Last updated on: 4/23/2008 12:23:00 PM PST
Is There a Method in Place to Make Sure the Electronic Voting Machines Used by Voters on Election Day Are Fully Certified and Identical to the Machines That Were Tested?
The National Academy of Sciences' 2005 report "Asking the Right Questions About Electronic Voting," stated:
"A digital signature of the software running on any given [electronic voting] station can be taken for comparison with a known version... A digital signature is a unique, algorithmically generated fingerprint of any digital object (such as a software module). By comparing signatures, one can easily determine if two objects are identical. NIST maintains a library of certified code to which ITAs [Independent Testing Authorities] can submit qualified election software and firmware versions, with a digital signature that enables states and local election officials to check whether individual machines utilize exactly the same software."
2005 - National Academy of Sciences (NAS)
Britain Williams, PhD, voting machine examiner for the State of Georgia, offered the following explanation in his May 5, 2004 testimony before the U.S. Election Assistance Commission (EAC):
"When the system successfully passes the State Certification and is certified for use in Georgia, the KSU [Kennesaw State University] Center for Election Systems prepares an electronic signature of the system and archives the software source code and object code... When the vendor notifies the State that they have completed installation in a particular county, the KSU Center for Election Systems sends a team to the county to conduct Acceptance Tests. These tests verify that the hardware is operating correctly and the correct version of the software has been installed. During these tests the electronic signature of the software installed in the county is compared with the electronic signature of the software archived by the KSU Center for Election Systems to validate that the county system is identical to the system that was State certified...
Rigid policies and procedures are in place that control who can access the election system, when they can access the system, what components they can access, and what function they are allowed to perform... Many of these procedures are directed toward insuring that the correct versions of the system software are initially installed in the GEMS computers and voting stations and, subsequently, testing at various times to insure that this software has not been altered."
May 5, 2004 - Britain Williams, PhD
Kathy Rogers, Director of Election Administration for the State of Georgia, stated in her May 5, 2004 testimony before the U.S. Election Assistance Commission:
"The Center for Election Systems at KSU tested every touch screen unit, encoder, optical scan ballot reader and server used in the 2002 General election... An important function of this testing is to assure that the correct, current, state-certified and NASED-qualified software is operating on all components of the election platform. As such, the State and its counties are not forced to solely rely on the representations of the vendor, but instead benefit from the expertise of an independent and technically capable partner to assure consistency and quality control statewide.
During acceptance testing technicians from the Center for Election Systems at KSU utilize a software-hashing program that verifies the system installed by the vendor is identical to the system certified at the state level."
May 5, 2004 - Kathy Rogers
Herb Deutsch, Product Development Manager for Election Systems and Software (ES&S), stated in his Sep. 21, 2004 testimony before the Technical Guidelines Development Committee Subcommittee on Computer Security and Transparency:
"The programs used in tabulation and voting equipment are not election specific. They are unit specific and, as part of the Independent Test Authority (ITA) certification testing by an approved ITA, have their source code reviewed for structure, both for maintainability and for improper execution, and for the existence of surreptitious code. The compilation of this reviewed code, which is version identified, is witnessed by the ITA and both source code and the compiled executable code is archived. In many cases this code is sent directly to the State, who also must certify the equipment, by the ITA where it is archived for purposes of auditing against what is installed in units shipped by the vendor... It should be noted that the firmware/software version used in the test is auditable to ensure that it is the same as the version that was certified for use in the state."
Sep. 21, 2004 - Herb Deutsch, MA
The Government Accountability Office (GAO) 2005 report "Elections: Federal Efforts to Improve Security and Reliability of Electronic Voting Systems Are Under Way, But Key Activities Need to be Completed," explained:
"The voting system software installed at the local level may not be the same as what was qualified and certified at the national or state levels... Either intentionally or by accident, voting system software could be altered or substituted, or that vendors or local officials might (knowingly or not) install untested or uncertified versions of voting systems. As a result, potentially unreliable or malicious software might be used in elections. For example, in separate instances in California and Indiana, state officials found that two different vendors had violated regulations and state law by installing uncertified software on voting systems."
2005 - US Government Accountability Office (GAO)
Doug Jones, PhD, Associate Professor of Computer Science at the University of Iowa, stated in his Sep. 20, 2004 testimony before the Technical Guidelines Development Committee Subcommittee on Computer Security and Transparency:
"How can an observer assure himself or herself that the software that is actually in use is indeed the very same software that has been approved for use?... Unfortunately, the self-reported identity of a piece of software does nothing to assure an observer that this software is honest... The use of 'software fingerprints' computed by some cryptographically secure hash function does nothing to change this fact. So long as the observer is limited to inspecting the self-declaration of identity of the system, there is no way for the observer to know whether that identity is declared honestly or not... Only if the observer can directly examine the memory of the computer and compare it with a reference memory image can the observer really know that what is in the computer and what is authorized to be there are the same. If we allow this comparison, we compromise the author's right to retain this software as a trade secret. In addition, if we are not very careful, the same memory access that allows inspection can also allow modification, thus elevating the election observer to the status of a security threat."
Sep. 20, 2004 - Douglas W. Jones, PhD
Kevin Shelley, former Secretary of State of California, stated in the Apr. 20, 2004 "Staff Report on the Investigation of Diebold Elections Systems, Inc.":
"For the March 2, 2004 Statewide Primary Election (March Primary), three California counties (Alameda, Los Angeles, and Plumas) utilized the TS, and four counties (San Diego, Solano, San Joaquin, and Kern) used the TSx system. Diebold marketed, sold, and installed its TSx in these four California counties prior to full testing, prior to federal qualification, and without complying with the state certification requirements...
The VSPP [Voting Systems and Procedures Panel of the State of California] initiated an audit of all 17 California counties using Diebold voting systems. The audit discovered that Diebold had, in fact, installed uncertified software in all its client counties without notifying the Secretary of State as required by law... In sum Diebold marketed and sold the TSx system before it was fully functional, and before it was federally qualified; ...installed uncertified software on election machines in 17 counties; sought last minute certification of allegedly essential hardware, software, and firmware that had not completed federal testing; and in doing so, jeopardized the conduct of the March Primary."
Apr. 20, 2004 - Kevin Shelley, JD
The Raw Story, an online news source, stated in their Feb. 16, 2006 article "Documents Show Maryland Held Election, Primary on Uncertified, Illegal Diebold Voting Machines":
"The Maryland State Board of Elections allowed Diebold Election Systems to operate its touch-screen voting machines during the state's 2002 gubernatorial election and the 2004 presidential primaries before the state agency actually certified the controversial machines, according to recently disclosed documents... In November 2002, Linda Lamone [administrator of the State Board of Elections] allowed Diebold to operate its machines in four counties for the state gubernatorial election... In March 2004, during the presidential primary elections, Maryland became one of only two states in the country to use Diebold voting machines throughout the entire state. A month later, [activist Linda] Schade had filed her lawsuit...but at that time, Schade had no idea that Lamone had not even bothered certifying the machines. In fact, the machines did not get certified until the following month. The machines were finally certified May 20, 2004."
Feb. 16, 2006 - The Raw Story