Electronic Voting
The
contents of this webpage and website are Copyright © 2000 - 2007 by Rebecca
Mercuri. All Rights Reserved. All material is protected by copyright
attributed to Rebecca Mercuri where she is the sole author, or the
original sources otherwise.
I am available for
comment, consultation, expert testimony, and lectures on electronic
vote tabulation, and can be contacted via the information at the
top of this page. Members of the press and researchers seeking
interviews and quotation permissions may find it helpful to look at
the guidelines posted here. I would
appreciate it greatly if calls can be limited to the hours of 10AM -
6PM, U.S. Eastern Time, weekdays.
Follow links to
full text of papers and articles. Papers not linked may be available
on request. As this website is now getting rather long, I've highlighted
certain "must read" papers and articles using red asterisks (*). For a good overview of the subject, search for
these first and read the text at their adjacent links.
Statement
I am adamantly opposed
to the use of fully electronic or Internet-based systems for use in
anonymous balloting and vote tabulation applications. The reasons for
my opposition are manyfold, and are expressed in my writings as well
as those of other well-respected computer security experts.
At the present
time, it is my strong recommendation that all election officials REFRAIN
from procuring ANY system that does not provide an indisputable, voter verified
paper ballot.
Communities have
gradually discovered that manually prepared paper balloting systems, augmented
with assistive paper ballot-marking devices for use by the disabled and
those with literacy and language issues, can typically be procured and
maintained for considerably less than half of the price for a Direct Recording
Electronic (DRE) with touch-screen or push-button input, or DRE/VVPAT (DRE
with ballot-printer) system. Ballot-marking devices do not need to be electronic
or computer-based. Opscan ballots can be entirely hand-counted. The opscan
+ ballot-marking configurations promise to increase voter confidence
by offering the best in terms of reliability, usability and recountability,
as well as being highly cost-effective.
Since 2003, because
of unresolvable problems with the implementation and deployment of the DRE/VVPAT
systems, and the difficulties experienced in using the VVPATs in recounts,
I have also recommended (and continue to recommend) that municipalities ONLY
purchase the opscan + ballot-marking systems.
A detailed explanation
of these points, along with my suggestions regarding the selection of appropriate
voting equipment, is provided in the full text of this statement,
available *here*.
Table of Contents
|
ELECTRONIC VOTING UPDATE
|
Think About It:
Scientists
had been warning
for years about the devastation that might result from a major hurricane
on the Gulf Coast. But the U.S. Congress failed
to provide $35M to fully fund previously approved projects to build and
improve levees, floodwalls and pumping stations in the Lake Pontchartrain
region. The federal government did, though, allocate
some $37M to Louisiana under the Help America Vote Act, primarily for
the purchase and upgrade of fully electronic voting systems that provide
no mechanism for independently auditing ballots and vote totals.
|
Voter Verified Paper Ballots -- An Informational
Brochure:
An explanatory
brochure has been prepared in response to the myths and misinformation
that are currently being circulated by those who are opposed to independent
election auditing. "Facts About Voter
Verified Paper Ballots" can be downloaded, printed on double-sided
paper, and freely distributed (if in its entirety and unedited).
|
The Act that is not
helping America Vote:
The 2002
Help America Vote Act (HAVA) legislation authorized $3.8B
in federal spending, with a substantial portion of these funds
allocated to US states and terrirories for the purpose of replacing
their punch card and lever voting machines and making voting systems
accessible to the disabled. To obtain the money, an implementation
plan must be submitted to the Election Assistance Commission by
January 1, 2004. Note that states are not required to purchase
computerized voting systems, they can still obtain mark-sense (optically
scanned) products, but in order to receive certain of the equipment
funds, the plan must indicate that the state will replace all of its
lever and punch card machines by the first election for Federal office
held after January 1, 2006.
The Presidentially
appointed 4-member HAVA Election Assistance Commission, in addition
to approving each of the state plans, will also be responsible
for administering a host of other tasks, not the least of which include
overseeing a 14-member Technical Guidelines Development Committee
and a 110-member Standards Board, and making provisions for "testing,
certification, decertification, and recertification of voting system
hardware and software by accredited laboratories." The Technical
Guidelines Committee must produce a set of recommended voluntary voting
system guidelines nine months after appointment, and it is understood
that these guidelines would be the ones used by the laboratories in their
certification and testing processes.
Only problem is,
the members of the HAVA Commission were appointed nearly a year late.
