"The fact that banks can be robbed is not a valid justification for keeping your money in a shoebox. The reasons are that (1) the chance of a robbery is low; (2) even if money is stolen you will not necessarily suffer a loss; and (3) the bank keeps only a small portion of its assets in the form of cash. Why should voting systems be held to a standard of perfection when nothing else in society is? Nonetheless, electronic voting watchdogs insist that election equipment must be perfect or it is totally unusable. The analogy between voting systems and the bank is particularly apt because (1) the chance of a system being tampered with successfully is low; (2) even successful tampering does not necessarily result in the wrong candidate being elected; and (3) only a small portion of the vote is cast on one machine."This is a misstatement of the views on security held by "electronic voting watchdogs", of course, and he also glosses over the inconvenient fact that 70% of losses due to fraud in banks are perpetrated by knowledgeable and malicious insiders, who are ideally situated to bypass any security measures. It is certainly naïve to seriously state that exploits would be limited to one machine. But fundamentally it is a delightfully circular argument, since by definition, successful tampering would go undetected - and, thanks in part to Shamos, would be almost certainly impossible to detect. Many of my colleagues (perhaps more so, for those gaining financially by their involvement with electronic voting industry) seem to utterly miss the essential point. Computerized voting systems are actually national defense systems deserving a much higher standard of protection than conventional applications, such as mere banking software. Undetected widespread covert manipulation of computerized voting systems is the functional equivalent of invasion and occupation by a foreign power. In either case, the American people lose control of their destinies, perhaps permanently. Covert manipulation of voting systems could even be worse in one key way than mere invasion, since the "electoral coup" would appear to occur with the illusion of the manufactured consent of the governed, and there would be no "tanks in the street" to galvanize resistance. Voting systems used in American federal elections grant regulatory powers over the world's largest economy, disbursement authority for the federal procurement budget, control of the composition of the Supreme Court and federal judiciary, and command of the world's only superpower military. Yet despite the fact that our computerized voting systems represent the most irresistible target for insider manipulation in the history of the world, they are not currently given even the level of protection of systems I'm familiar with in banking and financial services. Shamos agrees:
What auditing an election really means is verifying that the software was working correctly, that no unauthorized acts or steps occurred during the election (such as resetting the counters to zero) and maintaining intermediate records so that votes will not be lost in case of an equipment or power failure. Auditing does not, and cannot, mean the ability to rebuild each individual ballot after the polls have closed.
These logical impossibilities do not prevent states from imposing the audit requirement, vendors from attempting to satisfy it, and examiners from certifying the systems anyway. On many occasions I have recommended certification of a system that had an imperfect auditing mechanism. The reason is that I felt the audit trail was adequate under the circumstances. (my emphasis)In other words, he actually believes an independent audit of a DRE's internal electronic vote tally is a "logical impossibility", and he calls that "adequate". In banking, we'd call that "grounds for termination for cause", assuming we found out before the Bank Examiner or FDIC did; otherwise, the Board of Directors could be facing serious jail time. The fact that national security systems, protected by such a casual standard of security, are nevertheless still allowed to be used to elect our leaders is a national scandal, and a disgrace to my profession. And as we shall see, HR 811 continues the historical pattern of misunderstanding the nature and seriousness of the threat, while at the same time focusing on utterly ineffective countermeasures. Blunder #7: It's a good idea to inspect the source code HR 811 states that election officials will be required to provide "the source code, object code, and executable representation of the voting system software and firmware to the Commission, including ballot programming files", which will then be made available to the public on request. For years, our voting equipment vendors have insisted on classifying their software as a trade secret, naturally leading to the presumption that they have something to hide. Clearly, public disclosure of their software must be a good thing? Well, actually, no. If a malicious insider at Diebold or ES&S truly wanted to corrupt vote tabulation logic, he or she would hardly put it in the official release handed over to the EAC. And there's simply no reason to trust that any software delivered to the EAC would bear any relationship whatsoever to the logic that actually runs on voting devices in an election. Consider that the source code disclosure requirement is unenforceable in practice - there are a lot of hardware and software components inside voting equipment. Not only proprietary software developed by voting equipment vendors, but also mass market consumer products like Microsoft Windows, and also a host of highly complex, very specialized software from vendors, many of them offshore. Surprisingly those other vendors simply have no interest at all in giving away their crown jewels to their competition. But HR 811 as written would require depositing tens of millions of lines of source code with the EAC; even if it