No Leaky Buckets
Needed: Voting Security and Election Results Credibility
"If you cannot trust the way your votes are counted, nothing much else in politics matters!"
    Home     All The Holes      Publications      Demos      Reference-Materials      Legislative     Brazil 

Recognize and fix all the leaks in our balloting and counting systems!
Permission: This message/document MAY be copied and redistributed widely, but only in its entirety and with credit to the author, including this line:.....................

Review and Critique, by Marian Beddill, LWV Bellingham/Whatcom-WA and founding member, Whatcom Fair Voting, of...
The Machinery of Democracy:
Protecting Elections in an Electronic World
Executive Summary by the Brennam Center Task Force on Voting System Security


I have carefully read the Executive Summary ( 19 pages plus 6 pages introduction )., available at: ; and at:

Here are my comments. July 18, 2006

In general, I find this to be an excellent document, carefully researched, and approached from the civic-consciousness which protecting democracy merits. My only concerns are with some details and phrases which could be expressed better, within the concept and goals stated.

First, the list of collaborators - members of the convened Task Force, is extensive and impressive, with one exception. I did not perceive a professional business/financial auditor in the list (as distinguished from an elections official, also commonly titled "Auditor".) Perhaps one of the named individuals is a professional auditor, but it did not show.

The study is "systematic" - which is an essential. So many opinion pieces deal with only one element of a situation - this one incorporates all steps from the mind of the voter while voting, to the certification of the election results. A leak in a bucket anywhere lets the water run out, they acknowledged that the whole bucket is essential, although giving only a single phrase to "appropriate physical security and accounting practices" needing to be in place.

I have a concern over two phrases, commonly used in the voting system discussions. Let me begin by citing an example from another context, to make my point.
You are reviewing dress-shirts. You tell me: Is there a difference between these two statements?:
     "This shirt is washable."
     "This shirt is washed." Different meaning? Of course. Capable, versus history.
Now, in our context:
     "This paper ballot is verifiable."
     "This paper ballot is verified." Capable, versus history.
The Brennen Center Report uses the common phrase: "voter-verified" as the definition of the system, even though they later specifically cite the LACK of actual verification by too many voters, as a serious problem. My proposal is to use "voter-verifiable paper ballot " as the phrase for VVPB -- and my question to the Brennan editors is: "Did your team purposely and consciously choose the past-tense form, rather that the characteristic form, of verify?" Justify.

Closely related, is the references to "trail", as in "audit-trail" or the legalistic "trail-of-custody". I find inconsistent and unclear use of the term "trail" throughout the executive summary. Perhaps the lack (?) of a professional audit expert on the Task Force, let that phrase remain vague

One more concern, is the slight attention given to "CCOS" systems (Central-Count Optical Scan) such as used in all of Oregon and much of Washington state. In those two states, VBM is the norm (Vote-by-Mail) and there are no longer traditional Polling-Places in most counties. This does widen the avenues for interference with the casting of ballots, as there is only a loose chain-of-custody between the moment a ballot is delivered to the postal box of a voter, and the moment it is returned to the possession of the elections office.

Those are my observations on Page 1 - on the scope and general terminology in the report.

The meat of the Report is exceptionally well done. The Core Findings (Page 2) are excellent, and the Conclusion (Page 19) are clear and elegantly stated. They acknowledge that most systems have security vulnerabilities, they can be substantially remedied, and that few jurisdictions have done much, yet. Highly relevant is the realization that the implementation of the recommendations are neither difficult nor overly expensive. I will add -- What price Democracy and Freedom?

A critical statement, one I have been making for years, is that the paper ballot is of little value for system security unless it is USED to verify the machine counts. They repeatedly insist that audits must be automatic and routine. Page 3 lists six specific steps which jurisdictions can and should take, including (as the first) "automatic routine audits" for "every election".

On Page 4, they missed an opportunity to insert two words. "...citizens to have full confidence that their votes will be accurately recorded." -- could have concluded: "...and counted."

Overall, they also note that simple mistakes in systems - programming or implementation - can corrupt the results; it is not necessary to presume criminal intent. People make mistakes, and management needs to have methods to catch them, then correct them.

Another point is scope of impact - the number of votes which could be affected by an "impropriety" in the system, accidental or intentional. Centralized processes, which apply to large numbers of ballots, obviously have a greater impact. Thus, those systems need even more scrutiny, by diligent watchers, than the systems at pollsites. Likewise, large jurisdictions (states, big cities) merit more effort than smaller ones, notwithstanding that a close race could be affected even by changes in a small jurisdiction.

I found it initially troubling (Pages 5-6) that they simplified the threat-measure to a single parameter - number of people needed to execute an attack. However, the conclusions are consistent with my own analysis.

Pages 6-9, and 11, give real-world examples, in plain language, with graphics, that should be easy for even the newcomer to the topic to understand. The examination of DRE's on Page 11 cites the situation where voters MIGHT NOT verify the paper record created by the system, and gives a simple, clear example of how fraud could be introduced in that case, and why a followup audit is necessary. In that description, I learned one new thing - the necessity for ALSO tabulating and conducting a review of overvotes and undervotes,; including those statistics in any report, and investigating cases where those counts were exceptionally high.

Two points which should be obvious (at least to any person familiar with the concepts) are banning all wireless capabilities, and using de-centralized programming and system administration. Wireless is a simple, open door for anyone with basic knowledge to wreak havoc. Centralized programming (including the now-common practice of having the VENDOR set up the features of the system individually for EVERY election), maximises the effect of any improper process - the whammy is bigger and harder to deal with. Selection of systems which are locally-managed and configured, reduces the impact.

The final recommendation, #6, (Pages 16-18) is expressed in simple, clear language, the list of things which all jurisdictions should do. Again, they emphasize the need (now evidently little done) to have clear procedures in law and regulations, for what to do WHEN corruption is suspected or found. They start with additional in-depth review, and conclude with annulling the election and conducting it again.

I agree, because "If you cannot trust the way your votes are counted, nothing much else in politics matters!"

My final recommendations to everyone who is involved in elections systems are -- Read the Brennan Report. It is written in plain language (for the most part), so techno-gobbledy-gook will not be a deterrent. And -- work on your election officials, local, state and federal, to achieve the items recommended in the Report.

Marian Beddill
LWV Bellingham/Whatcom, WA
360.223.5718 by Marian Beddill,
an independent citizen activist in Whatcom County, WA - last edited:  2005-03-11