As well, HAVA Committees and Boards have yet to be established.
Thus, the Technical Guidelines were NOT available by the time that state
implementation plans were due. This resulted in 9 states requesting
HAVA extensions, and many others contracting to purchase voting
systems that can not possibly be HAVA compliant, since there does
not yet exist any official HAVA standards. A further setback occurred
at the beginning of 2004, when the National Institute of Standards and
Technologies (NIST) announced that it had to curtail all work related to
HAVA (despite their named role in the legislation), due to Federal budget
cuts.
Those of us (including
myself) who had worked hard for this bill are sorely disappointed
that the VITAL security aspects of its implementation continue to be
stalled, while the equipment purchases are allowed to proceed. Write
your congressfolk and urge them to get things moving. You are welcome
to attach a copy of the statement by Rebecca Mercuri
on HAVA and Electronic Voting to your letter.
|
But vendors say their voting
machines are certified:
Voting
systems are currently certified under a system established by
the Federal Election Commission (FEC) and the National Association
of State Election Directors (NASED). This certification is based
on the 2002 FEC guidelines that were only adopted by 37 of the states
and have been criticized by technologists as flawed. (See my detailed
comment The FEC Proposed Voting
Systems Standard Update.) According to their website, even
"the FEC recognizes that the Help Americans Vote Act of 2002 will fundamentally
alter the long term application of the Standards, including testing."
Some problems with the FEC standard include the lack of a requirement that
vote tallies be independently auditable, the allowance of trade-secret
code that may not be able to be inspected should an election contest question
the proper functionality of a voting system, and the use of commercial
software products in balloting and tabulation systems without any
inspection at all. Even when additional state certification inspection
has been performed, there may be no guarantee that any particular system
has been appropriately configured prior to deployment. Revelations
that uncertified software was used in at least two California elections
(including the Gubernatorial recall) led to the mandate that voter
verified paper ballots be added to their fully-electronic voting systems.
The
Institute of Electrical and Electronics Engineers has chartered
Project
P1583 to develop a technical standard of requirements and evaluation
methods for election voting equipment. Based on the structure
of the 2002 FEC guidelines, this performance standard will provide
detail necessary for increased assurances of voting product accessibility,
accuracy, confidentiality, reliability, security and usability. The
voter verified ballot concept is being heavily
debated in the working group meetings, and it is unclear how it will
eventually be reflected in this standard -- but the current view is that
it will not be a requirement. Although there are currently no mandates
for this IEEE standard's actual application to the certification of voting
equipment, it is thought that the states may replace their use of
the FEC guidelines with this new document, and that the results of the
IEEE project could be incorporated into the HAVA standard (which does
not yet exist).
|
What about Internet voting?
Internet
voting is risky due to its sociological and technological problems.
Absentee balloting does not provide the safeguards of freedom from
coercion and vote selling that are afforded via local precincts.
Internet voting creates additional problems due to the inability of service
providers to assure that websites are not spoofed, denial of service
attacks do not occur, balloting is recorded accurately and anonymously,
and votes are cast by the appropriate person. The government's
website warns that "it is the citizen's responsibility to maintain
the latest anti-virus software for their computer" in order to assure
safety, yet they fail to acknowledge the fact that anti-virus software
can only protect against known malware (new ones appear constantly,
and could occur during an election season) and server-based attacks are
still possible. Certainly citizens overseas should have an opportunity
to vote, but perhaps this could be handled by setting up remote balloting
precincts at the U.S. Embassies, or by creating bi-partisan poll-worker
teams on military bases?
Back in 2000 when
the U.S. Department
of Defense first tried Internet voting they spent $6.2M so that
84 voters could cast ballots. This time, the DoD has engaged Accenture,
the Bermuda-based consultancy arm of the former Arthur Andersen (can
we spell Enron?) group at a cost of $22M
to oversee its SERVE project for
military personnel and overseas citizens. Accenture recently
acquired election.com (the firm that provided Internet voting
services that were disrupted by the Slammer worm during a Toronto election
on January 23, 2003) from a Saudi investment
group, Osan Ltd. that had owned 51.6% of the company.
News Flash! Following
issuance of an analysis
by four computer scientists who were members of the SERVE Security
Peer Review Group, the Pentagon decided to scrap plans for the use of
this technology to cast ballots in the 2004 Presidential election. But
it's far from gone -- R. Michael Alvarez, co-director of the Caltech/MIT
Voting Technology Project, who has a $1.8M grant to monitor the SERVE
project, wants this "experiment" to continue, as does Accenture's eDemocracy
Services group. Stay tuned.