magically materializes, it would be far more than any one person could hope to read, much less understand with complete clarity. But even if I could somehow get my hands on an accurate copy of the hundreds of thousands of pages of all the vendors' closely-guarded source code, I'm still wasting my time. Here's an example to explain why: simply looking at the official source code for Windows, Microsoft Office, and all the hundreds of other software applications and components I've installed over time tells me precisely nothing about the true, current state of my individual PC here in Minneapolis. I cannot tell by inspecting the official source code whether my particular PC has malware, spyware or, worst of all, a rootkit. Much less can I possibly know precisely how a particular application on my PC will behave at an arbitrary time in the future by looking at source code. It's the same for voting systems, or any real-world computing device. If source code inspection could allow us to reliably predict how a particular instance of a program will actually work in the field, Microsoft Windows would be a rock-solid, bulletproof product - after all, tens of thousands of programmers spend their professional careers scrutinizing its source code every day. It's simply goofy for serious IT professionals to state that it would be anything more than a sham to "inspect" whatever source code that HR 811 manages to dredge out of the vendors. Worse yet, it misleads the public, making it seem as if IT professionals have superhuman powers to "know" the source code is benign, and to "know" precisely what it will and won't do, and to "know" where and how it is actually running in a particular device - when of course, we do not. Source code inspection is simply a quality assurance technique we use in an environment where we are reasonably sure that the source code we're looking at will be the same as is run, but it is hardly a security mechanism. For it to be so, we would have to trust the vendor, as well as every link in the rest of the very long chain of individuals involved in the end to end process of manufacturing, deploying, configuring, testing, operating, storing and monitoring the equipment and software. This magical level of trust is, well, inappropriate when dealing with national defense systems. Blunder #6: It's a good idea to inspect the executable code, too If source code inspection is ultimately a waste of time, what about the other stuff HR 811 would mandate the EAC to collect for our perusal - the "object code" and "executable representation" of the source code? Even in the highly-controlled, regulated and audited environment of a bank or brokerage house, it is extraordinarily difficult in practice to know precisely what software components are executing on which devices at any given time. But in theory, with specialized equipment and intensive hands-on effort, a skilled computer forensics auditor could rigorously examine each hardware component of an election system and compare the detailed contents of the installed software components to the version of the executables registered with the EAC. If they trust their forensic software, of course, and if they always accurately report their findings. Care to bet the Republic on that? But wait; there are tens, if not hundreds of thousands of devices to potentially check, so not only is this extreme degree of forensic comparison impossible to contemplate doing for every voting device prior to every election, it's also ultimately pointless. Since real-world computer systems involve complex inventories of hundreds or even thousands of application program modules, firmware, device drivers and operating system components, static inspection alone will never be able to reliably determine what those components will actually do at any given point in time. There's simply no reason to believe that a given executable corresponds to the given source code, and no way to truly know what the executable is doing - except by running it. I'd ask my colleagues who disagree to consider how you would detect "Cheating with Hardware - Malware Loader" as described in this study? Blunder #5: It's also a good idea to test and certify voting systems HR 811 calls for what appear to be improvements to the independent testing and certification of voting equipment. For example, it prohibits direct conflicts of interest between vendors and testers, allows EAC to randomly select the laboratory, requires public disclosure of test results, and even allows an expert named by the EAC to observe the testing process. Sounds good, right? Well, no, actually. It is a truism in my profession that the purpose of testing is to find "bugs" - not to indicate that a piece of software contains no flaws. It's a subtle point, but what it really means is that if I've found 100 errors, there is simply no magic oracle that will then tell me "well, that's all, we're done, no more bugs". If it was possible to test quality - much less security - into any piece of software, well... Microsoft Windows would be the bug-free, highly secure platform we all know it to be, since Microsoft has the world's most sophisticated automated testing tools, thousands of paid testers, and hundreds of thousands of people worldwide who volunteer to help. Yet even so several critical Microsoft security defects have been reported every month for the last several years. But not to pick on Microsoft; just take a look at some of these other recent security issues for several thousand other vendors; in every case these security flaws were discovered after completion of formal testing. Take your time; the list is 685 pages long. Of course, Michael Shamos (consultant on the certification of electronic voting systems, for six states, going back to 1980) still has a charming faith in the power of testing:
