Banned Test Lab Certified Machines 68.5% of US Voters Used in 2006

EAC secretly pulled Ciber's accreditation last year, without informing the public

By Michael Richardson

Last week Christopher Drew of the New York Times informed a shocked nation that the leading "independent testing authority" of electronic voting machines, Ciber, Inc. of Greenwood Village, Colorado had not been following its own quality-control procedures and could not document that it completed required tests for reliability and security.

The federal Election Assistance Commission, which accredited the Ciber testing lab, secretly pulled its interim accreditation last year, without informing the public or election officials relying on Ciber's results. Independent testing centers, including Ciber, are not really independent at all and are funded by voting machine vendors to whom they issue their testing reports and only recently have come under federal scrutiny.

The EAC has yet to explain why it withheld the accreditation of Ciber from the voting public and the omission has entangled the controversial election oversight panel in the growing national distrust of electronic voting machines and may threaten its continued existence.

How many voting machines might be affected by the lax security inspections of Ciber?

Respected electronic voting machine authority and self-described "politechnologist" Joseph Hall did some digging. "The answer was not something I would have predicted...I knew Ciber did a good deal of software ITA testing, but it looks like, in terms of voting system deployment, that Ciber qualified the voting systems used by 68.5% of the registered voters (67.9% of precincts) in the 2006 election."

Hall explained the difficulty he encountered to acquire his data. "Since the test reports are not public, it is difficult to find information about who tested what when."

Undeterred by the veil of secrecy surrounding the testing of electronic voting machines, Hall used old testing identifiers, called NASED numbers, to track the deployment of voting machines around the nation. Ciber tested any machine that had a NASED number beginning with the digit "1".

"With this key piece of information, we can use published lists of qualified voting systems to determine which models were qualified by Ciber." explains Hall. Discovering that Ciber tested the vast majority of machines in the country Hall says, "In fact, it is much more simple to list which systems were not qualified by Ciber."

Hall concludes, "I suppose it would have been completely impractical to decertify all these systems. Even decertifying those systems in which the qualification testing Ciber performed was specifically lacking would likely be a significant double-digit percentage of voting systems used by registered voters."

One thing the ITA laboratories, or any other testing agency, cannot determine is if an electronic voting machine has been rigged with malicious self-deleting software code. All voting machines and optical scan vote-counters are subject to being hacked with self-deleting code that cannot be detected with any test. Self-deleting software code does its dirty deeds, including flipping or erasing votes, and then deletes itself erasing any sign of tampering.

A growing number of election integrity advocates are realizing that software technology has no place in the election systems of our country because of the inability to even detect mischief. The solution that is emerging is both simple and obvious, a return to time-tested hand-counting of paper ballots.

Author: Michael Richardson is a freelance writer based in Boston. Richardson writes about politics, election law, human nutrition, ethics, and music. In 2004 Richardson was Ralph Nader's national ballot access coordinator. "The way to be happy is to make others happy."

Barbara Simons Named to EAC Advisory Board

Thu Aug 7 10:29:36 2008 Pacific Time
ACM Press Advisory
CONTACT:
Virginia Gold
212-626-0505
[email protected] [1]

ACM Electronic Voting Expert Named to Key Federal Advisory Committee;
Dr. Barbara Simons Fills Position for Technology Professionals

NEW YORK, Aug. 7 (AScribe Newswire) -- Dr. Barbara Simons, a computer scientist and founder of ACM's U.S. Public Policy Committee (USACM), has been appointed to the Board of Advisors for the Election Assistance Commission (EAC), the Federal body that oversees voting technology standards. Simons, a past president of ACM, fills a vacancy on the Board. The seat is one of four positions out of a total of thirty-seven members allocated for representation by science and technology professionals. Simons was appointed to the board position by Senate Majority Leader Harry Reid. The EAC was established by the Help America Vote Act of 2002 (HAVA) to assist in the administration of Federal elections.

