[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]
THE SCIENCE OF VOTING MACHINE TECHNOLOGY: ACCURACY, RELIABILITY AND
SECURITY
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
POLICY, INTERGOVERNMENTAL RELATIONS AND
THE CENSUS
of the
COMMITTEE ON
GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTH CONGRESS
SECOND SESSION
__________
JULY 20, 2004
__________
Serial No. 108-258
__________
Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform
______
U.S. GOVERNMENT PRINTING OFFICE
98-208 WASHINGTON : 2005
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512�091800
Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001
COMMITTEE ON GOVERNMENT REFORM
TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida MAJOR R. OWENS, New York
JOHN M. McHUGH, New York EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania WM. LACY CLAY, Missouri
CHRIS CANNON, Utah DIANE E. WATSON, California
ADAM H. PUTNAM, Florida STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee LINDA T. SANCHEZ, California
NATHAN DEAL, Georgia C.A. ``DUTCH'' RUPPERSBERGER,
CANDICE S. MILLER, Michigan Maryland
TIM MURPHY, Pennsylvania ELEANOR HOLMES NORTON, District of
MICHAEL R. TURNER, Ohio Columbia
JOHN R. CARTER, Texas JIM COOPER, Tennessee
MARSHA BLACKBURN, Tennessee BETTY McCOLLUM, Minnesota
PATRICK J. TIBERI, Ohio ------
KATHERINE HARRIS, Florida BERNARD SANDERS, Vermont
(Independent)
Melissa Wojciak, Staff Director
David Marin, Deputy Staff Director/Communications Director
Rob Borden, Parliamentarian
Teresa Austin, Chief Clerk
Phil Barnett, Minority Chief of Staff/Chief Counsel
Subcommittee on Technology, Information Policy, Intergovernmental
Relations and the Census
ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan WM. LACY CLAY, Missouri
DOUG OSE, California STEPHEN F. LYNCH, Massachusetts
TIM MURPHY, Pennsylvania ------ ------
MICHAEL R. TURNER, Ohio
Ex Officio
TOM DAVIS, Virginia HENRY A. WAXMAN, California
Bob Dix, Staff Director
Ursula Wojciechowski, Professional Staff Member
Juliana French, Clerk
David McMillen, Minority Professional Staff Member
C O N T E N T S
----------
Page
Hearing held on July 20, 2004.................................... 1
Statement of:
Adler, Jim, founder and CEO, VoteHere, Inc................... 101
Hite, Randolph C., Director, Information Technology
Architecture and Systems, U.S. Government Accountability
Office; Hratch G. Semerjian, Acting Director, National
Institute of Standards and Technology, Technology
Administration, U.S. Department of Commerce; and Terry
Jarrett, general counsel for Hon. Matt Blunt, Missouri
Secretary of State......................................... 17
Morganstein, Sanford J., president and founder, Populex Corp. 113
Rubin, Aviel, technical director, Information Security
Institute, Department of Computer Science, Johns Hopkins
University................................................. 91
Shamos, Michael, professor, Carnegie Mellon, director,
Universal Library; co-director, Institute for E-Commerce... 96
Letters, statements, etc., submitted for the record by:
Adler, Jim, founder and CEO, VoteHere, Inc., prepared
statement of............................................... 104
Clay, Hon. Wm. Lacy, a Representative in Congress from the
State of Missouri, prepared statement of................... 9
Hite, Randolph C., Director, Information Technology
Architecture and Systems, U.S. Government Accountability
Office, prepared statement of.............................. 20
Holt, Hon. Rush D., a Representative in Congress from the
State of New Jersey, prepared statement of................. 15
Jarrett, Terry, general counsel for Hon. Matt Blunt, Missouri
Secretary of State, prepared statement of.................. 75
Morganstein, Sanford J., president and founder, Populex
Corp., prepared statement of............................... 115
Putnam, Hon. Adam H., a Representative in Congress from the
State of Florida, prepared statement of.................... 4
Rubin, Aviel, technical director, Information Security
Institute, Department of Computer Science, Johns Hopkins
University, prepared statement of.......................... 94
Semerjian, Hratch G., Acting Director, National Institute of
Standards and Technology, Technology Administration, U.S.
Department of Commerce, prepared statement of.............. 67
Shamos, Michael, professor, Carnegie Mellon, director,
Universal Library; co-director, Institute for E-Commerce,
prepared statement of...................................... 99
THE SCIENCE OF VOTING MACHINE TECHNOLOGY: ACCURACY, RELIABILITY AND
SECURITY
----------
TUESDAY, JULY 20, 2004
House of Representatives,
Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census,
Committee on Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:07 a.m., in
room 2247, Rayburn House Office Building, Hon. Adam Putnam
(chairman of the subcommittee) presiding.
Present: Representatives Putnam and Clay.
Also present: Representatives Holt and Kaptur.
Staff present: John Hambel, senior counsel; Dan Daly,
professional staff member/deputy counsel; Ursula Wojciechowski,
professional staff member; Juliana French, clerk; Felipe Colon,
fellow; Casey Welch and Jamie Harper, legislative assistants;
Sean Hardgrove, intern; David McMillen, minority professional
staff member; and Earley Green, minority chief clerk.
Mr. Putnam. The quorum being present, this Subcommittee on
Technology, Information Policy, Intergovernmental Relations and
the Census will come to order.
Good morning, everyone, and welcome to the subcommittee's
hearing, ``The Science of Voting Machine Technology: Accuracy,
Reliability and Security.''
An estimated 50 million voters representing nearly 30
percent of all voters are expected to cast their votes using
some type of electronic voting technology this November. We
have scheduled this oversight hearing to examine where we are
today with the evolution of electronic voting technology,
including the subject of access, utilization and the associated
issues of reliability, ease of use, efficiency, accuracy and
security.
The overriding goal of voting systems is to produce
election results that accurately represent the will of the
people. The historically close Presidential election of 2000 in
Congress highlighted deficiencies of the voting process,
especially in my State, that became the subject of many policy
discussions at all levels of government. Since then many
localities have sought to evaluate and improve their voting
systems through the use of electronic voting technology,
believing that such technology will improve the accuracy of
vote recording and tabulation, decrease costs, and increase
voter turnout.
The issues we will be examining today in the processes of
balloting and tabulating the results of elections have been the
subjects of discussions throughout our history. Deficiencies of
one type or another have existed in virtually every process
that has ever been utilized, yet today's existing and emerging
technology offers greater opportunities for participation in
the process of selecting our elected representatives, as well
as the determination of other ballot questions.
The Federal Government had not historically set mandatory
standards for voting systems, nor had it provided funding to
State and local jurisdictions for the administration of
elections. However, after November 2000, Congress considered
and debated Federal election reform legislation, and the Help
America Vote Act of 2002, or HAVA, was enacted. The act created
a new Federal Government agency with election administration
responsibilities, set requirements for voting and voter
registration systems and provided Federal funding.
Beginning in January 2006, in accordance with HAVA, voting
systems used in Federal elections must provide for error
correction by voters, manual auditing, accessibility,
alternative languages and Federal error rate standards. Systems
must also maintain voter privacy and ballot confidentiality,
and States must adopt uniform standards for what constitutes a
vote on each system.
HAVA does not require any specific voting system, but it
sets requirements that influence what systems election
officials choose. HAVA's requirement for at least one
handicapped-accessible voting system per polling place and
other factors are expected to drive States toward adoption of
touch-screen or direct recording electronic systems [DREs].
HAVA established a program to provide access to
approximately $4 billion in Federal grants to States to
modernize the voting systems currently in use. Accordingly,
acquisitions of new voting systems technology are under way in
a number of States and localities.
Currently five different voting systems are being used:
hand-counted paper ballots, mechanical lever machines, computer
punch cards, optical scan or marks forms, and DREs. Most States
use more than one type of system. Each has advantages and
disadvantages with respect to error rates, cost, speed,
recounts, accessibility to the disabled and other
characteristics. Differences in actual performances in
elections are difficult to measure accurately and depend on a
number of factors, such as the system design and condition,
voter system familiarity, ballot complexity and design, local
standards and practices, and the competence level of polling
and training of polling place workers.
Since 2000, many electronic voting systems have been
proposed. Today DREs, which present voters with choices on the
video display and record votes electronically, are gaining
favor. They offer improved user interfaces, facilitate voter
confirmation, provide instant running tabulations, and
potentially satisfy HAVA's requirement for at least one
handicapped device per polling place.
There is concern how secure systems are from tampering by
voters, elections officials or even manufacturers. There is
also concern by some about the potential for software defects
or other technical failures that could interrupt the capability
of the given system. There are disagreements among experts
about both the seriousness of these concerns and what solutions
to address them. While it is generally accepted that tampering
is possible with any computer system given the time and
resources, some experts believe that current security practices
are sufficient. Others, naturally, disagree and believe that
procedural and other safeguards can make DREs sufficiently safe
from tampering, that the use of creating printed paper ballots
would create too many problems. A number of these issues will
be explored today.
As presently designed, many electronic voting systems do
not produce a record that can be independently audited. For
this reason and others, the prospect of electronic voting
systems has been met with some skepticism in parts of the
information technology community. Moreover, experience with
large-scale technology deployment indicates that it takes time
before the bugs in the system, including technology procedures
and people associated with using and operating the technology,
are shaken out or identified. So even communities that have
deployed and used these systems will face the challenge of
evaluating their performance.
Given the importance of the issue, in May I signed on to a
bipartisan GAO request letter asking for a study examining the
security of electronic voting systems, including DREs, optical
scans and punch cards readers. We asked GAO to examine State,
Federal and governmental use; identify significant issues and
challenges; and report on best practices that can be
implemented to improve the security and reliability of the
electronic voting process.
Today's hearing will seek to further examine the technology
of electronic voting systems: what are the lessons learned thus
far; what are the most appropriate next steps, both short- and
long-term, to ensure the integrity, reliability and
accessibility of the security voting process that is such a
vital ingredient to American democracy.
This is an election year, and as such it is often the case
that both sides of the aisle attempt to score political points.
That is not the purpose of this hearing. We are here to examine
the technology that is available and learn from panels of
experts what is and is not feasible in the current climate. Our
goal is to further the discussion and debate on the
technological advances that improve the manner in which our
society conducts elections. My colleagues share my desire to
conduct an informative oversight hearing, and I welcome their
input and request for this hearing topic.
[The prepared statement of Hon. Adam H. Putnam follows:]
[GRAPHIC] [TIFF OMITTED] T8208.001
[GRAPHIC] [TIFF OMITTED] T8208.002
[GRAPHIC] [TIFF OMITTED] T8208.003
Mr. Putnam. Following Mr. Clay's opening statement, I would
like to move directly to the witnesses' testimony, and request
that other Members submit their opening statements for the
record. Members, of course, will be invited to participate in
the witness question-and-answer process.
I now yield to the distinguished ranking member of the
subcommittee Mr. Clay for his opening remarks.
You are recognized, Mr. Clay.
Mr. Clay. Mr. Chairman, first let me thank you for holding
this hearing.
Florida and Missouri are both States with troubled voting
histories. In the 2000 election, I had to go to court to keep
the polls open so that everyone who wanted to vote could vote.
The city had dropped thousands of voters from the rolls without
ever telling the voter.
The issue before us is quite simple. I want to vote, and I
want know that my vote is counted as I intended. With the paper
ballot, my vote is before me, and I place it in the ballot box.
The same holds true with punch cards and optical scans
machines, although both of those are subject to mechanical
error. Everyone in the country now knows what a hanging chad
is. With lever machines and computerized voting, you have to
take it on faith that your vote is counted as you intended.
The difference is one of scale. If a lever machine fails or
is tampered with, it affects only that machine. If it's
software, or computerized voting fails or is tampered with, it
affects every machine running that program, and, therefore, the
system fails the voter.
Last week the New York Times reported that in the March
Florida primary, votes were not recorded for about 1 out of
every 100 persons using the new machine. Some people, in
defense of the new machines, point out that is about the same
error rate as Florida experienced in the 2000 election. I don't
think any of us want to use Florida 2000 as the standard, no
offense against your State.
Advocates for computerized voting tell us to trust the
system. My experience says trust but verify. That is why I
believe, as do 130 of my colleagues who have cosponsored
Congressman Holt's bill, who happens to be with us today, that
the computerized machines that are out there today are
inadequate. They offer no way to verify my vote. The
certification process is inadequate. As we have seen in
California, some manufacturers bypass certification.
After the vote is cast, the issue is counting the vote.
Again, I say trust, but verify. With paper ballots, a recount
is a straightforward matter. Recounting punch cards and optical
scan ballots is also straightforward. There is no recount for
computerized voting. That is not verification. That is trusting
that the software performed as promised.
I believe we all have had enough experience with software
to know that trusting it to work correctly 100 percent of the
time is a foolish concept. Some suggest that the internal audit
trail and the computerized machines would be sufficient for a
recount. I don't know if that is true, but I do know that the
audit trail is subject to the same weaknesses as all software.
It is invisible to the voter, and its reliability must be taken
on faith.
California ran a parallel monitoring system during its
March primary, where live machines were set aside for testing.
In that case the machine worked as intended, but parallel
testing doesn't work to check the machines. What do you do if
you find at the end of the day that the machine failed to test?
Do you throw out the whole precinct? Do you throw out all votes
cast on that kind of machine?
I am a man of faith, and I have great trust in my fellow
man, but when it comes to voting, faith and trust are not the
building blocks for a secure system. If we are to earn the
voters' trust, we must provide them with voting opportunities
that are simple and direct. We must provide them with machines
that allow the voter to see his or her vote.
Computerized voting machines are wonderful inventions for
those that run elections. They make the job of counting and
transmitting the vote about as simple as can be. As a bonus,
they make recounts a thing of the past. But we don't run
elections for the convenience of election boards or election
officials, we run elections to provide the public with the
opportunity to participate in their government. We must provide
the public with the most transparent voting system possible.
