Return to Start
Since the mid-eighties, when computer experts first drew attention to the vulnerability of computerized voting systems, the FEC has paid a great deal of attention to this issue. The response has fluctuated between concerned and dismissive. In a 1990 FEC publication, Marie Garber wrote:
The advent of computerized vote counting... brought about demands for more stringent verification measures than had ever been required of the systems it replaced - mechancal lever machines and manually counted paper ballots. Although the older systems had manifold opportunities for error, they were never as widely distrusted as are computers, even to this day. For whatever reason - perhaps because so few people understand how computers work; perhaps because so many people have heard problems blamed on "computer error"; perhaps becasue of the sensationalist claims by so-called "computer experts" unfamiliar with the election process; or perhaps just because people are less reluctant these days to question their public institutions - computerized vote counting has from its outset been subject to exceptional demands that the vote count it produces be demonstrably and provably correct.At the same time, the FEC has published a variety of guidelines for computerized voting systems designed to protect against many of the possible vulnerabilities first identified by those computer experts. Two articles published in a 1988 Computer Professionals for Social Responsibility Newsletter suggested, between them, better testing, the independant review of software, comprehensive pre and post-election testing, standard data input formats, generic hardware and software, and a permanent audit trail which cannot be turned off. [Wilcox and Nilsson, pg 10] Each of these suggestions has since been incorporated in the FEC's guidelines.
[Garber, Issues... Disputed Elections, pg 32]
The 1990 publication Voting System Standards identifies three posible computer-enabled attacks on the election process: modification of the compiled or intepreted code; run-time alterations of flow-control or of data; and abstraction of the raw or processed voting data in any form other than a standard output report by an authorized operator. [Voting System Standards, pg 56]
In Voting System Standards the FEC suggests that vendors and election authorities must take steps to ensure the "integrity, reliability, and inviolability of the entire election process." Such responsibilities include the maintenance of controls minimizing the number of accidents, inadvertant mistakes, and errors, the protection of the system from "intentional, fraudulent manipulation, and from malicious mischief," and the identification of any fraudulent or erroneus changes to the system. [Voting System Standards, pg 55] Appropriate security measures include administrative and managerial controls such as data processing, operational proceedures such as the protection of secure passwords, the physcial arrangement and security of the systems development and election facilites, effective organizational responsibilities and personnel screening, and secure technical hardware and software. [Voting System Standards, pp 55-56] The FEC notes the additional security risk inherent in a public election, stating that, "security provisions for system functions shall be... compatable with operation by the public in a polling place. If access to a system funcion is to be restricted or controlled, then the system shall incorporate a means of implementing the access control requirement." [Voting System Standards, pg 55]
In Voting System Standards the FEC states, "All software (including firmware) for all voting systems shall incorporate measures to prevent access by unauthorized persons... and to prevent unauthorized operations by any person." [Voting System Standards, pg 56] Furthermore, to allow reviewers to asses these measures, "the vendor shall provide a penetration analysis relelant to the operating states of the system and to its environment. This analysis shall cover the individual use of program units or inadvertent sharing of program untis, and the resulting trasivity relationships. It shall identify all entry points and the methods of attack to which each is vulnerable. Such penetration analysis will be subject to strict confidentiality and non-disclosure by the test authority." [Voting System Standards, pg 57]
The most common means of evaluating computerized voting systems is the Logic and Verification test, in which the system processes a batch of ballots with a known number of of votes. The test is usually run both before and after the actual election. According to the FEC, the logic and accuracy test is almost always used on centralized voting systems, but rarely on the systems used to count ballots in individual precincts. Furthermore, the quality of the test is dependant upon its operators. "The tests accuracy varies... with the quantity of ballots in the test deck, the inclusion of all possible voting combinations, the use of actual ballots drawn from election stock, the testing of all ballot styles and rotations, and other such technical specifications... The deck should reflect all possible parameters and permutations that could or would be encountered with actual ballots." [Garber, Issues... Disputed Elections, pg 32] The FEC feels that "an adequate Logic and Accuracy test provides a substantial level of convidence in the reliability of the system as well as demonstrating that there has been no tampering with it;" however, additional tests include recounting a portion of the ballots by hand or with another computer system, recounting the ballots with the same system, and reviewing the system log. [Garber, Issues... Disputed Elections, pg 32]
The benefits of an audit trail are hard to argue, and the FEC agrees that they "provide inherent system security" [Voting System Standards, pg 56] and therefore, "any software certified for vote counting in a State should automatically produce a hard copy record of all activity on the system from the time vote couting begins until it is completed." [Garber, Issues... Disputed Elections, pg 56]
The FEC recommends that computerized voting sytsems be tested by experts outside of the vending company. "The role of independant test authorities in the implementation of the Federal Election Commission voting systems standards is a crucial one. Test authorities will make the initial determination of voting systems compliance with the voluntary standards, and will judge the systems' accuracy, security, and reliability. Therefore, a test authorityÕs expertise and impartiality are vital factors. It is important then, that vendors choose independant teste authorities (ITAs) competent to conduct qualification tests of their voting systems." [Voting System Standards, pg 1] Ideally, such testing will be centralized to remove the financial burden on individual precincts. To facilitate independant testing, "the FEC will attempt to enlarge the pool of available authorities willing and able to conduct qualification tests." [Voting System Standards, pg 2]