| Rebecca Mercuri,
|P.O. Box 1166 -- Dept.
Philadelphia, PA 19105
notablesoftware DOT com
10AM-6PM U.S. Eastern Time, Mon.-Fri. (Please try the 609 number first)
I am available for comment, consultation, expert testimony, and lectures on electronic vote tabulation, and can be contacted via the information at the top of this page. Members of the press and researchers seeking interviews and quotation permissions may find it helpful to look at the guidelines posted here. I would appreciate it greatly if calls can be limited to the hours of 10AM - 6PM, U.S. Eastern Time, weekdays.
Follow links to full text of papers and articles. Papers not linked may be available on request. As this website is rather long, I've highlighted certain "must read" papers and articles using red asterisks (*). For a good overview of the subject, search for these first and read the text at their adjacent links.
opposed to the use of fully electronic or Internet-based systems for
use in anonymous balloting and vote tabulation applications. The
for my opposition are manyfold, and are expressed in my writings as
well as those of other well-respected computer security experts.
it is my strong recommendation that all election officials REFRAIN from
procuring ANY system that does not provide an indisputable, voter
verified paper ballot.
have gradually discovered that manually prepared paper balloting
systems, augmented with assistive paper ballot-marking devices for use
by the disabled and those with literacy and language issues, can
typically be procured and maintained for considerably less than half of
the price for a Direct Recording Electronic (DRE) with touch-screen or
push-button input, or DRE/VVPAT (DRE with ballot-printer) system.
Ballot-marking devices do not need to be
electronic or computer-based. Opscan-style ballots can (and should) be
hand-counted. Paper ballots increase voter confidence by offering the
best in terms of reliability, usability and recountability, as well as
being highly cost-effective.
Since 2003, because of unresolvable problems with the implementation and deployment of the DRE/VVPAT systems, and the difficulties experienced in using the VVPATs in recounts, I have recommended AGAINST the purchase of these devices.
A detailed explanation of these points, along with my suggestions regarding the selection of appropriate voting equipment, is provided in the full text of this statement, available *here*.
Table of Contents
|Danger to Democracy #1
National Popular Vote (NPV) legislation has been creeping into state after state. Fot those of you who don't know what it is, NPV, when fully enacted, would MANDATE that states cast their electoral votes, NOT how the voters of those states intended, but rather to the winner of the NATIONAL popular vote. Yup, YOUR electors would be REQUIRED to cast their Presidential votes to the AGGREGATE US highest vote-getter, REGARDLESS of who the winner was in the state itself. I can't imagine how this could even remotely be deemed Constitutional (remember the concept of States' Rights?) but it would likely take a team of Harvard-educated lawyers to argue this point before the U.S. Supreme Court. If enough states (they only need a total of 270 electors) are stupid enough to allow their legislatures to pass the bill and their Governors sign it, then we're ALL hosed, even if your own state doesn't sign on.
|Danger to Democracy #2
The same group that has been promoting NPV is also hawking Instant Runoff Voting (IRV). Certainly not coincidentally, the key founder of the organization behind both of these absurdities is none other than John "the spoiler" Anderson. IRV is getting a foothold with naieve communities who would like to believe the snake oil salesmen's claims that by making the voting selection process harder (not easier) this somehow further enfranchises beleaguered minority groups and third party candidates. The reason why I'm mentioning IRV here is again because of the voting machines. Heck, we can't even prove that these devices (whether DREs or scanners) are adding 1+1=2 properly. It's all a trade secret and we're not allowed to check the algorithms. How can we ever hope to verify that the complicated math needed to generate the IRV totals has been programmed and implemented correctly? If you find yourself in a conversation with anyone supporting IRV, just ask them to show you ON PAPER how to tally the election and then watch them squirm. Make sure your municipality, county, and state does not fall for IRV. For more on how to help oppose IRV, check out http://www.instantrunoffvoting.us .
|Danger to Democracy #3
Perhaps because Americans are considered to be notoriously lazy, our election officials would rather find excuses for not hand-counting all of the ballots in order to verify the results produced by the computers. Of course, the reasons given for not checking the totals at each precinct (before the ballots are removed and have a chance to mysteriously wander away) are often ones of cost or expedience. As it turns out, a small team of vote counters (perhaps drafted as for jury duty), using a simple bin (not binary) method should be able to hand-tabulate all but the most complex ballots in time for the 11 o'clock news (assuming that the polls close at 8PM). (For the computer scientists, it helps to recall that a bin sort is O(n).) Of course there are plenty of mathematics wonks, and even a few Congressfolk, who would like us to believe that a random percentage audit is all that is necessary to confirm the electronic tallies. This is provably untrue. Even so, such formulas require that increasing percentages be audited if anomalies are detected, so you might as well just count all the ballots from the get-go to avoid the further hassle. For a detailed explanation of why partial audits don't work, see my post on the CNET Defensive Computing blog at http://news.cnet.com/8301-13554_3-9876062-33.html . Oh, and if someone tells you that if people touch the ballots they'll change the votes, just explain that page feeders could be used with opaque projectors to display the papers without human handling.