Need I say more?
(If so, see the World Democracies and Press Quotes sections.)
|
Who created the Voter Verified Balloting
concept?
Rebecca
Mercuri did. She first described it in her paper: "Physical Verifiability of Computer
Systems" presented at the 5th International Computer Virus
and Security Conference in March 1992, and the concept also appeared
in her Doctoral Dissertation, defended October 27, 2000. She coined
the phrase in her comment: "Explanation
of Voter-Verified Ballot Systems"in The Risks Digest,
ACM Committee on Computers and Public Policy, Volume 22, Issue
17, July 24, 2002, and an artist's rendering of a "Mercuri Method"
voting system (they need not be so elaborate) appeared in her October
2002 IEEE Spectrum article, "A Better Ballot
Box." This design concept was deliberately never patented
by Dr. Mercuri so that it could be freely incorporated into election
systems.
Note that a "voter verified paper ballot" (VVPB) or
"voter verified paper audit trail" (VVPAT) is NOT the same as a
"voter verifiable audit trail" (VVAT). Many vendors and some scientists
believe that an audit trail of electronically recorded ballots can
be made secure (possibly through encryption or other mechanisms), but
no such systems have yet been validated through rigorous mathematical
proofs, nor can they be independently confirmed for correctness by non-technical
poll workers, election officials or ordinary citizens. A great demonstration
showing why electronic audits and pre-election testing are inadequate can
be viewed at: www.wheresthepaper.org.
Simply adding paper "receipts" to the system is not sufficient. The
voter must be required to perform an action that confirms that their
choices have been recorded correctly on the paper, hence making it a
verified (rather than just "verifiable") ballot in a legal sense. The
paper ballot must not provide any feature that could be used to violate
voter privacy or encourage coercion and vote selling. These voter verified
paper ballots should be used to produce the certified vote totals and
be available for scrutiny in case of election contest or recount. When
properly implemented, the "Mercuri Method" ensures that paper ballots
will not be removed from the polling place nor added to the ballot box.
Accept no substitutes! Be sure your systems (and laws) will require a
true "voter verified paper ballot" (VVPB) or "voter verified paper audit
trail" (VVPAT).
|
Some
Pockets of Sanity:
- Congressman (and former Princeton
physicist) Rush Holt has
introduced House Bill
H.R. 2239, the Voter Confidence and Increased Accessibility
Act of 2003 that would mandate a voter-verified manual audit capacity
for computerized balloting systems, prohibit the use of undisclosed
software source code and wireless communication devices, and accelerate
HAVA payment schedules to states. See his comments in the Congressional
Record. Senator Robert Graham has introduced the
companion bill S. 1980 into
the Senate. Write to your U.S. Representative and Senators
and encourage their support of this important legislation.
- The
Communications Workers of America (an AFL-CIO affiliate) issued
a resolution on August 25, 2003 to "endorse and support the use of
only DRE and touch screen machines with the ability to provide the voters
with a view of a paper ballot that is stored and available for audits."
The full text of the resolution with contact info is available
here.
- Manhattan
Borough President C. Virginia Fields has developed a detailed
set of voting
accessibility recommendations in conjunction with the Center
for Independence of the Disabled in NY using the feedback of
100 disabled individuals who tested 8 different voting machines.
- The Civil Rights Division of the U.S.
Department of Justice issued a memorandum opinion
affirming that voting systems that include contemporaneous paper records,
allowing voters to confirm that their ballots accurately reflect their
choices, do not violate HAVA or ADA laws, so long as a similar capablility
(such as can be provided by audio equipment) is available for use.
This could include tactile ballots,
an inexpensive (non-computer) alternative for the visually-impaired
that has been used successfully in Rhode Island, Canada, Peru, and
Siera Leone.
- Florida's
Congressman Robert Wexler
and Palm Beach County Commissioners Burt Aaronson and Addie Green have
filed a federal lawsuit, citing the equal protection clause of the U.S.
Constitution and claiming that it is unconstitutional for 52 counties in
Florida to have a means to conduct a recount, while the 15 touchscreen counties
cannot perform one.
