This web page lists public comments by Individuals from the Secretary of State's website, with selective highlights from each, to give the flavor of the public comment.
The 60+ public comments submitted by individuals are posted on the Secretary of State's site as a single pdf of over 140 pages (and cut-and-paste doesn't seem to work on it). The links below go to copies I made with each public comment stored in a separate web page.
Disclaimer: These highlights are by Jerry Berkman, not by the Secretary of State's office. There are so many quotations and partial quotations that quotation marks are not used as they would be a distraction. See the full text on the Secretary of State site if you are concerned about accuracy.
The Secretary of State's office deleted all personal information, so I can't tell who wrote the public comments. If you sent a comment and want me to add your name, send me email at jerry on berkeley dot edu, replacing on by "@" and dot by ".".
A physical configuration audit of the software and hardware components of certified system should be published by the state so that local election officials may be able to ascertain if the system they have on their machines is certified.
Also, the letter asks the Secretary of State to verify that systems in use are in fact what is generated by compiling and building the escrowed source software.
Supports electronic voting system, and thinks the main need is better training for poll workers.
Ask to add conformance to the 2002 VVSG. Examples: Diebold in San Diego does not add in-process audit records, failures to meet the error rate of the VVSG, etc.
You must redo the ITA work to include completeness of adherence to the 2002 VVSG or you will "repudiate the hearings you held while a Senator ..."
Also require all electronic equipment and software not currently subject to certification, e.g. electronic poll books and signature comparison software, to meet standards set by the Secretary of State.
Procedures must require testing of all machines before use in an elections. San Diego only tested 6 touchscreens and 80 memory cards before last November election, and it took 2 weeks. If testing all takes too long, don't use them in elections.
For sleepovers, need more protections.
Thanks Secretary Bowen for undertaking the review.
Describes how to "game" the VVPAT.
Red team testing - testers should have access to source code, as real attackers could be vendor's software programmers.
The focus should be expanded to usability by voters, and not just usability by pollworkers and security testing.
Demand that designing and generating ballots is easy enough that local elections officials can do it themselves
We must return to paper ballot, probably hand-counted, with investigations if exit polls differ from the results.
Concerned that the draft Criteria don't apply to optical scan systems, and that it also ignores the problem of securing paper ballots.
The writer has a great new election system, and wants to know how to propose such a system to the state of California.
Doesn't trust electronic voting systems, not even optical scan systems. Believes there is wide spread election fraud. Wants hand counted paper ballots.
Includes the text of an ACM article on COTS (custom-off-the-shelf) software, and its inappropriate use in election systems. That article is also available on OpEdNews.com at
http://www.opednews.com/articles/opedne_rebecca__070409_cots_and_other_elect.htm
Gives many examples of why the system doesn't work and the Secretary of State should decertify all DREs. Examples include Avi Rubin's testimony, NIST's report on software independence, the EAC's failure with the Ciber test lab.
An easier to read html version.
Main points include:
Will there be tactile ballots for profoundly deaf-blind voters?
Can options not installed be used for certification?
Wants 10% random, mandatory audit of all precincts, performed at the precinct.
"Citizen oversight" at the county site are "charades", because you only see part of what is happening, can't verify chain of custody, and can't tell if ballots have been manipulated.
Need 10% random, mandatory audit of all precincts.
Citizen access is restricted, creating an opaque election environment ruled by county officials who at times don't even follow our minimal laws.
We must move to transparency, and the Secretary of State must cause that to happen for the Presidential election because the counties won't.
Need to test BMD (ballot marking devices) and BOD (ballot on demand) systems, and to test usability and accuracy.
Need to test for both traceable and untraceable vote tampering.
Chain of custody needs to include vendors, contractors, etc.
No wireless communications. No public phone lines without secure scramblers.
Verification from a printer data stream, Draft Criteria II.2.(f)(2), has serious drawbacks; e.g. can't tell if ballot premarked, no module isolation.
