A loophole in the Federal voting equipment "standards" can explain the high equipment failure rate being observed with some of the new DRE and VVPAT products. Other serious security risks are detailed. This comment was entered into the record in the U.S. Congressional Committee on House Administration's hearing on "Electronic Voting Machines: Verification, Security and Paper Trails."

::::::::

The following comment by Rebecca Mercuri on the subject of "Electronic Voting Machines: Verification, Security and Paper Trails" was entered into the record of the September 28, 2006 hearing by the U.S. Congressional Committee on House Administration.

When I appeared before the U.S. House Science Committee at their May 22, 2001 Hearing on "Improving Voting Technology: The Role of Standards," among my statements was the following:

"To date, no electronic voting system has been certified to even the lowest level of the U.S. government or international computer security standards (such as the ISO Common Criteria or its predecessor, TCSEC/ITSEC), nor has any been required to comply with such. No voting system vendor has voluntarily complied with these standards (although voluntary compliance occurs within other industries, such as health care and banking), despite the fact that most have been made aware of their existence and utility in secure product development."

Over 5 years later, the above statement continues to remain true. Electronic voting systems are less secure and less reliable than any computer-based systems that are deployed in applications where auditability is mandated by law. Why this is so, is (at least in part) because of certain loopholes in the Federal Voluntary Voting System Guidelines (VVSG) that first appeared in the Federal Election Commission (FEC) document set, and were perpetuated into the FEC 2002 and EAC/HAVA 2005 sets, despite vigorous and increasing protest by the scientific and engineering community.

In particular, all versions of the VVSG specify a Mean Time Between Failures (MTBF) rate that allows for many equipment malfunctions during election day to be deemed "within specifications" even when they affect up to 10% of the voting units. Such malfunctions can result in voter disenfranchisement, as we have recently seen in Maryland and elsewhere. This astonishing inadequacy (publicly noted by Dr. Stanley Klein to the EAC in 2004) explains why Cuyahoga County Ohio may have experienced a 10% rate of failure with their Voter Verified Paper Audit Trail (VVPAT), and also why their vendor has not been held accountable for such poor performance. In this day and age, there is absolutely nothing that constitutes rocket science when it comes to printing information on pieces of paper in a reliable fashion. For example, the Diebold company manages to successfully print millions of pieces of paper each day, at their Automated Teller Machines located around the globe. As well, in 4/5 of the U.S. States, millions of lottery tickets are successfully printed, in a secure and anonymous fashion, every single day. But when it comes to voting, instead of using reliable paper printers that can perform a "cut and drop" action following ballot review by the voter, all of the major election system vendors have deliberately chosen to implement VVPATs by using flimsy reel-to-reel paper that violates voter privacy in addition to failing at the rate "deemed allowable" by the Federal standards. It is my belief that this "design for failure" of the VVPATs has been intentionally and deliberately used to undermine the numerous state laws that have been enacted in this regard, and to enable such anti-VVPAT showboating as was displayed by some of the panelists at your hearing on September 28th.

Certainly, Direct Recording Electronic (DRE) voting machines do not have to produce VVPATs on long, thin strips of thermal paper. The VVPAT could take the form of a Voter Verified Paper Ballot (VVPB), such as the optically scanned ballots, used by 60% of U.S. counties and an increasing number of "absentee" voters. The AutoMark is one such product that allows a full range of disability access in the private preparation of an optically scanned paper ballot that is essentially the same as those prepared manually by voters who do not require computer assistance. The Vote-PAD is a mechanical system that also allows disabled voters to privately prepare an optically scannable VVPB.

Another area of great concern involves the security vulnerabilities of computer equipment used in ballot preparation and vote tabulation. Here again, the federal agencies responsible for creating voting system guidelines have continued to perpetuate a loophole that poses a serious risk, that of the blanket exemption from inspection for Commercial-Off-The-Shelf (COTS) software and hardware. As I, and colleagues Vince Lipsio and Beth Feehan, wrote in an article to appear in the November 2006 Communications of the Association for Computing Machinery:

"This loophole is anathema to security or integrity. In other critical computer-based devices (e.g., medical electronics or aviation) COTS components may be unit tested a single time for use in multiple products, with COTS software typically integration tested and its source code required for review to ensure that it is indeed unmodified. In contrast, for voting equipment, this blanket inspection exemption persists, despite having strenuously been protested by numerous scientists, especially in the construction of guidelines authorized by the Help America Vote Act (HAVA). Nevertheless, special interests have prevailed in perpetuating this serious backdoor in the advisory documents used for the nation's voting system testing and certification programs."

