[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]




  THE SCIENCE OF VOTING MACHINE TECHNOLOGY: ACCURACY, RELIABILITY AND 
                                SECURITY

=======================================================================

                                HEARING

                               before the

                SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
                POLICY, INTERGOVERNMENTAL RELATIONS AND
                               THE CENSUS

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 20, 2004

                               __________

                           Serial No. 108-258

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
98-208                      WASHINGTON : 2005
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001

                     COMMITTEE ON GOVERNMENT REFORM

                     TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana                  HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California                 DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois
JO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts
TODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                   DIANE E. WATSON, California
ADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland
JOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California
NATHAN DEAL, Georgia                 C.A. ``DUTCH'' RUPPERSBERGER, 
CANDICE S. MILLER, Michigan              Maryland
TIM MURPHY, Pennsylvania             ELEANOR HOLMES NORTON, District of 
MICHAEL R. TURNER, Ohio                  Columbia
JOHN R. CARTER, Texas                JIM COOPER, Tennessee
MARSHA BLACKBURN, Tennessee          BETTY McCOLLUM, Minnesota
PATRICK J. TIBERI, Ohio                          ------
KATHERINE HARRIS, Florida            BERNARD SANDERS, Vermont 
                                         (Independent)

                    Melissa Wojciak, Staff Director
       David Marin, Deputy Staff Director/Communications Director
                      Rob Borden, Parliamentarian
                       Teresa Austin, Chief Clerk
          Phil Barnett, Minority Chief of Staff/Chief Counsel

   Subcommittee on Technology, Information Policy, Intergovernmental 
                        Relations and the Census

                   ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan          WM. LACY CLAY, Missouri
DOUG OSE, California                 STEPHEN F. LYNCH, Massachusetts
TIM MURPHY, Pennsylvania             ------ ------
MICHAEL R. TURNER, Ohio

                               Ex Officio

TOM DAVIS, Virginia                  HENRY A. WAXMAN, California
                        Bob Dix, Staff Director
            Ursula Wojciechowski, Professional Staff Member
                         Juliana French, Clerk
           David McMillen, Minority Professional Staff Member


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on July 20, 2004....................................     1
Statement of:
    Adler, Jim, founder and CEO, VoteHere, Inc...................   101
    Hite, Randolph C., Director, Information Technology 
      Architecture and Systems, U.S. Government Accountability 
      Office; Hratch G. Semerjian, Acting Director, National 
      Institute of Standards and Technology, Technology 
      Administration, U.S. Department of Commerce; and Terry 
      Jarrett, general counsel for Hon. Matt Blunt, Missouri 
      Secretary of State.........................................    17
    Morganstein, Sanford J., president and founder, Populex Corp.   113
    Rubin, Aviel, technical director, Information Security 
      Institute, Department of Computer Science, Johns Hopkins 
      University.................................................    91
    Shamos, Michael, professor, Carnegie Mellon, director, 
      Universal Library; co-director, Institute for E-Commerce...    96
Letters, statements, etc., submitted for the record by:
    Adler, Jim, founder and CEO, VoteHere, Inc., prepared 
      statement of...............................................   104
    Clay, Hon. Wm. Lacy, a Representative in Congress from the 
      State of Missouri, prepared statement of...................     9
    Hite, Randolph C., Director, Information Technology 
      Architecture and Systems, U.S. Government Accountability 
      Office, prepared statement of..............................    20
    Holt, Hon. Rush D., a Representative in Congress from the 
      State of New Jersey, prepared statement of.................    15
    Jarrett, Terry, general counsel for Hon. Matt Blunt, Missouri 
      Secretary of State, prepared statement of..................    75
    Morganstein, Sanford J., president and founder, Populex 
      Corp., prepared statement of...............................   115
    Putnam, Hon. Adam H., a Representative in Congress from the 
      State of Florida, prepared statement of....................     4
    Rubin, Aviel, technical director, Information Security 
      Institute, Department of Computer Science, Johns Hopkins 
      University, prepared statement of..........................    94
    Semerjian, Hratch G., Acting Director, National Institute of 
      Standards and Technology, Technology Administration, U.S. 
      Department of Commerce, prepared statement of..............    67
    Shamos, Michael, professor, Carnegie Mellon, director, 
      Universal Library; co-director, Institute for E-Commerce, 
      prepared statement of......................................    99

 
  THE SCIENCE OF VOTING MACHINE TECHNOLOGY: ACCURACY, RELIABILITY AND 
                                SECURITY

                              ----------                              


                         TUESDAY, JULY 20, 2004

                  House of Representatives,
   Subcommittee on Technology, Information Policy, 
        Intergovernmental Relations and the Census,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:07 a.m., in 
room 2247, Rayburn House Office Building, Hon. Adam Putnam 
(chairman of the subcommittee) presiding.
    Present: Representatives Putnam and Clay.
    Also present: Representatives Holt and Kaptur.
    Staff present: John Hambel, senior counsel; Dan Daly, 
professional staff member/deputy counsel; Ursula Wojciechowski, 
professional staff member; Juliana French, clerk; Felipe Colon, 
fellow; Casey Welch and Jamie Harper, legislative assistants; 
Sean Hardgrove, intern; David McMillen, minority professional 
staff member; and Earley Green, minority chief clerk.
    Mr. Putnam. The quorum being present, this Subcommittee on 
Technology, Information Policy, Intergovernmental Relations and 
the Census will come to order.
    Good morning, everyone, and welcome to the subcommittee's 
hearing, ``The Science of Voting Machine Technology: Accuracy, 
Reliability and Security.''
    An estimated 50 million voters representing nearly 30 
percent of all voters are expected to cast their votes using 
some type of electronic voting technology this November. We 
have scheduled this oversight hearing to examine where we are 
today with the evolution of electronic voting technology, 
including the subject of access, utilization and the associated 
issues of reliability, ease of use, efficiency, accuracy and 
security.
    The overriding goal of voting systems is to produce 
election results that accurately represent the will of the 
people. The historically close Presidential election of 2000 in 
Congress highlighted deficiencies of the voting process, 
especially in my State, that became the subject of many policy 
discussions at all levels of government. Since then many 
localities have sought to evaluate and improve their voting 
systems through the use of electronic voting technology, 
believing that such technology will improve the accuracy of 
vote recording and tabulation, decrease costs, and increase 
voter turnout.
    The issues we will be examining today in the processes of 
balloting and tabulating the results of elections have been the 
subjects of discussions throughout our history. Deficiencies of 
one type or another have existed in virtually every process 
that has ever been utilized, yet today's existing and emerging 
technology offers greater opportunities for participation in 
the process of selecting our elected representatives, as well 
as the determination of other ballot questions.
    The Federal Government had not historically set mandatory 
standards for voting systems, nor had it provided funding to 
State and local jurisdictions for the administration of 
elections. However, after November 2000, Congress considered 
and debated Federal election reform legislation, and the Help 
America Vote Act of 2002, or HAVA, was enacted. The act created 
a new Federal Government agency with election administration 
responsibilities, set requirements for voting and voter 
registration systems and provided Federal funding.
    Beginning in January 2006, in accordance with HAVA, voting 
systems used in Federal elections must provide for error 
correction by voters, manual auditing, accessibility, 
alternative languages and Federal error rate standards. Systems 
must also maintain voter privacy and ballot confidentiality, 
and States must adopt uniform standards for what constitutes a 
vote on each system.
    HAVA does not require any specific voting system, but it 
sets requirements that influence what systems election 
officials choose. HAVA's requirement for at least one 
handicapped-accessible voting system per polling place and 
other factors are expected to drive States toward adoption of 
touch-screen or direct recording electronic systems [DREs].
    HAVA established a program to provide access to 
approximately $4 billion in Federal grants to States to 
modernize the voting systems currently in use. Accordingly, 
acquisitions of new voting systems technology are under way in 
a number of States and localities.
    Currently five different voting systems are being used: 
hand-counted paper ballots, mechanical lever machines, computer 
punch cards, optical scan or marks forms, and DREs. Most States 
use more than one type of system. Each has advantages and 
disadvantages with respect to error rates, cost, speed, 
recounts, accessibility to the disabled and other 
characteristics. Differences in actual performances in 
elections are difficult to measure accurately and depend on a 
number of factors, such as the system design and condition, 
voter system familiarity, ballot complexity and design, local 
standards and practices, and the competence level of polling 
and training of polling place workers.
    Since 2000, many electronic voting systems have been 
proposed. Today DREs, which present voters with choices on the 
video display and record votes electronically, are gaining 
favor. They offer improved user interfaces, facilitate voter 
confirmation, provide instant running tabulations, and 
potentially satisfy HAVA's requirement for at least one 
handicapped device per polling place.
    There is concern how secure systems are from tampering by 
voters, elections officials or even manufacturers. There is 
also concern by some about the potential for software defects 
or other technical failures that could interrupt the capability 
of the given system. There are disagreements among experts 
about both the seriousness of these concerns and what solutions 
to address them. While it is generally accepted that tampering 
is possible with any computer system given the time and 
resources, some experts believe that current security practices 
are sufficient. Others, naturally, disagree and believe that 
procedural and other safeguards can make DREs sufficiently safe 
from tampering, that the use of creating printed paper ballots 
would create too many problems. A number of these issues will 
be explored today.
    As presently designed, many electronic voting systems do 
not produce a record that can be independently audited. For 
this reason and others, the prospect of electronic voting 
systems has been met with some skepticism in parts of the 
information technology community. Moreover, experience with 
large-scale technology deployment indicates that it takes time 
before the bugs in the system, including technology procedures 
and people associated with using and operating the technology, 
are shaken out or identified. So even communities that have 
deployed and used these systems will face the challenge of 
evaluating their performance.
    Given the importance of the issue, in May I signed on to a 
bipartisan GAO request letter asking for a study examining the 
security of electronic voting systems, including DREs, optical 
scans and punch cards readers. We asked GAO to examine State, 
Federal and governmental use; identify significant issues and 
challenges; and report on best practices that can be 
implemented to improve the security and reliability of the 
electronic voting process.
    Today's hearing will seek to further examine the technology 
of electronic voting systems: what are the lessons learned thus 
far; what are the most appropriate next steps, both short- and 
long-term, to ensure the integrity, reliability and 
accessibility of the security voting process that is such a 
vital ingredient to American democracy.
    This is an election year, and as such it is often the case 
that both sides of the aisle attempt to score political points. 
That is not the purpose of this hearing. We are here to examine 
the technology that is available and learn from panels of 
experts what is and is not feasible in the current climate. Our 
goal is to further the discussion and debate on the 
technological advances that improve the manner in which our 
society conducts elections. My colleagues share my desire to 
conduct an informative oversight hearing, and I welcome their 
input and request for this hearing topic.
    [The prepared statement of Hon. Adam H. Putnam follows:]

    [GRAPHIC] [TIFF OMITTED] T8208.001
    
    [GRAPHIC] [TIFF OMITTED] T8208.002
    
    [GRAPHIC] [TIFF OMITTED] T8208.003
    
    Mr. Putnam. Following Mr. Clay's opening statement, I would 
like to move directly to the witnesses' testimony, and request 
that other Members submit their opening statements for the 
record. Members, of course, will be invited to participate in 
the witness question-and-answer process.
    I now yield to the distinguished ranking member of the 
subcommittee Mr. Clay for his opening remarks.
    You are recognized, Mr. Clay.
    Mr. Clay. Mr. Chairman, first let me thank you for holding 
this hearing.
    Florida and Missouri are both States with troubled voting 
histories. In the 2000 election, I had to go to court to keep 
the polls open so that everyone who wanted to vote could vote. 
The city had dropped thousands of voters from the rolls without 
ever telling the voter.
    The issue before us is quite simple. I want to vote, and I 
want know that my vote is counted as I intended. With the paper 
ballot, my vote is before me, and I place it in the ballot box. 
The same holds true with punch cards and optical scans 
machines, although both of those are subject to mechanical 
error. Everyone in the country now knows what a hanging chad 
is. With lever machines and computerized voting, you have to 
take it on faith that your vote is counted as you intended.
    The difference is one of scale. If a lever machine fails or 
is tampered with, it affects only that machine. If it's 
software, or computerized voting fails or is tampered with, it 
affects every machine running that program, and, therefore, the 
system fails the voter.
    Last week the New York Times reported that in the March 
Florida primary, votes were not recorded for about 1 out of 
every 100 persons using the new machine. Some people, in 
defense of the new machines, point out that is about the same 
error rate as Florida experienced in the 2000 election. I don't 
think any of us want to use Florida 2000 as the standard, no 
offense against your State.
    Advocates for computerized voting tell us to trust the 
system. My experience says trust but verify. That is why I 
believe, as do 130 of my colleagues who have cosponsored 
Congressman Holt's bill, who happens to be with us today, that 
the computerized machines that are out there today are 
inadequate. They offer no way to verify my vote. The 
certification process is inadequate. As we have seen in 
California, some manufacturers bypass certification.
    After the vote is cast, the issue is counting the vote. 
Again, I say trust, but verify. With paper ballots, a recount 
is a straightforward matter. Recounting punch cards and optical 
scan ballots is also straightforward. There is no recount for 
computerized voting. That is not verification. That is trusting 
that the software performed as promised.
    I believe we all have had enough experience with software 
to know that trusting it to work correctly 100 percent of the 
time is a foolish concept. Some suggest that the internal audit 
trail and the computerized machines would be sufficient for a 
recount. I don't know if that is true, but I do know that the 
audit trail is subject to the same weaknesses as all software. 
It is invisible to the voter, and its reliability must be taken 
on faith.
    California ran a parallel monitoring system during its 
March primary, where live machines were set aside for testing. 
In that case the machine worked as intended, but parallel 
testing doesn't work to check the machines. What do you do if 
you find at the end of the day that the machine failed to test? 
Do you throw out the whole precinct? Do you throw out all votes 
cast on that kind of machine?
    I am a man of faith, and I have great trust in my fellow 
man, but when it comes to voting, faith and trust are not the 
building blocks for a secure system. If we are to earn the 
voters' trust, we must provide them with voting opportunities 
that are simple and direct. We must provide them with machines 
that allow the voter to see his or her vote.
    Computerized voting machines are wonderful inventions for 
those that run elections. They make the job of counting and 
transmitting the vote about as simple as can be. As a bonus, 
they make recounts a thing of the past. But we don't run 
elections for the convenience of election boards or election 
officials, we run elections to provide the public with the 
opportunity to participate in their government. We must provide 
the public with the most transparent voting system possible. 
Computerized voting does not accomplish that.
    Two months ago the Secretary of State of California issued 
stringent security measures that counties had to meet before 
electronic voting machines could be used. Last week the 
Secretary of State of Ohio, one of the outspoken advocates of 
electronic voting, halted the deployment of those machines in 
Ohio. Several of the flaws identified last December still had 
not been corrected.
    Last week in Maryland, participants in the Computer Ate My 
Vote rally said that electronic voting machines are poorly 
programmed and prone to hackers. At that rally, Barbara Simons, 
a former president of the Association for Computing Machinery, 
told those gathered, ``If I had a single message, that message 
would be, wait, there is better technology on the way.''
    I look forward to working with the Election Assistance 
Commission and my fellow Members of Congress to reassure the 
American voter that their votes are safe and will be counted. 
In this debate that should be everyone's goal and objective. I 
thank you, Mr. Chairman for this hearing today.
    Mr. Putnam. I thank you, Mr. Clay.
    [The prepared statement of Hon. Wm. Lacy Clay follows:]

