Accuracy, integrity and security in computerized vote-tallying.
Carroll County, Maryland: November, 1984
Carroll is a county of about 100,000 population located about 30 miles northwest of the city of Baltimore. On November 8, two days after the Tuesday, November 6, 1984 general election, and in accordance with the rules of the Maryland State Administrative Board of Election Laws (SABEL), voted punch card ballots from two districts of Carroll County were taken to a neighboring county, Frederick, to be rerun on an independently-managed system. (Similarly, ballots from Frederick County were taken to Caroll to be rerun.) This rerun is necessary under Maryland regulations to verify the original results before certification.
It was clear from these reruns that one of the computers used was in error in determining the outcome of a contest between Wayne Cogswell and incumbent T. Edward Lippy, for Carroll County School Board. Manual counts of the votes on ballots from both Frederick and Carroll counties showed that the Carroll County computer was the one that was incorrect. The initial but unofficial count, made public on the evening of the election, had indicated incorrectly that Cogswell was the winner.
An investigation undertaken the next day (November 9) by Craig Jester, a county computer program contractor, demonstrated that a wrong utility computer program for reading the ballot cards had been used. after the correct utility program was installed, the results coincided with those obtained manually and with the Frederick County computer. The utility prorgram, named COLBIN, had been previously written by Jester under contract to the county and had been successfully used in the May, 1984, primary election.
The purpose of the COLBON utility program was to read the voted ballot cards in the "column binary" format used for voting, rather than in a simpler format. At the request of Carroll County DP personnel to reduce the price, Computer Election Systems, the vendor of the vote-tallying system, had supplied the system with an elementary utility program that could read cards only in the simpler format. With this format, ballot cards would be required to have a maximum of one punch per column, not an acceptable situation for the Carroll County ballot. Carroll County contracted locally (with Pelorus, whose president was Craig Jester) for the COLBIN utility program.
On Saturday, November 10, the count was rerun (using the vote-tallying system including the COLBIN program). Members of the county Board of Elections and the County attorney were in attendance. The count indicated that Lippy was the winner. On Wednesday, November 14, eight days after the election, the Board of Elections certified the results. Lippy was named the winner.
The cause of the error was reported in the Carroll Sun on Nov. 18, 1984 in an article by Steve Kelly. A more complete explanation was provided in a letter, dated Nov. 26, 1984, from Thomas J. Van de Bussche, administrator of the Data Processing Center of Carroll County, to Dr. Thomas Lewis, resident of the Carroll County Election Board. Mr. Van de Bussche's letter was included in a report submitted by Dr. Lewis on December 5, 1984 to Mrs. Marie Garber, administrator of SABEL.
Mr. Van de Bussche admitted that, in testing an improved vote-tallying system provided by Computer Election Systems, he had inadvertently replaced the production version with a test version that did not include the COLBIN utility program. The logic and accuracy test of the vote-tallying system on Oct. 25, 1984, performed prior to the election in accordance with Maryland regulations, produced results consistent with the test ballots used. None of the test ballots had more than one punch in any column. Therefore, the test ballots did not reveal the error.
In the general election of November 6, 1984, the contest for the school board seat in question was listed in the same punch card columns as a home rule issue. The two contests were listed on different ballot pages of the "votomatic" ballot holder. The combination of votes for a school board candidate and a particular home rule position in the same column creat ed a punch configuration that was not recognized as valid by the elementary utility program. As a result, some valid votes were not recorded in both the school board and home rule issue contests. Most of the votes not recorded (about 13,000) were for Lippy, because many Lippy voters chose the home rule position listed in the same card column. Votes not recorded on the home rule issue did not affect the utlimate outcome for that question. If the COLBIN utility program had been used, all votes on the contests would have been recognized as valid.
In summary, the incorrect announcement of the result of the school board contest on election night was due to mistakes by the Data Processing Center of Carroll County in using the wrong utility program and in using a perfunctory logic test that did not disclose the problem before the election. No factual evidence is available that contradicts the documentation submitted to Mrs. Garber by Dr. Lewis and Mr. Van de Bussche.
The incorrect announcement was not due to any error in the vote-tallying computer system supplied by the primary vendor, Computer Election Systems, nor any activity undertaken by its representatives. Nevertheless, on July 29, 1985, the New York Times, in referring to this particular situation, reported that "The vote counting program that has been challenged in ... Maryland was developed by Computer Election Systems of Berkeley, Calif."