Computerized voting does not accomplish that.
Two months ago the Secretary of State of California issued
stringent security measures that counties had to meet before
electronic voting machines could be used. Last week the
Secretary of State of Ohio, one of the outspoken advocates of
electronic voting, halted the deployment of those machines in
Ohio. Several of the flaws identified last December still had
not been corrected.
Last week in Maryland, participants in the Computer Ate My
Vote rally said that electronic voting machines are poorly
programmed and prone to hackers. At that rally, Barbara Simons,
a former president of the Association for Computing Machinery,
told those gathered, ``If I had a single message, that message
would be, wait, there is better technology on the way.''
I look forward to working with the Election Assistance
Commission and my fellow Members of Congress to reassure the
American voter that their votes are safe and will be counted.
In this debate that should be everyone's goal and objective. I
thank you, Mr. Chairman for this hearing today.
Mr. Putnam. I thank you, Mr. Clay.
[The prepared statement of Hon. Wm. Lacy Clay follows:]
[GRAPHIC] [TIFF OMITTED] T8208.004
[GRAPHIC] [TIFF OMITTED] T8208.005
[GRAPHIC] [TIFF OMITTED] T8208.006
[GRAPHIC] [TIFF OMITTED] T8208.007
[GRAPHIC] [TIFF OMITTED] T8208.008
Mr. Putnam. Mr. Clay requested this hearing, and I am
delighted to work with him to put it together, and we
appreciate your interest. It's very important.
We have been joined by Mr. Holt, a gentleman from New
Jersey. Without objection, I would like to insert your opening
statement into the record and also ask unanimous consent that
you sit on the panel and join us, despite not being a member of
the committee.
Mr. Holt. Thank you.
[The prepared statement of Hon. Rush D. Holt follows:]
[GRAPHIC] [TIFF OMITTED] T8208.009
[GRAPHIC] [TIFF OMITTED] T8208.010
Mr. Putnam. Without objection, we would welcome you to the
subcommittee and certainly encourage you to participate in the
dialog, and we move directly to the witness testimony.
Before doing so I would ask that the witnesses please rise,
and anyone who would be accompanying who will be helping you in
answering the questions, and raise your right hands.
[Witnesses sworn.]
Mr. Putnam. I would note for the record that all the
witnesses responded in the affirmative.
We will move to our first witness, Mr. Randolph Hite. Mr.
Hite is the Director of Information Technology Architecture and
Systems Issues at the U.S. Government Accountability Office,
formally the GAO, still the GAO, but new G and A. During his
25-year career with GAO, he has directed reviews of major
Federal investments and information technology, such as IRS's
tax systems modernization and DOD's business systems
modernization. Mr. Hite is the principal author of several
information technology management guides, including GAO's
system guides on systems testing. He frequently testifies
before Congress on such topics and is an ex officio member of
the Federal CIO Council. He received a number of awards
throughout his career and was a 2003 Federal 100 Award winner.
Welcome to the subcommittee. You are recognized for 5
minutes.
STATEMENTS OF RANDOLPH C. HITE, DIRECTOR, INFORMATION
TECHNOLOGY ARCHITECTURE AND SYSTEMS, U.S. GOVERNMENT
ACCOUNTABILITY OFFICE; HRATCH G. SEMERJIAN, ACTING DIRECTOR,
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, TECHNOLOGY
ADMINISTRATION, U.S. DEPARTMENT OF COMMERCE; AND TERRY JARRETT,
GENERAL COUNSEL FOR HON. MATT BLUNT, MISSOURI SECRETARY OF
STATE
Mr. Hite. Thank you, Mr. Chairman. It seems like only
yesterday that hanging chads and butterfly ballots were the
focus of attention. Now almost 4 years later, the focus is on
verifiable audit trails and code tampering as they relate to
the modern ATM-like voting devices, which in many jurisdictions
have replaced the more venerable voting machine that gave rise
to the 2000 election debate.
In the wake of this debate in 2000, we issued a series of
reports in 2001 on election administration and voting
technology. We made a number of recommendations for reform. In
my view, the gist of what we said then still applies today,
which I will summarize by making four points.
Point one, although voting systems play a major role in
elections, they are but one facet of a complex, highly
decentralized, multidimensional elections process in which each
dimension demands on the interplay of people, processes and
technology. As such, when I think of the, ``voting system,'' I
think of the inseparable triad of the equipment itself, the
individuals who interact with the equipment and the rules that
govern this interaction.
Point two, although security has taken center stage in the
debates surrounding some electronic voting systems, other
interrelated performance characteristics, such as accuracy,
ease of use and cost, are also important. For example, the
commonly called DREs have been criticized because they lack a
paper record. At the same time these DREs offer ease of use
advantages because they are more accommodating to voters with
disabilities, and they protect against certain voter errors,
such as overvoting, which can affect how accurately voter
intent is captured. On the other hand, optical scan voting
systems have a lower capital cost than DREs, and they offer a
paper record. However, they are relatively more challenging for
voters with certain disabilities to use.
Point three, voting system performance can be traced to two
key variables. The first is the quality of the standards that
the system is designed to meet, which includes, in my view, the
quality of the development and testing that was performed to
ensure that the system, in fact, meets the standards.
Second is how well the system, as it has been designed,
developed and tested, is used in an operational setting, which
includes the effectiveness of the procedures that are followed
concerning system maintenance, setup, use and operation,
combined with the know-how of the people who are interacting
with the system. If either of these variables is lacking,
system performance can suffer.
Point four, local jurisdictions face challenges in
effectively leveraging modern voting technology this year and
for years to come. For this year, jurisdictions need to
maximize the performance and minimize the risk associated with
the systems that they have, whether electronic or not
electronic, which is a particularly important point given that
three-quarters of the voters in 2004 are expected to vote the
same way that they did in 2000.
To accomplish this, it is important for jurisdictions to
make sure that they perform the requisite testing and
maintenance activities, and, in doing so, they treat the
people, the processes and the technology as a triad; in effect,
as the voting system.
Other challenges are more long-term, and they relate to the
need for jurisdictions to make informed decisions about whether
to change their voting equipment, and our work in 2001 showed
that voting jurisdictions were not consistently addressing all
of these challenges.
In closing, let me emphasize electronic voting technology
is a critical link in the election chain, and while this link
by itself cannot make an election, it can break one if not
designed, tested, maintained, implemented and maintained
properly. The concerns being surfaced with this technology
highlight the potential for election problems if jurisdictions
do not effectively address the challenges that I just
mentioned.
I believe HAVA recognizes these challenges as does the
Election Assistance Commission, so I say let's give them a
chance to do what they were established to do. In this regard,
although the Commission only recently began operations, and is
not yet at full strength, I believe that it has hit the ground
running to inform and educate jurisdictions and voters about
electronic voting systems and promote the interplay of people,
process and technology in the November 2004 election.
Beyond this, the Commission, with the assistance of NIST
and others, will need to examine opportunities for
strengthening these voting standards and the testing that's
associated with enforcing the standards. Critical to
accomplishing their roles under HAVA will be ensuring that they
have the resources they need to do their jobs, and that they
proceed in an open and transparent manner.
Mr. Chairman, that concludes my statement. I will be happy
to answer any questions.
Mr. Putnam. Thank you very much, Mr. Hite.
[The prepared statement of Mr. Hite follows:]
[GRAPHIC] [TIFF OMITTED] T8208.011
[GRAPHIC] [TIFF OMITTED] T8208.012
[GRAPHIC] [TIFF OMITTED] T8208.013
[GRAPHIC] [TIFF OMITTED] T8208.014
[GRAPHIC] [TIFF OMITTED] T8208.015
[GRAPHIC] [TIFF OMITTED] T8208.016
[GRAPHIC] [TIFF OMITTED] T8208.017
[GRAPHIC] [TIFF OMITTED] T8208.018
[GRAPHIC] [TIFF OMITTED] T8208.019
[GRAPHIC] [TIFF OMITTED] T8208.020
[GRAPHIC] [TIFF OMITTED] T8208.021
[GRAPHIC] [TIFF OMITTED] T8208.022
[GRAPHIC] [TIFF OMITTED] T8208.023
[GRAPHIC] [TIFF OMITTED] T8208.024
[GRAPHIC] [TIFF OMITTED] T8208.025
[GRAPHIC] [TIFF OMITTED] T8208.026
[GRAPHIC] [TIFF OMITTED] T8208.027
[GRAPHIC] [TIFF OMITTED] T8208.028
[GRAPHIC] [TIFF OMITTED] T8208.029
[GRAPHIC] [TIFF OMITTED] T8208.030
[GRAPHIC] [TIFF OMITTED] T8208.031
[GRAPHIC] [TIFF OMITTED] T8208.032
[GRAPHIC] [TIFF OMITTED] T8208.033
[GRAPHIC] [TIFF OMITTED] T8208.034
[GRAPHIC] [TIFF OMITTED] T8208.035
[GRAPHIC] [TIFF OMITTED] T8208.036
[GRAPHIC] [TIFF OMITTED] T8208.037
[GRAPHIC] [TIFF OMITTED] T8208.038
[GRAPHIC] [TIFF OMITTED] T8208.039
[GRAPHIC] [TIFF OMITTED] T8208.040
[GRAPHIC] [TIFF OMITTED] T8208.041
[GRAPHIC] [TIFF OMITTED] T8208.042
[GRAPHIC] [TIFF OMITTED] T8208.043
[GRAPHIC] [TIFF OMITTED] T8208.044
[GRAPHIC] [TIFF OMITTED] T8208.045
[GRAPHIC] [TIFF OMITTED] T8208.046
[GRAPHIC] [TIFF OMITTED] T8208.047
[GRAPHIC] [TIFF OMITTED] T8208.048
[GRAPHIC] [TIFF OMITTED] T8208.049
[GRAPHIC] [TIFF OMITTED] T8208.050
[GRAPHIC] [TIFF OMITTED] T8208.051
[GRAPHIC] [TIFF OMITTED] T8208.052
[GRAPHIC] [TIFF OMITTED] T8208.053
[GRAPHIC] [TIFF OMITTED] T8208.054
[GRAPHIC] [TIFF OMITTED] T8208.055
Mr. Putnam. Our next witness is Dr. Hratch Semerjian,
serving as Acting Director of NIST. He has served as Deputy
Director of NIST since July 2003. In this position Dr.
Semerjian is responsible for the overall operation of the
Institute, including financial management, human resource
management, facilities and information technology systems,
effectiveness of NIST's technology programs, and interactions
with international organizations.
He received his master's and Ph.D. Degrees in engineering
from Brown. In 1977, he joined the National Bureau of
Standards, now known as NIST, where he served director of the
chemical science and laboratory from April 1992 through July
2002.
Welcome to the subcommittee, sir. You are recognized.
Dr. Semerjian. Thank you, Mr. Chairman and Ranking Member
Clay and Mr. Holt. I appreciate this opportunity to testify
today.
As you pointed out, major changes are taking place in the
way we conduct elections. The trusty old ballot box is being
replaced by a host of new technology such as optical scanners
or touch-screen systems. As a result of these changes, Congress
enacted the Help America Vote Act and mandated specific roles
for the National Institute of Standards and Technology [NIST].
Many of the issues we are examining today are all directly
related to standards and guidelines. Congress understood the
importance of standards in voting technologies and specifically
gave the Director of NIST the responsibility of chairing the
Technical Guidelines Development Committee [TGDC], a committee
reporting to the Election Assistance Commission [EAC] under
HAVA.
The TGDC is charged with making recommendations to the EAC
with regard to voluntary standards and guidelines for election-
related technologies that have an impact on many of the issues
we are discussing today.
While we have considerable experience in standards
development, NIST understands that, as a nonregulatory agency,
our role is limited, and we need to understand the needs of the
community. To that end, NIST staff have started to meet with
members of the election community.
Also, at the request of Congress and the National
Association of State Election Directors, NIST organized and
hosted a symposium last December on Building Trust and
Confidence in Voting Systems. Over 300 attendees from the
election community attended the seminar to begin discussion,
collaboration and consensus on voting reform issues.
As required under HAVA, earlier this year NIST delivered to
the EAC a report entitled ``Improving the Usability and
Accessibility of Voting Systems and Products.'' The EAC
delivered the report to Congress on April 30th. The specific
recommendations of the report are included in my written
testimony.
NIST views as a top priority accomplishing its
responsibilities mandated under HAVA in partnership with the
EAC. These mandates include the recommendation of voluntary
voting system standards to the EAC through its Technical
Guidelines Development Committee. The first set of voluntary
standards is due 9 months after the appointment of the 14
members by the EAC.
TGDC held its first meeting on July 9th, just a couple of
weeks ago. Fourteen of the fifteen appointed members of the
Technical Guidelines Development Committee participated in the
first plenary meeting. At that meeting the TGDC agreed on a
procedural roadmap for standards development as well as a
preliminary work plan. In addition, the TGDC adopted a
resolution that established three working subcommittees to
address issues related to one, security and transparency; two,
human factors and privacy; and three, core requirements and
testing.
Another important role for NIST under HAVA is to develop a
formal accreditation program for laboratories that test voting
system hardware and software for conformance to current voting
system standards.
On June 23rd, NIST announced in the Federal Register the
establishment of a laboratory accreditation program for voting
systems. NVLAP, the National Voluntary Laboratory Accreditation
Program at NIST, will conduct a public workshop on August 17th
to review its accreditation criteria as well as receive
comments and feedback from the participating laboratories and
other interested parties. Only after a laboratory has met all
of the NVLAP criteria for accreditation will it be presented to
the Election Assistance Commission for its approval to test
voting systems. The EAC may impose requirements on the
laboratories in addition to the NVLAP accreditation.
Finally, NIST has compiled best security practices relevant
to election security from current Federal Information
Processing Standards [FIPS]. These standards are available now
on the NIST Website as well as the EAC Website. This
compilation is intended to help State and local election
officials with their efforts to better secure voting equipment
before the November 2004 elections.