    [GRAPHIC] [TIFF OMITTED] T8208.004
    
    [GRAPHIC] [TIFF OMITTED] T8208.005
    
    [GRAPHIC] [TIFF OMITTED] T8208.006
    
    [GRAPHIC] [TIFF OMITTED] T8208.007
    
    [GRAPHIC] [TIFF OMITTED] T8208.008
    
    Mr. Putnam. Mr. Clay requested this hearing, and I am 
delighted to work with him to put it together, and we 
appreciate your interest. It's very important.
    We have been joined by Mr. Holt, a gentleman from New 
Jersey. Without objection, I would like to insert your opening 
statement into the record and also ask unanimous consent that 
you sit on the panel and join us, despite not being a member of 
the committee.
    Mr. Holt. Thank you.
    [The prepared statement of Hon. Rush D. Holt follows:]

    [GRAPHIC] [TIFF OMITTED] T8208.009
    
    [GRAPHIC] [TIFF OMITTED] T8208.010
    
    Mr. Putnam. Without objection, we would welcome you to the 
subcommittee and certainly encourage you to participate in the 
dialog, and we move directly to the witness testimony.
    Before doing so I would ask that the witnesses please rise, 
and anyone who would be accompanying who will be helping you in 
answering the questions, and raise your right hands.
    [Witnesses sworn.]
    Mr. Putnam. I would note for the record that all the 
witnesses responded in the affirmative.
    We will move to our first witness, Mr. Randolph Hite. Mr. 
Hite is the Director of Information Technology Architecture and 
Systems Issues at the U.S. Government Accountability Office, 
formally the GAO, still the GAO, but new G and A. During his 
25-year career with GAO, he has directed reviews of major 
Federal investments and information technology, such as IRS's 
tax systems modernization and DOD's business systems 
modernization. Mr. Hite is the principal author of several 
information technology management guides, including GAO's 
system guides on systems testing. He frequently testifies 
before Congress on such topics and is an ex officio member of 
the Federal CIO Council. He received a number of awards 
throughout his career and was a 2003 Federal 100 Award winner.
    Welcome to the subcommittee. You are recognized for 5 
minutes.

     STATEMENTS OF RANDOLPH C. HITE, DIRECTOR, INFORMATION 
     TECHNOLOGY ARCHITECTURE AND SYSTEMS, U.S. GOVERNMENT 
 ACCOUNTABILITY OFFICE; HRATCH G. SEMERJIAN, ACTING DIRECTOR, 
  NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, TECHNOLOGY 
ADMINISTRATION, U.S. DEPARTMENT OF COMMERCE; AND TERRY JARRETT, 
  GENERAL COUNSEL FOR HON. MATT BLUNT, MISSOURI SECRETARY OF 
                             STATE

    Mr. Hite. Thank you, Mr. Chairman. It seems like only 
yesterday that hanging chads and butterfly ballots were the 
focus of attention. Now almost 4 years later, the focus is on 
verifiable audit trails and code tampering as they relate to 
the modern ATM-like voting devices, which in many jurisdictions 
have replaced the more venerable voting machine that gave rise 
to the 2000 election debate.
    In the wake of this debate in 2000, we issued a series of 
reports in 2001 on election administration and voting 
technology. We made a number of recommendations for reform. In 
my view, the gist of what we said then still applies today, 
which I will summarize by making four points.
    Point one, although voting systems play a major role in 
elections, they are but one facet of a complex, highly 
decentralized, multidimensional elections process in which each 
dimension demands on the interplay of people, processes and 
technology. As such, when I think of the, ``voting system,'' I 
think of the inseparable triad of the equipment itself, the 
individuals who interact with the equipment and the rules that 
govern this interaction.
    Point two, although security has taken center stage in the 
debates surrounding some electronic voting systems, other 
interrelated performance characteristics, such as accuracy, 
ease of use and cost, are also important. For example, the 
commonly called DREs have been criticized because they lack a 
paper record. At the same time these DREs offer ease of use 
advantages because they are more accommodating to voters with 
disabilities, and they protect against certain voter errors, 
such as overvoting, which can affect how accurately voter 
intent is captured. On the other hand, optical scan voting 
systems have a lower capital cost than DREs, and they offer a 
paper record. However, they are relatively more challenging for 
voters with certain disabilities to use.
    Point three, voting system performance can be traced to two 
key variables. The first is the quality of the standards that 
the system is designed to meet, which includes, in my view, the 
quality of the development and testing that was performed to 
ensure that the system, in fact, meets the standards.
    Second is how well the system, as it has been designed, 
developed and tested, is used in an operational setting, which 
includes the effectiveness of the procedures that are followed 
concerning system maintenance, setup, use and operation, 
combined with the know-how of the people who are interacting 
with the system. If either of these variables is lacking, 
system performance can suffer.
    Point four, local jurisdictions face challenges in 
effectively leveraging modern voting technology this year and 
for years to come. For this year, jurisdictions need to 
maximize the performance and minimize the risk associated with 
the systems that they have, whether electronic or not 
electronic, which is a particularly important point given that 
three-quarters of the voters in 2004 are expected to vote the 
same way that they did in 2000.
    To accomplish this, it is important for jurisdictions to 
make sure that they perform the requisite testing and 
maintenance activities, and, in doing so, they treat the 
people, the processes and the technology as a triad; in effect, 
as the voting system.
    Other challenges are more long-term, and they relate to the 
need for jurisdictions to make informed decisions about whether 
to change their voting equipment, and our work in 2001 showed 
that voting jurisdictions were not consistently addressing all 
of these challenges.
    In closing, let me emphasize electronic voting technology 
is a critical link in the election chain, and while this link 
by itself cannot make an election, it can break one if not 
designed, tested, maintained, implemented and maintained 
properly. The concerns being surfaced with this technology 
highlight the potential for election problems if jurisdictions 
do not effectively address the challenges that I just 
mentioned.
    I believe HAVA recognizes these challenges as does the 
Election Assistance Commission, so I say let's give them a 
chance to do what they were established to do. In this regard, 
although the Commission only recently began operations, and is 
not yet at full strength, I believe that it has hit the ground 
running to inform and educate jurisdictions and voters about 
electronic voting systems and promote the interplay of people, 
process and technology in the November 2004 election.
    Beyond this, the Commission, with the assistance of NIST 
and others, will need to examine opportunities for 
strengthening these voting standards and the testing that's 
associated with enforcing the standards. Critical to 
accomplishing their roles under HAVA will be ensuring that they 
have the resources they need to do their jobs, and that they 
proceed in an open and transparent manner.
    Mr. Chairman, that concludes my statement. I will be happy 
to answer any questions.
    Mr. Putnam. Thank you very much, Mr. Hite.
    [The prepared statement of Mr. Hite follows:]

    [GRAPHIC] [TIFF OMITTED] T8208.011
    
    [GRAPHIC] [TIFF OMITTED] T8208.012
    
    [GRAPHIC] [TIFF OMITTED] T8208.013
    
    [GRAPHIC] [TIFF OMITTED] T8208.014
    
    [GRAPHIC] [TIFF OMITTED] T8208.015
    
    [GRAPHIC] [TIFF OMITTED] T8208.016
    
    [GRAPHIC] [TIFF OMITTED] T8208.017
    
    [GRAPHIC] [TIFF OMITTED] T8208.018
    
    [GRAPHIC] [TIFF OMITTED] T8208.019
    
    [GRAPHIC] [TIFF OMITTED] T8208.020
    
    [GRAPHIC] [TIFF OMITTED] T8208.021
    
    [GRAPHIC] [TIFF OMITTED] T8208.022
    
    [GRAPHIC] [TIFF OMITTED] T8208.023
    
    [GRAPHIC] [TIFF OMITTED] T8208.024
    
    [GRAPHIC] [TIFF OMITTED] T8208.025
    
    [GRAPHIC] [TIFF OMITTED] T8208.026
    
    [GRAPHIC] [TIFF OMITTED] T8208.027
    
    [GRAPHIC] [TIFF OMITTED] T8208.028
    
    [GRAPHIC] [TIFF OMITTED] T8208.029
    
    [GRAPHIC] [TIFF OMITTED] T8208.030
    
    [GRAPHIC] [TIFF OMITTED] T8208.031
    
    [GRAPHIC] [TIFF OMITTED] T8208.032
    
    [GRAPHIC] [TIFF OMITTED] T8208.033
    
    [GRAPHIC] [TIFF OMITTED] T8208.034
    
    [GRAPHIC] [TIFF OMITTED] T8208.035
    
    [GRAPHIC] [TIFF OMITTED] T8208.036
    
    [GRAPHIC] [TIFF OMITTED] T8208.037
    
    [GRAPHIC] [TIFF OMITTED] T8208.038
    
    [GRAPHIC] [TIFF OMITTED] T8208.039
    
    [GRAPHIC] [TIFF OMITTED] T8208.040
    
    [GRAPHIC] [TIFF OMITTED] T8208.041
    
    [GRAPHIC] [TIFF OMITTED] T8208.042
    
    [GRAPHIC] [TIFF OMITTED] T8208.043
    
    [GRAPHIC] [TIFF OMITTED] T8208.044
    
    [GRAPHIC] [TIFF OMITTED] T8208.045
    
    [GRAPHIC] [TIFF OMITTED] T8208.046
    
    [GRAPHIC] [TIFF OMITTED] T8208.047
    
    [GRAPHIC] [TIFF OMITTED] T8208.048
    
    [GRAPHIC] [TIFF OMITTED] T8208.049
    
    [GRAPHIC] [TIFF OMITTED] T8208.050
    
    [GRAPHIC] [TIFF OMITTED] T8208.051
    
    [GRAPHIC] [TIFF OMITTED] T8208.052
    
    [GRAPHIC] [TIFF OMITTED] T8208.053
    
    [GRAPHIC] [TIFF OMITTED] T8208.054
    
    [GRAPHIC] [TIFF OMITTED] T8208.055
    
    Mr. Putnam. Our next witness is Dr. Hratch Semerjian, 
serving as Acting Director of NIST. He has served as Deputy 
Director of NIST since July 2003. In this position Dr. 
Semerjian is responsible for the overall operation of the 
Institute, including financial management, human resource 
management, facilities and information technology systems, 
effectiveness of NIST's technology programs, and interactions 
with international organizations.
    He received his master's and Ph.D. Degrees in engineering 
from Brown. In 1977, he joined the National Bureau of 
Standards, now known as NIST, where he served director of the 
chemical science and laboratory from April 1992 through July 
2002.
    Welcome to the subcommittee, sir. You are recognized.
    Dr. Semerjian. Thank you, Mr. Chairman and Ranking Member 
Clay and Mr. Holt. I appreciate this opportunity to testify 
today.
    As you pointed out, major changes are taking place in the 
way we conduct elections. The trusty old ballot box is being 
replaced by a host of new technology such as optical scanners 
or touch-screen systems. As a result of these changes, Congress 
enacted the Help America Vote Act and mandated specific roles 
for the National Institute of Standards and Technology [NIST].
    Many of the issues we are examining today are all directly 
related to standards and guidelines. Congress understood the 
importance of standards in voting technologies and specifically 
gave the Director of NIST the responsibility of chairing the 
Technical Guidelines Development Committee [TGDC], a committee 
reporting to the Election Assistance Commission [EAC] under 
HAVA.
    The TGDC is charged with making recommendations to the EAC 
with regard to voluntary standards and guidelines for election-
related technologies that have an impact on many of the issues 
we are discussing today.
    While we have considerable experience in standards 
development, NIST understands that, as a nonregulatory agency, 
our role is limited, and we need to understand the needs of the 
community. To that end, NIST staff have started to meet with 
members of the election community.
    Also, at the request of Congress and the National 
Association of State Election Directors, NIST organized and 
hosted a symposium last December on Building Trust and 
Confidence in Voting Systems. Over 300 attendees from the 
election community attended the seminar to begin discussion, 
collaboration and consensus on voting reform issues.
    As required under HAVA, earlier this year NIST delivered to 
the EAC a report entitled ``Improving the Usability and 
Accessibility of Voting Systems and Products.'' The EAC 
delivered the report to Congress on April 30th. The specific 
recommendations of the report are included in my written 
testimony.
    NIST views as a top priority accomplishing its 
responsibilities mandated under HAVA in partnership with the 
EAC. These mandates include the recommendation of voluntary 
voting system standards to the EAC through its Technical 
Guidelines Development Committee. The first set of voluntary 
standards is due 9 months after the appointment of the 14 
members by the EAC.
    TGDC held its first meeting on July 9th, just a couple of 
weeks ago. Fourteen of the fifteen appointed members of the 
Technical Guidelines Development Committee participated in the 
first plenary meeting. At that meeting the TGDC agreed on a 
procedural roadmap for standards development as well as a 
preliminary work plan. In addition, the TGDC adopted a 
resolution that established three working subcommittees to 
address issues related to one, security and transparency; two, 
human factors and privacy; and three, core requirements and 
testing.
    Another important role for NIST under HAVA is to develop a 
formal accreditation program for laboratories that test voting 
system hardware and software for conformance to current voting 
system standards.
    On June 23rd, NIST announced in the Federal Register the 
establishment of a laboratory accreditation program for voting 
systems. NVLAP, the National Voluntary Laboratory Accreditation 
Program at NIST, will conduct a public workshop on August 17th 
to review its accreditation criteria as well as receive 
comments and feedback from the participating laboratories and 
other interested parties. Only after a laboratory has met all 
of the NVLAP criteria for accreditation will it be presented to 
the Election Assistance Commission for its approval to test 
voting systems. The EAC may impose requirements on the 
laboratories in addition to the NVLAP accreditation.
    Finally, NIST has compiled best security practices relevant 
to election security from current Federal Information 
Processing Standards [FIPS]. These standards are available now 
on the NIST Website as well as the EAC Website. This 
compilation is intended to help State and local election 
officials with their efforts to better secure voting equipment 
before the November 2004 elections.
    NIST realizes how important it is for voters to have trust 
and confidence in voting systems, even as new technologies are 
introduced. Increasingly, computer technology touches all 
aspects of the voting process, voter registration, vote 
recording and vote tallying. NIST believes that rigorous 
standards, guidelines and testing procedures will enable U.S. 
industry to produce products that are high-quality, reliable, 
interoperable and secure, thus enabling the trust and 
confidence that citizens require and at the same time 
preserving room for innovation and change.
    Thank you for the opportunity to testify on behalf of NIST, 
and I will be happy to answer any questions.
    Mr. Putnam. Thank you, sir.
    [The prepared statement of Dr. Semerjian follows:]

