Director, University of Michigan Center for Computer Security and Society
jhalderm@eecs.umich.edu

jhalderm@eecs.umich.edu
letters@usatoday.com,
jenokela@yahoo.com,
kerrie@nytimes.com

http://www.theguardian.com/technology/2015/feb/26/should-britain-introduce-electronic-voting

Should Britain introduce electronic voting?

Suppose,
for a second, that the concept of elections was new, and it was your
job to pitch them to the nation. You start off singing the praises of
democracy, and how it transfers power to the people like never before.

People are looking excited, so you then bring up the concept of a
legislature: all the elected representatives doing the important task of
scrutinising the government, as well as enacting new laws and debating
important national issues.

You’ve pretty much won them over, so now you turn to elections: those
momentous days when the whole nation marks their choices with a pencil
cross on small pieces of paper, which are gathered up, counted by hand
in their thousands, and used to determine who runs the country.

A deathly silence falls. Someone in the back mutters: “Paper?” You
decide that now is perhaps not the time to introduce the concept of
postal voting.

Face it: British elections are ever so slightly anachronistic.

Pencil and paper

The problems with our current, resolutely 19th-century method of
running elections should be obvious. Votes can be miscounted, misread,
or even simply misplaced. Counts consist of thousands of people across
the country, paid overtime to stay up all night manually sorting and
counting those votes. When they go wrong – as happened in Tower Hamlets
during the 2014 local elections – there’s no easy way to trace the
problems back to their source, and no easy way to fix them other than
simply restarting the count.

At this point, one might be forgiven for feeling trapped in the
“before” section of an infomercial. But yes: there is a better way.

Electronic voting machines are used in some of the world’s biggest
democracies, including Brazil, India, and the Philippines, to get around
some of these hurdles. The machines come in all shapes and sizes, from
small touchscreen devices to larger units with physical buttons and a
printed ballot paper on the front.

But those nations that have widespread adoption of electronic voting
are also developing nations with relatively short democratic histories
and their own unique challenges, from inaccessible rural populations to
low levels of literacy.

Addressing those concerns was a driver for the introduction of
electronic voting, but has also led to a perception that the technology
wasn’t necessary in developed nations, according to Antonio Mugica, the
chief executive of electronic voting firm Smartmatic.

“In western Europe, there isn’t a generalised perception that
integrity needs to be improved,” he says. But while it’s true that the
mature democracies of western Europe tend not to see outright stolen
elections, there is still the potential for mistakes. And, after all,
“the fact that there is no crime in this neighbourhood in London doesn’t
mean you’re not going to put a door and a lock.”

But
that’s not enough of a pitch for many, who – perhaps fairly – take the
view that voting with paper ballots isn’t broken, and doesn’t need to be
fixed. Mugica disagrees. “The reason to bring technology into the
election process is to increase integrity and security, but it has a
series of important collateral benefits.

“One is cost reduction: so I’m sure Britain could spend less per
election if it was using technology, and the security and integrity
would be 10 to a hundredfold better. So you have something that’s a
hundredfold better, and it’s going to cost less.”

The concept of electronic voting has garnered widespread political
support, seen as both a cost-saving measure and a possible way of
boosting turnout in an era of declining voter representation. A Labour
spokeswoman said: “Labour is committed to looking at radical ways of
encouraging more people to vote, by making the process easier and more
in tune with the way people live their lives … Labour will pilot secure
systems for electronic voting, including online voting.”

Not everyone agrees that electronic voting is dramatically better, or
even better at all. The switch does remove some problems inherent to
paper ballots – not least the cost of simply printing and distributing
the millions of ballots required to make an election happen. But it also
introduces its own.

The chief fear of many is that a switch to electronic voting would make electoral fraud easier, not harder.
In the worst-case scenario, rather than forging ballots individually, a
wannabe dictator could simply flip a switch and win the election with no
trail in sight.

Jim Killock, the executive director of the Open Rights Group, says that voting has to be secret, secure and accountable.

“This
is a very hard problem to solve and so far nobody has managed it.
Accountability in most software systems means a clear audit trail of who
did what, which of course would violate the basic question of secrecy.”

And even without ascribing malicious intent, a bug in an electoral
machine’s operating system could alter the vote result systematically.
That’s why many observers, such as ORG, prefer that the machines only
run on open source code, so that independent observers can check the
programming is bug-free.

Smartmatic doesn’t go that far, citing the need to protect trade
secrets, but typically encourages nations to perform a fully independent
code review in the runup to an election, inviting all political parties
and representatives of civil society to check for bugs. The code is
compiled then and there, with a digital signature that individual voters
can use to check that their machine is running the correct software.

As for the audit trail, it’s something that the company takes very
seriously. “We bring, along with the technology solution, a
recommendation to perform 17 different audits, before, during and after
the election,” says Mugica.

Keyboard and mouse

But if those problems are tricky to solve, they’re nothing compared
to the other major form of electronic voting, online voting. Casting
votes over the internet seems like the natural progression of democracy
to the 21st century, but it requires a fairly fundamental rethink of how
the electoral process should work.

In order to let people cast votes from home over the internet, we
have to decide to give up some of the most important principles of our
electoral system, like guaranteeing that a vote cannot be given away,
stolen or forced, and ensuring secrecy of the ballot.

Those problems are so fundamental that, to date, only one country has
really cracked the problem: Estonia, where almost a quarter of all
votes cast in the 2011 parliamentary elections were made online. In
March, the country heads to the ballots again, for its sixth election
where online voting is allowed. And the proportion of votes cast online
is expected to rise even further.

How have they solved the problems? With a mixture of hard work and
smart solutions. On the one hand, Estonian civil society is the most
connected in the world: every citizen has an online ID card, which has
biometric information about them and digital signing capabilities. The
card can be used with a chip-and-pin machine to prove to government
agencies online that its user is a citizen of Estonia.

That solves half the problem, letting voters sign and encrypt their
votes as they transmit them to the polling office, in order to prevent
them being intercepted or fraudulently cast.

But what Estonia can’t do is control the conditions in the home of
the voter. So instead, they get around it another way, explains
Smartmatic’s Michael Summers, who works with the Estonian government to
provide the voting solution. After voting, “a copy of the vote is also
sent to a verification server”. The voter can then check that their vote
has been correctly registered at any time, to ensure that it wasn’t
changed by malware on their computer, for instance.

“If you think about an internet application, the environment which is
hardest to control is the voters’ computer. Anyone who has a laptop
runs the risk of downloading malware, so the purpose of verification is
that we give the voter an opportunity to check that their vote has been
correctly recorded by the server.”

Importantly,
voters can also change their votes throughout the polling period, and
if they vote in person as well, that “overwrites” their online vote. The
idea is to limit the opportunities for coercion, so that even if
someone demands to watch a citizen cast the “correct” vote, they can
easily vote according to their conscience later.

All the same, the opportunities for funny business are higher than
in-person voting. But, argues Summers, that’s the wrong comparison;
instead, online voting should be compared to postal votes, used by 15%
of the electorate in Britain in 2010. That comparison is much more
favourable. When you make a postal vote, after all, “your mechanism for
securing that ballot is a piece of gummed paper. As opposed to a robust
RSA certificate which is significantly harder to crack than steaming
open an envelope by putting it over a kettle”.

But regardless of the correct comparator, the ORG’s Killock argues
that the potential downsides of internet voting are just too great. “You
have the complexity of making sure that internet systems are secure,
that the voting equipment can be trusted despite being attached to the
internet, and that every voter’s machine is not being tampered with.

“Given the vast numbers of machines that are infected by criminally
controlled malware and the temptation for someone to interfere in an
election, internet voting is a bad idea.”

But the tide seems to be turning in the concept’s favour. In January, the Speaker of the House of Commons published a report on digital democracy, which concluded that “online voting has the potential greatly to increase the convenience and accessibility of voting”.

“In the 2020 general election, secure online voting should be an
option for all voters,” said the report. In response, the Electoral
Commission’s chair, Jenny Watson, said: “We will consider carefully the
balance between maintaining the security of the system, whilst making it
as accessible as possible for voters as part of this.”

But Killock remains unconvinced, and uneasy with turning to a digital
solution for what remains a societal problem. “The real driver of voter
participation,” he says, “is the belief that elections are important
and that voting will make a difference”.

http://usatoday30.usatoday.com/news/opinion/editorials/story/2012-09-19/electronic-voting-fraud-security/57809062/1
    •    OPPOSING VIEW: Paper voting system is broken
It’s
not entirely a fantasy. In many states, some voters can already do
both. The process is seductively simple, but it’s also shockingly
vulnerable to problems from software failure to malicious hacking. While
state lawmakers burn enormous energy in a partisan fight over in-person
vote fraud, which is virtually nonexistent, they’re largely ignoring
far likelier ways votes can be lost, stolen or changed.
How? Sometimes, technology or the humans running it simply fail:
•In
March, malfunctioning software sent votes to the wrong candidate and
the wrong municipal election in Palm Beach County, Fla. The mistake was
corrected only after a court-approved hand count.
•In an election in Pennington County, S.D., in 2009, a software glitch almost doubled the number of votes actually cast.
•In
Carteret County, N.C., 4,530 electronic votes simply disappeared in
2004 when the voting machine ran out of storage capacity and no one
noticed until too late.
•In 2010, a University of Michigan assistant
professor of computer science and three assistants hacked into
Washington, D.C.’s online voting system during a test. They manipulated
it undetected, even programming it to play the Michigan fight song.
While inside, the hackers blocked probes from Iran, India and China.
Washington officials canceled plans for online voting.
Experiences
like these argue for great caution about expanding electronic voting,
but too many states are choosing convenience over reliability. Sixteen
states, for example, use electronic voting devices with no paper backup,
according to a study by the Verified Voting Foundation, Common Cause
and the Rutgers School of Law.
This means there’s no way to know
whether the machine has recorded a vote accurately or, for that matter,
recorded it at all. And there’s no way for elections officials to
conduct a verifiable recount if things go wrong.
It’s far better to
have, as many other states do, machines that generate a simultaneous
paper record that voters can see when they vote, and that officials can
audit to make sure the machines are getting the votes right.
At least
for now, the next frontier in electronic voting seems to be way too
wild. Twenty-five states allow online voting, chiefly for military
personnel and others overseas, which means 3 million people or more
could cast ballots via the Web this fall. But Alex Halderman, who led
the successful penetration of Washington’s online system, warns that
current technology just can’t keep votes safe.
Home computers are
frequently infested with malware, and central systems such as
Washington’s are notoriously hard to secure. Those who claim otherwise
overlook the fact that hackers have penetrated or shut down systems at
the Pentagon, FBI, Department of Homeland Security and CIA. All these
agencies have cybersecurity budgets that dwarf those of any local
elections board.
The danger is as troubling as it is obvious.
Elections can be stolen, without anyone noticing. Some things are best
done the old-fashioned way.
http://usatoday30.usatoday.com/news/opinion/story/2012-09-19/paper-electronic-voting-risks/57809046/1
Opposing view: Paper voting system is broken
In
the 2010 election, 200,000 military voters failed to cast their
absentee ballots, the vast majority because the mail either failed to
get their ballots to them on time, or failed to get them back home in
time to count. That’s no surprise: Mail to remote military outposts and
ships at sea can easily take three weeks each way. It’s bound to fail.
    •    Whitney Curtis, for USA TODAY

Enlarge
Whitney Curtis, for USA TODAY

Sponsored Links
    •    OUR VIEW: Electronic voting still too wild
During
that same election, though, 46,000 military voters did manage to vote
through electronic voting systems, either receiving their ballot online,
returning it online or both. The number of military personnel using
online systems was triple what it was in the 2006 election, a sign of
the growing effectiveness and availability of Internet voting.
Do
electronic voting systems introduce new risks? Of course. But the
current mail-based system perpetuates a far greater risk of
disenfranchisement. And the most common risks associated with electronic
systems can easily be mitigated.
For example, the military’s
Internet system is constantly monitored for intrusions and infections,
which can significantly reduce the risk of viruses changing voters’
votes. Transmitting the ballots over virtual private networks can ensure
that ballots are not changed by hackers en route.
Washington, D.C.’s
system referenced in USA TODAY’s editorial did not have any of these
protections. It was simply a test by a not-for-profit, not a system
deployed by one of the leading online election vendors.
USATODAY OPINION
About Editorials/Debate
Opinions
expressed in USA TODAY’s editorials are decided by its Editorial Board,
a demographically and ideologically diverse group that is separate from
USA TODAY’s news staff.
Most editorials are accompanied by an
opposing view — a unique USA TODAY feature that allows readers to reach
conclusions based on both sides of an argument rather than just the
Editorial Board’s point of view.
Finally, the sheer diversity and
local control of our electoral system, with more than 7,800 election
jurisdictions, make the payoff of trying to hack these votes unfeasible
given the small number of ballots received electronically in each
election jurisdiction.
In 2002, Congress mandated that the Defense
Department deploy an electronic voting system for military voters. The
department’s Federal Voting Assistance Program presented a plan to
Congress for a secure, reliable electronic voting system by the 2018
election.
President Obama’s 2013 budget cut $20 million for research
on electronic voting; restoring that money might bring such systems
online in time for the 2016 presidential election, 14 years after
Congress ordered it done.
Would such a system be perfect? No. But it would be far better than the broken paper-based system we have now.
Bob
Carey is president of the Abraham & Roetzel government affairs
firm. Until May of this year, he was director of the Defense
Department’s Federal Voting Assistance Program.
USATODAY OPINION
About Editorials/Debate
Opinions
expressed in USA TODAY’s editorials are decided by its Editorial Board,
a demographically and ideologically diverse group that is separate from
USA TODAY’s news staff.
Most editorials are accompanied by an
opposing view — a unique USA TODAY feature that allows readers to reach
conclusions based on both sides of an argument rather than just the
Editorial Board’s point of view.

