"Computerized Voting -- No Standards and a Lot of Questions"
 

----------------------------------------------------------------------

Subject: "Computerized Voting -- No Standards and a Lot of Questions"
To: risks@sri-csl
Date: Mon, 14 Apr 86 21:50:29 -0500
From: Ron Newman <newman@ATHENA.MIT.EDU>

The following is a slightly edited version of an article I wrote for the
April, 1985 issue of the Computer Professionals for Social Responsibility
Boston Chapter newsletter.

~~~~~~~~~~~~~~~
Our guest at CPSR/Boston's March 19 meeting was Eva Waskell, an independent
science writer, former computer programmer, and current stringer for The
Economist.  She spoke with considerable alarm about the rapid and
unregulated spread of computerized vote-counting systems in American
elections.

Waskell became interested in computerized vote-counting when Severo Ornstein
of CPSR National suggested that she look into several lawsuits pending against
Computer Election Systems (CES) of California.  CES is the leading vendor of
such software; it estimates that approximately 25% of the U.S. popular vote is
cast on its equipment.  Losing candidates in three states have sued the
company, claiming that its system produced inaccurate or fraudulent results.
While investigating, Waskell was appalled to find out that only one person
outside of CES, a consultant for one of the plaintiffs, had ever examined the
code.  Waskell's investigation resulted in several New York Times
articles last summer.

To use a computerized ballot system, a voter inserts a punch card into a book
containing the names of each candidate for office.  The voter casts a vote by
pushing a stylus through a hole in the book next to the name of the candidate.
thus punching out the appropriate hole in the punch card.   When the polls
close, punch cards from all the precincts are trucked to a central location
and tabulated on a mainframe, using software provided by CES or a competitor.

The first such system was developed by IBM in 1964, for use in Los Angeles
elections.  In 1969, there were accusations of fraud in LA's elections.
Fearing unfavorable publicity, IBM got out of the election business.  Four of
IBM's employees left IBM to form CES.

Waskell pointed out four problems with this type of system:

1) A single central computer, in a single location, is counting all the votes.
This takes control away from precinct poll workers, who formerly counted the
votes and could recognize deviations from traditional voting patterns in their
precincts.  It also makes rigging the election much easier:  instead of having
to buy off many individual precinct workers, who are known to the community,
one need bribe only a single computer operator, who is known by almost none of
the voters.

2) Election officials must now be much more than clerical workers -- they must
have technical skills.  Frequently, new people are hired from the outside to
learn and operate the computer equipment.  Officials often do not know what
the new people are doing.  In one state, workers rubber-stamped computer
printouts without examining them.  A Minnesota election official commented:
"It's kind of like black magic -- we really don't know what's going on."

3) There are no standards for election software, so anyone can write a
vote-counting program.  Vendors often talk state legislators into writing
enabling legislation which is vague and favors their company.  When a state
Board of Elections certifies a computer system, the board often fails to
consult any computer experts, and when it does consult experts, it may ignore
their advice.  The state of Pennsylvania certified a computerized election
system despite strong objections from two CMU professors.  (One of the
CMU professors, Michael Shamos, wrote a report called "The Votomatic
Election System: An Evaluation" in November 1980.)

4) Vendors consider their software to be proprietary.  As a result, in the last
20 years, almost nobody has examined any of the software.  Compare this to
accounting software, which is subjected to audit by third parties.  It is hard
to have confidence that software is performing accurately when you cannot look
at the code.
 

Waskell said that states and municipalities have ignored four clear warnings
against adopting these systems.  In 1970, a Los Angeles blue-ribbon committee
recommended that all vote-counting software be independently audited.  Similar
recommendations have been issued by the National Bureau of Standards (1975),
CMU computer science professor Michael Shamos (1980), and the independent
auditing firm of Coopers & Lybrand (1982).  Nevertheless, none of the programs
has been audited.

According to Waskell, vote-counting programs are typically 4,000-5,000 lines
of COBOL "spaghetti code."  Earlier this year, an Indiana consulting firm
analyzed CES's program on behalf of one of the losing candidates who is suing
CES.  They found numerous problems, including the following:

  The translation between the Hollerith punch card code and characters was
