I'm Jenny Rosmersky and I have the great pleasure and actual gift of having Barbara on the campus to speak with us. I've known Barbara for a number of years and the entire time I've known her she has been a fighter for a cause. And it's been a variety of different causes but I can tell you that within the last few years electronic voting has consumed her life. She has taken this on with all of her energy and is traveling all over the country. As I looked at her resume I want to tell you I had the feeling and the question of myself of what have I been doing with my whole life when I look at the things this woman has accomplished. So let me tell you some of those things.

Dr. Simons is co-chair of the Association for Computing Machinery U.S. Public Policy Committee, which she founded. She is past president of ACM, the Association for Computing Machinery, which is the largest international association of technical people I believe in the world at this time. She was a member of the National Workshop on Internet Voting which was convened by President Clinton. She participated in the Security Peer Review Group for the U.S. Department of Defense's Internet Voting Project SERVE and co-authored the report which ultimately led to the cancellation of SERVE because of security problems. She's a fellow with ACM and with AAAS, the American Association for the Advancement of Science. She received the Alumnus of the Year Award from the Berkeley Computer Science Department, the Distinguished Service Award from the Computing Research Association, the Norbert Wiener Award from Computer Professionals for Social Responsibility and she was selected by CNET as one of the 26 Internet Visionaries and also a top 100 women in computing by Science Magazine. She is, as you can hear, active in all of the major associations that deal with issues of privacy, electronics, technology, public policy. She's on the board of the Electronic Privacy Information Center.
She is on the board of directors of UC Berkeley Engineering Fund, Public Knowledge, and the Math Science Network, as well as the advisory boards of Oxford Internet Institute, Zero Knowledge, and the Public Interest Registry. So she's on boards all over the place. Dr. Simons earned her Ph.D. in Computer Science at the University of California Berkeley. Her dissertation solved a major open problem in scheduling theory and in 1980 she became a research staff member at IBM San Jose Research Center, which is now called Almaden. In '92 she joined IBM's Application Development Technology Institute as a senior programmer and subsequently served as Senior Technology Advisor for IBM Global Services. And I just have to tell you what her main areas of research are because I can read them, but I have no idea what they entail. Her areas of research have been compiler optimization, algorithm analysis and design, and scheduling theory. I know her as a very staunch advocate for public policy and privacy issues and it is my pleasure to have her as a friend as well. Dr. Barbara Simons.

Well, let's see, oh it's on. First of all, I have to say that IEEE would probably be upset if you said ACM was the largest technical society, but if you qualify and say computer scientists that might work. Also I should say I have not been doing research for a few years because I've been focusing on technology policy issues and voting really for the past two years has just taken over my life.

So a couple of quotes which I like. I believe this is Stalin, I've sometimes heard that it might have been somebody else, but "those who cast the votes decide nothing, those who count the votes decide everything." And then this one I know is Theresa LePore: "We always pray for large margins." The designer of the infamous butterfly ballot, who I'm happy to say was defeated recently in an election, although she will be running the election, the 2004 election. So why are we talking about all this now?
Well, Florida 2000 of course caused people to wake up and say oh my goodness, elections aren't going quite so smoothly as we thought. There are problems with votes being counted, but some of the wrong conclusions were reached. Organizations like the League of Women Voters felt that what the Florida ballot recount said was you can't count paper. And I think that this was a very naive conclusion to have reached. We count paper all the time in this country, banks count paper, race tracks count paper, other countries count paper ballots. You can count paper. One of the problems with Florida is they hadn't counted paper for many, many years, they hadn't counted ballots. New Hampshire does recounts all the time, hand recounts of paper ballots. They know how to do it. In California, there's a mandatory recount of 1% of the ballots randomly selected. In California, people know how to count paper ballots. In Florida, they've been avoiding it assiduously. And they just recently tried to avoid it again by passing a law saying that you can't do recounts of electronic voting. Well, there are questions as to whether you can or not anyway, but basically trying to avoid any kind of recounts. And that was thrown out by the courts, but the problem is they didn't know how to count them. And this image of people holding this up and looking in the light, there were a lot of problems with what they did.

Another problem with Florida, of course, is that the chad trays hadn't been emptied in some of these areas. Coincidentally, quite a number of them were where African-Americans voted. I mean, in California, we were using the same kind of ballots. We didn't have problems like they had in Florida because the machines in California will maintain certainly where I voted they were. And so if you don't see the chad trays and you try to punch a hole, obviously sometimes it will go all the way through. So there were a lot of problems with the voting in Florida.
I'm not really going to talk about it, but another one, which I mentioned, which George didn't know about, is that between 1,500,000 African-Americans were taken off the voting rolls in 2000 on the grounds that they might be felons. I mean, the idea was to purge the list of felons. They were using a list of Texas felons and they were purging Florida voters. And anyone whose name was anywhere similar to a name on the Texas list got purged, including some people who held elected offices went to vote and found out that they were no longer on the voting rolls. So just another little tidbit. These are things you learn when you work on electronic voting. The whole idea of felon disenfranchisement is really an outgrowth of Southern efforts to prevent African-Americans from voting. That's where it started. It started, I think, I'm not sure if it was Reconstruction, but it started in the South, along with some of the other, the poll tax and the literacy test and so on, that were used to prevent African-Americans from voting. So that's a long digression.

Anyway, it's a result, actually, of Florida 2002 when they again had problems, and believe me, they're going to have problems in 2004 as well. The Help America Vote Act was passed by Congress, and this act allocated almost $4 billion for new voting equipment. And part of the law is that punch card and lever machines were supposed to have been replaced. I think that may be by 2004, but people get waivers till 2006, and NIST was charged with setting standards. Unfortunately, no money was allocated for NIST. As a result, we had a gold rush mentality where there was all this money on the table. The vendors said, here, buy our products, the election officials had no guidelines, and furthermore, one of the secrets, which isn't talked about very much, is that the election officials and the vendors have a very close relationship in many cases.
And certainly, when you start talking about these electronic voting machines, in many cases the election officials depend on the vendors to help them. And you go to meetings of election officials and the vendors are there wining and dining them. So I've had the feeling, as I've been involved with this, and I think a number of other computer scientists have too, that we're sort of walking in the woods and kicking along rocks, and you kick a rock and you turn it over and all these little creepy crawlies come running out. There's a lot of stuff that no one's been looking at that goes on with our voting, our whole election system. And coming in as outsiders and starting to look at these things, just thinking we would fix the voting machine problem, because why would anybody even consider buying electronic voting machines with no paper? We discover all kinds of other things going on.