http://usatoday30.usatoday.com/news/opinion/editorials/story/2012-09-19/electronic-voting-fraud-security/57809062/1
Editorial: Electronic voting is the real threat to elections

Imagine
how easy voting would be if Americans could cast ballots the same way
they buy songs from iTunes or punch in a PIN code to check out at the
grocery store: You could click on a candidate from a home computer or
use a touch screen device at the local polling place.
    •   
Whitney Curtis, for USA TODAY
Election workers in Maplewood, Mo., train
on touch-screen machines in 2010. Sixteen states use electronic voting
devices with no paper backup.
Enlarge
Whitney Curtis, for USA TODAY
Election
workers in Maplewood, Mo., train on touch-screen machines in 2010.
Sixteen states use electronic voting devices with no paper backup.
Sponsored Links
    •    OPPOSING VIEW: Paper voting system is broken
It’s
not entirely a fantasy. In many states, some voters can already do
both. The process is seductively simple, but it’s also shockingly
vulnerable to problems from software failure to malicious hacking. While
state lawmakers burn enormous energy in a partisan fight over in-person
vote fraud, which is virtually nonexistent, they’re largely ignoring
far likelier ways votes can be lost, stolen or changed.
How? Sometimes, technology or the humans running it simply fail:
•In
March, malfunctioning software sent votes to the wrong candidate and
the wrong municipal election in Palm Beach County, Fla. The mistake was
corrected only after a court-approved hand count.
•In an election in Pennington County, S.D., in 2009, a software glitch almost doubled the number of votes actually cast.
USATODAY OPINION
About Editorials/Debate
Opinions
expressed in USA TODAY’s editorials are decided by its Editorial Board,
a demographically and ideologically diverse group that is separate from
USA TODAY’s news staff.
Most editorials are accompanied by an
opposing view — a unique USA TODAY feature that allows readers to reach
conclusions based on both sides of an argument rather than just the
Editorial Board’s point of view.
•In Carteret County, N.C., 4,530
electronic votes simply disappeared in 2004 when the voting machine ran
out of storage capacity and no one noticed until too late.
•In 2010, a
University of Michigan assistant professor of computer science and
three assistants hacked into Washington, D.C.’s online voting system
during a test. They manipulated it undetected, even programming it to
play the Michigan fight song. While inside, the hackers blocked probes
from Iran, India and China. Washington officials canceled plans for
online voting.
Experiences like these argue for great caution about
expanding electronic voting, but too many states are choosing
convenience over reliability. Sixteen states, for example, use
electronic voting devices with no paper backup, according to a study by
the Verified Voting Foundation, Common Cause and the Rutgers School of
Law.
This means there’s no way to know whether the machine has
recorded a vote accurately or, for that matter, recorded it at all. And
there’s no way for elections officials to conduct a verifiable recount
if things go wrong.
It’s far better to have, as many other states do,
machines that generate a simultaneous paper record that voters can see
when they vote, and that officials can audit to make sure the machines
are getting the votes right.
At least for now, the next frontier in
electronic voting seems to be way too wild. Twenty-five states allow
online voting, chiefly for military personnel and others overseas, which
means 3 million people or more could cast ballots via the Web this
fall. But Alex Halderman, who led the successful penetration of
Washington’s online system, warns that current technology just can’t
keep votes safe.
Home computers are frequently infested with malware,
and central systems such as Washington’s are notoriously hard to
secure. Those who claim otherwise overlook the fact that hackers have
penetrated or shut down systems at the Pentagon, FBI, Department of
Homeland Security and CIA. All these agencies have cybersecurity budgets
that dwarf those of any local elections board.
The danger is as
troubling as it is obvious. Elections can be stolen, without anyone
noticing. Some things are best done the old-fashioned way.
http://voices.washingtonpost.com/debonis/2010/10/hacker_infiltration_ends_dc_on.html
Hacker infiltration ends D.C. online voting trial
Last
week, the D.C. Board of Elections and Ethics opened a new
Internet-based voting system for a weeklong test period, inviting
computer experts from all corners to prod its vulnerabilities in the
spirit of “give it your best shot.” Well, the hackers gave it their best
shot — and midday Friday, the trial period was suspended, with the
board citing “usability issues brought to our attention.”
Here’s one
of those issues: After casting a vote, according to test observers, the
Web site played “Hail to The Victors” — the University of Michigan
fight song.
“The integrity of the system had been violated,” said Paul Stenbjorn, the board’s chief technology officer.
Stenbjorn
said a Michigan professor whom the board has been working with on the
project had “unleashed his students” during the test period, and one
succeeded in infiltrating the system.
The fight song is a symptom of
deeper vulnerabilities, says Jeremy Epstein, a computer scientist
working with the Common Cause good-government nonprofit on online voting
issues. “In order to do that, they had to be able to change anything
they wanted on the Web site,” Epstein said.
Because of the hack,
Stenbjorn said Monday, a portion of the Internet voting pilot — which
was expected to be rolled out this month — is being temporarily
scrapped.
The program, called “digital vote by mail,” is intended to
allow military or overseas voters to cast secure absentee ballots
without having to worry whether the mail would get them back to
elections officials before final counting. Those voters, about 900 of
them, still will be able to receive blank ballots via the Internet for
the Nov. 2 general election, but they will not be allowed to submit
their completed ballots via the DVM system, Stenbjorn says. Instead,
they’ll have to put them in the mail or send them unsecured via e-mail
or fax.
The security hole that allowed the playing of the fight song
has been identified, Stenbjorn said, but it raised deeper concerns about
the system’s vulnerabilities. “We’ve closed the hole they opened, but
we want to put it though more robust testing,” he said. “I don’t want
there to be any doubt. … This is an abundance-of-caution sort of
thing.”
Last week, Common Cause and a group of computer scientists
and election-law experts warned city officials that the Internet voting
trial posed an unacceptable security risk that “imperils the overall
accuracy of every election on the ballot.” But board officials said the
system provides security and privacy upgrades over a method of Internet
voting that’s already legal: filling out a paper ballot, then scanning
it and attaching it to an e-mail.
Stenbjorn says he hopes that the
Web-voting system’s security vulnerabilities will be addressed in time
for a D.C. Council special election expected next spring. The board has
spent about $300,000 in federal grant money on the project.
A D.C. Council hearing on elections issues, which will include the Internet voting test, is set for Friday.
UPDATE,
5:30 P.M. Verified Voting, another nonprofit concerned with election
integrity, has released a statement that “applauds” BOEE’s decision to
cancel the digital vote return. The release details the hack: “The test
pilot was apparently attacked successfully shortly after it began by a
team of academic experts led by Prof. J. Alex Halderman at the
University of Michigan. The attack caused the University of Michigan
fight song to be played for test voters when they completed the
balloting process.” The group promises “[f]ull details of the hack and
its impact on submitted test ballots … in the coming days.”
The
group also identifies a separate issue, which it calls a “very serious
vote loss problem that caused voters to inadvertently return blank
ballots while believing that they had submitted complete ballots.” This
affected users of “at least two widely used computer/browser
configurations.” Stenbjorn said Monday that the problem had been
identified as affecting certain browsers using the Macintosh operating
system, which do not support inline PDF forms. Mac users, he said, can
download the file and open it in a standalone PDF reader instead.
CORRECTION, 10/7: The Michigan fight song is “The Victors,” not “Hail to the Victors.” Mea maxima culpa.
By Mike DeBonis  | October 4, 2010; 2:14 PM ET 
Categories:  DCision 2010, The District  

Save & Share:                            
Previous: DeMorning DeBonis: Oct. 4, 2010
Next: For Rhee, staying in D.C. is a ‘hard question’

Comments

Hail to the Victors Valiant!
Um…yay alma mater for cyberhacking?
Posted by: gopoohgo | October 4, 2010 3:21 PM | Report abuse
Hail to the Redskins would have been far better!
Posted by: jeffcoud2 | October 4, 2010 4:01 PM | Report abuse
Michigan’s fight song is “The Victors,” not “Hail to the Victors.”
Posted by: Catholepistemiad | October 4, 2010 5:27 PM | Report abuse
Hey
this is the right approach. I’m glad to see they’re not just
approaching the problem in the right way through open testing, but also
are acting cautiously about what they do. Combined with robust review
and flaw remediation, secure voting ought to be possible.
In the meantime, it might be worthwhile to set up something for military members to use through nipernet…
Posted by: Nymous | October 5, 2010 1:48 AM | Report abuse
A
test that is supposed to run over the weekend is shut down by mid day
on Friday due to “usability issues brought to our attention.”? This
shows an apalling lack of awareness of the problems inherent in such a
voting system.
No, the right approach would be to fire the idiots on the
board of elections and hire the students from Michigan.
Posted by: lcollar | October 5, 2010 8:14 AM | Report abuse
Just
consider how often and consistently online systems of all kinds are
successfully hacked. Why would voting systems be different?
The thought of government by those who get into the position by hiring hackers is truly frightening.
Posted by: observer31 | October 5, 2010 8:21 AM | Report abuse
You think you might mention who the vendor is? That seems kind of important.
Posted by: pj_camp | October 5, 2010 9:28 AM | Report abuse
Hey,
look - it’s DC. You KNOW who’s gonna be elected even before the first
ballot is cast. Why worry about hackers? They won’t make ANY difference
in the outcome. Of course, it’s also obvious that the hacking wasn’t
done by ANYONE who is a District resident. Even WITHOUT the fight song,
it’s clear that the capability is JUST NOT there. Now maybe some folks
in nearby Maryland or Virginia have the capability, but surely not DC!
Posted by: matism | October 5, 2010 11:29 AM | Report abuse
It’s
unclear to me that “We’ve closed the hole they opened…” accurately
quotes Mr. Stenbjorn. If it does, he should be fired immediately for his
illiteracy in this matter.
The students did not “open” a hole in this
online voting system. They discovered one that the Mr. Stenbjorn’s inept
staff did not secure.
If Mr. DeBonis is accurately reporting the quote
then this may also indicate a pathological attempt to shift blame from
where it belongs - the morons at DCBOEE - to the students that did them a
favor.
Posted by: Megadan | October 5, 2010 11:45 AM | Report abuse
How great is this? So let’s pretend there’s an 800lb gorilla in the room…his name is Acorn, and he’s a hacker.
Care to wager what percentage of e-voters will be shown to be cast for Democrat candidates?
Fraud
is a huge problem, but not just with e-vote systems. Jokes about dead
people voting isn’t a joke; our voter roles are full of fraud - 3%, 5%,
20%? ID’s should be needed to vote (as in my district), every voter role
should be purged, validated and maintained before every election.
Without it, the gorilla is going to have his way every time.
Posted by: BarryBinInhalin | October 5, 2010 11:49 AM | Report abuse
Any,
[and I mean ANY] system can be hacked, and I have no doubt have
been
electronic [and even mechanical] voting is a gamble. Paper ballots
are also subject to fraud. 
Choose your poison.
Posted by: news41 | October 5, 2010 12:00 PM | Report abuse
Hey,
I’m really going to trust the vote coming out of DC. Maybe they can
show Chicago how to do it during Rahm’s coronation, oh, I mean election.
Posted by: AnnieP1 | October 5, 2010 12:12 PM | Report abuse
Why
is it that I can safely access my bank accounts, investment accounts,
Ebay, etc. from virtually anywhere on the planet, but I cannot vote
online? Maybe it’s because having found a proven set of tools to rig
elections, the Left is terrified that new technology will erase their
advantage. Seems odd that such a hotbed of political neutrality like DC
would be “proving” the “danger” of online voting. Remember -vote early
and vote often!
Posted by: snipelee | October 5, 2010 12:16 PM | Report abuse
Use of electronic voting is a hideous error.
Posted by: KPosty | October 5, 2010 12:16 PM | Report abuse