- California
will be requiring that voter verified paper ballots (VVPB) be added
to their touchscreen and direct recording electronic (DRE) voting
machines by 2006. Other states with VVPB requirements include:
Illinois, New Hampshire, Oregon and Wisconsin. States with VVPB legislation
or requirements pending (these need your support to be finalized) include:
Connecticut, New Jersey, New York, Virginia,
and Washington. Active statewide VVPB campaigns are going on in Colorado, Maryland,
and Vermont (add
your state to this list by emailing mercuri @
acm.org with your web link).
- Check
out all of the I-Team 8 (WISH-TV Indianapolis, IN) investigative reports
linked to their "Will Your Vote
Count?" page. They are digging deep, doing their research well, asking
the right questions, and some of the transcripts from vendor interviews are
so slick they practically slide off your computer screen! They've turned
up concerns over software changes, vote total "glitches" and a recent
election worker dismissal. Kudos, and more reporters should follow their
lead.
|
Mark your Calendar:
No upcoming
events to announce. Check back here periodically for updates.
|
| The articles linked below in my
writings section provide an illustration
of the magnitude of problems encountered with electronic voting
equipment and offer some suggested solutions. My analyses are based on
computer science and engineering facts, and are not politically motivated.
Please read these materials carefully before contacting me for further
clarification or assistance. |
World Democracies
Election officials
in world democracies often want to believe that the situations
in the USA are dissimilar to those in their own countries. Although laws
and procedures may be different, the computer introduces universal
vulnerabilities to privacy, accuracy, and security in elections. All
democratic nations should be advised to use caution in their deployment
of new systems, and avoid those products that do not produce a
voter-verified paper audit trail.
The United Kingdom
and other European countries have begun initiatives to convert
all or part of their voting to electronic balloting (kiosk/DREs
and/or Internet-based) systems. Europe appears to be rushing ahead
to deploy computer voting technologies with serious sociological and
technological downsides, such as lack of auditability, and increased
opportunities for vote selling, monitoring, coercion, and denial
of service attacks. During mid-October, 2002 I visited England, on the
invitation of the Foundation for Information
Policy Research, to meet with and brief members of the UK
Cabinet and Parliament regarding this subject, and to provide technical
lectures at the Royal Academy of Engineering and Cambridge University.
My comments to the Cabinet are on the Cabinet Office's official website
at http://www.edemocracy.gov.uk
(search for Mercuri) -- a mildly corrected version is posted *here. I
also formally submitted an additional
follow-up comment as part of their "In the Service of Democracy"
consultation, which explains why Internet voting is not appropriate
for UK democratic elections. Media coverage of my UK tour can
be found over in my press section.
Information on the electronic voting project in Ireland can be found at
http://www.evoting.cs.may.ie.
The Brazilian government
converted to fully electronic voting in 2000, deploying over
400,000 kiosk-style machines. Although their elections are
often compared to those in the US, they are actually quite different
because the voters cast ballots by using numbers assigned to each
candidate (this is necessary because of a high degree of illiteracy
in the country). Concerns regarding accuracy of the self-auditing systems
caused the legislature to mandate a retrofit of 3% (some 12,000
machines) to produce a paper ballot that the voter could peruse
and deposit in a box for recount (the first large-scale use of the
"Mercuri Method" -- described more fully in "A
Better Ballot Box?"). These paper-trail machines were
successfully used during the October 6, 2002 election, and it
is believed that the rest of their machines will eventually be retrofitted
as well. Further discussion on this subject can be found in the article:
*"The importance of recounting
votes" by Michael Stanton (originally published in Portuguese
as "A importância da recontagem de votos", on the website
of the Agência O Estado de São Paulo, November 13,
2000). There is also an informative website: Brazilian Electronic Voting Forum by
Amilcar Brunazo Filho.
US Voting Rights Act
In the wake of the
Florida 2000 election, a number of voting rights bills were proposed
in Congress. On May 22, 2001, the U.S. House of Representatives
Committee on Science convened a Hearing on Improving Voting Technology:
The Role of Standards. I was joined on the invited panel by
Dr. Stephen Ansolabehere (MIT), Mr. Roy Saltman (NIST - retired), and
Dr. Doug Jones (University of Iowa).
These hearings resulted in House Bill H.R. 2275, the Voting Technology
Standards Act of 2001, issued from the Subcommittee on Environment,
Technology, and Standards on June 27, 2001, which was presented
with the bipartisan co-sponsorship of Congressman Vern Ehlers and
Congressman Jim Barcia. Eventually this bill was incorporated into
H.R. 3295, the Help America Vote Act of 2002. The final version can
be found at http://thomas.loc.gov.
