Computer Science and Technology

--------------------------------------------

NBS Special Publication 500-158

 

Accuracy, Integrity, and Security in Computerized Vote-Tallying

 

Roy G. Saltman

 

Institute for Computer Sciences and Technology

National Bureau of Standards

Gaithersburg, MD 20899

 

Sponsored by:

John and Mary R. Markle Foundation

75 Rockefeller Plaza, Suite 1800

New York, NY 10019-6908

August 1988

U.S. DEPARTMENT OF COMMERCE

C. William Verity, Secretary

 

National Bureau of Standards

Ernest Ambler, Director

            ACCURACY, INTEGRITY, AND SECURITY IN COMPUTERIZED VOTE-TALLYING

            Roy G. Saltman

 

Recommendations are provided to promote accuracy, integrity, and security in computerized vote-tallying, and to improve confidence in the results produced. The recommendations respond to identified problems, and concern software, hardware, operational procedures, and institutional changes.

It is proposed that the concept of internal control, almost universally used to protect operations that produce priced goods or services, be adapted to vote-tallying, a non-priced service. For software, recommendations concern certification, assurance of logical correctness, and protection against contamination by hidden code. For hardware, recommendations concern accuracy of ballot reading, and design and certification of vote-tallying systems that do not use ballots. Improved pre-election testing and partial manual recounting of ballots are recommended operational procedures.

Some recent significant events concerning computerized vote-tallying are reported. These events include development of performance specifications, publication of a series of New York Times articles, and activities in Texas leading to passage of a revised statute on electronic voting systems. Relative vulnerabilities of different types of vote-tallying systems, i.e., punch card, mark-sense, and direct recording electronic, are discussed. Certain recent elections in which difficulties occurred are reviewed, and categories of failures are highlighted.

 

Key words: accuracy; computer; election; integrity; internal control; public administration; security; vote-tallying.

            ACKNOWLEDGMENTS

 

 

The author wishes to acknowledge assistance received from those individuals who provided documentation of election difficulties, reviewed drafts of this report, or otherwise gave of their time and ideas. These persons include Penelope Bonsall, Director, FEC Clearinghouse; Robert Boram, Director of Engineering, R.F. Shoup Corp.; Kimball Brace, President, Election Data Services, Inc.; David Burnham, journalist, Washington, DC; David Clampitt, Oklahoma City, Oklahoma; Terry Elkins, Dallas, Texas; Curtis Fielder, DFM Associates; Emmett Fremaux, Jr., Executive Director, DC Board of Elections and Ethics; Marie Garber, formerly Administrator, Maryland State Administrative Board of Election Laws; Paul Goldy, President, and Jacob Merriwether, Vice President, International Technology Group; Russ Harlan, Assistant Registrar of Voters, Placer County, California; Michael Harty, formerly Director of Voting Systems and Standards, Illinois State Board of Elections; Ralph Heikkila, Assistant Registrar-Recorder, Los Angeles County; Lance Hoffman, professor of computer science, George Washington University; Michael Lavelle, formerly Chairman, Chicago Board of Election Commissioners; Robert Lemens, formerly Assistant Attorney General, State of Texas; David Link, Dean, Notre Dame Law School; Conny McCormack, formerly Director of Elections, Dallas County, Texas; John Medcalf, President, VOTEC; Robert Naegele, President, Granite Creek Technology; Tod Rapp, President, Triad GSI; Jim Riggs, formerly Director of Elections, Maricopa County, Arizona; Deborah Seiler, Chief, Elections and Political Reform Division, State of California; Larry Slesinger, formerly Program Officer, John and Mary R. Markle Foundation; Richard Smolka, editor, Election Administration Reports; David Stutsman, attorney, Elkhart, Indiana; Robert Tyre, Executive Vice President, Business Records Corporation; Malin VanAntwerp, Project Director, ECRI, Plymouth Meeting, PA; Thomas Van de Bussche, Director of Data Processing, Carroll County, Maryland; Douglas Webb, Senior Consultant, SRI International; Britain Williams, Chief, Computer Technology and Applications Division, Georgia Tech Research Institute; Jackie Winchester, Supervisor of Elections, Palm Beach County, Florida.

Regardless of assistance received, the author accepts full responsibility for the content of this report.

Roy G. Saltman

            TABLE OF CONTENTS

 

1. SUMMARY OF CONCLUSIONS AND RECOMMENDATIONS

 

1.1 Problems Of Computerized Vote-Tallying

1.2 Government Responsibilities

1.3 Implementation Of An Internal Control Function

1.4 FEC Clearinghouse Specifications

1.5 Revised Texas Statute On Electronic Voting Systems

1.6 Recommendations On Software

1.6.1 Certification

1.6.2 Integrity and Logical Correctness

1.6.3 Dedicated Software Use and Dedicated Operation

1.7 Recommendations On Hardware

1.7.1 Accuracy of Ballot Reading

1.7.2 Elimination of Pre-Scored Punch Card Ballots

1.7.3 Counting of Rejected Ballots

1.7.4 Required Research

1.7.5 Design of Direct Recording Electronic (DRE) Machines

1.7.6 Certification of DRE Data Entry Logic

1.8 Recommendations On Operational Procedures

1.8.1 Pre-Election Checkout

1.8.2 Audit Trails

1.8.3 Complete Data From Split Precincts

1.8.4 Access Controls

1.8.5 Application Internal Controls for Ballot-Tallying Systems

1.8.6 Application Internal Controls for DRE Systems

1.9 Relative Vulnerabilities Of Different System Types

1.10 Review Of Recent Difficulties In Computerized Vote-Tallying

1.11 Future Vote-Tallying Systems

 

2. BACKGROUND, AND RECENT SIGNIFICANT EVENTS

 

2.1 Accuracy, Integrity, And Security

2.2 ICST's 1974/1975 Project On Computerized Voting

2.3 Some Pertinent Technological Changes Since 1975

2.4 Development Of Standards For Voting Equipment

2.5 Establishment Of The Election Center

2.6 New York Times Articles On Computerized Voting

2.7 California Attorney General's Report

2.8 Texas Controversy, Hearings, And Legislation:  1986/1987

2.8.1 Controversy Over 1985 Dallas Mayoralty Contest

2.8.2 Texas Secretary of State's Directive

2.8.3 Legislative Hearings

2.8.4 Revised Texas Statute on Electronic Voting Systems

2.9 Current Problems Of Computerized Vote-Tallying

2.9.1 Difficulty in Verifying Results

2.9.2 Possibility of Undiscoverable Frauds

2.9.3 Election Administrators' Lack of Knowledge and Resources

 

3. TYPES OF VOTE-TALLYING SYSTEMS, THEIR VULNERABILITIES, AND THEIR NATIONAL DISTRIBUTION

 

3.1 Vote-Tallying As Part Of Voting

3.2 Paper Ballots

3.2.1 Vulnerabilities of Paper Ballots

3.3 Lever Machines

3.3.1 Summarizing Lever Machine Results

3.3.2 Vulnerabilities of Lever Machines

3.4 Punch Card Voting

3.4.1 Vulnerabilities of Punch Card Use

3.4.2 Types of Punch Cards

3.4.3 Voting With the "Votomatic" Card

3.4.4 Vulnerabilities of the "Votomatic" System

3.4.5 Voting With the "Datavote" Card

3.4.6 Vulnerabilities of the "Datavote" System

3.5 Voting With A Mark-Sense Ballot

3.5.1 Vulnerabilities of Mark-Sense Ballot Systems

3.6 Precinct Versus Central Count For Machine-Readable Ballots

3.6.1 Vulnerabilities of Precinct Count and Central Count

3.7 Direct Recording Electronic (DRE) Machines

3.7.1 Summarization of DRE Machine Results

3.7.2 Vulnerabilities of DRE Machines

3.8 Software For Computerized Vote-Tallying

3.8.1 Vulnerabilities of Software

3.8.2 Integration of Administrative Software

3.9 Local Conduct Of Elections And Distribution Of System Types

3.9.1 The Number of Major Election Jurisdictions

3.9.2 Distribution of System Types

3.10 Future Vote-Tallying Systems

3.10.1 Technological Possibilities

3.10.2 Political and Social Priorities

 

4. SOME RECENT DIFFICULTIES IN COMPUTERIZED VOTE-TALLYING

 

4.1 Carroll County, Maryland: November, 1984

4.2 Charleston, West Virginia: November, 1980

4.3 Dallas, Texas: April, 1985

4.4 Elkhart County, Indiana: November, 1982, And November, 1986

4.4.1 November, 1982 General Election

4.4.2 November, 1986 General Election

4.5 Gwinnett County, Georgia: November, 1986

4.6 Illinois - Statewide Testing Program

4.6.1 Programming and/or Program Initialization Errors

4.6.2 Hardware and Punch Card Difficulties

4.7 Maricopa County, Arizona: September, 1986

4.8 Moline, Illinois: 1985 Consolidated Municipal And Township Election

4.9 Oklahoma County, Oklahoma: November, 1986

4.10 Palm Beach County, Florida: November, 1984

4.11 Salt Lake County, Utah: November, 1980

4.12 Stark County, Ohio: May, 1986

4.13 Summary Of Problem Types

4.13.1 Insufficient Pre-election Testing

4.13.2 Failure to Implement an Adequate Audit Trail

4.13.3 Failure to Provide for a Partial Manual Recount

4.13.4 Inadequate Ballots or Ballot-Reader Operation

4.13.5 Inadequate Security and Management Control

4.13.6 Inadequate Contingency Planning

4.13.7 Inadequate System Acceptance Procedures

 

5. APPLYING INTERNAL CONTROL TO COMPUTERIZED ELECTIONS

 

5.1 Internal Control And Computer Security

5.2 Internal Control As Control Of Assets

5.3 Voting And Banking Operations: Accounting Similarities

5.4 The GAO Concept Of Internal Control

5.4.1 Purposes of Internal Control

5.4.2 GAO Definition of Internal Control

5.4.3 GAO General Standards

5.4.4 The Concept of a Non-Financial Transaction

5.4.5 GAO Specific Standards

5.5 A Classification Of Internal Controls

5.5.1 General Controls

5.5.2 Application Controls

5.6 The Discipline Of Internal Control

5.6.1 Link to a Professional Body of Knowledge

5.6.2 Job Functions for Internal Control

 

6. DETAILED CONCLUSIONS AND RECOMMENDATIONS

 

6.1 The Continuing Problem Of Confidence In Results

6.2 Responsibility And Requirements For The Effective Management Of Elections

6.2.1 Government Responsibility

6.2.2 Expertise and Effective Management

6.2.3 Requirements

6.2.4 FEC Clearinghouse Performance Specifications

6.3 Implementation Of An Internal Control Function

6.3.1 Outside Recommendations vs. In-house Expertise 

6.3.2 Achievement of Management Goals

6.3.3 Analysis of Risks and Impact on Public Confidence

6.4 Review Of The Adequacy Of State Laws And Regulations

6.4.1 Revised Texas Statute on Electronic Voting Systems

6.4.2 Effective Use of Technical Terminology

6.5 Future Vote-Tallying Systems

6.6 Transfer Of Technical Knowledge To Election Officials

6.7 Adoption Of FEC Clearinghouse Concepts For Product Acceptance

6.8 Software Certification, Performance, And Integrity

6.8.1 Certification of Software

6.8.2 Requirements for Certification

6.8.3 Integrity of Software

6.8.4 Dedicated Operation and Use

6.8.5 Logical Correctness of Vote-Tallying Software

6.8.6 Design for Specialization and Prevention of Logic Changes

6.8.7 Deposit and Availability of Certified Software

6.9 Accuracy Of Ballot Reading

6.9.1 Accuracy Goal

6.9.2 Elimination of Pre-scored Punch Card Ballots

6.9.3 Treatment of Rejected Ballots

6.9.4 Required Research

6.10 Design of DRE Machines

6.10.1 Recording of Each Undervote

6.10.2 Retention of Voter-Choice Sets

6.10.3 Accuracy of DRE Machines

6.11 Certification Of DRE Hardware Logic

6.12 Selection Of A Vote-Tallying System

6.13 Pre-Election Checkout

6.14 Implementation Of Audit Trails

6.14.1 Full Ballots-Cast Data from Split Precincts

6.15 Access Controls

6.15.1 Site Controls

6.15.2 Equipment Access Controls

6.15.3 Transportation and Handling Controls

6.15.4 Voting Process Controls

6.15.5 Telecommunications Security Controls

6.16 Application Internal Controls For Ballot-Tallying Systems

6.16.1 Controls over Blank Ballots Printed and Distributed

6.16.2 Numbering of Ballot Stubs

6.16.3 Controls over Ballot Use

6.16.4 Control of Ballot Validity

6.16.5 Machine-readability of Ballot's Precinct Number

6.16.6 Accuracy of Telecommunication of Voting Data

6.16.7 Control for Vote Summarization

6.16.8 Vote Reconciliation by Contest

6.16.9 Recording of Undervotes and Overvotes

6.16.10 Recounting

6.17 Application Internal Controls For DRE Systems

6.17.1 Voter Count Match

6.17.2 Accuracy of Telecommunication of Voting Data

6.17.3 Vote Reconciliations

6.17.4 Recounting of Voter-Choice Sets

6.17.5 Post-Election Checkout

6.18 The Recommendations In Relation To The Identified Problems

 

REFERENCES


 

1. SUMMARY OF CONCLUSIONS AND RECOMMENDATIONS

This report has been prepared with funding provided by the John and Mary R. Markle Foundation of New York City. The Markle Foundation requested that the National Bureau of Standards (NBS) undertake this study because of concern about the potential for inaccuracy or fraud in computerized vote-tallying. NBS was approached because of its experience with the subject matter as a result of a previous project undertaken by the author for the U.S. General Accounting Office.

Concern had been heightened by a series of articles published in the summer of 1985 in the New York Times. The articles cited statements by two computer experts reporting that a computer program widely used for vote-tallying was vulnerable to tampering. Several elections were identified in which losing candidates claimed that it would be possible to fraudulently alter the computer programs that were used in their contests.

1.1 Problems Of Computerized Vote-Tallying

In preparation for this report, a review was undertaken of recent public statements and documents that indicated concern about computerized vote-tallying. The review showed that the problems could be categorized as follows: there is difficulty in verifying results; there is the possibility of undiscoverable frauds; and election administrators lack some necessary knowledge and resources.

While proof of actual computer program manipulation appears to be lacking, documentation conclusively demonstrating otherwise is generally insufficient, due to the manner in which many computerized elections are conducted. It has been clearly shown that audit trails that document election results, as well as general practices to assure accuracy, integrity, and security, can be considerably improved.

1.2 Government Responsibilities

The recommendations that respond to these problems are directed to State and local government election officials. Elections for State and Federal offices are conducted by local government (generally county, township, and city) administrators. In about one-third of all counties, voting is carried out using computerized equipment. Jurisdictions using computerized equipment include over one-half of all registered voters.

Local administrators require the necessary resources and expertise to efficiently and effectively carry out their responsibilities. These responsibilities generally include procurement of vote-tallying systems and supporting services. An effective procurement must include specifications that assure accuracy, integrity, and security. The local administrators also have the responsibility for implementing the necessary management control systems to enable the public to have confidence in the results produced.

Election officials require a source of neutral expertise for the receipt of new technical and administrative information. The establishment of the Election Center in the Academy for State and Local Government clearly fulfills a need. Its efforts should be expanded.

1.3 Implementation Of An Internal Control Function

Internal control is a set of systematic procedures used to guard against errors, waste, and fraud. It is nearly universally used as a management technique to safeguard assets, and to protect operations that result in goods or services priced for sale. Voting services are not priced, and the discipline of internal control has not been systematically applied. Applicability of the discipline to vote-tallying requires only the re-definition of the concept of a transaction. A transaction is now defined as a business event that is measured in money and that is entered into accounting records; a re-definition would allow a transaction to include a step in the implementation of an entitlement that is not measured in money.

Essential recommendations are that the concept of internal control should be re-defined as indicated, and that persons knowledgeable in that professional field should be utilized to assist in the establishment and implementation of sound operational procedures. To the extent that procured computerized voting equipment and software must have capabilities that support internal control, applicable requirements should be included in procurement specifications.

Expertise in internal control (which includes computer security) should be added to the personnel complement in election administration in order to assure implementation of applicable concepts. In addition, an internal auditor should be available to independently review the implementation of internal controls and report on their effectiveness. Internal control is a professional activity; trained persons, texts, and a community of practitioners are available. Internal control expertise may be shared among government agencies or provided at the State level if individual agency resources are insufficient.

An important function of internal control is to identify system vulnerabilities and convert them into a set of realistic threats. Responses must be devised that are consistent with available or obtainable resources, based on a risk analysis determining the likelihood and cost of actual exploitation of a particular vulnerability. As a result, internal controls personnel should be able to provide assurances to the public that the potential threats are understood, have been prioritized for significance, and are being countered.

The availability of internal control specialists should relieve election administrators from having to be personally knowledgeable about specific technical matters best left to individuals who are professionally qualified in that field. With the addition of needed technical resources to the staff, election administrators would be able to retain management control. Administrators would not have to abdicate control to others, such as vendors or data processing center directors. Thus, election administrators would be able to retain the capability of managing the process of assuring accuracy, integrity, and security in vote-tallying.

1.4 FEC Clearinghouse Specifications

The performance specifications being developed by the National Clearinghouse on Election Administration of the Federal Election Commission (FEC Clearinghouse) are approaching completion. They are intended for Statewide adoption. Each State should consider the adoption of these specifications when they are issued.

Acceptance procedures for hardware and software should be consistent with the FEC Clearinghouse implementation plan for adoption of these specifications. That plan calls for qualification and certification prior to final acceptance. Qualification implies conformance with standards and functional requirements, and may be done once to satisfy many States. Certification ensures that the product meets State requirements. Acceptance testing evaluates the degree to which the specific units delivered to the local government conform to approved characteristics.

1.5 Revised Texas Statute On Electronic Voting Systems

The requirements of the revised Texas statute on electronic voting systems should be considered for adoption in those States that have not already adopted equivalent or more stringent provisions. Requirements of the Texas statute include audit trails, deposit of computer programs with the secretary of state, assurance that programs used in vote-tallying are identical to those deposited, mandatory one percent manual recount of all contests, testing of equipment using all applicable ballot formats, disconnect of remote terminals during vote tabulations, and specific scrutiny of ballot count discrepancies.

1.6 Recommendations On Software

1.6.1 Certification

Products to be certified should include all vote-tallying software and all software to be mounted together with vote-tallying software. Certification implies State approval. Only certified software should be permitted to be used within the State. After software has been certified, no design changes should be permitted without a re-certification. All software that has been certified should be deposited with the chief election official of the State. Consistent with the revised Texas statute, the materials on file should not be public information, but should be available to law enforcement authorities, on proper application, for investigation of election irregularities.

Specialization of vote-tallying software for a particular election should occur only with a "fill-in-the-blanks" procedure, not with logic design changes. Header cards used in vote-tallying operations should not change the logic of a program.

1.6.2 Integrity and Logical Correctness

As a requirement for certification, all vote-tallying software, and all software used with it, should be reviewed for integrity, that is, for the ability to carry out its asserted function and to contain no hidden code. Vote-tallying software should be tested, in addition, for logical correctness. Vote-tallying software includes software for election specialization and ballot generation, as well as vote-summarizing software. Satisfaction of the requirements may be done as part of qualification.

As part of the effort to maintain integrity of software, accountability of the source is essential. Copying of software from unaccountable sources must be forbidden. To minimize requirements for testing, all software should be obtained from a stock of products offered publicly by reputable vendors. Software that cannot be obtained in this manner must be thoroughly checked.

1.6.3 Dedicated Software Use and Dedicated Operation

An important procedure to assure system integrity is to isolate vote-tallying and support software from influences over which the election administration has no control.

After all software to be used together has been certified, it should be maintained separately under the control of the election administration and not used together with uncertified software. It is strongly recommended that certified vote-tallying software not be allowed to run on a multiprogrammed general-purpose computer on which uncertified support software or applications also are being run.

1.7 Recommendations On Hardware

1.7.1 Accuracy of Ballot Reading

The value of a ballot-tallying system is that it should be possible, with a recount, to duplicate the result of an election. The problems found in ballot-reader inaccuracy, both in the count of ballots, and in the count of votes on ballots, are a significant source of lack of confidence in vote-tallying.

A recommended goal is that a computerized vote count should be able to be reproduced on a recount with no more than a change in one vote for each ballot position in ballot quantities of up to 100,000 when machine-generated (ideal) ballots are used. A ballot reader should be able to tolerate a wide range of punching or marking behavior by a voter without a significant increase in error.

1.7.2 Elimination of Pre-Scored Punch Card Ballots

The use of pre-scored punch cards contributes to the inaccuracy and to the lack of confidence. It is generally not possible to exactly duplicate a count obtained on pre-scored punch cards, given the inherent physical characteristics of these ballots and the variability in the ballot-punching performance of real voters.

It is recommended that the use of pre-scored punch card ballots be ended. One method now available to eliminate pre-scored cards, while retaining the "votomatic" concept, is with a new type of hole-punching stylus that uses spring-loading. A hole of consistent and acceptable dimensions can be created by a voter using the new stylus without the need for pre-scoring. The internal construction of the "votomatic" ballot holder must be altered with the use of the new stylus. Other devices and methods for elimination of pre-scored punch card ballots also may be effective.

1.7.3 Counting of Rejected Ballots

If a ballot cannot be read by machine, administrative controls should be in place to permit such ballots to be counted manually. A voter's choices should not be lost because of machine failure.

1.7.4 Required Research

Testing to determine the accuracy of current ballot reading systems (such as that now being carried out by ECRI of Plymouth Meeting, PA), and research to improve ballot tallying systems in accuracy and ease of voter use, are important to pursue.

1.7.5 Design of Direct Recording Electronic (DRE) Machines

With DRE machines, no ballot is used. The voter enters choices directly into a storage unit of the machine with the use of pushbuttons, a touch-screen, or similar devices. As no voter-generated records of choices exist, and no recount independent of the machine is possible, steps should be taken in the design of these machines to assure complete confidence in the reported results.

A problem with most DRE machines as currently designed (as with lever machines, their predecessors) is that there is no difference in the results seen between a voter's failure to cast a vote and the machine's failure to record a vote.

Recording of Undervotes: It is recommended that each DRE machine be designed so as to take a positive action indicating a "no vote" for every choice that the voter fails to take. When voting is complete, the voter's choices, and any "no votes" for votes not taken, would be transferred to a more permanent storage for summation with other voters' choices. The required transfer and summation of the "no votes" would serve as positive indications of the voter's failure to make certain specific choices. Thus, there would be no ambiguity about whether the voter failed to vote or the machine failed to record selections.

Retention of Voter-Choice Sets for Summation Verification: Each voter-choice set (i.e., the machine's record of all choices of a voter) should be retained in the machine on a removable non-volatile medium (e.g., magnetic disk). Storage locations of the voter-choice sets would have to be randomized to prevent association of a particular set with a particular voter. The retention of the voter-choice sets makes possible a verification (on an independent machine) of the DRE machine's summation of the voters' choices that it recorded. The correctness of the machine's data entry process cannot be checked in this manner.
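The two design recommendations above can be modeled in a few lines. The following Python sketch is an added illustration, not code from this report or from any vendor; the contest names, the `NO VOTE` marker, and all function and class names are assumptions made for the example.

```python
import secrets
from collections import Counter

NO_VOTE = "NO VOTE"  # explicit entry written for a contest the voter skipped

# Constructed ballot definition (contest and candidate names are illustrative).
CONTESTS = {"Mayor": ["Adams", "Baker"], "Measure 1": ["Yes", "No"]}


def close_choice_set(selections):
    """Build the voter-choice set stored when the voter finishes voting.

    Every contest receives an entry. A skipped contest is stored as NO_VOTE,
    so a contest missing from a stored set can only be a recording failure.
    """
    record = {}
    for contest, choices in CONTESTS.items():
        choice = selections.get(contest, NO_VOTE)
        if choice != NO_VOTE and choice not in choices:
            raise ValueError(f"{choice!r} is not a choice in {contest}")
        record[contest] = choice
    return record


class DREMachine:
    """Toy model of the machine: running totals plus retained choice sets."""

    def __init__(self):
        self._rng = secrets.SystemRandom()
        self.medium = []  # stands in for the removable non-volatile medium
        self.totals = {c: Counter() for c in CONTESTS}
        self.voter_count = 0

    def cast(self, selections):
        record = close_choice_set(selections)
        # Insert at a random position so storage order does not reveal
        # the order in which voters used the machine.
        self.medium.insert(self._rng.randrange(len(self.medium) + 1), record)
        for contest, choice in record.items():
            self.totals[contest][choice] += 1
        self.voter_count += 1


def verify_summation(medium, reported_totals, voters_admitted):
    """Re-sum the retained choice sets on an independent machine.

    Returns a list of discrepancies; an empty list means the machine's
    summation agrees with the sets it stored. This checks summation only,
    not whether data entry captured what the voter intended.
    """
    problems = []
    if len(medium) != voters_admitted:
        problems.append(
            f"{len(medium)} choice sets stored, {voters_admitted} voters admitted")
    recount = {c: Counter() for c in CONTESTS}
    for record in medium:
        for contest in CONTESTS:
            if contest not in record:
                problems.append(
                    f"{contest}: choice set has no entry (recording failure)")
            else:
                recount[contest][record[contest]] += 1
    for contest in CONTESTS:
        reported = reported_totals[contest]
        for choice in sorted(set(recount[contest]) | set(reported)):
            machine_says = reported.get(choice, 0)
            if recount[contest][choice] != machine_says:
                problems.append(
                    f"{contest}/{choice}: machine reported {machine_says}, "
                    f"re-summation gives {recount[contest][choice]}")
    return problems
```

Because every contest carries an entry in every set, the total for each contest, "no votes" included, must equal the number of voters admitted to the machine.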

1.7.6 Certification of DRE Data Entry Logic

DRE data entry hardware should be certified for logical correctness, by examination of the logic design and by testing under a large variety of different conditions. The DRE data entry function must be correct, as there are no ballots to provide an independent check. The data entry logic and its documentation should be deposited with the State, as described above in 1.6.1.

1.8 Recommendations On Operational Procedures

1.8.1 Pre-Election Checkout

Lack of sufficient pre-election testing appears to be a major source of operational difficulty. Sufficient pre-election testing should be done so that errors in software specialization or in implementation of logical rules, if any, will become obvious. It is recommended that to the greatest extent possible, all hardware and software to be utilized should be given a dry run simulating specific conditions to be faced on election day and election night.

1.8.2 Audit Trails

Audit trails provide the supporting documentation through which the correctness of the reported results may be verified. Two types of audit trails are necessary to document operations and provide confidence in the results reported. One type records steps in the operation of the equipment, while the other records steps in the voting and vote-tallying processes.

1.8.3 Complete Data From Split Precincts

Each split of a split precinct should be treated like a separate precinct for the reporting of ballots and votes cast. However, voter privacy must be a concern for splits containing a very small number of voters.

1.8.4 Access Controls

Access (i.e., security) controls must be in place during preparations for voting, voting itself, and vote-tallying. These controls concern access to sites, areas, facilities, equipment, documents, files, and data. The controls cover transportation of ballots and telecommunication of results.

1.8.5 Application Internal Controls for Ballot-Tallying Systems

These controls should be in place to prevent all types of ballot frauds and miscounting errors, and to provide the documentation and assurance that the correct results are reported. Controls on ballots cover printing and distribution, accounting for use, validity, and prevention of errors due to mishandling. Controls on data and calculations provide for accurate telecommunication of data, recording of undervotes and overvotes, vote reconciliations that demonstrate consistency, and assurance of accurate vote summarization. A manual recount of at least one percent of the ballots of each contest is recommended. Responsibility for selection of some of the precincts to be recounted should be granted to candidates or parties.
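The reconciliation and recount controls described above can be sketched as follows. This Python example is an addition for illustration and is not taken from the report: the precinct figures are constructed, contests are assumed to be vote-for-one, the specific balance identities are one reasonable reading of "vote reconciliations that demonstrate consistency," and the rule of at least one official random draw is an assumption.

```python
import random


def sample_precincts():
    """Constructed precinct returns; every name and number is illustrative."""
    return {
        "P-01": {"issued": 500, "voted": 412, "spoiled": 6, "unused": 82, "counted": 412,
                 "contests": {"Mayor": {"votes": {"Adams": 200, "Baker": 190},
                                        "under": 20, "over": 2}}},
        "P-02": {"issued": 450, "voted": 388, "spoiled": 2, "unused": 60, "counted": 388,
                 "contests": {"Mayor": {"votes": {"Adams": 180, "Baker": 195},
                                        "under": 12, "over": 1}}},
        "P-03": {"issued": 200, "voted": 150, "spoiled": 0, "unused": 50, "counted": 150,
                 "contests": {"Mayor": {"votes": {"Adams": 70, "Baker": 75},
                                        "under": 5, "over": 0},
                              "Council District 2": {"votes": {"Cruz": 80, "Diaz": 60},
                                                     "under": 9, "over": 1}}},
        "P-04": {"issued": 100, "voted": 50, "spoiled": 1, "unused": 49, "counted": 50,
                 "contests": {"Mayor": {"votes": {"Adams": 20, "Baker": 28},
                                        "under": 2, "over": 0},
                              "Council District 2": {"votes": {"Cruz": 25, "Diaz": 22},
                                                     "under": 3, "over": 0}}},
    }


def reconcile_precinct(name, rec):
    """Return the list of balance failures for one precinct (empty if consistent)."""
    issues = []
    # Accounting for ballot use: every issued ballot is voted, spoiled, or unused.
    accounted = rec["voted"] + rec["spoiled"] + rec["unused"]
    if accounted != rec["issued"]:
        issues.append(f"{name}: {rec['issued']} issued but {accounted} accounted for")
    # Every voted ballot must be counted, by reader or by hand if rejected.
    if rec["counted"] != rec["voted"]:
        issues.append(f"{name}: {rec['voted']} voted but {rec['counted']} counted")
    # Reconciliation by contest: votes + undervotes + overvotes = ballots counted.
    for contest, tally in rec["contests"].items():
        total = sum(tally["votes"].values()) + tally["under"] + tally["over"]
        if total != rec["counted"]:
            issues.append(f"{name}/{contest}: tallies sum to {total}, "
                          f"ballots counted {rec['counted']}")
    return issues


def select_recount_precincts(precincts, contest, party_picks, percent=1,
                             min_random=1, rng=None):
    """Choose precincts to recount by hand for one contest.

    Candidate or party picks are taken first; officials then draw at random
    until at least `min_random` draws are made and the selected precincts
    hold at least `percent` of the ballots counted in the contest.
    Returns (chosen precincts, ballots covered, ballots needed).
    """
    rng = rng or random.SystemRandom()
    eligible = sorted(n for n, r in precincts.items() if contest in r["contests"])
    for pick in party_picks:
        if pick not in eligible:
            raise ValueError(f"{pick} did not vote on {contest}")
    total = sum(precincts[n]["counted"] for n in eligible)
    need = (total * percent + 99) // 100  # integer ceiling of percent of total
    chosen = list(dict.fromkeys(party_picks))  # drop duplicate picks, keep order
    covered = sum(precincts[n]["counted"] for n in chosen)
    pool = [n for n in eligible if n not in chosen]
    rng.shuffle(pool)
    draws = 0
    while pool and (draws < min_random or covered < need):
        name = pool.pop()
        chosen.append(name)
        covered += precincts[name]["counted"]
        draws += 1
    return chosen, covered, need
```

Selection is done per contest because a contest may appear on the ballot in only some precincts, and the one percent is measured against the ballots counted in that contest.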

1.8.6 Application Internal Controls for DRE Systems

These controls should be in place to provide documentation and assurance that the correct results are reported when DRE systems are used. The controls cover matching machine use with voter totals, vote reconciliations on each machine, recounting of voter-choice sets, and post-election checkout of machines.

1.9 Relative Vulnerabilities Of Different System Types

Each type of system has its own particular vulnerabilities. A comparison of system types shows that each has its advantages and disadvantages. It is possible to effectively utilize any of the computerized systems discussed (punch card, mark-sense, or DRE) provided that, among other requirements, procurement specifications are well-written in accordance with needed performance, and factors of accuracy, reliability, and recommended design concepts are included in the specifications.

1.10 Review Of Recent Difficulties In Computerized Vote-Tallying

Ten computerized voting situations in which difficulties occurred are reviewed in detail in this report. The four situations identified in the New York Times article of July 29, 1985 are among those reviewed. Problems in several other situations are briefly described.

Although none of the situations has provided solid evidence of computer program manipulation, the reviews have revealed the need for improvements in hardware and software performance and in operational procedures, and they have provided support for the need for institutional changes. Thus, the reviews have influenced the recommendations provided in this report.

Specific recommendations directly resulting from the reviews of difficulties include the recommendations on improved accuracy in ballot tabulation, elimination of pre-scored punch card ballots, assurance of the counting of ballots rejected by readers, provision of complete data from split precincts, and more thoroughness in pre-election checkout.

1.11 Future Vote-Tallying Systems

While vote-tallying using telephones or stations similar to automatic teller machines is technologically feasible, the decision to implement such a system must be based on more fundamental factors. Any installed system must meet political and economic requirements, as well as technical requirements of accuracy and reliability. Political needs include equal access by individuals, the ability to verify registration, and the ability of the voters to vote in secret without intimidation. Internal controls must be implementable to demonstrate the correctness of the reported results. Benefits, such as increased voter convenience and possible improved participation rates, must be compared against the costs of implementation.

2. BACKGROUND, AND RECENT SIGNIFICANT EVENTS

This report has been prepared in partial fulfillment of the conditions of funding received in November, 1986, by the Institute for Computer Sciences and Technology (ICST) of NBS from the John and Mary R. Markle Foundation of New York City. The Markle Foundation is privately endowed, and has a programmatic interest in the role of computer technology and communications in public affairs.

As a nonregulatory agency of the U.S. Department of Commerce, NBS was established in 1901 specifically to aid manufacturing, commerce, government, and academia through application of its expertise in science and technology. In connection with its consulting role, NBS may accept outside funding that is consistent with its mission and programs.

ICST carries out the responsibilities mandated to the Department of Commerce under the Brooks Act (P.L. 89-306). ICST develops techniques and tools to help organizations make more effective use of computers and information technology. In addition, ICST serves government and industry by developing Federal Information Processing Standards (FIPS), technical reports, and test methods, and by providing technical assistance to advance new uses of computer technology. In 1987, additional responsibilities were assigned to ICST due to the passage of the Computer Security Act (P.L. 100-235). In accordance with this act, ICST will develop standards and guidelines on computer security to protect the U.S. Government's sensitive but unclassified information.

2.1 Accuracy, Integrity, And Security

This report concerns measures to assure the presence of accuracy, integrity, and security in computerized vote-tallying. Accuracy is the essential requirement of a computerized vote-tallying system, but its achievement may not be possible without the implementation of integrity and security. Even if accuracy is attained, confidence in the results may not be assured unless the other two factors can be shown to be present. Thus, for vote-tallying systems, these factors are not mutually exclusive parameters that can be separately considered.

Definitions, for the purpose of this report, are as follows:

accuracy: conformity of the output data of a vote-tallying system with logically correct and acceptably precise treatment of all input data provided to the system;

integrity: the state of a vote-tallying system in which it will correctly perform the functions specified for it, and only those functions;

security: the achievement of a desired control of access to vote-tallying facilities, areas, equipment, supplies, documents, media, files, and data.

2.2 ICST's 1974/1975 Project On Computerized Voting

The origins of the current project go back to 1974. In February of that year, ICST was asked by the General Accounting Office (GAO) to "conduct a systems analysis and evaluation of the role of automatic digital processing equipment in the vote-tallying process." The year-long project, undertaken also by the author of this latest report, was completed in 1975.

The project had been requested by the GAO through one of its components, the National Clearinghouse on Election Administration of the Office of Federal Elections, in recognition of concerns expressed in Congress, and by election officials and the public, about the use of computing technology in vote-tallying. These concerns had been aroused by the issue of the potential for the fraudulent alteration of vote-tallying computer programs, and by actual difficulties experienced in computer-based elections. The possibility of fraudulent manipulation of computer programs had been raised by computer experts in Los Angeles in 1969. Serious problems in computerized vote-tallying had been experienced in San Francisco in 1968, in Los Angeles and Detroit in 1970, in Los Angeles and Houston in 1972, and in other places in the years immediately prior to the request for the report.

The product of the 1974/1975 project was a report entitled Effective Use of Computing Technology in Vote-Tallying [1]. The report identified the hardware, software, and administrative problems that had been encountered at that time, and specified operational guidelines that election administrators could implement to help assure the accuracy and security of the vote-tallying process. Several thousand copies of the report were distributed to election administrators throughout the nation by the National Clearinghouse on Election Administration. That organization, in 1975, had become a part of the newly established Federal Election Commission; it is identified elsewhere in this report as the FEC Clearinghouse.

2.3 Some Pertinent Technological Changes Since 1975

Since the 1975 report, there have been many additional experiences in the application of computerized vote-tallying, and considerable improvements in computer technology. In computer hardware, the most important changes have been improved speeds of operation, smaller physical size, and availability of larger quantities of random access and disk memory. The improved speeds and memory quantities are obtainable at considerable reductions in cost. The lower costs and improvements in technology have made possible the proliferation of smaller computers with considerable capability. Thus, it is now possible for many smaller election administrations to consider the acquisition of their own computing power, in order to achieve efficiencies and provide more direct management control over their operations.

There have also been continued improvements in tools and techniques for the management of technology. Tools include new standards in computer technology, such as those for media, programming languages, communications protocols, and data protection. Techniques include the concepts of software engineering, computer security, internal control, and EDP (electronic data processing) auditing.

The changes in computer technology, and the availability of new tools and techniques, have been considered in the development of the recommendations of this report.

2.4 Development Of Standards For Voting Equipment

In January, 1980, partly as a result of the 1975 ICST report, Congress adopted P.L. 96-187, Section 302, which stated that:

"The Federal Election Commission, with the cooperation and assistance of the National Bureau of Standards, shall conduct a preliminary study with respect to the future development of voluntary engineering and procedural performance standards for voting systems used in the United States. The Commission shall report to the Congress the results of the study, and such report shall include recommendations, if any, for the implementation of a program of such standards (including estimates of the costs and time requirements of implementing such a program). The cost of the study shall be paid out of any funds otherwise available to defray the expenses of the Commission."

In 1983, the preliminary study was completed with the recommendation that "performance standards for voting systems are both needed and feasible." In 1984, the FEC Clearinghouse began to develop such standards. As of the summer of 1988, the hardware, software, and test standards for punch card, mark-sense, and DRE voting systems are approaching completion [2]. An executive summary of these standards also is being prepared [3]. The FEC Clearinghouse has also prepared a draft implementation plan for the voting system standards [4], and a "System Escrow Plan" [5]. The latter concerns the problem of controlling access to proprietary source code while States and local governments (or their agents) are provided with the ability to test the vote-tallying software for integrity.

Implementation of the standards would address some of the identified problems of computerized vote-tallying summarized below in section 2.9.

2.5 Establishment Of The Election Center

The Election Center, affiliated with the Academy for State and Local Government, was established in 1984. The Center is an independent non-profit resource center serving registration and election officials. National and regional election conferences sponsored by the Center, as well as reports and other data distributed to officials, provide training and information in some thirty-five areas of election administration.

The Center has recently distributed the report of a workshop [107] held on Captiva Island, Florida, in February, 1987. The workshop concerned computerized vote-tallying and included, as participants, election officials, vendors, computer scientists, and others interested in the election process. The workshop was funded by grants to the George Washington University by the John and Mary R. Markle Foundation. The Election Center had no part in the workshop but, because of its clientele, served as a convenient avenue of distribution for the report.

The Academy for State and Local Government is a non-profit research organization that fosters understanding of American government at all levels. The Academy is governed by a board of trustees composed of the executive directors of seven organizations representing States, counties, cities, and the chief officials of these jurisdictions.

2.6 New York Times Articles On Computerized Voting

A series of articles on computerized voting was published in the New York Times in 1985, commencing on July 29 of that year. In the first article, published on page one and entitled "Computerized Systems for Voting Seen as Vulnerable to Tampering" [6], it was charged that:

"The computer program that was used to count more than one-third of the votes cast in the Presidential election last year is very vulnerable to manipulation and fraud, according to expert witnesses in court actions challenging local and Congressional elections in three states...

"The vote counting program that has been challenged in Indiana, West Virginia and Maryland was developed by Computer Election Systems of Berkeley, Calif. In Indiana and West Virginia, the company has been accused of helping to rig elections. The computer program has also been challenged in Florida, but so far experts have not been permitted to examine the program in connection with the challenge.

"John H. Kemp, president of Computer Election Systems, said in a telephone interview that he absolutely denied that the company was involved in fraudulent schemes. County officials involved in the cases also have categorically denied participation in fraud."

The article went on to state that allegations that the computer program provided by Computer Election Systems was "open to manipulation and fraud were supported by two ... experienced computer consultants who independently examined material obtained in the pending court cases for the New York Times." The two experts cited were Howard Jay Strauss, associate director of the Princeton University Computer Center, and Eric K. Clemons, an associate professor of decision sciences at the Wharton School of the University of Pennsylvania.

Mr. Strauss was reported as saying that "the program used to count Indiana votes was vulnerable to manipulation." He was additionally quoted as follows:

" 'Extra votes may be entered in the form of bogus ballots on punch cards, or vote totals may be altered through the use of control cards,' Mr. Strauss said. 'Either of these assaults on the system could be performed successfully by a computer novice.'

"Mr. Strauss added that someone with 'a fair amount of computer knowledge' could turn off the portion of the program designed to document any changes made in either the program or the votes being counted by the program."

However, an examination of the complete text submitted by Mr. Strauss to the New York Times shows that he also stated that:

"If a better audit trail was part of the program, and if better procedures were followed in running the program, then all of the assaults on the system described above [for entering extra votes or altering votes] could easily be detected..."

In addition, in response to the question, "Can the program be made safer?" Mr. Strauss responded:

"...there is no way to design a tamper proof program. If prudent procedures are not followed in running it, any program can be compromised. The NBS publication Effective Use of Computing Technology in Vote-Tallying makes this point very clearly and provides reasonable guidelines for designing and running vote-tallying programs." [7]

These qualifying remarks were not reported in the New York Times article.

Professor Clemons was quoted in the July 29, 1985 article as saying that because of the excessive complexity of the program,

" '...a doctored version of the code could be used to modify election results, and it would take weeks of study to determine what had happened.'

" 'Code this complex is very difficult to trust,' Mr. Clemons said. One particular flaw that he cited was that 'the main program does not log all invalid ballots.' Another was that the printed log of error messages could easily be edited or altered."

An examination of the complete text submitted by Professor Clemons to the New York Times shows that he also stated that:

"This does not mean that the code was constructed this way in deliberate violation of [FEC Clearinghouse] recommendations or current practice; this was a very common programming style in the 60s and mid-70s. And it does not mean that anyone is using the system to influence election results." [8]

These qualifying remarks, similarly, were not included in the New York Times article.

The July 29, 1985 article was distributed by the New York Times News Service, and also appeared, in whole or in part, in other papers, including the Greensboro (NC) News & Record and the Norfolk (VA) Virginian-Pilot.

Another article in the series, on August 21, 1985, entitled "Vote by Computer: Some See Problems" [9], reported that:

"Many local election officials are baffled by computers and are unable to understand, question and challenge the computer systems.

"Election system vendors are often forced by competitive bidding pressures to offer jurisdictions the cheapest possible systems, and the products they offer do not maximize fraud protection."

In explanation, the article continued:

"The industry has been faced with competition to produce low-cost systems that can produce a quick tally, but it has not devoted much attention to devising systems that could be understood by local officials and that would provide features such as audit trails to make fraud difficult."

2.7 California Attorney General's Report

In December, 1985, the Office of the Attorney General of the State of California began a study that was "prompted ... by several nationally published news stories" [10], by which the New York Times series was meant. The study concentrated on "an analysis of the nature and extent of reported problems attending the computerization of the vote counting process" [11]. Almost every county in California uses computerized vote-tallying systems, and the systems include a significant number provided by the vendor named by the New York Times.

The report of April 23, 1986, by Robert R. Granucci, Deputy Attorney General, might be summarized with the following quote:

"My general conclusions are that while there have been no proven instances of vote counting fraud, certain concerns that have been expressed about the security and accuracy of computerized elections appear to have validity. However, these concerns are receiving serious attention and improvements are being made. A principal concern is that the most widely used vote counting software has been criticized for lacking a reliable audit trail and having a program structure that is very difficult even for computer professionals to understand.

"It appears that most of the reported problems associated with computerized vote counting have occurred the first time the system is used by local election officials, and decrease in later elections. If experience is any guide, inaccuracies in tallying election results will tend to diminish as local election officials gain familiarity with electronic systems, but the potential for fraud may tend to increase.

"The Attorney General should urge the Secretary of State to require that all electronic vote tallying systems have reliable, tamper-proof audit trails." [12]

(Note: compare final sentence above with Strauss quote in section 2.6 that "...there is no way to design a tamper-proof program. If prudent procedures are not followed in running it, any program can be compromised" [7]. It would seem that the essential need is for "prudent procedures.")

The Attorney General's report was publicized by the San Francisco Examiner in an article on October 20, 1986. The article reported that, according to the Secretary of State's office, which regulates elections, "in 25 years, no error has affected the outcome of a California election." However, there have been "sporadic glitches," the article reported. Several examples were given: in San Francisco in 1983, "an electrical power fluctuation during the vote count" added votes incorrectly to one candidate's totals; in Orange County in 1980, "a computer programmer's mistake" gave about 15,000 votes meant for two candidates to two other candidates; and in San Joaquin County in 1984, "a misplaced piece of punch card caused the system to indicate that one precinct had not been counted when it had been." [13]

The article also reported that:

"'Rigging a computer vote would require a conspiracy of six to eight people,' said Deborah Seiler, head of the state secretary of state's computer voting division. 'The greatest possibility of error that I'm aware of is human error,' she said.

"San Francisco Registrar [Jay] Patterson said that many election offices depend on manufacturers and county data processors to operate the systems. 'That certainly is not the best of situations when the person responsible for the vote count is not actually involved in it,' said Patterson.

"Some counties with 'sloppy procedures' have failed to test computer equipment as required by the state, according to Robert Naegele, a technical consultant to the state and the Federal Election Commission. Each county must run 'logic and accuracy tests' of its system before and after the vote count." [13]

2.8 Texas Controversy, Hearings, and Legislation: 1986/1987

2.8.1 Controversy Over 1985 Dallas Mayoralty Contest

Following the April, 1985, Dallas mayoralty contest, Ms. Terry Elkins, campaign manager for losing candidate Max Goldblatt, approached the office of the attorney general of Texas with concerns about the manner in which the election was conducted. The attorney general's office asked a consultant to carry out an investigation. As a result of the investigation, Assistant Attorney General Robert L. Lemens wrote a letter to Ms. Karen Gladney, Director of Elections for Texas. The letter, dated July 15, 1986, included the following statement:

"...although [the consultant] has insufficient evidence to conclude that fraud has been committed, the electronic voting system in use lacks adequate security features to provide any assurances of the absence of fraud. As a result, this office has found that it will be difficult to demonstrate to the complainants that Texas elections are free from fraud and, thereby, free local election officials from suspicion." [14]

Further investigations followed by both the office of the attorney general and the office of the secretary of state (the latter included Ms. Gladney's office). On September 23, 1986, the Dallas Morning News reported the following story:

"The state attorney general's and secretary of state's offices are investigating discrepancies found in the computerized voting records of several recent Dallas and state elections to determine if the results may have been obtained fraudulently...

"The probe centers on allegations that computerized voting equipment and computer programs used to tabulate state and local elections may have been tampered with to bring about 'preprogrammed results,' [Attorney General Jim] Mattox said....

"Terry Elkins, who managed [Max] Goldblatt's [1985] bid against [incumbent Mayor of Dallas Starke] Taylor, said ... that she has given to state officials 18 months of research documenting the discrepancies [in the 1985 mayor's race]. Chief among the discrepancies, she said, is a claim that there were more votes cast than there were voters' signatures.

"'The allegation is that the computer used to count the votes was given new instructions after it calculated that Max Goldblatt was leading Starke Taylor by 400 votes,' Mrs. Elkins said." [15]

(Note: A detailed discussion of vote-tallying problems in the Dallas 1985 mayoralty election is given in section 4.3.)

The following day, September 24, 1986, the Dallas Times Herald reported this additional information:

"[Attorney General] Mattox said [on September 23] that the investigations call into question the ability of local city and county elections officials to vouch for the integrity of their elections when they use the automatic vote-tallying system.

"The punch card system, which uses a computer to count ballots marked by voters, is so complex that election fraud could go unnoticed, Mattox said.

"'I would say that the system appears not to have the kind of safeguards that election authorities would like to have to give them the independent capability to judge whether there has been fraud in an election,' he said.

"'It would not be easy even for a computer expert to determine that there was fraud,' he said." [16]

2.8.2 Texas Secretary of State's Directive

As a result of the uncertainties created by the charges of vote fraud, and the ensuing investigations, the Secretary of State of Texas issued a directive on October 14, 1986 detailing additional security procedures for computerized vote-tallying to be used by county clerks and election administrators. The provisions of the directive were directly responsive to identified deficiencies in vote-counting procedures. Some of the provisions are as follows:

"Under no circumstances may the computer-generated printed log of computer activity that occurs during the tabulation be turned off. The log must record all operator commands and inputs to the system from any device. The log must indicate for each precinct the total number of ballots that are entered into the central computer.

"Each page of the log must reflect the correct time of day.

"Each [of at least three cumulative reports produced throughout the tabulation process] shall include ...the number of over votes and under votes in each race.

"... a computer-generated report that indicates the number of ballots cast in each precinct [shall be prepared].

"... the secretary of state may order a manual count of ballots cast in the election to ensure the accuracy of the count." [17]

2.8.3 Legislative Hearings

On November 25, 1986, the Texas House of Representatives Committee on Elections, chaired by Representative Clint Hackney, held a hearing on possible changes in the election laws of Texas related to computerized vote tallying. Statements made by testifiers concerning the general problems of computerized voting included the following, by the indicated individuals:

Dr. Michael Ian Shamos, computer scientist, and one of three statutory examiners of electronic voting systems for the Pennsylvania Bureau of Elections:

"Punched-card systems have two significant positive features. One is that they cause a permanent physical record to be kept of every ballot cast....A second positive aspect is that cards can be counted very rapidly....

"...punched-card systems have no other redeeming features and in fact present great dangers. These are[:]

"...the ballot itself contains no candidate names and is meaningless when examined. This problem greatly increases voter confusion....

"The voter is unable to determine whether he has cast a complete ballot or whether he may have voted for more candidates than he is entitled. An overvote will result in an invalid ballot, and the voter's legitimate choices will go uncounted....

"It is a straightforward matter to alter a punched-card voting booth so that votes cast for one candidate will be recorded as though they were for another....Any required tampering can be performed during the election and all traces removed before any investigation can occur....

"....the computer hardware and software used to tabulate the ballots is subject to tampering. Furthermore, such tampering is relatively easy and invisible....Computers can be manipulated remotely, by wire or radio, or by direct physical input. The memories on which these computers operate can easily fit into a shirt pocket and can be substituted in seconds. The software can be set to await the receipt of a special card, whose presence will cause all the election counters to be altered. This card could be dropped into the ballot box by any confederate. The possibilities for this type of tampering are endless, and virtually no detection is possible once tabulation has been completed....

"Even if the software is not altered, there is no reason to believe that it is correct. Many tests performed on such programs have revealed faulty logic and wildly incorrect results.... Many jurisdictions, such as Pennsylvania, have complex rules for counting such situations as cross-filed candidates in vote-for-many offices and it is stretching to believe that an election system vendor would be aware of all such combinations of conditions to have produced perfect software. It is axiomatic in the computer industry that all large computer programs contain errors, and the more extensive the software the more errors it contains....

"When one company or a conglomerate of companies supply unauditable software from a central distribution point, or participate directly in ballot setup procedures, there exists the possibility of large-scale tampering with elections. An errant programmer or tainted executive could influence or determine the outcome of a majority of election precincts in the country...." [18]

Ms. Suzan N. Kesim, vice-president of a security consulting firm of South Bend, Indiana:

"The program for counting elections should use structured programming techniques. A detailed flow chart of the program should be required [to be submitted]....

"Whether you are adding dollars or votes, you can apply many of the same auditing standards.... Many of the computer auditing procedures used by the banking industry that have been tried and true could easily be modified or used as they are for auditing elections....

"Pre-punching the ballots with the precinct could be a really crucial way of checking and making sure that ballots don't slide from precinct to precinct....

"Fraud possibilities include 'hidden programs'....

"Write a public domain software program to count votes, open to public scrutiny...." [19]

Anita Rodeheaver, County Clerk, Harris County (Houston), Texas:

"A computer, whether it is in a bank or a hospital or a collection agency, or being used for elections, is only as good as the people that run it....

"It upsets me when continually we work so hard to have good honest elections and we continually get hit with things that could happen or 'supposedly are happening,' but no one ever comes up with any concrete evidence that they did happen...." [20]

Tom Eschberger, Vice-President of Business Records Corp.:

"In twenty years, I have seen two cases of attempted fraud on an election system. I saw one in Albuquerque, New Mexico on lever machines, and one in Pueblo, Colorado attempted on punch cards. I have personally run about one thousand elections around the country.... Those were the only two cases where I was convinced that somebody had tried to defraud somebody.

"I have seen a lot of cases where people make dumb mistakes, where the totals don't add up.... Elections are run by amateurs. [Other than experienced election administrators,] there are 400 people out in the precincts who got just a one-hour training class. People are not going to have perfect elections. People are going to have the best elections that well-intentioned honest people can run, and that well-intentioned honest companies can run....

"A lot of counties want us to do the programming for them because it disassociates them from any candidate and any accusation of fraud or collusion.... [Persons intending to commit fraud would] have to have our source code, they would have to have collusion with somebody in the county, they would have to have access to the computer....

"[Filing the program with the secretary of state] might set some minds at ease. Then, someone could look at the code and know what's going on in an election if there were a problem. If someone said there was fraud and here's how they did it, then you have someone at the State level who is familiar with our source code that could say yes or no. Yes, it would be beneficial from that standpoint." [21]

Warner Croft, a partner in the public accounting firm of Arthur Andersen and Company:

"We do believe the election laws need to be codified to reflect the technology being employed today in the election process.

"We do believe that the Secretary of State needs to have the authority and the money to enforce those laws, to make sure that the proper audit trails are in place, so that whenever allegations do surface, ... the records are in place so that the State can, with a minimum of time and effort, go to those records and find out what happened.

"Unfortunately, the laws at this time are a bit too nebulous for that to be done....

"As long as there are winners and losers in elections, regardless of the system being used, there will be these allegations. You cannot legislate this problem away by requiring a higher generation of technology, another language.

"But what we can do is require an audit trail, so that the documents that represent the voter's intent are kept on file, for a predefined minimum period of time, so that no matter what went on inside the computer, we've got a source that we can go back to, to determine what the voter actually did...." [22]

2.8.4 Revised Texas Statute on Electronic Voting Systems

A revised statute on the use of electronic voting systems was passed by the Texas legislature and was approved in June, 1987 [23]. It took effect on September 1 of that year. Some of the revisions concerned the following topics:

Auditing: A voting system may not be used unless it is capable of providing records from which the operation of the system may be audited.

Deposit and Comparison of the Program: Copies of the "program codes" and related documentation must be filed with the secretary of state. The secretary of state must periodically compare the materials on file with those materials actually used to ensure that only approved materials are used. The software on file is not public information, although it may be made available to the attorney general for investigation of irregularities.

Use of Remote Terminals: Computer terminals located outside the central counting station must be capable of "inquiry functions only" during vote tabulation, and "no modem access to the tabulation equipment" must be available during tabulation.

Testing of Equipment: Each unit of tabulating equipment shall be tested "using all applicable ballot formats."

Discrepancies in Ballot Totals: If, in the use of a precinct-located computer, a discrepancy of more than three exists between the number of ballots recorded by the computer and the number of ballots written down by the precinct officials, the final count of that precinct shall be done centrally.

Manual Count: A manual count of all the races in one percent of the election precincts, but in no less than three precincts, shall be conducted at the local level. The secretary of state also may conduct a manual or automatic count of any number of ballots. No specific ground for obtaining an initial recount is required.
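The "Discrepancies in Ballot Totals" and "Manual Count" provisions above can be expressed as mechanical checks; the following is an added illustration, not part of the statute or of the original report. The precinct data, candidate names, and seed are constructed, and three points are assumptions the summary above does not settle: a fractional one percent is rounded up, a jurisdiction with fewer than three precincts counts all of them, and precincts are chosen by a seeded random draw.

```python
import random
from dataclasses import dataclass

DISCREPANCY_LIMIT = 3   # "a discrepancy of more than three"
MANUAL_PERCENT = 1      # "one percent of the election precincts"
MANUAL_MINIMUM = 3      # "but in no less than three precincts"


@dataclass(frozen=True)
class PrecinctReturn:
    precinct: str
    computer_ballots: int    # ballots recorded by the precinct-located computer
    officials_ballots: int   # ballots written down by the precinct officials
    machine_tally: dict      # {race: {candidate: votes}} as reported by the computer


def needs_central_count(ret):
    """True when the two ballot totals differ by more than three."""
    return abs(ret.computer_ballots - ret.officials_ballots) > DISCREPANCY_LIMIT


def manual_count_size(n_precincts):
    """Number of precincts to hand-count: one percent, never fewer than three.

    Assumptions: one percent is rounded up (integer ceiling), and a
    jurisdiction with fewer than three precincts counts all of them.
    """
    if n_precincts <= 0:
        return 0
    one_percent = (n_precincts * MANUAL_PERCENT + 99) // 100
    return min(n_precincts, max(MANUAL_MINIMUM, one_percent))


def select_for_manual_count(precinct_ids, seed):
    """Seeded random draw of precincts (the selection method is an assumption)."""
    ids = sorted(precinct_ids)
    return sorted(random.Random(seed).sample(ids, manual_count_size(len(ids))))


def tally_differences(machine_tally, manual_tally):
    """Return (race, candidate, machine, manual) for every count that differs."""
    diffs = []
    for race in sorted(set(machine_tally) | set(manual_tally)):
        machine = machine_tally.get(race, {})
        manual = manual_tally.get(race, {})
        for cand in sorted(set(machine) | set(manual)):
            m, h = machine.get(cand, 0), manual.get(cand, 0)
            if m != h:
                diffs.append((race, cand, m, h))
    return diffs


def audit(returns, manual_counts, seed):
    """Apply both checks and report which precincts need follow-up."""
    by_id = {r.precinct: r for r in returns}
    selected = select_for_manual_count(by_id, seed)
    report = {
        "central_count": sorted(r.precinct for r in returns if needs_central_count(r)),
        "manual_count": selected,
        "mismatches": {},
        "awaiting_manual_count": [],
    }
    for pid in selected:
        if pid not in manual_counts:
            report["awaiting_manual_count"].append(pid)
            continue
        diffs = tally_differences(by_id[pid].machine_tally, manual_counts[pid])
        if diffs:
            report["mismatches"][pid] = diffs
    return report


# Constructed sample data: four precincts, one race.
RETURNS = [
    PrecinctReturn("P-01", 412, 412, {"Mayor": {"Adams": 200, "Baker": 205}}),
    PrecinctReturn("P-02", 380, 383, {"Mayor": {"Adams": 190, "Baker": 185}}),  # off by 3: allowed
    PrecinctReturn("P-03", 295, 291, {"Mayor": {"Adams": 150, "Baker": 140}}),  # off by 4: flagged
    PrecinctReturn("P-04", 510, 510, {"Mayor": {"Adams": 255, "Baker": 250}}),
]
# Constructed hand counts; P-04 disagrees with the machine on one candidate.
HAND_COUNTS = {
    "P-01": {"Mayor": {"Adams": 200, "Baker": 205}},
    "P-02": {"Mayor": {"Adams": 190, "Baker": 185}},
    "P-03": {"Mayor": {"Adams": 150, "Baker": 140}},
    "P-04": {"Mayor": {"Adams": 255, "Baker": 248}},
}

if __name__ == "__main__":
    for key, value in audit(RETURNS, HAND_COUNTS, seed=19870901).items():
        print(f"{key}: {value}")
```

Fixing the seed before any results are known lets an observer repeat the draw and confirm that the hand-counted precincts were not chosen after the fact.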

As a result of passage of the revised statute, all electronic voting systems now certified for use in Texas will need to be decertified. The revised statute specifically addresses some of the problems of computerized vote-tallying identified immediately below.

2.9 Current Problems Of Computerized Vote-Tallying

Current problems of computerized vote-tallying, including those identified by those who have recently made public statements or produced public documents, are summarized by the following categorizations. The relationship of the recommendations of this report to these problems is discussed in section 6.18.

2.9.1 Difficulty in Verifying Results

Results of elections announced by election officials are difficult to verify. The problem of verifying results is due to:

(a) lack of audit trails;

(b) poor design of computer programs;

(c) vendor-supplied computer programs that are unavailable to the scrutiny of responsible officials;

(d) administrative procedures that are incomplete and poorly implemented, resulting, for example, in the inability of observers to successfully compare computer reports of ballots cast with the same data reported by precinct officials.

2.9.2 Possibility of Undiscoverable Frauds

The lack of internal controls and failure to implement computer security increase the possibilities that unknown persons may perpetrate undiscoverable frauds. Methods of forcing incorrect results include:

(a) fraudulent alterations in the computer program or in control cards that manipulate the program;

(b) activation of a hidden program, possibly by means of a time-of-day match or with a specially encoded punch card ballot;

(c) manual replacement of the computer program by a fraudulent substitute;

(d) introduction of false ballots into the set of real ballots, through either addition or replacement; or introduction of false ballot data through interchange of ballots, by a perpetrator taking advantage of different ballot styles;

(e) introduction of false voting summaries through changes in data stored in removable data storage units of precinct-located, vote-counting devices;

(f) fraudulent alteration of the face of the voting device used by the voter at the polling location to mark a ballot or indicate choices;

(g) fraudulent alteration of the logic of precinct-located, vote-counting devices.

2.9.3 Election Administrators' Lack of Knowledge and Resources

Some election administrators lack knowledge about computers, and they lack the necessary knowledge and resources to negotiate effectively with vendors. The effects of these deficiencies are:

(a) administrative errors in conducting elections, with increased potential for fraud or, at minimum, loss of public confidence;

(b) abdication of control over elections to vendors and county data processors, with the resultant inability to impose the necessary internal controls;

(c) inability to require vendors to provide computer programs, election equipment and supplies that include adequate safeguards against fraud and inaccurate reporting;

(d) increased risk to vendors in entering a market fraught with the potential for negative publicity, resulting in reduced competition and reduced investment in improved products;

(e) slower than adequate introduction of more effective technology.

 

3. TYPES OF VOTE-TALLYING SYSTEMS, THEIR VULNERABILITIES, AND THEIR NATIONAL DISTRIBUTION

3.1 Vote-Tallying As Part Of Voting

Voting, as it is carried out in the United States today, may be said to consist of four distinct administrative steps. These are:

(1) voter authorization: the determination of whether the prospective voter is entitled to vote at a particular place, and for what set of offices and issues;

(2) secret choice: provision of the opportunity for the voter to express his or her choices without intimidation;

(3) precise recording of the expression of each voter's choices in a voter-disconnected and easily countable format; and

(4) accurate summarization of all voters' choices by candidate and issue alternative.

Vote-tallying, a subset of voting, consists of steps (3) and (4), although the process involves concern for steps (1) and (2).

3.2 Paper Ballots

The uniform use of an official ballot containing the names of all candidates, printed on uniform paper by public officers at public expense, and distributed only at the polls where it is marked in secret, was adopted first in the Australian state of Victoria in 1856. In the years immediately following, the concept was adopted in other Australian states. Thus, it came to be called the "Australian ballot" [24]. The Australian ballot concept was the first successful attempt to meet the requirements of steps (2) and (3) above.

The Australian ballot had its first U.S. statewide application in New York in 1889, and was adopted widely throughout the Nation in the next decades. Prior to that, the application of the secret ballot was limited. In many cases, persons had to announce their votes publicly, or tell them to a sheriff who recorded them. In other cases, there were party-specific paper ballots, produced with different colors or weights of paper to reveal party choice.

During the early years of introduction of the Australian ballot, there was considerable controversy over whether the information on the ballots should be arranged in a "party" format (the set of all candidates of a single party listed together), or in an "office" format (the set of all candidates for a single office listed together). At present, most ballots are designed with an "office" format. However, in many states, voters are permitted to select all candidates of a particular party with a single "straight party" vote, with an allowance for "crossover" votes for specific candidates of any other party.

Paper ballots remain in use today in small communities and rural areas by about eleven percent of U.S. registered voters (see section 3.9.2 for the percentage of use of the various system types by counties and by registered voters).

3.2.1 Vulnerabilities of Paper Ballots

When effective administrative controls are not applied, paper ballots are subject to possible fraud and error in their distribution, in their use at polling places, and in counting.

Ballot frauds: Failure to properly account for ballots distributed may provide the opportunity for fraudulent addition of extra ballots into the ballot box, an activity generally referred to as "ballot stuffing." In places where votes are bought and real ballots are not sufficiently distinctive, voters may be handed pre-voted counterfeit ballots before entering the polling place. As an alternative fraud, voted counterfeit ballots may be substituted for real ballots already voted.

Chain voting: When administrative controls at the polling location are poorly implemented, and enough voters are willing, chain voting is a possibility. In chain voting, the first voter in the chain retains the unvoted ballot given to him at the polling place and, instead of voting, takes the ballot outside. This voter loses his vote, but starts the chain. Outside, a party worker fills out the ballot and hands it to a second voter who has also agreed to participate. The second voter turns in the voted ballot, but retains the unvoted ballot handed to him in the polling place for return to the party worker outside. Successive voters who participate receive a pre-voted ballot and return an unvoted ballot to the party worker.

Malicious invalidation: In counting paper ballots, extra marks may be made on ballots intended for an opposition candidate, thereby subjecting those ballots to invalidation in jurisdictions where extra marks are cause for that result. (Extra marks are often cause for invalidation because such marks may be used to indicate that a private agreement has been carried out in which a voter has agreed to vote as instructed in return for some consideration.)

Inaccurate counting: Hand counting of large numbers of paper ballots is generally inaccurate, because of human inattention and fatigue, compared with counting of machine-readable ballots.

3.3 Lever Machines

The first use of mechanical lever-type voting machines was in Lockport, New York in 1892 [25]. In the use of these types of machines, hereinafter referred to as "lever machines," each candidate or issue alternative is assigned a particular lever of a rectangular array of levers on the face of the machine that is seen by the voter. The levers are horizontal in their unvoted positions. The array of levers may be arranged with offices from right-to-left and parties from top-to-bottom, or vice-versa. A set of inserted printed strips visible to the voter identifies the lever assignments.

On entering the area of the machine (the "voting booth"), the voter enables the machine with a handle that also closes a privacy curtain. Then, in order to indicate choices, the voter pulls down selected levers. When the voter exits the voting booth by opening the privacy curtain with the handle, the levers are automatically returned to their original positions. As each lever returns, it causes a connected counter wheel within the machine to turn one-tenth of a full rotation. The counter wheel, serving as the "units" position of the numerical vote count for the associated lever, drives a "tens" counter one-tenth of a rotation for each of its full rotations. The "tens" counter similarly drives a "hundreds" counter. If all the mechanical connections are fully operational during the voting period, and the counters are initially set to zero, the position of each counter at the end of the voting period indicates the number of votes that were cast on the lever that drives it.

By 1930, lever machines had been installed in Denver, Milwaukee, Minneapolis, Newark, New York City, Pittsburgh, Philadelphia, and San Francisco [26]. One reason for the acceptance of the machines was the existence of significant fraud in the use of paper ballots. By the middle 1960s, just before the introduction of punch card voting, almost all large cities and many medium-sized ones used lever machines. It is likely that, at that time, over one-half the votes in the Nation were being cast on lever machines (now slightly more than one-third).

Lever machines are precinct-located devices, that is, the basic vote-count is accomplished at a neighborhood voting location that may be remote from the place where the votes are summarized to determine the outcomes of the contests. The number of machines at each location depends on the number of persons expected to vote there and the expected average time for a person to cast a complete set of votes. Separate machines may be required for each party in a primary election (conceivably, only part of the machine could be made operable for a voter of a specific party, with another part reserved for another party) and for each precinct voting at the same location.

3.3.1 Summarizing Lever Machine Results

After the close of the polls, the backs of the machines are opened. The number of votes is read off each of the counters, and each number is transcribed to official documents. Recently manufactured lever machines may allow for printing of the counter values on request. The official precinct documents are carried to the central vote-counting location for summarization.

With lever machines, only summarized voting results are available at the precinct level. No individual choices are available to be counted. Interlocks in the machines prevent overvoting (voting for more than the allowed number of candidates in a contest, e.g., voting for three candidates in a vote-for-two contest, such as for school board). There can be undervotes (voting for fewer than the allowed number of candidates in a contest, e.g., voting for one or no candidate in a vote-for-two situation).

3.3.2 Vulnerabilities of Lever Machines

With a lever machine, there is no ballot, i.e., no independent verification of each machine's recorded result. While the lack of ballots eliminates the possibility of chain voting, counterfeit ballots, and spoiling of the opponent's ballots, there are other possibilities for fraud or error, some available because there are no ballots.

Vote count frauds: The lever-machine equivalent to "ballot stuffing" is the casting of extra votes on the machine by party workers. When there is no genuine bipartisan staffing of a precinct polling place, any type of vote-tallying system is more easily subjected to fraud.

No audit trail of voter's intent: One effect of the unavailability of ballots is the lack of a true audit trail. No unequivocal distinction between an undervote and a machine failure can be made solely with a review of the vote counts. If the number of votes cast for an office is less than the number of persons that have voted on the machine (often indicated by a "public counter" that may be connected to the voting handle), then for each undervote, there are the following possibilities for a contest involving two candidates: either the voter failed to vote for either candidate, or the counter mechanism failed to turn for the voter's choice.

In general, it is not possible to determine which one of these possibilities is the correct one for any single undervote without a review of the internal condition of the machine. If a counter mechanism failed to turn, it may be due to an actual disconnect in the mechanical system, or it may be due to excessive friction in the connections. If a vote total reads 000 or some number up to 009 when many more might have been expected, a mechanical disconnect is a strong possibility. If a vote total reads 009 or 099, the possibility is increased that excessive friction at the point of highest mechanical resistance to turning (during an arithmetic carry operation) caused a failure. If the counter failed to turn correctly for any reason, there is no independent ballot available to verify the count. The voter's choices are lost, absent a court order for a new election.

No true recount capability: In a lever machine contest, a "recount" simply means that the precinct transcriptions are reviewed to determine if any precinct official erred in copying down the counter values or the precinct documents were fraudulently replaced on the way to the central summarization location.

Write-in difficulty: Another problem with lever machines is the difficulty of indicating write-in votes. The lever machine is not oriented towards individual idiosyncratic choice, but only choice from the available menu. If State or local law requires it, a roll of paper is made available with the machine for use by a voter in writing a name not available on a lever. However, the selection and use of this mechanism is noisy, and it is obvious to those around the voting area that a write-in vote is in progress. Since only a small number of voters may choose this possibility, privacy may be completely lost by those individuals in that instance.

Mis-labeling: A possibility for error or deliberate fraud is the insertion of incorrect identifying strips on the front of the machine, so that the levers are mis-identified to the voters.

Storage and transport: Lever machines are large and heavy, and therefore difficult to transport and expensive to store (compared with precinct-located electronic machines).

Setup errors or frauds: "Programming," i.e., pre-election setup with interlocks, requires specialized knowledge and is labor-intensive. Furthermore, the necessary specialized knowledge is not directly translatable to a variety of other work, for the support of the machine technicians between elections. As with any other situation where specialized knowledge may be employed for honest or dishonest purposes, the possibility of collusion involving lever-machine "programmers" must be considered.

Difficulty in operability verification: It is difficult to statistically test the correct operation of a lever machine by applying a large number of test votes. A lever machine is operated by direct human action, and the use of human labor to insert a statistically significant number of test votes to each counter would be expensive and error-prone. To effectively accomplish a statistical test of correct operation, a mechanism would need to be constructed that could vote on each lever a large number of times with an electromechanical drive that could be programmed. The mechanism would check the following: the single-vote recording operation of each counter, proper implementation of vote-for-more-than-one setups, overvote prevention, and proper operation of the arithmetic carry mechanism.
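The counter behavior described in this section (readings stuck at 009 or 099, a disconnected counter, and the programmed test drive proposed under "Difficulty in operability verification") can be modeled directly. The Python sketch below is an added example, not part of the original report; the class, the fault parameters, the 110-pull test length and the lever names are assumptions, and interlocks are not modeled.

```python
class Counter:
    """One lever's three-wheel counter: units, tens, hundreds."""

    def __init__(self, stall_at=None, disconnect_after=None):
        self.wheels = [0, 0, 0]                   # [units, tens, hundreds]
        self.stall_at = stall_at                  # reading at which friction blocks the carry
        self.disconnect_after = disconnect_after  # pulls after which the linkage is broken
        self.pulls = 0

    def reading(self):
        return "%d%d%d" % (self.wheels[2], self.wheels[1], self.wheels[0])

    def vote(self):
        self.pulls += 1
        if self.disconnect_after is not None and self.pulls > self.disconnect_after:
            return                    # lever returns, but the wheel does not turn
        if self.reading() == self.stall_at:
            return                    # carry needs the most torque; the wheel stays put
        for i in range(3):
            self.wheels[i] = (self.wheels[i] + 1) % 10
            if self.wheels[i] != 0:   # no carry out of this wheel
                break


def drive_test(counter, pulls=110):
    """Programmed test drive: pull one lever `pulls` times.

    More than 100 pulls forces both the 009->010 and 099->100 carries.
    Returns (expected reading, actual reading).
    """
    for _ in range(pulls):
        counter.vote()
    return "%03d" % (pulls % 1000), counter.reading()


def triage(reading, shortfall):
    """Hint, not verdict: a shortfall may still be genuine undervotes.

    shortfall = public counter minus all counters in the contest
    (election night), or expected minus actual (test drive).
    """
    if shortfall <= 0:
        return "no shortfall"
    if reading in ("009", "099"):
        return "possible carry stall"
    if int(reading) <= 9:
        return "possible disconnect"
    return "undervote or fault; inspect machine"


def run_demo():
    # Constructed machine: four levers, three with injected faults.
    levers = {
        "A": Counter(),
        "B": Counter(stall_at="009"),
        "C": Counter(stall_at="099"),
        "D": Counter(disconnect_after=4),
    }
    report = {}
    for name, counter in levers.items():
        expected, actual = drive_test(counter)
        report[name] = (expected, actual, triage(actual, int(expected) - int(actual)))
    return report


if __name__ == "__main__":
    for name, row in run_demo().items():
        print(name, row)
```

A reading such as 057 with a small shortfall falls into the last triage branch, which reflects the report's point that counts alone cannot separate an undervote from a mechanical failure.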

3.4 Punch Card Voting

Voting systems based on punch card ballots began to be used in the middle 1960s, and received considerable application in the western part of the U.S. by 1972. At that time, about 10% of U.S. voters used punch card ballots to record their choices [27] (but now, almost 45% use one of the two principal types of cards).

The introduction of punch card voting was an economic choice of many communities in their efforts to provide election services to an expanding population. Voting with punch cards does not require serial processing of many voters through a single voting station containing a complex machine. Several voting stations may be made available in one precinct with much less expense.

In the late 1960s and 1970s, punch card input of data to mainframe computers was commonplace. Punch card stock and punch card reader technology were widely available. American national standards, developed to specify the size of the cards [28] and the arrangement of holes in each card [29], were available to be adopted for punch cards used in voting.

The standard punch card has 960 potential punch locations arranged in 80 columns by 12 rows. In common business use, each column on a card represents one character (such as a letter of the alphabet or decimal digit). A standard data code for business use of the punch card has been developed, and it is called the Hollerith code [30]. In this code and in its recent extensions, a graphic character (a character seen in printed text) typically requires no more than three holes in a column to represent it. For each unique character, the holes representing it form a correspondingly unique pattern. When the pattern of holes in the twelve locations in one column is read by a card reader and converted to a sequence of 1s and 0s in a computer (e.g., 1 for a hole and 0 for no hole), the sequence may be recognized as the unique character by a computer program.

When the standard punch card is to be used to record votes, it is necessary to permit more variability in the use of punch locations than the Hollerith coding system allows. When any number and arrangement of holes in a single column are permitted, the coding system is called "column binary." However, not every location on the card can be used for voting. This restriction is generally due to ballot layout considerations, but some consideration must be given to the physical strength of the card when it is used with more intensive layouts. A further limitation on the use of punch locations is necessary if information about the candidates and issue choices is to be printed on the card.
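The difference between Hollerith-coded columns and "column binary" voting columns, and the restriction that only some punch locations are assigned to choices, are shown in the Python sketch below. It is an added example, not part of the original report; the Hollerith decoder covers only digits and upper-case letters, and the ballot layout, contest names and sample cards are constructed for illustration.

```python
ROWS = (12, 11, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9)   # row names, top of card to bottom


def column_bits(punched):
    """One column as 12 bits in card order, 1 for a hole and 0 for no hole."""
    return "".join("1" if row in punched else "0" for row in ROWS)


def hollerith_char(punched):
    """Decode a digit or upper-case letter; None if the pattern is neither."""
    rows = set(punched)
    if len(rows) == 1:
        row = next(iter(rows))
        return str(row) if row <= 9 else None
    if len(rows) != 2:
        return None
    # Letters are one zone punch (12, 11 or 0) plus one digit punch.
    for zone, letters, first in ((12, "ABCDEFGHI", 1),
                                 (11, "JKLMNOPQR", 1),
                                 (0, "STUVWXYZ", 2)):
        if zone in rows:
            digit = (rows - {zone}).pop()
            return letters[digit - first] if first <= digit <= 9 else None
    return None


# Constructed layout: (column, row) -> (contest, choice). Unlisted locations are unused.
LAYOUT = {
    (5, 12): ("School Board", "Adams"), (5, 11): ("School Board", "Baker"),
    (5, 0): ("School Board", "Clark"), (5, 1): ("School Board", "Davis"),
    (5, 3): ("Measure 1", "Yes"), (5, 4): ("Measure 1", "No"),
}
VOTE_FOR = {"School Board": 2, "Measure 1": 1}


def read_ballot(card, layout=LAYOUT, vote_for=VOTE_FOR):
    """card: {column: set of punched rows}. Returns (results, stray holes).

    A contest with too many holes is reported as "OVERVOTE"; a short or
    empty list is an undervote. Holes at unassigned locations are listed.
    """
    picks = {contest: [] for contest in vote_for}
    stray = []
    for col in sorted(card):
        for row in ROWS:
            if row not in card[col]:
                continue
            if (col, row) in layout:
                contest, choice = layout[(col, row)]
                picks[contest].append(choice)
            else:
                stray.append((col, row))
    results = {}
    for contest, chosen in picks.items():
        results[contest] = "OVERVOTE" if len(chosen) > vote_for[contest] else chosen
    return results, stray


if __name__ == "__main__":
    voted = {5: {12, 0, 3}}   # constructed card: three holes in one column
    print(column_bits(voted[5]), hollerith_char(voted[5]))
    print(read_ballot(voted))
    print(read_ballot({5: {12, 11, 0}, 9: {7}}))
```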

3.4.1 Vulnerabilities of Punch Card Use

Punch card ballots have all of the vulnerabilities of paper ballots that are related to distribution, precinct use, and collection. Administrative controls may be implemented to prevent the typical paper ballot frauds. Most of these controls have been previously identified [1], and are proposed again in section 6.16.

Manufacturing requirements: Accurate dimensioning in manufacturing, and use of materials consistent with the needs of punch card readers, are additional requirements unnecessary for paper ballots.

Ballot-reader requirements: Accurate ballot reading is of fundamental importance in a punch card system. Assurance should be obtained, in both pre-election and post-election checkout, that the readers are correctly reading the ballots. In addition to the question of accurate recording of voters' selections, difficulties in ballot processing may include card jams, transport of more than one ballot at a time, and the inherent problem of pre-scored cards. If a card jams in the reader, it is essential to know whether or not the card was counted; otherwise, either the card and its votes may be counted twice, or not at all. Transport of more than one ballot, similarly, may cause a miscount of the cards as well as inaccurate reading. (The reader can accurately read only one ballot at a time.) The problem of pre-scored cards is considered in sections 3.4.3 and 3.4.4.

3.4.2