So this is an outline. I expect I'm not going to get through everything, but I'll just give you a rough idea of what I want to talk about. And you should interrupt me at any time, because I'm sure a lot of you have been following this issue closely and there are cases where you know more about it than I do. So join in. Just interrupt. Anyway, I want to talk about the basic different kinds of voting systems, testing and security, and I've got a special section for Diebold, which we all dearly love, because Diebold has just been a wonderful help in getting this issue out. So a few horror stories, and I have more horror stories I can give you later if I don't give you enough this time. A little bit about legislation, and then how to steal an election in parentheses, because I don't think I'll get to that, but anybody who's interested in just getting a rough idea of how to steal an election, I've got some of my slides that I cribbed from someone else.
Before I go on with that, though, I was told that in Michigan, there's something which just came out, is that there are ballots for absentee voters, and please correct me if I get this wrong, that were printed out. And so these are like optical scan ballots where you draw a line between the name and the office, and apparently one column was shifted, so there's nothing opposite Bush, right, nothing opposite Bush, then you go down to Kerry and there's the first thing. So in other words, it's skewed. So if you think you're voting for Kerry, you might actually vote for Bush. The same thing, and the song's the same old story four years ago in the Florida, right? The Butterfly Ballot. So that was an accident, right? This is the neighbor. Song's smells Bush wrong way. Yeah, so they've been reprinted and mailed out, as I have been told. I mean, I just found this out a few minutes ago, so this is not something I knew. But I don't know what happens if somebody gets, you know, sends in one ballot and gets a new ballot and sends that in. How do they decide which one to count? They count them both, they throw them both away. I mean, this thing sounds like it's a real mess. And I have to say, for the life of me, I would have had how anyone could have let that go out, because that's such a glaring mistake that you have to wonder. By the way, the Butterfly Ballot was not legal, according to Florida law. And Theresa LePore, who was a Democrat at the time she approved of it, had not been a Democrat before then, and I think is not a Democrat now, in any case. Okay, computerized voting machines. Do I have that story right, by the way? Yes? Okay. So optical scans, and we were just talking about an optical scan ballot. So you basically have paper ballots. This whole system is cheaper than getting electronic voting machines, touchscreen voting machines. 
You, by definition, have a voter verified paper ballot because the voter has to mark the ballot so the voter has clearly verified the voter's choice, because you see it, it's right there on the ballot. The kind of system which I believe one should have right now is an optical scan system with a precinct-based scanner. The idea is one of the problems with some of these optical scan systems is you can, first of all, you can have overvotes, which you'd make because you're not being careful, or you can have a stray pencil mark. Overvotes means, for example, two votes for president, which makes your ballot illegal, at least for that office. So you want to make sure you don't have overvotes, undervotes if you don't vote for it in as many positions as you can, or you don't vote at all for a position. So an optical, a precinct-based optical scanner can warn you if you've got something illegal on your ballot, if it picks up an overvote, and it can also warn you if there's nothing on your ballot. You could fine-tune them in theory, so they also warn you if you don't vote for particular offices, but as of now, I don't know of any optical scan readers that give that kind of feedback, but in principle, you could do it. The disadvantages: multilingual ballots can be a problem, and disabled, and by disabled, usually they're talking about blind, voters can have problems with optical scan ballots.

So now this, now something which I call screen-based systems, and this is not what the advocates for paperless machines, this is not the way they'll frame it, but I want to frame it as screen-based systems. So you have a screen-based system, you've got a computer screen, and you can have earphones for people with vision impairment and literacy problems. These, of course, have multi-language capabilities.
You can avoid overvotes by not allowing people to vote twice, say for president, if you vote for one, and then you vote for a second, it'll undo the first vote, so it won't let you do an overvote. It'll warn you of undervotes. You can modify your vote before you finally say, okay, finalize it, so you can go back and change it on the screen, and it satisfies HAVA requirements for disabled people. So one of the things that HAVA has written into it is that people have to be able to vote independently by 2006, that is to say, blind people, which is one of the reasons why people are going out and buying all of these paperless touchscreen voting machines, because certain advocates say, this is what you've got to get for blind people. That's not true. You just have to have something that lets them vote independently.

There are other systems that are available, which I like to call ballot marking and generating systems. So getting back to the whole optical scan machine, you could, for example, make it possible for blind people to verify their votes if you had headphones attached to the reader, and then that reader will tell you what's on your ballot. That doesn't tell you how you mark the ballot, but you could verify the ballot. And then there are two systems that are in the process of being certified. One is by a company called Vogue Election Systems, which is now being marketed by ES&S, which is one of the three major vendors. I'll get to that in a minute. And they make something called AutoMark. And the way the AutoMark works is you take a blank optical scan ballot, insert it in the back of the machine, and then it's got a touchscreen, if you're blind, you can have headphones. And you do it just the way you would with any touchscreen voting, except when you hit "cast my ballot", it does not record your ballot internally. It marks the optical scan ballot. And then you can take it and put it into a reader. And now you have a paper ballot.
You can look at it and make sure it marked it correctly. If it doesn't, you can request another ballot. You can say there's a problem. So you can verify that your ballot was correctly marked, correctly recorded. You can also run it through the reader to at least check, double check on things. But in principle, it shouldn't make a mistake. It can prevent you from doing any overvotes because it behaves the same way any of these computer-based voting machines behave that won't let you vote twice when you're only allowed to vote once.

There's also a company called Populex, which has a screen, but you use a stylus to mark. And that actually prints out the ballot. But it was designed all along to print out the ballot. This isn't a retrofit. And when it prints out the ballot, it prints out... I mean, this is not a perfect design, but it prints out the numbers for all the offices you voted for. So you can go back and look at the original ballot and check to make sure it recorded things correctly. And it also prints out a barcode, which of course most people can't read, but which makes the optical scanner less likely to make any mistakes. And you can get people who can read barcodes. You can go back and verify that there's no cheating on these ballots. As I say, I think from a human factors perspective, it's not ideal, but you can verify your vote that it was recorded correctly, and you can check to make sure the barcode is not wrong. And if it is wrong, you've got the numbers that have been verified.

So the thing that's causing all the furor, or primarily causing the furor, is what's called direct recording electronic, or DRE. And these are the touchscreen, basically, most of them are touchscreen, one of them isn't, or maybe more than one. And they generally speaking do not have a voter verified or voter verified audit trail. So, for example, in the case of California, where we have a law that mandates a 1% manual recount, 1% randomly selected precincts, manually recounted.
And that law was passed, by the way, when the optical scan machines came in as a check on them, because those sometimes make mistakes too. I'll get to that later. What they do here in California is they print out the ballot images at the end of the day. And then they manually recount those to satisfy the law. So anyone who knows anything about computers knows they're just doing a memory dump, right? So you're going to see what's inside the computer all right, but you don't necessarily know that what was stored inside the computer was what you intended to vote. Because you've got this gap between what's on the screen and what gets stored inside the computer. And you could certainly have malicious or buggy software that can change the vote. And you have no way to catch that by printing out the ballots at the end of the day. So these machines, there's no audit trail, and therefore you really, really, really have to get it right if you're going to even use these things, and I don't think you should, but that's another, hopefully I'll convince you of that too. So when these machines were sold to election officials, they were told, look how easy this is. At the end of the, you know, when the election's over, you push a button, you get all the tallies, you go home. Basically, I mean, it's not quite that simple. But that's the idea. You don't have to do a recount because they don't make mistakes. And it saves you lots of money. You don't have to print out ballots. You know, it's just a lot easier. And you can understand why this would be very appealing to people. But what they weren't told was you have to be very careful with the security of these machines because these machines have software in them. So they have to be very securely stored prior to during and after elections, and they must be extensively tested. And I can tell you that very few of them are extensively tested. And in many cases, storage is not what it should be. 
There's a story, I don't know if it's apocryphal or not, that was told that a couple of years ago. Well, during the California primary, I guess it was, some Berkeley students volunteered their home as an election, as a precinct. And a week before the election, all these machines were delivered to their house. Now, you know, we know that Berkeley students never cheat or do anything wrong. But in theory, they could have. Now, there are these secure tags that are now being used to try to make sure that you can tell if somebody does anything that they shouldn't be doing. But if you have a week, and you know what the tags look like, the tags are often numbered, but given what the stakes are, it seems to me there's a good chance that you could make some, you could go in there and fiddle with it. Now, admittedly, in that situation, the worst-case scenario is that they would only be able to change a few machines. And of course, one of the problems when you've got these machines that all have the same software on them is if you can change the software at the source, you can have major impact. Anyway, as I say, the testing and security are egregiously inadequate, and I'll get to that.

