[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]
ELECTRONIC VOTING SYSTEM SECURITY
----------
WEDNESDAY, JULY 7, 2004
House of Representatives,
Committee on House Administration,
Washington, DC.
The committee met, pursuant to call, at 11:00 a.m., in room
1310, Longworth House Office Building, Hon. Robert W. Ney
(chairman of the committee) presiding.
Present: Representatives Ney, Ehlers, Mica, Larson,
Millender-McDonald, and Brady.
Also Present: Representatives Hoyer and Holt.
Staff Present: Paul Vinovich, Staff Director; Matt
Petersen, Counsel; Payam Zakipour, Professional Staff Member;
George Shevlin, Minority Staff Director; Charlie Howell,
Minority Chief Counsel; Matt Pincus, Minority Professional
Staff Member; Catherine Tran, Minority Professional Staff
Member; Thomas Hicks, Minority Professional Staff Member; and
Kellie Cass-Broussard, Minority Professional Staff Member.
The Chairman. The committee will come to order. I am going
to begin my opening statement. Mr. Larson is on his way and we
have Mr. Ehlers. The committee is meeting today to discuss
electronic voting system security, an issue that has garnered
extensive media attention and produced impassioned opinions on
all sides in recent months. Hopefully, this committee hearing
will be able to shed some light on a matter that has certainly
generated plenty of intense heat across the Nation. After the
controversial presidential election of 2000, in which the term
``hanging chad'' became part of the national lexicon, Congress
enacted and President Bush signed the Help America Vote Act,
known as HAVA, to help restore the American public's confidence
in the Federal electoral process. The goals of HAVA are simple:
to ensure that all eligible Americans have an equal opportunity
to vote and have their votes counted, to protect against legal
votes being cancelled out by illegal votes, basically making it
easier to vote and harder to cheat.
To accomplish these objectives, HAVA established new voter
rights providing for second-chance voting, provisional ballots
and enhanced access for individuals with disabilities;
specifies new voting standards, requires each State to
implement a computerized statewide voter registration database;
and requires each polling place to publicly post certain voting
information, such as sample ballots, instructions regarding
provisional ballots and polling place hours. To address issues
relating to the security of voting technologies, HAVA creates
the Technical Guidelines Development Committee (TGDC) chaired
by the director of the National Institute of Standards (NIST)
to aid the Election Assistance Commission in crafting standards
and guidelines to ensure the integrity of computer technology
being used in current voting systems. Furthermore, HAVA
provides for the testing and certification of voting system
hardware and software in accredited laboratories.
Following HAVA's passage, many jurisdictions began making
plans to replace outmoded voting machines with the latest and
most technologically advanced electronic voting equipment.
These direct recording electronic (DRE) voting systems have
been widely touted as easier for voters to use, thus resulting
in fewer spoiled ballots, and, unlike most other voting
systems, are capable of allowing individuals with disabilities
to vote in a private and independent manner, sometimes for the
first time in their lives.
Not everyone is excited about the prospect of widespread
electronic voting, however. Over the last year, several
technology specialists, concerned citizens, and media outlets
have raised serious concerns about the security of DRE voting
systems. These critics contend that DREs contain insufficient
safeguards to protect against potential efforts by malicious
software programmers or computer hackers to skew the results of
an election. Moreover, the critics argue that DRE malfunctions
or technical glitches could result in scores of votes being
lost without any possibility of retrieval.
To address concerns surrounding the security of electronic
voting, a number of different bills have been introduced this
Congress that would require DRE voting systems to produce a
voter verified paper record--a paper receipt listing the
choices made by the voter. I have not supported any legislative
proposal as of today that would amend HAVA to require DREs to
produce paper receipts. As I expressed in a Dear Colleague
letter co-signed by my friend Congressman Steny Hoyer and by
Senators Mitch McConnell and Christopher Dodd, I believe it
would be premature to amend HAVA at this time before the new
law has been fully implemented. Doing so could undermine the
process established by HAVA for the EAC to develop standards
and guidelines for voting systems security.
My reservations about amending HAVA to require paper
receipts, however, in no way lessens my interest in assuring
that DRE voting systems meet the most rigorous security and
operational standards. The American people demand and deserve a
voting process in which they can have full confidence, and I
will do everything in my power to guarantee that they do.
For this reason, the committee has called today's hearing
to hear from a wide range of technology specialists and
election administrators to learn more about the issues relating
to voting system security. Over the course of the hearing, we
will gain a greater understanding about the security measures
that DRE voting systems currently have in place and whether
they are sufficient to protect against hackers and technical
malfunctions. In addition, we hope
to learn more about whether voter verified paper trails are
necessary to protect the integrity of the voting process or
whether there are other alternatives that can be used. So I
look forward to hearing from the witnesses and I will yield to
our ranking member.
[The statement of Mr. Ney follows:]
[GRAPHIC] [TIFF OMITTED] T7366A.001
[GRAPHIC] [TIFF OMITTED] T7366A.002
Mr. Larson. Thank you, Mr. Chairman. I would like to thank
you for calling this second of two hearings on a very important
topic of elections. The 2000 presidential elections brought to
light many problems with the elections process. We heard
reports of wide range of voting frustrations, most common were
punch cards with hanging and pregnant chads and voters who were
turned away from the polls without being given the opportunity
to cast a ballot.
This committee has worked tirelessly to enact the Help
America Vote Act as a solution to these and other election
concerns. As a result of HAVA, $650 million was provided to the
States to replace lever and punch card machines for more modern
voting equipment. HAVA does not mandate the type of voting
equipment a jurisdiction must use. The decision is left to the
States. A few States have opted to require, as the chairman has
pointed out, direct recording electronic machines to replace
lever and punch card voting equipment. DREs have been in use
for elections for over 20 years. According to the 2001 MIT Cal
Tech study, DRE machines have a lower residual rate than punch
card, lever and optical scan machines. DREs are also fully
accessible to disabled voters and they can be modified to the
language of voters who may not be proficient in English. An
increase ballot font-sized component of the machines can assist
voters with vision difficulties as well.
Although some view DRE machines as a panacea for Election
Day problems, several computer scientists and advocates have
called for a return to paper ballots. I am interested in
hearing the witnesses' thoughts on the practicality of
implementing a paper trail, and if they believe there is a
security problem with DRE machines; and if so, is a paper trail
the best answer.
In addition, I would like them to discuss if human factors
are being addressed within DRE machines. Is the answer to most
of these perceived problems better training for poll workers? I
read about the unplugged machines and inadequate training for
the process involved in restarting the machinery. But the
bigger issue to explore is if electronic voting system security
is the most significant problem facing this election or is
there a more pressing issue facing us in this election. The MIT
Cal Tech study also stated that difficulties with registration
were the number one problem with the 2000 elections.
Between 1.5 and 3 million voters were turned away from the
polls without casting a ballot on Election Day 2000. I would
like the second panel of today's witnesses to highlight the
steps that are being taken to ensure that all aspects of HAVA
are being followed in order for the American people to have the
best election possible this November. My concern is that all of
the attention that is being given to voting security will
inadvertently suppress voters coming to the polls if they feel
their votes will not count; what steps election officials are
taking to fix registration problems; will they have enough
provisional ballots for the voters.
Two-thirds of the public will vote on the same type of
equipment they used in the year 2000. I would like the second
panel to review what is being done to ensure that all the
voting equipment is secure; what steps are being taken to
inform the public that DRE machines are counting ballots
correctly. I am also interested in hearing the witnesses'
assessment of the New York Times' editorials calling into
question the views and actions of the Senior Senator from
Connecticut and one of the chief authors, Chris Dodd and Jim
Dickson, the Vice President of Governmental Affairs for the
American Association of People with Disabilities who are trying
diligently to improve the election process.
Mr. Chairman, I want to thank you and also note that we
have two distinguished colleagues joining us today, both the
co-author with you of the HAVA bill here in the House, my
distinguished leader Steny Hoyer, and probably one of the most
knowledgeable people in the House, and I dare say the country,
with respect to the issue of electronic voting and paper
ballots, Rush Holt, a scientist and physicist, as Mr. Ehlers
likes to point out, and a five-time jeopardy winner as well.
So we are graced by their presence and I thank the
panelists as well because this is such an important and
critical issue to each and every one of us here today.
[The statement of Mr. Larson follows:]
[GRAPHIC] [TIFF OMITTED] T7366A.003
[GRAPHIC] [TIFF OMITTED] T7366A.004
The Chairman. I guess the ranking member Congress is
insinuating that Congress is a little bit like jeopardy?
Mr. Ehlers.
Mr. Ehlers. Thank you, Mr. Chairman. And thank you for
having this hearing on a very important topic. It has reached
the popular press. There is an article in PC World this month
entitled ``Is E-voting Safe?'' so obviously, people are
beginning to worry about it and their conclusion is, as many of
us have concluded, not totally safe. We clearly have to do a
better job of ensuring the security, reliability, usability and
verifiability of electronic computers in voting. And I don't
want to go into all the details, but I am very concerned as
someone who has programmed computers and who understands how
one could hack these or change results or flip votes, as the
case may be.
This clearly is an area of concern. The closed source code
is one of the problems, because something may have been
inserted in the source code, which would allow a flipping of
votes. But there are many other problems and issues that have
to be addressed as well. So I thank you for holding this
important hearing. I look forward to hearing from the
witnesses, some of whom I have heard from before. And I hope
that we learn something from it. Let me add one other factor.
One of the biggest disappointments in HAVA to me has been the
lack of funding for the National Institute of Standards and
technology to set the standards. And once again, we are going
to have a bill on the floor today, which does not provide
funding for the National Institute of Standards and Technology
to set the standards and make--and to me that is one of the
most important things we should be doing because we have to be
concerned that these machines work properly, that they are not
tinkered with, that there is no fraud, either intentional or
accidental that is taking place.
And so I hope with the assistance of Mr. Hoyer, who is on
the Appropriations Committee and some of my other friends, that
we can change this as the appropriations bill goes through the
process and provide adequate funds for the National Institute
of Standards and Technology to lend its expertise to this
issue. I yield back the balance of my time.
The Chairman. I would note the gentleman, Mr. Hoyer--and we
set this last hearing on the overall issue--has been diligent.
And when we put this bill together--I am speaking we,
everybody--we didn't want an unfunded mandate. And we have had
parts of the funding due to Mr. Hoyer's diligence and the
Speaker and other people who have been active on this, such as
Senator Dodd and Senator McConnell. But there is more to do.
And as we said at the last hearing, it has to happen. It just
absolutely has to happen. Mr. Brady.
Mr. Brady. Thank you, Mr. Chairman. I do want to recognize
and thank our leader, Steny Hoyer for being here and keeping up
his participation and his interest. And it is also enlightening
to accommodate a fellow member, Mr. Rush Holt that asked to
speak, but I also have to respect our chairman and ranking
member who would have this place filled up with 430-some of us
that all want to talk on this issue. I have to recognize the
knowledge that you have in this field and also the bill you
have in front of us and you experienced it firsthand in your
election. And I do appreciate your participation and your
interest. Thank you, Mr. Chairman.
The Chairman. Mr. Mica.
Mr. Mica. Thank you, Mr. Chairman, and I thank you for
holding this hearing. Our Committee on House Administration has
an important responsibility to see that our election system
works. Quite frankly, I am a bit frustrated by our continuing
to throw money at some of these problems. I have always viewed
the elections responsibility as that of State and local with
Federal participation where we can assist. One of the things we
don't have any problem with in Congress is throwing huge
amounts of money at problems. And I think we started off with
$3.9 billion for this program. And we have adopted some
systems, for example, electronic voting and also optical
readers replacing punch cards that were used in Florida and
other places and lever voting equipment. With new technology
like cell phones----
The Chairman. Was that the President?
Mr. Mica. Actually, I have very strict instructions. It
could have been the President. But it wasn't, it could be the
Secretary of Transportation. I am heavily involved with issues
there. But the most important person is my septic tank
operator.
The Chairman. We will move on with the topic.
Mr. Mica. In our business you have to put things in
priority. But, again, we spent a lot of money. I did not
support this, the act or the huge amount of money that we threw
at the problem. In Florida, I participated in some of the
recount. And I saw that in one of my counties, we had optical
readers which we are spending a portion of this billions of
dollars to replace punch cards and also lever, old lever
equipment, which actually don't work that badly when you look
at some of the problems we have seen with the newest equipment.
But I remember looking through hundreds of ballots. And the
optical reader is a very simple thing. It has an arrow like
this and you just fill in this little space here.
Now that seems like a pretty darn simple thing to do. And I
am telling you, hundreds of people--they circled entire areas.
They x'd down through. They destroyed a ballot. Unfortunately,
I think what you need is a more intelligent electorate. So we
are replacing this equipment--we are replacing this equipment
now and there is less than 1 percent error rate improvement in
putting these machines in, and we have got the electronic
equipment that this hearing is about. We found now we are
buying this very expensive electronic equipment. And I think it
was in Virginia, the dummies didn't plug the machines in. So
now we have to pay for training courses to plug these in.
My cell phone just went off and having been in the
communications and cellular business, I know all the problems
you can have with electronic equipment. And I can tell you we
will be back here to fund auxiliary power units to ensure that
the backup to run the paper trail or the electronic equipment
that was to replace the equipment that we just spent other
money on. So I would like to see the system work. Some of the
best equipment is actually the lever equipment, the most
primitive, but some of the most accurate that was ever produced
and we are replacing it, again, at great expense.
So I am discouraged that we have spent a lot of money on a
system that doesn't work. I think we have got to do a much
better job of educating people. And no matter what system you
put in place, you are going to have problems in the future. And
there will be people who will use that equipment, whatever we
put in and misuse it and their vote will not be counted. It has
been that way. It is that way. And it will be that way. So I
thank you for holding this hearing and I hope without spending
too much hard earned taxpayer money, we can find some solutions
that work. Thank you.
The Chairman. Thank the gentleman. On the first panel, we
have Dr. Avi Rubin, Professor of computer science at Johns
Hopkins University; Dr. Brit Williams, professor of computer
science and information technology at Kennesaw State
University; Tadayoshi Kohno, computer security expert with the
computer science and engineering department at the University
of California at San Diego; and Dr. Michael Shamos, Professor
in the School of Computer Science at Carnegie Mellon
University. I want to welcome all of you to the Hill.
STATEMENTS OF AVI RUBIN, PROFESSOR OF COMPUTER SCIENCE, JOHNS
HOPKINS UNIVERSITY; DR. BRIT WILLIAMS, PROFESSOR OF COMPUTER
SCIENCE AND INFORMATION TECHNOLOGY, KENNESAW STATE UNIVERSITY;
TADAYOSHI KOHNO, COMPUTER SECURITY EXPERT, COMPUTER SCIENCE AND
ENGINEERING DEPARTMENT, UNIVERSITY OF CALIFORNIA AT SAN DIEGO;
AND DR. MICHAEL SHAMOS, PROFESSOR, THE SCHOOL OF COMPUTER
SCIENCE AT CARNEGIE MELLON UNIVERSITY
The Chairman. And Dr. Rubin, we will start with you.
STATEMENT OF AVI RUBIN
Mr. Rubin. Good morning, Chairman Ney, Ranking Member
Larson, and members of the committee. My name is Avi Rubin and
I am a computer science professor at Johns Hopkins University.
I am going to start with two things that may surprise you in
order to highlight the points that I think are important. I am
not fundamentally against electronic voting. The second is that
a DRE retrofitted with a paper trail is not necessarily the
best kind of voting machine that we can have. There are ways to
design and build systems so that those who make and those who
administer the machines will have a tough time cheating.
Today, DREs are not being produced this way. The advantages
of a well-designed system is that they do not require complex
procedures in order to ensure security. They take control of
the outcome out of the hands of the manufacturers and the
vendors and they take into account the needs of users including
special needs users. The elements of such a system are
transparency in the form of open code, so people can see what
is going on inside of a machine. Independent audit, that is an
audit that is not controlled by the designers of the system
peer review, which is fundamental to computer security and
usability system to make sure everybody who needs to use the
machine can use it and it is designed appropriately. There are
many attractive features of DREs that are often touted:
Accessibility for those who do not speak English as the primary
language or for blind people; user friendliness of the
machines; the ability to catch undervotes and warn the voter
and the ability to prevent overvotes and the results are
available immediately.
If I were given these requirements and asked to design a
voting machine with these properties, it would not be like
today's DREs. My focus is always security, but you can achieve
all of the properties that I just mentioned much more securely.
Here is how I would design a voting machine. The machine
would be as accessible as a DRE. It would be as user friendly.
It would warn about undervotes. It would prevent overvotes. But
there would be some big differences. Meaningful recounts would
be possible, it would be incredibly difficult for a vendor to
rig the election, and voters would be able to have confidence
in how their vote was recorded.
Now the interface, as far as a voter is concerned, would be
the same as a DRE, but I would name the machine a ballot
preparation machine. You walk up to the machine, and you have
exactly the same experience you would with a DRE. You touch all
your selections, but at the very end of the experience, instead
of ``cast vote,'' you would push ``print ballot,'' and the
machine would output a card maybe similar to a boarding pass
you would get at the airport these days or, if there were a lot
of choices, maybe it would be an 8-by-10 card and that would be
the ballot.
The voter would review the ballot to see if their markings
and their choices corresponded to what they intended; and, if
it did not, there would be a shredder available to shred that
and they could do it again. Perhaps they made a mistake or
perhaps something was wrong with the machine. In either case,
it would be good to know that.
Now we have a separate problem on our hand, a completely
separate issue, which is how do we count the ballots. Some
places say, well, we have these paper ballots. We have had a
simple election. Let us count them by hand. Other places may
say our ballots are too complicated. What we can do is feed
them into a completely different unit which would be an optical
scanning unit that could read it in and count the votes.
You may say, well, that is a computer, too. I would respond
I am not opposed to electronic voting. The difference is if you
optically scan these things, you are dealing with a much
simpler machine. It could be several hundreds lines of codes,
could be open source and at the end of the day you have the
ballots.
