Senate Elections, Reapportionment & Constitutional Amendments
Are
A Critical Look at the Federal Testing and Certification Process
Debra Bowen, Chair
VICE-MAYOR KELLY J. FERGUSSON: Good afternoon
and welcome to the Menlo Park City Council Chambers. I’m Kelly Fergusson, the vice-mayor of
Here in
SENATOR DEBRA BOWEN: Thank you very much, and
I want to acknowledge Nate Pinkston who’s here from
Ira Ruskin’s office, right back here.
Thank you very much for being here with us. And I want to thank everyone for joining us
today.
This is the third informational
hearing in this committee’s ongoing effort to look at the mechanical workings
of our electoral process and how they can be improved and specifically how
public confidence in the results of elections can be improved. Last week, we looked at the concept of using
open-source software in our election systems.
And in mid-January, we looked at where
Today we will look at the
certification process itself—how it works, how it doesn’t work, how it might be
improved. To everyone who is looking at
the agenda wondering where Diebold and the other voting machine vendors—Independent
Testing Authorities and the Secretary of State are today—all I can tell you is
that they were all asked to attend and all refused. Clearly, each of them plays a significant
role in this process, and their testimony is critical to helping the Legislature
and the public determine whether they should or should not have confidence in
the equipment that is used to cast and count ballots. Since asking nicely for participation hasn’t
worked, it will be time to turn up the heat a little bit to get these parties
to Sacramento for a hearing in March. I
hope we can do this without the use of the subpoena power.
The three things that I want to focus
this hearing on and want to keep us coming back to are as follows:
One, the question of transparency in the
testing process and the fact that, once the machine is certified, it is not
tested again.
Two, the relationship between the
vendors and the Independent Testing Authorities, we will take testimony on the
question of the relationship, question of conflict of interest, and the
question of whether or not there is an incentive for the testing authorities to
find bugs, holes, or problems, given who is paying the bill for the testing, and
again, what we might do to change or improve on that situation.
Third, the very adequacy of the
standards that the ITAs test against and whether it is really
meaningful in terms of the actual conduct of an election. We could have the greatest,
most transparent, and most independent test in the world. But if the standards are either too low or
don’t test what needs to be tested, then what does it mean to pass a test?
We have a distinguished panel of
experts on hand to help us answer these questions and address these
issues. I’d like them to come forward at
this point. As you will notice on the
agenda, we also have a comment section at the end of the hearing. If you would like to
testify, I would appreciate your signing in with the Senate Sergeant-at-Arms in
the back of the room, not because we want to know your name, your social
security number, or any other personal information about you, including whether
you’re registered to vote or how you voted, but because we like to be able to
manage our time so that everyone who wants to speak has an opportunity to do
so.
So with that, let me ask Professor Avi Rubin, Professor Dan Wallach, Professor David Dill,
and Professor Peter Neumann to the hearing today. And again, thank the City of
VICE-MAYOR FERGUSSON: Thank you.
SENATOR BOWEN: Let me ask Professor Rubin to
start us off.
PROFESSOR AVI RUBIN: Thank you, Senator
Bowen, and Members of the Committee. My
name is Avi Rubin, and I’m a computer science
professor at
This hearing is about testing. And so while there are many things that I
would love to talk about and could talk to no end about, about electronic
voting, I’m going to focus on testing today.
And I think it’s important to understand, when we limit the discussion
to testing, what the limitations of testing are. You cannot test for security the same way
that you test for functionality. So
while testing can be effective at determining whether a particular machine
performs certain actions when it’s running under expected conditions, testing
for security, which would be unexpected conditions or a malicious adversary,
cannot be done in the same way.
And I
thought of an analogy to give you to illustrate how security testing is very
different from functionality testing.
Imagine if you had a large vault that was protected with a large
combination lock and you wanted to test how secure it was. There are all kinds of things that you can
do. You could take a big power drill and
see how hard it was to drill a hole into it.
You can drop it and see if it breaks.
You can look for worn out parts on the dials to see if after a while you
could figure out what the combination was.
But let’s say that this safe was set with a combination of 1-2-3-4. If you didn’t have a test in your testing
plan that said, see if the combination is 1-2-3-4, you might be able to perform
all kinds of tests and think that you can conclude that it’s secure. But if the combination is 1-2-3-4, nobody
would agree that this safe is secure.
It’s not a perfect analogy, but it kind of illustrates that, you know,
an attacker might walk in, and the first thing they might try would be 1-2-3-4
and they got in, whereas a test could not possibly be designed for that
circumstance.
The
first step in certifying and testing a voting machine in
There
are specific functionality tests that take place. Some are defined for DREs, and some are
defined for optical scans. These are
hands-on tests, testing all the features of the machines to make sure they’re
correct.
While
I’ve described some of the good things that are going on in
It’s
important to incent these Red
Teams so that they’re rewarded for finding problems with them as opposed to being
rewarded for not finding problems with them.
If you give this to the security experts and you incent them to find
problems, if there are problems, they’re more likely to find them, obviously.
The
testing reports that result from the different tests that take place for
security and for functionality need to be posted publicly, and it’s my
understanding that that is the case in
There’s
currently no testing of the audit process.
So for example, in the case where there are DREs with voter-verified
paper trails, the long ribbon, which I’m not a big fan of, they don’t test what
it would be like to do a recount. If
you’re going to test the voting system and you’re going to do 1 percent manual
recounts, you need to test the manual recounts.
There are no tests right now required of the procedures that are part of
the certification, not just the voting machine, but they should test those
procedures. And there’s no institutionalized
code review. There’s not a requirement
that software experts be able to analyze the code that’s running inside of the
machines.
The
Let
me wrap up with some recommendations and some of the things that I skipped for
the sake of time, I hope will go through, when you ask questions. I recommend making all the testing reports
publicly available in their entirety, performing penetration and Red Team tests
on all voting equipment, that testing by these qualified, independent security
experts be done, such as the RABA team that analyzed the systems in Maryland,
and that all of their test results be made public, testing the accessibility
features with the same rigor as the others, and continuing the volume testing
and the parallel testing.
Finally,
I should say that I think
SENATOR BOWEN: All right.
Thank you. It’s hard to know
whether to start here or hear from all the panelists. But I think what I’ll do is go through the
panelists because, that way, if you all have disagreements amongst yourselves,
I will have a better idea what to ask.
And my guess is that you won’t all be in total agreement on
everything—that’s as it should be—or not.
Let’s
go next to Dan Wallach, Professor of Computer Science at Rice University, and
thank you very much for joining us from Texas, and please accept our wishes
that our good California weather take whatever bug it is that you brought with
you that it’s not a computer bug and dispatch immediately. (Laughter)
PROFESSOR DAN WALLACH: Thank you, Senator Bowen,
Members of the Committee. It’s a
pleasure to be here today.
So I
am an associate professor at
So
I’ve been working on voting since about 2001, when they first introduced these
machines in
So
let’s see. When you want to talk about
testing, testing is always done with respect to some standard. So Avi spoke about
testing. I want to speak about the
standards that you test to. So recently,
the EAC and NIST promulgated the 2005 voluntary voting system guidelines. We have a copy right here on the table…
SENATOR BOWEN: Let me stop you for just one moment. I am told, that with the microphones in this
system, you have to get the mike very close to you and that there are people in
the back who can’t hear. So let me do a
little test. I’m going to talk; and if
you can’t hear and you’re in the back, please raise your hand. If you can’t hear from the back, let me know.
Okay. Now we’re going to do a test of the
microphones at the panel, and I will ask you to just repeat again that little
part about this being an engineering challenge because I think it’s worth
hearing again. And then I will ask
people in the back, who you can’t see, to report. And you won’t know if I am accurately
recording the results on this test (laughter) because it’s not transparent.
PROFESSOR WALLACH: Okay. So the engineering problem of microphones is
not unlike the engineering problem of voting machines. It’s a different threat model.
SENATOR BOWEN: Okay.
I’ve got an okay in the back, so I’m assuming that this has been a successful
test and that now everyone who is here will have all of the testimony.
PROFESSOR WALLACH: Thank you.
So
the 2005 standards are definitely an improvement over the 2002 standards. However, they have very little to say about
critical issues that can affect vulnerabilities and security in voting
machines. In particular, there’s no
significant attention paid to the software engineering process used to develop
these systems. When you want to build a
system that you intend to be reliable, that you intend to be robust, that you
intend to be secure, if you want it to actually be all those things, that has
to be part of your design plan from the very beginning that affects how you
write your software; it affects all the processes that you use; it affects how
you hire people; it affects the tools that you use and generally makes the
process much more expensive and much slower.
But in return, you get a higher-quality result.
And
when you look at the way critical systems, like, say, airline control software,
you really don’t want your plane falling out of the sky. That would be bad, oops, sorry about
that. And as a direct result, companies
like Boeing invest huge amounts of money in their software development and
qualification. None of this is done
presently for voting systems. The ITA
process, the VVSG standards have effectively nothing to say about the process
behind the software. And if you get the
process wrong, you’re guaranteed that the result will be broken. And even in
SENATOR BOWEN: But one of the questions that I’m going to ask
all the panelists is, If there is a way to test, given the number of polling
places and the number of voting stations in California, if, realistically,
there is a way to test whether or not every electronic piece of voting
equipment is actually running the code that has been certified. So I’m going to ask all of you to address that.
PROFESSOR WALLACH: So one thing that you will often hear
described as a possible solution—and this is what they call hash-code testing—where
you ask the computer what it’s running, and it gives you a magic number. And if the magic number is what you expect,
then you say, great. But that’s kind of
like asking somebody who walks into a bank, Are
you a bank robber? Why, no, I’m not. (Laughter)
So, well, okay, then. Go right ahead.
So
actually, the process of verifying that the software in the machine is the
software that you wanted to have in the machine is a very interesting,
technical problem. To me, it’s an
open-research problem. Probably the only
area where we have any traction on any similar problem in the computer industry
is, of all places, in game systems. Sony
and Microsoft are very, very concerned that you don’t
run pirate games in your Xbox or your PlayStation, that you only run software
that has the Microsoft stamp of approval and Microsoft gets the appropriate
royalty payment. So I think we might
actually be able to leverage the sort of technology that’s in, you know, a
cheap Xbox. That same sort of technology
may very well have a place in voting systems.
But to date, no existing voting system does anything like that.
SENATOR BOWEN: Can you just describe a little more for us,
how that works?
PROFESSOR WALLACH: Okay.
So the way that game systems verify that they’re running official
software is, that when the hardware first powers up, it begins to download the
game from the CD. And that process
involves checking that certain features of the disk are as they’re supposed to
be. So with the original PlayStation, it
checked that there were some blocks that had incorrect check zones. It turns out that a normal CD burner will
refuse to write incorrect check zones.
So if you burned a disk, it would be correct and that’s not
correct. So Sony deliberately put errors
on the CD and they checked those, sort of a funny trick.
In
more recent systems like the Xbox, they used cryptographic techniques and made
sure that they—well, what is the operating system is digitally signed such
that—and then the game console actually has the appropriate cryptographic key
materials to verify that Microsoft in fact blessed this particular game.
This
hasn’t stopped enterprising people from rewiring their game systems to be able
to play pirate games. But
if someone were to rewire a voting machine to run pirate voting software, that would
be a physical modification that could be detected on physical inspection, if a
voting machine were built the same way game machines were built.
SENATOR BOWEN: So there’s no way you can modify a game, an
Xbox or a—these are all devices I’m not personally familiar with. (Laughter)
You cannot modify the software or the firmware in such a way that it
will run a CD that’s not authentic without modifying the hardware in a way
that’s physically visible?
PROFESSOR WALLACH: So curiously enough, there was a particular
game for the Xbox. It was a 007 James
Bond-themed game. And
this particular game had a vulnerability in it.
And people were able to attack the game in order to hijack the system
and then install Linux on their Xbox.
It’s kind of a bizarre thing. So
if you Google for the 007 exploit, you’ll see all these details. And that actually leads to an important
point. Even if you use techniques, such
as cryptographic signatures to authenticate that software is official, the
software still has to be built to appropriate standards.
SENATOR BOWEN: Right.
And I think that that’s a point that we want to pursue, as many people
have asked me—and again, I will ask the panelists—many people have said to me,
look, I use an ATM machine all the time and it is manufactured by Diebold, and
it seems to be a fairly reliable piece of computer engineering. Why is it that the voting systems don’t
function in the same, secure manner?
PROFESSOR WALLACH: So my stock answer to that is that there is
nothing anonymous about an ATM. The ATM
takes a picture of you when you use it and you put in your PIN, and there’s a
record and it gives you a receipt.
Anonymity isn’t part of the problem.
If anything, the last thing they want is anonymity. If I go to my bank and say, I didn’t make this
withdrawal, they say, Well, what’s
this picture of you standing in front of our ATM?
With
voting, we seem to feel that anonymity is valuable. If you go back 150 years or so, people voted
by standing up and saying, I vote for Bob. And if we want to
go to a world where votes are not anonymous, then that simplifies the
engineering problem. But because we want
to avoid voter coercion and bribery, our country and most other countries have
moved to anonymous voting, and the anonymity is part of what makes the
engineering problem more challenging.
SENATOR BOWEN: So the fundamental challenge from a software
engineering standpoint—and if I can put this into terms that you can
understand, even if you don’t own an Xbox—is that once you combine the desire
for privacy with the desire for absolute security, it becomes much more
difficult to build?
PROFESSOR WALLACH: Absolutely.
SENATOR BOWEN: I think that’s a really critical point for
people because they do know that their airplanes fly on software and that that
software works pretty well, and they do know that their ATMs work, and so they
wonder, Why can’t this work for voting?
Another
question, I think along that line, you alluded to earlier in your testimony,
and that has to do with just plain old devotion of resources. What kind of resources are
expended in developing and testing?
Let’s use three examples. Again,
I’ll ask any of the panelists to weigh in on this. One would be ATM machines. The second would be, since you raised it,
airplane software. And third, how about
nickel slot machines? What kind of
resources do we expend assuring that the results in nickel slot machines, which
have nickels at stake, not governance, are accurate?
PROFESSOR WALLACH: So David Dill probably knows more about
airplanes than me. So I’ll focus on slot
machines and ATMs. (Laughter)
So
I’ve recently become enamored with economic game theory and incentives. And you can explain a lot by looking at the
incentives behind things. In slot
machines, regardless of their denomination, and with ATMs, all the parties have
an incentive to look over their shoulder.
Banks want their ATMs to be reliable and robust because otherwise people
will steal money. Or, people will
complain or maybe leave the bank because, Well, your ATM, I asked for $200 and it gave me $100. You know, forget you. I’m going to another bank.
So
both the banks and the customers have an incentive. They both want accuracy. Of course, the customers would be happy to
get free money, and the banks maybe wouldn’t mind if you got less. But that sort of
averages out. And everybody’s watching
the system, and everybody makes sure it works.
Slot
machines are very similar in the sense that the casinos that run them tend to
be for-profit ventures. And if the
machine pays out more often than the odds that are printed in front of the slot
machine, then the casino loses money. So
if it’s one thing that casinos know how to do is count their money. And they can figure out exactly how much
money every machine has paid out. And
even if they can’t detect that one particular incident was erroneous, over
time, over days or weeks, they can clearly determine that this machine or that
machine has been paying out more or less.