NIST realizes how important it is for voters to have trust
and confidence in voting systems, even as new technologies are
introduced. Increasingly, computer technology touches all
aspects of the voting process, voter registration, vote
recording and vote tallying. NIST believes that rigorous
standards, guidelines and testing procedures will enable U.S.
industry to produce products that are high-quality, reliable,
interoperable and secure, thus enabling the trust and
confidence that citizens require and at the same time
preserving room for innovation and change.
Thank you for the opportunity to testify on behalf of NIST,
and I will be happy to answer any questions.
Mr. Putnam. Thank you, sir.
[The prepared statement of Dr. Semerjian follows:]
[GRAPHIC] [TIFF OMITTED] T8208.056
[GRAPHIC] [TIFF OMITTED] T8208.057
[GRAPHIC] [TIFF OMITTED] T8208.058
[GRAPHIC] [TIFF OMITTED] T8208.059
[GRAPHIC] [TIFF OMITTED] T8208.060
[GRAPHIC] [TIFF OMITTED] T8208.061
Mr. Putnam. Our next witness will be introduced by his
fellow Missourian, Missourian or Missourian.
Mr. Clay. Missourian.
Mr. Putnam. Missourian.
You are recognized, sir. You have the floor, sir.
Mr. Clay. Thank you, Mr. Chairman.
Mr. Terry Jarrett is the general counsel to Secretary of
State Matt Blunt. He received his J.D. in 1996 from the
University of Missouri Columbia School of Law. While in law
school, Mr. Jarrett was editor-in-chief of the Missouri Law
Review. From 1996 to 1997, he served as a judicial law clerk to
the Honorable Duane Benton, judge of the Supreme Court of
Missouri.
Prior to joining the Secretary of State, Mr. Jarrett
practiced law as a private attorney in Jefferson City. He is a
member of the Missouri Bar, the Cole County Bar Association and
the American Bar Association. Mr. Jarrett also serves as a
first lieutenant in the Judge Advocate General's Court of the
U.S. Army Reserve. He represents the Missouri Secretary of
State Matt Blunt.
Welcome to the committee. Thank you for being here.
Mr. Jarrett. Thank you, Mr. Chairman, Ranking Member Clay
and Mr. Holt.
It is an honor to have the opportunity to testify at
today's hearing. I am here on behalf of Missouri Secretary of
State Matt Blunt, whose schedule would not allow him to be here
today, and he asked me to express his regrets. Secretary Blunt
specifically asked that I thank the distinguished member of
this subcommittee, Congressman William Lacy Clay from our home
State of Missouri, who has been a leader in reform efforts in
the city of St. Louis. He has been particularly interested in
the city's compliance with the consent decree between St. Louis
City and the Department of Justice related to the handling of
the city's inactive voter list. Secretary Blunt shares his
concern and appreciates his efforts to improve elections in St.
Louis.
Secretary Blunt has asked me to address the security of
direct recording electronic voting machines, specifically
whether to require DREs to produce a voter-verified paper
ballot. Secretary Blunt has worked over the past 3 years to
ensure that our elections are above reproach and that our
citizens have confidence in the process. That is why he decided
earlier this year that he would only certify DRE voting
machines that produce a voter-verified paper ballot. This will
provide voters with the peace of mind they deserve by enabling
them to review their ballots prior to casting them and to
ensure that paper ballots are available for review should a
recount be necessary or an election result challenged.
One of Secretary Blunt's first acts as Secretary of State
was to appoint and convene a bipartisan commission of election
experts to recommend improvements in our election laws and
procedures. The commission met several times and conducted a
series of public hearings where over 125 Missourians voiced
their opinions in oral and written testimony. In addition many
Missourians have submitted their thoughts by e-mail, fax and
regular mail.
Out of this very open process came many recommendations for
improvements that have since been implemented in Missouri. One
of the commission's recommendations was to allow for the use of
touch-screen voting systems, so long as safeguards are in place
to ensure the integrity of votes cast and create a paper audit
trail in case of a contested election.
Secretary Blunt heard from many Missourians who expressed
their preference that touch-screen voting machines produce a
paper ballot so that they can verify their votes before they
are cast. At this point in time, Secretary Blunt is convinced
that a voter-verified paper ballot is the only paper audit
trail that can provide voters with a reasonable assurance that
their vote will not be lost, destroyed or otherwise not
counted.
Computers have opened up a whole new array of technical
possibilities for voting. Manufacturers are moving quickly to
embrace innovation. Technology can and should be used by
government to improve efficiency, as well as provide cost
savings for taxpayers. This new technology promises to open up
voting to people who have not been able to participate fully in
the voting process, namely the disabled voter. Yet in our
urgency to improve and upgrade voting systems, we must not
certify equipment that has the potential to cast doubt on the
integrity of an election. Effective security standards and
procedures must be considered and implemented.
Secretary Blunt has also heard from a number of local
election officials, and I want to say a word about them. They
eagerly await the opportunity to provide voters with the
benefits that technology can provide. Local election officials
are on the front lines of voting, and I urge this subcommittee
to seek their input as it addresses the important issues raised
by today's hearing.
There is a growing consensus of computer science experts,
election officials, voter advocacy groups and political leaders
that touch-screen voting systems should produce a verified
voter ballot so that voters can inspect their ballots before
they are cast. Almost daily, reports in the newspaper and other
media outlets support this view. A voter-verified paper ballot
providing local election officials with access to actual
ballots for recounts if necessary is just as important.
Perhaps at some point in the future, technological advances
will be such that electronic voting system security can be
assured without voter-verified paper ballots. However, that
does not appear to be the case today. Until we can be positive
that electronic voting systems are secure, a voter-verified
paper ballot is the best way to make voters feel confident in
legitimacy of elections.
I appreciate that this subcommittee recognizes the
importance of this issue by having this public hearing. Thank
you again for the opportunity to share Secretary Blunt's views
with this subcommittee, and I would be happy to answer any
questions. Thank you.
Mr. Putnam. Thank you very much.
[The prepared statement of Mr. Jarrett follows:]
[GRAPHIC] [TIFF OMITTED] T8208.062
[GRAPHIC] [TIFF OMITTED] T8208.063
[GRAPHIC] [TIFF OMITTED] T8208.064
[GRAPHIC] [TIFF OMITTED] T8208.065
Mr. Putnam. We are going to do a 5-minute round of
questions, get through everyone, and then do another round if
we so desire. Considering the number of committee members who
are here, I think we will certainly have time to do that.
Technology changes rapidly. Obviously local governments
don't have the luxury of changing election systems with every
cycle, but a number of these new systems are new. I mean, they
are new concepts, they are new approaches.
Mr. Hite, if you would, evaluate these newer models,
optical scan and the DREs, for us and rank them in terms of
accuracy, security and access for those who traditionally have
not had good access to the ballot.
Mr. Hite. I would be happy to, but I would like to preface
it with addressing the question on two levels. You can talk
about the types of equipment in general, but it really also
requires getting down to specific make and model, because while
DREs, for example, commonly offer certain features with respect
to accuracy or with respect to security, how they are actually
implemented in the system, and then how they are actually
implemented within the jurisdiction, will determine how well
they perform.
So, with that preface, I will make a couple of comments
based on our 2001 work, where we surveyed vendors and we
surveyed jurisdictions with respect to these characteristics of
performance. As a general rule, when it came to ease of use and
efficiency, how quickly they can capture and count, and the
costs associated with doing that, DREs generally had a higher
rating than the other types of voting equipment. With regard to
security based on features, notwithstanding how they have been
implemented, that with regard to security, DREs and optical
scan were roughly the same. And then with regard to accuracy
across all types of equipment, whether it is jurisdictions or
vendors, they basically viewed the accuracy of the systems to
be somewhat the same.
Now, I would add another qualification with that with
regard to the jurisdictions, and that is when we followed up
with certain jurisdictions to see what data are actually
collected and are behind these impressions, we learned that is
exactly what they are, they are impressions or viewpoints on
performance.
The data are pretty sparse in terms of what are collected
relative to the performance of any of the types of systems,
which is one of the long-term challenges that we have laid out
that needs to be addressed. If we are going to make strategic,
long-term, informed decisions about what kind of technology to
use, you have to base it on some good data, and in terms of a
performance standpoint out there across the jurisdictions, that
data basically are not being captured.
Mr. Putnam. Dr. Semerjian, do you want to field that as
well?
Dr. Semerjian. Well, I basically agree with the comments
made by Mr. Hite. I think the DREs can improve their
performance with the appropriate standards and testing
protocols. I think that is really where we still have a
perception that these systems are not tested properly. We don't
have national standards; implementation is varied from State to
State, from precinct to precinct. I think with the proper
establishment of proper standards and testing procedures, I
think DREs can improve our ability to provide secure, private
voting ability and accuracy. And also, I think it was pointed
out by Mr. Hite, it can improve in terms of enabling voters
with disabilities. That's something that perhaps the other
systems do not. I think that is something we need to keep in
mind.
Mr. Putnam. Mr. Jarrett, how many different voting systems
are employed throughout Missouri?
Mr. Jarrett. In Missouri we have three types. We do some
counties that still operate under the paper ballot system. We
have punch card systems and also optical scan systems.
Mr. Putnam. And the decision on which type to deploy is
made by whom?
Mr. Jarrett. That is made by the local election officials
in every county.
Mr. Putnam. And how many of those are there? How many
different counties do you have?
Mr. Jarrett. We have 116 election authorities. The urban
areas such as St. Louis, Kansas City, St. Louis County and
Jackson County have boards of election commissioners that are
appointed by the Governor, and they run elections in those
areas. The rest are run by county clerks.
Mr. Putnam. Has there been a high turnover since 2000?
Mr. Jarrett. Of county clerks?
Mr. Putnam. No, of technology.
Mr. Jarrett. Oh, I'm sorry.
Mr. Putnam. Changes in the method of electioneering.
Mr. Jarrett. Well, Missouri is the ShowMe State, so we have
been sort of taking a wait-and-see attitude.
Mr. Putnam. Wait on Florida to show you the way, right?
Mr. Jarrett. Yes, that's right. We have had eight counties
that moved from the punch card to the optical scan for this
election. Several of the counties are waiting, looking at the
DREs very closely, and, of course, some of the counties that
had optical scan had the central count, and they are moving
toward the precinct counters, so not much turnover. Again, we
are sort of adopting the wait-and-see approach.
Mr. Putnam. My time expired. I will yield to Mr. Clay also.
Boy, 5 minutes goes by pretty fast.
Mr. Clay. Yes, it does. You were having fun, Mr. Chairman.
Mr. Hite, in your testimony you communicate that certain
voting machines pose a certain risk. Do you have a certain set
of recommendations for local election officials to minimize
those risks?
Mr. Hite. The short answer is no, sir, I don't have a set
of recommendations handy for those jurisdictions. I would
observe, however, that this is one of the things that the
Election Assistance Commission was set up to do, and I believe
they are on brink of releasing best practices for the local
jurisdictions to employ in the 2004 elections.
Mr. Clay. You know, the Election Assistance Commission has
a budget of $1.5 million for fiscal year 2004. Is that adequate
for them to meet their obligations for the 2004 elections?
Mr. Hite. I know, in talking to the Commission
Commissioners, that they do not believe that it is adequate,
and I believe they are in the best position to make a judgment
as to whether or not it is adequate or not. I know under HAVA
they were authorized up to $10 million a year, and I would only
submit, from my viewpoint, that their role in this, as is the
role of NIST, is extremely important and worthy of adequate
funding to ensure that they can do what they were set up to do
under HAVA.
Mr. Clay. Does certification guarantee that the software is
free of malicious code, and, if so, how is that accomplished?
Mr. Hite. No sir, the answer to your question is no, it
does not guarantee that. There is no system that offers a
guarantee of that.
Mr. Clay. Does it guarantee that the machine cannot be
tampered with during the election?
Mr. Hite. No sir.
Mr. Clay. No. OK. Thank you for your responses.
Dr. Semerjian, it is my understanding that the work at NIST
on standards for computerized voting machines was halted this
year because of a lack of funding; is that correct?
Dr. Semerjian. Well, things slowed down, let's say, but, in
fact, let me make it clear that the standards are not going to
be set by NIST. They will be set eventually by TGDC. So TGDC
just got started. So we have done, as I pointed out, some of
the background work on human factors and on security issues,
but as far as setting standards and guidelines, TGDC had to do
that, which did not get going until 2 weeks ago.
Mr. Clay. Let me ask you, what was your budget request for
election work for 2004, and what will be your request for 2005?
Dr. Semerjian. There was no request in the 2004 budget. For
2005, the EAC has requested a budget of $10 million for NIST,
not for 1 year, but basically for the entire work to be done,
which will probably be done over a 3-year period. But I think
if that $10 million is provided, we feel that is adequate
funding for NIST to get the job done.
Mr. Clay. OK. NIST has a responsibility under the Help
America Vote Act with regard to the development of technical
standards for voting systems. When do you think these standards
will be ready? And I heard you say in your testimony you have
had the initial meeting?
Dr. Semerjian. Right. Basically HAVA legislation requires
us to make the first set of recommendations within 9 months
after the formation of TGDC. So the clock just started running.
Mr. Clay. OK. Thank you for those answers.
Mr. Clay. Mr. Jarrett, the Secretary of State in Missouri
has declared that no electronic voting machines will be used in
Missouri that do not provide a voter verification paper trail.
Has any electronic voting equipment been certified for use in
Missouri, and, if so, will any be used in the St. Louis area?
Mr. Jarrett. The answer to that is no, none have been
certified. In Missouri, State statute requires that before the
Secretary of State can certify equipment for use in Missouri,
that it has to be certified to the current standards by an
independent testing authority. And as of this date, no vendor
has submitted that ITA certification to the Secretary of State,
so there will be none used in Missouri this year.