    [GRAPHIC] [TIFF OMITTED] T8208.056
    
    [GRAPHIC] [TIFF OMITTED] T8208.057
    
    [GRAPHIC] [TIFF OMITTED] T8208.058
    
    [GRAPHIC] [TIFF OMITTED] T8208.059
    
    [GRAPHIC] [TIFF OMITTED] T8208.060
    
    [GRAPHIC] [TIFF OMITTED] T8208.061
    
    Mr. Putnam. Our next witness will be introduced by his 
fellow Missourian, Missourian or Missourian.
    Mr. Clay. Missourian.
    Mr. Putnam. Missourian.
    You are recognized, sir. You have the floor, sir.
    Mr. Clay. Thank you, Mr. Chairman.
    Mr. Terry Jarrett is the general counsel to Secretary of 
State Matt Blunt. He received his J.D. in 1996 from the 
University of Missouri Columbia School of Law. While in law 
school, Mr. Jarrett was editor-in-chief of the Missouri Law 
Review. From 1996 to 1997, he served as a judicial law clerk to 
the Honorable Duane Benton, judge of the Supreme Court of 
Missouri.
    Prior to joining the Secretary of State, Mr. Jarrett 
practiced law as a private attorney in Jefferson City. He is a 
member of the Missouri Bar, the Cole County Bar Association and 
the American Bar Association. Mr. Jarrett also serves as a 
first lieutenant in the Judge Advocate General's Court of the 
U.S. Army Reserve. He represents the Missouri Secretary of 
State Matt Blunt.
    Welcome to the committee. Thank you for being here.
    Mr. Jarrett. Thank you, Mr. Chairman, Ranking Member Clay 
and Mr. Holt.
    It is an honor to have the opportunity to testify at 
today's hearing. I am here on behalf of Missouri Secretary of 
State Matt Blunt, whose schedule would not allow him to be here 
today, and he asked me to express his regrets. Secretary Blunt 
specifically asked that I thank the distinguished member of 
this subcommittee, Congressman William Lacy Clay from our home 
State of Missouri, who has been a leader in reform efforts in 
the city of St. Louis. He has been particularly interested in 
the city's compliance with the consent decree between St. Louis 
City and the Department of Justice related to the handling of 
the city's inactive voter list. Secretary Blunt shares his 
concern and appreciates his efforts to improve elections in St. 
Louis.
    Secretary Blunt has asked me to address the security of 
direct recording electronic voting machines, specifically 
whether to require DREs to produce a voter-verified paper 
ballot. Secretary Blunt has worked over the past 3 years to 
ensure that our elections are above reproach and that our 
citizens have confidence in the process. That is why he decided 
earlier this year that he would only certify DRE voting 
machines that produce a voter-verified paper ballot. This will 
provide voters with the peace of mind they deserve by enabling 
them to review their ballots prior to casting them and to 
ensure that paper ballots are available for review should a 
recount be necessary or an election result challenged.
    One of Secretary Blunt's first acts as Secretary of State 
was to appoint and convene a bipartisan commission of election 
experts to recommend improvements in our election laws and 
procedures. The commission met several times and conducted a 
series of public hearings where over 125 Missourians voiced 
their opinions in oral and written testimony. In addition many 
Missourians have submitted their thoughts by e-mail, fax and 
regular mail.
    Out of this very open process came many recommendations for 
improvements that have since been implemented in Missouri. One 
of the commission's recommendations was to allow for the use of 
touch-screen voting systems, so long as safeguards are in place 
to ensure the integrity of votes cast and create a paper audit 
trail in case of a contested election.
    Secretary Blunt heard from many Missourians who expressed 
their preference that touch-screen voting machines produce a 
paper ballot so that they can verify their votes before they 
are cast. At this point in time, Secretary Blunt is convinced 
that a voter-verified paper ballot is the only paper audit 
trail that can provide voters with a reasonable assurance that 
their vote will not be lost, destroyed or otherwise not 
counted.
    Computers have opened up a whole new array of technical 
possibilities for voting. Manufacturers are moving quickly to 
embrace innovation. Technology can and should be used by 
government to improve efficiency, as well as provide cost 
savings for taxpayers. This new technology promises to open up 
voting to people who have not been able to participate fully in 
the voting process, namely the disabled voter. Yet in our 
urgency to improve and upgrade voting systems, we must not 
certify equipment that has the potential to cast doubt on the 
integrity of an election. Effective security standards and 
procedures must be considered and implemented.
    Secretary Blunt has also heard from a number of local 
election officials, and I want to say a word about them. They 
eagerly await the opportunity to provide voters with the 
benefits that technology can provide. Local election officials 
are on the front lines of voting, and I urge this subcommittee 
to seek their input as it addresses the important issues raised 
by today's hearing.
    There is a growing consensus of computer science experts, 
election officials, voter advocacy groups and political leaders 
that touch-screen voting systems should produce a verified 
voter ballot so that voters can inspect their ballots before 
they are cast. Almost daily, reports in the newspaper and other 
media outlets support this view. A voter-verified paper ballot 
providing local election officials with access to actual 
ballots for recounts if necessary is just as important.
    Perhaps at some point in the future, technological advances 
will be such that electronic voting system security can be 
assured without voter-verified paper ballots. However, that 
does not appear to be the case today. Until we can be positive 
that electronic voting systems are secure, a voter-verified 
paper ballot is the best way to make voters feel confident in 
legitimacy of elections.
    I appreciate that this subcommittee recognizes the 
importance of this issue by having this public hearing. Thank 
you again for the opportunity to share Secretary Blunt's views 
with this subcommittee, and I would be happy to answer any 
questions. Thank you.
    Mr. Putnam. Thank you very much.
    [The prepared statement of Mr. Jarrett follows:]