"With the increasing use of technology in the voting process, it is important for the EAC to have the benefit of strong scientific knowledge and advice," said Eugene H. Spafford, who chairs USACM. "Dr. Simons brings valuable technical expertise to the Board of Advisors to help inform the Commission's focus on the intersection between voting issues and computing technologies. Her extensive experience with USACM as well as her advisory roles in high-profile national voting groups qualifies her as an expert on voting systems, election technology, and election processes."

Dr. Simons was a member of the National Workshop on Internet Voting, convened at the request of President Clinton, which produced its report in 2001. She participated on the Security Peer Review Group for the U.S. Department of Defense's Internet voting project (SERVE), and co-authored the report that led to the cancellation of SERVE because of security concerns. Dr. Simons also co-chaired the ACM study of statewide databases of registered voters.

An encryption and privacy expert, Dr. Simons served on a subcommittee of the President's Export Council for Encryption. In preparation for anticipated security considerations for the year 2000, Dr. Simons also served on the information Technology-Sector of the President's council on the Year 2000 Conversion.

In 2005, Dr. Simons became the first woman to receive the Distinguished Engineering Alumni Award from the College of Engineering of the University of California, Berkeley. She received the Alumnus of the Year Award from the Berkeley Computer Science Department; the Distinguished Service Award from the Computing Research Association; and the Norbert Wiener Award from Computer Professionals for Social Responsibility. She was also awarded the Outstanding Contribution Award from ACM and the Pioneer Award from the Electronic Frontier Foundation.

Dr. Simons was selected by C|Net as one of its 26 Internet "Visionaries" and by Open Computing as one of the "Top 100 Women in Computing." Science magazine featured her in a special edition on women in science.

A Fellow of ACM and the American Association for the Advancement of Science, Dr. Simons was president of ACM from July 1998 to June 2000, and founded USACM in 1993, where she served for many years as chair or co-chair. She is retired from IBM Research, and is co-authoring a book on voting machines with computer scientist Douglas W. Jones of the University of Iowa.

About ACM
ACM, the Association for Computing Machinery ( http://www.acm.org/ [2] ), is the world's largest educational and scientific computing society, uniting computing educators, researchers and professionals to inspire dialogue, share resources and address the field's challenges. ACM strengthens the computing profession's collective voice through strong leadership, promotion of the highest standards, and recognition of technical excellence. ACM supports the professional growth of its members by providing opportunities for life-long learning, career development, and professional networking.

About USACM
The ACM U.S. Public Policy Committee (USACM) http://www.acm.org/usacm [3] serves as the focal point for ACM's interaction with U.S. government organizations, the computing community, and the U.S. public in all matters of U.S. public policy related to information technology. Supported by ACM's Washington, D.C., Office of Public Policy (http://www.acm.org/usacm/staff.html [4]), USACM responds to requests for information and technical expertise from U.S. government agencies and departments, seeks to influence relevant U.S. government policies on behalf of the computing community and the public, and provides information to ACM on relevant U.S. government activities. USACM also identifies potentially significant technical and public policy issues and brings them to the attention of ACM and the community.

EAC Gopher Bash

April 14, 2007

By Nancy Tobi

The Holt Bill (H.R. 811) is being advertised as a "paper trail" bill, but it also makes permanent the Election Assistance Commission (EAC). The EAC is four White House appointees who control the nation's voting systems.

Holt Bill proponents say that this is not a problem. They point to recent news coverage of the EAC, showing its incompetence and its questionable and even fraudulent actions. They say that the EAC has conducted itself so poorly as to make itself irrelevent. They look to hiring new Commissioners to "do a better job".

But the issue is not who are the Commissioners or how they conduct themselves. The issue is the very entity itself: four White House appointees with the power to determine what voting equipment is in use in our nation's elections, and to influence policy through the release (or nonrelease, as the case may be) of valid (or fraudulent) studies and reports.