And then they’ve got those video cameras all
over the ceiling, and they can figure out, Was
there somebody who went and got an extraneous payout? Now they’ve got pictures; and now they’ve got
all the evidence they need. And in fact,
in 1998, in Nevada, some inspectors, whose job it was to check the slot
machines, were actually tampering with the slot machines, such that, when you
put in a particular series of bets, then you get a big payout.
So
first, the inspector goes and dorks with the slot machine and then his
compatriots come in later and do the funny bets and make the big payout. Why were they caught? Because they were trying to
extract too much money too fast.
So that’s a fine example of something where it was only caught because,
well, you know, the parties have an incentive.
The casino, the house wants to make sure that it’s not paying out too
much.
In
voting, it’s unclear where the analogous incentive is, and that’s part of the
problem. In voting systems, the
concern—and not that I would point the finger at any particular insider or
developer or anybody—but you have to be concerned that any of them might be
malicious, and you need a system engineer to work, despite the fact that any of
them could be malicious.
SENATOR BOWEN: So in other words, you’re basically asking the
engineering and the process to overcome the privacy limitations or the
anonymity? You have to have a system
that’s so robust, so many checks, that it doesn’t matter that it’s not…
PROFESSOR WALLACH: I would like the president of a voting machine
company to be able to walk in and tell you with a straight face, even if I’m
partisan, even if I want to throw the election, I can’t because my system is
built in such a way.
SENATOR BOWEN: And can you test for that?
PROFESSOR WALLACH: Can I test?
SENATOR BOWEN: Yes.
PROFESSOR WALLACH: You can engineer for it; but all the way from
the very beginning, you can’t slap that on as an afterthought.
SENATOR BOWEN: So you’re saying that has to be built into the
engineering?
PROFESSOR WALLACH: From day one.
SENATOR BOWEN: How would that be different than what things
look like right now, the way systems have been developed?
PROFESSOR WALLACH: So there are a lot of different proposals for
how voting machines ought to be built.
And the place to start as a baseline for a very well-designed, simple,
and cost-effective voting system is mark-sense paper ballots. That’s where you fill in the bubble or
connect the dots between two arrows and where you have the counter in the
precinct, so there’s a scanner bolted to the top of the ballot box, this means
that you have—the scanner can reject something if you vote for two candidates and
you’re only allowed to vote for one, it can just say, Error. At least in
With
a system like that, if the software in the tallying machine is messed up, then
you have Plan B. You can go back to the
original paper ballots.
SENATOR BOWEN: And how would you know if the software in the
tallying machine is messed up or not functioning properly?
PROFESSOR WALLACH: So this is where you can either do statistical
techniques, such as, you know, the 1 percent random audits, and you might
furthermore, just randomly choose precincts and count everything again. Furthermore, you could—usually,
the press wants to know who won the night of the election. But certification of the election happens
several days later. In the interim, there’s
no reason why you couldn’t have a separate mechanical system separately recount
the ballots. And if the scanner in the
precinct was accurate, you should get the same answer. And if it was different, then that’s
interesting, and then you might want to investigate in more detail.
PROFESSOR DAVID DILL: So I wanted to comment on
this and also on your question about what measures are
taken with other things. You know, I
have a lot to say about the certification process. And when I came in
here, I was thinking, What’s the most important thing I can say in a few
minutes? And I think the most important
thing I have to say is actually going to be somewhat in conflict with what the other
members of the panel are saying; although, maybe after more discussion, we’ll
agree.
There’s
a natural tendency for computer security people to think about tightening up
the security of the machines.
SENATOR BOWEN: Let me stop you just for one moment to ask you
to introduce yourself…
PROFESSOR DILL: I’m sorry.
SENATOR BOWEN: …audio
only.
PROFESSOR DILL: Yes. I was just diving into an answer of a
question.
SENATOR BOWEN: Yes, please.
PROFESSOR DILL: I’m David Dill. I’m a professor of computer science at
So
I’ve been worrying about this certification issue and looking at some of the
things that have happened recently in states such as Pennsylvania and Florida
where the certification process has worked against the adoption of the kinds of
equipment that we prefer because computer security concerns in some sense have
trumped what I think should be the real concerns which are the auditability of
the machines. Ultimately, we can pull
out all the stops and try to make these machines as secure as we possibly can. That would be an extremely costly and
time-consuming process.
At
the end of that process, we would still have machines that we couldn’t trust
because we can all think of ways that they could have been corrupted by their
manufacturers if by no one else. And so
in that situation, you have to stop trying to make the technology better and
start thinking hard about how can we make the technology so it can be double
checked? So that’s really a focus on
auditability of equipment. And not just the auditability of the equipment but the
auditing procedures that are routinely invoked.
So I think
But
the flip side of it is it not only—you know, well, it’s lousy but at least it’s
expensive and takes a long time.
(Laughter) But the process is
very costly and introduces a lot of delays, and I see this as harming voters
because it has been a barrier to the deployment of improved equipment, equipment
that is more auditable, more accessible, and more usable than the equipment we
have on the market now. It’s created an
oligopoly of a small number of major vendors who dominate the process. And I think that we need to resist the urge
to just say we should make certification more stringent. In some ways, we do need to make it better
and more stringent. In other ways, we
also need to streamline the process and make it less costly and difficult for
manufacturers to get through. Now this
is a case of wanting to have my cake and eat it too, and I realize that what
I’m setting up here is a very, very hard problem, but I think that we need to
appreciate the difficulty of the problem and think it through carefully rather
than saying, Okay, we just need to go
take the processes that they use for
safety, critical systems, such as airplanes, and use them in voting machines.
In
fact, when I was on the IEEE Voting Standards Committee called the P-1583
Committee, one of the guys on the committee was an expert in software safety
and hardware safety and in fact had worked on some of the networking apparatus
inside the Boeing 777 which, you know, the certification of the hardware and
software in that airplane, which is a completely different process, costs
hundreds of millions of dollars. And he proposed that the same standards, which
had already been written, be used for voting machines. And the reaction of
other people in the committee was, Well,
if we did that, the State if
SENATOR BOWEN: I guess the obvious question is, if it is that
expensive to use an engineering and security process
that are trustworthy or to certify a machine as trustworthy, should we be using
machines?
PROFESSOR DILL: Well, that’s a very good question. I think it’s—you know, I’m a computer
scientist, so it would be difficult for me to say, oh, just don’t use
computers. (Laughter) But I’m willing to go that far if it’s the
right thing to do. And I don’t think
it’s really necessary. I think what we
need are computers where you can double check everything that they do. Just treat those computers as people that you
don’t know and give them an equal level of trust, which is basically none. You have to have in place checks and
balances. Even if you have a completely
manual process where people fill out the ballots by hand and count them by
hand, you have trust issues because the people counting the ballots are just as
untrustworthy as the computer. And so in
that case, you need to rely on checks and balances in order to make sure that
the ballots are properly counted. You
would want to have them counted by several people of different parties looking
at the ballots at the same time and put in place a lot of those other
procedures. Essentially the same thing
can be used to make computerized vote counting work, but the entire process
relies on having a trustworthy record that has been verified by the voters,
whether you do the process manually or whether your computers are involved in
the process. There has to be some manual
counting, but I don’t think—I’m not going to advocate that it needs to be all
manual.
SENATOR BOWEN: I think the question that arises very often is
not the question so much of—I think your point’s well taken about the fact that
everyone is potentially untrustworthy.
But the manual systems of counting rely on the fact that many people
would have to collude in order, statistically, to change the outcome, and they
also rely on the fact that one or many people can observe the counting process
and the recounting process and the fundamental difficulty with having that
level of trust established when a count or a recount is being done in a way
that is not even potentially transparent.
Response?
PROFESSOR DILL: I don’t know whether you’re saying this is
only true in the case of 100 percent manual counting. Those are essential properties that you need
to have with a trustworthy voting system, and I think that can be achieved with
paper ballots, whether they’re counted by machine or by hand, so long as you
have enough hand counts that you’re double checking the machines that are
involved. But the principles you’ve
stated are exactly right.
SENATOR BOWEN: You’re talking about at the central level as
well because one of the concerns that we had is not just what’s happening at
the polling place with an individual machine but what happens at the central
tabulation point where votes from the various polling places are collected and
assembled. And there, I think what you’re
talking about, the checks and balances, just simple steps, such as posting the
number of people who have voted at a particular polling place when the polling
place is closed so that, if there is a polling place where it is reported that
320 people cast their ballots on that day at 8:01 p.m. and three days later it
appears that 820 people cast their ballots that day, you know that something is
wrong without even knowing what the count is.
PROFESSOR DILL: Yes. In
many states this happens and nobody checks.
So an election is a complicated thing.
So from the point where the ballots go out to the voters, no matter what
kind of ballot they are, till the final recount and whatever, every part of
that process has to have checks and balances and has to be auditable. So we’ve been
focused very much on electronic voting, but the same principles apply
everywhere in the process.
SENATOR BOWEN: Okay.
Peter Neumann. And I have more questions
than I can even begin to know where to start.
But, Peter, let’s turn to you. I’ll ask you all to reintroduce yourself
again.
MR. PETER NEUMANN: Peter Neumann. I’m the principal scientist at Computer
Science Laboratory at SRI. I’ve been in
computers for over 50 years. As I
mentioned to you last week, in security for over 40, and in the voting analysis
and discussion of evaluations and certification and so on for close to 20 years
now. I would refer the audience to the
testimony, the written testimony, that I gave for you last Thursday, which is
not on your website, and I went into considerable detail about why openness in
the process is essential.
I’d like
to begin by saying that there is no discrepancy between what Avi and Dan said
and what Dave said but, rather, there is a sum of the two that is
important. The voting process is an
end-to-end integrity problem where essentially everything along the way is a
weak link. We have nothing but weak
links, whether it’s the registration process or the voter authentication
process or the ballot preparation or the entering of the vote onto the screen
or a punch card or whatever or a box-sense card, the counting of the ballots,
the potential for manipulation and misuse and accidents exist in every single
step. So auditing and oversight and
openness are absolutely essential throughout the entire process, and any
self-respecting computer security person is not going to say that if we had a
perfect voting machine, it would solve all the problems. There is no such thing as perfect security,
especially when you consider the problems of insiders who are trusted to be
able to do all sorts of nasty things or to make accidental mistakes that could
alter the results.
So I
think the important thing here for this particular testimony is that the
federal voluntary standards are very weak.
They are a little better than the 2002 standards which were a little bit
better than the 1990 standards, but they are still enormously deficient. I have the stack of paper here which
represents the current voluntary voting system guidelines, hundreds of
pages. Each item is a sentence or
two. And the level of detail is minimal. The number of vulnerabilities that are not
included is enormous.
I’d
like to pick up on your previous question on the flight recorder, the ATMs, and
the gambling. The $1.7 million Harris
scam from many, many years ago was a progressive machine payoff that was
triggered by some insiders. There’s one
example. There are various other
cases. But the
gambling industry very quickly realized that they needed a tremendous amount of
oversight; otherwise, they would be losing a great deal of money if there were
in fact scams.
The ATM situation is a very
interesting one. You’ve already heard
how there are detailed audit trails and cameras and everything. Last night, I had dinner in
SENATOR BOWEN: I really want to stop and
highlight that point because, while I may not own an Xbox or a Game Cube or
whatever they are, I do spend a lot of time and do a lot of commerce and
business online. And some time ago, I
started printing out pages of well-known websites. What I got instead, for example, on the check-in
page for an airline or an online auction site, instead of getting the item, I
got a page of computer code. It started
printing that, and I have a little collection of pages of computer code where I
should have seen a chart asking you which seat on an airplane I wanted or
whether or not I wanted to bid another dollar for—I’m not going to tell you
which auction site it is or what I was buying—but I’m sure you can find out,
really. (Laughter)
MR. NEUMANN: One of my favorite stories
on that line was way back in 1964, I think it was,
when in the MIT time-sharing system the entire unencrypted password file came
out as a cookie, the message of the day.
(Laughter) And it turns out that
there was a shortsighted design flaw in the editor that was used. And the person who designed this system never
assumed that two people would be editing two different files in the same
directory at the same time. And it turns
out that the temporary files got interchanged and out comes the password file
as the message of the day, and the message of the day became the password
file. (Laughter) Things like this happen all the time. And if you look on my website, you’ll see a
list of literally thousands of cases of things where something was supposed to
go right and in fact it went horribly wrong.
The third case, though, is avionics where in my lab in 1973 we built the
world’s first fly-by-wire system prototype for NASA, and this was a system that
was over-engineered enormously. It had a
probability of failure of five orders of magnitude, better than the hardware
that was used to develop it. And the
point there echoes what Dan said, that you have to engineer it in. You have to build the system to be robust in
the first place. Now if you do that, the
cost is not that great. The problem is
that most of the systems that we are forced to trust, even if they’re not
trustworthy, were not designed with security in mind. And the problem then is you can’t retrofit
security into something that was never designed to be secure in the first
place. And the answer to the question, Does it cost more or is it massively
prohibitively expensive is quite different from the question in the aviation
situation. In the aviation case, the
cost of the 777 mainframe, the airframe, is enormous. And the cost of the very redundant computer
system is negligible by comparison.
In the case of the money machines,
nobody really wants to sink a lot of money into the development because the
marketplace is relatively limited, and there’s no real incentive to do it
right. Now there may be a lot of reasons
for that, but I’m not going to go into why one might want to design systems
that could be easily rigged, for example.
This is something I’m not going to get into. But it appears that not only are the
standards very weak, not only is the software engineering that goes into the
system very bad, not only are the evaluation processes paid for by the vendor
and proprietary, but subsequent to the evaluation, most of the vendors wind up
changing the system in a way that is not audited and in a way that is not
accountable in any sense.
The experience I had over a decade ago
in
SENATOR BOWEN: Technical term, right?
MR. NEUMANN: Technical term, right. (Laughter)
So my conclusion is very simple, that it is absolutely essential, as we
said last week, to have a great deal of openness, but it has to be openness
throughout the entire process, in that every step along the way is a potential
weak link. So why don’t we subject
ourselves to your questions. From last
week, I want to applaud you and thank you so much for doing this. The questions you asked last week were very
much indicative of the fact that you really understand what’s going on here.
SENATOR BOWEN: I’m not sure I want that responsibility. (Laughter)
PROFESSOR RUBIN: I want to interject something
on the aviation analogy—
SENATOR BOWEN: Yes.
PROFESSOR RUBIN: —because I hear it a
lot. David mentioned the hundreds of
millions of dollars that would be required to develop software using the
processes that are used for avionics, and it’s
actually much harder because you’re not worried about one of the developers of
the airplanes trying to make it crash, and there’s a big difference.
MR. NEUMANN: This is true.
Good point. (Laughter)
SENATOR BOWEN: It’s very interesting. Let me actually go to a question that keeps
coming up, which is, people are saying you have to engineer it in. How do you do that? What does that actually look like if you’re going to create a system where you have engineered
in…
MR. NEUMANN: In my humble experience, I have several
efforts. I live in a very high-end
research world where, for most of my professional career, I’ve been involved in
systems that were very trustworthy, that were survivable, that were very reliable,
that were highly secure; we were human safe.
