UNITED STATES DISTRICT COURT
FOR THE CENTRAL DISTRICT OF CALIFORNIA
I, Rebecca T. Mercuri, Ph.D., expert witness on electronic voting systems and technology, respectfully declare and submit this testimony in support of Plaintiff Susan Marie Weber’s opposition to California Secretary of State Bill Jones’ motion for summary judgment.
I hold a Ph.D. in Computer and Information Science from the School of Engineering and Applied Science at the University of Pennsylvania. In addition, I have two Master’s degrees and a Bachelor’s degree in Computer Science and Engineering. I am the President of Notable Software, Inc. (a New Jersey Corporation) and an Assistant Professor of Computer Science at Bryn Mawr College, PA. I have spent over twenty years as an employee and consultant to industry and government agencies, with much of my work in the area of real-time microprocessor-based systems. I am fluent in over a dozen computer languages, ranging from assembly to object-oriented programming, and am also competent as a microsystems (board-level) designer, and computer systems analyst.
For the last decade, I have provided written and oral testimony regarding various election equipment matters, including procurement hearings in New York City and Houston, Texas, as well as litigation in Florida. My testimony regarding the recount of punch card ballots in the November 2000 election was provided to the U.S. 11th Circuit Court, and cited in the first set of U.S. Supreme Court hearings. I have written extensively on the subject of electronic voting equipment, including my Ph.D. dissertation (which demonstrated the necessity of voter-verified physical balloting systems) and numerous technical articles. I am often requested to provide information and/or testimony about voting systems to government agencies, including many State and local election boards, the U.S. House of Representatives Science Committee, the Federal Election Commission, and the U.S. General Accounting Office. Primarily my work on election equipment has been pro bono, although I have (on only a few occasions) accepted a consulting fee for an independent evaluation of equipment or election data, and have occasionally been reimbursed for expenses incurred. All work for this case was provided pro bono.
In recent years, municipalities across the United States have become concerned about the voting systems that they were using to conduct elections. Many, including Riverside County in California, have decided to replace their existing systems with newer technologies. Some manufacturers, including Sequoia Voting Systems of Hayward, California, claimed that they could provide kiosk-style (DRE) touchscreen systems that were both “auditable” and “fail-safe.” In actual fact, Sequoia touchscreen systems similar to the style procured by Riverside County have been found to have recorded votes incorrectly in actual use, and they provide no more security than does a fox guarding the hen house in terms of auditability.
Sequoia Voting Systems produces various models of free standing voting machines, each configured differently for the municipalities that purchase them. Consequently, it is not possible to examine every voting system that Sequoia produces. Thus, I have not personally had the opportunity to examine the AVC Edge Touchscreen Voting System model produced for Riverside County, California, in part because I have not yet been afforded the opportunity to do so in this case, and in part because it is my understanding that the company policies of Sequoia Voting Systems are such that they do not provide units for thorough outside inspection (other than those performed by the Independent Test Authorities, in this case Wyle Laboratories) under the grounds that doing so would reveal proprietary company information. Should the Court or County be able to persuade Sequoia to lift or waive their trade secret claim for purpose of this dispute (they would, of course, still have protection under copyright and patent law), and permit me to examine the product under question here, I would be happy to do so. Nevertheless, even without inspection of this particular model, I can confirm, through discussion with Susan Marie Weber, and by examination of the documentation on Sequoia’s website (www.sequoiavote.com/docs) and the materials that Riverside County produced on the request of the Plaintiff that the basic operational features of the AVC Edge appear to be similar or functionally equivalent to those of other Sequoia models I have seen. From the description provided by Defendant Bill Jones in his memorandum to the United States District Court for the Central District of California, Western Division, I am able to discern numerous salient flaws in the configuration of the equipment that are relevant to this case, which I have enumerated (below) in Sections III and IV.
