An Examination of Vote
Verification Technologies: Findings
and Experiences
from the Maryland Study[1]
April 15, 2006
Alan T. Sherman*, Aryya Gangopadhyay†, Stephen H. Holden†, George Karabatis†,
A. Gunes Koru†, Chris
M. Law†,
Donald
F. Norris**, John Pinkston*,
Andrew Sears†, and Dongsong Zhang†
National Center for the
Study of Elections
of the Maryland Institute
for Policy Analysis
and Research
University of Maryland,
Baltimore County
(UMBC)
Baltimore, Maryland 21250
*Department of Computer
Science and Electrical Engineering
†Department of Information Systems
**Department
of Public Policy, and Maryland Institute for Policy Analysis and
Research
Abstract.
We describe our findings and experiences from our
technical review of vote verification systems for the Maryland State Board
of Elections (SBE). The review included the following four systems
for possible use together with Maryland’s existing Diebold AccuVote-TS (touch
screen) voting system: VoteHere Sentinel; SCYTL Pnyx.DRE; MIT-Selker audio
system; Diebold voter verified paper audit trail. As a baseline, we also
examined the SBE’s procedures for “parallel testing” of its Diebold system. For each system, we examined how it
enables voters who use touch screens to verify that their votes are cast as
intended, recorded as cast, and reported as recorded. We also examined how well it permits post-election
auditing. To this end, we
considered implementation, impact on current state voting processes and
procedures, impact on voting, functional completeness, security against fraud,
attack and failure, reliability, accessibility, and voter privacy.
Our principal findings
are, first, that each system we examined may at some point provide a degree of
vote verification beyond what is available through the Diebold System as
currently implemented, provided the system were fully developed, fully integrated
with the Diebold system, and effectively implemented. Second, none of
the systems is yet a fully developed, commercially ready product.
This interdisciplinary
study—the first of its kind—is of interest for the way in which it evaluates
the systems, for the technical questions it raises about standard interfaces,
and as a snapshot of the state of vote verification technologies and their
commercial development.
Keywords.
Diebold AccuvoteTS, Diebold
VVPAT, Direct Recording Equipment (DRE), computer system security, electronic
voting systems, information assurance, Maryland State Board of Elections, MIT
Selker VVAATT, parallel testing, Scytl Pnyx.DRE, VoteHere Sentinel, vote
verification technology.
On August 19, 2005, the University
of Maryland, Baltimore County (UMBC)
on behalf of the University’s Maryland Institute for Policy Analysis and
Research (MIPAR) entered into a
memorandum of understanding with
the State Administrator of Elections to provide a technical analysis of
commercially developed vote verification technologies. This paper is a summary of Part 1
(Technical study) [Nor06a, Nor06b] of a two-part study.[2] Part 2 (Usability Study) was conducted
by Herrnson and other researchers [Her06] at the University of Maryland,
College Park. Separately, Norris
[Nor06c] surveyed how Maryland registered voters feel about voting and voting
technology.
We conducted this study at a time when
concerns about electronic voting on Direct Recording Electronic systems (DREs)–otherwise known as touch screen voting systems–and independent
verification of voting on DREs, have become a focus of national attention. Over the past year or so, a nationwide
rush to adopt a solution to the “problem” of touch screen voting appears to
have occurred. Twenty-six or
more states, for example, have adopted or appear to be in the process of
adopting requirements to include independent verification systems, nearly all
based on a voter verified paper audit trail (VVPAT). Unfortunately,
little is understood about verification systems. In the absence of scientific data to support a move to VVPAT,
and unlike many other states, Maryland commissioned a study before taking
action.
Issues commonly raised for DREs include
the following. Do they record, store, and count each voter’s vote as the voter
voted it? Can they be
corrupted? Can they be effectively
audited? Can their level of security
be assessed accurately?
The focused charge of the UMBC study was
to evaluate how effective certain vote verification systems are as a means for
(1) providing independent verification of the vote recorded on the Diebold
AccuVote-TS voting system used in Maryland, and (2) creating an acceptable
audit trail. The information
in our study is intended to help the citizens of Maryland, members of the
General Assembly, the Governor’s Commission on the Administration of Elections,
the State Board of Elections (SBE)
and the Governor in coming to informed decisions about how to administer
elections in Maryland.
The UMBC study did not examine the
security of the existing Diebold system, nor address the broader question of
what election system Maryland ought to use. Also, the systems examined were examined only for possible
use as verification systems, and not as stand-alone election systems. From the scope of the UMBC study, the
reader should not infer that the UMBC study group advocates using DREs, verification
systems, or any particular voting system.
