[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]



 
                   ELECTRONIC VOTING SYSTEM SECURITY

                              ----------                              


                        WEDNESDAY, JULY 7, 2004

                          House of Representatives,
                         Committee on House Administration,
                                                    Washington, DC.
    The committee met, pursuant to call, at 11:00 a.m., in room 
1310, Longworth House Office Building, Hon. Robert W. Ney 
(chairman of the committee) presiding.
    Present: Representatives Ney, Ehlers, Mica, Larson, 
Millender-McDonald, and Brady.
    Also Present: Representatives Hoyer and Holt.
    Staff Present: Paul Vinovich, Staff Director; Matt 
Petersen, Counsel; Payam Zakipour, Professional Staff Member; 
George Shevlin, Minority Staff Director; Charlie Howell, 
Minority Chief Counsel; Matt Pincus, Minority Professional 
Staff Member; Catherine Tran, Minority Professional Staff 
Member; Thomas Hicks, Minority Professional Staff Member; and 
Kellie Cass-Broussard, Minority Professional Staff Member.
    The Chairman. The committee will come to order. I am going 
to begin my opening statement. Mr. Larson is on his way and we 
have Mr. Ehlers. The committee is meeting today to discuss 
electronic voting system security, an issue that has garnered 
extensive media attention and produced impassioned opinions on 
all sides in recent months. Hopefully, this committee hearing 
will be able to shed some light on a matter that has certainly 
generated plenty of intense heat across the Nation. After the 
controversial presidential election of 2000, in which the term 
``hanging chad'' became part of the national lexicon, Congress 
enacted and President Bush signed the Help America Vote Act, 
known as HAVA, to help restore the American public's confidence 
in the Federal electoral process. The goals of HAVA are simple: 
to ensure that all eligible Americans have an equal opportunity 
to vote and have their votes counted, to protect against legal 
votes being cancelled out by illegal votes, basically making it 
easier to vote and harder to cheat.
    To accomplish these objectives, HAVA established new voter 
rights providing for second-chance voting, provisional ballots 
and enhanced access for individuals with disabilities; 
specifies new voting standards, requires each State to 
implement a computerized statewide voter registration database; 
and requires each polling place to publicly post certain voting 
information, such as sample ballots, instructions regarding 
provisional ballots and polling place hours. To address issues 
relating to the security of voting technologies, HAVA creates 
the Technical Guidelines Development Committee (TGDC) chaired 
by the director of the National Institute of Standards (NIST) 
to aid the Election Assistance Commission in crafting standards 
and guidelines to ensure the integrity of computer technology 
being used in current voting systems. Furthermore, HAVA 
provides for the testing and certification of voting system 
hardware and software in accredited laboratories.
    Following HAVA's passage, many jurisdictions began making 
plans to replace outmoded voting machines with the latest and 
most technologically advanced electronic voting equipment. 
These direct recording electronic (DRE) voting systems have 
been widely touted as easier for voters to use, thus resulting 
in fewer spoiled ballots, and, unlike most other voting 
systems, are capable of allowing individuals with disabilities 
to vote in a private and independent manner, sometimes for the 
first time in their lives.
    Not everyone is excited about the prospect of widespread 
electronic voting, however. Over the last year, several 
technology specialists, concerned citizens, and media outlets 
have raised serious concerns about the security of DRE voting 
systems. These critics contend that DREs contain insufficient 
safeguards to protect against potential efforts by malicious 
software programmers or computer hackers to skew the results of 
an election. Moreover, the critics argue that DRE malfunctions 
or technical glitches could result in scores of votes being 
lost without any possibility of retrieval.
    To address concerns surrounding the security of electronic 
voting, a number of different bills have been introduced this 
Congress that would require DRE voting systems to produce a 
voter verified paper record--a paper receipt listing the 
choices made by the voter. I have not supported any legislative 
proposal as of today that would amend HAVA to require DREs to 
produce paper receipts. As I expressed in a Dear Colleague 
letter co-signed by my friend Congressman Steny Hoyer and by 
Senators Mitch McConnell and Christopher Dodd, I believe it 
would be premature to amend HAVA at this time before the new 
law has been fully implemented. Doing so could undermine the 
process established by HAVA for the EAC to develop standards 
and guidelines for voting systems security.
    My reservations about amending HAVA to require paper 
receipts, however, in no way lessens my interest in assuring 
that DRE voting systems meet the most rigorous security and 
operational standards. The American people demand and deserve a 
voting process in which they can have full confidence, and I 
will do everything in my power to guarantee that they do.
    For this reason, the committee has called today's hearing 
to hear from a wide range of technology specialists and 
election administrators to learn more about the issues relating 
to voting system security. Over the course of the hearing, we 
will gain a greater understanding about the security measures 
that DRE voting systems currently have in place and whether 
they are sufficient to protect against hackers and technical 
malfunctions. In addition, we hope
to learn more about whether voter verified paper trails are 
necessary to protect the integrity of the voting process or 
whether there are other alternatives that can be used. So I 
look forward to hearing from the witnesses and I will yield to 
our ranking member.
    [The statement of Mr. Ney follows:]

    [GRAPHIC] [TIFF OMITTED] T7366A.001
    
    [GRAPHIC] [TIFF OMITTED] T7366A.002
    
    Mr. Larson. Thank you, Mr. Chairman. I would like to thank 
you for calling this second of two hearings on a very important 
topic of elections. The 2000 presidential elections brought to 
light many problems with the elections process. We heard 
reports of wide range of voting frustrations, most common were 
punch cards with hanging and pregnant chads and voters who were 
turned away from the polls without being given the opportunity 
to cast a ballot.
    This committee has worked tirelessly to enact the Help 
America Vote Act as a solution to these and other election 
concerns. As a result of HAVA, $650 million was provided to the 
States to replace lever and punch card machines for more modern 
voting equipment. HAVA does not mandate the type of voting 
equipment a jurisdiction must use. The decision is left to the 
States. A few States have opted to require, as the chairman has 
pointed out, direct recording electronic machines to replace 
lever and punch card voting equipment. DREs have been in use 
for elections for over 20 years. According to the 2001 MIT Cal 
Tech study, DRE machines have a lower residual rate than punch 
card, lever and optical scan machines. DREs are also fully 
accessible to disabled voters and they can be modified to the 
language of voters who may not be proficient in English. An 
increase ballot font-sized component of the machines can assist 
voters with vision difficulties as well.
    Although some view DRE machines as a panacea for Election 
Day problems, several computer scientists and advocates have 
called for a return to paper ballots. I am interested in 
hearing the witnesses' thoughts on the practicality of 
implementing a paper trail, and if they believe there is a 
security problem with DRE machines; and if so, is a paper trail 
the best answer.
    In addition, I would like them to discuss if human factors 
are being addressed within DRE machines. Is the answer to most 
of these perceived problems better training for poll workers? I 
read about the unplugged machines and inadequate training for 
the process involved in restarting the machinery. But the 
bigger issue to explore is if electronic voting system security 
is the most significant problem facing this election or is 
there a more pressing issue facing us in this election. The MIT 
Cal Tech study also stated that difficulties with registration 
were the number one problem with the 2000 elections.
    Between 1.5 and 3 million voters were turned away from the 
polls without casting a ballot on Election Day 2000. I would 
like the second panel of today's witnesses to highlight the 
steps that are being taken to ensure that all aspects of HAVA 
are being followed in order for the American people to have the 
best election possible this November. My concern is that all of 
the attention that is being given to voting security will 
inadvertently suppress voters coming to the polls if they feel 
their votes will not count; what steps election officials are 
taking to fix registration problems; will they have enough 
provisional ballots for the voters.
    Two-thirds of the public will vote on the same type of 
equipment they used in the year 2000. I would like the second 
panel to review what is being done to ensure that all the 
voting equipment is secure; what steps are being taken to 
inform the public that DRE machines are counting ballots 
correctly. I am also interested in hearing the witnesses' 
assessment of the New York Times' editorials calling into 
question the views and actions of the Senior Senator from 
Connecticut and one of the chief authors, Chris Dodd and Jim 
Dickson, the Vice President of Governmental Affairs for the 
American Association of People with Disabilities who are trying 
diligently to improve the election process.
    Mr. Chairman, I want to thank you and also note that we 
have two distinguished colleagues joining us today, both the 
co-author with you of the HAVA bill here in the House, my 
distinguished leader Steny Hoyer, and probably one of the most 
knowledgeable people in the House, and I dare say the country, 
with respect to the issue of electronic voting and paper 
ballots, Rush Holt, a scientist and physicist, as Mr. Ehlers 
likes to point out, and a five-time jeopardy winner as well.
    So we are graced by their presence and I thank the 
panelists as well because this is such an important and 
critical issue to each and every one of us here today.
    [The statement of Mr. Larson follows:]

    [GRAPHIC] [TIFF OMITTED] T7366A.003
    
    [GRAPHIC] [TIFF OMITTED] T7366A.004
    
    The Chairman. I guess the ranking member Congress is 
insinuating that Congress is a little bit like jeopardy?
    Mr. Ehlers.
    Mr. Ehlers. Thank you, Mr. Chairman. And thank you for 
having this hearing on a very important topic. It has reached 
the popular press. There is an article in PC World this month 
entitled ``Is E-voting Safe?'' so obviously, people are 
beginning to worry about it and their conclusion is, as many of 
us have concluded, not totally safe. We clearly have to do a 
better job of ensuring the security, reliability, usability and 
verifiability of electronic computers in voting. And I don't 
want to go into all the details, but I am very concerned as 
someone who has programmed computers and who understands how 
one could hack these or change results or flip votes, as the 
case may be.
    This clearly is an area of concern. The closed source code 
is one of the problems, because something may have been 
inserted in the source code, which would allow a flipping of 
votes. But there are many other problems and issues that have 
to be addressed as well. So I thank you for holding this 
important hearing. I look forward to hearing from the 
witnesses, some of whom I have heard from before. And I hope 
that we learn something from it. Let me add one other factor. 
One of the biggest disappointments in HAVA to me has been the 
lack of funding for the National Institute of Standards and 
technology to set the standards. And once again, we are going 
to have a bill on the floor today, which does not provide 
funding for the National Institute of Standards and Technology 
to set the standards and make--and to me that is one of the 
most important things we should be doing because we have to be 
concerned that these machines work properly, that they are not 
tinkered with, that there is no fraud, either intentional or 
accidental that is taking place.
    And so I hope with the assistance of Mr. Hoyer, who is on 
the Appropriations Committee and some of my other friends, that 
we can change this as the appropriations bill goes through the 
process and provide adequate funds for the National Institute 
of Standards and Technology to lend its expertise to this 
issue. I yield back the balance of my time.
    The Chairman. I would note the gentleman, Mr. Hoyer--and we 
set this last hearing on the overall issue--has been diligent. 
And when we put this bill together--I am speaking we, 
everybody--we didn't want an unfunded mandate. And we have had 
parts of the funding due to Mr. Hoyer's diligence and the 
Speaker and other people who have been active on this, such as 
Senator Dodd and Senator McConnell. But there is more to do. 
And as we said at the last hearing, it has to happen. It just 
absolutely has to happen. Mr. Brady.
    Mr. Brady. Thank you, Mr. Chairman. I do want to recognize 
and thank our leader, Steny Hoyer for being here and keeping up 
his participation and his interest. And it is also enlightening 
to accommodate a fellow member, Mr. Rush Holt that asked to 
speak, but I also have to respect our chairman and ranking 
member who would have this place filled up with 430-some of us 
that all want to talk on this issue. I have to recognize the 
knowledge that you have in this field and also the bill you 
have in front of us and you experienced it firsthand in your 
election. And I do appreciate your participation and your 
interest. Thank you, Mr. Chairman.
    The Chairman. Mr. Mica.
    Mr. Mica. Thank you, Mr. Chairman, and I thank you for 
holding this hearing. Our Committee on House Administration has 
an important responsibility to see that our election system 
works. Quite frankly, I am a bit frustrated by our continuing 
to throw money at some of these problems. I have always viewed 
the elections responsibility as that of State and local with 
Federal participation where we can assist. One of the things we 
don't have any problem with in Congress is throwing huge 
amounts of money at problems. And I think we started off with 
$3.9 billion for this program. And we have adopted some 
systems, for example, electronic voting and also optical 
readers replacing punch cards that were used in Florida and 
other places and lever voting equipment. With new technology 
like cell phones----
    The Chairman. Was that the President?
    Mr. Mica. Actually, I have very strict instructions. It 
could have been the President. But it wasn't, it could be the 
Secretary of Transportation. I am heavily involved with issues 
there. But the most important person is my septic tank 
operator.
    The Chairman. We will move on with the topic.
    Mr. Mica. In our business you have to put things in 
priority. But, again, we spent a lot of money. I did not 
support this, the act or the huge amount of money that we threw 
at the problem. In Florida, I participated in some of the 
recount. And I saw that in one of my counties, we had optical 
readers which we are spending a portion of this billions of 
dollars to replace punch cards and also lever, old lever 
equipment, which actually don't work that badly when you look 
at some of the problems we have seen with the newest equipment. 
But I remember looking through hundreds of ballots. And the 
optical reader is a very simple thing. It has an arrow like 
this and you just fill in this little space here.
    Now that seems like a pretty darn simple thing to do. And I 
am telling you, hundreds of people--they circled entire areas. 
They x'd down through. They destroyed a ballot. Unfortunately, 
I think what you need is a more intelligent electorate. So we 
are replacing this equipment--we are replacing this equipment 
now and there is less than 1 percent error rate improvement in 
putting these machines in, and we have got the electronic 
equipment that this hearing is about. We found now we are 
buying this very expensive electronic equipment. And I think it 
was in Virginia, the dummies didn't plug the machines in. So 
now we have to pay for training courses to plug these in.
    My cell phone just went off and having been in the 
communications and cellular business, I know all the problems 
you can have with electronic equipment. And I can tell you we 
will be back here to fund auxiliary power units to ensure that 
the backup to run the paper trail or the electronic equipment 
that was to replace the equipment that we just spent other 
money on. So I would like to see the system work. Some of the 
best equipment is actually the lever equipment, the most 
primitive, but some of the most accurate that was ever produced 
and we are replacing it, again, at great expense.
    So I am discouraged that we have spent a lot of money on a 
system that doesn't work. I think we have got to do a much 
better job of educating people. And no matter what system you 
put in place, you are going to have problems in the future. And 
there will be people who will use that equipment, whatever we 
put in and misuse it and their vote will not be counted. It has 
been that way. It is that way. And it will be that way. So I 
thank you for holding this hearing and I hope without spending 
too much hard earned taxpayer money, we can find some solutions 
that work. Thank you.
    The Chairman. Thank the gentleman. On the first panel, we 
have Dr. Avi Rubin, Professor of computer science at Johns 
Hopkins University; Dr. Brit Williams, professor of computer 
science and information technology at Kennesaw State 
University; Tadayoshi Kohno, computer security expert with the 
computer science and engineering department at the University 
of California at San Diego; and Dr. Michael Shamos, Professor 
in the School of Computer Science at Carnegie Mellon 
University. I want to welcome all of you to the Hill.

 STATEMENTS OF AVI RUBIN, PROFESSOR OF COMPUTER SCIENCE, JOHNS 
 HOPKINS UNIVERSITY; DR. BRIT WILLIAMS, PROFESSOR OF COMPUTER 
SCIENCE AND INFORMATION TECHNOLOGY, KENNESAW STATE UNIVERSITY; 
TADAYOSHI KOHNO, COMPUTER SECURITY EXPERT, COMPUTER SCIENCE AND 
ENGINEERING DEPARTMENT, UNIVERSITY OF CALIFORNIA AT SAN DIEGO; 
   AND DR. MICHAEL SHAMOS, PROFESSOR, THE SCHOOL OF COMPUTER 
             SCIENCE AT CARNEGIE MELLON UNIVERSITY

    The Chairman. And Dr. Rubin, we will start with you.

                     STATEMENT OF AVI RUBIN

    Mr. Rubin. Good morning, Chairman Ney, Ranking Member 
Larson, and members of the committee. My name is Avi Rubin and 
I am a computer science professor at Johns Hopkins University. 
I am going to start with two things that may surprise you in 
order to highlight the points that I think are important. I am 
not fundamentally against electronic voting. The second is that 
a DRE retrofitted with a paper trail is not necessarily the 
best kind of voting machine that we can have. There are ways to 
design and build systems so that those who make and those who 
administer the machines will have a tough time cheating.
    Today, DREs are not being produced this way. The advantages 
of a well-designed system is that they do not require complex 
procedures in order to ensure security. They take control of 
the outcome out of the hands of the manufacturers and the 
vendors and they take into account the needs of users including 
special needs users. The elements of such a system are 
transparency in the form of open code, so people can see what 
is going on inside of a machine. Independent audit, that is an 
audit that is not controlled by the designers of the system 
peer review, which is fundamental to computer security and 
usability system to make sure everybody who needs to use the 
machine can use it and it is designed appropriately. There are 
many attractive features of DREs that are often touted: 
Accessibility for those who do not speak English as the primary 
language or for blind people; user friendliness of the 
machines; the ability to catch undervotes and warn the voter 
and the ability to prevent overvotes and the results are 
available immediately.
    If I were given these requirements and asked to design a 
voting machine with these properties, it would not be like 
today's DREs. My focus is always security, but you can achieve 
all of the properties that I just mentioned much more securely.
    Here is how I would design a voting machine. The machine 
would be as accessible as a DRE. It would be as user friendly. 
It would warn about undervotes. It would prevent overvotes. But 
there would be some big differences. Meaningful recounts would 
be possible, it would be incredibly difficult for a vendor to 
rig the election, and voters would be able to have confidence 
in how their vote was recorded.
    Now the interface, as far as a voter is concerned, would be 
the same as a DRE, but I would name the machine a ballot 
preparation machine. You walk up to the machine, and you have 
exactly the same experience you would with a DRE. You touch all 
your selections, but at the very end of the experience, instead 
of ``cast vote,'' you would push ``print ballot,'' and the 
machine would output a card maybe similar to a boarding pass 
you would get at the airport these days or, if there were a lot 
of choices, maybe it would be an 8-by-10 card and that would be 
the ballot.
    The voter would review the ballot to see if their markings 
and their choices corresponded to what they intended; and, if 
it did not, there would be a shredder available to shred that 
and they could do it again. Perhaps they made a mistake or 
perhaps something was wrong with the machine. In either case, 
it would be good to know that.
    Now we have a separate problem on our hand, a completely 
separate issue, which is how do we count the ballots. Some 
places say, well, we have these paper ballots. We have had a 
simple election. Let us count them by hand. Other places may 
say our ballots are too complicated. What we can do is feed 
them into a completely different unit which would be an optical 
scanning unit that could read it in and count the votes.
    You may say, well, that is a computer, too. I would respond 
I am not opposed to electronic voting. The difference is if you 
optically scan these things, you are dealing with a much 
simpler machine. It could be several hundreds lines of codes, 
could be open source and at the end of the day you have the 
ballots.
    Let me stress the big difference between a DRE with a--
versus the kind of machine that I am describing. In the kind of 
machine I am describing, there is only one authoritative 
ballot, and that is that piece of paper. In a DRE that you 
retrofit with a verifiable paper trail, which is better than a 
DRE without it, but you have the issue of having two different 
votes. Do you count the electronic ones? Do you count the paper 
ones? I think there should only be an authoritative paper 
ballot, but we can utilize computers to create that ballot, and 
we can utilize computers in order to count those ballots and 
utilize the paper to check that count.
    I am quickly running out of time, so let me draw an 
analogy, and I started about 10 seconds late. The grading 
system we use to turn in our grades at Johns Hopkins is done 
over the Internet, but it was done with security in mind. And I 
am perfectly happy at the end of the semester uploading my 
grades to a central server at Johns Hopkins, even though, 
considering you have a bunch of computer science students who 
might try to hack the system, it is a lot less work to do that 
than to work for a grade in all your classes.
    Why am I willing to do this? Because the following 
semester, direct from the Registrar's Office, hand walked to me 
by the secretary, is a paper with grades on it that were 
recorded; and I get to compare them to the grades that I 
submitted and say, did anybody alter these grades, have they 
been tampered with? And I know that, if they have, I will catch 
that.
    In DREs, we don't have a catch like that. The only point at 
which we can perform an audit which the voter can verify that 
the vote was recorded correctly is when they are voting and 
they have to have an ability to look at the actual ballot and 
say that is how I voted. Thank you.
    The Chairman. Thank you, Doctor.
    [The statement of Mr. Rubin follows:]

    [GRAPHIC] [TIFF OMITTED] T7366A.005
    
    [GRAPHIC] [TIFF OMITTED] T7366A.006
    
    The Chairman. Dr. Williams.