|Voter Verified Paper Ballots -- An
An explanatory brochure has been prepared in response to the myths and misinformation that are currently being circulated by those who are opposed to independent election auditing. "Facts About Voter Verified Paper Ballots" can be downloaded, printed on double-sided paper, and freely distributed (if in its entirety and unedited). Although DREs with VVPBs are an improvement over DREs without them, because of numerous issues related to the construction and use of VVPBs (some of which are noted below), since 2003 I have recommended AGAINST the purchase of these devices. Ballots should be prepared on paper (not computers) and counted from the paper (preferably by humans).
Act that did not help
The 2002 Help America Vote Act (HAVA) legislation authorized $3.8B in federal spending, with a substantial portion of these funds allocated to US states and territories for the purpose of replacing their punch card and lever voting machines and making voting systems accessible to the disabled. To obtain the money, an implementation plan had to be submitted to the Election Assistance Commission by January 1, 2004. States were NOT required to purchase fully computerized voting systems, they could obtain mark-sense (optically scanned) products that use paper, but in order to receive certain of the equipment funds, the plan had to indicate that the state would replace all of its lever and punch card machines by the first election for Federal office held after January 1, 2006. New York was the only state that decided to retain its lever machines.
vendors said their voting machines were certified:
U.S. voting systems, beginning in 1990, have been certified under a system originally established by the Federal Election Commission (FEC) and a private group, the National Association of State Election Directors (NASED). Testing fees are paid, by the vendors, to certain qualified Independent Testing Authorities and examinations are conducted secretly without any results (other than a final passed status) issued publicly. This certification was, at first, based on the FEC guidelines adopted by only 37 of the states and criticized by technologists as flawed. (See my detailed comment The FEC Proposed Voting Systems Standard Update.) According to their website, even "the FEC recognizes that the Help Americans [sic] Vote Act of 2002 will fundamentally alter the long term application of the Standards, including testing." Some problems with the FEC standard included the lack of a requirement that vote tallies be independently auditable, the allowance of trade-secret code that may not be able to be inspected should an election contest question the proper functionality of a voting system, the use of commercial software products in balloting and tabulation systems without any inspection at all, and no provision for re-examination or decertification when problems are later identified. Even when additional state certification inspection has been performed, there may be no guarantee that any particular system has been appropriately configured prior to deployment. Revelations that uncertified software was used in at least two California elections (including the Gubernatorial recall) led to the mandate that voter verified paper ballots be added to their fully-electronic voting systems.
about Internet voting?
Internet voting is risky due to its sociological and technological problems. Absentee balloting does not provide the safeguards of freedom from coercion and vote selling that are afforded via local precincts. Internet voting creates additional problems due to the inability of service providers to assure that websites are not spoofed, denial of service attacks do not occur, balloting is recorded accurately and anonymously, and votes are only cast by the authorized voter themself. The government's website warned that "it is the citizen's responsibility to maintain the latest anti-virus software for their computer" in order to assure safety, yet they failed to acknowledge the fact that anti-virus software can only protect against known malware (new ones appear constantly, and could occur during an election season) and server-based attacks are still possible. Certainly citizens overseas should have an opportunity to vote, but perhaps this could be handled by setting up remote balloting precincts at the U.S. Embassies, or by creating bi-partisan poll-worker teams on military bases?
created the Voter Verified Balloting concept?
Rebecca Mercuri coined the phrase in her comment: "Explanation of Voter-Verified Ballot Systems" in The Risks Digest, ACM Committee on Computers and Public Policy, Volume 22, Issue 17, July 24, 2002. Mercuri first addressed this concept in her paper: "Physical Verifiability of Computer Systems" presented at the 5th International Computer Virus and Security Conference in March 1992, and a more detailed description appeared in her Doctoral Dissertation, defended October 27, 2000. An artist's rendering of a "Mercuri Method" voting system (they need not be so elaborate) appeared in her October 2002 IEEE Spectrum article, "A Better Ballot Box."