    [GRAPHIC] [TIFF OMITTED] T8208.062
    
    [GRAPHIC] [TIFF OMITTED] T8208.063
    
    [GRAPHIC] [TIFF OMITTED] T8208.064
    
    [GRAPHIC] [TIFF OMITTED] T8208.065
    
    Mr. Putnam. We are going to do a 5-minute round of 
questions, get through everyone, and then do another round if 
we so desire. Considering the number of committee members who 
are here, I think we will certainly have time to do that.
    Technology changes rapidly. Obviously local governments 
don't have the luxury of changing election systems with every 
cycle, but a number of these new systems are new. I mean, they 
are new concepts, they are new approaches.
    Mr. Hite, if you would, evaluate these newer models, 
optical scan and the DREs, for us and rank them in terms of 
accuracy, security and access for those who traditionally have 
not had good access to the ballot.
    Mr. Hite. I would be happy to, but I would like to preface 
it with addressing the question on two levels. You can talk 
about the types of equipment in general, but it really also 
requires getting down to specific make and model, because while 
DREs, for example, commonly offer certain features with respect 
to accuracy or with respect to security, how they are actually 
implemented in the system, and then how they are actually 
implemented within the jurisdiction, will determine how well 
they perform.
    So, with that preface, I will make a couple of comments 
based on our 2001 work, where we surveyed vendors and we 
surveyed jurisdictions with respect to these characteristics of 
performance. As a general rule, when it came to ease of use and 
efficiency, how quickly they can capture and count, and the 
costs associated with doing that, DREs generally had a higher 
rating than the other types of voting equipment. With regard to 
security based on features, notwithstanding how they have been 
implemented, that with regard to security, DREs and optical 
scan were roughly the same. And then with regard to accuracy 
across all types of equipment, whether it is jurisdictions or 
vendors, they basically viewed the accuracy of the systems to 
be somewhat the same.
    Now, I would add another qualification with that with 
regard to the jurisdictions, and that is when we followed up 
with certain jurisdictions to see what data are actually 
collected and are behind these impressions, we learned that is 
exactly what they are, they are impressions or viewpoints on 
performance.
    The data are pretty sparse in terms of what are collected 
relative to the performance of any of the types of systems, 
which is one of the long-term challenges that we have laid out 
that needs to be addressed. If we are going to make strategic, 
long-term, informed decisions about what kind of technology to 
use, you have to base it on some good data, and in terms of a 
performance standpoint out there across the jurisdictions, that 
data basically are not being captured.
    Mr. Putnam. Dr. Semerjian, do you want to field that as 
well?
    Dr. Semerjian. Well, I basically agree with the comments 
made by Mr. Hite. I think the DREs can improve their 
performance with the appropriate standards and testing 
protocols. I think that is really where we still have a 
perception that these systems are not tested properly. We don't 
have national standards; implementation is varied from State to 
State, from precinct to precinct. I think with the proper 
establishment of proper standards and testing procedures, I 
think DREs can improve our ability to provide secure, private 
voting ability and accuracy. And also, I think it was pointed 
out by Mr. Hite, it can improve in terms of enabling voters 
with disabilities. That's something that perhaps the other 
systems do not. I think that is something we need to keep in 
mind.
    Mr. Putnam. Mr. Jarrett, how many different voting systems 
are employed throughout Missouri?
    Mr. Jarrett. In Missouri we have three types. We do some 
counties that still operate under the paper ballot system. We 
have punch card systems and also optical scan systems.
    Mr. Putnam. And the decision on which type to deploy is 
made by whom?
    Mr. Jarrett. That is made by the local election officials 
in every county.
    Mr. Putnam. And how many of those are there? How many 
different counties do you have?
    Mr. Jarrett. We have 116 election authorities. The urban 
areas such as St. Louis, Kansas City, St. Louis County and 
Jackson County have boards of election commissioners that are 
appointed by the Governor, and they run elections in those 
areas. The rest are run by county clerks.
    Mr. Putnam. Has there been a high turnover since 2000?
    Mr. Jarrett. Of county clerks?
    Mr. Putnam. No, of technology.
    Mr. Jarrett. Oh, I'm sorry.
    Mr. Putnam. Changes in the method of electioneering.
    Mr. Jarrett. Well, Missouri is the ShowMe State, so we have 
been sort of taking a wait-and-see attitude.
    Mr. Putnam. Wait on Florida to show you the way, right?
    Mr. Jarrett. Yes, that's right. We have had eight counties 
that moved from the punch card to the optical scan for this 
election. Several of the counties are waiting, looking at the 
DREs very closely, and, of course, some of the counties that 
had optical scan had the central count, and they are moving 
toward the precinct counters, so not much turnover. Again, we 
are sort of adopting the wait-and-see approach.
    Mr. Putnam. My time expired. I will yield to Mr. Clay also. 
Boy, 5 minutes goes by pretty fast.
    Mr. Clay. Yes, it does. You were having fun, Mr. Chairman.
    Mr. Hite, in your testimony you communicate that certain 
voting machines pose a certain risk. Do you have a certain set 
of recommendations for local election officials to minimize 
those risks?
    Mr. Hite. The short answer is no, sir, I don't have a set 
of recommendations handy for those jurisdictions. I would 
observe, however, that this is one of the things that the 
Election Assistance Commission was set up to do, and I believe 
they are on brink of releasing best practices for the local 
jurisdictions to employ in the 2004 elections.
    Mr. Clay. You know, the Election Assistance Commission has 
a budget of $1.5 million for fiscal year 2004. Is that adequate 
for them to meet their obligations for the 2004 elections?
    Mr. Hite. I know, in talking to the Commission 
Commissioners, that they do not believe that it is adequate, 
and I believe they are in the best position to make a judgment 
as to whether or not it is adequate or not. I know under HAVA 
they were authorized up to $10 million a year, and I would only 
submit, from my viewpoint, that their role in this, as is the 
role of NIST, is extremely important and worthy of adequate 
funding to ensure that they can do what they were set up to do 
under HAVA.
    Mr. Clay. Does certification guarantee that the software is 
free of malicious code, and, if so, how is that accomplished?
    Mr. Hite. No sir, the answer to your question is no, it 
does not guarantee that. There is no system that offers a 
guarantee of that.
    Mr. Clay. Does it guarantee that the machine cannot be 
tampered with during the election?
    Mr. Hite. No sir.
    Mr. Clay. No. OK. Thank you for your responses.
    Dr. Semerjian, it is my understanding that the work at NIST 
on standards for computerized voting machines was halted this 
year because of a lack of funding; is that correct?
    Dr. Semerjian. Well, things slowed down, let's say, but, in 
fact, let me make it clear that the standards are not going to 
be set by NIST. They will be set eventually by TGDC. So TGDC 
just got started. So we have done, as I pointed out, some of 
the background work on human factors and on security issues, 
but as far as setting standards and guidelines, TGDC had to do 
that, which did not get going until 2 weeks ago.
    Mr. Clay. Let me ask you, what was your budget request for 
election work for 2004, and what will be your request for 2005?
    Dr. Semerjian. There was no request in the 2004 budget. For 
2005, the EAC has requested a budget of $10 million for NIST, 
not for 1 year, but basically for the entire work to be done, 
which will probably be done over a 3-year period. But I think 
if that $10 million is provided, we feel that is adequate 
funding for NIST to get the job done.
    Mr. Clay. OK. NIST has a responsibility under the Help 
America Vote Act with regard to the development of technical 
standards for voting systems. When do you think these standards 
will be ready? And I heard you say in your testimony you have 
had the initial meeting?
    Dr. Semerjian. Right. Basically HAVA legislation requires 
us to make the first set of recommendations within 9 months 
after the formation of TGDC. So the clock just started running.
    Mr. Clay. OK. Thank you for those answers.
    Mr. Clay. Mr. Jarrett, the Secretary of State in Missouri 
has declared that no electronic voting machines will be used in 
Missouri that do not provide a voter verification paper trail. 
Has any electronic voting equipment been certified for use in 
Missouri, and, if so, will any be used in the St. Louis area?
    Mr. Jarrett. The answer to that is no, none have been 
certified. In Missouri, State statute requires that before the 
Secretary of State can certify equipment for use in Missouri, 
that it has to be certified to the current standards by an 
independent testing authority. And as of this date, no vendor 
has submitted that ITA certification to the Secretary of State, 
so there will be none used in Missouri this year.
    Mr. Clay. During the debate at the Election Assistance 
Commission hearing in May, there was a concerned voice by the 
disability community that computerized voting machines with 
verified paper ballots would be a step backward for the 
visually impaired. In research done by your office, how have 
you addressed that problem?
    Mr. Jarrett. Well, we have looked at, of course, that's a 
very serious problem, and it is one that I know Secretary Blunt 
takes very seriously. We have looked at a written opinion from 
the Department of Justice on that issue that talks about DREs 
that produce paper ballots; as long as they produce a similar 
experience for disabled voters, that it complies with HAVA and 
the Americans with Disabilities Act. And in Missouri, Secretary 
Blunt has appointed a committee, an equipment certification 
committee, where we have a representative from a disability 
advocacy group that's a member, and we also have two members 
from the blind community that are on the committee. And they 
have been very helpful in educating the rest of the committee 
on the disability issues, and they will certainly be very 
important in certifying. And Secretary Blunt will consider 
their input before he certifies equipment to make sure that it 
is accessible to the disabled.
    Mr. Clay. Thank you for your answer.
    My time is up, Mr. Chairman.
    Mr. Putnam. Mr. Holt.
    Mr. Holt. Thank you very much, Mr. Chairman, and I 
appreciate the opportunity to join you here, and I certainly 
like the Florida orange juice. That's a nice touch. We all 
extol the contributions of Florida in the orange juice field.
    Mr. Putnam. We have to have something positive to say about 
Florida this morning.
    Mr. Holt. Well, indeed, in 2000, we all got an education. 
Americans got an education in voting. Many of us who had been 
involved in the business knew it is complex. As one who won a 
reelection by less than 1 vote per precinct, I certainly had 
paid attention to the mechanisms and as well as the technology 
of voting.
    But for most Americans, it was previously thought to be 
very simple, and I think we have all learned a lot. I think we 
have learned that we have to hold up the principles that voting 
will be fair, that it will be accessible, and that it will be 
verifiable, and it is that latter principle that I wanted to 
talk about today.
    I noticed your hearing calls for technology, accuracy, 
reliability and security. I would add another, auditability or 
verifiability, as what we should be looking at today.
    And my first question, actually, I guess, is probably for 
Mr. Hite and for Mr. Semerjian. Considering that it is a secret 
ballot, is it possible for anyone other than the voter, be it 
the manufacturer, vendor or election official--is it possible 
for anyone other than a voter to verify whether the voter's 
intentions have been appropriately recorded?
    Mr. Hite. I have never pondered that question before, so 
that is why I pause.
    Mr. Holt. I think it is the fundamental question here.
    Mr. Hite. My quick response to that is I don't think it is 
possible for anyone other than the voter to know the voter's 
intent and be able to verify the voter's intent. You would have 
to require some element of the voter's interaction to do that.
    Mr. Holt. Dr. Semerjian.
    Dr. Semerjian. Well, let me perhaps answer a different and 
related question.
    Mr. Holt. OK.
    Dr. Semerjian. That is the fact that the paper ballot is 
verified does not necessarily mean that the computer-recorded 
vote is verified. I mean, they are related, but they are two 
different things. So I think we need to make sure that we 
should not be satisfied simply by saying the paper ballot, the 
paper ballot is the intent of the voters.
    We need to make sure that the computer-recorded vote 
records properly the intent of the voter, and I think that's 
done through a proper testing, through providing proper 
security and data integrity measures.
    Mr. Holt. Well, let me follow on that point, Mr. Semerjian. 
In your testimony you talk about performance-based standards. I 
take that to mean you like to look at the outcome in an applied 
way, where it is actually used in the field, to see whether the 
result is correct, rather than relying on procedures that the 
room is locked, and that no one else has access to the software 
or whatever training and procedural steps one takes. So, given 
that, with performance-based standards, how can you know 
whether a machine has an error in it, perhaps in a software, 
perhaps unintentional, perhaps hacked? How can you know that on 
a performance basis?
    Dr. Semerjian. Well, that's normally done by subjecting the 
equipment that is being tested to certain inputs. 
Statistically----
    Mr. Holt. But that's beforehand. That's not performance-
based. As I understand what you mean by performance-based 
standards, you want to know whether, as it is used in the 
field, whether the numbers match up with some independent 
measurement.
    Dr. Semerjian. The idea of the performance-based standard 
is not to simply say you have to do this and that and the other 
thing, but to simply say, OK, if applied, if I use that 
equipment the way it is supposed to be used. Then does the 
machine, at the end, produce the exact input as an output? 
That's really what is meant by performance standard--and with 
what level of accuracy? I mean, is there a discrepancy at the 1 
percent level, or what is our expectation; is 1 percent 
acceptable, or 5 percent?
    Those are the kinds of standards we can accept, not telling 
vendors that you have to do this, you have to save the data 
this way, etc. I think we want to leave the creativity, the 
innovation part to the vendor, but require them to deliver an 
equipment, the machine, that provides 100 percent accurate 
performance.
    Mr. Holt. Well, the time is up. I am not sure I got an 
answer to how do you know whether the machine has been hacked 
or not, but time has expired, so thank you.
    Thank you, Mr. Chairman.
    Mr. Putnam. Thank you.
    Mr. Hite or Dr. Semerjian, do you know how many individual 
election units there are in this country, how many precincts 
there are in this country?
    Mr. Hite. The numbers I have seen on the precincts, are on 
the order of 193,000.
    Mr. Putnam. 193,000 precincts, and presumably some of them 
in very rural areas might just have one or two machines, and 
another might have a couple of dozen?
    Mr. Hite. I was speaking to precincts, polling places, in 
terms of jurisdictions, voting jurisdictions, there's only on 
the order of 10,000. Each of these precincts have multiple 
polling places associated with them.
    Mr. Putnam. So there are 193,000 polling places?
    Mr. Hite. Correct, where you go to vote, the local school, 
church.
    Mr. Putnam. Right. Each of which may have one or two 
machines or private little areas where you go do your paper 
ballot, pull the paper ballot or lever or whichever it may be, 
up to a dozen at each precinct, something like that.
    Mr. Hite. Configurations go by equipment and size.
    Mr. Putnam. But we are talking about a lot?
    Mr. Hite. Yes.
    Mr. Putnam. It could be several hundred thousand starting 
at a baseline of almost 200,000?
    Mr. Hite. Yes.
    Mr. Putnam. So, let me just say something about Florida, 
because I think it is important. Anyone could have been Florida 
in 2000, and, in my opinion, we haven't passed any regulation 
that will prevent another Florida in 2004. Nothing we have 
done, nothing we will talk about, nothing we can do will 
prevent a close election, which is really what happened.
    I mean, when you talk about what happened in Florida, you 
had a close election, and it was not the first time that it had 
happened. Even in my short time, county commissioners have been 
elected and then unelected because the outcome of a vote turned 
by five votes or three votes, because there were human beings 
involved and somebody forgot to--the deputy who delivered the 
boxes of ballots to the central accounts location thought he 
had unloaded all the ballots and found another box in his car 
the next morning, or the very well-meaning, well-trained 
coworkers just picked up three paper ballots, and they thought 
they only had one, fed it into the machine, and so the top one 
was red, the bottom two were not.
    When you get down to several hundred thousand machines 
counting millions of votes, there will be errors, because 
humans are involved. So let me just ask what the HAVA act will 
do to prevent the same errors, the same oversights, the same 
mistakes that were made in 2000. What has changed as a result 
of that legislation?
    Mr. Hite. I don't believe that the HAVA act will 
fundamentally change that for the 2004 election. The HAVA act 
has in it provisions for long-term improvement in this area, as 
well as short-term, because steps have already been taken by 
the EAC in a relatively short amount of time to recognize and 
inform and educate the jurisdictions about where improvements 
can be made in the near term to minimize the chance of those 
errors. We are never going to get rid of them. That's what we 
are trying to do is minimize them. And whether similar problems 
will surface in 2004, I would be shocked if they didn't, and 
particularly because the whole election process is going to be 
under such a microscope now and going forward. But what we are 
talking about, what HAVA does, and what we are talking about 
doing near term and long term, is to reduce the probabilities 
of this happening.
    Mr. Putnam. Is there a margin of error in every voting 
process and voting technology that is deployed today?
    Mr. Hite. There is a margin of error in every process 
involved in any type of business or government activity, 
including air traffic control, for example, where you want 
accuracy down to five nines, so it is inevitable.
    Mr. Putnam. Over the long term, is a paper trail the way to 
go? Is a paper trail the best, most effective way to audit the 
results of an election?
    Mr. Hite. I believe a paper trail can offer a layer of 
security with respect to DREs. Now, it all depends on how you 
use that paper trail. Just having the paper receipt and having 
the voter look at it in and of itself doesn't give you a whole 
lot. But if you implement it in a way where you have some means 
to know whether or not the machine is capturing the vote as it 
is on the paper receipt, now you have added a level of 
security.
    As with any decision about security capabilities, you have 
to make those decisions in the context of risk. What is the 
threat, what are my vulnerabilities, and how much am I willing 
to pay to reduce the risks associated with those two variables? 
And so you have to make decisions about that. You don't just 
throw money at something. You make good, fact-based decisions.
    Mr. Putnam. And I would submit that time is also a factor, 
because it becomes a deterrent to voting, depending on how long 
it takes for all this verification to occur.
    Dr. Semerjian, I want you to answer that question, and then 
we will yield to Mr. Clay.
    Dr. Semerjian. Well, I agree with what was said. I don't 
think I have anything to add. There is an uncertainty with 
every process. And the whole point is, how do you reduce that 
uncertainty to an acceptable level? So whether you expect 100 
percent accuracy, which is almost unattainable, or whether 99.9 
percent is acceptable or whether it is 95 percent, I think we 
certainly want to set standards that push that level, that 
level of certainty, or reduce the level of uncertainty as much 
as possible. And that can be done through proper testing and 
setting the proper standards to start with.
    Mr. Chairman, may I answer, sir, the question that Mr. Holt 
asked that I could not answer?
    Mr. Putnam. Sure.
    Dr. Semerjian. Regarding hacking, how do we know that it's 
hacked?
    Mr. Holt. Or error of any sort.
    Dr. Semerjian. Well, this is work in progress. As I said, 
TGDC had the first meeting. But one of the issues that they 
already addressed is this issue: How do we know that the 
software on a particular machine is not hacked or modified or 
changed by mistake? And we do have a National Software 
Reference Laboratory at NIST that we use for this kind of 
applications. We haven't used them for the voting process, but 
we have used it where at different stages of a process you can 
actually check the integrity or the signature of a particular 
software package, so that once you have established this 
referenced initial certified version of a software, you can 
check against that at different stages so that there are no 
mistakes made in duplication, or, changes by mistake, so that 
you can verify the integrity of that software from the very 
beginning of the process to the very end where it is loaded to 
individual machines.
    So we haven't worked out all the details, but I think that 
the technology is there to be able to say that this particular 
software package is not what it was at the beginning of the 
process, that something has changed, and alert the officials 
that some action needs to be taken.
    Mr. Putnam. Mr. Holt, how about if I just go ahead and 
recognize you for your second wave of questions?
    Mr. Holt. Well, just following on that point. In fact, that 
is right; the way you test software is you see whether it gives 
the right answer. In other words, you audit it. You compare it 
against another approach to that same calculation to see if it 
gives the same result. And you do that at each stage along the 
way. You also check the software to see whether it is robust in 
various ways.
    Dr. Semerjian. May I say something?
    Mr. Holt. Yes.
    Dr. Semerjian. This is not only substantiating the result 
of the computation, because the program can give you the same 
result but in the meantime could produce some output of some 
other source. Here, the idea is to check the integrity of the 
entire software package.
    Mr. Holt. That is right. Step by step, you audit it.
    Dr. Semerjian. Well, it is more than that.
    Mr. Holt. And you compare each operation to see whether 
that operation does what you think it does.
    Dr. Semerjian. It is more than that. If any kind of a 
statement is changed in that software--which may still give the 
same answer--if any code is changed, the signature of the code 
will be changed. So even two codes that give the same answer 
may be slightly modified. And this kind of technology will 
detect that.
    Mr. Holt. That is external hacking. That might or might not 
find an embedded problem, an embedded bug that has been in 
there since it was written or since it left the package.
    Dr. Semerjian. That is where the certification process 
comes in.
    Mr. Holt. But, anyway, my point is the way you know 
anything, the way anything of value should be subject to 
audit--and my point is, if in fact the answer to my first 
question is that only the voter can verify his or her 
intentions are properly recorded, then the only audit that 
makes sense is to compare the result against what the voter has 
verified. But let me go on to a couple of other questions.
    Mr. Hite, what do you think--you say in your testimony that 
we have to make sure that the people who work with these 
devices are well trained and have the requisite knowledge. What 
is the requisite knowledge to operate today's BREs? Is it more 
or less than the knowledge to maintain, say, keeping track of 
optical scan paper for the election workers?
    Mr. Hite. What I can offer there as part of our survey of 
jurisdictions, in 2001 we asked local jurisdictions about 
whether or not DREs versus optical scans, etc., how difficult 
they were for operators, poll workers to use, or for voters to 
use, or how difficult it was to correct somebody's vote who 
made a mistake versus the different types of technology. And in 
general, DREs were easier to operate than the optical scan and 
the other types of voting systems.
    Specifically in terms of the training that is needed for a 
given poll worker, a given maintenance individual, anyone who 
has to interact with that system, that is going to vary by 
jurisdiction and by type of system because there's different 
rules and standards that govern how these elections are 
conducted--and we can use Missouri as an example of that.
    Mr. Holt. So if there are 50 million people this year who 
will be asked to vote on electronic machines, maybe 30 million 
will actually show up and vote. For those 30 million votes this 
year, what would you recommend is the best near-term solution 
to protect the integrity?
    Mr. Hite. Coming from an organization where we don't make 
rash decisions or take or quick positions on things, I'd go 
back to what I said before. It requires a level of 
understanding and visibility into those systems--make and model 
of those systems--to know how they behave and know what their 
strengths and weaknesses are. I just don't have that because I 
haven't done that type of analysis on a system-by-system basis. 
And so my position would be that is the kind of decision that 
you want to make with the long-term focus in mind. You want to 
base it on some good data that talks about what are the 
vulnerabilities of those systems and what is the best way to 
implement paper receipts if you choose to do that. I am just 
not in a position to give you the answer that you are looking 
for. I don't have that kind of knowledge.
    Mr. Holt. And with my time expired, I just want to thank 
the Show Me State and Secretary Blunt for his, I think, 
intelligent approach to this and his leadership.
    And thank you, Mr. Chairman.
    Mr. Putnam. Mr. Clay.
    Mr. Clay. Thank you, Mr. Chairman.
    Mr. Putnam. And I will note for the record the presence of 
the gentlelady from Ohio, Ms. Kaptur. Without objection, you 
are certainly welcome to join us, and we are delighted to have 
you here and certainly hope that should you wield the gavel in 
your appropriations subcommittee, that I will be accorded the 
same treatment when you all are----
    Ms. Kaptur. Yes.
    Mr. Putnam. Thank you.
    Mr. Clay.
    Mr. Clay. Thank you.
    Mr. Hite, the California Secretary of State has established 
a set of safety criteria that, if met by election officials, 
will allow the recertification of the computerized voting 
machines. Would you comment on the adequacy of those 
recommendations?
    Mr. Hite. Yes, sir. I am aware, as you say, that there are 
these 23 conditions. I am not, unfortunately, familiar with 
those 23 conditions so that I can offer an informed opinion on 
it. So I apologize for that.
    Mr. Clay. In your full written testimony, you state that 
current touch-screen electronic voting machines can produce 
images that can be printed, but explain that this is according 
to vendors. Did GAO investigate whether the machines currently 
in use do in fact have this potential?
    Mr. Hite. No sir, we did not. We have done no code reviews 
or any testing or evaluation of specific make and models to 
determine what features are implemented and whether or not they 
have been implemented properly. I believe that other witnesses 
at this hearing have much more in-depth knowledge about the 
specific make and models.
    Mr. Clay. Thank you.
    Dr. Semerjian, when the new standards are ready, what do 
you suggest that States do if they have already purchased 
voting machines with HAVA funds and then find out that the new 
machines are not HAVA compliant? What should they do?
    Dr. Semerjian. I am not quite sure how to answer that 
question.
    Mr. Clay. I want to hear your answer.
    Dr. Semerjian. I think this is exactly the issue they are 
struggling with. They feel that they are between a rock and a 
hard place, because they need to make some changes perhaps, and 
yet the information that they need to make informed decisions 
regarding purchases is not available. So, I mean, I really feel 
for them, but unfortunately the timing was such that these 
standards could not be provided in time certainly to affect 
this year's elections, but we hope that they will be for the 
2006 elections.
    Mr. Clay. So some States got ahead of everyone else because 
of HAVA, and now that may come back to bite them?
    Dr. Semerjian. Well, I mean, this is strictly conjecture on 
my part. But I mean, it sort of depends on what the changes 
needed will be. I mean, if there are software changes, they 
certainly can be made relatively inexpensively. But if there 
are going to be major hardware changes, obviously they will be 
more costly.
    Mr. Clay. Let me also ask, whose job is it to assure that 
electronic voting machines are free of malicious code and 
actually register the votes as intended? Whose job would that 
be?
    Dr. Semerjian. Elections are run, to the best of my 
knowledge, by local officials. So it is their responsibility to 
ensure the integrity of the voting process. The EAC, TGDC, and 
other organizations try to provide them with the information, 
knowledge, and the tools, technology tools to make that job as 
tenable as possible. But at the end of the day, it is the local 
officials' responsibility to ensure the integrity of the voting 
process.
    Mr. Clay. Thank you for those responses.
    Mr. Jarrett, it is my understanding that none of the touch-
screen machines now on the market have been certified to the 
2002 standards. Is that correct?
    Mr. Jarrett. That is my understanding as well.
    Mr. Clay. Did the lack of certification play a role in the 
Missouri Secretary of State's decision to defer the use of 
computerized voting machines in Missouri?
    Mr. Jarrett. Yes. Again, our State statute requires that 
anytime that the Secretary of State certifies equipment, it has 
to be certified by an ITA to the current standards, which are 
the FEC 2002 standards currently, d will be the EAC standards 
when the Standards Board and the TGDC sets those standards. So, 
yes, it played the major role, as a matter of fact.
    Mr. Clay. I thank you for your response and the entire 
panel being here.
    Mr. Chairman, I yield back the balance of my time.
    Mr. Putnam. Thank you, sir.
    Ms. Kaptur.
    Ms. Kaptur. Yes, Mr. Chairman. Thank you so much for 
allowing us to participate in your important hearing this 
morning and also for the Florida orange juice. I now had that 
for breakfast and for lunch, and appreciate the work that the 
people of your State do for the rest of the world.
    Thank you very much. And I wanted to thank the witnesses 
for producing this excellent report this morning. This is a 
topic on which we in Ohio are very, very focused, and 
appreciate your diligence.
    I think more oversight is better than less oversight. I 
know that Congressman Clay in our conversations has been trying 
to receive information from those of us not on this 
subcommittee, not on this full committee, in the important area 
of voting technology and reform. And I just thought I would 
state for the record, and I will put the full information in 
the record, that in Ohio, about a year ago, five technologies 
that were being considered were displayed at our Statehouse in 
Columbus, OH. And at that time, not being a computer technology 
expert, I asked three of our major universities to select the 
best people they had, and they chose the people in charge of 
their computer security to go down and review the technologies 
on display. And I won't read you their full report, but I will 
read you some of the conclusions:
    No technology currently under consideration had attributes 
that made it both secure and readily accessible for use. All of 
the technologies had serious shortcomings in these two major 
elements:
    None of the security mechanism force of the voting systems 
that remained in consideration in Ohio could sufficiently 
prevent fraud or abuse.
    The integrity of the voting process as well as voter 
confidence could be compromised through the absence of an 
auditible paper trail at each precinct. Without rigorous 
testing by multiple outside agencies with appropriate technical 
expertise, assurance of a secure era of tamper-proof electronic 
election system cannot be obtained. Levels of computer 
proficiency among the electorate vary and tend to disfavor the 
elderly, minorities, and the economically disadvantaged.
    And we saw that in the election called the test election, 
which was held last year in which the technologies were 
employed.
    And, finally, while electronic voting is a viable option 
that can be successfully implemented, it must use secure 
disciplines to gain the public's confidence.
    After that information came to me, it got my attention, and 
particularly because our State was trying to get our local 
counties to purchase equipment and to sign contracts. And after 
my family and I voted in November, I sent a letter to our 
Secretary of State, November 10, 2003--and I am placing this in 
the record--to which I have received no response. But I would 
ask you if you are capable to answer any of these questions.
    I explained in the letter that when we voted at our polling 
place, we actually chose the paper ballot rather than using the 
electronic device that was also an option. When we completed 
the paper ballot, we gave it over to the election official who 
put it in an optical scan. And our ballots, when it went 
through the scan, were physically stored in the back of the 
machine and at the end of the day the physical ballots could be 
tallied against the totals provided by the scanner. And, thus, 
we felt confident that our votes had been counted and that, if 
necessary, an auditible trail would be present at the precinct 
level, which is how we vote in Ohio. We count at the precinct 
level.
    The people, however, who in that same precinct chose to use 
the electronic device, I would ask the question, how would 
their votes be counted? Where exactly is their vote in that 
machine? That is the first question. How and where were their 
votes counted at the end of the day? Will the touch-screen 
system produce an auditable paper trail of votes at the 
precinct level? And, if not, what happens to the votes on the 
disk once those votes leave the precinct? Who controls the 
disk? And is any tally left at the precinct level?
    To date, our Secretary of State has not chosen to answer 
this letter. I am just curious, how would you go about perhaps, 
if you can, answering any of the questions that I have asked?
    Mr. Putnam. Did you write all that down?
    Mr. Hite. Well, actually, I didn't need to write it down 
because, unfortunately, the answer to the question is, it 
depends. And it is going to depend on the specific make and 
model of the equipment that is being used there and the set of 
procedures that are being employed to govern the extraction of 
those votes and the transportation of those votes, whether it 
is on disk or electronically. So there is so many things that 
are peculiar to your situation that we don't have privy to and 
are not in a position to answer, but certainly your Secretary 
of State should be in a position to answer.
    Mr. Putnam. Anybody else want a crack at that?
    Mr. Jarrett. Certainly in Missouri, Secretary Blunt has 
said that he is not going to certify any DREs unless they do 
provide a voter-verified paper ballot. So, in Missouri, that 
will be the standard. There will be a paper backup.
    Ms. Kaptur. And that paper backup would be at the precinct 
level? Do you count the votes at the precinct level in 
Missouri?
    Mr. Jarrett. No. They are counted back at the central 
office. But, yeah, that will be available at the precinct 
level. I think Secretary Blunt envisioned a system where the 
paper ballot would either be behind glass and where the voter 
couldn't touch it, it would simply drop into the ballot box. 
Or, even where the voter would get the ballot, paper ballot, 
and put it in a ballot box so that the voter could see it 
before they hit the final button casting their ballot to make 
sure that it is what they intended.
    Mr. Putnam. The gentlelady's time has expired.
    The subcommittee will accept any final comments that the 
first panel would like to make, if you have any. If there are 
some last words, a question you wish you had been asked, 
something you would like to answer, this is your opportunity. 
And then we will recess and set up the second panel. Any final 
comments from the first panel? Very good. The subcommittee will 
stand in recess. We will arrange the witness table for the 
second panel.
    [Recess.]
    Mr. Putnam. The subcommittee will reconvene. The witnesses 
will please rise for the administration of the oath.
    [Witnesses sworn.]
    Mr. Putnam. I would note for the record that all the 
witnesses responded in the affirmative. We will move directly 
to witness testimony.
    The first witness is Dr. Aviel Rubin. Dr. Rubin is 
professor of computer science and technical director of the 
Information Security Institute at Johns Hopkins University. 
Prior to joining Johns Hopkins, he was a research scientist at 
AT&T labs. Dr. Rubin has authored and coauthored several books 
on Internet security. He serves on the board of directors of 
the UFE&IX Association and on the DARPA Information Science and 
Technology Study Group. Dr. Rubin is coauthor of a report 
showing security flaws in a widely used electronic voting 
system that focused a national spotlight on the issue.
    In January of this year, Baltimore Magazine named him 
Baltimorean of the year for his work in safeguarding the 
integrity of our election process, and he is also a recipient 
of the 2004 Electronic Frontiers Foundation Pioneer Award. 
Weather to the subcommittee. You are recognized for 5 minutes.

