRV totals has been programmed and implemented correctly? If you find yourself in a conversation with anyone supporting IRV, just ask them to show you ON PAPER how to tally the election and then watch them squirm. Make sure your municipality, county, and state does not fall for IRV. For more details on what's wrong with IRV, read James Langan's research paper, Instant Runoff Voting: A Cure That is Likely Worse Than the Disease.

Danger to Democracy #3

Perhaps because Americans are considered to be notoriously lazy, our election officials would rather find excuses for not hand-counting all of the ballots in order to verify the results produced by the computers. Of course, the reasons given for not checking the totals at each precinct (before the ballots are removed and some have a chance to mysteriously wander away) are often ones of cost or expedience. As it turns out, a small team of vote counters (perhaps drafted as for jury duty), using a simple bin (not binary) method should be able to hand-tabulate all but the most complex ballots in time for the 11 o'clock news (assuming that the polls close at 8PM). (For the computer scientists, it helps to recall that a bin sort is O(n).) The counting could even be live-streamed on Facebook from every precinct, so all can see the results in real-time! Of course there are plenty of wrongheaded mathematics wonks (including even some at lofty places like Princeton and MIT), and even a few Congressfolk, who would like us to believe that a random percentage audit (or partial audit) is all that is necessary to confirm the electronic tallies. This is provably untrue. Even so, such formulas require that increasing percentages be audited if anomalies are detected, so you might as well just count all the ballots from the get-go to avoid the further hassle. For a detailed explanation of why these incomplete audits don't work, see my post on the CNET Defensive Computing blog at http://news.cnet.com/8301-13554_3-9876062-33.html . Oh, and if someone tells you that if people touch the ballots they'll change the votes, just explain that page feeders could be used with opaque projectors to display the papers without any human handling.
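
An added illustration, not part of the original page: the sketch below computes how likely a flat-percentage precinct audit, such as the 1 percent manual tally in California Section 15360 quoted on this page, is to sample at least one precinct whose electronic tally was altered, and how large the sample must grow as the margin narrows. The precinct counts, margins and the per-precinct shift cap are constructed assumptions, as is the premise that a hand count of a sampled precinct always exposes an alteration.

```python
from math import comb


def detection_probability(n_precincts, n_altered, n_audited):
    """Chance that a uniform random sample of precincts, drawn without
    replacement, contains at least one altered precinct:
    1 - C(N - k, n) / C(N, n)."""
    if not 0 <= n_altered <= n_precincts:
        raise ValueError("n_altered must lie between 0 and n_precincts")
    if not 0 <= n_audited <= n_precincts:
        raise ValueError("n_audited must lie between 0 and n_precincts")
    if n_altered == 0:
        return 0.0
    # comb() is 0 when the sample is larger than the pool of clean
    # precincts, which correctly gives a detection probability of 1.
    miss = comb(n_precincts - n_altered, n_audited) / comb(n_precincts, n_audited)
    return 1.0 - miss


def min_altered_precincts(votes_per_precinct, margin_votes, max_shift_percent):
    """Fewest precincts whose tallies must change to overturn a lead of
    margin_votes, assuming (hypothetical cap) that no more than
    max_shift_percent of one precinct's votes can be switched."""
    # Moving one vote from the leader to the runner-up shrinks the lead by 2.
    votes_to_switch = margin_votes // 2 + 1
    per_precinct = votes_per_precinct * max_shift_percent // 100
    if per_precinct < 1:
        raise ValueError("shift cap allows no votes to be switched")
    return -(-votes_to_switch // per_precinct)  # ceiling division


def audit_size_for(n_precincts, n_altered, confidence):
    """Smallest number of audited precincts that reaches the requested
    detection probability, or None if nothing was altered."""
    for n_audited in range(n_precincts + 1):
        if detection_probability(n_precincts, n_altered, n_audited) >= confidence:
            return n_audited
    return None


def scenario_table(n_precincts=1000, votes_per_precinct=500,
                   audit_percent=1, max_shift_percent=20,
                   margins_percent=(5, 1, 0.2)):
    """Constructed scenario: equal-size precincts and a range of margins."""
    total_votes = n_precincts * votes_per_precinct
    n_audited = n_precincts * audit_percent // 100
    rows = []
    for margin in margins_percent:
        margin_votes = int(total_votes * margin / 100)
        k = min_altered_precincts(votes_per_precinct, margin_votes,
                                  max_shift_percent)
        rows.append({
            "margin_percent": margin,
            "altered_precincts": k,
            "p_detect_flat_audit": detection_probability(n_precincts, k, n_audited),
            "audit_size_for_95": audit_size_for(n_precincts, k, 0.95),
        })
    return rows


if __name__ == "__main__":
    for row in scenario_table():
        print("margin {margin_percent:>4}%  altered {altered_precincts:>4}  "
              "P(detect at 1%) {p_detect_flat_audit:.3f}  "
              "precincts for 95% {audit_size_for_95}".format(**row))
```

In this constructed scenario the sample needed for a fixed confidence grows as the margin shrinks, because fewer precincts need to be altered to change the outcome.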

Voter Verified Paper Ballots -- An Informational Brochure:

An explanatory brochure has been prepared in response to the myths and misinformation that are currently being circulated by those who are opposed to independent election auditing.  "Facts About Voter Verified Paper Ballots" can be downloaded, printed on double-sided paper, and freely distributed (if in its entirety and unedited). Although DREs with VVPBs are an improvement over DREs without them, because of numerous issues related to the construction and use of VVPBs (some of which are noted below), since 2003 I have recommended AGAINST the purchase of these devices. Ballots should be prepared on paper (not computers) and counted from the paper (preferably by humans).

The Act that did not help America Vote:

The 2002 Help America Vote Act (HAVA) legislation authorized $3.8B in federal spending, with a substantial portion of these funds allocated to US states and territories for the purpose of replacing their punch card and lever voting machines and making voting systems accessible to the disabled.  To obtain the money, an implementation plan had to be submitted to the Election Assistance Commission by January 1, 2004. States were NOT required to purchase fully computerized voting systems, they could obtain mark-sense (optically scanned) products that use paper, but in order to receive certain of the equipment funds, the plan had to indicate that the state would replace all of its lever and punch card machines by the first election for Federal office held after January 1, 2006. New York was the only state that decided to retain its lever machines.
The Presidentially appointed 4-member HAVA Election Assistance Commission, in addition to approving each of the state plans, was also to be responsible for administering a host of other tasks, not the least of which included overseeing a 14-member Technical Guidelines Development Committee and a 110-member Standards Board, and making provisions for "testing, certification, decertification, and recertification of voting system hardware and software by accredited laboratories."  The Technical Guidelines Committee was to have produced a set of recommended voluntary voting system guidelines nine months after appointment, and it was understood that these guidelines would be the ones used by the laboratories in their certification and testing processes.
What actually occurred was that the members of the HAVA Commission were appointed nearly a year late and the establishment of HAVA Committees and Boards was similarly delayed. Thus, the Technical Guidelines were NOT available by the time that state implementation plans were due. This resulted in 9 states requesting HAVA extensions, and many others contracting to purchase voting systems that could not possibly be HAVA compliant, since no official HAVA standards yet existed. A further setback occurred at the beginning of 2004, when the National Institute of Standards and Technology (NIST) announced that it had to curtail all work related to HAVA (despite their named role in the legislation), due to Federal budget cuts (funds were later reinstated for the election project).
Those of us (including myself) who had worked hard for this bill were sorely disappointed that the most salient aspects of its implementation were stalled, while initial equipment purchases were allowed to proceed under grandfathered and obsolete standards. Many municipalities (including in California, Florida and elsewhere) purchased voting equipment that subsequently had to be replaced due to non-compliance, system failures, and security and auditability concerns. It has taken years to only partially unwind the many problems caused by the feeding frenzy generated by overzealous voting system vendors seeking the HAVA funds, fueled by gullible election officials who were intimidated into doling the money out for products that were not yet ready for prime time. Some of this unnecessary waste of funds could have been avoided, had Congress merely extended the HAVA deadlines, or had the appointments and work proceeded on schedule.

But vendors said their voting machines were certified:

U.S. voting systems, beginning in 1990, have been certified under a system originally established by the Federal Election Commission (FEC) and a private group, the National Association of State Election Directors (NASED). Testing fees are paid, by the vendors, to certain qualified Independent Testing Authorities and examinations are conducted secretly without any results (other than a final passed status) issued publicly. This certification was, at first, based on the FEC guidelines adopted by only 37 of the states and criticized by technologists as flawed.  (See my detailed comment The FEC Proposed Voting Systems Standard Update.)  According to their website, even "the FEC recognizes that the Help Americans [sic] Vote Act of 2002 will fundamentally alter the long term application of the Standards, including testing." Some problems with the FEC standard included the lack of a requirement that vote tallies be independently auditable, the allowance of trade-secret code that may not be able to be inspected should an election contest question the proper functionality of a voting system, the use of commercial software products in balloting and tabulation systems without any inspection at all, and no provision for re-examination or decertification when problems are later identified. Even when additional state certification inspection has been performed, there may be no guarantee that any particular system has been appropriately configured prior to deployment. Revelations that uncertified software was used in at least two California elections (including the Gubernatorial recall) led to the mandate that voter verified paper ballots be added to their fully-electronic voting systems.

Under HAVA, the certification program was restructured under the Election Assistance Commission (EAC) and Thomas Wilkey, the individual formerly responsible for this task under NASED, was appointed as the EAC's Executive Director, where he has continued to perform oversight of the testing and certification tasks. The EAC generated a new set of Voluntary Voting System Guidelines, which was approved in December 2005, far too late to have any systems tested and deemed compliant in time for the 2006 HAVA deadline for replacement of lever and punch card systems. Though there were some slight improvements, these guidelines suffered from most of the same problems as did the FEC standard (as noted above and in my comment to the EAC). A proposed revision (including the MIT/NIST-proposed Orwellian concept of Software Independence -- that a voting machine could contain software but somehow be independent of it) was issued for public comment in 2009 as VVSG 1.1, but portions were harshly criticized (including earlier by myself) and it has not yet been approved.

Many of the voting systems that have been certified under the 2005 EAC standard were subsequently found to be faulty in actual elections or via independent studies (reports commissioned by state or local governments are posted at http://www.eac.gov/testing_and_certification/voting_system_reports.aspx ). The list of certified voting systems can be found at http://www.eac.gov/testing_and_certification/certified_voting_systems.aspx but these are only the current certifications. Obsolete certifications cannot be easily checked, nor is the older equipment recalled.

What about Internet voting?

Internet voting is risky due to its sociological and technological problems. Absentee balloting does not provide the safeguards of freedom from coercion and vote selling that are afforded via local precincts. Internet voting creates additional problems due to the inability of service providers to assure that websites are not spoofed, denial of service attacks do not occur, balloting is recorded accurately and anonymously, and votes are only cast by the authorized voter themself. The government's website warned that "it is the citizen's responsibility to maintain the latest anti-virus software for their computer" in order to assure safety, yet they failed to acknowledge the fact that anti-virus software can only protect against known malware (new ones appear constantly, and could occur during an election season) and server-based attacks are still possible. Certainly citizens overseas should have an opportunity to vote, but perhaps this could be handled by setting up remote balloting precincts at the U.S. Embassies, or by creating bi-partisan poll-worker teams on military bases?
Back in 2000 when the U.S. Department of Defense first tried Internet voting they spent $6.2M so that 84 voters could cast ballots.  Subsequently, the DoD engaged Accenture, the Bermuda-based consultancy arm of the former Arthur Andersen (can we spell Enron?) group at a cost of $22M to oversee its SERVE project for military personnel and overseas citizens. Following issuance of an analysis by four computer scientists who were members of the SERVE Security Peer Review Group, the Pentagon decided to scrap plans for the use of this technology to cast ballots in the 2004 Presidential election.  But it's far from gone -- the DoD dabbled with the concept of Internet voting prior to the 2008 election and was shot down again by the same scientists on many of the same grounds. We'll likely see some variation of this project surface again as we near 2012.
Need I say more? (If so, see the World Democracies and Press Quotes sections.)

Who created the Voter Verified Balloting concept?

Rebecca Mercuri coined the phrase in her comment: "Explanation of Voter-Verified Ballot Systems" in The Risks Digest, ACM Committee on Computers and Public Policy, Volume 22, Issue 17, July 24, 2002. Mercuri first addressed this concept in her paper: "Physical Verifiability of Computer Systems" presented at the 5th International Computer Virus and Security Conference in March 1992, and a more detailed description appeared in her Doctoral Dissertation, defended October 27, 2000. An artist's rendering of a "Mercuri Method" voting system (they need not be so elaborate) appeared in her October 2002 IEEE Spectrum article, "A Better Ballot Box."

The earliest description of a "ballot behind glass" was provided by Tom Benson in The Risks Digest, Volume 2, Issue 22, March 4, 1986 and elaborated on by Kurt Hyde in The Risks Digest, Volume 2, Issue 24, March 8, 1986. The difference between these methods and Mercuri's involves her requirement for a deliberate verification step, and also the recognition of the paper ballot as the authoritative record of the voter's choices (in the event of a dispute, the paper version would prevail over any electronic data).

This design concept was deliberately never patented by any of the inventors so that it could be freely incorporated into election systems. Shortly after the November 2000 Presidential election, the Avante company submitted a patent application that incorporated much of this prior art (including block diagrams very similar to those displayed at Mercuri's October 2000 dissertation defense and at a subsequent publicly-attended ACM talk she presented in November 2000, at the Sarnoff Center, situated just a few blocks down the road from Avante's offices). Avante has tried (largely unsuccessfully) to pursue infringement claims against some of the vendors who have implemented ballot printers.

Note that a "voter verified paper ballot" (VVPB) is not the same as a "voter verifiable audit trail" (VVAT). Many vendors and some scientists believe that an audit trail of electronically recorded ballots can be made secure (possibly through encryption or other mechanisms), but no such systems have yet been validated through rigorous mathematical proofs, nor can they be independently confirmed for correctness by non-technical poll workers, election officials or ordinary citizens.

A great demonstration showing why electronic audits and pre-election testing are inadequate can be viewed at: www.wheresthepaper.org. Simply adding paper "receipts" as some have proposed, to the system, is not sufficient. The voter must be required to perform an action that confirms that their choices have been recorded correctly on the paper, hence making it a verifiED (rather than just "verifiABLE") ballot in a legal sense. The paper ballot must not provide any feature that could be used to violate voter privacy or encourage coercion and vote selling. These voter verified paper ballots must be used to produce the certified vote totals and be available for scrutiny in case of election contest or recount.

Think about it:

  • Scientists had been warning for years about the devastation that might result from a major hurricane on the Gulf Coast. But the U.S. Congress failed to provide $35M to fully fund previously approved projects to build and improve levees, floodwalls and pumping stations in the Lake Pontchartrain region. The federal government did (prior to Katrina) allocate some $37M to Louisiana under the Help America Vote Act, primarily for the purchase and upgrade of fully electronic voting systems that provide no mechanism for independently auditing ballots and vote totals.

  • The Civil Rights Division of the U.S. Department of Justice issued a memorandum opinion affirming that voting systems that include contemporaneous paper records, allowing voters to confirm that their ballots accurately reflect their choices, do not violate HAVA or ADA laws, so long as a similar capability (such as can be provided by audio equipment) is available for use. This could include tactile ballots, an inexpensive (non-computer) alternative for the visually-impaired that has been used successfully in Rhode Island, Canada, Peru, and Sierra Leone.

Mark your Calendar:

I will be presenting an inauguration eve lecture titled -- Reengineering Elections in the USA -- for the Princeton ACM/IEEE Computer Society on Thursday, January 19, 2017, at 8:00PM. Further information can be found on the calendar at: http://princetonacm.acm.org/meetings/mtg1701.org. This meeting is free and open to the public, with no advance registration required. The talk is available for presentation at other locations, please contact Rebecca Mercuri for scheduling.

The articles linked below in my writings section provide an illustration of the magnitude of problems encountered with electronic voting equipment and offer some suggested solutions. My analyses are based on computer science and engineering facts, and are not politically motivated. Please try to read some of the *red starred* materials before contacting me for further clarification or assistance.


World Democracies

Election officials in world democracies often want to believe that the situations in the USA are dissimilar to those in their own countries. Although laws and procedures may be different, the computer introduces universal vulnerabilities to privacy, accuracy, and security in elections. All democratic nations should be advised to use caution in their deployment of new systems, and avoid those products that do not produce a voter-verified paper audit trail.

The United Kingdom and other European countries have begun initiatives to convert all or part of their voting to electronic balloting (kiosk/DREs and/or Internet-based) systems. Europe appears to be rushing ahead to deploy computer voting technologies with serious sociological and technological downsides, such as lack of auditability, and increased opportunities for vote selling, monitoring, coercion, and denial of service attacks. During mid-October, 2002 I visited England, on the invitation of the Foundation for Information Policy Research, to meet with and brief members of the UK Cabinet and Parliament regarding this subject, and to provide technical lectures at the Royal Academy of Engineering and Cambridge University. The transcript of my comments to the Cabinet is posted *here. I also formally submitted an additional follow-up comment as part of their "In the Service of Democracy" consultation, which explains why Internet voting is not appropriate for UK democratic elections.  Media coverage of my UK tour can be found over in my press section. Information on the electronic voting project in Ireland can be found at http://www.evoting.cs.may.ie. Thanks to the unflagging efforts of this group and others (including myself) who strongly protested the change from paper and pencil voting, in 2009 it was announced that "the Government has decided not to proceed with electronic voting in Ireland." Over in the Netherlands, the Dutch group "We Don't Trust Voting Computers" successfully hacked a NEDAP voting machine, turning it into a chess-playing device. On October 1, 2007, the District Court of Amsterdam decertified all NEDAP voting computers currently in use there. Further information at http://wijvertrouwenstemcomputersniet.nl/English .

The Brazilian government converted to fully electronic voting in 2000, deploying over 400,000 kiosk-style machines.  Although their elections are often compared to those in the US, they are actually quite different because the voters cast ballots by using numbers assigned to each candidate (this is necessary because of a high degree of illiteracy in the country). Concerns regarding accuracy of the self-auditing systems caused the legislature to mandate a retrofit of 3% (some 12,000 machines) to produce a paper ballot that the voter could peruse and deposit in a box for recount (the first large-scale use of the "Mercuri Method" -- described more fully in "A Better Ballot Box?"). These paper-trail machines were successfully used during the October 6, 2002 election, and it is believed that the rest of their machines will eventually be retrofitted as well. Further discussion on this subject can be found in the article: *"The importance of recounting votes" by Michael Stanton (originally published in Portuguese as "A importância da recontagem de votos", on the website of the Agência O Estado de São Paulo, November 13, 2000). There is also an informative website: Brazilian Electronic Voting Forum by Amilcar Brunazo Filho.

History of the Help America Vote Act

In the wake of the Florida 2000 election, a number of voting rights bills were proposed in Congress. On May 22, 2001, the U.S. House of Representatives Committee on Science convened a Hearing on Improving Voting Technology: The Role of Standards.  I was joined on the invited panel by Dr. Stephen Ansolabehere (MIT), Mr. Roy Saltman (NIST - retired), and Dr. Doug Jones (University of Iowa).

These hearings resulted in House Bill H.R. 2275, the Voting Technology Standards Act of 2001, issued from the Subcommittee on Environment, Technology, and Standards on June 27, 2001, which was presented with the bipartisan co-sponsorship of Congressman Vern Ehlers and Congressman Jim Barcia. Eventually this bill was incorporated into H.R. 3295, the Help America Vote Act of 2002 (HAVA). Details of the election legislation in the 107th Congress (2001-2002) can be found here. Although the HAVA bill authorized spending of over $4B on new voting systems, it did not mandate that voter verified paper ballots be available for independent recount. (This is discussed further in the California section below.) It was hoped that the related voting system standardization efforts created by the EAC/TGDC, as authorized by the bill, would provide additional safeguards, but sadly, the application of these controls has not been universally mandated in the United States, leaving it up to the states (and in some cases, municipalities within the states) to decide whether or not paper ballots should be used or even allowed to be recounted (see Florida below).

California

The California State Elections Code contains a number of sections that are directly relevant to US and international electronic voting issues.

Section 15360 requires that there be "a public manual tally of the ballots tabulated by those devices, including vote by mail voters' ballots, cast in 1 percent of the precincts chosen at random by the elections official." This section also notes: "In resolving any discrepancy involving a vote recorded by means of a punchcard voting system or by electronic or electromechanical vote tabulating devices, the voter verified paper audit trail shall govern if there is a discrepancy between it and the electronic record." Curiously, Section 15627 on recounts states: "If in the election which is to be recounted the votes were recorded by means of a punchcard voting system or by electronic or electromechanical vote tabulating devices, the voter who files the declaration requesting the recount may select whether the recount shall be conducted manually or by means of the voting system used originally, or both." Section 15629 notes that "The recount shall be conducted publicly" and Section 15630 says that "All ballots, whether voted or not, and any other relevant material, may be examined as part of any recount if the voter filing the declaration requesting the recount so requests." Given all of this, one would think that the paper ballots (either the original ones that were scanned, or in the case of the DRE's, the VVPATs) would be consulted in all recounts. Unfortunately, as occurred in Nguyen v. Nguyen, Case No. 07CC00407 (2007), Orange County California Superior Court, the Judge ruled that the Election Code's allowance for the selection by the voter requesting the recount, means that the requirement that the VVPAT always trump any discrepancies can be disregarded if the requestor chooses to use the recount produced "by means of the voting system used originally." This loophole in the law will likely be opportunistically exploited again until it is closed. 
(Numerous YouTube courtroom videos from my 2 days of testimony in this matter can be found by using the search string: rebecca mercuri nguyen.)

As well, Proposition 41, California's Voting Modernization Bond Act, passed in 2002, mandates that "a voting system that does not require a voter to directly mark on the ballot must produce, at the time the voter votes his or her ballot, or at the time the polls are closed, a paper version or representation of the voted ballot; this version shall  not be provided to the voter, but shall be retained by election officials for use during a manual recount or other recount or contest." The key phrase here is "or at the time the polls are closed" -- this has been interpreted by vendors and election officials to permit the voting system to self-generate ballot images from the internal data stored by the computer during the election, for use in public manual tallies or recounts. Using such systems, the voter has no way to confirm that the ballot they intended to cast is identical to the one recorded by the machine. Hence, such recounts are only procedural in nature, and not truly validatory.  Sadly, the U.S. Congress was similarly vague in their definition of "manual audit capacity" in the Help America Vote Act of 2002 (Section 301 a. 2), so lower court rulings will play an important role in determining the implementation of when the "permanent paper record" must be produced (at the time of voting, or after the election is over). 

I have always maintained that the intention of HAVA, as well as the California Code, is to allow the voter to view the printed ballot prior to casting it. Finally, in 2004, California's Secretary of State agreed (but only after discovering that uncertified software was used in their Recall and General elections in 2003) with this interpretation. Your participation is needed here -- if you are a voter living in a municipality that uses DREs (with or without VVPATs), request an absentee ballot prior to the election so that you can cast your vote on paper. That is the only way you can be assured that a) your vote was submitted as you intended and b) the ballot you prepared will be available for a manual recount. I have been voting absentee since DREs replaced the lever machines in my County in 2004.

In 2001, Susan Marie Weber, a citizen of Riverside County, CA, decided to protest the use of the recently purchased Sequoia Voting Systems' AVC Edge System direct recording electronic (touch-screen) voting machines in her locality. She filed a Complaint for Injunctive and Declaratory Relief against CA Secretary of State Bill Jones and Riverside County, CA Registrar of Voters Mischelle Townsend, under 42 U.S.C. §1983 and the Fourteenth Amendment to the United States Constitution. This appeared as Case No. CV 01-11159-SVW(RZx) before the Honorable Stephen V. Wilson in the United States District Court for the Central District of California.  Weber obtained testimony (at name links here) from experts Rebecca Mercuri, Peter Neumann and Kim Alexander. The Judge ruled on September 3, 2002 in favor of the State on the basis of only written testimony without deposition or cross-examination, and without providing an opportunity to inspect the voting systems in question (although he criticized one witness for not having done so, even though it would likely have been a felony to perform such an examination in the absence of a court order), and various appeals also failed. The ruling allowed other California counties to proceed with their purchases of self-auditing voting equipment. Despite this ruling, the subsequent Secretary of State, Kevin Shelley, decided on November 21, 2003 to require that all computerized voting equipment be equipped with an accessible voter verified paper trail by July 2006. The next Secretary of State, Deborah Bowen, decided to conduct a "Top to Bottom Review" of California's voting systems, which resulted in the decertification of most of the DREs. Currently only Orange and San Mateo Counties use DRE with VVPAT. All other Counties in CA use opscan.

California Proposition 23, the None of the Above Ballot Option, failed to achieve enough votes to pass in the March 7, 2000 election. The lack of a "none of the above" choice for each ballot race (in all states) creates a dubious dark hole for election auditing. Traditionally, when one totals all votes cast in each race, these fall short of the total number of votes eligible to be cast (usually by around 3%). The "lost vote" (also called "undervote" or "residual vote") rate tends to differ depending on equipment and other factors, but it is often also an indicator of malfunction or tampering. The lack of a definitive "no vote" allows vendors and election officials to assert that votes were "not cast" when in fact votes have actually been lost. This situation is becoming more prevalent with the introduction of multiple recording devices within the voting machines, and no real way to determine which storage unit has the "correct" data. It is unfortunate that the U.S. Green Party believes that the "none of the above" option is contrary to their interest in promoting proportional balloting, since they are among the most vocal opponents of this effective auditing requirement.
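The residual-vote check discussed above can be sketched as follows. This is an added example, not part of the original page: the precinct figures are constructed, and the 2-point tolerance and the rule that a "none of the above" race must account for every ballot are assumptions.

```python
from statistics import median

# Constructed returns for one single-choice race:
# (precinct, equipment, ballots cast, votes recorded per choice).
NO_NOTA = [
    ("P-01", "opscan", 1000, {"A": 520, "B": 455}),
    ("P-02", "opscan", 800, {"A": 390, "B": 386}),
    ("P-03", "opscan", 1200, {"A": 600, "B": 570}),
    ("P-04", "DRE", 900, {"A": 450, "B": 420}),
    ("P-05", "DRE", 1100, {"A": 500, "B": 468}),
    ("P-06", "DRE", 700, {"A": 350, "B": 329}),
    ("P-07", "DRE", 500, {"A": 260, "B": 245}),
]
# Same race with an explicit "none of the above" choice on the ballot.
WITH_NOTA = [
    ("P-01", "opscan", 1000, {"A": 520, "B": 455, "NOTA": 25}),
    ("P-02", "opscan", 800, {"A": 390, "B": 386, "NOTA": 21}),
    ("P-05", "DRE", 1100, {"A": 500, "B": 468, "NOTA": 30}),
]


def residual(ballots_cast, votes):
    """Ballots cast minus votes recorded in the race (the 'lost vote')."""
    return ballots_cast - sum(votes.values())


def audit_race(returns, nota_on_ballot, tolerance=0.02):
    """Return {precinct: (reason, residual)} for precincts needing review.

    Without NOTA a residual may be abstention, so only outliers against the
    median rate for the same equipment type can be flagged (assumed rule).
    With NOTA every ballot records a choice, so any shortfall is a loss.
    """
    rates = {}
    for _, equipment, ballots, votes in returns:
        rates.setdefault(equipment, []).append(residual(ballots, votes) / ballots)
    baseline = {eq: median(r) for eq, r in rates.items()}

    findings = {}
    for precinct, equipment, ballots, votes in returns:
        lost = residual(ballots, votes)
        if lost < 0:
            # More votes than ballots is never explainable as abstention.
            findings[precinct] = ("more votes than ballots", lost)
        elif nota_on_ballot and lost > 0:
            findings[precinct] = ("votes lost", lost)
        elif (not nota_on_ballot
              and lost / ballots - baseline[equipment] > tolerance):
            findings[precinct] = ("residual above equipment baseline", lost)
    return findings


if __name__ == "__main__":
    for label, data, nota in (("no NOTA", NO_NOTA, False),
                              ("with NOTA", WITH_NOTA, True)):
        for precinct, (reason, lost) in sorted(audit_race(data, nota).items()):
            print(f"{label}: {precinct} {reason} ({lost})")
```

In the constructed data, the 3-vote shortfall in P-02 is flagged only when the ballot carries the explicit choice; under the statistical rule it is indistinguishable from ordinary abstention.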

See http://www.calvoter.org for further information on initiatives and election equipment data. U.C. Hastings College of the Law Library maintains a search engine for its extensive California Ballot Propositions Database, which is also helpful.

Florida

I was requested by the Democratic Recount Committee to provide a sworn affidavit regarding the necessity of a hand recount in the disputed Florida precincts.  The testimony was presented as part of the defense brief in the 11th Circuit Court of Appeals, Atlanta, November 17, 2000. The document is linked here as a pdf file, and can also be obtained through direct request to the 11th Circuit Court.  Reference to this affidavit was made in Brief in opposition for respondents Gore et al. in Nos. 00-836 and 00-837 to the U.S. Supreme Court.

In August of 2002 I testified in behalf of the Plaintiff requesting a recount in Florida 15th Circuit Court Case No. CA-02-3667-AE Emil P. Danciu v. Theresa LePore in her Official Capacity as Palm Beach County Supervisor of Elections, Boca Raton City Canvassing Board, Palm Beach County Canvassing Board, Susan Haynie, and Bill Hager. Footage of my demonstration showing that a selection could inadvertently be made without actually pressing the touchscreen at the candidate's name location, aired on 60 Minutes. Also revealed during the warehouse investigation was the fact that these voting machines were never manually checked for all combinations of candidate selections during the pre-election testing process.

During 2007, Florida outlawed the use of touchscreen voting (having previously outlawed the hanging chad punchcard systems) and now uses optical scanning throughout the state. Unfortunately, in 2004, Florida also outlawed the right of voters or candidates to be allowed to audit the electronically-generated results via a manual recount. (This may have been partly in response to a federal lawsuit by their 19th District Congressman Robert Wexler and Palm Beach County Commissioners Burt Aaronson and Addie Green, citing the equal protection clause of the U.S. Constitution and claiming that it was unconstitutional for 52 counties in Florida to have a means to conduct a recount, while the 15 touchscreen counties could not perform one.) Thus there is no way to independently confirm that the scanners have been programmed correctly, are not experiencing anomalous conditions (such as treating certain types of ink as invisible), and have not been tampered with (as Harri Hursti showed can alter vote totals). See http://onlinejournal.com/evoting/060305BBV/060305bbv.html for further details. For all of these reasons (plus others related to voter disenfranchisement), Florida continues to get an F in election integrity.

New Jersey

From 2004-2006, I provided pro bono assistance for the Gusciora v. McGreevey lawsuit, which protested the use of paperless DRE voting machines in the State of New Jersey on constitutional grounds. The Plaintiff's Complaint and Brief can be found at the links here. I submitted extensive written testimony on October 16, 2004 that described numerous flaws with electronic voting systems (lack of provability, malfunctioning that disenfranchises voters, less accuracy, vulnerability to insider attacks, lack of transparency, improper vendor responses to software flaws, inadequate certification, lack of independent ballot audit, and vendor misrepresentation). My testimony in the remand hearing before Hon. Linda Feinberg, Superior Court of New Jersey, Law Division, Mercer County, largely focused on the inability of the vendors to provide a voter verified paper ballot add-on to the DRE equipment that could be Federally certified for use, in time for compliance with the newly enacted New Jersey law requiring same by January 1, 2008. Based on Judge Feinberg's findings, the Appellate Division decided to remand the matter to the Law Division in order to monitor compliance with the new legislation. Although testimony by numerous individuals was presented by Plaintiffs, the only comments noted in the Appellate Division Opinion were mine, pertaining to the issue that there were factors independent of the VVPAT that would make it unlikely that the AVC Advantage DRE would meet the 2002 FEC standards requirements by December 2007. As I had predicted, and despite monitoring by the Court, the VVPATs indeed were not ready by 2008 and the Attorney General issued two 6-month extensions for compliance, also to no avail.

In the meanwhile, a trial was scheduled and the Court ordered the State and vendor to supply voting machines and source code for examination. Information about the review and testimony in the 2009 (and earlier) hearings can be found at Professor Andrew Appel's website and also at the Freedom to Tinker blog. On February 1, 2010, Judge Feinberg ruled that the voting machines must be reevaluated to determine whether they are "accurate and reliable" and required that additional safeguards should be put in place to discourage tampering. The statement, which noted "there is simply no evidence to conclude that absent complete access, coupled with malicious intent to alter the results of an election, the voting machines have failed to correctly and accurately count every vote cast" also indicated that all voting systems have vulnerabilities, so New Jersey's unauditable machines seem (at least to the Court) to be no worse than other methods (such as those involving paper ballots). Unfortunately, the ruling did not go far enough to require that the VVPAT law in the state be complied with, so that there might be some actual proof that the machines were correctly and accurately counting every vote cast (or not). And so it goes. Personally, I have felt strongly that the Plaintiffs' team was missing the boat by focusing on hacking rather than the Constitutional aspects of assuring verification and transparency in the election process. Nothing is really proven by such attack demonstrations, other than that they could potentially occur -- since independent examinations of the equipment directly following the elections are routinely prohibited, we'll never be able to show that tampering was afoot. The greater likelihood is that malfunctions and misprogramming actually will (and do) occur. These we have plenty of evidence of, and only with voter verified paper ballots is it possible to recover from and mitigate such problems. 
Perhaps someone else will try to sue on these grounds, when evidence of machine failure eventually surfaces.

I was asked to provide comment on New Jersey's draft Criteria for Voter-Verified Paper Records for DRE voting machines. My response is attached here. The final version of the State Criteria is posted at http://www.njelections.org/voter_verified_paper_record_criteria.html . The Attorney General's reports, also available via this website, in which she (perhaps conveniently?) declines to certify the VVPRS (paper ballot attachments) for the Sequoia Advantage and Edge DREs, is very curious, since the AG's office argued in behalf of Defense in the lawsuit noted above. The Sequoia Advantage DREs are used in 18 of NJ's 21 Counties. You might think that since the AG did certify VVPRS for two other vendors' voting machines, the Judge might have required that these be used instead of the Sequoias, but no. Hmmm.

If you vote in New Jersey, here's what you can do. NJ has an absentee option where citizens can register to receive paper ballots in the mail. You will need to re-register as an absentee each year, but it is a great alternative to using the paperless DREs. Don't trust the Post Office? If you take your ballot to the County Election Office and drop it off there (in its sealed envelopes) during their business hours (extended to the close of polls on election day), you'll know that at least your vote choices have reached the tabulation center, which is something that the DREs cannot assure. In case of recounts (which do happen in NJ) these ballots are the only ones that can actually be checked without computer intervention.

Writings by Rebecca Mercuri
This section includes formal papers, commentary, articles, and other relevant materials on voting and computer security.  The PDF versions for some of these writings may be more suitable for producing handouts.

"Electronic Vote Tabulation Checks & Balances," Ph.D. dissertation, defended October 27, 2000 at the School of Engineering and Applied Science of the University of Pennsylvania, Philadelphia, PA. The title link here takes you to the thesis defense announcement and abstract. A PDF copy of the entire dissertation can be downloaded (for free!) here: http://www.notablesoftware.com/Papers/mercuri-thesis.pdf. You can also obtain a copy of the thesis through UMI/Proquest by sending an email to disspub@proquest.com  -- the thesis number is 3003665.  They offer various archival quality formats (hardbound, softbound, unbound, microfiche, and microfilm) of the original double-spaced 235-page document, they can take credit-card orders, and I'll receive a small royalty. Those who are manufacturing or evaluating voting systems will find it helpful to consider two additional lists of questions I developed as part of this thesis research. Some of the wording closely follows the Common Criteria, whose Level 4 assessment I have recommended as a minimum benchmark for voting system security.  Further information about the Common Criteria and downloadable copies can be found at http://www.commoncriteriaportal.org .

*"Florida 2002: Sluggish Systems, Vanishing Votes," (PDF) Rebecca Mercuri, Inside Risks, Communications of the Association for Computing Machinery, Volume 45, No. 11, November 2002.

"Verification for Electronic Balloting Systems," Rebecca T. Mercuri and Peter G. Neumann, Chapter 3, Secure Electronic Voting, Dimitris Gritzalis, ed., Advances in Information Security, Volume 7, Kluwer Academic Publishers, Boston, November 2002.  ISBN 1-4020-7301-1

*"A Better Ballot Box?," (PDF) Rebecca Mercuri, IEEE Spectrum, Volume 39, Number 10, October 2002.

"Computer Security: Quality rather than Quantity," (PDF) Rebecca Mercuri, Security Watch, Communications of the Association for Computing Machinery, Volume 45, No. 10, October 2002. (Note: The footnote numbering is incorrect in the PDF version.)

*"MIT vs Mercuri," Rebecca Mercuri, The Risks Digest, ACM Committee on Computers and Public Policy, Volume 22, Issue 26, September 25, 2002. Archived at: http://catless.ncl.ac.uk/Risks/22.26.html.

*"Florida Primary 2002: Back to the Future," Rebecca Mercuri, The Risks Digest, ACM Committee on Computers and Public Policy, Volume 22, Issue 24, September 11, 2002. Archived at: http://catless.ncl.ac.uk/Risks/22.24.html.

*"Explanation of Voter-Verified Ballot Systems," Rebecca Mercuri, ACM Software Engineering Notes (SIGSOFT), Volume 27, Number 5, September, 2002.  Also published in The Risks Digest, ACM Committee on Computers and Public Policy, Volume 22, Issue 17, July 24, 2002. Archived at: http://catless.ncl.ac.uk/Risks/22.17.html.

*"Humanizing Voting Interfaces," Rebecca Mercuri, Usability Professionals Association Conference, Orlando, FL, July 11, 2002.

"Uncommon Criteria," (PDF) Rebecca Mercuri, Inside Risks, Communications of the Association for Computing Machinery, Volume 45, No. 1, January 2002.

*"The FEC Proposed Voting Systems Standard Update," a detailed comment by Dr. Rebecca Mercuri, submitted to the Federal Election Commission on September 10, 2001 in accordance with Federal Register FEC Notice 2001-9, Vol. 66, No. 132.

*"System Integrity Revisited," (PDF) Rebecca T. Mercuri and Peter G. Neumann, Inside Risks, Communications of the Association for Computing Machinery, Volume 44, No. 1, January 2001.  This was reprinted in the CPSR Newsletter, Winter 2001, Volume 19, No. 1.

*"Internet and Electronic Voting," Peter Neumann, Rebecca Mercuri, Lauren Weinstein, The Risks Digest, ACM Committee on Computers and Public Policy, Volume 21, Issue 14, December 12, 2000.  Archived at:  http://catless.ncl.ac.uk/Risks/21.14.html.  This article was also printed in ACM's Software Engineering Notes (SIGSOFT), Volume 26, No. 3, March 2001.

*"Voting Automation (Early and Often?)," (PDF) Rebecca Mercuri, Inside Risks, Communications of the Association for Computing Machinery, Volume 43, No. 11, November 2000.

*"Corrupted Polling," (PDF) Rebecca Mercuri, Inside Risks, Communications of the Association for Computing Machinery, Volume 36, No. 11, November, 1993.

"Threats to Suffrage Security," Rebecca Mercuri, 16th National Computer Security Conference, September, 1993. (See Conference Panels below.)

*"The Business of Elections," (PDF) Rebecca Mercuri, 3rd Conference on Computers, Freedom and Privacy, March, 1993.

*"Voting-Machine Risks," (PDF) Rebecca Mercuri, Inside Risks, Communications of the Association for Computing Machinery, Volume 35, No. 11, November, 1992.

"Physical Verifiability of Computer Systems," (PDF) Rebecca T. Mercuri, 5th International Computer Virus and Security Conference, March, 1992.

Related Writings by Other Authors

*"Voting into Vapor," Craig Lambert, Harvard Magazine, November-December 2004, Volume 107, Number 2. This succinct piece provides insight into the mathematics behind the voting system problem, in terms that a layperson can readily understand.

*"Election Reform and Electronic Voting Systems (DREs): Analysis of Security Issues," (PDF), Eric A. Fischer, Congressional Research Service, The Library of Congress, November 4, 2003. A well-balanced overview of voting security threats and vulnerabilities along with an assessment of strengths and weaknesses of potential solutions.

"Usability Review of the Diebold DRE system for Four Counties in the State of Maryland," (PDF), Benjamin B. Bederson, Paul S. Herrnson, University of Maryland, 2002. This study, conducted prior to the Fall primaries, provides an early indication of machine failures with the Diebold equipment (used in Georgia as well as Maryland).

*"Secret-Ballot Receipts and Transparent Integrity," (PDF), David Chaum, Draft, May 2002. Chaum, the inventor of eCash, describes a unique method where voters can positively confirm their ballots, both at the polling station and also after the election, to be sure they are correctly entered into the tallies, without revealing their choices. This groundbreaking work may eventually form the basis of secure and auditable future elections.

*"Opening a Can of Electronic Chad," Bill Sterner, Carol Schiffler. A position piece against touch-screen voting from the Citizens for Legitimate Government.  http://www.legitgov.org

"How to Make Over One Million Votes Disappear: Electoral Sleight of Hand in the 2000 Presidential Election," Democratic Investigative Staff, House Committee on the Judiciary, August 20, 2001. (A 50 state report prepared for US Representative John Conyers, Jr., Ranking Member, House Committee on the Judiciary, and Dean, Congressional Black Caucus.)

*"Voting and Technology," Bruce Schneier, Crypto-Gram, December 15, 2000. Comments on the November 2000 election, with his endorsement of the original version of Rebecca Mercuri's evote.html webpage. For further reading from Schneier on election topics use the Archives link at: http://www.schneier.com/crypto-gram.html (Read his explanation in the 2/15/01 issue about why Internet voting is not possible, and his scathing comments about iBallot.com's proprietary voting technology claims in the 3/15/01 issue. In the 9/15/02 issue, this expert again confirmed his opposition to Internet elections. The 11/15/16 and 12/15/16 issues provide his thoughts about election security and hacking in the 2016 election.)

*"No voting machine is going to be perfect -- and not just in Florida," Rick Malwitz, Home News Tribune, November 30, 2000. (If you think that direct-entry computerized voting machines are the answer to hanging chad, read this.) A confirming follow-up on this story: *"N.J. critic says booth proved not so fail-safe," Jeff Gelles, Philadelphia Inquirer, January 15, 2000.

"Democracy Under Stress," Ronnie Dugger, Los Angeles Times, November 19, 2000.

*"Disenfranchised by design: voting systems and the election process," Susan King Roth, Information Design Journal, Volume 9, No. 1, 1998. (This early study examines usability issues in various election systems, with the conclusion that newer technologies are not necessarily an improvement for voters.) The pdf can be accessed via: http://www.informationdesign.org/downloads/doc_roth1998.pdf

*"Security Criteria for Electronic Voting," Peter G. Neumann, 16th National Computer Security Conference, September, 1993.  *"Risks in Computerized Elections," Peter G. Neumann, Inside Risks, 5, CACM 33, 11, p. 170, November 1990. (Dr. Neumann has expressed his opposition to fully-electronic and Internet-based democratic elections since the early days of this debate. His Risks newsgroup frequently prints reports of election problems, issues are archived at: http://catless.ncl.ac.uk/Risks.)

"Accuracy, Integrity, and Security in Computerized Vote-Tallying," Roy G. Saltman, U.S. Department of Commerce, National Bureau of Standards Special Publication 500-158, August 1988. (This classic document contains highly relevant material for anyone researching or dealing with voting systems.)

*"Reflections on Trusting Trust," Ken Thompson, Communications of the ACM, Vol. 27, No. 8, August 1984. This important Turing Award lecture explains precisely how it is possible to conceal nefarious programming such that it will never be found in a source code inspection.

A Bit of Levity

"Homer Simpson Vote Flip 2008," Yes, this really does happen with DRE voting machines. I and a room full of folks witnessed a vote flip during a certification examination conducted by Michael Shamos for the Commonwealth of Pennsylvania. The vendor couldn't explain the "anomaly" but the exam continued. Guess what? Dr. Shamos certified the system for use! Not joking. Here's a real one posted in 2012: Vote Flip on Machine. And there are more....

"A Renegade Reciprocal Miracle Chad," Joel Achenbach, Washington Post, November 17, 2000. (A lighter view of the punch card problem)

Join My Email Group

I have created a private email group which I am using to send messages regarding updates to this website and other announcements about relevant articles, conferences, legislative activities, election litigation and my upcoming talks and media appearances. The group is "send-only" so replies go only to me, not to the other group members. Announcements are sporadic, typically only a couple per month. If you are interested in joining, send an email to:

NotableVoting-subscribe@topica.com

Then follow the instructions in the reply message that you will receive, and I will place you on the list. If you join topica (although you don't need to do this to be a mailgroup member), you can review all of the prior messages in the NotableVoting history list at their website. If you tire of the list, you can remove yourself from it by sending a message to NotableVoting-unsubscribe@topica.com and your address will be deleted.

Additional Links

The wealth of materials at these sites may be helpful to those who are interested in voting technology. The links here are in no particular order and should not be construed as endorsements. As web pages and hosts can change rapidly, I take absolutely no responsibility for the content and/or reliability of these links.

- Inside Risks
- Risks Forum Newsgroup