Activists point to the EAC's first Chair, DeForest Soaries, now a vocal critic of the Commission. One of Soaries' first acts as Chair was to seek the authority to cancel national elections in case of a "homeland security threat". Soaries' resignation, and his subsequent criticism of the EAC is not about the inherently undemocratic nature of the Commission in our political structure, but rather the lack of authority held by the EAC. There is no solace to be found in this school of thought. The problem is not, as some activists claim, that we need to hold the EAC accountable or even replace current Commissioners with "better" ones. The problem is the existence of the entity itself.

The Holt Bill neither broadens nor weakens their power per se. Last year's version of the bill, H.R. 550, did broaden their powers, giving them audit and de facto recount authority, but this year's version H.R. 811 was changed, possibly to defuse that criticism. But H.R. 811 makes the EAC a permanent entity, removing the EAC sunset date imposed by the Help America Vote Act (HAVA) when it created the EAC.

HAVA created the EAC as “an advisory” commission, with the exception of granting it regulatory power over the NVRA. As an executive commission it can become 100% regulatory with the insertion of one line of text in any congressional legislation.

This is how the FEC became regulatory; it began advisory just as did the EAC.

If the EAC had been created as a congressional commission this picture changes, because a congressional commission can never be regulatory. This, in fact, was the rationale behind the advise of then counsel for the architects of HAVA. Counsel advised against making the EAC executively appointed, but the HAVA gang of four (McConnell, Dodd, Hoyer, and Ney) overrode his objections.

We don’t know why they wanted to centralize election control, but we know full well the implications and we need to make this clear to all those good people supporting Holt because they think it requires paper trails and that is the full essence of the bill.

Holt's office and his supporters want us to believe that making the EAC permanent is a “nonissue”. But if they think it is such a great idea, then why did Hholt's office deliberately remove the word "Permanent" from the December draft of the bill, and make the section header " sec. 4. Extension of authorization of election assistance commission" instead of “PERMANENT Extension…" as it had been spelled out in the December draft. Do they think that by removing the word "permanent" we won't understand that the unlimited extension means the same thing?

As appalling as is the notion of cancelling elections proposed by former Chair Soaries, the who and how question with respect to the EAC Commissionres is not really the issue. It is, rather, the unprecedented proposal in H.R. 811 for Congress to use its constitutional authority to preempt state sovereignty in the conduct of elections in order to shift power not to itself, a representative body, but to a nonrepresentational executive commission of four White House appointees, and to permanently change the entire structure of governance and control in the United States.

Historically, Congress has taken the dramatic step of intervening in election administration when it held in doubt the states' intentions to carry out their duties to preserve and protect the rights of their voters. A GAO report ("The Scope of Congressional Authority on Elections" - March 2001) on this matter states:

"Congress has passed legislation relating to the administration of both federal and state elections, pursuant to its various constitutional powers. Federal legislation has been enacted in several major functional areas of the voting process, as described in more detail below. These areas include the timing of federal elections; voter registration; absentee voting requirements; accessibility provisions for the elderly and handicapped; and prohibitions against discriminatory voting practices."

But it is unprecedented for Congress to pass legislation that makes permanent an unchecked and unbalanced executive commission with broad powers and control in the matter of elections.

I will note at this point that we have, in our Request by Voters ( http://www.wethepatriots.org [5] ) proposed an alternative solution to shift EAC responsibilities to the HAVA-created Standards Board, which unlike the EAC, is a truly representational body.

With the EAC in permanent control over voting system technologies and standards, the American people lose all control and decisionmaking authority over our elections. Any mandates we impose at our state or local levels are easily overridden by the EAC. And any action we may want to take against questionable electronic voting technology is mooted by the EAC, which is the final authority on what electronic voting technology is not only approved and recommended, but may actually be mandated in our cities and towns.

Just like the Gopher Bash (or Whack-a-Mole) arcade game, you can keep bashing the gophers, but they will keep popping up again. You can bash down DREs, and the EAC can pop them back up.

With an Executive Commission permanently controlling election systems, no matter what your local, state, or federal government may legislate, the EAC gopher can come up with its own voting system requirements whenever they want.

