Is There an Effective Method in Place to Assure the Accuracy of Ballot Definition Files?
Cathy Cox, the Georgia Secretary of State, released a document titled "Multilevel Equipment Testing Program Designed to Assure Accuracy and Reliability to Touch Screen Voting System," www.sos.state.ga.us (accessed Apr. 5, 2006) which stated:
"'Logic and Accuracy' testing assures that all candidates and questions for each ballot style in each precinct [ballot definitions] are properly loaded onto the system. Sample votes are cast on the equipment and these totals are verified. Logic and Accuracy differs from [other] rounds of examination because the testing is specific to the exact ballot that will be displayed in a specific precinct on election day."
Dana DeBeauvoir, Travis County (Texas) Clerk, submitted a paper titled "Prevention of Attack, Not Detection After the Fact: A Note on Risk Assessment and Risk Mitigation" in conjunction with her public testimony before the U.S. Election Assistance Commission on May 5, 2004, which stated:
"Logic and Accuracy (L&A) testing proofs the ballot and proves that the system is properly adding votes to each candidate in the same quantity as the votes were manually entered. The system result is compared to a known set of data and must match.
There is a risk that inadvertently or deliberately a candidate would be left off the ballot or be assigned to the wrong precinct(s). Logic and Accuracy testing confirms that each candidate appears in the proper precinct, including split precincts, and does not appear in precincts outside that candidate's jurisdiction. L&A testing is the most important tool in confirming that the ballot is correct."
Sequoia, a manufacturer of electronic voting machines, released a paper on its website on July 30, 2003 titled "Sequoia Discusses Safeguards of Electronic Voting" in response to the Aviel Rubin et al. paper "Analysis of an Electronic Voting System." The Sequoia article stated:
"The Johns Hopkins researchers argue that if the [ballot definition] can be accessed by Internet connectivity or modem access...the system can be manipulated. The pre-election programming of Sequoia's AVC Edge [a model of electronic voting machine] is conducted at the election headquarters and secured inside the physical hardware of the machine before it is sent to a polling place.
The AVC Edge also stores all election data, including ballot definition, in redundant memory. The accuracy and content of these redundantly stored files is validated at power-up and again after every single vote is cast. If there is ever a discrepancy, the machine will halt operation."
Diebold Election Systems, Inc. released a paper titled "Checks and Balances in Elections Equipment and Procedures Prevent Alleged Fraud Scenarios" on July 30, 2003 on its website as a direct response to the Aviel Rubin et al. paper "Analysis of an Electronic Voting System." The Diebold article stated:
"Rubin et al. allege that 'by simply changing the order of the candidates as they appear in the ballot definition, the results file will change accordingly. However, the candidate information itself is not stored in the results file.'
This is incorrect. Changing the order of the candidates in the ballot definition would result in a change in the order of the results as well. Candidates would simply be listed in the wrong order on the ballot. It does not matter that the candidates are not stored in the results file. In reality, it is the very fact that the candidate keys are not stored with the results that makes the system immune to such tampering."
Barbara Simons, PhD, Computer Scientist and Former President of the Association for Computing Machinery (ACM) wrote in her paper "Electronic Voting Systems: The Good, the Bad, and the Stupid" ACM Queue, Oct. 2004:
"Although critical to elections, BDFs [ballot definition files] are never independently inspected by an ITA [Independent Testing Authorities]. While properly conducted pre-election testing should uncover errors in BDFs, such testing is not routine in many jurisdictions, where state laws merely require that the tests include casting at least one vote for each candidate in each race on the ballot, using each ballot style in use in the jurisdiction.
When errors in BDFs do occur - leading, for example, to votes for one candidate being credited to a different candidate - they can be detected with optical scan voting systems, because anomalous computer-reported results can be discovered through manual recounts of paper ballots. With paperless DREs, however, there is no way to perform such a recount."
Ellen Theisen, CEO of the Vote-PAD Company, stated in her 2005 paper "Ballot Definition Files: No Review Is Provided for a Key Component of Voting System Software":
"The ballot definition file is not subject to any certification other than whatever Logic and Accuracy (L&A) testing a jurisdiction chooses to do. Since L&A tests are performed in a different operating mode than actual elections, the ballot data is never subjected to a true field test before the election...
If an error, intentional or accidental, went undetected, the election outcome could easily be both incorrect and uncontested...With so many documented cases of ballot data errors on optical scan machines, it is unreasonable to believe they have not occurred on DREs, yet none have been documented. This is not surprising, since there would be no way to detect a ballot data error without paper ballots.
In response to the warnings of computer experts, many election officials have claimed that their security procedures guard against vulnerabilities. However, security procedures do not guard against the possibility of flawed ballot definition data. Furthermore, since the software underlying the ballot data is a trade secret of the vendor, there is no way for election officials to know precisely how the ballot data is being used."
Aviel Rubin, PhD, Technical Director of the Johns Hopkins University Information Security Institute wrote in his paper "Analysis on an Electronic Voting System" (Johns Hopkins University Information Security Institute Technical Paper TR-2003-19, July 23, 2003):
"If the voting terminals download the ballot definition over a network connection, then an adversary could tamper with the ballot definition file en-route from the back-end server to the voting terminal...[T]he adversary need not be an election insider; the adversary could, for example, be someone working at the local ISP [Internet service provider]. If the adversary knows the structure of the ballot definition, then the adversary can intercept and modify the ballot definition while it is being transmitted. Even if the adversary does not know the precise structure of the ballot definition, many of the fields inside are easy to identify and change, including the candidates' names, which appear as plain...text.
Because no cryptographic techniques are in place to guard the integrity of the ballot definition file, an attacker could add, remove, or change issues on the ballot, and thereby confuse the result of the election.
More subtle attacks are also possible. By simply changing the order of the candidates as they appear in the ballot definition, the results file will change accordingly. However, the candidate information itself is not stored in the results file, which merely tracks that candidate 1 got so many votes and candidate 2 got so many other votes. If an attacker reordered the candidates on the ballot definition, voters would unwittingly cast their ballots for the wrong candidate."