Require systems to be simple enough for poll workers to be trained upon.
Same as message 12.
This is an addendum to a previous message. Since identifying material has been deleted, we don't know for sure which other messsage to refer to. It may be message 20.
The note discusses how to describe types of attacks criteria are trying to defend against.
General comments citing the NIST and GAO reports on unreliability of electronic voting machines, and MIT/Cal Tech study saying hand counted paper ballots are most secure.
This is a technical description of attacks that may not be caught by the review.
It says to also check security of electronic pollbooks.
It says II.2.(f) is "meaningless from a security perspective". This is the option to bypass readback of the VVPAT.
Discusses her daughter's problems getting registered when she turned 18. When original registration apparently never got registered with the registrar's office, they were told to fill out a second, and a third, ... But the second would cancel the first, showing she registered too late; would that cancel the provisional ballot eligibility check?
It took 5 months, three tries, and her provisional ballot was not counted. This message includes posts from democraticunderground.com's Election Reform Forum discussing her discoveries, and about Los Angeles's voter registration system purchased from Diebold.
Includes copies of:
http://www.democraticunderground.com/discuss/duboard.php?az=show_topic&forum=203&topic_id=468433 (2 pages)
http://www.democraticunderground.com/discuss/duboard.php?az=show_topic&forum=203&topic_id=468282 (5 pages)
http://www.democraticunderground.com/discuss/duboard.php?az=show_topic&forum=203&topic_id=467517 (1 page)
http://www.democraticunderground.com/discuss/duboard.php?az=show_topic&forum=203&topic_id=465855 (1 page)
http://www.democraticunderground.com/discuss/duboard.php?az=show_topic&forum=203&topic_id=462545 (2 pages)
http://www.democraticunderground.com/discuss/duboard.php?az=show_topic&forum=203&topic_id=458059#458161 (look for message 8. from rumpel) (2 pages)
http://ohiovigilance.org/Counties/Cuyahoga/Analysis/CuyProblemDIMS.htm
http://www.dailykos.com/story/2005/3/17/102054/261
... plus more ...
Include the Micro Tally System (MTS) used by Los Angeles in the review.
Change the Criteria to check for both "traceable and untraceable vote tampering".
Examine the operating system, even if widely available, for signs of changes.
Includes suggestions for disability access criteria.
Test electronic signature comparison equipment.
This is a repeat of message 11 (except Prof. Avi Rubin's name was deleted).
Two major criteria, dependability and reproducibility, are missing from the Criteria.
The systems should include safeguards such that electrical interference or crashes, etc. do not interfere with the recording of the vote. You need error detection and correction logic built into the hardware, software, and human factors design to mitigate the risks of these kinds of errors.
There should be alternate vote counting methods such as Approval Voting.
"Source code review" should be changed to "Review of Software, Firmware and Hardware Design and Implementation", as compilers, etc. may subvert the source code.
The writer wants an investigation in Riverside County due to problems with open government and open bidding for contracts.
The message includes an editorial from the North County Times praising the review of systems and the red team tests. Due to hilighting in the paper copy, it is almost unreadable in the letter on the Secretary of State site, but you can read it at: http://www.nctimes.com/articles/2007/03/30/opinion/editorialscal/17_08_143_29_07.txt
From security researchers and graduate students at U.C. Davis.
Findings of source code review and red team testing, as much as possible, should be published. These will be invaluable, as have been the Compuware Report and SAIC report commissioned by other states.
Red team and source code team should overlap.
The system must be tested as a whole, not just components.
COTS (Commercial-Off-The-Shelf) software, embedded systems, etc. should not automatically be excluded.
The vulnerabilities found by Harri Hursti and Black Box Voting and confirmation of these by Princeton researchers are enough to decertify Diebold systems unless the problems are already fixed.
Any system that can be upgraded can also be upgraded corruptly.
DREs can not be made secure from insiders and ; election policy must also be involved in security.