   STATEMENT OF AVIEL RUBIN, TECHNICAL DIRECTOR, INFORMATION 
   SECURITY INSTITUTE, DEPARTMENT OF COMPUTER SCIENCE, JOHNS 
                       HOPKINS UNIVERSITY

    Mr. Rubin. Thank you, Mr. Chairman, Mr. Clay, Mr. Holt, and 
Ms. Kaptur. In addition to all of that, I just want to 
introduce that I served as an election judge on Super Tuesday 
in March, in Baltimore County, to gain experience with actually 
helping to run an election.
    My belief, after studying the code in the Diebold DREs is 
that the DREs that are in use right now and that will be in use 
in November are poorly designed, insecure, and that they should 
not be used. The Secretaries of State of California and Ohio--
and, I now learned, Missouri as well--have come out with 
statements backing this opinion.
    I have two major concerns, and to some degree they are 
mutually exclusive. Let me describe the first concern.
    The first concern is that something very bad will happen in 
November in the election due to the insecure machines. They 
could fail in a catastrophic way. They could get a result that 
is obviously wrong. And what would we do? There would be no 
ballots to recount. They could fail in a way that is wrong, 
that could get a result that is wrong but not obvious. We don't 
know how likely that outcome is.
    Let me talk about my second concern. My second concern is 
that nothing bad will happen, and that will be used as an 
argument to say that the machines are secure. Some people 
already are saying that the machines are secure because we have 
had no failures in the past. This would give them more 
ammunition to continue to say that the machines are secure. The 
lack of an obvious failure does not mean that the machines are 
secure. We have a vulnerability here. We have fully 
computerized machines that can be read, they can be read 
without anyone even knowing it, and even if the machines are 
open source. Just because this software is available for 
inspection does not mean there isn't something hidden inside of 
it that cannot be found. I do not believe it is possible to 
find all of the problems that could exist in software, even by 
really good experts.
    Let me give an analogy. You might drive without a seat 
belt, and if a bad accident happens to you and you get really 
hurt, there is no consolation in me saying, I told you so. But 
if there is no accident, that does not mean that it was safe.
    On November 2nd, 30 percent of American voters will be 
driving without a seat belt. If there is no apparent incident, 
that does not mean it was safe to do so.
    My primary concerns with today's DREs are that there is no 
way for voters to verify that their votes were recorded 
correctly. There is no way to publicly count the votes, no way 
to count the votes so that people can watch and be sure that 
the counting is legitimate. In the case of a controversial 
election, a meaningful recount is not possible. The machines 
must be completely trusted not to fail, not to have been 
programmed maliciously in the first place, and not to have been 
tampered with. In Diebold's machines we found gross design and 
implementation errors when we looked at the code.
    The current certification process resulted in these 
machines being approved for use and are being used in 
elections.
    I am often asked, how do the other vendors compare to 
Diebold? And I have to say, I don't know; nobody will let me 
look at that their system.
    We often find ourselves in these kinds of hearings, and 
election officials will pull out--and I just learned we are 
going to have a similar demonstration today--a 10-foot long 
ribbon that shows what a paper ballot might look like. And I 
would say, yes, if you designed the absolute worst paper ballot 
that you could think of, it would look like that. Why don't we 
start with something like the absentee ballots that they are 
using, and show that is what a ballot could look like? In fact, 
that absolutely worst possible design of a paper ballot 
probably includes all of the choices that were not made by the 
voters as well.
    I don't think that this is an insurmountable problem. I 
believe that we can design voting systems that are accessible 
to the disabled, that provide voter verifiability to the 
voters, and that raise the bar in security past the threshold 
that I need to be past, and we are way below that threshold 
right now.
    In conclusion, accessibility and security are not mutually 
exclusive. They should not be portrayed that way. We need to 
develop systems that do not require completely trusting the 
vendor with the outcome. We need to develop systems that are 
auditable, including the ability to perform a recount that is 
recounting the voter's intent. Systems where voters know that 
their completed ballots
are recorded correctly need to be developed, and we need to 
develop a transparent process without secret code. Today's DREs 
have none of those properties. Thank you.
    Mr. Putnam. Thank you very much.
    [The prepared statement of Mr. Rubin follows:]

    [GRAPHIC] [TIFF OMITTED] T8208.066
    
    [GRAPHIC] [TIFF OMITTED] T8208.067
    
    Mr. Putnam. Our next witness is Dr. Michael Shamos. Dr. 
Shamos is a distinguished career professor in the school of 
computer science at Carnegie Mellon University where he serves 
as co-director of the Institute for E-Commerce, and the 
director of the Center for Privacy Technology. He is also 
editor in chief of the Journal of Privacy Technology.
    From 1980 to 2000, he was statutory examiner of 
computerized voting systems for the Secretary of the 
Commonwealth of Pennsylvania. From 1987 to 2000, he was the 
designee of the Attorney General of Texas for electronic voting 
certification. During that time, he participated in every 
electronic voting examination conducted in those two States, 
involving over 100 different voting systems, accounting for 
more than 11 percent of the popular vote of the United States 
in the 2000 election.
    He is the author of ``Electronic Voting: Evaluating 
Threat,'' and ``Paper V-Electronic Voting Records: An 
Assessment.'' He is a member of the Serve Project Review Group, 
and the recent National Research Council Workshop on Electronic 
Voting.
    Welcome to the subcommittee. You are recognized for 5 
minutes.

