Chronicle Prints USACM Response to E-voting Brouhaha
Last month the Chronicle of Higher Education ran a story (subscription required) about the unique relationship the State of Georgia has with Kennesaw State University. The State contracts with KSU to assist with all of Georgia’s e-voting machines, including inspection, ballot databases and training of poll workers. The article generated quite a bit of controversy within the computing community (Here is the start of a thread of debate within the community) about how it was written, the relationship between Georgia and KSU, and the topics it covered and missed. USACM felt the article missed several issues and responded with a letter to the editors. The Chronicle printed (subscription required) a condensed version of our letter on Monday. The full letter is below.
This snippet captures the main thrust of the article:
“The center [at KSU] has received attention in Washington lately as scientists and government officials search for ways to reform election procedures nationwide and look to states for new ideas. Some election experts laud Georgia for its centralized, orderly approach to running elections, crediting it with increasing voter participation. Others say the university has compromised its independence and is essentially giving the state political cover for its controversial decision to require all voting precincts to use electronic-voting machines.”
One of the several points of contention in the article was the closed nature of KSU’s enterprise. According to the article, their view is that the workings of the election process should be kept secret. This puts them at odds with a number of prominent security researchers that believe that security issues should be brought to the public’s attention with care, in order to improve the security of information systems. This is particularly true of e-voting machines, because the system’s integrity is dependent on its transparency.
The security discussion focused on whether e-voting machines were hackable and paper trails currently being produced on some direct recording the printers that are attached, usually as an ad-hoc at addition to support paper trail requirements, to many DREs. Merle S. King, the chair of KSU’s computer science department and director of the center said that “We’ve held 3,000 elections on this equipment,” he says. “We can’t hack it, and I have the source code. We can’t break the system.” Setting aside several studies that have revealed significant security flaws in e-voting systems (for a selecting list of reports see footnotes 1-4 in USACM’s July, 2006 letter to Congress), this focus misses the risks from insider fraud or unforeseen errors. Mr. King also criticized the current implementation of paper trails on many DREs, which consist of printing to a continuous thermal roll of paper. These systems are clearly flawed, but as our letter points out, there are other, more reliable, ways generating voter-verified paper audit trails or ballots.
Your article “Georgia’s Unusual ‘Electoral College'” misses several reasons why the computing community has expressed concerns about e-voting machines and called for independent verification of votes. The article also has statements that were simply quoted without verification or critical analysis.
Although the article focuses on direct recording electronic (DREs) machines’ vulnerability to hacking, hacker access is only one issue facing election officials. Elections can be undermined by undetected errors, unforeseen complications, or insiders seeking to commit election fraud. Some of the known problems from the November 2006 election occurred not because of hackers, but because the technology failed in unexpected ways.
The security, reliability and usability issues around these threats must be addressed responsibly. Based on decades of experience in building complex systems, experts in security and reliability have concluded that voters need a method of determining their votes independent of software to ensure the integrity of elections. Paper systems are currently the only way to provide this independent verification. ACM, our parent organization, formally adopted this position in 2004. In December 2006, National Institute of Standards and Technology (NIST) personnel reported that there is no way to write testable security requirements that will guarantee secure, reliable DRE’s. They concluded that paper trails are needed for voters to verify their votes independent of the underlying software.
Your article quotes Mr. King as suggesting that adding continuous roll paper rolls onto DREs represents the best practice for paper-based independent verification. To the contrary, these solutions undermine privacy, are unreliable, and represent an ad hoc approach rather than a carefully engineered audit system. Instead of indicting paper trails, we urge further research into verification systems. We also note that robust paper audit trails are produced by existing precinct-based optical scan machines and ballot marking systems, thus providing paper-based independent voter verification. Mr. King is also quoted as contending that paper systems cannot be used by the blind, or by those who cannot read English. In fact, several systems are available for use by the visually impaired, and ballots can be printed in other languages.
Mr. King’s assertion that the Georgia machines cannot be hacked is not verifiable. His claim contradicts decades of research showing that such determinations cannot be made for significantly-sized software artifacts and numerous independent studies revealing serious security flaws in e-voting machines. Additionally, voting machine vendors have continually erected legal barriers to prevent competent, independent researchers from gaining access to their source code so that it may be critically evaluated. Rather than have closed investigations of e-voting machines with potential conflicts of interest, such as at Kennesaw State, research should be done in an open and transparent way.
The public’s confidence in fair elections is crucial. Articles that fail to research and refute fallacious statements; that equate conclusions by internationally-known technology experts with statements of an undergraduate student; and that repeat pejoratives about respected professionals do a disservice to your readers and to the information technology community.
Eugene Spafford, Ph.D.
Barbara Simons, Ph.D.
On Behalf of the U.S. Public Policy Committee of the Association for Computing Machinery