Let me stress the big difference between a DRE with a--
versus the kind of machine that I am describing. In the kind of
machine I am describing, there is only one authoritative
ballot, and that is that piece of paper. In a DRE that you
retrofit with a verifiable paper trail, which is better than a
DRE without it, but you have the issue of having two different
votes. Do you count the electronic ones? Do you count the paper
ones? I think there should only be an authoritative paper
ballot, but we can utilize computers to create that ballot, and
we can utilize computers in order to count those ballots and
utilize the paper to check that count.
I am quickly running out of time, so let me draw an
analogy, and I started about 10 seconds late. The grading
system we use to turn in our grades at Johns Hopkins is done
over the Internet, but it was done with security in mind. And I
am perfectly happy at the end of the semester uploading my
grades to a central server at Johns Hopkins, even though,
considering you have a bunch of computer science students who
might try to hack the system, it is a lot less work to do that
than to work for a grade in all your classes.
Why am I willing to do this? Because the following
semester, direct from the Registrar's Office, hand walked to me
by the secretary, is a paper with grades on it that were
recorded; and I get to compare them to the grades that I
submitted and say, did anybody alter these grades, have they
been tampered with? And I know that, if they have, I will catch
that.
In DREs, we don't have a catch like that. The only point at
which we can perform an audit which the voter can verify that
the vote was recorded correctly is when they are voting and
they have to have an ability to look at the actual ballot and
say that is how I voted. Thank you.
The Chairman. Thank you, Doctor.
[The statement of Mr. Rubin follows:]
[GRAPHIC] [TIFF OMITTED] T7366A.005
[GRAPHIC] [TIFF OMITTED] T7366A.006
The Chairman. Dr. Williams.
STATEMENT OF BRIT WILLIAMS
Mr. Williams. As you mentioned in your remarks, after the
2000 election, a group of political activists began to attack
the direct recording systems, claiming that they are totally
unsecure, that they can't be made secure and the only way you
can make them secure is with the addition of a verified paper
ballot. When this was picked up by some of my fellow computer
scientists, it gained attraction in the media.
The claim is that we cannot build a secure voting system.
Now a DRE voting system--or any voting system, for that
matter--but a DRE voting system is one of the simplest computer
applications you can imagine. The main line is to recognize a
touch on a particular location on a screen and add one to the
appropriate register. That is it. It doesn't do any complex
computations, doesn't take the logarithm or the trigometric
functions of anything. It doesn't do square roots, doesn't
multiply or divide. And to claim that we can't build a secure
accurate system just flies in the face of the way we live our
lives. We fly on airplanes that are controlled by computers.
Our sailors go under the ice cap on submarines controlled by
computers. We have been to the moon and back on spacecraft
controlled by computers. On a less grandiose scale, our cars,
our microwaves, our watches are controlled by computers.
I am not saying we should not attempt to improve our
computer systems. We should. And I like Dr. Rubin's system and
I look forward to it, but we have to deal in the short term
with what we have on the shelf right now. And there are many
dimensions to a voting system other than just security. We have
to look at availability, reliability, maintainability,
usability and even affordability. Any change to the voting
system, particularly something as drastic as adding paper
receipts or paper ballots, needs to be evaluated in terms of
the total voting system, not just the security aspects of it.
Now this--your HAVA legislation created the Election
Assistance Commission system and gave them the resources and
the authority to approach this in a very orderly and systematic
manner, and I sincerely hope they will be allowed to do that.
Now we don't believe that we are in imminent danger. We
think in Georgia that our voting system is both accurate and
secure. We have measures in place to ensure that the voting
system components, the computer components are as accurate and
secure as current computer technology permits. We have physical
security measures and the essential ingredients in DRE systems
in place to compensate for the remaining vulnerabilities in the
system. These are discussed in our written report, and I won't
go into them here.
We have a Center For Election Systems at Kennesaw State
University that provides technical assistance and training to
our 159 counties. Before any piece of equipment can be used in
an election in Georgia, it has to be examined by members from
this center. And, in addition to this testing, we now, out of
the center, offer training for election managers, for new
election poll workers and for board members, election board
members.
So let me close by pointing out that we do not live in an
absolute world, that everything we do contains a certain amount
of uncertainty. When we fly on an airplane, we know there is a
remote possibility that we won't live to reach our destination.
When we drive our cars, we know there is a possibility we won't
reach our destination. We evaluate the risk and the advantages,
and we make a decision.
Now we do the same thing with our election in Georgia. We
know when we conduct an election that there is a remote
possibility that someone has altered that election in an
attempt to defraud or disrupt the election. But we also know
the diligence with which we maintain and protect the system and
we know that we reduce that risk to a miniscule level.
In our written report, we point out that we think that we
can detect an alteration of that system with a chance of less
than one in one billion. So with that kind of a risk, we are
willing to go ahead and hold our election with a voting system
that allows a business person to vote on their lunch hour very
quickly and easily, that provides the elderly and infirm with a
voting interface that does not require difficult manipulation,
that allows a non-English-speaking voter to vote in their
native language, that allows disabled voters to vote
unassisted, many of them for the first time, that reduces the
rate of incorrectly marked ballots by a factor of five and
provides a level of accuracy that exceeds any voting system
that has previously been used in the State of Georgia.
Now no one that is involved in elections would come before
you and claim that the current systems are the best that can be
devised or suggest that we can't make improvements. We have a
culture of continuous improvement, and we applaud people who
offer reasonable, well-reasoned criticism and who have
carefully considered recommendations for improvement.
I thank you for this opportunity to speak to you, and may
God bless America.
The Chairman. Thank you.
[The statement of Mr. Williams follows:]
[GRAPHIC] [TIFF OMITTED] T7366A.007
[GRAPHIC] [TIFF OMITTED] T7366A.008
[GRAPHIC] [TIFF OMITTED] T7366A.009
[GRAPHIC] [TIFF OMITTED] T7366A.010
[GRAPHIC] [TIFF OMITTED] T7366A.011
[GRAPHIC] [TIFF OMITTED] T7366A.012
[GRAPHIC] [TIFF OMITTED] T7366A.013
[GRAPHIC] [TIFF OMITTED] T7366A.014
[GRAPHIC] [TIFF OMITTED] T7366A.015
[GRAPHIC] [TIFF OMITTED] T7366A.016
[GRAPHIC] [TIFF OMITTED] T7366A.017
[GRAPHIC] [TIFF OMITTED] T7366A.018
[GRAPHIC] [TIFF OMITTED] T7366A.019
The Chairman. Mr. Kohno.
STATEMENT OF TADAYOSHI KOHNO
Mr. Kohno. Thank you, Chairman Ney and Ranking Member
Larson and members of the committee, for holding this hearing
today and for inviting me to speak on the topic of electronic
voting security. My name is Tadayoshi Kohno, and I am a
computer security expert with the University of California at
San Diego's Department of Computer Science; and prior to
joining the University of California for Doctor studies, I was
a cryptography and computer security expert with two of the top
cryptography and security consulting firms in the Nation.
Last summer, together with three other colleagues, I
identified a number of security problems with Diebold's
Accuvote TS electronic voting system. But I think that the most
important result of our discoveries was that it concretely
shows the existing certification processes are unable to
identify security problems with electronic voting machines, and
what this means is we have no reason to believe that other
vendors' electronic voting machines are any more secure.
But what I would like to talk about with you today is why
I, as a computer security expert, am deeply concerned about the
use of existing paperless electronic voting systems. I want to
emphasize that I am talking about existing paperless electronic
voting machines because, you know, there might be the
possibility of having secure enough paperless electronic voting
machines in the future. I say ``secure enough'' because there
is no such thing as absolute security. We don't have those
machines today and won't have them by November, and let me
expand on this. There are several reasons for this.
First, many people have suggested patching the existing
systems, maybe by changing the software slightly or instituting
new procedures. But this is not sufficient.
First, an analogy I always like to make is that spot
treating security problems is like spot treating termites. You
can never be sure that you have gotten rid of them all. And
this is particularly important because when you hire a security
analyst to look at the security of a system, you typically
contract them for a limited period of time, and in that limited
period of time they might only uncover the most obvious
security problems. And while addressing the obvious security
problems might raise the bar for an attacker, it doesn't mean
you have addressed all the important problems.
Another thing that I want to point out is that unless all
the components of the revised system, including the software
and the revised procedures, are open to the public for public
scrutiny and review, the public will have no reason to believe
that the spot treatment actually succeeded in addressing the
security problems; and I think this is illustrated most
beautifully by the evolution of Diebold's Accuvote TS system.
It is the system that we know the most about because it is the
one that was analyzed publicly.
In response to our analysis, the State of Maryland hired
SAIC and then RABA to conduct independent analyses of Diebold
systems; and in both ours and SAIC's analyses we found that the
Diebold system found a security problem in the way that the
Diebold voting terminals communicate with a back end server.
Diebold tried to fix this problem. And then, in RABA's
subsequent analysis, RABA found that Diebold's fix was
insufficient.
I think the important lesson from this is that there are
two points: One is that if Maryland had not commissioned RABA
to conduct a subsequent analysis of Diebold's supposed fixes to
our report, no one except for maybe an attacker would have
uncovered Diebold's insufficient fix of the problems we
identified. And I think, at a higher level, the thing I want to
say, this begs the question. First, for systems the public
cannot openly review and inspect, how or when can we know that
a security problem has been accurately addressed?
I think in the remaining minute or so that I have that I
would like to talk--I would like to advocate the following
general principle; and that is, from a security perspective,
the minimum requirement we should have for any new voting
technology, it doesn't have to be computer technology, but the
minimum requirement for any new voting technology is that it
must be at least as secure as the technology that it is
replacing. It is for this reason that our computer security
experts are advocating the use of a voter-verifiable paper
ballot, where we have the voting machines produce a paper
ballot that the voter will look at and verify that it is
correct and deposit it into the ballot box and that becomes the
official record.
People have said that, you know, this has problems, too,
because, you know, the ballot box could be stuffed, the ballots
could be destroyed. But the point is that these are the
problems that we already have with traditional paper-based
voting mechanisms. By adding a voter-verifiable paper trail, we
have not made things worse. Unfortunately, as a security
expert, I cannot say the same thing about the use of existing
paperless electronic voting machines in elections.
That is all the technical stuff I wanted to point out, but
I wanted to thank the committee for focusing on this critical
issue, and I think that the dialogue we are having today will
move us forward towards addressing all of the security
concerns.
The Chairman. I thank the gentleman for your testimony and
the previous two witnesses.
[The statement of Mr. Kohno follows:]
[GRAPHIC] [TIFF OMITTED] T7366A.020
[GRAPHIC] [TIFF OMITTED] T7366A.021
[GRAPHIC] [TIFF OMITTED] T7366A.022
[GRAPHIC] [TIFF OMITTED] T7366A.023
The Chairman. Dr. Shamos.
STATEMENT OF MICHAEL I. SHAMOS
Mr. Shamos. Mr. Chairman and members of the committee, my
name is Michael Shamos. I have been a faculty member in the
School of Computer Science at Carnegie Mellon University in
Pittsburgh since 1975. I am an attorney admitted to practice in
Pennsylvania and before the U.S. Patent and Trademark Office.
From 1980 to 2000, I was statutory examiner of computerized
voting systems for the Commonwealth of Pennsylvania. From 1987
until 2000, I was statutory examiner of computerized voting
systems for the State of Texas. During those 20 years, I
examined over 100 different voting systems. These were used to
count over 11 percent of the popular vote in the United States
during the 2000 election.
I view electronic voting as primarily an engineering
problem to be solved through traditional scientific methods.
Once standards are set for the degree and type of risk we are
willing to accept in such systems, engineers can determine
whether a particular system meets those standards. The
tolerable risk can never be reduced to zero. No system of any
kind ever developed for any purpose has been completely free of
risk. The issue is not to eliminate it but to quantify and
control it. It may be a difficult pill for the voters of the
United States to swallow, but it is true nonetheless and always
will be that some votes are lost, miscounted or never are cast
in every election and this will always be so.
There are many types of DRE machines, and it is incorrect
to lump them together in a single category. DRE voting is not
new. It has been used in the United States for over 25 years
and has been successful, though not perfect, during that time.
Many brands of DRE systems have exhibited problems, including
failure to start, freezing up during voting, displaying
incorrect candidate names. Some possess identified security
weaknesses, such as according the wrongdoer the opportunity to
vote more than once during an election.
Of course, machines that do not work and are not suitable
for use in an election should not be used in an election, but
this country has no systematic process by which such machines
can be pinpointed and kept from the polling place. We need one.
Voting machines, like every other machine we rely on in society
can be tested to determine whether they are reliable. We need
such procedures.
A completely different sort of allegation that is made
against DRE machines is they can be tampered with undetectably
or may contain malicious software that no testing procedure or
examination would ever reveal. Even the venerable New York
Times declared erroneously on April 24 of this year that,
quote, it is not hard to program a computer to steal an
election. It is very hard. In fact, there has never been a
verified incident in which a DRE machine was manipulated to
alter the outcome of an election. DRE opponents respond, how do
you know? Maybe the alteration was done so well that we will
never find out. That response is completely unscientific. It
asks us to believe that which has never been seen and which by
hypothesis can never be seen. It is a pure article of faith,
which every person is free to accept or reject, but it cannot
serve as the basis for logical debate.
I have asked DRE opponents exactly how they would modify a
machine to influence an election without being detected. This
of course must be done in such a way that the machine passes
all tests with flying colors, yet performs its dirty work only
during the actual election and, furthermore, does so in a way
that leaves no trace and does not raise undue suspicion, given
the political demographic of a particular precinct or
jurisdiction. In short, it would be the perfect crime. No one
has ever come close to giving a credible method by which this
could be done.
When challenged, the response of the opponents is to say,
we are not obliged to show you how to do it. You have to prove
that it can't be done.
That is not the law. The various States require voting
systems be safe for use, accurate and resistant to tampering.
None of the requirements is absolute, and they require
judgments to be made by responsible officials and bodies.
Administrative action is never required to be accompanied by a
proof that the action is perfect. If there were such a
requirement, then government would grind to a halt.
The proposal has been made that the variety of problems
exhibited by DRE machines can be solved by adding a device that
will print out a piece of paper containing the voter's choices
so she may verify that they correspond to her desired
selection. If anything goes wrong, the voter has the chance to
try again before her vote is officially cast. If all is well,
the piece of paper is dropped or deposited into a box inside
the machine. This proposal is embodied in several bills before
Congress and at least one that is currently before this
committee, Representative Holt's bill, H.R. 2239.
The argument goes that we receive paper receipts when we
buy things, use an ATM machine or play the lottery, so why
should voting be any different? The answer is simple. In
commercial transactions, the paper is simply a piece of
evidence. It is not an incontestable, self-proving document.
Even a lottery ticket will not be awarded a prize if it does
not match the electronic records of the central lottery
computer. The H.R. 2239 proposal is to make the paper records
supreme, something that we do not do in the commercial world.
If paper were in any way safer than electronic methods,
then the whole bill might make sense. But it is not safer or
better. This is a case in which the cure is worse than the
disease. This country has a long and sorry history of vote
tampering involving paper ballots. Since 1852, the New York
Times has published over 4,000 articles detailing numerous
methods of altering results of elections through physical
manipulation of paper ballots. On average, one article has
appeared in the Times every 12 days since it began publishing
in 1851. Mechanical and electronic voting machines were
introduced specifically to eliminate this problem. Any proposal
to make paper ballots official once again ignores history and
therefore dooms us to repeat it.
Adding a paper trail that can be viewed by the voters
solves one problem and one problem only. It assures the voter
that her choices were correctly noticed by the machine. It
provides no guarantee that the vote was counted or ever will be
counted correctly or the paper viewed by the voter will even be
in existence at the time a recount is conducted. And the paper
trail surely does nothing to increase the reliability of a
voting machine. If a device won't start on Election Day, then
adding a printer does not increase its chances of working.
Paper trail proponents have not bothered to list the
problems with DRE machines in an attempt to explain how the
paper trail would solve them because they cannot do so. They
have not explained why the paper trail would not be vulnerable
to well-known and well-documented methods of tampering the
paper ballots, for they cannot do so. All of the problems with
DRE machines have solutions. None of the solutions requires a
paper trail. I have given specific alternatives in my rather
lengthy testimony, and I thank you for the opportunity to speak
today.
The Chairman. We will accept the gentleman's testimony as
all other individuals appearing here today for the record. Very
frankly, fascinating testimony by I think all four of you.
[The statement of Mr. Shamos follows:]
[GRAPHIC] [TIFF OMITTED] T7366A.024
[GRAPHIC] [TIFF OMITTED] T7366A.025
[GRAPHIC] [TIFF OMITTED] T7366A.026
[GRAPHIC] [TIFF OMITTED] T7366A.027
[GRAPHIC] [TIFF OMITTED] T7366A.028
[GRAPHIC] [TIFF OMITTED] T7366A.029
[GRAPHIC] [TIFF OMITTED] T7366A.030
[GRAPHIC] [TIFF OMITTED] T7366A.031
[GRAPHIC] [TIFF OMITTED] T7366A.032
[GRAPHIC] [TIFF OMITTED] T7366A.033
[GRAPHIC] [TIFF OMITTED] T7366A.034
[GRAPHIC] [TIFF OMITTED] T7366A.035
[GRAPHIC] [TIFF OMITTED] T7366A.036
[GRAPHIC] [TIFF OMITTED] T7366A.037
[GRAPHIC] [TIFF OMITTED] T7366A.038
[GRAPHIC] [TIFF OMITTED] T7366A.039
[GRAPHIC] [TIFF OMITTED] T7366A.040
[GRAPHIC] [TIFF OMITTED] T7366A.041
[GRAPHIC] [TIFF OMITTED] T7366A.042
[GRAPHIC] [TIFF OMITTED] T7366A.043
[GRAPHIC] [TIFF OMITTED] T7366A.044
[GRAPHIC] [TIFF OMITTED] T7366A.045
[GRAPHIC] [TIFF OMITTED] T7366A.046
[GRAPHIC] [TIFF OMITTED] T7366A.047
[GRAPHIC] [TIFF OMITTED] T7366A.048
[GRAPHIC] [TIFF OMITTED] T7366A.049
The Chairman. One point I would like to make. Historically
speaking, any time there has been manipulation or suggested
manipulation of a voting system, it has involved paper ballots.
