Open Letter to NIST on Electronic Voting Machine Recommendations

Originally published by Democracy for New Hampshire

Open Letter to NIST on Electronic Voting Machine Recommendations

Comments on the (Un)verifiability of Election Equipment


We read your draft paper "Requiring Software Independence in VVSG 2007: STS Recommendations for the TGDC" with considerable interest. Reading between the lines, I get the distinct impression that you're working your way toward some of the same conclusions our local group has reached -- and some that the New Hampshire legislature has reached. Perhaps if I lay out our line of reasoning, it will let you know that you're not alone in the direction you appear to be going. (This is basically a summary of what we said in our comment in the recent EAC inquiry, which I've attached as a PDF.)

Let me start with your words "...the DRE, which does not produce an independent voter-verified audit trail. Therefore, audits of its electronic records cannot be against any independent evidence of the voter's intentions as cast and as a consequence, its electronic records cannot be audited independently..." Right there is the heart of the matter. It goes straight to the nature of modern elections. Fundamentally, we're dealing with a problem in public records. The secret ballot was introduced into our election laws late in the 19th century in order to correct a major integrity problem: improper influence on voters. As long as it was possible to tell how a citizen voted, voter bribery and intimidation were rampant. The secret ballot fixed that, but it brought on a side effect. It made the vote recording step a single point of failure. The only person who's in a position to tell whether a vote is recorded correctly is the voter, and only while still in the voting booth.

more below the fold

But the only way the voter can tell for sure that the vote is recorded correctly and can't be changed is to see it, with his or her own eyes, indelibly marked on a durable paper ballot. Letting electronics get between the physical recording medium and the human-viewable display breaks the feedback loop. There's no way the voter, let alone any auditor coming afterward, can tell whether the display matches the recorded data. Unlike a banking system, there's no system of monthly account statements to expose errors -- and because of the nature of the secret ballot, there's no way such a thing could be introduced. Voter-retained receipts not only wouldn't provide a usable audit trail, because they could never all be collected, but they would destroy the secret ballot by providing a tangible record of who voted how. Then we come to the vote counting step. In order to make sure that the vote that counts is the same one the voter cast, it's necessary to require that the ballot counters, whether they're people or machines, look only at the physical marks the voter saw and verified.

The logical consequence follows inescapably: it's not only unacceptable for votes to be recorded electronically instead of on paper ballots, it's unacceptable to record them electronically *in addition to* paper ballots. In fact, human-readable indelible marks, on durable paper ballots that can survive storage and re-counting, are the only way to record votes that can support an open and verifiable election system. And that's exactly what the New Hampshire legislature figured out last spring, and wrote into law. For good measure, they passed a second law requiring all recounts to be done "by direct inspection of the ballots, without electronic, mechanical, or optical devices". Basically, that's what an audit is, and it depends on a reliable and durable public record as a starting point -- pretty much along the lines of what you said on page 3.

Obviously, that blows a hole in the concept of VVPAT. It's nothing but a public relations sham. It can't fix anything. This line of analysis doesn't directly invalidate EBM. Simple economics does. It makes no sense to spend hundreds or thousands of dollars on a complex machine that attempts to reproduce the function of a 50-cent hand-held pen, while introducing failure modes the pen isn't capable of. And it's a lot easier for cash-starved precincts to supply enough pens to handle the election day traffic than enough vote recording machines. Also, the hand-held pen is superior from a human factors viewpoint. There's a lot less chance of missing an incorrectly marked vote if the voter doesn't have to look at a screen, and then check the marked ballot to make sure it matches. With hand marking, the physical ballot is the only thing the voter has to look at. Voting with the pen is probably faster, too. There's no extra verification step.

Having talked about the crucial vote recording step, I've set the stage to talk about op scan machines. You wrote "Clearly, the needs of voters and election officials need to be addressed with improved and new technology. The STS believes that current paper-based approaches can be improved to be significantly more usable to voters and elections officials..." and "If an undetected change or error in the optical scanner's software were to cause erroneous counts, subsequent audits would show the errors." Yes and no. That depends on the audits actually being performed.

Op scan machines exist in the first place because today's ballots have so many races and questions on them that local officials can't count them all by eye in a secure and public environment, unless they set up a three-shift operation that can be sustained for several days. So in practice, the hand recounts don't get done unless somebody suspects a discrepancy and pays the recount fee. This means that an election using op scan machines isn't open and verifiable in actual practice, unless we can make certain that the machine won't cause an undetected error. That puts the machine into the category of safety-critical products, which just happens to be a very mature branch of engineering and administrative law. The FAA is very experienced in this field. Since you're a federal agency with an important problem, I'd hope they'd be willing to let you pick their brains.