So this is an old slide. When I originally wrote it, I said all these machines are already purchased for over 20% of the U.S. voters. It's now around 30%. So these paperless voting machines are going to be used by almost a third of the voters in the United States in the 2004 election. A small number of vendors nationally. The software is secret, and independent computer security experts are not allowed to test or view the software. Sometimes the code is held in escrow, but that doesn't mean that you can look at it.

Now, there are a couple of DREs that produce paper ballots. One is called Avante, and it produces a paper ballot under glass. So when you finish voting, it rolls out a paper ballot, and you can look at it and verify, but you can't touch it, and then it goes into a box.
The second one is called AccuPoll, and I should mention that Sequoia, which is one of the major manufacturers of DRE, has retrofitted their machines to produce a paper ballot or paper audit trail, and they just used this recently in Nevada. Now, one of the problems with the Sequoia system is that they're printing it out on a roll. And so you have to worry about the whole privacy issue, because if you know the order that people went to the polls, you might be able to deduce, to figure out how people voted. So just having these things printed out isn't necessarily a panacea, you have to do it right. I mean, one of the problems with these machines is that so many things that weren't done right and aren't being done right, and we just have to get them right.

There are these things called the Federal Election Commission Standards. There are two of them, 1990 and 2002. Most of the machines that are currently in use, the DREs, were certified to the earlier standard, the 1990 standard, which is totally inadequate. I can tell you the 2002 standard is inadequate also. But both of these machines did have paper ballots as their initial design, they're not retrofit. The Avante and the AccuPoll originally were designed to have paper ballots, whereas the Sequoia, which I just mentioned, it's retrofit.

So you've probably heard the cry, voter verified or voter verifiable ballots, yeah. So the idea is that one must be able to verify the ballot. It should be deposited in a secure ballot box. You cannot take it with you. So some people refer, especially people who don't like this, refer to them as receipts, and these are not receipts, because receipts are illegal, for one thing, because if you get a receipt for how you vote, you can take it outside and sell your vote. So you don't want people to have receipts. You don't want them to leave the polling place. You might want a receipt showing you voted, but not how you voted. So you can't have a receipt which says how you voted.
It's a ballot, or it's an audit trail. I like to think of them as ballots, because my feeling is if the voter has been able to verify, it should be the final tally, not what's inside the computer. There must be manual recounts of at least some percentage of the ballots, because otherwise you could print out paper ballots which accurately reflect your vote, and the machine has a different tally, and you have no way of knowing if you don't do some sort of check. So you have to be able to check these things. So you have to have some amount of manual recounts, hand recounts, that are done. And I don't know if one percent is the right figure. I don't know what the right figure should be, but one percent seems to me to be a minimal number, and they should be randomly selected, because if it's known beforehand which ones you're going to recount, and if you wanted to do something with the election, you make sure those are accurate, and you've jimmied with the others. So one of the problems that I think we've observed with elections since 2000, or maybe before, is that sometimes it's hard to get a recount. Some states make it almost impossible to get a recount. And so in addition to worrying about the technology, I think we also have to worry about some of the laws we have in this country, some of which I think are quite archaic, and are not designed to make things more democratic, to make things more transparent. Now, I'm going to talk a little bit about internet voting because of history of Michigan. This is the only reason for having PowerPoint. So as Professor Rosmiowski said, I was involved with a study of the Department of Defense project, which I'll get to in a minute. But I remember a couple of years ago, I was speaking before a group of women state legislators, and I made the remark in passing that internet voting would be a disaster. And afterwards someone came up to me and said, I'm really surprised here. 
You say that because everyone's been telling us how wonderful it would be, that it would be a way of increasing participation. That all these young people who aren't voting now would go vote if we had internet voting. And I think that's still the view that a lot of people have. But if you think about it, internet voting is a much harder problem, for example, than electronic commerce. Because, first of all, clearly, our democracy depends upon voters believing and trusting the outcome of elections. The stakes are very high. As we've seen in this current election, huge amounts of money are being spent. So if you're going to bribe someone, either for internet voting or for these paperless touchscreen machines, the amount of money it would cost to give someone an extraordinarily handsome bribe to fix it is a small fraction of the money that's being spent on the election. And of course you've got this other issue about who votes for whom and coercion. So even if it's not coercion, it's not okay for my husband to vote for me, even though I might not mind if he uses my credit card.

And if you have a denial-of-service attack, do you folks know what a denial-of-service attack is? It's basically when you can't get to a website or you can't get through the internet. If you have a denial-of-service attack on voting, that could be a major problem because some people might not get a chance to vote. Whereas if you have a denial-of-service attack say on the Amazon website, well, I'm sure Amazon's not happy if they lose sales, but those sales that got through are fine and people can come back the next day and make the purchase or a few hours later. But with voting, there is no next day if you're voting on election day. And so it's really not the same. And then you've got this ultimate problem, which is that voting is an anonymous activity. Electronic commerce in general is not. If I'm buying a book from Amazon.com, I want them to know who I am and precisely what book I'm buying.
Whereas if I'm voting, I don't want you to know precisely how I'm voting. So it's a much harder problem. Furthermore, if there's a failure, like if I don't get my book from Amazon.com, you know, I know I haven't gotten it. And I can tell them I haven't gotten it. And generally speaking, they'll send me another book. But if my vote hasn't gotten recorded or if it hasn't been recorded correctly, how do I know? There's no way to know. So it's just a much harder problem. And then you've got this issue of failure. So some people go around saying, well, you know, you'll fly on an airplane. So why don't you trust an airplane? So why don't you trust these voting machines? Well, of course, first of all, I don't mention this here. But the software that's used on airplanes, in fact, the software that's used on gambling machines in Las Vegas, is much more thoroughly tested than the software that's used on our voting machines. But also, you could detect failures. I mean, I don't want to think that if I fly on an airplane and it crashes, well, good people can detect failure. But the fact of the matter is that aviation has been made more secure because that does happen. And furthermore, we have an incident reporting mechanism in place for aviation, which we do not have for voting. There is no centralized incident reporting mechanism available. And so what do you do, for example? Some people who are worried about these machines say, well, let's have good exit polls. I mean, I'm all in favor of exit polls. But what do you do if you have good exit polls and the exit poll tallies do not match the numbers reported by the machines? What do you do? We have no mechanism for saying, okay, we've got to redo the election here or something like that. We just don't. And then there are other major security problems with internet voting in particular. 
Well, in general, with any kind of computerized voting: software bugs, which may or may not also be a security issue, or may or may not look like an insider attack depending on what they do. Insider attacks. And insider attacks, I think, are the most, in some ways, the hardest kinds of problems to deal with. Because, I mean, if you look, for example, at other forms of security, if you look at national security, the major incidents where national security has been compromised in this country for the past 15 or 20 years have involved insiders, frequently highly placed insiders who were trusted. And so how do you deal with that when you're dealing with voting machine, voting software?

For internet voting, you have to worry about the vulnerabilities of the client side voting equipment. So if I'm voting on my computer, my computer could have some sort of virus in it, which can do who knows what. Maybe change my vote, whatever. Denial of service attacks, I've already mentioned. Automated vote buying and selling is much easier to do on the internet. And a man-in-the-middle attack, a man-in-the-middle attack, basically, is that you can basically position yourself between the voter and the place where the voting is occurring, and perhaps see what the vote is, change it, and so on or shift it off someplace else.