The error was discovered after the election but before certification because of a Maryland regulation that required recounting on an independently managed system. This specific regulation was based on a recommendation that "further confidence in the machine-counted results can be achieved if mandatory machine recounting of a percentage of the precincts for each race is carried out on a different, independently managed computing system than that used to produce the official count".
On June 11, 1985, another recount of the school board race in question was carried out, using the Carroll County computer, again including the COLBIN program. This recount was undertaken at the request of the State court in which Mr. Cogswell, the defeated candidate, had filed a suit asking that the results of the election be re-examined. The recount verified the correctness of the election results certified on Nov. 14, 1984, although Mr. Van de Bussche has indicated that the recount results did not exactly match the count reported in the certification.
Mr. Van de Bussche has stated that the recount, carried out with all sides in attendance, was hurried and less than precise in that, with the permission of the court, card reader "checks" were ignored in the ballot-reading process. Usually a card reader "check," indicative of a reading failure, would result in a decision to re-read the entire precinct of voted ballot cards. Instead, the card or cards causing the "check" remained unread and the reading process continued. The failure to re-read an entire precinct upon occurrence of a read "check" resulted in a small but random reduction of votes to both candidates, according to Mr. Van de Bussche. The differences were not significant enough to raise reasonable doubt as to the correctness of the certified results.
According to a July 11, 1985 story by Chris Guy in the Carroll County Times referring to the court-ordered recount, "...defeated candidate Wayne Cogswell had verification that use of an incorrect computer program caused a nearly 13,000-vote mistake in the unofficial totals released election night".
Stark County, Ohio: May, 1986
The following descrition is adapted from the account given in the July 21, 1986 issue of Election Administration Reports, Richard G. Smolka, editor, with permission of the publisher.
Stark is a county of about 400,000 population located about 60 miles south-southeast of Cleveland. An unprecedented court-ordered "audit" (hand recount) of a Stark County computer recount in a county commissioner's primary contest again named as winner the candidate who had apparently won in the official results of the May 6, 1986 primary but lost in the computer recount. The audit revealed a computer program error that permitted over 100 invalid punchcard ballots to be counted in the recount.
At the end of the election-night count, Robert A. Capestrain held a 26-vote lead in the three-person contest to be Democratic nominee for county commissioner. A recount by computer on May 27 (held because of the closeness of the original tally) put Patty Miller ahead by 5 votes. For the computer recount, the computer program used to obtain the original results was not used. Instead, a special computer program was written, in order to count only the disputed contest and not the other contests on the ballot. The mystery, however, was why 165 additional votes had been tallied in the recount although the number of ballots read by the computer was the same.
The following table provides the votes for the three candidates in the computer tally of the primary, the computer recount, and the hand counted audit:
The 165 additional votes in the recount were randomly distributed throughout the 481 precincts. Most precincts had no changes, and most of those with changes had a one-vote increase. All candidates gained votes. The names of the candidates were rotated by precinct in the ballot booklets in positions 98-100-102, and the extra votes were distributed among these numbers on the ballot cards. Each of the three positions received approximately the same number of additional votes.
Initially, there seemed to be no satisfatory explanation for the additional votes. Hanging chad (bits of paper remaining after holes are punched) was suspected as a possible cause. Fraud was much less likely because it would have required access to ballots from all affected precincts, working knowledge of the ballot rotations, plus sufficient time to locate and punch ballots which had not been voted for county commissioner.
Following the computer recount that indicated a reversal of the initial count, candidate Capestrain filed suit challenging the recount. Because of the unusual nature of the recount result and rumors of fraud, the candidates, attorneys, election board, and court agreed to audit procedures that would resolve any identifiable problems with hanging chad as well as ensure that the vote count would be complete and accurate. Most importantly, the all agreed that the audit would constitute a final resolution of the vote count dispute. Judge Harold E. DeHoff of the Stark County Court of Common Pleas included a provision in the agreement that all parties would waive any rights of appeal.
The audit included a manual count and a computer count. A large number of 2-person teams were assigned to manually count the ballots under specific rules. The court order also provided guidelines on removal of hanging chad and specified that only the two master commissioners, appointed by the court, could remove a suspected chad or hanging chad.
Before the start of the audit, Ohio Director of Elections Dorothy Woldorf and area manager Robert Braun of the vote-counting system vendor gave the counting teams both written and verbal instructions on procedures to be followed. The manual recount began at 9:00 a.m. and continued until completion at about 7:45 p.m.