Similarly, the reader should not infer that the UMBC group is against
any particular voting technology, including precinct-count optical scan.
A unique feature of the interdisciplinary UMBC
study of verification technologies is that it was carried out within the context
of the processes and conduct of real elections. To this end, we examined the detailed procedures used to
conduct elections in Maryland, as defined by the SBE [Mar06].
The systems for possible inclusion in this
study were VoteHere Sentinel, SCYTL Pnyx.DRE, MIT-Selker audio system, Diebold
VVPAT, Democracy Systems, Inc. (DSI) VoteGuard, IP.Com, and Avante. VoteGuard is a visual system that
includes a record of screen images from each DRE (and election management
system). We also examined the SBE’s
procedure of “parallel testing” of
the Diebold AccuVote-TS voting system. We used the Diebold DRE system as currently
implemented in Maryland with parallel testing as a baseline against which to
evaluate each vote verification system.
Ultimately, the
following three systems were not included in the study. IP.Com did not meet the criteria of an
independent vote verification system. Avante indicated it did not want to
participate. DSI would not provide its system. UMBC signed a non-disclosure
agreement with each of the other vendors to have access to their systems. DSI, however, required that UMBC also
sign a non-compete agreement, which UMBC refused to do as a matter of policy.
The scope of work
included six tasks.
(3) Analyze
the susceptibility to attack, fraud or failure of each of the verification systems.
(4) Assess the accessibility (e.g., for
individuals with disabilities, the elderly) of each vote verification system.[3]
We took the position that our role was to
provide the SBE with objective scientific assessments for each of the review
criteria, and not to weight and balance these criteria.
For purposes of this study, auditing means the ability, through an alternative means and
after the election is conducted, to establish that the votes recorded by the
Diebold system correspond to the votes recorded by the independent vote
verification system. Vote verification means the ability to confirm the accuracy of the Diebold system
independently.
Although we carried out our study in the
context of a particular Diebold System as used within Maryland elections, our
work generalizes to most any DRE and any state.
We had agreed to provide a draft report by December 15, 2005, but we
were unable to meet this deadline because we did not gain access to the VoteHere
system until November 16, and to the Diebold VVPAT until December 20.
The rest of this paper is organized in ten
sections. Section 2 reviews
previous work. Section 3 describes
voting in Maryland. Section 4
summarizes our study methods.
Sections 5–9 analyze each of the study systems. Section 10 discusses issues raised by
our study, and Section 11 summarizes our conclusions and recommendations.
Voting methods in American elections have been called
into serious question in recent years, specifically as a result of problems
that occurred in the 2000 election in Florida [Cra03,Wan04, Cal01]. This election dramatically brought to
the attention of the public the possibility of errors with punch card voting
systems [Bei89a,Cra03]. Optical scans and lever systems
have also been prone to undervoting (not voting in a race), overvoting (voting
multiple times for one race) and misvoting [Cra03].
Due to these reported
problems with other systems and as a result of the issues surrounding the 2000
presidential election in Florida, there has been movement toward electronic or
touch screen voting [Cra03].
According to one study, the proportion of voters using electronic
systems is expected to have increased from 13 to 29 percent between 2000 and
2004 [Wan04,Ele04]. Touch screen
voting systems are also popular because it is felt that the systems are easy to
use, more accessible to persons with disabilities, better able to accommodate
multiple languages, prevent overvoting, provide quick results (with less human
error), and eliminate costs associated with printing ballots [Bur03,Wan04]. A
principal concern about touch screen voting systems is whether the underlying
software of these systems can be trusted, especially whether the software can
be trusted to record and count votes as cast by voters.
The election controversies of November
2000 also prompted a response at the federal level. In 2002, Congress passed
the Help America Vote Act (HAVA).
This legislation attempted to bring voting procedures, which until that point
had been the responsibility of individual state governments, under the purview
of the federal government [Kur04].
The bill was designed to combat a host of
issues plaguing the voting process. Through a mix of new guidelines,
requirements, and federal programs and funding, this legislation provides
assistance for states as they update and improve their voting processes. Among
other provisions, it requires states to upgrade away from the older voting
systems, in this case mainly away from lever and punch card systems, and toward
new touch screen and optical scan systems [Hol05].