Thanks
to your PUBLIC education YOU are missing the OBVIOUS … VOTING sites
are referred to as POLLING STATIONS … Why you ask? 
Because for
decades now, the government only POLLS THE OPINIONS of ITS public …
Your VOTE has absolutely NO MERIT in the election process … the
Electorial College does ALL the deciding for you - you only convey your
opinion - which is ignored!! This is the just the tip of the iceberg
when it comes to deceiving Americans! Sorry to burst your patriotic
bubble - wake up people - this isn’t your country anymore!
Posted by: ScatScat | October 5, 2010 12:21 PM | Report abuse
There
is almost nothing more important than insuring the integrety of our
elections. It is sure that it isn’t 100% free of fraud but to allow it
to go on-line kills all hope of keeping the system safe at all.
These
morons in charge of this test either 1.have NO IDEA how computers work
2. are actively trying to steal elections 3. are just plain stupid or 4.
have NO sense of what their country is about
I don’t see any good on that list!
Election
rlls need to be continuously scrutinized (by people with brains) and
ballot need to be paper only. The last bit of the puzzle? Honesty
Posted by: rleored1 | October 5, 2010 12:23 PM | Report abuse
Another
bad idea beat down. Voting online, Missile defense systems, etc. can
only be truly tested when the real world comes into play. SO, never go
there.
IF banks etc. are not hack-proof, why would we ever want our
elections and our country to be vulnerable by depending on a computer
program which can never be truly tested before it is used.
That’s a
hard way to learn. We should NEVER go there. There are no hack-proof or
bug-free programs when they are as elaborate as would be required for
voting or missile defense. NEVER! Ask any programmer or QA Tester.
Posted by: tojo45 | October 5, 2010 12:27 PM | Report abuse
How
many D.C. voters that actually VOTE are there serving over seas for our
country? It can’t be more than a hand full. So, I’d love to see how
much the cost per vote is in this $300,000 waste of money.
Posted by: arbogastd | October 5, 2010 12:30 PM | Report abuse
In 2012 a hacked voter system in favor of Obama is the only way he’ll win reelection…
Posted by: mrcyberdochotmailcom | October 5, 2010 12:30 PM | Report abuse
THANK
YOU, HACKERS! I can think of few greater threats to liberty than, even
assuming no technology-based corruption or mischief (HA!), by allowing
lazy, livin’-off-the-taxpayer-dime, do-nothings to be able to sit on
their indolent butts while electing their welfare patrons as they watch
another episode of Judge Mathis.
Posted by: jnsesq | October 5, 2010 12:30 PM | Report abuse
Well,
d@amn it, there is such a thing as making it too easy to vote. Just as
all in-person voters should be required to present a valid
government-issued ID card in order to vote, so should we also be
carefully review all absentee ballot procedures to maintain the security
of the voting process and the integrity of our democracy. Many of us
Republicans have been screaming about ballot security for years, and
those of us who have actually run campaigns have witnessed real, live
voting fraud around the country. I don’t care if you’re a Republican,
Democrat, Libertarian or Martian, we should all agree that the integrity
of our democracy must be paramount. If we can’t agree on that, and any
party, candidate or interest group can cheat, then we’re on a slippery
slope to becoming Venezuela.
Bottom line: we should put aside on-line
voting until its iron-clad security can be assured. If this debacle had
occurred in a hotly contested swing state in the middle of a
presidential election, this could have caused a national, if not a
constitutional crisis. Think clearly, people.
Posted by: Dirtlawyer1 | October 5, 2010 12:36 PM | Report abuse
Every lab geek at M.I.T. is now on the case. Winner of the next presidential election: Oliver R. Smoot
Posted by: floyddabarber | October 5, 2010 12:37 PM | Report abuse
I figured it would have been CalTech or MIT that would have pulled this one off.

My thoughts are this-
Election Day is Election Day. No “Early Voting” or “provisional ballots.” Absentee balloting is allowed.
Either people do their “Civic Duty” and appear, on Election Day or they don’t deserve to vote.
Casting one’s ballot is serious and these lazy bums that are trying to “reach-out,” for more time, are way out of line.
Posted by: Computer_Forensics_Expert_Computer_Expert_Witness | October 5, 2010 12:43 PM | Report abuse
I
could understand why liberals want this system.
As republicans
investgate Dem voter fraud they will need a new method to cheat.
Posted by: jpalm32 | October 5, 2010 1:06 PM | Report abuse
All hail online voting! What could possibly go wrong?!?!?
Posted by: Armed_Texan | October 5, 2010 1:12 PM | Report abuse
I’m
pretty sure most of Maryland’s votes are rigged, because most of the
state is actually republican bu the democrats always win
Posted by: interloper5 | October 5, 2010 1:27 PM | Report abuse
Can D.C. do anything right?
Posted by: COOLCHILLY | October 5, 2010 1:28 PM | Report abuse
Every lab geek at M.I.T. is now on the case. Winner of the next presidential election: Oliver R. Smoot
Posted by: floyddabarber
As a Harvard alum, I appreciated this posting. LOL.
Posted by: WashingtonDame | October 5, 2010 1:36 PM | Report abuse
Each
state has different laws… In one of the presidential elections I
voted in here in Michigan, we had a machine that reads your pencil marks
on a ballot. I noticed while waiting in line, 2 out of 3 ballots
scanned were rejected as miss-votes - meaning some of their votes would
not be counted. Everyone accepted this. So, when it was my time, I was
extra - extra - extra careful that I did it perfectly. Mine was rejected
too. I took back the ballot and checked again. Everything was still
perfect, so I had them scan it again. This time it took When I quested
this, the election officials said they only test the machine at the
start of voting, so if some dirt gets on the lenses of the scanner, they
will never know. Also, as a voter I was not allowed to request a
re-count. Only a person on the ballot.
Posted by: arbogastd | October 5, 2010 1:37 PM | Report abuse
Since when were Democrats worried about the integrity of the vote???
Posted by: CapsNut | October 5, 2010 1:52 PM | Report abuse
dems
want the internet voting so they can assure their coming wins by
fraud………….dems know that America has had it with their damage to
America and the American way of life
Posted by: M_Algore | October 5, 2010 1:52 PM | Report abuse
Cyber
security. The only thing you can prove is its “secure” as you are
writing this very sentence. Ten secs from now, it may be hacked. And we
spend hundreds of millions on this.
Wouldn’t a low tech solution be
better, like maybe dipping our fingers into purple dye? It would stop
voter fraud, and would also be env friendly, since you wouldn’t need all
those “I voted” stickers.
Posted by: jcl154 | October 5, 2010 1:56 PM | Report abuse
Why
even bother having elections in DC? If there’s a black candidate, award
the office to him. If both candidates are black, pick the one who’s
most liberal. The outcome will be the same as if they had wasted time
with an election, which would be stolen by ACORN and SEIU operatives
anyway.
Posted by: p3orion | October 5, 2010 2:06 PM | Report abuse
Oh,
for God’s sake another idiot who doesn’t understand the electoral
college.It’s more fair, you fool, not less fair. If you allowed only the
popular vote to determine the outcome of a presidential election then
only the most populous states would elect the president. It would be
whomever California wanted as president not whomever the country wanted.
Congressional seats are apportioned by population so that larger
populations can be represented properly in congress but each state gets
two senators to balance that out. Mob rule is dangerous. There has to be
checks and balances.
Posted by: haunches | October 5, 2010 2:08 PM | Report abuse
Of course the internet program was open to being hacked. Don’t these elections officials ever listen to the experts?
Posted by: dubious1 | October 5, 2010 2:15 PM | Report abuse
This
is a joke, systems can be secured, our banking system is secure enough.
Put some republicans in charge of this and I bet they’ll get the job
done. Anybody notice the Democrats are the only ones trying to shoot
down electronic voting, as if it’s less reliable than a gang of
volunteers?
Posted by: zardinuk | October 5, 2010 2:20 PM | Report abuse
Most
of the voter fraud is in favor of Republicans. Look at Ohio in 2004
when all the votes were run through a computer in Tennessee that was
running GOP software before being sent back to Ohio. Look at the hack in
Florida that nearly caused Gore to concede on election night before it
was revealed. Almost all hacks benefit Republicans. Check it out.
And using the internet is to invite the hackers to have great fun.
Posted by: dubious1 | October 5, 2010 2:24 PM | Report abuse
Just
print the ballots on rolls of free toilet paper so the totally
uninformed, and uninvolved can more easily cancel out your vote.
Posted by: borntoraisehogs | October 5, 2010 2:31 PM | Report abuse
ACORN… really? lol
Anyway,
at least the testing of this system is more transparent than the
testing done on the Diebold systems that are actually in use.
Posted by: AJohn1 | October 5, 2010 2:33 PM | Report abuse
E-Voting was brought to US by Al Goron & the Dims.
Welcome to hanging e-chads!
Posted by: harpotoo | October 5, 2010 2:37 PM | Report abuse
@ dubious1
So
if the voter fraud is all republicans, why not use electronic voting?
It’s your best bet at eliminating fraud. I know I want to see the fraud
eliminated, tired of seeing the bag of votes someone forgot about
magically appearing, I want electronic voting because it will solve all
of the problems. They leave a paper trail, it’s as good and better than
your preferred paper ballot.
The DNC is afraid of electronic voting
machines because they have relied on the fraud that goes on in the
voting locations for so long. It’s quite clear to me. Your argument
makes no sense whatsoever.
Posted by: zardinuk | October 5, 2010 2:37 PM | Report abuse
Nymous
Yes one would THINK there should be a way to vote on line for at least
our Military.. however, while they allowed anyone to GIVE IT THEIR BEST
SHOT.. did that include CHINA who seems to LOVE to hack our Pentagon? It
is not just hackers HERE but elsewhere that we have to watch for..
Posted by: lcky9 | October 5, 2010 2:46 PM | Report abuse
Thank
God this crack attack has stopped the overseas military from voting.
Everyone knows that those people are the best possible representatives
of their city, and so they shouldn’t be allowed to vote, because they
might cause something good to happen if they could.
In another way,
this is more proof that the District of Columbia is going to get about
another $100 million to “improve its systems.”
Posted by: Extempraneous | October 5, 2010 2:51 PM | Report abuse
Yeah, baby! Saw off another chunk of that federal cash log!
Posted by: Extempraneous | October 5, 2010 2:53 PM | Report abuse
In
a city so replete with disfunction, where under every rock there is a
corrupt politician and/or contractor, who in their right mind thought
the government could implement a HACKER PROOF on line voting system?
Sheesh!
Posted by: Curmudgeon10 | October 5, 2010 2:57 PM | Report abuse
There
is an easy way to eliminate any voting fraud. Simply require a
biometric when a voter registers and each time he or she votes, with a
system that verifies the biometric. A fingerprint is provided at
registration and the same fingerprint is given when the voter votes.
It’s not rocket science, but the Party of Illegal Voters would fight it
to the bitter end… I’ll leave it to the reader to figure out what
party THAT is.
Posted by: danny70000 | October 5, 2010 3:04 PM | Report abuse
get the money back!!
stop paying these con artists…
seize their assests …
give to my charity…
Posted by: wingdingluey | October 5, 2010 3:08 PM | Report abuse
I
have never understood the rationale behind changing the voting process.
It worked. The new systems are fraught with the potential for mischief
and criminality. Voting by mail - a terrible idea. How does anyone know
that the ballots counted are truly the ballots received? There’s nothing
equivalent to a precinct where votes are tallied in a public way. And
voting machines? How do we know that they haven’t been hacked (as in
this story), except worse: to provide one party or another with an
advantage - whoever the hacker happens to favor?
Worse - how do we know that the hackers aren’t in the employ of one of the political parties?
I
want America to go back to the good old paper ballot (no chads). And a
requirement that you be intelligent enough to complete a ballot and live
with whatever careless mistakes you make after you drop the ballot in
the box. The time to correct your mistakes is before you drop it in the
box.
We OUGHT to be a nation of adults instead of winy entitled
spoiled brats who think that the sun shines up their a$$es and makes the
world a better place just because they have the wonderful decency to
show up.
Posted by: harrygett | October 5, 2010 3:12 PM | Report abuse
there
was a time when the washington post had enough clout to stop something
such as this fiasco long before the taxpayer ever got clobbered. and
internet access from jails and prisons keeps convicted felons actually
serving time from being disenfranchised. i gather the dc experiments are
off limits i.e. politically incorrect targets of the wash post. no
wonder your profits continue to drop. retro back 40 - 50 years if you
intend to remain in business. ps - when are you going to expose the
money pit known as pretrial services. possibly the biggest waste of tax
money on the planet.
Posted by: anonymoose1990 | October 5, 2010 3:22 PM | Report abuse
As
long as systems can be hacked no vital system - like voting - can be
entrusted to online technology. Even with manual systems if voter
tampering is discovered AFTER an election the results are not
overturned. The perpetrators are prosecuted (maybe) but the election
results are not overturned. Moreover, with cyber tampering it is
extremely difficult to find and prove direct links to the guilty. Add to
that how long it takes to move thru federal courts.
Posted by: aceswild1 | October 5, 2010 3:38 PM | Report abuse
I’m
wheelchair bound and have been for a couple years, I was on a chicago
thread yesterday about absentee ballots saying this same thing;
If I
can drag my tired broken azz to the local elementary school like I did
even before while becoming crippled from MS and did to vote against
Obama anyone else can too.
WTF?
We know online voting is nuts as
we can’t even keep dead liberals from voting the old way ;( , now we
want the CHICOMS, Ruskies and all to be able to as well, because THEY
WILL if they OK this anytime in the near future.
Posted by: chicagoray40 | October 5, 2010 3:50 PM | Report abuse