Mr. Clay. During the debate at the Election Assistance
Commission hearing in May, there was a concerned voice by the
disability community that computerized voting machines with
verified paper ballots would be a step backward for the
visually impaired. In research done by your office, how have
you addressed that problem?
Mr. Jarrett. Well, we have looked at, of course, that's a
very serious problem, and it is one that I know Secretary Blunt
takes very seriously. We have looked at a written opinion from
the Department of Justice on that issue that talks about DREs
that produce paper ballots; as long as they produce a similar
experience for disabled voters, that it complies with HAVA and
the Americans with Disabilities Act. And in Missouri, Secretary
Blunt has appointed a committee, an equipment certification
committee, where we have a representative from a disability
advocacy group that's a member, and we also have two members
from the blind community that are on the committee. And they
have been very helpful in educating the rest of the committee
on the disability issues, and they will certainly be very
important in certifying. And Secretary Blunt will consider
their input before he certifies equipment to make sure that it
is accessible to the disabled.
Mr. Clay. Thank you for your answer.
My time is up, Mr. Chairman.
Mr. Putnam. Mr. Holt.
Mr. Holt. Thank you very much, Mr. Chairman, and I
appreciate the opportunity to join you here, and I certainly
like the Florida orange juice. That's a nice touch. We all
extol the contributions of Florida in the orange juice field.
Mr. Putnam. We have to have something positive to say about
Florida this morning.
Mr. Holt. Well, indeed, in 2000, we all got an education.
Americans got an education in voting. Many of us who had been
involved in the business knew it is complex. As one who won a
reelection by less than 1 vote per precinct, I certainly had
paid attention to the mechanisms and as well as the technology
of voting.
But for most Americans, it was previously thought to be
very simple, and I think we have all learned a lot. I think we
have learned that we have to hold up the principles that voting
will be fair, that it will be accessible, and that it will be
verifiable, and it is that latter principle that I wanted to
talk about today.
I noticed your hearing calls for technology, accuracy,
reliability and security. I would add another, auditability or
verifiability, as what we should be looking at today.
And my first question, actually, I guess, is probably for
Mr. Hite and for Mr. Semerjian. Considering that it is a secret
ballot, is it possible for anyone other than the voter, be it
the manufacturer, vendor or election official--is it possible
for anyone other than a voter to verify whether the voter's
intentions have been appropriately recorded?
Mr. Hite. I have never pondered that question before, so
that is why I pause.
Mr. Holt. I think it is the fundamental question here.
Mr. Hite. My quick response to that is I don't think it is
possible for anyone other than the voter to know the voter's
intent and be able to verify the voter's intent. You would have
to require some element of the voter's interaction to do that.
Mr. Holt. Dr. Semerjian.
Dr. Semerjian. Well, let me perhaps answer a different and
related question.
Mr. Holt. OK.
Dr. Semerjian. That is the fact that the paper ballot is
verified does not necessarily mean that the computer-recorded
vote is verified. I mean, they are related, but they are two
different things. So I think we need to make sure that we
should not be satisfied simply by saying the paper ballot, the
paper ballot is the intent of the voters.
We need to make sure that the computer-recorded vote
records properly the intent of the voter, and I think that's
done through a proper testing, through providing proper
security and data integrity measures.
Mr. Holt. Well, let me follow on that point, Mr. Semerjian.
In your testimony you talk about performance-based standards. I
take that to mean you like to look at the outcome in an applied
way, where it is actually used in the field, to see whether the
result is correct, rather than relying on procedures that the
room is locked, and that no one else has access to the software
or whatever training and procedural steps one takes. So, given
that, with performance-based standards, how can you know
whether a machine has an error in it, perhaps in a software,
perhaps unintentional, perhaps hacked? How can you know that on
a performance basis?
Dr. Semerjian. Well, that's normally done by subjecting the
equipment that is being tested to certain inputs.
Statistically----
Mr. Holt. But that's beforehand. That's not performance-
based. As I understand what you mean by performance-based
standards, you want to know whether, as it is used in the
field, whether the numbers match up with some independent
measurement.
Dr. Semerjian. The idea of the performance-based standard
is not to simply say you have to do this and that and the other
thing, but to simply say, OK, if applied, if I use that
equipment the way it is supposed to be used. Then does the
machine, at the end, produce the exact input as an output?
That's really what is meant by performance standard--and with
what level of accuracy? I mean, is there a discrepancy at the 1
percent level, or what is our expectation; is 1 percent
acceptable, or 5 percent?
Those are the kinds of standards we can accept, not telling
vendors that you have to do this, you have to save the data
this way, etc. I think we want to leave the creativity, the
innovation part to the vendor, but require them to deliver an
equipment, the machine, that provides 100 percent accurate
performance.
Mr. Holt. Well, the time is up. I am not sure I got an
answer to how do you know whether the machine has been hacked
or not, but time has expired, so thank you.
Thank you, Mr. Chairman.
Mr. Putnam. Thank you.
Mr. Hite or Dr. Semerjian, do you know how many individual
election units there are in this country, how many precincts
there are in this country?
Mr. Hite. The numbers I have seen on the precincts, are on
the order of 193,000.
Mr. Putnam. 193,000 precincts, and presumably some of them
in very rural areas might just have one or two machines, and
another might have a couple of dozen?
Mr. Hite. I was speaking to precincts, polling places, in
terms of jurisdictions, voting jurisdictions, there's only on
the order of 10,000. Each of these precincts have multiple
polling places associated with them.
Mr. Putnam. So there are 193,000 polling places?
Mr. Hite. Correct, where you go to vote, the local school,
church.
Mr. Putnam. Right. Each of which may have one or two
machines or private little areas where you go do your paper
ballot, pull the paper ballot or lever or whichever it may be,
up to a dozen at each precinct, something like that.
Mr. Hite. Configurations go by equipment and size.
Mr. Putnam. But we are talking about a lot?
Mr. Hite. Yes.
Mr. Putnam. It could be several hundred thousand starting
at a baseline of almost 200,000?
Mr. Hite. Yes.
Mr. Putnam. So, let me just say something about Florida,
because I think it is important. Anyone could have been Florida
in 2000, and, in my opinion, we haven't passed any regulation
that will prevent another Florida in 2004. Nothing we have
done, nothing we will talk about, nothing we can do will
prevent a close election, which is really what happened.
I mean, when you talk about what happened in Florida, you
had a close election, and it was not the first time that it had
happened. Even in my short time, county commissioners have been
elected and then unelected because the outcome of a vote turned
by five votes or three votes, because there were human beings
involved and somebody forgot to--the deputy who delivered the
boxes of ballots to the central accounts location thought he
had unloaded all the ballots and found another box in his car
the next morning, or the very well-meaning, well-trained
coworkers just picked up three paper ballots, and they thought
they only had one, fed it into the machine, and so the top one
was red, the bottom two were not.
When you get down to several hundred thousand machines
counting millions of votes, there will be errors, because
humans are involved. So let me just ask what the HAVA act will
do to prevent the same errors, the same oversights, the same
mistakes that were made in 2000. What has changed as a result
of that legislation?
Mr. Hite. I don't believe that the HAVA act will
fundamentally change that for the 2004 election. The HAVA act
has in it provisions for long-term improvement in this area, as
well as short-term, because steps have already been taken by
the EAC in a relatively short amount of time to recognize and
inform and educate the jurisdictions about where improvements
can be made in the near term to minimize the chance of those
errors. We are never going to get rid of them. That's what we
are trying to do is minimize them. And whether similar problems
will surface in 2004, I would be shocked if they didn't, and
particularly because the whole election process is going to be
under such a microscope now and going forward. But what we are
talking about, what HAVA does, and what we are talking about
doing near term and long term, is to reduce the probabilities
of this happening.
Mr. Putnam. Is there a margin of error in every voting
process and voting technology that is deployed today?
Mr. Hite. There is a margin of error in every process
involved in any type of business or government activity,
including air traffic control, for example, where you want
accuracy down to five nines, so it is inevitable.
Mr. Putnam. Over the long term, is a paper trail the way to
go? Is a paper trail the best, most effective way to audit the
results of an election?
Mr. Hite. I believe a paper trail can offer a layer of
security with respect to DREs. Now, it all depends on how you
use that paper trail. Just having the paper receipt and having
the voter look at it in and of itself doesn't give you a whole
lot. But if you implement it in a way where you have some means
to know whether or not the machine is capturing the vote as it
is on the paper receipt, now you have added a level of
security.
As with any decision about security capabilities, you have
to make those decisions in the context of risk. What is the
threat, what are my vulnerabilities, and how much am I willing
to pay to reduce the risks associated with those two variables?
And so you have to make decisions about that. You don't just
throw money at something. You make good, fact-based decisions.
Mr. Putnam. And I would submit that time is also a factor,
because it becomes a deterrent to voting, depending on how long
it takes for all this verification to occur.
Dr. Semerjian, I want you to answer that question, and then
we will yield to Mr. Clay.
Dr. Semerjian. Well, I agree with what was said. I don't
think I have anything to add. There is an uncertainty with
every process. And the whole point is, how do you reduce that
uncertainty to an acceptable level? So whether you expect 100
percent accuracy, which is almost unattainable, or whether 99.9
percent is acceptable or whether it is 95 percent, I think we
certainly want to set standards that push that level, that
level of certainty, or reduce the level of uncertainty as much
as possible. And that can be done through proper testing and
setting the proper standards to start with.
Mr. Chairman, may I answer, sir, the question that Mr. Holt
asked that I could not answer?
Mr. Putnam. Sure.
Dr. Semerjian. Regarding hacking, how do we know that it's
hacked?
Mr. Holt. Or error of any sort.
Dr. Semerjian. Well, this is work in progress. As I said,
TGDC had the first meeting. But one of the issues that they
already addressed is this issue: How do we know that the
software on a particular machine is not hacked or modified or
changed by mistake? And we do have a National Software
Reference Laboratory at NIST that we use for this kind of
applications. We haven't used them for the voting process, but
we have used it where at different stages of a process you can
actually check the integrity or the signature of a particular
software package, so that once you have established this
referenced initial certified version of a software, you can
check against that at different stages so that there are no
mistakes made in duplication, or, changes by mistake, so that
you can verify the integrity of that software from the very
beginning of the process to the very end where it is loaded to
individual machines.
So we haven't worked out all the details, but I think that
the technology is there to be able to say that this particular
software package is not what it was at the beginning of the
process, that something has changed, and alert the officials
that some action needs to be taken.
Mr. Putnam. Mr. Holt, how about if I just go ahead and
recognize you for your second wave of questions?
Mr. Holt. Well, just following on that point. In fact, that
is right; the way you test software is you see whether it gives
the right answer. In other words, you audit it. You compare it
against another approach to that same calculation to see if it
gives the same result. And you do that at each stage along the
way. You also check the software to see whether it is robust in
various ways.
Dr. Semerjian. May I say something?
Mr. Holt. Yes.
Dr. Semerjian. This is not only substantiating the result
of the computation, because the program can give you the same
result but in the meantime could produce some output of some
other source. Here, the idea is to check the integrity of the
entire software package.
Mr. Holt. That is right. Step by step, you audit it.
Dr. Semerjian. Well, it is more than that.
Mr. Holt. And you compare each operation to see whether
that operation does what you think it does.
Dr. Semerjian. It is more than that. If any kind of a
statement is changed in that software--which may still give the
same answer--if any code is changed, the signature of the code
will be changed. So even two codes that give the same answer
may be slightly modified. And this kind of technology will
detect that.
Mr. Holt. That is external hacking. That might or might not
find an embedded problem, an embedded bug that has been in
there since it was written or since it left the package.
Dr. Semerjian. That is where the certification process
comes in.
Mr. Holt. But, anyway, my point is the way you know
anything, the way anything of value should be subject to
audit--and my point is, if in fact the answer to my first
question is that only the voter can verify his or her
intentions are properly recorded, then the only audit that
makes sense is to compare the result against what the voter has
verified. But let me go on to a couple of other questions.
Mr. Hite, what do you think--you say in your testimony that
we have to make sure that the people who work with these
devices are well trained and have the requisite knowledge. What
is the requisite knowledge to operate today's BREs? Is it more
or less than the knowledge to maintain, say, keeping track of
optical scan paper for the election workers?
Mr. Hite. What I can offer there as part of our survey of
jurisdictions, in 2001 we asked local jurisdictions about
whether or not DREs versus optical scans, etc., how difficult
they were for operators, poll workers to use, or for voters to
use, or how difficult it was to correct somebody's vote who
made a mistake versus the different types of technology. And in
general, DREs were easier to operate than the optical scan and
the other types of voting systems.
Specifically in terms of the training that is needed for a
given poll worker, a given maintenance individual, anyone who
has to interact with that system, that is going to vary by
jurisdiction and by type of system because there's different
rules and standards that govern how these elections are
conducted--and we can use Missouri as an example of that.
Mr. Holt. So if there are 50 million people this year who
will be asked to vote on electronic machines, maybe 30 million
will actually show up and vote. For those 30 million votes this
year, what would you recommend is the best near-term solution
to protect the integrity?
Mr. Hite. Coming from an organization where we don't make
rash decisions or take or quick positions on things, I'd go
back to what I said before. It requires a level of
understanding and visibility into those systems--make and model
of those systems--to know how they behave and know what their
strengths and weaknesses are. I just don't have that because I
haven't done that type of analysis on a system-by-system basis.
And so my position would be that is the kind of decision that
you want to make with the long-term focus in mind. You want to
base it on some good data that talks about what are the
vulnerabilities of those systems and what is the best way to
implement paper receipts if you choose to do that. I am just
not in a position to give you the answer that you are looking
for. I don't have that kind of knowledge.
Mr. Holt. And with my time expired, I just want to thank
the Show Me State and Secretary Blunt for his, I think,
intelligent approach to this and his leadership.
And thank you, Mr. Chairman.
Mr. Putnam. Mr. Clay.
Mr. Clay. Thank you, Mr. Chairman.