And for people who think that, well, we don't have to worry about that, I like this little example. I don't mean to pick on Microsoft, but this is just one example. I mean, anyone who's used PCs knows that there are software fixes that go on all the time. There was a vulnerability in 2003, which would allow hackers to seize control of the machines, mail, and so on. And this sort of thing, if it went around on election day or during the election period, could have a major impact on the outcome of an election. So this is the DOD voting system that was proposed.
And the idea was that for the '04 elections, both primaries and the general election, people would be able to vote over the internet. Originally, there were ten... So because voting is done at the legal voting requirements are done at the state and local levels as opposed to national, basically each state had to decide if it was going to participate or not. And then within the state, localities had to decide if they were going to participate or not. So by the time we were finalizing our report, there were seven states and 50 counties in the total of those states who were going to participate. And it would have allowed military anywhere and their families who were from those states or localities to vote over the internet and also civilians from those states and localities living outside the country. And here's the website. I don't know if they still have stuff up there or not. I haven't checked it recently where they had information. And by the way, I can always send people a slide so you don't have to write stuff down.

And here are the system requirements that they had. Windows 95 or above, although I have a question mark because it wasn't clear if Windows 95 would have been adequate. By the way, it had to be a Windows machine. I couldn't have used my Mac. MS Explorer 5.5 and above or Netscape Navigator 6.x through 7. The Internet Connections Violet, Modem, Cable, and so on, you can see it and you had to download an ActiveX component. The user was responsible for maintaining the security of their computers, could vote from anywhere. Public libraries, cyber cafes in Thailand, anywhere. So you can go in and vote from a cyber cafe. You don't know what's on that machine. There could be spyware on that machine which is looking at what you vote and maybe changing if it doesn't like it. So basically, we were going to have voting for our national election using proprietary software, secret testing, insecure clients, and an insecure network.
And that's basically what we said in our report. And much to our amazement, we released the report on the 21st of January and on the 30th of January we heard, I mean it was a few days afterwards that it happened, we got the news, but on the 30th of January Wolfowitz issued a memorandum saying kill SERVE. So it's not going to be used. Now, they were also behind schedule too, so I don't know to what extent they were happy that we did our report. So these are some of our conclusions. SERVE: it contains all the security vulnerabilities of paperless touchscreen voting machines; internet and PC-based made it vulnerable to potentially catastrophic well-known cyberattacks; and something that, again, I think a lot of people who like the idea of internet don't think about is that the attacks can come from anywhere, including other countries, including criminal elements, and so on. We really tried to think of some alternatives, maybe even doing registration online, and we felt everything we came up with seemed insecure. And of course as this issue could appear to work flawlessly and you have no way of knowing for sure if it did or didn't, but even if it did, then there's this danger that it would become widespread, and once you have widespread use of the internet there's much more motivation for stealing the election. So we basically were very concerned that it would be used in '04 and things would appear to go fine and people would say, great, let's continue. In fact, that's what Michigan did. So how many here voted over the internet in the primary? Anyone? Yeah, you had to fill in paper, so it was sort of not entirely internet pure thing. Did you ever, were you able to verify that your vote was correctly recorded? No. So of course you don't have a secret ballot in the Michigan Democratic primary. So they could have actually done testing, but they didn't. I got involved with Michigan primary because at the 11th hour there was an effort made to stop the internet voting.
This was being done, I forget the name of the man who was pushing it. His argument was that it discriminated against minorities and poor people because they were less likely to be able to use the internet. So I happened to be in town when the DNC was holding hearings and so I was given seven and a half minutes. Two of us were given total 15 minutes. I was the one talking about security. Seven and a half minutes to make the case that this was an insecure system to use. Seven and a half minutes, and then there was the head of the Michigan Democratic National Committee, the Michigan Democratic Committee, came after me and attempted to rebut everything I said, and I had no opportunity to respond, so we really didn't get much of a hearing. But I was given documents beforehand that I looked at, and so the documents made the claim internet voting is secure. And that's in black and white in these documents. Now I happen to know it's not secure. But these are the kinds of claims that were being made. Now as I mentioned, here there wasn't much motivation to steal this election, so I'm not claiming that there was any malfeasance or even anything wrong with what happened in the Michigan Democratic primary's internet vote. My concern was that by going ahead and doing this, people were getting the idea that it was a safe thing to do, and at one point Donna Brazile turned to me and said, well, do you think that the military one is secure? And I said no. This is before our report came out. And I think people were rather shocked by that, because of course the SERVE project was at least being vetted. I don't know what this one was. I mean, I was given a document which talked about security and large chunks of it were adapted so I couldn't even tell. Anyway, my favorite is what Missouri, North Dakota and Utah are going to do. And I often start this talk by saying I like to tell jokes. I didn't do it this time because I knew I had made this slide last night.
So Missouri, in its wisdom, is going to allow people in combat areas to vote using a combination of email and faxes. This was announced just a few weeks ago by the Secretary of State of Missouri, who is also the Republican candidate for governor. And what I'm telling you is what we've been able to figure out, but there is no documentation I've been able to see as to how this is going to work. It does not appear to have been adequately vetted by anybody on security grounds or any other grounds. So the idea is the voter will scan his or her ballot into the computer. At first you get a ballot. Oh, and by the way, they won't fax the... apparently Missouri, some places do this, but Missouri does not fax the blank ballot to the voter, which would save a lot of time right there. So you have to get the ballot by mail, then you fill it in, then you scan it into the computer, which is presumably a PDF file, which you then email, I believe it's over the military secure network. I'm pretty sure that's true. To some place in the DOD, the Pentagon I think, where contractors will download the ballots, print them out and fax them to the local election officials. Okay, anyone want to come up with some possibilities for fraud here? I don't know what kind of security review? No secret ballot. So the voters have to, so our troops who are defending democracy have to sign away their right to secret ballot if they're going to use this mechanism. Now coercion of course is always a concern, it's a concern with any kind of absentee ballot. But of course the military having a fairly hierarchical structure, you have to worry about it even more, in my opinion. I don't know of anything in place to observe the contractors. What could you do? Well, you can conveniently lose ballots you don't like, right? I mean, who will know?
Now these ballots have signatures. You know, cut the signature, I think, I mean, you understand I'm not, don't hold me to specific details because we don't know exactly what this entails, but we do know you have to sign. You take the signature, you attach it to another ballot. Remember these things are being faxed and scanned, scanned a couple of times, get rid of any lines, mail that one in. Or you can just conveniently add another vote, maybe for an office that hasn't been voted, or if you don't like the vote for a particular office, make it into an overvote so it doesn't count. You know, those are just things off the top of my head. I'm sure there are other ways one could commit fraud here. So I mean, I don't know what you could do to stop it. I mean, it's just, to me, as a computer scientist, it's just insane. Well, I mean, you think it's insane too, right? Yeah. Testing. By the way, join in, you know, say something. No? Testing. So one of the arguments for having secret software is that it makes things more secure because the bad guys can't see the software so they don't know what the vulnerabilities are. And it's sort of a fundamental rule in computer security that you have to assume the bad guys have access to everything and you still want it to be secure. In particular, to argue that keeping software secret gives you security is what's referred to as security through obscurity. And as you can tell from the name, people don't view it very highly as a method of security. One of the things, those of you who followed the crypto wars will know that at one point there was an argument that the encryption algorithm should be secret, that that would give more security. But ultimately what the government has decided is to make these algorithms all public, and in fact the most recent process for choosing a new encryption algorithm, new standard, was all public, where everybody submitted their algorithms, people tried to break them, and so on.
And the feeling was that if people, very smart people, try to break it and can't, then you have more confidence that it's secure. And that's sort of one of the fundamental principles of computer security. So this contradicts the basic notions of computer security. And there's a lack of strong national standards for testing and security. Now the testing is done, testing for these machines, electronic voting machines, is done by things called independent testing authorities, or ITAs. There are three of them. They're private entities. The testing and the results are secret. They use test scripts. They test to the Federal Election Commission standards. I said there were two of them, 1990 and 2002. Presumably now they're testing to the 2002 standards. It does not include what computer scientists refer to as a code review. A code review is when you get a team and you sit down with the software and you go over it line by line and you check to see, if you go someplace, what that does, and then you double back. You want to understand the logic of the program. You want to make sure that you don't have any software there which you can't get to from anywhere. That's called dead code. That sort of thing isn't done because it's not part of the standards. So they basically have a checklist where they test the standards. Now a lot of things in the standards are reasonable. For example, for those of you who are computer, who have done programming, they require that subroutines have a single entry, single exit. Okay. That's not unreasonable. You need a lot more than that. In fact, one of the issues with computer security is that you can't just list a whole set of rules which guarantee security, because if you could we wouldn't have problems like the one I just pointed out from Microsoft in 2003. We wouldn't have all these software fixes that get sent out all the time. We basically cannot solve this problem. In general, we do the best we can.