Wrap a band aid around the nose piece of those geeky glasses, then DeBonis can claim he did it.
Posted by: screwjob21 | October 5, 2010 4:06 PM | Report abuse
it would be fitting to use the anthem of the peoples republic of Ann Arbor
Posted by: jibreelriley | October 5, 2010 4:09 PM | Report abuse
@snipelee, what makes you think that your online access to banking and financial services are safe?
to the hacker.. Go Blue!
Posted by: SpecTP | October 5, 2010 5:07 PM | Report abuse
There
is nothing in the US more sacred than voting. If one cannot get off the
couch to go to the polls, they should lose their vote!! However, power
is enticing and the Left will not go down quietly!!
Posted by: MadonnaDJ88 | October 5, 2010 5:28 PM | Report abuse
Not good. These were just students. Real pros would have ZERO problem breaking that system.
Posted by: illogicbuster | October 5, 2010 5:39 PM | Report abuse
North Carolina is satisfied and is willing to buy the software unchanged for the November election.
Posted by: James10 | October 5, 2010 6:21 PM | Report abuse
The
only truly secure system is one that can be audited by the voters.
Voters should be able to log in at any time afterwards and confirm their
vote the same way they confirm their bank account balance.
Posted by: c094728 | October 5, 2010 6:53 PM | Report abuse
If
any of the students could hack it to change all repub votes to dems and
keep all dem votes, then it would have been a go for
Obomba/Pelousy/Reed express.
The student who hacked needs protection now.
Never
Forget the young men who were murdered so Obama could run for
office:
Donald Young, Nate Spencer, Larry Bland, Lt. Quarles Harris, Jr.
Posted by: LaVie | October 5, 2010 7:05 PM | Report abuse
Non-Taxpayers should not vote
Posted by: LaVie | October 5, 2010 7:11 PM | Report abuse
Thank
you Hacker! This just shows how dangerous and vulnerable online voting
is. This person did us a favor. Just think if he can do it what is to
stop the government or a candidate hiring someone to do it. Ever hear of
black ops? These a..holes have the key to every server. Thank you very
much.
Posted by: sdchanman | October 5, 2010 7:24 PM | Report abuse
This is old news. How do you think the Obama Mafia got Barack elected?
Posted by: DigitalBob1 | October 5, 2010 7:41 PM | Report abuse
Okay,
all you dopes who thought online voting could be relied upon, raise
your hands. Now, put your hands down and go stand in the corner.
GET THIS NOW, GET IT RIGHT AND HOLD ONTO IT:
THERE
ARE NO MACHINES THAT ARE AS GOOD AS A PAPER BALLOT, WHETHER MARKED OR
PUNCHED. YOU MUST STOP IMAGINING THAT SIMPLY BECAUSE A THING CAN BE DONE
ON A COMPUTER THAT IT THEREFORE MUST BE DONE ON A COMPUTER.
JM (Electronics/Computer Systems Engineer with decades of experience)
Posted by: JMinSanDiegoCA | October 5, 2010 7:59 PM | Report abuse
I
can only imagine Obama sitting up late with his laptop at his side,
trying to figure out how to enlist these folks to rig the 2012 vote. He
should be banging Michelle but have you taken a good long look at her
face???????
Posted by: dougonesko | October 5, 2010 8:41 PM | Report abuse
The Democrats will hack the voting process, whether or not computers are involved.
Posted by: Jack64 | October 5, 2010 8:50 PM | Report abuse
I don’t care what song they played to hail the voting system, that’s some funny $hit!
Posted by: jayesouthworth | October 5, 2010 8:56 PM | Report abuse
Haha.
When will people figure out anything that involves a computer can be
compromised? Especially if it’s online, since the guy doing it doesn’t
have to be anywhere near the actual machines. Some things are just best
kept offline.
At least they tested it openly rather than hoping a
flimsy attempt at security through obscurity would save them, unlike
*some* electronic voting efforts.
Posted by: CppThis | October 5, 2010 11:30 PM | Report abuse
The “system” was compromised in 2008 when DUH WON.
Posted by: LoneWolf1 | October 5, 2010 11:41 PM | Report abuse
snipelee:
Why is it that I can safely access my bank accounts, investment
accounts, Ebay, etc. from virtually anywhere on the planet, but I cannot
vote online?
For one thing, because voting includes a “secret ballot”.
There
are a number of commercial startups addressing the on-line voting
“market”. Their sites generally contain white papers explaining the
problems and their solutions. Read a few.
Secret ballots are an
example of voting system problems eBay and banks don’t have. The voting
system must be able validate that each counted vote comes from one and
only one voter. But the system cannot know who that voter is. And, at
the same time, the system must be able to prove to you that your vote
was counted one and only one time - and it was for who you voted for.
Except, again, the voting system cannot know who you voted for. Take a
minute to think of a way to do this.
That said, it sounds like the
problem with this site had nothing to do with voting and everything to
do with running a secure web site. That also said, it’s one thing for a
few thousand, full time, highly paid, expert specialists to run a secure
web site, and quite another for 10’s of thousands of amateurs to do so.
That means that, unlike a paper system run by amateurs and subject to
the sorts of controls a normal person can understand (try not to let
dead people vote, don’t lose the ballots, etc), on-line voting systems
will either be run centrally by pros (do you trust them? why?) or be
turn-key products produced by pros (do you trust them? why?). And, in
either case, they’ll run like the dozens of computers running in your
new car - outside your knowledge and vision.
And, as another example
of why eBay and banks are not like voting systems: eBay and banks tend
to have custom systems. You break one, the others still stand. Every
county ain’t gonna roll their own, custom on-line voting system. If all
counties buy the same system - well, you break that system, you can
pretty much count on getting that paving contract anywhere you bid for
it.
Posted by: bar_washington_post | October 6, 2010 3:54 AM | Report abuse
When
are people going to learn that NOTHING online is secure. My god Hugo
Chavez could be elected president with this system. Or worse BHO might
get re-elected.
Posted by: backliner | October 6, 2010 4:57 AM | Report abuse
This
is very likely a test of the DNC ability to hack the system in
preparation for Massive cheating in the coming elections. NAAAHHH
couldn’t be….thats much too far fetched!
Posted by: rabiddog9 | October 6, 2010 7:05 AM | Report abuse
Might
this online voting ploy be another misguided attempt by Obama’s people
to once again by way of deception insure a victory in the upcoming
November elections? After all, that is the only possible explanation for
2008!
Posted by: hindsight2040 | October 6, 2010 7:16 AM | Report abuse
Go Blue!
Posted by: gb11231 | October 6, 2010 1:21 PM | Report abuse
It
is shameful that the scientific community allows ego driven agendas to
impede efforts to secure the vote counting process. We know open source
and paper ballots are minimal mandatory requirements. Hopefully OVC will
address oversea ballot issues- as they have effectively demonstrated
open source / paper ballot systems for precinct use.. We don’t need
licensing schemes and ego games.. we need election system security !!
Posted by: UnderdogUSA | October 10, 2010 10:22 PM | Report abuse
The
only ones that seems to be seeing this correctely are JMinSanDiegoCA
and c094728 with a few other interspersed good ideas. There is a world
of difference between an excellent computer scientist and one that
specializes in security. Even if they do correct the problems in the
system it still has excised the most important element - people who can
monitor to make sure things are progressing fairly. There is a reason
polling places have at least both a Republican and a Democrat running
them. Both are there to assure as much as possible voting fairness. If
you don’t like the system then get involved in how to correct it by
being one of these polling control people or blogging about where you
have actual proof the system is failing. It would be nice to also have a
post check to make sure what you voted for actually happened.
As to
the people complaining about the absentee ballot, shame on you. The
people in the armed forces in Iraq, Afghanistan, and other parts of the
globe, many in harms way have just as much right to vote as you do. They
maybe have even more right to vote than you do. I for one want to make
sure they have that right and opportunity to vote. If I was a Democrat
and they were all Republicans I would still want it. Ditto for
vice-versa. This is not a partican issue.
Please, lets keep this
central to the point at issue, which is whether we can trust online
voting. As one of those computer security analysts I have to say the
answer is no. If you see it differently my answer will still be no. The
instant something is open to attacks from the entire world then the more
likely it is to be successfully attacked. Really, they didn’t have the
sucker protected from a shell injection attack? Bad. REALLY BAD!
Posted by: hhhobbit | October 11, 2010 1:22 PM | Report abuse
Post a Comment
We
encourage users to analyze, comment on and even challenge
washingtonpost.com’s articles, blogs, reviews and multimedia features.
User
reviews and comments that include profanity or personal attacks or
other inappropriate comments or material will be removed from the site.
Additionally, entries that are unsigned or contain “signatures” by
someone other than the actual author will be removed. Finally, we will
take steps to block users who violate any of our posting standards,
terms of use or privacy policies or any other policies governing this
site. Please review the full rules governing commentaries and
discussions.

You must be signed in to washingtonpost.com to comment. Please sign in.

https://www.schneier.com/blog/archives/2004/11/the_problem_wit.html

About Bruce Schneier

I’ve been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I write books, articles, and academic papers. Currently, I’m the Chief Technology Officer of Resilient Systems, a fellow at Harvard’s Berkman Center, and a board member of EFF.

Schneier on Security

Amtrak “Security”

Amtrak will now randomly check IDs:

Amtrak conductors have begun random checks of passengers’ IDs as a precaution against terrorist attacks.

This works because, somehow, terrorists don’t have IDs.

I’ve written about this kind of thing before. It’s the kind of program that makes us no safer, and wastes everyone’s time and Amtrak’s money.

Tags: ID cards, identification, public transit, security theater, terrorism

Posted on November 19, 2004 at 10:03 AM
•
27 Comments

Comments

Scott Johnson • November 19, 2004 2:26 PM

At least it’s only random, so it won’t waste as much time as checking EVERY ID.

Jeremy Hilliker • November 19, 2004 3:04 PM

“It is a ticket verification program, which is not intended to
determine a person’s identity, but to make sure the person who’s
traveling with the ticket is the person whose name is on the ticket,”
Black said.

It’s a business move to stop the resale of tickets by people who
don’t want them anymore. Now you can’t buy the tickets from someone who
needs to dump their’s in the classifieds. This is the same reason that
they check IDs on airlines. It’s not for security, it’s to increase
revenue.

mindwarp • November 19, 2004 3:18 PM

Random? My ID gets checked every single time I board an Amtrak bus or
buy an Amtrak ticket. When I buy a ticket after boarding a bus, my ID
is checked TWICE. When are IDs *not* checked?

W.P. Fleischmann • November 19, 2004 4:04 PM

No, it works because they have IDs that say “Terrorist” on them–silly!

Nick • November 19, 2004 9:52 PM

So, if you want to travel on AmTrak, you have to have your papers
with you, so you can present them when the guard says “Show me your
papers!”

Patrick Berry • November 20, 2004 1:46 AM

Just more of the “look we are doing something” mentality. The
theory that by doing anything, even something incredibly dumb, you have
a non-zero chance of catching a bad guy/gal is just too irresistible I
guess.

Bruce, is it just that Amtrak is ignorant of how to enact useful
security measures or do they really think this will a) work or b) be
good PR?

Matthew X. Economou • November 20, 2004 4:25 PM

I do not understand why tickets are non-transferable. Is this simply
a revenue generation tool, or is there another reason (e.g. to stop
ticket scalping)?

Zak Braverman • November 21, 2004 2:26 AM

Bruce, you’ll love this.

I live in Japan and whenever I get money wired to me from the US
someone from the Japanese bank branch calls me and asks what I’m going
to use the money for. This is (I’ve asked) to prevent the money from
going to things like the Red Army, N. Korea, or terrorists.

All the Americans I tell about this roll over laughing, but it has never occurred to Japanese people just how stupid this is.

“Darn, I guess you caught me!! I was going to give it to the Red Army. How come you bank people are so crafty?”

Ste • November 22, 2004 4:08 AM

This is probably just another case where “doing something against
terrorism” is used as an excuse to pursue another, completely unrelated
goal (a commrecial one?).

john • November 22, 2004 6:50 AM

i am reading ‘the outlaw sea’ now, and the author there, in a similar
situation, points out that if someone were to get found without an ID,
that would probably better demonstrate innocence, since someone up to no
good is obviously going to take care of the details like ID

Oliver • November 22, 2004 9:33 AM

When I recently took Amtrak through Montana, border patrol cops
boarded the train outside Glacier. They claimed to be looking for
illegal Canadians, but as far as I can tell they just wandered up and
down the train glancing at people. I guess they know what Canadians look
like compared to Americans.

piglet • November 22, 2004 11:31 AM

So it seems that Amtrak tickets are personalized, like plane tickets?
That’s sad. Of course, it only makes sense to put passengers’ names on
the tickets if you intent to verify the ticket holders’ identity, so you
shouldn’t be surprised at all. But why do they put your names on the
tickets? Maybe that’s what you should complain about.

