Debugging the vote

A new year is coming, and voting officials across the county have until January 1 to buy voting systems that meet new federal standards. They can use paper ballots or touch-screen voting machines, but counties must provide terminals where people with disabilities can vote independently, and they must produce a voter-verifiable paper trail.

“A lot of counties are in a trying position,” said Alice Jarboe, assistant registrar of voters for Sacramento County. “They’re required to do what the vendors have just become able to do.”

Both Sacramento and Yolo counties have chosen paper ballot systems that meet the new requirements. Yolo plans to have its system in place before the June primary, but Sacramento took its new system out for a spin for the first time this November election. At each polling place, an Election Systems & Software optical scanner accepted ballots and confirmed on site that ballots had been counted.

“The system’s not designed to say the vote’s been counted correctly,” Jarboe said. “If there’s a question, we have the paper ballot.”

To verify the system’s accuracy, Jarboe led a mandatory recount of 1 percent of the ballots. Hand-counted ballot totals were checked against printouts from scanners. The canvass, completed in early December, convinced Jarboe that the voting system “functioned perfectly.”

However, 16 machines out of 419 experienced technical problems on Election Day—a sign that the system isn’t exactly perfect. Most of those machines went down early in the morning, said Jarboe, and tech crews immediately replaced them with functioning machines.

Jarboe said that Sacramento chose the current system after putting the project out to bid three times following the hotly contested 2000 election. On the strong preference of the county board of supervisors, Sacramento chose to stay with paper ballots rather than “direct recording electronic voting machines,” or DREs.

Jarboe said that the ES&S system was the only one that met the county’s requirements for an auditable paper ballot and a terminal that meets disability-accessible requirements. Sacramento’s system consists of 1,000 scanners, 1,000 ballot boxes, 1,000 accessible terminals and four scanners kept in the central offices. All together, the system cost the county about $11 million. Jarboe said that DREs would have cost twice as much, because each polling place would need multiple machines rather than one scanner.

“There’s a sense of comfort with paper,” said Jarboe, but she does believe that DREs, like touch-screen systems, are inevitable in the future. “I don’t know if we’ll see it within 15 years,” she said. “I don’t think we’ll see it in five.”

The Help America Vote Act (HAVA) of 2002 established the new standards, and California Secretary of State Bruce McPherson has added further requirements, but elections experts wonder if systems designed to meet those standards are secure and accurate. Computer programmers fear that DREs and optical scanners can be secretly hacked, and election officials worry about basic human error. Academics have found that even with rigorous testing, mistakes in computer code slip through.

These issues were up for discussion during a recent two-day symposium hosted by California’s secretary of state. Citizen activists, standards experts, election officials from all over the country, vendors and reps from federal testing labs gathered in a conference room at the Hyatt Regency. Vendors stressed that the testing procedure for new systems is already arduous.

Currently, equipment is designed, tested by the vendor and then tested again by federal testing labs. That process, according to Diebold representative Ian Piper, takes six to 18 months. Equipment is then tested by each state that wants to certify it for purchase. A single machine can go through multiple state tests that result in a mishmash of change requests for the vendor—there is no consortium of states pursuing one set of standards, though vendors recommend one.

Even with the intensive testing, said Kim Alexander, founder of the California Voter Foundation, systems have performed poorly in California volume tests—tests during which many machines were put through their paces at the same time.

One study this July tested 96 Diebold TSx DREs with AccuView printers and logged 34 separate system failures. The machines were tested for “5.33 hours in a setting designed to emulate a real election,” according to a report by the Voting Systems Technology Assessment Advisory Board. “The 34 failures broke down into 14 printer jams and 20 software failures. … For some of the failures, the machine reported a fatal error and was unable to proceed. Other failures left the machine stuck, hung, or frozen in some state and unresponsive to voter input.”

That system had been previously decertified by former Secretary of State Kevin Shelley but had been up for recertification this fall. Seventeen counties authored a letter to McPherson saying that their TSx machines functioned fine in previous elections and should be recertified, according to Jennifer Kerns, a representative for the secretary of state.

On December 20, McPherson’s office said that security concerns would keep California from certifying these systems until the source code was federally evaluated.

In a press release, McPherson said he “will continue to work closely with counties to develop a plan for compliance with both state and federal requirements.”

In October, McPherson released a 10-point list of requirements for new voting systems in California. No. 10 says that all new systems will be subject to volume testing.

Along with the threat of technical failure, software experts are sensitive to the threat of sabotage.

At the symposium, Stanford professor David Dill suggested that hackers might avoid detection even in a manual recount by hacking into electronic equipment and flipping only 1 percent of the votes for a specific race. Such “malicious code” might never be discovered since the code is considered proprietary and not available for public scrutiny.

This brought up a major question: Is anyone out there trying to hack into voting machines? Citizen groups like Black Box Voting (BBV) have created nationwide lists of suspicious results, but Barbara Guttman, a group manager with the National Institute of Standards and Technology, claimed that in the United States, most inaccuracies are due to human error and systems glitches, or people intentionally voting more than once. She does not know of any group trying to secretly hack into voting systems and change election results.

However, hackers have worked with officials to show them how accessible some systems are. It’s been reported that McPherson’s office had invited hacker Harri Hursti, who’s associated with Black Box Voting, to intentionally try to hack into Diebold TSx machines, but those tests never occurred. Kerns wasn’t sure whether such tests would occur in the future.

Though security will continue to be an issue, academics stressed that current error rates, even without sabotage, are unacceptable. One panelist wondered why we tolerate any error at all in the nation’s most important democratic activity. Michael Shamos of the Institute for eCommerce at Carnegie Mellon University reminded participants that these machines only have to work a few hours a year. “If new laptops failed after 12 hours,” he said, “we’d be in an uproar.”

Though three test labs were asked to send representatives to the symposium, only one, Brian Phillips from SysTest Labs of Denver, actually appeared.

Shamos told Phillips that he sees the machines right after the federal testers. “Occasionally, we find serious flaws,” he said.

“We report every flaw,” Phillips replied, but, he added, the vendor doesn’t necessarily need to correct every flaw in order to have a system certified. He also explained that each state has a slightly different balloting process, and only states can test a system for its own unique permutations.

“I think the standards don’t deal with all the bad things voting systems can do,” he said.

Freddie Oakley, registrar for Yolo County, chose a paper ballot system because, she said, “I want my voters to know that what I’m counting is the vote they actually cast.”

But Oakley also said that relying on any technology was risky because registrars don’t personally have the technical programming skills or the access to the code to ensure machines are functioning properly—though California’s new requirements mention that the state “reserves the right to perform a full independent review of the source code.”

To protect security, Oakley makes sure that no one person is ever alone with the equipment. Voting machines are not connected to the Internet or any other computer network.

Was there any fraud detected during the canvass of the November election?

“In every election, people vote twice,” Jarboe said. The county sends letters to the fraud division in each case.

She estimated that maybe 15 to 20 people voted more than once in Sacramento in November. “It’s not going to change the vote,” she said.