And the more effort you put into it, the more time and effort and smart people you have working on it, the more likely, the more secure the system is. With airplanes, again, there are lots and lots of rules. With gambling machines... With gambling machines there are lots and lots of rules, but not with these voting machines. So in particular, you're going to test for the most likely problems, the most likely bugs. That means you're not very... you're not very likely to find something which is very obscure, because it's not likely. There are a few things to test for. And yet, if you're going to undermine an election, if you're going to steal an election, what are you going to do? You're going to try to hide it. You're going to try to make it obscure. So a clever Trojan horse, a malicious software that's been embedded in the software, you're not very likely to find it. I can't say you won't find it, but it's not very likely. Especially if you've got 50,000 lines of code, which is what Diebold has in their rig, in their machine. Now, again, if I were to write malicious software to change an election, what I would do is I would make it behave in a random fashion. So I would, for example, if I wanted Bush to win, I would flip a coin and a certain number of times I'd look at the ballot. Sometimes I wouldn't even bother. And I would just make sure that ballot said Bush. If it already said Bush, I wouldn't change it. If it said Kerry, I'd change it to Bush. But again, a certain number of times I'd look at the ballot and I would make sure it said Kerry. But the number of times I would change to Kerry would be fewer than the number of times I would change to Bush. So that there would be more of a shift over. Now, if I do this randomly, it's possible someone might find there's a problem. You run the software again, it'll be different. It'll behave differently because it's random. It won't repeat the same process again.
And again, those of us who've done those, a bug that doesn't behave predictably tends to be harder to find. And sometimes you can't tell if it's a bug or if it's a malicious code. And in fact, you might be able to write things cleverly enough so that it won't be obvious that it's a malicious code. That could be difficult. But anyway, so that's testing. So, I thought I'd talk about Diebold a little bit. But I don't have too much more time. I'm wondering, do people want to hear about Diebold? Some of the Diebold chronicles? So, Diebold, Georgia. Some of these machines are being purchased statewide. Some of them are being purchased locally. So in California, some voting districts have DREs, some have optical scans. Georgia decided to go all with DREs and they purchased Diebold. In the 2002 Georgia election all of the races were held on Diebold machines. That's the race where Max Cleland, who was an incumbent Democratic Senator, lost. By the way, also the Democratic Governor lost. The Cleland race was an upset and it may very well have been completely accurate, but we have no way of knowing. There's nothing to recount because everything's electronic. There were no... There's no paper audit trail. One of the reasons why a lot of people are suspicious about Diebold is that the CEO of Diebold, I know he regrets it a lot, but he said he was involved with doing fundraising for Bush and he said in a letter that went out that he was committed to helping Ohio deliver its electoral votes to the president next year. Diebold is located in Ohio.
And there were also some emails. Somebody went in and got some emails from people who were working in Diebold who were doing patches for the software, and that was posted on the website, and a number of people had copies on their websites. Some of them were Swarthmore students, undergraduates, who posted on their website, and they received threatening letters, a number of people did, from Diebold, threatening them under the Digital Millennium Copyright Act, which basically, well, I won't go into details of the DMCA, but basically they threatened them under the DMCA, which has both civil and criminal penalties for certain types of violation of copyright, for posting these emails, which Diebold also disclaimed, not their emails, but they were going after them anyway for copyright violation. Let's see, did I finish that? Somewhere I have a slide, maybe it's later on, which tells what happened with those students, but let me first get on to this and then I'll get back and tell you what happened. So the Diebold saga really started when Bev Harris, who has been very active in finding these paperless voting machines, discovered, when she was just using the net, she discovered a bunch of Diebold files on the net, and she got some of these over to Avi Rubin, who was at Johns Hopkins, and he and three other people, two of his students and Dan, I think it was, anyway, someone who's a professor at Rice University, started looking at the software and they came up with a whole bunch of problems. For example, they found that there was an encryption key that was hardwired into the software. It was written into the software, a single key, and if someone got a hold of this key you could make major changes. Just one key, the same thing for everybody, for all machines. Basically Diebold didn't understand key management, which is a fundamental notion in computing, amazingly fundamental, and they'd been told about that five years earlier by someone named Doug Jones. So that's the kind of sloppiness that they had, and in
fact, the fact that the software was on the website was another example of bad security. Some of the files were called Rob Georgia, which got people really upset, that this was around the time of the Georgia election, and the explanation was that there was this guy named Rob who was working on the Georgia file and he happened to be up in Canada, and so he was doing things remotely, which is why they had it on the internet, an open FTP website. So then after the Hopkins paper came out, which was just when Maryland made this decision, the state of Maryland had decided to buy Diebold machines, they commissioned a company called SAIC to do another study of Diebold, and so SAIC produced a report which I urge you to read. It's very short, because only about a third of it is public; two-thirds of it is redacted. And Maryland went ahead and purchased the machines anyway, and then afterwards they also had, excuse me, RABA, another company, have a red team go in and spend about a week trying to hack into the machines. I was talking to someone who was on the RABA team, and he said, Bill Arbaugh, he said, well, my job was to try to break into the machine physically, and, you know, I spent a few minutes and got into it and that was it. I was done. I didn't have to do anything the rest of the week. The Ohio Secretary of State had been considering buying Diebold, but because, actually, I think, of one very outspoken member of the legislature there, he didn't. He was originally going to buy it for the whole state. Now here's what the SAIC report, some of the stuff about the SAIC report. Their entire section 5 is called risk assessment findings, including a discussion of the SBE security requirements, blah blah blah. Basically the risk assessment section was redacted. Now even the title of that section was redacted in the index, but, you know, not that I'm such a detective, but I was able to figure out what the title was because, you know, when they give the overview of the paper they forgot to scratch out that title, so that
part wasn't redacted, so it was easy to see what section 5 was, not to read section 5 but to see what it was that they redacted. They also have, this is a direct quote from the report, "the voting terminal is an embedded device running Microsoft Windows, redacted, as its operating system". Now why would they redact the name of the operating system? Any ideas? The reason is that it was Windows CE. Now Windows CE is kind of a roll-your-own operating system. The idea is you take it and you tweak it to fit particular devices. Now I didn't mention this, but one of the issues with testing is that commercial off-the-shelf software is not tested, because you can't look at the software, right? So it gets a blanket exemption. Now when you test the whole system you're running the commercial off-the-shelf software in that system when you're testing, but nobody goes and examines, say, the Windows operating system to see if there's any malicious code in there. So that's not looked at at all. So the idea is that Windows CE is a commercial off-the-shelf software, doesn't have to be looked at, but the fact of the matter is Diebold made changes to it, because that's what you do. I mean, not condemning Diebold for it, that's the nature of Windows CE. So the theory is that the reason they redacted the name of the operating system is they didn't want to make the obvious point that this is an operating system and nobody's looking at it. "The currently used version of the AccuVote TS", that's the name of the Diebold system, "software is, redacted, written in C++". I don't know why that was redacted. And then the RABA team, which I say was the third study, there was the SAIC study and then the RABA trying to break in, found poor security, and then there's a nice quote from Laura Boggs saying, "I can say with confidence that nobody looked at the system with an eye to security who understands security", and this is after these other reports had come out and they presumably made changes. And Maryland now has a system where there
are 16 Windows security patches. So they're using Windows for their counting program. Their counting program is used by their optical scan machines as well as their touch screen machines. Their counting program, basically Windows software in it, 16 security patches, they can't install them because it makes the machine crash. So according to Michael Wertheimer, who was also on the RABA study, who testified at a recent court case trying to force Maryland to provide paper ballots, that was thrown out by the court, but anyway, at least the injunction was thrown out, "essentially you have a system that must be insecure in order to function". And then I mentioned the Diebold emails, where I get to what happened to the Swarthmore students. Diebold, when EFF and Stanford Law Clinic sort of stood up to Diebold's threat, Diebold withdrew its threat, but then the Swarthmore students brought their own suit and they just won in September. They basically claimed, and the courts agreed with them, that Diebold knowingly misrepresented copyright claims, so now Diebold has to pay court costs, which is going to amount to a few thousand dollars, it's not a great deal in California, but the Secretary of State discovered that... Go into a little more detail there as to what the copyright violation was that Diebold found it was asserting under DMCA? I'm not sure the details, although the person behind the camera here might know, because I think he did something similar in terms of putting the software on his system, I mean the emails on his system. But the Digital Millennium Copyright Act makes it illegal to circumvent any kind of copyright protection mechanism, and I think that they felt that by breaking into the system, they may have had some kind of protection there that they were circumventing, and that was why they would be held to DMCA requirements. Do I have that one correct you now?
Never mind. So the courts found that they didn't have that claim. The courts found that Diebold's copyright claim was not valid, and I'm not sure exactly why, I haven't read the decision. Does anybody else know? Anybody in the class know more detail on that? Okay, so California Secretary of State Kevin Shelley discovered that all the Diebold system voting machine software used in California was not certified by the state. So I should mention, with certification, there are these federal certification that's done to these FEC standards. Some states also have their own state certification. California is one of them. So he got pretty upset because he had been told that it was certified. I'm sorry, he got upset about that, and then he was also told that a particular Diebold TSX was not entirely certified, and it wasn't. So what Shelley did was he conditionally decertified all Diebold TS, all DREs, decertified all DREs conditionally, and then he had a set of requirements that companies had to fulfill to get temporarily recertified, but he just ruled out Diebold TSX completely to use in California. Obviously, some of the areas where these have been purchased, the election officials were not happy. In one case, I think it was Solano County, they actually were able to return the machines. Some of the election officials sued Shelley, but it was thrown out of court, and now California is suing Diebold on charges of defrauding the state with false claims about its products. That suit was started about six months ago by some local activists, and the Attorney General recently announced that California was joining it. And on the suit, I should also mention, for those of you who are political junkies, I don't know if you get this here, but in California there's been a lot of news about Shelley and election contributions and misusing HAVA fund and so on, so Shelley's in the hot seat right now. Unfortunately, he had been sort of a leader in the country in holding these DREs, making them accountable. So he's mandated that by