In addition, I have evidence of failures of Sequoia DRE products in Louisiana, New Jersey, and Florida. In a Louisiana election involving candidate Susan Bernecker, Sequoia DRE machines randomly recorded votes to the two candidates below her on the ballot. I have a copy of a videotape filmed at the warehouse after the election, showing numerous machines registering votes to some candidates when certain other candidates were selected. In another instance (that occurred in November 2000) brand new Sequoia DRE machines in North Brunswick, New Jersey registered zero votes for major party candidates in a local race. When the manufacturer was questioned about why their supposedly “fail-safe” system failed, the company representative indicated that votes were not “lost” - rather that votes were not “cast” - a semantic distinction that certainly has Equal Protection ramifications. Most recently, in a runoff primary election with only two candidates in Palm Beach, Florida, Sequoia machines registered no selection in 2.3% of the ballots cast (or attempted to be cast). In some precincts, the “no vote recorded” rate was as high as 10%. This matter is currently being litigated, and here again, the manufacturer has yet to provide any explanation for the failure to record votes, or the failure to detect and shut-down defective machinery (as per their own product specification claims).
Certain claims made by Defendant Bill Jones in his April 15, 2002 statement to this court regarding “benefits of the Sequoia AVC Edge Touchscreen Voting System” are extremely misleading and at times wholly erroneous. Jones bases his claim on his belief “that plaintiff’s Equal Protection challenges to the use of touchscreen voting systems in California amount only to (1) an unqualified and unsubstantiated fear of fraud and manipulation in connection with the touchscreen vote tally and (2) an uninformed dissatisfaction with the touchscreen recount process.” This is incorrect. Plaintiff’s concerns are based on the very REAL possibility not only of fraud and manipulation but of malfunctions and erroneous code in the equipment, as substantiated by Sequoia and other DRE product failures in actual election use, and as testified to by computer security and voting technology experts in numerous hearings in California and elsewhere in the United States. The dissatisfaction with the touchscreen recount process is based on the lack of VOTER verification of the printed ballot used for the recount as well as other matters that I shall address below. To make these points clear, I have quoted from Jones’ statement for this discussion, as follows:
1. “… the touchscreen system is more accurate than the optical-scan … system that it replaced” This is untrue. In a study performed by MIT/CalTech in 2001, it was revealed that touchscreen/DRE systems had the worst residual (‘lost’) vote rate, exceeding ALL other varieties of voting systems (except for punch card).
2. “Continued testing insures the accuracy and integrity of Riverside County’s touchscreen system.” The testing performed before and after the election by the County is what is known as “black box” examination - this only provides a functional test that does not prove that the machine operated correctly during the election. Considerable portions of the “black box” test procedure are provided by the machine checking “itself” and reporting back results (as Bill Jones states: “there would be a system shut-down initiated by the system itself; thus protecting the accuracy of the ballot.”) If the machine doesn’t work, how can we assure that its self test process works? As it turns out, there is no way to know if a “broken” machine has produced an incorrect test report. Furthermore, the independent testing performed by Wyle Labs is done for the vendor, not the County or State, and is executed on sample machines. There is no real assurance that the machines provided to Riverside are identical to those that were examined by Wyle, nor that each machine operates correctly throughout election use. It is entirely possible that machines could pass both the pre- and post-election testing, yet they may still operate incorrectly during the actual voting session, this despite all preventative, detective and corrective controls applied to the system by the manufacturer.
3. “… the touchscreen system is safe from fraud or manipulation.” Nothing could be further from the truth than this statement. First of all, computer science theory insists that it is impossible to demonstrate the absence of malicious code in a computational product. If such were the case, manufacturers (including Microsoft) would be able to secure computer-based products from attack, but in fact they have not been able to do so. Nor does a product being stand-alone make it immune, it only makes certain types of attack more difficult, while many other vulnerabilities still remain. For example, with a Sequoia machine, time bomb code can reside in the chips or software for years before being triggered. Also, any exchange of data (perhaps via the vote cartridge, or during election configuration) could possibly introduce viruses. It is well known that bogus code can be inserted via third-party software (operating systems and compilers, such as are used by the manufacturer in development and construction of systems), so Sequoia’s claims that its products can not be tampered with are wholly unsubstantiated. Even more common and risky than fraud or manipulation is the inadvertent or accidental existence of erroneous code or defective hardware that compromises operations and often goes undetected in computer systems prior to or during field use.
