Frequently Asked Questions on Voting Systems and Elections
Are direct recording electronic voting systems with Voter Verified Paper Ballots (VVPB) really the wrong solution? Or is the poor design and engineering used in DREs with VVPB the real problem?
- AVANTE has proven that a properly engineered DRE with VVPR (VVPB or VVPAT) can work flawlessly in elections since 2002. These successful implementations have been limited to relatively small jurisdictions or pilot deployments. They are mostly not noted by the general public and certainly did not contribute much to counting the nation’s ballots. It is nonetheless evidence that a properly engineered and designed DRE with VVPB can be made to work perfectly to provide accessibility and 0% residual votes.
- DRE with VVPR may be the only method that can help to guide the voters to make 0% mistakes while ensuring the highest security among all kinds of voting methods. Most, but not all, of the engineering errors have been pointed out and corrections are being implemented to be in compliance with the federal Election Assistance Commission (EAC) 2005 Voluntary Voting System Guidelines (VVSG). As a community of vendors, we have yet to face up to the responsibility of providing the best-known and proven solutions.
- Some of the activist groups along with some computer scientists are now calling for the use of paper ballots counted with optical scanning technology as the “right” solution. The advancing argument is that with voter marked paper ballots, one can always trace back to the original votes as cast. Of course, that implies that we actually manually examine these paper ballots and that they can be protected to stay the same as originally marked. This argument forgets the history of ballot tampering over the last hundred years along with the fact that a “precinct-based optical scan” is also read and counted by electronics.
- In a way, the downsides are known in DRE systems with or without VVPR (VVPB or VVPAT). Can we say the same for paper ballots that are electronically read and tabulated by using optical scanning electronics and computers?
- One cannot help but wonder what additional security, accuracy, and reliability problems we will discover if we put the same amount of effort and intensity that we used on DREs to carefully examine optical scanning and electronic voting systems. After all, if we cannot trust electronics that record votes that have been verified by voters on the voting machine screen and on its corresponding paper records, how can we really trust electronic systems that scan and tabulate paper ballots without telling the voters how the paper ballots are being deciphered beyond whether there may be over-votes or under-votes?
Are there any accuracy, security and reliability issues in precinct-based optical scanning voting?
- Possibly the first thing we should do is to properly name the voting system used to count paper ballots. Most people tend to forget that an optical scan system is also an electronic system. The term “optical scan voting system” seems to ignore that electronics actually drive the more critical resolving and counting function of the system. Instead of calling it a “Precinct-Based Optical Scan (PBOS)” system, a more descriptive name will be “Precinct-Based Direct Recording Optical Scanning Electronic (DROSE) System.”
- The name is more proper because it provides the final tallies as deciphered from the paper ballots being scanned. Almost all of the commonly used precinct-based optical scan systems do not show or tell the voters how their submitted ballots are being counted visually or orally. The 2005 standard only requires the system to alert voters of whether the systems have detected any over-voted or under-voted contests but not how the ballots are being counted.
- While the original ballots as submitted leave an audit trail, ballots can be easily tampered with post election. They can get lost, replaced, modified, etc. Combined errors by voters and the system can range from 2-20% and cover any and all tampering that one wishes to do. History has proven tampering is easily done.
- The vulnerability to counterfeiting, tampering via smearing, changing and substitution of choices, and adding or removing paper ballots is well documented for more than 100 years. None of these problems have been addressed by the DROSE systems deployed today.
- It has been documented that imperfect software and hardware can cause incorrect reading and/or recording of the ballots. The data transfer media uses flash memories that lack adequate security leading to results that can be changed without leaving a trace.
What are proper audits and improvements needed for the precinct-based optical scan solutions to achieve the level of the best DRE with VVPR (VVPB, VVPAT)?
- One of the urgently needed improvements is to include a visual display and/or aural reading of HOW the ballot marked and submitted is being read before actually counting them electronically. If one cannot trust what is touched and confirmed on DRE screens, how can one trust a computer that performs the complex operation of correctly converting marks in special positions on a piece of paper?
- The authenticity of the marked paper ballots depends entirely on the proper handling and processing of the paper ballots after the election. It makes sense to take a picture of every marked ballot while they are being deciphered and counted. These picture images are also scrambled as required (for privacy concerns) for electronic counting of the ballots. This is as good as shooting video of the counting process. Of course, loss of privacy results due to sequencing inherent in video recording.
- Ideally, there should be an “electronic tag” on the electronic picture image of the ballot and the corresponding deciphered result (commonly referred to as “ballot image”) in a DRE. This image will provide a one-to-one audit making it much easier to find any errors and/or tampering.
- An even better approach is to use a randomly generated ballot identifier to provide authenticity of every ballot that is being submitted and counted. The wide use of absentee ballots and “all mail paper balloting” allows potential voters to sell their votes or be coerced to vote in certain ways. A copy of the marked paper ballot can be produced to anyone to prove you have voted in a certain way.
- Even with these improvements, proper election management processes must still be observed.
How should a voter-verified paper record (or “voter verified paper audit trail”, VVPAT or “voter verified paper ballot”, VVPB) be incorporated into DREs to provide an irrefutable audit trail?
- All voter-verified paper records (VVPR, VVPB, VVPAT) should be individualized and not continuous in a roll to provide maximum voter privacy.
- The VVPR should not carry any time-stamp. A time-stamp has the potential to invade voter privacy. A date stamp is fine.
- All paper records should include a unique randomly generated number (or code) identifier that is linked to the electronic ballot images that are being stored as individual records. This feature allows one-to-one paper record to electronic record audit. This is a good verification that remaining paper records are correct even when some paper records are not printed or have been lost (as in the case of Ohio election in 2006). Otherwise without linkage, none of the paper records can be trusted if some are missing.
- A relational check code or encryption code should be generated binding the votes with the unique randomly generated ballot identifier to provide additional system security.
- Make sure the printing of paper records is in suitable font size and presented at eye level for ease of verification by the voters.
- Make sure that the paper records are in locked and sealed ballot boxes that are not accessible to voters and polling officials without proper tracking records.
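The identifier linkage and check code described in the list above can be sketched as follows. This is an added example, not AVANTE's implementation: HMAC-SHA-256 as the check code, the record layout, the key and the function names are all assumptions, and the 24-digit identifier length is borrowed from the 24-digit code mentioned elsewhere on this page.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key (assumption): a real deployment would provision a
# per-election secret and keep it away from whoever stores the records.
ELECTION_KEY = b"constructed-demo-key-not-for-real-use"


def new_ballot_id():
    """Random 24-digit identifier: no sequence number and no time-stamp."""
    return "".join(secrets.choice("0123456789") for _ in range(24))


def check_code(ballot_id, votes, key=ELECTION_KEY):
    """Keyed check code binding the identifier to the votes (HMAC-SHA-256)."""
    msg = json.dumps([ballot_id, sorted(votes.items())]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def cast(votes, key=ELECTION_KEY):
    """Build the record that is both printed on paper and stored electronically."""
    ballot_id = new_ballot_id()
    return {"id": ballot_id, "votes": dict(votes),
            "code": check_code(ballot_id, votes, key)}


def code_ok(record, key=ELECTION_KEY):
    """True when the record's check code matches its identifier and votes."""
    expected = check_code(record["id"], record["votes"], key)
    return hmac.compare_digest(record["code"], expected)


def audit(paper, electronic, key=ELECTION_KEY):
    """One-to-one audit of paper records against electronic ballot images."""
    p = {r["id"]: r for r in paper}
    e = {r["id"]: r for r in electronic}
    report = {"matched": [], "altered": [],
              "missing_paper": [], "missing_electronic": []}
    for ballot_id in sorted(p.keys() | e.keys()):
        if ballot_id not in p:
            report["missing_paper"].append(ballot_id)
        elif ballot_id not in e:
            report["missing_electronic"].append(ballot_id)
        elif (code_ok(p[ballot_id], key) and code_ok(e[ballot_id], key)
              and p[ballot_id]["votes"] == e[ballot_id]["votes"]):
            report["matched"].append(ballot_id)
        else:
            report["altered"].append(ballot_id)
    return report
```

A paper record whose identifier is unknown to the electronic store is reported under `missing_electronic`, and any record whose votes were changed without the key is reported under `altered`, so the remaining matched records can still be relied on when some paper records are missing.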
What are the needed improvements in DREs having properly engineered VVPR (VVPAT or VVPB)?
- NIST promoted the use of write-once-read-many electronic transfer media (such as CD-Rs) in place of flash memories when drafting the 2005 VVSG, but this was voted down by some of the older established vendors. There is no encryption technique that can mitigate the potential for insider tampering when read/write flash memories are used.
- Voter verified paper ballots that are not linked to the respective electronic ballot images are meaningless in end-to-end auditing. This is critical in close races. Original VVPBs can be easily replaced with fake paper ballots.
- An incomplete paper record error of 1% will render the other 99% of the paper records useless if the election losing margin is within 1%. There is no way to prove or disprove whether the rest of the unlinked 99% is accurate.
- Being able to change ballot images and tallies on flash memories makes tampering easy. It unavoidably creates confidence problems with the use of DREs without write-once-read-many electronic transfer media even if the DRE has VVPBs.
- The “potential loss of privacy concern” argument against the use of random voting session identifiers (machine and/or human readable) on the VVPB as required in the 2005 VVSG is ridiculous. Are we really worried about someone being able to read the barcode identifier or use a 24-digit code to prove to someone they have voted in a certain way? Wouldn’t those that are interested in buying or coercing someone’s vote be more convinced with a physical picture captured by a cell phone of the paper ballot hanging inside the DRE when the voter is prepared to cast his/her vote rather than being given a 24-digit number that they couldn't ever verify?
- All paging DREs with VVPB should present contests to voters one at a time. If choosing not to vote on any individual contest or question, the option to choose “skip contest” should be given to the voter to avoid any confusion over the voter’s intent (did he/she or didn't he/she intentionally not want to vote that contest). Such simple software guidance costs nothing and will dramatically improve system accuracy to 0% residual votes versus the average of 1.8% (presidential races).
- All full-face DREs with VVPB should ask voters to positively acknowledge their wish to skip any contests. This is a proven tested feature of the AVANTE system. Such low cost solutions eliminate all unintentional under votes.
How should one provide “accessibility” to visually impaired voters when a VVPR (VVPB or VVPAT) is used with DREs or marked paper ballots are produced with a “ballot marking device”?
- Technically, a truly independent and private verification of paper ballots for visually impaired voters would be to have an equivalent to a “voting system based person” reading back the choices as recorded on the voter verified paper ballot. This capability would need to be independent of the voting system manufacturer. The best mode of operation would require a system (hardware-firmware-software) that is commercial-off-the-shelf (COTS) and preferably based on open standards.
- All of the current ballot-marking devices (BMD) use templates to print or mark on pre-printed ballots, or print the ballot and mark it. When these printed/marked ballots are re-fed for the read back of choices, the machines do not use third party Optical Character Recognition or a barcode reader independently from the voting machine. Instead, they retrieve and use the same template to compare the marked areas and then read it back to the voters. There is no difference in terms of independence whether reading from the data stream for printing or reading back by using the template after scanning.
- The only commercial-off-the-shelf (COTS) means of reading a paper ballot would be through use of optical character recognition (OCR, still lacking common industrial standards), or by independently reading a condensed representation such as 2-D barcode (e.g. PDF-417) that has public standards.
- In the case of the BMD system, the use of OCR coupled with a text-to-speech engine represents the most direct method enabling use of third party or open source software. The accuracy is not yet 100% which may cause confusion.
Even if accuracy is not a problem, it still has many practical issues:
- Voting results read back with an OCR engine coupled with COTS text-to-speech engines must read the complete ballot including skipped choices. This would likely double the time from the 5-15 minutes a typical voter requires to 10-30 minutes. This may receive strong objections.
- By itself, COTS OCR will not know what a filled or unfilled oval means. Special programming is required. And sometimes, the system may be required to be pre-programmed to “read” the signature of the County Clerk and to disregard extraneous marks. This could require the use of non-COTS software.
- If only those candidates that have been selected are read, no technical difference exists with the method of reading back the results from the same data stream that is used to print the voter verified paper ballot. This is exactly what blind voters and their supporters object to.
- Another potential issue is the use of the “computer voice” for read back to some voters. If a recorded voice is to be used for read back, it will need separate programming on top of the open-source or public domain software.
- Unfortunately, OCR is not currently a real solution for total independent verification for visually impaired voters' ballots.
What are the merits of “complete escrow” of all source codes?
- “Complete escrow” of all source code used in voting systems meeting the current Federal election system standards is not practical without cooperation from the vendors of the computer hardware, third party firmware, and application developers used by the voting machine manufacturers.
- All voting systems meeting the HAVA requirements for accessibility require extensive use of third party software, embedded software (firmware) in chips, drivers for printers and touch-screens, and synthesized or recorded voice.
- Optical scan systems are required to decipher marks with accuracy improving from 1 in 500,000 to 1 in 1,500,000 marks. Without the use of more advanced imaging approaches this is not feasible.
- Voting system manufacturers could develop all of these required features or adopt more open source components whenever possible. However, to achieve such a feat would require duplicating all the commercial efforts that have been done over the last 20 years.
- AVANTE believes the current approach used by the EAC and NIST on source code is very practical. The following aspects could be made more specific.
- Require that COTS software and firmware be defined as those that have established commercial applications other than being used in voting systems.
- Require that no modifications on COTS firmware and software being used by voting system manufacturers be made to meet the specific needs of the voting systems incorporating that software.
- If it was allowed to modify firmware and software to meet a particular voting system application, that firmware and software would require certification and source code placed into escrow in NIST and other state agencies requiring escrowing of the specific source codes.
- Incorporate election codes (Federal, State or EAC requirements) that all source code in escrow can be reviewed only by court appointed experts. Expert opinion can be rendered on any aspect of the source codes as long as the actual source code itself is not disclosed.
- Even if machine vendors get most of their third party suppliers to agree to escrow their source codes (AVANTE has gotten agreements from some vendors including its touch-screen driver and printer manufacturers), all voting vendors will still have difficulty getting source code for the compilers that are used to convert their source code into execution code.
- One tends to forget that only execution codes are loaded into the voting systems. All manufacturers provide SHA-1 hash codes for all of such machine codes. These are the actual codes that execute the computing process.
- An expert can modify the execution code to perform unauthorized actions without directly using source code or the compiler. Source codes help to diagnose the problems whenever any “bugs” are found.
What are the merits of total system “open source”? Is total system “open source” achievable?
- AVANTE believes there is an implicit public responsibility of all voting system manufacturers. Such responsibility should include proper and adequate transparency. However, the public’s right-to-know must not damage the business interests of the entities that provide such commercial systems and services.
- AVANTE agrees with the team of computer and election experts associated with Accurate Voting and their position on restrictive and controlled disclosure of the source codes developed by the voting system manufacturers. Our rationale has been stated earlier.
The following outlines some additional thoughts:
- Very light penalties have been imposed on offenders that have manipulated voting system source code without having prior state approval. This legal precedent provides very little deterrent to those that are willing to commit such offenses. Tracing to a responsible party is extremely difficult.
- Voting systems are managed independently by more than 100,000 independent jurisdictions nationwide, each with different state election codes and traditions. Each uses a different approach for election security protection. It might be unwise to have total open source for public scrutiny.
- Currently, experts appointed by the State (in some but not all states) can review and examine the source codes used in the voting systems.
- AVANTE agrees that source codes should be available for qualified independent public reviews.
AVANTE patented verifiable voting solutions with proven accuracy are configured with commercial-off-the-shelf (COTS) hardware of computers, printers, and document imaging scanners with flexibility to accommodate election and voting methods of:
- Counting voter-marked ballots in the precinct under public observation
- Counting voter-marked ballots in counting centers with specific and limited precincts under public observation
- Counting voter-marked and mailed-in ballots in central counting headquarters under public observation
- Counting ballots marked by automatic "ballot-marking-devices" under public observation
- Automatic "ballot marking devices" as "direct recording electronics" (DRE) with "voter-verified paper ballots"
These patented solutions are developed and proven with the most stringent accuracy and integrity requirements in mind to accommodate the spectrum of complex elections in the USA, South America and others as well as more common and simpler parliamentary and presidential elections in Canada, Europe, Africa and Asia.