                   STATEMENT OF BRIT WILLIAMS

    Mr. Williams. As you mentioned in your remarks, after the 
2000 election, a group of political activists began to attack 
the direct recording systems, claiming that they are totally 
unsecure, that they can't be made secure and the only way you 
can make them secure is with the addition of a verified paper 
ballot. When this was picked up by some of my fellow computer 
scientists, it gained attraction in the media.
    The claim is that we cannot build a secure voting system. 
Now a DRE voting system--or any voting system, for that 
matter--but a DRE voting system is one of the simplest computer 
applications you can imagine. The main line is to recognize a 
touch on a particular location on a screen and add one to the 
appropriate register. That is it. It doesn't do any complex 
computations, doesn't take the logarithm or the trigometric 
functions of anything. It doesn't do square roots, doesn't 
multiply or divide. And to claim that we can't build a secure 
accurate system just flies in the face of the way we live our 
lives. We fly on airplanes that are controlled by computers. 
Our sailors go under the ice cap on submarines controlled by 
computers. We have been to the moon and back on spacecraft 
controlled by computers. On a less grandiose scale, our cars, 
our microwaves, our watches are controlled by computers.
    I am not saying we should not attempt to improve our 
computer systems. We should. And I like Dr. Rubin's system and 
I look forward to it, but we have to deal in the short term 
with what we have on the shelf right now. And there are many 
dimensions to a voting system other than just security. We have 
to look at availability, reliability, maintainability, 
usability and even affordability. Any change to the voting 
system, particularly something as drastic as adding paper 
receipts or paper ballots, needs to be evaluated in terms of 
the total voting system, not just the security aspects of it.
    Now this--your HAVA legislation created the Election 
Assistance Commission system and gave them the resources and 
the authority to approach this in a very orderly and systematic 
manner, and I sincerely hope they will be allowed to do that.
    Now we don't believe that we are in imminent danger. We 
think in Georgia that our voting system is both accurate and 
secure. We have measures in place to ensure that the voting 
system components, the computer components are as accurate and 
secure as current computer technology permits. We have physical 
security measures and the essential ingredients in DRE systems 
in place to compensate for the remaining vulnerabilities in the 
system. These are discussed in our written report, and I won't 
go into them here.
    We have a Center For Election Systems at Kennesaw State 
University that provides technical assistance and training to 
our 159 counties. Before any piece of equipment can be used in 
an election in Georgia, it has to be examined by members from 
this center. And, in addition to this testing, we now, out of 
the center, offer training for election managers, for new 
election poll workers and for board members, election board 
members.
    So let me close by pointing out that we do not live in an 
absolute world, that everything we do contains a certain amount 
of uncertainty. When we fly on an airplane, we know there is a 
remote possibility that we won't live to reach our destination. 
When we drive our cars, we know there is a possibility we won't 
reach our destination. We evaluate the risk and the advantages, 
and we make a decision.
    Now we do the same thing with our election in Georgia. We 
know when we conduct an election that there is a remote 
possibility that someone has altered that election in an 
attempt to defraud or disrupt the election. But we also know 
the diligence with which we maintain and protect the system and 
we know that we reduce that risk to a miniscule level.
    In our written report, we point out that we think that we 
can detect an alteration of that system with a chance of less 
than one in one billion. So with that kind of a risk, we are 
willing to go ahead and hold our election with a voting system 
that allows a business person to vote on their lunch hour very 
quickly and easily, that provides the elderly and infirm with a 
voting interface that does not require difficult manipulation, 
that allows a non-English-speaking voter to vote in their 
native language, that allows disabled voters to vote 
unassisted, many of them for the first time, that reduces the 
rate of incorrectly marked ballots by a factor of five and 
provides a level of accuracy that exceeds any voting system 
that has previously been used in the State of Georgia.
    Now no one that is involved in elections would come before 
you and claim that the current systems are the best that can be 
devised or suggest that we can't make improvements. We have a 
culture of continuous improvement, and we applaud people who 
offer reasonable, well-reasoned criticism and who have 
carefully considered recommendations for improvement.
    I thank you for this opportunity to speak to you, and may 
God bless America.
    The Chairman. Thank you.
    [The statement of Mr. Williams follows:]

    [GRAPHIC] [TIFF OMITTED] T7366A.007
    
    [GRAPHIC] [TIFF OMITTED] T7366A.008
    
    [GRAPHIC] [TIFF OMITTED] T7366A.009
    
    [GRAPHIC] [TIFF OMITTED] T7366A.010
    
    [GRAPHIC] [TIFF OMITTED] T7366A.011
    
    [GRAPHIC] [TIFF OMITTED] T7366A.012
    
    [GRAPHIC] [TIFF OMITTED] T7366A.013
    
    [GRAPHIC] [TIFF OMITTED] T7366A.014
    
    [GRAPHIC] [TIFF OMITTED] T7366A.015
    
    [GRAPHIC] [TIFF OMITTED] T7366A.016
    
    [GRAPHIC] [TIFF OMITTED] T7366A.017
    
    [GRAPHIC] [TIFF OMITTED] T7366A.018
    
    [GRAPHIC] [TIFF OMITTED] T7366A.019
    
    The Chairman. Mr. Kohno.

                  STATEMENT OF TADAYOSHI KOHNO

    Mr. Kohno. Thank you, Chairman Ney and Ranking Member 
Larson and members of the committee, for holding this hearing 
today and for inviting me to speak on the topic of electronic 
voting security. My name is Tadayoshi Kohno, and I am a 
computer security expert with the University of California at 
San Diego's Department of Computer Science; and prior to 
joining the University of California for Doctor studies, I was 
a cryptography and computer security expert with two of the top 
cryptography and security consulting firms in the Nation.
    Last summer, together with three other colleagues, I 
identified a number of security problems with Diebold's 
Accuvote TS electronic voting system. But I think that the most 
important result of our discoveries was that it concretely 
shows the existing certification processes are unable to 
identify security problems with electronic voting machines, and 
what this means is we have no reason to believe that other 
vendors' electronic voting machines are any more secure.
    But what I would like to talk about with you today is why 
I, as a computer security expert, am deeply concerned about the 
use of existing paperless electronic voting systems. I want to 
emphasize that I am talking about existing paperless electronic 
voting machines because, you know, there might be the 
possibility of having secure enough paperless electronic voting 
machines in the future. I say ``secure enough'' because there 
is no such thing as absolute security. We don't have those 
machines today and won't have them by November, and let me 
expand on this. There are several reasons for this.
    First, many people have suggested patching the existing 
systems, maybe by changing the software slightly or instituting 
new procedures. But this is not sufficient.
    First, an analogy I always like to make is that spot 
treating security problems is like spot treating termites. You 
can never be sure that you have gotten rid of them all. And 
this is particularly important because when you hire a security 
analyst to look at the security of a system, you typically 
contract them for a limited period of time, and in that limited 
period of time they might only uncover the most obvious 
security problems. And while addressing the obvious security 
problems might raise the bar for an attacker, it doesn't mean 
you have addressed all the important problems.
    Another thing that I want to point out is that unless all 
the components of the revised system, including the software 
and the revised procedures, are open to the public for public 
scrutiny and review, the public will have no reason to believe 
that the spot treatment actually succeeded in addressing the 
security problems; and I think this is illustrated most 
beautifully by the evolution of Diebold's Accuvote TS system. 
It is the system that we know the most about because it is the 
one that was analyzed publicly.
    In response to our analysis, the State of Maryland hired 
SAIC and then RABA to conduct independent analyses of Diebold 
systems; and in both ours and SAIC's analyses we found that the 
Diebold system found a security problem in the way that the 
Diebold voting terminals communicate with a back end server. 
Diebold tried to fix this problem. And then, in RABA's 
subsequent analysis, RABA found that Diebold's fix was 
insufficient.
    I think the important lesson from this is that there are 
two points: One is that if Maryland had not commissioned RABA 
to conduct a subsequent analysis of Diebold's supposed fixes to 
our report, no one except for maybe an attacker would have 
uncovered Diebold's insufficient fix of the problems we 
identified. And I think, at a higher level, the thing I want to 
say, this begs the question. First, for systems the public 
cannot openly review and inspect, how or when can we know that 
a security problem has been accurately addressed?
    I think in the remaining minute or so that I have that I 
would like to talk--I would like to advocate the following 
general principle; and that is, from a security perspective, 
the minimum requirement we should have for any new voting 
technology, it doesn't have to be computer technology, but the 
minimum requirement for any new voting technology is that it 
must be at least as secure as the technology that it is 
replacing. It is for this reason that our computer security 
experts are advocating the use of a voter-verifiable paper 
ballot, where we have the voting machines produce a paper 
ballot that the voter will look at and verify that it is 
correct and deposit it into the ballot box and that becomes the 
official record.
    People have said that, you know, this has problems, too, 
because, you know, the ballot box could be stuffed, the ballots 
could be destroyed. But the point is that these are the 
problems that we already have with traditional paper-based 
voting mechanisms. By adding a voter-verifiable paper trail, we 
have not made things worse. Unfortunately, as a security 
expert, I cannot say the same thing about the use of existing 
paperless electronic voting machines in elections.
    That is all the technical stuff I wanted to point out, but 
I wanted to thank the committee for focusing on this critical 
issue, and I think that the dialogue we are having today will 
move us forward towards addressing all of the security 
concerns.
    The Chairman. I thank the gentleman for your testimony and 
the previous two witnesses.
    [The statement of Mr. Kohno follows:]

    [GRAPHIC] [TIFF OMITTED] T7366A.020
    
    [GRAPHIC] [TIFF OMITTED] T7366A.021
    
    [GRAPHIC] [TIFF OMITTED] T7366A.022
    
    [GRAPHIC] [TIFF OMITTED] T7366A.023
    
    The Chairman. Dr. Shamos.

                 STATEMENT OF MICHAEL I. SHAMOS

    Mr. Shamos. Mr. Chairman and members of the committee, my 
name is Michael Shamos. I have been a faculty member in the 
School of Computer Science at Carnegie Mellon University in 
Pittsburgh since 1975. I am an attorney admitted to practice in 
Pennsylvania and before the U.S. Patent and Trademark Office.
    From 1980 to 2000, I was statutory examiner of computerized 
voting systems for the Commonwealth of Pennsylvania. From 1987 
until 2000, I was statutory examiner of computerized voting 
systems for the State of Texas. During those 20 years, I 
examined over 100 different voting systems. These were used to 
count over 11 percent of the popular vote in the United States 
during the 2000 election.
    I view electronic voting as primarily an engineering 
problem to be solved through traditional scientific methods. 
Once standards are set for the degree and type of risk we are 
willing to accept in such systems, engineers can determine 
whether a particular system meets those standards. The 
tolerable risk can never be reduced to zero. No system of any 
kind ever developed for any purpose has been completely free of 
risk. The issue is not to eliminate it but to quantify and 
control it. It may be a difficult pill for the voters of the 
United States to swallow, but it is true nonetheless and always 
will be that some votes are lost, miscounted or never are cast 
in every election and this will always be so.
    There are many types of DRE machines, and it is incorrect 
to lump them together in a single category. DRE voting is not 
new. It has been used in the United States for over 25 years 
and has been successful, though not perfect, during that time. 
Many brands of DRE systems have exhibited problems, including 
failure to start, freezing up during voting, displaying 
incorrect candidate names. Some possess identified security 
weaknesses, such as according the wrongdoer the opportunity to 
vote more than once during an election.
    Of course, machines that do not work and are not suitable 
for use in an election should not be used in an election, but 
this country has no systematic process by which such machines 
can be pinpointed and kept from the polling place. We need one. 
Voting machines, like every other machine we rely on in society 
can be tested to determine whether they are reliable. We need 
such procedures.
    A completely different sort of allegation that is made 
against DRE machines is they can be tampered with undetectably 
or may contain malicious software that no testing procedure or 
examination would ever reveal. Even the venerable New York 
Times declared erroneously on April 24 of this year that, 
quote, it is not hard to program a computer to steal an 
election. It is very hard. In fact, there has never been a 
verified incident in which a DRE machine was manipulated to 
alter the outcome of an election. DRE opponents respond, how do 
you know? Maybe the alteration was done so well that we will 
never find out. That response is completely unscientific. It 
asks us to believe that which has never been seen and which by 
hypothesis can never be seen. It is a pure article of faith, 
which every person is free to accept or reject, but it cannot 
serve as the basis for logical debate.
    I have asked DRE opponents exactly how they would modify a 
machine to influence an election without being detected. This 
of course must be done in such a way that the machine passes 
all tests with flying colors, yet performs its dirty work only 
during the actual election and, furthermore, does so in a way 
that leaves no trace and does not raise undue suspicion, given 
the political demographic of a particular precinct or 
jurisdiction. In short, it would be the perfect crime. No one 
has ever come close to giving a credible method by which this 
could be done.
    When challenged, the response of the opponents is to say, 
we are not obliged to show you how to do it. You have to prove 
that it can't be done.
    That is not the law. The various States require voting 
systems be safe for use, accurate and resistant to tampering. 
None of the requirements is absolute, and they require 
judgments to be made by responsible officials and bodies. 
Administrative action is never required to be accompanied by a 
proof that the action is perfect. If there were such a 
requirement, then government would grind to a halt.
    The proposal has been made that the variety of problems 
exhibited by DRE machines can be solved by adding a device that 
will print out a piece of paper containing the voter's choices 
so she may verify that they correspond to her desired 
selection. If anything goes wrong, the voter has the chance to 
try again before her vote is officially cast. If all is well, 
the piece of paper is dropped or deposited into a box inside 
the machine. This proposal is embodied in several bills before 
Congress and at least one that is currently before this 
committee, Representative Holt's bill, H.R. 2239.
    The argument goes that we receive paper receipts when we 
buy things, use an ATM machine or play the lottery, so why 
should voting be any different? The answer is simple. In 
commercial transactions, the paper is simply a piece of 
evidence. It is not an incontestable, self-proving document. 
Even a lottery ticket will not be awarded a prize if it does 
not match the electronic records of the central lottery 
computer. The H.R. 2239 proposal is to make the paper records 
supreme, something that we do not do in the commercial world.
    If paper were in any way safer than electronic methods, 
then the whole bill might make sense. But it is not safer or 
better. This is a case in which the cure is worse than the 
disease. This country has a long and sorry history of vote 
tampering involving paper ballots. Since 1852, the New York 
Times has published over 4,000 articles detailing numerous 
methods of altering results of elections through physical 
manipulation of paper ballots. On average, one article has 
appeared in the Times every 12 days since it began publishing 
in 1851. Mechanical and electronic voting machines were 
introduced specifically to eliminate this problem. Any proposal 
to make paper ballots official once again ignores history and 
therefore dooms us to repeat it.
    Adding a paper trail that can be viewed by the voters 
solves one problem and one problem only. It assures the voter 
that her choices were correctly noticed by the machine. It 
provides no guarantee that the vote was counted or ever will be 
counted correctly or the paper viewed by the voter will even be 
in existence at the time a recount is conducted. And the paper 
trail surely does nothing to increase the reliability of a 
voting machine. If a device won't start on Election Day, then 
adding a printer does not increase its chances of working.
    Paper trail proponents have not bothered to list the 
problems with DRE machines in an attempt to explain how the 
paper trail would solve them because they cannot do so. They 
have not explained why the paper trail would not be vulnerable 
to well-known and well-documented methods of tampering the 
paper ballots, for they cannot do so. All of the problems with 
DRE machines have solutions. None of the solutions requires a 
paper trail. I have given specific alternatives in my rather 
lengthy testimony, and I thank you for the opportunity to speak 
today.
    The Chairman. We will accept the gentleman's testimony as 
all other individuals appearing here today for the record. Very 
frankly, fascinating testimony by I think all four of you.
    [The statement of Mr. Shamos follows:]