There's probably a lot of material in their standards RTCA/DO-178B and RTCA/DO-254 that you could adapt. You're right that absolute correctness and absence of bugs can't be demonstrated by testing; it's done by a comprehensive analysis that requires access to the complete documentation for the whole system and everything it relies on for proof of correctness. Unlike safety-critical aviation flight controls, op scan ballot counting machines fall into the class of safety-critical devices in which a safe shutdown is possible. That comes very close to the family of safety-critical products I designed several years ago, flame safety controls. What we were required to prove to the satisfaction of the engineers at UL and their European counterparts was that the logical design was correct, and that if any component were to fail, the device would either operate within its specifications, or fail in a safe manner. A safe failure meant that the fuel valve would close and prevent a furnace explosion. (You really don't want a furnace explosion to happen in a 1-gigawatt steam power plant.)

A safe failure for a ballot counting machine would be one where it completely stops working and doesn't report any result. The standard we followed was UL 372, and it goes into great length on the requirements for a comprehensive Failure Mode Effects Analysis. I think a lot of that could be pasted into a standard for op scan machines. How to go about designing and approving a provably correct, fail-safe op scan machine? There's an engineering aspect, and an election law aspect. For an election to earn public confidence and so confer legitimacy on the elected public officials, everything about the election must be open and verifiable -- including the formal proof that everything about the ballot counting machine is correct in design and fail-safe in operation. So the complete design and all the records showing compliance with safety-critical product standards must be public records, and approved through an open regulatory process as required by the U.S. Administrative Procedures Act or equivalent state law.

Openness and verifiability must be pervasive; no secrets, trade or otherwise, can be tolerated anywhere in the internals of a piece of election equipment. Anything that isn't open to public inspection and peer review is a place where bugs and sabotage can hide. A little thought will show that it's not enough that the software be correct. A bug in the logical design of the hardware that the software runs on can produce an incorrect result as easily as a software error; it's just a lot harder to commit fraud that way. Similarly, correctly designed hardware can still produce an incorrect result if a component is faulty or damaged; this is why failure mode analysis is necessary. Finally, the election configuration data must also be provably correct and subjected to public review.

Last May Anthony Stevens, our Assistant Secretary of State, asked me for any diagrams I had showing principles for a machine that could be trusted. I put together the attached block diagram of a hardware platform for a fail-safe op scan machine. The heart of the thing is the two CPUs. To achieve failure-safety, they continuously send each other test vectors, which systematically test each component of the opposite processor down to the transistor level. In order to present a written proof of completeness for the test vectors, the exact logical design of the processors must be known and frozen under official revision control. This means they have to be built the way computers were 40 years ago, out of individual gates and flip-flops.

(I know I'm being paranoid about this, but in the immortal words of an early CIA director, am I being paranoid enough?) Simplicity is part of the discipline of safety-critical product design. The functions required of an op scan machine are pretty simple in principle. I believe the software and the hardware logic could be designed at a technical level that a bright high school student could understand and prove correct. Politically, it's very important to have as wide a pool of citizens as possible who can review the design for themselves and criticize it in public, so that confidence in the design doesn't rest on a few elite specialists. That's still not as good as every citizen being able to independently analyze the design, as they can analyze the state election laws, but it's the best I can suggest.

You gave attention to security vulnerabilities in DRE machines. The same consideration applies to op scan machines. I've thought a lot about that. It can't be applied as an afterthought; it has to be provided for from the beginning of requirements analysis. Of course, I'm not a specialist in that field, so professionals could undoubedly add a lot; NSA might have some unclassified papers on the problem of authenticated distribution, for instance. I don't think we can rely on a machine being protected from tampering and accident during year-long periods in unguarded storage. Therefore I emphasize design features that provide ways for local officials, partisan election inspectors, and possibly random members of the public to verify at the polling place that the machine conforms to its published and approved engineering drawings, contains the approved firmware and election configuration data, and is isolated from outside influences.

When I say an op scan machine should be transparent, I mean it literally. The party inspectors should be able to see all of the internal parts without breaking the case seals or exposing it to ESD or RFI. They should be able to check board and IC part numbers and serial numbers, look for unauthorized cuts and jumpers, read the numbers and signatures on the socketed OTP EEPROMS containing the firmware and the configuration file, and dump the complete contents into their own laptops so they can compare it bit-for-bit to the published source code that they downloaded and compiled on their own machines. That approach makes the entire machine auditable at the point of use. The more independent routes there are from the peer-reviewed original design documents to the machines in the field, the harder it is to hide fraud, negligence, or just plain human fallibility.

The only thing I want to say at this point about vote recording devices for disabled voters is that "accessibility" and "privacy" must not be permitted to become excuses to justify exposing the votes of the great majority of citizens to hidden and unverifiable recording processes. It's essential to keep our priorities straight. Openness and verifiability are absolute requirements, and cannot be compromised without sacrificing the legitimacy of representative government itself. A way for a voter who can't see the ballot to vote without human assistance is a convenience, not a necessity. New Hampshire law permits a voter to appoint anyone except an employer or a union official to assist in the voting booth; we can rely on that until we can solve the truly formidable problems of coming up with a provably correct, fail-safe, tamper-evident method of letting a blind voter verify that the marks on a standard-issue paper ballot are correct. If political pressure forces less-than-airtight devices for disabled voters into use without an independent method of verification in the voting booth, then it's best to mitigate the risk by confining their use to the smallest possible population.


John A. Carroll
Member, Fair Elections Committee