You basically suggested that the paper receipts will not, in
fact, bring forth the security that their advocates promise. Do
you have any details about what you believe would be the
shortcomings of paper receipts in trying to resolve the DRE
security-related issues?
Mr. Shamos. The issue with paper receipts and my problem
with them is that there is no guaranteed chain of custody from
the moment the voter looks at the piece of paper and says, yes,
this is my vote. From that moment until the time that piece of
paper has to be touched or reviewed by other people, there is
no way of assuring that the pieces of paper have not been
removed from the box, new pieces of paper have been added to
the box, that the pieces of paper have not been altered, et
cetera. And it is impractical with 1.4 million poll workers we
have in this country, most of them volunteers, to have any kind
of systematic system where we can ensure that from the time the
voter sees the piece of paper until the time it is reviewed
that nothing has happened to it. That is the problem we have
had when there is a physical paper ballot of any kind, whether
it is punched card or paper.
The Chairman. Dr. Rubin, the chairman of the EAC and other
groups such as Brennan Center For Justice have issued
recommendations for ensuring the security of the DREs, as you
know. You are involved with the Brennan study, I am told.
Mr. Rubin. I was asked to read, review it and comment on
it, yes.
The Chairman. Do you have any further comments on that
study or can you describe more about the security practices and
how they protect the process?
Mr. Rubin. I was asked to comment on this and then to
participate in a press conference to publicly comment on it.
Initially, I hesitated to do that, because I was worried about
an endorsement of these recommendations appearing to--or being
misconstrued to be an endorsement of paperless DREs. What in
fact was intended was that, no matter what I say or anyone else
says, there are people going to be voting on paperless DREs in
November. And for those election officials, what advice can we
offer? Rather than just saying everyone is in trouble, can we
do something constructive? And under those assumptions, they
came up with recommendations that I think are very good: hiring
security reviews, setting up a group that would supervise the
security reviews, some ideas for testing; and, you know, the
recommendations are available for the public.
I think that while I would strongly advocate against using
paperless DREs, I am not going to be naive enough to ignore the
people that are using them. So I would recommend that those
recommendations be followed in those cases.
The Chairman. Just one question. Probably not a perfect
question for you, but does anybody here believe--that one
should be able to take those with you out of the----
Mr. Rubin. Take what?
The Chairman. A copy of the paper receipt with you out of
the voting area.
Mr. Rubin. Absolutely not. The problem with that is that
two things could happen. One is you have the opportunity to
sell your vote if you can show someone how you voted, and the
other is you could be coerced to vote a certain way. The idea
behind the paper is that you have some tangible record of how
the person voted, but if you take it out of the polling place
with you, you haven't actually voted.
Mr. Shamos. Mr. Chairman, there are systems in which the
voter is given some form of receipt but that receipt cannot be
used to prove how he voted. It is possible for him to verify
that that particular ballot was actually counted in the
election. In general, it is not possible to remove from the
booth any piece of evidence that you would be able to use to
prove how you voted.
The Chairman. Anybody else have any concerns still about
the issue of your vote being secret? That is a huge issue or
being able, frankly, to vote in secrecy. But out comes the
paper--because, Dr. Shamos, you mentioned something
interesting, a chain of custody. What happens with that? Dr.
Rubin, would you like to respond?
Mr. Rubin. I will say one thing about the secrecy. I
believe it is the property of secrecy that makes this problem
so hard. When we talked earlier about commercial transactions
and all different kinds of transactions where we have paper,
the difference between voting is that imagine trying to audit
somebody's bank account without knowing which person performed
which transaction. In an election, we have a secret ballot, and
it is a privilege, and we decouple the voter from their vote.
That makes auditing a lot harder than it is in any other
application that we know because the very information we keep,
which is logging who did what and when, you can't do in an
election.
The Chairman. You can't go back and say that this ballot
was John Smith or Susan Smith's ballot.
Mr. Kohno. If I may extend comments. There are two main
requirements of voting machines. One is that the result has the
correct integrity, and the other is the privacy. And when
people are talking about electronic voting machines, the focus
has been--most people have been focusing on the integrity.
One of the results of our analysis is that with these
electronic voting machines it could be the case where an
election official or a poll worker--I am assuming that most of
them are not malicious--but an election official or poll worker
could look at the results, the files stored--the results filed
on these Diebold terminals and figure out who voted for whom if
they are watching the voting process all day. So I think that,
you know, I wanted to throw that in as being another problem
that I see with electronic voting.
Mr. Williams. Not true. The ballot files in that system are
randomized. So even if you had your numbered list of voters and
you knew the order that people voted, you couldn't correlate
that to the ballots on the file. And even if they were, it
wouldn't be a one-to-one correspondent because, although you
may check into the polling place ahead of me, I might cast my
ballot before you cast yours. So that is not going to be a one-
to-one correspondent, regardless.
Mr. Kohno. I think we are taking the discussion away from
the main focus of this hearing, and we can talk about this off
line. But I think that the important thing--you know, I don't
want to focus on Diebold, because, unfortunately for them, they
are the ones that were publicly analyzed. There is a random
serial number stored with the ballots when they were added and
specifically for randomizing them for reporting at the end. But
the problem is on the files themselves, they were stored in the
order they were created. But I think, like I said, this is an
issue that hasn't been seen very much; and the focus here I
think is on preserving on the integrity.
Mr. Williams. The problem he is referring to has been
changed. That was true of the version that they looked at. In
the SAIC report in Maryland, one of their recommendations was
that those files be randomized, and that has been done.
The Chairman. I think I not do disagree with you. I think
it is appropriate--basically what you said is appropriate to
the hearing. What the gentleman, Dr. Williams, answered is also
appropriate.
Mr. Williams. The problem that secret ballot creates is
that you cannot--the voter cannot verify their ballot. There is
no way once the voter walks away from that voting booth that
they can go back to that collection of ballots and pull out a
ballot and say that is mine, because that would violate the
secrecy of the ballot. The whole concept of a voter-verified
ballot is questionable.
You say, what do we do in a recount? Let us look at lever
machines for a minute. When you recount on a lever machine,
there is nothing to recount. What you are doing is verifying
that the machine is operating properly; and the assumption is
that if the machine is operating properly, then the count is
accurate. Same thing with the DRE machine. There is nothing to
recount, and you are not technically doing a recount in the
sense of a traditional recount. What you are doing is that you
are verifying that this machine is operating properly. If the
machine is operating properly, then the assumption is that the
results are accurate.
Mr. Rubin. I believe that DRE have managed to replicate the
worse property of lever machines, which is that a meaningful
recount is not possible. That is why I was never comfortable
with lever machines. The nice thing about having the paper
ballot, when it is time for a recount we know at the very least
the thing that is being recounted was seen by the voter. We
don't know the order.
The Chairman. On that point, I will let you finish.
Mr. Rubin. The idea behind a meaningful recount is that the
things that are being counted are ballots that were seen by the
voters, and that is where the term voter verifiable comes in. I
don't think it is important whether or not the voter can reach
into the pile of ballots being recounted and verify theirs.
They have to have some confidence in the procedures, just like
they do in any election. But without those paper ballots
existing, there is no hope of any recount; and I don't think
the solution to hanging or pregnant chads is to throw away all
the ballots.
The Chairman. I want to open this up to questions from
other members, but you just made a point. The voter sees it,
verifies, but how does the voter know it was counted? When you
are dealing with paper, you could stuff a ballot box. Where is
the chain of custody of the item? Who is watching all that? I
mean, historically in this country, any problems we have had
have been on the paper. If you are saying, wow, the voter gets
this and there is my vote and I walk away, where did that paper
ballot go?
Mr. Rubin. I believe the chain of custody problem does not
go away with electronic tallying. We should look at constantly
improving the security and not deploying a system that is less
secured than the one we had before.
The difference between lever machines and automated
computerized machines is that software, if there is a problem
with the software, either intentional or accidental--and anyone
who has dealt with software knows the accidental ones happen
all the time--that problem is in tens of thousands of machines.
And when you program a lever machine, if you make a mistake,
that is that one machine. And that is one of the differences
between electronic systems and mechanical or paper systems, is
that the problems are more localized.
The Chairman. If we are talking about rigging--that is what
we are talking about--rigging an election either by
manipulating paper ballots or by electronic manipulation, you
would have to have the ability of someone to put a chip or
something in every single machine and pull it back and put it
in the next election and next election.
Mr. Rubin. Not necessarily.
The Chairman. Because it is not like you can hack into
these things.
Mr. Rubin. The biggest concern that I have always had ever
since our initial report came out is that the person writing
the software who is putting together the machine, not that I
think they are going to do something, but I think they are in a
position to.
The Chairman. For a particular election. They would have to
rewrite the software then.
Mr. Rubin. Not necessarily. Perhaps they favor a particular
party.
One thing I find, if we get mired in a particular attack,
if I get asked, how would you attack a voting machine, and I
come up with an answer for that. Then someone says yes, but we
could put this procedure in place that would prevent it. For
every single individual attack I may come up with, someone
could have a counterargument, but it is hard to design a system
that would inherently block all the different attacks one might
be able to come up with.
I believe that the difficulty of analyzing software is one
thing, and I have talked at length about that, but a bigger
problem is the software isn't being analyzed. There is no way
that the software in the Diebold machine that we analyzed was
analyzed before it was deployed or they never would have
deployed that system.
The Chairman. Was that system corrected?
Mr. Rubin. I don't know, because they won't let me have a
look at it. I believe--they claim that many of the problems
that we found in the machines have been fixed, but I think,
without public scrutiny, there is no way to know if that is
true.
The Chairman. We went from not correcting the machines to
an issue of paper ballots. I think some people are sincere in
this. I think some people have made absolutely incredible
statements that smack of politics. There are conspiracy
theoricists, people have done this for political purposes and
are using this issue, while others are sincere on this issue.
But I think the whole thing, frankly, has gotten clouded
because of one company or one statement. I just think it has
gotten quite clouded. At least today I feel we are hearing a
reasonable debate on some of the issues.
Mr. Rubin. Let me rephrase the statement, which I think
that if we have the capability of building voting systems where
the vendor does not have an opportunity to rig it, that is
better to do it than ones where they do have the opportunity,
whether or not we think they are going to do it.
Mr. Shamos. Mr. Chairman, it is precisely the property of
the software that is resident in all the machines that makes it
feasible to test them. If someone plucks one machine out of a
polling place and alters it, then unless we specifically test
that machine we are not going to find the alteration. But if
the vendor has inserted the alteration into every machine that
it has manufactured, then we can use the same kinds of
procedures that we use with airplanes and nuclear weapons and
other systems that have the capability of killing people. We
can use those analytical methods to test these machines and
determine whether or not they have been altered.
The allegation is made, as I mentioned in my testimony,
that no, no, there is no amount of testing that will ever
reveal every flaw in the system. That is quite correct. We
don't insist that every flaw in every system be found. We would
never have systems if we insisted upon that.
Mr. Kohno. If I may add to his comments, I think that--I
guess I want the committee to be careful about analogies that
are made. You find many people make analogies, ``we do testing
for airplanes and we do testing for cars,'' et cetera. I think
the important thing to keep in mind is, when you are testing
these things, you don't plan to put them in an environment
where there is someone actually trying to actively attack them.
You can be flying in the air in a normal airplane and you want
to make sure in turbulence that things will be okay, but for
these voting systems there is an active attacker. This active
attacker will try to not play by the rules. It is this that
makes voting systems or security so difficult.
I just kind of wanted to point that out.
The Chairman. I understand that, but what makes the paper
so much more secure? The State of Maryland, Ohio, Texas, any
State, Georgia, they are smart enough in these States, and they
don't want fraudulent elections--not one person wants
fraudulent elections, but they are smart enough to randomly
pull machines in and test them because someone, as you say, is
trying to attack these systems. But they are smart enough to be
able to do that.
But why all of a sudden is everyone saying the paper is so
much more secure, when paper could be crumpled--once you look
at your vote, it could be crumpled and thrown away. Fraudulent
paper ballots could be stuffed in the ballot box. What makes
you so convinced that the paper is so secure? Paper to me is
100 times more unsecure than any machine that we could randomly
test, that the States could test.
Mr. Kohno. I still think that the thing I tried to convey
in my testimony was that paper still is not perfect. Paper can
be crumpled, thrown away, all this stuff can happen to paper,
but at least that is what we are used to now. We are not going
backwards. The problem now is with electronic voting machines,
like Professor Rubin said, the public is not able to go in and
analyze them and verify that the problems have actively been
corrected.
The Chairman. The States could do that. Everybody in this
room knows how to crumple a ballot up and toss it away or stuff
a ballot box. Everybody in this room could be knowledgeable
about that. I doubt maybe four, two or one of you could
actually go in and be able to fix and manipulate those
machines. You would have to have a conspiracy theory that they
are sitting out there and manipulating these machines that we
can't ever find out about.
Mr. Rubin. As someone--I have been working with computers
my entire career. One of the feelings that I have is that, one,
something could go wrong and you just wouldn't know it. It
might be easier to detect some number of missing ballots than
some bits in a computer that were flipped. If you look at the
system as a whole, if you look at the magnetic cards in the
machines that have the tallies on them; and the thought that
all of the votes are being kept in a medium that inherently has
glitches and inherently has flaws and can often be
undetectable, that makes me nervous. I will not say that paper
is great, but, right now, I think computers are not ready for
this important responsibility.
The Chairman. I think they could be.
I am going to move on to our ranking member. One question
and I am going to move on, although this has been interesting I
think for everybody. On that note, we don't know. Let's talk
about something we do know, though, Dr. Williams, about the
undervote in the elections. Wasn't there an amazing undervote
when it came down to nonelectric machines?
Mr. Williams. In the 2000 election, Georgia had actually a
higher percentage of undervotes than Florida. We sat there and
watched the goings on in Florida and thought, wow, there but
for a close election goes us. That, in fact, is what led us to
switch to the DRE machines. With the DRE machines, we reduced
our undervote at the top of the ticket from something over 4
percent to less than 1 percent, a factor of five.
The Chairman. The gentleman from Connecticut.
Mr. Larson. Thank you very much, Mr. Chairman.
Let me also say I really appreciate this line of
questioning, and I think the debate and the dialogue that is
ensuing is oftentimes best between the participants which I
would broadly categorize as individuals who believe in trust
and verify and those that believe that scientifically and from
an engineering perspective that we have to analyze the risk,
then solve the problem.
I have an overarching question that deals with the
practicality of implementation and a more technical question
that deals with encryption and how that would coincide with Mr.
Rubin's proposal. But my esteemed colleague, Rush Holt, who, as
has been mentioned by several of you, is a proponent of the
bill before us has asked me to ask these two questions; and I
think they cut to the heart of what we are trying to get at. I
am going to direct them at Dr. Shamos and Dr. Williams, but I
would appreciate a response from Mr. Rubin and Mr. Kohno as
well in the process.
Mr. Holt's question is, if a vote is a record of an
intended preference of a voter, isn't a recount an attempt to
revisit and recount the records of those intentions? If so,
after a voter casts a secret ballot on the electronic DRE
machine and leaves the polling place and the polls close, is
there any way, without a voter-verified audit record, that
election officials or manufacturers or programmers can
determine what was the intention of the voter? Is it possible
to have a meaningful recount on a DRE? Question number one.
Question number two, which is a follow-up, what is the
possibility that a problem in software, whether it be an
inadvertent bug or a deliberate, malicious doctoring of
software could go undetected?
Dr. Shamos, I will start with you.
Mr. Shamos. The first question was quite lengthy. I think I
remember it. I actually dislike the phrase ``meaningful
recount'' because I don't know what it means. The legal purpose
of a recount is not to do a revote. The legal purpose of a
recount is to ensure that the vote totals that were reported by
the individual machines in the jurisdiction were correctly
reported and correctly added up.
Mr. Larson. Could you elaborate on that? Because I think
this is a confusing item to a lot of people, the difference
between a recount and a revote.
Mr. Shamos. Yes. We never use the phrase ``revote'' unless
we are talking about holding the election all over again, but I
think a lot of people believe that the word ``recount'' means
that we go back and look at the original intention of the
voter. That is generally not what is done in a recount, and
that is not what is required by the State statutes for
recounts.
The problem is, if you look at the procedure for vote
totaling in this country, voting is exceptionally local. It
occurs on individual machines in individual polling places. The
number of precincts in the United States is over 170,000. The
number of voting machines is much larger than that. We must
take the individual totals from all of those machines and
eventually gather them together into some central place where
they are totaled for the entire Nation in the case of a
Presidential election or in the county in the case of a
sheriff's election.
The process by which the totals are transmitted to this
central place is error prone. It is done by human beings, often
writing numbers on a piece of paper. So what a recount consists
of is going and looking at those totals to make sure that they
have been added correctly.
Where there is a physical record in the case of, for
example, a mark sense or optical scan ballot, it is possible to
rerun the ballots through the machine, in effect creating what
you would refer to as a recount, count them again and then
report those totals. The problem is, if they have been counted
twice, then which is the total that we really should be
reporting?
In the case of mark sense machines, you can get some pretty
reproducible results. In the case of punch cards, you can't
take 10,000 punch card ballots, read them through a card reader
twice and get the same results, because the process of actually
reading the cards changes the cards.
In the case of the DRE machine, the way you assure that the
vote that the voter saw before she left the voting booth is
actually recorded, right now the process is you test the
machine. We don't test these machines enough. There aren't
established procedures for doing it, but it is doable.
