Voting Technology

California Secretary of State Hearing Examining Voting System Software Flaws

Testimony by Kim Alexander, President & Founder
California Voter Foundation
March 17, 2009


The Secretary of State’s report appears to minimize the scope of the potential damage of the latest security breach.  The report seems to try to isolate or localize the security problem to the specific version of GEMS that was evaluated (1.18.19).  Yet the problem with the audit log - being that it is unreliable and fails to record all actions on the system - is a significant problem that we now know persists in later versions that have been certified.

I suggest that the Secretary of State broaden the scope of its investigation and verify that the security problems identified in this specific version studied are present in more recent versions.

It seems inappropriate that any voting software be used in California that is only qualified to the 1990 Federal Voting System Standards, as was the case with the software that was used in Humboldt, and the SoS needs to routinely and proactively reconsider the versions of software in use in CA counties to ensure those programs are upgraded on a regular basis. I realize this is easier said than done but it seems like it's a policy that nonetheless should be implemented.

This whole episode feels a lot like deja vu, because nearly five years ago this same vendor was found to have failed to keep its clients or the Secretary of State informed about security problems with its equipment - back then, in 2004, the problem was the widespread use of uncertified software and equipment.  This year, in 2009, the problem is unsafe use of certified software.  While it appears unlikely that Diebold broke a specific state law this time around, the company's repeated lack of action or concern to address a known security problem is deeply troubling, and short of decertifying the vendor entirely (which may not be practical to do at this time) the Secretary of State ought to consider specific terms of use for this vendor to place a burden on them to repeatedly, loudly and routinely notify the state and its client counties when a problem is known to exist.

Whether we are using paper or electronic ballot systems, all of these systems are software-driven.  Software-driven means it is dynamic – that means addressing known bugs, which other software makers do routinely – but not in this industry. And that is largely because of the federal and state certification process. We need to find ways to have a robust testing and certification process that is designed to facilitate routine software upgrades.

This latest problem is also an example of why the manual tally process must compare paper ballots with the end results, and not just printouts of in-precinct totals.  We want to be sure that the final vote count is accurate, that the ballots have been properly processed from start to finish.

It also shows why the one percent manual tally is not sufficient and why extra measures, such as the Secretary of State’s 10 percent post-election manual tally regulations (which require additional ballots to be counted by hand to verify the results in extremely close contests), are needed.

This page was first published on March 17, 2009 | Last updated on March 18, 2009
Copyright California Voter Foundation, All Rights Reserved.