HAVA also provided for the formation of
the Election Assistance Commission (EAC), a federal body designed to promote the goals of the 2002 bill. Among
other duties, the EAC was charged with helping the states successfully make the
upgrade to new voting technology. The EAC would offer administrative and
technical support, as well as provide grants to develop and test new election
systems. It would also develop a program to test, certify and decertify
election systems as they were introduced [Ele05].
What raised the concerns of critics of
touch screen voting in this instance was that HAVA does not provide guidelines
for states regarding performance tests on the newly approved voting
technologies (especially touch screen voting systems), nor does it contain a
requirement for any sort of independent verification systems [Kur04,Hol05,Pyn05].
There are also problems with the
implementation timetable as far as providing access for disabled voters.
Although the law did not go into effect until January 1, 2006, some voting
system vendors are selling systems now, to be used for the foreseeable future,
which do not meet the access standards of HAVA [Pyn05].
To
address these criticisms, Representative Rush Holt (D-NJ) introduced the Voter
Confidence and Increased Accessibility Act [Hol05]. According to Representative
Holt’s web site, the bill is chiefly concerned with a requirement that all
voting machines produce a verifiable paper trail and a more general requirement
for an “accessible voter-verification method.” Finally, it addresses concerns raised by some security
experts who warn of hacks and attacks if a voting system is ever connected to
the Internet. Holt’s bill prohibits such systems from being connected to the
Internet or being attached to any insecure communication device. HR 550 has
been relegated to a subcommittee, and it is unknown whether or how soon it will
emerge, but it is important to note the bill because it encapsulates many of
the concerns that lawmakers have about touch screen voting and limitations in
HAVA’s scope.
Several
potential or actual problems have been identified around touch screen
voting. First, problems exist on
an individual level that might affect elections. These problems include voter trust in the system,
readability of the touch screen systems, problems with smart cards (which
prevent persons from voting more than once), issues around instructions and
assistance to voters, ability to write in candidates, issues concerning the
ability to administer the system, and privacy [Her05,Rub05].
To many, a greater concern involves the
security of touch screen systems.
Security issues include malicious programming, unintentional but
nevertheless bad programming, equipment errors, tampering with hardware, system
malfunctions including crashes, the inability to recount votes independently,
and issues about the correct capture of votes [Bur03,Cra03, Hal04,Mac04,Rub05,Sel04, Wan04,Han02]. To correct these security issues,
calls have been made for open source coding (which would allow for independent
examination of programming of electronic voting systems), voter verifiable
paper trails (which could also be used for auditing), and active testing
programs of the equipment and software [Bei89a,Bru04, Sel04,Han02].
In 2004, less than 40 percent of voters
actually looked at the VVPAT printer screen, compared its display to that on
the DRE, and touched the DRE to indicate they had verified [Los04]. For additional observations on
verification systems in real use, see Selker [Sel05].
In 2001, the Special Committee on Voting Systems and
Election Procedures recommended to the Governor and General Assembly that a
statewide voting system be implemented in Maryland. Subsequently, House Bill 1457 (2001) was adopted. This bill required a statewide, uniform
voting system for polling-place voting and a uniform system for absentee voting. After the law became effective, and as
the result of an open, competitive bid process, the State Board of Elections
(SBE) selected Diebold Election
Systems, Inc., to provide a DRE voting system for polling-place voting, and an
optical scan voting system for absentee voting.
This voting system was
implemented in three phases. Phase
I counties (Allegany, Dorchester, Montgomery and Prince George's Counties)
implemented the voting system for the 2002 elections. These counties were selected because they used the oldest
voting systems in the State: punch
card for Montgomery County and lever machines for the others. The contract for Phase I was signed in
2002. The Phase II contract was signed in 2003, and Phase II counties
implemented for 2004 elections.
Phase III, which includes Baltimore City, will be implemented for the
2006 elections. With the
completion of Phase III, Maryland will have almost 20,000 DRE voting units. Approximately 20,000 volunteers assist
with elections.
By FY 2009, a total of about $95.5 million
will have been spent by state government on this system. Of that amount, about $45.6 million
will have been spent on hardware and maintenance, and almost $50 million on a
variety of necessary support services including security measures, warehousing,
transportation, voter outreach, support services, technical support, testing of
various kinds, and project management.
This amounts to a state government cost of almost $2.82 for every
Maryland resident (5.6 million) and just over $5.10 for every Maryland registered
voter (3.1 million) per year for each of the six years. This cost includes providing every
jurisdiction in the state with all of the equipment needed to conduct an
election, as well as some level of technical assistance and voter outreach.
Maryland has a dual election system in which the SBE and the local boards of election (LBEs) share authority and responsibility for administering elections.