And you might say they were over-engineered, and I would say, well,
really, they were architected in such a way that the system had a possibility
of being evolvable over a long period of time, so that as new technology came
along, you could stick it in there compatibly in some way and that you were
building something that had a long-term vision of the future rather than saying,
hey, we’ve got this little widget that’s sitting on a desktop. It doesn’t have any networking. It’s a standalone desktop, personal computer,
and we’re going to suddenly throw it onto the internet with no security in
it. And maybe we’ll add a little
security to make it okay. That is not
the way you go about things, and that is pretty much the way the election seems
to have been evolved.
So I
think the answer is, that if you look at the research over the past 40 years on
developing certain secure systems, there’s a very large number of papers and
for other types and experimental developments that demonstrate how one could
build things that are much more robust, much more predictably trustworthy. This is not a black art, but it’s made into a
black art by vendors and developers who don’t understand architecture and
software engineering, testing, certification, building things to be auditable
in the first place.
PROFESSOR WALLACH: So following up on Peter’s point, David Dill
earlier discussed that it’s not clear that the right answer needs to look like
a computer. It might look more like
paper. And part of the engineering problem
is also controlling cost. And if the
cost of an engineering process is just out of control, then you need to
engineer the process and say, well, if we can’t do, if we can’t build the
perfect software artifact, what can we do to compensate for an imperfect software
artifact? And that’s where we get into
the checks and balances. This is some
form of a paper audit trail—and there are many, many different ways we can go
into the details of, Should it be a continuous roll; should it be individual
cards? Those details we could get
into. But the reason why so many
computer scientists have stood up for the importance of paper is not that we like
dead trees. If you see my office, you
understand that I’m fighting with them all the time. (Laughter)
It’s that paper is something that’s outside of the computer’s
control. Once it’s been printed, it
can’t be unprinted. A software bug or a
software tampering can’t change the ink on the paper after it’s been printed,
and that means that you now have something that’s redundant. You have a digital path and you have a paper
path, and you can’t throw a lot of engineering at the problem and you can make
the sum greater than either of the parts.
Paper
by itself has a long history of election fraud.
And computers, well, they don’t have a long history in elections, but
we’ll see. When you can combine the two,
the paper is a check against the computer, and the computer is a check against
the paper.
PROFESSOR RUBIN: I want to kind of, sort of get back to my
comment on the airplanes which is, I don’t know that we’ve ever faced a
challenge of how do we engineer a security system that proves that the people
who engineered it, the very same people, aren’t cheating? So it not only has to be secure; it has to
carry with it a proof that it’s not doing anything that it’s not supposed to be
doing, and I think that’s a much greater challenge. The two analogous challenges that I think we
have are the anonymity and the privacy, and then the fact that you can’t trust
the builder of the system or any other component. That doesn’t mean they’re not trustworthy,
but we should build systems—and I think we can build systems—where it’s okay if
they’re malicious because we’re not relying on them to be honest.
SENATOR BOWEN: Let me follow up on that with some other
points you made in your first comment.
One
of the things that you suggested is a Red Team approach in which we deliberately
set up systems for penetration. I have
heard the criticism leveled that that is akin to testing a bank, bank-safety
mechanism, by folding up 20 pieces of paper around the room and writing the
combination to the safe on
file. In other words, it’s not something
that ever would happen in the real world and that many of the security issues
that computer scientists claim or should be a concern are not real-world
concerns. So, please, gentlemen, defend
your honor.
PROFESSOR RUBIN: Let me give you a quick counter to that.
It
sounds to me like this would be Diebold saying, Our system is totally secure, and it relies on the fact that no one
will see our source code.
(Laughter) And then their source
code happens to leak onto the internet.
Now what about, instead of us publishing a paper and that got read by a
lot of people—Bev Harris who founded, and a couple of other people, kept the
knowledge to themselves, distributed that source code to a few of the wrong
people—the assumption of security by obscurity, which is that the security
mechanisms themselves will remain secret, is well known and has been for
centuries. One of the mantras of
security has been, We reveal how the system is in order to
evaluate it. And
if we can still show that the system has security properties, then we can have
confidence in them. But if our
confidence is based on keeping things secret that may or may not actually remain
secret, then I think we have a problem.
SENATOR BOWEN: Anyone else?
PROFESSOR RUBIN: And furthermore, penetration testing is done
in banks. Military people have done this
forever. You give somebody a
get-out-of-jail-free card, and you say, Have fun. And the question is, Can they get in and do
something they’re not supposed to do?
And if the system is working and, you know, the security guards show up,
they say, Okay. You’ve got me. I’ve got a
get-out-of-jail-free card. I was doing my
job.
MR. NEUMANN: I’ve seen Red Teams where one
group came in and found a whole mess of problems. And a second group then came in and found
another mess of problems. Red Teams and
testing in general are inherently incomplete, but they’re useful in exposing
what are perhaps the most obvious flaws.
In last week’s testimony, I mentioned
some of the more obscure ways of breaking systems, Paul Kocher’s differential power analysis, and Dan Boneh’s fault injection, and
various things like that which the Red Team normally would never even think
of. And if a system is designed with the
realistic threats in mind instead of requirements that span all of those
realistic threats, you get a very different result than if you tried to do a Red
Team on something that was never designed to be secure in the first place.
So on one hand, Red Teams are useful. On the
other hand, they’re not the best solution.
They’re a useful addition. But
again, I come back to having a good architecture and a good software engineering
practice and openness in the entire development which would smoke out a lot of
the problems before anybody has spent a lot of money building these systems,
using them, Red Teaming them, and discovering that they are deeply flawed.
SENATOR BOWEN: Let me go back then to another point that
Professor Rubin made which is that one of the improvements would be to publish
the results of all of the testing that was done at the testing labs. And if you would spend a little more time on
that, please—and in particular, I’m curious about let’s, first, just to make
sure that everybody knows, I’d like to explain what happened with the Diebold
source code and how it is that what was proprietary code became widely known
because I think it’s important as background for people to understand why we’re
concerned. And then let’s say that you
have source code and a proprietary vendor whose proprietary code stayed
proprietary, stayed secret. Of what use
is it to publish the results of testing if no one knows what the underlying
code is?
PROFESSOR RUBIN: Okay. I’ll address both of those.
Bev Harris was interested in
Diebold. She was studying them. She’s very concerned about electronic
voting. And
she, through a search engine, found a web page—it was actually an FTP site, on
Diebold’s own servers with all of their source code publicly accessible, and
she downloaded it. My theory is that
they had limited their thinking that no one would ever find it so that their engineers
in the field would have access to it, would be able to look at it, although I
don’t know that that’s the case. It
could be they were just careless. Once
that code was downloaded—it was archived in
SENATOR BOWEN: So if that hadn’t happened,
you wouldn’t have had a basis for evaluating the security issues with regard to
the Diebold voting system?
PROFESSOR RUBIN: Absolutely. I would not have—I’ve tried very hard to get
my hands physically on a Diebold machine.
They were never cooperative with that.
If we hadn’t seen the source code, we would have just been able to
criticize the general notion of paperless voting but without any of the
specifics that we found when we looked at the code.
The other part of your question was, Why publish all the results of the tests if the public
hasn’t seen the source code?
I think that there are many different
reasons to do this. One of them is
simply, that if the vendors know that all the results of the testing are going
to be published, they might be a lot more careful in how they design these
things. I think there’s a general principle of transparency that the elections
don’t belong to anyone; they belong to the people. And if we want people to have confidence that
every step of the process is being done fairly, and if we don’t show them part
of a testing report, then that’s a reason to raise suspicion as to what was in
there.
I’ve been
wondering for almost two years now, What was in the SEIC report in
SENATOR BOWEN: You look like you need to say
something.
PROFESSOR DILL: I would like to add another
comment about thinking about security of voting machines. You know, ultimately, we can’t know, no
matter how much effort we put into making these machines secure, we design them
from scratch, and Peter Neumann can do, you know, exactly the best possible
things with every step of the way. We
can’t really know that they’re not going to be 100 percent secure. And even if they are never hacked, we don’t
know that they’re never hacked and that that uncertainty about whether we can
trust the results of the machines really undermines elections because the whole
point of elections is not to be accurate or whatever—I mean that’s a major goal
of elections—but to convince the public that they’re accurate. You know, an election ought to come with some
evidence that the results are sound. And
if you don’t know the security status of your machines or if you don’t have a
way to double check them basically, you don’t know that your elections are
accurate, and that undermines the legitimacy of everybody who’s elected.
SENATOR BOWEN: And henceforth your emphasis
on the audit as being a critical part of what Peter Neumann and others describe
as an end-to-end process?
PROFESSOR DILL: Yes, the ability to double check the results of the election. There needs to be evidence and the
election. All the processes have to be
transparent so everybody can see that the results are on the up and up.
SENATOR BOWEN: Would there be a disincentive
for vendors to build elections software if they expected that the results of
any certification testing would be made public?
Would we still find vendors who wanted to participate in that
marketplace? Anyone?
PROFESSOR RUBIN: I’ve heard this argument made
many times, that it’s also made in the open-source argument, that if the
vendors don’t have any proprietary advantage or any way to make money or, in
this case, you’re asking if the vendors are too afraid of their reputation
being tarnished, that no one will get into it, and I personally believe that
the government, if they have to foot the bill for this, this is important
enough that they should, I don’t think that we should use this market-forces
argument against trading that off against the transparency of the system.
SENATOR BOWEN: How do you deal with the
issue of what happens once the machine is certified and that there’s—I can’t
remember who referenced it—but the fact that changes are always made; someone
always finds something, you know?
Firefox, Microsoft, they released the current browser version. Two days later, they release the first
patch. And we
don’t want to set up a system promoting software where we don’t have a
mechanism for solving problems that we’ve discovered that weren’t known or
discovered back at the time of the certification.
MR. NEUMANN: Let me comment on
that. We have several cases on point
where software was in fact changed dynamically or the configuration of the
system was changed dynamically on election day. We have one vendor who, in creating the ballot
face, actually reprograms the software that has been certified in order to make
the appropriate ballot face appear on the direct recording device. And the way around that is, first of all, to
strengthen the standards that don’t preclude that adequately. The second would be to, if we had the
openness that we’re all asking for, make it effectively impossible for that to
occur in various ways. Avi mentioned,
and Dan also, the possibility of integrity checks and crypto seals and things
of that nature that one could demonstrate that the system that was certified
was in fact the actual system.
On the other hand, the vendors
themselves have found it very convenient to make late changes. Now some of them will say they were necessary
to increase security or to make it reliable or to improve the accuracy of the
results. If that’s the case, then the
system shouldn’t have been certified in the first place. On the other hand, we have no perfect
certification system. We talk about
there’s no such thing as 100 percent security in the system
implementation. There’s also no hundred
percent certainty in the evaluation and certification process.
So we come back to what several of us
are saying here, that all of us, I guess, are saying, which is that there need
to be some sort of end-to-end integrity checks.
And part of that addresses your question. But again, it’s only one little piece out of
the overall end-to-end problem where everything is a weak link. I’m repeating myself, but I think this point
is so important that it needs to be said over and over again.
PROFESSOR DILL: So I think we need a voting
system that is so robust, that if some problems are found in the software or
the hardware that we can still hold our elections and still at least double
check that the results are okay. In the
worst case, we can hold another election.
So I was trying to think of, from my favorite kind of system, which is a
precinct count optical-scan system, what is the worst possible problem I can
imagine? Maybe it returns totally random
results, and you see that the machines can’t count at all, right? At the very worst, you can go back and hand count all the ballots.
So there’s no problem that you see some last-minute difficulty of the
machines in that case that would prevent you from holding an election or that
would completely compromise the election.
SENATOR BOWEN: This assumes, though, that we
don’t have the problem that we had in
PROFESSOR DILL: Yes, yes, that’s why I
specifically—well, let’s see, if the ballot is printed wrong, you have a
problem. I specifically mentioned
precinct count optical scan because, suppose the problem is on election day—the thing melts into a puddle of silicon and
plastic or something, voters can still vote on the paper ballots and they can
still be saved, if there are enough around.
SENATOR BOWEN: If we have paper ballots.
PROFESSOR DILL: That’s right. But with the precinct count optical scanning
systems, you do. Clearly, with touch-screen
machines that print paper ballots or whatever, if you don’t have some other
paper ballot—there’s an availability problem—there, it’s not so much a question
of computer security. It’s, Are you
pretty confident that your computers will work when they need to? And I think a lot of
the time, the answer is going to be yes.
SENATOR BOWEN: Professor Rubin, we had a
little discussion earlier in January about an exercise that you use in your
computer security classes where you ask your students to evaluate software
written by others. And it goes, I think,
along with some of what Peter Neumann was talking about with how difficult it
is. And could you help us—help me—as somebody
whose last computer programming class, and first, was Fortran 101 (laughter),
which means I’ve just really dated myself, but how am I with only Fortran 101
in my formal programming repertoire supposed to have any ability to know
whether or not I should be confident about how my vote is being either recorded
or counted? And I’m going to separate
those two because I think they’re different things.
PROFESSOR RUBIN: Right. I should mention that Dan Wallach also
teaches a course that he does similar exercises with his students. My goal was, I had a theory, a hypothesis,
and I felt it very strongly, that it was much easier for anybody who’s writing software to embed something malicious in the
behavior of that software than it would be for someone of equal or even greater
expertise to look at that software and find that maliciousness. And so what I did, and I’ve done it now for
about four semesters, is I have the students build software programs. And up until this semester, it was always
voting machines. Now I’m having them
build poker machines because I’m getting a little sick of the voting
machines. (Laughter) So they built these voting machines, and then
they rigged them. And they have
requirements of including an audit trail in the machine and rigging the
election so that the audit trail matches the rigged versions so the audit trail
will not disclose it.
And then what they turn into me are
two different kinds of CDs with their entire system. One is the pre-rigged one, the voting machine
that just works, all the source code and everything, but it’s not labeled as
good or bad, and then the rigged one, and I ask for three copies of each. Then I sit down with my teaching assistants,
and we had about 45 or 44 students in the class working in teams of three or
four. And then we mixed them up, and we
give each team three other projects, and we don’t tell them if they’ve gotten
good ones or bad ones. And we say, Perform a
security evaluation and tell us if you found one of the machines is rigged. And overwhelmingly, these students are missing
the security problems. They’re not
catching it. And that’s considering that
these were graduate students working with a full course load, working, you
know, probably a few hours a week, maybe a little more before it was due, and
putting this thing together to turn in as opposed to a 15-year veteran
programmer spending a year planning their malicious code.
I haven’t done this—I can’t find this
as a scientific experiment, but the intuition is so strong. And it will be clear to, I think, anyone
who’s got a lot of programming experience, that every single line of code,
there are ten different ways to write.
And every five lines of code, there are a hundred different ways to
structure. And
there’s so many choices that you have when you program, that’s the reason that
I think that software is so buggy, that why Microsoft, which has really, really
good programmers, very well trained, and yet they have to issue patches all the
time because it’s just—you have too many choices and it’s too hard. And anywhere and any
one of those choices, you can do something that might even have a perfectly
justifiable reason why you did it but may also introduce a vulnerability.
And I find
one of my greatest challenges, now that I am often speaking to non-computer
scientists, is giving people an appreciation for the nature of software who
haven’t actually programmed themselves.
But I find that there are, in a hundred-line program, there are
limitless ways to do something funny, to make the software behave in an
unexpected way, given an unexpected input.
And it’s extremely difficult, even for the person who wrote it, coming
back to it a year later, to find that or to understand it.