After the first several precincts were manually counted, it became evident that the audit was producting totals more closely matching the original count rather than the recount. By 11:00 a.m., the recount program error had been uncovered. The error was due to the failure of the recount program to distinguish between Democratic, Republican, and unaffiliated ballots.
In the May 8 primary, voters were given Democratic, Republican, or unaffiliated ballots, depending on their party registration. The logic in the computer program and associated header cards that were used to tally the primary ballots was able to distinguish among the different types of balots, event though all the ballots were tallied on the same computer equipment.
In the recount, all the ballots were again tallied together on the same equipment, but the logic of the recount program could not distinguish among the different ballot types. It was apparently believed by the author of the recount program that the assignment of unique ballot positions to each contest and candidate was sufficient to separate the ballots. However, some Republican and unaffiliated voters had "voted" (i.e., punched out chad) in a ballot position assigned to a candidate in the Democratic county commissioner contest. These ballots were not counted in the Democratic primary tally, but they were counted by mistake in the computer recount.
In the audit on July 8, the ballots were first separated by party before being given to the two-person teams. The separation was easily accomplished because the ballot types were distinguishable by color. Consequently, in the manual recount, "votes" by Republican and unaffiliated voters were not tallied.
During the audit, the master commissioners completed removal of chad on 28 ballot cards. Nine of these were identified as hanging chad, and the others were termed "bulging chad." One commissioner said that it was obvious that the voter had detached the chad, but that it had been pressed back into position, probably when the cards were stacked. The removal of the chad by the commissioners had no effect on the outcome, but did increase the vote by a net of 26 over the original count.
SUMMARY OF CONCLUSIONS AND
This report has been prepared with funding provided by the John and Mary R. Markle Foundation of New York City. The Markle Foundation requested that the National Bureau of Standards (NBS) undertake this study because of public concern about the potential for inaccuracy or fraud in computerized vote-tallying. NBS was approached because of its experience with the subject matter as the result of a previous project undertaken by the author for the U.S. General Accounting Office.
Concern had been heightened by a series of articles published in the summer of 1985 in the New York Times. The articles cited statements by two computer experts reporting that a computer program widely used for vote-tallying was vulnerable to tampering. Several elections were identified in which losing candidates claimed that it would be possible to fraudulently alter the computer programs that were used in their contests.
In preparation for this report, a review of recent public statements and documents was undertaken that indicated concern about computerized vote-tallying. The review showed that the problems could be categorized as follows: there is difficulty in verifying results; there is the possibility of undiscoverable frauds; and election administrators lack the necessary knowledge and resources.
There is a continuing problem of public confidence. While proof of actual computer program manipulation appears to be lacking, documentation conclusively demonstrating otherwise is generally insufficient, due to the manner in which many computerized elections are conducted. It has been clearly shown that audit trails that document election results, as well as general practices to assure accuracy, integrity, and security, can be considerably improved.
The recommendations that respond to these problems are directed to state and local government election officials. Elections for state and federal offices are conducted by local government (generally county, township, and city) administrators. In about one-third of all counties, including over one-half of all registered voters, voting is carried out using computerized equipment. The local administrators require the necessary resources and expertise to efficiently and effectively carry out their responsibilities.
These responsibilities generally include procurement of vote-tallying systems and supporting services. An effective procurement must include the development of specifications so that accuracy, integrity, and security will be assured. The local administrators also have the responsibility for implementing the necessary management control systems to enable the public to have confidence in the results produced.
Election officials require a source of neutral expertise for the receipt of new technical and administrative information. The establishment of the Election Center in the Academy for State and Local Government clearly fulfills a need. Its efforts should be expanded.
Implementation of an Internal Control Function
Essential recommendations are that the concept of internal control should be extended so as to be applicable to vote-tallying, and that persons knowledgeable in that professional field should be utilized to assist in the establishment and implementation of sound operational procedures. To the extent that computerized voting equipment and software must have supporting capabilities, these procedures should be reflected in procurement specifications.
Internal control, which is nearly universally used as a management technique in financially oriented applications (e.g., in banking or manufacturing, or to safeguard assets in any type of organization), has not been applied to vote-tallying because those operations are not priced. Applicability of internal control to vote-tallying requires only the redefinition of the concept of a transaction. A transaction is now defined as a business event that is measured in money and that is entered into accounting records; the redefinition would allow a transaction to include a step in the implementation of an entitlement that is not measured in money.