I will be conducting a computer forensics seminar/workshop for the Princeton ACM/IEEE Computer Society on November 13, 2010. One of the sections of this short-course will overview voting system investigations. Further information is available at http://princetonacm.acm.org/meetings/mtg1011s.pdf . Advance registration is required and there is a fee for attendance.
|The articles linked below in my writings section provide an illustration of the magnitude of problems encountered with electronic voting equipment and offer some suggested solutions. My analyses are based on computer science and engineering facts, and are not politically motivated. Please try to read some of the *red starred* materials before contacting me for further clarification or assistance.|
Election officials in world democracies often want to believe that the situations in the USA are dissimilar to those in their own countries. Although laws and procedures may be different, the computer introduces universal vulnerabilities to privacy, accuracy, and security in elections. All democratic nations should be advised to use caution in their deployment of new systems, and avoid those products that do not produce a voter-verified paper audit trail.
Kingdom and other European countries have begun initiatives to convert
all or part of their voting to electronic balloting (kiosk/DREs and/or
Internet-based) systems. Europe appears to be rushing ahead to deploy
computer voting technologies with serious sociological
and technological downsides, such as lack of auditability, and
increased opportunities for vote selling, monitoring, coercion, and
denial of service attacks. During mid-October, 2002 I visited England,
on the invitation of the Foundation for
Information Policy Research, to meet with and brief members of the
UK Cabinet and Parliament regarding this subject, and to provide
technical lectures at the Royal Academy of Engineering and Cambridge
University. My comments to the Cabinet are posted *here.
I also formally submitted an additional
follow-up comment as part of their "In the Service of Democracy"
consultation, which explains why Internet voting is not appropriate for
UK democratic elections. Media coverage of my UK tour can be
found over in my press section.
Information on the electronic voting project in Ireland can be found
Thanks to the unflagging efforts of this group and others (including
myself) who strongly protested the change from paper and pencil voting,
in 2009 it was announced that "the Government has decided not to
proceed with electronic voting in Ireland." Over in the Netherlands,
the Dutch group "We Don't Trust Voting Computers" successfully hacked a
NEDAP voting machine, turning it into a chess-playing device. On
October 1, 2007, the District Court of Amsterdam decertified all NEDAP
voting computers currently in use there. Further information at http://wijvertrouwenstemcomputersniet.nl/English .
The Brazilian government converted to fully electronic voting in 2000, deploying over 400,000 kiosk-style machines. Although their elections are often compared to those in the US, they are actually quite different because the voters cast ballots by using numbers assigned to each candidate (this is necessary because of a high degree of illiteracy in the country). Concerns regarding accuracy of the self-auditing systems caused the legislature to mandate a retrofit of 3% (some 12,000 machines) to produce a paper ballot that the voter could peruse and deposit in a box for recount (the first large-scale use of the "Mercuri Method" -- described more fully in "A Better Ballot Box?"). These paper-trail machines were successfully used during the October 6, 2002 election, and it is believed that the rest of their machines will eventually be retrofitted as well. Further discussion on this subject can be found in the article: *"The importance of recounting votes" by Michael Stanton (originally published in Portuguese as "A importância da recontagem de votos", on the website of the Agência O Estado de São Paulo, November 13, 2000). There is also an informative website: Brazilian Electronic Voting Forum by Amilcar Brunazo Filho.
US Voting Rights Act
In the wake
the Florida 2000 election, a number of voting rights bills were
proposed in Congress. On May 22, 2001, the U.S. House of
Representatives Committee on Science convened a Hearing on Improving
Voting Technology: The Role of Standards. I was joined on the
invited panel by Dr. Stephen Ansolabehere (MIT), Mr. Roy Saltman (NIST
- retired), and Dr. Doug Jones (University of Iowa).