"One may readily argue that no reasonable sequence of tests can exercise every possible logical branch of a complex computer program. So be it. Neither can any such test guarantee that the navigation system of a 747 is working properly, or that it will continue to work during flight, but for some reason this fact does not keep me from flying. (The reason is probably that plane crashes are statistically rare.)"I'm not sure Shamos really meant to contrast aviation software to voting systems; they lie worlds apart. Aircraft systems are typically tested to demonstrate a "Mean Time Between Failure" of between 12,000 and 21,700 hours - that's just one failure every 500 to 900 days in-flight. On the other hand, the National Institute of Standards and Technology has recently agreed that even the pitifully lax standard for voting equipment, on average one failure every 168 hours (!) - that more or less ensures a substantial number of machines will "crash" during any given election - is not worth bothering about anymore and should be removed. But the real problem is Shamos' analogy totally misses the point: commercial plane crashes are "relatively rare" in part because avionics does not have an adversarial insider threat model. By that I mean no one at Boeing could possibly benefit from subverting the stated mission of the organization, by injecting malicious software to deliberately crash their planes. On the other hand, consider the benefits accruing to insiders at ES&S, Diebold and Sequoia - much less at the county election office - from subverting the stated mission of their organization, by injecting malicious software to deliberately change the outcome of elections. As socially-responsible professionals we must openly acknowledge the inherent limitations of our ability to ensure voting is as trustworthy as a critical national security system should be. We cannot and should not ask the public to simply trust the outcome of any testing and certification process, no matter how many "experts" say so. Blunder #4: We need machines to mark our ballots for us Strange as it may seem, some of my colleagues even doubt a voter's ability to even mark a piece of paper without machine assistance. For example, the authors of a study published by ACCURATE (you know, the folks with the $7.5 million grant) entitled "Measuring the Usability of Paper Ballots" were surprised to discover that "over 11% of the [paper] ballots contained at least one error". But they measured "errors" by asking their test voters to vote three times in succession using three different ballots with different layouts; hardly a realistic case. Their conclusion that such a test "is a clear cause for concern, with possible public policy implications such as procedures for handling of narrow margins of victory and recounts" seems overblown. Let me go out on a limb and state I believe that we voters in America, like voters throughout the world, can bravely take command of our own destinies and mark our own ballots. And count them, too. Blunder #3: We should hand-count as few ballots as possible And yet some of my colleagues have argued that paper ballot records are a bad thing. Shamos again:
"Ballot systems are sometimes naively regarded as the safest, a vestige of our faith in the superiority of paper records over the electronic. The dream is that in order to verify the election one need do no more than gather up the ballots and tabulate them a second time. However, ballot systems are not only unsafe but completely unauditable."Well... that's a rather cheeky statement, and it must come as something of a revelation to professional auditors. Here's a quick reality check: if you agree that it is impossible to effectively audit and safeguard paper, stop by your local bank and help yourself to the cash on the way out. Or if you're in Washington, please drop in at the White House and pick up your own copy of the President's Daily Brief; I've heard it's fascinating reading. Paper based processes are not perfectly secure, of course. But there are people who certainly think we've figured out how to audit and safeguard paper-based systems to an acceptable degree of public and commercial confidence over the last few centuries. The bizarre assertion that it is impossible to audit paper election records also must be a surprise to the citizens of Canada, the United Kingdom, New Zealand, Germany, Ireland, Iraq, Palestine... and so on, all of whom not only conduct their elections (exclusively) on paper, but also manage to audit the outcome with an acceptable level of public satisfaction with the results. If you do not believe me, Google the phrase "Disputed Canadian Election". In fact one reason why the outcome of paper-based balloting is so uncontroversial in those countries is that "ballot box stuffing" (that great bugaboo of so many of my colleagues who coincidentally make a living off of the electronic voting industry) in practice seems rather difficult to pull off without being detected. Blunder #2: Computers count ballots better than people This is a supreme article of faith among my technical peers. Yet surprisingly enough, there is little evidence in its favor. In fact, there is a fascinating study from 2001 (interestingly enough, published shortly before HAVA was enacted) which concluded that not only were hand-counted paper ballots the most accurate of all vote counting methods, measuring by residual vote rate, but that every single technological "innovation" of the last century - lever machines, punch cards, optical scan, DRE - actually measurably decreased the accuracy of the voting process. Their conclusion:
These results are a stark warning of how difficult it is to implement new voting technologies. People worked hard to develop these new technologies. Election officials carefully evaluated the systems, with increasing attentiveness over the last decade. The result: our best efforts applying computer technology have decreased the accuracy of elections, to the point where the true outcomes of many races are unknowable.