There are any number of ways of creating an additional
record. For example, one could display the voter's choices on a
screen, just as they are done now; and one could take a digital
photograph using equipment not manufactured by the same voting
machine vendor, take a digital photograph of exactly what was
on the screen at the time the voter left the booth. That would
constitute, if it were properly encrypted and stored, an
unalterable audit trail of what went on in the voting booth.
There are many such solutions that don't involve the use of
paper. It is not that I have anything against the wood pulp
industry. It is that anytime you have a specific piece of paper
that human beings can touch, it becomes losable, augmentable or
alterable. When you have properly encrypted computer records,
written in write ones memory so that nobody can change them,
you don't have that problem.
The other question I think was with respect to software.
How do we know that the software hasn't been altered? The same
as we know with all other systems, we test them. That is the
way we find out whether machines work or not.
Mr. Larson. Would you agree with the New York Times or are
you familiar with the New York Times article that they did
recently comparing the testing of machines that occurs in Las
Vegas in the gaming industry versus, say, our polling booths
across the country?
Mr. Shamos. Yes, I am. I am very familiar with the New York
Times article. I think they have had to add a new guy to the
mail room to respond to my letters that I write to them.
I haven't agreed with anything the New York Times has said
about voting during 2004 except that specific editorial to
which you refer, and I agree with everything in it. The point
was made there that the Nevada Gaming Commission carefully vets
every software--every piece of software and every chip that
goes into every slot machine in Las Vegas. It is essential for
that huge industry for people to be able to rely on machines to
pay off when you win, and it is essential that casinos--for
them to not pay off when you lose. So there is a huge amount of
money available to do this kind of vetting and testing. I agree
that, if the money were available, precisely the same kind of
thing should be done with voting machines.
Mr. Larson. How much money would that require, in your
estimation?
Mr. Shamos. I don't have an estimate.
Mr. Larson. If the other panelists could respond.
Mr. Williams. We do a significant amount of testing in
Georgia directed toward just exactly that thing. We get our
software directly from the ITA. We do not get it from the
vendor. So that we know that what we have is what the ITA
qualified, not necessarily what the vendor would like for us to
have. So we get the software directly from the vendor; and
then, before it is ever used in the State, we run about 6 weeks
of testing on it. Some of it is designed toward the use of the
system, but some of it is designed toward security, to try to
wake up any Trojan horses that might be present and things like
that.
Once we are satisfied with the system, we freeze it, so to
speak, and we take a digital signature of it, and the digital
signature that we use is the exact same digital signature that
NIST uses to validate law enforcement software. Then
periodically, anytime that one of our staff is out in a county,
they can run that signature against the county system and
verify that that system has not been changed.
Mr. Larson. Dr. Rubin.
Mr. Rubin. I would like a chance to respond to your three
questions, the last one being of the gambling example.
In terms of meaningful recounts, the important thing I
think is the question, what happens when something goes wrong?
Sometimes it is really visible. There was a case of hundreds of
thousands of votes being tabulated by an electronic voting
machine in a place where fewer people had actually voted. What
do you do when something goes wrong?
Things go wrong all the time. I worked as an election judge
in Baltimore County. At the end of the day, the totals that we
got off the machine did not match the totals that came in the
door. It was one or two people. So we got out all the books and
we got out all cards and we sat there for about an hour and a
half and counted everything up until we found the error.
What do you do if something goes wrong inside a DRE? You
get a result that doesn't make sense. There is nothing you can
do. But if you have a voter-verified paper ballot trail, a box
full of paper ballots, you can at least count them. You have
some recourse for something to do if something goes wrong.
That is my response to the first question.
The second one, I have a very simple answer. I do not
believe that it is possible to detect malicious code when it is
hidden well inside of other code. I have done experiments with
that, with 40 graduate students hiding code and then trying to
find code. It is just an intuition. I don't have scientific
proof, but I find that when I travel to computer science
conferences and the only thing they want me to talk about these
days is electronic voting, when the topic of hiding code comes
up, that seems to be the consensus that I find, is that it is
much, much easier to hide code than it is to find it.
Finally, the question about the editorial about the
gambling machines and the Gaming Commission. I don't know if
you are familiar with the case of Rob Harris who worked for the
Nevada Gaming Board. He was one of the testers of the slot
machines. He wrote some malicious code that he put on a testing
device which would download to one of the slot machines and
then somebody could come in and put in a particular sequence of
coins into that machine, it would turn it into a winning
machine for a while. So his conspirators would go around and
play those machines and win a lot of money. The way he got
caught was that one of his relatives won a big slot and didn't
have an ID on him, so the security escorted him back to his
room where Rob Harris was in his room, and they started
investigating. But they didn't catch it any other way.
The point I am making is that insider threat happens. Even
with all the stringent controls on the gambling machines, he
was getting away with that for a long time and would not have
been caught if he hadn't have been careless.
I think the insider threat in anything electronic will be
caught through some out-of-band mechanism like not having your
ID, but there is nothing inherent about software that makes it
easy to catch these things.
Mr. Larson. Dr. Shamos mentioned encryption. We heard
testimony in previous committee hearings as well about that
being the way to go. What you talked about earlier seemed like
a method of encryption, though I profess not to be either an
attorney, a scientist or a physicist, but I am interested in
that line of questioning and would ask if the panelists want to
further respond to one another.
Mr. Rubin. I would start off by saying that encryption is a
valuable tool in the security arsenal. It has specific
purposes, namely to hide information from an adversary, so
governments use it to send information out to spies in the
field. It is not something that can be blindly applied to a
system to make it secure. You can't sprinkle encryption dust on
a computer and make it secure. Encryption is a tool. When there
is something that needs to be done to maintain confidentiality,
you can encrypt it with a key, but then the problem reduces to
protecting that key. So the biggest value of encryption is in
taking a lot of information that you need to protect and
reducing it to a small amount of information that you need to
protect like a key which can then be put on a smart card or
protected some other way. But, in and of itself, encryption is
not going to give you secure voting.
Mr. Kohno. I would also like to add to that in the fact--so
encryption, like you said, is a specific tool, but I think lots
of people confuse encryption with the science of cryptography.
Cryptography is a much broader science with many different
goals in mind.
I think one of the things that as a cryptographer I have
seen often mistaken is that encryption provides--protects--if
you take some data and you encrypt it, you protect both the
privacy and the authenticity. That actually turns out not to be
true.
I don't know how technical in the details you want me to
get, but, essentially, if you talk to a cryptographer,
encryption is the process of taking some message, applying a
transformation to it, typically using a key. You get some
ciphertext. The ciphertext--an adversary looking at the
ciphertext will not be able to figure out what the original
message was. So this might protect the privacy of the vote,
assuming all the other things like key management are in place,
but this doesn't mean that you can't actually controllably flip
a number of bits.
The example that I might--by flipping bits, I mean change
the contents of the message. So an example that I might give is
that you have several different messages that you want to be
sending: sequences of ``yeses'' or ``noes.'' You encrypt each
of these individually. I take my message ``yes,'' I am going to
encrypt it, take my message ``no'' and encrypt it, and take the
next message ``yes'' and encrypt it, send these over
separately. This doesn't prevent an adversary from taking the
``yes'' messages, preventing the delivery of my messages and
kind of shuffling the order of these messages I sent.
I am hoping that this analogy is getting across the fact
that encryption doesn't provide authentication. It is a
powerful tool in the arsenal, but isn't a be-all, end-all
solution.
Mr. Larson. Most of the testimony I have heard over the
last couple of weeks really points out the complexity of the
issue, that really when--the further you look into it and the
more you peel away each layer of veneer, you find that there
doesn't exist a true simple answer to this, and what the voters
are looking for is a very simple solution. It seems to me, at
least in listening to the testimony we have heard over the last
several weeks, that it is a more complex issue. I tend to agree
with Dr. Shamos, that I think we have got to analyze the risk
and then come up with the best possible solution. I also would
think that the four of you could probably get into a room and
come out with a solution.
My question is, given the practicality of facing elections
in November and wanting to assure the public, and this is a
concern that the chairman raised and I think many people on the
committee feel, we don't want the message to go out to the
general public that their vote doesn't count or if they are
voting on a specific machine that the machine might in fact
alter the election in such a manner or have been altered in
such a manner that their vote doesn't count. How do we, in the
short period of time that we have, produce the best possible
result?
Mr. Shamos. I can start with that one.
First, on the issue of can machines be tested adequately, I
find myself in the rare position of agreeing with Dr. Rubin on
a few points that he just made. It is true there are always
going to be insider attacks. We will develop countermeasures,
and some new insider will find a new and better attack the next
time, and the battle never ends. It is notable that after the
discovery of the Harris debacle in Nevada, they didn't stop the
slot machines from spinning. You can still play the slots in
Las Vegas, even though there was an insider attack. If we
insist on perfection, if we insist on zero defect, there is
never any kind of system we are ever going to be able to
deploy.
With respect to what to do between now and November, the
only answer at this point seems to be test, test, test and
train, train, train. Many of the problems that have arisen with
DRE machines can be ascribed to first-time use. Poll workers
who have never seen the machines before were asked to follow
procedures that didn't even exist in written form. So training
is required there.
If it is believed that the security vulnerabilities in
these machines can be exploited in order to alter the results
of an election, then security measures must be taken to ensure
that that doesn't happen. You don't leave the machines around,
for example, where outsiders get an opportunity to play with
them. You watch what people are doing when they are going into
the polling place. I don't see any alternative to those two
steps before November, which is, I believe, 120 days from now.
Mr. Williams. I agree with that.
To get back to the Brennan report that supposedly is
recommendations for things to do for 2004, it can't be done.
The things that are in that report: to start today and go out
and try to hire a consultant, bring that consultant in,
evaluate your voting system, get the recommendations, implement
those recommendations and hold an election 120 days from now,
you can't do it. It is a catch-22 situation. If you try to do
it, you are going to wind up running your election with an
uncertified system, and you are going to get criticized for
that. So if you don't do it you are going to get criticized for
not doing it. So that Brennan report puts us in a real catch-22
type situation.
Mr. Rubin. I believe that if there is a vulnerability out
there, it is better to know it than not to know it. Hiring
security consultants to come in and review the system and
produce a report and if they find something, then at least you
know about it and then we can figure out what to do about it.
It is better than not knowing about it.
When we analyzed the Diebold system a year ago, it was a
year and a half left until the election. We asked ourselves,
will we do more damage or good by going public with this? One
of the things we said, well, there is not an election coming
up. We have a year and a half before the election, plenty of
time to fix the things we are talking about and design perhaps
and provide better voting systems. We did go public with it.
Right now, we are coming up to the election. We need to do
everything we can. Unfortunately, I think there are places that
are going to be used, equipment that I don't believe in, that I
don't believe is secure enough. Should I sit back and say,
well, in order to preserve the confidence of the voter in
something I think is insecure, do I sit back and keep quiet? I
don't think that is a good idea. That is why I have been
speaking out about this.
Mr. Larson. Would you agree with Dr. Shamos that what we
should do then, given the shortness, is test, test, test? Is
that a reasonable alternative?
Mr. Rubin. I think that I do believe in parallel testing,
and I believe we should maximize the testing but not in place
of external review. I think you can test and review at the same
time.
Mr. Larson. The review that you are indicating would be the
review that you laid out in your testimony?
Mr. Rubin. No, the review that the Brennan Center and SSCR
recommends in their recommendations that came out last week.
Mr. Williams. Which is based on the assumption that we
don't already know the vulnerabilities in our voting system and
we need somebody else to tell us about them, and we don't agree
with that.
Mr. Rubin. No, but that is one of the assumptions.
The Chairman. Mr. Mica.
Mr. Mica. Thank you, Mr. Chairman.
We have got a couple of experts that have looked at the
overall picture here. What percentage of our voting will be
done in 2004 by electronic means?
Mr. Shamos. It was estimated originally at about 32
percent. The estimates have been falling to somewhere in the
20s, which is somewhere between two and three times the
percentage that voted under the early machines in the year
2000.
Mr. Mica. Basically, the machines that are out there, do
any of them have a paper trail capacity?
Mr. Shamos. Many of them have a paper trail, one that is
not viewed by the voter, however. Most DRE machines--at least
when I was involved in certification, most DRE machines have an
internal paper trail that records in random order a complete
ballot image of every vote cast. In that sense, they have a
paper trail.
Mr. Rubin. That is not what the Diebold machines do,
though. They print out the totals at the end of the day on a
printer, but they only maintain an electronic total.
Mr. Mica. But that is an electronic total, not as everyone
votes?
Mr. Shamos. It is as everyone votes. Not in Diebold.
Mr. Mica. It is just adding a number as opposed to sort of
a continual tab on how each one has voted?
Mr. Shamos. Yes. I am in the enviable position of never
having reviewed the Diebold system for certification purposes,
so it can't be blamed on me.
Mr. Rubin. These machines do not print anything throughout
the day until the end of the day when they print totals. They
do not print anything as people vote.
Mr. Mica. Then I heard the dilemma, if we have a
discrepancy in a paper trail versus an electronic trail, how
would that be resolved?
Mr. Rubin. There isn't a paper trail in the Diebold
machines.
Mr. Williams. That is not entirely true. As you know, the
HAVA legislation requires that the system have the capability
to print ballot images. The Diebold system can do that. As a
matter of fact, it can print them in a format that can be read
on an optical scan machine if you want to. I have never known
anybody to actually do that, but the capability is there.
Mr. Rubin. That would be a pretty useless thing to do.
Mr. Mica. Hey, join the club up here. We do a lot of
useless things and spend a lot of money doing it, too. That is
part of my point.
Okay, everyone has agreed that there is no way to verify
the vote of an individual.
Mr. Shamos. With the current systems that are deployed,
that is correct.
Mr. Mica. And we have no way of really changing--everyone
agrees that before this election basically there is no way to
add any other security checks or enhancements to existing
machines, that what we have got is what we are going to go
with, basically?
Mr. Williams. That is right. We talk about November, but
November is not really the date. You have got to send out your
absentee ballots 45 days ahead of time. So, actually, you have
got to put your election to bed 45 days before November 2.
Mr. Mica. I am trying to get a glimpse of the 2004
election. I think you are providing that.
I don't mind spending Federal money to make certain that an
election improves voter participation and accuracy and
security. However, I am concerned the way we spent money here,
I think we did it by a formula, and each State got, based on
population of voters, a distribution. Is that the right way?
What should the Federal role be in this process?
Traditionally, you heard my comments at the beginning, the
State and locals really run the show, and you have got a mass--
someone said 1.4 million volunteers. These aren't people that
we are taking in and giving computer technical training and
operations. These are folks that will get a little course here
and there.
To get the biggest bang for the Federal buck--and, also,
what is our Federal responsibility in this process? Maybe we
could go down--that will be a major question. What is our best
role with our money and our position to make this work in a
cost-effective manner and that gets us the best results?
Mr. Shamos. Until recently, I believed that the best role
for Federal Government in elections was hands off.
Unfortunately, what has happened is that the States' attitude
has also been hands off. The States have one by one been
abdicating their responsibility for testing and certifying
voting systems. What they have done is to rely instead on the
Independent Testing Authority process and the voluntary FEC
standards, which are now known as the FVSS. The idea there is
that there are some standards voluntarily proposed by a body
and there are independent testing authorities who supposedly
test the machines to those standards and they produce a letter
that says----
Mr. Mica. When you say ``machines,'' are you just talking
about electronic? Or all machines?
Mr. Shamos. There is computerized voting and then there is
DRE voting. I am including anything that involves a computer.
The Independent Testing Authority produces a letter that says
we tested this system to the Federal voting system standards
and it passes. In many States, that is sufficient. The States
themselves don't do any subsequent evaluation of the machine.
They just accept that letter at face value.
It is obvious that there is something wrong with that
process, because all of these systems that have been found to
have security flaws, particularly the system examined by Dr.
Rubin and his colleagues, they were all ITA certified. And so
it raises the question exactly what are these ITAs doing and
are the standards adequate.
I have looked at the standards. They are 300 pages long,
and I have them with me. Many of the concerns we have discussed
today received no attention or one or two sentences' worth of
attention in these standards. So I don't believe the standards
should be voluntary.
I think that in elections for Federal offices there should
be mandated Federal standards these systems should have to
obey, and there has to be some serious attention given to
updating the standards and keeping them updated. As new attacks
and new modes of attack are discovered, there have to be new
standards to attempt to respond to those. We don't have such a
system right now.
Mr. Mica. Anyone else?
Mr. Williams. We don't have the system, but you have put in
place the mechanism. The EAC is the organization to address
these problems. It has been slow getting off the ground, but
with all of the problems that we know are in the HAVA
legislation, I think basically it is doggone good legislation.
I have worked with the NASED program, the FEC program since
its inception in 1986; and it has been an entire volunteer
effort. That shows. With things that Mike is talking about
here, there are problems with it. The problems are primarily--
it is not because we didn't know better. It is just because we
didn't have the resources. But now with the HAVA legislation,
we have got the resources.
The Technical Development Committee is meeting for the
first time Friday. They have 9 months to produce a preliminary
standard. Things are beginning to happen. I think the best
thing that this committee can do right now is to give the HAVA
legislation a chance to work.
Mr. Shamos. The problem I see there is, even after the EAC
does its work, the standards that it develops or the standards
that it developed under its leadership will still be completely
voluntary standards. It will not be mandated for the States to
follow.
Mr. Williams. Yes, but I would like to not say a priori
that those are going to be the law. Let's develop them, look at
them and decide whether or not they are good enough to be the
law. Let's let people like sitting here at this table take a
look at those standards.
Mr. Mica. You are saying the standards will be sort of an
evolving set?
Mr. Kohno. I would like to comment on that.
Someone made an argument to update the standards as we find
new attack modes. That kind of hints at what concerns me most
as a computer security expert. These machines are still new.
The assumption is that we are going to expect to keep finding
new attack modes. That I think is a very scary idea, because it
means that we are at a state where we don't know what all the
attacks are. We are going to be finding new ones and evolving
the standards over time. I don't want to be using something
that is standardized, and the standardization says this is what
we know now, but it is not perfect. There might be attacks
discovered in the future, so we are going to revise these
standards.