The California State Elections Code contains a number of sections that are directly relevant to US and international electronic voting issues.Section 15360 requires that there be "a public manual tally of the ballots tabulated by those devices, including vote by mail voters' ballots, cast in 1 percent of the precincts chosen at random by the elections official." This section also notes: "In resolving any discrepancy involving a vote recorded by means of a punchcard voting system or by electronic or electromechanical vote tabulating devices, the voter verified paper audit trail shall govern if there is a discrepancy between it and the electronic record." Curiously, Section 15627 on recounts states: "If in the election which is to be recounted the votes were recorded by means of a punchcard voting system or by electronic or electromechanical vote tabulating devices, the voter who files the declaration requesting the recount may select whether the recount shall be conducted manually or by means of the voting system used originally, or both." Section 15629 notes that "The recount shall be conducted publicly" and Section 15630 says that "All ballots, whether voted or not, and any other relevant material, may be examined as part of any recount if the voter filing the declaration requesting the recount so requests." Given all of this, one would think that the paper ballots (either the original ones that were scanned, or in the case of the DRE's, the VVPATs) would be consulted in all recounts. Unfortunately, as occurred in Nguyen v. Nguyen, Case No. 07CC00407 (2007), Orange County California Superior Court, the Judge ruled that the Election Code's allowance for the selection by the voter requesting the recount, means that the requirement that the VVPAT always trump any discrepancies can be disregarded if the requestor chooses to use the recount produced "by means of the voting system used originally." This loophole in the law will likely be opportunistically exploited again until it is closed. (Numerous YouTube courtroom videos from my 2 days of testimony in this matter can be found by using the search string: rebecca mercuri nguyen.)
Proposition 41, California's Voting
Modernization Bond Act, passed in 2002, mandates that "a voting
system that does not require a voter to directly mark on the ballot
must produce, at the time the voter votes his or her ballot, or at the
time the polls are closed, a paper version or representation of the
voted ballot; this version shall not be provided to the voter,
but shall be retained by election officials for use during
a manual recount or other recount or contest." The key phrase here is
"or at the time the polls are closed" -- this has been
by vendors and election officials to permit the voting system to
self-generate ballot images from the internal data stored by the
computer during the election, for use in public manual tallies or
recounts. Using such systems, the voter has no way to confirm that the
ballot they intended
to cast is identical to the one recorded by the machine. Hence, such
recounts are only procedural in nature, and not truly validatory.
Sadly, the U.S. Congress was similarly vague in their definition of
capacity" in the Help America Vote Act of 2002 (Section 301 a. 2), so
court rulings will play an important role in determining the
implementation of when the "permanent paper record" must be produced
(at the time of voting, or after the election is over).
always maintained that the intention of HAVA, as well as the
California Code, is to allow the voter to view the printed ballot prior
to casting it. Finally, in 2004, California's Secretary of State agreed
(but only after discovering that uncertified software was used in their
Recall and General elections in 2003) with this interpretation. Your
is needed here -- if you are a voter living in a municipality that uses
DREs (with or without VVPATs), request an absentee
ballot prior to the election so that you can cast your vote on paper.
That is the only way you can be assured that a) your vote was submitted
intended and b) the ballot you prepared will be available for a manual
recount. I have been voting absentee since DREs replaced the lever
machines in my County in 2004.
Marie Weber, a citizen of Riverside County, CA, decided to protest
the use of the recently purchased Sequoia Voting Systems' AVC Edge
direct recording electronic (touch-screen) voting machines in her
She filed a Complaint for
Injunctive and Declaratory Relief against CA Secretary of State
Jones and Riverside County, CA Registrar of Voters Mischelle Townsend,
under 42 U.S.C. §1983 and the Fourteenth Amendment to the United
States Constitution. This appeared as Case No. CV 01-11159-SVW(RZx)
before the Honorable Stephen V. Wilson in the United States District
Court for the Central District of California. Weber obtained
testimony (at name links here) from experts Rebecca
Mercuri, Peter Neumann
and Kim Alexander. The
ruled on September 3, 2002 in favor of the State on the basis of
only written testimony without deposition or cross-examination, and
without providing an opportunity to inspect the voting systems in
question (although he criticized
one witness for not having done so, even though it would likely have
been a felony to perform such an examination in the absence of a court
order), and various appeals also failed. The ruling allowed other
counties to proceed with their purchases of self-auditing voting
equipment. Despite this ruling, the subsequent Secretary of State,
Kevin Shelley, decided
on November 21, 2003 to require that all computerized voting equipment
be equiped with an accessible voter verified paper trail by July 2006.
The next Secretary of State, Deborah Bowen, decided to conduct a "Top
to Bottom Review" of California's voting systems, which resulted in the
decertification of most of the DREs. Currently only Orange and San
Mateo Counties use DRE with VVPAT. All other Counties in CA use opscan.