Although this bill authorizes spending of over $4B on new voting systems,
it fails to provide a voter-verified audit trail, available for independent
recount, of ballots cast. (This is discussed further in the California section below.) It is hoped that the related
voting system standardization efforts will provide additional safeguards,
but sadly, the application of these controls has not been universally
mandated.
California
The California
State Elections Code contains a number of sections that
are directly relevant to US and international electronic voting
issues.
Section 15360 requires
that there be "a public manual tally of the ballots tabulated
by those devices cast in 1 percent of the precincts chosen at random
by the elections official." Section 15627 on recounts states: "If
in the election which is to be recounted the votes were recorded by
means of a punchcard voting system or by electronic or electromechanical
vote tabulating devices, the voter who files the declaration requesting
the recount may select whether the recount shall be conducted manually
or by means of the voting system used originally, or both." Section 15629
notes that "The recount shall be conducted publicly." And section
15630 says that "All ballots, whether voted or not, and any other relevant
material, may be examined as part of any recount if the voter filing
the declaration requesting the recount so requests."
One would think
that these requirements would prevent self-auditing voting systems
from being deployed in the state, but such is not the case. Proposition
41, California's Voting
Modernization Bond Act, passed in 2002, mandates that "a
voting system that does not require a voter to directly mark
on the ballot must produce, at the time the voter votes his or
her ballot, or at the time the polls are closed, a paper version or
representation of the voted ballot; this version shall not be
provided to the voter, but shall be retained by election officials
for use during a manual recount or other recount or contest." The key
phrase here is "or at the time the polls are closed" -- this has
been interpreted by vendors and election officials to permit the voting
system to self-generate ballot images from the internal data stored
by the computer during the election, for use in public manual tallies
or recounts. Using such systems, the voter has no way to confirm that the
ballot they intended to cast is identical to the one recorded by the machine.
Hence, such recounts are only procedural in nature, and not truly validatory.
Sadly, the U.S. Congress was similarly vague in their definition of "manual
audit capacity" in the Help America Vote Act of 2002 (Section 301 a. 2),
so lower court rulings will play an important role in determining the implementation
of when the "permanent paper record" must be produced (at the time of voting,
or after the election is over).
I have maintained
that the intention of the U.S. Act, as well as the California Code,
is to allow the voter to view the printed ballot. Finally California's
Secretary of State has agreed (but only after discovering that uncertified
software was used in their Recall and General elections in 2003 and will
continue to be used in their Spring primary election). Your voice is
needed here -- if you are a California voter, request an absentee ballot
prior to the election, or ask to use a "provisional" paper ballot when
you go to the polls, if your County provides only touchscreen DREs that
are not voter verified.
In 2001, Susan Marie
Weber, a citizen of Riverside County, CA, decided to protest the use
of the recently purchased Sequoia Voting Systems' AVC Edge System direct
recording electronic (touch-screen) voting machines in her locality. She
filed a Complaint for Injunctive
and Declaratory Relief against CA Secretary of State Bill Jones
and Riverside County, CA Registrar of Voters Mischelle Townsend,
under 42 U.S.C. §1983 and the Fourteenth Amendment to the United
States Constitution. This appeared as Case No. CV 01-11159-SVW(RZx)
before the Honorable Stephen V. Wilson in the United States District Court
for the Central District of California. Weber obtained testimony
from experts Rebecca Mercuri,
Peter Neumann and
Kim Alexander, all
of which are available here (click on the names in this sentence)
and via http://www.electionguardians.org
(along with additional case materials). The Judge ruled on September
3, 2002 in favor of the State on the basis of only written testimony
without deposition or cross-examination, and without providing an
opportunity to inspect the voting systems in question (although he
criticized one witness for not having done so, even though it would
likely have been a felony to perform such an examination in the absence
of a court order), and various appeals also failed. The ruling allowed
other California counties to proceed with their purchases of self-auditing
voting equipment. Despite this ruling, the new Secretary of State,
Kevin Shelley, decided on November 21, 2003 to require that all computerized
voting equipment be equiped with a voter verified paper trail by July 2006.
Considerable details can be found at http://www.ss.ca.gov/elections/touchscreen.htm.
Numerous county election officials have protested, so this battle isn't
over yet, stay tuned.