SENATOR BOWEN: The one, I think, other thing
that I want—a couple of things. One is,
is there any mechanism for
And let me go from the middle out this
time and start with Professor Dill and Professor Wallach and then go on the
edges of this question. Who’s doing work
that
MR. DILL: I can think of practices that
I like in individual states. It is
easier at the state level to manage a statewide, uniform system. So I don’t really approve of Georgia’s voting
system which is the Diebold touch-screen machines without paper. But they do have a group at
There are a lot of states that have
laws that require broader, random audits than California’s. I think that’s a very good idea but that’s…
SENATOR BOWEN: That’s a hearing we’ll do
next week, I think.
MR. DILL: Auditing is another one of
those difficult questions that’s more complicated than it may appear. But we can talk about that when the time
comes. I really would advocate—and here I’m not answering your question—I’m going to something
else—but I would really advocate, it seems to me that the federal government is
moving too slowly. I would love to see a
wonderful federal certification process, partly because the vendors have to
sell machines to all the different states, and it would be great to have more
uniformity so that the machines are less expensive and can get out to market
faster for the benefit of the voters.
However, that doesn’t seem to be where we are and the federal process is
just improving too slowly, and I think that, for the benefit of our voters,
states are going to have to take the lead.
And I would love to see
MR. WALLACH: So continuing that thought,
I believe in
In
For example, if you can tease apart
the hardware from the software, then you might have—if you standardize the hardware,
then like PCs, you can just mass produce them in clone shops for pennies on the
dollar, and then vendors can compete to do their value add for the
software. So that would mean that right
now, where a county has to buy everything from one vendor or a state buys
everything from one vendor, instead, if they’re all compatible, you can mix and
match. You can imagine buying these
boxes from Dell and Gateway. It doesn’t
matter, as long as they run the official election software. And then for the election software, if
California wants to do its own thing and Texas wants to do its own thing, a
software development group, yes, you need to keep maybe five or six people
employed for a year and you’ll have yourself a new piece of software. So relative to a state budget, that’s not a
whole lot of cash.
So if you really wanted, you could—you
now, if you could standardize the hardware, then you can build your own
software to your own specifications. And
if
SENATOR BOWEN: I have to laugh because I
cast my first ballot ever in
Then I’ve come to California, and
that’s not our tradition in California, and we pride ourselves generally on
having government that’s open, transparent, and not corrupt in elections that
are fair and transparent. And the discussion
here really is about how, as we’ve moved from one kind of voting machine—and a
lever machine is nothing other than a computerized piece of voting equipment or
mechanized counting equipment to a more sophisticated machine but presents the
same problems with transparency. You
just can’t do it with a number 2 pencil anymore. And as I’m sure we’ll hear in public
testimony, you can change the results of many more elections simultaneously by
using malicious code or just bad code.
than you could in a lever-voting machine environment where you actually
had physical access to every single machine in which you wanted to change the
results.
So as much as I joke about the
lever-voting machines in
So what I would like to do—we have 26
people who want to testify. I have
another panel. I’d like to ask each of
the members here, if you have three takeaways that you want me and the public
to take from today, to spell those out, and then I think there are some matters
that we just didn’t have time to get into, and I would welcome further thoughts
in any manner in which you feel it’s appropriate for presenting additional material
so that we continue ___ very serious discussion.
And let me go from the reverse. At the beginning, we’ll start with Peter
Neumann, and we’ll work our way across and let Professor Rubin have the last
word of this panel.
MR. NEUMANN: Okay. The first takeaway in responding to your
question is that there are no easy answers.
You’re asking for an easy answer or three easy answers.
SENATOR BOWEN: Just the three most important
parts.
MR. NEUMANN: I think the most important
thing is that we’re dealing with flawed assumptions with a flawed process, HAVA
process. It was a feeding frenzy to go
into electronic machines to replace punch cards because punch cards were in
disrepute from the year 2000 partly for the wrong reasons. But many of the assumptions we’re dealing
with are flawed assumptions. And if we
look at the end-to-end issue and recognize that everything’s a weak link—and
I’ve said this so many times now that it sounds redundant, but redundancy is a
wonderful thing (laughter)—then you realize that we’re trying to make the silk
purse out of the sow’s ear. What we’ve
got is a lot of sow’s ears, and we’re trying to find one good silk purse.
We’re dealing with broad
assumptions. The answer to your
question, What
testing can we learn from other states,
I take the negative. I say, Well, we can learn how not to do it. And again, it’s the big-picture thing of
realizing that everything is flawed and we need a different paradigm. One of the paradigms you’ll hear from later,
presumably, is from some of the disclosable source folks who will amplify some
of the things that we talked about last week in
So I think the first step here is to
understand, as we’ve already heard, the threats, the threat models, and to
design systems in an open way that are inherently capable of addressing all of
those threats.
MR. DILL: I think my first point would be,
when it comes to certification and testing, be very suspicious of any easy
solution because the solutions are probably not easy.
Second, that auditability is crucial
and security is merely important with these machines.
Thirdly, that
SENATOR BOWEN: And what does that mean?
MR. DILL: That we need to think up an
alternative process to the federal process.
Maybe it’s an additional process; maybe it’s an alternative that—you
know, the original—I learned this when I was on the Taskforce in Touch-Screen Voting
from Bob Nagley ?? who is
like the long-time consultant on all issues to do with voting technology in
MR. WALLACH: So my first takeaway point
is that it’s all about process. It’s the
development process, but it’s also the deployment process. It’s about how poll workers are trained, how
the machines move around, how the ballots move around, how voter registration
works. There’s a huge process, and you
have to look at the whole thing. I mean
this hearing has been relatively focused.
But you can’t look at anything in isolation.
And to that end, my second point is
that transparency is critical in this system.
I think that it’s just not appropriate to have trade secrets anywhere in
an election. I think vendors are allowed
to have intellectual property. They can
protect that with copyrights and patents, if they’d like. So if I can copyright my code, that means you
can’t just pick it up and run it. But
the trade secrets in particular, I just feel, are inappropriate anywhere in an
election because that goes against public confidence.
And a last point might be that we should
be willing to take some chances and to try to think, yes, think outside the box
when we’re talking about voting.
SENATOR BOWEN: We have to watch the box
reference. (Laughter)
MR. WALLACH: Yes. We have only looked at a very—in the space of
how you could engineer the interface between a voter and whatever it is that
they vote on, very, very few kinds of machines have been considered. And there’s a much bigger world than just
touch-screen devices or paper ballots that you scribble on with a pencil.
SENATOR BOWEN: Pen, pen, please.
MR. WALLACH: Oh. (Laughter)
Pen, scribble on with a pen, absolutely. And it’s important to, you know, that we can
still innovate and come up with crazy new ideas in the process.
PROFESSOR RUBIN: Well, nine points have been
made so far, and they’ve done pretty good coverage on what I had jotted
down. But let me just give my take on
it.
SENATOR BOWEN: Redundancy is helpful.
PROFESSOR RUBIN: That’s right. (Laughter)
My first point, which I had written
down before—Dan said it—was that we cannot compromise on transparency. I think that, when it comes down to a
tradeoff where on the one side we have transparency—on the other side, we have
anything else—we have to allow for the transparency to win.
Now I’ll sound more like David
Dill. I think if you have simple,
auditable systems, you don’t need to rely as much on security testing of the
machines because, if you don’t place trust in the machines, then it doesn’t
really matter how secure they are. And
along those lines, since you said I could have the last word, I came up with
something that we’ll see if you think it makes sense, which is that an ounce of
audit is worth a pound of prevention.
(Laughter)
SENATOR BOWEN: I’ll think about that, though
I’d be inclined to buy a pound of each ____, simply live by the rules I’m
given.
MR. NEUMANN: The audit has to be
non-subvertible, it has to be non-tamperable, it has to be non-bypassable, and
all those good things.
SENATOR BOWEN: Oh, we will be doing—and
again, I understand that this hearing is only, with regard to a very small
piece of the process, that is, that’s because it’s simply not possible to
discuss everything end to end at once without having even the witnesses to go
comatose. (Laughter) So we’ve been trying to break the process,
what is an end-to-end process. I think
that’s a really critical point that every single person’s made into pieces that
are manageable to understand and deal with.
One of them has been the nature of the software, another with certification. We will deal in the next few weeks
specifically with the audit process and the inclusion of, or not, of absentee
ballots, ___ ballots in the audit process, which is an issue at some counties
in California, as well as with what is a truly statistically valid sample and
in particular in the auditing process with how gaming, how we might expect
people to game a particular set of audit rules because perhaps it’s my
experience chairing the Enron Committee—no—the Energy Committee. (Laughter)
That’s my Freudian slip of the day.
Enron had a floor of computer
programmers whose job it was to game the rules of the
So
transparency was the first part of the flaw in the energy market. It did not have transparency. We couldn’t see what some of the games were,
and that I think there are lessons to be taken from that. And interestingly enough, that also was a situation
in which the use of computers was extremely critical to the success of that
operation. Enron could not have gamed
the energy market in the same way without having access to computers, of
computer modeling, and knowledge of how the systems that run electricity in
So we
will look at audits which are an important part of any system that involves our
market. And here, we don’t have a
market. We have a system in which the
only safeguard is the engineering of the system itself, the end-to-end process,
and the audit. It has
to take the place of the bank that’s interested in whether or not the
transaction’s accurate or the casino that is following the results of gaming at
a particular machine or even a game box manufacturer that’s interested in
knowing whether or not you actually
purchased the game that’s going to be running on a box which is a, I think, a
very useful example for me to contemplate. So this is a beginning of this
conversation. I want to thank you to the
people in the audience who are not computer programmers, for spending the time
and energy to work on something. That’s
difficult.
Let
me now call up Sonia Arrison, Pacific Research Institute; Tom Stanionis, Yolo
County Elections Department; and Warren Slocum, assessor, county clerk, and recorder
of
But
Warren Slocum is here. Welcome.
MR. WARREN SLOCUM: Thank you.
SENATOR BOWEN: Thanks for being here.
MR. SLOCUM: Thank you for having me. Is the mike on? Can you hear me okay?
SENATOR BOWEN: In the back?
MR. SLOCUM: Can you hear me?
SENATOR BOWEN: It’s not on.
MR. SLOCUM: Is the mike on now? Can you hear me?
SENATOR BOWEN: It’s on, but I think you want to get even closer.
MR. SLOCUM: Okay.
Good afternoon. My name is Warren
Slocum. I currently serve as
I’d
like to welcome you, Senator Bowen, to
SENATOR BOWEN: All right.
We’ll have no displays during the hearing. (Applause)
MR. SLOCUM: Obviously, it’s hard to follow four professors
of Ph.D. computer types, but we’re pleased that you’re here in
Madam
Chair, as you know, accurate elections are at the very heart of our
democracy. Accurate election results are
not just the concern of
First, understand that there is no
perfect voting system, as was discussed earlier. Each one has its strengths and
weaknesses. But more importantly,
regardless of the voting system, a great deal depends on other factors, such as
the quality of the poll worker training, ballot design, and election work-flow
management, community education efforts, and the county’s ability to plan,
organize, and deploy complex, technological systems. There are, in fact, many variables. Instead of asking whether
Consider a simple scenario where a
machine successfully completed testing at the federal and state level, then
successfully completed a county’s logic and accuracy testing process, but it
was seriously jarred in transport and, for that reason, malfunctioned at the
polls. Nevertheless, generally speaking,
once a machine has been federally and state certified, the public should have
confidence in the device. But remember
that the certification process occurs in laboratory conditions while elections
are conducted in the real world. And
once we understand that voting machines are programmed for every election, that
they are touched by election workers, that they are delivered in trucks to
polling sites, then handled by precinct workers, and eventually used by voters,
you realize that there are many potential failure points. We must remember that a voting device is part
of a larger voting system and that all components of that system must work
properly in order for vote totals to be captured and reported accurately. Accordingly, in order to help fully achieve that objective, we should consider the
five following reforms that would make elections, I think, more accurate, more
reliable, and more secure.
We should, first, strengthen the
certification process; two, strengthen the canvass process; three, increase
training for poll workers; four, of course we need to adequately fund election
offices in California; and five, I’m just going to make a little pitch here
that California allow certain counties to conduct their June primary election
all by mail because of the lateness of the certifications.
The community needs confidence that
their voting machines work correctly.
This can partially be accomplished by wider and deeper public inspection
of source code. In addition to the
formal testing processes that the Secretary of State undertakes, there should
be a second-level open inspection, examination and testing process of voting
systems undertaken by computer scientists, professors, security experts, and
members of the public that should be done in a public forum, perhaps even on
the internet. The findings of all
reviews should be published and presented at public hearings. We should go further if we are truly
committed to increasing voter confidence and call on the government perhaps to
develop its own vote counting hardware and software, fully open to unlimited
public inspection, just like any other government record.
Another suggestion that would help
ensure that our voting systems are accurate, reliable, and secure is to
strengthen the canvass of the vote procedures. The canvass of the vote, it could be argued,
is the most important part of an election but perhaps also the least understood. Basically, it’s an audit of the various
components of the election. It includes
such things as ballot reconciliation and a 1 percent manual recount of precinct
ballots.
Specifically, following certification,
and at least 14 days prior to an election, the vendor and the county should be
required to place in escrow all software that is relevant to the functionality
and operations of the voting system. The
documentation might include a list of programmers responsible for creating,
testing, and programming the software, and a sworn affidavit that the source
code includes all relevant program statements in low-level and high-level
languages. Hash codes, or some type of
public key certificates, should be present so that election officials and the
public can authenticate the version of software that a county used for an
election is the same version of the software that was placed in escrow and that
was certified. The outcome of that
verification should be included in the official Statement of the Vote that gets
published locally.
Other canvass procedures should
include a manual recount of 1 percent of the absentee ballots and an
independent audit that would verify that the processes, procedures, and results
from a specific election were properly undertaken and reported. I realize, Senator, that
this will be controversial in election circles, but consider the soundness of
this approach in the financial world.
And as a county assessor, I can tell you that the State Board of
Equalization regularly comes to county assessors’ offices and audits to
guarantee that the assessment practices in that county are accurate and that the
assessments are sound. It’s not a
foreign idea to have an audit of a local agency.
SENATOR BOWEN: You know, it’s
not a foreign idea for the state to have a federal audit of functionality
either.
MR. SLOCUM: That’s true.
SENATOR BOWEN: I’m familiar with a few systems, like child
support, where the state has had some difficulties with the federal audit and
it’s, as much as no one likes to have someone looking, it’s a level of
accountability in complex functions that I think is worth considering, so I
appreciate your raising it.
MR. SLOCUM: Thank you.
Another important reform is that
And finally, election offices must be
funded at levels sufficient to guarantee they can accomplish their mission,
their objectives, and their mandates.
They should be recognized for their important work they do on behalf of
the public and be a priority in funding decisions, just like police protection,
education, and healthcare. Election
offices must be able to attract, retain, and continually educate high-caliber
workers. They must have money to
complete security reviews, provide for technological upgrades and other related
resource requirements. One approach to
this funding issue might be for the state to make available security and
training/education and technology grants while simultaneously increasing
funding at the local level.
If we do indeed want to increase
confidence in public elections, these reforms must be seriously
considered. We need to think about our
voting machines as part of a larger election system and work diligently to make
certain that all parts of that system are accurate, secure, and reliable.