In Europe, at least, where many people travel by train than in North
America, a train ticket is still a train ticket, proof that you have
paid the fare. You have a valid ticket, then you can take the train,
usually any time you like within its period of validity. Many tickets
are nowadays bought at ticket machines. The transaction takes a few
seconds. The idea to put passengers’ names on their tickets hasn’t yet
sugested itself to train operators. Let’s hope they’ll never try to
imitate the American way.

piglet • November 22, 2004 11:32 AM

Sorry, more people than in America.

Alison • November 23, 2004 7:23 PM

Hey, I was wondering if they are doing this only to give the
“perception of security” which you mentioned in Beyond Fear. Perhaps I
am giving them too much credit.

oyving • November 23, 2004 9:17 PM

I took the train from Albany to New York City right after they
implemented this measure. There was a call over the calling system
telling us to keep ID ready in case the conductor would ask for it. The
conductor then proceeded to ask, “If there are any terrorists here,
please tell me now.” Then he proceeded to check our tickets and never
asked for ID.

DaveL • November 29, 2004 3:10 PM

Very good, but I still haven’t seen anything to match one of the
“security” programs instituted at the Honolulu airport after 9/11, which
still seems to show up every now and then: a couple of security guards
sit outside the parking garage and check the trunk of every incoming
car. Apparently they’re looking for large red boxes that say “BOMB” in
3-inch letters. If you’re smart enough to put your bomb in a suitcase,
no problem, because they’re not doing anything more than taking a
cursory look into the trunk. And don’t even get me started wondering
why a terrorist would choose to bomb the airport parking garage as
opposed to, say, a shopping mall.

Tyree Currie Jr.` • December 14, 2004 9:45 PM

Please advise me; How can I receive an application to apply for work
with AMTRAK? I have 30 years of experience in Law Enforcement and
Security.

Thank you in advance

Scott Mace • December 22, 2004 6:06 PM

What’s MOST shameful is that our vigilant U.S. press totally
overlooked this story for 15 days, until I posted a message to Dave
Farber’s mailing list, that I myself was subjected to one of these I.D.
checks November 9 on board an Amtrak train in California, after a stern
warning “papers please” lecture delivered to all passengers on board.

I was only thankful that my father had died the day before and hadn’t
lived to see the liberties he fought for in two wars so thoroughly
trampled upon. “Your papers please” has landed — no one even wanders
the aisles of airliners asking for I.D. It’s not far from here to roving
random law enforcement checks of anyone on foot, anywhere in the U.S.

matt • January 1, 2007 10:19 PM

As a former Amtrak employee allow me to provide insight…the purpose
of checking ID’s has a few important purposes: 1 in case of a tragic
event there will be a passenger list with actual names and phone numbers
of pax, 2. as many are unaware amtrak’s many many employees have the
ability to recieve unlimited train tix as a contracted right through
thier union agreements, amtrak is doing this as a means of keeping
employees honest and not allowing the employees to give away and or sell
these free tix to non employees - amtrak does not have any one in
buissiness withem!

keeplosingmoney • May 28, 2007 8:23 PM

They’re already losing money. Now, people who don’t want to be
harassed won’t ride, so they’ll lose even more money. Good for them.

barb • August 10, 2007 8:46 AM

as i sat on a amtrak train looking over the beautiful sites of dc, i
suddenly thought how easy could it be to put a bomb on the train! i got
off in philly, had a friend drive two hours to pick me up! I cancelled
my return reservation and had my friend drive me to the cape may ferry,
where I went thru security and had my husband drive 4 hours up and 4
hours back- no moore trains for me!

barb • August 10, 2007 8:46 AM

as i sat on a amtrak train looking over the beautiful sites of dc, i
suddenly thought how easy could it be to put a bomb on the train! i got
off in philly, had a friend drive two hours to pick me up! I cancelled
my return reservation and had my friend drive me to the cape may ferry,
where I went thru security and had my husband drive 4 hours up and 4
hours back- no moore trains for me!

YONICK • February 28, 2008 12:02 AM

DON’T SEE WHAT ALL THE FUSS IS ABOUT. HOW MUCH HASSLE IS IT TO SHOW A
PICTURE ID TO AN AMTRAK EMPLOYEE. LIGHTEN UP THE TRAIN IS STILL THE
GREATEST WAY TO TRAVEL.

Caroline • April 29, 2010 9:12 PM

If it’s for security purposes, let’s say a person has a foreign
passport, would they look at the picture and the name only or would they
check for a Visa too? Someone said terrorists don’t have IDs, but they
would probably still have a passport (assuming they’re foreign, because I
believe there have been terrorists who were born here, which in case
they WOULD have an ID).

Alex • May 30, 2010 2:02 AM

Even if there ARE terrorists in a train, what are they going to do? Hijack the train and crash a skyscraper with it? Hahaha

Keith • November 28, 2010 4:12 PM

I realize this is and old article but showing ID is meaningless. You
should be able to buy your ticket at a kiosk in any airport or bus
terminal by cash or credit and hop on in less than 5 minutes. This
security theater is a useless waste of time. Checking to see the name
on an ID matches a ticket is moronic and another waste of time. Lock
the cockpit, lock the conductor doors and be done with it. Stop taking
away my right to travel freely by encroaching on the 4th amendment.

Lisa • March 7, 2013 8:02 PM

Actually, amtrak is very generous when it comes to refunding tickets.
So there’s really no need to “dump” tickets on someone else.

http://iipdigital.usembassy.gov/st/english/publication/2008/05/20080523104533wrybakcuh0.2701227.html#axzz3tDe8D7qq

http://www.akamaiuniversity.us/PJST11_1_649.pdf

http://www.cartercenter.org/documents/nondatabase/automatedsummary.pdf

http://www.notablesoftware.com/evote.html

Electronic Voting

Rebecca Mercuri, Ph.D.	Updated 9/1/10
P.O. Box 1166 — Dept. EV Philadelphia, PA  19105	notable AT notablesoftware DOT com
215/327-7105 or 609/587-1886 10AM-6PM U.S. Eastern Time, Mon.-Fri.  (Please try the 609 number first)	http://www.notablesoftware.com

---

The
contents of this webpage and website are Copyright © 2000 - 2010 by
Rebecca Mercuri. All Rights Reserved. All material is protected by
copyright attributed to Rebecca Mercuri where she is the sole author,
or
the original sources otherwise.

I am
available
for comment, consultation, expert testimony, and lectures on electronic
vote tabulation, and can be contacted via the information at
the top of this page.  Members of the press and researchers
seeking interviews and quotation permissions may find it helpful to
look
at the guidelines posted here. I
would appreciate it greatly if calls can be limited to the hours of
10AM
- 6PM, U.S. Eastern Time, weekdays.

Follow links
to full text of papers and articles. Papers not linked may be available
on request. As this website is rather long, I’ve highlighted certain
“must read” papers and articles using red asterisks (*). For a good overview of the subject, search
for these first and read the text at their adjacent links.

Statement

I am
adamantly
opposed to the use of fully electronic or Internet-based systems for
use in anonymous balloting and vote tabulation applications.  The
reasons
for my opposition are manyfold, and are expressed in my writings as
well as those of other well-respected computer security experts. 

At the
present time,
it is my strong recommendation that all election officials REFRAIN from
procuring ANY system that does not provide an indisputable, voter
verified paper ballot.

Communities
have gradually discovered that manually prepared paper balloting
systems, augmented with assistive paper ballot-marking devices for use
by the disabled and those with literacy and language issues, can
typically be procured and maintained for considerably less than half of
the price for a Direct Recording Electronic (DRE) with touch-screen or
push-button input, or DRE/VVPAT (DRE with ballot-printer) system.
Ballot-marking devices do not need to be
electronic or computer-based. Opscan-style ballots can (and should) be
entirely
hand-counted. Paper ballots increase voter confidence by offering the
best in terms of reliability, usability and recountability, as well as
being highly cost-effective.

Since 2003,
because of unresolvable problems with the implementation and deployment
of the DRE/VVPAT systems, and the difficulties experienced in using the
VVPATs in recounts, I have recommended AGAINST the purchase of these
devices.

A detailed
explanation of these points, along with my suggestions regarding the
selection of appropriate voting equipment, is provided in the full text
of this statement, available *here*. 

Table of Contents

Statement	A Bit of Levity
Electronic Voting Update	Voting Presentations
World Democracies	Press Quotes
US Voting Rights Act	Sound Bites and Video Clips
Writings by Rebecca Mercuri	Join My Email Group
Related Writings by Other Authors	Recount Assistance
State Reports	Additional Links
California Florida New Jersey Ohio and Pennsylvania (coming soon!)

ELECTRONIC VOTING UPDATE

Danger to Democracy #1 National Popular Vote (NPV) legislation has been creeping into state after state. Fot those of you who don’t know what it is, NPV, when fully enacted, would MANDATE that states cast their electoral votes, NOT how the voters of those states intended, but rather to the winner of the NATIONAL popular vote. Yup, YOUR electors would be REQUIRED to cast their Presidential votes to the AGGREGATE US highest vote-getter, REGARDLESS of who the winner was in the state itself. I can’t imagine how this could even remotely be deemed Constitutional (remember the concept of States’ Rights?) but it would likely take a team of Harvard-educated lawyers to argue this point before the U.S. Supreme Court. If enough states (they only need a total of 270 electors) are stupid enough to allow their legislatures to pass the bill and their Governors sign it, then we’re ALL hosed, even if your own state doesn’t sign on. Here’s what it really means and why it’s on my evoting website – states that have unauditable voting will be incentivised to increase their bogus vote totals for President well beyond what they need to do to win their own state, enough so that they can shift the national total to the candidate of their choice! This is no problem for places like Ohio, where observed variations in the number of persons who sign the polling book from the number of ballots recorded on the machines, in over 80% of precincts, is somehow considered “normal” — or in Florida where the citizens vote on paper ballots read by optical scanners but prohibited from review via manual recounts. Basically, if NPV becomes law, then the Crooks are in Control for sure. To find out the status of NPV in your state, check http://www.saveourstates.com – if it does not say “enacted” yet, then let your State Senator, State Representative and Governor all know RIGHT AWAY that this is a HORRIBLE idea that should not become law.

Danger to Democracy #2 The same group that has been promoting NPV is also hawking Instant Runoff Voting (IRV). Certainly not coincidentally, the key founder of the organization behind both of these absurdities is none other than John “the spoiler” Anderson. IRV is getting a foothold with naieve communities who would like to believe the snake oil salesmen’s claims that by making the voting selection process harder (not easier) this somehow further enfranchises beleaguered minority groups and third party candidates. The reason why I’m mentioning IRV here is again because of the voting machines. Heck, we can’t even prove that these devices (whether DREs or scanners) are adding 1+1=2 properly. It’s all a trade secret and we’re not allowed to check the algorithms. How can we ever hope to verify that the complicated math needed to generate the IRV totals has been programmed and implemented correctly? If you find yourself in a conversation with anyone supporting IRV, just ask them to show you ON PAPER how to tally the election and then watch them squirm. Make sure your municipality, county, and state does not fall for IRV. For more on how to help oppose IRV, check out http://www.instantrunoffvoting.us .

Danger to Democracy #3 Perhaps because Americans are considered to be notoriously lazy, our election officials would rather find excuses for not hand-counting all of the ballots in order to verify the results produced by the computers. Of course, the reasons given for not checking the totals at each precinct (before the ballots are removed and have a chance to mysteriously wander away) are often ones of cost or expedience. As it turns out, a small team of vote counters (perhaps drafted as for jury duty), using a simple bin (not binary) method should be able to hand-tabulate all but the most complex ballots in time for the 11 o’clock news (assuming that the polls close at 8PM). (For the computer scientists, it helps to recall that a bin sort is O(n).) Of course there are plenty of mathematics wonks, and even a few Congressfolk, who would like us to believe that a random percentage audit is all that is necessary to confirm the electronic tallies. This is provably untrue. Even so, such formulas require that increasing percentages be audited if anomalies are detected, so you might as well just count all the ballots from the get-go to avoid the further hassle. For a detailed explanation of why partial audits don’t work, see my post on the CNET Defensive Computing blog at http://news.cnet.com/8301-13554_3-9876062-33.html . Oh, and if someone tells you that if people touch the ballots they’ll change the votes, just explain that page feeders could be used with opaque projectors to display the papers without human handling.

Voter Verified Paper Ballots — An Informational Brochure: An explanatory brochure has been prepared in response to the myths and misinformation that are currently being circulated by those who are opposed to independent election auditing.  ”Facts About Voter Verified Paper Ballots” can be downloaded, printed on double-sided paper, and freely distributed (if in its entirety and unedited). Although DREs with VVPBs are an improvement over DREs without them, because of numerous issues related to the construction and use of VVPBs (some of which are noted below), since 2003 I have recommended AGAINST the purchase of these devices. Ballots should be prepared on paper (not computers) and counted from the paper (preferably by humans).