Source code review should also include building and testing the system.
Nonvisual confirmation should be independent of the rest of the DRE.
It is more important to try to eliminate problems that permit a single individual, or a small group of individuals, from having a large impact.
Electronic voter registration and poll book systems should also be reviewed.
Paper ballots should be counted on two independent systems manufactured by distinct vendors.
A paper trail provides a false sense of security. Ban all electronic voting machines and return to paper ballots hand counted at the precinct level.
DREs can not meet your requirement of secure, accurate, accessible, and auditable. Ban DREs. Use VotePad, tactile ballots, etc. for the handicapped and blind voters..
Increase audit to 5%, with option for ROV to audit more.
Wonderfull! Unless the machines are bulletproof and verifiable, how can we the people trust the results??
Include Ballot Marking Devices, etc.
Include the Los Angeles County MTS system; it may be uncertified GEMS 2.
Make these tests public, and publish for the public the findings.
Check for both traceable and untraceable tampering.
Remove the wireless capacity in the L.A. County system.
Change "will" to "shall" withdraw certification if review conditions not met.
Sleepovers are not secure; how can sleepovers continue?
VVPATs need more light to be used.
Counties must provide copies of their procedures to you and to the public.
Counties need to be encouraged to increase the number of precincts being recounted in the manual audit.
When there are discrepancies, the manual tally must be expanded to more precincts.
Many of these recommended changes could be part of your election regulations. This would be much faster than amending the Elections Code.
Applauds this as the first review done under the Elections Code.
All hardware, firmware, and software used in connection with voting and voting systems be reviewed, including electronic poll books and signature comparison software. Signature comparison software can be adjusted to how close a match is needed; this can be used for disenfranchisement.
Physically review computers used in elections to ascertain what hardware, firmware, and software they contain.
Also review event and audit tapes or records from the last two years. As some counties, such as Los Angeles, have uncertified components on computers, such as GEMS 2. Review the event log to see what has been used, removed, disabled.
Review whether components meet reliability and accuracy standards of 2002 VSSG.
Review whether the system has the ability to alter recordings of voters' choices and alter audit logs. A more effective standard would be to make it impossible to alter a data file once written.
Any system should be capable of being run completely without any vendor support or specific programming such as ballot definitions, etc.
Review counties Procedures for Use of a particular voting system to see if compliant with adopted Procedures for Use.
As a poll-worker, the VVPAT printers are highly fragile and six of eight either broke down or were out of paper by the end of the day. We should go back to pen on paper whenever possible.
I would like us to shift from Plurality Voting systems to superior alternatives, but not Instant Runoff Voting.
There is no current safe way to use computer voting machines and insure 100% accuracy. The VVPAT may differ from the final tabulated vote. If you must use VVPATs, don't use laser paper. Scanners are better.
There have been way too many examples of the extreme efforts people have and will go to to manipulate elections to trust anyone anymore. Manufacturers of voting machines must be as non-partisan as possible.
This is a happy day. I am proud California is taking steps to secure the voting machines. Electronic voting is the future and there is no reason it cannot be implemented securely.
There is time, do it before the 2008 election (18 months away).
This is a response to Message 43 and is responding to that Message 43's cynicism about what Secretary Bowen might actually do.
I am absolutely against your interference with the voting systems selected by each county in our state. I protest vehemently!
This is about scanners used in Santa Barbara, and procedures at the polls which the writer believes are inconsistent and inadequate.
Eliminate the word "untraceable" from the Criteria; apply the Criteria to all forms of tampering, both traceable and untraceable.
Will there be blue teams to protect against the red teams?
The writer believes local elections officials will convince Secretary Bowen to not decertify anything.
DREs cannot be audited. Most audits are useless. Recounts are both too expensive and unavailable.
Even open source does not secure code; citing Richard Stallman of the Free Software Foundation.
Sleepovers eliminate security.