Proposition 23, the None of the Above Ballot Option, failed to achieve
enough votes to pass in the March 7, 2000 election. The lack of
a "none of the above" choice for each ballot race (in all states)
creates a dubious dark hole for election auditing. Traditionally, when
one totals all votes cast in each race, these fall short of the
total number of votes eligible to be cast (usually by around 3%). The
"lost vote" (also called "undervote" or "residual vote") rate tends
to differ depending on equipment and other factors, but it is often
also an indicator of malfunction or tampering. The lack of a definitive
"no vote" allows vendors and election officials to assert that votes
were "not cast" when in fact votes have actually been lost. This
is becoming more prevalent with the introduction of multiple recording
devices within the voting machines, and no real way to determine which
storage unit has the "correct" data. It is unfortunate that the U.S.
Green Party believes that the "none of the above" option is contrary
to their interest in promoting proportional balloting, since they are
among the most vocal opponents of this effective auditing requirement.
See http://www.calvoter.org for further information on initiatives and election equipment data.U.C. Hastings College of the Law Library maintains a search engine for its extensive California Ballot Propositions Database, which is also helpful.
requested by the Democratic Recount Committee to provide a sworn
affidavit regarding the necessity of a hand recount in the disputed
Florida precincts. The testimony was presented as part of the
brief in the 11th Circuit Court of Appeals, Atlanta, November
17, 2000. The document is linked here
as a pdf file, and can also obtained through direct request to the
11th Circuit Court. Reference to this affidavit was made in Brief
in opposition for respondents Gore et al. in Nos. 00-836 and 00-837 to
the U.S. Supreme Court.
In August of
2002 I testified in behalf of the Plaintiff requesting a recount in
Florida 15th Circuit Court Case No. CA-02-3667-AE Emil P. Danciu v.
Theresa LePore in her Official Capacity as Palm Beach County Supervisor
of Elections, Boca Raton City Canvassing Board, Palm Beach County
Canvassing Board, Susan Haynie, and Bill Hager. Footage of my
demonstration showing that a selection could inadvertently be made
without actually pressing the touchscreen at the candidate's name
location, aired on 60 Minutes. Also revealed during the warehouse
investigation was the fact that these voting machines were never
manually checked for all combinations of candidate selections during
the pre-election testing process.
Florida outlawed the use of touchsreen voting (having previously
outlawed the hanging chad punchcard systems) and now uses optical
scanning throughout the state. Unfortunately, in 2004, Florida also
outlawed the right of voters or candidates to be allowed to audit the
electronically-generated results via a manual recount. (This may have been
partly in response to a federal lawsuit by their 19th District Congressman Robert Wexler
and Palm Beach County Commissioners Burt Aaronson and Addie Green,
citing the equal protection clause of the U.S. Constitution and
claiming that it was unconstitutional for 52 counties in Florida to
a means to conduct a recount, while the 15 touchscreen counties could
not perform one.) Thus there is no way to
independently confirm that the scanners have been programmed correctly,
are not experiencing anomalous conditions (such as treating certain
types of ink as invisible), and have not been tampered with (as Hari
Hursti showed can alter vote totals). See http://onlinejournal.com/evoting/060305BBV/060305bbv.html
for further details. For all of these reasons (plus others related to
voter disenfranchisement), Florida continues to get an F in election
2004-2006, I provided pro bono assistance for the Guciora v. McGreevy
lawsuit, which protested the use of paperless DRE voting machines in
the State of New Jersey on constitutional grounds. The Plaintiff's Complaint
can be found at the links here. I submitted extensive written
testimony on October 16, 2004 that described numerous flaws with
electronic voting systems (lack of provability, malfunctioning that
disenfranchises voters, less accuracy, vulnerability to insider
attacks, lack of transparency, improper vendor responses to software
flaws, inadequate certification, lack of independent ballot audit, and
vendor misrepresentation). My testimony in the remand hearing before
Hon. Linda Feinberg, Superior Court of New Jersey, Law Division, Mercer
County, largely focused on the inability of the vendors to provide a
voter verified paper ballot add-on to the DRE equipment that could be
Federally certified for use, in time for compliance with the newly
enacted New Jersey law requiring same by January 1, 2008. Based on
Feinberg's findings, the Appellate Division decided to remand the
matter to the Law Division in order to monitor compliance with the new
legislation. Although testimony by numerous individuals was presented
by Plaintiffs, the only comments noted in the Appellate
Division Opinion were mine, pertaining to the issue that there were
factors independent of the VVPAT that would make it unlikely that the
AVC Advantage DRE would meet the 2002 FEC standards requirements by
December 2007. As I had predicted, and despite monitoring by the Court,
the VVPATs indeed were not ready by 2008 and the Attorney General
issued two 6-month extensions for compliance, also to no avail.
meanwhile, a trial was scheduled and the Court ordered the State and
vendor to supply voting machines and source code for examination.