   STATEMENT OF MICHAEL SHAMOS, PROFESSOR, CARNEGIE MELLON, 
   DIRECTOR, UNIVERSAL LIBRARY; CO-DIRECTOR, INSTITUTE FOR E-
                            COMMERCE

    Mr. Shamos. I thank you, Mr. Chairman, members of the 
committee, and visiting members. This hearing is about the 
science of voting machine technology. There presently is no 
such field of science, if by science we mean an organized 
experimental discipline with authoritative principles and 
published journals. The reason is that until the year 2000, it 
was difficult to interest scientists in a problem so apparently 
trivial as counting ballots.
    As we saw in Florida in 2000, it is not a trivial problem, 
and we desperately need a field of voting science. However, 
there is no systematic science of voting machine technology, no 
engineering journal devoted to the subject, no academic 
department nor even a comprehensive textbook. There are no 
adequate standards for voting machines nor any effective 
testing protocols. It is only a set of minimum statutory 
requirements, public budgets, and the law of the marketplace 
that have shaped the development of voting machines.
    When a flaw is detected in a voting machine, there is no 
compulsory procedure for reporting it, studying it, repairing 
it, or even learning from the experience. The voting machine 
industry is unregulated and has not chosen to regulate itself. 
I don't believe the public will long tolerate such a situation.
    While recent newspaper articles and statements by certain 
computer scientists have shed doubt on the ability of direct 
recording electronic machines to count votes securely and 
reliably, it should be noted that in the 25 years these 
machines have been used in the United States, there has not 
been a single verified incident of tampering or exploitation of 
a security leak.
    The concerns have been expressed and, unfortunately, taken 
up with unjustified gusto by the popular press, representing a 
hypothetical rather than a real threat to the electoral 
process. Various design flaws and potential avenues of attack 
have been verified, and it is important to analyze and repair 
them rather than to flee to methods of voting that are even 
less safe.
    For reasons of cost and convenience, evolution of voting 
systems has tracked that of personal computers. As we now know, 
the operating systems of such machines are highly vulnerable to 
attack and infiltration by malicious software such as viruses.
    In addition, the temptation to connect voting machines 
together by networks and link them to central counting stations 
through telecommunications has introduced new vulnerabilities 
not previously seen. The only set of standards used to evaluate 
voting systems, the Federal Voting Systems Standards, FVSS, now 
the province of the Election Assistance commission, have not 
kept pace with either developments or threats. For example, 
these standards place responsibility for virus protection and 
elimination on the vendor, and provide for no test procedures 
by which the presence of viruses or the susceptibility of a 
system might be determined.
    An example of disorganization in the field of voting 
technology is the recent popular call embodied in several bills 
now before Congress to add paper trails to existing voting 
machines in the vain belief that this would suddenly make 
untrusted machines trustworthy.
    No scientific study has been performed comparing the 
security of paper ballots to electronic records, yet fear of 
the machines is so prevalent that entire States are now 
insisting on the introduction of a technology that does not yet 
exist to solve a problem that has never been observed.
    I could give testimony for 2 hours on exactly how one can 
take any method of voting that is performed with paper ballots 
or paper devices, and I can explain in detail numerous methods 
of tampering with a ballot. If I were to do that, one of the 
effects would be that many Americans would not go to the 
polling places this November because they would have no faith 
in any method of voting.
    I believe this situation has occurred, because allegations 
have been made that voting machines jeopardize democracy. But 
there is no engineering study available to rebut the 
allegation, and we need one.
    The scientific establishment of the United States needs to 
be mobilized to investigate the problem. Some efforts are 
already underway in this regard. Last week, the National 
Research Council convened a committee of approximately 20 
experts on voting technology and election practices to 
formulate a set of questions for further study, but the 
investigation is as yet unfunded and may take several years to 
complete. The National Science Foundation should fund proposals 
to study various aspects of voting.
    Other than health and nuclear safety, it is difficult to 
think of a more pressing subject for NSF support. HAVA, the 
Help America Vote Act of 2002, tasks the National Institute of 
Standards and Technology with major technical responsibility 
for guiding the development of voting systems standards. Yet 
this effort remains tragically unfunded. Section 273 of HAVA 
authorized an appropriation of $20 million for research on 
voting technology improvements during fiscal 2003. The total 
actual appropriation was zero dollars, and no authorization 
even exists for 2004.
    I have heard it expressed that Congress wants to give HAVA 
a chance to work before enacting further voting legislation, 
but it is elementary that HAVA cannot work if it is never 
implemented. As scientists have begun to study voting 
seriously, a number of revolutionary breakthroughs have 
occurred that can allow a previously unheard of degree of 
transparency in the process of voting and tabulation. For 
example, you will hear later, right after me, about a system 
called VoteHere. Also, because of a development by computer 
scientist David Chaum, it is now possible to accord each voter 
the ability after voting has taken place to verify that her 
vote has not only been counted but counted correctly. It is 
also feasible for any member of the public independently to 
verify the correctness of the tabulation, and to be sure that 
no unauthorized votes have been added to the total, all of this 
without compromising the secrecy of the ballot. Technologies 
such as these need Federal support in order to flourish.
    I thank you for the opportunity to testify today.
    Mr. Putnam. Thank you very much.
    [The prepared statement of Mr. Shamos follows:]

    [GRAPHIC] [TIFF OMITTED] T8208.068
    
    [GRAPHIC] [TIFF OMITTED] T8208.069
    
    Mr. Putnam. Our third witness is Mr. Jim Adler. Mr. Adler 
is the founder and CEO of VoteHere, Inc. He is widely regarded 
as an authority on the subjects of cryptography, security, and 
e-voting. He has served on California's groundbreaking 1999 
Internet Voting Task Force, testified before legislatures on 
the subject of e-voting, and is defining certification 
procedures for e-voting systems. Currently, he is co-chair of 
the Institute of Electrical and Electronics Engineers Voter 
Verification Standards Committee which is defining national 
standards as part of the Help America Vote Act of 2002.
    Early in his career, he was a rocket scientist working on 
Atlas, Titan and Space Station Freedom avionics systems. He 
received a B.S. in electrical engineering with high honors from 
the University of Florida--go Gators--an M.S. in electrical 
engineering from the University of California, San Diego.
    Welcome to the subcommittee. You are recognized for 5 
minutes.

    STATEMENT OF JIM ADLER, FOUNDER AND CEO, VOTEHERE, INC.

    Mr. Adler. Thank you, Mr. Chairman, members of the 
committee, and visitors.
    So far we have heard a bipolar debate between, on the one 
hand, electronic voting machines are fine as is, and on the 
other, the only way forward is to go back to paper ballots.
    Many people agree that there is a problem with electronic 
voting today. However, we don't all agree that the paper ballot 
is the best solution, because we already know paper-based 
solutions are badly flawed. I am here to tell you there is a 
third way, perhaps the technology that Dr. Simons is waiting 
for, a better solution to prove that every vote is counted 
properly without falling back to paper ballots, the same paper 
ballots that have been at the root of electrical fraud and 
disenfranchisement throughout our history.
    There are technologies available today, and VoteHere's VHTi 
is one of them that can make electronic voting better than 
paper ballots and still retain all of the accessibilities and 
operational benefits. Just because some have diagnosed 
electronic voting disease doesn't mean the only cure is going 
back to paper ballots. There are other more effective cures.
    Interesting that Dr. Rubin mentioned safety belts. The call 
for paper ballots is similar to the call nearly 100 years ago 
to ban the automobile and go back to horses. Back then the 
automobile was considered dangerous new technology, lacking 
critical safety equipment such as safety glass. Instead of 
moving backward in elections, we need to look forward and, in 
effect, add safety glass to our electronic voting machines.
    Today I will outline technology that brings measurable 
certainty and transparency from the voting booth to the final 
election results, solves the current dilemma, and is available 
now.
    My message to you is very simple: We should let innovation 
and HAVA and NIST work, and not revert back to paper ballots 
which have historically failed us.
    Last summer we announced a nonexclusive agreement with the 
Sequoia Voting Systems to put our technology in electronic 
voting machines, and just yesterday we announced another 
agreement with Advanced Voting Solutions to put our technology 
in their machines. So this is not far off into the future. This 
is happening today. We will be testing that technology in the 
fall.
    VoteHere has a solution called VHTi, a voter-verified 
election audit technology that works inside any machine, and 
even though hardware/software procedures may be opaque, the 
audit system is 100 percent transparent and will with certainty 
detect if a single ballot is corrupted either maliciously or 
accidently. The technology goes beyond paper ballots because it 
proves election results are valid end to end, not just at the 
polling booth.
    It does two basic things: First, it gives voters a voter-
verified receipt if they want to check both that their vote was 
properly recorded at the poll site and properly counted in the 
final results, while maintaining ballot secrecy throughout. And 
second, it enables a meaningful and transparent audit trail 
that lets anyone independently verify the election results with 
accuracy down to a single vote.
    The effectiveness of this technology does not rely on 
securing software, source code, or the hardware, but instead 
relies on a transparent audit process that it enables. 
Elections have always been protected by detecting when 
elections are compromised, not necessarily just protecting 
elections from compromise.
    Too often, security experts have misunderstood elections as 
being only secured by protective measures, big fences that you 
build around your house. Actually elections have, as I said, 
been always secured by detecting these problems, like guard 
dogs that alert you to intruders inside your house. It is 
always good to build big fences, always good to have a dog in 
the yard. In many ways this VHTi technology is that barking 
dog.
    As a practical matter, tracking our votes is as simple as 
tracking a package sent through UPS or the U.S. Postal Service 
or tracking a lottery ticket to its point of purchase, and 
every day Americans track 12 million packages. If we can track 
the destiny of our packages, why can't we do so with our votes?
    The often-used reason for not using a true receipt that 
could be used to be taken home is that it could violate a 
voter's privacy and be used for vote-buying or voter coercion. 
Well, now this cryptographic technology provides an encrypted 
voter-verifiable receipt to assure the voter that her vote was 
counted properly but cannot be used to pass that assurance on 
to anyone else. The same technology protects trillions of 
dollars of electronic banking, and it is time that we brought 
it into our voting process. I realize that the capability 
sounds unbelievable, but this is the type of long overdue 
innovation that we are now embarking upon, and in no small part 
is due to HAVA.
    There is a demonstration on the VoteHere Web site, I know 
we don't have time to go into it, but a couple points need to 
be made. Just like at the gas pump, the voter has the option to 
obtain a detailed receipt of each race she wishes to verify. 
After the election, the receipt data is regenerated from the 
counted ballots, and she can look up the receipt on the county 
Web site to verify that the receipt she obtained in the polling 
place represents the same one that got counted. While the 
county tallies the votes, the public can also independently 
tally them as well, and nonpartisan groups such as the League 
of Women Voters and others could verify the results 
independently.
    With so much transparency and with so many people 
monitoring the results, you can statistically guarantee that 
anomalies will be caught, and in my appendix and written 
statement I go into that in some detail, and I also presented 
it at last December's NIST conference on security and 
transparency.
    What is most attractive about this technology is that it 
acts as a spot check on the election system end to end. Much of 
the criticisms have focused on the fact that we have no way to 
trust and justify the trust we place in electronic elections. 
This voter-verified receipt gives you that spot check and 
provides us a degree of statistical confidence and guarantees 
the election results are valid.
    I just want to talk about transparency. Cryptology is not a 
``Trust Me'' technology, it is a ``Trust No One'' technology. 
In every election, absolutely everything connected with the 
vote is published for scrutiny. The protocols, the mathematics 
are published. We did that last September. The source code is 
published. We did that in April. And all the voting data is 
published in every election. Cryptography actually reduces the 
need to trust election officials, hardware, software, 
procedures, and vendors. And paper ballots just can't do that. 
Paper ballots let voters check that their vote was recorded, 
but voters have no idea that their vote was counted. It then 
drops into a ballot box, a black box, and we have to trust that 
votes were actually counted.
    To just sum up, the promise of electronic voting is that it 
could be better than paper, not just as good as paper. The 
calls for security confidence and transparency are necessary. I 
wholeheartedly embrace them. Let's not go back to horse-and-
buggy elections. Instead of banning technology, we should let 
innovation work and provide safety equipment to our electronic 
elections. Only then will we have a truly safe voting process. 
Thank you for your time.
    Mr. Putnam. Thank you.
    [The prepared statement of Mr. Adler follows:]

    [GRAPHIC] [TIFF OMITTED] T8208.071
    
    [GRAPHIC] [TIFF OMITTED] T8208.072
    
    [GRAPHIC] [TIFF OMITTED] T8208.073
    
    [GRAPHIC] [TIFF OMITTED] T8208.074
    
    [GRAPHIC] [TIFF OMITTED] T8208.075
    
    [GRAPHIC] [TIFF OMITTED] T8208.076
    
    [GRAPHIC] [TIFF OMITTED] T8208.077
    
    [GRAPHIC] [TIFF OMITTED] T8208.078
    
    [GRAPHIC] [TIFF OMITTED] T8208.079
    
    Mr. Putnam. Our next witness is Mr. Sanford Morganstein. 
Mr. Morganstein is the president and founder of Populex Corp. 
He has more than 35 years of technology-based experience in 
both entrepreneurial and Fortune 500 companies. For the past 20 
years, he has led several new high-technology corporations, 
including developing Dytel into a successful corporation. He 
has served as chief of Technology and Competitiveness for the 
Illinois Department of Commerce and Community Affairs. In this 
capacity, he was responsible for strategic planning in new 
initiatives in biotechnology, telecommunications, business 
modernization, and commercialization of advanced university 
research. He also served as a member of several Governors' task 
forces. He holds 29 United States and foreign patents for 
telecommunications and high-tech products. Welcome to the 
subcommittee. You are recognized for 5 minutes.

  STATEMENT OF SANFORD J. MORGANSTEIN, PRESIDENT AND FOUNDER, 
                         POPULEX CORP.