Mr. Putnam. And I will note for the record the presence of
the gentlelady from Ohio, Ms. Kaptur. Without objection, you
are certainly welcome to join us, and we are delighted to have
you here and certainly hope that should you wield the gavel in
your appropriations subcommittee, that I will be accorded the
same treatment when you all are----
Ms. Kaptur. Yes.
Mr. Putnam. Thank you.
Mr. Clay.
Mr. Clay. Thank you.
Mr. Hite, the California Secretary of State has established
a set of safety criteria that, if met by election officials,
will allow the recertification of the computerized voting
machines. Would you comment on the adequacy of those
recommendations?
Mr. Hite. Yes, sir. I am aware, as you say, that there are
these 23 conditions. I am not, unfortunately, familiar with
those 23 conditions so that I can offer an informed opinion on
it. So I apologize for that.
Mr. Clay. In your full written testimony, you state that
current touch-screen electronic voting machines can produce
images that can be printed, but explain that this is according
to vendors. Did GAO investigate whether the machines currently
in use do in fact have this potential?
Mr. Hite. No sir, we did not. We have done no code reviews
or any testing or evaluation of specific make and models to
determine what features are implemented and whether or not they
have been implemented properly. I believe that other witnesses
at this hearing have much more in-depth knowledge about the
specific make and models.
Mr. Clay. Thank you.
Dr. Semerjian, when the new standards are ready, what do
you suggest that States do if they have already purchased
voting machines with HAVA funds and then find out that the new
machines are not HAVA compliant? What should they do?
Dr. Semerjian. I am not quite sure how to answer that
question.
Mr. Clay. I want to hear your answer.
Dr. Semerjian. I think this is exactly the issue they are
struggling with. They feel that they are between a rock and a
hard place, because they need to make some changes perhaps, and
yet the information that they need to make informed decisions
regarding purchases is not available. So, I mean, I really feel
for them, but unfortunately the timing was such that these
standards could not be provided in time certainly to affect
this year's elections, but we hope that they will be for the
2006 elections.
Mr. Clay. So some States got ahead of everyone else because
of HAVA, and now that may come back to bite them?
Dr. Semerjian. Well, I mean, this is strictly conjecture on
my part. But I mean, it sort of depends on what the changes
needed will be. I mean, if there are software changes, they
certainly can be made relatively inexpensively. But if there
are going to be major hardware changes, obviously they will be
more costly.
Mr. Clay. Let me also ask, whose job is it to assure that
electronic voting machines are free of malicious code and
actually register the votes as intended? Whose job would that
be?
Dr. Semerjian. Elections are run, to the best of my
knowledge, by local officials. So it is their responsibility to
ensure the integrity of the voting process. The EAC, TGDC, and
other organizations try to provide them with the information,
knowledge, and the tools, technology tools to make that job as
tenable as possible. But at the end of the day, it is the local
officials' responsibility to ensure the integrity of the voting
process.
Mr. Clay. Thank you for those responses.
Mr. Jarrett, it is my understanding that none of the touch-
screen machines now on the market have been certified to the
2002 standards. Is that correct?
Mr. Jarrett. That is my understanding as well.
Mr. Clay. Did the lack of certification play a role in the
Missouri Secretary of State's decision to defer the use of
computerized voting machines in Missouri?
Mr. Jarrett. Yes. Again, our State statute requires that
anytime that the Secretary of State certifies equipment, it has
to be certified by an ITA to the current standards, which are
the FEC 2002 standards currently, d will be the EAC standards
when the Standards Board and the TGDC sets those standards. So,
yes, it played the major role, as a matter of fact.
Mr. Clay. I thank you for your response and the entire
panel being here.
Mr. Chairman, I yield back the balance of my time.
Mr. Putnam. Thank you, sir.
Ms. Kaptur.
Ms. Kaptur. Yes, Mr. Chairman. Thank you so much for
allowing us to participate in your important hearing this
morning and also for the Florida orange juice. I now had that
for breakfast and for lunch, and appreciate the work that the
people of your State do for the rest of the world.
Thank you very much. And I wanted to thank the witnesses
for producing this excellent report this morning. This is a
topic on which we in Ohio are very, very focused, and
appreciate your diligence.
I think more oversight is better than less oversight. I
know that Congressman Clay in our conversations has been trying
to receive information from those of us not on this
subcommittee, not on this full committee, in the important area
of voting technology and reform. And I just thought I would
state for the record, and I will put the full information in
the record, that in Ohio, about a year ago, five technologies
that were being considered were displayed at our Statehouse in
Columbus, OH. And at that time, not being a computer technology
expert, I asked three of our major universities to select the
best people they had, and they chose the people in charge of
their computer security to go down and review the technologies
on display. And I won't read you their full report, but I will
read you some of the conclusions:
No technology currently under consideration had attributes
that made it both secure and readily accessible for use. All of
the technologies had serious shortcomings in these two major
elements:
None of the security mechanism force of the voting systems
that remained in consideration in Ohio could sufficiently
prevent fraud or abuse.
The integrity of the voting process as well as voter
confidence could be compromised through the absence of an
auditible paper trail at each precinct. Without rigorous
testing by multiple outside agencies with appropriate technical
expertise, assurance of a secure era of tamper-proof electronic
election system cannot be obtained. Levels of computer
proficiency among the electorate vary and tend to disfavor the
elderly, minorities, and the economically disadvantaged.
And we saw that in the election called the test election,
which was held last year in which the technologies were
employed.
And, finally, while electronic voting is a viable option
that can be successfully implemented, it must use secure
disciplines to gain the public's confidence.
After that information came to me, it got my attention, and
particularly because our State was trying to get our local
counties to purchase equipment and to sign contracts. And after
my family and I voted in November, I sent a letter to our
Secretary of State, November 10, 2003--and I am placing this in
the record--to which I have received no response. But I would
ask you if you are capable to answer any of these questions.
I explained in the letter that when we voted at our polling
place, we actually chose the paper ballot rather than using the
electronic device that was also an option. When we completed
the paper ballot, we gave it over to the election official who
put it in an optical scan. And our ballots, when it went
through the scan, were physically stored in the back of the
machine and at the end of the day the physical ballots could be
tallied against the totals provided by the scanner. And, thus,
we felt confident that our votes had been counted and that, if
necessary, an auditible trail would be present at the precinct
level, which is how we vote in Ohio. We count at the precinct
level.
The people, however, who in that same precinct chose to use
the electronic device, I would ask the question, how would
their votes be counted? Where exactly is their vote in that
machine? That is the first question. How and where were their
votes counted at the end of the day? Will the touch-screen
system produce an auditable paper trail of votes at the
precinct level? And, if not, what happens to the votes on the
disk once those votes leave the precinct? Who controls the
disk? And is any tally left at the precinct level?
To date, our Secretary of State has not chosen to answer
this letter. I am just curious, how would you go about perhaps,
if you can, answering any of the questions that I have asked?
Mr. Putnam. Did you write all that down?
Mr. Hite. Well, actually, I didn't need to write it down
because, unfortunately, the answer to the question is, it
depends. And it is going to depend on the specific make and
model of the equipment that is being used there and the set of
procedures that are being employed to govern the extraction of
those votes and the transportation of those votes, whether it
is on disk or electronically. So there is so many things that
are peculiar to your situation that we don't have privy to and
are not in a position to answer, but certainly your Secretary
of State should be in a position to answer.
Mr. Putnam. Anybody else want a crack at that?
Mr. Jarrett. Certainly in Missouri, Secretary Blunt has
said that he is not going to certify any DREs unless they do
provide a voter-verified paper ballot. So, in Missouri, that
will be the standard. There will be a paper backup.
Ms. Kaptur. And that paper backup would be at the precinct
level? Do you count the votes at the precinct level in
Missouri?
Mr. Jarrett. No. They are counted back at the central
office. But, yeah, that will be available at the precinct
level. I think Secretary Blunt envisioned a system where the
paper ballot would either be behind glass and where the voter
couldn't touch it, it would simply drop into the ballot box.
Or, even where the voter would get the ballot, paper ballot,
and put it in a ballot box so that the voter could see it
before they hit the final button casting their ballot to make
sure that it is what they intended.
Mr. Putnam. The gentlelady's time has expired.
The subcommittee will accept any final comments that the
first panel would like to make, if you have any. If there are
some last words, a question you wish you had been asked,
something you would like to answer, this is your opportunity.
And then we will recess and set up the second panel. Any final
comments from the first panel? Very good. The subcommittee will
stand in recess. We will arrange the witness table for the
second panel.
[Recess.]
Mr. Putnam. The subcommittee will reconvene. The witnesses
will please rise for the administration of the oath.
[Witnesses sworn.]
Mr. Putnam. I would note for the record that all the
witnesses responded in the affirmative. We will move directly
to witness testimony.
The first witness is Dr. Aviel Rubin. Dr. Rubin is
professor of computer science and technical director of the
Information Security Institute at Johns Hopkins University.
Prior to joining Johns Hopkins, he was a research scientist at
AT&T labs. Dr. Rubin has authored and coauthored several books
on Internet security. He serves on the board of directors of
the UFE&IX Association and on the DARPA Information Science and
Technology Study Group. Dr. Rubin is coauthor of a report
showing security flaws in a widely used electronic voting
system that focused a national spotlight on the issue.
In January of this year, Baltimore Magazine named him
Baltimorean of the year for his work in safeguarding the
integrity of our election process, and he is also a recipient
of the 2004 Electronic Frontiers Foundation Pioneer Award.
Weather to the subcommittee. You are recognized for 5 minutes.
STATEMENT OF AVIEL RUBIN, TECHNICAL DIRECTOR, INFORMATION
SECURITY INSTITUTE, DEPARTMENT OF COMPUTER SCIENCE, JOHNS
HOPKINS UNIVERSITY
Mr. Rubin. Thank you, Mr. Chairman, Mr. Clay, Mr. Holt, and
Ms. Kaptur. In addition to all of that, I just want to
introduce that I served as an election judge on Super Tuesday
in March, in Baltimore County, to gain experience with actually
helping to run an election.
My belief, after studying the code in the Diebold DREs is
that the DREs that are in use right now and that will be in use
in November are poorly designed, insecure, and that they should
not be used. The Secretaries of State of California and Ohio--
and, I now learned, Missouri as well--have come out with
statements backing this opinion.
I have two major concerns, and to some degree they are
mutually exclusive. Let me describe the first concern.
The first concern is that something very bad will happen in
November in the election due to the insecure machines. They
could fail in a catastrophic way. They could get a result that
is obviously wrong. And what would we do? There would be no
ballots to recount. They could fail in a way that is wrong,
that could get a result that is wrong but not obvious. We don't
know how likely that outcome is.
Let me talk about my second concern. My second concern is
that nothing bad will happen, and that will be used as an
argument to say that the machines are secure. Some people
already are saying that the machines are secure because we have
had no failures in the past. This would give them more
ammunition to continue to say that the machines are secure. The
lack of an obvious failure does not mean that the machines are
secure. We have a vulnerability here. We have fully
computerized machines that can be read, they can be read
without anyone even knowing it, and even if the machines are
open source. Just because this software is available for
inspection does not mean there isn't something hidden inside of
it that cannot be found. I do not believe it is possible to
find all of the problems that could exist in software, even by
really good experts.
Let me give an analogy. You might drive without a seat
belt, and if a bad accident happens to you and you get really
hurt, there is no consolation in me saying, I told you so. But
if there is no accident, that does not mean that it was safe.
On November 2nd, 30 percent of American voters will be
driving without a seat belt. If there is no apparent incident,
that does not mean it was safe to do so.
My primary concerns with today's DREs are that there is no
way for voters to verify that their votes were recorded
correctly. There is no way to publicly count the votes, no way
to count the votes so that people can watch and be sure that
the counting is legitimate. In the case of a controversial
election, a meaningful recount is not possible. The machines
must be completely trusted not to fail, not to have been
programmed maliciously in the first place, and not to have been
tampered with. In Diebold's machines we found gross design and
implementation errors when we looked at the code.
The current certification process resulted in these
machines being approved for use and are being used in
elections.
I am often asked, how do the other vendors compare to
Diebold? And I have to say, I don't know; nobody will let me
look at that their system.
We often find ourselves in these kinds of hearings, and
election officials will pull out--and I just learned we are
going to have a similar demonstration today--a 10-foot long
ribbon that shows what a paper ballot might look like. And I
would say, yes, if you designed the absolute worst paper ballot
that you could think of, it would look like that. Why don't we
start with something like the absentee ballots that they are
using, and show that is what a ballot could look like? In fact,
that absolutely worst possible design of a paper ballot
probably includes all of the choices that were not made by the
voters as well.
I don't think that this is an insurmountable problem. I
believe that we can design voting systems that are accessible
to the disabled, that provide voter verifiability to the
voters, and that raise the bar in security past the threshold
that I need to be past, and we are way below that threshold
right now.
In conclusion, accessibility and security are not mutually
exclusive. They should not be portrayed that way. We need to
develop systems that do not require completely trusting the
vendor with the outcome. We need to develop systems that are
auditable, including the ability to perform a recount that is
recounting the voter's intent. Systems where voters know that
their completed ballots
are recorded correctly need to be developed, and we need to
develop a transparent process without secret code. Today's DREs
have none of those properties. Thank you.
Mr. Putnam. Thank you very much.
[The prepared statement of Mr. Rubin follows:]
[GRAPHIC] [TIFF OMITTED] T8208.066
[GRAPHIC] [TIFF OMITTED] T8208.067
Mr. Putnam. Our next witness is Dr. Michael Shamos. Dr.
Shamos is a distinguished career professor in the school of
computer science at Carnegie Mellon University where he serves
as co-director of the Institute for E-Commerce, and the
director of the Center for Privacy Technology. He is also
editor in chief of the Journal of Privacy Technology.
