Copyright © 2007 jsd

Free, Fair, Accurate, and Trustworthy Elections
A Manual for Voters, Poll Workers, and Administrators

1  General Principles

1-1.    Hope for the best, but prepare for the worst. Do not assume everything will go well. Be prepared for hardware crashes, for operator errors, and for out-and-out hostile attack. In particular, be prepared for the possibility that every phase of the election is subject to skilled, determined, and well-financed attacks.

1-2.    There is a maxim that says “treat ballots like money”.

When I cash a check at the credit union, the teller counts the money twice, while I watch. Then I count the money while the teller watches. The teller is not insulted by this. When I count the money I am not impugning the integrity of the teller; I just want to count the money. Double-checking never hurt anybody. Redundancy is your friend.

Treat ballots like money.

1-3.    It should be routine to count the ballots more than once. Any requirement that you have to prove there has been fraud or error before you can have a recount is insane. At the very least, there should be a routine hand count of a statistically significant sample of the ballots, as discussed in section 4.

1-4.    The routine redundant count should be prompt. If you wait until one candidate has conceded before producing a reliable count, it defeats the purpose.

1-5.    There is another maxim that says if you don’t have physical security, you don’t have security. Ballots should never be left unsecured even for a moment. They should be diligently guarded and/or locked in a secure vault. The vault should have a time lock, to protect against out-of-hours access, especially if guards and surveillance are not available 24 hours a day.

All ballots must be accounted for, including unused ballots.

If you don’t have physical security
you don’t have security.

1-6.    The need for physical security applies to hardware as well. Voting machines and tabulating machines need to be subject to strict security from the moment they are built until the moment they are retired. Even if they are idle for months or years, they need to be locked up and guarded the whole time. Tampering is a very real threat.

1-7.    In addition to physical security, we need secure procedures.

1-8.    As a corollary of item 1-7 and of item 1-2 (“treat ballots like money”), any update to the vote-tallying software should be treated like a purchase order. For starters, any update should be reviewed and signed off by two responsible officials before being committed. There should also be a permanent, easy-to-follow audit trail, as discussed in section 5.

1-9.    As a corollary of item 1-7, there needs to be individual accountability. This means (among other things) no sharing of login IDs, no sharing of passwords, no "group" logins, et cetera. A shared password is considered a compromised password, and therefore must be changed, so that only the person authorized to use that login can use that login. "Admin" is a privilege level, not an identification. We need identification, to maintain the audit trail. There is never a good reason to share a password, as explained in reference 21.

This may sound obvious, but believe it or not there are some election boards that have established only one login to the vote-tallying machines, the "Admin" login, and all users share the password to that login.

By way of analogy, the accounting department would not be amused by a purchase order initiated by "admin" and approved by "admin".

1-10.    Security requires balance, as discussed in section 3. Some things require unceasing attention to detail, while others may be amenable to spot-checking.

1-11.    Secrecy is not the same as security. Secrecy does not guarantee security, and security does not require secret methods. Good practice is to use open methods and open software. All of the secrecy is in the passwords and cryptologic keys. The point is that you can change your password when necessary, choosing from a huge number of possibilities, but you cannot change your methods so easily, so it is foolish to assume your methods will remain secret over the long term. It has been known for 125 years that if you need to follow secret methods, your methods are no good. This is known as Kerckhoffs’s principle. See reference 5.

Vote counting should be secure – which means it should not be done using secret methods or secret computer programs.

Votes should be cast in private, but they should be counted in public.

2  Checklist

2-1.    Encourage everyone you know to follow the recommendations given here. It doesn’t suffice for you to vote securely if dozens of your neighbors cast votes that can be flipped.

2-2.    Given the current crop of possibilities, the best available front end is a piece of paper that is marked by the voter, in the polling place on election day.

Rationale for paper ballots: The paper ballots form a permanent record. They can be machine counted on the spot. They can also be hand counted. They can be recounted as many times as desired.

Additional rationale: Mark-sense paper ballots can be scanned to detect common types of voter errors, while the voter still has a chance to make corrections. Detectable errors include overvotes and some types of undervotes.

Rationale for going to the polling place: Although polling places are not completely immune to abuse, they have been around for a long time, and people have a relatively good idea how to secure them.

Rationale for waiting until election day: Any kind of early voting (whether by mail or in person at an early-voting precinct) puts the voter at a disadvantage because less information is available. Sometimes highly persuasive information about the candidates may pop up in the last days before the election. Early voters forfeit the chance to take this information into account. For example, in a multi-way race, such as we often see in a primary election, one candidate might drop out of the race just before election day, after the “early” votes have already been cast. Early voters forfeit the chance to shift their vote to one of the remaining candidates.

2-3.    The worst of the commonly-used options is Direct Recording Electronic (“DRE”) voting machines. If you are forced to choose between DRE and a mail-in paper ballot, choose the mail-in paper ballot. See threat 7-9.

2-4.    Obviously punch-card ballots are to be avoided. The 2000 Florida election showed that there are too many things that can go wrong with punch cards. For starters, it is too easy for the punch card to be misaligned relative to the template that carries the candidates’ names. And then there are the infamous hanging chads, dimpled chads, pregnant chads, et cetera. If you are forced to choose between a punch-card ballot and a mail-in paper ballot, choose the mail-in paper ballot.

2-5.    Except as noted in item 2-3 and item 2-4, avoid mail-in ballots whenever possible. If you really are going to be absent, then sure, send in an absentee ballot. Otherwise, if at all possible, go to the polling place.

Rationale: Mail-in ballots create too many opportunities for vote-buying and voter intimidation (threat 7-1). After they have been mailed in, there are too many ways for ballots to get selectively lost or changed (threat 7-3, threat 7-4, threat 7-5).

Additional rationale: Mail-in voting forfeits any chance of scanning the ballot for errors and allowing the voter to make corrections, as mentioned in item 2-2.

2-6.    The names of the candidates (and other ballot issues) should be printed right on the ballot, not on a separate template. See threat 7-7.

Note that many jurisdictions “rotate” the names on the ballot, since being first on the list is known to confer an advantage. This places a nontrivial burden on the vote-tallying system, since it must match the filled-in marks to actual names, not merely to positions on the page.

2-7.    In some jurisdictions, it is arranged that in each precinct, the poll worker staff has bipartisan balance. See reference 2. This is infinitely preferable to having any possibility that the staff in a given precinct will be entirely or even predominantly co-partisans.

Similar principles apply to the staff at any point where votes are aggregated or tallied. At every stage, there needs to be bipartisan oversight of any activity that could possibly affect the tally.

2-8.    The observers need to be able to verify the details of what is going on.

By way of counterexample, consider the following scenario: At each precinct, boxes of ballots are sealed with special numbered seals. The boxes are transported to the central counting facility. The boxes are opened and the ballots are counted. In this scenario, it is not sufficient to have observers confined to a gallery, watching from such a distance that they cannot tell whether the seals have been tampered with.

2-9.    Last-minute changes in the location of the polling place are often a sign of hanky-panky. It increases the burden on the voters, because of confusion and additional time and transportation costs. Selectively disrupting some precincts can produce significant distortions of the overall results. The parties need to be vigilant and need to vigorously protest and litigate such cases.

2-10.    Parties should calculate well in advance the resources and staff required at each polling place. They should obtain commitments as to how many voting machines, check-in stations, etc. will be provided. They should vigorously protest and litigate if these commitments are not honored.

Keep in mind that machines per se are not the only bottleneck. It does no good to have lots of voting stations standing empty while there is a huge bottleneck at the table where voters are checked in. Parties should calculate well in advance the needed quantities of registration books and/or other check-in resources, staff, floor space, etc., and make sure everything will be available.

2-11.    Similarly, there needs to be enough parking. It seems foolish to conduct voting at a school on a day when the school is in session, and all the parking spaces are taken by staff and students. It is unreasonable to ask voters to park far away and then trudge through the freezing rain to get to the polling place. This is not an imaginary threat; examples of this occurred during the Tue 12 Feb 2008 primary in Maryland.

2-12.    There should also be enough space for a waiting line. Unless there are enough resources to handle peak voter demand, there will be waiting lines during at least part of the day, and voters in line should be protected from the weather.

The waiting line should be located so that it does not interfere with efficient processing of those who make it to the front of the line. Otherwise things go from bad to worse, as congestion causes inefficiency which causes more congestion ...

There should only be one line. First come, first served. It is outrageous to have a situation where someone waits in line, only to be told that they have waited in the “wrong” line and they have to start over.

2-13.    It is OK to give voters a receipt or other token that says they voted. In contrast, it is not OK to give them any kind of receipt that says how they voted. Rationale: They could sell the receipt. This is a form of vote-buying (threat 7-1).

3  Security Requires Balance

A good way to think about this is in terms of series versus parallel.

3.1  Threats in Parallel

When threats can operate in parallel, security requires tremendous attention to detail. As the proverb says, a chain is only as strong as its weakest link. The same applies to fences (and gates). The same applies to walls (and doors and windows).

By way of object lesson, consider a room that has four strong doors, equipped with electronic locks that record who comes in and when. All that counts for nothing if there is a fifth door with a low-tech combination lock, where the combination is widely shared, and there is no hope of recording who came in or when. (This is not a made-up example. Just such a room was used for central election tabulating operations in 2008.)

When threats can operate in parallel, the more threats there are, the less security there is. A long, rambling fence is more vulnerable than a compact fence.

Parallelism applies to time as well as space. Defenses must be maintained at all times as well as all places. Remember the attacker has the initiative. That is, the attacker gets to choose the time and place of the attack.

3.2  Defenses in Series or in Layers

It is desirable to have a layered defense. As a preliminary example, consider multiple concentric fences, such that the attacker must get through N fences before he can do any harm. In this case, the larger N is, the more security there is (assuming that each of the N fences contributes some nonzero amount).

It is preferable to have multiple layers of different kinds (rather than just adding more layers of the same kind). For example, having guards on patrol plus video surveillance is preferable to having just guards or just video. That’s because the video serves as a check on the guards. A trick that gets past the guards won’t necessarily get past the video. (In contrast, having N identical concentric fences is not optimal, because an attacker who figures out how to defeat one fence may be able to defeat all the others.)

A layered defense creates an element of helpful redundancy.

Maintaining a layered defense requires some discipline. If you get sloppy, you might not worry about layer #1 because layer #2 will take up the slack, and you might not worry about layer #2 because layer #1 will take up the slack, et cetera. If you follow this sloppy practice too long, layer after layer will fail, and you won’t notice until there is a catastrophic failure of the whole multi-layer system. Therefore the rule is: It does not suffice to test a layered system as a whole. Fastidiously maintain each layer separately. Test each layer separately. (You can also do an end-to-end test of the multilayer system if you like, but that’s not a substitute for layer-by-layer testing.)

3.3  Statistical Checks and Deterrence

Some goals can be achieved by spot-checking. A simple, well-known example is highway speed enforcement. The police do not need to catch every single speeder. If only a small percentage of speeders are caught, and a sufficient penalty is imposed, deterrence is achieved.

It must be emphasized that the penalty is an indispensable part of the deterrence scenario. If the penalty is too small, speeders will speed as much as they want, because they don’t mind getting caught. This may sound obvious, but there have been cases where large-scale electoral wrongdoing has been detected, but those responsible suffered no penalty. See reference 17.

As an important application of spot-checking, hand-counting 100% of the ballots may not be necessary, except in unusually close elections. Hand-counting a statistical sample, if done right, should serve as a satisfactory check on the accuracy of the machine count. See section 4.

4  Routine Hand Counting of a Sample

As discussed in detail in reference 1, there are several good reasons to hand count a statistically significant sample of the ballots right there in the precinct, right after the polls close. This is in addition to the usual machine count of 100% of the ballots.

Hand counting 10% of the ballots shouldn’t take too long, and will predict the outcome of the full count with a 1% margin of error with 99% confidence.

Anybody who wanted to hack the election would need to hack the hand count and then hack the machine count by the same amount.

Redundancy is your friend.

Also, whenever the machine count indicates that the race is close, within a percent or two, it should be routine to hand-count 100% of the ballots for that race, and then do a second machine count. This makes a total of three counts.

Also do a 100% hand count in any precinct where the 10% hand count differs from the machine count by more than the expected 1% margin of error. Note that this will happen in at least 1% of the precincts, due to statistical fluctuations in the 10% sample. This is a significant burden, because it means that 10% of the precincts will be late in reporting their results.

As a further check, it would be worthwhile to do a 100% hand count of some randomly selected precincts, even if the race is not close and even if the 10% hand count was not discrepant.

It is to be emphasized that all this happens routinely, not based on any request or challenge from any candidate.

5  Software Audit Trail

Keep in mind that the primary, fundamental, and overarching goal is to have free, fair, accurate, and trustworthy elections in the future.

Also keep in mind the maxim: Treat ballots like money. As a corollary, changes to the election system should be treated like purchase orders.

Suppose that someone uses county funds to purchase a ladder. A routine audit shows that the purchase was requested by "Admin" and the purchase order was approved by "Admin". Since Admin is a pseudonym, there is no accountability. No auditor would tolerate this.

This is intolerable because there is no way of knowing whether the purchase is proper or not. Let’s be clear: The burden of proof is not on the auditor to prove that the purchase is improper. The burden is on the purchase to prove that it is proper. Prudent business practice demands keeping an audit trail, so that it is easy to demonstrate that each and every purchase was proper.

Any competent business manager will institute systematic purchasing procedures before there is a huge financial fraud. By the same token, a competent election manager will institute systematic procedures before there is a huge fraud. The controls have two purposes: (a) to make sure there is no impropriety, and (b) to make sure there is not even the appearance of the possibility of impropriety.

Procedures and software tools are available to facilitate doing such things much more systematically. We can look to the Linux kernel as an example. Do you think anybody would tolerate a patch to the official Linux kernel where we didn’t know who submitted the patch, who tested the patch, who committed the patch, or why?

The Linux project uses "git". The author of a patch can digitally sign the patch. Those who test the patch can digitally sign their test reports. The guy who commits the patch to the official repository can digitally sign the commit message. The commit message answers the question of "why" the patch was desirable. For an example of what a git log looks like, see e.g. http://mapserver.flightgear.org/git/gitweb.pl?p=fgdata;a=summary

Doing things properly comes at a cost. Having two people sign off on every patch to the election systems creates bureaucratic burden on the people who do the work. This is entirely analogous to the bureaucratic burden of filling out purchase orders whenever you want to buy something with government money. This burden is part of the cost of doing business. It is necessary to prevent impropriety and to prevent the appearance of impropriety.

5-1.    There should be a log file. Any changes to the system software should be logged. User login and logout should be logged. Backups should be logged.

5-2.    The log file should be immutable. That is, it should be routine to append new entries at the end of the log, but it should not be possible to erase or modify old entries.

One way to protect the audit log is to make multiple copies and distribute them widely.

5-3.    It helps to make plenty of backups. At the very least, there should be one backup every day from the start of early voting until all voting-related issues are settled. The backups should be retained for as long as any other election-related materials (two years, at least). To protect the backups from tampering, the HMAC of the backup file should be logged.

There should be an easy way to make backups “at the push of a button”. The backup file should have an auto-generated unique name, to minimize the chance of inadvertently overwriting an earlier backup.

It wouldn’t hurt to make the backup file read-only. This is no protection against intentional tampering, but it offers some token resistance to unintentional snafus.
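Items 5-1 through 5-3 can be combined in one structure, shown here as an added example that is not part of the original manual. It swaps in a hash chain, which makes the log tamper-evident rather than truly immutable, and it assumes SHA-256, a constructed key, and hypothetical names (`Log`, `Append`, `LogBackup`, `Verify`, `BackupMatches`).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Entry is one audit-log record. Prev holds the hash of the preceding record,
// so altering or deleting an old record breaks every later link.
type Entry struct {
	Seq                        int
	User, Action, Detail, Prev string
	Hash                       string
}

// Log is an append-only list of entries (hypothetical type for this example).
type Log struct{ entries []Entry }

// genesis is the fixed Prev value of the first record.
var genesis = strings.Repeat("0", 64)

// entryHash covers every field except Hash; %q quoting keeps field boundaries unambiguous.
func entryHash(e Entry) string {
	s := fmt.Sprintf("%d %q %q %q %q", e.Seq, e.User, e.Action, e.Detail, e.Prev)
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// Append adds a record linked to the current head and returns the new head hash.
// User is an individual login, never a shared "Admin" (item 1-9).
func (l *Log) Append(user, action, detail string) string {
	prev := genesis
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := Entry{Seq: len(l.entries), User: user, Action: action, Detail: detail, Prev: prev}
	e.Hash = entryHash(e)
	l.entries = append(l.entries, e)
	return e.Hash
}

// BackupMAC returns the hex HMAC-SHA256 of a backup image under the given key.
func BackupMAC(key, image []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(image)
	return hex.EncodeToString(m.Sum(nil))
}

// LogBackup records a backup's name and HMAC in the log (item 5-3).
func (l *Log) LogBackup(user, name string, key, image []byte) string {
	return l.Append(user, "backup", name+" "+BackupMAC(key, image))
}

// Verify recomputes the chain and returns the index of the first bad record, or -1.
// witness is a head hash held by a widely distributed copy (item 5-2); it must
// still appear in the chain, which catches truncation and a rewrite-and-rehash.
// An empty witness skips that check.
func (l *Log) Verify(witness string) int {
	prev, seen := genesis, witness == ""
	for i, e := range l.entries {
		if e.Seq != i || e.Prev != prev || e.Hash != entryHash(e) {
			return i
		}
		seen = seen || e.Hash == witness
		prev = e.Hash
	}
	if !seen {
		return len(l.entries) // self-consistent, but not the chain that was witnessed
	}
	return -1
}

// BackupMatches reports whether image matches the HMAC logged for the named backup.
func (l *Log) BackupMatches(name string, key, image []byte) bool {
	want := []byte(name + " " + BackupMAC(key, image))
	for _, e := range l.entries {
		if e.Action == "backup" && hmac.Equal([]byte(e.Detail), want) {
			return true
		}
	}
	return false
}

func main() {
	key := []byte("constructed-demo-key") // constructed; assumed to be held off the tally machine
	var l Log
	l.Append("alice", "login", "")
	head := l.LogBackup("alice", "backup-0001", key, []byte("constructed tally snapshot"))
	fmt.Println("chain intact:", l.Verify(head) == -1)
	l.entries[0].User = "admin" // simulate an edit to an old record
	fmt.Println("first bad record after edit:", l.Verify(head))
}
```

The chain by itself only detects edits made without recomputing the later hashes; the comparison against a head hash stored elsewhere is what ties it to the "multiple copies" advice in item 5-2.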

6  Miscellaneous Observations

6-1.    The following things should be separate: (A) the access control file (aka “passwd” file), listing who is allowed to log in, passwords, privilege levels, et cetera. (B) The configuration file, describing the layout of the ballot, who is running in which races, rotation policy, and other information that should not change during the course of the election. (C) The database containing the tally of votes. (D) The immutable logs.

The Diebold GEMS system keeps all three of those things in the same database. (I’m not kidding. You can’t make this stuff up.) This makes it super easy to tamper with the votes and/or tamper with the configuration, and then tamper with the audit log so as to cover your tracks.

6-2.    There needs to be lots of separation of privilege. The following activities are logically separate:

To say the same thing the other way, it would be a Bad Idea to have one omnipotent “Admin” account that is needed for doing routine things but capable of doing non-routine things.

There exist various well-known techniques for achieving separation: Different processes on the same machine, different virtual machines on the same hardware, or even completely different machines (such as a separate, loosely-connected machine to receive immutable backups and logfile entries).

6-3.    At the very least, the tally machine should have some level of RAID, so that a disk crash won’t be tragic. Again, this doesn’t protect against intentional tampering, just against disk crashes.

Similarly we should insist that the tally machine use ECC memory.

7  Threat Model

7-1.    Voter coercion, including vote-buying. Note that anything that compromises the secrecy of the ballot (e.g. by tying a particular ballot to a particular voter) opens the door to coercion and vote-buying.

7-2.    Improper challenges to the eligibility of voters. Gratuitous challenges greatly slow down the voting process, leading to long lines. Selectively challenging in one precinct and not another can be used for unfair partisan advantage.

7-3.    Stuffing extra ballots into the ballot box.

Partial mitigation: Rigorous supervision and chain of custody.

Possible mitigation: Immediate hand-count of a statistically-significant random sample.

7-4.    Losing ballots from the ballot box.

7-5.    Similarly, “spoiling” ballots so they won’t be counted.

Possible mitigation: Scanning and tallying each ballot in real time, as it is cast, so we know it wasn’t “spoiled” when it went into the ballot box.

7-6.    Not enough resources (ballots, machines, indoor space, parking space, etc.) to accommodate the voters.

7-7.    Improper ballot rotation, or misalignment, so that a voter who thinks he is voting for one candidate gets tallied as if he voted for a different candidate, or none at all. Remember the butterfly ballots?

Mitigation: item 2-6.

7-8.    In some jurisdictions there is such a thing as early voting at some polling places. This creates a risk involving early tallying. The tally of early votes is, in effect, a super-accurate poll, and is super-valuable to anyone who can get their hands on the tally. Early tallying of mail-in ballots raises the same issues.

Mitigation: Any early tally must either be kept rigorously secret, or be made public, so that no one can derive any partisan advantage from it. It is paradoxical but true that complete secrecy is fair, and complete openness is also fair.

7-9.    The software in election-related computers could be programmed to steal an election. DRE machines are an especially tempting target. Other targets include the scanners that read mark-sense ballots, as well as the central tabulating machines.

Partial mitigation: avoid DRE: item 2-3. Other mitigation SORELY LACKING in current-generation tally machines.

Mitigation: In the longer term, secure hardware and secure open software.

8  Action Items

8-1.    In every jurisdiction, change the law so as to require a routine hand-count of a statistically-significant sample of the ballots in every precinct. See item 1-3.

8-2.    The political parties and/or some clean-government group should campaign to discourage mail-in ballots. See item 2-5.

8-3.    Repeal the Arizona law that allows political parties or political clubs to request batches of early ballots on behalf of their so-called members. This is horribly open to abuse, and the abuse is hard to detect. If these “members” can’t figure out how to vote on their own, they shouldn’t be voting at all.

8-4.    Change Arizona law to provide for observers during nominally “non-partisan” elections.

8-5.    Change Arizona law so that early ballots and mail-in ballots of every kind get treated the same as election-day ballots so far as possible. This includes sorting them into precincts.

Sorting could be made very easy with even a teensy bit of pre-planning. For starters, if there are N precincts, obtain N distinct PO boxes and print the appropriate PO box number on the envelopes, so that the Post Office does most of the sorting for you. Similarly print big fat stripes at precinct-dependent places on the envelopes, so that you can see at a glance if a stack of envelopes contains one that doesn’t belong.

8-6.    Change the law to define a concept of "insider information" in analogy to the concept used in securities trading. The idea is that some information (such as early-voting turnout numbers) can be released prior to the close of the election provided it is released to the public even-handedly, not selectively released to one party or another. Information that has not been released to everyone is considered insider information, and the law should prohibit releasing or using insider information. The rule is simple: if anybody gets it, everybody gets it.

9  Unsolved Problems

9-1.    Back in the olden days, ballots were printed using a printing press, and the theory was that it would be hard to produce “extra” blank ballots. Therefore, according to theory, if you accounted for all the voted ballots and all the unvoted ballots, this would make it hard to stuff the ballot box.

This probably never worked perfectly, but it certainly doesn’t work now, since it is too easy to create plausible-looking ballots using a laser printer. Also current inventory-control methods are, in many cases, inadequate.

In accordance with the principle of treating ballots like money, you could imagine printing ballots on special paper using special ink and other fancy security measures, but this is not the usual practice.

Similarly note that paper money has serial numbers, whereas ballots customarily do not. This is a genuine dilemma. Serial numbers could be used to compromise voter privacy (leading to coercion, vote-buying, and other onesey-twosey attacks) but the lack of serial numbers makes the system more vulnerable to stuffing and other large-scale attacks.

Actually having some sort of unique numbering of ballots might not be so bad, if certain precautions were taken. The tracking number for each ballot comprises the precinct number and a unique random nonce. The nonce is random, not sequential, so it is technically not a “serial” number. The nonce is assigned on a per-precinct basis, so that it is possible for each precinct to determine which of its ballots has been used, without requiring any wide-area communication. The tracking number is printed on the ballot in some sort of bar code that is easy for a machine to read but hard for humans to read at a glance. This plus the fact that the nonces are not sequential makes it hard for pollwatchers to know which voter got which ballot.

Option A: The ballot-printing machine generates the tracking numbers, and keeps track of which numbers have been issued. This data is given to the tally machine, which checks off each number as it is used. It alarms if a wrong number shows up, or if a number is not on the list of issued numbers. In the case where the list of issued numbers is lost, the tally machine can revert to “legacy mode” i.e. it can count ballots without regard to the tracking numbers.

Option B: The tracking number is digitally signed. The private key must be very tightly protected. The public key can be widely known. The public key is used by the vote-scanning machine to check the validity of the tracking number. The machine then keeps track of which numbers have been used, and alarms if a number is re-used, or if an invalidly-signed number is used. Option B (unlike option A) means the tally machine does not need any prior knowledge of which tracking numbers have been issued. This is vulnerable to ballot-stuffing if the private key leaks out.
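Option B, sketched as an added example that is not part of the original manual: the scanner holds only the public key and a set of nonces it has already seen. Ed25519 is an assumed choice of signature scheme, and the 16-byte nonce, the byte layout, and the names `Issue`, `Scanner`, `Check` and `NewKeyPair` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const (
	nonceLen = 16           // random, not sequential, so it is not a "serial" number
	msgLen   = 2 + nonceLen // 2-byte precinct number followed by the nonce
)

// Verdict is the scanner's decision for one ballot.
type Verdict int

const (
	Accept Verdict = iota
	AlarmInvalid       // malformed or invalidly signed tracking number
	AlarmWrongPrecinct // validly signed, but issued for another precinct
	AlarmReused        // validly signed, but already seen by this scanner
)

// NewKeyPair generates the signing key pair. The private key stays with the
// ballot printer and must be tightly protected; the public key can be widely known.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Issue builds one tracking number: precinct || nonce || signature.
func Issue(priv ed25519.PrivateKey, precinct uint16) ([]byte, error) {
	msg := make([]byte, msgLen)
	binary.BigEndian.PutUint16(msg, precinct)
	if _, err := rand.Read(msg[2:]); err != nil {
		return nil, err
	}
	return append(msg, ed25519.Sign(priv, msg)...), nil
}

// Scanner is the vote-scanning machine's view. It needs no list of issued
// numbers, and it stores nonces only, nothing that identifies a voter.
type Scanner struct {
	pub      ed25519.PublicKey
	precinct uint16
	used     map[[nonceLen]byte]bool
}

// NewScanner creates a scanner for one precinct.
func NewScanner(pub ed25519.PublicKey, precinct uint16) *Scanner {
	return &Scanner{pub: pub, precinct: precinct, used: make(map[[nonceLen]byte]bool)}
}

// Check validates a scanned tracking number and marks its nonce as used.
func (s *Scanner) Check(token []byte) Verdict {
	if len(token) != msgLen+ed25519.SignatureSize {
		return AlarmInvalid
	}
	msg, sig := token[:msgLen], token[msgLen:]
	if !ed25519.Verify(s.pub, msg, sig) {
		return AlarmInvalid
	}
	if binary.BigEndian.Uint16(msg) != s.precinct {
		return AlarmWrongPrecinct
	}
	var nonce [nonceLen]byte
	copy(nonce[:], msg[2:])
	if s.used[nonce] {
		return AlarmReused
	}
	s.used[nonce] = true
	return Accept
}

func main() {
	pub, priv := NewKeyPair()
	s := NewScanner(pub, 42) // precinct number is a constructed sample value
	tok, err := Issue(priv, 42)
	if err != nil {
		panic(err)
	}
	fmt.Println("first scan accepted:", s.Check(tok) == Accept)
	fmt.Println("second scan alarms: ", s.Check(tok) == AlarmReused)
}
```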

9-2.    There is always the threat of “ballot washing”. That means removing the ink from ballots so that the votes can be changed. This is in analogy to check washing, which is a rather prevalent form of fraud, estimated to be on the order of a billion dollars per year, which means there are a lot of crooks who know how to do it.

As a defense, most check-blanks nowadays use specially treated paper which shows if they are attacked by solvent.

In the case of ballots, it may be easier (and better) to give voters pens with relatively indelible ink. Chain the pen to the voting booth. Cheap “gel” pens are reputedly solvent-resistant, but it is possible to go much farther than that, including special inks that undergo an irreversible chemical reaction with the cellulose in the paper.

9-3.    Sometimes the memory cards from e-voting machines are erased soon after the first count. This is terrible; not only does it prevent a recount, it prevents forensic analysts from looking for fraud or error.

9-4.    You want to have a rule that there should be no stray marks on the ballot. You don’t want voters to “sign” their ballot or otherwise identify the ballot as being associated with a particular voter. This is part of the program to minimize coercion and vote-buying.

So the question arises, what do you do if stray marks are found? This is a dilemma. If you invalidate ballots that have stray marks, you solve one problem but create another: It becomes too easy for someone to tamper with the election by spoiling ballots after they are cast, simply by adding stray marks.

This dilemma can be mostly solved by scanning ballots at the time they are cast. If stray marks are detected at that time, the voter must re-vote using a new, clean ballot. If stray marks are not detected at that time, stray marks detected later will not invalidate the ballot. (I know of a loophole here, but I’d rather not discuss it.)

10  References

1. Election Defense Alliance “Universal Ballot Sampling”. Summary: http://www.electiondefensealliance.org/upspr
Full report: http://www.electiondefensealliance.org/files/New_UBS_811Update_061707.pdf

2. Avi Rubin “My experience as an Election Judge in Baltimore County” (Primary) http://avirubin.com/judge1.html

3. Avi Rubin “My experience as an Election Judge in Baltimore County” (General Election) http://avirubin.com/judge2.html

4. Mike Bryan, “Pima County Election Integrity Trial Home” http://arizona.typepad.com/blog/2007/12/pima-county-e-8.html

5. Auguste Kerckhoffs, « La cryptographie militaire », Journal des sciences militaires, vol. IX, pp. 5–38, Janvier 1883, pp. 161–191, Février 1883. http://petitcolas.net/fabien/kerckhoffs/

6. Wikipedia article, “Kerckhoffs’ Principle” http://en.wikipedia.org/wiki/Kerckhoffs’_principle

7. Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin, Dan S. Wallach, “Analysis of an Electronic Voting System” http://avirubin.com/vote/analysis/

8. Aviel D. Rubin, Brave New Ballot http://www.bravenewballot.org/

9. Alec Yasinsac, John Kerski, David Gainey, Michael Gerke, Kristine Amari, and Donald Newell, “Software Review and Security Analysis of the Diebold Voting Machine Software”, TSX Supplement, For the Florida Department of State, September 28, 2007 http://election.dos.state.fl.us/pdf/SAITreport.pdf

10. Joseph A. Calandrino, Ariel J. Feldman, J. Alex Halderman, David Wagner, Harlan Yu, William P. Zeller, “Source Code Review of the Diebold Voting System” (July 20, 2007) (Report commissioned as part of the California Secretary of State’s Top-To-Bottom Review of California voting systems.) http://www.sos.ca.gov/elections/voting_systems/ttbr/diebold-source-public-jul29.pdf

11. Australian Capital Territory Electoral Commission, “Electronic voting and counting” (“eVACS”) http://www.elections.act.gov.au/elections/electronicvoting.html

12. Kim Zetter, “Aussies Do It Right: E-Voting” Wired Magazine (2003) http://www.wired.com/techbiz/media/news/2003/11/61045

13. C.H. Huckelberry, "Election Security Report" http://www.pima.gov/GenInfo/Pdfs/Election Security 101907.pdf

14. John Denker, “Comments on Draft Security Plan” /security/pima-security-plan.htm

15. M.A. Duniho, “Election Integrity Manual for County Chairs” /security/election-integrity-manual.htm

16. Michael Ian Shamos, “Voting System Security Review” http://evote-mass.org/Shamos_Security_Report.pdf

17. House Judiciary Committee Democratic Staff, “Preserving Democracy: What Went Wrong in Ohio”, http://www.nvri.org/about/ohio_conyers_report_010505.pdf

18. Robert F. Kennedy Jr. “Was the 2004 Election Stolen?” http://www.rollingstone.com/news/story/10432334/was_the_2004_election_stolen

19. Steven F. Freeman & Joel Bleifuss Was the 2004 Presidential Election Stolen? Seven Stories Press (2005). http://www.appliedresearch.us/sf/epdiscrep.htm

20. EVEREST: Evaluation and Validation of Election-Related Equipment, Standards and Testing http://www.sos.state.oh.us/sos/info/EVEREST/14-AcademicFinalEVERESTReport.pdf

21. Princeton OIT, “Are these good excuses to share my password?” http://web.princeton.edu/sites/password/why.htm

22. Jon Stokes, “How to steal an election by hacking the vote” (2006) http://arstechnica.com/articles/culture/evoting.ars http://arstechnica.com/etc/How_to_steal_an_election-ArsTechnica.pdf

23. Mark Crispin Miller, Fooled Again Basic Books (2005)

24. David Earnhardt, “Uncounted – The New Math of American Elections” (2007) http://www.uncountedthemovie.com/about-the-film.html

25. “Hacking Democracy”

26. BlackBoxVoting.org (“America’s Elections Watchdog Group”) http://www.blackboxvoting.org/

27. Open Voting Consortium http://www.openvotingconsortium.org/ http://www.openvotingconsortium.org/blog/2008-jan-14/open_voting_process_demonstrated_in_san_luis_obispo

28. Allen Raymond with Ian Spiegelman, How to Rig an Election: Confessions of a Republican Operative Simon & Schuster (2008).

29. Wikipedia article, “2002 New Hampshire Senate election phone jamming scandal” http://en.wikipedia.org/wiki/2002_New_Hampshire_Senate_election_phone_jamming_scandal