But the first question you raised was along the lines what
can the government do. I am a computer security person, not a
person in the government. I don't know what is within the
limitations of me to allow for you to legislate, et cetera. But
I think that one thing I believe is very important is for the
voting process to be very open.
I think Ranking Member Larson asked a question earlier or
was talking about--there are two different issues going on. One
is, are the elections themselves going to be secure? The other
issue is, will the public believe that the elections are
secure? I think these are two different things, and I believe
one important thing we need to think about in the future, you
have to weigh the importance of these two things. Do we want a
system that is secure but the public doesn't have faith in for
various reasons? To me, I believe it is important for the
public to believe the election was secure. Toward this end, I
believe developing a model where the public can look at and
verify for themselves that the voting systems are secure and
reliable is very important.
Mr. Mica. Dr. Rubin is the only one that didn't comment.
Mr. Rubin. I think the best thing the Federal Government
could do is put independent back into the Independent Testing
Authority. They should be the ones hiring the testers and the
certifiers, as opposed to the vendors who are making the
machines.
Mr. Mica. Thank you.
The Chairman. The gentlewoman from California.
Ms. Millender-McDonald. Thank you, Mr. Chairman. From the
testimony this morning and if the public is looking and
listening, they have absolutely validated that there is no
assurance that there is security in their voting. This is what
members in the minority community grapple with all the time,
that their vote will not count because there is no verification
that their vote is being counted. But the one thing I suppose
we can all agree to, that there is no such thing as a risk-free
system. Am I correct, gentlemen?
Mr. Shamos. Yes.
Ms. Millender-McDonald. Secondly, whether there is a paper
trail or not a paper trail, there is never a means for a
complete or verification accuracy count, am I correct on that?
Is that a correct assumption?
Mr. Williams. Not as long as we have secret ballots.
Mr. Shamos. In the currently deployed systems, that is
correct. There are proposals for systems that would remedy that
defect.
Ms. Millender-McDonald. Let me ask you, for the umpteen
years that I have voted--and I do not care to tell you those
number of years--when you go to the polls to vote, you have a
ballot that is given to you. The ballot has a top part that is
detached from when you finish and complete your ballot, and
they put that larger ballot into a box, and they give you this
little detached piece saying that I have voted or whatever it
says, but it carries a number. That number cannot be verified
if there is a recount? You can never go into that box?
Assumedly, that is the box you voted from--or is that the
operative word? "assumedly," that is the box you voted--your
ballot went down in, to compare that from that stub that you
get, compare it to the ballot that is put into the box?
Mr. Shamos. No, because the number is on the stub only. It
is not on the ballot.
Ms. Millender-McDonald. I see.
Mr. Shamos. It is a privacy problem.
Mr. Williams. In most States, by law you cannot have any
identifying mark on the ballot that could be identified back to
the voter.
Ms. Millender-McDonald. In other words, then it is true
that we do not--the position is not there or the system is not
set up for recounting to be done accurately then? Is that a
fair statement?
Mr. Rubin. The idea behind the meaningful recount concept
of voter-verifiable ballots is that if you have a box full of
ballots that voters looked at and put them into that box, then
while you won't know which ballot corresponds to which person,
it is the best effort, best hope you have of counting the
voter's intent.
Ms. Millender-McDonald. Absolutely true.
Mr. Rubin. That is why I and many others have been
advocating voter-verifiable paper ballots, so that you have
something to go back and count.
Ms. Millender-McDonald. Yet we don't have to bring up
Florida again. Because Florida indicated that, even with a
paper ballot, that was not an assurance that that could be a
count that was accurate in the sense of accuracy.
Mr. Rubin. The ideological difference is that I think the
way to improve Florida is to design better paper ballots where
you won't have hanging chads or be confused about which hole to
punch. You can accomplish that with a system I described in my
initial testimony where you have all the benefits of a DRE for
vote casting but you have all the benefits of paper for vote
counting.
Ms. Millender-McDonald. Dr. Williams, in your testimony you
indicate that you do have your DRE now in place for Georgia,
the State of Georgia. It has been replaced by all other systems
that you have once used.
Then I see an article by the California Secretary of State
Shelley who says in this article, a number of failures,
including touch screen machines in Georgia, Maryland and
California, has spurred serious questioning of the technology.
Of course, as you know, our Secretary of State has banned to
some degree the use of the Diebold system, although in one of
my cities in my district we do use it, and he has not banned
that one. But he is kind of contradicting what you have said in
your statement, or is that a contradiction?
Mr. Williams. I have no idea what he is talking about. We
installed that system--we first used it in November of 2002,
and we have right now held over 500 elections using that
system, and we have not had a problem yet that we could
attribute to the system per se. We have had problems, but they
have all been typical human-type problems that you have with
any system.
Ms. Millender-McDonald. So this article that is dated May
of this year really does not speak to your testimony and
especially that that I have dated April, 2003?
Mr. Williams. That is correct. There is a learning curve on
anything. The first time we used the system, there were some
problems in some of the precincts, but these are mostly
training issues and so forth.
We haven't talked much about training, but if you asked me
what is the one thing you can do to improve your elections, the
answer is, train your poll workers. And I don't care what kind
of voting system you have got. A well-trained poll worker can
overcome a lot of problems in a voting system; and, conversely,
a poorly trained poll worker can cause you a lot of problems,
no matter what your voting system.
Ms. Millender-McDonald. I think it was Dr. Shamos who said
test, test, test, train, train, train, or one of you said that.
Who would be the most reliable training source to train
persons, especially in the minority communities? Because they
really still do not believe that their vote counts and that
there is a reliable system that really speaks to their having
security in voting.
Mr. Williams. In Georgia, we have a Center For Election
Systems at Kennesaw State University. We provide training to
county election superintendents, all 159 of them; and we do not
train poll workers directly, but we train the people who train
the poll workers. That is a huge effort that is ongoing.
Ms. Millender-McDonald. I would think it is because you are
training the persons who train the poll workers which you are
not sure the poll workers are being trained, given the trainers
that you have training them. If that is not a convoluted type
statement, what else is? It is frustrating to sit here and hear
this and to know those folks who are out there in the heartland
and in the other part of our country are really frustrated
about this whole voting system.
Mr. Williams. We have got hard statistics to demonstrate
that we have greatly reduced the number of spoiled ballots in
the predominantly minority districts.
Ms. Millender-McDonald. Is that right? I would like to get
that, if you can give me a copy of that.
Mr. Williams. Be happy to.
Ms. Millender-McDonald. Is there anyone on this panel
outside Dr. Rubin who thinks that the ballot, the paper ballot,
is the best way to go? Is there anyone else here who thinks
that, over and above the DRE?
Mr. Kohno. I agree with that, especially in terms of
between now and November.
I think the thing that I was trying to make before--the
statement I was trying to make before is, the systems we know--
we know the system we analyzed had serious security problems.
We know that the certification processes don't address these
security problems. So I think the thing to do in the short term
definitely is that we need to--yes, to answer your question I
think I do.
But I think I also wanted to--you were talking a lot about
testing. I think one important thing to address is whether
testing--I am sorry--not testing, you are talking about adding
procedures, training people for procedures. I think the
important thing to address is whether your having poll workers
trained for election day is going to be sufficient enough.
One analogy I kind of like to think about was that we know
that the systems right now may have a lot of security
vulnerabilities. You are trying to rely on people and
procedures to help protect the systems. An analogy you might
want to talk about is like a bank saying, I know our safe
doesn't work or I don't have a safe, but I am going to assume
that no one is going to steal money because I have a lot of
people walking around and following the procedures I have
outlined.
One thing to keep in mind, the people implementing the
procedures may be the adversaries as well.
Another thing, I was recently at a meeting at the Kennedy
School of Government on electronic voting. One of the election
officials there made a very interesting point. Her observation
was that when people--anytime anyone starts a new job, you kind
of expect them to make mistakes on their first day. That is not
an unreasonable assumption. But the concern is that, for
elections, every election day may be the first and only day for
the people that are volunteering or being paid to work the
polls that day.
These are two things to keep in mind, I think.
Ms. Millender-McDonald. Let me ask one more question here.
With the AAPD, the American Association of People with
Disabilities, which one of these systems will best address
their needs or if any of these will? A paper ballot? Braille?
Mr. Rubin. I think the needs of the disabled community
definitely need to be addressed with voting, and what has
happened is we have taken in the design of the machines that
are being used today like the Diebold machines, we have taken
that as the predominant property to address. And it has been
addressed. I think that it is possible to build systems that
address those needs equally well and also address security.
That hasn't happened yet. Having a machine that allows a blind
person to vote but also allows some malicious person to change
the entire outcome of the election is not anything that anyone
desires, not even a blind person. I think that we cannot ignore
security.
Mr. Shamos. I don't agree exactly with that
characterization. It is not a choice of one or the other. The
disabled rightly argue that if there is going to be voter
verifiability then they ought to be able to participate in that
also. There are means of offering voter verifiability without
the requirement of having a piece of paper which they cannot
read.
So I am not against voter verifiability in any way. I am
against attempting to accomplish it with paper where that paper
becomes the official ballot. If you want to print out a piece
of paper to convince the voter that her choices were correctly
heard by the machine, there is nothing wrong with that. I just
don't want that piece of paper to become the official ballot,
because we have 150 years of history in which people with no
training or education at all have been able to successfully
manipulate those things.
It is true that there is no centralized manipulation
possible with paper. The manipulations are only local. Whereas
there is centralized manipulation possible with software, but
it is the very centralization that makes it easier to detect.
Again, safes are not safe. Many banks have had safes broken
into. That doesn't mean that we have disbanded the banking
system. It may mean that it is necessary to hire more security
guards and install video cameras to watch the safes.
But I disagree with the concept that perfection is required
and as soon as someone points to some vulnerability we must
shut down the entire system. There are security flaws of all
kinds in these DRE systems, some much worse than others. Some
are really excellent. Because there are security flaws, that
doesn't mean that the election will necessarily be tampered
with. It doesn't even necessarily mean that the probability
will be high that the election will be tampered with. It means
we have 25 years of history of using DRE machines and no one
has been able to demonstrate that any election ever was
tampered with, despite the fact that there have been numerous
problems of all kinds, not necessarily related to security. So
it is not a choice of one or the other. Paper certainly doesn't
help the disabled, though.
Ms. Millender-McDonald. Mr. Chairman, thank you so much for
such an interesting and absolutely--although very thorough by
the experts here, still very convoluted type of concern that we
have, especially when we are preparing for the largest election
in this country.
I note my dear friend and colleague Congressman Holt is
here. He had a statement to submit for the record. By unanimous
consent, may we have that?
The Chairman. The Congressman can submit it for the record,
without objection.
Ms. Millender-McDonald. Thank you, Mr. Chairman.
[The statement of Mr. Holt follows:]
[GRAPHIC] [TIFF OMITTED] T7366A.050
[GRAPHIC] [TIFF OMITTED] T7366A.051
The Chairman. Mr. Larson, the Ranking Member, has another
question, but, on the point, I think this discussion needs to
be--everybody knows there is politics in this building, but
this discussion really needs to--that is the way it has gone
today--to rise above the political. There was a maligning
editorial, I think a disgusting editorial on this whole issue--
I mentioned this 2 weeks ago--really maligning people,
especially people that are out there fighting for persons that
have some form of disabilities. So there is the political side
of this, the emotional side of this, but I think this type of
hearing is a better way to look at the issue.
But, also, within the civil rights community and within the
community of people that have some form of disability, they
have genuine concerns about the paper ballots. I do not think
it is just so clear-cut that you are either the good people if
you are for the paper ballot or bad people if you question the
merits of a paper trail. I don't think it is a clear-cut issue.
I think there is some science to look at here and also the
evolution of our elections. But the one thing for sure is we
don't want people disenfranchised. That is the most important
thing to consider.
Six years ago, Georgia's system had a high undervote rate.
Dr. Williams answered 4.8 percent was the ballot error rate. In
2002, after deployment of the new systems that they have in
Georgia, it was 0.87 percent, a fivefold reduction in
undervoting. There were 71,000 votes in 2000 that no one voted
at the top of the ticket; and now, under their system, it has
been drastically reduced--if you hear 4.8 percent, that doesn't
sound big, but 71,000 in that election was a lot of people. So
am I correct in understanding that the undervote rate is down
to 0.87, is that correct?
Mr. Williams. That is correct. We are not willing to give
that up for concerns that have never occurred, for pure
conjectures, when we have never yet had the first hint of
problems. We have been using computer-based systems in Georgia
since 1964. DeKalb and Fulton County were the first
jurisdictions in the United States to count ballots on
computers. In that whole period we have not once had anybody
attack the computer system.
Ms. Millender-McDonald. Mr. Chairman, just as a follow-up
to what you are saying, Dr. Williams, what I am interested in
is seeing in the minority community the reduction of the
problems that have occurred since you are using DRE. If there
is a comparison on your report that you are going to submit to
me, I would like to see that as well.
Mr. Williams. The figures he is quoting are State averages.
In some of the communities, those undervote rates were much
higher than that. They went up to much higher numbers in some
communities. What he is quoting is the average.
Ms. Millender-McDonald. Mr. Chairman, in the City of Carson
where we have a DRE, those voters, seems to me, that that
electronic voting is much more secure than the paper voting,
given the Florida's issue. However, since the whole notion of
paper trail has come about, now they are concerned as to
whether or not there is reliability. I suppose no matter how
you cut this there will always be the chances of voters being
concerned about the whole notion of whether their vote has been
counted.
Mr. Shamos. Much recent analysis has gone into looking at
the security of electronic voting systems, and it should. I
completely agree with the notion that we need as complete a
list as we possibly can have of the vulnerabilities. We also
need transparency in these systems.
I am not aware of any recent studies where people have
looked again at paper ballots, looked at the physical handling
procedures for paper ballots to try to develop a list of
vulnerabilities there. This country over a long period of time
discarded paper ballots to the point where they are used in
less than 1 percent--to cast less than 1 percent of the vote in
this country. We have gone over to various other systems to
eliminate chicanery.
When the lever machine was introduced in 1892, its inventor
said of it that its purpose was to protect the voter
mechanically from ``rascaldom,'' an interesting new term. I had
never heard that before. I think it is pretty clear what
rascaldom is, however. And that is because of rampant--once
every 12 days since 1852--rampant stories of all kinds of
tampering with paper ballots. So I think somebody should do a
new study looking at whether paper is more or less secure than
the voting systems that we know have security vulnerabilities.
Ms. Millender-McDonald. I think that would only be fair,
given that we have arguments on both sides, that we should look
both places for that type of reliability.
The Chairman. The gentleman from Connecticut.
Mr. Larson. Thank you. I thank the chairman for the great
latitude that we have had this morning in exploring these
issues because it is so important.
I would note this past Friday, in fact, we marked the 40th
anniversary of the signing of the Civil Rights Act of 1964; and
the gravity of this, of course, comes home today. Many people
fought and gave their lives for the right to vote and how
serious this is. I think across this panel and across this
Nation, people are very much concerned. I think that is
heartening to see.
Again, I want to commend the chairman, Mr. Hoyer and others
for HAVA, because I do think--although I disagree with Mr.
Mica, I think that it is important to have a funded mandate.
For so long the States have had to bear an unfunded Federal
mandate in handling all of our Federal elections. This provides
an opportunity for them to receive the appropriate kind of
money.
I want to go back because I think, as I listened to the
testimony and hear the arguments put forward, Dr. Shamos, you
said that if we strive for perfection, we can't get there given
there has been no system designed to date that will allow for
that. So, within that context, we have to look and see what the
risk is and what was the risk analysis and what we can arrive
at in terms of the best system.
It seems we have two goals in front of us. One ongoing, to
continue to strive towards perfection as we project out into
the future and the other a more immediate goal in terms of the
November election whose backdrop is the election of 2000 and
the concerns that have been raised.
I would add and it seems at least--and I don't want to put
words in anyone's mouth--that there was a general consensus
that in the short term testing, testing, testing, training,
training, training, testing with the Rubin corollary of
independent sources is a very logical remedy, though I think
Dr. Kohno would prefer that there be a paper trail that would
go along with that, or as Peter Finley Dunn would say, trust
everyone but cut the cards. But it seems to me at least in the
short run that those seem to be goals that we could accomplish
as the debate still goes on between whether or not the idea of
trust and verify, of the paper trail being the best possible
alternative for us to go to, the most secure alternative to go
is further explored. Is that a fair statement? And how would
you respond to that?
Mr. Kohno. I guess I will respond since I was singled out
as maybe disagreeing, but I actually don't disagree. I think
that I would prefer to go back to the voter-verifiable paper
ballot if we can, but it sounds like there are various
procedures and various things that might prevent that. In that
case I agree. You want to do the best you can to raise the bar
in an attack. If that means you have to do more testing and do
more secure analyses and changing the procedures, if that is
actually the best you can implement, then I say you should at
least do that.
Mr. Shamos. And I think paper has some use. It certainly
has use in commercial transactions. One of its uses is to point
out errors. So my belief is that if a voting machine is making
a record and it is making a simultaneous record that the voter
can see and there is some discrepancy between the machine
record and the one that the voter sees, that is the starting
point for investigation.
Forensic experts come in, they tear the thing apart, and
they find out what is wrong with it. They don't propose that it
is the right thing to do, to take the piece of paper and make
that the official ballot, any more than it is right to take the
electronic record and make it the official ballot if there is
something wrong with it unless we can have adequate handling.
Mr. Rubin. I am very impressed with your ability to extract
all the points of agreement and consensus and I agree with your
summary of our positions.
Mr. Larson. Thank you.
The Chairman. I want to thank all four witnesses. I think
it was a very, very fascinating hearing and I want to thank you
for coming to the Capitol.
We will move on to the second panel. I want to thank the
second panel for waiting a period of time. We have Linda
Lamone, Administrator of the Maryland State Board of Elections;
and Kathy Rogers, Director of Elections Administration, Office
of the Georgia Secretary of State; and Jill Lavine, Registrar,
Sacramento County, California. I want to thank all three of you
for coming.