    [GRAPHIC] [TIFF OMITTED] T7366A.024
    
    [GRAPHIC] [TIFF OMITTED] T7366A.025
    
    [GRAPHIC] [TIFF OMITTED] T7366A.026
    
    [GRAPHIC] [TIFF OMITTED] T7366A.027
    
    [GRAPHIC] [TIFF OMITTED] T7366A.028
    
    [GRAPHIC] [TIFF OMITTED] T7366A.029
    
    [GRAPHIC] [TIFF OMITTED] T7366A.030
    
    [GRAPHIC] [TIFF OMITTED] T7366A.031
    
    [GRAPHIC] [TIFF OMITTED] T7366A.032
    
    [GRAPHIC] [TIFF OMITTED] T7366A.033
    
    [GRAPHIC] [TIFF OMITTED] T7366A.034
    
    [GRAPHIC] [TIFF OMITTED] T7366A.035
    
    [GRAPHIC] [TIFF OMITTED] T7366A.036
    
    [GRAPHIC] [TIFF OMITTED] T7366A.037
    
    [GRAPHIC] [TIFF OMITTED] T7366A.038
    
    [GRAPHIC] [TIFF OMITTED] T7366A.039
    
    [GRAPHIC] [TIFF OMITTED] T7366A.040
    
    [GRAPHIC] [TIFF OMITTED] T7366A.041
    
    [GRAPHIC] [TIFF OMITTED] T7366A.042
    
    [GRAPHIC] [TIFF OMITTED] T7366A.043
    
    [GRAPHIC] [TIFF OMITTED] T7366A.044
    
    [GRAPHIC] [TIFF OMITTED] T7366A.045
    
    [GRAPHIC] [TIFF OMITTED] T7366A.046
    
    [GRAPHIC] [TIFF OMITTED] T7366A.047
    
    [GRAPHIC] [TIFF OMITTED] T7366A.048
    
    [GRAPHIC] [TIFF OMITTED] T7366A.049
    
    The Chairman. One point I would like to make. Historically 
speaking, any time there has been manipulation or suggested 
manipulation of a voting system, it has involved paper ballots. 
You basically suggested that the paper receipts will not, in 
fact, bring forth the security that their advocates promise. Do 
you have any details about what you believe would be the 
shortcomings of paper receipts in trying to resolve the DRE 
security-related issues?
    Mr. Shamos. The issue with paper receipts and my problem 
with them is that there is no guaranteed chain of custody from 
the moment the voter looks at the piece of paper and says, yes, 
this is my vote. From that moment until the time that piece of 
paper has to be touched or reviewed by other people, there is 
no way of assuring that the pieces of paper have not been 
removed from the box, new pieces of paper have been added to 
the box, that the pieces of paper have not been altered, et 
cetera. And it is impractical with 1.4 million poll workers we 
have in this country, most of them volunteers, to have any kind 
of systematic system where we can ensure that from the time the 
voter sees the piece of paper until the time it is reviewed 
that nothing has happened to it. That is the problem we have 
had when there is a physical paper ballot of any kind, whether 
it is punched card or paper.
    The Chairman. Dr. Rubin, the chairman of the EAC and other 
groups such as Brennan Center For Justice have issued 
recommendations for ensuring the security of the DREs, as you 
know. You are involved with the Brennan study, I am told.
    Mr. Rubin. I was asked to read, review it and comment on 
it, yes.
    The Chairman. Do you have any further comments on that 
study or can you describe more about the security practices and 
how they protect the process?
    Mr. Rubin. I was asked to comment on this and then to 
participate in a press conference to publicly comment on it. 
Initially, I hesitated to do that, because I was worried about 
an endorsement of these recommendations appearing to--or being 
misconstrued to be an endorsement of paperless DREs. What in 
fact was intended was that, no matter what I say or anyone else 
says, there are people going to be voting on paperless DREs in 
November. And for those election officials, what advice can we 
offer? Rather than just saying everyone is in trouble, can we 
do something constructive? And under those assumptions, they 
came up with recommendations that I think are very good: hiring 
security reviews, setting up a group that would supervise the 
security reviews, some ideas for testing; and, you know, the 
recommendations are available for the public.
    I think that while I would strongly advocate against using 
paperless DREs, I am not going to be naive enough to ignore the 
people that are using them. So I would recommend that those 
recommendations be followed in those cases.
    The Chairman. Just one question. Probably not a perfect 
question for you, but does anybody here believe--that one 
should be able to take those with you out of the----
    Mr. Rubin. Take what?
    The Chairman. A copy of the paper receipt with you out of 
the voting area.
    Mr. Rubin. Absolutely not. The problem with that is that 
two things could happen. One is you have the opportunity to 
sell your vote if you can show someone how you voted, and the 
other is you could be coerced to vote a certain way. The idea 
behind the paper is that you have some tangible record of how 
the person voted, but if you take it out of the polling place 
with you, you haven't actually voted.
    Mr. Shamos. Mr. Chairman, there are systems in which the 
voter is given some form of receipt but that receipt cannot be 
used to prove how he voted. It is possible for him to verify 
that that particular ballot was actually counted in the 
election. In general, it is not possible to remove from the 
booth any piece of evidence that you would be able to use to 
prove how you voted.
    The Chairman. Anybody else have any concerns still about 
the issue of your vote being secret? That is a huge issue or 
being able, frankly, to vote in secrecy. But out comes the 
paper--because, Dr. Shamos, you mentioned something 
interesting, a chain of custody. What happens with that? Dr. 
Rubin, would you like to respond?
    Mr. Rubin. I will say one thing about the secrecy. I 
believe it is the property of secrecy that makes this problem 
so hard. When we talked earlier about commercial transactions 
and all different kinds of transactions where we have paper, 
the difference between voting is that imagine trying to audit 
somebody's bank account without knowing which person performed 
which transaction. In an election, we have a secret ballot, and 
it is a privilege, and we decouple the voter from their vote. 
That makes auditing a lot harder than it is in any other 
application that we know because the very information we keep, 
which is logging who did what and when, you can't do in an 
election.
    The Chairman. You can't go back and say that this ballot 
was John Smith or Susan Smith's ballot.
    Mr. Kohno. If I may extend comments. There are two main 
requirements of voting machines. One is that the result has the 
correct integrity, and the other is the privacy. And when 
people are talking about electronic voting machines, the focus 
has been--most people have been focusing on the integrity.
    One of the results of our analysis is that with these 
electronic voting machines it could be the case where an 
election official or a poll worker--I am assuming that most of 
them are not malicious--but an election official or poll worker 
could look at the results, the files stored--the results filed 
on these Diebold terminals and figure out who voted for whom if 
they are watching the voting process all day. So I think that, 
you know, I wanted to throw that in as being another problem 
that I see with electronic voting.
    Mr. Williams. Not true. The ballot files in that system are 
randomized. So even if you had your numbered list of voters and 
you knew the order that people voted, you couldn't correlate 
that to the ballots on the file. And even if they were, it 
wouldn't be a one-to-one correspondent because, although you 
may check into the polling place ahead of me, I might cast my 
ballot before you cast yours. So that is not going to be a one-
to-one correspondent, regardless.
    Mr. Kohno. I think we are taking the discussion away from 
the main focus of this hearing, and we can talk about this off 
line. But I think that the important thing--you know, I don't 
want to focus on Diebold, because, unfortunately for them, they 
are the ones that were publicly analyzed. There is a random 
serial number stored with the ballots when they were added and 
specifically for randomizing them for reporting at the end. But 
the problem is on the files themselves, they were stored in the 
order they were created. But I think, like I said, this is an 
issue that hasn't been seen very much; and the focus here I 
think is on preserving on the integrity.
    Mr. Williams. The problem he is referring to has been 
changed. That was true of the version that they looked at. In 
the SAIC report in Maryland, one of their recommendations was 
that those files be randomized, and that has been done.
    The Chairman. I think I not do disagree with you. I think 
it is appropriate--basically what you said is appropriate to 
the hearing. What the gentleman, Dr. Williams, answered is also 
appropriate.
    Mr. Williams. The problem that secret ballot creates is 
that you cannot--the voter cannot verify their ballot. There is 
no way once the voter walks away from that voting booth that 
they can go back to that collection of ballots and pull out a 
ballot and say that is mine, because that would violate the 
secrecy of the ballot. The whole concept of a voter-verified 
ballot is questionable.
    You say, what do we do in a recount? Let us look at lever 
machines for a minute. When you recount on a lever machine, 
there is nothing to recount. What you are doing is verifying 
that the machine is operating properly; and the assumption is 
that if the machine is operating properly, then the count is 
accurate. Same thing with the DRE machine. There is nothing to 
recount, and you are not technically doing a recount in the 
sense of a traditional recount. What you are doing is that you 
are verifying that this machine is operating properly. If the 
machine is operating properly, then the assumption is that the 
results are accurate.
    Mr. Rubin. I believe that DRE have managed to replicate the 
worse property of lever machines, which is that a meaningful 
recount is not possible. That is why I was never comfortable 
with lever machines. The nice thing about having the paper 
ballot, when it is time for a recount we know at the very least 
the thing that is being recounted was seen by the voter. We 
don't know the order.
    The Chairman. On that point, I will let you finish.
    Mr. Rubin. The idea behind a meaningful recount is that the 
things that are being counted are ballots that were seen by the 
voters, and that is where the term voter verifiable comes in. I 
don't think it is important whether or not the voter can reach 
into the pile of ballots being recounted and verify theirs. 
They have to have some confidence in the procedures, just like 
they do in any election. But without those paper ballots 
existing, there is no hope of any recount; and I don't think 
the solution to hanging or pregnant chads is to throw away all 
the ballots.
    The Chairman. I want to open this up to questions from 
other members, but you just made a point. The voter sees it, 
verifies, but how does the voter know it was counted? When you 
are dealing with paper, you could stuff a ballot box. Where is 
the chain of custody of the item? Who is watching all that? I 
mean, historically in this country, any problems we have had 
have been on the paper. If you are saying, wow, the voter gets 
this and there is my vote and I walk away, where did that paper 
ballot go?
    Mr. Rubin. I believe the chain of custody problem does not 
go away with electronic tallying. We should look at constantly 
improving the security and not deploying a system that is less 
secured than the one we had before.
    The difference between lever machines and automated 
computerized machines is that software, if there is a problem 
with the software, either intentional or accidental--and anyone 
who has dealt with software knows the accidental ones happen 
all the time--that problem is in tens of thousands of machines. 
And when you program a lever machine, if you make a mistake, 
that is that one machine. And that is one of the differences 
between electronic systems and mechanical or paper systems, is 
that the problems are more localized.
    The Chairman. If we are talking about rigging--that is what 
we are talking about--rigging an election either by 
manipulating paper ballots or by electronic manipulation, you 
would have to have the ability of someone to put a chip or 
something in every single machine and pull it back and put it 
in the next election and next election.
    Mr. Rubin. Not necessarily.
    The Chairman. Because it is not like you can hack into 
these things.
    Mr. Rubin. The biggest concern that I have always had ever 
since our initial report came out is that the person writing 
the software who is putting together the machine, not that I 
think they are going to do something, but I think they are in a 
position to.
    The Chairman. For a particular election. They would have to 
rewrite the software then.
    Mr. Rubin. Not necessarily. Perhaps they favor a particular 
party.
    One thing I find, if we get mired in a particular attack, 
if I get asked, how would you attack a voting machine, and I 
come up with an answer for that. Then someone says yes, but we 
could put this procedure in place that would prevent it. For 
every single individual attack I may come up with, someone 
could have a counterargument, but it is hard to design a system 
that would inherently block all the different attacks one might 
be able to come up with.
    I believe that the difficulty of analyzing software is one 
thing, and I have talked at length about that, but a bigger 
problem is the software isn't being analyzed. There is no way 
that the software in the Diebold machine that we analyzed was 
analyzed before it was deployed or they never would have 
deployed that system.
    The Chairman. Was that system corrected?
    Mr. Rubin. I don't know, because they won't let me have a 
look at it. I believe--they claim that many of the problems 
that we found in the machines have been fixed, but I think, 
without public scrutiny, there is no way to know if that is 
true.
    The Chairman. We went from not correcting the machines to 
an issue of paper ballots. I think some people are sincere in 
this. I think some people have made absolutely incredible 
statements that smack of politics. There are conspiracy 
theoricists, people have done this for political purposes and 
are using this issue, while others are sincere on this issue. 
But I think the whole thing, frankly, has gotten clouded 
because of one company or one statement. I just think it has 
gotten quite clouded. At least today I feel we are hearing a 
reasonable debate on some of the issues.
    Mr. Rubin. Let me rephrase the statement, which I think 
that if we have the capability of building voting systems where 
the vendor does not have an opportunity to rig it, that is 
better to do it than ones where they do have the opportunity, 
whether or not we think they are going to do it.
    Mr. Shamos. Mr. Chairman, it is precisely the property of 
the software that is resident in all the machines that makes it 
feasible to test them. If someone plucks one machine out of a 
polling place and alters it, then unless we specifically test 
that machine we are not going to find the alteration. But if 
the vendor has inserted the alteration into every machine that 
it has manufactured, then we can use the same kinds of 
procedures that we use with airplanes and nuclear weapons and 
other systems that have the capability of killing people. We 
can use those analytical methods to test these machines and 
determine whether or not they have been altered.
    The allegation is made, as I mentioned in my testimony, 
that no, no, there is no amount of testing that will ever 
reveal every flaw in the system. That is quite correct. We 
don't insist that every flaw in every system be found. We would 
never have systems if we insisted upon that.
    Mr. Kohno. If I may add to his comments, I think that--I 
guess I want the committee to be careful about analogies that 
are made. You find many people make analogies, ``we do testing 
for airplanes and we do testing for cars,'' et cetera. I think 
the important thing to keep in mind is, when you are testing 
these things, you don't plan to put them in an environment 
where there is someone actually trying to actively attack them. 
You can be flying in the air in a normal airplane and you want 
to make sure in turbulence that things will be okay, but for 
these voting systems there is an active attacker. This active 
attacker will try to not play by the rules. It is this that 
makes voting systems or security so difficult.
    I just kind of wanted to point that out.
    The Chairman. I understand that, but what makes the paper 
so much more secure? The State of Maryland, Ohio, Texas, any 
State, Georgia, they are smart enough in these States, and they 
don't want fraudulent elections--not one person wants 
fraudulent elections, but they are smart enough to randomly 
pull machines in and test them because someone, as you say, is 
trying to attack these systems. But they are smart enough to be 
able to do that.
    But why all of a sudden is everyone saying the paper is so 
much more secure, when paper could be crumpled--once you look 
at your vote, it could be crumpled and thrown away. Fraudulent 
paper ballots could be stuffed in the ballot box. What makes 
you so convinced that the paper is so secure? Paper to me is 
100 times more unsecure than any machine that we could randomly 
test, that the States could test.
    Mr. Kohno. I still think that the thing I tried to convey 
in my testimony was that paper still is not perfect. Paper can 
be crumpled, thrown away, all this stuff can happen to paper, 
but at least that is what we are used to now. We are not going 
backwards. The problem now is with electronic voting machines, 
like Professor Rubin said, the public is not able to go in and 
analyze them and verify that the problems have actively been 
corrected.
    The Chairman. The States could do that. Everybody in this 
room knows how to crumple a ballot up and toss it away or stuff 
a ballot box. Everybody in this room could be knowledgeable 
about that. I doubt maybe four, two or one of you could 
actually go in and be able to fix and manipulate those 
machines. You would have to have a conspiracy theory that they 
are sitting out there and manipulating these machines that we 
can't ever find out about.
    Mr. Rubin. As someone--I have been working with computers 
my entire career. One of the feelings that I have is that, one, 
something could go wrong and you just wouldn't know it. It 
might be easier to detect some number of missing ballots than 
some bits in a computer that were flipped. If you look at the 
system as a whole, if you look at the magnetic cards in the 
machines that have the tallies on them; and the thought that 
all of the votes are being kept in a medium that inherently has 
glitches and inherently has flaws and can often be 
undetectable, that makes me nervous. I will not say that paper 
is great, but, right now, I think computers are not ready for 
this important responsibility.
    The Chairman. I think they could be.
    I am going to move on to our ranking member. One question 
and I am going to move on, although this has been interesting I 
think for everybody. On that note, we don't know. Let's talk 
about something we do know, though, Dr. Williams, about the 
undervote in the elections. Wasn't there an amazing undervote 
when it came down to nonelectric machines?
    Mr. Williams. In the 2000 election, Georgia had actually a 
higher percentage of undervotes than Florida. We sat there and 
watched the goings on in Florida and thought, wow, there but 
for a close election goes us. That, in fact, is what led us to 
switch to the DRE machines. With the DRE machines, we reduced 
our undervote at the top of the ticket from something over 4 
percent to less than 1 percent, a factor of five.
    The Chairman. The gentleman from Connecticut.
    Mr. Larson. Thank you very much, Mr. Chairman.
    Let me also say I really appreciate this line of 
questioning, and I think the debate and the dialogue that is 
ensuing is oftentimes best between the participants which I 
would broadly categorize as individuals who believe in trust 
and verify and those that believe that scientifically and from 
an engineering perspective that we have to analyze the risk, 
then solve the problem.
    I have an overarching question that deals with the 
practicality of implementation and a more technical question 
that deals with encryption and how that would coincide with Mr. 
Rubin's proposal. But my esteemed colleague, Rush Holt, who, as 
has been mentioned by several of you, is a proponent of the 
bill before us has asked me to ask these two questions; and I 
think they cut to the heart of what we are trying to get at. I 
am going to direct them at Dr. Shamos and Dr. Williams, but I 
would appreciate a response from Mr. Rubin and Mr. Kohno as 
well in the process.
    Mr. Holt's question is, if a vote is a record of an 
intended preference of a voter, isn't a recount an attempt to 
revisit and recount the records of those intentions? If so, 
after a voter casts a secret ballot on the electronic DRE 
machine and leaves the polling place and the polls close, is 
there any way, without a voter-verified audit record, that 
election officials or manufacturers or programmers can 
determine what was the intention of the voter? Is it possible 
to have a meaningful recount on a DRE? Question number one.
    Question number two, which is a follow-up, what is the 
possibility that a problem in software, whether it be an 
inadvertent bug or a deliberate, malicious doctoring of 
software could go undetected?
    Dr. Shamos, I will start with you.
    Mr. Shamos. The first question was quite lengthy. I think I 
remember it. I actually dislike the phrase ``meaningful 
recount'' because I don't know what it means. The legal purpose 
of a recount is not to do a revote. The legal purpose of a 
recount is to ensure that the vote totals that were reported by 
the individual machines in the jurisdiction were correctly 
reported and correctly added up.
    Mr. Larson. Could you elaborate on that? Because I think 
this is a confusing item to a lot of people, the difference 
between a recount and a revote.
    Mr. Shamos. Yes. We never use the phrase ``revote'' unless 
we are talking about holding the election all over again, but I 
think a lot of people believe that the word ``recount'' means 
that we go back and look at the original intention of the 
voter. That is generally not what is done in a recount, and 
that is not what is required by the State statutes for 
recounts.
    The problem is, if you look at the procedure for vote 
totaling in this country, voting is exceptionally local. It 
occurs on individual machines in individual polling places. The 
number of precincts in the United States is over 170,000. The 
number of voting machines is much larger than that. We must 
take the individual totals from all of those machines and 
eventually gather them together into some central place where 
they are totaled for the entire Nation in the case of a 
Presidential election or in the county in the case of a 
sheriff's election.
    The process by which the totals are transmitted to this 
central place is error prone. It is done by human beings, often 
writing numbers on a piece of paper. So what a recount consists 
of is going and looking at those totals to make sure that they 
have been added correctly.
    Where there is a physical record in the case of, for 
example, a mark sense or optical scan ballot, it is possible to 
rerun the ballots through the machine, in effect creating what 
you would refer to as a recount, count them again and then 
report those totals. The problem is, if they have been counted 
twice, then which is the total that we really should be 
reporting?
    In the case of mark sense machines, you can get some pretty 
reproducible results. In the case of punch cards, you can't 
take 10,000 punch card ballots, read them through a card reader 
twice and get the same results, because the process of actually 
reading the cards changes the cards.
    In the case of the DRE machine, the way you assure that the 
vote that the voter saw before she left the voting booth is 
actually recorded, right now the process is you test the 
machine. We don't test these machines enough. There aren't 
established procedures for doing it, but it is doable.
    There are any number of ways of creating an additional 
record. For example, one could display the voter's choices on a 
screen, just as they are done now; and one could take a digital 
photograph using equipment not manufactured by the same voting 
machine vendor, take a digital photograph of exactly what was 
on the screen at the time the voter left the booth. That would 
constitute, if it were properly encrypted and stored, an 
unalterable audit trail of what went on in the voting booth.
    There are many such solutions that don't involve the use of 
paper. It is not that I have anything against the wood pulp 
industry. It is that anytime you have a specific piece of paper 
that human beings can touch, it becomes losable, augmentable or 
alterable. When you have properly encrypted computer records, 
written in write ones memory so that nobody can change them, 
you don't have that problem.
    The other question I think was with respect to software. 
How do we know that the software hasn't been altered? The same 
as we know with all other systems, we test them. That is the 
way we find out whether machines work or not.
    Mr. Larson. Would you agree with the New York Times or are 
you familiar with the New York Times article that they did 
recently comparing the testing of machines that occurs in Las 
Vegas in the gaming industry versus, say, our polling booths 
across the country?
    Mr. Shamos. Yes, I am. I am very familiar with the New York 
Times article. I think they have had to add a new guy to the 
mail room to respond to my letters that I write to them.
    I haven't agreed with anything the New York Times has said 
about voting during 2004 except that specific editorial to 
which you refer, and I agree with everything in it. The point 
was made there that the Nevada Gaming Commission carefully vets 
every software--every piece of software and every chip that 
goes into every slot machine in Las Vegas. It is essential for 
that huge industry for people to be able to rely on machines to 
pay off when you win, and it is essential that casinos--for 
them to not pay off when you lose. So there is a huge amount of 
money available to do this kind of vetting and testing. I agree 
that, if the money were available, precisely the same kind of 
thing should be done with voting machines.
    Mr. Larson. How much money would that require, in your 
estimation?
    Mr. Shamos. I don't have an estimate.
    Mr. Larson. If the other panelists could respond.
    Mr. Williams. We do a significant amount of testing in 
Georgia directed toward just exactly that thing. We get our 
software directly from the ITA. We do not get it from the 
vendor. So that we know that what we have is what the ITA 
qualified, not necessarily what the vendor would like for us to 
have. So we get the software directly from the vendor; and 
then, before it is ever used in the State, we run about 6 weeks 
of testing on it. Some of it is designed toward the use of the 
system, but some of it is designed toward security, to try to 
wake up any Trojan horses that might be present and things like 
that.
    Once we are satisfied with the system, we freeze it, so to 
speak, and we take a digital signature of it, and the digital 
signature that we use is the exact same digital signature that 
NIST uses to validate law enforcement software. Then 
periodically, anytime that one of our staff is out in a county, 
they can run that signature against the county system and 
verify that that system has not been changed.
    Mr. Larson. Dr. Rubin.
    Mr. Rubin. I would like a chance to respond to your three 
questions, the last one being of the gambling example.
    In terms of meaningful recounts, the important thing I 
think is the question, what happens when something goes wrong? 
Sometimes it is really visible. There was a case of hundreds of 
thousands of votes being tabulated by an electronic voting 
machine in a place where fewer people had actually voted. What 
do you do when something goes wrong?
    Things go wrong all the time. I worked as an election judge 
in Baltimore County. At the end of the day, the totals that we 
got off the machine did not match the totals that came in the 
door. It was one or two people. So we got out all the books and 
we got out all cards and we sat there for about an hour and a 
half and counted everything up until we found the error.
    What do you do if something goes wrong inside a DRE? You 
get a result that doesn't make sense. There is nothing you can 
do. But if you have a voter-verified paper ballot trail, a box 
full of paper ballots, you can at least count them. You have 
some recourse for something to do if something goes wrong.
    That is my response to the first question.
    The second one, I have a very simple answer. I do not 
believe that it is possible to detect malicious code when it is 
hidden well inside of other code. I have done experiments with 
that, with 40 graduate students hiding code and then trying to 
find code. It is just an intuition. I don't have scientific 
proof, but I find that when I travel to computer science 
conferences and the only thing they want me to talk about these 
days is electronic voting, when the topic of hiding code comes 
up, that seems to be the consensus that I find, is that it is 
much, much easier to hide code than it is to find it.
    Finally, the question about the editorial about the 
gambling machines and the Gaming Commission. I don't know if 
you are familiar with the case of Rob Harris who worked for the 
Nevada Gaming Board. He was one of the testers of the slot 
machines. He wrote some malicious code that he put on a testing 
device which would download to one of the slot machines and 
then somebody could come in and put in a particular sequence of 
coins into that machine, it would turn it into a winning 
machine for a while. So his conspirators would go around and 
play those machines and win a lot of money. The way he got 
caught was that one of his relatives won a big slot and didn't 
have an ID on him, so the security escorted him back to his 
room where Rob Harris was in his room, and they started 
investigating. But they didn't catch it any other way.
    The point I am making is that insider threat happens. Even 
with all the stringent controls on the gambling machines, he 
was getting away with that for a long time and would not have 
been caught if he hadn't have been careless.
    I think the insider threat in anything electronic will be 
caught through some out-of-band mechanism like not having your 
ID, but there is nothing inherent about software that makes it 
easy to catch these things.
    Mr. Larson. Dr. Shamos mentioned encryption. We heard 
testimony in previous committee hearings as well about that 
being the way to go. What you talked about earlier seemed like 
a method of encryption, though I profess not to be either an 
attorney, a scientist or a physicist, but I am interested in 