The Act that did not help America Vote: The 2002 Help America Vote Act (HAVA) legislation authorized $3.8B in federal spending, with a substantial portion of these funds allocated to US states and territories for the purpose of replacing their punch card and lever voting machines and making voting systems accessible to the disabled.  To obtain the money, an implementation plan had to be submitted to the Election Assistance Commission by January 1, 2004. States were NOT required to purchase fully computerized voting systems, they could obtain mark-sense (optically scanned) products that use paper, but in order to receive certain of the equipment funds, the plan had to indicate that the state would replace all of its lever and punch card machines by the first election for Federal office held after January 1, 2006. New York was the only state that decided to retain its lever machines. The Presidentially appointed 4-member HAVA Election Assistance Commission, in addition to approving each of the state plans, was also to be responsible for administering a host of other tasks, not the least of which included overseeing a 14-member Technical Guidelines Development Committee and a 110-member Standards Board, and making provisions for “testing, certification, decertification, and recertification of voting system hardware and software by accredited laboratories.”  The Technical Guidelines Committee was to have produced a set of recommended voluntary voting system guidelines nine months after appointment, and it was understood that these guidelines would be the ones used by the laboratories in their certification and testing processes. What actually occurred was that the members of the HAVA Commission were appointed nearly a year late and the establishment of HAVA Committees and Boards were similarly delayed. Thus, the Technical Guidelines were NOT available by the time that state implementation plans were due. This resulted in 9 states requesting HAVA extensions, and many others contracting to purchase voting systems that could not possibly be HAVA compliant, since no official HAVA standards yet existed. A further setback occurred at the beginning of 2004, when the National Institute of Standards and Technologies (NIST) announced that it had to curtail all work related to HAVA (despite their named role in the legislation), due to Federal budget cuts (funds were later reinstated for the election project). Those of us (including myself) who had worked hard for this bill were sorely disappointed that the most salient aspects of its implementation were stalled, while initial equipment purchases were allowed to proceed under grandfathered and obsolete standards. Many municipalities (including in California, Florida and elsewhere) purchased voting equipment that subsequently had to be replaced due to non-compliance, system failures, and security and auditability concerns. It has taken years to only partially unwind the many problems caused by the feeding frenzy generated by overzealous voting system vendors seeking the HAVA funds, fueled by gullible election officials who were intimidated into doling the money out for products that were not yet ready for prime time. Some of this unnecessary waste of funds could have been avoided, had Congress merely extended the HAVA deadlines, or had the appointments and work proceeded on schedule.

But vendors said their voting machines were certified: U.S. voting systems, beginning in 1990, have been certified under a system originally established by the Federal Election Commission (FEC) and a private group, the National Association of State Election Directors (NASED). Testing fees are paid, by the vendors, to certain qualified Independent Testing Authorities and examinations are conducted secretly without any results (other than a final passed status) issued publicly. This certification was, at first, based on the FEC guidelines adopted by only 37 of the states and criticized by technologists as flawed.  (See my detailed comment The FEC Proposed Voting Systems Standard Update.)  According to their website, even “the FEC recognizes that the Help Americans [sic] Vote Act of 2002 will fundamentally alter the long term application of the Standards, including testing.” Some problems with the FEC standard included the lack of a requirement that vote tallies be independently auditable, the allowance of trade-secret code that may not be able to be inspected should an election contest question the proper functionality of a voting system, the use of commercial software products in balloting and tabulation systems without any inspection at all, and no provision for re-examination or decertification when problems are later identified. Even when additional state certification inspection has been performed, there may be no guarantee that any particular system has been appropriately configured prior to deployment. Revelations that uncertified software was used in at least two California elections (including the Gubernatorial recall) led to the mandate that voter verified paper ballots be added to their fully-electronic voting systems. Under HAVA, the certification program was restructured under the Election Assistance Commission (EAC) and Thomas Wilkey, the individual formerly responsible for this task under NASED, was appointed as the EAC’s Executive Director, where he has continued to perform oversight of the testing and certification tasks. The EAC generated a new set of Voluntary Voting System Guidelines, which was approved in December 2005, far too late to have any systems tested and deemed compliant in time for the 2006 HAVA deadline for replacement of lever and punch card systems. Though there were some slight improvements, these guidelines suffered from most of the same problems as did the FEC standard (as noted above and in my comment to the EAC). A proposed revision (including the MIT/NIST-proposed Orwellian concept of Software Independence – that a voting machine could contain software but somehow be independent of it) was issued for public comment in 2009 as VVSG 1.1, but portions were harshly criticized (including earlier by myself) and it has not yet been approved. Many of the voting systems that have been certified under the 2005 EAC standard were subsequently found to be faulty in actual elections or via independent studies (reports commissioned by state or local governments are posted at http://www.eac.gov/testing_and_certification/voting_system_reports.aspx ). The list of certified voting systems can be found at  http://www.eac.gov/testing_and_certification/certified_voting_systems.aspx but these are only the current certifications. Obsolete certifications cannot be easily checked, nor is the older equipment recalled.

What about Internet voting? Internet voting is risky due to its sociological and technological problems. Absentee balloting does not provide the safeguards of freedom from coercion and vote selling that are afforded via local precincts. Internet voting creates additional problems due to the inability of service providers to assure that websites are not spoofed, denial of service attacks do not occur, balloting is recorded accurately and anonymously, and votes are only cast by the authorized voter themself. The government’s website warned that “it is the citizen’s responsibility to maintain the latest anti-virus software for their computer” in order to assure safety, yet they failed to acknowledge the fact that anti-virus software can only protect against known malware (new ones appear constantly, and could occur during an election season) and server-based attacks are still possible. Certainly citizens overseas should have an opportunity to vote, but perhaps this could be handled by setting up remote balloting precincts at the U.S. Embassies, or by creating bi-partisan poll-worker teams on military bases? Back in 2000 when the U.S. Department of Defense first tried Internet voting they spent $6.2M so that 84 voters could cast ballots.  Subsequently, the DoD engaged Accenture, the Bermuda-based consultancy arm of the former Arthur Andersen (can we spell Enron?) group at a cost of $22M to oversee its SERVE project for military personnel and overseas citizens. Following issuance of an analysis by four computer scientists who were members of the SERVE Security Peer Review Group, the Pentagon decided to scrap plans for the use of this technology to cast ballots in the 2004 Presidential election.  But it’s far from gone — the DoD dabbled with the concept of Internet voting prior to the 2008 election and was shot down again by the same scientists on many of the same grounds. We’ll likely see some variation of this project surface again as we near 2012. Need I say more? (If so, see the World Democracies and Press Quotes sections.)

Who created the Voter Verified Balloting concept? Rebecca Mercuri coined the phrase in her comment: “Explanation of Voter-Verified Ballot Systems” in The Risks Digest, ACM Committee on Computers and Public Policy, Volume 22, Issue 17, July 24, 2002. Mercuri first addressed this concept in her paper: “Physical Verifiability of Computer Systems” presented at the 5th International Computer Virus and Security Conference in March 1992, and a more detailed description appeared in her Doctoral Dissertation, defended October 27, 2000. An artist’s rendering of a “Mercuri Method” voting system (they need not be so elaborate) appeared in her October 2002 IEEE Spectrum article, “A Better Ballot Box.” The earliest description of a “ballot behind glass” was provided by Tom Benson in The Risks Digest, Volume 2, Issue 22, March 4, 1986 and elaborated on by Kurt Hyde in The Risks Digest, Volume 2, Issue 24, March 8, 1986. The difference between these methods and Mercuri’s involves her requirement for a deliberate verification step, and also the recognition of the paper ballot as the authoritative record of the voter’s choices (in the event of a dispute, the paper version would prevail over any electronic data). This design concept was deliberately never patented by any of the inventors so that it could be freely incorporated into election systems. Shortly after the November 2000 Presidential election, the Avante company submitted a patent application that incorporated much of this prior art (including block diagrams very similar to those displayed at Mercuri’s October 2000 dissertation defense and at a subsequent publicly-attended ACM talk she presented in November 2000, at the Sarnoff Center, situated just a few blocks down the road from Avante’s offices). Avante has tried (largely unsuccessfully) to pursue infringement claims against some of the vendors who have implemented ballot printers. Note that a “voter verified paper ballot” (VVPB) is not the same as a “voter verifiable audit trail” (VVAT). Many vendors and some scientists believe that an audit trail of electronically recorded ballots can be made secure (possibly through encryption or other mechanisms), but no such systems have yet been validated through rigorous mathematical proofs, nor can they be independently confirmed for correctness by non-technical poll workers, election officials or ordinary citizens. A great demonstration showing why electronic audits and pre-election testing are inadequate can be viewed at: www.wheresthepaper.org. Simply adding paper “receipts” as some have proposed, to the system, is not sufficient. The voter must be required to perform an action that confirms that their choices have been recorded correctly on the paper, hence making it a verifiED (rather than just “verifiABLE”) ballot in a legal sense. The paper ballot must not provide any feature that could be used to violate voter privacy or encourage coercion and vote selling. These voter verified paper ballots must be used to produce the certified vote totals and be available for scrutiny in case of election contest or recount.

Think about it: Scientists had been warning for years about the devastation that might result from a major hurricane on the Gulf Coast. But the U.S. Congress failed to provide $35M to fully fund previously approved projects to build and improve levees, floodwalls and pumping stations in the Lake Pontchartrain region. The federal government did (prior to Katrina) allocate some $37M to Louisiana under the Help America Vote Act, primarily for the purchase and upgrade of fully electronic voting systems that provide no mechanism for independently auditing ballots and vote totals. The Civil Rights Division of the U.S. Department of Justice issued a memorandum opinion affirming that voting systems that include contemporaneous paper records, allowing voters to confirm that their ballots accurately reflect their choices, do not violate HAVA or ADA laws, so long as a similar capablility (such as can be provided by audio equipment) is available for use. This could include tactile ballots, an inexpensive (non-computer) alternative for the visually-impaired that has been used successfully in Rhode Island, Canada, Peru, and Siera Leone.

Mark your Calendar: I will be conducting a computer forensics seminar/workshop for the Princeton ACM/IEEE Computer Society on November 13, 2010. One of the sections of this short-course will overview voting system investigations. Further information is available at http://princetonacm.acm.org/meetings/mtg1011s.pdf . Advance registration is required and there is a fee for attendance.

The articles linked below in my writings section provide an illustration of the magnitude of problems encountered with electronic voting equipment and offer some suggested solutions. My analyses are based on computer science and engineering facts, and are not politically motivated. Please try to read some of the *red starred* materials before contacting me for further clarification or assistance.

World Democracies

Election
officials in world democracies often want to believe that the
situations in the USA are dissimilar to those in their own countries.
Although
laws and procedures may be different, the computer introduces universal
vulnerabilities to privacy, accuracy, and security in elections.
All democratic nations should be advised to use caution in their
deployment of new systems, and avoid those products that do not produce
a voter-verified paper audit trail.

The United
Kingdom and other European countries have begun initiatives to convert
all or part of their voting to electronic balloting (kiosk/DREs and/or
Internet-based) systems. Europe appears to be rushing ahead to deploy
computer voting technologies with serious sociological
and technological downsides, such as lack of auditability, and
increased opportunities for vote selling, monitoring, coercion, and
denial of service attacks. During mid-October, 2002 I visited England,
on the invitation of the Foundation for
Information Policy Research, to meet with and brief members of the
UK Cabinet and Parliament regarding this subject, and to provide
technical lectures at the Royal Academy of Engineering and Cambridge
University. My comments to the Cabinet are posted *here.
I also formally submitted an additional
follow-up comment as part of their “In the Service of Democracy”
consultation, which explains why Internet voting is not appropriate for
UK democratic elections.  Media coverage of my UK tour can be
found over in my press section.
Information on the electronic voting project in Ireland can be found
at http://www.evoting.cs.may.ie.
Thanks to the unflagging efforts of this group and others (including
myself) who strongly protested the change from paper and pencil voting,
in 2009 it was announced that “the Government has decided not to
proceed with electronic voting in Ireland.” Over in the Netherlands,
the Dutch group “We Don’t Trust Voting Computers” successfully hacked a
NEDAP voting machine, turning it into a chess-playing device. On
October 1, 2007, the District Court of Amsterdam decertified all NEDAP
voting computers currently in use there. Further information at http://wijvertrouwenstemcomputersniet.nl/English .

The Brazilian
government converted to fully electronic voting in 2000, deploying over
400,000 kiosk-style machines.  Although their elections are often
compared to those in the US, they are actually quite different because
the voters cast ballots by using numbers assigned to each candidate
(this is necessary because of a high degree of illiteracy in the
country). Concerns regarding accuracy of the self-auditing systems
caused the legislature to mandate a retrofit of 3% (some 12,000
machines) to produce a paper ballot that the voter could peruse and
deposit in a box for recount (the first large-scale use of the “Mercuri
Method” — described more fully in “A
Better Ballot Box?“). These paper-trail machines were
successfully used during the October 6, 2002 election, and it is
believed that the rest of their machines will eventually be retrofitted
as well. Further discussion on this subject can be found in the
article: *“The importance of
recounting votes” by Michael Stanton (originally published in
Portuguese as “A importância da recontagem de votos“, on
the
website of the Agência O Estado de São Paulo, November
13, 2000). There is also an informative website: Brazilian Electronic Voting Forum
by Amilcar Brunazo Filho.