  nonstandard.  The 1971 NCR system which the software ran on did not use
  standard EBCDIC.

  The contents of memory were continually being redefined.  Numerous variables
  and fields were overlaid in memory.

  The same memory locations were re-used for the vote counts of different
  races.

  There was a total lack of structure.  The program contained no PERFORM UNTIL
  (DO-loop) statements but had numerous undocumented GOTOs.

  COBOL's ALTER verb was used, producing self-modifying code.

  A call was made to an undocumented, unknown subroutine.

  The program interacted heavily with the operator, who can operate the console
  switches to examine and modify any part of the memory or program after each
  set of data is tallied.

  The program made it easy for the operator to turn off error logging and audit
  trails, without leaving any trace.

  There was heavy use of control cards in the data deck to redefine data
  fields, raising the possibility that a "knowledgable" voter could punch a
  control card and drop it into the ballot envelope to change the program's
  processing of election results.

  CES sends undocumented "updates" to election personnel before each election.

  The program used a time card to set the time and required that the computer's
  clock be disabled.  This makes it impossible to determine how long the
  program runs or to accurately determine when logs or printouts are produced.

  The program did not correctly count "crossover votes," in which, for example,
  a voter punches a vote for a straight Democratic ticket and punches votes for
  several individual Republicans.  Before an election in West Virginia,
  newspaper publicity specifically said that such votes were allowed, yet the
  program failed to count them.

  The program failed to keep a count of invalid ballots.
 

A report to the Illinois Board of Elections in September, 1985, revealed that
of the voting systems that the state tested before elections, 28% contained
errors.  Although those errors were corrected, such a high error rate suggests
that many errors are never detected or corrected.  Waskell said that other
states' election officials are unaware of the Illinois findings.  It disturbed
her that Illinois failed to keep a record of the errors it found, but simply
sent them back to the vendors for correction.

Suits against CES have been filed in Indiana, West Virginia, and Florida, but
judges have dismissed several of the cases for lack of evidence, saying that
computer experts' testimony is mere "speculation" and "suspicion."  It is hard
to successfully prosecute such a case when the computer system itself is
designed to ensure that no evidence exists.

In the Indiana case, the plaintiff charged that a CES representative was in
the counting room on election night, turned off the program's logging, and
added two extra control cards after the last votes were counted.  In the West
Virginia case, a CES representative allegedly connected a modem to the
computer and was down on his hands and knees around the compter on election
night, claiming that "a screw was loose."   In addition, the West Virginia
candidate alleged that the county clerk's husband manipulated the computer's
switches during the count.  Evidence in this case is difficult to obtain
because the county clerk destroyed all the ballots 61 days after the election
and returned the program deck to the vendor.

According to Waskell, a company called Cronus recently purchased both CES and
two of its competitors, Thornber and Governmental Data.  Together, these three
companies market 60-80% of the voting systems in use.  Cronus is financially
tied to the Tyler Corp., whose chief executive officer is Fred Meyer, the
Republican Chairman of Dallas County, Texas.  Meyer announced his candidacy
for Mayor of Dallas one month after the city bought a CES voting system.

Ms. Waskell closed her presentation with a series of recommendations.  The
Federal Government, using election powers outlined in the constitution, should
mandate that all vendors conform to NBS standards.  State election laws should
be changed to show a greater understanding of the technologies.  Local
election officials must ensure that audit trails are always turned on and that
they are continuous and unbroken.  Also, local officials should count a random
5% sample of the vote by a different method, thoroughly test computer systems
before adopting them, and be accountable and responsible for their use.

People interested in more information about this subject may want to
read New York Times articles by David Burnham, published on  7/29/85, 7/30/85,
8/4/85, 8/21/85, 9/24/85, and 12/18/85, and a letter to the editor, 8/6/85.
Ms. Waskell was the source for much of the information in these
articles.   If you write to me (newman@mit-athena), I can tell you how
to reach Ms. Waskell--I'm uncertain whether she wants her address & phone
number posted on the net.

----------------------------------------------------------------------