Politics : GOPwinger Lies/Distortions/Omissions/Perversions of Truth


To: John Sladek who wrote (5903), 3/10/2004 6:38:55 PM
From: PartyTime
 
Testimony by Rebecca Mercuri, Ph.D.

Presented to the U.S. House of Representatives Committee on Science

Subcommittee on Environment, Technology, & Standards

Tuesday, May 22, 2001, Room 2318, Rayburn House Office Building



Good Morning. I am Dr. Rebecca Mercuri of Lawrenceville, New Jersey, an Assistant Professor of Computer Science at Bryn Mawr College in Pennsylvania, and President of Notable Software, Inc. (a New Jersey computer consulting firm). My testimony today represents my own opinions and not those of my employers or any professional organizations with which I am affiliated. Thank you for the opportunity to address your Committee on this important matter.



For the last decade, I have investigated voting systems, with particular emphasis on electronic equipment (hardware and software) used to collect and tabulate ballots. Through this research, I have identified numerous flaws inherent to the application of computer technology to the democratic process of elections. These flaws are both technologically and sociologically based, so a quick (or even long-term) fix is not readily apparent. For example, present and proposed computer-based solutions are not able to resolve (and in some cases even increase) the likelihood of vote-selling, coercion, monitoring, disenfranchisement, and fraud in the election process.



Some of the problematic issues with electronic balloting and tabulation systems are as follows:

* Fully electronic systems do not provide any way that the voter (or election officials) can truly verify that the ballot cast corresponds to that being recorded, transmitted, or tabulated. Any programmer can write code that displays one thing on a screen, records something else, and prints yet another result. There is no known way to ensure that this is not happening inside of a voting system.
* Electronic balloting and tabulation makes the tasks performed by poll workers, challengers, and election officials purely procedural, and removes any opportunity to perform bipartisan checks. Any computerized election process is thus entrusted to the small group of individuals who program, construct and maintain the machines. The risk that these systems may be compromised is present whether the computers are reading punched cards or optical scanned sheets, or are kiosk-style or Internet balloting systems.

* Although (in many states) convicted felons and foreign citizens are prohibited from voting in U.S. elections, there are no such laws regarding voting system manufacturers, programmers and administrative personnel. Felons and foreigners can (and do!) work at and even own some of the voting machine companies providing equipment to U.S. municipalities.

* Each election season, newly deployed voting equipment fails to perform properly in actual use. Communities that rely on promises of security and accuracy when purchasing such systems, run the severe risk that they will administer an election whose results may be contested. Even worse, system defects may be revealed years after an election, making all earlier results questionable.

* Electronic balloting systems without individual print-outs for examination by the voters, do not provide a wholly independent audit trail (despite manufacturer claims to the contrary). As all voting systems (especially electronic) are prone to error, the ability to also perform a manual hand-count of the ballots is essential.
* Some electronic systems actually make the balloting process more lengthy, tedious and confusing, by requiring additional keypresses or transactions. The use of such devices has even been viewed, by some, as a modern-day literacy test.

* Encryption can not be relied on to provide end-to-end privacy assurance. Nor can it assure the accuracy of ballot data recorded and tallies rendered. Cryptographic systems, even strong ones, can be cracked or hacked, thus leaving the ballot contents (and possibly also the identity of the voter) open to perusal.

* Internet voting (whether at polling places or off-site) provides avenues to the entire planet for malicious denial-of-service attacks. If the major software and hardware manufacturers in the United States are incapable of protecting their own companies from repeated Internet attacks, one must understand that voting systems (created by these firms or others) will be no better (and likely far worse) in terms of vulnerability.

* Off-site Internet voting also creates unresolvable problems with authentication, leading to possible loss of voter privacy, and increased opportunities for vote selling. Furthermore, Internet voting may make it easier for the techno-savvy elite to cast ballots, while potentially disenfranchising or at least creating a digital divide for the poor, elderly, rural, and disabled voters who do not have equal access to the Web.

* It is not possible to create a standardized voting system that could be used in all municipalities (as has been proposed by some members of Congress), without treading seriously on States' rights issues, and without mandating changes in many conflicting election code laws to provide conformity. (For example, in some States, one can cast a "straight party" ballot in a general election; some States require full-face ballots, etc.)

These are but some of my concerns, many more appear in articles and papers I and other computer industry experts have written on this subject over the last few years. (Most of which are accessible via my website at notablesoftware.com or mainline.brynmawr.edu.) These concerns are not new -- Roy Saltman noted many of these issues in his 1988 NBS report.

Now the computer industry has already established standards for secure system certification, mandated by Congress under the Computer Security Act of 1987. NIST typically administers this certification for devices purchased by the Department of Defense. Congress, though, exempted itself from compliance with the Act, hence they have never certified the accuracy and integrity of any computer-based voting systems used in Federal elections. This loophole must be changed. The existing standards are far from perfect, but they are the best assurance mechanism that the computer industry has at present. (It is important to understand that the Federal Election Commission does not now have voting system standards in place. Instead, the purchasers and vendors use an obsolete set of suggested practices that were never adopted by all of the States.)

To date, no electronic voting system has been certified to even the lowest level of the U.S. government or international computer security standards (such as the ISO Common Criteria or its predecessor, TCSEC/ITSEC), nor has any been required to comply with such. No voting system vendor has voluntarily complied with these standards (although voluntary compliance occurs within other industries, such as health care and banking), despite the fact that most have been made aware of their existence and utility in secure product development. There are also no required standards for voting displays, so computer ballots can be constructed to give advantage to some candidates over others.

I have long recommended that the NIST standards be applied to voting systems. As a part of my Doctoral Dissertation at the University of Pennsylvania, I performed a detailed evaluation of the Common Criteria against the features of voting systems. The painstaking description in the thesis provides an excellent starting point for the development of a voting standard. (I have provided the House Science Committee with a complete copy of my thesis, additional copies may be ordered from me via the contact information at the end of this testimony.) I have also formulated lists of questions that voting system vendors should be required to answer about their products. (Two of these lists are attached to this testimony -- it should be noted that the answers are non-trivial and may require months of effort to produce validating documentation, as would be necessary for a Common Criteria evaluation.)

I would suggest that first a trial standard be developed, along with an assessment procedure. Then, voting systems (applying different state requirements) should be constructed and assessed against the standard to see what level of conformance is possible using current technologies. It is important that any new systems maintain a human-readable independent auditing mechanism, and that off-site voting not be used (for reasons mentioned above). All new systems must be subjected to real-world testing conditions (not simulations) to determine usability and discover risks.

In conclusion, I would like to remind the Committee that technology can not and does not, at present, provide a solution to the balloting and tabulation problem. Our society has become increasingly enamored with computers, yet we all have experienced, first-hand, their (sometimes catastrophic) failures in products we use every day. The same is true for computer-based voting systems, but here, there are no warranties and insurance provided if we have problems with the results. It is therefore crucial that we continue to maintain and impose human checks and balances throughout our election process. This is the only way to insure that our democracy does not become one that is by the machines, of the machines and for the machines. Thank you.

Contact info: Dr. Rebecca Mercuri, 107 Village Mill East, Lawrenceville, NJ 08648

609/895-1375 215/327-7105 mercuri@acm.org notablesoftware.com

house.gov



To: John Sladek who wrote (5903), 3/10/2004 6:51:53 PM
From: PartyTime
 
For some reason, very few of the links on this site work. Anyone else have similar problems? If so, why?

aljazeerah.info