HR 811: Ten Blunders in A Deceptive Boondoggle

Originally published at

February 21, 2007

Holt's HR 811, A Deceptive Boondoggle -- 10 Blunders to Fix

By Bruce O'Dell

HR 811, Rush Holt's bill to clean up e-voting, perpetuates major blunders of the past. Radical surgery to simplify it can salvage it, particularly by removing the provisions that will line the pockets of the "I.T." experts who will benefit from it as-is.

Over the past several decades, the entire end-to-end election process has been allowed to break down -- and it's in many people's best interests to keep it that way.

The low point in this long, shameful story was surely the "Help America Vote Act" of 2002 (HAVA). Passed in the aftermath of the presidential coup in 2000, HAVA was intended to improve the process of voting in America. But as a direct result of its enactment, computer voting technology known to be wide-open to insider manipulation has taken almost total control of American elections, with little or no public input and without the most rudimentary of meaningful checks and balances. After thousands of reported problems nationwide affecting newly-deployed electronic voting equipment in the subsequent elections of 2002, 2004 and 2006, it is clear that HAVA has had precisely the opposite effect to its stated intention.

The proposed "Voter Confidence and Increased Accessibility Act of 2007" (HR 811) is one response to the disastrous side-effects of HAVA. But to avoid reprising HAVA's failures - and to truly have a chance of restoring public trust and confidence in our electoral system - we need to look much more closely at how HR 811 perpetuates the "Top Ten" voting technology blunders.

Blunder #10: We can shut off remote access to voting equipment

HR 811 recognizes the extreme risks when voting equipment is exposed to the internet via built-in wireless devices, network connections or telephone modems. While it is clearly a good idea to ban such devices in principle, in practice it's a bit more tricky.

Voting is very geographically dispersed; voting hardware is deployed at more than 170,000 precincts and in more than three thousand counties. The physical logistics of moving all that equipment out to the field, and then getting election results back to the central tabulators for the official canvass is challenging, to say the least. There really are only two options for transmission of results - courier and electronic remote transmission. HR 811 appears to ban electronic remote transmission and mandate hand-delivery of results, presumably on some kind of electronic media. But the means to ensure that this process is secure are not defined. Still, let's assume that everything can be safely transmitted by couriers as they wander to and fro... surely that's an improvement.

But... how will we know there are no wireless capabilities in the voting equipment, other than by trusting the vendor? As one excellent study has pointed out, it is by no means difficult to conceal a long-range wireless receiver within a chip inside a voting machine. Sounds far-fetched? Such a custom chip would not only be relatively inexpensive to fabricate, it would be almost impossible to detect, and would, of course, provide an essentially unlimited return on investment. In fact, such a device would have so many ... shall we say ... interesting capabilities beyond subversion of voting equipment that I would not be surprised if something like it already exists. Care to bet your family's freedom I'm wrong?

Blunder #9: We need computers for ADA accommodation

The accessibility requirements of HAVA were widely interpreted as mandating universal conversion to DRE equipment, which, via magnification of text, special input-output attachments for the mobility impaired, and provision of text-to-audio capabilities, was touted as a major advance. Yet some states like Minnesota chose instead to deploy one touch-screen ballot printer in each precinct for accessibility compliance while retaining their existing suite of optical scan equipment. The ballots printed by the touchscreen equipment and the ballots marked by hand are tallied using the same precinct-based optical scan equipment. HR 811 is consistent with this approach, but it does not go far enough.

I won't stand in the way if a visually impaired voter wishes to use such touch-screen technology to cast their ballot in privacy. But my profession should also disclose to those voters that, for all the reasons that I describe below, if they cannot see their paper ballot record, they will be unable to know with certainty whether their choices were printed as cast.

There are non-computerized alternatives which might help a visually-impaired voter to know with greater certainty that his or her vote is recorded as intended. Ballot template technology, such as the Voting on Paper Assistive Device (VotePAD) is a low-tech alternative already in use in many venues, including Wisconsin and Rhode Island in the US. Of course such inexpensive, low-tech but appropriate paper-based alternatives tend to be automatically ruled out by many of my IT colleagues -- including some of those who make their living from the e-voting industry -- but others are more open to the option.

Blunder #8: Voting systems don't deserve the strongest protections

Perfect security of any manual or automated system, is, of course, impossible. But many of my colleagues are content to set the bar rather low when it comes to protecting voting systems. For example, Michael Shamos, a noted expert in the field, advocate of computerized voting, and a long-time consultant to states on the certification of their electronic voting systems has stated:

"The fact that banks can be robbed is not a valid justification for keeping your money in a shoebox. The reasons are that
(1) the chance of a robbery is low;
(2) even if money is stolen you will not necessarily suffer a loss; and
(3) the bank keeps only a small portion of its assets in the form of cash.

Why should voting systems be held to a standard of perfection when nothing else in society is? Nonetheless,
electronic voting watchdogs insist that election equipment must be perfect or it is totally unusable. The analogy between voting systems and the bank is particularly apt because

(1) the chance of a system being tampered with successfully is low;
(2) even successful tampering does not necessarily result in the wrong candidate being elected; and
(3) only a small portion of the vote is cast on one machine."

This is a misstatement of the views on security held by "electronic voting watchdogs", of course, and he also glosses over the inconvenient fact that 70% of losses due to fraud in banks are perpetrated by knowledgeable and malicious insiders, who are ideally situated to bypass any security measures. It is certainly naïve to seriously state that exploits would be limited to one machine. But fundamentally it is a delightfully circular argument, since by definition, successful tampering would go undetected - and, thanks in part to Shamos, would be almost certainly impossible to detect.

Many of my colleagues (perhaps more so, for those gaining financially by their involvement with the electronic voting industry) seem to utterly miss the essential point. Computerized voting systems are actually national defense systems deserving a much higher standard of protection than conventional applications, such as mere banking software. Undetected widespread covert manipulation of computerized voting systems is the functional equivalent of invasion and occupation by a foreign power. In either case, the American people lose control of their destinies, perhaps permanently. Covert manipulation of voting systems could even be worse in one key way than mere invasion, since the "electoral coup" would appear to occur with the illusion of the manufactured consent of the governed, and there would be no "tanks in the street" to galvanize resistance.

Voting systems used in American federal elections grant regulatory powers over the world's largest economy, disbursement authority for the federal procurement budget, control of the composition of the Supreme Court and federal judiciary, and command of the world's only superpower military. Yet despite the fact that our computerized voting systems represent the most irresistible target for insider manipulation in the history of the world, they are not currently given even the level of protection of systems I'm familiar with in banking and financial services. Shamos agrees:

What auditing an election really means is verifying that the software was working correctly, that no unauthorized acts or steps occurred during the election (such as resetting the counters to zero) and maintaining intermediate records so that votes will not be lost in case of an equipment or power failure. Auditing does not, and cannot, mean the ability to rebuild each individual ballot after the polls have closed.

These logical impossibilities do not prevent states from imposing the audit requirement, vendors from attempting to satisfy it, and examiners from certifying the systems anyway. On many occasions I have recommended certification of a system that had an imperfect auditing mechanism. The reason is that I felt the audit trail was adequate under the circumstances. (my emphasis)

In other words, he actually believes an independent audit of a DRE's internal electronic vote tally is a "logical impossibility", and he calls that "adequate". In banking, we'd call that "grounds for termination for cause", assuming we found out before the Bank Examiner or FDIC did; otherwise, the Board of Directors could be facing serious jail time.

The fact that national security systems, protected by such a casual standard of security, are nevertheless still allowed to be used to elect our leaders is a national scandal, and a disgrace to my profession.
And as we shall see, HR 811 continues the historical pattern of misunderstanding the nature and seriousness of the threat, while at the same time focusing on utterly ineffective countermeasures.

Blunder #7: It's a good idea to inspect the source code

HR 811 states that election officials will be required to provide "the source code, object code, and executable representation of the voting system software and firmware to the Commission, including ballot programming files", which will then be made available to the public on request. For years, our voting equipment vendors have insisted on classifying their software as a trade secret, naturally leading to the presumption that they have something to hide. Clearly, public disclosure of their software must be a good thing?

Well, actually, no. If a malicious insider at Diebold or ES&S truly wanted to corrupt vote tabulation logic, he or she would hardly put it in the official release handed over to the EAC. And there's simply no reason to trust that any software delivered to the EAC would bear any relationship whatsoever to the logic that actually runs on voting devices in an election.

Consider that the source code disclosure requirement is unenforceable in practice - there are a lot of hardware and software components inside voting equipment. Not only proprietary software developed by voting equipment vendors, but also mass market consumer products like Microsoft Windows, and also a host of highly complex, very specialized software from vendors, many of them offshore. Surprisingly, those other vendors simply have no interest at all in giving away their crown jewels to their competition.

But HR 811 as written would require depositing tens of millions of lines of source code with the EAC; even if it magically materializes, it would be far more than any one person could hope to read, much less understand with complete clarity. But even if I could somehow get my hands on an accurate copy of the hundreds of thousands of pages of all the vendors' closely-guarded source code, I'm still wasting my time. Here's an example to explain why: simply looking at the official source code for Windows, Microsoft Office, and all the hundreds of other software applications and components I've installed over time tells me precisely nothing about the true, current state of my individual PC here in Minneapolis. I cannot tell by inspecting the official source code whether my particular PC has malware, spyware or, worst of all, a rootkit. Much less can I possibly know precisely how a particular application on my PC will behave at an arbitrary time in the future by looking at source code. It's the same for voting systems, or any real-world computing device.

If source code inspection could allow us to reliably predict how a particular instance of a program will actually work in the field, Microsoft Windows would be a rock-solid, bulletproof product -- after all, tens of thousands of programmers spend their professional careers scrutinizing its source code every day. It's simply goofy for serious IT professionals to state that it would be anything more than a sham to "inspect" whatever source code that HR 811 manages to dredge out of the vendors. Worse yet, it misleads the public, making it seem as if IT professionals have superhuman powers to "know" the source code is benign, and to "know" precisely what it will and won't do, and to "know" where and how it is actually running in a particular device - when of course, we do not.

Source code inspection is simply a quality assurance technique we use in an environment where we are reasonably sure that the source code we're looking at will be the same as is run, but it is hardly a security mechanism. For it to be so, we would have to trust the vendor, as well as every link in the rest of the very long chain of individuals involved in the end to end process of manufacturing, deploying, configuring, testing, operating, storing and monitoring the equipment and software. This magical level of trust is, well, inappropriate when dealing with national defense systems.

Blunder #6: It's a good idea to inspect the executable code, too

If source code inspection is ultimately a waste of time, what about the other stuff HR 811 would mandate the EAC to collect for our perusal -- the "object code" and "executable representation" of the source code?

Even in the highly-controlled, regulated and audited environment of a bank or brokerage house, it is extraordinarily difficult in practice to know precisely what software components are executing on which devices at any given time. But in theory, with specialized equipment and intensive hands-on effort, a skilled computer forensics auditor could rigorously examine each hardware component of an election system and compare the detailed contents of the installed software components to the version of the executables registered with the EAC. If they trust their forensic software, of course, and if they always accurately report
their findings. Care to bet the Republic on that?

But wait; there are tens, if not hundreds of thousands of devices to potentially check, so not only is this extreme degree of forensic comparison impossible to contemplate doing for every voting device prior to every election, it's also ultimately pointless. Since real-world computer systems involve complex inventories of hundreds or even thousands of application program modules, firmware, device drivers and operating system components, static inspection alone will never be able to reliably determine what those components will actually do at any given point in time. There's simply no reason to believe that a given executable corresponds to the given source code, and no way to truly know what the executable is doing - except by running it. I'd ask my colleagues who disagree to consider how you would detect "Cheating with Hardware - Malware Loader" as described in this study?
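To make the forensic comparison described above concrete, here is an added example (not code from the article, the EAC, or any vendor) of the one step that is mechanically possible: hashing the software images found on a device and comparing them against a registered manifest. The manifest format (path to SHA-256 digest), the file contents and the device snapshot are all constructed for illustration. The report it produces also shows what the comparison cannot tell you: a matching digest only proves the captured bytes equal the escrowed copy, and says nothing about components the acquisition tool did not read, about the honesty of that tool, or about how the code behaves once it runs.

```python
"""Registered-manifest comparison for one device (added example, hypothetical)."""
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a software image, as a hex string."""
    return hashlib.sha256(data).hexdigest()


# Constructed "registered" images, standing in for what an escrow body would hold.
REGISTERED_IMAGES: Dict[str, bytes] = {
    "tabulator.bin": b"tabulator firmware v1.0 (constructed sample)",
    "ballot.def": b"ballot definition, general election (constructed sample)",
}
# The manifest is the only thing the comparison actually trusts: path -> digest.
REGISTERED_MANIFEST: Dict[str, str] = {
    path: sha256_hex(image) for path, image in REGISTERED_IMAGES.items()
}

# Constructed snapshot from one device: one image matches, one was altered after
# registration, and one component is present that was never registered at all.
DEVICE_SNAPSHOT: Dict[str, bytes] = {
    "tabulator.bin": b"tabulator firmware v1.0 (constructed sample)",
    "ballot.def": b"ballot definition, general election (constructed sample) + late patch",
    "update.dat": b"unregistered component (constructed sample)",
}


def compare_device(manifest: Dict[str, str], snapshot: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify every path as match / mismatch / missing / unregistered.

    A 'match' means only that the bytes captured from the device equal the
    escrowed copy.  It does not cover images the snapshot tool failed to read,
    nor does it say anything about runtime behaviour.
    """
    report: Dict[str, List[str]] = {"match": [], "mismatch": [], "missing": [], "unregistered": []}
    for path, expected in manifest.items():
        if path not in snapshot:
            report["missing"].append(path)
        elif sha256_hex(snapshot[path]) == expected:
            report["match"].append(path)
        else:
            report["mismatch"].append(path)
    for path in snapshot:
        if path not in manifest:
            report["unregistered"].append(path)
    # Sort so the report is deterministic regardless of dict ordering.
    return {key: sorted(paths) for key, paths in report.items()}


def device_is_clean(report: Dict[str, List[str]]) -> bool:
    """True only if nothing differs from, is missing from, or exceeds the manifest."""
    return not (report["mismatch"] or report["missing"] or report["unregistered"])


if __name__ == "__main__":
    result = compare_device(REGISTERED_MANIFEST, DEVICE_SNAPSHOT)
    for category, paths in result.items():
        print(f"{category:13s}: {paths}")
    print("device matches manifest:", device_is_clean(result))
```

Even a clean report is a statement about the files the snapshot captured on the day it was taken, which is exactly the limitation the text above is pointing at; it is a useful inventory check, not evidence about what the device will do on election day.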

Blunder #5: It's also a good idea to test and certify voting systems

HR 811 calls for what appear to be improvements to the independent testing and certification of voting equipment. For example, it prohibits direct conflicts of interest between vendors and testers, allows EAC to randomly select the laboratory, requires public disclosure of test results, and even allows an expert named by the EAC to observe the testing process. Sounds good, right?

Well, no, actually. It is a truism in my profession that the purpose of testing is to find "bugs" --
not to indicate that a piece of software contains no flaws. It's a subtle point, but what it really means is that if I've found 100 errors, there is simply no magic oracle that will then tell me "well, that's all, we're done, no more bugs". If it was possible to test quality - much less security -- into any piece of software, well... Microsoft Windows would be the bug-free, highly secure platform we all know it to be, since Microsoft has the world's most sophisticated automated testing tools, thousands of paid testers, and hundreds of thousands of people worldwide who volunteer to help. Yet even so several critical Microsoft security defects have been reported every month for the last several years. But not to pick on Microsoft; just take a look at some of these other recent security issues for several thousand other vendors; in every case these security flaws were discovered after completion of formal testing. Take your time; the list is 685 pages long.

Of course, Michael Shamos (consultant on the certification of electronic voting systems, for six states, going back to 1980) still has a charming faith in the power of testing:

"One may readily argue that no reasonable sequence of tests can exercise every possible logical branch of a complex computer program. So be it. Neither can any such test guarantee that the navigation system of a 747 is working properly, or that it will continue to work during flight, but for some reason this fact does not keep me from flying. (The reason is probably that plane crashes are statistically rare.)"

I'm not sure Shamos really meant to contrast aviation software to voting systems; they lie worlds apart. Aircraft systems are typically tested to demonstrate a "Mean Time Between Failure" of between 12,000 and 21,700 hours - that's just one failure every 500 to 900 days in-flight. On the other hand, the National Institute of Standards and Technology has recently agreed that even the pitifully lax standard for voting equipment, on average one failure every 168 hours(!) -- that more or less ensures a substantial number of machines will "crash" during any given election - is not worth bothering about anymore and should be removed.

But the real problem is Shamos' analogy totally misses the point: commercial plane crashes are "relatively rare" in part because avionics does not have an adversarial insider threat model. By that I mean no one at Boeing could possibly benefit from subverting the stated mission of the organization, by injecting malicious software to deliberately crash their planes. On the other hand, consider the benefits accruing to insiders at ES&S, Diebold and Sequoia -- much less at the county election office -- from subverting the stated mission of their organization, by injecting malicious software to deliberately change the outcome of elections.

As socially-responsible professionals we must openly acknowledge the inherent limitations of our ability to ensure voting is as trustworthy as a critical national security system should be. We cannot and should not ask the public to simply trust the outcome of any testing and certification process, no matter how many "experts" say so.

Blunder #4: We need machines to mark our ballots for us.

Strange as it may seem, some of my colleagues even doubt a voter's ability to even mark a piece of paper without machine assistance. For example, the authors of a study published by ACCURATE (you know, the folks with the $7.5 million grant) entitled "Measuring the Usability of Paper Ballots" were surprised to discover that "over 11% of the [paper] ballots contained at least one error". But they measured "errors" by asking their test voters to vote three times in succession using three different ballots with different layouts; hardly a realistic case. Their conclusion that such a test "is a clear cause for concern, with possible public policy implications such as procedures for handling of narrow margins of victory and recounts" seems overblown.

Let me go out on a limb and state I believe that we voters in America, like voters throughout the world, can bravely take command of our own destinies and mark our own ballots. And count them, too.

Blunder #3: We should hand-count as few ballots as possible

And yet some of my colleagues have argued that paper ballot records are a bad thing. Shamos again:

"Ballot systems are sometimes naively regarded as the safest, a vestige of our faith in the superiority of paper records over the electronic. The dream is that in order to verify the election one need do no more than gather up the ballots and tabulate them a second time. However, ballot systems are not only unsafe but completely unauditable."

Well... that's a rather cheeky statement, and it must come as something of a revelation to professional auditors. Here's a quick reality check: if you agree that it is impossible to effectively audit and safeguard paper, stop by your local bank and help yourself to the cash on the way out. Or if you're in Washington, please drop in at the White House and pick up your own copy of the President's Daily Brief; I've heard it's fascinating reading.

Paper based processes are not perfectly secure, of course. But there are people who certainly think we've figured out how to audit and safeguard paper-based systems to an acceptable degree of public and commercial confidence over the last few centuries.

The bizarre assertion that it is impossible to audit paper election records also must be a surprise to the citizens of Canada, the United Kingdom, New Zealand, Germany, Ireland, Iraq, Palestine... and so on, all of whom not only conduct their elections (exclusively) on paper, but also manage to audit the outcome with an acceptable level of public satisfaction with the results. If you do not believe me, Google the phrase "Disputed Canadian Election".

In fact one reason why the outcome of paper-based balloting is so uncontroversial in those countries is that "ballot box stuffing" (that great bugaboo of so many of my colleagues who coincidentally make a living off of the electronic voting industry) in practice seems rather difficult to pull off without being detected.

Blunder #2: Computers count ballots better than people

This is a supreme article of faith among my technical peers. Yet surprisingly enough, there is little evidence in its favor.

In fact, there is a fascinating study from 2001 (interestingly enough, published shortly before HAVA was enacted) which concluded that not only were hand-counted paper ballots the most accurate of all vote counting methods, measuring by residual vote rate, but that every single technological "innovation" of the last century - lever machines, punch cards, optical scan, DRE - actually measurably decreased the accuracy of the voting process. Their conclusion:

These results are a stark warning of how difficult it is to implement new voting technologies. People worked hard to develop these new technologies. Election officials carefully evaluated the systems, with increasing attentiveness over the last decade. The result: our best efforts applying computer technology have decreased the accuracy of elections, to the point where the true outcomes of many races are

It will come as no surprise that some of my colleagues still question whether multiple citizens (each with competing political allegiances, and drawing upon the processing power of the one thousand trillion synapses in the massively-parallel neurocomputer we call a human brain) are collectively better able to interpret voter intent as marked on paper, as opposed to a "dumb" optical scanner. Of course, the people also have to count way up to 500 or so several times. Clearly, a job that calls for a machine.

Blunder #1: We don't need to justify using computers

Voting is not the first time IT professionals have created a solution in search of a problem, and it won't be the last. And while the IT profession is a leading contributor to our current predicament, it is by no means the only one. The entire end-to-end voting process has broken down and it's in many people's interests to see it remains that way, including our elected officials. No career politician is likely to voluntarily do anything that might undermine the legitimacy of their position.

Since the heady days of the 1960s, a new, multi-billion-dollar a year electronic voting industry with world-wide growth aspirations has emerged. Whether the original drive to automate our voting was driven by genuine desire to improve elections, naive faith in progress, blissful ignorance of the potential threats, bad technical advice or coldly calculated self-interest, that industry is now so entrenched it has become almost impossible to question the original decision to apply computer technology to voting. Surprisingly strong passions are aroused in defense of the machines.

In fact, we've had more than enough hands-on independent analysis of voting equipment to confirm what should have been utterly obvious all along: the machines were, are and will remain totally untrustworthy.

I think the truth is more cleverly hidden. Voting systems are riddled with so many brazen vulnerabilities that can be exploited through hands-on access that surely some must be deliberate features of the products and no accident. Black Box Voting has documented just how much certain election officials appear to appreciate the "back doors" built into their voting equipment. To the extent that such "features" have actually been exploited by unscrupulous local election officials, they have been co-opted, and certainly will not voluntarily relinquish computerized voting.

And worst of all, an extraordinarily dangerous feedback loop is enabled through the unwarranted belief in the trustworthiness of computerized voting technology. A series of deceptive election results over time that remain unchallenged can lead to the manufactured illusion of a shift in the underlying voting patterns of the electorate. Not all at once, and not in every election. But over time, the perception becomes reality, insofar as we can tell. Exit polls and even the weighting criteria for public opinion polls (the so-called "likely voter cutoff model") are all eventually calibrated to match official election results.

This nightmare scenario is uniquely enabled by unwarranted trust in computerized voting technology, it is certainly technically feasible to pull off given enough time, and, God help us, could actually be well underway.

How can HR 811 overcome the top ten blunders?

There are industry best practices that suggest a radically different approach to positively transform HR 811. Personally, I don't want to salvage computerized vote tabulation, much less allow DREs in any form; but regardless of what I might wish, eradication of computerized voting is going to take some time. In the meantime, we need to get legal ballots back on paper, and more and more of them counted by people.

HR 811 is on the right track by mandating archival paper ballots as the source of truth in an election. These paper ballot records, if properly used, would allow us to treat electronic vote tallying as a "black box". In engineering terms, "black box" testing means that if we can measure the accuracy of the outcomes, we can ignore all the intermediate steps.

Don't manage the process; measure the outcome.

In other words: eliminate code inspection, independent testing labs, and certification, because ultimately they can provide only "voodoo security." Trumpeting the mere appearance of trustworthiness as the genuine article critically deceives the non-technical public and is profoundly unethical.

Setting aside for now the details of the competing proposals, a robust statistically-valid hand check of machine accuracy is certainly feasible. The essential prerequisite (overlooked in HR 811) is to finally get serious about absentee and early ballot chain of custody, and paper-handling procedures in general. They do have good ideas on how to do this in Canada, and we could also consider common-sense measures such as storing early and absentee ballots in a secure third-party facility -- like the nearest federally-chartered bank.

Whenever the electronic tally, however produced, departs from the mandatory hand count by a defined legal threshold we should fine the responsible vendor on a sliding scale. And require the vendor to pick up the full costs for an expanded hand recount. And unlike HR 811 -- and like we do in Minnesota - the criteria for expanding the scope of any hand count should be clearly defined legally and automatically triggered.
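The "measure the outcome" approach of the last few paragraphs, as an added example that is not code from the article or from any state's audit law: a random sample of precincts is drawn from a publicly generated seed, each sampled precinct's hand count is compared with its machine tally, and any precinct whose net discrepancy exceeds a fixed legal threshold automatically triggers an expanded hand count. The precinct tallies, the 0.5% threshold, the "one flagged precinct escalates" rule and the seed are all constructed assumptions for illustration; a real statute would set its own threshold and escalation schedule.

```python
"""Threshold-triggered post-election hand-count audit (added example, hypothetical)."""
import random
from typing import Dict, Iterable, List, Tuple

# Constructed machine tallies: precinct -> {candidate: votes}.
MACHINE_TALLY: Dict[str, Dict[str, int]] = {
    "P01": {"A": 412, "B": 388},
    "P02": {"A": 301, "B": 299},
    "P03": {"A": 520, "B": 460},
    "P04": {"A": 250, "B": 250},
    "P05": {"A": 333, "B": 367},
    "P06": {"A": 198, "B": 202},
}
# Constructed hand counts of the same paper ballots. P02 differs by two votes
# (below threshold); P03 differs by forty votes (well above it).
HAND_COUNT: Dict[str, Dict[str, int]] = {
    "P01": {"A": 412, "B": 388},
    "P02": {"A": 300, "B": 300},
    "P03": {"A": 500, "B": 480},
    "P04": {"A": 250, "B": 250},
    "P05": {"A": 333, "B": 367},
    "P06": {"A": 198, "B": 202},
}

LEGAL_THRESHOLD = 0.005  # assumed statute: 0.5% of the precinct's hand-counted ballots


def select_sample(precincts: Iterable[str], sample_size: int, public_seed: int) -> List[str]:
    """Draw the precincts to hand count from a seed generated in public (e.g. dice).

    Sorting the input first makes the draw reproducible by any observer who
    knows the seed, which is what makes the selection checkable after the fact.
    """
    rng = random.Random(public_seed)
    return sorted(rng.sample(sorted(precincts), sample_size))


def discrepancy_rate(machine: Dict[str, int], hand: Dict[str, int]) -> float:
    """Total absolute vote difference across candidates, as a share of hand-counted ballots."""
    total = sum(hand.values())
    if total == 0:
        return 0.0
    candidates = set(machine) | set(hand)
    diff = sum(abs(machine.get(c, 0) - hand.get(c, 0)) for c in candidates)
    return diff / total


def audit(machine_tallies: Dict[str, Dict[str, int]],
          hand_counts: Dict[str, Dict[str, int]],
          sample: List[str],
          threshold: float = LEGAL_THRESHOLD) -> Dict[str, object]:
    """Compare each sampled precinct; escalation is automatic, not discretionary."""
    flagged: List[Tuple[str, float]] = []
    for precinct in sample:
        rate = discrepancy_rate(machine_tallies[precinct], hand_counts[precinct])
        if rate > threshold:
            flagged.append((precinct, round(rate, 4)))
    return {
        "sample": list(sample),
        "flagged": flagged,
        # Assumed rule: any sampled precinct over threshold expands the hand count.
        "expand_hand_count": bool(flagged),
    }


if __name__ == "__main__":
    sample = select_sample(MACHINE_TALLY, sample_size=3, public_seed=20070221)
    print(audit(MACHINE_TALLY, HAND_COUNT, sample))
```

The point of publishing the seed and sorting the precinct list is that anyone can re-run the draw and confirm the officials hand counted the precincts the dice actually chose; the point of a fixed threshold with automatic escalation is that nobody gets to decide after seeing the numbers whether a 4% discrepancy is "adequate under the circumstances".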

Although it falls far short of my preferred voting method -- 100% in-precinct hand counting with chain of custody reform for all ballot types - this suggested approach radically simplifies HR 811. It eliminates the false sense of security that inspection, testing and certification leave in their wake; it reduces cost to taxpayers, and if done properly and with much tighter control of the ballot paper trail, it should make both accidental and systematic electronic vote mistabulation much easier to reliably detect.

On the other hand, it does have the side-effect of significantly reducing the income of those of my colleagues who make all or part of their living through testing and certification work paid for, directly or indirectly, by the electronic voting industry -- and ultimately, by us taxpayers. Good luck to them moving on; there's certainly no shortage of honest work elsewhere in the computer security and quality assurance


According to DRE advocate Michael Shamos,

...I believe I and the republic will survive if a president is elected who was not entitled to the office....

That's preposterous. A republic falls when power is seized by those not entitled to office.

Given the current state of world affairs, I doubt we will be able to confirm Shamos' prognosis for the survival of the republic anytime prior to noon on January 20, 2009. Perhaps, not even then. Whether we will live and die as citizens or serfs is at stake, and it's long overdue to put our legal ballots back on paper and our citizens back at work counting them.

Author's Bio: Bruce O'Dell is a self-employed information technology consultant with more than 25 years' experience who applies his broad technical expertise to his work as an election integrity activist. He is Data Analysis Co-Coordinator with Election Defense Alliance, and Data Architect for the EDA Election Data Archive (accessible at
He lives just outside Minneapolis, Minnesota, and shares a love of good books with his wife - and her beautiful garden, with their talkative cat.