Susan Marie Weber
43041 Buttonwood Dr.
Palm Desert, CA 92260-2605
In propria persona
UNITED STATES DISTRICT COURT
FOR THE CENTRAL DISTRICT OF CALIFORNIA
SUSAN MARIE WEBER
BILL JONES, in his official capacity as California Secretary of State,
MISCHELLE TOWNSEND, in her official capacity as Riverside County Registrar of Voters
Case No. CV 01-11159 SVW(RZx)
PETER G. NEUMANN
Date: May 6, 2002
Time: 1:30 p.m.
Before the Hon. Stephen V. Wilson
I have been employed in the SRI Computer Science Lab since September 1971. I spent eight years at Harvard (1950-58), with my A.B. in Math in 1954, S.M. in Applied Math in 1955, and Ph.D. in 1961 after returning from my two-year Fulbright in Germany (1958-60), where I received the German Dr. rerum naturalium in 1960.
I had two reverse sabbaticals as Visiting Mackay Lecturer, during the spring quarter of 1964 at Stanford University in Electrical Engineering, and the academic year 1970-71 at U.C. Berkeley (teaching courses in hardware, operating systems, and coding theory, and co-leading two seminar courses). More recently, I taught a course on survivable systems and networks at the University of Maryland in the fall of 1999, half in person, half by video teleconference.
The following are Notes for a Hearing of the California Assembly Committee on Elections, Reapportionment and Constitutional Amendments, Wednesday, January 17, 2001.
Summary: The election process is inherently subject to errors, manipulation, and fraud. It is a process that demands extraordinary integrity of any computerized systems involved, as well as honesty and experience of the people involved in administering elections. Evidently, it may require considerable sophistication on the part of voters as well.
The Year 2000 U.S. election process has demonstrated many weaknesses and irregularities in the existing processes. As a result of the Florida punched-card experience, there is a huge cry to get rid of old-fashioned systems. In particular, vendors of electronic systems have come out of the woodwork with promises of eliminating spoiled ballots, punched-card anomalies, and re-counts, and providing instant results; however, those systems lack adequate assurances of the integrity of the voting process. Because of ubiquitous human errors (which typically occur in all computer systems), software Trojan horses, and trapdoors (especially if inserted during development or maintenance), existing electronic systems have insufficient guarantees that votes that are actually counted are precisely what the voter had intended. Although it is impossible to guarantee the correctness of hardware and software, it is unfortunate that even common standards for system security are typically ignored.
The highest potential risks relate to electronic systems — and worst of all Internet voting, limited by the intrinsic lack of security in Internet systems and a morass of sociological problems. Old-style lever machines and well-managed optical scanning systems are typically more reliable and less subvertible than electronic ballot systems. It is interesting to note that a very large part of the world still uses paper ballots marked with an X for the selected choice; that approach is considered very reliable and surprisingly quick in the counting phase when distributed into precincts with suitable oversight.
Rebecca Mercuri’s recent Ph.D. thesis (noted below) at the University of Pennsylvania provides an extensive set of criteria against which electronic voting systems should be evaluated, but also points out that any such criteria are at the same time inherently incomplete and intrinsically difficult if not impossible to satisfy. She also proposes a strategy that would significantly increase the accountability of electronic voting systems (such as direct-recording touch-screen systems), providing an independent paper trail for each ballot that is verified by the voter before the ballot is cast. This would provide an audit trail in the event of disputes.
The bottom line is of course that all voting systems are subject to varying degrees of errors and manipulation. As a technologist, I have a responsibility to seek checks and balances not only on the technology but also on the voting process as a whole. As legislators, you have an obligation to ensure that you do not endorse simplistic solutions that could in actuality make the integrity of the election process much less than it is today, with even greater opportunities for fraud and subversion.
My 1995 book (Computer-Related Risks, Addison-Wesley) contains extensive material on the lack of integrity in then-existing election systems, and discussion of requirements for improving the process. The situation has not improved appreciably since then, although there have been some advances toward better electronic systems. Rebecca Mercuri’s thesis has carried the approach of my book much farther. I strongly recommend that you use her guidelines for any future efforts to shift to automated voting systems. You and your staffers will also find considerable background information on my Web site.
Please feel free to call on me for further information and background.
In the wake of the recent Presidential election problems, the knee-jerk reaction of "gee, can't we modernize and solve all this with electronic and/or Internet voting?" is predictable, but still wrongheaded. The shining lure of these "hype-tech" voting schemes is only a technological fool's gold that will create new problems far more intractable than those they claim to solve.