4. “...the touchscreen system has improved Riverside County’s ability to audit the election process and conduct recounts.” This, along with other supporting statements by Bill Jones regarding the “paper audit trail” indicate a total lack of understanding of the meaning of an audit. As demonstrated by the Enron situation, an internal audit that is not subject to external scrutiny basically is no audit at all. This is precisely how the Sequoia machine “audits” elections. The voter registers his/her intention on the touchscreen and is provided with feedback of their selections on the display. From this point on, neither the voter nor the County, nor the State, has any way of knowing what happens to the ballot data, since no independent audit trail is produced by the Sequoia voting system. The audit report with printed ballots is not one that has been verified by the individual voters, but rather is one which is fabricated after the fact by the computer system. Only if the voter has the opportunity to print out, view, validate, and then deposit a human-readable (paper) ballot that is secured and later made available for recount, can an independent audit trail be created. It is entirely possible for the computer to print one thing on the touchscreen as feedback to the voter while sending entirely different data to the cartridge (possibly because the machine is “broken” or has been corrupted). In the same way, the cartridge reader can tally, display, or print out something other than the data on the cartridge, and so on. The touchscreens do not, as Jones claims, “increase the protection to the voters, over and above paper ballots” merely because they flag over- and under-votes. In fact, they remove the ability to provide checks and balances through independent confirmation. 
There is nothing in the process and procedures that Bill Jones has described that provides bi-partisan poll workers, or members of the public who would like to observe the counting process, any way of ascertaining that the electrons transmitted by the touchscreen are subsequently recorded, tabulated, and printed properly. In fact, Jones states that “The counting is so fast that it is not detectible by human eye …” - this is utterly laughable if one wants to also claim, as he does, that the “counting is performed in full public view.” (Sure, I can write the ballots out in invisible ink too, and then claim to have read them, if you’d like, but that hardly constitutes a viable oversight process.)
5. The claim that “the touchscreen system has allowed Riverside County to realize substantial cost savings in operating elections” is also misleading. With computer systems, there is an up-front cost for procurement which must be amortized over the duration of use. Computer systems have a limited (generally around 5 years, but possibly as long as 10 years) lifespan (only very few last as long as the 20 years the manufacturer claims), and as they age, costs of repair and replacement of parts increase rapidly. (The warranty on the products is only for a year, and some replacement parts are very expensive, even now.) Maintenance, storage, training, reprogramming, and other ongoing expenses, many of which are significantly higher than those needed for paper balloting systems, must also be factored in. Rather than citing only the amount not spent for printed ballots, what needs to be considered is the total actual savings (if indeed there is any).
IV. Further Pertinent Issues
Sequoia Voting Systems has repeatedly claimed (in product materials, at hearings, and in purchase negotiations) that their products are “secure” and hence their internal audit process is “safe” and “accurate.” Yet these products do not comply with even the minimal security product certification standards mandated (by the Computer Security Act for some systems) and used for constructing secure products by the United States Government. This process, which incorporates strict design compliances along with verification and validation procedures, is administered by the National Institute of Standards and Technologies (NIST). It is also recognized as a benchmark security standard internationally. Presently, this confirmation of security is not yet required for voting systems in California, although vendors could voluntarily comply with the standard (as is done in other industries, such as some areas of health care) and submit their products to NIST for certification. Any claim of “security” that is not also accompanied by an appropriate level of NIST certification (since such is readily obtainable) is therefore questionable and also moot. I have repeatedly urged all DRE manufacturers (including Sequoia) to submit their products for NIST evaluation so that they can be verified in a stringent security analysis (since such is not performed by Wyle labs, or the State of California in the certification process), but they have not yet done so.