From 1980 to 2000, he was statutory examiner of
computerized voting systems for the Secretary of the
Commonwealth of Pennsylvania. From 1987 to 2000, he was the
designee of the Attorney General of Texas for electronic voting
certification. During that time, he participated in every
electronic voting examination conducted in those two States,
involving over 100 different voting systems, accounting for
more than 11 percent of the popular vote of the United States
in the 2000 election.
He is the author of ``Electronic Voting: Evaluating
Threat,'' and ``Paper V-Electronic Voting Records: An
Assessment.'' He is a member of the Serve Project Review Group,
and the recent National Research Council Workshop on Electronic
Voting.
Welcome to the subcommittee. You are recognized for 5
minutes.
STATEMENT OF MICHAEL SHAMOS, PROFESSOR, CARNEGIE MELLON,
DIRECTOR, UNIVERSAL LIBRARY; CO-DIRECTOR, INSTITUTE FOR E-
COMMERCE
Mr. Shamos. I thank you, Mr. Chairman, members of the
committee, and visiting members. This hearing is about the
science of voting machine technology. There presently is no
such field of science, if by science we mean an organized
experimental discipline with authoritative principles and
published journals. The reason is that until the year 2000, it
was difficult to interest scientists in a problem so apparently
trivial as counting ballots.
As we saw in Florida in 2000, it is not a trivial problem,
and we desperately need a field of voting science. However,
there is no systematic science of voting machine technology, no
engineering journal devoted to the subject, no academic
department nor even a comprehensive textbook. There are no
adequate standards for voting machines nor any effective
testing protocols. It is only a set of minimum statutory
requirements, public budgets, and the law of the marketplace
that have shaped the development of voting machines.
When a flaw is detected in a voting machine, there is no
compulsory procedure for reporting it, studying it, repairing
it, or even learning from the experience. The voting machine
industry is unregulated and has not chosen to regulate itself.
I don't believe the public will long tolerate such a situation.
While recent newspaper articles and statements by certain
computer scientists have shed doubt on the ability of direct
recording electronic machines to count votes securely and
reliably, it should be noted that in the 25 years these
machines have been used in the United States, there has not
been a single verified incident of tampering or exploitation of
a security leak.
The concerns have been expressed and, unfortunately, taken
up with unjustified gusto by the popular press, representing a
hypothetical rather than a real threat to the electoral
process. Various design flaws and potential avenues of attack
have been verified, and it is important to analyze and repair
them rather than to flee to methods of voting that are even
less safe.
For reasons of cost and convenience, evolution of voting
systems has tracked that of personal computers. As we now know,
the operating systems of such machines are highly vulnerable to
attack and infiltration by malicious software such as viruses.
In addition, the temptation to connect voting machines
together by networks and link them to central counting stations
through telecommunications has introduced new vulnerabilities
not previously seen. The only set of standards used to evaluate
voting systems, the Federal Voting Systems Standards, FVSS, now
the province of the Election Assistance commission, have not
kept pace with either developments or threats. For example,
these standards place responsibility for virus protection and
elimination on the vendor, and provide for no test procedures
by which the presence of viruses or the susceptibility of a
system might be determined.
An example of disorganization in the field of voting
technology is the recent popular call embodied in several bills
now before Congress to add paper trails to existing voting
machines in the vain belief that this would suddenly make
untrusted machines trustworthy.
No scientific study has been performed comparing the
security of paper ballots to electronic records, yet fear of
the machines is so prevalent that entire States are now
insisting on the introduction of a technology that does not yet
exist to solve a problem that has never been observed.
I could give testimony for 2 hours on exactly how one can
take any method of voting that is performed with paper ballots
or paper devices, and I can explain in detail numerous methods
of tampering with a ballot. If I were to do that, one of the
effects would be that many Americans would not go to the
polling places this November because they would have no faith
in any method of voting.
I believe this situation has occurred, because allegations
have been made that voting machines jeopardize democracy. But
there is no engineering study available to rebut the
allegation, and we need one.
The scientific establishment of the United States needs to
be mobilized to investigate the problem. Some efforts are
already underway in this regard. Last week, the National
Research Council convened a committee of approximately 20
experts on voting technology and election practices to
formulate a set of questions for further study, but the
investigation is as yet unfunded and may take several years to
complete. The National Science Foundation should fund proposals
to study various aspects of voting.
Other than health and nuclear safety, it is difficult to
think of a more pressing subject for NSF support. HAVA, the
Help America Vote Act of 2002, tasks the National Institute of
Standards and Technology with major technical responsibility
for guiding the development of voting systems standards. Yet
this effort remains tragically unfunded. Section 273 of HAVA
authorized an appropriation of $20 million for research on
voting technology improvements during fiscal 2003. The total
actual appropriation was zero dollars, and no authorization
even exists for 2004.
I have heard it expressed that Congress wants to give HAVA
a chance to work before enacting further voting legislation,
but it is elementary that HAVA cannot work if it is never
implemented. As scientists have begun to study voting
seriously, a number of revolutionary breakthroughs have
occurred that can allow a previously unheard of degree of
transparency in the process of voting and tabulation. For
example, you will hear later, right after me, about a system
called VoteHere. Also, because of a development by computer
scientist David Chaum, it is now possible to accord each voter
the ability after voting has taken place to verify that her
vote has not only been counted but counted correctly. It is
also feasible for any member of the public independently to
verify the correctness of the tabulation, and to be sure that
no unauthorized votes have been added to the total, all of this
without compromising the secrecy of the ballot. Technologies
such as these need Federal support in order to flourish.
I thank you for the opportunity to testify today.
Mr. Putnam. Thank you very much.
[The prepared statement of Mr. Shamos follows:]
[GRAPHIC] [TIFF OMITTED] T8208.068
[GRAPHIC] [TIFF OMITTED] T8208.069
Mr. Putnam. Our third witness is Mr. Jim Adler. Mr. Adler
is the founder and CEO of VoteHere, Inc. He is widely regarded
as an authority on the subjects of cryptography, security, and
e-voting. He has served on California's groundbreaking 1999
Internet Voting Task Force, testified before legislatures on
the subject of e-voting, and is defining certification
procedures for e-voting systems. Currently, he is co-chair of
the Institute of Electrical and Electronics Engineers Voter
Verification Standards Committee which is defining national
standards as part of the Help America Vote Act of 2002.
Early in his career, he was a rocket scientist working on
Atlas, Titan and Space Station Freedom avionics systems. He
received a B.S. in electrical engineering with high honors from
the University of Florida--go Gators--an M.S. in electrical
engineering from the University of California, San Diego.
Welcome to the subcommittee. You are recognized for 5
minutes.
STATEMENT OF JIM ADLER, FOUNDER AND CEO, VOTEHERE, INC.
Mr. Adler. Thank you, Mr. Chairman, members of the
committee, and visitors.
So far we have heard a bipolar debate between, on the one
hand, electronic voting machines are fine as is, and on the
other, the only way forward is to go back to paper ballots.
Many people agree that there is a problem with electronic
voting today. However, we don't all agree that the paper ballot
is the best solution, because we already know paper-based
solutions are badly flawed. I am here to tell you there is a
third way, perhaps the technology that Dr. Simons is waiting
for, a better solution to prove that every vote is counted
properly without falling back to paper ballots, the same paper
ballots that have been at the root of electrical fraud and
disenfranchisement throughout our history.
There are technologies available today, and VoteHere's VHTi
is one of them that can make electronic voting better than
paper ballots and still retain all of the accessibilities and
operational benefits. Just because some have diagnosed
electronic voting disease doesn't mean the only cure is going
back to paper ballots. There are other more effective cures.
Interesting that Dr. Rubin mentioned safety belts. The call
for paper ballots is similar to the call nearly 100 years ago
to ban the automobile and go back to horses. Back then the
automobile was considered dangerous new technology, lacking
critical safety equipment such as safety glass. Instead of
moving backward in elections, we need to look forward and, in
effect, add safety glass to our electronic voting machines.
Today I will outline technology that brings measurable
certainty and transparency from the voting booth to the final
election results, solves the current dilemma, and is available
now.
My message to you is very simple: We should let innovation
and HAVA and NIST work, and not revert back to paper ballots
which have historically failed us.
Last summer we announced a nonexclusive agreement with the
Sequoia Voting Systems to put our technology in electronic
voting machines, and just yesterday we announced another
agreement with Advanced Voting Solutions to put our technology
in their machines. So this is not far off into the future. This
is happening today. We will be testing that technology in the
fall.
VoteHere has a solution called VHTi, a voter-verified
election audit technology that works inside any machine, and
even though hardware/software procedures may be opaque, the
audit system is 100 percent transparent and will with certainty
detect if a single ballot is corrupted either maliciously or
accidently. The technology goes beyond paper ballots because it
proves election results are valid end to end, not just at the
polling booth.
It does two basic things: First, it gives voters a voter-
verified receipt if they want to check both that their vote was
properly recorded at the poll site and properly counted in the
final results, while maintaining ballot secrecy throughout. And
second, it enables a meaningful and transparent audit trail
that lets anyone independently verify the election results with
accuracy down to a single vote.
The effectiveness of this technology does not rely on
securing software, source code, or the hardware, but instead
relies on a transparent audit process that it enables.
Elections have always been protected by detecting when
elections are compromised, not necessarily just protecting
elections from compromise.
Too often, security experts have misunderstood elections as
being only secured by protective measures, big fences that you
build around your house. Actually elections have, as I said,
been always secured by detecting these problems, like guard
dogs that alert you to intruders inside your house. It is
always good to build big fences, always good to have a dog in
the yard. In many ways this VHTi technology is that barking
dog.
As a practical matter, tracking our votes is as simple as
tracking a package sent through UPS or the U.S. Postal Service
or tracking a lottery ticket to its point of purchase, and
every day Americans track 12 million packages. If we can track
the destiny of our packages, why can't we do so with our votes?
The often-used reason for not using a true receipt that
could be used to be taken home is that it could violate a
voter's privacy and be used for vote-buying or voter coercion.
Well, now this cryptographic technology provides an encrypted
voter-verifiable receipt to assure the voter that her vote was
counted properly but cannot be used to pass that assurance on
to anyone else. The same technology protects trillions of
dollars of electronic banking, and it is time that we brought
it into our voting process. I realize that the capability
sounds unbelievable, but this is the type of long overdue
innovation that we are now embarking upon, and in no small part
is due to HAVA.
There is a demonstration on the VoteHere Web site, I know
we don't have time to go into it, but a couple points need to
be made. Just like at the gas pump, the voter has the option to
obtain a detailed receipt of each race she wishes to verify.
After the election, the receipt data is regenerated from the
counted ballots, and she can look up the receipt on the county
Web site to verify that the receipt she obtained in the polling
place represents the same one that got counted. While the
county tallies the votes, the public can also independently
tally them as well, and nonpartisan groups such as the League
of Women Voters and others could verify the results
independently.
With so much transparency and with so many people
monitoring the results, you can statistically guarantee that
anomalies will be caught, and in my appendix and written
statement I go into that in some detail, and I also presented
it at last December's NIST conference on security and
transparency.
What is most attractive about this technology is that it
acts as a spot check on the election system end to end. Much of
the criticisms have focused on the fact that we have no way to
trust and justify the trust we place in electronic elections.
This voter-verified receipt gives you that spot check and
provides us a degree of statistical confidence and guarantees
the election results are valid.
I just want to talk about transparency. Cryptology is not a
``Trust Me'' technology, it is a ``Trust No One'' technology.
In every election, absolutely everything connected with the
vote is published for scrutiny. The protocols, the mathematics
are published. We did that last September. The source code is
published. We did that in April. And all the voting data is
published in every election. Cryptography actually reduces the
need to trust election officials, hardware, software,
procedures, and vendors. And paper ballots just can't do that.
Paper ballots let voters check that their vote was recorded,
but voters have no idea that their vote was counted. It then
drops into a ballot box, a black box, and we have to trust that
votes were actually counted.
To just sum up, the promise of electronic voting is that it
could be better than paper, not just as good as paper. The
calls for security confidence and transparency are necessary. I
wholeheartedly embrace them. Let's not go back to horse-and-
buggy elections. Instead of banning technology, we should let
innovation work and provide safety equipment to our electronic
elections. Only then will we have a truly safe voting process.
Thank you for your time.
Mr. Putnam. Thank you.
[The prepared statement of Mr. Adler follows:]
[GRAPHIC] [TIFF OMITTED] T8208.071
[GRAPHIC] [TIFF OMITTED] T8208.072
[GRAPHIC] [TIFF OMITTED] T8208.073
[GRAPHIC] [TIFF OMITTED] T8208.074
[GRAPHIC] [TIFF OMITTED] T8208.075
[GRAPHIC] [TIFF OMITTED] T8208.076
[GRAPHIC] [TIFF OMITTED] T8208.077
[GRAPHIC] [TIFF OMITTED] T8208.078
[GRAPHIC] [TIFF OMITTED] T8208.079
Mr. Putnam. Our next witness is Mr. Sanford Morganstein.
Mr. Morganstein is the president and founder of Populex Corp.
He has more than 35 years of technology-based experience in
both entrepreneurial and Fortune 500 companies. For the past 20
years, he has led several new high-technology corporations,
including developing Dytel into a successful corporation. He
has served as chief of Technology and Competitiveness for the
Illinois Department of Commerce and Community Affairs. In this
capacity, he was responsible for strategic planning in new
initiatives in biotechnology, telecommunications, business
modernization, and commercialization of advanced university
research. He also served as a member of several Governors' task
forces. He holds 29 United States and foreign patents for
telecommunications and high-tech products. Welcome to the
subcommittee. You are recognized for 5 minutes.
STATEMENT OF SANFORD J. MORGANSTEIN, PRESIDENT AND FOUNDER,
POPULEX CORP.
Mr. Morganstein. Thank you, Mr. Chairman, Congressman Clay,
invited Members of Congress.
What a great spirit of bipartisanship and democracy when
the ranking member quotes Ronald Reagan in saying ``Trust but
verify.'' It was President Reagan who said that so many years
ago.