California Proposition
23, the None of the Above Ballot Option, failed to achieve enough
votes to pass in the March 7, 2000 election. The lack of a "none
of the above" choice for each ballot race (in all states) creates a
dubious dark hole for election auditing. Traditionally, when one totals
all votes cast in each race, these fall short of the total number of
votes eligible to be cast (usually by around 3%). The "lost vote" (also
called "undervote" or "residual vote") rate tends to differ depending
on equipment and other factors, but it is often also an indicator of
malfunction or tampering. The lack of a definitive "no vote" allows vendors
and election officials to assert that votes were "not cast" when in
fact votes have actually been lost. This situation is becoming more prevalent
with the introduction of multiple recording devices within the voting
machines, and no real way to determine which storage unit has the "correct"
data. It is unfortunate that the U.S. Green Party believes that the
"none of the above" option is contrary to their interest in promoting
proportional balloting, since they are among the most vocal opponents
of this effective auditing requirement.
The California Voter Foundation is an
excellent resource for information about electronic voting initiatives.
Kim Alexander's "Paper or
Plastic?" editorial in the October 20, 2002 San Diego Union-Tribune
is a good place to start reading, but there are many other excellent
commentaries on the calvoter.org
website. The discussion about California's Proposition 43 "The
right to have your vote counted" by Michelle Rubalcava
is a good piece, and U.C. Hastings College of the Law Library
maintains a search engine for California Propositions from
1911 to the present, which is also helpful. Those who are considering
filing for an election recount (anywhere in California) might want
to take a look at the County of Los Angeles Media Kit at: http://regrec.co.la.ca.us/general/mediakit/section8.htm.
Florida
I was requested
by the Democratic Recount Committee to provide a sworn affidavit
regarding the necessity of a hand recount in the disputed Florida
precincts. The testimony was presented as part of the defense brief
in the 11th Circuit Court of Appeals, Atlanta, November 17, 2000.
The document is linked here as a
pdf file, and can also obtained through direct request to the 11th Circuit
Court. Reference to this affidavit was made in one of the briefs
presented to the United States Supreme Court, available at http://www.supremecourtus.gov/florida.html.
Go to the link for "Brief in opposition for respondents Gore
et al. in Nos. 00-836 and 00-837" (you will need Acrobat Reader).
See footnote on page 6 (Acrobat page 13).
Writings by Rebecca Mercuri
This section includes formal papers, commentary, articles,
and other relevant materials on voting and computer security.
The PDF versions for some of these writings may be more suitable
for producing handouts.
"Electronic Vote Tabulation Checks &
Balances," Ph.D. dissertation, defended October 27, 2000 at the
School of Engineering and Applied Science of the University of
Pennsylvania, Philadelphia, PA. The title link here takes you to
the thesis defense announcement and abstract. You can obtain
a copy of the thesis through UMI via their website at http://www.umi.com. The thesis number
is 3003665. They offer a variety of formats of the original double-spaced
document, and they can take credit-card orders. Alternatively,
you can order a paper-bound, single-spaced, full-page version (easier
to read than the UMI printing) by sending a cheque or money order for
$45.00 (U.S. dollars) to Notable Software, P.O. Box 1166, Dept. EV,
Philadelphia, PA 19105 USA. (Those who are manufacturing or evaluating
voting systems will find it helpful to consider two lists of questions I developed
as part of this thesis research. Some of the wording closely follows
the Common Criteria, whose Level 4 assessment I have recommended
as a minimum benchmark for voting system security. The
Common Criteria International Standard Organization's documents are
at http://csrc.nist.gov/cc.)
*"Florida 2002: Sluggish Systems, Vanishing
Votes," (PDF) Rebecca
Mercuri, Inside Risks, Communications of the Association for
Computing Machinery, Volume 45, No. 11, November 2002.
"Verification
for Electronic Balloting Systems," Rebecca T. Mercuri and
Peter G. Neumann, Chapter 3, Secure Electronic Voting,
Dimitris Gritzalis, ed., Advances in Information Security, Volume
7, Kluwer Academic Publishers, Boston, November 2002. ISBN
1-4020-7301-1
*"A
Better Ballot Box?," (PDF) Rebecca Mercuri, IEEE Spectrum,
Volume 39, Number 10, October 2002.
"Computer Security: Quality rather than
Quantity," (PDF) Rebecca
Mercuri, Security Watch, Communications of the Association for
Computing Machinery, Volume 45, No. 10, October 2002. (Note: The
footnote numbering is incorrect in the PDF version.)