2006 all voting machines in California all paper audit trails, and all new ones by 2005, and in fact there was just a law passed by the California Legislature, signed by Schwarzenegger, which says the same thing. But Shelley's in trouble, and it sounds to me like he made some bad decisions, did some bad things maybe, but I also suspect that one of the reasons this was uncovered was that there were some companies that didn't like seeing him there. Horror stories. Okay, Boone County, Illinois. I rather like this one, but election results showed 144,000 ballots were cast in a county with fewer than 19,000 registered voters. Only 5,532 actually voted. The county clerk said it was a glitch in the software. Now glitch is a word that gets used a lot now, but this what we're not talking about is glitch. I mean, I really hate it when they say glitch, because it makes it sound like it's no big deal, but this is a big deal. We're talking about our vote here and who gets to run the country. It's a glitch in the software, they fixed it, so everything's okay, except we have no way of knowing if they fixed it right. Yeah. Hinds County, Mississippi: the DREs were down in the morning, problems all day, no paper ballot alternatives, voters had to wait in long lines, wrote makeshift paper ballots, inadequate privacy, still in lines at 8 p.m.
and the Mississippi State Senate actually declared the results invalid and a new election was held. Now had there been paper ballots available, at least as an alternative, they could have avoided this whole thing. And getting back again to California, another thing that Shelley mandated was that for the 04 election paper ballots must be provided for people who don't want to vote on these machines. And I just signed up to be an election official, so I figured I should get some hands-on experience, and I went to class and I was told in class that we're not allowed to tell people that they have this option, and I said, excuse me, why aren't we allowed to tell them? Well, it's a law. So I said, would you please check that, and she checked, it wasn't the law, and she said, well, it was something that Shelley said. It turns out it wasn't something that Shelley said. Basically you get a lot of resistance on the part of election officials. They don't want people doing this, and so they're actually going out and telling, at least in the case of the class that I went to, and I'm sure this is happening throughout Santa Clara County, that people are being told you cannot volunteer this information, and in fact that's not true. Broward County, I forget where that, I think it's Florida, of course. There was a special election held only to fill one house seat. That's all it was for. It was for nothing else. A special election for one house seat. 134 people used the ES&S DREs, didn't cast any ballots whatsoever. The winning candidate won by 12 votes. Now Florida has a law mandating a recount if the election was within a certain percentage, and it was here, but there was no recount held because there was nothing to recount. The idea is to recount, to go back and look at the ballots that were presumably not voted, but there's no way they could look at them because they weren't there. Baton Rouge mayor race in 2002: the former Mayor Emile Dasieu came in third. It was 8% undervote, low numbers reporting his home precinct. Now it turns
out, well, first of all, Sequoia sold the system with trade secret protection, they all do, and that's why you can't, they won't really reveal the software, because it'd be a felony. Turns out when they did testing for this machine they only tested the first place on the ballot. This guy was third on the ballot, so there's no testing done to see if votes were recorded for every single place on the ballot, and then after the election they changed, they took it out of voting mode and you couldn't go back and do the testing. So, legislation. Rush Holt has had legislation in the House of Representatives for quite a while, obviously it's not going anywhere this year, called HR2239, and he wants to mandate a voter verified paper ballot, and he also wanted to mandate a half a percent manual recount for all elections and forbid the use of undisclosed software, also banning wireless communication devices, he thinks would be obvious, but it's not. Anyway, this is what the legislation says. It's not going to pass. There were some bills introduced in the Senate. Graham introduced a bill called S1980, which was basically this bill. There were a couple of other bills that were introduced. Hillary Clinton had a bill, Barbara Boxer had a bill, but none of them is going anywhere. So ACM, which is not as big as IEEE, issued a voting, a statement on e-voting, and I co-chair of the U.S.
Public Policy Committee of ACM, we had taken a position on e-voting quite a while ago calling for voter verifiable paper trail, but this is ACM, this is the parent organization, so it's a big deal for ACM to issue a statement, for those of you who are members of ACM here. In fact there was actually a survey done on the web where the statement was posted, and of the members who responded over 95% agreed with the statement, basically saying that there should be some sort of physical record for voters, and of those who were not in that 95%, over 95%, most of them complained about the fact that the statement only talked about security and didn't talk about human factors. Now human factors, which I haven't talked about, is another important issue. The whole butterfly ballot issue, in fact, this Michigan ballot, you don't want it to be easy for people to make mistakes. You want it to be easy for people to do what they intend to do, and human factors is a very important thing. The whole design of the ballot, the whole way the machines work, is very important, and I can understand people's concern about that, but we also want to try to keep it to a single issue. And show you what you can do. David Dill, who is a computer scientist at Stanford, has been very active in this and he has a website, verifiedvoting.org. This slide is way out of date. The petition has over 2,000 technical people have signed it, and there are also signatures for other people, for attorneys, for election officials, for anybody to sign, calling for voter verifiable audit trail. And then you can go to the USACM website and see what we have done, and then there's the ACM statement. So I think, I think it's probably a good place to stop, like I've gone over. Let's take questions from the audience. You probably haven't... I have a question. Here's one in the back. Recently most of the concern has been about security, and I had a more basic question, and I had two ATM experiences recently. A couple years ago my bank replaced the branch ATMs with new robust
ATMs that are touchscreen and have all of it, and one of the machines sometimes has trouble, and I think it's a hardware part of it, and I remember trying to find the button to get it to work and it didn't work, and I kept on trying to get it to work, and it ended up taking out three times more money. I found it three times. So there was a counter somewhere in the software that counted it up three times. Printed-out receipt told me I'd taken that three times much more money. But this was not malicious, it wasn't intentional, it was just a mess. It's just a hardware thing, and sometimes the buttons don't work, and I just envision all of these machines going into all of these precincts, and if they don't work, the precinct workers, it's not their fault, they just lost it, it's not going to know what to do. If you have a big election like we may have, there's going to be those huge lines of people, and if the machines don't work it's a huge disaster. Absolutely. That's one of the reasons why I think we should have paper ballots there too for people to use. But I think there's going to be a lot of court cases after November 2nd, not only, I don't know, at the presidential level, but I think also other levels, because when people lose on these machines they're going to be upset. There's another thing I didn't get into, this thing called the ballot definition files. And ballot definition files, and this is an issue for optical scan machines and for DREs, so you don't know who the candidates are until relatively close to the election, presumably, and so, especially if you've got a screen-based machine, but this is also an issue for optical scans, you've got to put down who the candidates are. With a screen you've got to say, you've got to have a way to link, when someone votes for Kerry or Bush, to link that vote to the counter inside the computer correctly, and with optical scans, when you put them through, you've got the same issue where you've got to read what's on the ballot, you've got to get it linked inside
the computer to the place where these candidates are being counted. And in fact some of you may remember there was a primary, after Kerry was already the obvious winner, where Gephardt received a lot of votes. He had already, I think, withdrawn from the race. It was probably Missouri, and it was an optical scan machine, and so people were able to go back and look at the paper ballots and realize that this thing had been programmed wrong, I don't think, again, I don't think it was malicious, that votes for Kerry were being credited to Gephardt. Now because there were paper ballots, when people saw an anomaly they were able to go back and look and say, wait a minute, what's going on here, and figure it out. But if there are no paper ballots, if you've just got electrons, so how do you do it? And of course, what do you do if it's not an obvious anomaly? I mean, you know, they really voted for Kerry, they voted for Bush, you know, the ways you can mask cheating that will not be so obvious as with the Gephardt vote. Yes? When Congress passed the law and threw $4 billion into it, do they also come up with specifications of what is expected, required, or else? I mean, it seems like it's sort of a hell of a burden, the mentality of sorts. Well, NIST was supposed to come up with specifications, and that's not unreasonable. I mean, you don't, I don't think it would have been appropriate for Congress to come up with it, because some of these are technical specifications, I mean some of what you want, and Congress is not necessarily technical, so you want people who can take time and study the problem to come up with specifications. So having NIST come up with specifications was probably a reasonable thing to do, but then NIST wasn't funded. Now I should mention something else, because there's a standards committee called P1583, which is being run by IEEE, which is coming up with standards for electronic voting machines. That committee initially was pretty much controlled by the vendors. Some of us have gotten involved with it since
and we're trying very hard to make the standards reasonable. I think that these are the standards that are going to be adopted by the EAC, the Election Assistance Commission, which is basically, it was also put in, which was created by HAVA to oversee elections. They don't have funding either, they don't have adequate funding. DeForest Soaries is the chair of the EAC, and I think that his heart is really in the right place. I think he's really trying to do the right thing. But, you know, these IEEE standards are going to come along and they're probably going to be adopted.