In other words, you can fight to amend Holt so it bans DREs, or you can knock down the technovote gopher in your own home states by passing laws requiring paper ballots and manual recounts, but the EAC can pop up those technovote gophers by writing contravening and contradictory requirements into their voting system guidelines.

The technovote gopher then becomes the law of your state if your state requires compliance with federal voting system guidelines, or if something like the Holt Bill comes along and just writes them into federal law, as it has done with the EAC-recommended text converter technology.

Consider this: Dixville Notch, NH has roughly 16 registered voters. They cast and count their ballots by hand. It might cost them under $100 to run their elections. They don’t need to worry about the EAC’s technovote gophers because they have no technology in their polling jurisdiction. Right?
Wrong.

In January 2007 Holt’s office, citing the EAC’s “voluntary” voting system requirement, inserted into its bill a mandate for an entirely new technological device to be used in every polling jurisdiction in the nation.

This ballot text converter, a scheme concocted by the EAC in 2005 against the advice of the Standards Board, may or may not even exist. Industry experts say it does not exist. Nonetheless, the Holt Bill mandates it for use in every polling place in the nation for the 2008 elections. Voila. The EAC's "voluntary" voting system guideline is now the law of the land. Presumably some industry maven will come up with something that is claimed to meet the requirement, and there goes another $4 billion of our American taxpayers money into more proprietary, nontransparent, undemocratic, but federally mandated voting system technology.

So where does Dixville Notch come up with the $6,000 initial investment for this device, and will it fit nicely, do you think, on top of their old wooden ballot box to “read back” the voter’s choices as prescribed by the EAC and Holt?

In March 2007 the EAC’s Technical Guidelines Development Committee (TGDC) had a lengthy discussion as to whether to use the language of “should” or “shall” regarding their new resolution for “accessibility of paper-based vote verification.” Their proposed resolution initially was drafted as follows:

“For the purpose of allowing voters to verify their ballot choices then the system should provide a mechanism that can read that record and generate an audio representation of its contents. The use of this system should be accessible to voters with dexterity disabilities.”

I don't want to spend too much time even going into the meaning of this particular TGDC resolution. But it would be irresponsible of me to not at least point out that it is "simply" requiring all paper-based voting systems to talk and be independently mobile (the paper ballot needs to get itself into the ballot box independent of the voter, who may have dexterity disabilities). . . . Hmmm . . . Do you think this is do-able or feasible in any economic, practical, or realistic way?

What I'd like us to focus on here is not the idea of a group of people (with little to no election experience) sitting around a DC office coming up with all sorts of pie in the sky ideas (just because they can), which our states, cities and towns can neither afford nor implement. I'd like to instead really take a close look at the decisionmaking process itself and what that means to the nation.

Holt proponents claim that the EAC is ineffective and benign. But we have already seen that EAC "guidelines" are easily transformed into the law of the land through bills like H.R. 811.

Holt proponents like to say that the EAC is only an advisory committee. A look at the TGDC's discussion tells us otherwise. The TGDC discussion around the use of two words: should and shall, reveals the extent to which the EAC understands its inherent regulatory nature. Bear with me on this slightly esoteric jaunt down a linguistic pathway.

In statutory language, should is very different from shall. Shall is mandatory, but should is recommended. During the discussion, TGDC member Paul Miller, representing the Standards Board, made the statement,

“If you make this a ‘shall’ there are implications because it [equipment meeting this requirement] doesn’t yet exist’.”

Changing the language to shalleffectively means the “voluntary” guideline will apply to all electronic voting systems and not just “accessible” systems. It means that should another bill like the Holt Bill come along, this requirement for talking and walking paper ballots becomes the law of the land.

In practical terms, it means further complexification of our elections, further nontransparency of the vote casting and counting processes, and expanded costliness of high tech voting equipment.

And it also means, for all intents and purposes, the death of the simple hand count paper ballot voting system.