*"MIT vs
Mercuri," Rebecca Mercuri, The Risks Digest, ACM Committee
on Computers and Public Policy, Volume 22, Issue 26, September
25, 2002. Archived at: http://catless.ncl.ac.uk/Risks/22.26.html.
*"Florida Primary
2002: Back to the Future," Rebecca Mercuri, The Risks
Digest, ACM Committee on Computers and Public Policy, Volume 22,
Issue 24, September 11, 2002. Archived at: http://catless.ncl.ac.uk/Risks/22.24.html.
*"Explanation
of Voter-Verified Ballot Systems," Rebecca Mercuri, ACM
Software Engineering Notes (SIGSOFT), Volume 27, Number 5, September,
2002. Also published in The Risks Digest, ACM Committee on
Computers and Public Policy, Volume 22, Issue 17, July 24, 2002. Archived
at: http://catless.ncl.ac.uk/Risks/22.17.html.
*"Humanizing
Voting Interfaces," Rebecca Mercuri, Usability Professionals
Association Conference, Orlando, FL, July 11, 2002.
"Uncommon Criteria," (PDF) Rebecca Mercuri, Inside Risks, Communications
of the Association for Computing Machinery, Volume 45, No. 1,
January 2002.
*"The FEC Proposed
Voting Systems Standard Update," a detailed comment by
Dr. Rebecca Mercuri, submitted to the Federal Election Commission
on September 10, 2001 in accordance with Federal Register FEC Notice
2001-9, Vol. 66, No. 132.
*"System Integrity
Revisited," (PDF) Rebecca
T. Mercuri and Peter G. Neumann, Inside Risks, Communications
of the Association for Computing Machinery, Volume 44, No. 1, January
2001. This was reprinted in the CPSR Newsletter, Winter 2001,
Volume 19, No. 1.
*"Internet and
Electronic Voting," Peter Neumann, Rebecca Mercuri, Lauren Weinstein,
The Risks Digest, ACM Committee on Computers and Public Policy, Volume
21, Issue 14, December 12, 2000. Archived at: http://catless.ncl.ac.uk/Risks/21.14.html.
This article was also printed in ACM's Software Engineering Notes (SIGSOFT),
Volume 26, No. 3, March 2001.
*"Voting Automation
(Early and Often?)," (PDF) Rebecca Mercuri, Inside Risks,
Communications of the Association for Computing Machinery, Volume
43, No. 11, November 2000.
*"Corrupted Polling,"
(PDF) Rebecca Mercuri, Inside Risks,
Communications of the Association for Computing Machinery, Volume 36,
No. 11, November, 1993.
"Threats to Suffrage
Security," Rebecca Mercuri, 16th National Computer Security Conference,
September, 1993. (See Conference Panels below.)
*"The Business
of Elections," (PDF) Rebecca
Mercuri, 3rd Conference on Computers, Freedom and Privacy, March, 1993.
*"Voting-Machine
Risks," (PDF) Rebecca
Mercuri, Inside Risks, Communications of the Association for Computing
Machinery, Volume 35, No. 11, November, 1992.
"Physical Verifiability
of Computer Systems," Rebecca T. Mercuri, 5th International
Computer Virus and Security Conference, March, 1992.
Related Writings by Other Authors
*"Election Reform and Electronic Voting Systems
(DREs): Analysis of Security Issues," (PDF), Eric A. Fischer, Congressional Research
Service, The Library of Congress, November 4, 2003. A well-balanced
overview of voting security threats and vulnerabilities along with
an assessment of strengths and weaknesses of potential solutions.
"Usability Review
of the Diebold DRE system for Four Counties in the State of Maryland,"
(PDF),
Benjamin B. Bederson, Paul S. Herrnson, University of Maryland,
2002. This study, conducted prior to the Fall primaries, provides an
early indication of machine failures with the Diebold equipment
(used in Georgia as well as Maryland).
*"Secret-Ballot Receipts and Transparent Integrity,"
(PDF), David Chaum,
Draft, May 2002. Chaum, the inventor of eCash, describes a unique
method where voters can positively confirm their ballots, both at
the polling station and also after the election, to be sure they
are correctly entered into the tallies, without revealing their choices.
This groundbreaking work may eventually form the basis of secure
and auditable future elections.