It will come as no surprise that some of my colleagues still question whether multiple citizens (each with competing political allegiances, and drawing upon the processing power of the one thousand trillion synapses in the massively-parallel neurocomputer we call a human brain) are collectively better able to interpret voter intent as marked on paper, as opposed to a "dumb" optical scanner. Of course, the people also have to count way up to 500 or so several times. Clearly, a job that calls for a machine. Blunder #1: We don't need to justify using computers Voting is not the first time IT professionals have created a solution in search of a problem, and it won't be the last. And while the IT profession is a leading contributor to our current predicament, it is by no means the only one. The entire end-to-end voting process has broken down and it's in many people's interests to see it remains that way, including our elected officials. No career politician is likely to voluntarily do anything that might undermine the legitimacy of their position. Since the heady days of the 1960s, a new, multi-billion-dollar a year electronic voting industry with world-wide growth aspirations has emerged. Whether the original drive to automate our voting was driven by genuine desire to improve elections, naive faith in progress, blissful ignorance of the potential threats, bad technical advice or coldly calculated self-interest, that industry is now so entrenched it has now become almost impossible to question the original decision to apply computer technology to voting. Surprisingly strong passions are aroused in defense of the machines. In fact, we've had more than enough hands-on independent analysis of voting equipment to confirm what should have been utterly obvious all along: the machines were, are and will remain totally untrustworthy. I think the truth is more cleverly hidden. Voting systems are riddled with so many brazen vulnerabilities that can be exploited through hands-on access that surely some must be deliberate features of the products and no accident. Black Box Voting has documented just how much certain election officials appear to appreciate the "back doors" built into their voting equipment. To the extent that such "features" have actually been exploited by unscrupulous local election officials, they have been co-opted, and certainly will not voluntarily relinquish computerized voting. And worst of all, an extraordinarily dangerous feedback loop is enabled through the unwarranted belief of the trustworthiness of computerized voting technology. A series of deceptive election results over time that remain unchallenged can lead to the manufactured illusion of a shift in the underlying voting patterns of the electorate. Not all at once, and not in every election. But over time, the perception becomes reality, insofar as we can tell. Exit polls and even the weighting criteria for public opinion polls (the so-called "likely voter cutoff model") are all eventually calibrated to match official election results. This nightmare scenario is uniquely enabled by unwarranted trust in computerized voting technology, it is certainly technically feasible to pull off given enough time, and, God help us, could actually be well underway. How can HR 811 overcome the top ten blunders? There are industry best practices that suggest a radically different approach to positively transform HR 811. Personally, I don't want to salvage computerized vote tabulation, much less allow DREs in any form; but regardless of what I might wish, eradication of computerized voting is going to take some time. In the meantime, we need to get legal ballots back on paper, and more and more of them counted by people. HR 811 is on the right track by mandating archival paper ballots as the source of truth in an election. These paper ballot records, if properly used, would allow us to treat electronic vote tallying as a "black box". In engineering terms, "black box" testing means that if we can measure the accuracy of the outcomes, we can ignore all the intermediate steps. Don't manage the process; measure the outcome. In other words: eliminate code inspection, independent testing labs, and certification because ultimately they can provide only "voodoo security". Trumpeting the mere appearance of trustworthiness as the genuine article critically deceives the non-technical public and is profoundly unethical. Setting aside for now the details of the competing proposals, a robust statistically-valid hand check of machine accuracy is certainly feasible. The essential prerequisite (overlooked in HR 811) is to finally get serious about absentee and early ballot chain of custody, and paper-handling procedures in general. They do have good ideas on how to do this in Canada, and we could also consider common-sense measures such as storing early and absentee ballots in a secure third-party facility - like the nearest federally-chartered bank. Whenever the electronic tally, however produced, departs from the mandatory hand count by a defined legal threshold we should fine the responsible vendor on a sliding scale. And require the vendor to pick up the full costs for an expanded hand recount. And unlike HR 811 - and like we do in Minnesota - the criteria for expanding the scope of any hand count should be clearly defined legally and automatically triggered. Although it falls far short of my preferred voting method - 100% in-precinct hand counting with chain of custody reform for all ballot types - this suggested approach radically simplifies HR 811. It eliminates the false sense of security that inspection, testing and certification leave in their wake; it reduces cost to taxpayers, and if done properly and with much tighter control of the ballot paper trail, it should make both accidental and systematic electronic vote mistabulation much easier to reliably detect. On the other hand, it does have the side-effect of significantly reducing the income of those of my colleagues who make all or part of their living through testing and certification work paid for, directly or indirectly, by the electronic voting industry - and ultimately, by us taxpayers. Good luck to them moving on; there's certainly no shortage of honest work elsewhere in the computer security and quality assurance professions. Afterword According to DRE advocate Michael Shamos,
...I believe I and the republic will survive if a president is elected who was not entitled to the office....That's preposterous. A republic falls when power is seized by those not entitled to office. Given the current state of world affairs, I doubt we will be able to confirm Shamos' prognosis for the survival of the republic anytime prior to noon on January 20, 2009. Perhaps, not even then. Whether we will live and die as citizens or serfs is at stake, and it's long overdue to put our legal ballots back on paper and our citizens back at work counting them.