that line of questioning and would ask if the panelists want to 
further respond to one another.
    Mr. Rubin. I would start off by saying that encryption is a 
valuable tool in the security arsenal. It has specific 
purposes, namely to hide information from an adversary, so 
governments use it to send information out to spies in the 
field. It is not something that can be blindly applied to a 
system to make it secure. You can't sprinkle encryption dust on 
a computer and make it secure. Encryption is a tool. When there 
is something that needs to be done to maintain confidentiality, 
you can encrypt it with a key, but then the problem reduces to 
protecting that key. So the biggest value of encryption is in 
taking a lot of information that you need to protect and 
reducing it to a small amount of information that you need to 
protect like a key which can then be put on a smart card or 
protected some other way. But, in and of itself, encryption is 
not going to give you secure voting.
    Mr. Kohno. I would also like to add to that in the fact--so 
encryption, like you said, is a specific tool, but I think lots 
of people confuse encryption with the science of cryptography. 
Cryptography is a much broader science with many different 
goals in mind.
    I think one of the things that as a cryptographer I have 
seen often mistaken is that encryption provides--protects--if 
you take some data and you encrypt it, you protect both the 
privacy and the authenticity. That actually turns out not to be 
true.
    I don't know how technical in the details you want me to 
get, but, essentially, if you talk to a cryptographer, 
encryption is the process of taking some message, applying a 
transformation to it, typically using a key. You get some 
ciphertext. The ciphertext--an adversary looking at the 
ciphertext will not be able to figure out what the original 
message was. So this might protect the privacy of the vote, 
assuming all the other things like key management are in place, 
but this doesn't mean that you can't actually controllably flip 
a number of bits.
    The example that I might--by flipping bits, I mean change 
the contents of the message. So an example that I might give is 
that you have several different messages that you want to be 
sending: sequences of ``yeses'' or ``noes.'' You encrypt each 
of these individually. I take my message ``yes,'' I am going to 
encrypt it, take my message ``no'' and encrypt it, and take the 
next message ``yes'' and encrypt it, send these over 
separately. This doesn't prevent an adversary from taking the 
``yes'' messages, preventing the delivery of my messages and 
kind of shuffling the order of these messages I sent.
    I am hoping that this analogy is getting across the fact 
that encryption doesn't provide authentication. It is a 
powerful tool in the arsenal, but isn't a be-all, end-all 
solution.
    Mr. Larson. Most of the testimony I have heard over the 
last couple of weeks really points out the complexity of the 
issue, that really when--the further you look into it and the 
more you peel away each layer of veneer, you find that there 
doesn't exist a true simple answer to this, and what the voters 
are looking for is a very simple solution. It seems to me, at 
least in listening to the testimony we have heard over the last 
several weeks, that it is a more complex issue. I tend to agree 
with Dr. Shamos, that I think we have got to analyze the risk 
and then come up with the best possible solution. I also would 
think that the four of you could probably get into a room and 
come out with a solution.
    My question is, given the practicality of facing elections 
in November and wanting to assure the public, and this is a 
concern that the chairman raised and I think many people on the 
committee feel, we don't want the message to go out to the 
general public that their vote doesn't count or if they are 
voting on a specific machine that the machine might in fact 
alter the election in such a manner or have been altered in 
such a manner that their vote doesn't count. How do we, in the 
short period of time that we have, produce the best possible 
result?
    Mr. Shamos. I can start with that one.
    First, on the issue of can machines be tested adequately, I 
find myself in the rare position of agreeing with Dr. Rubin on 
a few points that he just made. It is true there are always 
going to be insider attacks. We will develop countermeasures, 
and some new insider will find a new and better attack the next 
time, and the battle never ends. It is notable that after the 
discovery of the Harris debacle in Nevada, they didn't stop the 
slot machines from spinning. You can still play the slots in 
Las Vegas, even though there was an insider attack. If we 
insist on perfection, if we insist on zero defect, there is 
never any kind of system we are ever going to be able to 
deploy.
    With respect to what to do between now and November, the 
only answer at this point seems to be test, test, test and 
train, train, train. Many of the problems that have arisen with 
DRE machines can be ascribed to first-time use. Poll workers 
who have never seen the machines before were asked to follow 
procedures that didn't even exist in written form. So training 
is required there.
    If it is believed that the security vulnerabilities in 
these machines can be exploited in order to alter the results 
of an election, then security measures must be taken to ensure 
that that doesn't happen. You don't leave the machines around, 
for example, where outsiders get an opportunity to play with 
them. You watch what people are doing when they are going into 
the polling place. I don't see any alternative to those two 
steps before November, which is, I believe, 120 days from now.
    Mr. Williams. I agree with that.
    To get back to the Brennan report that supposedly is 
recommendations for things to do for 2004, it can't be done. 
The things that are in that report: to start today and go out 
and try to hire a consultant, bring that consultant in, 
evaluate your voting system, get the recommendations, implement 
those recommendations and hold an election 120 days from now, 
you can't do it. It is a catch-22 situation. If you try to do 
it, you are going to wind up running your election with an 
uncertified system, and you are going to get criticized for 
that. So if you don't do it you are going to get criticized for 
not doing it. So that Brennan report puts us in a real catch-22 
type situation.
    Mr. Rubin. I believe that if there is a vulnerability out 
there, it is better to know it than not to know it. Hiring 
security consultants to come in and review the system and 
produce a report and if they find something, then at least you 
know about it and then we can figure out what to do about it. 
It is better than not knowing about it.
    When we analyzed the Diebold system a year ago, it was a 
year and a half left until the election. We asked ourselves, 
will we do more damage or good by going public with this? One 
of the things we said, well, there is not an election coming 
up. We have a year and a half before the election, plenty of 
time to fix the things we are talking about and design perhaps 
and provide better voting systems. We did go public with it.
    Right now, we are coming up to the election. We need to do 
everything we can. Unfortunately, I think there are places that 
are going to be used, equipment that I don't believe in, that I 
don't believe is secure enough. Should I sit back and say, 
well, in order to preserve the confidence of the voter in 
something I think is insecure, do I sit back and keep quiet? I 
don't think that is a good idea. That is why I have been 
speaking out about this.
    Mr. Larson. Would you agree with Dr. Shamos that what we 
should do then, given the shortness, is test, test, test? Is 
that a reasonable alternative?
    Mr. Rubin. I think that I do believe in parallel testing, 
and I believe we should maximize the testing but not in place 
of external review. I think you can test and review at the same 
time.
    Mr. Larson. The review that you are indicating would be the 
review that you laid out in your testimony?
    Mr. Rubin. No, the review that the Brennan Center and SSCR 
recommends in their recommendations that came out last week.
    Mr. Williams. Which is based on the assumption that we 
don't already know the vulnerabilities in our voting system and 
we need somebody else to tell us about them, and we don't agree 
with that.
    Mr. Rubin. No, but that is one of the assumptions.
    The Chairman. Mr. Mica.
    Mr. Mica. Thank you, Mr. Chairman.
    We have got a couple of experts that have looked at the 
overall picture here. What percentage of our voting will be 
done in 2004 by electronic means?
    Mr. Shamos. It was estimated originally at about 32 
percent. The estimates have been falling to somewhere in the 
20s, which is somewhere between two and three times the 
percentage that voted under the early machines in the year 
2000.
    Mr. Mica. Basically, the machines that are out there, do 
any of them have a paper trail capacity?
    Mr. Shamos. Many of them have a paper trail, one that is 
not viewed by the voter, however. Most DRE machines--at least 
when I was involved in certification, most DRE machines have an 
internal paper trail that records in random order a complete 
ballot image of every vote cast. In that sense, they have a 
paper trail.
    Mr. Rubin. That is not what the Diebold machines do, 
though. They print out the totals at the end of the day on a 
printer, but they only maintain an electronic total.
    Mr. Mica. But that is an electronic total, not as everyone 
votes?
    Mr. Shamos. It is as everyone votes. Not in Diebold.
    Mr. Mica. It is just adding a number as opposed to sort of 
a continual tab on how each one has voted?
    Mr. Shamos. Yes. I am in the enviable position of never 
having reviewed the Diebold system for certification purposes, 
so it can't be blamed on me.
    Mr. Rubin. These machines do not print anything throughout 
the day until the end of the day when they print totals. They 
do not print anything as people vote.
    Mr. Mica. Then I heard the dilemma, if we have a 
discrepancy in a paper trail versus an electronic trail, how 
would that be resolved?
    Mr. Rubin. There isn't a paper trail in the Diebold 
machines.
    Mr. Williams. That is not entirely true. As you know, the 
HAVA legislation requires that the system have the capability 
to print ballot images. The Diebold system can do that. As a 
matter of fact, it can print them in a format that can be read 
on an optical scan machine if you want to. I have never known 
anybody to actually do that, but the capability is there.
    Mr. Rubin. That would be a pretty useless thing to do.
    Mr. Mica. Hey, join the club up here. We do a lot of 
useless things and spend a lot of money doing it, too. That is 
part of my point.
    Okay, everyone has agreed that there is no way to verify 
the vote of an individual.
    Mr. Shamos. With the current systems that are deployed, 
that is correct.
    Mr. Mica. And we have no way of really changing--everyone 
agrees that before this election basically there is no way to 
add any other security checks or enhancements to existing 
machines, that what we have got is what we are going to go 
with, basically?
    Mr. Williams. That is right. We talk about November, but 
November is not really the date. You have got to send out your 
absentee ballots 45 days ahead of time. So, actually, you have 
got to put your election to bed 45 days before November 2.
    Mr. Mica. I am trying to get a glimpse of the 2004 
election. I think you are providing that.
    I don't mind spending Federal money to make certain that an 
election improves voter participation and accuracy and 
security. However, I am concerned the way we spent money here, 
I think we did it by a formula, and each State got, based on 
population of voters, a distribution. Is that the right way? 
What should the Federal role be in this process?
    Traditionally, you heard my comments at the beginning, the 
State and locals really run the show, and you have got a mass--
someone said 1.4 million volunteers. These aren't people that 
we are taking in and giving computer technical training and 
operations. These are folks that will get a little course here 
and there.
    To get the biggest bang for the Federal buck--and, also, 
what is our Federal responsibility in this process? Maybe we 
could go down--that will be a major question. What is our best 
role with our money and our position to make this work in a 
cost-effective manner and that gets us the best results?
    Mr. Shamos. Until recently, I believed that the best role 
for Federal Government in elections was hands off. 
Unfortunately, what has happened is that the States' attitude 
has also been hands off. The States have one by one been 
abdicating their responsibility for testing and certifying 
voting systems. What they have done is to rely instead on the 
Independent Testing Authority process and the voluntary FEC 
standards, which are now known as the FVSS. The idea there is 
that there are some standards voluntarily proposed by a body 
and there are independent testing authorities who supposedly 
test the machines to those standards and they produce a letter 
that says----
    Mr. Mica. When you say ``machines,'' are you just talking 
about electronic? Or all machines?
    Mr. Shamos. There is computerized voting and then there is 
DRE voting. I am including anything that involves a computer. 
The Independent Testing Authority produces a letter that says 
we tested this system to the Federal voting system standards 
and it passes. In many States, that is sufficient. The States 
themselves don't do any subsequent evaluation of the machine. 
They just accept that letter at face value.
    It is obvious that there is something wrong with that 
process, because all of these systems that have been found to 
have security flaws, particularly the system examined by Dr. 
Rubin and his colleagues, they were all ITA certified. And so 
it raises the question exactly what are these ITAs doing and 
are the standards adequate.
    I have looked at the standards. They are 300 pages long, 
and I have them with me. Many of the concerns we have discussed 
today received no attention or one or two sentences' worth of 
attention in these standards. So I don't believe the standards 
should be voluntary.
    I think that in elections for Federal offices there should 
be mandated Federal standards these systems should have to 
obey, and there has to be some serious attention given to 
updating the standards and keeping them updated. As new attacks 
and new modes of attack are discovered, there have to be new 
standards to attempt to respond to those. We don't have such a 
system right now.
    Mr. Mica. Anyone else?
    Mr. Williams. We don't have the system, but you have put in 
place the mechanism. The EAC is the organization to address 
these problems. It has been slow getting off the ground, but 
with all of the problems that we know are in the HAVA 
legislation, I think basically it is doggone good legislation.
    I have worked with the NASED program, the FEC program since 
its inception in 1986; and it has been an entire volunteer 
effort. That shows. With things that Mike is talking about 
here, there are problems with it. The problems are primarily--
it is not because we didn't know better. It is just because we 
didn't have the resources. But now with the HAVA legislation, 
we have got the resources.
    The Technical Development Committee is meeting for the 
first time Friday. They have 9 months to produce a preliminary 
standard. Things are beginning to happen. I think the best 
thing that this committee can do right now is to give the HAVA 
legislation a chance to work.
    Mr. Shamos. The problem I see there is, even after the EAC 
does its work, the standards that it develops or the standards 
that it developed under its leadership will still be completely 
voluntary standards. It will not be mandated for the States to 
follow.
    Mr. Williams. Yes, but I would like to not say a priori 
that those are going to be the law. Let's develop them, look at 
them and decide whether or not they are good enough to be the 
law. Let's let people like sitting here at this table take a 
look at those standards.
    Mr. Mica. You are saying the standards will be sort of an 
evolving set?
    Mr. Kohno. I would like to comment on that.
    Someone made an argument to update the standards as we find 
new attack modes. That kind of hints at what concerns me most 
as a computer security expert. These machines are still new. 
The assumption is that we are going to expect to keep finding 
new attack modes. That I think is a very scary idea, because it 
means that we are at a state where we don't know what all the 
attacks are. We are going to be finding new ones and evolving 
the standards over time. I don't want to be using something 
that is standardized, and the standardization says this is what 
we know now, but it is not perfect. There might be attacks 
discovered in the future, so we are going to revise these 
standards.
    But the first question you raised was along the lines what 
can the government do. I am a computer security person, not a 
person in the government. I don't know what is within the 
limitations of me to allow for you to legislate, et cetera. But 
I think that one thing I believe is very important is for the 
voting process to be very open.
    I think Ranking Member Larson asked a question earlier or 
was talking about--there are two different issues going on. One 
is, are the elections themselves going to be secure? The other 
issue is, will the public believe that the elections are 
secure? I think these are two different things, and I believe 
one important thing we need to think about in the future, you 
have to weigh the importance of these two things. Do we want a 
system that is secure but the public doesn't have faith in for 
various reasons? To me, I believe it is important for the 
public to believe the election was secure. Toward this end, I 
believe developing a model where the public can look at and 
verify for themselves that the voting systems are secure and 
reliable is very important.
    Mr. Mica. Dr. Rubin is the only one that didn't comment.
    Mr. Rubin. I think the best thing the Federal Government 
could do is put independent back into the Independent Testing 
Authority. They should be the ones hiring the testers and the 
certifiers, as opposed to the vendors who are making the 
machines.
    Mr. Mica. Thank you.
    The Chairman. The gentlewoman from California.
    Ms. Millender-McDonald. Thank you, Mr. Chairman. From the 
testimony this morning and if the public is looking and 
listening, they have absolutely validated that there is no 
assurance that there is security in their voting. This is what 
members in the minority community grapple with all the time, 
that their vote will not count because there is no verification 
that their vote is being counted. But the one thing I suppose 
we can all agree to, that there is no such thing as a risk-free 
system. Am I correct, gentlemen?
    Mr. Shamos. Yes.
    Ms. Millender-McDonald. Secondly, whether there is a paper 
trail or not a paper trail, there is never a means for a 
complete or verification accuracy count, am I correct on that? 
Is that a correct assumption?
    Mr. Williams. Not as long as we have secret ballots.
    Mr. Shamos. In the currently deployed systems, that is 
correct. There are proposals for systems that would remedy that 
defect.
    Ms. Millender-McDonald. Let me ask you, for the umpteen 
years that I have voted--and I do not care to tell you those 
number of years--when you go to the polls to vote, you have a 
ballot that is given to you. The ballot has a top part that is 
detached from when you finish and complete your ballot, and 
they put that larger ballot into a box, and they give you this 
little detached piece saying that I have voted or whatever it 
says, but it carries a number. That number cannot be verified 
if there is a recount? You can never go into that box? 
Assumedly, that is the box you voted from--or is that the 
operative word? "assumedly," that is the box you voted--your 
ballot went down in, to compare that from that stub that you 
get, compare it to the ballot that is put into the box?
    Mr. Shamos. No, because the number is on the stub only. It 
is not on the ballot.
    Ms. Millender-McDonald. I see.
    Mr. Shamos. It is a privacy problem.
    Mr. Williams.  In most States, by law you cannot have any 
identifying mark on the ballot that could be identified back to 
the voter.
    Ms. Millender-McDonald. In other words, then it is true 
that we do not--the position is not there or the system is not 
set up for recounting to be done accurately then? Is that a 
fair statement?
    Mr. Rubin. The idea behind the meaningful recount concept 
of voter-verifiable ballots is that if you have a box full of 
ballots that voters looked at and put them into that box, then 
while you won't know which ballot corresponds to which person, 
it is the best effort, best hope you have of counting the 
voter's intent.
    Ms. Millender-McDonald. Absolutely true.
    Mr. Rubin. That is why I and many others have been 
advocating voter-verifiable paper ballots, so that you have 
something to go back and count.
    Ms. Millender-McDonald. Yet we don't have to bring up 
Florida again. Because Florida indicated that, even with a 
paper ballot, that was not an assurance that that could be a 
count that was accurate in the sense of accuracy.
    Mr. Rubin. The ideological difference is that I think the 
way to improve Florida is to design better paper ballots where 
you won't have hanging chads or be confused about which hole to 
punch. You can accomplish that with a system I described in my 
initial testimony where you have all the benefits of a DRE for 
vote casting but you have all the benefits of paper for vote 
counting.
    Ms. Millender-McDonald. Dr. Williams, in your testimony you 
indicate that you do have your DRE now in place for Georgia, 
the State of Georgia. It has been replaced by all other systems 
that you have once used.
    Then I see an article by the California Secretary of State 
Shelley who says in this article, a number of failures, 
including touch screen machines in Georgia, Maryland and 
California, has spurred serious questioning of the technology. 
Of course, as you know, our Secretary of State has banned to 
some degree the use of the Diebold system, although in one of 
my cities in my district we do use it, and he has not banned 
that one. But he is kind of contradicting what you have said in 
your statement, or is that a contradiction?
    Mr. Williams. I have no idea what he is talking about. We 
installed that system--we first used it in November of 2002, 
and we have right now held over 500 elections using that 
system, and we have not had a problem yet that we could 
attribute to the system per se. We have had problems, but they 
have all been typical human-type problems that you have with 
any system.
    Ms. Millender-McDonald. So this article that is dated May 
of this year really does not speak to your testimony and 
especially that that I have dated April, 2003?
    Mr. Williams. That is correct. There is a learning curve on 
anything. The first time we used the system, there were some 
problems in some of the precincts, but these are mostly 
training issues and so forth.
    We haven't talked much about training, but if you asked me 
what is the one thing you can do to improve your elections, the 
answer is, train your poll workers. And I don't care what kind 
of voting system you have got. A well-trained poll worker can 
overcome a lot of problems in a voting system; and, conversely, 
a poorly trained poll worker can cause you a lot of problems, 
no matter what your voting system.
    Ms. Millender-McDonald. I think it was Dr. Shamos who said 
test, test, test, train, train, train, or one of you said that. 
Who would be the most reliable training source to train 
persons, especially in the minority communities? Because they 
really still do not believe that their vote counts and that 
there is a reliable system that really speaks to their having 
security in voting.
    Mr. Williams. In Georgia, we have a Center For Election 
Systems at Kennesaw State University. We provide training to 
county election superintendents, all 159 of them; and we do not 
train poll workers directly, but we train the people who train 
the poll workers. That is a huge effort that is ongoing.
    Ms. Millender-McDonald. I would think it is because you are 
training the persons who train the poll workers which you are 
not sure the poll workers are being trained, given the trainers 
that you have training them. If that is not a convoluted type 
statement, what else is? It is frustrating to sit here and hear 
this and to know those folks who are out there in the heartland 
and in the other part of our country are really frustrated 
about this whole voting system.
    Mr. Williams. We have got hard statistics to demonstrate 
that we have greatly reduced the number of spoiled ballots in 
the predominantly minority districts.
    Ms. Millender-McDonald. Is that right? I would like to get 
that, if you can give me a copy of that.
    Mr. Williams. Be happy to.
    Ms. Millender-McDonald. Is there anyone on this panel 
outside Dr. Rubin who thinks that the ballot, the paper ballot, 
is the best way to go? Is there anyone else here who thinks 
that, over and above the DRE?
    Mr. Kohno. I agree with that, especially in terms of 
between now and November.
    I think the thing that I was trying to make before--the 
statement I was trying to make before is, the systems we know--
we know the system we analyzed had serious security problems. 
We know that the certification processes don't address these 
security problems. So I think the thing to do in the short term 
definitely is that we need to--yes, to answer your question I 
think I do.
    But I think I also wanted to--you were talking a lot about 
testing. I think one important thing to address is whether 
testing--I am sorry--not testing, you are talking about adding 
procedures, training people for procedures. I think the 
important thing to address is whether your having poll workers 
trained for election day is going to be sufficient enough.
    One analogy I kind of like to think about was that we know 
that the systems right now may have a lot of security 
vulnerabilities. You are trying to rely on people and 
procedures to help protect the systems. An analogy you might 
want to talk about is like a bank saying, I know our safe 
doesn't work or I don't have a safe, but I am going to assume 
that no one is going to steal money because I have a lot of 
people walking around and following the procedures I have 
outlined.
    One thing to keep in mind, the people implementing the 
procedures may be the adversaries as well.
    Another thing, I was recently at a meeting at the Kennedy 
School of Government on electronic voting. One of the election 
officials there made a very interesting point. Her observation 
was that when people--anytime anyone starts a new job, you kind 
of expect them to make mistakes on their first day. That is not 
an unreasonable assumption. But the concern is that, for 
elections, every election day may be the first and only day for 
the people that are volunteering or being paid to work the 
polls that day.
    These are two things to keep in mind, I think.
    Ms. Millender-McDonald. Let me ask one more question here. 
With the AAPD, the American Association of People with 
Disabilities, which one of these systems will best address 
their needs or if any of these will? A paper ballot? Braille?
    Mr. Rubin. I think the needs of the disabled community 
definitely need to be addressed with voting, and what has 
happened is we have taken in the design of the machines that 
are being used today like the Diebold machines, we have taken 
that as the predominant property to address. And it has been 
addressed. I think that it is possible to build systems that 
address those needs equally well and also address security. 
That hasn't happened yet. Having a machine that allows a blind 
person to vote but also allows some malicious person to change 
the entire outcome of the election is not anything that anyone 
desires, not even a blind person. I think that we cannot ignore 
security.
    Mr. Shamos. I don't agree exactly with that 
characterization. It is not a choice of one or the other. The 
disabled rightly argue that if there is going to be voter 
verifiability then they ought to be able to participate in that 
also. There are means of offering voter verifiability without 
the requirement of having a piece of paper which they cannot 
read.
    So I am not against voter verifiability in any way. I am 
against attempting to accomplish it with paper where that paper 
becomes the official ballot. If you want to print out a piece 
of paper to convince the voter that her choices were correctly 
heard by the machine, there is nothing wrong with that. I just 
don't want that piece of paper to become the official ballot, 
because we have 150 years of history in which people with no 
training or education at all have been able to successfully 
manipulate those things.
    It is true that there is no centralized manipulation 
possible with paper. The manipulations are only local. Whereas 
there is centralized manipulation possible with software, but 
it is the very centralization that makes it easier to detect.
    Again, safes are not safe. Many banks have had safes broken 
into. That doesn't mean that we have disbanded the banking 
system. It may mean that it is necessary to hire more security 
guards and install video cameras to watch the safes.
    But I disagree with the concept that perfection is required 
and as soon as someone points to some vulnerability we must 
shut down the entire system. There are security flaws of all 
kinds in these DRE systems, some much worse than others. Some 
are really excellent. Because there are security flaws, that 
doesn't mean that the election will necessarily be tampered 
with. It doesn't even necessarily mean that the probability 
will be high that the election will be tampered with. It means 
we have 25 years of history of using DRE machines and no one 
has been able to demonstrate that any election ever was 
tampered with, despite the fact that there have been numerous 
problems of all kinds, not necessarily related to security. So 
it is not a choice of one or the other. Paper certainly doesn't 
help the disabled, though.
    Ms. Millender-McDonald. Mr. Chairman, thank you so much for 
such an interesting and absolutely--although very thorough by 
the experts here, still very convoluted type of concern that we 
have, especially when we are preparing for the largest election 
in this country.
    I note my dear friend and colleague Congressman Holt is 
here. He had a statement to submit for the record. By unanimous 
consent, may we have that?
    The Chairman. The Congressman can submit it for the record, 
without objection.
    Ms. Millender-McDonald. Thank you, Mr. Chairman.
    [The statement of Mr. Holt follows:]