Let me do a follow-up on that for a second. So if NIST didn't receive any funding, did NIST play any role in trying to involve and engage the professional associations?

The professional associations, aside from IEEE, which was written in the HAVA, they were actually given a seat on one of the committees, it was written in the HAVA. I guess they've got good lobbyists in Washington. So aside from IEEE's involvement, both in the standards and with this HAVA seat, no. I mean, certainly ACM has not been involved. The only involvement we had was when they were here until before HAVA was passed, we were able to get a slot for Rebecca Mercuri to testify before one of the committees, although she did not officially testify for USACM, she testified only for herself. But aside from that, we had not really been involved.

So what did NIST do?

I think they've been able to do much. I mean, they weren't happy. They weren't happy, they didn't get funding, and so they really haven't taken the leadership. I mean, how could they have the resource? Yes?

What I heard at the night of the conference, the people in the committee had a really hard time, like the experts in security had a really hard time getting onto that committee for some reasonable reason.

Are you going to be hanging out afterwards?
I can tell you more about it. Because it was dominated probably by vendors. There have been a lot of bizarre things happening. Okay, here's one, John.

Presumably, from the people's perspective, that they employed computer scientists. What's their motivation for designing the system the way they did? Is it radically cheaper to do it that way? Design the system doesn't work, and I'm trying to understand from people's perspective what makes them...

I have no idea who they employed, but they certainly didn't employ security experts, I think that's pretty clear. But one of the motivations was to get the machine out fast. And so there really wasn't a motivation to put them at the best standard. It was to produce them and get them into the hands, to get the content out.

The development of electronic voting machine just pick up right after 2000?

Well, there have been some that have been used for a long time. I understand Indiana, for example, had, people had, not the bulk but some other company, some Indiana company. I mean, some of these machines have been around for a while. It doesn't mean that they're necessarily secure, but they have been around for a while. But there are sort of... there's the big three or the big four. There's Diebold, ES&S, and Sequoia, the big three, and then there's Hart InterCivic, sort of the fourth one, and those are the major vendors. And it's sort of... so the history actually, so Diebold...
I actually wrote a paper on the site, which I can send people a copy of. I have a copy of it in my briefcase over there, so I don't remember all the details. But recently the head of the Diebold computing, a voting subsidiary, because of course Diebold's main product is ATMs, so they got into the voting business relatively recently, so they purchased another company and that's sort of how they got into it. So the head of their voting subsidiary was the brother, I mean they're still brothers, but they're not in these positions anymore, I think, the vice president of ES&S. And so these two men basically were in very high-level positions for about two-thirds of the voting machines in the country. It looks like you came up with something. Did you want to make a challenge?