Madam Chair, as you know, we find
ourselves in a very difficult position in
While there is enough blame to go
around, it makes no sense to play that old blame game. Now, election officials throughout
I
have this beautiful map. I hope you can
see it. And as you can see from it,
there are some 13 million voters or 46 counties in
Given
the lateness of this certification situation, legislative relief is necessary
in the form, I think, of an all-mail ballot option just for June ’06. Let’s give counties who do not have certified
systems, through no fault of their own, the choice to conduct that June
election all by mail. At present, the Secretary
of State has expressed concerns about all-mail elections; the Legislature has expressed
concerns about all-mail elections. But
this election official is confident that this may be the safest alternative for
June 2006, given the certification situation.
Boards of supervisors in eight counties have passed resolutions
supporting the call for all-mail ballot options for the primary, and two
additional boards have matters pending on their agendas.
The
all-mail option is safe; it can stem the sinking voter turnout numbers this
state has experienced; it can save a little money; and it can be implemented in
a very responsible manner. If counties
rush to deploy voting technology and don’t have sufficient time to thoroughly
test and plan for their deployment, there could be serious consequences.
In
conclusion, there is absolutely no disagreement around the fact that elections
are a fundamental and vital part of this democracy and that every vote must be
counted and reported accurately. Citizen
confidence in the voting process is paramount.
Today, 42 percent of the public has little confidence in our democratic
processes. The reforms that I outlined
today are meant to restore public confidence, and they are offered with this
outcome in mind. As the Election Science
Institute recently said, “The public has a right to know exactly how elections
work and to verify for themselves that the voting and the counting is done
right.”
I
appreciate your willingness to consider these proposals. And certainly, I know you have questions, and
I’ll try to answer them the best that I can.
SENATOR BOWEN: The one thing I don’t want to do, and I’ll
resist the urge, is to pre-hear the bill that is set to be heard next week on
the proposal to allow all-mail elections, and that would be m-a-i-l (laughter)
for the June 6—we had all-male elections of a different nature, the beginning
in this country. And actually, just a
moment, an aside, you know we’re also having discussions about campaign
financing this year, and I think it’s fair to point out something I’ve learned
as chair of the Women’s Caucus, which is the first year that the Constitutional
Amendment went on the ballot to allow women the right to vote, it passed in 56
of California’s 58 counties. It failed
in
Not
directly related to how we vote, but I think what the point is that we have a
democracy where we are not supposed to simply take the rules as we were handed
them when the first election in this country was held and you voted
publicly. The vote was not private, you
had to be white, male, and own at least 50 acres of property in order to
exercise the franchise. What we’re doing
now is an attempt to form a more perfect union.
That’s what this hearing is a part of.
So I
really appreciate your coming and the suggestions that you’ve made. We will hear the all-mail proposal. I don’t know another way, and there’s no
acronym. There’s no other way to say
it. It’s not
absentee.
UNIDENTIFIED SPEAKER: Postal.
SENATOR BOWEN: Postal elections. Thank you.
Let
me just ask one question that comes to mind.
You suggested that that code, software developers, testers, so forth, be
re-released 14 days in advance, and I was curious how you chose 14 days as
opposed to some other…
MR. SLOCUM: Thank you.
I’ll be honest and say it’s somewhat arbitrary. But as one of the professors noted, sometimes
there are last-minute changes that might be required. So 14 days seemed like, in my experience, a
most reasonable period when that process would be over, things would be
stabilized, and we could certify it. It
might be 30 days; it might be seven days.
SENATOR BOWEN: And then one other question, I think, is the
question that most commonly comes up when people talk about either postal
voting or paper ballots at the polling place on an election day, which is
another alternative to using voting machines, to simply use paper ballots, an
old-fashioned method but that has something to recommend it. In both instances, the question arises how a
county, if it were to conduct an election in that manner, would meet the
requirements that disabled voters be able to vote independently as required by
the Help America Vote Act. How would
MR. SLOCUM: Thank you.
I think that the issue—hopefully these new machines will be certified
sometime in, let’s just hope, March or April.
Rather than deploy, in our situation, for instance, 525 of these new
machines, if assuming they were certified, we might deploy a dozen to early
voting centers scattered throughout the county.
It would be much easier to deploy and ensure the integrity of that
election process with 12 machines versus 525 that were certified late in the
process so that those voters who had special needs could go to one of those
early-voting stations during the 29 days before the election and cast their
ballot.
SENATOR BOWEN: Let me go to Tom Stanionis. And I understand you are here on behalf of
Freddie Oakley who
planned to be here but had a relative who is ill.
MR. TOM STANIONIS: Yes. She is.
SENATOR BOWEN: I thank you for coming.
MR. STANIONIS: She is literally at her mom’s
deathbed as we speak.
SENATOR BOWEN: Please convey our…
MR. STANIONIS: And I realize I am but a poor substitute for
the flamboyant Freddie Oakley and, as such, I didn’t have as much of a chance
to prepare, but I have a couple of points to make from my relationship with the
process of procuring technology for our county.
First
off and echoing a lot of what was said by previous panel, one of the things
that I tell people when they ask about what we do in the elections office and
how hard can it be to count votes, and I tell them that our job is not to count
votes. It’s to provide evidence to the
people that the votes were counted accurately and fairly. And that needs to be
the watchword for the whole process of certification and any technology that we
use, is, How does it provide evidence that the process is working?
But
when I think of voting systems, I go back to after the 2000 election, and the
first flush of, Oh, my gosh; we’ve got to
change everything, and then Secretary of State Bill Jones put on a voting
systems show for the registrars in Sacramento.
And for many of us, it was our first chance to see what new technologies
were out there. When I looked at those
machines, my first reaction was, well, these are interesting ideas, but I want
to wait for next year, and our biggest problem is,
next year never came. Fundamentally,
what we have is what we had in 2000.
They’ve added add-ons like paper trails and all of that, but the
fundamental technology has not changed in those years, largely because of the
way that the ITA system works and also because of the funding constraints that
have set a deadline that, combined with the length of the ITA process needed so
they couldn’t see a gain in doing any research because they didn’t see that
they could bring it to market through the ITA process before the deadline for
the HAVA funds and for the voting modernization funds before that.
The
second part of that process is there were companies that were new and coming up
with new ideas, and I’ve seen a half a dozen of them who have come up and who
have been willing to say, Okay. How can we make it better? What would you like? And they’ve been very encouraged and worked
hard to create systems that were better than what was out there, and they go to
ITA testing and discovered that, if you’re not Diebold or ES&S or Sequoia or
Hart, the ITA testing process is not going to be friendly to you.
SENATOR BOWEN: What do you mean by that? Why should it matter who you are as a vendor?
MR. STANIONIS: Well, substantially, there’s a very limited
number of ITA testing facilities, and their principal clients are who they will
take care of the most.
SENATOR BOWEN: Okay.
So you’re saying that the current system creates challenges for even accessibility
to vendors who don’t have an existing relationship with one of the ITAs. And I think one of the things that really we
haven’t talked about is who the ITAs are and the fact that it is not a
governmental entity. It is private
laboratories.
MR. STANIONIS: Yes.
The analogy that I use is, as I say, these are these people’s
lawyers. They’re not going to be
inclined to take another client that conflicts with their own existing clients.
SENATOR BOWEN: When we have the ITAs with us to answer questions, that will be a good question to ask.
MR. STANIONIS: One of the things that has
been raised by some of the registrars is their desire to get the IVS phone
system certified by the state and they have—of course, the Secretary of State
to certify that separately from the DREs because it doesn’t electronically
record the vote. It just prints a
ballot. But they totally bypassed the
issue that IVS has been in federal testing for almost two years now, but
they’re unable to get it out because the labs are not willing to work with them
to help them to get a certification. And
it is a limited market of ITAs that has literally quashed any innovation in the
marketplace. Many counties in
SENATOR BOWEN: Very interesting. I will have some further questions, not for
you but as a result of that.
And
what are
MR. STANIONIS: Well, we’re rather well-known right now. We’re going out on a limb. We’re going to use the vote pad
tactile-ballot system that we’re purchasing from OPED ??,
Inc., in
SENATOR BOWEN: So when you say probably, you are one of the counties on Mr. Slocum’s chart where
we’re not entirely sure how the election will be conducted on June 6?
MR. STANIONIS: Quite honestly, I spent most of the day yesterday
looking at the first draft of the contract with Hart. We’re still in negotiations. So it’s still out there. But the good part of
it is, because their system is basically off-the-shelf hardware, that we could
gear up and implement it fairly quickly, and that was a large part of the
reason for that choice.
SENATOR BOWEN: To help people again whose programming
experience like mine may be limited to Fortran 101 or the equivalent, what’s the
advantage of using what you just termed off-the-shelf
hardware systems?
MR. STANIONIS: Well, from our point of view of purchasing it,
off the shelf means that they don’t
have to manufacture it. They can just
give a phone call to Dell and have them deliver stuff. And the only part of the system that they’re
actually providing is software on CDs.
SENATOR BOWEN: So it limits what you have to test?
MR. STANIONIS: It limits what we have to test in house, and
it gives us more control over the process.
SENATOR BOWEN: And your answer then to the question of how
you will comply with the Help America Vote Act for disabled voters is the vote
pad?
MR. STANIONIS: That is correct.
SENATOR BOWEN: Okay.
And I think we will be looking at the vote pad and issues about access
for disabled voters along with the issue that was raised by Professor Rubin
today about how we audit specifically the vote of accessibility devices. But it’s my understanding—and I’ve seen the
vote pad—it basically uses an existing paper ballot with a variety of tactile devices.
MR. STANIONIS: Yes.
The voter uses exactly the same ballot as every other voter at the
precinct, marks it with the exact same pen.
The only difference is that it has a template that is tactilely marked
with rubber bumps so that they can navigate the ballot with the use of cassette
tape.
SENATOR BOWEN: Okay. I
want to not try to hear in advance the discussion on the postal option for
voting for June because we will do that in
UNIDENTIFIED SPEAKER: I don’t know.
SENATOR BOWEN: I don’t know if we’ll be broadcast. But what we will try to do is arrange for, at
the very least, audio taping, video taping, if at all possible, because a lot
of people have made a great many trips to Sacramento in the last few weeks to
deal with questions around voting equipment, and I understand it takes an
entire day for most parts of California to get to Sacramento, and it’s not
without its cost. So we’ll do our best
to make that process as accessible, and I want to again reiterate to anyone who
is hearing this, seeing this present, has issues they would like to raise that
are more detailed than what they feel they can present right now, you can
phone, you can email, you can fax, you can even put a letter in the mailbox
with a 39-cent-or-greater stamp on it, depending on how weighty your thoughts
are, and we will welcome additional thoughts.
Many of the questions that we have been asking come directly from the
public. So a lot of what you’re hearing
today is a direct result of public input, and it is the way democracy works the
best. So I would like to thank people
who are not here and who participated in the past as well as those who made the trip
today.
Thank
you, gentlemen.
UNIDENTIFIED SPEAKER: Thank you.
SENATOR BOWEN: Please wish Freddie Oakley and her family our
best. Thank you for coming. I will see you again next week.
I
probably will see you as well.
MR. STANIONIS: I’ll see you tomorrow, I think.
SENATOR BOWEN: Tomorrow?
Okay.
And
let me begin with the public testimony.
There is a list, I believe, of 28 people who would like to testify. If there are people who would like to combine
their testimony, so if they want someone to have five minutes instead of two
and feel that someone would be a good spokesperson, we can arrange that. If you’d like to come up in groups, I find
that depth is as important, if not more so than quantity of witnesses. I’m sorry.
I should have announced that at the beginning. I was not expecting to have so many people
who want to participate. But I know
we’re going to hear from, in this order, Arthur Keller, Ron Crane, and Frank
Egger and Alan Dechert, each of whom I’ve heard from at great length by email,
fax, or letters. So thank you all for
providing your input in advance as well as being here today.
And
let’s ask Arthur Keller to come forward.
And on deck, Ron Crane followed by Frank Egger and Alan Dechert and then
Pete Newcome.
MR. ARTHUR KELLER: Thank you, Madam Chair. I’d also like to
acknowledge that one of the representatives…Paige Schoknecht,
is here from Senator Joe Simitian’s office, and I wanted to acknowledge that
she’s here.
SENATOR BOWEN: Thank you.
You beat me to it.
MR. KELLER: Thank you.
SENATOR BOWEN: That’s because I had to get the pronunciation
of her name, and you apparently knew it already.
MR. KELLER: I may not have done it justice.
SENATOR BOWEN: Thank you.
Thank you to Senator Simitian for sending someone to monitor.
MR. KELLER: Thank you.
Let me introduce myself. I am a
founder and board secretary of the Open Voting Consortium; I’m also chair of
the executive committee of VSPR Voting System Performance Review; and I’m
affiliated with UC Santa Cruz, and I had the pleasure of having served as a
poll worker and as a precinct inspector in
One
of the issues that was brought up earlier was the
consideration of the values of stealing from gambling devices. You can just imagine the values of stealing
an election, if the election for governor or president were to be stolen, the
values involved in that. And one of the
notions that was explained to me by my advisor, Jim Witerhold ??, professor at
Stanford University, is that the security should be such that it should
basically make it more expensive in order to steal something or break into
something and the value of that thing that you’re achieving. So, for example, it makes sense to put a lock
on a bicycle, that the difficulty of breaking into that bicycle and stealing it
should be proportionate to the value of that bicycle. We have a principle in this country that
votes are cast in private and tallied in public. And the problem with
this is that we now have a system in which the votes are not tallied in
public. They are tallied on proprietary
machines whose inner workings are trade secrets.
There
was some earlier discussion I’d like to underline about the difference between
retail problems, which are, if you will, problems that occur in the individual
voting machines in usual precincts versus wholesale problems that occur in
terms of mass market. Essentially what
we have is a mono-clone of a handful of voting machines. And those of you who
know about biology, the issue is that a virus can basically wipe out whole
mono-clone or mono-culture.
In
terms of auditing, one of the interesting things that I’m interested in is, for
example, posting precinct totals. I
believe this is supposed to be done—it is not followed in many jurisdictions—and
being able to compare that with county totals which would allow and drilling
that down to precinct level would allow some degree of auditing by the public.
What
earlier was mentioned, the notion of separating hardware and software, I think
it’s also important to separate hardware and software and service. The idea is you should be able to get the
software from one vendor and be able to get service from any number of vendors
that you’re not locked in indefinitely, as was mentioned in last week’s
hearing. In this regard, the notion of
interoperability is important so that you can provide services from other
sources so you can do a best-of-breed solution and allow for the existence and
acceptance of third-party audit tools. And in particular, there is an IEEE committee on which I
serve, the IEEE P-1622 standards committee, that is looking at
interoperability, and I would commend looking at that committee for its work.
I think it makes sense, because of the market failure and as identified in nature
of the ITA and testing process to think about commissioning software. The state would own, multiple states could
make available elsewhere and also make it available to commercial vendors. I think that there isn’t a place in this for
commercial vendors. And if we can basically do collective R&D, funded by the state rather than fund
it through payments to vendors that then do their own research, that makes a
lot of sense. And in terms of design for
auditability, I think that that’s important.
I’m going to very briefly outline the design that the Open Voting Consortium has
put together, in terms of demonstrations, in back of 2004, and that involves a
paper ballot and an electronic audit trail.