    [GRAPHIC] [TIFF OMITTED] T7366A.050
    
    [GRAPHIC] [TIFF OMITTED] T7366A.051
    
    The Chairman. Mr. Larson, the Ranking Member, has another 
question, but, on the point, I think this discussion needs to 
be--everybody knows there is politics in this building, but 
this discussion really needs to--that is the way it has gone 
today--to rise above the political. There was a maligning 
editorial, I think a disgusting editorial on this whole issue--
I mentioned this 2 weeks ago--really maligning people, 
especially people that are out there fighting for persons that 
have some form of disabilities. So there is the political side 
of this, the emotional side of this, but I think this type of 
hearing is a better way to look at the issue.
    But, also, within the civil rights community and within the 
community of people that have some form of disability, they 
have genuine concerns about the paper ballots. I do not think 
it is just so clear-cut that you are either the good people if 
you are for the paper ballot or bad people if you question the 
merits of a paper trail. I don't think it is a clear-cut issue. 
I think there is some science to look at here and also the 
evolution of our elections. But the one thing for sure is we 
don't want people disenfranchised. That is the most important 
thing to consider.
    Six years ago, Georgia's system had a high undervote rate. 
Dr. Williams answered 4.8 percent was the ballot error rate. In 
2002, after deployment of the new systems that they have in 
Georgia, it was 0.87 percent, a fivefold reduction in 
undervoting. There were 71,000 votes in 2000 that no one voted 
at the top of the ticket; and now, under their system, it has 
been drastically reduced--if you hear 4.8 percent, that doesn't 
sound big, but 71,000 in that election was a lot of people. So 
am I correct in understanding that the undervote rate is down 
to 0.87, is that correct?
    Mr. Williams. That is correct. We are not willing to give 
that up for concerns that have never occurred, for pure 
conjectures, when we have never yet had the first hint of 
problems. We have been using computer-based systems in Georgia 
since 1964. DeKalb and Fulton County were the first 
jurisdictions in the United States to count ballots on 
computers. In that whole period we have not once had anybody 
attack the computer system.
    Ms. Millender-McDonald. Mr. Chairman, just as a follow-up 
to what you are saying, Dr. Williams, what I am interested in 
is seeing in the minority community the reduction of the 
problems that have occurred since you are using DRE. If there 
is a comparison on your report that you are going to submit to 
me, I would like to see that as well.
    Mr. Williams. The figures he is quoting are State averages. 
In some of the communities, those undervote rates were much 
higher than that. They went up to much higher numbers in some 
communities. What he is quoting is the average.
    Ms. Millender-McDonald. Mr. Chairman, in the City of Carson 
where we have a DRE, those voters, seems to me, that that 
electronic voting is much more secure than the paper voting, 
given the Florida's issue. However, since the whole notion of 
paper trail has come about, now they are concerned as to 
whether or not there is reliability. I suppose no matter how 
you cut this there will always be the chances of voters being 
concerned about the whole notion of whether their vote has been 
counted.
    Mr. Shamos. Much recent analysis has gone into looking at 
the security of electronic voting systems, and it should. I 
completely agree with the notion that we need as complete a 
list as we possibly can have of the vulnerabilities. We also 
need transparency in these systems.
    I am not aware of any recent studies where people have 
looked again at paper ballots, looked at the physical handling 
procedures for paper ballots to try to develop a list of 
vulnerabilities there. This country over a long period of time 
discarded paper ballots to the point where they are used in 
less than 1 percent--to cast less than 1 percent of the vote in 
this country. We have gone over to various other systems to 
eliminate chicanery.
    When the lever machine was introduced in 1892, its inventor 
said of it that its purpose was to protect the voter 
mechanically from ``rascaldom,'' an interesting new term. I had 
never heard that before. I think it is pretty clear what 
rascaldom is, however. And that is because of rampant--once 
every 12 days since 1852--rampant stories of all kinds of 
tampering with paper ballots. So I think somebody should do a 
new study looking at whether paper is more or less secure than 
the voting systems that we know have security vulnerabilities.
    Ms. Millender-McDonald. I think that would only be fair, 
given that we have arguments on both sides, that we should look 
both places for that type of reliability.
    The Chairman. The gentleman from Connecticut.
    Mr. Larson. Thank you. I thank the chairman for the great 
latitude that we have had this morning in exploring these 
issues because it is so important.
    I would note this past Friday, in fact, we marked the 40th 
anniversary of the signing of the Civil Rights Act of 1964; and 
the gravity of this, of course, comes home today. Many people 
fought and gave their lives for the right to vote and how 
serious this is. I think across this panel and across this 
Nation, people are very much concerned. I think that is 
heartening to see.
    Again, I want to commend the chairman, Mr. Hoyer and others 
for HAVA, because I do think--although I disagree with Mr. 
Mica, I think that it is important to have a funded mandate. 
For so long the States have had to bear an unfunded Federal 
mandate in handling all of our Federal elections. This provides 
an opportunity for them to receive the appropriate kind of 
money.
    I want to go back because I think, as I listened to the 
testimony and hear the arguments put forward, Dr. Shamos, you 
said that if we strive for perfection, we can't get there given 
there has been no system designed to date that will allow for 
that. So, within that context, we have to look and see what the 
risk is and what was the risk analysis and what we can arrive 
at in terms of the best system.
    It seems we have two goals in front of us. One ongoing, to 
continue to strive towards perfection as we project out into 
the future and the other a more immediate goal in terms of the 
November election whose backdrop is the election of 2000 and 
the concerns that have been raised.
    I would add and it seems at least--and I don't want to put 
words in anyone's mouth--that there was a general consensus 
that in the short term testing, testing, testing, training, 
training, training, testing with the Rubin corollary of 
independent sources is a very logical remedy, though I think 
Dr. Kohno would prefer that there be a paper trail that would 
go along with that, or as Peter Finley Dunn would say, trust 
everyone but cut the cards. But it seems to me at least in the 
short run that those seem to be goals that we could accomplish 
as the debate still goes on between whether or not the idea of 
trust and verify, of the paper trail being the best possible 
alternative for us to go to, the most secure alternative to go 
is further explored. Is that a fair statement? And how would 
you respond to that?
    Mr. Kohno. I guess I will respond since I was singled out 
as maybe disagreeing, but I actually don't disagree. I think 
that I would prefer to go back to the voter-verifiable paper 
ballot if we can, but it sounds like there are various 
procedures and various things that might prevent that. In that 
case I agree. You want to do the best you can to raise the bar 
in an attack. If that means you have to do more testing and do 
more secure analyses and changing the procedures, if that is 
actually the best you can implement, then I say you should at 
least do that.
    Mr. Shamos. And I think paper has some use. It certainly 
has use in commercial transactions. One of its uses is to point 
out errors. So my belief is that if a voting machine is making 
a record and it is making a simultaneous record that the voter 
can see and there is some discrepancy between the machine 
record and the one that the voter sees, that is the starting 
point for investigation.
    Forensic experts come in, they tear the thing apart, and 
they find out what is wrong with it. They don't propose that it 
is the right thing to do, to take the piece of paper and make 
that the official ballot, any more than it is right to take the 
electronic record and make it the official ballot if there is 
something wrong with it unless we can have adequate handling.
    Mr. Rubin. I am very impressed with your ability to extract 
all the points of agreement and consensus and I agree with your 
summary of our positions.
    Mr. Larson. Thank you.
    The Chairman. I want to thank all four witnesses. I think 
it was a very, very fascinating hearing and I want to thank you 
for coming to the Capitol.
    We will move on to the second panel. I want to thank the 
second panel for waiting a period of time. We have Linda 
Lamone, Administrator of the Maryland State Board of Elections; 
and Kathy Rogers, Director of Elections Administration, Office 
of the Georgia Secretary of State; and Jill Lavine, Registrar, 
Sacramento County, California. I want to thank all three of you 
for coming.