US Voting Rights Act

In the wake
of
the Florida 2000 election, a number of voting rights bills were
proposed in Congress. On May 22, 2001, the U.S. House of
Representatives Committee on Science convened a Hearing on Improving
Voting Technology: The Role of Standards.  I was joined on the
invited panel by Dr. Stephen Ansolabehere (MIT), Mr. Roy Saltman (NIST
- retired), and Dr. Doug Jones (University of Iowa).

• A report issued by NIST,
  overviewing the session, is available at http://www.nist.gov/hearings/2001/votetech.htm. 
• The transcript, “Full
  Committee Hearing on Improving Voting Technology: The Role of
  Standards” should be available from the House Science Committee. 
• Press coverage of the
  hearing can be found here.

These hearings
resulted in House Bill H.R. 2275, the Voting Technology Standards Act
of 2001, issued from the Subcommittee on Environment, Technology, and
Standards on June 27, 2001, which was presented with the bipartisan
co-sponsorship of Congressman Vern Ehlers and Congressman Jim Barcia.
Eventually this bill was incorporated into H.R. 3295, the Help America
Vote Act of 2002. The final version can be
found at http://thomas.loc.gov.
Although
this bill authorized spending of over $4B on new voting systems, it
failed to provide for a voter-verified audit trail, available for
independent recount, of ballots cast. (This is discussed further in the
California section below.) It was hoped that the
related voting system standardization efforts created by the EAC/TGDC,
as authorized by the bill, would provide additional safeguards, but
sadly, the application of these controls has not been universally
mandated in the United States, leaving it up to the states (and in some
cases, municipalities within the states) to decide whether or not paper
ballots should be used or even allowed to be recounted (see Florida below).

California

The California
State Elections Code contains a number of sections that are
directly relevant to US and international electronic voting issues.

Section
15360
requires that there be “a public manual tally of the ballots tabulated
by those devices, including vote by mail voters’ ballots, cast in 1
percent of the precincts chosen at random by the elections official.”
This section also notes: “In resolving any discrepancy involving a vote
recorded by means of a punchcard voting system or by electronic or
electromechanical vote tabulating devices, the voter verified paper
audit trail shall govern if there is a discrepancy between it and the
electronic record.” Curiously, Section 15627 on recounts states: “If in
the election which is to be recounted the votes were recorded by means
of a punchcard voting system or by electronic or electromechanical vote
tabulating devices, the voter who files the declaration requesting the
recount may select whether the recount shall be conducted manually or
by means of the voting system used originally, or both.” Section
15629 notes that “The recount shall be conducted publicly” and Section
15630 says that “All ballots, whether voted or not, and
any other relevant material, may be examined as part of any recount
if the voter filing the declaration requesting the recount so
requests.” Given all of this, one would think that the paper ballots
(either the original ones that were scanned, or in the case of the
DRE’s, the VVPATs) would be consulted in all recounts. Unfortunately,
as
occurred in Nguyen v. Nguyen, Case No. 07CC00407 (2007), Orange County
California Superior Court, the Judge ruled that the Election Code’s
allowance for the selection by the voter requesting the recount, means
that the requirement that the VVPAT always trump any discrepancies can
be disregarded if the requestor chooses to use the recount produced “by
means of the voting system used originally.” This loophole in the law
will likely be opportunistically exploited again until it is closed.
(Numerous YouTube courtroom videos from my 2 days of testimony in this
matter can be found by using the search string: rebecca mercuri
nguyen.)

As well,
Proposition 41, California’s Voting
Modernization Bond Act, passed in 2002, mandates that “a voting
system that does not require a voter to directly mark on the ballot
must produce, at the time the voter votes his or her ballot, or at the
time the polls are closed, a paper version or representation of the
voted ballot; this version shall  not be provided to the voter,
but shall be retained by election officials for use during
a manual recount or other recount or contest.” The key phrase here is
“or at the time the polls are closed” — this has been
interpreted
by vendors and election officials to permit the voting system to
self-generate ballot images from the internal data stored by the
computer during the election, for use in public manual tallies or
recounts. Using such systems, the voter has no way to confirm that the
ballot they intended
to cast is identical to the one recorded by the machine. Hence, such
recounts are only procedural in nature, and not truly validatory. 
Sadly, the U.S. Congress was similarly vague in their definition of
“manual audit
capacity” in the Help America Vote Act of 2002 (Section 301 a. 2), so
lower
court rulings will play an important role in determining the
implementation of when the “permanent paper record” must be produced
(at the time of voting, or after the election is over). 

I have
always maintained that the intention of HAVA, as well as the
California Code, is to allow the voter to view the printed ballot prior
to casting it. Finally, in 2004, California’s Secretary of State agreed
(but only after discovering that uncertified software was used in their
Recall and General elections in 2003) with this interpretation. Your
participation
is needed here — if you are a voter living in a municipality that uses
DREs (with or without VVPATs), request an absentee
ballot prior to the election so that you can cast your vote on paper.
That is the only way you can be assured that a) your vote was submitted
as you
intended and b) the ballot you prepared will be available for a manual
recount. I have been voting absentee since DREs replaced the lever
machines in my County in 2004.

In 2001,
Susan
Marie Weber, a citizen of Riverside County, CA, decided to protest
the use of the recently purchased Sequoia Voting Systems’ AVC Edge
System
direct recording electronic (touch-screen) voting machines in her
locality.
She filed a Complaint for
Injunctive and Declaratory Relief against CA Secretary of State
Bill
Jones and Riverside County, CA Registrar of Voters Mischelle Townsend,
under 42 U.S.C. §1983 and the Fourteenth Amendment to the United
States Constitution. This appeared as Case No. CV 01-11159-SVW(RZx)
before the Honorable Stephen V. Wilson in the United States District
Court for the Central District of California.  Weber obtained
testimony (at name links here) from experts Rebecca
Mercuri, Peter Neumann
and Kim Alexander. The
Judge
ruled on September 3, 2002 in favor of the State on the basis of
only written testimony without deposition or cross-examination, and
without providing an opportunity to inspect the voting systems in
question (although he criticized
one witness for not having done so, even though it would likely have
been a felony to perform such an examination in the absence of a court
order), and various appeals also failed. The ruling allowed other
California
counties to proceed with their purchases of self-auditing voting
equipment. Despite this ruling, the subsequent Secretary of State,
Kevin Shelley, decided
on November 21, 2003 to require that all computerized voting equipment
be equiped with an accessible voter verified paper trail by July 2006.
The next Secretary of State, Deborah Bowen, decided to conduct a “Top
to Bottom Review” of California’s voting systems, which resulted in the
decertification of most of the DREs. Currently only Orange and San
Mateo Counties use DRE with VVPAT. All other Counties in CA use opscan.

California
Proposition 23, the None of the Above Ballot Option, failed to achieve
enough votes to pass in the March 7, 2000 election. The lack of
a “none of the above” choice for each ballot race (in all states)
creates a dubious dark hole for election auditing. Traditionally, when
one totals all votes cast in each race, these fall short of the
total number of votes eligible to be cast (usually by around 3%). The
“lost vote” (also called “undervote” or “residual vote”) rate tends
to differ depending on equipment and other factors, but it is often
also an indicator of malfunction or tampering. The lack of a definitive
“no vote” allows vendors and election officials to assert that votes
were “not cast” when in fact votes have actually been lost. This
situation
is becoming more prevalent with the introduction of multiple recording
devices within the voting machines, and no real way to determine which
storage unit has the “correct” data. It is unfortunate that the U.S.
Green Party believes that the “none of the above” option is contrary
to their interest in promoting proportional balloting, since they are
among the most vocal opponents of this effective auditing requirement.

See http://www.calvoter.org for further
information on initiatives and election equipment data.U.C. Hastings
College of the Law Library maintains a search engine for its extensive California Ballot Propositions
Database, which is also helpful.

Florida

I was
requested by the Democratic Recount Committee to provide a sworn
affidavit regarding the necessity of a hand recount in the disputed
Florida precincts.  The testimony was presented as part of the
defense
brief in the 11th Circuit Court of Appeals, Atlanta, November
17, 2000. The document is linked here
as a pdf file, and can also obtained through direct request to the
11th Circuit Court.  Reference to this affidavit was made in Brief
in opposition for respondents Gore et al. in Nos. 00-836 and 00-837 to
the U.S. Supreme Court.

In August of
2002 I testified in behalf of the Plaintiff requesting a recount in
Florida 15th Circuit Court Case No. CA-02-3667-AE Emil P. Danciu v.
Theresa LePore in her Official Capacity as Palm Beach County Supervisor
of Elections, Boca Raton City Canvassing Board, Palm Beach County
Canvassing Board, Susan Haynie, and Bill Hager. Footage of my
demonstration showing that a selection could inadvertently be made
without actually pressing the touchscreen at the candidate’s name
location, aired on 60 Minutes. Also revealed during the warehouse
investigation was the fact that these voting machines were never
manually checked for all combinations of candidate selections during
the pre-election testing process.

During 2007,
Florida outlawed the use of touchsreen voting (having previously
outlawed the hanging chad punchcard systems) and now uses optical
scanning throughout the state. Unfortunately, in 2004, Florida also
outlawed the right of voters or candidates to be allowed to audit the
electronically-generated results via a manual recount. (This may have been
partly in response to a federal lawsuit by their 19th District Congressman Robert Wexler
and Palm Beach County Commissioners Burt Aaronson and Addie Green,
citing the equal protection clause of the U.S. Constitution and
claiming that it was unconstitutional for 52 counties in Florida to
have
a means to conduct a recount, while the 15 touchscreen counties could
not perform one.) Thus there is no way to
independently confirm that the scanners have been programmed correctly,
are not experiencing anomalous conditions (such as treating certain
types of ink as invisible), and have not been tampered with (as Hari
Hursti showed can alter vote totals). See http://onlinejournal.com/evoting/060305BBV/060305bbv.html
for further details. For all of these reasons (plus others related to
voter disenfranchisement), Florida continues to get an F in election
integrity.

New Jersey

From
2004-2006, I provided pro bono assistance for the Guciora v. McGreevy
lawsuit, which protested the use of paperless DRE voting machines in
the State of New Jersey on constitutional grounds. The Plaintiff’s Complaint
and Brief
can be found at the links here. I submitted extensive written
testimony on October 16, 2004 that described numerous flaws with
electronic voting systems (lack of provability, malfunctioning that
disenfranchises voters, less accuracy, vulnerability to insider
attacks, lack of transparency, improper vendor responses to software
flaws, inadequate certification, lack of independent ballot audit, and
vendor misrepresentation). My testimony in the remand hearing before
Hon. Linda Feinberg, Superior Court of New Jersey, Law Division, Mercer
County, largely focused on the inability of the vendors to provide a
voter verified paper ballot add-on to the DRE equipment that could be
Federally certified for use, in time for compliance with the newly
enacted New Jersey law requiring same by January 1, 2008. Based on
Judge
Feinberg’s findings, the Appellate Division decided to remand the
matter to the Law Division in order to monitor compliance with the new
legislation. Although testimony by numerous individuals was presented
by Plaintiffs, the only comments noted in the Appellate
Division Opinion were mine, pertaining to the issue that there were
factors independent of the VVPAT that would make it unlikely that the
AVC Advantage DRE would meet the 2002 FEC standards requirements by
December 2007. As I had predicted, and despite monitoring by the Court,
the VVPATs indeed were not ready by 2008 and the Attorney General
issued two 6-month extensions for compliance, also to no avail.

In the
meanwhile, a trial was scheduled and the Court ordered the State and
vendor to supply voting machines and source code for examination.
Information about the review and testimony in the 2009 (and earlier)
hearings can be found at Professor Andrew Appel’s website
and also at the Freedom
to Tinker blog. On February 1, 2010, Judge Feinberg ruled that the
voting machines must be reevaluated to determine whether they are
“accurate and reliable” and required that additional safeguards should
be put in place to discourage tampering. The statement, which noted
“there is simply no evidence to conclude that absent complete access,
coupled with malicious intent to alter the results of an election, the
voting machines have failed to correctly and accurately count every
vote cast” also indicated that all voting systems have vulnerabilities,
so New Jersey’s unauditable machines seem (at least to the Court) to be
no worse than other methods (such as those involving paper ballots).
Unfortunately, the ruling did not go far enough to require that the
VVPAT law in the state be complied with, so that there might be some
actual proof that the machines were correctly and accurately counting
every vote cast (or not). And so it goes. Personally, I have felt
strongly that the Plaintiffs’ team was missing the boat by focusing on
hacking rather than the Constitutional aspects of assuring verification
and transparency in the election process. Nothing is really proven by
such attack demonstrations, other than that they could potentially
occur — since independent examinations of the equipment directly
following the elections are routinely
prohibited, we’ll never be able to show that tampering was afoot. The
greater likelihood is that malfunctions and misprogramming actually
will (and do) occur. These we have plenty of evidence of, and only with
voter verified paper ballots is it possible to recover from and
mitigate such problems. Perhaps someone else will try to sue on these
grounds, when evidence of machine failure eventually surfaces.

