Election Law: A defense of touchscreen security in Georgia

October 23, 2003

A defense of touchscreen security in Georgia

I received the following e-mail message from Bobby Kahn:

I would love to believe that Governor Barnes really won, and that he lost because of a computer meltdown or a grand conspiracy. Then maybe we can have a �do-over.� Truth is, Governor Barnes lost in large part as a result of a racist campaign by his opponent, who attacked Governor Barnes for spearheading a compromise effort to greatly reduce the size of the confederate battle emblem on the Georgia state flag. But that�s another story.

I now find myself a member of the Georgia State Election Board, which oversees elections in the state. As a result, I am reading more and more from conspiracy theorists and technophobes about touch screen voting.

By way of disclosure, I am predisposed to believe in the touch screen systems because following the 2000 elections, our office worked very closely with Secretary of State Cathy Cox to fund and implement the nation�s first uniform statewide touch screen voting system. Secretary of State Cox took a huge political risk, and did a first class job in implementing the system in Georgia�s 159 counties, which included training each of the 159 election superintendents and their poll workers responsible for conducting elections (Georgia has more counties than any state other than Texas!). She is at the forefront of post-Florida efforts to modernize voting.

Before addressing the feeding frenzy of charges, let�s look at what the touch screens replaced. I remember the first election in which I voted � 1976 presidential primary. Chatham County (Savannah) Georgia used lever machines. I pulled the lever for Jimmy Carter, and immediately wondered if the vote would ever count. I have wondered ever since. No paper trail. Nothing to recount. No redundancy. And the �technology� � give me a break. We are painfully aware of the drawbacks of punch cards, and less so, optical scan machines. And once the votes are cast, what becomes of the punch card, scan sheet, or machine. All are subject to tampering, with fewer checks than the touch screen system in use in Georgia.

Just what are the checks in Georgia? First, the system is qualified by an ITA, or Independent Testing Authority, which is the gold standard in this area. Georgia is fortunate to have the Center for Election Systems at Kennesaw State University (KSU), which has unmatched expertise in voting systems. KSU reviews the system for compliance with state law, and tests the system for presence of any unauthorized or fraudulent code. After the successful completion of this process, the system is then certified for use in Georgia. Once certified, the vendor is then allowed to install the system in local jurisdictions. As an additional guard against uncertified equipment being used in an election, KSU has developed a validation program to use to test the system as installed in local jurisdictions. Using this process, KSU verifies that the system installed by the vendor, Diebold, in the local jurisdiction is identical to the system received from the ITA and certified by KSU. Within each jurisdiction, software security includes audit logs and passwords. There are procedural security features regarding access, qualification testing, certification testing, acceptance testing and logic and accuracy testing. As for physical security, there are at least five requirements: servers are always kept in locked offices of county officials; no extraneous software can be installed on servers; no network connectivity; physical access limited to authorized personnel; and touch screen units are locked and sealed when not in use.

Security is an on-going process, and is constantly updated. Most recently, KSU developed a state-of-the-art �hashing� program used to examine the servers in all 159 counties. This program is designed to assure that software operating on the county servers matches precisely the software that was tested and certified at the national and state levels, and that no extraneous software resides on the servers. The Secretary of State plans to extend this �hashing� capability to all 26,000 touch screen terminals.

Still, the technophobes and conspiracy theorists don�t give up. Consider the charges:

-Hackers. Many of the critics and conspiracy theorists assume that all the equipment is networked and accessible via the internet. Not true, at least in Georgia. Hard to hack when not on the internet. Even if a hacker could physically gain access to the server at the state, or in one or more of Georgia�s 159 counties, there are all kinds of checks along the way. The hacker would also have to get to one or more of the touch screen machines. And to truly have an impact in a statewide election, the hacker would have to gain access to servers in more than one county. The hacker would have to do all this within a narrow timeframe, since there are physical seals and checks in place.

-Error. How do you know the vote was cast? How do you know it was counted. That�s the question I have about my vote for Jimmy Carter in 1976. Same question applies to touch screens today. No system is 100% error free. But the touch screen system comes close. And the undervote (a problem in Florida) has been significantly reduced. In Georgia, the undervote in the top ticket races in 1998 was 4.8%. In 2002, the undervote had fallen to less than 0.9%. Significant reductions came in minority precincts. Perhaps some of the critics of touch screen would prefer a greater undervote in minority precincts!
See Preliminary 2002 Undervote Analysis.

-Need for a paper receipt. The latest attack on touch screen systems has centered around the need for a paper receipt. In analyzing the Maryland touch screen system, SAIC (Science Applications International Corporation) addressed this issue: �A printed ballot (receipt) would still be subject to fraud. A compromised machine could be programmed to record votes incorrectly, but provide a correct paper ballot to the voter. Only in the event of a total recount would this be discovered. Additionally, the process of hand counting the millions of votes is time consuming and prone to error.� In addition to the fact that reintroducing paper into the process raises objections from advocates for voters with disabilities (see here), paper has been the source of many of the fraud cases, at least in Georgia. And paper is more prone to error � loss or destruction of ballots, whether intentional or not. With touch screen, on the other hand, there are redundancies built into the system, so even if a machine is damaged, there is at least one backup to make sure the votes are counted.

-The Rubin report. Technophobes and conspiracy buffs find comfort in a report by Johns Hopkins University Researcher Avi Rubin. He raises a number of the issues dealt with above, and is highly critical of Diebold. Many of his criticisms were theoretical, with very little real-world application. One aspect of the Rubin report has a great deal of real-world application � good old fashion conflict of interest. Turns out, Rubin had stock options in VoteHere, a competitor of Diebold. Rubin was also a member of VoteHere�s technical advisory board. (Atlanta Journal-Constitution, August 20, 2003; see here.).

I have just hit the highlights here. There are many other sources. See Letter from Secretary Cox to Election Board Members (here; here). Bottom line, the system we have in Georgia is not perfect, but I believe it is the best voting system in the world. Is there room for improvement? Yes, and Secretary of State Cathy Cox is working on implementing improvements every day. Am I happy with the results of the 2002 election? Of course not, but for better or for worse, the count was accurate.

Bobby Kahn

Thanks for writing.

Posted by Rick Hasen at October 23, 2003 09:52 PM