 STATEMENTS OF LINDA H. LAMONE, ADMINISTRATOR, MARYLAND STATE 
    BOARD OF ELECTIONS; KATHY ROGERS, DIRECTOR OF ELECTIONS 
 ADMINISTRATION, OFFICE OF THE GEORGIA SECRETARY OF STATE; AND 
     JILL LAVINE, REGISTRAR, SACRAMENTO COUNTY, CALIFORNIA

    The Chairman. If we could, Ms. Lamone.

                  STATEMENT OF LINDA H. LAMONE

    Ms. Lamone. Thank you very much, Mr. Chairman, and members 
of the committee. I am more than pleased to be here today.
    A lot of the discussion on the previous panel focused on 
the voting equipment, and I want to emphasize to you all that 
voting is not only the voting system; that it has many other 
components, and they involve people and procedures and those 
other components are equally important to the whole process.
    The other thing that has been stressed this morning is 
testing. I think I can safely say that both Georgia and the 
State of Maryland test this equipment beyond what anybody ever 
expected or what we thought we would have to do. We have at 
least four preelection testing procedures that the equipment 
must survive successfully before it can be used in an election. 
That does not include the ITA or independent testing 
laboratories that do the testing to meet the Federal standards.
    We also, when we do the testing in Maryland having anything 
to do with the software, we always involve two other entities 
besides my staff, and that is a quality assurance firm and 
something called an independent validation and verification. 
These are firms that we contract separately. They all have 
security clearances and the other credentials necessary.
    So we have very high competence in Maryland that when we 
test this equipment, we are testing it to the highest standards 
and highest quality possible. We also do other testing, that 
Dr. Williams mentioned, in Georgia; and that is to make sure 
there are no Trojan horses or other malicious code. And I would 
think that since the Diebold--which we both use--voting 
equipment code has been in the public domain for a year, if 
there was malicious code or otherwise in that system, it would 
have certainly been discovered by all the hot-shot ITA people 
or information technology people that claim to know all about 
elections all of a sudden.
    In Maryland, we have also had our voting system analyzed by 
two independent securities firms. One was the first one, SAIC, 
and the second one was done by a company out in Columbia, 
Maryland. We have had both firms report to us the risk 
assessments, the mitigations that they thought we should take 
and Diebold should take, and both of them assured me in their 
written reports that the voting equipment counted, recorded, 
and tabulated the votes 100 percent accurately. And again, that 
gave us a great deal of satisfaction and confidence in our 
voting system.
    In addition, the SAIC also thoroughly investigated the work 
that was produced by Professor Rubin, and they made four 
recommendations to us, all four of which have been implemented 
in Maryland. One was to have the ability to protect the--or 
create the passwords on the voter access cards; two, the same 
thing with the activation cards or the memory chips on the 
voting equipment; three, randomize the votes; four, use 
encryption for any modem of the unofficial votes on election 
night. All four of those recommendations were implemented in 
Maryland prior to the March 2004 primary.
    I think another interesting thing is that the computer 
scientists have all these things--conjecture could happen. It 
is conjecture that someone is going to be able to go out there 
and mass-reproduce the voter access cards so they can have 
access to the voting units and manipulate the election. They 
also say they are going to be able to do the same thing with 
the memory cards. Yet again, the source code has been in the 
public domain for a year and no one has successfully done that. 
No one. And I would suggest to the committee that if it were 
possible to have done so, they would have come forward to let 
the world know, because they like to tell people how well they 
can do things like that.
    We are doing an upgrade of the system now, and we will do 
another whole security analysis this summer. I have three full-
time employees on my staff that are devoted to nothing but 
security issues. We have developed with, again, another 
independent outside security firm for an entire information 
security plan for the office, not only on the voting system but 
on every aspect of the process of conducting elections, 
including voting registration.
    A lot of the issues this morning also talked about the 
paper trail. And I understand, Congressman Larson, I appreciate 
your characterization of the positions because I think they 
accurately reflect mine and everyone else in the Nation who has 
to deal with the issue and who cares very deeply about having a 
secure and safe election.
    But let me just show you what a paper trail would look like 
for one voter from Baltimore County, Maryland in the March 2, 
Super Tuesday primary. This is 10 feet long, one voter; and it 
took us 4\1/2\ minutes to print it out. Granted, we had to shut 
down the election to print the thing out because the system 
isn't geared right now to printing a contemporaneous paper 
trail. But that is a lot of paper per voter. You look at the 
turnout in the November primary or November general election, 
probably 80 percent in Maryland, it is going to be a lot of 
paper we are going to have to have.
    And let me ask you, how are your constituents going to 
react when the printer paper jams and they say, Mr. Technician, 
will you come over here and help me unjam this paper trail, 
because the machine won't let you cast your ballot until you 
print this paper. When that technician walks over, he or she is 
going to be looking at a live ballot on the voting equipment. 
And for those of you who have optical scan balloting in your 
jurisdiction in the past, you know how protective the voters 
are. They don't want the poll workers to see their ballots. We 
use privacy screens to try to protect them. On the DRE, before 
you cast your ballot, your review ballot screen is live. It 
shows how the voter has voted, and that is what the technician 
is going to look at.
    And I think you need to know that the printer engineering 
community at IEEE is convinced that the printers that the 
voting vendors are now producing are not going to meet the 
standards we need to have to have a safe and reliable election. 
Mr. Rubin had an experience as an election judge in Maryland, 
and he said when they went to close the election they had a 
discrepancy between the number of votes on the DRE units and 
the number of votes that they had checked in. I suggest to the 
committee that the reason was human error. The machines were 
correct. The people handling the pieces of paper, the voting 
authority cards, the poll books, had made a mistake.
    And that is exactly what we are trying to get away from 
with the electronic voting equipment, aside from all of the 
other attributes that you have discussed here already.
    The other thing that really, really irritates me and my 
colleagues around the country is the irresponsibility of the 
way the press has handled this issue. They start with one 
problem, and all of a sudden it is attributable to the voting 
units. Let me give you an example. In Maryland, right down the 
street from my office, they delivered the wrong encoders. That 
is the device that puts the ballot on the voter access card. 
They delivered the wrong encoders to a single precinct. It was 
human error. They simply mixed them up. And when they went to 
program the cards and the voter put them in the voting unit, it 
wouldn't pull up a ballot because it was the wrong encoder for 
the wrong voting units. It worked as it was supposed to work. I 
had international press at that precinct reporting that as an 
equipment failure, and that got perpetrated over and over and 
over again, that that was a major problem in Maryland. It 
wasn't a major problem. We didn't have any major problems in 
Maryland with the voting equipment.
    Everything that happened that went wrong was attributable 
to human error. And that is because now we are boosting our 
training and voter education. We are spending millions of 
dollars on security, on training, on voter education, and we 
still get nailed in the press.
    You asked what we are doing to get the word out. We can't 
get our word printed. We put out all this good stuff that we 
are doing. When we sit down to educate a reporter and finally 
teach him or her everything we do, they go in and say, wow, I 
had no idea you did that stuff.
    CBS news was in Maryland a week ago Monday, and when my 
staff finished explaining to them everything we go through, 
they were convinced. We will see if they will actually 
broadcast that, which will be on this Sunday morning on Sunday 
morning news.
    The other thing that the New York University Brennan report 
came out with is a lot of issues about each State should have a 
security analysis done like we have done in Maryland. Let me 
suggest that I think that we would have a lot better economy of 
scale if NIST or someone like that did it on each voting unit 
and provided it to the States so we could use our management 
and other procedures to then implement it and control it.
    I see my time is up. I thank the committee for the 
opportunity to appear today.
    The Chairman. As they always say, they don't report when 
the planes land, you know.
    [The statement of Ms. Lamone follows:]

    [GRAPHIC] [TIFF OMITTED] T7366A.052
    
    [GRAPHIC] [TIFF OMITTED] T7366A.053
    
    [GRAPHIC] [TIFF OMITTED] T7366A.054
    
    [GRAPHIC] [TIFF OMITTED] T7366A.055
    
    [GRAPHIC] [TIFF OMITTED] T7366A.056
    
    The Chairman. Ms. Rogers.

                   STATEMENT OF KATHY ROGERS

    Ms. Rogers. Thank you very much. As you know, the 2002 
general election was a milestone in Georgia history as we 
became the very first State in the Nation to implement a 
statewide uniform electronic system of voting. On that one day 
on November 2, 2002, many concerns and fears were laid to rest. 
The elderly did not have trouble voting on Election Day and 
voters were not afraid of the new technology. For the very 
first time, every voter was afforded an opportunity to vote on 
the same equipment, using the same interface as their neighbor 
in the next county.
    That fact seems to be forgotten today. By upgrading our 
voting system platform, Georgia corrected a problem which was 
very close to being a disaster. And in the almost 2 years since 
that very first successful election, Georgia counties have 
conducted over 450 individual elections using the statewide 
uniform electronic voting system. Georgia voters have expressed 
their approval in not one but two independent studies which 
were conducted by the University of Georgia. These studies 
found that Georgians overwhelmingly prefer electronic voting to 
any other means. More than 70 percent of the respondents 
reported they were very confident that their vote was 
accurately counted, and some 97 percent reported that they 
experienced no difficulties whatsoever when using electronic 
voting. These numbers have already been thrown out, but I don't 
think it hurts to reiterate them again.
    Six years ago on our antiquated voting platforms, the top 
of the ballot of the U.S. Senate race was a 4.8 percent 
undervote rate of total ballots cast. Of enormous concern to us 
was also our analysis of 90 minority precincts in which we 
showed an extremely high undervote rate that in some cases 
topped 10 percent in predominantly African Americans precincts. 
After 2002 and the deployment of our new system, the undervote 
rate in the top of the ticket ballot was reduced to a mere .87 
percent. That is a fivefold reduction in undervoting.
    The paper receipt debate has generated a great deal of 
inaccurate, false, and misleading information by those who are 
calling for its very hurried implementation. Conspiracy 
theories do abound. No system, as has been stated earlier, 
whether electronic, mechanical, or paper based, can be made 100 
percent invulnerable to attack; but the facts are the current 
system of voting is more secure than any type of voting that 
has ever been used in the history of Georgia elections.
    We in the State of Georgia did not sign a contract with our 
vendor and simply walk away from the process. Rather, we have 
provided oversight and direction to our counties through every 
step of implementation and we continue to do so to date.
    Let us consider the practical realities of paper receipt 
for just a moment. We have discussed how would each receipt be 
collected, how does the voter view it. You saw the prototype 
from Maryland. Georgia has created one that is about 31 inches 
long. It brings into question how you would store the paper for 
some 4 million voters in the State of Georgia and the voiding 
and the spoiling of the ballots.
    I heard mentioned earlier the possibility of a paper 
shredder. I am not sure we want paper shredders in our polling 
places on Election Day. There is also the question of what is 
the official record of the election? I have heard a lot of 
controversy about which would be the official. If it is the 
paper, what happens if so much as one piece of that paper were 
to become mangled or destroyed? Have you then called your 
entire election into question?
    If even 1 percent of Georgia precincts were to experience 
problems implementing a paper trail on Election Day, that would 
translate to 30 polling places in the State of Georgia. I can 
assure you if that were to happen, it would no doubt be 
portrayed as a catastrophic failure by the public and by the 
press.
    We also find it very remarkable that even as many activists 
are calling for this hurried implementation of paper receipts, 
these same critics express no concern whatsoever over the 30 
million Americans who will be voting on a punch-card system 
this November. We can be certain that hundreds upon thousands 
of Americans will be disenfranchised by these punch-card voting 
systems which have been proven to be far more inaccurate than 
our current system of voting. And yet we hear no impassioned 
pleas from journalists or the activists that these systems must 
be decertified before November, and we have to ask the 
question, Why?
    We agree, as do all election officials, that we must 
continue to embrace a concept of continuous improvement in 
election security and we recognize that much of the debate has 
been healthy. And some of it has surfaced significant 
shortcomings which needed to be addressed.
    We in Georgia cannot overstate the value of having an 
independent, technically competent center like the Kennesaw 
Center for Election Assistance which is staffed with elections-
oriented computer scientists who are equipped to audit and test 
voting systems. Every day we continue to review our security 
practices. And over the last 18 months, we have strengthened 
our procedures and our practices a great deal.
    I applaud the interest of this distinguished committee in 
the important public policy issue, and we stand ready from 
Georgia to assist you in any way that we can. Thank you.
    The Chairman. Thank you for your testimony.
    [The statement of Ms. Rogers follows:]

    [GRAPHIC] [TIFF OMITTED] T7366A.057
    
    [GRAPHIC] [TIFF OMITTED] T7366A.058
    
    [GRAPHIC] [TIFF OMITTED] T7366A.059
    
    [GRAPHIC] [TIFF OMITTED] T7366A.060
    
    [GRAPHIC] [TIFF OMITTED] T7366A.061
    
    [GRAPHIC] [TIFF OMITTED] T7366A.062
    
    [GRAPHIC] [TIFF OMITTED] T7366A.063
    
    [GRAPHIC] [TIFF OMITTED] T7366A.064
    
    [GRAPHIC] [TIFF OMITTED] T7366A.065
    
    [GRAPHIC] [TIFF OMITTED] T7366A.066
    
    [GRAPHIC] [TIFF OMITTED] T7366A.067
    
    [GRAPHIC] [TIFF OMITTED] T7366A.068
    
    [GRAPHIC] [TIFF OMITTED] T7366A.069
    
    The Chairman. And we will move on to the last witness.

    STATEMENT OF JILL LAVINE, REGISTRAR, SACRAMENTO COUNTY, 
                           CALIFORNIA

    Ms. Lavine. Thank you. I am Jill Lavine and I am from 
Sacramento, California. And Sacramento County was the first 
jurisdiction in the United States that has conducted any 
portion of an election using touch-screen technology that was 
incorporated in a voter-verified paper audit trail. Ours was a 
very limited early voting project which is described in detail 
in my written report. The equipment for this pilot was the Vote 
Trakker system provided to Sacramento County by Avante 
International Technology, Incorporated. The pilot was 
authorized by the Voting Systems and Standards Procedure panel 
within the Office of the California Secretary of State. 
Additional authorization was provided by the Sacramento County 
Board of Supervisors.
    This project involved early voting in six locations for a 
period of 11 days prior to the November 5, 2002 election. 
Voters from anywhere in Sacramento County were permitted to 
vote at any one of the six locations. There were a total of 246 
variations of the ballot for this election. The voting units 
were accessible for blind voters, to voters with disabilities, 
and each voter was able to choose a language: Spanish or 
English. A total of 1,612 valid ballots were cast at these 
early voting locations.
    This experiment with the voter-verified paper audit trail 
was conducted under very controlled conditions. Each of the 
early voting sites was staffed with various personnel from our 
office and a technician provided by Avante. The equipment and 
the system met our requirements and expectations. We considered 
the project a success. The reaction to the equipment was mostly 
positive. Comments and observations from the poll workers, 
voters in the poll, and the others are contained in my written 
report.
    In the interest of time, I will limit my time to the use of 
the printed ballot and the challenges it presented. Some of the 
voters did not want to see the ballot and fled before the 
ballot was able to print. There are approximately 20 of these 
voters. This could be a major problem. If a voter walks away 
before approving the paper version of the ballot, is the ballot 
counted? Some voters wanted to take the copy with them. We 
called the printed copy a receipt, which implied they could 
take it with them. This is obviously a mistake and is easy to 
change. The printed ballot jammed. This caused the machine to 
be taken out of service until the problem was corrected. In 
order to remove the jammed ballots, we had to use anything that 
was handy. For example, a back-scratcher and a windshield wiper 
blade were used to pull the ballots out. Voters complained that 
the printed copy of the ballot was hard to read because of the 
size and lightness of the print and because of the location of 
the shield which protected the printed copy. These problems are 
easy to correct.
    Voters also complained that the length of the ballot made 
it difficult to check, which will continue to be a problem when 
the ballot is long.
    Voters wanted to remove the printed ballot before it went 
back in the machine. This is not possible, of course, because a 
voter could remove the ballot without being detected. Some of 
the voters were concerned that other voters would see his or 
her ballot. This was a placement problem that can be corrected. 
The location of the shield that protected the printed ballot 
made it difficult for a seated voter to see his or her ballot. 
Again, this is fairly easy to correct. The storage area for the 
printed ballot was too small and needed to be emptied during 
the day. This is obviously unacceptable and must be corrected.
    After the voter verified his or her ballot on the screen, 
the printed version was produced. If the voter changed his or 
her mind, or didn't agree with what was printed, it was too 
late to be corrected. This has been corrected, but it is still 
potentially problematic.
    Only ballots approved by the voters should be counted. At 
the same time, there must be no way to connect the ballot with 
a voter. During the canvass of the vote, we manually recounted 
one of the early voting places. The precinct selected had 114 
ballots. Because of the complexity of the ballot and the fact 
there were 246 different ballot types, it took 127\1/2\ hours 
to recount. The machine count and the count on the paper 
ballots did match. Following this demonstration project, Avante 
made numerous changes to the equipment, addressing most if not 
all of the concerns expressed.
    In conclusion, while a voter-verified paper trail may 
increase a voter's confidence in the use of electronic ballots, 
it is not without concern. While many of the concerns I have 
identified can and have been resolved, there still remain 
concerns that may not be fixable. For example at the polling 
place, the problem with fleeing voters, printing jams, the 
length of time necessary for a voter to verify his or her 
ballot. After the election, there would be significant delays 
in providing official election results from the manual counting 
of paper ballots in case of a recount or a challenged election. 
These issues remain unresolved.
    Thank you.
    The Chairman. Thank you for your testimony.
    [The statement of Ms. Lavine follows:]