Information about the review and testimony in the 2009 (and earlier)
hearings can be found at Professor Andrew Appel's website
and also at the Freedom
to Tinker blog. On February 1, 2010, Judge Feinberg ruled that the
voting machines must be reevaluated to determine whether they are
"accurate and reliable" and required that additional safeguards should
be put in place to discourage tampering. The statement, which noted
"there is simply no evidence to conclude that absent complete access,
coupled with malicious intent to alter the results of an election, the
voting machines have failed to correctly and accurately count every
vote cast" also indicated that all voting systems have vulnerabilities,
so New Jersey's unauditable machines seem (at least to the Court) to be
no worse than other methods (such as those involving paper ballots).
Unfortunately, the ruling did not go far enough to require that the
VVPAT law in the state be complied with, so that there might be some
actual proof that the machines were correctly and accurately counting
every vote cast (or not). And so it goes. Personally, I have felt
strongly that the Plaintiffs' team was missing the boat by focusing on
hacking rather than the Constitutional aspects of assuring verification
and transparency in the election process. Nothing is really proven by
such attack demonstrations, other than that they could potentially
occur -- since independent examinations of the equipment directly
following the elections are routinely
prohibited, we'll never be able to show that tampering was afoot. The
greater likelihood is that malfunctions and misprogramming actually
will (and do) occur. These we have plenty of evidence of, and only with
voter verified paper ballots is it possible to recover from and
mitigate such problems. Perhaps someone else will try to sue on these
grounds, when evidence of machine failure eventually surfaces.
I was asked
to provide comment on New Jersey's draft Criteria for Voter-Verified
Paper Records for DRE voting machines. My response is attached here.
The final version of the State Criteria is posted at http://www.njelections.org/voter_verified_paper_record_criteria.html
. The Attorney General's reports, also available via this website, in
which she (perhaps conveniently?) declines to certify the VVPRS (paper
ballot attachments) for the Sequoia Advantage and Edge DREs, is very
curious, since the AG's office argued in behalf of Defense in the
lawsuit noted above. The Sequoia Advantage DREs are used in 18 of NJ's
21 Counties. You might think that since the AG did certify VVPRS for
two other vendors' voting machines, the Judge might have required that
these be used instead of the Sequoias, but no. Hmmm.
If you vote
in New Jersey, here's what you can do. NJ has a absentee
option where citizens can register to receive paper ballots in the
mail. You will need to re-register as an absentee each year, but it is
a great alternative to using the paperless DREs. Don't trust the Post
Office? If you take your ballot to the County Election Office and drop
it off there (in its sealed envelopes) during their business hours
(extended to the close of polls on election day), you'll know that at
least your vote choices have reached the tabulation center, which is
something that the DREs cannot assure. In case of recounts (which do
happen in NJ) these ballots are the only ones that can actually be
checked without computer intervention.
Writings by Rebecca Mercuri
This section includes formal papers, commentary, articles, and other relevant materials on voting and computer security. The PDF versions for some of these writings may be more suitable for producing handouts.
"Electronic Vote Tabulation Checks
& Balances," Ph.D. dissertation, defended October 27, 2000 at
the School of Engineering and Applied Science of the University of
Pennsylvania, Philadelphia, PA. The title link here takes you
to the thesis defense announcement and abstract. UPenn's Computer and
Information Science Department has (without permission) archived the
University Microfilms version of my thesis at http://www.cis.upenn.edu/grad/documents/mercuri-r.pdf
and it can be downloaded (for free) there. You can also obtain a copy
the thesis through UMI/Proquest by sending an email to
firstname.lastname@example.org -- the thesis number is 3003665. They
various archival quality formats (hardbound, softbound unbound,
microfiche, and microfilm) of the original double-spaced 235-page
document, they can take credit-card orders, and I'll receive a small
royalty. Those who are manufacturing or evaluating voting systems will
find it helpful to consider two additional lists of questions I
developed as part of this thesis research. Some of the wording closely
follows the Common Criteria, whose Level 4 assessment I have
recommended as a minimum benchmark for voting system
security. Further information about the Common Criteria can be
found at http://www.niap-ccevs.org/cc-scheme/
"Verification for Electronic Balloting Systems," Rebecca T. Mercuri and Peter G. Neumann, Chapter 3, Secure Electronic Voting, Dimitris Gritzalis, ed., Advances in Information Security, Volume 7, Kluwer Academic Publishers, Boston, November 2002. ISBN 1-4020-7301-1
*"A Better Ballot Box?," (PDF) Rebecca Mercuri, IEEE Spectrum, Volume 39, Number 10, October 2002.