The paper ballot is—there’s an electronic voting machine that has a
touch screen or other kind of system for entering information about what
particular choices that you wish to make for the ballot choices. And that prints out a paper ballot, and that
paper ballot is then, each time, counted.
Paper is actually counted. There
is an accessible device for entering your request for who should be, who you’re
voting for, as well as a separate device for verifying that paper is as the
blind or reading-impaired voter or other visually impaired voter could actually
verify audibly how they voted. And we
then also have a precinct reconciliation system that pairs the paper with the
electronic audit trail to make sure that the precinct level—this is the ballots
are cast and counted accurately. And in
addition, we’re now exploring the issues of the central tabulation system, in
particular, in terms of full-log ?? system
within the penned-only ?? database; and therefore,
you’re not allowed to make changes to it, just adds onto it, and you can keep
track fully of what is occurring here.
We believe, at least I believe, that an appropriate combination of paper,
computers, and people—and people include the people who are running the system,
people who are auditing and processes, and I would also like to make available
a website that I host at Stanford that keeps track of the—that has ____ papers
that I’ve coauthored on various aspects
of security, and it is www-db, as in database.stanford.ebu/pub/keller—k-e-l-l-e-r—all
lower case, and that gives the website, click on electronic voting. And I’m not sure if I mentioned it, but I’m
also pleased to be affiliated with the
SENATOR BOWEN: Thank you. Thank you.
That was very succinct and appreciated.
I want to make sure that the reference to the website is made available
for anybody like me who didn’t quite catch that on the first try.
Ron Crane and then Frank Egger, Alan Dechert, Pete Newcome.
MR. RON CRANE: Yes. Thank you, Madam Chair.
Several people today mentioned the issue of transparency, and I would like to take that
a little bit farther: my position on transparency is that the entire
process should be supervisible by any member of the public.
SENATOR BOWEN: They cannot hear you in the
back.
MR. CRANE: Okay now?
SENATOR BOWEN: Just pull the microphone closer. It’s easier than talking louder.
MR. CRANE: Yes. Thank you.
Some people have mentioned transparency. And I’m going to take that a little bit
farther. My concept of transparency is
that any member of the general public should be able to determine, should be
able to supervise, the voting process effectively to determine that that
process is actually yielding a correct count of votes. And that’s a little
bit different from transparency that we’ve heard so far which is transparency
with respect to technically astute people being able to do this, people who
have at least Fortran 101 or maybe much more than that. But if we are going
to use electronic voting machines, we need a publicly disclosed source,
publicly disclosed firmware, publicly disclosed hardware. Everything about these systems needs to be
publicly disclosed. We need citizen
verification that these machines on election day are
in fact running the code that was publicly disclosed. We need properly conducted parallel
testing. We can’t end that program. We can expand that program. We need a
Right now, we have no defenses, really, against vendor fraud. And it’s sad that I have to mention the
possibility of vendor fraud. But in any
system where there is a lot at stake, you are going to have people who are
going to try to treat the system, and there are trillions of dollars at stake,
frankly, in elections.
I would also like to mention the possibility of what I term presentation
frauds. We’ve talked a lot about
verified paper ballots and so forth coming out of these machines. But it is possible for the machines to
present the choices to voters, in particular, voters who are undecided in the
voting booth in such a way as to influence how those voters vote. And by doing this, these machines create a
scenario where the ballot that comes out of the machine is what the voter
intended. But what the voter intended
was influenced by what the machine intended.
And that’s something that is not taken care of by voter-verified paper
ballots. It’s not taken care of by
after-the-fact audits. It’s a general
problem that can’t happen with any programmed device that presents choices to
the voter. And a little more detail on
that, that could be done, for example, by changing the sensitivity of the touch
screen in areas for specific candidates so that, if the voter was leaning
towards Candidate A and that was not the candidate preferred by the machine,
the machine would make it so that the voter had to poke that a little
harder. So now
maybe the undecided voter pokes it once, doesn’t register, Oh, well, I’m not really interested in that Candidate B, and one
picks up right away. And because there
are a considerable number of voters who are undecided in the voting booth—and
that depends, of course, upon the election, but there is a considerable number—this
could influence elections, election results.
___ narrowly contested.
And last, I would like to point out
that these machines—we’re talking about electronic voting machines for the
general public, in particular, the large proportion of the public that is
non-disabled—and the machines are, frankly, unnecessary for most people. They are expensive, costing $3,000-$4,000 per
machine. And the only reason that many counties are considering the purchase of
them is because of the HAVA Act and because of the subsidies of the HAVA
Act. But those machines are not
necessary for most people, and we should bear that in mind when we think about
the risks that these machines present versus the benefit that they can provide. Thank you very much.
SENATOR BOWEN: Thank you very much. Thank you.
Frank Egger, welcome. Thank you for coming down from
MR. FRANK EGGER: Senator, thank you for
coming to the Bay Area in this area. Frank Egger from
Marin uses a Diebold AccuVote optical scan using firmware 2.0.12 to count all
absentee vote and vote-by-mail ballots and Diebold’s, with firmware 1.96.4, at
the polling places. Six races in
November in Marin were decided by absentee vote-by-mail ballots. And six of us may have been victims of
Diebold system. But without independent
testing and without subsequent hand counts, we will never know for sure.
To compound risk problems, the
election materials included program absentees, were lost for over two weeks by
the outside vendor the county used to mail the election materials. The state tells us
permanent absentees must be in the hands of voters 30 days before the
election. I have here two ballots
unopened. One is a permanent absentee
that was coming to the voter. The
second, when the voter never received a permanent absentee, they called the
county. And I have another ballot,
unopened, that was mailed October 25 to the voter. Both of these ballots arrived after the
election. What’s interesting in Marin
is—the Marin Registrar of Voters advised us last Tuesday at a hearing that 485
absentee ballots arrived the day after the election, so they were not even
counted.
Just prior to the recent statewide
election, technical experts assigned by the Libertarian Party to inspect
Diebold systems in San Joaquin, Marin, and Alameda Counties found that, on
Diebold’s central-count optical scanners, a critical paper audit component is
missing for all absentee and mail-in ballots and also for recounts. Diebold’s central scanners are unable to
write backup data to memory storage, instead passing all vote
counting directly to the notoriously insecure GEMS tabulator. No vault, no poll tapes, or secondary source
data was retained, and there is no way to check whether the GEMS security
defect was exploited without obtaining GEMS low-data files. Diebold refuses to release those files.
Those voting at the polling places put
me in third place. Those voting provisionally
placed me second. But Marin’s
Thank you, Senator, very much.
SENATOR BOWEN: Thank you.
I had several people email or
otherwise communicate information about concerns about absentee-ballot
counting and the Diebold central tabulator in particular, and that is one of the
issues that we will be looking at. So
thank you for coming to talk about that.
Alan Dechert, welcome.
MR. ALAN DECHERT: Thank you, Madam
Chair, and thank you for having this whole series of hearings. Last week’s hearing about open source, I
think it’s interesting that some of the strongest arguments we heard in favor
of open source were actually in today’s hearing about testing.
I want to pick up on David Dill’s
point and also Tom Stanionis’s point about the ITA process being a—oh, by the
way, I’m Alan Dechert; I’m president of the Open Voting Consortium—David Dill’s
point about the expensive, lengthy, and still lousy certification process as a
barrier to improved voting systems. And
I believe it’s true that we have bought into this process voluntarily, as the
State of
One other point—I’ll be very
brief—several witnesses talked about the need for a disclosed source. I have in my hand a draft of a bill that will
be introduced next week. Our
organization is sponsoring this with Assemblywoman Jackie Goldberg. It doesn’t have everything we want, but I
want to make this clear to the committee and also the members of the audience,
that if you want to go to our website, this bill is on our website right now in
our discussion list, and we will be—of course, we’re not going to be able to
control what happens to it when it gets to the committees. But we’re going to go over this…
SENATOR BOWEN: We can’t control our
Legislature either (laughter), but that’s a good thing. That’s by design because it’s the people in
this room and the people who participate who are supposed to help control the
outcome. That is the way it’s supposed
to work, so that’s a good thing, not a bad thing.
MR. DECHERT: So the point here is that
the text of this bill, we’re going to be working on it on our email list in
public. And people who want to have
input and want to have comments on that, we have a team that’s working on the
final language or that we’re going to be submitting at this point, and it will
be how it’s going to be amended when it gets to committee. So anybody…
SENATOR BOWEN: I want to commend you for
opening up to public display what is normally in legislation a private
discussion about what a bill is going to look like and what the pros and cons
of particular language are. I personally
spent some time a couple of weeks ago looking at the history of discussions
about some of the other legislation that the Open Voting Consortium has been
involved with, and I learned more in the process of reading the comments back
and forth among very knowledgeable people than I think I could have learned in
any other way. So if people really want
to see what this process looks like, what the discussions look like, you get an
opportunity to do that, that I’m not aware of ever having seen any other bill
in 13.5 years of the Legislature.
MR. DECHERT: Thank you very much. We are for transparency in the election
system, and we want transparency in the whole process of how we decide these
things as well. Thank you very much.
SENATOR BOWEN: Thank you.
Pete Newcome, George Johnson, Phil
Albert, and I can’t tell—is it Carl Canter?
Carter. Okay. It’s either my eyes or your writing or both.
MR. CARL CARTER: My writing.
SENATOR BOWEN: Okay. And Carol Brouillet.
And again, as I’ve done on prior hearings, if I kill your name once,
please let me know. I’ll try very hard
not to do it again.
Mr. Newcome, welcome.
MR. PETE NEWCOME: Hi. My name is Pete Newcome. I’m associated and affiliated with the Marin
Chapter of the CEPN, California Election Protection Network, and there’s a
group of us that came down here today.
I’ll keep my comments very short.
Basically, I was struck by the Harry Hersey ?? demonstration
in January where he went to
I think there were two yes’s and seven no’s, so everyone registered or voted in
this
I appreciate all the testimony I’ve heard here today, and I’ll get an earful
later on. But basically, you can
probably eliminate 50 percent of the fraud by making sure stuff like this
is—you know, and it probably can be manipulated wirelessly, not just
onsite. Some guy
in a truck outside, or who knows? But
it’s diabolically clever and it’s almost infinitesimally undetectable unless
it’s, you know, it’s just excruciatingly undetectable. So that’s all I have to say, other than the fact
that the last thing I would say is, someone mentioned here earlier that having
the poll results in any given precinct nailed to the wall—I mean this is my
mantra—but not only that, but what happens the day after if it’s a
library? You know, everything’s gone.
I think this may be a little bit cumbersome.
I think those poll results should in some way, shape, or form, they
should be evidence. They should be out
and remain in public for, like, 60-90 days.
I don’t care what the inconvenience is.
And God forbid, we know there will be a hue and cry, Oh, no. You can’t do that. I beg to differ. I think, you know, it’s not like you’re
spending $2 million or $5 million for a new piece of machinery. Half those poll results, I mean, I don’t
know. Use a staple gun. I mean it’s to the wall. It sounds very archaic and very crude. But there’s got to be—you talked about checks
and balances. It starts, you know, I’ve
heard other members of our group say, it starts at the precinct level. You know, it’s
decentralization, and maybe this is an oversimplification. But to me, next to this, the beginning and
then the end, it’s, you know, the poll results should be, I don’t know,
impermeable, destruction-proof paper.
And it should just be right there, you know, because by the time it gets
to, you know, downtown Board of Elections, adios, amigos. I mean it’s all kinds of—that’s where that
chain of custody can just completely unravel.
So that’s all.
SENATOR BOWEN: Great. Thank you.
George Johnson, Phil Albert, Carl Carter, Carol Brouillet. If you all would come up
and be ready so that we can go from one person to the next.
MR. PHIL ALBERT: I’m Phil Albert.
SENATOR BOWEN: You’re Phil Albert.
MR. ALBERT: Seventh on the list.
SENATOR BOWEN: Okay.
Phil Albert, Carl Carter, Carol Brouillet, and Linda Liebes, Ted Newman,
Carol Marks. That’s your order, so come
on up into the front row so we’re ready to go.
MR. ALBERT: So I’m Phil Albert, and I’m
an intellectual property attorney here in town, and I negotiate agreements all
day involving technology, copyrights, trademarks, trade secrets. And each party in agreement tries to get the
terms that meet their needs. And, of
course, the party with the superior negotiating power usually gets the better
terms, and that party is usually the one that needs more flexibility in what it
gets.
For example, a sole proprietor sandwich-shop owner who needs an accounting system
isn’t going to be able to negotiate some great terms from Oracle. But they don’t need it, you know. If the computer crashes, well, they’re not
out of business. But I can assure you
that a large bank, when they go to their ATM vendor, they get a good deal and a
good set of terms. And there’s no reason
why the State of California, being on top of one of the top ten economies in
the world, can’t negotiate a decent deal which includes that the state should
be able to get terms for the technology that they purchase that allows
inspection, allows modification, and allows publication of the source code and
the schematics and everything that they buy.
To do otherwise, it’s like you’re getting out-negotiated.
And there’s an earlier concern about, well, if the state says no, we need
everything and we’re going to throw it open to the public for inspection and
lose your trade secrets. Well, let’s set
aside for the moment that democracy is more important than trade secrets. But as many involved in the open-source
community will tell you, there will still be vendors that will supply a product
under those terms and say, Fine. We’re
going to make money on service. We’re
going to make money because you’re going to pay us. We don’t need to keep the trade secrets. And the state should get those terms.
On another point, the state is probably
better off doing the negotiation on the terms in the counties. Just like any chain grocery store will tell
you, they get better purchasing power purchased as a whole as opposed to
individual stores. And so that’s my
point.
And I have one point that
I just thought of, that if you can’t make the machines completely secure,
there’s one thing that you can do. And I’m reminded as a kid, me and my brother were faced with
a piece of pie, one piece of pie and two boys.
It’s hard to see how you resolve that.
So we worked out a system where one person cuts and the other person
chooses. (Laughter)
SENATOR BOWEN: Your family and mine must have been
friends. There were five kids. And whoever divided got the last of the five
pieces.
MR. ALBERT: And that principle can be
used in voting machines to say, Let’s
wait until the last minute before we add the candidate’s name so that’s
entirely independent of all the software.
So if someone is going to jam a number 2 pencil into a lever, let’s make
it so they have to do that before the names get added to the levers. And it would just remove the incentive to do
that, and that’s my comment. (Applause)
SENATOR BOWEN: Thank you.
What I would want to take away from that is that randomness is our
friend in this and
unpredictability. It isn’t the answer because
I’ve seen evidence of ways that you can hack a voting machine even without
knowing in advance the exact name or office, but it makes it hard. So thank you.
I think that’s a point well taken.
Carl Carter and Linda Liebes, Ted Newman, Carol Marks, Jerry Berkman, Ferris Gluck.
MR. CARL CARTER: Good afternoon. My name is Carl Carter, and I live in Marin,
and I’m part of the California Election Protection Group in Marin. And I’ve been interested in elections for
some time but most evidently, most recently, since the 2004 election.
Just a few, couple of points I’d like
to make.
One is, I think, when you’re
establishing an audit protocol, I would like to have a number greater than 1
percent considered for statistical purposes.
I think 1 percent is just an uncomfortably small number.
The second thing that is kind of
interesting, when you go back to the lever machines, people were talking about
how the tradition in the voting is you’re supposed to show the open box and
then tape it up in modern-day elections when you’re using paper to make sure
there are no pre-stuffed ballot boxes.