    Mr. Morganstein. Thank you, Mr. Chairman, Congressman Clay, 
invited Members of Congress.
    What a great spirit of bipartisanship and democracy when 
the ranking member quotes Ronald Reagan in saying ``Trust but 
verify.'' It was President Reagan who said that so many years 
ago.
    I am here with one goal only, and that is to dispel 
misinformation that somehow voter verifiability and verifiable 
ballots are impractical, costly, and disenfranchise the blind. 
As Professor Rubin said, there is no reason at all that 
providing voters with a voter-verifiable, tangible ballot, one 
of which I am holding in my hand--and we will talk a little bit 
about that further--can't be used on touch-screen systems so 
that blind voters can work, undervotes are detected and warned, 
overvotes are not permitted, people who speak different 
languages can have their ballot easily translated into the 
language of their choice. There is absolutely no 
incompatibility with those noteworthy goals and the notion of 
having a voter-verifiable ballot.
    Mr. Chairman, some who have said that there is an 
incompatibility have pointed to reams of cash register tape 
saying, if you want an audit trail, this is what you have to 
have. It is crinkled, it is folded, it tears. Who knows how you 
count such a thing? I think that is a piece of misinformation 
that insists that something that is voter-verifiable has to be 
of this nature.
    And Mr. Adler to my right said let us not go back to paper. 
But it is not either/or. We can combine the best of the new, 
which is touch-screen voting, for its obvious advantages with 
the best of the old; something that can be verified, something 
that voters understand, something that they see, that is 
tangible, that goes in a ballot box, that is counted at the end 
of the day, as the Congresswoman asked, and that can be 
recounted. If you count this ballot, you will get the same 
result as when you recounted.
    Let us look at whether or not it disenfranchises the blind 
voter. We have had two of our machines in use for several 
months at the National Federation of the Blind in Baltimore, 
and they are going to be issuing a report based on human 
interface--this is easy to use, hard to use. And they have 
looked at five or six machines. And I don't know what they will 
say about that, but I do know--and I have questioned them and 
asked, can I quote you on that--that the blind voters who have 
taken the opportunity to verify their ballots--and they can by 
holding it underneath a supermarket scanner that we are all 
kind of used to and putting on headphones, it will read what is 
on that ballot. Those blind voters appreciated and understood 
that their ballots were being verified and that they were not 
being discriminated against because there was a technology that 
did not apply to them.
    When the subcommittee issued its notice, it focused on 
technology and science. And there is a human component that I 
urge consideration. Mr. Chairman, I would be preaching to the 
choir if I said that, fundamentally, our system is one that is 
ruled by the consent of the governed. And what is missing in a 
lot of the debate is the confidence of the voter; not of the 
scientist, but the confidence of the voter. And if the voter 
erosion--and if the voter's confidence in an electoral system 
is eroded because they don't understand what happens to the 
ones and the zeros on the disk, or they know that they had a 
hard drive that crashed, and they read about viruses, then we 
have a real risk that the people who really make this country, 
the voters, will lose confidence. And, again, there is 
absolutely no reason that confidence is incompatible with the 
electronic systems that can ensure that we capture the vote and 
capture the voters' intent.
    [The prepared statement of Mr. Morganstein follows:]