We have no way of knowing if central tabulators are connected to election riggers by WiFi or modem on election night.
The letter then discusses at length that the Ohio Secretary of State web site suspiciously moved from Ohio to a set of servers run by Smartechcorp and located in Tennessee for a few days during the votecount in Ohio in Nov. 2004. This set of servers also handles Republican National Committee business such as Karl Rove's email account. (See http://www.freepress.org/departments/display/19/2007/2562 and http://www.freepress.org/departments/display/19/2007/2553 for more details.)
It then copies an item from bradblog.com (see http://www.bradblog.com/?p=4329) in which a California Judge ruled that the VVPAT need not be used in a recount even though the recount requester asked for it to be recounted.
There needs to be measurement standards/tools as an integral part of the criteria.
Require that DREs, vote tabulating devices and ballot tally computers be tested multiple times through-out Election day.
With respect to audio output, there must be headphones, or everyone will hear the voters choices.
Decertify virtual ballots! The current DRE's system can be hacked in almost unlimited ways without showing any evidence. Require DRE numbers to be labelled as estimates.
Ordinary computers with programs running in random access memory are not capable of preventing vote tampering or "denial of service" attacks unless tested between counting every vote as the program can be changed anytime.
What about "denial of service" such as electrical power supply attacks?
Add accuracy and efficiency to criteria. Some of these machines just don't work well, and shouldn't be certified.
Vendors patching the systems with uncertified patches should not be allowed.
Change "may immediately initiate the process to withdraw certification" to "shall immediately ...". No Loopholes!
Optical Scanners are not free from being compromised. Due to all the problems, many computer professionals are advocating hand-counted paper ballots.
Thanks. I know you are under intense pressure from powerful entities that oppose your reforms. Please don't back down.
A one sentence message: "I am against all electronic voting systems."
Paper ballots are cheaper and do not have all the problems of DREs.
A 1% audit is not enough.
I feel very pessimistic about being sure my vote has been accurately counted.
DREs do not provide a real ballot!
Trying to see fraud in the election office is an exercise in futility.
Add transparency and verifiability to the goals of the review. Do not allow machines with undisclosed source.
Change "untraceable vote tampering" to "vote tampering"; any vote trampering is unacceptable.
Do not allow electronic tabulators; 92% of people have said that they don't want the votes counted by machines.
The Criteria need a definition of a proper voting procedure.
Thank you. It is high time to deal with the underhanded chicanery that has been offered as high tech modernization of voting.
The Criteria do not include hardware review. Examples of problems include the voter accessable yellow button of Sequoia to hidden battery test button of TSx. Also examine paper ballot scanner auto-calibration features.
I have been vocally opposed to any form of e-voting since it was first proposed in 1995. You can not secure it. It is not possible.
The writer was the first to reveal the full, unredacted SAIC report in Maryland. It shows over 250 ways to compromise the Maryland system.
Use open source software, with paper ballots, and a 10% random hand count in each precinct.
Also published, and easier to read, on his blog.
The Draft Criteria are underspecified and may lead to charges of arbitrary treatment, etc.
Some of the Criteria are unrealistic; e.g. only the AutoMark has the required read-back capability, which could lead to most counties having to both procure and use AutMark in each precinct.
Written reports should be issued to the public on any system not meeting the final adopted criteria.
The Criteria don't mention evaluation of blended systems.
Change "untraceable vote tampering" to "vote tampering"; any tampering is serious.
Both red and blue teams will need high level of knowledge about these systems, included all information in escrow.
There isn't enough time for a thorough source code review. The review must look not only for clearly mailicious code, but also designed-in "features" which may be misused.
Many of the disability requirements are not widely supported.
Would playback of VVPAT be in minority languages or only English?
Don't allow an option for DREs to be switched to manual mode, as is allowed in the Sequoia System. If the DRE fails, use paper ballots instead.
Go back to paper ballots with optical readers, as we had for many years. VVPATs are difficult to review, and not well received.