That’s a holdover from the days when you’re supposed to check the back
of the lever machines. The first voter
looks and they’re all zeroes. Well,
presently, you’ve got electronic software.
You can open up the back of the computer but you can’t show them. And what has been discovered through investigation
is that certain machines have been preloaded with—well, first of all, you print
out the tape, and you show that it totaled to zero. But you find out that you can preload a
machine with a negative 25 votes for one candidate and a positive 25 votes for
another candidate. You print out the
tape, it still shows zero. So there are,
you know, infinite ways you can fox systems.
I guess my last point would be, I
would like to see the government take a few million dollars and develop their
own system which could be used as an audit backup at centralized places, be it the
Registrar of Voter offices or in the county.
Or if you have something as large as LA, you’ll have to have multiple
machines. But where you run through an
independent machine that’s developed by the state where its proprietary
software to the state developed by our universities or people in this room
where you know what the outcome should be, and then you run them through the
other machines. And if you get it
different, then you know you’ve got a problem to solve.
Thank you for having these hearings.
SENATOR BOWEN: Thank you.
MS. CAROL BROUILLET: Yes. Thank you very much for having these hearings.
My name is Carol Brouillet, and I’m actually running for Congress in the 14th
District here in
I’m convinced that by making the public think that the elections are fraudulent
and disenfranchising them and giving them the choices between Tweedle Dee and
Tweedle Dum, that is one way the outcome of the election is determined in a
presidential race when people feel that they really don’t have much choice when
the candidates are very, very similar.
The point that I wanted to make is, you mentioned the Scientific Application
International Corporation, SAIC, of
Now these are also the people who are imposing elections on other countries which
we are occupying. And this is what
concerns me greatly: I think it was
Stalin who very succinctly said, “It’s not who votes that counts. It’s who counts the votes.” And if we have oversight of the software
voting, the counting software vote, the software voting systems by the CIA, the
Defense Department, we’re in serious trouble because they can certainly push
elections in a way that serves their interests, not the interests of most
people in this country and the planet.
So thank you very much.
SENATOR BOWEN: Thank you.
UNIDENTIFIED SPEAKER: Senator Bowen.
SENATOR BOWEN: Yes.
UNIDENTIFIED SPEAKER: I’d like to respectfully yield my time to Jim
March.
SENATOR BOWEN: Okay.
UNIDENTIFIED SPEAKER: Thank you.
MS. FERRIS GLUCK: Good afternoon. My name is Ferris Gluck, and I just wanted to
say there’s a lot of discussion about the certification impasse, and now we’re
finding a lot of counties rushing to solve the problem with vote by mail. And there are alternatives that don’t require
certification as Tom Stanionis from
SENATOR BOWEN: Thank you.
Jim March.
MR. JIM MARCH: Hello. Senator Bowen, I thank you for holding these
hearings, but I have to gently point out an important fact about this hearing
today. If the political will is not
found in your office and in Senate Elections Committee and Senate Rules
Committee to pursue, if necessary, subpoenas against the worst players who are
not here today, who need to speak to the election insiders, the certification
industry insiders, if they are not brought into a room like this, here or in
Sacramento or wherever, then they will come out looking like Teflon, and the
events today will actually serve to harm our voting system.
SENATOR BOWEN: I do take it that you saw the recent reports
of Teflon being cancer causing (laughter)?
MR. MARCH: Yes, exactly.
SENATOR BOWEN: So don’t necessarily depend on Teflon as being
anybody’s savior.
MR. MARCH: We cannot let them have that
appearance. If the California Senate
cannot bring them to task, then nobody can.
I’d like to talk to you about failures of certification today, my main point. I’m going to tell you about an interlocking
series of failures that led to part of what just happened in
The first certification failure involved in
The second failure happened over at Wyle Labs a little bit later. As Mr. Egger was mentioning—and he’s correct;
he cited some of my work—the Central Count version 2.0.12 firmware on the
absentee optical scanners does not keep its own tally, either paper or
electronic, of what votes went through it.
Now that is really surprising, considering that Diebold always told
anybody who asked about the GEMS defect, the ability to modify the GEMS
database, Well, that’s okay because all
the precinct terminals, both optical scan and touch screen, keep a little
ticker tape at the day of how many votes pass through that machine for each
candidate in issue. In other words,
the ticker tape’s typically about three feet long, and it will say something
like, Bush, 325 votes that day; Kerry,
411 votes that day, and for each candidate, each issue produces a ticker
tape.
Now as Mr. Harry Hersey proved, it’s possible to hack that ticker tape, but that’s
fairly technically sophisticated. So we would say, that in most cases, especially where
there’s machine error or a less skilled hack attempt, it would be unlikely to
see a modification of that paper. So
Diebold had a partial point in saying, Well,
that’s a protection for the GEMS database because, if the numbers from the ticker
tape don’t match the GEMS, then everything must be okay. Well, what Diebold didn’t say is that, if you
try to do that kind of matchup between GEMS and the absentee ballot count, you
can’t do it because they don’t produce a count there.
Well, then after Wyle approved this lack of a paper trail on the absentee ballot, it
got the
Now this is quoting, this is probably written by Steve Friedman, although it’s not
named by him. He is the state’s chief
technical consultant. And let me read to
you part of what it says here: “Unlike
the two previously certified versions”—sorry—“Unlike the two recently certified
versions”—is what it says—“instead of storing the results on a removable memory
card via a dedicated port, the results for version 2.0.12 are transmitted to GEMS
using a direct connection. The unit also
includes a built-in roll-based printer.
Unlike the two recently certified versions, version 2.0.12 does not use
this printer to produce opening and closing reports as no results are stored on
the unit.”
What they’re saying, what the Secretary of State’s Office realized officially in
September ’04 is that that machine used to do that kind of audit trail. It used to hold both an electronic copy on
its own memory card and a paper tickertape audit trail record of what votes
were passed through that absentee ballot scanner. After Diebold had been promoting the use of
those kinds of audit-trail features as a backstop against the GEMS security
problems, they pulled that feature from absentee ballot counting. So somebody needs to come into a room like
this and face someone like you and answer, Why in God’s name did you pull one of the few even halfway-working audit
trail systems that you have?
So what we have here is a failure by CIBER and then Wyle approving this same removal of
the audit systems and absentee ballot count.
And then
This is not good, folks. This is failures,
two failures at the federal level, failure at the state level, and then a
failure at the local level. The whole
system’s failed. Somebody needs to
answer for that. I don’t know how else
to put it. The entire system has been a
failure to date.
Now I’ll point out a couple of other things.
Today, right now, the Secretary of State’s Office has a report from the Wyle
Lab on the Diebold memory card problem that Harry Hersey found and that Black
Box officially requested a review on almost a year ago. Well, through a long, convoluted series of
events, it finally ended up two months ago that McPherson Buck
?? passed it to Wyle ITA and said, Hey, how did you guys end up approving an
illegal interpreted code system? How did
you approve memory cards that can be altered?
Can you go back and rethink this?
Well, I don’t think that was really a crazy thing to do, to go rub the
ITA’s nose in it. But
I was told Tuesday evening by one of the staff for Bruce McDaniel ??, who’s now
running the certification process, the California Secretary of State, one of
his people by the name of Susan—I can’t recall her last name—my apologies—said,
Yeah, we’re getting the ITA report on
that finally today, but we’re going to analyze it and sit on it for a while. So,
no, you can’t have it in time for this meeting on the 16th. So I
have no idea right now what Wyle said about their previous blooper, basically,
but I think it’d be awfully interesting to find out.
I’m real concerned about the lack of public-records access. Someone else mentioned that the GEMS central
databases are being withheld by Diebold under trade secrets. Well, the Alaska Democratic Party has been pushing
that one real hard using public records requests that
I actually helped them write in my official duties at Black Box. And we’re actually getting passed along the
barriers. Diebold has actually conceded
the point that, Boy, if anybody takes us
to court and tries to get those GEMS files, they’ll get them. So Diebold is, so nice of them, giving up
their claim to trade secrets that they never had properly in the first place on
the GEMS data files, and that should have national repercussions. We may be able to get a hold of the GEMS data
files from
All of this is cross-wired with transparency.
All of this is about our right to see how our vote is counted. But most of all, the point I must take to
you, is that if you try to design a certification process as bulletproof, you
won’t succeed. Some of the scientists
were absolutely correct about that. So
we, the people, have got to become the certification process, the real one, the
one that matters. And then we must be
allowed enough oversight capability on those machines to make sure that any
minor or even moderate-to-major security flaws that we know about are not exploited. We must have that many eyeballs on the process
allowed to do it. We don’t have it right
now.
I was arrested in
SENATOR BOWEN: Thank you.
I’m on the next page. So
I have Genevieve Katz, Jane Trumbull, Mary Beth Brangan. I think they were before you. Michelle Gabriel, Jon Barrileau, Gail Slocum,
Gail Work, Sherry Healy, Steve Chessin. If you folks want to come up.
While the next witness is coming up, I want to make it clear that one of the things
that I think must happen now is, when the supplemental Diebold report comes
back from the ITAs, the public must have an opportunity to look at it before
the Secretary of State’s Office acts on the certification of the Diebold
equipment, despite the fact that the mandatory hearing is argued by some to
have been held in November. This is
really no different than having a supplemental Environmental Impact Report
because a project has changed since the first Environmental Impact Report or
circumstances have changed. And in no
way must we allow the
MS. GENEVIEVE KATZ: I’m Genevieve Katz, and I
come from
One of the things that people are talking about is putting up the totals on the
doors before they leave. This is at
Also, it would be nice to have the HAVA deadline extended because I keep on seeing
things where our ROVs are asked to bind ?? out or lose your money.
That’s all I have to say. Thank
you very much.
SENATOR BOWEN: Thank you.
MS. MARY BETH BRANGAN: I’m Mary
Beth Brangan from
I’m so grateful to you to be looking
at the whole process of elections, since I think that many people like I was—I
was totally ignorant of the process that the ballot takes from the time it
leaves my hand until it gets posted. I
think that that’s something that every citizen needs to understand in order for
us to get on top of this.
I’m also reminded with the tendency of
people to say, Well, we have to have more
machines in our election process, I’m reminded of the principle in the book
by Joseph Tainter on the Collapse of
Complex Civilizations that problem after problem is satisfied by putting
another layer of complexity upon complexity in order to solve problems until
you are left with a system that collapses from the sheer weight of the
unsustainable—the unsustainability—from financial costs as well as costs to our
democratic choice because the history of voting in the United States is a
history of ever-increasing complexification and each new “advance” with
machinery presenting new opportunities for fraud. Until now, we find ourselves with the
opportunity for, with these machines, with electronic voting machines, for one
or a handful of people to manipulate millions of votes.
I wanted to also comment on how poll
workers—we could have a different system for poll workers. We could have, we could reignite the sexiness
of being a poll worker, the champions of democracy. We’ve got to make it a wonderful thing to do
to be there and willing to count the votes, maybe a fresh crew at the end of
the day, to do the vote counting. The
average number in each precinct is less than a thousand. That is not an undoable task.
And then I wanted to also add to Jim
March’s comments on the mail-end situation and to the situation in
UNIDENTIFIED SPEAKER: Jeff Dean.
MS. BRANGAN: Jeff Dean. What did I say?
UNIDENTIFIED SPEAKER: Eaton.
MS. BRANGAN: Oh, sorry. Jeff Dean developed that software while in prison for computer fraud. Thank you.
SENATOR BOWEN: Thank you.
We will be considering a bill this
year that allows high school students to work in the polls without having the ___
school district lose a day’s
UNIDENTIFIED SPEAKER: 583.
SENATOR BOWEN: 583? It’s SB 583, democracy at its finest. No? That’s not right. We’ll get it.
Steve Chessin, welcome. Thank you.
MR. STEVE CHESSIN: Thank you. My name is Steve Chessin, and I’m wearing two hats today.
The first hat is as a member of the League of Women Voters of the Los Altos/Mountain
View area. In that capacity, I chaired a
study by the five local leagues of
The second hat that I’m wearing today
is as president of Californians for Electoral Reform. We support voter-verified paper trails for
electronic voting equipment. We also
support the use of rank ballots. And as
one focus of today’s hearing is on certification, I want to read some short
excerpts of the state HAVA plans, state’s HAVA plan, portions, as far as I
know, have never been implemented. In
the section on how the compliance of voting system standards, it says, “In
order to comply with HAVA, the state will support, promote, and encourage the
use of voting systems that are compatible with alternative voting methods, such
as rank, ballot, and cumulative voting will consider decertifying systems and
refusing to certify systems that cannot accommodate alternative voting systems,
such as rank ballots and cumulative voting systems, and we’ll regularly evaluate
voting systems to assess their ability to accommodate alternative voting
systems.”
As far as I know, these provisions
have never been implemented. We would
like to see them implemented. The reason
why I’m bringing that up today is that we don’t want the requirement of
equipment to handle rank ballots so you get lost in the struggle for accurate,
reliable, and secure voting systems. We
want our systems to be accurate, reliable, and secure, but we also want them to
be able to accommodate rank ballots.
Thank you very much.
SENATOR BOWEN: Thank you.
Michelle Gabriel, Gail Slocum, Gail Work,
Sherry Healy, Peter—I can’t read without my glasses—Drehmeier—Drehmeier? Jim Soper, Dan Ashby, and
MS. MICHELLE GABRIEL: Hello. My name is Michelle Gabriel, and I just have a few comments to make.
One is that the state certification, what
I saw on Bruce McPherson’s website, was that the state certification, part of
it is that the laws of California are being met by, when the states request it,
that means that the voting system does meet the laws of California. And I hope that that can be upheld because it
seems to me that there’s already a number of systems out there that are
certified, that don’t actually meet the law or don’t meet the law as the ROV is
implemented, and that was my second point which I wanted to bring up, is that
there’s a lot of laws, but how do you get them enforced?
We’ve had these people come talk about
the experts saying, you know, you don’t have to have a perfect machine, but you
do have to have excellent audits. Well,
what happens when those ROVs don’t do the audits, don’t implement them, refuse
to, and then come up with these crazy costs for us to have a recount or
something like that? It’s great to have
these laws, but I hope, that when the processes are looked at, they’re looked
at as something that the common citizen can actually, A, assume that the state
will somehow enforce the law and, B, that when we ask for recounts, that
they’re actually doable. So I heard a lot
about, every system, every part of this is a weak link. Some of the weak links that I haven’t heard
about is actually the ROVs, the ROVs actually implementing the law, are being
forced to implement the law, and not creating blocks for the citizens to have
their recounts. Thank you.
SENATOR BOWEN: Thank you.
Mr. Soper, welcome.
MR. JIM SOPER: Thank you for having the meeting here. My name is Jim Soper.
To first addressing the issues on the
testing—by the way, I am a programmer of more than 20 years’ experience and
former senior consultant with the Jewel ?? Equipment
Corporation.
We have evidence that the federal
testing doesn’t work. The ITAs should
have caught the Diebold reliability problems.
It took the Secretary of State to run it through a stretch test in order
to catch it before it went out into the real world. So that was already one failure. And also now the Secretary
of State has got two professor,
Another point, all this test—and this is a point I’ve made before—all this testing and
review doesn’t do any good if we have no way of knowing what has been tested
and reviewed is to go to ___ the machines, and that needs to be tightened up so
we can be absolutely assured that it’s there.
