Report on Pima County Electronic Vote Counting Procedures and Safeguards
Prepared by Gordon Mustain, Tom Ryan, Mary Judge Ryan, and Joe Pyritz
Pima County Democratic Party Committee on Electronic and Computerized Vote Counting Procedures and Safeguards
April 2003
Summary
Recent elections uncovered a number of voting irregularities in states across the nation. A CalTech-MIT study concluded that four to six million votes in 2000 were lost due to problems with ballots, voting machines and registration. Some of these irregularities have been traced to electronic voting equipment and software systems that are manufactured and sold by a small number of companies with extremely conservative founders and investors who have contributed heavily to the Republican Party. Pima County uses one of these voting systems.
Electronic software systems are tested and certified by only one independent laboratory. Purchasers of these systems are able to test the proprietary software by observing its behavior but states and counties do not have access to software source code, so no one other than the manufacturers and the independent lab can ever fully examine the software. Computer science experts generally agree that it would not be terribly difficult to insert software functionality that would affect the vote count on election day and remain completely hidden to testing. Although software is certified by the independent laboratory, there is no guarantee that the software actually installed locally is identical to the certified software.
Some electronic voting systems are paperless so leave no record of voting activity other than the electronic record created by these software systems. Many election directors and legislators across the nation are leaning toward paperless systems, including Internet voting, because of the cost-savings potential. For these systems, voting irregularities would be difficult to detect in the first place but even if one suspected fraud, it would be impossible to get a vote count (e.g., a hand count) that is independent of the electronic voting system.
As voting technology moves from problematic punch card and lever machines to more accurate electronic systems, it is incumbent upon voters and political parties to fully understand the potential for fraudulent activity in our polling places. This report examines the vote counting procedures and safeguards employed by the Pima County Division of Elections which is responsible for all federal, state, and county level elections in Pima County. Data for this report was obtained from interviews with Brad Nelson, Director of the Pima County Division of Elections and his staff, Mary Jo Kief, Elections Director at the Secretary of State's Office, Pat Pecoraro who represents the Democratic Party's interest in the testing of the Pima County voting systems, and Dr. Rebecca Mercuri, a nationally recognized expert on election systems. Relevant material was also obtained via Internet research.
Our findings indicate that Pima County and the State of Arizona are doing a pretty good job of safeguarding our local election process. Although our election equipment comes from Diebold, one of the suspect election equipment companies, there appears to be no reason to question any of our election results to date. Our equipment uses optical scan technology in which a paper ballot is read by electronic equipment. Optical scan is considered by many to be the most reliable method of voting. Software tabulates the vote count but the paper ballots are retained. Pima County employees play a significant role in setting up and running elections. Logic and Accuracy testing is performed by Pima County, the Secretary of State's Office, and political party representatives. Pima County's testing is fairly extensive; the others are really spot checks. Some hand-counting of election results is done informally but is not required by law. The Arizona Revised Statutes (Title 16) specifies equipment certification procedures and provides a solid foundation for election procedures in law, but the laws could be strengthened in a couple of ways.
Although the County's election system appears to be in relatively good shape, there is still some potential for fraudulent manipulation of the vote count. Examples of how such manipulation could occur are presented in this report. To further reduce this risk, we recommend the following improvements:
- A law to establish a requirement for hand-counting to verify the electronic count in a few selected precincts.
- A law to establish a requirement that every electronic voting system provide paper backup.
- A law to make "ballot as marked by voter" the legal document in any election. In Arizona, the electronic count is the ultimate arbiter.
- A law to allow a candidate to obtain hand counts at his/her own expense.
- Establish a more secure protocol for downloading election software from the vendor.
More specific information and rationale for these recommendations is provided in this report.
The elections of 2000 and 2002 revealed a number of serious problems with election procedures, equipment, and software. A prominent CalTech-MIT study concluded that
- 4 to 6 million presidential votes were lost in 2000
- Up to 3.5 million Senate and governor votes were lost in 2000
- 7.4 percent of registered voters who did not vote reported trouble with registration
Many of these problems can be traced to antiquated voting systems, most prominently punch card systems, and poor maintenance of voter-registration rolls. Fortunately, elections in Tucson and Pima County have not seen problems in these areas. However, local elections use electronic voting systems, and any electronic system is subject to errors, including fraudulent manipulation. The potential for fraudulent election manipulation has become an increasingly serious concern, as evidenced by the large number of Internet web sites and academic research devoted to the topic (see, for example, talion.com, blackboxvoting.com, notablesoftware.com, votewatch.us, ecotalk.org, and lorrie.cranor.org). There are a number of reasons for concern.
Concern #1: Conflict of interest in ownership of companies making and testing electronic voting machines and software.
Fifty-six percent of all votes in the United States are counted on equipment provided by a company called Election Sales & Services (ES). ES was given its grubstake (while operating under the name American Information Systems) in 1984 when the billionaire Ahmanson family injected enough cash to get hold of a 68 percent ownership. This wealthy family has been instrumental in coercing the Republican Party to take a hard right turn, pouring money into conservative Christian candidates and right-wing agendas. In 1997 Ahmanson transferred their interest to a Nebraska company called The McCarthy Group. CEO of the McCarthy group is Mike McCarthy who is also the Campaign Treasurer for Nebraska Republican Senator Chuck Hagel. The following quote from the web site talion.com is illustrative of the rife conflict of interests here.
"Republican Senator Hagel was Chairman and CEO of American Information Systems (now called ES); And, Hagel was CEO and a partner in McCarthy & Company. According to his financial filings, Hagel's investments with the McCarthy Group are still between $1 million and $5 million. Hagel's largest single investment appears to be in the McCarthy Group, who owns a large chunk of ES, the firm responsible for counting Hagel's own votes." (Not to mention 56% of all the rest of the votes in the U.S.)
Pima County uses electronic equipment produced by Diebold Election Systems, one of the "big three" vote counting equipment vendors. There are ownership links between Diebold and ES. Diebold is currently involved in a controversy over security breaches and uncertified software patches applied to voting machines in Georgia (see blackboxvoting.com).
The Independent Testing Authority (ITA), CIBER, Inc., is responsible for testing all election software. CIBER is paid by the vendors of voting equipment. CIBER, Inc. donated $25,000 to the Republican National Committee in 2000 and $23,000 to the Allard Victory Committee in support of Republican Wayne Allard's successful run for the U.S. Senate in Colorado in 2002. CIBER's president and CEO, Mac Slingerland, has donated over $17,000 to Republican causes in the last three election cycles (from opensecrets.org). This degree of partisanship is worrisome.
Concern #2: Lack of election officials' ability to check and verify source code used on electronic and computerized vote counting machines.
As the result of a lawsuit filed by a Florida election official against ES, a federal judge ruled that the source code used to program the vote counting equipment provided by ES was, in fact, a trade secret, and therefore election officials had no right to inspect it. The result has been the inability of any local election official using ES equipment to have any access to any source code used to program the machines used in their own election districts. Hence, independent validation of the machine vote count is severely hampered.
Concern #3: Growing use of computerized voting machines which function without leaving any paper trail.
In the wake of the election difficulties of 2000, many districts across the country have invested in new vote counting equipment. Unfortunately the trend has been more and more towards "touch screen" voting machines which leave no paper trail of any individual ballot. This lack of a paper trail makes any meaningful recount in any election impossible, and coupled with the lack of access to the source code used to program the machines, raises major alarms about the integrity of our vote counts.
A whistle-blowing voting machine test engineer, formerly an employee of DRE touchscreen vendor VoteHere, claims to have evidence which shows that voting systems are certified despite known flaws (see blackboxvoting.com and ecotalk.org).
Concern #4: The continuously expanding potential for, and growing ease of, electronic manipulation of the vote count.
Each and every contact between a representative of the company providing the electronic voting machines, and the machines themselves, is an opportunity for the software in the machine to be altered and thus the vote count skewed. In many districts representatives of the company set up all the machines for each election. Many of them have service contracts with the company which provides for company employees to respond to any problems at polling places and "fix" the machines on the spot. Many of the systems involve each machine having an internal modem connecting the machine to company headquarters so the work on the machines is done remotely. This allows the opportunity to alter the machines at almost any time. Florida spent 63 million on new "touch screen" voting machines before the last election and each and every machine was connected by modem to ES company headquarters while the election was actually taking place; while the vote counting was actively in process. It doesn't take a computer engineer to see the potential for manipulation here.
Concern #5: Disturbing data from Election 2002.
Only 50,000 votes nationally kept the Democrats from controlling both the House and the Senate in the 2002 elections. On election eve there were (depending on which source you use) either thirteen or sixteen House and Senate races still too close to call. In all cases, the last polls before election day showed the Democratic candidates leading. In all cases the Republican candidates won. This was an election first, according to some election historians, and polling experts consulted say they can't recall a time when the polls called all the close races in an election wrong.
To compound the problems of the inaccurate polls and lack of paper trails to refer back to, on the morning of election day the exit polling company owned by a consortium of media news giants (ABC, CBS, NBC, CNN, Fox, MSNBC among others) which has been providing exit polls on national elections for years, suddenly announced there would be no exit polls done on this election because "apparent quirks in our new software are providing anomalous results." The lack of exit polls eliminates the one source of data which might be used to validate reported vote totals; i.e., if in exit polls sixty eight percent say they voted for candidate A and the vote counts only show candidate A getting forty two percent of the vote, the discrepancy would be cause for investigation.
Finally, a visit to votewatch.us (a web site created to be a repository for reports of voting problems across the U.S.) reveals an extensive nationwide pattern of problems with the vote count in 2002, ranging from a Texas race where the Republican candidate's win in a Democratic district was overturned after a suspicious election director demanded new machine chips be installed and recounted the vote coming up this time with a Democratic landslide, to numerous reports of voters in Florida trying to vote an all Democratic ticket on the new touch screen machines, and having their votes register as all Republican instead. One lady reported poll workers had her try four machines before her all Democratic vote was accepted. Meanwhile, she said, the other machines continued to be used for voting. There were no reports of voters trying to vote all Republican and having their votes recorded as all Democratic.
The combination of these concerns provides compelling circumstantial evidence for the existence of at least a possibility that the outcomes of the 2002 elections were shaped by partisan electronic manipulation of the vote count.
As far as we know, the Pima County Democratic Party had no previous documentation on local voting procedures and safeguards. This report begins to fill that gap. The Pima County Democratic Party Committee on Electronic and Computerized Vote Counting Procedures and Safeguards was formed in February 2003 with the purpose of researching local vote-counting procedures and safeguards with special attention to any potential for electronic manipulation of the vote count, and to provide recommendations for reducing the risk of fraudulent manipulation.
It was not the Committee's goal to attempt to prove or disprove whether such manipulation has occurred. But the mere existence of so much circumstantial evidence in other states, in and of itself, makes it incumbent upon us to reexamine, and if necessary, enhance our local electronic and computerized vote counting procedures and safeguards to ensure the integrity of our local vote count. Without such certified integrity in place, all other political and election issues become more or less moot.
The Committee did not address voter registration and we are not aware of any problems, but it is well worth further examination in Pima County. In some states, most notably Florida, election officials removed many eligible voters from the voter file and prevented them from voting in 2000. The CalTech-MIT study recommended that polling places be equipped with laptop computers with access to voter registration information in order to alleviate the problem of eligible voters being turned away on election day. This is probably a good idea and could be done with leased computers for a nominal cost.
After reviewing an assemblage of background data (see References), the Committee produced the following list of questions:
- What machines are used in our elections in Pima County? What models? Can we get a copy of an operating manual?
- What company provides those machines?
- Is each machine certified, or only each model used?
- How are they set up for an election and who sets them up?
- Who does the maintenance on machines before, during and after an election? Is that maintenance done remotely, via modem, on site, or both? Procedure followed?
- Who keeps voter registration rolls?
- Is the source code on the machines available for inspection on demand? At all? Has it ever been checked? What procedure?
- Where are the machines stored between elections? What security measures? Who has access?
- Machine modem connection protocol: before, during, and after elections. Two way modems? Do machines register in some external fashion when they are being connected to from an outside source?
- A detailed description of the step-by-step procedure followed with voting machines and ballots from the scheduling of an election, through ballot and machine set up, to the election, through the final vote tabulation and machine storage.
- Are safeguard procedures mandated in ARS Title 16, Chapter 4, Article 4, 16-445 A & B and 16-449 A & B, being implemented? What procedure is used?
- Full details on recount procedures.
To find answers to these questions, the committee combined Internet research; in-person interviews with Pima County Director of Elections Brad Nelson and his staff, and with longtime Democratic representative on the Pima County Elections Logic & Accuracy Board, Pat Pecoraro; and telephone interviews with the Arizona Secretary of State's Office and with Dr. Rebecca Mercuri, a nationally recognized expert on election systems. These initial questions have led to many more and the results are documented below. We also reviewed the sections of Arizona Revised Statutes Title 16 relevant to elections, vote counting and recounts. We reviewed the Help America Vote Act (HAVA) and took a preliminary look at how it is being implemented in Arizona. And we did preliminary research on the company (Diebold, Inc.) that supplies Pima County's voting machines and on the independent testing company (CIBER, Inc.).
Election Equipment and Procedures
The Arizona Revised Statutes, Title 16, Chapter 4 (ARS) specifies election procedures in law, including the specification and selection of voting equipment, filing of computer programs with the Secretary of State, examination and preparation of machines prior to an election, required testing and procedures manuals, inspection of ballots by party representatives, and recount procedures. Pima County's procedures appear to conform to all these requirements, with one minor exception.
Pima County and the City of Tucson use AccuVote optical scanning machines produced by Global Election Systems, now Diebold Election Systems. Voters fill out paper ballots which are then scanned and deposited in a secure box at each polling place. Pima County employees are responsible for setting up and testing the machines. The hardware that reads the ballots is controlled by software that is also produced by Diebold. The ballot design is created by Pima County employees using Diebold software and the design is encoded on a memory card that is inserted, in a secure manner, into each optical scanner.
In cases where there are multiple candidates for an office, the order of the candidates on the ballot is rotated so that across Pima County's polling places, each candidate appears in each position on the ballot at roughly equal frequencies. Ballots at any given polling place use a fixed rotation.
At each polling place, votes are accumulated by Diebold software. When the polls close, the accumulated vote totals are transmitted by modem to Pima County's central counting computer where final vote tallies are produced at the Pima County Division of Elections. The transmissions are interpreted by Diebold software and the central count is performed by Diebold software. Mail-in ballots are counted by AccuVote machines at the central count location. All election computers use the Windows operating system.
State law allows for an automatic vote recount whenever the margin between the two candidates receiving the greatest number of votes for a particular office does not exceed one-tenth of one percent of the number of votes cast for both candidates. All recounts, including court ordered recounts, are to be done using electronic tabulation equipment. ARS 16-664 states that the "programs to be used in the recount of votes pursuant to this section shall differ from the programs prescribed by section 16-445 and used in the initial tabulation of the votes." In Pima County, this "difference" in the program amounts to a change in the way the ballot is read, but not in the way votes are accumulated.
Updates to voting software are downloaded from a Diebold website. In Pima County, updates are done very infrequently, and only when necessary to correct a problem. Pima County does not automatically keep up with the latest software versions.
The Committee focused heavily on the safeguards that ensure a valid vote count. There are several official layers of security and one "unofficial" layer. The first official layer of security involves the qualification of election hardware and software at the national level. 37 states currently require that voting equipment must conform to the Federal Voting Systems Standards that are formulated by and available from the Federal Election Commission (FEC). The hardware and software must be tested by an Independent Test Authority (ITA) approved by the National Association of State Election Directors (NASED). Currently, all hardware and firmware are tested by Wyle Laboratories and all software is tested by CIBER, Inc. Election system vendors must have their equipment qualified in order to be available for purchase by jurisdictions that adopt the federal voting system standards and require NASED qualification. The vendors pay the ITAs for this service. Once a system passes the ITA process, it receives a NASED Qualified identification number which identifies to the states that the system has been qualified by NASED. The Election Center is NASED's management arm and serves as the focal point for coordination among the FEC, NASED, and state and local jurisdictions.
Although election software has been declared proprietary by the vendors and that decision upheld by a Florida court, the Election Center has told us that the ITA responsible for software testing does examine the source code line by line. All updates to the source code must also be tested by the ITA before they are installed in election equipment. No one beyond the vendors and the ITA has access to source code, which leads to the conclusion that it is impossible for any entity to examine the ITA testing procedures and results.
The next official level of security occurs at the state level. According to the Secretary of State's Office (SOS), all voting equipment used in Arizona must be qualified by NASED. Currently, this is a procedural requirement instituted by the SOS about 6 years ago. Arizona has not formally adopted the Federal Voting Standards or NASED testing, but SB1145 (HAVA Compliance Bill), if passed, would formally require Arizona to comply with the federal Help America Vote Act of 2002, which requires the FVSS and the NASED/ITA qualification process (according to the SOS). The HAVA Compliance Bill passed the Arizona House of Representatives on April 10, 2003.
ARS 16-442 requires the SOS to appoint a committee of 3 persons to investigate and test election systems and submit recommendations. The SOS then certifies the types, makes, and models to be used in Arizona. The local election entities may then adopt any kind of voting system certified by the SOS. The Statutes do not specify how the committee should test the equipment. It does say, however, that the equipment, "when properly operated, [shall] record correctly and count accurately every vote cast" [ARS 16-446]. According to the SOS, the committee is given a presentation of the equipment by the vendor and is able to do hands-on examination of the equipment. The SOS does not examine the software, but requires that a copy of each computer program for each election be "filed" with SOS at least two weeks before the date of the election.
The third level of security involves local Logic and Accuracy (L&A) testing of the election hardware and software. These tests are open to the public. In Pima County, L&A tests are conducted in the weeks preceding an election by several organizations: the Arizona SOS, Pima County employees, and representatives from the major political parties. Each of these organizations is given a set of ballots to be used for an upcoming election. Each organization produces a test deck that is run through selected vote scanners and tabulated by the central count computer. Pima County's test is the most extensive, involving around 7000 ballots for a primary election, and 3500 for a general election. Every scanner is tested by County employees.
The other L&A tests use a smaller number of ballots, typically between 100 and 400. The tests focus on ballot-reading accuracy, not counting; all ballot rotations are tested but most of the selected scanning machines see only one test ballot, and never more than about 20. Each organization produces an independent test deck, which may include ballots with intentional errors and ballot-marking variations including over-vote and under-vote. Each organization compares the vote tally with the expected tally for their tests. Count discrepancies uncovered in L&A testing are analyzed to determine the cause, usually a ballot design problem, and corrections are made to eliminate the discrepancy.
The fourth and final layer of security is unofficial; that is, it is not required by Arizona law. This layer involves a "gentleman's agreement" at the county level that Democratic and/or Republican party representatives may request a hand count of the ballots in one randomly selected precinct each (for a total of two random precincts) to check the accuracy of the machine counts after the polls have closed. This step has been in place for the last 8 to 10 elections and so far, no discrepancies in count have been detected. The Committee feels that this is an extremely important layer for risk reduction. The weakness here is that it is an unofficial agreement with no standing in state law, and that two precincts may or may not constitute an adequate statistical sampling. This hand count procedure was challenged in a city election several years ago. The challenge claimed this process constitutes a hand recount, which state law only allows if required by a court. In this case, however, the court found that this very limited testing did not constitute a hand-recount. So the procedure appears to be allowed by state law, but not required.
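The sampling question raised above can be put in numbers. The following is an added example, not part of the original report: it computes the chance that a random hand-count sample includes at least one altered precinct, and the sample size needed for a target confidence. The report does not give the county's precinct count, so the 400 precincts and the altered-precinct counts are assumed values, and a hand count of an altered precinct is assumed to always disagree with the machine count.

```python
from math import comb


def detection_probability(total_precincts, altered_precincts, sampled):
    """Probability that a random sample contains at least one altered precinct.

    Precincts are drawn uniformly without replacement (hypergeometric model),
    and a hand count of an altered precinct is assumed to always disagree
    with its machine count.
    """
    if not 0 <= altered_precincts <= total_precincts:
        raise ValueError("altered_precincts must be between 0 and total_precincts")
    if not 0 <= sampled <= total_precincts:
        raise ValueError("sampled must be between 0 and total_precincts")
    unaltered = total_precincts - altered_precincts
    # comb() returns 0 when the sample is larger than the unaltered pool,
    # so the miss probability drops to 0 and detection is certain.
    miss = comb(unaltered, sampled) / comb(total_precincts, sampled)
    return 1.0 - miss


def min_sample_for_confidence(total_precincts, altered_precincts, confidence):
    """Smallest sample size whose detection probability reaches confidence."""
    if altered_precincts == 0:
        return None  # nothing to detect, so no sample size reaches the target
    for sampled in range(1, total_precincts + 1):
        if detection_probability(total_precincts, altered_precincts, sampled) >= confidence:
            return sampled
    return None


def audit_table(total_precincts, altered_options, confidence=0.95):
    """For each assumed number of altered precincts, compare the two-precinct
    hand count described in the report with the sample size the target needs."""
    rows = []
    for altered in altered_options:
        rows.append({
            "altered": altered,
            "p_detect_two": detection_probability(total_precincts, altered, 2),
            "needed": min_sample_for_confidence(total_precincts, altered, confidence),
        })
    return rows


if __name__ == "__main__":
    TOTAL = 400  # assumed precinct count, not a figure from the report
    for row in audit_table(TOTAL, [4, 20, 80]):
        print(
            f"altered={row['altered']:3d}  "
            f"P(detect with 2 precincts)={row['p_detect_two']:.3f}  "
            f"precincts needed for 95%={row['needed']}"
        )
```

The fewer precincts an alteration touches, the larger the sample has to be, which is why a fixed two-precinct check gives little assurance against a narrowly targeted change.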
Maintenance on the machines is done mainly in-house by county employees, and whenever it is necessary to have a Diebold representative work on the machines, they do so only in the physical presence of an elections division employee. None of the machines, scanners, or central count computer are connected to the Internet. The voting machines and the central computer have modems but the only time they are used is when the voting machines call the central computer during testing and after the polls have closed. Diebold does not have remote access to any of the machines. Software upgrades are done by county employees, who infrequently obtain upgrades from Diebold. The county is not required to install available updates. The polling machines and the central computer are date-time cognizant, a property that is inherent in the Windows operating system.
Other Observations and Considerations
There are holes in the security system. Computer scientists generally agree that it is not possible to completely secure an electronic voting system, a property that is due primarily to the secrecy (anonymity) of the vote. A few points to further illuminate the concern:
- Software patches are supposedly qualified by the ITA, and certified by the Secretary of State. Patches are obtained, however, by downloading from a Diebold website (not from the ITA), so there is no guarantee that this code is identical to the code examined by the ITA.
- The ITA, if sufficiently partisan and unscrupulous, could manipulate the software or approve fraudulent software. See Concern #1 above.
- Logic & Accuracy testing in advance of an election is done using standard operating system parameters, including the default time and date, which means that the test date is not the same as the election date. A simple way of manipulating the vote count would be to insert hidden software that queries the date and time and only activates on election day during a portion of the voting hours.
- The L&A testing uses a limited test deck. The scanners rarely see more than a couple hundred ballots during testing. In an actual election, however, the scanners process an average of about 600 ballots (for a 70% turnout). Hidden software could be activated by total vote count and only manipulate the vote after several hundred ballots have been scanned.
- The software that accumulates the vote count in a scanner could contain hidden code that is triggered by special markings on a ballot that could be fed to a scanner by a cooperative registered voter early on election day.
Attempts to manipulate the vote in these ways would be difficult to detect. If manipulation were attempted, it would probably not be obvious from vote tallies, especially if the "manipulation" involved a swing of only 10-20% of the vote total.
Local jurisdictions are completely dependent on testing done by the ITAs, but there is essentially no oversight of the ITAs and the lack of code examination by any other organizations is a definite weakness. The fact that the ITAs are paid by the equipment/software vendors is definitely problematic.
The Help America Vote Act (HAVA) of 2002 establishes a program to provide funds to states to replace punch card voting systems and to establish minimum election administration standards for states and local governments. The HAVA Compliance Bill (SB1145) was passed by the Arizona House of Representatives on April 10, 2003. According to this bill, election equipment must comply with HAVA and must be tested by an accredited laboratory. Under existing law, and under SB1145, the Secretary of State could mandate a specific voting system, including touchscreen or Internet voting. However, to date it appears that the focus is on eliminating punch card systems from several Arizona counties. The Act also includes a requirement to facilitate voting for the disabled. It appears that this will result in Direct Recording Electronic (DRE) voting systems in each polling place to meet voting accessibility requirement. It is currently unlikely that DRE systems will replace optical scan systems. The SOS's office stated that there is not enough funding under HAVA to replace optical scan, and the state is not interested in doing so.
HAVA also is supposed to fund the creation of updated federal voting standards, but progress has been slow. The Institute of Electrical and Electronics Engineers (IEEE) has two standards groups focused on voting systems. One of their proposals is to insert electronic fingerprints into qualified code so that jurisdictions could be certain the code they are running is identical to that tested by the ITAs.
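The fingerprint idea above, and the earlier observation that patches come from the vendor's website rather than from the ITA, both come down to one check: hash what is installed and compare it with a list of digests for the qualified build. The following is an added example, not code from the report, the vendor or the IEEE groups; the file names and contents are constructed, and SHA-256 is an assumed choice of fingerprint.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_install(root, reference):
    """Compare an installed tree with the reference fingerprints.

    reference is the manifest produced from the qualified build. It has to
    reach the county from the testing lab, not from the download site that
    served the files, or a substituted file can ship with matching digests.
    """
    installed = build_manifest(root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for name, expected in sorted(reference.items()):
        actual = installed.get(name)
        if actual is None:
            report["missing"].append(name)
        elif not hmac.compare_digest(actual, expected):
            report["modified"].append(name)
    # Files present on disk but absent from the qualified build matter too.
    report["unexpected"] = sorted(set(installed) - set(reference))
    report["ok"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report


def run_constructed_demo():
    """Build a constructed install tree, then alter it and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Constructed stand-ins for qualified program files (hypothetical names).
        (root / "bin" / "tabulator.bin").write_bytes(b"qualified tabulator build")
        (root / "bin" / "ballot_reader.bin").write_bytes(b"qualified reader build")
        (root / "config.ini").write_bytes(b"rotation=fixed\n")
        reference = build_manifest(root)  # stands in for the lab's manifest
        clean = verify_install(root, reference)

        # Simulate an installation that differs from the qualified build.
        (root / "bin" / "tabulator.bin").write_bytes(b"patched tabulator build")
        (root / "config.ini").unlink()
        (root / "bin" / "helper.dll").write_bytes(b"file not in qualified build")
        altered = verify_install(root, reference)
    return clean, altered


if __name__ == "__main__":
    clean, altered = run_constructed_demo()
    print("clean install:  ", clean)
    print("altered install:", altered)
```

A matching digest shows only that the installed files equal the files that were fingerprinted; it says nothing about whether the qualified build itself behaves correctly.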
Arizona law (ARS 16-445) states that the "programs used in the recount of votes pursuant to this section shall differ from the programs prescribed by section 16-445 and used in the initial tabulation of the votes." When a recount occurs in Pima County, it is usually done only for a specific office, most likely one where the vote counts are close enough to cause an automatic recount. The program used to do the recount "differs" only in that the ballot reader ignores all ballot entries not involved in the recount. The software used to accumulate votes is identical. This procedure may violate the intent of the law. Pima County, however, has only one program for counting votes.
Computer scientists and other electronic election experts appear to be coming to the conclusion that computer science, by itself, is unable to develop an electronic voting system that cannot be manipulated. For this reason, they are adamantly opposed to fully electronic systems or Internet-based systems that make independent election audit impossible (see notablesoftware.com). In the Weber v. Jones case, currently before the 9th Circuit Court of Appeals, the plaintiff alleges that the fully electronic voting system there infringes on her right to vote, as protected by the 14th amendment to the U.S. Constitution. The crux of the argument is that there is no way to verify that the system records and counts the votes as the voters cast them.
The Elections Director for the state of Wisconsin recently (3/26/03) proposed that the State Elections Board revoke the approval of all electronic voting systems not currently used in Wisconsin, stating "There are also significant concerns about the use of touch screen voting in the absence of a paper document that can be reviewed by the voter to verify the voter's choices. The paper document is also an essential piece in auditing the system's performance, particularly in the event of a recount. There is a growing movement of concerned individuals with technical backgrounds raising legal challenges to touch screen voting."
As mentioned previously, source code is considered to be a trade secret by the vendors. Access to the election source code would allow analysis by other independent entities, and this would further reduce risk. But it is well established that the source code may not fully define the code that is executed during an election. It might seem that having local entities control source code and build the executable would alleviate concerns, but it would also allow additional opportunity for malicious code manipulation.
Conclusions and Recommendations
The Committee has uncovered no evidence of problems with any past or current vote counts in Pima County. Indeed, we found Pima County to have a rigorous set of protections in place, making us better off than many jurisdictions across the US. All indications are that Pima County employees are knowledgeable professionals who do their best to ensure valid elections. Pima County's optical scan system is probably the best of electronic systems, mainly because it leaves an auditable paper trail in the form of ballots cast by voters. But many of the protections are dependent upon the independent testing companies and the election system vendor doing their jobs properly. The Committee concludes that the checks on these companies are insufficient:
- Pima County must simply trust Diebold's "word" that the code used here is what is tested by the ITA
- the practice of downloading and installing patches from Diebold's website opens up a huge vulnerability
- there is no way to monitor how CIBER tests code because they consider that proprietary information
- even a line by line analysis of source code is inadequate to ensure security.
We conclude that there exist vulnerabilities within the system that make it subject to potential manipulation. Some of these vulnerabilities could be relatively easily addressed, and some are more problematic. But all could be addressed by the recommendations we make below. Many of these recommendations would have to be implemented at the state level and there are two ways to accomplish that. One would be through draft legislation introduced by a State representative or senator from Pima County; the other through initiating action at the state party level to make these issues part of the party platform so candidates can start pushing the issue to the voters. Probably a combination of both would be best.
To strengthen local election safeguards and reduce the risk for fraudulent manipulation, we list the following recommendations:
Establish a hand-counting requirement in law.
Hand counting in one or two precincts to verify vote totals is currently an informal gentleman's agreement. Since this is an important risk-reduction method, we would like to see a law passed that would establish a requirement for hand-counting to verify the electronic count in a few selected precincts. At minimum, the law should formally allow limited hand-counting at the request of the party representatives.
Establish a requirement that every electronic voting system provide paper backup.
Many of the modern direct recording electronic (DRE) voting machines leave no paper trail, so there is no way to verify final vote tabulations. Some DRE systems have been retrofitted with printers in order to provide the voter with some assurance that the vote has been cast correctly. Pima and Maricopa counties use optical scan systems which use paper ballots, but some day there may be an interest in moving to DRE technology. Arizona should pass a law that requires a paper trail that can be used to validate voting results. Pima County should avoid any fully electronic voting system.
Make "ballot as marked by voter" the legal document in any election.
As noted previously (ARS 16-664), all vote tabulation including recounts is to be done with electronic tabulation equipment. Current law states that recounts are to be done with a different program, but Pima County has access to only one counting program, and the recount would simply duplicate the original count within the accuracy of the ballot scanners. Faulty counting software would not be detected. One of the potential benefits of our optical scan system is that all of the original paper ballots are available. While it would be costly to hand count all the ballots, it is ultimately the only method to ensure a count that is independent of a suspect electronic system.
Amend or repeal ARS 16-664.
ARS 16-664 is concerned with recount procedures. This statute needs to be modified to clarify the meaning of "shall differ" with respect to software used for a recount. Since Pima County does not have an alternative program for counting and may be unable to acquire one, we doubt that the law can be upheld at this time. For this reason, we prefer a "ballot as marked by voter" law.
Allow a candidate to obtain hand counts at his/her own expense.
The possibility of a full or partial recount, either electronically or by hand, would reduce the likelihood of vote manipulation software. If a vendor, or other potential fraud perpetrator, knew that alternative methods could be used to check the vote tally, it is unlikely that vote manipulation would ever be attempted. One way to do this would be to allow a candidate to obtain a recount or hand count if he/she is willing to pay the costs. We think this would be rarely used and could be restricted to recounts in a few selected precincts in order to limit costs, but is an important additional safeguard.
Improve the security associated with downloading software from vendors.
We support the development of new federal election standards that improve the security of electronic voting systems. We hope that these new standards will eventually improve the security procedures for downloaded software. In the meantime, Pima County employees responsible for acquiring software and patches should make an extra effort to be sure that the code they download is identical to the code tested by the ITA. Pima County should work out a protocol with Diebold and CIBER to this end.
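One way such a protocol could check a download, shown as an added example that is not part of the original report or of any vendor's tooling: every file is fingerprinted with SHA-256 and compared with a list of certified fingerprints. It assumes the list is obtained from the testing lab through a channel separate from the download site; the file names and contents are constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def fingerprint(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_release(download_dir, certified):
    """Compare every file under download_dir with the certified fingerprints.

    certified maps a relative file name to the SHA-256 hex digest recorded at
    certification time (assumed to arrive out of band, not from the site the
    files were downloaded from). A release passes only if every certified
    file is present and unchanged and nothing else was added.
    """
    root = Path(download_dir)
    present = {p.relative_to(root).as_posix(): p
               for p in root.rglob("*") if p.is_file()}
    report = {"modified": [], "missing": [], "unexpected": []}
    for name, expected in sorted(certified.items()):
        if name not in present:
            report["missing"].append(name)
        elif not hmac.compare_digest(fingerprint(present[name]),
                                     expected.lower()):
            report["modified"].append(name)
    # Files that were never certified matter as much as altered ones.
    report["unexpected"] = sorted(set(present) - set(certified))
    report["ok"] = not (report["modified"] or report["missing"]
                        or report["unexpected"])
    return report


def demo():
    """Check a constructed release before and after it is altered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for the certified build.
        contents = {
            "tabulator.bin": b"certified tabulator build",
            "reader.bin": b"certified reader build",
            "reports.bin": b"certified report module",
        }
        for name, data in contents.items():
            (root / name).write_bytes(data)
        certified = {name: hashlib.sha256(data).hexdigest()
                     for name, data in contents.items()}
        clean = verify_release(root, certified)

        # Simulate a later download that differs from the certified build.
        (root / "tabulator.bin").write_bytes(b"patched tabulator build")
        (root / "reports.bin").unlink()
        (root / "patch.dll").write_bytes(b"uncertified extra file")
        altered = verify_release(root, certified)
        return clean, altered


if __name__ == "__main__":
    for label, result in zip(("clean", "altered"), demo()):
        print(label, result)
```

The check is only as trustworthy as the source of the fingerprint list: if the list is fetched from the same site as the files, whoever can alter one can alter the other.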
The Committee wishes to extend its profound thanks to Pima County Elections Director Brad Nelson and his staff for their generous, candid and open responses to our inquiries, and to Pat Pecoraro both for his assistance to the committee, and for his many years of dedicated and under-recognized volunteer work on the Logic and Accuracy Board on behalf of all Pima County voters. We also thank Mary Jo Kief at the Secretary of State's Office for her willingness to answer all our questions. Finally, we thank Dr. Rebecca Mercuri for her participation in discussions of voting security issues.
Brad Nelson, Elections Director, Pima County Division of Elections, 520-740-4260
Mary Jo Kief, State Election Director, Office of the Arizona Secretary of State, 602-542-6167
Pat Pecoraro, Logic and Accuracy Testing for the Pima County Democratic Party, 520-622-5811 (W), 520-855-3908 (H)
Rebecca Mercuri, Ph.D., mercuri@notablesoftware.com
Pima County Elections Division, http://www.co.pima.az.us/elections
talion.com, http://talion.com/election-machines.html
blackboxvoting.com, http://blackboxvoting.com
notablesoftware.com, http://notablesoftware.com/evote.html
votewatch.us, http://votewatch.us
ecotalk.org, http://www.ecotalk.org/VotingMachineErrors.htm
lorrie.cranor.org, http://lorrie.cranor.org/voting/hotlist.html
Arizona Revised Statutes, Title 16, http://www.azleg.state.az.us/ArizonaRevisedStatutes.asp?Title=16
Diebold Election Systems, http://www.diebold.com/solutions/election/default.htm
CIBER, Inc., http://www.ciber.com
Federal Voting System Standards, http://www.fec.gov/pages/vssfinal/vss.html
National Association of State Election Directors (NASED), http://www.nased.org
Testing performed by ITAs, http://www.nased.org/ITA_process.htm
The Help America Vote Act (HAVA), http://www.fec.gov/hava/hava.htm
Weber v. Jones, http://www.electionguardians.org/weber_vs_jones.htm AND http://www.electionguardians.org/9th.htm
Ken Thompson on Trusting Trust, http://cm.bell-labs.com/who/ken/trust.html
Center for Responsive Politics (campaign finance info), http://opensecrets.org
This section includes information obtained after the original report was adopted by the Pima County Democratic Party Executive Committee.
Addendum A. A Resolution Adopted by the Pima County Democratic Party Executive Committee
Election Integrity Resolution, 1 July 03
WHEREAS public trust in a complete and fair count of all cast votes is essential to a functioning democracy; and
WHEREAS the Pima County Democratic Party Committee on Electronic and Computerized Vote Counting Procedures and Safeguards has submitted a report to the Pima County Democratic Party Executive Committee which details extensive problems across the country with the vote count in the last two national elections, including at least circumstantial evidence of conflicts of interest and possible partisan manipulation of the vote count in several cases; and
WHEREAS that same report examines in detail the vote counting procedures and safeguards in place in Pima County and, to a lesser extent, statewide in Arizona; and
WHEREAS that same report details shortcomings in the vote count procedures and safeguards in place in Arizona and Pima County; and
WHEREAS the Pima County Democratic Party Executive Committee adopted this same committee report at the last Executive Committee meeting: therefore
BE IT RESOLVED THAT the Executive Committee of the Pima County Democratic Party will undertake the following actions in regards to the vote count report:
1. Push for inclusion of the following election integrity planks in the County Party Platform:
A. Fair and accurately counted elections are the cornerstone of our democracy.
B. We support the use of electronic voting and vote counting equipment which leaves a paper record of each voter's selections and allows for a complete audit of election results.
C. We believe that the ballot as marked by voter should be the legal document in any election as opposed to the tally obtained by electronic equipment.
D. We support limited hand counting of ballots to verify electronic counts and ensure fair elections.
2. Oppose any attempt to install paperless touch-screen technology for purposes of recording and counting votes.
3. Meet with elected representatives to push for Arizona legislation that would:
A. Require voting systems to produce a voter-verified paper record for use in audits and recounts.
B. Require manual counts in a small number of sample precincts to establish a vote count base line against which to compare the machine counts.
C. Make ballot-as-marked-by-voter the legal document in all recounts.
D. Amend or repeal ARS 16-664 to clarify statute on recounts regarding a program which differs from that used in initial tabulations.
E. Allow a candidate to obtain handcounts at his/her own expense.
4. Contact Pima County Elections Director Brad Nelson to encourage improvement of software downloading security; specifically to work out a protocol to ensure that software updates downloaded from the vendor are the same code as tested and certified by the Independent Testing Authority.
5. Officially encourage Representatives Grijalva and Kolbe to support U.S. HR 2239, the Voter Confidence and Increased Accessibility Act of 2003 which, among other things, requires a paper record of votes, bans the use of undisclosed software, and calls for mandatory handcounts in 0.5% of jurisdictions as a check on machine counts.
6. Forward copy of the report to the State Party Executive Committee with recommendation that they distribute the report to county executive committees of all Arizona counties and encourage them to secure the integrity of their local vote count by establishing their own Committees on Electronic Vote Counting Procedures and Safeguards.
7. Send out an official county party press release on this issue of integrity in the vote count, and election reform where needed. Make sure copies of the report are sent to all Pima County legislators at the County, State and National Levels. Take any other possible steps to make the issue of integrity in the vote count an important issue in the next election cycles.
And lastly,
8. Give a formal recognition to Pat Pecoraro for his many years of service to the County Democratic Party in particular, and Pima County voters in general, as the Democratic Party's representative on the Pima County Department of Elections Logic and Accuracy Board.
Addendum B. July 8, 2003. Serious System Integrity Flaw Discovered in Diebold Election Systems Software
In February, 2003, it was reported that people around the world had been downloading software and data files from an open FTP site maintained by Diebold Election Systems. This site included source code and manuals for Diebold's vote-counting software, called GEMS. Experts say that it was possible for knowledgeable individuals to modify software on this site. There is no proof, however, that this was done. The site was closed down on January 29th, 2003. The files, however, are freely available at a number of locations.
Bev Harris, an investigative journalist, has led a team of scientists in the analysis of the downloaded software. Their results were released online on July 8, 2003:
Bev Harris, "Inside a U.S. Election Vote Counting Program"
A couple of other articles have since appeared:
Sludge Report #154 - Bigger Than Watergate
The gist of the Harris Team analysis is that the GEMS software contains features that make it possible to change vote tallies while making error detection difficult. This is accomplished by the use of multiple sets of vote tallies. Table 1 contains the original vote counts as obtained from the individual voting machines. Table 2 is a copy of Table 1. Table 2 can be modified. In the software analyzed, the election summary came from Table 2. However, if an election supervisor requests a detailed report for a precinct, the data comes from Table 1. The researchers found that when entries in Table 2 were modified, there was no record of it in the audit log. Also, they found a plug-in that would allow someone to change the date and time stamp on a file. This could be used to adjust the time stamp of Table 2 so that it would appear that it had not been edited.
These "features" in the software are very odd and not in line with good auditing practices. The research to date has not established that these features have been used to tamper with an election. The referenced articles do, however, reveal evidence of motive, opportunity, method, prior conduct, and other circumstantial evidence. The researchers are hoping that other programmers and computer scientists will continue the analysis to a greater level of depth.
Addendum C. November 3, 2003. More Flaws Found in Diebold Software
On February 24, 2003, the New York Times described an additional study that was done on the software downloaded from the open Diebold site (see Addendum B above). This study, done by Johns Hopkins University, focused on software used in the Diebold touch-screen voting terminals. The report is technical, but the bottom line is that the machines could be manipulated so that voters could cast extra votes and poll workers could alter ballots. The list of flaws is extensive. The report is available online:
Analysis of an Electronic Voting System, July 23, 2003 [the "Hopkins paper"]
The problems identified in the Hopkins paper include faulty use of encryption and security procedures, as well as faulty design of the electronic smart cards that voters use to access the voting terminals. They also criticized the use of Commercial Off The Shelf (COTS) third-party software that is incorporated into the voting system without inspection.
Rebecca Mercuri, computer scientist from Bryn Mawr College and a consultant on our report, issued a critique of the Hopkins paper:
Critique of "Analysis of an Electronic Voting System", July 24, 2003
She points out that although the analysis found numerous flaws in the software that violate the 2002 federal elections standards, the code may not have violated the 1990 standards under which the code was written. The newer standards take effect only for "new" systems in 2003, so there may not be any violation of election laws. She goes on to say that the Federal Election Commission (FEC) was well aware that the 1990 standards were inadequate and then places blame on the FEC and NASED who allowed these systems to be certified to standards that were admittedly obsolete. With respect to the COTS software, she points out that this is a serious flaw in the 2002 standards, but the FEC and NASED currently condone the practice.
Diebold representatives issued a "technical" rebuttal to the Hopkins report:
Summary Technical Analysis Of Recent Voting System Report, July 29, 2003
Diebold Election Systems exposes flaws found in recent voting system report, July 29, 2003
They respond that the Hopkins researchers took the analyzed code out of context and therefore could not adequately analyze the security.
Bev Harris responds to the rebuttal:
Diebold Denies Ease Of Voting Machine Tampering -- But Rebuttals Don't Stand Up, July 29, 2003
Diebold responds with a highly detailed line by line rebuttal of the Hopkins paper, addressing most, but not all, of the issues raised. It also contains some of the same arguments given by Mercuri.
Checks And Balances In Elections Equipment and Procedures Prevent Alleged Fraud Scenarios, July 30, 2003
Douglas Jones, a computer scientist at the University of Iowa and a member of the Iowa Board of Examiners for Voting Machines and Electronic Voting Equipment, has been following election technology for a number of years. He calls for decertification of the Diebold touch-screen software in Iowa:
The Case Against the Diebold AccuVote TS, July 28, 2003 (this version is brief and came from a presentation)
The Case of the Diebold FTP Site, July 28, 2003 (this version is more complete, is being updated, and has some comments on the Mercuri critique)
He notes that many of the arguments in Diebold's Checks and Balances report are valid, but there remain a number of security flaws that Diebold either admits (in a defensive posture) or fails to give convincing arguments.
The Johns Hopkins researchers provide a response to the Diebold "Checks and Balances" rebuttal:
Response to Diebold's Technical Analysis, [August 1, 2003]
This technical discussion argues that Diebold misused cryptography, used poorly designed smart-card security, and used coding standards that are unsuitable for the security requirements that a voting terminal must face.
The state of Maryland was in the process of buying $56M of Diebold touch screen equipment. As a result of the Hopkins report, the Governor put the purchase on hold, and asked contractor Science Applications International Corporation (SAIC) to do an analysis of the touch-screen software. The SAIC report was made public on September 24, 2003:
Risk Assessment Report, Diebold AccuVote-TS Voting System and Processes [pdf]
Only a small portion of the report was made public and much of that is heavily redacted. The report concluded, however, that "the system, as implemented in policy, procedure, and technology, is at high risk of compromise." The report recommends numerous changes to mitigate risk. Nevertheless, the state of Maryland is going ahead with the purchase.
It is particularly odd that Diebold has not yet responded to the Harris report on the GEMS software.
While Diebold may not produce software that lives up to common security practices and commercial coding practices, the bottom line is that the FEC, NASED, and the independent test company CIBER, are not addressing the real problems. The recent attention to these shortcomings will eventually result in much better election security, but in the meantime, we need to push for additional security procedures, as described in Addendum D.
Addendum D. August 8, 2003. Recommendations for improving the security of near-term elections using Pima County and Tucson Equipment
The following two procedures plug the holes we know to exist, and if implemented, will provide an acceptable temporary measure of election security:
A) For each polling place and each candidate or issue in each race, compare the polling machine paper summary tally with the final output of the GEMS system (equivalent to a canvass). This procedure checks GEMS as well as the electronic communications between polling places and GEMS.
B) Perform manual ballot counts in a small fraction (say 10-15%) of polling places to validate the polling machine summary tallies. This procedure checks the optical scanner and its vote accumulation software.
With these two measures, we can significantly increase the chance of detecting tampering.
These procedures would safeguard virtually any voting system that produces paper records (as required by Arizona law -- see Addendum E). In a properly designed highly secure system, these checks could be done as spot checks at a lower frequency than is required for checking a system that has known security flaws.
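Procedures A and B worked through on constructed tallies, as an added example that is not part of the original addendum: the same comparison checks the polling place paper tapes against the central tabulator output and then the hand counts against the tapes. How the hand-count polling places are chosen is an assumption here (a hash ranking driven by a seed generated in public after the machine tallies are published); the addendum does not specify a selection method.

```python
import hashlib
import math


def reconcile(reference, observed, places=None):
    """List every (place, contest, choice) where two tallies disagree.

    Both arguments map (polling_place, contest, choice) -> vote count. A key
    present on only one side is reported with None for the absent count, so
    a dropped or added entry is caught as well as a changed one.
    """
    keys = set(reference) | set(observed)
    if places is not None:
        keys = {key for key in keys if key[0] in places}
    diffs = []
    for key in sorted(keys):
        ref, obs = reference.get(key), observed.get(key)
        if ref != obs:
            diffs.append(key + (ref, obs))
    return diffs


def select_hand_count_sample(polling_places, fraction, seed):
    """Pick the polling places to hand count, reproducibly from a seed.

    Places are ranked by SHA-256(seed|place), so any observer who knows the
    seed can recompute the selection, and nobody can predict it before the
    seed exists.
    """
    if not 0 < fraction <= 1:
        raise ValueError("fraction must be in (0, 1]")
    ranked = sorted(
        set(polling_places),
        key=lambda place: hashlib.sha256(f"{seed}|{place}".encode()).hexdigest(),
    )
    return ranked[:max(1, math.ceil(fraction * len(ranked)))]


def demo():
    """Run both procedures on constructed data with planted discrepancies."""
    places = [f"PP-{n:02d}" for n in range(1, 9)]
    # Constructed paper summary tapes printed at each polling place.
    tapes = {}
    for n, place in enumerate(places, start=1):
        tapes[(place, "Mayor", "Alpha")] = 200 + 7 * n
        tapes[(place, "Mayor", "Beta")] = 180 + 5 * n

    # Constructed central output: 25 votes shifted in PP-03, one entry lost.
    central = dict(tapes)
    central[("PP-03", "Mayor", "Alpha")] -= 25
    central[("PP-03", "Mayor", "Beta")] += 25
    del central[("PP-07", "Mayor", "Beta")]
    canvass = reconcile(tapes, central)              # procedure A

    sample = select_hand_count_sample(places, 0.15, seed="constructed-seed-4162")
    # Constructed hand counts: equal to the tapes except for one planted gap.
    hand = {key: votes for key, votes in tapes.items() if key[0] in sample}
    hand[(sample[0], "Mayor", "Alpha")] += 3
    audit = reconcile(hand, tapes, places=set(sample))   # procedure B
    return canvass, sample, audit


if __name__ == "__main__":
    canvass, sample, audit = demo()
    print("tape vs central:", canvass)
    print("hand-count sample:", sample)
    print("hand count vs tape:", audit)
```

Procedure A compares every polling place, so it catches the shifted and the dropped entry regardless of which places are sampled; procedure B only covers the sampled places, which is why the selection must not be predictable in advance.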
Addendum E. November 3, 2003. Arizona Law Requires a Paper Ballot, but not Voter-verification
In our report, we recommend that Arizona adopt legislation that would require voting systems to produce a voter-verified paper record. It turns out that Arizona law defines an electronic voting system as follows:
ARS 16-444, A6. "Electronic voting system" means a system in which votes are recorded on a paper ballot or ballot cards by means of marking or punching, and such votes are subsequently counted and tabulated by vote tabulating equipment at one or more counting centers."
Note that "voter-verified" is missing. It is the verification by the voter that ensures the vote has been recorded correctly. For the most part, Arizona uses optical scan systems in which a machine reads the ballot that has been filled out by a voter. This is voter-verified by definition. The 2002 Help America Vote Act is requiring states to accommodate disabled voters by installing Direct Recording Electronic (DRE) voting systems. In Arizona, these systems will produce a paper record, but there is no requirement that these paper records be voter-verified.
Although the purpose of DRE systems in Arizona is to accommodate the disabled, especially the blind, there is no restriction on who actually votes by DRE; anyone will be able to use these systems if they are installed.