Other Sequoia products that I have scrutinized contain a real-time clock, which Sequoia claims to use to enhance auditability of their systems. I assume (since I have not had the opportunity to examine Riverside County’s machines) that the Edge models contain a real-time clock as well. The existence of a real-time clock provides a serious security and privacy risk, since it can be used subversively to match voters with their ballots, or to trigger nefarious code that only operates during certain intervals (and hence would not be apparent in pre- or post-election testing). As well, the activity log (referred to in Louis W. Dedier’s April 15 statement) that “can be produced from the Registrar of Voters that shows the entire activity of that system from start to finish of the election” could also potentially be used to identify voters with the contents of their ballots, if say a poll worker or other election observer recorded the order in which each voter entered each machine to cast a ballot.
V. Reply to the List of Undisputed Material Facts
Despite the interesting declarations of witnesses Mischelle Townsend and Louis W. Dedier, there is considerable dispute regarding many of the 10 points on this list. In particular, my discussion above, along with supporting evidence of problems where Sequoia equipment has been used in elections demonstrates that:
(Point 1) The Sequoia DRE does not provide increased tally accuracy, since its “lost vote rate” is significant, thus displacing much if not all of the benefits achieved by eliminating the rejection of spoiled, mis-marked, and over-voted ballots.
(Points 2 and 3) The perception that an election system is liked by the voters, may not concur with real empirical evidence of ease of use. A true usability study should be performed, not just a “feel good” survey, in order to validate this claim. In fact, touch screens are not good for some populations, in particular those with palsied hand movements, or low-vision voters who tend to run their finger down the column of candidates as they peruse the ballot. There is also a parallax problem, and the touchscreen itself does not mandate layout configurations, all of which can contribute to mis-selection by voters.
(Point 5) The Sequoia system does not provide an independent, voter verified audit trail that can be used for recounts. Hence this “fact” is false.
(Point 6) When all costs are considered, it may not be the case that any savings are realized by the deployment of DRE systems.
(Points 8, 9, 10) What was certified and tested were sample systems and not the actual systems provided for use by the County (these have not been externally verified to be identical). Furthermore, the FEC and NASED have provided guidelines, not true standards, since they have no jurisdiction over election equipment, due to States’ rights issues. The FEC guidelines under which Riverside’s Sequoia machines were examined were written in 1990 -- these have been deemed obsolete and are currently undergoing an extensive re-write. Hence, Riverside’s Sequoia machines will not be in compliance with the new FEC guidelines, when released, as older equipment can be “grandfathered” by the State. Even though the test systems may have been deemed compliant with California and County laws, regulations and procedures, the lack of a requirement that they be independently voter-verified using a human-readable medium at the time of balloting, constitutes a fatal flaw that renders the DRE units unauditable and thus is in violation of Equal Protection rights.
In my opinion, the most salient issue in this case involves the recount procedures provided by Riverside County’s Registrar of Voters in accordance with California Elections Code 15600 et seq. From the County document (rev. 12/99), the DRE Touch-Screen Voting System Manual Recount Procedures specify that “for a manual tally of the touch-screen voting system, the recount board shall produce a printed report from each voting unit and compare it with the election night results from the electronic results cartridge assigned to that voting unit.” It is this “report”-- generated sight-unseen from an electronic system -- that is the crux of the matter here. No “certification” process can unequivocally assure each voter that this “report” accurately reflects their intentions when they cast their ballot. ONLY if the voters have the opportunity to see the physical (printed) ballots, at the time they vote, can there be an audit of the electronic results. The use of a self-generated machine report thus removes the right of citizens to obtain and oversee an independent recount.
It therefore behooves the court to accept Susan Marie Weber’s claim of violation of rights by virtue of Riverside County’s adoption of the Sequoia touchscreen voting system. Use of this equipment and other DREs that do not provide an independent, voter-verified audit of cast ballots should be terminated in this County and throughout the State of California.
I declare under penalty of perjury under the laws of the State of California that the foregoing is true and correct.
Executed this April 29, 2002, at San Mateo County, California (state).
Rebecca T. Mercuri