    [GRAPHIC] [TIFF OMITTED] T8208.080
    
    [GRAPHIC] [TIFF OMITTED] T8208.081
    
    Mr. Putnam. Thank you very much.
    Let me begin with a question for you, sir. How many ballot 
questions will fit on the card that you held up?
    Mr. Morganstein. Well, I have a lot of jokes about the city 
of Chicago, and I come from that city. And when I tell those 
jokes to people who are election officials there, I get into 
trouble. The typical Chicago ballot will have 75 judicial 
retention questions whereby judges are up, and you probably 
aware of that, sir. We have programmed an election for the city 
of Chicago--we programmed the 2000 election in which there were 
some, I think, 96 ballot questions, counting 75 judicial 
retention, President, Vice President, and so on. And that is, 
as a matter of fact, the limit that we can put on here. We can 
put 96. You can have thousands of people on the ballot, 
thousands of questions, but 96 selections, which is more than 
adequate for any election we have seen.
    Mr. Putnam. So that being the ballot, the voter can read 
their 96 selections on that piece of paper?
    Mr. Morganstein. Yes, sir. There are two ways the voter can 
do that. It is printed in a human readable format. You can see 
some numbers--and I am happy to pass these up to the committee 
if you would like to touch these.
    Mr. Putnam. That would be helpful.
    Mr. Morganstein. There is a human readable portion on the 
bottom, and then you see a bar code in there, which as the last 
time you went to the supermarket to buy a can of soup, you know 
that it read the price properly. The voter can hold that 
underneath a laser beam, and in the privacy of a voting booth 
it will show the selections, English selection, President of 
the United States and so on that they have picked up to 96.
    Mr. Putnam. Dr. Shamos, considering the pool of people able 
to hack into electronic voting systems is presumably smaller 
than those who are able to do it the old-fashioned way by 
manipulating the paper system, would you agree or disagree that 
electronic systems increase security of the ballot?
    Mr. Shamos. Properly designed and properly deployed and 
tested systems, DRE systems, do indeed increase the security of 
the ballot.
    Mr. Putnam. Dr. Rubin, after volunteering as a poll worker, 
you were quoted as saying that the experience showed you that 
one potential attack would be far more difficult to pull off 
than you and your colleagues had assumed. Is that an accurate 
quote, and do you still feel that a serious attack is likely?
    Mr. Rubin. Yeah. It's not a misquote, but it's the first 
half of a sentence where the second half was, ``I have found 
some attacks that I considered would have been harder to pull 
off in my precinct. I thought of new ones that I hadn't 
considered. And basically I think the experience focused me 
better on appreciating what the real risks were,'' and at the 
end of that paragraph, I stated that I still believe that these 
were a fundamental risk to our elections.
    So I did not believe the system was any less secure after 
working there. I just sharpened my appreciation for the various 
attacks.
    Mr. Putnam. Is it more or less difficult to perpetrate 
fraud using electronic devices over traditional paper ballots?
    Mr. Rubin. I believe it is probably more difficult to 
perpetrate fraud, but that the fraud would have much more far-
reaching consequences if it were successful.
    Mr. Putnam. And for the short term, this whole idea of a 
paper trail, is it technologically feasible to deploy an 
auditable, verifiable paper trail in every machine in America 
between now and November?
    Mr. Rubin. I don't know.
    Mr. Putnam. Anyone else?
    Mr. Shamos. It is not possible.
    Mr. Putnam. Mr. Adler.
    Mr. Adler. It is not possible.
    Mr. Morganstein. I would be wealthy if it were true, but it 
is not possible.
    Mr. Putnam. So we are all in agreement, with the exception 
of Dr. Rubin, that this is really a discussion about improving 
or changing or altering the approach for the 2006 election, 
because 2004 is out.
    Mr. Morganstein. There are primaries in 2005, and there are 
municipal elections in 2005.
    Mr. Putnam. OK.
    Mr. Rubin. I will agree with that statement, too.
    Mr. Putnam. OK. So this is all then, about post-
Presidential election and the challenges that we are going to 
have to deal with. We have heard testimony that no system is 
perfect, they all have their problems, they all have their 
security issues. We all deal with a certain amount of error 
every day in on-line IRS filings, ATM machines, self-serve gas 
pumps that scan our credit cards, and we all deal with a margin 
of error in electronic devices involving our finances. And 
obviously voting is a fundamental piece of our democracy, and 
we ought to do everything we can to secure it as well.
    But my concern is that this election is going to be seen as 
being a fiasco despite the fact that there may or may not be 
any greater error rate than historically has been the case 
because of the sensitivity, the international scrutiny, and the 
fact that now, frankly, both parties are ramping up teams of 
attorneys to figure out ways to exploit what everyone admits is 
an imperfect system.
    So knowing that everyone, the first panel and I believe all 
of you are in agreement--and if you are not, please say so. 
Knowing that everyone agrees that there is a margin of error in 
every single system deployed, how do we develop some standard 
that defines an acceptable error rate, knowing that this thing 
is going to be litigated and played out both in the media and 
presumably in the courts again? How do we have some standard if 
everybody agrees that there is going to be something that 
someone can point to and say that is an imperfect system? 
Because we haven't designed a perfect one. What is the 
definition?
    Mr. Morganstein, and we will work across the table.
    Mr. Morganstein. Thank you, Mr. Chairman. I will be brief. 
I was very honored last week to participate in a panel at the 
National Academy of Sciences right here in Washington with some 
of the smartest people I have ever seen or had the pleasure to 
sit down next to. And evidence was presented, sir, that showed 
that the voting system unquestionably counts. It makes a 
difference. It lowers error rates. Unquestionably. If you start 
from hand-marked ballots, which sound simple--make an X; well, 
some people make a circle and other things happen--to 
punchcards, which were good for a long time, and then we saw, 
well, maybe not so good; to optical scan that provide feedback 
to voters in the precinct. Better yet. And you can see that 
when we did these, the questions on the ballot didn't get 
easier, but the technology got better and the error rates did 
increase.
    I think DREs are a step further yet, and a I think a voter-
verifiable touch screen--which is not really a DRE, by the 
way--is yet another step.
    The answer, sir, to your question is, like anything else 
that we have done in this country, we have recognized the 
importance of continual improvement. It is not like the 
Constitution says, a more perfect union; you know, it is 
something perfect, you can't make it more perfect. We are 
getting better and better, and that is the best we can do as 
humans, is make it better and better and work on continuing 
improvement.
    Mr. Putnam. Mr. Adler.
    Mr. Adler. As Dr. Shamos said, there is no election 
science, and we--the election community--are making it up as we 
go. And that is just a true statement. On the committee that I 
co-chair at IEEE on voter verifiability, we have put out 
margin-of-error levels, standards that every system should 
meet, whether it be paper DREs or receipt-based systems where 
you can spot check these things.
    Statistics govern our whole lives. How do you know that a 
vaccine works? Because you didn't get sick? If you didn't take 
it, you might not have sick either. We do statistical analyses 
in this society that we base policy upon. What we are not doing 
with voting is we are not measuring the margin of error. The 
first thing we have to do is measure it and figure out how to 
measure it across systems, whether it be DREs, whether it be 
paper ballots. And I think once we understand that--and we have 
done some analysis which says if 2,000 people faithfully spot 
check and verify their vote, actually counted properly in a 
congressional district of, say, 400,000 voters, you can get a 
margin of error that you can take to court that is about a 
quarter of a percent. If you want better than that, you need 
more spot checking.
    And that is exactly what we did with lever machines; we 
used to spot check them. There was no paper to recount. We had 
a meaningful audit trail. And there are performance 
requirements that we need to institute and measure for every 
system on Election Day that will provide the second component, 
which we have all talked about, which is voter confidence. I 
get a receipt at the gas pump if I want it. If I get a receipt 
at the voting machine--in our focus groups, and we put about 70 
people, you know, through our last incarnation, whether they 
were going to check or not, they said I would rather have it 
than not have it.
    Between those two, measuring and giving the voters some 
confidence their vote counted and some proof their vote 
counted, I believe, is a way forward.
    Mr. Putnam. That technology test that would give you that 
.25 margin of error, isn't it true that would not take into 
consideration a confusing ballot design that, frankly, in 
Florida was one of the key reasons for voter confusion? But 
technically the machine worked. They were overvotes as a result 
of voter confusion on a complicated design. So, I mean, that is 
the whole other human piece; right?
    Mr. Adler. Well, I would agree that the most difficult 
place is between the voter's gray matter and how they represent 
it. And we have done a lot--the best things DREs do is stop 
overvotes. Overvotes have gone to zero. And so we will continue 
to deal with that gap, from gray matter to medium.
    The question that I think we are all dealing with, and 
actually NIST put out a report on usability, is once the voter 
intent is captured, how do you make sure it is counted 
accurately or properly, faithfully? And then the chain of 
custody all the way to rolling up the result. You have to do it 
from gray matter all the way to results, and that is the end-
to-end solution or end-to-end system that we need to measure.
    Mr. Putnam. I will let the other two finish, and then go 
over to Mr. Clay.
    Mr. Shamos. I have to make the question more complex before 
actually giving an answer. We have no definition of what error 
is in voting. Political scientists think it is an error when a 
voter goes into a voting booth and comes out without having 
voted for every race and question on the ballot. They actually 
use the word ``error'' in reference to that. Error can occur 
because of a difficulty in a voter expressing her choices. That 
is, they have in mind a certain slate they want to vote for, 
and it ends up, through error or mistake in the voting booth, 
they don't actually end up voting for those people.
    Then, of course, there is the issue of error in the 
software, error in the hardware, that may cause the vote to be 
recorded differently from the correctly expressed intention of 
the voter. But even if that could ever be reduced to zero, 
which it can't, that still doesn't mean that we have error-free 
voting, because the votes must be totaled, the totals must be 
communicated through a central place. We must make sure that 
every voting machine that was used, that its totals are 
correctly reported and added together. And so there are many 
parts in the process which have the potential for introducing 
error.
    The issue with paper, paper receipts and paper trails, is 
exactly which of those errors they address. And they do address 
one error very well; and that is, the error in the voter 
communicating her choices to the machine. When the verified 
piece of paper or whatever mechanism is used--and there are 
numerous ways of verifying ballots without using paper. 
Whatever the mechanism is used, it does provide an 
instantaneous feedback that, yes, the machine heard me 
correctly. Unfortunately, because of the inability to secure 
the physical custody of ballots--these, after all, are 
potentially touched by 1.4 million poll workers around the 
United States on their way to the central counting station. 
Despite the fact that the voter was heard properly, it doesn't 
mean that piece of paper is ever going to be around for a 
recount, that it will not have been augmented, destroyed, 
modified, or changed in some other way. That is the fundamental 
problem with relying on paper.
    Mr. Putnam. Dr. Rubin.
    Mr. Rubin. My area of expertise is computer security. That 
is what I do for a living. And so I face this question all the 
time because no system that is on is secure. And in my 
consulting work I am often asked, we want you to help us design 
this or evaluate it to make sure it keeps hackers out, and that 
we are not vulnerable to data loss. And I say it can't be done.
    So given that, the goal is to make things better and to 
make them as secure as possible. You know, I talk about 
spectrum from really insecure to very, very good. And you try 
to fall in the best possible spot on there.
    I think what we need to do is use all the technologies 
available, whether the modern and computerized ones or the old 
paper ones, utilize the best properties of each, and make the 
system as good as possible and then hope that the election is 
not too close.
    Mr. Putnam. Mr. Clay.
    Mr. Clay. Thank you, Mr. Chairman.
    Dr. Rubin, the debate about improving the security and 
reliability of the electronic voting machine has up to this 
point focused on the use of a voter-verified paper audit trail. 
While the idea has many supporters, others say that moving 
toward this sort of paper trail is impractical and may prove 
unwieldy. In your opinion, are there any better solutions?
    Mr. Rubin. I believe that 20 years from now we will all be 
voting on systems like Mr. Adler's and David Chaum's, and 
universal verifiability. I think that cryptographic solutions 
hold a lot of promise.
    I approached this from the point of view that many, many 
places are using DREs. And I got to see one of those DREs 
inside, and I believe that systems like that, that are fully 
electronic, that don't have the cryptographic protections 
cannot be relied upon without a voter-verifiable paper trail.
    Mr. Clay. Dr. Shamos, you said, ``The system that we have 
for testing and certifying voting equipment in this country is 
not only broken, but it is virtually nonexistent.''
    Given that situation, should we have a moratorium on the 
purchase of new DRE equipment until we have adequate standards 
and an adequate certification process?
    Mr. Shamos. I am thinking.
    I have never met the question in that form. There are good 
DREs and there are bad DREs. And the problem is, the public 
doesn't know which is which, and often Secretaries of State 
don't know which is which because of failures in the 
certification process.
    As Dr. Rubin pointed out, the systems that we have that are 
known to have serious security flaws all passed the independent 
testing authority certification process or qualification 
process and were actually adopted by a number of States. The 
issue with moratorium--I mean, I pointed out before that we 
haven't had a verified incident of tampering with a DRE machine 
in the United States. That doesn't mean it doesn't occur and it 
doesn't mean that it won't happen tomorrow. Except that when we 
are trying to safeguard against risks, we tend to focus our 
attention and money on those risks that have occurred at least 
once.
    And so the answer is, if we know that certain machines have 
security flaws, for example, the ability to plug a keyboard--
conceal a keyboard on one's person and plug it into a voting 
machine in a polling place on Election Day and type things in 
to modify the contents of the machine, a grotesque security 
flaw. Nonetheless, there are safeguards that can be introduced 
to prevent anybody from actually doing that. If it's necessary 
to put people through a metal detector or watch them as they 
are going in and out of the booth, then we do that. And so I 
don't think the moratorium is the right answer, either, because 
it condemns us to live with the worst systems of the past.
    Mr. Clay. Thank you for your response.
    Mr. Adler, can a computer be programmed to show one thing 
on a screen and record something else on an electronic device?
    Mr. Adler. I think the statement you made earlier about 
trust and verify applies. Yes, a machine can display one thing 
and record another. Just like even with the voter-verified 
paper ballot, it could record one thing electronically, print 
it on the paper, and hope the voter doesn't see it. And if I 
could give you one parable about how this might work.
    My 64-year-old mother lives still in Florida, Tampa Bay 
area. She has been using these machines for the last 4 years. 
Loves them. Said: Mom, they are going to put a paper ballot 
next to it; you are going to have to compare them; and, if they 
are right, you press the button. She said, first question: If I 
don't compare them, will my vote count? And I said, of course 
it's going to count. She said, then why would I really do it? I 
am touching the screen.
    Now, here comes the recount where the paper ballot and the 
electronic ballot box do not match. They are going to bring 
people like my mother into court and say, ma'am, did you look 
at that paper ballot? She is going to say, no, sir, I didn't 
think I needed to.
    So is it voter verified? Is it a source document prepared 
by the voter, and can the system do exactly what you said: put 
one thing on the paper, put one thing electronically, and hope 
the voter doesn't see it?
    Mr. Clay. Let me ask you, did your company consider 
producing a voting product on the Internet?
    Mr. Adler. Yes, we did, and we do.
    Mr. Clay. And your company experienced an Internet attack? 
Do you feel the Internet is a safe place to vote?
    Mr. Adler. I think anyplace you use electronics, you must 
verify. And, again, it's not really about the hackers. With 
voting, we don't know where the bad guys are, depending on 
where you are politically sitting.
    Mr. Clay. OK. My time is up. Let me ask you, why should 
voters trust a company? This is not malicious in any way to 
your company, but why should voters trust a company that could 
not protect their own assets from attack over the Internet when 
they say they can produce a paperless voting system that is 
secure?
    Mr. Adler. They shouldn't trust anyone when it comes to 
voting. That is one of the reasons why we published our source 
code, we published all our mathematics and algorithms, 
protocols, we patented all our technology; which means it is 
published. And every election, all the data that comes out of 
this machine is verifiable by anyone. You shouldn't trust me, 
you shouldn't trust the local election official, you shouldn't 
trust the parties.
    As Congressman Holt said, the voter can verify their vote, 
and we need to give them the means to do that, not just that it 
was recorded but that it was properly counted, and let anyone 
verify the results. No one should be trusted in voting. No one. 
Not the company, not anyone else. And we at VoteHere are 
dedicated to that. So that if something did happen--the worst 
catastrophe of a democracy is an undetected fraud. A detectable 
fraud is embarrassing and expensive, but recoverable. And we 
need to have the means to detect fraud when it occurs, and we 
are dedicated to that.
    Mr. Clay. Thank you for your response.
    And Mr. Morganstein, why did your company choose to have 
paper ballots printed by your voting system?
    Mr. Morganstein. We were asked to do that by an election 
official in our State--if it plays in Peoria, in fact it came 
from Peoria--by an election official who had been working in 
the field for some 20 years, who said, you know, I like this 
touch-screen idea, but there is no audit trail. And I was 
fortunate enough to have some other successful inventions, and 
they asked me to put my mind into that and that is what 
resulted.
    Mr. Clay. Thank you for your response.
    Mr. Chairman, I yield back. Thank you.
    Mr. Putnam. Ms. Kaptur, you are recognized.
    Ms. Kaptur. Again, I just want to thank the chairman, Mr. 
Putnam, and the ranking member, Mr. Clay, for holding this very 
important hearing. And so many Members are interested in this, 
and obviously our citizenry is interested in this issue of 
security of the vote.
    I wanted to ask several questions, and I hope I can get 
through them quickly. One of the counties I represent, Lucas 
County, has a situation where they were going to bring on 
Diebold technology. And the Secretary of State has just said 
that is uncertified and has taken it off the list. And some of 
our counties in Ohio of 88 counties had signed contracts with 
Diebold. They cannot use that equipment now, as of November. 
The local county, Lucas in particular, is now being faced with 
a 300, I don't know, 80,000 bill, I guess, to try to bring on 
some type of optical scanning equipment by November to try to 
have the ballots in a situation where we can have a recount. 
Because, under Ohio statute, you have to be within one-half of 
1 percent; if you are, a recount is required. And we are told 
that in the technologies they have been looking at, that was 
impossible. So they have to do the optical scan.
    What advice would you give to the Board of Election? They 
are in a tizzy now, saying, well, that the Federal money that 
is available from Washington that I voted for can't be spent to 
pay for the optical scan for November. And the county is broke. 
We have 10,000 fewer jobs than we had 3 years ago. The State is 
broke. But all this money is sitting there from HAVA. Do you 
have any advice? What would you advise to our local county? 
Maybe some of you could give them a better price than Diebold 
is offering on these Optiscan machines.
    Mr. Shamos. I would advise hiring a lawyer. It is important 
in procuring voting system equipment to get a representation 
and continuing warranty from the vendor that their system meets 
certain standards and will continue to meet those standards. 
And if the system becomes decertified, then the financial 
burden should be placed on the vendor, ultimately its bonding 
company, to make good to the county so that it can purchase 
whatever substitute is necessary.
    Ms. Kaptur. Thank you for that suggestion. Believe me, I 
will pass it on to them. Do you think it is appropriate for 
private companies to coach and teach board of elections 
officials and precinct workers? Or should that training of 
election officials, which Federal money has been designated 
for, should that be done by publicly hired workers who work for 
the board of elections, not for any company?
    Mr. Shamos. Well, maybe the vendors would want to give 
another answer. But I don't like it. However, it is almost a 
universally held opinion among election officials that there is 
no alternative to it, because there is no other source of 
expertise about the particular systems that are being used, 
other than the vendor who has seen them used in numerous 
jurisdictions, has seen all kinds of incidents and knows to 
deal with them.
    Ms. Kaptur. Well, this is a very troubling aspect to me, 
that private companies--Mr. Adler, I was very interested in 
what you said, that your technology patent was open to the 
public realm. When I made this statement in Ohio, that if we 
adopt a certain machine, that should fall into the public 
domain, there were many who opposed that point of view. You've 
stated exactly what I think should happen in terms of the 
technologies that are used: Are they public or are they 
private? Who provides the training? How do we know what is 
really going? Who are the experts that end up controlling the 
election process itself? I guess I am especially protective of 
the citizens' interests, because in our county, in Lucas 
County, we have always counted at the precinct level.
    When I saw, Mr. Chairman, what happened in Florida, I 
couldn't believe it, where it take votes to another site, you 
count the votes. That is no anathema to what we do. It was 
agonizing to watch, actually. And our elections are very 
decentralized in my home county. And I am not saying there 
probably aren't errors, but it really is very democratic, gets 
right down to the precinct level, results have to be posted, 
they have to be placed on the outside doors. There are all 
kinds of things that--you have to have two people from each 
party, plus a judge, looking over each other's shoulders; and 
the count, it is very, very Jeffersonian. I mean, it is right 
down to the grassroots level.
    So when I hear about what companies are doing in all of 
this, I am very troubled. And I wanted to ask you, I read some 
reports about Georgia in the last election, which said that 
there is this conjecture, 25,000 patches on machines that were 
employed in Georgia. What is a patch, and was that done or 
wasn't it done?
    Mr. Rubin. I will answer that first one. When a program is 
written, it contains lines of code. This is something that a 
programmer types in to make the computer do whatever they want. 
That gets compiled into software which is what runs on the 
machine. From time to time, errors are found in the software or 
something needs to be updated or fixed. And this generally 
occurs across all disciplines when software is developed, and 
you want to upgrade the software and make it new or change some 
of it. So you write a patch, which is something that changes 
certain parts of the software. It adds lines of source code or 
removes lines. And when you apply a patch, what you are doing 
is you are creating a new version of the software that is based 
on the old version but has certain changes. So a patch can 
completely change the behavior of a software package. It can 
make it better, it can make it worse.
    And I also have read a lot about the patches in Georgia. I 
don't have any personal firsthand knowledge that anything like 
that happened. But I would say that it is a very, very serious 
matter that if a patch gets applied to a voting machine on 
Election Day or shortly before, that is no longer a certified 
machine; it's a different machine, and it needs to be 
recertified.
    And so you need to be very careful. And this gets to the 
point that you mentioned about access between the election 
officials and the vendors. On Election Day, the vendors should 
not be tinkering with the machines and applying patches to 
them.
    Ms. Kaptur. Well, I will tell you, in the home precinct 
that I am from--and I'm a precinct committeewoman, long before 
I was a Congresswoman--they sent out an official from the 
company to deal with a scanner that was malfunctioning in that 
precinct, because we didn't have election workers that were 
trained to do that work. And I am thinking, what is going on 
here?
    Mr. Chairman, I want to thank you for holding this hearing. 
I don't want to go overtime. I have two small questions I still 
want to ask, if you would be kind enough to----
    Mr. Putnam. You have time coming.
    Ms. Kaptur. Do I have time coming?
    I just wanted to ask you if any of you are familiar with 
the technology that Mr. Akin Gibbs had. He was one of the few 
minority contractors that had a technology out there that could 
have been reviewed by the States--they and localities--as they 
make selections. Do you know, is that technology still on the 
market and what its name is? He was in the State of Tennessee.
    Mr. Morganstein. The True Vote?
    Ms. Kaptur. I think that was the name.
    Mr. Morganstein. That is all I know about it. Sorry.
    Mr. Rubin. I had read accounts, I believe this person was 
killed in a car accident. Is that right?
    Ms. Kaptur. Yes. He was due to come to Ohio to testify 
before our State legislature the next week, and he died the 
prior Friday, or that weekend.
    Mr. Rubin. I am not familiar with his technology.
    Ms. Kaptur. You are not familiar with his technology. All 
right.
    A final question. If you are a local election official in 
any State in this Union right now, and you are interested in 
getting accurate information about machines' verifiability and 
so forth, what you are faced with is a barrage of private 
companies coming to you, telling you that their technology is 
the best in the world. It may or may not be. Where do you go 
now for good information? Where do you go to help you in your 
board of elections? None of you know anything about 
electronics, nothing about computers. There you sit with this 
major public responsibility. Where do you go for information? 
Where would you tell them to go?
    Mr. Rubin. One of the things to keep in mind is that there 
are some questions that can tip off right away the kind of 
vendor you are dealing with. So, for example, Chairman DeForest 
Soaries of the Election Assistance Commission made a statement 
that election officials should have the right to ask the 
companies for their source code under nondisclosure to get 
external security reviews. The first question to ask a 
potential vendor is if they would be willing to do that, and, 
if not, why not?
    And you could try to produce a list of questions--I have 
some actually on my Web site--that you might want to ask a 
vendor, just like you would when you are buying a car. If you 
start to see that they are acting shady, they don't want to 
answer certain questions, they won't provide you written 
documentation of certain things, then you would proceed with 
caution. I don't know if there is an independent group out 
there that is providing advice on vendors.
    Mr. Shamos. There are no consumer reports for voting 
systems.
    Ms. Kaptur. And if I could just say for the record, Mr. 
Chairman, I thought when we voted for HAVA, that's what we were 
voting for. We were voting for the National Institutes of 
Standards and Technology to be the Fort Knox or the Oak Ridge 
or the whatever national renewable energy lab for voting, the 
place where you would go to get information.
    Mr. Shamos. This should be the province of the Election 
Assistance Commission. Previously, it was the voluntary 
province of the Federal Election Commission, to accumulate 
information about voting systems. But they couldn't get into 
the position of making specific comments about particular 
vendors. It just didn't seem appropriate in that context.
    Mr. Putnam. That would be contrary to Jeffersonian ideals, 
I believe.
    Mr. Shamos. So the answer is now many studies are being 
undertaken by many organizations, and one must keep up with the 
output of these things to try to determine which are 
authoritative and which are not.
    Ms. Kaptur. I thank you for your forbearance, Mr. Chairman, 
Mr. Ranking Member. And we thank the witnesses very much for 
helping educate our whole country and many election officials 
who will watch this and are trying to make the best decisions 
they can at the local level under these circumstances.
    Mr. Putnam. Thank you, Ms. Kaptur, Mr. Clay. Thank you very 
much for your input and helping us to get some good expert 
testimony. I want to thank all of our witnesses.
    In the event that there may be additional questions we did 
not have time for today, the record will be open for 2 weeks 
for submitted questions and answers. Thank you all very much. 
This subcommittee stands adjourned.
    Whereupon, at 12:34 p.m., the subcommittee was adjourned.]

                                 