All proposed voting systems should be subjected to rigorous evaluation, public inspection, and “open-source code” license agreements. Some applicable methodologies do exist, but have not been required. For example, Level 4 Common Criteria should be a “minimum” standard, although even that is not enough.
As always in any election environment, there are many opportunities for fraud, mischief, and manipulation -- despite ostensible checks and balances. These problems are exacerbated with electronic and Internet voting, where the lack of any physical ballots makes such manipulations impossible to detect and correct -- because there is no meaningful re-count capability. Extraordinary vigilance is necessary, but never sufficient.
Inside Risks 127, CACM 44, 1, January 2001
Rebecca T. Mercuri and Peter G. Neumann
Consider a computer product specification with data input, tabulation, reporting, and audit capabilities. The read error must not exceed one in a million, although the input device is allowed to reject any data that it considers to be marginal. Although the system is intended for use in secure applications, only functional (black box) acceptance testing has been performed, and the system does not conform to even the most minimal security criteria.
In addition, the user interface (which changes periodically) is designed without ergonomic considerations. Input error rates are typically around 2%, although experience has indicated errors in excess of 10% under certain conditions. This is not considered problematic because errors are thought to be distributed evenly throughout the data. The interface provides essentially no user feedback as to the content of input selections or to the correctness of the inputs, even though variation from the proper input sequence will void the user data.
Furthermore, multiple reads of the same user data set often produce different results, due to storage media problems. The media contain a physical audit trail of user activity that can be manually perused. There is an expectation that this audit trail should provide full recoverability for all data in order to include information lost through user error. (In practice, the audit trail is often disregarded, even when the user error rate could yield a significant difference in the reported results.)
We have just described the balloting systems used by over a third of the voters in the United States. For decades, voters have been required to use inherently flawed punched-card systems, which are misrepresented as providing 100% accuracy ("every vote counts") -- even though this assertion is widely known to be patently untrue. Lest you think that other voting approaches are better, mark-sense systems suffer from many of the same problems described above. Lever-style voting machines offer more security, auditability, and a significantly better user interface, but these devices have other drawbacks -- including the fact that no new ones have been manufactured for decades.
Erroneous claims and product failures leading to losses are the basis of many liability suits, yet (up to now) candidates have been dissuaded from contesting election results through the legal system. Those who have lost their vote through faulty equipment also have little or no recourse; there is no recognized monetary or other value for the right of suffrage in any democracy. With consumer product failures, many avenues such as recalls and class action suits are available to ameliorate the situation -- but these are not presently applicable to the voting process. As recent events have demonstrated, the right to a properly counted private vote is an ideal rather than a guarantee.
The foreseeable future holds little promise for accurate and secure elections. Earlier columns here [November 1990, 1992, 1993, 2000, and June 2000] and Rebecca Mercuri’s doctoral thesis (see the attachment, which comes from the web page http://www.notablesoftware.com//Papers/thesdefabs.html) describe a multitude of problems with direct electronic balloting (where audit trails provide no more security than the fox guarding the henhouse) and Internet voting (which facilitates tampering by anyone on the planet, places trust in the hands of an insider electronic elite, and increases the likelihood of privacy violations). Flawed though they may be, the paper-based and lever methods at least provide a visible auditing mechanism that is absent in fully automated systems.
In their rush to prevent "another Florida" in their own jurisdictions, many legislators and election officials mistakenly believe that more computerization offers the solution. All voting products are vulnerable due to the adversarial nature of the election process, in addition to technical, social, and sociotechnical risks common to all secure systems. Proposals for universal voting machines fail to address the sheer impossibility of creating a ubiquitous system that could conform with each of the varying and often conflicting election laws of the individual states. Paper-based systems are not totally bad; some simple fixes (such as printing the candidates' names directly on the ballot and automated validity checks before ballot deposit) could go a long way in reducing user error and improving auditability.
As the saying goes, "Those who fail to learn from the past are doomed to repeat it." If the computer science community remains mute and allows unauditable and insecure voting systems to be procured by our communities, then we abdicate what may be our only opportunity to ensure the democratic process in elections. Government officials need your help in understanding the serious risks inherent in computer-related election systems. Now is the time for all good computer scientists to come to the aid of the election process.
I declare under penalty of perjury under the laws of California that the foregoing is true and correct.
Executed this April ___, 2002, at ___________________, California.