I was asked
to provide comment on New Jersey’s draft Criteria for Voter-Verified
Paper Records for DRE voting machines. My response is attached here.
The final version of the State Criteria is posted at http://www.njelections.org/voter_verified_paper_record_criteria.html
. The Attorney General’s reports, also available via this website, in
which she (perhaps conveniently?) declines to certify the VVPRS (paper
ballot attachments) for the Sequoia Advantage and Edge DREs, is very
curious, since the AG’s office argued in behalf of Defense in the
lawsuit noted above. The Sequoia Advantage DREs are used in 18 of NJ’s
21 Counties. You might think that since the AG did certify VVPRS for
two other vendors’ voting machines, the Judge might have required that
these be used instead of the Sequoias, but no. Hmmm.

If you vote
in New Jersey, here’s what you can do. NJ has a absentee
option where citizens can register to receive paper ballots in the
mail. You will need to re-register as an absentee each year, but it is
a great alternative to using the paperless DREs. Don’t trust the Post
Office? If you take your ballot to the County Election Office and drop
it off there (in its sealed envelopes) during their business hours
(extended to the close of polls on election day), you’ll know that at
least your vote choices have reached the tabulation center, which is
something that the DREs cannot assure. In case of recounts (which do
happen in NJ) these ballots are the only ones that can actually be
checked without computer intervention.

Writings by Rebecca Mercuri
This section includes formal papers, commentary, articles, and other
relevant materials on voting and computer security.  The PDF
versions for some of these writings may be more suitable for producing
handouts.

“Electronic Vote Tabulation Checks
& Balances,” Ph.D. dissertation, defended October 27, 2000 at
the School of Engineering and Applied Science of the University of
Pennsylvania, Philadelphia, PA. The title link here takes you
to the thesis defense announcement and abstract. UPenn’s Computer and
Information Science Department has (without permission) archived the
University Microfilms version of my thesis at http://www.cis.upenn.edu/grad/documents/mercuri-r.pdf
and it can be downloaded (for free) there. You can also obtain a copy
of
the thesis through UMI/Proquest by sending an email to
disspub@proquest.com  — the thesis number is 3003665.  They
various archival quality formats (hardbound, softbound unbound,
microfiche, and microfilm) of the original double-spaced 235-page
document, they can take credit-card orders, and I’ll receive a small
royalty. Those who are manufacturing or evaluating voting systems will
find it helpful to consider two additional lists of questions I
developed as part of this thesis research. Some of the wording closely
follows the Common Criteria, whose Level 4 assessment I have
recommended as a minimum benchmark for voting system
security.  Further information about the Common Criteria can be
found at http://www.niap-ccevs.org/cc-scheme/
.

*“Florida
2002: Sluggish Systems, Vanishing Votes,” (PDF) Rebecca Mercuri, Inside
Risks, Communications of the Association for Computing Machinery,
Volume 45, No. 11, November 2002.

“Verification
for Electronic Balloting Systems,” Rebecca T. Mercuri and Peter G.
Neumann, Chapter 3, Secure
Electronic Voting, Dimitris Gritzalis, ed., Advances in Information
Security, Volume 7, Kluwer Academic Publishers, Boston, November
2002.  ISBN 1-4020-7301-1

*“A Better Ballot Box?,”
(PDF) Rebecca Mercuri, IEEE
Spectrum, Volume 39, Number 10, October 2002.

“Computer Security: Quality rather than
Quantity,” (PDF) Rebecca
Mercuri, Security Watch, Communications of the Association for
Computing Machinery, Volume 45, No. 10, October 2002. (Note: The
footnote numbering is incorrect in the PDF version.)

*“MIT
vs Mercuri,” Rebecca Mercuri, The Risks Digest, ACM Committee
on Computers and Public Policy, Volume 22, Issue 26, September 25,
2002. Archived at: http://catless.ncl.ac.uk/Risks/22.26.html.

*“Florida
Primary 2002: Back to the Future,” Rebecca Mercuri, The Risks
Digest, ACM Committee on Computers and Public Policy, Volume
22, Issue 24, September 11, 2002. Archived at: http://catless.ncl.ac.uk/Risks/22.24.html.

*“Explanation
of Voter-Verified Ballot Systems,” Rebecca Mercuri,
ACM Software Engineering Notes (SIGSOFT), Volume 27, Number 5,
September, 2002.  Also published in The Risks Digest, ACM
Committee on Computers and Public Policy, Volume 22, Issue 17, July 24,
2002.
Archived at: http://catless.ncl.ac.uk/Risks/22.17.html.

*“Humanizing
Voting Interfaces,” Rebecca Mercuri, Usability Professionals
Association Conference, Orlando, FL, July 11, 2002.

“Uncommon Criteria,” (PDF) Rebecca Mercuri, Inside Risks,
Communications of the Association for Computing Machinery, Volume 45,
No.
1, January 2002.

*“The FEC
Proposed Voting Systems Standard Update,” a detailed comment
by Dr. Rebecca Mercuri, submitted to the Federal Election Commission on
September 10, 2001 in accordance with Federal Register FEC Notice
2001-9, Vol. 66, No. 132.

*“System
Integrity Revisited,” (PDF)
Rebecca T. Mercuri and Peter G. Neumann, Inside Risks, Communications
of the Association for Computing Machinery, Volume 44, No. 1,
January 2001.  This was reprinted in the CPSR Newsletter, Winter
2001, Volume 19, No. 1.

*“Internet
and Electronic Voting,” Peter Neumann, Rebecca Mercuri, Lauren
Weinstein, The Risks Digest, ACM Committee on Computers and Public
Policy,
Volume 21, Issue 14, December 12, 2000.  Archived at:  http://catless.ncl.ac.uk/Risks/21.14.html. 
This article was also printed in ACM’s Software Engineering Notes
(SIGSOFT), Volume 26, No. 3, March 2001.

*“Voting
Automation (Early and Often?),” (PDF) Rebecca Mercuri, Inside Risks,
Communications of the Association for Computing Machinery, Volume 43,
No. 11, November 2000.

*“Corrupted
Polling,” (PDF) Rebecca
Mercuri,
Inside Risks, Communications of the Association for Computing
Machinery,
Volume 36, No. 11, November, 1993.

“Threats
to
Suffrage Security,” Rebecca Mercuri, 16th National Computer
Security
Conference, September, 1993. (See Conference Panels below.)

*“The
Business of Elections,” (PDF)
Rebecca Mercuri, 3rd Conference on Computers, Freedom and Privacy,
March, 1993.

*“Voting-Machine
Risks,” (PDF) Rebecca
Mercuri, Inside Risks, Communications of the Association for
Computing Machinery, Volume 35, No. 11, November, 1992.

“Physical
Verifiability of Computer Systems,” (PDF)
Rebecca T. Mercuri, 5th
International Computer Virus and Security Conference, March, 1992.

Related Writings by Other
Authors

*“Voting
into Vapor,” Craig Lambert, Harvard Magazine, November-December
2004, Volume 107, Number 2. This succinct piece provides insight into
the mathematics behind the voting system problem, in terms that a
layperson can readily understand.

*“Election Reform and Electronic Voting Systems
(DREs): Analysis of Security Issues,” (PDF),
Eric A. Fischer, Congressional
Research Service, The Library of Congress, November 4, 2003. A
well-balanced overview of voting security threats and vulnerabilities
along with an assessment of strengths and weaknesses of potential
solutions.

“Usability
Review of the Diebold DRE system for Four Counties in the State of
Maryland,” (PDF),
Benjamin B. Bederson, Paul S. Herrnson, University of Maryland, 2002.
This study, conducted prior to the Fall primaries, provides an early
indication of machine failures with the Diebold equipment (used in
Georgia as well as Maryland).

*“Secret-Ballot Receipts and Transparent
Integrity,” (PDF),
David Chaum, Draft, May 2002. Chaum, the inventor of eCash, describes a
unique method where voters can positively confirm their ballots, both
at the polling station and also after the election, to be sure
they are correctly entered into the tallies, without revealing their
choices. This groundbreaking work may eventually form the basis
of secure and auditable future elections.

*“Opening a Can of
Electronic Chad,” Bill Sterner, Carol Schiffler. A position piece
against touch-screen voting from the Citizens for Legitimate
Government.  http://www.legitgov.org

“How to
Make Over One Million Votes Disappear: Electoral Slight of
Hand in the 2000 Presidential Election,” Democratic Investigative
Staff, House Committee on the Judiciary, August 20, 2001. (A 50
state report prepared for US Representative John Conyers, Jr., Ranking
Member, House Committee on the Judiciary, and Dean, Congressional
Black Caucus.)

*“Voting and
Technology,” Bruce Schneier, Crypto-Gram, December 15, 2000. http://www.schneier.com/crypto-gram.html
(Also read his explanation in the 2/15/01 issue about why Internet
voting is not possible, and his scathing comments about iBallot.com’s
proprietary voting technology claims in the 3/15/01 issue. In the
9/15/02
issue, this expert again confirmed his opposition to Internet
elections.)

*“No voting
machine is going to be perfect — and not just in Florida,” Rick
Malwitz, Home News Tribune, November 30, 2000. (If you think
that direct-entry computerized voting machines are the answer
to hanging chad, read this.) A confirming follow-up on this story:
*“N.J.
critic
says booth proved not so fail-safe,” Jeff Gelles, Philadelphia
Inquirer, January 15, 2000.

“Democracy Under Stress,” Ronnie
Dugger, Los Angeles Times, November 19, 2000.

*“Disenfranchised by design: voting systems and
the election process,” Susan King Roth, Information Design Journal,
Volume 9, No. 1, 1998. (This early study examines usability issues in
various election systems, with the conclusion that newer technologies
are not necessarily an improvement for voters.) The pdf can be accessed
via: http://www.informationdesign.org/downloads/doc_roth1998.pdf

*“Security Criteria for
Electronic Voting,” Peter G. Neumann, 16th National Computer
Security Conference, September, 1993.  *“Risks in Computerized Elections,”
Peter G. Neumann, Inside Risks, 5, CACM 33, 11, p. 170, November
1990. (Dr. Neumann has expressed his opposition to fully-electronic
and Internet-based democratic elections since the early days
of this debate. His Risks newsgroup frequently prints reports
of election problems, issues are archived at: http://catless.ncl.ac.uk/Risks.)

“Accuracy,
Integrity, and Security in Computerized Vote-Tallying,” Roy G.
Saltman, U.S. Department of Commerce, National Bureau of Standards
Special Publication 500-158, August 1988. (This classic document
contains highly relevant material for anyone researching or dealing
with voting systems.)

*“Reflections on
Trusting Trust,” Ken Thompson, Communications of the
ACM, Vol. 27, No. 8, August 1984. This important Turing Award lecture
explains precisely how it is possible to conceal nefarious programming
such that it will never be found in a source code inspection.

A Bit of Levity

“Digital Democracy,”
Mark Fiore, February 4, 2004. (A fun animation depicting what we are
getting with paperless voting systems. Wait a minute or so for it to
load, don’t press back or next.)

“We
guarantee the outcome,” Summer, 2003. (If someone told
me I’d be referring folks to Larry Flynt’s website, I would have
laughed, but this parody is great, and G-rated to boot!)

“A Renegade Reciprocal Miracle Chad,”
Joel Achenbach, Washington Post, November 17, 2000. (A lighter view of
the punch card problem)

Join My Email Group

I have
created
a private email group which I am using to send messages regarding
updates to this website and other announcements about relevant
articles,
conferences, legislative activities, election litigation and my
upcoming
talks and media appearances. The group is “send-only” so replies go
only
to me, not to the other group members. Announcements are sporadic,
typically
only a couple per month. If you are interested in joining, send an
email
to:

NotableVoting-subscribe@topica.com

Then follow
the instructions in the reply message that you will receive, and I will
place you on the list. If you join topica (although you don’t need to
do this to be a mailgroup member), you can review all of the prior
messages in the NotableVoting history list at their
website. If you tire of the list, you can remove yourself from it by
sending a message to NotableVoting-unsubscribe@topica.com and your
address will be deleted.

Additional Links

The wealth of materials at these
sites may be helpful to those who are interested in voting technology.
The links here are in no particular order and should not be construed
as endorsements. As web pages and hosts can change rapidly, I take
absolutely no responsibility for the content and/or reliability
of these links.

ecotalk.org — Voting Security

Black Box Voting

The Election Reform Information Project

Peter Neumann

- Inside Risks                  - Risks Forum Newsgroup

People for Internet Responsibility

Computer Professionals for Social Responsibility

Foundation for Information Policy Research

The Privacy Forum

Federal Election Commission (USA)

Election Assistance Commission (USA)

The California Voter Foundation

The Usability Professionals Association’s Voting Resources

Princeton ACM / IEEE Computer Society

Free Software Foundation