Expertise in internal control (which includes computer security) should be added to the personnel complement in election administration in order to assure implementation of its concepts. In addition, an internal auditor should be available to independently review the implementation of internal controls and report on their effectiveness. Internal control is a professional activity; trained persons, texts, and a community of practitioners are available. Internal control expertise may be shared among government agencies if individual agency resources are insufficient.
An important function of internal control is to identify system vulnerabilities and convert them into a set of realistic threats. Responses must be devised that are consistent with available or obtainable resources, based on a risk analysis determining the likelihood and cost of actual exploitation of a particular vulnerability. As a result, internal controls personnel should be able to provide assurances to the public that the potential threats are understood, have been prioritized for significance, and are being countered.
The availability of internal control specialists should relieve election administrators from having to be personally knowledgeable about specific technical matters best left to individuals who are professionally qualified in that field. With the addition of needed technical resources to the staff, election administrators would be able to retain management control, and not have to abdicate it to others, such as vendors or data processing center directors. Thus, election administrators would be able to retain the capability of directing that the objective of assuring accuracy, integrity, and security in vote-tallying be carried out.
FEC Clearinghouse Specifications
The performance specifications developed by the National Clearinghouse on Election Administration of the Federal Election Commission (FEC Clearinghouse) are approaching completion, and they are intended for statewide adoption. Each state should consider the adoption of these specifications when they are issued.
Acceptance procedures for hardware and software should be consistent with the FEC Clearinghouse implementation plan for adoption of these specifications. That plan calls for qualification and certification prior to final acceptance. Qualification implies conformance with standards and functional requirements, and may be done once to satisfy many states. Certification ensures that the product meets state requirements. Acceptance testing evaluates the degree to which the specific units delivered to the local government conform to approved characteristics.
Revised Texas Statute on Electronic Voting Systems
The requirements of the revised Texas statute on electronic voting systems should be considered for adoption in those states that have not already adopted equivalent or more stringent provisions. Requirements of the Texas statute include audit trails, deposit of computer programs with the secretary of state, assurance that programs used in vote-tallying are identical to those deposited, mandatory one percent manual recount of all contests, testing of equipment using all applicable ballot formats, disconnect of remote terminals during vote tabulations, and specific scrutiny of ballot count discrepancies.
The value of a ballot-tallying system is that it should be possible, with a recount, to duplicate the result of an election. The problems found in ballot-reader inaccuracy, both in the count of ballots, and in the count of votes on ballots, are a significant source of lack of confidence in vote-tallying.
A recommended goal is that a computerized vote count should be able to be reproduced on a recount with no more than a change in one vote for each ballot position in ballot quantities of up to 100,000 when machine-generated (ideal) ballots are used. A ballot reader should be able to tolerate a wide range of punching or marking behavior by a voter without a significant increase in error.
The use of pre-scored punch cards contributes to the inaccuracy and to the lack of confidence. It is generally not possible to exactly duplicate a count obtained on pre-scored punch cards, given the inherent physical characteristics of these ballots and the variability in the ballot-punching performance of real voters.
It is recommended that the use of pre-scored punch card ballots be ended. One method now available to eliminate pre-scored cards, while retaining the "votomatic" concept, is with a new type of hole-punching stylus that uses spring-loading. A hole of consistent and acceptable dimensions can be created by a voter using the new stylus without the need for pre-scoring. The internal construction of the "votomatic" ballot holder must be altered with the use of the new stylus. Other devices and methods for elimination of prescored punch card ballots also may be effective.
If a ballot cannot be read by machine, administrative controls should be in place to permit such ballots to be counted manually. A voter's choices should not be lost because of machine failure.
Testing to determine the accuracy of current ballot reading systems (such as that now being carried out by ECRI of Plymouth Meeting, PA), and research to improve ballot tallying systems in accuracy and ease of voter use, are important to pursue.
Design of Direct Recording Electronic (DRE) Machines
With DRE machines, no ballot is used. The voter enters choices directly into a storage unit of the machine with the use of pushbuttons, a touch screen, or similar devices. As no voter-generated records of choices exist, and no recount independent of the machine is possible, steps should be taken in the design of these machines to assure complete confidence in the reported results.
A problem with most DRE machines as currently designed (as with lever machines, their predecessors), is that there is no difference in the results seen between a voter's failure to cast a vote and the machine's failure to record a vote.