Much of the discussion in the past few weeks has been about the, especially the voting
machines and, to a certain degree, the tabulators. We need to have opened up and tested the
signature checkers for the absentee ballots, the registration databases. There’s no certification for those
registration databases. They’re going to
put up at the state level. It’s in the
process. We don’t know what’s going
on. Barbara Simons just told me she’s
writing a whole book on this, and it’s scary.
The testing process is not open. Senator Bowen said we should be insisting on
seeing the supplementary report. Heck,
we can’t even see the original report. I
followed the RFP and evaluation procedures of two counties, and they’re very
close. We have no idea what’s going on,
and we’re not informed, and we have no real way of getting any input into the
people making the choices, in the case of an evaluation committee which, in
All the transport procedures in an
election also need to be open and tested.
I don’t think anybody’s talking about any Red Team attacks on the testing of
the transport procedures, anything like that, as being completely ignored. How do we know, that when it leaves the
precinct, it’s going to get to county headquarters properly? It probably is, but maybe we ought to think
about checking that out.
And I support the cause for reporting
the precinct results taken from the polling tapes, the precinct tapes, and put
on the internet by the county offices on the internet as dated that anybody can
check to make sure that the tabulation has gone right, taken from the paper and
enter it into the internet. And again,
as Mr. March had referred to, we need a second monitor out in the public area
on the tabulation database or on the tabulator so we can watch exactly what’s
going on, and that should be law everywhere.
I’d like to finish by saying I’m a software engineer, and there’s many software engineers here and have been. I feel like the civil engineers that were
warning that the levees of
SENATOR BOWEN: Thank you. Unfortunately, I only have ten fingers. I don’t think that’s adequate ____.
Let’s see, I have Dan Ashby, Lowell
Finley, Barbara Simons, and Donald Mayall.
If anyone who still wants to testify ____ coming up, if I called your
name and you didn’t come up before, please come up now. I want to make sure we don’t miss anyone.
MR. DAN ASHBY: Hi. My name is Dan Ashby and I’m active with the
California Election Protection Network, and I’d like to just reiterate a few
really good ideas that have been expressed here today and then go into a couple
of more substantive issues, kind of a wrap up of what we’ve heard today.
Following up on the idea that the
Diebold optical system, Hersty Hack ??, it’s important
to note that 30 percent of the
I know that you’re somewhat concerned
about the issue of the audio AVVPAT. And
based on some discussions this morning with Lou Didier ??
of ES&S, it appears that actually none of the
three makers—Diebold, ES&S, or Sequoia—actually have a true read of the
voter’s intent from the paper trail.
They are actually reading from the internal audio record which, of
course, completely defeats the purpose of the law. I would say that it violates the law, and it
certainly violates the exclusive language in the
I would say that one of the most
important things we need to do is insist that all ballots of every class be
counted in their precinct of origin on election night or, at least, all the
reported, according to their election precinct of origin, in the case of
absentee ballots that are counted later.
I would maintain, having closely read the
Election Code, that the Election Code already does require this. I wrote an 11-page analysis which
cross-references all of the sections of the code, and I don’t think that
there’s a way to argue their way around them.
But I don’t think that any Registrar of Voters who maintains the liberty
to ignore those procedures at will has ever provided a test showing that they
have legal mandate to do so. I insist
that they do not and that we have to concentrate on counting ballots at the
precinct levels. That’s the number one thing
that we can do to check fraud now that’s already in the law.
I think that we should also attempt to
get laws passed as soon as possible to recognize that any record of the public
record vote is a public record, not a proprietary claim. For instance, the Diebold system’s
produced the GEMS backup file at a periodic interval that are recorded to
CD-ROM, and yet those records are not allowed access by Diebold claiming
proprietary right. But they’re in the
business of counting the public vote.
Those are our votes. It’s not
their private property. We need to get a
hold of those records. Similarly, with
the central scanner, several makers are capable of producing complete scanner
images of the ballots. For instance,
this is true of the Hart ballot now, second generation. It’s called the digital image scanner, and it
actually maintains a complete record of each ballot which could be accessed as
a public record so that the public would have an independent way of validating
the vote on those machines.
I think that it is very important to
recognize that HAVA was a false sell, that it created a contrived emergency, claiming
that the error rates for earlier generations of punch-card machines were the cause
for the electoral upset in 2000. That
was a very skimpily managed mass-propaganda job. In fact, there have been studies done at UC
Berkeley’s School of Information Studies that have shown exhaustively that many
of the punch cards that were discredited actually had lower error rates than
many of the electronic voting systems that it had been replaced by.
There are simple solutions to the main
issue of HAVA, which is really disability and language access. And I would certainly encourage the wide
adoption of the simple template devices such as the EQUALA ??
vote that you’ve heard mentioned here and the vote pad
which completely solve the accessibility problem and do not cost $3,000 and do
not count the ballots on secret software.
We should seek for the simplest, most direct methods of solving the
accessibility issues, and they are available.
Some of the terms that I think need to
be adjusted are going to be longer term than we can achieve in advance of the
2006 midterm and November elections. One
of these would be a complete update and rewriting of the California Elections
Code which in many cases has been outstripped by technology. It’s excessively confusing. It’s not airtight, clear on such things as
the requirement of the precinct count.
So I think that should be a major legislative priority, although it will
take time.
Secondly, I think we need to
incorporate a really reliable and robust audit
legislation in the Election Code. And as
you know, California Election Protection Network is preparing a very
substantial proposal, having taken advantage of the studies that have been done
in other states and other higher institutes of learning around the
country. We really need to incorporate
auditing as the first line of defense.
As people said here today, you can have a somewhat insecure computer
system if you have an airtight audit system.
There are some very simple
common-sense solutions that should have been addressed. U.S. Counts Votes is an organization that has
written about a four- or five-page best-practices guide to elections. I’ll give you just one obvious example. Anything connected with an election system
that records vote data should be a write-once, read-only media. It’s ridiculous, but ES&S systems, for instance, you can rewrite—you can carry off the data election on rewritable
zip drives, floppy drives. I mean, it’s
ridiculous. You should have a one-write
only medium for anything that preserves a vote record.
Okay.
Here’s what I see happening as really serious, is that we have 12
counties that are poised to implement the discredited TSX Diebold touch-screen
system, just as soon as they get some sort of a certification, green light, and
all it would take is the ITAs to say, It’s
fine with us, and the Secretary of State saying, Well, it’s fine with them; it’s fine with me. His signature goes on. There will be no more hearings. Those systems will be placed in use. I mean, I would have thought that by now, we
could have killed Diebold. And
apparently, it’s going to take massive injunctions. If the state is not going to intervene, the
citizens seem to be the last line of resort.
Finally, in this period of confusion
while Diebold has had a long damage to its reputation, quite quietly—and I
don’t know how they have done it, but they’ve had a marvelous PR campaign,
apparently, a lobbying campaign. Sequoia
has moved into 20 counties. They’re
poised to go with a DRE system.
In the short term for these upcoming
elections, it appears, that in the absence of
comprehensive voting law reform, we need to work in getting citizen pressure on
local boards to pass halfway measures, if possible, for audit protocols. We need citizens conducting parallel
elections as an independent check on the official electronic vote and tallies,
and we need to have exit polls. And I would suggest, that if unions might be able to prepare
the—raise the money necessary to do a truly independent exit poll, which we
know from past experience of generations—that this has always been proven
accurate within 1 percent of the vote.
And we are in peril now _______ polling system eliminated by national
Republican legislation which would eliminate the last check that we have on the
national election. Perhaps in California,
we might even say that this is an important enough matter that state money
ought to be devoted to the creation of an independent exit poll as a check on
the election systems until we have something more solid in place in terms of
long-term legislation.
I know it’s gone on long and I thank you for your indulgence, but here’s
one last major point that I would have as a possible solution to the very, like
what I view as the strong likelihood that federal- and state-elected offices
will continue to be stolen, as I believe they have been regularly, for at least
the past ten years, if not longer, and that would be in the current system in
which optical-scan systems are by far the most widely installed voting medium
across the country and, until recently, in California. They provide a paper ballot trail, but they
would also make it possible to institute what would be called a split-ballot
solution where it would be a matter of state law that offices for the federal
and state level of government would be hand counted—this would be practically
achievable—and that the remaining issues on the ballot, all the way down to the
water district boards and the local judgeships, could continue to be counted
by optical scan. But we know that, if
there’s going to be an election, the first target is going to be those of the
greatest governmental influence would be the government and the state
government offices. So if you have a
split-ticket option—not an option—a split-ticket procedure for that ballot and
you have citizen boards volunteers to come in and do the counting, we ought to
be able to do it. Eighty percent of the
democracies in the world hand count their ballots.
SENATOR BOWEN: Thank you.
MR. LOWELL FINLEY: Good afternoon, Senator. I’m Lowell Finley. I’m an election law attorney and working with
a group called Voter Action. I’ve been
for the last year litigating a lawsuit in the State of
I want to just talk about two things.
The first is to underscore what many members
of the first panel said, and it’s been echoed by Dan Ashby and others that the
capacity to audit and the requirement for regular audits after every election
that are paid for by the government that come automatically, that are based on
a random selection of precincts in a sufficient percentage to detect errors or
tampering is really the lynchpin of the reforms that are needed here because
you can make changes in certification standards and testing, in the equipment
that’s selected and used. But if there
isn’t that end-of-the-line audit process, then there really isn’t any assurance
that you’ve got an accurate election outcome.
The second point—oh, and just to point
out one detail there—the only way that that can truly be done is with paper
ballots, given the current technology, paper ballots that are optically scanned,
because the paper trails that are produced by current-day DRE machines simply
cannot be audited in any practical way.
Remarkably, one of the strongest advocates of DRE systems, the
Registrar of Voters for
The second point is, I’d like to introduce a principle that needs to be
considered as all of the fast action that’s occurring on this issue develops,
and that is, the law of unintended consequences. I’ve worked in campaign finance as a lawyer. And every attempt at campaign finance reform
has typically had many unintended consequences that then required later repair.
Here, we’re dealing with a very
reasonable movement toward use of paper ballots and optical scanners, but there
are potential pitfalls with that. And
the proposal for an all-postal election that was made in the earlier testimony,
I think, highlights one of the risks. It’s one thing to use paper ballots with optical scanners in
the precinct where the scanning is done immediately after the voter has marked
the ballot. It’s an entirely different thing
to use paper ballots with centralized optical scanners at the county
level. And one
of the primary differences that has nothing to do with technology is the length
of time that the ballots are stored physically at the county elections office
before they are counted, before election day.
That period of time presents a significant opportunity for insider
tampering, and I’m concerned about this because I actually represented a party
in a lawsuit in 2004 in Napa County in which we proved, I think convincingly,
that there was tampering with paper ballots while they were stored at the
elections department and before the tabulation was done. And it took the very simple form of someone
who got access going through the ballots and finding true under votes on the
race that they wanted to influence, that is, the actual voter had not
voted. And they simply took a writing
implement that looked like the same one that the true voter had used and filled
in a vote for the candidate that they supported. We were able to prove this by using a
forensic document examiner. And what it
points up here is the need to have a whole different level of security measures
in place that again are very well understood in other industries, such as
banking or in the gambling industry, so that the minute—so that you have a true
chain of custody, so that any time that absentee-ballot envelopes or ballots
are being handled, there is a constant videotape being made, so that access to
the places where they’re stored is carefully controlled. You use two-key systems, a whole series of
things that actually
And so a wholesale move to all postal
elections is anything other than a stopgap, last-minute solution to a crisis
situation, I think, is something that should not be promoted unless there’s
serious time and attention given to this whole series of non-technological
problems that come along with absentee voting and certainly with all postal elections. Thank you.
SENATOR BOWEN: Thank you.
Okay.
Sherry Healy, Barbara Simons, Donald Mayall.
Is there anyone else who hasn’t—we’re
about an hour later than I wanted to be, but I think the testimony has been
really important and useful.
MS. SHERRY HEALY: I’m Sherry Healy. Thank you for having this hearing today. I’ll make it really brief. It’s getting so late.
On the topic of the independent
testing laboratories, it seems very telling with the fact that the deponents
haven’t shown—and once again, the public is on the outside, and what’s new to
me in this hearing today is this possibility—I don’t know how realistic it
is—that if indeed we could opt out of it and take a leadership role in
California to get out of this system where it’s clearly corrupt, and we could
move the paradigm back to where the citizens have more oversight over what is
happening within our state and have maybe less power distributed beyond just
the two entities. It seems too much power
in too few hands.
And I had a lot of other things I
could say, but I don’t want to be redundant to what others have said.
Essentially, if indeed we could do that, that would
be, I think, something that could lead the nation and would be worth our
while. And the
only caveat is, I would hope it would not just be in two hands in
SENATOR BOWEN: Thank you.
MS. BARBARA SIMONS: I’m Barbara Simons. I am a past president of the
Association for Computing Machinery which is the oldest and largest professional
society of computer scientists. I’m also
a coauthor of the report on the internet, on the DOD’s ___ project for internet
voting, and our report basically killed that project. And I am indeed writing a book on voting
machines, but that’s not why I’m here to speak to you now.
I must say, I’m very impressed by the
standard you are showing, sitting up there though all these talks. And I thought, you know, it would help keep, wake
you up, I would maybe switch the topic.
I hope you’ll be tolerant of this.
It’s something else for you to have nightmares about, and that is, the
statewide databases of registered voters.
SENATOR BOWEN: Yes. Let me ask you to just—that’s a whole other topic and I don’t want…
MS. SIMONS: So I won’t talk about it then.
SENATOR BOWEN: Okay.
MS. SIMONS: I just wanted to make an announcement that—as I say, I wasn’t planning to talk at all. But at
SENATOR BOWEN: Great. Thank you. I appreciate that.
And you are Donald Mayall?
MR. DONALD MAYALL: Donald Mayall. I’m all that stands between you and the cocktail hour.
SENATOR BOWEN: Oh, no, no. It’s not cocktail hour, but thank you. (Laughter)
MR. MAYALL: Thank you, Senator, for coming down here to the
But at any
rate, some of my friends are in the audience and didn’t know I ____ on
that. I did insist they take the machine
out of service. So at any rate, I don’t
know how much more of this happens, but I’ll…
SENATOR BOWEN: And the machine was taken out of service?
MR. MAYALL: It was taken out of service. But at any rate, it is not hypothetical. It can happen.
SENATOR BOWEN: Great.
MR. MAYALL: Thank you for coming down here.
SENATOR BOWEN: Thank you for taking the time.
Anyone else who has anything to say at
this point?
All right. I’d like to say thank you to everyone who
came, thought about what needs to happen to make—five years from now, two years
from now, we shouldn’t be having a discussion like this. Our goal is to get past this and not to
have a room full of people who are really concerned about how you’re going to
vote, how their vote is going to be counted, and the process. So that’s the goal. It’s basically the infrastructure of
democracy that we’re after. It is the
levees of democracy that we’re after. So
thank you all very much. More work will
be done on other subject matter, and we’ll try to get any written materials
that have been provided up on the committee’s website. It is not the most user-friendly website you
will ever find. But if you are even a
little bit patient, you can actually find the material, and thank you.
A particular thank you to
Thank you all again very much, and drive safely.
Thank you. (Applause)
---o0o---