Testimony before the
U.S. House of Representatives' Committee on Science
Washington D.C., May 22, 2001
Douglas W. Jones
Associate Professor of Computer Science, University of Iowa
Chair, Iowa Board of Examiners for Voting Machines and Electronic Voting Systems
Member, Iowa Election Reform Task Force
[The original was prepared with only a few days' notice and contained errors,
so I have made several corrections, all set off by square braces]
Indexed on the web at http://www.cs.uiowa.edu/~jones/voting/
Elections are a defining feature of democratic government, but all too frequently, we take the actual mechanics of the election for granted. We speak at length of such issues as who is allowed to vote, how campaigns are conducted, and how they are financed, but prior to the events in Florida last November, most people's understanding of the actual voting process was something like the following: "You go to the polls, cast your vote, and then they count it and they announce the winner."
Here, my focus is on how you cast your vote, who they are who count it, how they go about counting it, and how the winner is determined. I will begin by discussing this in a historical context, and then I will discuss the regulatory environment that controls this process. I will give examples of significant shortcomings in this regulation, and finally, I will discuss changes that might be made.
Some of the material here duplicates material that I presented in testimony before the United States Civil Rights Commission hearings in Tallahassee last January 11, but here, my focus will be on the relationship between the problems we have with today's voting machines and the current system of Federal and state standards that govern the use of these machines.
When most people speak of voting on paper ballots, they imagine that they are speaking of an ancient technology, and in a sense, this is true. Hand written paper ballots were first used in Rome in 139 BCE, and their first use in America was in 1629, to select a pastor for the Salem church. These early paper ballots offered only modest voter privacy and they were fairly easy targets for various forms of election fraud.
The modern system of election using paper ballots was first used in 1858 in Australia. The great Australian innovation was to print standardized ballots at government expense, distribute them to the voters at the polling places, and require that the voters vote and return the ballots immediately. Today, the security against election fraud this provides seems obvious, but in the 19th century, it was not obvious to most observers, and it was not until 1888 that this ballot was used in the United States.
A properly administered Australian paper ballot sets a very high standard, assuring voter privacy, preventing voters from revealing how they voted, and assuring an accurate and impartial count. It sets such a high standard that voters from many parts of the world find it remarkable that we in the United States are willing to trust our votes to anything else. This is particularly true of the British Commonwealth, where paper ballots remain the rule.
The search for alternative voting methods in the United States was motivated by two factors. First, the entrenched political machines of late 19th century America learned quite quickly how to craft the laws governing the counting of votes under the rules of the Australian ballot so that those laws favored the entrenched political machine.
One of the classic approaches to subverting any election technology is to take control of the vote count. In the case of any physical ballot involving marks on paper, there will be marks that are on the borderline between acceptable and unacceptable votes, and vote counting rules that allow selective counting of marginal marks lie at the heart of a broad class of election rigging.
The most widely used approach to this is based on "objective and uniform standards for counting votes," a phrase heard often in discussions of the recent Supreme Court decision. If carefully chosen, these standards allow a skilled participant in the vote count to disqualify votes based on technicalities even when there is a clear indication of voter intent. Michigan's law governing the validity of ballot markings on hand counted paper ballots illustrates this approach remarkably well (See MCL 168.803).
By carefully controlling the makeup of the vote counting teams, the party in power can use these objective rules to selectively exclude votes for the opposition. Specifically, the party in power must ensure that the representatives of the opposition on each vote counting team are relatively poorly trained, while their own representatives are trained to aggressively apply the rules only to ballots containing votes for the opposition while accepting obvious voter intent on ballots favoring their side. According to the 1910 Encyclopedia Britannica entry for voting machines, it was common in many jurisdictions for as many as 40 percent of votes to be excluded in the count!
The second problem unique to the American system is the institution of the general election. Paper ballots are easy to count if there are only a few offices on the ballot, with only a few candidates per office, as is the norm in most parliamentary democracies. In our general elections, it is common to find well over 30 candidates on one ballot, divided between 8 to 15 offices, and this was the case even before the advent of ballot initiatives! An accurate hand count for ballots of this complexity is both difficult and time consuming.
Lever voting machines were first used in 1892 in New York, and were slowly adopted across the country. Typically, large urban centers began to use them first, and in states such as Iowa, a few smaller rural counties never abandoned paper ballots. In other states, particularly where there were serious charges of election fraud in the first half of the 20th century, lever voting machines were installed statewide. This happened in Louisiana, for example, in the 1950's.
Lever voting machines were so pervasive by the mid 20th century that those of us born in midcentury generally grew up assuming that all voting machines were and would always be lever machines. Today, although they have been out of production since 1982, these machines are still in extremely widespread use. They completely eliminate most of the approaches to manipulating the vote count that were endemic a century ago, and they can easily be configured to handle a complex general election ballot.
Lever voting machines offer excellent voter privacy, and the feel of a lever voting machine is immensely reassuring to voters! Unfortunately, they are immense machines, expensive to move and store, difficult to test, complex to maintain, and far from secure against vote fraud. Furthermore, a lever voting machine maintains no audit trail. With paper ballots, it is possible to recount the votes if there is an allegation of fraud. With lever voting machines, there is nothing to recount!
In effect, lever voting machines were the "quick technological fix" for the problems of a century ago; they eliminated the problems people understood while they introduced new problems. Because they are expensive to test, complete tests are extremely rare. The mechanism is secure against tampering by the public, but a technician can easily fix a machine so that one voting position will never register more than some set number of votes, and this may not be detected for years.
In effect, with lever voting machines, you put your trust in the technicians who maintain the machines, and if you want to rig an election, all you need to do is buy the services of enough of these technicians. This is quite feasible for a metropolitan political machine.
The first new technology to effectively challenge lever voting machines was the now infamous Votomatic voting machine. Punched card data processing dates back to the 1890's, but IBM did not introduce the Votomatic punched card voting system until 1964. The Votomatic ballot and the more recent mark-sense ballot both represent a return to the Australian secret ballot, but with the added benefit of an automated and, we hope, impartial vote count produced using tabulating machinery.
With this return to paper ballots, we gained the ability to recount the vote in the event there is a challenge, but we also introduce the question of how to interpret marginal votes. Almost everyone is an expert at interpreting marks on paper. We have been making and interpreting such marks since kindergarten. As a result, we can easily distinguish intentional marks from smudges or defects in the paper. This expertise is a key element in our ability to conduct a hand recount of paper ballots, and it fails utterly when the time comes to recount punched cards. With a punched card, a piece of dangling or pregnant chad is the analog to a smudge or an accidental pencil tick. None of us have the wealth of experience interpreting chad that almost all of us have with marks on paper!
From a legal perspective, a ballot is an instrument, just like a deed or a check. When the ballot is deposited in the ballot box, it becomes anonymous, but just prior to the moment when the ballot is deposited, it ought to be possible to hand the ballot to the voter and ask "does this ballot properly represent your intent?". Votomatic punched card ballots fail this simple test! While the ballot is in the Votomatic machine, the voter can punch holes in it but is unable to see the ballot itself. Once removed from the machine, the voter can see the holes, but without the ballot labels printed on the machine, the voter is unable to tell what those holes mean.
The problems with Votomatic ballots were severe enough that, by the early 1970s, IBM abandoned the technology, and in 1988, the National Bureau of Standards published a report by Saltman recommending the immediate abandonment of this technology. By that time, punched card voting was the most widely used voting technology in the United States, and problems quite similar to many of the problems encountered in Florida during the last election had been encountered in many local elections.
There are alternative punched card technologies that eliminate most of the problems with the Votomatic system, and there have been many improvements to the Votomatic voting machine and punching stylus since Saltman's report. While I recommend phasing out punched card voting, my suspicion is that, with proper maintenance and up-to-date voting mechanisms, it is possible to conduct a vote with the Votomatic punched card machines that lives up to reasonable standards of accuracy and resistance to fraudulent counting.
Optical mark-sense voting systems were developed in the early 1970's by American Information Systems of Omaha, alternately in competition with and in cooperation with Westinghouse Learning Systems of Iowa City. The latter was the licensee of the University of Iowa's patents on the optical mark-sense scanning machine. Essentially the only advantage of mark-sense technology over punched card technology is that it uses marks on a printed paper ballot. This is an important advantage! This means that no special machines are required to vote on the ballot, it means that, with proper ballot design, a voter can easily verify that the markings on the ballot exactly convey his or her intent, and it means that, during a hand recount, no special expertise is required to interpret the intent of the voters.
Unfortunately, the first generation of optical mark-sense voting machines was extremely sensitive to the particular type of pen or pencil used to mark the ballot, and to the exact details of the mark itself. As a result, early machines, including many still in use today, had real difficulty distinguishing faint deliberate marks from smudged erasures, and they tended to have mark sensing thresholds that required a fairly dark mark.
The newest generation of optical mark-sense readers uses visible wavelength image processing technology instead of simple infrared sensors to read the marks. Many of the more recent offerings use either FAX machine scanning mechanisms or computer page-scanning devices to obtain the image of the ballot, and they operate by finding each marking target before they search the target for acceptable marks. Such machines can easily ignore relatively dark smudged erasures while catching relatively faint deliberate marks.
Both punched-card and optical mark-sense technology were originally developed for use with centralized ballot counting machines. These machines were typically large and cumbersome (this remains true, even with the smaller machines of today). Counties could rarely afford more than one, so when the polls closed, the ballot boxes were transported to the central counting center to be tabulated. By the late 1970's, it became feasible to build mark-sense and punched-card readers that could be installed in each polling place, but despite this, central count technology remains in widespread use with both punched cards and optical mark-sense ballots.
Because there need be only one central-count machine per county, complete and exhaustive pre-election calibration and testing is possible, as is complete post-election testing. It is quite reasonable to expect, prior to each election, that a technician will spend a good part of the day running test ballots through such a machine while monitoring the outputs of each sensor and adjusting the sensitivity to meet the requisite standards.
Precinct-count ballot tabulating machines are typically seen by the voter as somewhat complex ballot boxes. To the county, they are expensive ballot boxes that also count the ballots as they are deposited in the box, and offer immediate vote totals for the precinct when the polls are closed. Furthermore, the more recent precinct count systems offer the option of detecting overvotes and other ballot problems before the voter leaves the polling place, thus allowing the voter to correct the problem instead of leaving it uncorrected or leaving it to the judgement of the tally team during a hand recount.
Because there must be large numbers of precinct-count machines, we cannot afford to have complete and detailed calibration and testing of such machines prior to each election. The most we can typically afford is a general visual inspection and cleaning of each machine before the election, with detailed spot checks of only a few machines. Prior to opening the polls, polling place workers can run some simple self-tests, and well designed machines can auto-calibrate their sensors as they read each ballot. The use of image processing technology based on FAX machine mechanisms significantly reduces the need for measuring absolute brightness, and this, in turn, significantly reduces the calibration problems that plagued early mark-sense readers.
Unfortunately, because punched-card and optical mark-sense ballots are machine readable variations on the Australian ballot, the introduction of these technologies raises many of the problems that led to the large-scale abandonment of paper ballots during the first half of the 20th century. When punched-card and mark-sense ballots are subject to a hand recount, all of the shenanigans that we hoped to eliminate with lever voting machines have begun to reappear.
Thus, we have the option of instituting "uniform and objective standards" that allow the plain and obvious intent of a voter to be ignored. We must guard against attempts to do this without safeguards that account for all ballots excluded under such standards!
Furthermore, we must guard against many other threats. Voters might add marks identifying their ballots so that dishonest observers of the count can determine how they voted and provide appropriate bribes. We guard against this by laws that exclude ballots with stray marks on them, but clever marking schemes will always be possible. There is the possibility that vote counters might surreptitiously mark or punch ballots (a carefully trimmed fingernail or a bit of pencil lead under the fingernail is all it takes), so we insist on the rule that all ballots be handled in plain sight by people with freshly manicured fingernails. We must prevent voters from smuggling blank ballots out of the polling place or smuggling pre-voted ballots in, so we require elaborate care in accounting for all ballots.
The newest voting technology uses direct-recording electronic voting machines. These were developed after microcomputers became sufficiently inexpensive that they could be incorporated into a voting machine. The first of these was developed by Shoup in 1978; the Shoup Voting Machine Company was one of the two companies that had been making lever voting machines for much of the century. Their new electronic voting machine was built to have the "look and feel" of a lever voting machine, thereby minimizing the voter education problems that always accompany changes in voting technology.
Much of the rhetoric today about voting system reform asks why we can't have voting machines that are as ubiquitous and convenient as automatic teller machines. This turn of phrase is a reference to the newest generation of direct-recording voting machines; these make no attempt to emulate earlier technology; physically, they are little more than repackaged personal computers with touch screen input and special software to make them function as voting systems.
All of today's direct-recording voting machines attempt to offer far stronger audit and security tools than the old lever machines they functionally replace. Instead of simply storing vote totals on odometer wheels inside the machine, they store an electronic record called a ballot image recording each voter's choices, and they store an audit trail of all actions involving the machine, from pre-election testing to the printing of vote totals after the polls close. These records are stored in duplicate form, for example, in a hard drive in the machine as well as in a removable memory pack of some kind or on an adding machine tape inside the machine. Should any disaster strike or should a recount be requested, it should be possible to recover all votes that have been cast on such a machine.
Unlike any system resting on paper ballots, none of the information stored inside a direct-recording electronic voting machine can be said to have the status of a legal instrument. Instead, the record is created by the software within the voting machine in response to the voter's actions, and the record is only as trustworthy as the software itself. It is far from easy to test and inspect software to assure that it functions as advertised, and it is far from easy to assure that the software resident in a machine today is the same software that was authorized for use in that machine months or years ago.
Today, only about 1 percent of the population votes at polling places on hand counted paper ballots, but this figure is misleading. There are many elections conducted on optical mark-sense ballots that are actually hand counted, and many jurisdictions that use lever voting machines process absentee ballots by hand.
Hand-counting of mark-sense ballots is common in small local elections where a small turnout is expected and there are only a few issues on the ballot. When this is the case, the cost of hand counting may well be less than the cost of programming and testing the vote tabulating machinery. The actual ballots used and the instructions to voters need not reveal what counting technology is being used.
Today, lever machines are used by about 19 percent of the population. While these machines have not been made for many years, they are built to last, and it takes only a moderately skilled mechanic to keep them in good working order. Because these machines have been phased out by many counties over the past 45 years, surplus machines are widely available as a source of replacement parts.
Nationally, about 31 percent of voters use punched card ballots; most of these use the Votomatic machine. This number is in rapid decline since the most recent election! Many jurisdictions that have used punched cards without question prior to that election are now committed to move to other voting technologies.
The use of punched card voting machines has never been legal in Iowa, the state where I have voted for the past 21 years; by the time there were counties in Iowa that were interested in moving to this technology, the problems with punched-cards were widely enough known that the law was changed to effectively prohibit their use for any but absentee ballots; the same revision to the law allowed the use of optical mark-sense and other electronic vote counting methods.
Punched card ballots are used for absentee voting in many counties where direct-recording voting machines are used at polling places. When used for absentee voting, no voting machine is used; instead, the voter's instructions indicate, for each candidate or position on an issue, exactly which hole should be punched. Absentee voting using this method is too time consuming for use at polling places, but it allows the voter to verify that the ballot does correctly represent his or her intent, and as such, the punched card ballot becomes an appropriate legal instrument.
About 27 percent of voters nationally use optical mark-sense ballots, and many of the states that have just abandoned punched cards will be moving to this technology. In my home state of Iowa, the figure is 80 percent because counties that might have used punched cards had they been in other states moved to mark-sense technology instead.
Direct recording electronic voting machines are used in about 9 percent of the nation. The adoption of this new technology has been slow, largely because it is expensive; direct-recording electronic voting machines typically cost upward of $5000 each. Another reason for the slow adoption is that many people are rightly suspicious of any voting technology that puts the entire election system in the hands of a few highly skilled computer programmers.
Aside from hand counted paper ballots and lever voting machines, all of today's voting technologies rest on the use of computers, and two suggestions follow quite naturally from this: First, why should these computers operate in isolation? Why not interconnect them using some kind of network technology? Second, why not let me use my own computer to vote instead of making me use a publicly owned machine in a polling place?
Today, an increasing fraction of the direct-recording electronic voting machines on the market include provisions to network all of the voting machines in one polling place. This allows each machine to store vote totals in the memory of the others, and at the close of the polls, it allows a single report for the entire precinct to be created instead of one report for each machine.
Today, all new precinct-count voting machines are offered with communication options; this includes direct-recording voting machines, optical mark-sense ballot readers, and punched-card ballot readers. These allow the machines to electronically communicate the vote totals to a machine at the county level that computes county wide vote totals within minutes of the close of the polls.
In most cases, this option centers on a modem incorporated in the machine, but where modem use is impractical, the machines will electronically record the vote totals on a memory pack or diskette that may be hand carried to the county's tabulating center, and some machines even offer a wireless option, so that the machines transmit vote totals over the air.
It is worth noting that many polling places are in building lobbies that have no telephone connections or in township halls that have never been wired for telephone service. Even if every polling place had a phone line, the idea that each voting machine in a large urban county might simultaneously attempt to phone in its totals when the polls close is daunting! This is one reason that wireless communications options are appealing.
Most proposals for allowing voters to use their own machines to vote in general elections suggest that this be done via the Internet. Usually, the term E-voting is used as a synonym for Internet voting, but the term could just as well be applied to all of the electronic voting technologies introduced since 1960. Furthermore, there are many non-internet options for using personal computers to vote. For example, voters could use modems to connect by telephone directly to the county offices when they vote.
There are several companies that are aggressively attempting to sell Internet voting, most notably Safevote, of San Rafael, California, but this technology has many problems to overcome. In effect, Internet voting can be classified as the use of direct-recording voting machines provided by the voter for absentee voting, with ballot transmission electronically over a public communications network. Thus, before we can accept this technology, we must assure ourselves that we trust direct-recording voting technology and that we trust electronic transmission of ballots, and having surmounted these hurdles, we must assure ourselves that we trust the voters to provide, maintain and secure their own voting machines!
Today, the technology we use for voting is regulated by numerous branches of government! In Iowa and most states, the counties individually own, pay for and administer the voting machines used locally. The states regulate the voting machines that may be purchased by the counties, and state laws and administrative rules determine how these machines are used. These state rules have, on many occasions, been overruled by Federal court decisions, and where civil rights issues have arisen, there has been direct Federal control of local elections. Finally, the Federal Election Commission has established voluntary standards governing voting systems, and these standards include a testing and certification process for voting equipment. These standards have been incorporated into law by a large and growing minority of the states [correction: small but growing majority of the states], so they are not as voluntary as they appear at first glance.
In Iowa, voting machines must be certified by the Iowa Board of Examiners for Voting Machines and Electronic Voting Systems. Iowa law requires that all new machines offered for sale in the state comply with Federal Election Commission standards prior to our examination. I have served on the Iowa Board of Examiners since 1994, and I have chaired the board since 1999; I feel that we have been moderately effective in setting reasonable standards for the voting systems used in Iowa.
You will note that I did not say that we assure perfection or even that we have set excellent standards! The criteria on which we can disqualify a machine are weak! We can only disqualify machines if we find that they do not meet the conditions set by state law, and in many cases, I would have liked to disqualify machines but I was forced to vote for their approval because I had no legal grounds for disqualification.
The Federal Election Commission Performance and Test Standards for Punchcard, Marksense, and Direct Recording Electronic Voting Systems, released in January 1990 and revised in April of that year, were developed in response to the problems reported from various quarters in the mid 1980's. In addition to defining terms and setting basic requirements for some of the machinery used in elections, these standards require testing of new voting systems by an independent testing authority -- independent of both the jurisdiction using the machines and the manufacturer. Unfortunately, a decade after these standards were introduced, only Wyle Labs of Huntsville, Alabama is available as an independent testing authority.
These standards have two major weaknesses. First, they are voluntary! A voting machine manufacturer who conforms has a marketing advantage over a non conforming manufacturer, but in most states, conformance is not required. Over the past decade, over 20 states [correction: over 30 states] have opted to require conformance, but unless things have changed since I last checked, the majority of the states have not opted in [note: indeed they had changed, by at least 10 states].
The other problem with these standards is that they simply fail to cover many issues, and in my experience evaluating voting machines for use in Iowa, I find that many inadequate designs and marginal features have made it through the standards process with no comment. I must note that the Federal Election Commission is currently in the process of producing a major overhaul of these standards; Volume I of the new standard is scheduled for preliminary release on June 29, and Volume II is scheduled for October 31.
In the following subsections, I will document some of the shortcomings of the current standards, with illustrations from my experience evaluating voting machines for use in the state of Iowa.
The current Federal Election Commission standards require a recording accuracy of "one part in one million" (Section 188.8.131.52.7 for direct-recording electronic voting machines, 184.108.40.206.1 for punched-card and mark-sense machines).
On the face of it, this standard appears to be objective and measurable, but it is not! There are two basic problems. First, the standard specifies no measurement methodology, and second, the standard itself, "one part in one million," appears with no justification; it appears to be a number pulled out of thin air!
In actual practice, we have one useful measure of voting system accuracy, provided by the institution of the recount. Recounts detect other things as well, but when you exclude recounts that have found lost ballots and clerical errors, the difference between the first count and the recount represents the actual error level in the voting system.
In my home county, Johnson County Iowa, we currently use 16-year-old Optech II precinct-count mark-sense machines made by Business Records Corporation (now Election Systems and Software). Tom Slockett, the Johnson County Auditor (in his role as county election commissioner), has told me that, in a typical machine recount in Johnson County, the results are rarely off by more than 1 in 10,000 from the original count and are frequently the same. At the United States Civil Rights Commission hearings in Tallahassee on January 11, Witness Dan Gloger cited figures from the Dade County Florida punched-card recount last November suggesting an error rate of 1 in 6000.
These figures, 1 in 6000 or 1 in 10,000, come nowhere near the 1 in 1,000,000 required by the Federal Election System standards, but I believe they are an accurate reflection of the accuracy achieved by real ballot counting mechanisms. These counts involve real ballots punched or marked by real people, with loose chad that might be knocked into or out of holes in punched cards, and with ballot markings that may be very close to the voting machine's threshold for determining whether a mark is or is not counted.
In one of the first voting system tests I was involved with, in 1994, if my memory is correct [note: Sept 30, 1994], we tested the central count optical mark-sense vote counting system being offered to count absentee ballots in counties using Microvote's Direct Recording Electronic voting system. This used an optical mark-sense reader sold by the Chatsworth company, and it is noteworthy that the Chatsworth mark-sense reader is specifically cited as an example of hardware that is not subject to qualification test and measurement procedures because it has "a history of performing successfully under conditions equivalent to the election use" and has a "demonstrated compatibility with the voting system" (Section 7.1.2 of the FEC Standards).
In order to test this system, I took several hundred ballots out on the street and asked random people to mark the ballots as I instructed, quoting the marking instructions from the Chatsworth and Microvote documentation I had been given. When we counted and recounted my test deck, we found that the reader rarely came within a few percent of the count it had previously given. Thus, we are speaking of an accuracy of significantly worse than 1 in 1000! This for a voting system that had been accepted for use in Arkansas, Michigan and North Carolina, and that had passed through the FEC certification process.
When we asked about these problems, the vendor's representative cited the FEC Standard, Section 220.127.116.11.1, that "valid punches or marks shall be detected, invalid punches or marks shall be rejected," and turned this on its head. In effect, if the machine detects a mark, it is valid, and if the machine fails to detect a mark, it is invalid. Thus, in effect, the machine sets the criteria for what is and is not a vote, entirely independent of how a human looking at the marked ballot would interpret it! The solution, in this case, involved changing both the ballot marking instructions and the specific model of ballot reader used; with these changes, we were able to approve the system.
The root of the problem was twofold. First, under the original marking instructions, voters had been free to use any pen or pencil. Indeed, the Chatsworth reader was able to read most pen and pencil marks, but some colored pens and hard-lead pencils produced marks very near to the threshold for the reader. The other problem was that the reader was nominally able to read ballots in any of four orientations (reversed top-to-bottom or front-to-back or both). As a result, any given mark on the ballot might be seen by any of 4 different sensors, and the sensing thresholds of these sensors were obviously not equal!
Some elections administrators deal with this problem of near-threshold marks on mark-sense ballots by requiring that, on a recount, all ballots be recounted by the same machine that was used in the first count. In fact, I believe that this is a serious mistake! If counts on two different machines reveal significantly different counts, then either the standards for adjusting the sensitivity of the sensing mechanisms on those machines are inadequate or the ballot marking instructions are inadequate, leading to too many near-threshold marks!
When we examined the Global Election Systems Model 100 Electronic Ballot Station in 1998, as the examination progressed from the sales presentation to the actual qualification test, we were warned by the sales representative that we would have difficulty testing the machine and that, in fact, a useful hand test of such a system was generally difficult. I do not want to single out Global; Fidlar-Doubleday has a system that is both similar looking and subject to the same problems.
These machines use a touch screen for voting, and I imagine that, as a voter, I would have immense confidence in them, both because they are excellent representatives of current technology and because the computer interfaces on these machines are generally very well designed.
During testing, however, we quickly learned that the warning from the sales representative was correct. Casting one ballot on this machine is something of a peak moment, psychologically, but to perform an interesting test, it is necessary to cast several hundred ballots. After casting five or ten ballots on this machine, the job became tedious, and after casting twenty or thirty, it became a stressful exercise. By the end of the test, two of the three examiners had made so many mistakes that their test plans were of little use. I made it through my test plan without error but with sore fingers from poking at the touch screen and with a splitting headache and a sore neck.
In discussing our tests, the vendor's representative said that, really, we should not expect to make realistic tests, that, in effect, we just had to trust the testing done by the vendor and by Wyle Labs. We could not duplicate the human factors present at a real polling place in our tests, and we should trust the vendors and the labs to do that for us. Trust, however, is a dangerous thing in the world of elections. Every step in the election process needs to be testable, and with direct-recording machines, testing is becoming extremely difficult! In this particular case, I suspect that the large scale testing was done with robotic fingers touching the screen in pre-determined patterns, and this too does not duplicate the human factors elements in real voting, as no humans are involved!
Another problem that came up in the test of both the Fidlar-Doubleday and Global Election Systems Direct Recording Electronic voting machines is a consequence of the fact that these machines are essentially repackaged IBM PC compatible computers running versions of the Microsoft Windows operating system.
Under Section 7.1.2 of the FEC Standards, software qualification testing for the operating system running in a voting system is not required unless the operating system has "been modified for use in the vote counting process." Thus, because these voting machines use off-the-shelf versions of Windows, the operating system is exempt from inspection.
If I recall correctly, during our first test of the Global Election Systems Model 100 Electronic Ballot Station in early 1998 [correction: it was the Fidlar and Chambers EV 2000, in January 1998], we found an interesting and obscure failing that was directly due to a combination of this exemption and a recent upgrade to the version of Windows being used by the vendor in their machine.
In effect, the machine always subtly but reliably revealed the previous voter's vote to the next voter using the same machine! This was because, whenever a particular set of "pushbuttons" was displayed on the screen, the button most recently pressed was shown with slightly different shading. Such a set of buttons is frequently referred to as a radio button widget. As far as the developers of Windows were concerned, this new feature of radio button widgets was intended to help computer users remember what they'd done the last time they encountered a particular menu on their computer screen. I want to emphasize here that Microsoft did not intend any violation of voter privacy, and in fact, that this feature of their software was developed without reference to the possibility that it might be used in elections.
In the vendor's original tests, this feature had apparently not yet been added to Windows, and since the new version of Windows did not contain any notices indicating features that might have been relevant to the voting application, this problem was left for us to find. Had the operating system not been in the exempt category, I suspect we would have never had this problem.
The use of a proprietary Microsoft operating system in a voting machine and the fact that the current standards provide us with no control over this use is particularly troublesome! Microsoft is currently in the midst of an antitrust case -- which is to say, it is in an adversary relationship with the Federal government! Thus, the company has great reason to be interested in the outcome of elections.
In fact, about a year ago, I remember hearing a Microsoft representative state that he hoped to delay hearings on their antitrust case until after the election because he believed that Microsoft would receive a more favorable hearing from a Bush administration, and I remember that, when asked about this, then candidate Bush confirmed that he did not favor the antitrust litigation.
Thus, we are in the bizarre situation that our current standards exempt large portions of software in voting machinery from inspection, where those portions happen to be made by an organization that has taken a partisan position in an upcoming political race!
I do not believe that Microsoft has abused our trust by incorporating code into Windows that could be used to falsify the vote totals for a race, but I do object to our extending such trust. It would be remarkably easy to program the window manager component of any operating system to rig elections, and testing to prove the absence of such programming would be impossible! For example, a clever programmer could add code that only operated on election day (the first Tuesday after the first Monday of years divisible by two), so that, whenever the text "STRAIGHT PARTY" appeared in the same window as a radio button widget, and that widget had button labels containing "DEMOCRAT" "REPUBLICAN" and "GREEN", the first and last of these labels would be exchanged one time in ten. The net result would be to throw ten percent of the Democratic party's straight-party votes to the Green party! This could easily swing an election.
Today, there are numerous operating systems and window managers available that could be used as alternatives to Microsoft Windows for voting machines based on PC compatible software. Furthermore, at least two of these, Linux and FreeBSD, are open-source systems, that is, operating systems where the code of the system is available for inspection by anyone. There is no preference built into the current standards to favor the use of such open-source systems!
The current FEC standards include a System Escrow Plan for the Voting System Standards Program also released in January 1990 and revised in April 1990. Section 3 of this plan justifies the escrow process by noting that storing in escrow a copy of the software approved for use on a machine can allow verification that the software installed is indeed the software that ought to run on that machine, and it allows customers to protect the value of their equipment in the event that a vendor goes out of business.
This is true, but there is a major shortcoming of the current system! Section 5.5 of the primary FEC Standard does require that no tools be resident on the voting system for altering the software, but there is no requirement for provisions supporting the verification that the software loaded on a voting system is indeed the software authorized on that machine.
This is not an easy problem to solve! The requirement that the resident software print out the ID of that software may be trivially met by modifying whatever software is actually resident on the machine to print out whatever report is expected. There are cryptographic tricks that could be applied to this, but effective solutions to this problem are subtle and I have yet to see any voting system that offered even a partial solution to this problem.
One of the most perplexing problems posed by the current generation of direct-recording electronic voting machines is the question of exactly what is a voting machine? On the face of it, even the fact that such a question should arise is alarming.
I first encountered this question in the examination of the Fidlar-Doubleday (then Fidlar and Chambers) EV 2000, but the same problem is present in the machines made by Global Election Systems. In both cases, these machines are designed to allow networking of all the machines in a single polling place, with many functions that are traditionally connected to individual machines connected, instead, to the cluster of machines.
Current FEC standards require that each voting machine have a public counter (Sections 18.104.22.168 and 22.214.171.124.3) that indicates, to the public, the number of ballots cast on that machine during that election, and a protective counter (Sections 126.96.36.199 and 188.8.131.52.4) that indicates the total number of ballots cast on the machine during its lifetime.
The problem is twofold: First, when does a machine come into existence? If the machine is essentially a personal computer, each component inside the case can be replaced independently of all the others. The CPU can be replaced, the disk drives can be replaced, and the display screen can be replaced. There is no component analogous to the odometer mechanism that is included to serve as the protective counter in a classical lever machine, so generally, the protective counter is stored on disk or some equally replaceable component.
When the system component containing the protective counter is replaced, must the counter be set to the original value in order to conform to the letter of the FEC Standards? If so, there must be software that allows setting the counter, and if this is the case, the value of this counter for protecting against fraud becomes questionable! If there is no such software, then the counter must automatically reset to zero whenever the component that contains it is replaced or reinitialized. In this case, in order to conform to the FEC Standards, we must consider that replacement to have manufactured a new voting machine! This is very strange.
The second problem arises as a result of the networking option allowed by Section 184.108.40.206 of the standard. This allows, but does not require, the interconnection of the voting machines in a polling place so that they produce a single report of the results of an election. When machines are interconnected, it is natural to consider the total set of machines as a single system that comes into existence when the machines are plugged together at the start of election day, and that is destroyed after the polls close.
In the case of the Global Electronic Ballot Station, it appears that they have met the FEC requirement for redundant storage of ballots (Section 220.127.116.11.5) by taking advantage of this networking within the polling place. Each voting machine records a copy of the votes cast on that machine not only in its own memory, but also in the memory of one of the other machines that are part of the same network of machines.
Technically, there is nothing at all wrong with this, except that the current standards do not seem to have anticipated this; neither did Iowa law, and as a result, after a long argument, we decided that, for purposes of Iowa law, the only way we could approve this system was if we viewed the system of machines installed at a polling place as a single machine. This is clumsy!
A very interesting problem came up last fall, in an examination of an upgrade to the Fidlar-Doubleday EV 2000 system. Processing write-in votes is difficult on any voting system, and under the laws of many states, including Iowa, it is sometimes necessary to check for certain other votes on the ballot before accepting a write-in vote.
The specific rule that causes problems is that write-in votes for candidates whose names are already on the ballot are not counted, unless the write-in vote is an overvote for a candidate that has already been voted for normally, in which case, the write-in is discounted and it is not an overvote. On direct-recording machines, this causes no problems for vote-for-one offices, but on a vote-for-three office, for example, a voter could vote for two candidates normally and then write in the name of one of them in an attempt to cast two votes for that candidate.
Many election administrators have apparently asked Fidlar-Doubleday (and other vendors, I suspect) to print a special report when the polls are closed, listing all write-in votes with enough added information to allow the polling place workers to apply the above rules. This is one of the enhancements we were asked to evaluate last fall.
Unfortunately, Fidlar-Doubleday implemented this feature by including the entire coded ballot image of every ballot containing a write-in vote as an appendix to the report printed by the voting machine when the polls close. Under Iowa law, this entire report must be posted publicly, so the net result was that the coded ballot image of every ballot containing write-ins was made public.
The write-in votes themselves were in plain readable text in this coded image, and each vote cast on the same ballot was coded as a random number, using a code that was fixed for that precinct. It only took me a minute to discover a foolproof way to crack this code, and using this, someone intent on bribing voters to vote in a particular way could simply assign a nonsense name to each voter, asking them to write in that person's name for a specified minor office in order to force the public disclosure of their ballot in order to prove that they had earned their bribe.
Had Fidlar-Doubleday arranged to print only the other votes, if any, for the office where the voter cast a write-in vote, the problem would have been considerably less severe and we would have approved the machine. As it is, we had to forbid the use of this feature in Iowa (fortunately, it could be disabled), despite the fact that Wyle Labs had found no problems in their software audit and despite the fact that some of the election officials requesting this feature had been from Iowa.
The current FEC Standards cover the machinery and software of central count mark-sense and punched-card ballot counters, and they cover the machinery and software of precinct-count and direct-recording electronic machines, but they have not been used to cover central counting systems used in conjunction with precinct-count or direct-recording electronic machines.
The problem is, all of the recent precinct-count and direct-recording voting machines that I have seen offered for sale have included communications options that will electronically transmit either ballot images or vote totals from the voting machine to a central location, and then tabulate the results from all machines reporting in. Most machines offer to do this using modems and the public telephone network. All machines also offer to do this using removable memory packs of some type (diskette or electronic), yet no aspect of this appears to be adequately covered by the current standards!
All of these electronic communication options raise severe security problems, which the current FEC Standard addresses very briefly in Section 5.6. How do you prevent some hacker from using his personal computer to report false totals for some precinct by phone or radio? If hand-carried memory packs are used, how do you prevent a dishonest election worker from switching a false memory pack for the pack that came from the voting machine? Today's memory packs are frequently about the size of a credit card! It takes only modest skills at sleight-of-hand to swap two cards that size, even in the presence of suspicious witnesses.
When I have asked vendors' representatives about the security they offered, some have flatly refused to discuss any details, stating that to do so would compromise their security. As a general rule, those in the computer security business are very hesitant to accept such statements, because history shows us that the most secure systems are strong enough to stand up to detailed inspection of their mechanisms!
When I was involved in the examination of the new modem option for the Business Records Corporation (now Election Systems and Software) Optech Eagle in 1996, I asked about this, and after some confusion, learned that the system was secure, but that this security was accidental and not a matter of design. One of the fields stored in the voting machine when it was set up for a particular election was the time and date of the setup, and when that machine transmitted its results back to the central location for counting, the time and date were included in the transmission and checked against the original. Had this information just been the day on which the machine was programmed, it would have offered no security, and had it been the day, hour and minute, it would have been fairly easy to guess, particularly when the actual setup of voting machines is itself subject to observation by witnesses for each party. In this case, however, the value used happened to be accurate to the millisecond! It was that fact that made the transmission secure against forgery.
In another case, I believe it involved the Global Electronic Ballot Station, when I asked about security, they assured me that they used the United States Government approved Data Encryption Standard. This standard is moderately good, but it requires that the transmitter and receiver of a particular piece of data each have identical keys, one used to encrypt the data, and the other used to decrypt. So, I asked how the company was handling the key management problem.
The answer I got scared me! The company's sales representative phoned their technical expert and handed me the phone. I asked my question again, to the expert, and he said that he was surprised that I should ask about key management because, really, there was no problem. The reason for this turned out to be that there is only one key -- company wide, and incorporated into every voting machine they build! This fact was not, apparently, considered worth noting in any of the examinations conducted under the current FEC standards.
Because of these problems, we in Iowa do not allow electronic vote reporting for anything other than reporting early totals to the press. For the official canvass, we still require that the totals for each precinct be printed in duplicate at the polling place, then signed and witnessed by the precinct election workers, with one copy publicly posted and the other copy hand delivered to the county offices. If you are suspicious about the accurate transmission of your precinct's totals, you can go to the polling place as the polls close, take notes from the posted totals, and then check these with the totals reported later for the official canvass.
Before we allow such electronic transmission, I want to see open standards for interconnection of voting systems. Proprietary protocols, where the voting system vendor cannot inform the examiners of any details of the protocol for fear of compromising a system's security must not be allowed! On the other extreme, genuinely open protocols that allow voting machines made by different manufacturers to be used together would make the marketplace far more competitive because it would allow counties to phase in a new make of machine instead of forcing an all or nothing change. Such protocol development must be overseen by an organization that understands the issues of security and reliability far more clearly than the vendors or testing authority with whom we deal today.
Section 18.104.22.168.5 of the FEC Standard requires that each direct-recording voting system incorporate multiple memories, so that, in the event of failure, any disparity can be detected. Unfortunately, the standard says nothing about what to do when there is a problem!
The fundamental problem extends far beyond this section of the standard, into the laws of many states. If we have two documents, one an original and the other a photocopy, the original has far higher standing in law than the copy, and rightly so. If someone were to photocopy a stack of ballots and then somehow manage to lose those ballots, there would be interesting arguments about the legal standing of those copies!
In the case of direct-recording voting machines, we have no original document; rather, the ballot images stored within the memory of the machine are all copies! If the duplicate copies are the same, the standards grant them considerable weight. If, on the other hand, the duplicate copies differ, there is no guidance to suggest how the correct copy should be determined.
In fact, there is a technical solution to this problem! This relies on storing, with each ballot image, an electronic signature of that image (the simplest such signature is the checksum, the simple sum of the binary representations of the data bytes of the image). In the event that two copies of a ballot image disagree, the one with the bad checksum should be disregarded in favor of the one with the correct checksum. This is mentioned in the current FEC Standards, section 5.6, but it is applied only to data communication.
In all of the voting systems I have examined, it appears that, where redundancy is used, it is left to the human user's judgement to decide what to do in the case of disagreements between the redundant copies. This is not acceptable! I admit, however, that I base my observation of current practice on sales literature, discussions with manufacturer's sales representatives, and very sketchy and infrequent contact with technical people within the vendors' organizations.
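The reconciliation rule described above for redundant ballot memories (keep the copy whose stored signature still verifies) is shown here as an added example; it is not part of the original testimony and is not any vendor's code. The record layout, the 16-bit width of the byte sum, the sample ballot bytes and the use of SHA-256 as a stronger signature for comparison are all assumptions of the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional, Sequence

Digest = Callable[[bytes], bytes]


def byte_sum(image: bytes) -> bytes:
    """The simplest signature named in the text: the sum of the data bytes.
    Keeping it in 16 bits is an assumption of this example."""
    return (sum(image) & 0xFFFF).to_bytes(2, "big")


def sha256(image: bytes) -> bytes:
    """A cryptographic hash, used here as a stronger signature for comparison."""
    return hashlib.sha256(image).digest()


@dataclass(frozen=True)
class StoredCopy:
    image: bytes  # ballot image as held in one of the redundant memories
    tag: bytes    # signature computed when the ballot was recorded


@dataclass(frozen=True)
class Resolution:
    status: str             # "agree", "recovered" or "unresolved"
    image: Optional[bytes]  # the ballot image to count, if one can be chosen
    discarded: int          # copies rejected because their signature failed


def store(image: bytes, digest: Digest) -> StoredCopy:
    """Record a ballot image together with its signature."""
    return StoredCopy(image, digest(image))


def reconcile(copies: Sequence[StoredCopy], digest: Digest) -> Resolution:
    """Choose the ballot image to count without relying on operator judgement."""
    intact = [c.image for c in copies if digest(c.image) == c.tag]
    discarded = len(copies) - len(intact)
    if len(set(intact)) != 1:
        # Either no copy verifies, or copies that verify contradict each other.
        return Resolution("unresolved", None, discarded)
    status = "agree" if discarded == 0 else "recovered"
    return Resolution(status, intact[0], discarded)


# Constructed sample data, not a real ballot image format.
BALLOT = b"precinct=07;governor=2;senate=1;measure_a=yes"
# Damage to a single bit of the first byte.
BIT_FLIP = bytes([BALLOT[0] ^ 0x01]) + BALLOT[1:]
# Damage that reorders bytes: same byte values, so the same byte sum.
REORDERED = BALLOT.replace(b"governor=2;senate=1", b"governor=1;senate=2")


def demo() -> dict:
    """Reconcile a good copy against each kind of damaged copy, per signature."""
    results = {}
    for name, digest in (("byte_sum", byte_sum), ("sha256", sha256)):
        good = store(BALLOT, digest)
        results[name] = {
            "identical": reconcile([good, good], digest).status,
            "bit_flip": reconcile([good, StoredCopy(BIT_FLIP, good.tag)], digest).status,
            "reordered": reconcile([good, StoredCopy(REORDERED, good.tag)], digest).status,
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

With the byte-sum signature, damage that only reorders bytes leaves both copies verifying, so the only safe outcome is an explicit "unresolved" state; a cryptographic hash rejects the damaged copy in that case.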
Section 22.214.171.124 of the current FEC Standards requires that the voting system count ballots, and for each office or measure, that it count votes, overvotes and undervotes. This is excellent, but most states (including Iowa) appear to ignore much of the information that could be obtained from this, and the FEC Standards do not even suggest some extremely productive ways to use this to ensure the accuracy of the count within a voting machine.
In general, for a vote-for-one office or a yes-no ballot issue, the sum of the number of votes for each candidate, the number of overvotes (if any) and the number of undervotes should equal the number of ballots counted. Therefore, if each of these items is brought forward independently through the entire vote count, from the moment the ballot is inspected until the final canvass is published, it should be possible to check this sum at every level in the process to detect errors.
If we can guarantee that the components of this sum are genuinely brought forward independently, for example, that some part of the system counts ballots without access to any record of the votes cast, and if we can guarantee that the count for each candidate is made without the ability to inspect or modify the count for any other candidate, then we have a system that is very secure against falsification of the count. Section 2.3.2 of the current FEC Standards requires part of what is suggested here, but the followthrough is weak.
The current FEC Standards, in Section 7.4.2, require a source code audit of all software in the voting machine, but the criteria given to the auditors are all generic criteria that could be applied to video games and payroll software as easily as to voting systems. It would be extremely valuable to incorporate into this audit a review of the independence of the counting of ballots (enforcing Section 2.3.2) and votes for each office; such an audit requirement would materially change the way system designers approach the problem and would make all vote counting software more trustworthy.
I also suggest that this same rule be applied to manual vote counting, and that some component of the count always be carried forward outside the machine. Most systems of polling place administration require that the polling place produce a count of the number of voters allowed to vote. In Iowa, for example, each voter must sign an affidavit of eligibility in order to receive a ballot, and these are numbered. It is therefore very easy to count the number of ballots issued entirely outside of any computer system, and I strongly urge that this count be brought forward into the official canvass by hand, even if everything else is handled by computers!
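The sum check described above, together with the hand-carried count of ballots issued, is shown here as an added example that is not part of the original testimony. The record layout, the names and the sample figures are constructed; the example assumes vote-for-one contests and that every ballot issued is cast, and it goes one step beyond the text by also comparing each published county figure with the sum of the precinct figures.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Contest:
    """One vote-for-one office or yes/no measure, each component kept separately."""
    votes: Dict[str, int]
    overvotes: int = 0
    undervotes: int = 0

    def accounted(self) -> int:
        return sum(self.votes.values()) + self.overvotes + self.undervotes


@dataclass
class Return:
    """Totals reported at one level of the canvass (a precinct or the county)."""
    name: str
    ballots_counted: int   # counted by the voting system
    ballots_issued: int    # hand count of numbered affidavits, kept outside the machine
    contests: Dict[str, Contest]


def check_return(r: Return) -> List[str]:
    """Apply the sum check and the hand-count check to one level."""
    problems = []
    if r.ballots_counted != r.ballots_issued:
        problems.append(f"{r.name}: {r.ballots_counted} ballots counted, "
                        f"{r.ballots_issued} issued by hand count")
    for office, c in r.contests.items():
        if c.accounted() != r.ballots_counted:
            problems.append(f"{r.name}/{office}: votes+overvotes+undervotes = "
                            f"{c.accounted()}, ballots counted = {r.ballots_counted}")
    return problems


def roll_up(name: str, returns: List[Return]) -> Return:
    """Add each component across precincts without consulting any other component."""
    contests: Dict[str, Contest] = {}
    for r in returns:
        for office, c in r.contests.items():
            agg = contests.setdefault(office, Contest(votes={}))
            for candidate, n in c.votes.items():
                agg.votes[candidate] = agg.votes.get(candidate, 0) + n
            agg.overvotes += c.overvotes
            agg.undervotes += c.undervotes
    return Return(name,
                  sum(r.ballots_counted for r in returns),
                  sum(r.ballots_issued for r in returns),
                  contests)


def audit_canvass(precincts: List[Return], published: Return) -> List[str]:
    """Check every precinct, the published totals, and the step between them."""
    problems: List[str] = []
    for r in precincts:
        problems += check_return(r)
    problems += check_return(published)
    expected = roll_up(published.name, precincts)
    rows = {"ballots counted": (expected.ballots_counted, published.ballots_counted),
            "ballots issued": (expected.ballots_issued, published.ballots_issued)}
    for office in sorted(set(expected.contests) | set(published.contests)):
        exp = expected.contests.get(office, Contest(votes={}))
        pub = published.contests.get(office, Contest(votes={}))
        for cand in sorted(set(exp.votes) | set(pub.votes)):
            rows[f"{office}/{cand}"] = (exp.votes.get(cand, 0), pub.votes.get(cand, 0))
        rows[f"{office}/(overvotes)"] = (exp.overvotes, pub.overvotes)
        rows[f"{office}/(undervotes)"] = (exp.undervotes, pub.undervotes)
    for item, (want, got) in rows.items():
        if want != got:
            problems.append(f"{published.name}: {item} published as {got}, "
                            f"precincts sum to {want}")
    return problems


def sample_precincts() -> List[Return]:
    """Constructed figures for two precincts and one contest."""
    return [
        Return("Precinct 1", 100, 100, {"Sheriff": Contest({"A": 55, "B": 40}, 1, 4)}),
        Return("Precinct 2", 80, 80, {"Sheriff": Contest({"A": 30, "B": 45}, 0, 5)}),
    ]


def sample_county() -> Return:
    """Constructed county totals consistent with sample_precincts()."""
    return Return("County", 180, 180, {"Sheriff": Contest({"A": 85, "B": 85}, 1, 9)})


if __name__ == "__main__":
    dropped = sample_precincts()
    dropped[1].contests["Sheriff"].votes["B"] = 40   # five votes lost in Precinct 2
    for line in audit_canvass(dropped, sample_county()):
        print(line)
```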
The flaws in today's voting systems exposed by the general election last fall have moved counties, states and the Federal government to action. In addition, the Supreme Court decision that put an end to the recounts moved great areas of election law into the Federal domain, bringing it quite properly under the umbrella of Civil Rights law.
While I wasn't too thrilled with the process that led up to this court decision, nor was I thrilled with the pragmatic considerations that led both sides to take the positions they took, I find myself in agreement with the court decision and look forward to the unfolding of its consequences.
There is one possible interpretation of the Supreme Court decision that worries me. The court declared that the equal protection clause requires that states adopt uniform, state-wide standards governing the interpretation of votes, but it is possible to interpret this as a demand for a uniform state-wide standard voting technology, and it is hard to see why the same argument the court used to support uniform standards within a state should not be extended to uniformity from state to state, which is to say, a single uniform Federal standard voting machine.
I am extremely wary of granting any monopoly in the field of voting machines! Today, we have a diverse marketplace, and the competition in this marketplace has fueled the development of a number of interesting new ideas. Unfortunately, as things stand right now, none of the available voting technologies are perfect. If we had a monopoly, as the result of a national standard voting technology, this progress would end and we would be forced to accept a system with known flaws.
To my knowledge, none of the flaws with new voting technology have been widely exploited for the purpose of vote fraud, but if we freeze the technology, I have no doubt that somebody will eventually begin to exploit them. Furthermore, having frozen development by accepting one of the available technologies as a standard, we will have eliminated the competition! Had punched cards been the national standard last year, we would not be able to abandon them, as Florida has recently done!
Finally, if we create a monopoly, a crook intent on subverting the system must only subvert that one monopoly. If there are 4 makers of voting systems, the gain to be had by subverting one is limited. If there is only one maker, it may be necessary to subvert only one or two people to rig next year's elections nationwide! The fewer people you have to trust, the more vulnerable you are to the subversion of any one of those people! Dispersed authority is resilient in the face of challenges, while centralized authority is vulnerable to corruption!
Unfortunately, the legislative response, at both the state and national levels, has been chaotic. Numerous voting system reform bills have been introduced in states across the country, and there are many proposals before the Federal government.
In Florida, with the nation's eyes on the state, an election reform task force began work in January, and the changes they proposed have already been signed into law. The political pressure on Florida to make big changes and make them quickly was immense, so I sympathize with the decision that the Florida Task Force made -- given the alternatives available today, optical mark-sense ballots are probably the best technology, if properly administered. That is a big if, however, and the decision to switch the entire state to one technology now is sufficiently expensive that it may preclude any additional change over the next decade.
In Iowa, the creation of the Secretary of State's Election Reform Task Force, of which I am a member, led to the failure of various election reform legislation that was introduced this spring. This was a good thing! We are not in a hurry, we do not need to hastily adopt random changes to our law, and the budget in Iowa is tight enough that state investment in an emergency update of our election machinery is out of the question. By this coming fall, we should have a proposal in place for reasoned changes to Iowa's election laws, and these changes are likely to require the phased replacement of some of the older election machinery in the state.
As I stated earlier, the need to revise the Federal Election Commission Standards was widely recognized before the chaos surrounding the general election last fall! The Commission has contracted with American Management Systems, a major management and software consulting house, to undertake such a revision, and a revised standard should become available for public comment soon. I eagerly await a chance to read this revision, and I hope that it addresses some of the problems I have outlined above.
Even while this revision is in progress, I understand that there are proposals before Congress to completely change the role of the Federal Election Commission with regard to the Federal regulation of voting machinery!
Under the Supreme Court decision of last fall, it would appear to be within the authority of Congress to mandate significant binding standards governing the counting of votes during Federal elections. If this is done, significant areas of the Federal standards governing voting machines would no longer be voluntary. I have high hopes for this, but as I understand the current focus of legislation before Congress, the focus is elsewhere, on the possibility of funding massive changes in election machinery in the states, something I strongly discourage, and on changing the role of the Federal Election Commission.
HR 1165, the Election Voting System Standards Act of 2001, is one of the more moderate proposals to strip the Federal Election Commission of its authority over voting machines. More radical proposals would give this authority to the National Institute of Standards with very little direction, while HR 1165 would create a new commission to oversee the development of new standards and the establishment of a new National Election Systems Standards Laboratory.
I am not certain how much of the push to strip the Federal Election Commission of its authority over voting systems standards stems from the inadequacies of the current standards and how much comes from a general dislike of the Commission. Those who have had to file campaign finance disclosure reports generally don't enjoy the process, and it is easy to see how this could lead to a general dislike of the Commission.
While I feel very strongly that our current system of standards needs to be updated and strengthened, and I feel that such updates should be done far more frequently than once a decade, I am not sure that this justifies stripping the Federal Election Commission of its role in promulgating such standards. The strongest argument for such a change may be that the regulation of the conduct of elections and election campaigns requires expertise quite different from that required to regulate the mechanisms by which we conduct elections.
Furthermore, it is important to note that many state and local election officials do not seem to feel a pressing need to change the current system. When I mentioned HR 1165 to Iowa's Director of Elections, Sandy Steinbach, she was shocked; it is worth noting that she is on the committee that is overseeing the revision of the FEC Standard. When I have talked about these issues with some of the county auditors (who serve as commissioners of elections), they have been universally surprised by the idea that the role of the FEC itself was being questioned. Their typical reaction was "if it ain't broke, don't fix it!" or "if it's broken, fix it, don't tear it down and start over."
In sum, it is worth recalling Mark Twain's quote [note: also attributed to Winston Churchill], that "Democracy is the worst of all systems, except for all of the others." One could go on to say that every approach to conducting a democratic vote is bad, but the alternative is worse.
The current system of regulation for voting machinery suffers from significant flaws. Many systems have been approved for use in many states that plainly fail to meet the requirements of the standards we have set, and the standards do not cover many features that have become common on modern voting machines.
Given this, I cannot recommend large-scale funding for immediate modernization of voting systems across the country. To do so now would be to rush into the purchase of large numbers of systems that I hope will be found failing by the standards we ought to have in place!
Furthermore, there are many aspects of current standards that ought to be subject to constant reexamination. How accurate are our ballot counting machines with real ballots cast by real voters? How do the different user interfaces of different voting machines change the way voters respond to the machinery? How can we realistically test direct-recording machines, and how can we develop open standards for electronic storage and communication of votes?
An answer to these questions may require, but does not necessarily require, a change in the oversight process for our voting machine standards. An answer to these questions does require that we invest more effort into ongoing studies of the problems with voting machinery, something that might be done if we establish the kind of voting systems laboratory envisioned in HR 1165.