    [GRAPHIC] [TIFF OMITTED] T7366A.070
    
    [GRAPHIC] [TIFF OMITTED] T7366A.071
    
    [GRAPHIC] [TIFF OMITTED] T7366A.072
    
    [GRAPHIC] [TIFF OMITTED] T7366A.073
    
    [GRAPHIC] [TIFF OMITTED] T7366A.074
    
    [GRAPHIC] [TIFF OMITTED] T7366A.075
    
    [GRAPHIC] [TIFF OMITTED] T7366A.076
    
    [GRAPHIC] [TIFF OMITTED] T7366A.077
    
    [GRAPHIC] [TIFF OMITTED] T7366A.078
    
    [GRAPHIC] [TIFF OMITTED] T7366A.079
    
    [GRAPHIC] [TIFF OMITTED] T7366A.080
    
    [GRAPHIC] [TIFF OMITTED] T7366A.081
    
    [GRAPHIC] [TIFF OMITTED] T7366A.082
    
    [GRAPHIC] [TIFF OMITTED] T7366A.083
    
    [GRAPHIC] [TIFF OMITTED] T7366A.084
    
    [GRAPHIC] [TIFF OMITTED] T7366A.085
    
    [GRAPHIC] [TIFF OMITTED] T7366A.086
    
    [GRAPHIC] [TIFF OMITTED] T7366A.087
    
    [GRAPHIC] [TIFF OMITTED] T7366A.088
    
    [GRAPHIC] [TIFF OMITTED] T7366A.089
    
    [GRAPHIC] [TIFF OMITTED] T7366A.090
    
    [GRAPHIC] [TIFF OMITTED] T7366A.091
    
    [GRAPHIC] [TIFF OMITTED] T7366A.092
    
    [GRAPHIC] [TIFF OMITTED] T7366A.093
    
    [GRAPHIC] [TIFF OMITTED] T7366A.094
    
    [GRAPHIC] [TIFF OMITTED] T7366A.095
    
    [GRAPHIC] [TIFF OMITTED] T7366A.096
    
    [GRAPHIC] [TIFF OMITTED] T7366A.097
    
    [GRAPHIC] [TIFF OMITTED] T7366A.098
    
    [GRAPHIC] [TIFF OMITTED] T7366A.099
    
    [GRAPHIC] [TIFF OMITTED] T7366A.100
    
    [GRAPHIC] [TIFF OMITTED] T7366A.101
    
    [GRAPHIC] [TIFF OMITTED] T7366A.102
    
    [GRAPHIC] [TIFF OMITTED] T7366A.103
    
    [GRAPHIC] [TIFF OMITTED] T7366A.104
    
    [GRAPHIC] [TIFF OMITTED] T7366A.105
    
    [GRAPHIC] [TIFF OMITTED] T7366A.106
    
    [GRAPHIC] [TIFF OMITTED] T7366A.107
    
    [GRAPHIC] [TIFF OMITTED] T7366A.108
    
    [GRAPHIC] [TIFF OMITTED] T7366A.109
    
    [GRAPHIC] [TIFF OMITTED] T7366A.110
    
    [GRAPHIC] [TIFF OMITTED] T7366A.111
    
    [GRAPHIC] [TIFF OMITTED] T7366A.112
    
    [GRAPHIC] [TIFF OMITTED] T7366A.113
    
    [GRAPHIC] [TIFF OMITTED] T7366A.114
    
    [GRAPHIC] [TIFF OMITTED] T7366A.115
    
    [GRAPHIC] [TIFF OMITTED] T7366A.116
    
    [GRAPHIC] [TIFF OMITTED] T7366A.117
    
    [GRAPHIC] [TIFF OMITTED] T7366A.118
    
    [GRAPHIC] [TIFF OMITTED] T7366A.119
    
    [GRAPHIC] [TIFF OMITTED] T7366A.120
    
    [GRAPHIC] [TIFF OMITTED] T7366A.121
    
    [GRAPHIC] [TIFF OMITTED] T7366A.122
    
    [GRAPHIC] [TIFF OMITTED] T7366A.123
    
    [GRAPHIC] [TIFF OMITTED] T7366A.124
    
    [GRAPHIC] [TIFF OMITTED] T7366A.125
    
    [GRAPHIC] [TIFF OMITTED] T7366A.126
    
    [GRAPHIC] [TIFF OMITTED] T7366A.127
    
    [GRAPHIC] [TIFF OMITTED] T7366A.128
    
    [GRAPHIC] [TIFF OMITTED] T7366A.129
    
    [GRAPHIC] [TIFF OMITTED] T7366A.130
    
    [GRAPHIC] [TIFF OMITTED] T7366A.131
    
    [GRAPHIC] [TIFF OMITTED] T7366A.132
    
    [GRAPHIC] [TIFF OMITTED] T7366A.133
    
    [GRAPHIC] [TIFF OMITTED] T7366A.134
    
    [GRAPHIC] [TIFF OMITTED] T7366A.135
    
    [GRAPHIC] [TIFF OMITTED] T7366A.136
    
    [GRAPHIC] [TIFF OMITTED] T7366A.137
    
    [GRAPHIC] [TIFF OMITTED] T7366A.138
    
    [GRAPHIC] [TIFF OMITTED] T7366A.139
    
    [GRAPHIC] [TIFF OMITTED] T7366A.140
    
    [GRAPHIC] [TIFF OMITTED] T7366A.141
    
    [GRAPHIC] [TIFF OMITTED] T7366A.142
    
    [GRAPHIC] [TIFF OMITTED] T7366A.143
    
    [GRAPHIC] [TIFF OMITTED] T7366A.144
    
    [GRAPHIC] [TIFF OMITTED] T7366A.145
    
    [GRAPHIC] [TIFF OMITTED] T7366A.146
    
    [GRAPHIC] [TIFF OMITTED] T7366A.147
    
    [GRAPHIC] [TIFF OMITTED] T7366A.148
    
    [GRAPHIC] [TIFF OMITTED] T7366A.149
    
    [GRAPHIC] [TIFF OMITTED] T7366A.150
    
    [GRAPHIC] [TIFF OMITTED] T7366A.151
    
    [GRAPHIC] [TIFF OMITTED] T7366A.152
    
    [GRAPHIC] [TIFF OMITTED] T7366A.153
    
    [GRAPHIC] [TIFF OMITTED] T7366A.154
    
    [GRAPHIC] [TIFF OMITTED] T7366A.155
    
    [GRAPHIC] [TIFF OMITTED] T7366A.156
    
    [GRAPHIC] [TIFF OMITTED] T7366A.157
    
    [GRAPHIC] [TIFF OMITTED] T7366A.158
    
    The Chairman. This was also shown. This is from Maryland. 
And this was the printout from it. And I would note that I did 
see the name Hoyer nine times, so I thought I would mention 
that.
    Mr. Hoyer. Mr. Chairman, if I could, I want to apologize to 
Attorney General Lamone--that was some years ago--for missing 
her testimony, although I have a reliable report that it was 
excellent and right on point. And I thank you as well, the two 
of you who have not the theoretical discussion but the 
practical problem of confronting hundreds, indeed thousands, of 
voters and ensuring that they are processed in a way that gives 
them confidence and does not discourage them from voting and 
has voting occur in a time frame that can handle a large number 
of people.
    Let me say, Dr. Rubin is also here. Mr. Kohno, the graduate 
student, is here as well. I think Mr. Williams and Dr. Shamos 
have left.
    Mr. Chairman, you and I have had this discussion. This is 
not an adversarial proceeding. This committee worked together--
Mr. Ney and I, Mr. Larson was very helpful as well, Mr. Dodd 
and Mr. McConnell--to try to facilitate voting and to give 
voters a greater degree of confidence that they could vote 
accurately and that it would be counted. We did not mandate a 
technology. We purposely did not mandate a technology.
    We did mandate that you could not use Federal dollars to 
replace a lever machine or the punch cards because, A, the 
leverage machines have essentially gone out of business with no 
replacement parts; and secondly, the punch cards have proved to 
be one of the least reliable systems; although, as all of us 
know, paper ballots themselves are very high up on the list. If 
you had just the paper ballot system, they are higher up on the 
list of mistakes as well.
    We all want to get to the same place, and that is a system 
where the voter has confidence, the jurisdiction, whether it be 
a county, a State, or a country, has confidence that as a 
result that is what the voters intended the result to be.
    I think we can do that. I will tell you, I don't think we 
can do it between now and November in terms of the technology 
that will be available.
    So what the Chairman was saying and I think what Mr. Larson 
said as well--and I apologize. I apologize. I give a press 
briefing every week. But we want to make sure that no voter in 
America this year is discouraged from voting. We don't want to 
undermine their confidence.
    My problem as, Dr. Rubin, you have probably read, and 
Senator Dodd's problem is not with the analysis, because you 
are an expert and we are not, and we ought to make sure that 
whatever technology we use is not subject to being manipulated 
and is accurate and fair; but that the debate that is occurring 
concerns a number of people, not just those with disabilities, 
who are concerned that we will go to a system that does not 
provide them as for the first time in history they have been 
provided with a mechanism to vote secretly.
    Mr. Dixon was in the room, as you know. Mr. Dixon is blind. 
He is a wonderful person, a bright, knowledgeable, able person, 
and he like every other American wants to go into a ballot 
booth and vote, and he wants to know how he votes, and nobody 
else, unless he wants to tell them.
    Mr. Ney, myself, Mr. Larson, and Senator Dodd and Senator 
McConnell were pleased that we mandated that that happen. This 
technology, DRE technology, is one of the ways both from a 
visual and/or audible standpoint that allows that to happen.
    What I am hopeful, Mr. Chairman, is that we proceed in a 
manner which will give Americans confidence that we are 
pursuing the best technology we can possibly find, using all 
the expert advice and counsel. But at the same time, while we 
are evolving towards whatever system we arrive at--and my 
presumption is that this process will always be evolving 
because we will get better technology and better security and 
better ways to do things, and that is progress--but that we not 
get so animated in our debate that we undermine citizens' 
confidence. That would not be a result that I know any of us 
seek.
    So I apologize, Linda, that I didn't hear your testimony. I 
will read it.
    And, Ms. Rogers, thank you very much for what you and 
Georgia have done. Georgia and Maryland were two of the leading 
States in terms of trying to adopt technology.
    I want to say, Mr. Chairman, in closing, that--Mr. Ehlers 
unfortunately has left, and I didn't want to interject at that 
point in time--we do need more money for NIST. I would like to 
offer an amendment, adding $2.8 million, which is what NIST 
says it needs, to the NIST budget in the Commerce, State, 
Justice. You and I have had that discussion. The budget is so 
tight. I would like to have them--they get 300-plus million; 
2.8 million of that I would like them to use in the short term, 
because this is an immediate problem and this could be helpful 
to us. And Mr. Ehlers was primarily responsible for NIST being 
a part of HAVA. And I think Mr. Ney and I both believe that 
that was a very positive suggestion.
    But perhaps we can work on that because, again, this is not 
an adversary relationship. Everybody wants the same objective. 
Everybody. And in that context, as I was telling my good friend 
Rush Holt, in that context, people of goodwill, experts and 
practical appliers of technology, we ought to be able to get 
together and figure out how we can do this, but in the interim 
do the very best we can, which in my opinion is going to be far 
better than 2000.
    There are a lot of other things in HAVA: second-chance 
voting, provisional ballots. We are not there yet. But when we 
get to on-line statewide registration, interfacing with local 
precincts, that is probably going to take us the longest time 
and be most expensive in the long run, probably, but that is a 
wonderful reform: accessibility of all polling places.
    There are some wonderful things in HAVA which do not deal 
directly with the technology question, but giving jurisdictions 
the ability to afford--Mr. Mica, I disagree with Mr. Mica very 
fundamentally. The Federal Government has been on the State 
dole since 1789, which means that for over 200 years, we have 
not contributed a nickel to the running of Federal elections; 
$3.9 billion is a small sum for us to help 55 jurisdictions, 50 
States, the District of Columbia, in doing what they have had 
trouble doing, because so often they were the last people 
considered in the budget process, because elections just seem 
to be, well, we are working and we are stumbling along. HAVA 
was an attempt to try to empower the States to bring our 
elections up to date and to utilize the technology available to 
make sure that we accomplished the objectives stated.
    And, Mr. Chairman, I know you and I are in 100 percent 
agreement that $3.9 billion is a small sum, relatively 
speaking. It is how much money we will spend in Iraq. I 
supported the authority and I believe our mission in Iraq, if 
accomplished, will be a very positive accomplishment. But it is 
more money than we spend--it is less money than we spend in 
Iraq in 25 days to make America's democracy work better. A good 
investment.
    The Chairman. Thank the gentleman. And I want to ask some 
questions, but I do want to make a statement first, too. You 
know, the Help America Vote Act went way beyond the hanging 
chads. And I will be frank with you, and I know that 
Congressman Hoyer heard this, I heard it; many asked, why do 
you want to do something? Let it go. We can't afford it. We 
shouldn't do it. We shouldn't change the system.
    And I didn't know this until the Bush-Gore election, that 
1,800-some votes weren't counted in my own congressional race. 
Now, it didn't matter because the margin was so big. But if it 
had been close, there would have been 1,700 individuals that 
would not have been in the process, would have been 
disenfranchised. So I think something had to happen.
    HAVA wasn't done on a whim. We would have liked it to have 
passed faster. But the process took time. And that is the way 
things run. But we reached out also in that bill, Carter--the 
Ford-Carter Commission, they contributed to it. We talked to 
the NAACP, we talked to election officials, and we reached out 
to others. We didn't do it in a vacuum or behind a closed door, 
and we especially talked to people on the front line, like all 
of you. You are on the front line. You can do good research or 
people can do science projects when it comes to these issues. 
But the fact remains that you are out there and you see how the 
voting system actually works.
    That doesn't mean we take this issue lightly or take the 
bill lightly. And we don't take the lack of funding lightly 
either. And I am hoping within one of these bills--and I think 
what Congressman Hoyer said is completely correct and 
accurate--we will work toward fully funding HAVA.
    As far as the money goes, when this started we went to 
Speaker of the House Hastert, and then Leader Gephardt, and sat 
down with both the Speaker and Leader Gephardt. Money was not 
an issue. We spend $5 billion helping blossoming democracies 
around the world, and that is great. So I don't think $3.9 
billion is too much to spend on improving our democracy here at 
home.
    And what the Congressman wants to do is critical to 
securing that money, at least here in the house. And frankly, I 
don't think any of us will rest, and that includes our Senate 
colleagues, until we get all of the money; because you should 
have some resources, which the Federal Government has never 
before provided.
    I think I am going to ask a question. Unfortunately, this 
whole debate, and I think most all of you pointed this out, 
there is some unfortunate twisting that has happened. A lot of 
things have been overshadowed. Comments have been made about 
individuals who run these voting system companies who have 
supported a Presidential candidate. That is unfortunate that 
ever happened. We have to move beyond that and look at what is 
going on. And the Election Commission can try to devise ways to 
look at the security of these systems.
    I know the paper ballots weren't working. And, again, the 
main problems our election system has faced throughout the 
history of this country have involved paper. But I know the 
intentions of election officials--and you did watch in your 
States for situations, and you did monitor your respective 
election systems. And I think a lot of you have been maligned 
unfairly, frankly. It has been twisted. There are people 
involved in this debate for the right reasons who are doing 
good research. And there are people in the front line. I think 
that is why this hearing helps, and helps get issues out on 
both sides of this issue.
    Mr. Hoyer. Mr. Chairman, would you yield a minute? One of 
the things I mentioned, registration. One of the statistics 
that was brought before us when we had the hearings on HAVA was 
that many more millions of people lost their vote because of 
registration issues and technology issues by far, by a multiple 
of maybe 3 or 4. I don't think there is a precise number 
obviously, but significant. And we ought to keep that in mind, 
because as the Chairman said, HAVA has done a lot of things in 
addition to this and this is getting all the attention.
    But I am hopeful we get voters--I know the election 
officials are--but you run the system with 95 percent 
volunteers on one day, it is tough not to make mistakes because 
it is a human factor. But second-chance voting is essentially 
new, and provisional ballots are new, and there are paper 
ballots and they have to be set aside and have to be checked to 
see whether or not the voter actually is--and I am concerned, 
Mr. Chairman, there are different State laws. In HAVA, we were 
focused on not empowering the States and not limiting the 
States, but I am not so sure we didn't make a mistake by having 
State law apply; because some States say if you don't live in 
that precinct, even if you may be voting for all the same 
people as voting in the next precinct, you can't have a 
provisional ballot. I think that is unfortunate.
    I don't what the law is in Georgia and I don't know what 
our law is on that, Linda. But in any event, registration is 
one of the huge problems that we are not as focused on because 
we are so focused on technology, and many more millions lost 
the opportunity to vote because of registration issues than 
because of technology, hanging chads, or other technology 
issues.
    Thank you, Mr. Chairman.
    The Chairman. Two quick questions. I know the Ranking 
Member will want to ask questions. What potential unintended 
consequences could result from mandating that all DREs be 
equipped with a paper trail?
    Ms. Rogers. I would be happy to share with you myself, and 
I believe Jill as well, I began my career in elections as an 
elections worker in the polls way back in the early eighties. 
And I can tell you through all my years I worked in the polls 
with lever machines and I worked with optical scan equipment, I 
firmly believe that the introduction of paper into the polling 
place on a busy Election Day is going to cause mass confusion. 
It is going to upset voters who don't want attention called to 
them if there is a problem. Voters like the ability to stand at 
a unit, review their ballots, such as they do with electronic 
voting. It shows them what they have voted prior to touching 
cast ballot, and they do that in private.
    When you vote on an optical scan-based system and you walk 
over to put it into the machine, if that ballot has been 
overloaded, it kicks it back and might read on the little LCD, 
and it might say ``overvoted race 10.'' Well, you have got a 
line of voters standing behind you and you, the voter--the poll 
worker says, Would you like to take this over and correct it? 
Correct what? It is intimidating to the voters.
    I am very afraid the paper receipt such as you saw in the 
demonstration a little while ago would be mass intimidation to 
voters, and I believe the very same to poll workers just based 
upon--and that is based upon my own experience as an elections 
official. The introduction of paper is going to cause a great 
deal of heartache and headache.
    The Chairman. Just a scenario here, because it comes to 
mind when you are talking. If I get my receipt and I am in the 
privacy of the booth, I take that receipt, right? I would have 
to go outside.
    Ms. Rogers. You would actually take the receipt and then 
deposit it into a box on your way out the door. Now, that 
scenario gives me a lot of concern, because what is going to 
happen when the voter says, You are not having this receipt? 
What does the poll worker do then? In other systems, it sort of 
sucks it back up into the machine. And given the length of what 
you saw, I have seen some that develop that is a 4-inch window 
plexiglass. This roll of paper would move behind the glass and 
it does 4 seconds where you see the 4 inches at one time. So 
the voter would have to quickly view that as it is going 
around, and then it would have to not get caught or jammed in 
the system. But there are two different components: one you 
would drop in the box, and one would stay behind glass.
    The Chairman. If I get that in the privacy of the booth and 
I come up and you say, Where is your receipt? And I say, It 
didn't spit one out. And you say, It had to. And I say No, it 
didn't; are you calling me a liar? And I put it in my pocket.
    Ms. Rogers. Which could easily happen. That is one of our 
greatest concerns over paper receipt.
    The Chairman. The other question is, do you believe the 
mandatory paper trail would increase the system security? Does 
it add anything to security itself?
    Ms. Lamone. No, it doesn't in my estimation. I think what 
Dr. Shamos said earlier was that testing, testing, testing. And 
his idea of having standards that are well thought out and not 
voluntary, I think is the way to go. Maryland law requires us 
to adhere to the Federal standards. I have no choice, and I do 
not rely on the ITA report solely for our security analysis. I 
think it would add more trouble than, frankly, what it is 
worth.
    There is emerging technology out there, whether it involves 
a piece of paper that the voter can then go and verify post-
election that their vote was accurately counted, but it is all 
encoded, it doesn't have names on it. And there is also some 
electronic technology that is coming about that would provide 
us with a better opportunity to audit the election and make 
sure that the equipment was performing.
    The Chairman. You know, I remember speaking with one of the 
companies that produces voting systems. This company doesn't 
produce a receipt and they don't want to produce a receipt. But 
one of the companies that I saw in a meeting told me, Look, we 
can produce a receipt. We don't think it ought to be used 
though. We don't think that that gives the security that people 
believe it will.
    And so therefore, that is why I think we should take this 
seriously and we should have some ability to check machines to 
see if there is fraud, which you all have done, including in 
Maryland, where you haven't gotten credit for it, but you have 
done it. But we should do that, because the movement now has 
been towards, well, forget machines, this should be all paper.
    Isn't it true, too, if you could manipulate the machine, 
you could manipulate the paper? If you fix the machine, the 
paper comes out. So it is still an issue, the machine's 
integrity, which we should take seriously.
    And wrapping up my questions I have for Ms. Lavine, just 
about that pilot which Sacramento County used, the DREs, which 
produced a voter-verified paper trail. The pilot took place 
during early voting prior to Election Day.
    Ms. Lavine. Yes, it did.
    The Chairman. Would the conditions have been different if 
it had been an Election Day, do you think?
    Ms. Lavine. We were going to just to try the system. We 
didn't want to do a full rollout in every single polling place. 
We wanted to keep it controlled. That is why we only had it for 
early voting in certain locations. We were able to have an 
authorized technician from Avante at each single polling place. 
And if we had done a full rollout on Election Day, there was no 
way we could have had a technician at every one of our polling 
places.
    The Chairman. You had six polling places, so you could have 
six technicians?
    Ms. Lavine. Yes.
    The Chairman. How many polling places do you have in the 
county?
    Ms. Lavine. Normally over 800.
    The Chairman. You couldn't have 800 technicians.
    Ms. Lavine. And we wouldn't have had that many experienced 
personnel either. We staffed from our office to make sure we 
had someone there that knew the ins and outs.
    The Chairman. How much longer did it take to vote in these 
six polling places?
    Ms. Lavine. It didn't take that much longer to vote. It was 
the verifying of the receipts. But most voters who were in a 
hurry--many voters didn't want to stay, and left. So they just 
said, No, I am not interested, go ahead and do whatever you 
want to do with it.
    The Chairman. You said 127 hours?
    Ms. Lavine. One hundred twenty-seven and a half hours to 
verify. We did the manual recount verifying what was the paper 
versus the electronic. And when you pull out those long pieces 
of paper, they start curling like Goldilocks' curls, and you 
are holding down both ends. We did them in teams of two to 
verify the electronic count. To read back and forth and no way 
to quickly read the paper ballot, it took that long to verify 
only 114 of the ballots. We didn't do the entire project.
    The Chairman. How many ballots were included in the six 
polling places?
    Ms. Lavine. One thousand six hundred twelve ballots.
    The Chairman. What would you have on an Election Day?
    Ms. Lavine. Close to 300,000.
    The Chairman. Why was the system not adopted?
    Ms. Lavine. There are many things. At that point, the 
Secretary of State had not come out with his decision on 
whether it was necessary to have the paper verified, voter-
verified paper audit trail. We cancelled the RFP that we were 
in the process of, and we were waiting for things to settle 
down a little bit to see which way the wind was blowing.
    The Chairman. If you had a thousand ballots, it took 127 
hours. Statistically, it would take how long? Just a 
guesstimate.
    Ms. Lavine. I didn't figure that one out.
    The Chairman. I would assume a long time.
    Ms. Lavine. Longer than the 30 days that we have to verify 
an election.
    The Chairman. For a thousand ballots--how many ballots do 
you normally get?
    Ms. Lavine. I am sorry.
    The Chairman. You have a thousand ballots.
    Ms. Lavine. Only 114 ballots that we counted.
    The Chairman. And it took 127 hours? If you add 3,000 it 
could take months.
    Ms. Lavine. We have 300,000.
    Ms. Lavine. Years.
    The Chairman. Years.
    The Chairman. Mr. Larson.
    Mr. Larson. Let me thank you for your enlightening 
testimony. And before I ask just a couple of rudimentary 
questions as they relate to the monies, I want to go back and 
emphasize something that our distinguished leader said, Mr. 
Hoyer, that in looking at this issue, it is especially 
intriguing from a scientific and technological aspect but 
equally compelling in terms of the practicality of putting 
these things into practice.
    I want to commend Dr. Rubin. He said in his testimony in 
weighing what we have all been discussing this morning, his 
duty and responsibility to speak out, and I commend him for 
that because I think that is what enriches our process. That is 
what allows us to get to the heart of the matter.
    And the first panelists--the goal was, from my perspective, 
was to lead people towards a practical consensus. I think it 
has been further enhanced by your testimony this morning. My 
questions deal specifically with the monies that you are 
receiving and have been appropriated under HAVA. Have they been 
fully utilized and are they helpful and how will they relate to 
what we talked about before in terms of training--which, Mr. 
Hoyer called you Attorney General Lamone--but how do they 
relate to how you have been able to--you gave elaborate 
examples of everything that Maryland has done and I assume 
Georgia has done. I am concerned how this money--and of course, 
I share with Leader Hoyer and our distinguished Chairman the 
concern about getting additional monies out there to accomplish 
what I believe was the consensus of the first panel, that what 
we need is testing, testing, testing, training, training, 
training. But conceptually, I had thought about when we were 
talking about a paper ballot, I thought we were talking about a 
card, something that was readily available and handy. And 
obviously your demonstration of about a 10-foot long paper 
ballot and all the ensuing problems that that creates is a 
compelling visual demonstration that deals away from the common 
idea; because you know, we have been comparing this verbally to 
receiving a receipt from an ATM machine, which is quite 
different when you contrast this. Not that I don't think 
technologically that could be overcome in the future, but we 
are dealing with the practicality of a November election.
    So my questions are: One, the monies that you are 
receiving; how are they being expended? Are you utilizing them? 
I have a special question for California, because we did have 
the opportunity to meet with Secretary of State Shelley, and 
Leader Pelosi arranged everything. Mr. Hoyer and myself were 
able to go to that. And I know there was a question of 
decertification, but Mr. Shelley went to great lengths to say 
that, yes, but he did that so there would be an opportunity to 
correct the--what was wrong, what they had detected as being 
wrong with machines. And I want to know how that process has 
gone.
    We also heard some indication from Georgia that some of the 
monies that were coming down from HAVA might be used by the 
State to address Medicare issues. And I want to know if that 
was something that was misreported. But I do think--especially 
given the scarcity of funds and the need for us to focus on 
this issue, how that is all taking place. If you care to 
respond.
    Mr. Hoyer. Thank you for allowing me to participate. 
Unfortunately, I have to leave, but I want to thank you and Mr. 
Larson for your leadership on this issue. And I think these 
hearings are important to see what we have done and what we are 
doing and what we need to continue to do to accomplish the 
objectives. And I want to thank all of the witnesses, who I 
think were all very good witnesses. Good information, and we 
will digest it and take such action as we deem to be 
appropriate.
    [The statement of Mr. Hoyer follows:]
    [GRAPHIC] [TIFF OMITTED] T7366A.159
    