STATEMENTS OF LINDA H. LAMONE, ADMINISTRATOR, MARYLAND STATE
BOARD OF ELECTIONS; KATHY ROGERS, DIRECTOR OF ELECTIONS
ADMINISTRATION, OFFICE OF THE GEORGIA SECRETARY OF STATE; AND
JILL LAVINE, REGISTRAR, SACRAMENTO COUNTY, CALIFORNIA
The Chairman. If we could, Ms. Lamone.
STATEMENT OF LINDA H. LAMONE
Ms. Lamone. Thank you very much, Mr. Chairman, and members
of the committee. I am more than pleased to be here today.
A lot of the discussion on the previous panel focused on
the voting equipment, and I want to emphasize to you all that
voting is not only the voting system; that it has many other
components, and they involve people and procedures and those
other components are equally important to the whole process.
The other thing that has been stressed this morning is
testing. I think I can safely say that both Georgia and the
State of Maryland test this equipment beyond what anybody ever
expected or what we thought we would have to do. We have at
least four preelection testing procedures that the equipment
must survive successfully before it can be used in an election.
That does not include the ITA or independent testing
laboratories that do the testing to meet the Federal standards.
We also, when we do the testing in Maryland having anything
to do with the software, we always involve two other entities
besides my staff, and that is a quality assurance firm and
something called an independent validation and verification.
These are firms that we contract separately. They all have
security clearances and the other credentials necessary.
So we have very high competence in Maryland that when we
test this equipment, we are testing it to the highest standards
and highest quality possible. We also do other testing, that
Dr. Williams mentioned, in Georgia; and that is to make sure
there are no Trojan horses or other malicious code. And I would
think that since the Diebold--which we both use--voting
equipment code has been in the public domain for a year, if
there was malicious code or otherwise in that system, it would
have certainly been discovered by all the hot-shot ITA people
or information technology people that claim to know all about
elections all of a sudden.
In Maryland, we have also had our voting system analyzed by
two independent securities firms. One was the first one, SAIC,
and the second one was done by a company out in Columbia,
Maryland. We have had both firms report to us the risk
assessments, the mitigations that they thought we should take
and Diebold should take, and both of them assured me in their
written reports that the voting equipment counted, recorded,
and tabulated the votes 100 percent accurately. And again, that
gave us a great deal of satisfaction and confidence in our
voting system.
In addition, the SAIC also thoroughly investigated the work
that was produced by Professor Rubin, and they made four
recommendations to us, all four of which have been implemented
in Maryland. One was to have the ability to protect the--or
create the passwords on the voter access cards; two, the same
thing with the activation cards or the memory chips on the
voting equipment; three, randomize the votes; four, use
encryption for any modem of the unofficial votes on election
night. All four of those recommendations were implemented in
Maryland prior to the March 2004 primary.
I think another interesting thing is that the computer
scientists have all these things--conjecture could happen. It
is conjecture that someone is going to be able to go out there
and mass-reproduce the voter access cards so they can have
access to the voting units and manipulate the election. They
also say they are going to be able to do the same thing with
the memory cards. Yet again, the source code has been in the
public domain for a year and no one has successfully done that.
No one. And I would suggest to the committee that if it were
possible to have done so, they would have come forward to let
the world know, because they like to tell people how well they
can do things like that.
We are doing an upgrade of the system now, and we will do
another whole security analysis this summer. I have three full-
time employees on my staff that are devoted to nothing but
security issues. We have developed with, again, another
independent outside security firm for an entire information
security plan for the office, not only on the voting system but
on every aspect of the process of conducting elections,
including voting registration.
A lot of the issues this morning also talked about the
paper trail. And I understand, Congressman Larson, I appreciate
your characterization of the positions because I think they
accurately reflect mine and everyone else in the Nation who has
to deal with the issue and who cares very deeply about having a
secure and safe election.
But let me just show you what a paper trail would look like
for one voter from Baltimore County, Maryland in the March 2,
Super Tuesday primary. This is 10 feet long, one voter; and it
took us 4\1/2\ minutes to print it out. Granted, we had to shut
down the election to print the thing out because the system
isn't geared right now to printing a contemporaneous paper
trail. But that is a lot of paper per voter. You look at the
turnout in the November primary or November general election,
probably 80 percent in Maryland, it is going to be a lot of
paper we are going to have to have.
And let me ask you, how are your constituents going to
react when the printer paper jams and they say, Mr. Technician,
will you come over here and help me unjam this paper trail,
because the machine won't let you cast your ballot until you
print this paper. When that technician walks over, he or she is
going to be looking at a live ballot on the voting equipment.
And for those of you who have optical scan balloting in your
jurisdiction in the past, you know how protective the voters
are. They don't want the poll workers to see their ballots. We
use privacy screens to try to protect them. On the DRE, before
you cast your ballot, your review ballot screen is live. It
shows how the voter has voted, and that is what the technician
is going to look at.
And I think you need to know that the printer engineering
community at IEEE is convinced that the printers that the
voting vendors are now producing are not going to meet the
standards we need to have to have a safe and reliable election.
Mr. Rubin had an experience as an election judge in Maryland,
and he said when they went to close the election they had a
discrepancy between the number of votes on the DRE units and
the number of votes that they had checked in. I suggest to the
committee that the reason was human error. The machines were
correct. The people handling the pieces of paper, the voting
authority cards, the poll books, had made a mistake.
And that is exactly what we are trying to get away from
with the electronic voting equipment, aside from all of the
other attributes that you have discussed here already.
The other thing that really, really irritates me and my
colleagues around the country is the irresponsibility of the
way the press has handled this issue. They start with one
problem, and all of a sudden it is attributable to the voting
units. Let me give you an example. In Maryland, right down the
street from my office, they delivered the wrong encoders. That
is the device that puts the ballot on the voter access card.
They delivered the wrong encoders to a single precinct. It was
human error. They simply mixed them up. And when they went to
program the cards and the voter put them in the voting unit, it
wouldn't pull up a ballot because it was the wrong encoder for
the wrong voting units. It worked as it was supposed to work. I
had international press at that precinct reporting that as an
equipment failure, and that got perpetrated over and over and
over again, that that was a major problem in Maryland. It
wasn't a major problem. We didn't have any major problems in
Maryland with the voting equipment.
Everything that happened that went wrong was attributable
to human error. And that is because now we are boosting our
training and voter education. We are spending millions of
dollars on security, on training, on voter education, and we
still get nailed in the press.
You asked what we are doing to get the word out. We can't
get our word printed. We put out all this good stuff that we
are doing. When we sit down to educate a reporter and finally
teach him or her everything we do, they go in and say, wow, I
had no idea you did that stuff.
CBS news was in Maryland a week ago Monday, and when my
staff finished explaining to them everything we go through,
they were convinced. We will see if they will actually
broadcast that, which will be on this Sunday morning on Sunday
morning news.
The other thing that the New York University Brennan report
came out with is a lot of issues about each State should have a
security analysis done like we have done in Maryland. Let me
suggest that I think that we would have a lot better economy of
scale if NIST or someone like that did it on each voting unit
and provided it to the States so we could use our management
and other procedures to then implement it and control it.
I see my time is up. I thank the committee for the
opportunity to appear today.
The Chairman. As they always say, they don't report when
the planes land, you know.
[The statement of Ms. Lamone follows:]
[GRAPHIC] [TIFF OMITTED] T7366A.052
[GRAPHIC] [TIFF OMITTED] T7366A.053
[GRAPHIC] [TIFF OMITTED] T7366A.054
[GRAPHIC] [TIFF OMITTED] T7366A.055
[GRAPHIC] [TIFF OMITTED] T7366A.056
The Chairman. Ms. Rogers.
STATEMENT OF KATHY ROGERS
Ms. Rogers. Thank you very much. As you know, the 2002
general election was a milestone in Georgia history as we
became the very first State in the Nation to implement a
statewide uniform electronic system of voting. On that one day
on November 2, 2002, many concerns and fears were laid to rest.
The elderly did not have trouble voting on Election Day and
voters were not afraid of the new technology. For the very
first time, every voter was afforded an opportunity to vote on
the same equipment, using the same interface as their neighbor
in the next county.
That fact seems to be forgotten today. By upgrading our
voting system platform, Georgia corrected a problem which was
very close to being a disaster. And in the almost 2 years since
that very first successful election, Georgia counties have
conducted over 450 individual elections using the statewide
uniform electronic voting system. Georgia voters have expressed
their approval in not one but two independent studies which
were conducted by the University of Georgia. These studies
found that Georgians overwhelmingly prefer electronic voting to
any other means. More than 70 percent of the respondents
reported they were very confident that their vote was
accurately counted, and some 97 percent reported that they
experienced no difficulties whatsoever when using electronic
voting. These numbers have already been thrown out, but I don't
think it hurts to reiterate them again.
Six years ago on our antiquated voting platforms, the top
of the ballot of the U.S. Senate race was a 4.8 percent
undervote rate of total ballots cast. Of enormous concern to us
was also our analysis of 90 minority precincts in which we
showed an extremely high undervote rate that in some cases
topped 10 percent in predominantly African Americans precincts.
After 2002 and the deployment of our new system, the undervote
rate in the top of the ticket ballot was reduced to a mere .87
percent. That is a fivefold reduction in undervoting.
The paper receipt debate has generated a great deal of
inaccurate, false, and misleading information by those who are
calling for its very hurried implementation. Conspiracy
theories do abound. No system, as has been stated earlier,
whether electronic, mechanical, or paper based, can be made 100
percent invulnerable to attack; but the facts are the current
system of voting is more secure than any type of voting that
has ever been used in the history of Georgia elections.
We in the State of Georgia did not sign a contract with our
vendor and simply walk away from the process. Rather, we have
provided oversight and direction to our counties through every
step of implementation and we continue to do so to date.
Let us consider the practical realities of paper receipt
for just a moment. We have discussed how would each receipt be
collected, how does the voter view it. You saw the prototype
from Maryland. Georgia has created one that is about 31 inches
long. It brings into question how you would store the paper for
some 4 million voters in the State of Georgia and the voiding
and the spoiling of the ballots.
I heard mentioned earlier the possibility of a paper
shredder. I am not sure we want paper shredders in our polling
places on Election Day. There is also the question of what is
the official record of the election? I have heard a lot of
controversy about which would be the official. If it is the
paper, what happens if so much as one piece of that paper were
to become mangled or destroyed? Have you then called your
entire election into question?
If even 1 percent of Georgia precincts were to experience
problems implementing a paper trail on Election Day, that would
translate to 30 polling places in the State of Georgia. I can
assure you if that were to happen, it would no doubt be
portrayed as a catastrophic failure by the public and by the
press.
We also find it very remarkable that even as many activists
are calling for this hurried implementation of paper receipts,
these same critics express no concern whatsoever over the 30
million Americans who will be voting on a punch-card system
this November. We can be certain that hundreds upon thousands
of Americans will be disenfranchised by these punch-card voting
systems which have been proven to be far more inaccurate than
our current system of voting. And yet we hear no impassioned
pleas from journalists or the activists that these systems must
be decertified before November, and we have to ask the
question, Why?
We agree, as do all election officials, that we must
continue to embrace a concept of continuous improvement in
election security and we recognize that much of the debate has
been healthy. And some of it has surfaced significant
shortcomings which needed to be addressed.
We in Georgia cannot overstate the value of having an
independent, technically competent center like the Kennesaw
Center for Election Assistance which is staffed with elections-
oriented computer scientists who are equipped to audit and test
voting systems. Every day we continue to review our security
practices. And over the last 18 months, we have strengthened
our procedures and our practices a great deal.
I applaud the interest of this distinguished committee in
the important public policy issue, and we stand ready from
Georgia to assist you in any way that we can. Thank you.
The Chairman. Thank you for your testimony.
[The statement of Ms. Rogers follows:]
[GRAPHIC] [TIFF OMITTED] T7366A.057
[GRAPHIC] [TIFF OMITTED] T7366A.058
[GRAPHIC] [TIFF OMITTED] T7366A.059
[GRAPHIC] [TIFF OMITTED] T7366A.060
[GRAPHIC] [TIFF OMITTED] T7366A.061
[GRAPHIC] [TIFF OMITTED] T7366A.062
[GRAPHIC] [TIFF OMITTED] T7366A.063
[GRAPHIC] [TIFF OMITTED] T7366A.064
[GRAPHIC] [TIFF OMITTED] T7366A.065
[GRAPHIC] [TIFF OMITTED] T7366A.066
[GRAPHIC] [TIFF OMITTED] T7366A.067
[GRAPHIC] [TIFF OMITTED] T7366A.068
[GRAPHIC] [TIFF OMITTED] T7366A.069
The Chairman. And we will move on to the last witness.
STATEMENT OF JILL LAVINE, REGISTRAR, SACRAMENTO COUNTY,
CALIFORNIA
Ms. Lavine. Thank you. I am Jill Lavine and I am from
Sacramento, California. And Sacramento County was the first
jurisdiction in the United States that has conducted any
portion of an election using touch-screen technology that was
incorporated in a voter-verified paper audit trail. Ours was a
very limited early voting project which is described in detail
in my written report. The equipment for this pilot was the Vote
Trakker system provided to Sacramento County by Avante
International Technology, Incorporated. The pilot was
authorized by the Voting Systems and Standards Procedure panel
within the Office of the California Secretary of State.
Additional authorization was provided by the Sacramento County
Board of Supervisors.
This project involved early voting in six locations for a
period of 11 days prior to the November 5, 2002 election.
Voters from anywhere in Sacramento County were permitted to
vote at any one of the six locations. There were a total of 246
variations of the ballot for this election. The voting units
were accessible for blind voters, to voters with disabilities,
and each voter was able to choose a language: Spanish or
English. A total of 1,612 valid ballots were cast at these
early voting locations.
This experiment with the voter-verified paper audit trail
was conducted under very controlled conditions. Each of the
early voting sites was staffed with various personnel from our
office and a technician provided by Avante. The equipment and
the system met our requirements and expectations. We considered
the project a success. The reaction to the equipment was mostly
positive. Comments and observations from the poll workers,
voters in the poll, and the others are contained in my written
report.
In the interest of time, I will limit my time to the use of
the printed ballot and the challenges it presented. Some of the
voters did not want to see the ballot and fled before the
ballot was able to print. There are approximately 20 of these
voters. This could be a major problem. If a voter walks away
before approving the paper version of the ballot, is the ballot
counted? Some voters wanted to take the copy with them. We
called the printed copy a receipt, which implied they could
take it with them. This is obviously a mistake and is easy to
change. The printed ballot jammed. This caused the machine to
be taken out of service until the problem was corrected. In
order to remove the jammed ballots, we had to use anything that
was handy. For example, a back-scratcher and a windshield wiper
blade were used to pull the ballots out. Voters complained that
the printed copy of the ballot was hard to read because of the
size and lightness of the print and because of the location of
the shield which protected the printed copy. These problems are
easy to correct.
Voters also complained that the length of the ballot made
it difficult to check, which will continue to be a problem when
the ballot is long.
Voters wanted to remove the printed ballot before it went
back in the machine. This is not possible, of course, because a
voter could remove the ballot without being detected. Some of
the voters were concerned that other voters would see his or
her ballot. This was a placement problem that can be corrected.
The location of the shield that protected the printed ballot
made it difficult for a seated voter to see his or her ballot.
Again, this is fairly easy to correct. The storage area for the
printed ballot was too small and needed to be emptied during
the day. This is obviously unacceptable and must be corrected.
After the voter verified his or her ballot on the screen,
the printed version was produced. If the voter changed his or
her mind, or didn't agree with what was printed, it was too
late to be corrected. This has been corrected, but it is still
potentially problematic.
Only ballots approved by the voters should be counted. At
the same time, there must be no way to connect the ballot with
a voter. During the canvass of the vote, we manually recounted
one of the early voting places. The precinct selected had 114
ballots. Because of the complexity of the ballot and the fact
there were 246 different ballot types, it took 127\1/2\ hours
to recount. The machine count and the count on the paper
ballots did match. Following this demonstration project, Avante
made numerous changes to the equipment, addressing most if not
all of the concerns expressed.
In conclusion, while a voter-verified paper trail may
increase a voter's confidence in the use of electronic ballots,
it is not without concern. While many of the concerns I have
identified can and have been resolved, there still remain
concerns that may not be fixable. For example at the polling
place, the problem with fleeing voters, printing jams, the
length of time necessary for a voter to verify his or her
ballot. After the election, there would be significant delays
in providing official election results from the manual counting
of paper ballots in case of a recount or a challenged election.
These issues remain unresolved.
Thank you.
The Chairman. Thank you for your testimony.