"A Preliminary Assessment
of the Reliability of Existing Voting Equipment," The Caltech-MIT Voting
Technology Project, March 30, 2001 (revised). (This paper and other important
reports indicating flaws in all election systems are available at: http://www.vote.caltech.edu/Reports/index.html)
*"Opening a Can of Electronic
Chad," Bill Sterner, Carol Schiffler. A position piece against
touch-screen voting from the Citizens for Legitimate Government.
http://www.legitgov.org
"How to
Make Over One Million Votes Disappear: Electoral Slight of Hand
in the 2000 Presidential Election," Democratic Investigative
Staff, House Committee on the Judiciary, August 20, 2001. (A 50 state
report prepared for US Representative John Conyers, Jr., Ranking
Member, House Committee on the Judiciary, and Dean, Congressional Black
Caucus.)
*"Voting and Technology,"
Bruce Schneier, Crypto-Gram, December 15, 2000. http://www.counterpane.com (Also read
his explanation in the 2/15/01 issue about why Internet voting
is not possible, and his scathing comments about iBallot.com's proprietary
voting technology claims in the 3/15/01 issue. In the 9/15/02 issue,
this expert again confirmed his opposition to Internet elections.)
*"No voting machine
is going to be perfect -- and not just in Florida," Rick
Malwitz, Home News Tribune, November 30, 2000. (If you think that
direct-entry computerized voting machines are the answer to hanging
chad, read this.) A confirming follow-up on this story: *"N.J. critic says
booth proved not so fail-safe," Jeff Gelles, Philadelphia
Inquirer, January 15, 2000.
"Democracy Under Stress," Ronnie Dugger,
Los Angeles Times, November 19, 2000.
*"Disenfranchised by design: voting systems
and the election process," Susan King Roth, Information Design
Journal, Volume 9, No. 1, 1998. (This early study examines usability
issues in various election systems, with the conclusion that newer
technologies are not necessarily an improvement for voters.) The pdf
can be accessed via: http://informationdesign.org/pubs/roth1998.html
*"Security Criteria for Electronic
Voting," Peter G. Neumann, 16th National Computer Security
Conference, September, 1993. *"Risks in Computerized Elections," Peter
G. Neumann, Inside Risks, 5, CACM 33, 11, p. 170, November 1990.
(Dr. Neumann has expressed his opposition to fully-electronic and
Internet-based democratic elections since the early days of this
debate. His Risks newsgroup frequently prints reports of election
problems, issues are archived at: http://catless.ncl.ac.uk/Risks.)
"Accuracy, Integrity,
and Security in Computerized Vote-Tallying," Roy G. Saltman,
U.S. Department of Commerce, National Bureau of Standards Special
Publication 500-158, August 1988. (This classic document contains
highly relevant material for those who are thinking of procuring new
voting systems.)
*"Reflections
on Trusting Trust," Ken Thompson, Communications of the ACM,
Vol. 27, No. 8, August 1984. This important Turing Award lecture explains
precisely how it is possible to conceal nefarious programming such
that it will never be found in a source code inspection.
A Bit of Levity
"Digital Democracy,"
Mark Fiore, February 4, 2004. (A fun animation depicting what we
are getting with paperless voting systems. Wait a minute or so for it
to load, don't press back or next.)
"We
guarantee the outcome," Summer, 2003. (If someone told me
I'd be referring folks to Larry Flynt's website, I would have laughed,
but this parody is great, and G-rated to boot!)
"Electronic Election
Day," Jack G. Ganssle, November 3, 2004! (A frightening but funny
election prediction.)
"A Renegade Reciprocal Miracle Chad,"
Joel Achenbach, Washington Post, November 17, 2000. (A lighter
view of the punch card problem.
Join My Email Group
I have created a
private email group which I am using to send messages regarding updates
to this website and other announcements about relevant articles, conferences,
legislative activities, election litigation and my upcoming talks and media
appearances. The group is "send-only" so replies go only to me, not to
the other group members. Announcements are sporadic, typically only a couple
per month. If you are interested in joining, send an email to:
NotableVoting-subscribe@topica.com
Then follow the
instructions in the reply message that you will receive, and
I will place you on the list. If you join topica (although you don't
need to do this to be a mailgroup member), you can review all of the
prior messages in the NotableVoting history list at their website. If
you tire of the list, you can remove yourself from it by sending a message
to NotableVoting-unsubscribe@topica.com and your address will be
deleted.
Additional Links
The wealth of materials at these sites
may be helpful to those who are interested in voting technology.
The links here are in no particular order and should not be construed
as endorsements. As web pages and hosts can change rapidly, I take absolutely
no responsibility for the content and/or reliability of these links.