I am here with one goal only, and that is to dispel
misinformation that somehow voter verifiability and verifiable
ballots are impractical, costly, and disenfranchise the blind.
As Professor Rubin said, there is no reason at all that
providing voters with a voter-verifiable, tangible ballot, one
of which I am holding in my hand--and we will talk a little bit
about that further--can't be used on touch-screen systems so
that blind voters can work, undervotes are detected and warned,
overvotes are not permitted, people who speak different
languages can have their ballot easily translated into the
language of their choice. There is absolutely no
incompatibility with those noteworthy goals and the notion of
having a voter-verifiable ballot.
Mr. Chairman, some who have said that there is an
incompatibility have pointed to reams of cash register tape
saying, if you want an audit trail, this is what you have to
have. It is crinkled, it is folded, it tears. Who knows how you
count such a thing? I think that is a piece of misinformation
that insists that something that is voter-verifiable has to be
of this nature.
And Mr. Adler to my right said let us not go back to paper.
But it is not either/or. We can combine the best of the new,
which is touch-screen voting, for its obvious advantages with
the best of the old; something that can be verified, something
that voters understand, something that they see, that is
tangible, that goes in a ballot box, that is counted at the end
of the day, as the Congresswoman asked, and that can be
recounted. If you count this ballot, you will get the same
result as when you recounted.
Let us look at whether or not it disenfranchises the blind
voter. We have had two of our machines in use for several
months at the National Federation of the Blind in Baltimore,
and they are going to be issuing a report based on human
interface--this is easy to use, hard to use. And they have
looked at five or six machines. And I don't know what they will
say about that, but I do know--and I have questioned them and
asked, can I quote you on that--that the blind voters who have
taken the opportunity to verify their ballots--and they can by
holding it underneath a supermarket scanner that we are all
kind of used to and putting on headphones, it will read what is
on that ballot. Those blind voters appreciated and understood
that their ballots were being verified and that they were not
being discriminated against because there was a technology that
did not apply to them.
When the subcommittee issued its notice, it focused on
technology and science. And there is a human component that I
urge consideration. Mr. Chairman, I would be preaching to the
choir if I said that, fundamentally, our system is one that is
ruled by the consent of the governed. And what is missing in a
lot of the debate is the confidence of the voter; not of the
scientist, but the confidence of the voter. And if the voter
erosion--and if the voter's confidence in an electoral system
is eroded because they don't understand what happens to the
ones and the zeros on the disk, or they know that they had a
hard drive that crashed, and they read about viruses, then we
have a real risk that the people who really make this country,
the voters, will lose confidence. And, again, there is
absolutely no reason that confidence is incompatible with the
electronic systems that can ensure that we capture the vote and
capture the voters' intent.
[The prepared statement of Mr. Morganstein follows:]
[GRAPHIC] [TIFF OMITTED] T8208.080
[GRAPHIC] [TIFF OMITTED] T8208.081
Mr. Putnam. Thank you very much.
Let me begin with a question for you, sir. How many ballot
questions will fit on the card that you held up?
Mr. Morganstein. Well, I have a lot of jokes about the city
of Chicago, and I come from that city. And when I tell those
jokes to people who are election officials there, I get into
trouble. The typical Chicago ballot will have 75 judicial
retention questions whereby judges are up, and you probably
aware of that, sir. We have programmed an election for the city
of Chicago--we programmed the 2000 election in which there were
some, I think, 96 ballot questions, counting 75 judicial
retention, President, Vice President, and so on. And that is,
as a matter of fact, the limit that we can put on here. We can
put 96. You can have thousands of people on the ballot,
thousands of questions, but 96 selections, which is more than
adequate for any election we have seen.
Mr. Putnam. So that being the ballot, the voter can read
their 96 selections on that piece of paper?
Mr. Morganstein. Yes, sir. There are two ways the voter can
do that. It is printed in a human readable format. You can see
some numbers--and I am happy to pass these up to the committee
if you would like to touch these.
Mr. Putnam. That would be helpful.
Mr. Morganstein. There is a human readable portion on the
bottom, and then you see a bar code in there, which as the last
time you went to the supermarket to buy a can of soup, you know
that it read the price properly. The voter can hold that
underneath a laser beam, and in the privacy of a voting booth
it will show the selections, English selection, President of
the United States and so on that they have picked up to 96.
Mr. Putnam. Dr. Shamos, considering the pool of people able
to hack into electronic voting systems is presumably smaller
than those who are able to do it the old-fashioned way by
manipulating the paper system, would you agree or disagree that
electronic systems increase security of the ballot?
Mr. Shamos. Properly designed and properly deployed and
tested systems, DRE systems, do indeed increase the security of
the ballot.
Mr. Putnam. Dr. Rubin, after volunteering as a poll worker,
you were quoted as saying that the experience showed you that
one potential attack would be far more difficult to pull off
than you and your colleagues had assumed. Is that an accurate
quote, and do you still feel that a serious attack is likely?
Mr. Rubin. Yeah. It's not a misquote, but it's the first
half of a sentence where the second half was, ``I have found
some attacks that I considered would have been harder to pull
off in my precinct. I thought of new ones that I hadn't
considered. And basically I think the experience focused me
better on appreciating what the real risks were,'' and at the
end of that paragraph, I stated that I still believe that these
were a fundamental risk to our elections.
So I did not believe the system was any less secure after
working there. I just sharpened my appreciation for the various
attacks.
Mr. Putnam. Is it more or less difficult to perpetrate
fraud using electronic devices over traditional paper ballots?
Mr. Rubin. I believe it is probably more difficult to
perpetrate fraud, but that the fraud would have much more far-
reaching consequences if it were successful.
Mr. Putnam. And for the short term, this whole idea of a
paper trail, is it technologically feasible to deploy an
auditable, verifiable paper trail in every machine in America
between now and November?
Mr. Rubin. I don't know.
Mr. Putnam. Anyone else?
Mr. Shamos. It is not possible.
Mr. Putnam. Mr. Adler.
Mr. Adler. It is not possible.
Mr. Morganstein. I would be wealthy if it were true, but it
is not possible.
Mr. Putnam. So we are all in agreement, with the exception
of Dr. Rubin, that this is really a discussion about improving
or changing or altering the approach for the 2006 election,
because 2004 is out.
Mr. Morganstein. There are primaries in 2005, and there are
municipal elections in 2005.
Mr. Putnam. OK.
Mr. Rubin. I will agree with that statement, too.
Mr. Putnam. OK. So this is all then, about post-
Presidential election and the challenges that we are going to
have to deal with. We have heard testimony that no system is
perfect, they all have their problems, they all have their
security issues. We all deal with a certain amount of error
every day in on-line IRS filings, ATM machines, self-serve gas
pumps that scan our credit cards, and we all deal with a margin
of error in electronic devices involving our finances. And
obviously voting is a fundamental piece of our democracy, and
we ought to do everything we can to secure it as well.
But my concern is that this election is going to be seen as
being a fiasco despite the fact that there may or may not be
any greater error rate than historically has been the case
because of the sensitivity, the international scrutiny, and the
fact that now, frankly, both parties are ramping up teams of
attorneys to figure out ways to exploit what everyone admits is
an imperfect system.
So knowing that everyone, the first panel and I believe all
of you are in agreement--and if you are not, please say so.
Knowing that everyone agrees that there is a margin of error in
every single system deployed, how do we develop some standard
that defines an acceptable error rate, knowing that this thing
is going to be litigated and played out both in the media and
presumably in the courts again? How do we have some standard if
everybody agrees that there is going to be something that
someone can point to and say that is an imperfect system?
Because we haven't designed a perfect one. What is the
definition?
Mr. Morganstein, and we will work across the table.
Mr. Morganstein. Thank you, Mr. Chairman. I will be brief.
I was very honored last week to participate in a panel at the
National Academy of Sciences right here in Washington with some
of the smartest people I have ever seen or had the pleasure to
sit down next to. And evidence was presented, sir, that showed
that the voting system unquestionably counts. It makes a
difference. It lowers error rates. Unquestionably. If you start
from hand-marked ballots, which sound simple--make an X; well,
some people make a circle and other things happen--to
punchcards, which were good for a long time, and then we saw,
well, maybe not so good; to optical scan that provide feedback
to voters in the precinct. Better yet. And you can see that
when we did these, the questions on the ballot didn't get
easier, but the technology got better and the error rates did
increase.
I think DREs are a step further yet, and a I think a voter-
verifiable touch screen--which is not really a DRE, by the
way--is yet another step.
The answer, sir, to your question is, like anything else
that we have done in this country, we have recognized the
importance of continual improvement. It is not like the
Constitution says, a more perfect union; you know, it is
something perfect, you can't make it more perfect. We are
getting better and better, and that is the best we can do as
humans, is make it better and better and work on continuing
improvement.
Mr. Putnam. Mr. Adler.
Mr. Adler. As Dr. Shamos said, there is no election
science, and we--the election community--are making it up as we
go. And that is just a true statement. On the committee that I
co-chair at IEEE on voter verifiability, we have put out
margin-of-error levels, standards that every system should
meet, whether it be paper DREs or receipt-based systems where
you can spot check these things.
Statistics govern our whole lives. How do you know that a
vaccine works? Because you didn't get sick? If you didn't take
it, you might not have sick either. We do statistical analyses
in this society that we base policy upon. What we are not doing
with voting is we are not measuring the margin of error. The
first thing we have to do is measure it and figure out how to
measure it across systems, whether it be DREs, whether it be
paper ballots. And I think once we understand that--and we have
done some analysis which says if 2,000 people faithfully spot
check and verify their vote, actually counted properly in a
congressional district of, say, 400,000 voters, you can get a
margin of error that you can take to court that is about a
quarter of a percent. If you want better than that, you need
more spot checking.
And that is exactly what we did with lever machines; we
used to spot check them. There was no paper to recount. We had
a meaningful audit trail. And there are performance
requirements that we need to institute and measure for every
system on Election Day that will provide the second component,
which we have all talked about, which is voter confidence. I
get a receipt at the gas pump if I want it. If I get a receipt
at the voting machine--in our focus groups, and we put about 70
people, you know, through our last incarnation, whether they
were going to check or not, they said I would rather have it
than not have it.
Between those two, measuring and giving the voters some
confidence their vote counted and some proof their vote
counted, I believe, is a way forward.
Mr. Putnam. That technology test that would give you that
.25 margin of error, isn't it true that would not take into
consideration a confusing ballot design that, frankly, in
Florida was one of the key reasons for voter confusion? But
technically the machine worked. They were overvotes as a result
of voter confusion on a complicated design. So, I mean, that is
the whole other human piece; right?
Mr. Adler. Well, I would agree that the most difficult
place is between the voter's gray matter and how they represent
it. And we have done a lot--the best things DREs do is stop
overvotes. Overvotes have gone to zero. And so we will continue
to deal with that gap, from gray matter to medium.
The question that I think we are all dealing with, and
actually NIST put out a report on usability, is once the voter
intent is captured, how do you make sure it is counted
accurately or properly, faithfully? And then the chain of
custody all the way to rolling up the result. You have to do it
from gray matter all the way to results, and that is the end-
to-end solution or end-to-end system that we need to measure.
Mr. Putnam. I will let the other two finish, and then go
over to Mr. Clay.
Mr. Shamos. I have to make the question more complex before
actually giving an answer. We have no definition of what error
is in voting. Political scientists think it is an error when a
voter goes into a voting booth and comes out without having
voted for every race and question on the ballot. They actually
use the word ``error'' in reference to that. Error can occur
because of a difficulty in a voter expressing her choices. That
is, they have in mind a certain slate they want to vote for,
and it ends up, through error or mistake in the voting booth,
they don't actually end up voting for those people.
Then, of course, there is the issue of error in the
software, error in the hardware, that may cause the vote to be
recorded differently from the correctly expressed intention of
the voter. But even if that could ever be reduced to zero,
which it can't, that still doesn't mean that we have error-free
voting, because the votes must be totaled, the totals must be
communicated through a central place. We must make sure that
every voting machine that was used, that its totals are
correctly reported and added together. And so there are many
parts in the process which have the potential for introducing
error.
The issue with paper, paper receipts and paper trails, is
exactly which of those errors they address. And they do address
one error very well; and that is, the error in the voter
communicating her choices to the machine. When the verified
piece of paper or whatever mechanism is used--and there are
numerous ways of verifying ballots without using paper.
Whatever the mechanism is used, it does provide an
instantaneous feedback that, yes, the machine heard me
correctly. Unfortunately, because of the inability to secure
the physical custody of ballots--these, after all, are
potentially touched by 1.4 million poll workers around the
United States on their way to the central counting station.
Despite the fact that the voter was heard properly, it doesn't
mean that piece of paper is ever going to be around for a
recount, that it will not have been augmented, destroyed,
modified, or changed in some other way. That is the fundamental
problem with relying on paper.
Mr. Putnam. Dr. Rubin.
Mr. Rubin. My area of expertise is computer security. That
is what I do for a living. And so I face this question all the
time because no system that is on is secure. And in my
consulting work I am often asked, we want you to help us design
this or evaluate it to make sure it keeps hackers out, and that
we are not vulnerable to data loss. And I say it can't be done.
So given that, the goal is to make things better and to
make them as secure as possible. You know, I talk about
spectrum from really insecure to very, very good. And you try
to fall in the best possible spot on there.
I think what we need to do is use all the technologies
available, whether the modern and computerized ones or the old
paper ones, utilize the best properties of each, and make the
system as good as possible and then hope that the election is
not too close.
Mr. Putnam. Mr. Clay.
Mr. Clay. Thank you, Mr. Chairman.
Dr. Rubin, the debate about improving the security and
reliability of the electronic voting machine has up to this
point focused on the use of a voter-verified paper audit trail.
While the idea has many supporters, others say that moving
toward this sort of paper trail is impractical and may prove
unwieldy. In your opinion, are there any better solutions?