Despite Mr. Miller's acknowledgment that they were mandating something that doesn't even exist, a nearly unanimous vote (with Mr. Miller voting in assent and only one dissenter) adopted the statutory “SHALL” rather than “SHOULD".

At the heart of this discussion we can see clearly that the TGDC, as they craft their expensive and possibly non-implementable, and therefore destabilizing to our election systems, “voluntary guidelines” are fully aware that their use of language can easily transform their “voluntary” system to statutory given the right conditions (such as federal or state law, or even just the industry product development meeting those EAC requirements).

So now you see how, just like a Gopher Bash, with a permanent EAC, technovoting requirements can keep coming back to haunt you. You can knock down as many gophers as you want, but the EAC can keep making them pop up again.

And the gophers will have ruined your country. Game Over.

Take action to Halt Holt. Election Defense Alliance has complete information and action pages. Click here [6]!

Authors Website: www.democracyfornewhampshire.com [7]
Authors Bio:
Nancy Tobi is the author of numerous articles on election integrity, including "The Gifts of HAVA: Time to Ask for a Refund," "What's Wrong with the Holt Bill,"and the newly released "We're Counting the Votes: An Election Preparedness Kit." She is Legislative Coordinator of Election Defense Alliance, co-founder of Democracy for New Hampshire and Chair of the New Hampshire Fair Elections Committee. Her writings may be found at www.electiondefensealliance.org [8]and www.democracyfornewhampshire.com [7]

Open Letter to NIST on Electronic Voting Machine Recommendations

Originally published by Democracy for New Hampshire [9]

Open Letter to NIST on Electronic Voting Machine Recommendations

Comments on the (Un)verifiability of Election Equipment

Gentlemen:

We read your draft paper "Requiring Software Independence in VVSG 2007: STS Recommendations for the TGDC" with considerable interest. Reading between the lines, I get the distinct impression that you're working your way toward some of the same conclusions our local group has reached -- and some that the New Hampshire legislature has reached. Perhaps if I lay out our line of reasoning, it will let you know that you're not alone in the direction you appear to be going. (This is basically a summary of what we said in our comment in the recent EAC inquiry, which I've attached as a PDF.)

Let me start with your words "...the DRE, which does not produce an independent voter-verified audit trail. Therefore, audits of its electronic records cannot be against any independent evidence of the voter's intentions as cast and as a consequence, its electronic records cannot be audited independently..." Right there is the heart of the matter. It goes straight to the nature of modern elections. Fundamentally, we're dealing with a problem in public records. The secret ballot was introduced into our election laws late in the 19th century in order to correct a major integrity problem: improper influence on voters. As long as it was possible to tell how a citizen voted, voter bribery and intimidation were rampant. The secret ballot fixed that, but it brought on a side effect. It made the vote recording step a single point of failure. The only person who's in a position to tell whether a vote is recorded correctly is the voter, and only while still in the voting booth.

more below the fold
--------------

But the only way the voter can tell for sure that the vote is recorded correctly and can't be changed is to see it, with his or her own eyes, indelibly marked on a durable paper ballot. Letting electronics get between the physical recording medium and the human-viewable display breaks the feedback loop. There's no way the voter, let alone any auditor coming afterward, can tell whether the display matches the recorded data. Unlike a banking system, there's no system of monthly account statements to expose errors -- and because of the nature of the secret ballot, there's no way such a thing could be introduced. Voter-retained receipts not only wouldn't provide a usable audit trail, because they could never all be collected, but they would destroy the secret ballot by providing a tangible record of who voted how. Then we come to the vote counting step. In order to make sure that the vote that counts is the same one the voter cast, it's necessary to require that the ballot counters, whether they're people or machines, look only at the physical marks the voter saw and verified.