    The Chairman. If it wasn't for your perseverance, we 
wouldn't have the bill.
    Ms. Lamone. I will go with the first question. I think I 
can state for every jurisdiction in the country and the 
territories that the money is more than welcome, but it is not 
enough. The unintended consequences of what is going on with 
this discussion about security and training, testing, and so 
forth, at least in Maryland, I am expected to use the Federal 
money first. So here we have got all these other things we have 
got to do under HAVA, 13 different mandates, and I am sapping, 
I am draining the money, the HAVA money off to do all this 
other stuff that I don't think anybody anticipated a year and a 
half ago. That is not to say it is not important, but it is 
unfortunate because I still have major projects to do, namely 
the voter registration system.
    There is going to be a time of reckoning, if there are no 
more Federal dollars appropriated, when the State is going to 
have to cough up additional funds.
    Mr. Larson. And the voter registration problem is one that 
Mr. Hoyer points out where the greatest number of people ended 
up being turned away from voting; is that not correct?
    Ms. Lamone. Yes. Nationally, that was correct. I am not 
sure that that is the case in Maryland. But we do think 
differently in Maryland than some of the other jurisdictions.
    But to answer your question, we got a lot of money and it 
is not going to be enough anyway, and we are being forced to 
use it for unintended expenditures.
    Mr. Larson. If I could play devil's advocate and be Mr. 
Mica for a second, what is enough money in your estimation? 
What would Maryland need?
    Ms. Lamone. I think the Department of Legislative Services, 
which is the advisory group for our Maryland General Assembly, 
estimated between 100 million to 130 million for Maryland to 
complete all the tasks and make the payments in the outyears. 
It is a little bit over twice of what we have gotten.
    Mr. Larson. Would the same be true for Georgia?
    Ms. Rogers. We believe if we were to receive the full 
funding that HAVA initially allotted, we would be able to cover 
all the mandates of HAVA.
    Mr. Larson. What about the commingling of funds? Is this a 
temptation of States to use--you are smiling, so I take it----
    Ms. Rogers. I read the same article that you did. In 
Georgia, our State legislature okayed $54 million in bond 
funding prior to HAVA ever being enacted. We reimbursed--when 
we got this last bit of money, we reimbursed our State 
Treasury. Now they are going to use that money, I assume they 
are going to use that money to pay down the bond debt. But a 
great deal of that bond debt had already been paid. It leaves a 
chunk of money that the Treasury then has.
    I believe what you read may have been how the State is 
going to use the reimbursement once they already pay the bond 
funding.
    Ms. Lavine. I work on the county level so I am not sure how 
much the State would need. We also--in California we were able 
to pass a voter bond that allowed us to have some money in our 
county and throughout the State. So we have been fortunate that 
we have got--I don't want to say enough money--but we probably 
have more than some of the other States have.
    Mr. Larson. Pretty much unanimous consent amongst the three 
of you that if we were to put technologically a draft on the 
DREs' paper trail, that that is realistically not something 
that would--that is going to fulfill the mission come this 
election in November; is that fair to say?
    Ms. Rogers. In Georgia we have determined that it would 
cost us $16 million to retrofit our equipment for the addition 
of a paper trail to do that statewide. We don't think that is a 
good use of our HAVA dollars. And we don't have $16 million of 
HAVA money left at this point to do so.
    Mr. Larson. I seem to garner from your testimony that you 
thought that the problems that were raised--not the least of 
which is the potential for the machine clogging, people 
reviewing, the time that could be allotted, people just walking 
away because that is what they are used to after they cast 
their vote because they have got to get back to work or 
whatever--becomes more problematic. Is that a fair assessment 
to say?
    Ms. Rogers. I think so.
    Mr. Larson. What about the decertification issue?
    Ms. Lavine. Because of the decertification, since 
Sacramento County did not have a DRE in March, we are not 
allowed to even purchase one in December. We are going to go to 
an optical-scan system for November. With all the legislation 
that is being passed, until there is a system with a paper, 
accessible voter-verified paper audit trail, we are not even 
allowed to purchase one.
    Mr. Larson. You may have heard Dr. Rubin's testimony 
earlier where he seemed to come up with a process that was 
different than the ones that you have testified to. And again, 
I am not a scientist. I am not someone who--what Professor 
Negroponte used to call one of the digitally homeless in many 
respects. So I don't want to mischance what he said. But it 
seemed to me he had a more compact and precise way of using 
that, though I think he testified that that is something that 
wouldn't be ready for this election cycle. I am wondering if 
you heard that and what your reaction might be long term with 
respect to the--at the heart of this argument, it is hard to 
deny when I face groups and they say, Well, what is the matter 
with trust but verify, or trust everyone but cut the cards, and 
being able to have that, know that you voted for that. And of 
course, it is a very logical assumption until you meet--come 
face to face with the practicality of its implementation and 
then all the ensuing fallout that has been mentioned, whether 
it is the disability community or others.
    Mr. Shamos testified that he thought there would be a way 
to do that down the road, but it doesn't seem as though--
clearly, it is not possible for November. But what is your 
sense about where we need to go for the future, and are these 
practical ways?
    Ms. Rogers. Well, let me first address what I heard Dr. 
Rubin talk about in that--you would. Instead of seeing that 
paper receipt, there is a possibility of printing it out. It 
probably would be an 18-inch-long ballot. These are just 
concepts. No one has developed anything like this. It might 
have like, if you voted on an optical scan, an 18-inch piece of 
paper. I have seen a prototype where this would come up at the 
same time you are viewing your ballot on an electronic machine, 
and then you would look at it, as you looked at this side, you 
look at this side, and once you verify it, you would hit print 
and it might print out on card-stock paper. Understand that 
card-stock paper that you are currently printing an optical-
scan ballot on goes for about $0.35 a piece. Each voter would 
have this card-stock paper. It would come out. They would 
verify it and then they would take it to an optical-scan 
tabulator and vote, putting it into the tabulator, which gets 
back into the same scenario we talked about a little while ago. 
You have one of those per every precinct, versus having one 
voting booth with electronic capability for each voter. That in 
itself is two separate voting systems with two separate 
problems.
    And what I have heard knocked around is these need to be 
from different vendors as well. You may not want them to be the 
same vendor. You have to get two vendors to work together for 
their software to integrate together, and there is a lot of 
proprietary concerns over that. But the biggest problem, one I 
don't think this money is growing on trees, and that is a whole 
lot of money.
    Mr. Larson. Do you ever feel that when all of these 
proposals are being made, that maybe what we ought to do is 
convene you all first?
    Ms. Rogers. We would appreciate that.
    Mr. Larson. My final question has to deal with this New 
York Times article that I think makes an awful lot of sense.
    [The information follows:]

    [GRAPHIC] [TIFF OMITTED] T7366A.160
    
    [GRAPHIC] [TIFF OMITTED] T7366A.161
    
    [GRAPHIC] [TIFF OMITTED] T7366A.162
    
    [GRAPHIC] [TIFF OMITTED] T7366A.163
    
    [GRAPHIC] [TIFF OMITTED] T7366A.164
    
    Mr. Larson. You heard Dr. Shamos refer to it. The article, 
though you may not have read it, essentially said we ought to 
make sure when it comes to voting that we are going 
procedurally from a security standpoint and from testing, et 
cetera, that we provide the voters with the same kind of 
security that is provided in the casino industry for the 
integrity of slot machines. We ought to make sure that the 
security is there as well.
    I am gathering from your testimony that you wouldn't 
disagree with that but what you need for that is the money in 
the independent verification. Is that fair to say?
    Ms. Lamone. And we need--for the country to be comfortable, 
we need to have standards that everybody must follow and we 
need to have somebody looking at the software, like I mentioned 
before, in establishing a baseline for the security issues, 
telling the States what risks were identified and maybe how to 
mitigate them, just like we did in Maryland with those two 
reports.
    Last year it was just a fun-filled year with all the 
security reports coming out. Election officials don't have that 
expertise. We know how to run an election but we are not 
security experts, which is why I now have security people on my 
staff. And then you would have some assurance that the country 
using X vendor system is all addressing the same issues and 
hopefully around the same ways.
    Mr. Larson. You would agree with Mr. Rubin that they should 
be independently evaluated also, not evaluated by the vendors 
themselves?
    Ms. Lamone. No, no. I think NIST is an appropriate vehicle. 
And I for one am so glad HAVA was enacted and glad that NIST is 
involved in the process, because it does provide us with a lot 
of weapons that we never had before.
    Mr. Larson. I want to thank you all. I think you have been 
terrific. And I thank the Chairman again for his leadership on 
this important issue. He rarely takes the bows that he richly 
deserves, but he has been a leader in this area in passing what 
I believe is historic and landmark legislation; like all 
legislation, not ones that we can't further perfect as we go 
along, but given the circumstances and the times and trying to 
put this in order and having to buck a trend, he deserves an 
enormous amount of credit. And thank you for providing these 
hearings and providing people with the opportunity to voice 
their concerns so we can better implement the laws of HAVA.
    The Chairman. Thank you. I want to thank my cousin in the 
back of the room applauding for me. I want to thank you. And I 
want to thank all the people across the country that worked on 
this and gave the input to get HAVA to where it is today. I 
thank our witnesses who worked hard to prepare for the hearing. 
We had two great panels.
    I thank Congressman Larson for his diligence and his staff, 
and the members and other members of the committee and their 
staffs, for their work on this.
    I ask unanimous consent that members and witnesses have 7 
legislative days to submit material into the record, and those 
statements and materials be entered in the appropriate place in 
the record. Without objection, the material will be entered.
    I ask unanimous consent that staff be authorized to make 
technical and conforming changes on all matters considered by 
the committee today. Without objection, so ordered.
    And, having completed our business, the hearing is 
adjourned.
    [Whereupon, at 2:15 p.m., the committee was adjourned.]

Chairman Ney's Response to the New York Time Editorial of June 
                            11, 2004

    In a recent editorial (``The Disability Lobby and Voting,'' 
Jun. 11, 2004), the New York Times disgraced itself by making 
slanderous attacks against representatives of the disability 
community who have opposed legislation that would require 
electronic voting systems to produce a voter-verified ``paper 
trail.'' The editorial states that this opposition, which the 
New York Times believes is disproportionately influential, is 
most likely due to contributions that groups like the National 
Federation of the Blind (NFB) and the American Association of 
People with Disabilities (AAPD) have received from voting 
equipment manufacturers. In other words, the New York Times is 
more or less alleging that the representatives of these groups 
are selling out their own constituents as well as the American 
electorate in exchange for a pay-off.
    This is simply outrageous. As a principal author of the 
Help America Vote Act of 2002 (HAVA), I had the opportunity to 
work closely with both NFB and AAPD as this legislation was 
being developed. Thus, I know from first-hand experience of 
their commitment to improving the election process not only for 
those they directly represent but for all Americans as well. 
Their input added greatly to a landmark piece of legislation 
that will substantially improve our nation's voting system for 
generations to come.
    People of good will have honest disagreements about the 
advisability of requiring electronic voting systems to produce 
voter-verified paper records. Groups like NFB and AAPD, as well 
as many other respectable voices in the technology and election 
administration communities, have legitimate concerns about 
whether such a requirement would compromise the privacy and 
independence of voters, add unnecessary expense to the process, 
and do nothing to buttress the integrity of the election 
system.
    Unfortunately, the New York Times refuses to even 
acknowledge that reasonable opponents of a paper-trail 
requirement even exist. Instead, it implies that only those who 
have corrupt motives or have been bought off could possibly 
oppose such a requirement.
    The editorial also smears my good friend, Senator 
Christopher Dodd, by implying that there is something untoward 
about him appointing Jim Dickson, head of AAPD, to the Advisory 
Board of the Election Assistance Commission after the AAPD had 
awarded the Senator with its Justice for All Award. This 
perception of a conspiracy around every corner is beginning to 
descend into the paranoid depths occupied by Oliver Stone and 
Michael Moore. This is unbecoming of an institution as 
venerable as the New York Times, and the American public 
deserves better.
    The whole issue of electronic voting system security is 
extremely important and very complex, and the committee I chair 
will continue to examine it closely. Thus, there is a need for 
a healthy debate on this issue. However, that debate is 
impoverished when a voice of prominent as the New York Times' 
slurs opponents of its positions with outlandish speculation 
and unfounded charges. What is needed is more reasoned dialogue 
and less character assassination.

                                  