Another massive security loophole that is allowed by the EAC/HAVA voting system guidelines involves the use of telecommunications devices to provide access to critical data for voter authentication, ballot definition, vote transmission, vote count, and voter lists. Although Dr. Felten has demonstrated that computer viruses can be transferred to voting equipment even when network connectivity is not present, the EAC showed an astonishing lack of discretion when it authorized that voting systems could be connected "across a broad range of technologies, including, but not limited to: wireless, microwave, public telecommunications lines, and communications routers." I informed the EAC on September 30, 2005 that "all such channels are not only highly vulnerable but provide avenues for insider as well as extensive outsider exposure to the election data and also potential access to the object code versions of the software running within the balloting and vote tabulation equipment. There is absolutely nothing in the standard that provides any real confidence or confirmation that accuracy, durability, reliability, availability, and integrity can be maintained for voting systems interfaced to telecommunications environments." This is especially true where there is no means provided whereby voters and election officials can independently verify the correctness of electronically recorded ballots and their subsequent vote totals. Regardless, the EAC has deemed that this serious connectivity risk may persist.

As flawed as the 2005 EAC standards are, they are still an improvement over the earlier FEC ones that ignored making any implementation recommendations regarding VVPATs. Since the EAC standards were also issued late, absolutely none of the $3B in HAVA funds will have been spent on "HAVA certified" equipment. Instead, these purchases were made for 2002 and even 1990 certified systems, some of which also fail to adequately satisfy the HAVA disability requirements. As early as 2003, I was publicly calling for a moratorium on all DRE purchases for these reasons. Although the EAC granted an extension for submission of the HAVA state plans, and could have (with the cooperation of Congress) similarly authorized an extension for the equipment purchases until the HAVA voting products were certified and available, this was not done. As Chairman Vernon Ehlers correctly noted in his closing remarks to this panel, and as I have also often said, it is unfortunate that the "cart was placed before the horse" in not requiring that adequate standards were fully in place before the funds were allocated. The result is that the vendors have received a cash bonanza to, in effect, move their "used cars off of the lot," so to speak. Some years down the road, when the new equipment models arrive, no HAVA funds will be left to be spent on them. Nor will any Federal funds be available to compensate communities for replacement of the malfunctioning and inadequate equipment that has, unfortunately and unwisely, been purchased under the HAVA program.

The EAC needs to immediately close the aforementioned loopholes that exist in the voting system guidelines. This can best occur if the voices of scientists (such as myself) who have made extensive contributions to the understanding and deployment of verified voting technologies, and members of the disability community who are not opposed to VVPATs, can be heard. The current exclusionary practices, especially those that display vendor influence and bias, in these official discussion forums must be ceased.

It is not too late to provide all citizens of the United States with the ability to independently verify that the ballots they cast in the 2008 Presidential election have been recorded as they intended. And it is not too late to provide all election officials with voting systems that enable efficient and proper audits of election results without the use of computers. Presently, this is only possible with paper. For now (November 2006 through 2008's election cycles), the only appropriate recommendation that can be made is to allow communities that had obtained the DRE systems to instead provide their paper-based "absentee" ballots for use by all voters, throughout the precincts. In the future, voting system vendors should be encouraged to augment such paper-based systems with additional security controls that improve the detection of ballot alteration or removal attempts. America need not fear that a return to paper-based voting will cause us to be looked upon as Luddites, rather it should focus its attention on providing the best election technology in the world. The current crop of DRE voting machines simply do not fit the bill and should be withdrawn from use.

Authors Website: http://www.notablesoftware.com

Authors Bio:

Rebecca Mercuri has been in the forefront of the voting integrity movement since 1989. She provides expert witness services for elections and other forensic computing matters.