[The statement of Ms. Lavine follows:]
[GRAPHIC] [TIFF OMITTED] T7366A.070
[GRAPHIC] [TIFF OMITTED] T7366A.071
[GRAPHIC] [TIFF OMITTED] T7366A.072
[GRAPHIC] [TIFF OMITTED] T7366A.073
[GRAPHIC] [TIFF OMITTED] T7366A.074
[GRAPHIC] [TIFF OMITTED] T7366A.075
[GRAPHIC] [TIFF OMITTED] T7366A.076
[GRAPHIC] [TIFF OMITTED] T7366A.077
[GRAPHIC] [TIFF OMITTED] T7366A.078
[GRAPHIC] [TIFF OMITTED] T7366A.079
[GRAPHIC] [TIFF OMITTED] T7366A.080
[GRAPHIC] [TIFF OMITTED] T7366A.081
[GRAPHIC] [TIFF OMITTED] T7366A.082
[GRAPHIC] [TIFF OMITTED] T7366A.083
[GRAPHIC] [TIFF OMITTED] T7366A.084
[GRAPHIC] [TIFF OMITTED] T7366A.085
[GRAPHIC] [TIFF OMITTED] T7366A.086
[GRAPHIC] [TIFF OMITTED] T7366A.087
[GRAPHIC] [TIFF OMITTED] T7366A.088
[GRAPHIC] [TIFF OMITTED] T7366A.089
[GRAPHIC] [TIFF OMITTED] T7366A.090
[GRAPHIC] [TIFF OMITTED] T7366A.091
[GRAPHIC] [TIFF OMITTED] T7366A.092
[GRAPHIC] [TIFF OMITTED] T7366A.093
[GRAPHIC] [TIFF OMITTED] T7366A.094
[GRAPHIC] [TIFF OMITTED] T7366A.095
[GRAPHIC] [TIFF OMITTED] T7366A.096
[GRAPHIC] [TIFF OMITTED] T7366A.097
[GRAPHIC] [TIFF OMITTED] T7366A.098
[GRAPHIC] [TIFF OMITTED] T7366A.099
[GRAPHIC] [TIFF OMITTED] T7366A.100
[GRAPHIC] [TIFF OMITTED] T7366A.101
[GRAPHIC] [TIFF OMITTED] T7366A.102
[GRAPHIC] [TIFF OMITTED] T7366A.103
[GRAPHIC] [TIFF OMITTED] T7366A.104
[GRAPHIC] [TIFF OMITTED] T7366A.105
[GRAPHIC] [TIFF OMITTED] T7366A.106
[GRAPHIC] [TIFF OMITTED] T7366A.107
[GRAPHIC] [TIFF OMITTED] T7366A.108
[GRAPHIC] [TIFF OMITTED] T7366A.109
[GRAPHIC] [TIFF OMITTED] T7366A.110
[GRAPHIC] [TIFF OMITTED] T7366A.111
[GRAPHIC] [TIFF OMITTED] T7366A.112
[GRAPHIC] [TIFF OMITTED] T7366A.113
[GRAPHIC] [TIFF OMITTED] T7366A.114
[GRAPHIC] [TIFF OMITTED] T7366A.115
[GRAPHIC] [TIFF OMITTED] T7366A.116
[GRAPHIC] [TIFF OMITTED] T7366A.117
[GRAPHIC] [TIFF OMITTED] T7366A.118
[GRAPHIC] [TIFF OMITTED] T7366A.119
[GRAPHIC] [TIFF OMITTED] T7366A.120
[GRAPHIC] [TIFF OMITTED] T7366A.121
[GRAPHIC] [TIFF OMITTED] T7366A.122
[GRAPHIC] [TIFF OMITTED] T7366A.123
[GRAPHIC] [TIFF OMITTED] T7366A.124
[GRAPHIC] [TIFF OMITTED] T7366A.125
[GRAPHIC] [TIFF OMITTED] T7366A.126
[GRAPHIC] [TIFF OMITTED] T7366A.127
[GRAPHIC] [TIFF OMITTED] T7366A.128
[GRAPHIC] [TIFF OMITTED] T7366A.129
[GRAPHIC] [TIFF OMITTED] T7366A.130
[GRAPHIC] [TIFF OMITTED] T7366A.131
[GRAPHIC] [TIFF OMITTED] T7366A.132
[GRAPHIC] [TIFF OMITTED] T7366A.133
[GRAPHIC] [TIFF OMITTED] T7366A.134
[GRAPHIC] [TIFF OMITTED] T7366A.135
[GRAPHIC] [TIFF OMITTED] T7366A.136
[GRAPHIC] [TIFF OMITTED] T7366A.137
[GRAPHIC] [TIFF OMITTED] T7366A.138
[GRAPHIC] [TIFF OMITTED] T7366A.139
[GRAPHIC] [TIFF OMITTED] T7366A.140
[GRAPHIC] [TIFF OMITTED] T7366A.141
[GRAPHIC] [TIFF OMITTED] T7366A.142
[GRAPHIC] [TIFF OMITTED] T7366A.143
[GRAPHIC] [TIFF OMITTED] T7366A.144
[GRAPHIC] [TIFF OMITTED] T7366A.145
[GRAPHIC] [TIFF OMITTED] T7366A.146
[GRAPHIC] [TIFF OMITTED] T7366A.147
[GRAPHIC] [TIFF OMITTED] T7366A.148
[GRAPHIC] [TIFF OMITTED] T7366A.149
[GRAPHIC] [TIFF OMITTED] T7366A.150
[GRAPHIC] [TIFF OMITTED] T7366A.151
[GRAPHIC] [TIFF OMITTED] T7366A.152
[GRAPHIC] [TIFF OMITTED] T7366A.153
[GRAPHIC] [TIFF OMITTED] T7366A.154
[GRAPHIC] [TIFF OMITTED] T7366A.155
[GRAPHIC] [TIFF OMITTED] T7366A.156
[GRAPHIC] [TIFF OMITTED] T7366A.157
[GRAPHIC] [TIFF OMITTED] T7366A.158
The Chairman. This was also shown. This is from Maryland.
And this was the printout from it. And I would note that I did
see the name Hoyer nine times, so I thought I would mention
that.
Mr. Hoyer. Mr. Chairman, if I could, I want to apologize to
Attorney General Lamone--that was some years ago--for missing
her testimony, although I have a reliable report that it was
excellent and right on point. And I thank you as well, the two
of you who have not the theoretical discussion but the
practical problem of confronting hundreds, indeed thousands, of
voters and ensuring that they are processed in a way that gives
them confidence and does not discourage them from voting and
has voting occur in a time frame that can handle a large number
of people.
Let me say, Dr. Rubin is also here. Mr. Kohno, the graduate
student, is here as well. I think Mr. Williams and Dr. Shamos
have left.
Mr. Chairman, you and I have had this discussion. This is
not an adversarial proceeding. This committee worked together--
Mr. Ney and I, Mr. Larson was very helpful as well, Mr. Dodd
and Mr. McConnell--to try to facilitate voting and to give
voters a greater degree of confidence that they could vote
accurately and that it would be counted. We did not mandate a
technology. We purposely did not mandate a technology.
We did mandate that you could not use Federal dollars to
replace a lever machine or the punch cards because, A, the
leverage machines have essentially gone out of business with no
replacement parts; and secondly, the punch cards have proved to
be one of the least reliable systems; although, as all of us
know, paper ballots themselves are very high up on the list. If
you had just the paper ballot system, they are higher up on the
list of mistakes as well.
We all want to get to the same place, and that is a system
where the voter has confidence, the jurisdiction, whether it be
a county, a State, or a country, has confidence that as a
result that is what the voters intended the result to be.
I think we can do that. I will tell you, I don't think we
can do it between now and November in terms of the technology
that will be available.
So what the Chairman was saying and I think what Mr. Larson
said as well--and I apologize. I apologize. I give a press
briefing every week. But we want to make sure that no voter in
America this year is discouraged from voting. We don't want to
undermine their confidence.
My problem as, Dr. Rubin, you have probably read, and
Senator Dodd's problem is not with the analysis, because you
are an expert and we are not, and we ought to make sure that
whatever technology we use is not subject to being manipulated
and is accurate and fair; but that the debate that is occurring
concerns a number of people, not just those with disabilities,
who are concerned that we will go to a system that does not
provide them as for the first time in history they have been
provided with a mechanism to vote secretly.
Mr. Dixon was in the room, as you know. Mr. Dixon is blind.
He is a wonderful person, a bright, knowledgeable, able person,
and he like every other American wants to go into a ballot
booth and vote, and he wants to know how he votes, and nobody
else, unless he wants to tell them.
Mr. Ney, myself, Mr. Larson, and Senator Dodd and Senator
McConnell were pleased that we mandated that that happen. This
technology, DRE technology, is one of the ways both from a
visual and/or audible standpoint that allows that to happen.
What I am hopeful, Mr. Chairman, is that we proceed in a
manner which will give Americans confidence that we are
pursuing the best technology we can possibly find, using all
the expert advice and counsel. But at the same time, while we
are evolving towards whatever system we arrive at--and my
presumption is that this process will always be evolving
because we will get better technology and better security and
better ways to do things, and that is progress--but that we not
get so animated in our debate that we undermine citizens'
confidence. That would not be a result that I know any of us
seek.
So I apologize, Linda, that I didn't hear your testimony. I
will read it.
And, Ms. Rogers, thank you very much for what you and
Georgia have done. Georgia and Maryland were two of the leading
States in terms of trying to adopt technology.
I want to say, Mr. Chairman, in closing, that--Mr. Ehlers
unfortunately has left, and I didn't want to interject at that
point in time--we do need more money for NIST. I would like to
offer an amendment, adding $2.8 million, which is what NIST
says it needs, to the NIST budget in the Commerce, State,
Justice. You and I have had that discussion. The budget is so
tight. I would like to have them--they get 300-plus million;
2.8 million of that I would like them to use in the short term,
because this is an immediate problem and this could be helpful
to us. And Mr. Ehlers was primarily responsible for NIST being
a part of HAVA. And I think Mr. Ney and I both believe that
that was a very positive suggestion.
But perhaps we can work on that because, again, this is not
an adversary relationship. Everybody wants the same objective.
Everybody. And in that context, as I was telling my good friend
Rush Holt, in that context, people of goodwill, experts and
practical appliers of technology, we ought to be able to get
together and figure out how we can do this, but in the interim
do the very best we can, which in my opinion is going to be far
better than 2000.
There are a lot of other things in HAVA: second-chance
voting, provisional ballots. We are not there yet. But when we
get to on-line statewide registration, interfacing with local
precincts, that is probably going to take us the longest time
and be most expensive in the long run, probably, but that is a
wonderful reform: accessibility of all polling places.
There are some wonderful things in HAVA which do not deal
directly with the technology question, but giving jurisdictions
the ability to afford--Mr. Mica, I disagree with Mr. Mica very
fundamentally. The Federal Government has been on the State
dole since 1789, which means that for over 200 years, we have
not contributed a nickel to the running of Federal elections;
$3.9 billion is a small sum for us to help 55 jurisdictions, 50
States, the District of Columbia, in doing what they have had
trouble doing, because so often they were the last people
considered in the budget process, because elections just seem
to be, well, we are working and we are stumbling along. HAVA
was an attempt to try to empower the States to bring our
elections up to date and to utilize the technology available to
make sure that we accomplished the objectives stated.
And, Mr. Chairman, I know you and I are in 100 percent
agreement that $3.9 billion is a small sum, relatively
speaking. It is how much money we will spend in Iraq. I
supported the authority and I believe our mission in Iraq, if
accomplished, will be a very positive accomplishment. But it is
more money than we spend--it is less money than we spend in
Iraq in 25 days to make America's democracy work better. A good
investment.
The Chairman. Thank the gentleman. And I want to ask some
questions, but I do want to make a statement first, too. You
know, the Help America Vote Act went way beyond the hanging
chads. And I will be frank with you, and I know that
Congressman Hoyer heard this, I heard it; many asked, why do
you want to do something? Let it go. We can't afford it. We
shouldn't do it. We shouldn't change the system.
And I didn't know this until the Bush-Gore election, that
1,800-some votes weren't counted in my own congressional race.
Now, it didn't matter because the margin was so big. But if it
had been close, there would have been 1,700 individuals that
would not have been in the process, would have been
disenfranchised. So I think something had to happen.
HAVA wasn't done on a whim. We would have liked it to have
passed faster. But the process took time. And that is the way
things run. But we reached out also in that bill, Carter--the
Ford-Carter Commission, they contributed to it. We talked to
the NAACP, we talked to election officials, and we reached out
to others. We didn't do it in a vacuum or behind a closed door,
and we especially talked to people on the front line, like all
of you. You are on the front line. You can do good research or
people can do science projects when it comes to these issues.
But the fact remains that you are out there and you see how the
voting system actually works.
That doesn't mean we take this issue lightly or take the
bill lightly. And we don't take the lack of funding lightly
either. And I am hoping within one of these bills--and I think
what Congressman Hoyer said is completely correct and
accurate--we will work toward fully funding HAVA.
As far as the money goes, when this started we went to
Speaker of the House Hastert, and then Leader Gephardt, and sat
down with both the Speaker and Leader Gephardt. Money was not
an issue. We spend $5 billion helping blossoming democracies
around the world, and that is great. So I don't think $3.9
billion is too much to spend on improving our democracy here at
home.
And what the Congressman wants to do is critical to
securing that money, at least here in the house. And frankly, I
don't think any of us will rest, and that includes our Senate
colleagues, until we get all of the money; because you should
have some resources, which the Federal Government has never
before provided.
I think I am going to ask a question. Unfortunately, this
whole debate, and I think most all of you pointed this out,
there is some unfortunate twisting that has happened. A lot of
things have been overshadowed. Comments have been made about
individuals who run these voting system companies who have
supported a Presidential candidate. That is unfortunate that
ever happened. We have to move beyond that and look at what is
going on. And the Election Commission can try to devise ways to
look at the security of these systems.
I know the paper ballots weren't working. And, again, the
main problems our election system has faced throughout the
history of this country have involved paper. But I know the
intentions of election officials--and you did watch in your
States for situations, and you did monitor your respective
election systems. And I think a lot of you have been maligned
unfairly, frankly. It has been twisted. There are people
involved in this debate for the right reasons who are doing
good research. And there are people in the front line. I think
that is why this hearing helps, and helps get issues out on
both sides of this issue.
Mr. Hoyer. Mr. Chairman, would you yield a minute? One of
the things I mentioned, registration. One of the statistics
that was brought before us when we had the hearings on HAVA was
that many more millions of people lost their vote because of
registration issues and technology issues by far, by a multiple
of maybe 3 or 4. I don't think there is a precise number
obviously, but significant. And we ought to keep that in mind,
because as the Chairman said, HAVA has done a lot of things in
addition to this and this is getting all the attention.
But I am hopeful we get voters--I know the election
officials are--but you run the system with 95 percent
volunteers on one day, it is tough not to make mistakes because
it is a human factor. But second-chance voting is essentially
new, and provisional ballots are new, and there are paper
ballots and they have to be set aside and have to be checked to
see whether or not the voter actually is--and I am concerned,
Mr. Chairman, there are different State laws. In HAVA, we were
focused on not empowering the States and not limiting the
States, but I am not so sure we didn't make a mistake by having
State law apply; because some States say if you don't live in
that precinct, even if you may be voting for all the same
people as voting in the next precinct, you can't have a
provisional ballot. I think that is unfortunate.
I don't what the law is in Georgia and I don't know what
our law is on that, Linda. But in any event, registration is
one of the huge problems that we are not as focused on because
we are so focused on technology, and many more millions lost
the opportunity to vote because of registration issues than
because of technology, hanging chads, or other technology
issues.
Thank you, Mr. Chairman.
The Chairman. Two quick questions. I know the Ranking
Member will want to ask questions. What potential unintended
consequences could result from mandating that all DREs be
equipped with a paper trail?
Ms. Rogers. I would be happy to share with you myself, and
I believe Jill as well, I began my career in elections as an
elections worker in the polls way back in the early eighties.
And I can tell you through all my years I worked in the polls
with lever machines and I worked with optical scan equipment, I
firmly believe that the introduction of paper into the polling
place on a busy Election Day is going to cause mass confusion.
It is going to upset voters who don't want attention called to
them if there is a problem. Voters like the ability to stand at
a unit, review their ballots, such as they do with electronic
voting. It shows them what they have voted prior to touching
cast ballot, and they do that in private.
When you vote on an optical scan-based system and you walk
over to put it into the machine, if that ballot has been
overloaded, it kicks it back and might read on the little LCD,
and it might say ``overvoted race 10.'' Well, you have got a
line of voters standing behind you and you, the voter--the poll
worker says, Would you like to take this over and correct it?
Correct what? It is intimidating to the voters.
I am very afraid the paper receipt such as you saw in the
demonstration a little while ago would be mass intimidation to
voters, and I believe the very same to poll workers just based
upon--and that is based upon my own experience as an elections
official. The introduction of paper is going to cause a great
deal of heartache and headache.
The Chairman. Just a scenario here, because it comes to
mind when you are talking. If I get my receipt and I am in the
privacy of the booth, I take that receipt, right? I would have
to go outside.
Ms. Rogers. You would actually take the receipt and then
deposit it into a box on your way out the door. Now, that
scenario gives me a lot of concern, because what is going to
happen when the voter says, You are not having this receipt?
What does the poll worker do then? In other systems, it sort of
sucks it back up into the machine. And given the length of what
you saw, I have seen some that develop that is a 4-inch window
plexiglass. This roll of paper would move behind the glass and
it does 4 seconds where you see the 4 inches at one time. So
the voter would have to quickly view that as it is going
around, and then it would have to not get caught or jammed in
the system. But there are two different components: one you
would drop in the box, and one would stay behind glass.
The Chairman. If I get that in the privacy of the booth and
I come up and you say, Where is your receipt? And I say, It
didn't spit one out. And you say, It had to. And I say No, it
didn't; are you calling me a liar? And I put it in my pocket.
Ms. Rogers. Which could easily happen. That is one of our
greatest concerns over paper receipt.
The Chairman. The other question is, do you believe the
mandatory paper trail would increase the system security? Does
it add anything to security itself?
Ms. Lamone. No, it doesn't in my estimation. I think what
Dr. Shamos said earlier was that testing, testing, testing. And
his idea of having standards that are well thought out and not
voluntary, I think is the way to go. Maryland law requires us
to adhere to the Federal standards. I have no choice, and I do
not rely on the ITA report solely for our security analysis. I
think it would add more trouble than, frankly, what it is
worth.
There is emerging technology out there, whether it involves
a piece of paper that the voter can then go and verify post-
election that their vote was accurately counted, but it is all
encoded, it doesn't have names on it. And there is also some
electronic technology that is coming about that would provide
us with a better opportunity to audit the election and make
sure that the equipment was performing.
The Chairman. You know, I remember speaking with one of the
companies that produces voting systems. This company doesn't
produce a receipt and they don't want to produce a receipt. But
one of the companies that I saw in a meeting told me, Look, we
can produce a receipt. We don't think it ought to be used
though. We don't think that that gives the security that people
believe it will.