The logical consequence follows inescapably: it's not only unacceptable for votes to be recorded electronically instead of on paper ballots, it's unacceptable to record them electronically *in addition to* paper ballots. In fact, human-readable indelible marks, on durable paper ballots that can survive storage and re-counting, are the only way to record votes that can support an open and verifiable election system. And that's exactly what the New Hampshire legislature figured out last spring, and wrote into law. For good measure, they passed a second law requiring all recounts to be done "by direct inspection of the ballots, without electronic, mechanical, or optical devices". Basically, that's what an audit is, and it depends on a reliable and durable public record as a starting point -- pretty much along the lines of what you said on page 3.

Obviously, that blows a hole in the concept of VVPAT. It's nothing but a public relations sham. It can't fix anything. This line of analysis doesn't directly invalidate EBM. Simple economics does. It makes no sense to spend hundreds or thousands of dollars on a complex machine that attempts to reproduce the function of a 50-cent hand-held pen, while introducing failure modes the pen isn't capable of. And it's a lot easier for cash-starved precincts to supply enough pens to handle the election day traffic than enough vote recording machines. Also, the hand-held pen is superior from a human factors viewpoint. There's a lot less chance of missing an incorrectly marked vote if the voter doesn't have to look at a screen, and then check the marked ballot to make sure it matches. With hand marking, the physical ballot is the only thing the voter has to look at. Voting with the pen is probably faster, too. There's no extra verification step.

Having talked about the crucial vote recording step, I've set the stage to talk about op scan machines. You wrote "Clearly, the needs of voters and election officials need to be addressed with improved and new technology. The STS believes that current paper-based approaches can be improved to be significantly more usable to voters and elections officials..." and "If an undetected change or error in the optical scanner's software were to cause erroneous counts, subsequent audits would show the errors." Yes and no. That depends on the audits actually being performed.

Op scan machines exist in the first place because today's ballots have so many races and questions on them that local officials can't count them all by eye in a secure and public environment, unless they set up a three-shift operation that can be sustained for several days. So in practice, the hand recounts don't get done unless somebody suspects a discrepancy and pays the recount fee. This means that an election using op scan machines isn't open and verifiable in actual practice, unless we can make certain that the machine won't cause an undetected error. That puts the machine into the category of safety-critical products, which just happens to be a very mature branch of engineering and administrative law. The FAA is very experienced in this field. Since you're a federal agency with an important problem, I'd hope they'd be willing to let you pick their brains.

There's probably a lot of material in their standards RTCA/DO-178B and RTCA/DO-254 that you could adapt. You're right that absolute correctness and absence of bugs can't be demonstrated by testing; it's done by a comprehensive analysis that requires access to the complete documentation for the whole system and everything it relies on for proof of correctness. Unlike safety-critical aviation flight controls, op scan ballot counting machines fall into the class of safety-critical devices in which a safe shutdown is possible. That comes very close to the family of safety-critical products I designed several years ago, flame safety controls. What we were required to prove to the satisfaction of the engineers at UL and their European counterparts was that the logical design was correct, and that if any component were to fail, the device would either operate within its specifications, or fail in a safe manner. A safe failure meant that the fuel valve would close and prevent a furnace explosion. (You really don't want a furnace explosion to happen in a 1-gigawatt steam power plant.)

A safe failure for a ballot counting machine would be one where it completely stops working and doesn't report any result. The standard we followed was UL 372, and it goes into great length on the requirements for a comprehensive Failure Mode Effects Analysis. I think a lot of that could be pasted into a standard for op scan machines. How to go about designing and approving a provably correct, fail-safe op scan machine? There's an engineering aspect, and an election law aspect. For an election to earn public confidence and so confer legitimacy on the elected public officials, everything about the election must be open and verifiable -- including the formal proof that everything about the ballot counting machine is correct in design and fail-safe in operation. So the complete design and all the records showing compliance with safety-critical product standards must be public records, and approved through an open regulatory process as required by the U.S. Administrative Procedures Act or equivalent state law.