No, I was actually just going to... daily, I think, not that it's a real reliable source of information.

I can get to this. I mean, I have it on this paper, I just don't remember the details. The fact that they are brothers, they've both since stepped down. And in the past couple months they've both stepped down, and I don't know why. My guess is because people have been going around saying, hey, this isn't right, this isn't right.

In terms of the coming election, are there any trends or things that you're really watching for that will be a sign to you that something has gone wrong?
Well, I'm sure things will go wrong, because things have been going wrong every time these machines are used in large quantities. So things will go wrong. I think, I think it's pretty safe bet things will go wrong. I don't know, I mean, like when you get 144,000 votes, I mean, that's kind of obvious.

Anything you're expecting, are there people in your field are expecting?

Well, I mean, I don't know what to say. I mean, again, if you, what do you do if you get, say, exit polls which say the number should be this and the machines report that, which is not the same? Does that mean something's gone wrong? I don't know. Maybe people weren't being honest with the exit polls. How do you, what do you do? I don't know. Without the audit it's not possible to detect parents. Yeah?

I would suggest, in all the computer, everything goes wrong. There's nothing wrong about this whole family for a whole hour, nothing is right in this computer, and this fraud is wide open. Or don't we just go back to the old-fashioned, in the paper, put the mark on, this is the line that I want, and I put it in the, in the box, or take it to the clerk's office and get the receipt that you have voted for the number on the then and leave it for that for each state, this community. And that's what you do in Europe, the old-fashioned way. You don't have a problem. Well, it's wide open for your small business.

Well, I got sort of two responses to that. First of all, with paper ballots we've had election fraud too, and in fact if you have Michael Shamos here to speak, most of his talk will be how bad paper ballots are. I mean, I happen to disagree with him, but you can't have fraud with paper ballots for sure, we have.

Which one is worse than the other?

Well, so I think one issue is with paper ballots you can definitely have fraud. I mean, ballot boxes were found in San Francisco Bay a couple years ago. I mean, that doesn't seem right to me. But I sort of view this as a difference between wholesale and retail fraud. So with paper ballots, paper ballot elections have been
rigged using paper ballots probably since paper ballots started being used. But if you're going to go and rig an election, you've got to deal with the actual ballot boxes, you've got to get more people involved. It's more of, it's more of an on-the-scene kind of thing. So you have more people involved, so the greater risk of being caught. You can only influence so many because of the physical, because you're dealing with physical items. Whereas if you're dealing with software, if you can go and change the code for the Diebold TX machines, those are widely used, change the software in that, you can impact elections in California, I think that's what's used, maybe in Georgia and Maryland, wherever these particular brands of Diebold machines are being used. So that's like wholesale fraud as opposed to retail. So I see the paper ballots as retail fraud, the voting machines as potential wholesale fraud. Plus, with the voting machines, and again, it's optical scan, you have to worry about this too, you have what's probably much more likely, at least up till now, is bugs. I don't know if there's been any fraud. Maybe there has, I don't know. But I should know there have been bugs, because we have evidence of the fact that there have been bugs. So, so, well, as I say, you've got this additional problem with software, that you can have software bugs which can change, or ballot definition files which can record votes incorrectly, and that's not an issue with paper ballots. You have other issues with paper ballots, but you don't have that. The fact of the matter is we don't have any perfect system. I like the optical scan based systems, but if you don't do some sort of check on those machines, you can rig those too. So you have to do some kind of manual recount for anything. People don't like hearing that because no one wants to do it, but I think you have to do some kind of manual recount, at least to some percentage of the ballots. And I don't think we'll ever have a perfect system. What we should be doing is trying to design
systems that are harder to, you know, that are more secure, harder to rig, as opposed to less secure. I mean, that's my main complaint, is I think we're going the wrong way with these machines. Security should be a number one, security and usability should be the major issues for these machines, and we should be working to make them more secure, and instead of having these machines which are trashy. Myself, I think election officials should be trying to get their money back on the grounds that they were sold faulty products. One of the problems is that they believe these vendors.

Let's take two more questions from, well, let's take them first from non-class participants, because the class will have a chance to ask questions of Barbara later. Others that are not in the 728 class? Yes.

I'm curious about the bills you were saying aren't going anywhere in Congress. Is that because someone is expecting to benefit from having faulty voting machines?

I certainly can't say that. I think it's mainly politics. Well, first of all, of course, Congress is about to close down. That's why I said it's not going anywhere. Given the timing, I don't think anything's going anywhere. They can't even get a budget passed. But I was told that the Republicans in Congress didn't want this coming up right now. I mean, there are Republicans who have signed on to the Holt bill, not many, but there are some, and there are certainly Republicans I know who are actively working to try to get paper ballots and, you know, voter-verified audit trails are paper ballots. And I think it would be a disaster to make this a Democratic versus Republican issue. I think that would be an absolute disaster. But what happened, but what I was told, was that the Republican leadership doesn't want this opened up right now because they don't want to raise any questions about the election.

So can you have a question? Yes.

I would like to have more details about absentee ballots. How safe is that?

Well, absentee ballots have traditionally been a source for fraud. By the
way, I just signed up for permanent absentee ballot a few months ago, because we have touchscreen voting machines where I live, and I voted for, on the recall, on it to see what it was like, and I'm going to be running them in November 2, but I'm not going to vote on them. So I have a permanent absentee ballot. But traditionally absentee ballots have been a problem. It depends on the state. Some states, I understand, don't even count them unless they could make a difference in the election. Some states do. You've got a privacy issue with absentee ballots, you've got coercion issue with absentee ballots, right? Or you can have situations where, for example, somebody works at a retirement home and requests absentee ballots for all the people there and then fills them out. So that's a kind of fraud. One of the things you can do in California with absentee ballots, and my guess is you can do it here, but I don't know how things work in Michigan. By the way, one of the interesting things about doing this work is that there's so much to know and there's so much I don't know. I just keep on learning things. I just learned about this situation in Michigan today. But I'm going to hand carry my absentee ballot to the place where I'm serving, where I'm an election official, and deposit it there, because you can do that in California, you can deposit it anywhere. So you might want to hand carry it in, perhaps. I know that a lot of people are being encouraged to vote absentee where there are these touchscreen machines so that there will be a paper trail. So whereas on the one hand absentee ballots have been a source of fraud, on the other hand, I mean, I would rather vote absentee than vote on a touchscreen machine with no paper. Well, I'm just going to deposit it in the precinct where I'm working, but it's not, it depends on the state. I don't know, does Michigan have much of a history of fraud? Do you think Michigan will be relatively... There were three of them in Michigan, I think, in two times in three. I don't know what
it's like here, and I don't know how they count the absentee. In California you take your absentee ballot and you have to sign it, I'm sorry, you take your absentee ballot, you put it into an envelope, and then you take that envelope and you put it into another envelope, and you put it into that outside envelope so that they can check you on the voting roll.

The same thing in Michigan.

What they're supposed to do is to have two processes. They open the outside envelope, and then they take the other envelope and they put it somewhere else, and then later on they open the other envelope so that they can't link you to your vote. Done properly, I think it's not bad. I'm not saying there's going to be fraud with absentee ballots. I'm just saying that absentee ballots are not a perfect solution either. I don't refer to these paperless machines, but you have to work.

I'm going to call this to a close now. I'm going to invite people to have refreshments in the back of the room, and class, take a break, and I think we're going to stay right in this room rather than go back to our classroom. So let's take a break and give Barbara a chance to relax. Thank you.

Take this thing off.