George,

I am a Charlottesville native and UVa SEAS graduate (Computer Science class of 2000). I have been involved in electronic voting issues for the last few years, and was part of a panel at the Virginia Legislative Electronic Voting Committee on Monday. I was there for Mr. Sincere's comments, and saw the video of his comments on July 19th . ... [T]his link ... shows that the video ... is unedited and has his complete 8-minute testimony, from the time he approaches the podium to the moment he walks away: [Edited slightly for clarity].

http://www.cs.duke.edu/~justin/voting/sincere_20050719.mpg (32.1 MB)

This past Monday, Mr. Sincere presented testimony that was wrong on the facts, displayed a fundamental misunderstanding of the problems of source code quality assurance, displayed a fundamental misunderstanding of the important issues to consider when choosing a voting system, and presented a financial "study" that has since been discredited.

Mr. Sincere testified that an attacker would have to bribe nearly a dozen people -- if not more -- to hack into a voting system. This shows a lack of imagination as to how hackers actually get into computer systems. Last summer I created a write-up of how one might break into a voting system, with only modest means. This write-up was subsequently linked to in Bruce Schneier's monthly computer security newsletter, Crypto-Gram, required reading for any security professional.

http://www.cs.duke.edu/~justin/voting/PrezNader.html

http://www.schneier.com/crypto-gram-0406.html

Second, Mr. Sincere testified that the federal government, Virginia, and Charlottesville all examine and test voting machines, which catch all possible problems. As a computer scientist and North Carolina resident, I can attest that this is simply wrong. Many modern touchscreen systems are based on Windows XP or an embedded form of Windows (CE); the source code for these operating systems consist of between 15 and 45 million lines of source code, NONE of which is ever examined. Federal voting system standards explicitly exempt commercial off-the-shelf (COTS) products used in voting machines. Even though this software constitutes the bulk of the code on your modern paperless machine, it is never examined by the feds, and only tested to meet low standards; for example, the mean-time-between-failure for even the most recent voting system standards is 163 hours. This means that on election day in Virginia, nearly 10% of the voting machines can experience a failure and still meet federal standards; during the two-week early voting in North Carolina, over 90% of the machines can experience a failure and still pass federal standards.

On a more simple basis, every single voting machine failure to date -- including the permanent loss of 4,500 votes in Carteret County, North Carolina -- occurred on a voting machine that passed all stages of testing and examination. If Mr. Sincere was correct about the effectiveness of testing, we wouldn't be seeing these problems in the first place.

Thirdly, Mr. Sincere repeatedly pushed the fact that voters "liked" the new machines. Usability and reliability have nothing to do with each other. I'm sure there were many satisfied owners of Ford Pintos (well, right up until their car exploded in a crash). The question is not "do the voters like it?", but rather "will it work reliably?" Mr. Sincere wrote on his blog on Monday:

Given the undisputedly high levels of voter satisfaction with Charlottesville's eSlate system, and the lack of complaints from voters at large, the burden of proof is on Councilor Lynch and others who insinuate that the system is untrustworthy or inadequate.

I would counter with this statement:

Because the idea that you accept risks, the consideration of this thing is always during flight. It is a flight review, and so you decide what risks to accept. I read all of these reviews, and they agonize whether they can go even though they had some blow-by in the seal or they had a cracked blade in the pump of one of the engines, whether they can go the next time or this time, and they decide yes. Then it flies and nothing happens.

Then it is suggested, therefore, that that risk is no longer so high. For the next flight we can lower our standards a little bit because we got away with it last time. If you watch the criteria of how much blow-by you're going to accept or how many cracks or how long the thing goes between cracks, you will find that the time is always decreasing and an argument is always given that the last time it worked.

It is a kind of Russian roulette. You got away with it, and it was a risk. You got away with it, but it shouldn't be done over and over again like that. When I look at the reviews, I find the perpetual movement heading for trouble.

The above was said by Dr. Richard Feynman on April 3, 1986, during the Presidential Commission on the Space Shuttle Challenger Accident. That Commission concluded

[the] eventual cause of the Challenger accident was a technical failure of a solid rocket booster O-ring. This hardware failure was a direct result of management failures that included poor communications, misinterpretation of information, incentives to launch unless proven categorically unsafe and excessive optimism under schedule pressures.

This sentiment was echoed in 2003 by NASA Director Sean O'Keefe in the wake of the Columbia disaster.

[T]here needs to be a fundamental shift from the current ethic of 'prove that it is unsafe' to one wherein all the processes seek to 'prove that it is safe.'

The burden is to prove that electronic voting is safe, not for opponents to prove that it is unsafe.

Finally, Mr. Sincere submitted a financial report to the Committee, created by George Gilbert, the Director of Elections in Guilford County, North Carolina. This study has since been refuted by the state's own financial research on this issue, research that Mr. Gilbert himself helped perform:

http://www.ncleg.net/Sessions/2005/FiscalNotes/Senate/PDF/SFN0223v5n1.pdf

This study was done with the help of Gary Bartlett, another advocate of paperless voting systems. However, Mr. Bartlett is more willing to have an honest discussion about the costs and tradeoffs of different systems.

Mr. Gilbert has a history of making wildly inaccurate statements and asserting that his opponents are lying, without provided any hard proof of his statements. Anyone looking to take advice from Mr. Gilbert -- or from anyone else, for that matter -- should be certain that statements are backed by facts and research, rather than simple assertion.

Justin Moore (electronic mail, August 24, 2005)

P.S. In his blog, Mr. Sincere cites a FAQ from the League of Women Voters in support of paperless systems. This FAQ runs contrary to the official position of the LWV, which is simply that any voting system must be "Safe, Accurate, Recountable, and Accessible." The FAQ is a remnant of the old pro-DRE position of the LWV leadership, which lead to a heated debate at the 2004 LWV National Conference, and the change of official position by the LWV. In short, Mr. Sincere is relying on yet another document that misrepresents the facts; in this case, the official position of the LWV.

Duke University Department of Computer Science, Durham, NC 27708-0129
Email: justin@cs.duke.edu
Web: http://www.cs.duke.edu/~justin/