Is there a method in place to make sure the electronic voting machines used by voters on Election Day are fully certified and identical to the machines that were tested?
The National Academy of Sciences' 2005 report "Asking the Right Questions About Electronic Voting," stated:
"A digital signature of the software running on any given [electronic voting] station can be taken for comparison with a known version... A digital signature is a unique, algorithmically generated fingerprint of any digital object (such as a software module). By comparing signatures, one can easily determine if two objects are identical. NIST maintains a library of certified code to which ITAs [Independent Testing Authorities] can submit qualified election software and firmware versions, with a digital signature that enables states and local election officials to check whether individual machines utilize exactly the same software."
Britain Williams, PhD, voting machine examiner for the State of Georgia, offered the following explanation in his May 5, 2004 testimony before the U.S. Election Assistance Commission (EAC):
"When the system successfully passes the State Certification and is certified for use in Georgia, the KSU [Kennesaw State University] Center for Election Systems prepares an electronic signature of the system and archives the software source code and object code... When the vendor notifies the State that they have completed installation in a particular county, the KSU Center for Election Systems sends a team to the county to conduct Acceptance Tests. These tests verify that the hardware is operating correctly and the correct version of the software has been installed. During these tests the electronic signature of the software installed in the county is compared with the electronic signature of the software archived by the KSU Center for Election Systems to validate that the county system is identical to the system that was State certified...
Rigid policies and procedures are in place that control who can access the election system, when they can access the system, what components they can access, and what function they are allowed to perform... Many of these procedures are directed toward insuring that the correct versions of the system software are initially installed in the GEMS computers and voting stations and, subsequently, testing at various times to insure that this software has not been altered."
Kathy Rogers, Director of Election Administration for the State of Georgia, stated in her May 5, 2004 testimony before the U.S. Election Assistance Commission:
"The Center for Election Systems at KSU tested every touch screen unit, encoder, optical scan ballot reader and server used in the 2002 General election... An important function of this testing is to assure that the correct, current, state-certified and NASED-qualified software is operating on all components of the election platform. As such, the State and its counties are not forced to solely rely on the representations of the vendor, but instead benefit from the expertise of an independent and technically capable partner to assure consistency and quality control statewide.
acceptance testing technicians from the Center for Election Systems at KSU utilize a software-hashing program that verifies the system installed by the vendor is identical to the system certified at the
Herb Deutsch, Product Development Manager for Election Systems and Software (ES&S), stated in his Sep. 21, 2004 testimony before the Technical Guidelines Development Committee Subcommittee on Computer Security and Transparency:
programs used in tabulation and voting equipment are not election specific. They are unit specific and, as part of the Independent Test Authority (ITA) certification testing by an approved ITA, have their source code reviewed for structure, both for maintainability and for improper execution, and for the existence of surreptitious code. The compilation of this reviewed code, which is version identified, is witnessed by the ITA and both source code and the compiled executable code is archived. In many cases this code is sent directly to the State, who also must certify the equipment, by the ITA where it is archived for purposes of auditing against what is installed in units shipped by the vendor... It should be noted that the firmware/software version used in the test is auditable to ensure that it is the same as the version that was certified for use in the state."
The Government Accountability Office (GAO) 2005 report "Elections: Federal Efforts to Improve Security and Reliability of Electronic Voting Systems Are Under Way, But Key Activities Need to be Completed," explained:
"The voting system software installed at the local level may not be the same as what was qualified and certified at the national or state levels... Either intentionally or by accident, voting system software could be altered or substituted, or that vendors or local officials might (knowingly or not) install untested or uncertified versions of voting systems. As a result, potentially unreliable or malicious software might be used in elections. For example, in separate instances in California and Indiana, state officials found that two different vendors had violated regulations and state law by installing uncertified software on voting systems."
Doug Jones, PhD, Associate Professor of Computer Science at the University of Iowa, stated in his Sep. 20, 2004 testimony before the Technical Guidelines Development Committee Subcommittee on Computer Security and Transparency:
"How can an observer assure himself or herself that the software that is actually in use is indeed the very same software that has been approved for use?... Unfortunately, the self-reported identity of a piece of software does nothing to assure an observer that this software is honest... The use of 'software fingerprints' computed by some cryptographically secure hash function does nothing to change this fact. So long as the observer is limited to inspecting the self-declaration of identity of the system, there is no way for the observer to know whether that identity is declared honestly or not... Only if the observer can directly examine the memory of the computer and compare it with a reference memory image can the observer really know that what is in the computer and what is authorized to be there are the same. If we allow this comparison, we compromise the author's right to retain this software as a trade secret. In addition, if we are not very careful, the same memory access that allows inspection can also allow modification, thus elevating the election observer to the status of a security threat."
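The comparison described in the testimony above, as an added example that is not part of any quoted statement and not any state's or vendor's actual tool: an acceptance check that hashes an installed image with the examiner's own code and compares it against a manifest archived at certification time. File names, contents and the version string are constructed, and the sketch assumes the installed bytes were read out through a path independent of the machine's own software.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Reference manifest made once, at certification time: path -> SHA-256."""
    return {path: sha256_hex(blob) for path, blob in sorted(files.items())}


def acceptance_check(reference: dict[str, str],
                     installed: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare an installed image against the archived reference manifest.

    Hashes are computed here, by the examiner's tool, over bytes the examiner
    read out; nothing the installed software says about itself is consulted.
    """
    report = {"modified": [], "missing": [], "uncertified": []}
    for path, expected in reference.items():
        if path not in installed:
            report["missing"].append(path)
        elif sha256_hex(installed[path]) != expected:
            report["modified"].append(path)
    # Files present on the unit that were never part of the certified build.
    report["uncertified"] = sorted(set(installed) - set(reference))
    return report


def is_identical(report: dict[str, list[str]]) -> bool:
    return not any(report.values())


# Constructed sample data: the certified build as archived.
CERTIFIED = {
    "VERSION": b"constructed-1.0",
    "firmware/ballot.bin": b"certified ballot logic",
    "firmware/tally.bin": b"certified tally logic",
}
REFERENCE = build_manifest(CERTIFIED)

# Constructed installed image: same self-reported version string,
# but one module differs and one extra file is present.
INSTALLED = dict(CERTIFIED)
INSTALLED["firmware/tally.bin"] = b"altered tally logic"
INSTALLED["firmware/patch.bin"] = b"field patch"

if __name__ == "__main__":
    print(acceptance_check(REFERENCE, INSTALLED))
```

The altered image still carries the certified version string, so a check of the self-reported version passes while the hash comparison does not.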
Kevin Shelley, former Secretary of State of California, stated in the Apr. 20, 2004 "Staff Report on the Investigation of Diebold Elections Systems, Inc.":
the March 2, 2004 Statewide Primary Election (March Primary), three California counties (Alameda, Los Angeles, and Plumas) utilized the TS, and four counties (San Diego, Solano, San Joaquin, and Kern) used the TSx system. Diebold marketed, sold, and installed its TSx in these four California counties prior to full testing, prior to federal qualification, and without complying with the state certification
VSPP [Voting Systems and Procedures Panel of the State of California] initiated an audit of all 17 California counties using Diebold voting systems. The audit discovered that Diebold had, in fact, installed uncertified software in all its client counties without notifying the Secretary of State as required by law... In sum Diebold marketed and sold the TSx system before it was fully functional, and before it was federally qualified; ...installed uncertified software on election machines in 17 counties; sought last minute certification of allegedly essential hardware, software, and firmware that had not completed federal testing; and in doing so, jeopardized the conduct of the March Primary."
The Raw Story, an online news source, stated in their Feb. 16, 2006 article "Documents Show Maryland Held Election, Primary on Uncertified, Illegal Diebold Voting Machines":
Maryland State Board of Elections allowed Diebold Election Systems to operate its touch-screen voting machines during the state's 2002 gubernatorial election and the 2004 presidential primaries before the state agency actually certified the controversial machines, according to recently disclosed documents... In November 2002, Linda Lamone [administrator of the State Board of Elections] allowed Diebold to operate its machines in four counties for the state gubernatorial election... In March 2004, during the presidential primary elections, Maryland became one of only two states in the country to use Diebold voting machines throughout the entire state. A month later, [activist Linda] Schade had filed her lawsuit...but at that time, Schade had no idea that Lamone had not even bothered certifying the machines. In fact, the machines did not get certified until the following month. The machines were finally certified May 20, 2004."