Recording of Undervotes. It is recommended that each DRE machine be designed so as to take a positive action indicating a "no vote" for every choice that the voter fails to take. When voting is complete, the voter's choices, and any "no votes" for votes not taken, would be transferred to a more permanent storage for summation with other voter's choices. The required transfer and summation of the "no votes" would serve as positive indications of the voter's failure to make certain specific choices. Thus, there would be no ambiguity about whether the voter failed to vote or the machine failed to record selections.
Retention of Voter-Choice Sets for Summation Vertification. Each voter-choice set (i.e., the machine's record of all choices of a voter) should be retained in the machine on a removable non-volatile medium (e.g., magnetic disk). Storage locations of the voter-choice sets would have to be randomized to prevent association of a particular set with a particular voter. The retention of the voter-choice sets makes possible a verification (on an independent machine) of the DRE machine's summation of the voters' choices that it recorded. The correctness of the machine's data entry process cannot be checked in this manner.
DRE data entry hardware should be certified for logical correctness, by examination of the logic design and by testing under a large variety of different conditions. The DRE data entry function must be correct, as there are no ballots to provide an independent check. The data entry logic and its documentation should be deposited with the state.
(Software recommendations are discussed in the accompanying box "Vulnerabilities of Vote-Tallying Software" beginning on p. 1190.)
RECOMMENDATIONS OF OPERATIONAL
Lack of sufficient pre-election testing appears to be a major source of operational difficulty. Sufficient pre-election testing should be done so that errors in software specialization or in implementation of logical rules, if any, will become obvious. It is recommended that to the greatest extent possible, all hardware and software to be utilized should be given a dry run simulating specific conditions to be faced on election day and election night.
Audit Trails. Audit trails provide the supporting documentation through which the correctness of the reported results may be verified. Two types of audit trails are necessary to document operations and provide confidence in the results reported. On type records steps in the operation of the equipment, while the other records steps in the voting and vote-tallying processes.
Complete Data from Split Precincts. Each split of a split precinct should be treated like a separate precinct for the reporting of ballots and votes cast.
Access Controls. Access (i.e., security) controls must be in place during preparations for voting, voting itself, and vote-tallying. These controls concerns access to sites, areas, facilities, equipment, documents, files, and data. The controls cover transportation of ballots and telecommunication of results.
Internal Controls for Tallying Systems. These controls should be in place to prevent all types of ballot frauds and miscounting errors, and to provide the documentation and assurance that the correct results are reported. The controls on ballots cover printing and distribution, accounting for use, validity, and prevention of errors due to mishandling. The controls on data and calculations provide for accurate telecommunication of data, recording of undervotes and overvotes, vote reconciliations that demonstrate consistency, and assurance of accurate vote summarization. A manual recount of at least one percent of the ballots of each contest is recommended. Responsibility for selection of some of the precincts to be recounted should be granted to candidates or parties.
Internal Controls for DRE Systems. These controls should be in place to provide documentation and assurance that the correct results are reported when DRE systems are used. The controls cover matching machine use with voter totals, vote reconciliattions on each machine, recounting of voter-choice sets, and post-election checkout of machines.
Although none of the computer difficulty situations (reviewed in this report) has provided solid evidence of computer program manipulation, the reviews have revealed the need for improvements in hardware and software performance and in operational procedures, and they have provided support for the need for institutional changes. Thus, the reviews have influenced the recommendations provided in this report.
Specific recommendations directly resulting from the reviews of difficulties include the recommendations on improved accuracy in ballot tabulation, elimination of pre-scored punch card ballots, assurance of the counting of ballots rejected by readers, provision of complete data from split precincts, and more thoroughness in pre-election checkout.
While vote-tallying using telephones or stations similar to automatic teller machines is technologically feasible, the decision to implement such a system must be based on more fundamental factors. Any installed system must meet political and economic requirements, as well as technical requirements of accuracy and reliability. Political needs include equal access by individuals, the ability to verify registration, and the ability of the voters to vote in secret without intimidation. Internal controls must be implementable to demonstrate the correctness of the reported results. Benefits, such as increased voter convenience and possible improved participation rates must be compared against the costs of implementation.
|Printer friendly Cite/link Email Feedback|
|Title Annotation:||includes related article on vulnerabilities of vote-tallying software; excerpts|
|Author:||Saltman, Roy G.|
|Publication:||Communications of the ACM|
|Date:||Oct 1, 1988|
|Previous Article:||Computers and elections.|
|Next Article:||Random number generators: good ones are hard to find.|