"Computer Security: Quality rather than Quantity," (PDF) Rebecca Mercuri, Security Watch, Communications of the Association for Computing Machinery, Volume 45, No. 10, October 2002. (Note: The footnote numbering is incorrect in the PDF version.)
*"MIT vs Mercuri," Rebecca Mercuri, The Risks Digest, ACM Committee on Computers and Public Policy, Volume 22, Issue 26, September 25, 2002. Archived at: http://catless.ncl.ac.uk/Risks/22.26.html.
*"Florida Primary 2002: Back to the Future," Rebecca Mercuri, The Risks Digest, ACM Committee on Computers and Public Policy, Volume 22, Issue 24, September 11, 2002. Archived at: http://catless.ncl.ac.uk/Risks/22.24.html.
*"Explanation of Voter-Verified Ballot Systems," Rebecca Mercuri, ACM Software Engineering Notes (SIGSOFT), Volume 27, Number 5, September, 2002. Also published in The Risks Digest, ACM Committee on Computers and Public Policy, Volume 22, Issue 17, July 24, 2002. Archived at: http://catless.ncl.ac.uk/Risks/22.17.html.
*"Humanizing Voting Interfaces," Rebecca Mercuri, Usability Professionals Association Conference, Orlando, FL, July 11, 2002.
"Uncommon Criteria," (PDF) Rebecca Mercuri, Inside Risks, Communications of the Association for Computing Machinery, Volume 45, No. 1, January 2002.
*"The FEC Proposed Voting Systems Standard Update," a detailed comment by Dr. Rebecca Mercuri, submitted to the Federal Election Commission on September 10, 2001 in accordance with Federal Register FEC Notice 2001-9, Vol. 66, No. 132.
*"System Integrity Revisited," (PDF) Rebecca T. Mercuri and Peter G. Neumann, Inside Risks, Communications of the Association for Computing Machinery, Volume 44, No. 1, January 2001. This was reprinted in the CPSR Newsletter, Winter 2001, Volume 19, No. 1.
*"Internet and Electronic Voting," Peter Neumann, Rebecca Mercuri, Lauren Weinstein, The Risks Digest, ACM Committee on Computers and Public Policy, Volume 21, Issue 14, December 12, 2000. Archived at: http://catless.ncl.ac.uk/Risks/21.14.html. This article was also printed in ACM's Software Engineering Notes (SIGSOFT), Volume 26, No. 3, March 2001.
*"Voting Automation (Early and Often?)," (PDF) Rebecca Mercuri, Inside Risks, Communications of the Association for Computing Machinery, Volume 43, No. 11, November 2000.
*"Corrupted Polling," (PDF) Rebecca Mercuri, Inside Risks, Communications of the Association for Computing Machinery, Volume 36, No. 11, November, 1993.
"Threats to Suffrage Security," Rebecca Mercuri, 16th National Computer Security Conference, September, 1993. (See Conference Panels below.)
*"The Business of Elections," (PDF) Rebecca Mercuri, 3rd Conference on Computers, Freedom and Privacy, March, 1993.
*"Voting-Machine Risks," (PDF) Rebecca Mercuri, Inside Risks, Communications of the Association for Computing Machinery, Volume 35, No. 11, November, 1992.
"Physical Verifiability of Computer Systems," (PDF) Rebecca T. Mercuri, 5th International Computer Virus and Security Conference, March, 1992.
Related Writings by Other Authors
into Vapor," Craig Lambert, Harvard Magazine, November-December
2004, Volume 107, Number 2. This succinct piece provides insight into
the mathematics behind the voting system problem, in terms that a
layperson can readily understand.
*"Election Reform and Electronic Voting Systems
(DREs): Analysis of Security Issues," (PDF),
Eric A. Fischer, Congressional
Research Service, The Library of Congress, November 4, 2003. A
well-balanced overview of voting security threats and vulnerabilities
along with an assessment of strengths and weaknesses of potential
"Usability Review of the Diebold DRE system for Four Counties in the State of Maryland," (PDF), Benjamin B. Bederson, Paul S. Herrnson, University of Maryland, 2002. This study, conducted prior to the Fall primaries, provides an early indication of machine failures with the Diebold equipment (used in Georgia as well as Maryland).