And so therefore, that is why I think we should take this
seriously and we should have some ability to check machines to
see if there is fraud, which you all have done, including in
Maryland, where you haven't gotten credit for it, but you have
done it. But we should do that, because the movement now has
been towards, well, forget machines, this should be all paper.
Isn't it true, too, if you could manipulate the machine,
you could manipulate the paper? If you fix the machine, the
paper comes out. So it is still an issue, the machine's
integrity, which we should take seriously.
And wrapping up my questions I have for Ms. Lavine, just
about that pilot which Sacramento County used, the DREs, which
produced a voter-verified paper trail. The pilot took place
during early voting prior to Election Day.
Ms. Lavine. Yes, it did.
The Chairman. Would the conditions have been different if
it had been an Election Day, do you think?
Ms. Lavine. We were going to just to try the system. We
didn't want to do a full rollout in every single polling place.
We wanted to keep it controlled. That is why we only had it for
early voting in certain locations. We were able to have an
authorized technician from Avante at each single polling place.
And if we had done a full rollout on Election Day, there was no
way we could have had a technician at every one of our polling
places.
The Chairman. You had six polling places, so you could have
six technicians?
Ms. Lavine. Yes.
The Chairman. How many polling places do you have in the
county?
Ms. Lavine. Normally over 800.
The Chairman. You couldn't have 800 technicians.
Ms. Lavine. And we wouldn't have had that many experienced
personnel either. We staffed from our office to make sure we
had someone there that knew the ins and outs.
The Chairman. How much longer did it take to vote in these
six polling places?
Ms. Lavine. It didn't take that much longer to vote. It was
the verifying of the receipts. But most voters who were in a
hurry--many voters didn't want to stay, and left. So they just
said, No, I am not interested, go ahead and do whatever you
want to do with it.
The Chairman. You said 127 hours?
Ms. Lavine. One hundred twenty-seven and a half hours to
verify. We did the manual recount verifying what was the paper
versus the electronic. And when you pull out those long pieces
of paper, they start curling like Goldilocks' curls, and you
are holding down both ends. We did them in teams of two to
verify the electronic count. To read back and forth and no way
to quickly read the paper ballot, it took that long to verify
only 114 of the ballots. We didn't do the entire project.
The Chairman. How many ballots were included in the six
polling places?
Ms. Lavine. One thousand six hundred twelve ballots.
The Chairman. What would you have on an Election Day?
Ms. Lavine. Close to 300,000.
The Chairman. Why was the system not adopted?
Ms. Lavine. There are many things. At that point, the
Secretary of State had not come out with his decision on
whether it was necessary to have the paper verified, voter-
verified paper audit trail. We cancelled the RFP that we were
in the process of, and we were waiting for things to settle
down a little bit to see which way the wind was blowing.
The Chairman. If you had a thousand ballots, it took 127
hours. Statistically, it would take how long? Just a
guesstimate.
Ms. Lavine. I didn't figure that one out.
The Chairman. I would assume a long time.
Ms. Lavine. Longer than the 30 days that we have to verify
an election.
The Chairman. For a thousand ballots--how many ballots do
you normally get?
Ms. Lavine. I am sorry.
The Chairman. You have a thousand ballots.
Ms. Lavine. Only 114 ballots that we counted.
The Chairman. And it took 127 hours? If you add 3,000 it
could take months.
Ms. Lavine. We have 300,000.
Ms. Lavine. Years.
The Chairman. Years.
The Chairman. Mr. Larson.
Mr. Larson. Let me thank you for your enlightening
testimony. And before I ask just a couple of rudimentary
questions as they relate to the monies, I want to go back and
emphasize something that our distinguished leader said, Mr.
Hoyer, that in looking at this issue, it is especially
intriguing from a scientific and technological aspect but
equally compelling in terms of the practicality of putting
these things into practice.
I want to commend Dr. Rubin. He said in his testimony in
weighing what we have all been discussing this morning, his
duty and responsibility to speak out, and I commend him for
that because I think that is what enriches our process. That is
what allows us to get to the heart of the matter.
And the first panelists--the goal was, from my perspective,
was to lead people towards a practical consensus. I think it
has been further enhanced by your testimony this morning. My
questions deal specifically with the monies that you are
receiving and have been appropriated under HAVA. Have they been
fully utilized and are they helpful and how will they relate to
what we talked about before in terms of training--which, Mr.
Hoyer called you Attorney General Lamone--but how do they
relate to how you have been able to--you gave elaborate
examples of everything that Maryland has done and I assume
Georgia has done. I am concerned how this money--and of course,
I share with Leader Hoyer and our distinguished Chairman the
concern about getting additional monies out there to accomplish
what I believe was the consensus of the first panel, that what
we need is testing, testing, testing, training, training,
training. But conceptually, I had thought about when we were
talking about a paper ballot, I thought we were talking about a
card, something that was readily available and handy. And
obviously your demonstration of about a 10-foot long paper
ballot and all the ensuing problems that that creates is a
compelling visual demonstration that deals away from the common
idea; because you know, we have been comparing this verbally to
receiving a receipt from an ATM machine, which is quite
different when you contrast this. Not that I don't think
technologically that could be overcome in the future, but we
are dealing with the practicality of a November election.
So my questions are: One, the monies that you are
receiving; how are they being expended? Are you utilizing them?
I have a special question for California, because we did have
the opportunity to meet with Secretary of State Shelley, and
Leader Pelosi arranged everything. Mr. Hoyer and myself were
able to go to that. And I know there was a question of
decertification, but Mr. Shelley went to great lengths to say
that, yes, but he did that so there would be an opportunity to
correct the--what was wrong, what they had detected as being
wrong with machines. And I want to know how that process has
gone.
We also heard some indication from Georgia that some of the
monies that were coming down from HAVA might be used by the
State to address Medicare issues. And I want to know if that
was something that was misreported. But I do think--especially
given the scarcity of funds and the need for us to focus on
this issue, how that is all taking place. If you care to
respond.
Mr. Hoyer. Thank you for allowing me to participate.
Unfortunately, I have to leave, but I want to thank you and Mr.
Larson for your leadership on this issue. And I think these
hearings are important to see what we have done and what we are
doing and what we need to continue to do to accomplish the
objectives. And I want to thank all of the witnesses, who I
think were all very good witnesses. Good information, and we
will digest it and take such action as we deem to be
appropriate.
[The statement of Mr. Hoyer follows:]
[GRAPHIC] [TIFF OMITTED] T7366A.159
The Chairman. If it wasn't for your perseverance, we
wouldn't have the bill.
Ms. Lamone. I will go with the first question. I think I
can state for every jurisdiction in the country and the
territories that the money is more than welcome, but it is not
enough. The unintended consequences of what is going on with
this discussion about security and training, testing, and so
forth, at least in Maryland, I am expected to use the Federal
money first. So here we have got all these other things we have
got to do under HAVA, 13 different mandates, and I am sapping,
I am draining the money, the HAVA money off to do all this
other stuff that I don't think anybody anticipated a year and a
half ago. That is not to say it is not important, but it is
unfortunate because I still have major projects to do, namely
the voter registration system.
There is going to be a time of reckoning, if there are no
more Federal dollars appropriated, when the State is going to
have to cough up additional funds.
Mr. Larson. And the voter registration problem is one that
Mr. Hoyer points out where the greatest number of people ended
up being turned away from voting; is that not correct?
Ms. Lamone. Yes. Nationally, that was correct. I am not
sure that that is the case in Maryland. But we do think
differently in Maryland than some of the other jurisdictions.
But to answer your question, we got a lot of money and it
is not going to be enough anyway, and we are being forced to
use it for unintended expenditures.
Mr. Larson. If I could play devil's advocate and be Mr.
Mica for a second, what is enough money in your estimation?
What would Maryland need?
Ms. Lamone. I think the Department of Legislative Services,
which is the advisory group for our Maryland General Assembly,
estimated between 100 million to 130 million for Maryland to
complete all the tasks and make the payments in the outyears.
It is a little bit over twice of what we have gotten.
Mr. Larson. Would the same be true for Georgia?
Ms. Rogers. We believe if we were to receive the full
funding that HAVA initially allotted, we would be able to cover
all the mandates of HAVA.
Mr. Larson. What about the commingling of funds? Is this a
temptation of States to use--you are smiling, so I take it----
Ms. Rogers. I read the same article that you did. In
Georgia, our State legislature okayed $54 million in bond
funding prior to HAVA ever being enacted. We reimbursed--when
we got this last bit of money, we reimbursed our State
Treasury. Now they are going to use that money, I assume they
are going to use that money to pay down the bond debt. But a
great deal of that bond debt had already been paid. It leaves a
chunk of money that the Treasury then has.
I believe what you read may have been how the State is
going to use the reimbursement once they already pay the bond
funding.
Ms. Lavine. I work on the county level so I am not sure how
much the State would need. We also--in California we were able
to pass a voter bond that allowed us to have some money in our
county and throughout the State. So we have been fortunate that
we have got--I don't want to say enough money--but we probably
have more than some of the other States have.
Mr. Larson. Pretty much unanimous consent amongst the three
of you that if we were to put technologically a draft on the
DREs' paper trail, that that is realistically not something
that would--that is going to fulfill the mission come this
election in November; is that fair to say?
Ms. Rogers. In Georgia we have determined that it would
cost us $16 million to retrofit our equipment for the addition
of a paper trail to do that statewide. We don't think that is a
good use of our HAVA dollars. And we don't have $16 million of
HAVA money left at this point to do so.
Mr. Larson. I seem to garner from your testimony that you
thought that the problems that were raised--not the least of
which is the potential for the machine clogging, people
reviewing, the time that could be allotted, people just walking
away because that is what they are used to after they cast
their vote because they have got to get back to work or
whatever--becomes more problematic. Is that a fair assessment
to say?
Ms. Rogers. I think so.
Mr. Larson. What about the decertification issue?
Ms. Lavine. Because of the decertification, since
Sacramento County did not have a DRE in March, we are not
allowed to even purchase one in December. We are going to go to
an optical-scan system for November. With all the legislation
that is being passed, until there is a system with a paper,
accessible voter-verified paper audit trail, we are not even
allowed to purchase one.
Mr. Larson. You may have heard Dr. Rubin's testimony
earlier where he seemed to come up with a process that was
different than the ones that you have testified to. And again,
I am not a scientist. I am not someone who--what Professor
Negroponte used to call one of the digitally homeless in many
respects. So I don't want to mischance what he said. But it
seemed to me he had a more compact and precise way of using
that, though I think he testified that that is something that
wouldn't be ready for this election cycle. I am wondering if
you heard that and what your reaction might be long term with
respect to the--at the heart of this argument, it is hard to
deny when I face groups and they say, Well, what is the matter
with trust but verify, or trust everyone but cut the cards, and
being able to have that, know that you voted for that. And of
course, it is a very logical assumption until you meet--come
face to face with the practicality of its implementation and
then all the ensuing fallout that has been mentioned, whether
it is the disability community or others.
Mr. Shamos testified that he thought there would be a way
to do that down the road, but it doesn't seem as though--
clearly, it is not possible for November. But what is your
sense about where we need to go for the future, and are these
practical ways?
Ms. Rogers. Well, let me first address what I heard Dr.
Rubin talk about in that--you would. Instead of seeing that
paper receipt, there is a possibility of printing it out. It
probably would be an 18-inch-long ballot. These are just
concepts. No one has developed anything like this. It might
have like, if you voted on an optical scan, an 18-inch piece of
paper. I have seen a prototype where this would come up at the
same time you are viewing your ballot on an electronic machine,
and then you would look at it, as you looked at this side, you
look at this side, and once you verify it, you would hit print
and it might print out on card-stock paper. Understand that
card-stock paper that you are currently printing an optical-
scan ballot on goes for about $0.35 a piece. Each voter would
have this card-stock paper. It would come out. They would
verify it and then they would take it to an optical-scan
tabulator and vote, putting it into the tabulator, which gets
back into the same scenario we talked about a little while ago.
You have one of those per every precinct, versus having one
voting booth with electronic capability for each voter. That in
itself is two separate voting systems with two separate
problems.
And what I have heard knocked around is these need to be
from different vendors as well. You may not want them to be the
same vendor. You have to get two vendors to work together for
their software to integrate together, and there is a lot of
proprietary concerns over that. But the biggest problem, one I
don't think this money is growing on trees, and that is a whole
lot of money.
Mr. Larson. Do you ever feel that when all of these
proposals are being made, that maybe what we ought to do is
convene you all first?
Ms. Rogers. We would appreciate that.
Mr. Larson. My final question has to deal with this New
York Times article that I think makes an awful lot of sense.
[The information follows:]
[GRAPHIC] [TIFF OMITTED] T7366A.160
[GRAPHIC] [TIFF OMITTED] T7366A.161
[GRAPHIC] [TIFF OMITTED] T7366A.162
[GRAPHIC] [TIFF OMITTED] T7366A.163
[GRAPHIC] [TIFF OMITTED] T7366A.164
Mr. Larson. You heard Dr. Shamos refer to it. The article,
though you may not have read it, essentially said we ought to
make sure when it comes to voting that we are going
procedurally from a security standpoint and from testing, et
cetera, that we provide the voters with the same kind of
security that is provided in the casino industry for the
integrity of slot machines. We ought to make sure that the
security is there as well.
I am gathering from your testimony that you wouldn't
disagree with that but what you need for that is the money in
the independent verification. Is that fair to say?
Ms. Lamone. And we need--for the country to be comfortable,
we need to have standards that everybody must follow and we
need to have somebody looking at the software, like I mentioned
before, in establishing a baseline for the security issues,
telling the States what risks were identified and maybe how to
mitigate them, just like we did in Maryland with those two
reports.
Last year it was just a fun-filled year with all the
security reports coming out. Election officials don't have that
expertise. We know how to run an election but we are not
security experts, which is why I now have security people on my
staff. And then you would have some assurance that the country
using X vendor system is all addressing the same issues and
hopefully around the same ways.
Mr. Larson. You would agree with Mr. Rubin that they should
be independently evaluated also, not evaluated by the vendors
themselves?
Ms. Lamone. No, no. I think NIST is an appropriate vehicle.
And I for one am so glad HAVA was enacted and glad that NIST is
involved in the process, because it does provide us with a lot
of weapons that we never had before.
Mr. Larson. I want to thank you all. I think you have been
terrific. And I thank the Chairman again for his leadership on
this important issue. He rarely takes the bows that he richly
deserves, but he has been a leader in this area in passing what
I believe is historic and landmark legislation; like all
legislation, not ones that we can't further perfect as we go
along, but given the circumstances and the times and trying to
put this in order and having to buck a trend, he deserves an
enormous amount of credit. And thank you for providing these
hearings and providing people with the opportunity to voice
their concerns so we can better implement the laws of HAVA.
The Chairman. Thank you. I want to thank my cousin in the
back of the room applauding for me. I want to thank you. And I
want to thank all the people across the country that worked on
this and gave the input to get HAVA to where it is today. I
thank our witnesses who worked hard to prepare for the hearing.
We had two great panels.
I thank Congressman Larson for his diligence and his staff,
and the members and other members of the committee and their
staffs, for their work on this.
I ask unanimous consent that members and witnesses have 7
legislative days to submit material into the record, and those
statements and materials be entered in the appropriate place in
the record. Without objection, the material will be entered.
I ask unanimous consent that staff be authorized to make
technical and conforming changes on all matters considered by
the committee today. Without objection, so ordered.
And, having completed our business, the hearing is
adjourned.
[Whereupon, at 2:15 p.m., the committee was adjourned.]
Chairman Ney's Response to the New York Time Editorial of June
11, 2004
In a recent editorial (``The Disability Lobby and Voting,''
Jun. 11, 2004), the New York Times disgraced itself by making
slanderous attacks against representatives of the disability
community who have opposed legislation that would require
electronic voting systems to produce a voter-verified ``paper
trail.'' The editorial states that this opposition, which the
New York Times believes is disproportionately influential, is
most likely due to contributions that groups like the National
Federation of the Blind (NFB) and the American Association of
People with Disabilities (AAPD) have received from voting
equipment manufacturers. In other words, the New York Times is
more or less alleging that the representatives of these groups
are selling out their own constituents as well as the American
electorate in exchange for a pay-off.
This is simply outrageous. As a principal author of the
Help America Vote Act of 2002 (HAVA), I had the opportunity to
work closely with both NFB and AAPD as this legislation was
being developed. Thus, I know from first-hand experience of
their commitment to improving the election process not only for
those they directly represent but for all Americans as well.
Their input added greatly to a landmark piece of legislation
that will substantially improve our nation's voting system for
generations to come.
People of good will have honest disagreements about the
advisability of requiring electronic voting systems to produce
voter-verified paper records. Groups like NFB and AAPD, as well
as many other respectable voices in the technology and election
administration communities, have legitimate concerns about
whether such a requirement would compromise the privacy and
independence of voters, add unnecessary expense to the process,
and do nothing to buttress the integrity of the election
system.
Unfortunately, the New York Times refuses to even
acknowledge that reasonable opponents of a paper-trail
requirement even exist. Instead, it implies that only those who
have corrupt motives or have been bought off could possibly
oppose such a requirement.
The editorial also smears my good friend, Senator
Christopher Dodd, by implying that there is something untoward
about him appointing Jim Dickson, head of AAPD, to the Advisory
Board of the Election Assistance Commission after the AAPD had
awarded the Senator with its Justice for All Award. This
perception of a conspiracy around every corner is beginning to
descend into the paranoid depths occupied by Oliver Stone and
Michael Moore. This is unbecoming of an institution as
venerable as the New York Times, and the American public
deserves better.
The whole issue of electronic voting system security is
extremely important and very complex, and the committee I chair
will continue to examine it closely. Thus, there is a need for
a healthy debate on this issue. However, that debate is
impoverished when a voice of prominent as the New York Times'
slurs opponents of its positions with outlandish speculation
and unfounded charges. What is needed is more reasoned dialogue
and less character assassination.