Mr. Rubin. I believe that 20 years from now we will all be
voting on systems like Mr. Adler's and David Chaum's, and
universal verifiability. I think that cryptographic solutions
hold a lot of promise.
I approached this from the point of view that many, many
places are using DREs. And I got to see one of those DREs
inside, and I believe that systems like that, that are fully
electronic, that don't have the cryptographic protections
cannot be relied upon without a voter-verifiable paper trail.
Mr. Clay. Dr. Shamos, you said, ``The system that we have
for testing and certifying voting equipment in this country is
not only broken, but it is virtually nonexistent.''
Given that situation, should we have a moratorium on the
purchase of new DRE equipment until we have adequate standards
and an adequate certification process?
Mr. Shamos. I am thinking.
I have never met the question in that form. There are good
DREs and there are bad DREs. And the problem is, the public
doesn't know which is which, and often Secretaries of State
don't know which is which because of failures in the
certification process.
As Dr. Rubin pointed out, the systems that we have that are
known to have serious security flaws all passed the independent
testing authority certification process or qualification
process and were actually adopted by a number of States. The
issue with moratorium--I mean, I pointed out before that we
haven't had a verified incident of tampering with a DRE machine
in the United States. That doesn't mean it doesn't occur and it
doesn't mean that it won't happen tomorrow. Except that when we
are trying to safeguard against risks, we tend to focus our
attention and money on those risks that have occurred at least
once.
And so the answer is, if we know that certain machines have
security flaws, for example, the ability to plug a keyboard--
conceal a keyboard on one's person and plug it into a voting
machine in a polling place on Election Day and type things in
to modify the contents of the machine, a grotesque security
flaw. Nonetheless, there are safeguards that can be introduced
to prevent anybody from actually doing that. If it's necessary
to put people through a metal detector or watch them as they
are going in and out of the booth, then we do that. And so I
don't think the moratorium is the right answer, either, because
it condemns us to live with the worst systems of the past.
Mr. Clay. Thank you for your response.
Mr. Adler, can a computer be programmed to show one thing
on a screen and record something else on an electronic device?
Mr. Adler. I think the statement you made earlier about
trust and verify applies. Yes, a machine can display one thing
and record another. Just like even with the voter-verified
paper ballot, it could record one thing electronically, print
it on the paper, and hope the voter doesn't see it. And if I
could give you one parable about how this might work.
My 64-year-old mother lives still in Florida, Tampa Bay
area. She has been using these machines for the last 4 years.
Loves them. Said: Mom, they are going to put a paper ballot
next to it; you are going to have to compare them; and, if they
are right, you press the button. She said, first question: If I
don't compare them, will my vote count? And I said, of course
it's going to count. She said, then why would I really do it? I
am touching the screen.
Now, here comes the recount where the paper ballot and the
electronic ballot box do not match. They are going to bring
people like my mother into court and say, ma'am, did you look
at that paper ballot? She is going to say, no, sir, I didn't
think I needed to.
So is it voter verified? Is it a source document prepared
by the voter, and can the system do exactly what you said: put
one thing on the paper, put one thing electronically, and hope
the voter doesn't see it?
Mr. Clay. Let me ask you, did your company consider
producing a voting product on the Internet?
Mr. Adler. Yes, we did, and we do.
Mr. Clay. And your company experienced an Internet attack?
Do you feel the Internet is a safe place to vote?
Mr. Adler. I think anyplace you use electronics, you must
verify. And, again, it's not really about the hackers. With
voting, we don't know where the bad guys are, depending on
where you are politically sitting.
Mr. Clay. OK. My time is up. Let me ask you, why should
voters trust a company? This is not malicious in any way to
your company, but why should voters trust a company that could
not protect their own assets from attack over the Internet when
they say they can produce a paperless voting system that is
secure?
Mr. Adler. They shouldn't trust anyone when it comes to
voting. That is one of the reasons why we published our source
code, we published all our mathematics and algorithms,
protocols, we patented all our technology; which means it is
published. And every election, all the data that comes out of
this machine is verifiable by anyone. You shouldn't trust me,
you shouldn't trust the local election official, you shouldn't
trust the parties.
As Congressman Holt said, the voter can verify their vote,
and we need to give them the means to do that, not just that it
was recorded but that it was properly counted, and let anyone
verify the results. No one should be trusted in voting. No one.
Not the company, not anyone else. And we at VoteHere are
dedicated to that. So that if something did happen--the worst
catastrophe of a democracy is an undetected fraud. A detectable
fraud is embarrassing and expensive, but recoverable. And we
need to have the means to detect fraud when it occurs, and we
are dedicated to that.
Mr. Clay. Thank you for your response.
And Mr. Morganstein, why did your company choose to have
paper ballots printed by your voting system?
Mr. Morganstein. We were asked to do that by an election
official in our State--if it plays in Peoria, in fact it came
from Peoria--by an election official who had been working in
the field for some 20 years, who said, you know, I like this
touch-screen idea, but there is no audit trail. And I was
fortunate enough to have some other successful inventions, and
they asked me to put my mind into that and that is what
resulted.
Mr. Clay. Thank you for your response.
Mr. Chairman, I yield back. Thank you.
Mr. Putnam. Ms. Kaptur, you are recognized.
Ms. Kaptur. Again, I just want to thank the chairman, Mr.
Putnam, and the ranking member, Mr. Clay, for holding this very
important hearing. And so many Members are interested in this,
and obviously our citizenry is interested in this issue of
security of the vote.
I wanted to ask several questions, and I hope I can get
through them quickly. One of the counties I represent, Lucas
County, has a situation where they were going to bring on
Diebold technology. And the Secretary of State has just said
that is uncertified and has taken it off the list. And some of
our counties in Ohio of 88 counties had signed contracts with
Diebold. They cannot use that equipment now, as of November.
The local county, Lucas in particular, is now being faced with
a 300, I don't know, 80,000 bill, I guess, to try to bring on
some type of optical scanning equipment by November to try to
have the ballots in a situation where we can have a recount.
Because, under Ohio statute, you have to be within one-half of
1 percent; if you are, a recount is required. And we are told
that in the technologies they have been looking at, that was
impossible. So they have to do the optical scan.
What advice would you give to the Board of Election? They
are in a tizzy now, saying, well, that the Federal money that
is available from Washington that I voted for can't be spent to
pay for the optical scan for November. And the county is broke.
We have 10,000 fewer jobs than we had 3 years ago. The State is
broke. But all this money is sitting there from HAVA. Do you
have any advice? What would you advise to our local county?
Maybe some of you could give them a better price than Diebold
is offering on these Optiscan machines.
Mr. Shamos. I would advise hiring a lawyer. It is important
in procuring voting system equipment to get a representation
and continuing warranty from the vendor that their system meets
certain standards and will continue to meet those standards.
And if the system becomes decertified, then the financial
burden should be placed on the vendor, ultimately its bonding
company, to make good to the county so that it can purchase
whatever substitute is necessary.
Ms. Kaptur. Thank you for that suggestion. Believe me, I
will pass it on to them. Do you think it is appropriate for
private companies to coach and teach board of elections
officials and precinct workers? Or should that training of
election officials, which Federal money has been designated
for, should that be done by publicly hired workers who work for
the board of elections, not for any company?
Mr. Shamos. Well, maybe the vendors would want to give
another answer. But I don't like it. However, it is almost a
universally held opinion among election officials that there is
no alternative to it, because there is no other source of
expertise about the particular systems that are being used,
other than the vendor who has seen them used in numerous
jurisdictions, has seen all kinds of incidents and knows to
deal with them.
Ms. Kaptur. Well, this is a very troubling aspect to me,
that private companies--Mr. Adler, I was very interested in
what you said, that your technology patent was open to the
public realm. When I made this statement in Ohio, that if we
adopt a certain machine, that should fall into the public
domain, there were many who opposed that point of view. You've
stated exactly what I think should happen in terms of the
technologies that are used: Are they public or are they
private? Who provides the training? How do we know what is
really going? Who are the experts that end up controlling the
election process itself? I guess I am especially protective of
the citizens' interests, because in our county, in Lucas
County, we have always counted at the precinct level.
When I saw, Mr. Chairman, what happened in Florida, I
couldn't believe it, where it take votes to another site, you
count the votes. That is no anathema to what we do. It was
agonizing to watch, actually. And our elections are very
decentralized in my home county. And I am not saying there
probably aren't errors, but it really is very democratic, gets
right down to the precinct level, results have to be posted,
they have to be placed on the outside doors. There are all
kinds of things that--you have to have two people from each
party, plus a judge, looking over each other's shoulders; and
the count, it is very, very Jeffersonian. I mean, it is right
down to the grassroots level.
So when I hear about what companies are doing in all of
this, I am very troubled. And I wanted to ask you, I read some
reports about Georgia in the last election, which said that
there is this conjecture, 25,000 patches on machines that were
employed in Georgia. What is a patch, and was that done or
wasn't it done?
Mr. Rubin. I will answer that first one. When a program is
written, it contains lines of code. This is something that a
programmer types in to make the computer do whatever they want.
That gets compiled into software which is what runs on the
machine. From time to time, errors are found in the software or
something needs to be updated or fixed. And this generally
occurs across all disciplines when software is developed, and
you want to upgrade the software and make it new or change some
of it. So you write a patch, which is something that changes
certain parts of the software. It adds lines of source code or
removes lines. And when you apply a patch, what you are doing
is you are creating a new version of the software that is based
on the old version but has certain changes. So a patch can
completely change the behavior of a software package. It can
make it better, it can make it worse.
And I also have read a lot about the patches in Georgia. I
don't have any personal firsthand knowledge that anything like
that happened. But I would say that it is a very, very serious
matter that if a patch gets applied to a voting machine on
Election Day or shortly before, that is no longer a certified
machine; it's a different machine, and it needs to be
recertified.
And so you need to be very careful. And this gets to the
point that you mentioned about access between the election
officials and the vendors. On Election Day, the vendors should
not be tinkering with the machines and applying patches to
them.
Ms. Kaptur. Well, I will tell you, in the home precinct
that I am from--and I'm a precinct committeewoman, long before
I was a Congresswoman--they sent out an official from the
company to deal with a scanner that was malfunctioning in that
precinct, because we didn't have election workers that were
trained to do that work. And I am thinking, what is going on
here?
Mr. Chairman, I want to thank you for holding this hearing.
I don't want to go overtime. I have two small questions I still
want to ask, if you would be kind enough to----
Mr. Putnam. You have time coming.
Ms. Kaptur. Do I have time coming?
I just wanted to ask you if any of you are familiar with
the technology that Mr. Akin Gibbs had. He was one of the few
minority contractors that had a technology out there that could
have been reviewed by the States--they and localities--as they
make selections. Do you know, is that technology still on the
market and what its name is? He was in the State of Tennessee.
Mr. Morganstein. The True Vote?
Ms. Kaptur. I think that was the name.
Mr. Morganstein. That is all I know about it. Sorry.
Mr. Rubin. I had read accounts, I believe this person was
killed in a car accident. Is that right?
Ms. Kaptur. Yes. He was due to come to Ohio to testify
before our State legislature the next week, and he died the
prior Friday, or that weekend.
Mr. Rubin. I am not familiar with his technology.
Ms. Kaptur. You are not familiar with his technology. All
right.
A final question. If you are a local election official in
any State in this Union right now, and you are interested in
getting accurate information about machines' verifiability and
so forth, what you are faced with is a barrage of private
companies coming to you, telling you that their technology is
the best in the world. It may or may not be. Where do you go
now for good information? Where do you go to help you in your
board of elections? None of you know anything about
electronics, nothing about computers. There you sit with this
major public responsibility. Where do you go for information?
Where would you tell them to go?
Mr. Rubin. One of the things to keep in mind is that there
are some questions that can tip off right away the kind of
vendor you are dealing with. So, for example, Chairman DeForest
Soaries of the Election Assistance Commission made a statement
that election officials should have the right to ask the
companies for their source code under nondisclosure to get
external security reviews. The first question to ask a
potential vendor is if they would be willing to do that, and,
if not, why not?
And you could try to produce a list of questions--I have
some actually on my Web site--that you might want to ask a
vendor, just like you would when you are buying a car. If you
start to see that they are acting shady, they don't want to
answer certain questions, they won't provide you written
documentation of certain things, then you would proceed with
caution. I don't know if there is an independent group out
there that is providing advice on vendors.
Mr. Shamos. There are no consumer reports for voting
systems.
Ms. Kaptur. And if I could just say for the record, Mr.
Chairman, I thought when we voted for HAVA, that's what we were
voting for. We were voting for the National Institutes of
Standards and Technology to be the Fort Knox or the Oak Ridge
or the whatever national renewable energy lab for voting, the
place where you would go to get information.
Mr. Shamos. This should be the province of the Election
Assistance Commission. Previously, it was the voluntary
province of the Federal Election Commission, to accumulate
information about voting systems. But they couldn't get into
the position of making specific comments about particular
vendors. It just didn't seem appropriate in that context.
Mr. Putnam. That would be contrary to Jeffersonian ideals,
I believe.
Mr. Shamos. So the answer is now many studies are being
undertaken by many organizations, and one must keep up with the
output of these things to try to determine which are
authoritative and which are not.
Ms. Kaptur. I thank you for your forbearance, Mr. Chairman,
Mr. Ranking Member. And we thank the witnesses very much for
helping educate our whole country and many election officials
who will watch this and are trying to make the best decisions
they can at the local level under these circumstances.
Mr. Putnam. Thank you, Ms. Kaptur, Mr. Clay. Thank you very
much for your input and helping us to get some good expert
testimony. I want to thank all of our witnesses.
In the event that there may be additional questions we did
not have time for today, the record will be open for 2 weeks
for submitted questions and answers. Thank you all very much.
This subcommittee stands adjourned.
Whereupon, at 12:34 p.m., the subcommittee was adjourned.]