*"Secret-Ballot Receipts and Transparent Integrity," (PDF), David Chaum, Draft, May 2002. Chaum, the inventor of eCash, describes a unique method where voters can positively confirm their ballots, both at the polling station and also after the election, to be sure they are correctly entered into the tallies, without revealing their choices. This groundbreaking work may eventually form the basis of secure and auditable future elections.
*"Opening a Can of Electronic Chad," Bill Sterner, Carol Schiffler. A position piece against touch-screen voting from the Citizens for Legitimate Government. http://www.legitgov.org
"How to Make Over One Million Votes Disappear: Electoral Slight of Hand in the 2000 Presidential Election," Democratic Investigative Staff, House Committee on the Judiciary, August 20, 2001. (A 50 state report prepared for US Representative John Conyers, Jr., Ranking Member, House Committee on the Judiciary, and Dean, Congressional Black Caucus.)
*"Voting and Technology," Bruce Schneier, Crypto-Gram, December 15, 2000. http://www.schneier.com/crypto-gram.html (Also read his explanation in the 2/15/01 issue about why Internet voting is not possible, and his scathing comments about iBallot.com's proprietary voting technology claims in the 3/15/01 issue. In the 9/15/02 issue, this expert again confirmed his opposition to Internet elections.)
*"No voting machine is going to be perfect -- and not just in Florida," Rick Malwitz, Home News Tribune, November 30, 2000. (If you think that direct-entry computerized voting machines are the answer to hanging chad, read this.) A confirming follow-up on this story: *"N.J. critic says booth proved not so fail-safe," Jeff Gelles, Philadelphia Inquirer, January 15, 2000.
"Democracy Under Stress," Ronnie Dugger, Los Angeles Times, November 19, 2000.
*"Disenfranchised by design: voting systems and the election process," Susan King Roth, Information Design Journal, Volume 9, No. 1, 1998. (This early study examines usability issues in various election systems, with the conclusion that newer technologies are not necessarily an improvement for voters.) The pdf can be accessed via: http://www.informationdesign.org/downloads/doc_roth1998.pdf
*"Security Criteria for Electronic Voting," Peter G. Neumann, 16th National Computer Security Conference, September, 1993. *"Risks in Computerized Elections," Peter G. Neumann, Inside Risks, 5, CACM 33, 11, p. 170, November 1990. (Dr. Neumann has expressed his opposition to fully-electronic and Internet-based democratic elections since the early days of this debate. His Risks newsgroup frequently prints reports of election problems, issues are archived at: http://catless.ncl.ac.uk/Risks.)
Integrity, and Security in Computerized Vote-Tallying," Roy G.
Saltman, U.S. Department of Commerce, National Bureau of Standards
Special Publication 500-158, August 1988. (This classic document
contains highly relevant material for anyone researching or dealing
with voting systems.)
*"Reflections on Trusting Trust," Ken Thompson, Communications of the ACM, Vol. 27, No. 8, August 1984. This important Turing Award lecture explains precisely how it is possible to conceal nefarious programming such that it will never be found in a source code inspection.
A Bit of Levity
Mark Fiore, February 4, 2004. (A fun animation depicting what we are
getting with paperless voting systems. Wait a minute or so for it to
load, don't press back or next.)
guarantee the outcome," Summer, 2003. (If someone told
me I'd be referring folks to Larry Flynt's website, I would have
laughed, but this parody is great, and G-rated to boot!)
"A Renegade Reciprocal Miracle Chad," Joel Achenbach, Washington Post, November 17, 2000. (A lighter view of the punch card problem)
Join My Email Group
I have created a private email group which I am using to send messages regarding updates to this website and other announcements about relevant articles, conferences, legislative activities, election litigation and my upcoming talks and media appearances. The group is "send-only" so replies go only to me, not to the other group members. Announcements are sporadic, typically only a couple per month. If you are interested in joining, send an email to:
Then follow the instructions in the reply message that you will receive, and I will place you on the list. If you join topica (although you don't need to do this to be a mailgroup member), you can review all of the prior messages in the NotableVoting history list at their website. If you tire of the list, you can remove yourself from it by sending a message to NotableVotingemail@example.com and your address will be deleted.
The wealth of materials at these
sites may be helpful to those who are interested in voting technology.
The links here are in no particular order and should not be construed
as endorsements. As web pages and hosts can change rapidly, I take
absolutely no responsibility for the content and/or reliability
of these links.
- Inside Risks
- Risks Forum Newsgroup