For more information, contact:
Tom Ryan
520-722-1796
twmjryan@earthlink.net
There are four basic problems with election systems in Arizona:
Problem 1: Pima County and the City of Tucson are using and have used uncertified firmware and software in recent elections, in violation of state law.
Problem 2: Diebold Election Systems, the vendor for large portions of Arizona's election equipment, has developed and delivered software that independent analysts characterize as having a "high risk of compromise."
Problem 3: Both the state certification process and the national testing process are ineffective and have resulted in poor quality software in our election systems.
Problem 4: Touch-screen voting systems, to be purchased in Arizona to accommodate the disabled, violate state law and do not provide any means for auditing an election.
Each of these problems is discussed in more detail below, but first a little background on voting equipment.
Election Equipment, Qualification, and Certification
Pima County and the City of Tucson use the Diebold optical scan voting system. This system consists of precinct AccuVote ballot readers, central count AccuVote ballot readers, and the central count Global Election Management System, or GEMS. The County and City use the same ballot readers, but each has their own version of GEMS.
Early voting ballots are processed with the central count readers. These readers are directly connected to the GEMS system. The precinct readers accumulate vote counts at each polling place at the close of the polls, and the data is transmitted from polling places to GEMS by modem. The GEMS software accumulates votes from the different sources and does the final tabulation.
The Help America Vote Act of 2002 (HAVA) requires states to replace outdated election systems. Arizona has decided to replace the punch card systems in nine counties with Diebold optical scan systems. These must be in place by the February 2004 Presidential Primary election. HAVA also requires voting accommodations for the disabled (especially the blind). Arizona has decided to purchase Diebold touch screen units for this purpose, one for each polling place. These must be operational by 2006.
Election system vendors pay an Independent Testing Authority (ITA) to test hardware, firmware, and software. The ITAs are private corporations. Elements that pass testing are said to be NASED qualified (or approved). NASED is the National Association of State Election Directors, an organization that is responsible for approving the ITAs. Currently, there are only two active ITAs, Wyle Labs (hardware and firmware), and Ciber, Inc. (software). There are other ITAs, but they get very little of the work. Systems that are qualified appear on a list of NASED-approved equipment.
The firmware and software are considered to be a trade secret by the vendors. The ITA is able to view the source code, but no one else sees it, including state election directors and reviewers whose job it is to approve the systems for use in Arizona. This state review process is called certification. Systems that have been certified appear on a state certification list.
For more detail on the testing processes, see our Report on Election Integrity in Pima County (http://www.pimademocrats.org/votingreport/votingintegrity.htm).
In the past year, a vigorous debate has ensued between the election system vendors and the computer science community. The vendors are pushing electronic systems, especially paperless touch-screens. Computer scientists, by and large, are concerned that touch screen systems are too easy to manipulate and there is no way to audit (or recount) an election after the fact. Some of these concerns also apply to the optical scan systems in Arizona as described below.
Problem 1: Uncertified Firmware and Software Used in Elections
It has become evident that recent election proceedings in Tucson and Pima County have violated state law. The 2002 Pima County and 2003 City of Tucson primary and general elections were conducted on election equipment running uncertified software and firmware. This violates ARS §16-442.
The Pima County Division of Elections and the Tucson City Clerk's Office provided software and firmware version numbers. The specific violations are as follows:
- The AccuVote precinct readers use firmware version 1.94. Version 1.94w appeared on the state certification list on 11/7/03, after the city general election, but was backdated to October. This version was therefore certified after the primary election and most likely after the general election. It is also not clear if 1.94 and 1.94w are the same.
- The central count readers use firmware version 2.0.11. This version is not state certified nor does it appear on the list of equipment approved by the National Association of State Election Directors (NASED), dated 1/3/03.
- Pima County used GEMS version 1.17.20 in the 2002 election and it is still installed on their computer. This version is neither state certified nor NASED approved.
- The City of Tucson is using GEMS version 1.17.23. This version is neither state certified nor NASED approved.
On November 20, we issued a letter to the Arizona Secretary of State Jan Brewer notifying her of these violations and requesting a) an audit of all Arizona election systems, and b) a review of the national testing and state certification processes.
In response to a similar finding, California has conducted an audit and found 14 counties using noncompliant software or firmware.
Problem 2: Diebold Election Systems Software is at High Risk of Compromise
As mentioned above, election software is considered to be a trade secret by the vendors. Election system researchers have thus been stymied by the lack of access. In January 2003, however, journalist Bev Harris discovered an unprotected Internet site that Diebold was using to distribute software and documents to their clients. Researchers downloaded the entire site. The site contains a version of GEMS that is identical to the one used in Pima County. This past summer, two reports were released that were highly critical of the Diebold software.
The Harris Report revealed serious weaknesses in the GEMS system. First, GEMS uses Microsoft Access files for its database. Knowledgeable programmers developing a database that requires good security would not use Microsoft Access. Secondly, the database files are accessible without a password with MS Access. Third, data files could be manipulated without affecting the system audit log that keeps track of events occurring in GEMS; in fact, the audit log could be edited.
The Hopkins Report revealed significant weaknesses in the Diebold Touch Screen (TS) software. The problems identified in this report include faulty use of encryption and security procedures, as well as faulty design of the electronic smart cards that voters use to access the voting terminals. They also criticized the use of Commercial Off The Shelf (COTS) third party software that is incorporated into the voting system without required inspection. They conclude that the software is vulnerable to both outsiders and insiders (programmers and election staff). Some of the criticisms have been discounted, but there was enough concern about the software that the Governor of Maryland held up the purchase of $56 million in new TS systems. The Governor asked contractor Science Applications International Corporation (SAIC) to do an analysis of the TS software. The SAIC report, made public on September 24, 2003, found hundreds of weaknesses and 26 major problems and concluded "the system, as implemented in policy, procedure, and technology, is at high risk of compromise." In other words, it would not be difficult to fraudulently manipulate an election conducted with this system. The report recommends numerous changes to mitigate risk. Nevertheless, the state of Maryland is going ahead with the purchase.
The risk of compromise is considerably higher if the software is not adequately tested and analyzed. In Pima County and Tucson the early ballots are counted with a combination of central count ballot readers and GEMS, neither of which have been qualified or certified, as described above. It would be relatively easy for a Diebold programmer to insert malicious code into the part of the system that counts early ballots. Since none of these ballots are counted by hand, there is no way to be sure that the vote count is correct.
Counting votes is simple arithmetic, yet Diebold's system is estimated at around 100,000 lines of source code. Granted, some of this is needed for ballot design and other bookkeeping operations, but the mere size of the package makes it more difficult to thoroughly analyze and increases the level of suspicion.
For more detail on these problems, see the Addendum in our Report on Election Integrity.
Problem 3: The National Qualification and State Certification Processes are Ineffective
The weaknesses found by researchers in two completely different parts of the Diebold system show that the testing done by the Independent Testing Authority (ITA) is completely inadequate and incompetent. Earlier this year, a huge quantity of Diebold internal company email was released to Wired Magazine. This data shows that both Diebold and the ITA were well aware of some of the security problems back in 2000, but decided to do nothing about it. Diebold has attempted to squelch this information by issuing cease-and-desist orders to many of the Internet Service Providers hosting the data, saying that the data is copyrighted. Many ISPs have complied, but the data has been copied and hosted by hundreds of mirror sites, some of which are ignoring the Diebold orders. Another good description of the problem can be found here.
The state certification process is conducted by a committee of three persons as required in ARS §16-442. Since the software and firmware are considered by the vendors to be a trade secret, however, the certification committee cannot look at the source code. They have to take the word of the vendor and the ITA that the software does what it is supposed to do, and no more.
The fact that Pima County, Tucson, and perhaps other jurisdictions, are running elections with uncertified and unqualified software with highly questionable security implies that the entire election system testing process is broken.
Some election officials across the nation have discounted these concerns, saying that the systems are protected by local Logic and Accuracy testing prior to an election. The L&A testing, while necessary, is not sufficient to catch intentional mischief perpetrated by a clever hacker. The L&A testing uses a very small number of test ballots and it would be trivial to insert software that could discriminate between a test case and a real election. Current L&A procedure, for example, does not even change the clock on the computer to simulate the actual Election Day. A simple program that activates when the date and time coincide with known election dates could be used to manipulate vote data and would not be detected by L&A testing. Other more sophisticated logic could also be used. Manipulating the vote would be simple. For example, for every 100 votes, add 10 to candidate A and subtract 10 from candidate B. This leaves the total vote count intact and total vote count is all that is checked by election workers. Even in an optical scan system, it would not be difficult for software to discriminate the political parties of the candidates; this information is on the ballot.
Problem 4: Touch Screen Voting Systems Violate Arizona Law and are Vulnerable to Fraudulent Manipulation
Arizona is planning to purchase touch screen (TS) systems to comply with HAVA's requirement to accommodate the disabled, primarily the blind. These systems are fitted with auditory feedback to aid the voter. Anyone entering the polling place, however, may use the system. This kind of voting system violates current Arizona law. ARS §16-444 states that an electronic election system is defined as "a system in which votes are recorded on a paper ballot or ballot cards by means of marking or punching, and such votes are subsequently counted and tabulated by vote tabulating equipment at one or more counting centers." The optical scan systems currently in use comply with this definition. Touch screens do not. Additionally, ARS §16-661 specifies that a recount must be conducted for very close elections. Such a recount would be impossible without a paper ballot. Note: It has been reported that Yavapai County is already using TS voting for early balloting.
When a person votes by touch screen, there is no guarantee that the vote is recorded correctly. What you see is not necessarily what you get. Election officials say that all the concern is unwarranted because they have seen no problems. However, there are numerous examples such as Georgia (2002), and Virginia (2003) where problems occurred. Also, there is no way the election officials could know for sure that a problem did not occur. An election without controversy is not necessarily an accurate election. Software designed to manipulate an election would also be designed to avoid detection.
The Diebold touch screen (TS) systems to be purchased for use in Arizona, under HAVA, are not currently configured to produce a voter-verified paper trail. This means that the election cannot be recounted or audited in any way. There is absolutely no way to be sure that the system records the votes accurately.
Paperless voting systems are an open invitation for tampering. A programmer at Diebold, for example, could easily insert malicious software, and the errors would never be detected. This is particularly true if the systems are not adequately tested and certified. Fortunately, Pima County and Tucson use optical scan systems, so the ballot, filled in by the voter, provides the voter-verified paper trail. Unfortunately, all recounts (say for close elections) in Arizona are to be done electronically, so errors introduced by the electronic counting system might never be detected. If and when paperless touch screens are introduced in Arizona, it will not be possible to do a full election recount.
There are vendors that sell TS systems with a printer to produce a voter-verified receipt. This receipt is then placed in a secure ballot box, to be used in case of recounts or audits. This is apparently not the approach taken by Arizona.
California Secretary of State Kevin Shelley has just mandated that all voting systems must have a voter-verified paper trail by 2006. All of the paperless touch screens systems in California will need to be retrofitted with printers. He also introduced stricter requirements for testing and auditing the software used to record and tabulate votes. Article in the Arizona Daily Star (11/22/03).
Summary and Solutions
The election system in the United States is in a troubling condition. HAVA requires states to modernize their election systems, and many states are moving to paperless touch screen systems; it is estimated that 50,000 such systems are currently in use in the U.S. This significantly increases the risk of fraud, especially since the software is developed by a corporation, in secret, and tested by another corporation, in secret. These corporations are also heavily partisan, with management, employees, and members of the boards of directors making huge contributions in recent years to Republican candidates and the Republican National Committee.
The Federal Election Commission sets standards, but these standards are voluntary and the FEC does not oversee the testing process, nor do they specify how testing is to be done. In fact, no one outside the vendors and the ITAs knows how the testing is actually done. Requests for details from the ITAs have been ignored.
A number of solutions have been proposed. U.S. Representative Rush Holt (D-NJ) has introduced the Voter Confidence and Increased Accessibility Act of 2003 (HR2239). This bill would amend HAVA to require a paper trail, ban the use of undisclosed software, and require hand-counts in a small number of jurisdictions. The bill has 75 cosponsors as of 11/19/03, including three Republicans. Rep. Jim Kolbe does not support the bill because he says voting is a state issue. He also thinks that the AZ Secretary of State is doing a fine job by introducing TS voting systems in Arizona. Holt's bill would establish voter-verification in law and would be a substantial improvement.
Australia implemented a touch screen system in 2001, but they used an open-source software development process in which a public commission wrote specifications and a private company developed the software but then made it available on the Internet for all to see and evaluate. A company spokesman said that the Australian Electoral Commission "called all the shots." The system was developed in six months. This approach would be a significant improvement over the secret development used in the U.S. Adding voter-verification to the Australian system would be a huge improvement over the U.S. approach.
If the software must remain a trade secret in the U.S., then there should be multiple independent testing authorities. Each major party (R, D, L, G, etc.) would be given an opportunity to appoint a team of analysts. The analysts would sign non-disclosure agreements with the vendors, but then would be given free rein in scrutinizing and testing the election system, including full access to the source code.
Finally, it is very important to note that we have not uncovered any cases of vote manipulation in Tucson or Pima County. In observing the November 4, 2003 Tucson elections, I was impressed with the quality of the personnel and with the checking and double checking done with all ballot handling activities. This included observers from the Democratic, Republican, and Libertarian parties. In fact, I was struck by the stark contrast between the extremely conscientious handling of ballots (and the computer disks) and the counting of the ballots by software that was developed in secret and tested in secret.
One cannot completely rule out the possibility that the vote has been fraudulently manipulated, especially given that both Pima County and City of Tucson used uncertified and unqualified software and firmware. In the City election, hand counting was done on ten precincts (out of 158). Only one race was counted for each precinct. This means the mayor's race was hand counted in no more than two precincts. None of the 30,000 early ballots were hand-counted to compare with the electronic count (40% of the vote total). We all assume the vote was counted correctly, but no one knows for sure and given the limited hand counting, the likelihood of detecting fraud is minuscule. Short of a court order to hand count all the ballots, we will never know if the count was accurate.
Voters need greater assurance that the vote is counted correctly. Given the voting system currently operating in Pima County and City of Tucson, this increased confidence can be achieved by additional hand counting. At minimum, 10% of the precincts should be hand counted. This could be done by selecting 5% of the precincts randomly, 5% selected by political party observers. A sample of early ballot batches would also be hand counted. Hand counting is still used successfully in many places. Canada, for example, recently hand counted 13 million ballots in 4 hours. We are suggesting its use only for verification.
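The effect of hand-count sample size on the chance of catching a miscount can be put in numbers. The following is an added example, not part of the original paper: it assumes precincts are drawn uniformly at random, that hand counting a miscounted precinct always exposes the discrepancy, and a hypothetical number of miscounted precincts (the paper gives none).

```python
from math import comb

TOTAL_PRECINCTS = 158  # City of Tucson precinct count, from the text above


def detection_probability(total, altered, sampled):
    """Chance that a uniform random sample of `sampled` precincts, drawn
    without replacement from `total`, includes at least one of the
    `altered` precincts (hypergeometric):
        1 - C(total - altered, sampled) / C(total, sampled)
    """
    if not (0 <= altered <= total and 0 <= sampled <= total):
        raise ValueError("altered and sampled must lie between 0 and total")
    # comb() returns 0 when the sample is larger than the pool of clean
    # precincts, i.e. the sample cannot avoid a miscounted precinct.
    return 1.0 - comb(total - altered, sampled) / comb(total, sampled)


def min_sample_size(total, altered, target):
    """Smallest number of randomly chosen precincts whose hand count
    reaches the `target` detection probability."""
    if altered < 1:
        raise ValueError("nothing to detect when no precinct is miscounted")
    if not 0.0 < target <= 1.0:
        raise ValueError("target must be in (0, 1]")
    for sampled in range(total + 1):
        if detection_probability(total, altered, sampled) >= target:
            return sampled
    return total


if __name__ == "__main__":
    altered = 10  # hypothetical: precincts whose machine count is wrong
    scenarios = [
        ("one race checked in 2 precincts", 2),
        ("5% random selection (8 precincts)", 8),
        ("10% selection, all random (16 precincts)", 16),
    ]
    for label, sampled in scenarios:
        p = detection_probability(TOTAL_PRECINCTS, altered, sampled)
        print(f"{label:42s} detection chance {p:6.1%}")
    needed = min_sample_size(TOTAL_PRECINCTS, altered, 0.95)
    print(f"precincts needed for a 95% chance: {needed}")
    # Early ballots that are never hand counted fall outside any precinct
    # sample, so a miscount confined to them has a detection chance of 0.
```
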
Election System vendors refer to critics of electronic voting systems as paranoid conspiracy theorists. See, for example, a recent CBS article. It is a fact, however, that these election systems are not adequately tested, have known security holes, and are vulnerable to manipulation. The lack of a confirmed case of fraud does not mean that it hasn't or couldn't happen. After all, effective fraud would remain undetected. The U.S. needs a system that is as bulletproof as possible so that voters can have full confidence that their votes are counted accurately.
Also, see
http://www.pimademocrats.org/votingreport/votingintegrity.htm
CRS Report for Congress: Election Reform and Electronic Voting Systems