Openness and verifiability must be pervasive; no secrets, trade or otherwise, can be tolerated anywhere in the internals of a piece of election equipment. Anything that isn't open to public inspection and peer review is a place where bugs and sabotage can hide. A little thought will show that it's not enough that the software be correct. A bug in the logical design of the hardware that the software runs on can produce an incorrect result as easily as a software error; it's just a lot harder to commit fraud that way. Similarly, correctly designed hardware can still produce an incorrect result if a component is faulty or damaged; this is why failure mode analysis is necessary. Finally, the election configuration data must also be provably correct and subjected to public review.

Last May Anthony Stevens, our Assistant Secretary of State, asked me for any diagrams I had showing principles for a machine that could be trusted. I put together the attached block diagram of a hardware platform for a fail-safe op scan machine. The heart of the thing is the two CPUs. To achieve failure-safety, they continuously send each other test vectors, which systematically test each component of the opposite processor down to the transistor level. In order to present a written proof of completeness for the test vectors, the exact logical design of the processors must be known and frozen under official revision control. This means they have to be built the way computers were 40 years ago, out of individual gates and flip-flops.

(I know I'm being paranoid about this, but in the immortal words of an early CIA director, am I being paranoid enough?) Simplicity is part of the discipline of safety-critical product design. The functions required of an op scan machine are pretty simple in principle. I believe the software and the hardware logic could be designed at a technical level that a bright high school student could understand and prove correct. Politically, it's very important to have as wide a pool of citizens as possible who can review the design for themselves and criticize it in public, so that confidence in the design doesn't rest on a few elite specialists. That's still not as good as every citizen being able to independently analyze the design, as they can analyze the state election laws, but it's the best I can suggest.

You gave attention to security vulnerabilities in DRE machines. The same consideration applies to op scan machines. I've thought a lot about that. It can't be applied as an afterthought; it has to be provided for from the beginning of requirements analysis. Of course, I'm not a specialist in that field, so professionals could undoubedly add a lot; NSA might have some unclassified papers on the problem of authenticated distribution, for instance. I don't think we can rely on a machine being protected from tampering and accident during year-long periods in unguarded storage. Therefore I emphasize design features that provide ways for local officials, partisan election inspectors, and possibly random members of the public to verify at the polling place that the machine conforms to its published and approved engineering drawings, contains the approved firmware and election configuration data, and is isolated from outside influences.

When I say an op scan machine should be transparent, I mean it literally. The party inspectors should be able to see all of the internal parts without breaking the case seals or exposing it to ESD or RFI. They should be able to check board and IC part numbers and serial numbers, look for unauthorized cuts and jumpers, read the numbers and signatures on the socketed OTP EEPROMS containing the firmware and the configuration file, and dump the complete contents into their own laptops so they can compare it bit-for-bit to the published source code that they downloaded and compiled on their own machines. That approach makes the entire machine auditable at the point of use. The more independent routes there are from the peer-reviewed original design documents to the machines in the field, the harder it is to hide fraud, negligence, or just plain human fallibility.

The only thing I want to say at this point about vote recording devices for disabled voters is that "accessibility" and "privacy" must not be permitted to become excuses to justify exposing the votes of the great majority of citizens to hidden and unverifiable recording processes. It's essential to keep our priorities straight. Openness and verifiability are absolute requirements, and cannot be compromised without sacrificing the legitimacy of representative government itself. A way for a voter who can't see the ballot to vote without human assistance is a convenience, not a necessity. New Hampshire law permits a voter to appoint anyone except an employer or a union official to assist in the voting booth; we can rely on that until we can solve the truly formidable problems of coming up with a provably correct, fail-safe, tamper-evident method of letting a blind voter verify that the marks on a standard-issue paper ballot are correct. If political pressure forces less-than-airtight devices for disabled voters into use without an independent method of verification in the voting booth, then it's best to mitigate the risk by confining their use to the smallest possible population.

Sincerely,

John A. Carroll
Member, Fair Elections Committee
www.DemocracyForNewHampshire.com [10]

Why the Election Assistance Commission Must Be Abolished

Why the EAC Must Be Abolished

Download a PDF of this article [12]

For continued discussion of this subject, see also: EAC Gopher Bash [13]