About the Author: Brit Williams is a Professor Emeritus of Computer 
Science and Information Systems at Kennesaw State University.  He was a 
consultant to the FEC during the development of the FEC Voting System 
Standards in 1990 and again in 2002.  He is currently a member of the 
NASED Voting Systems Board and Chair of the NASED Voting Systems Board 
Technical Committee.  He has been conducting certification evaluations 
of computer-based voting systems for the State of Georgia since 1986. 
He also assists the states of Pennsylvania, Maryland and Virginia with 
certification evaluations of computer-based voting systems.
 
 
Security in the Georgia Voting System
Britain J. Williams, Ph.D.
April 23, 2003
 
 
Introduction:  The State of Georgia replaced all voting systems 
statewide with a computer-based voting system.  This system, known as a 
direct recording electronic (DRE) voting system, was first used in the 
November 2002 election.  This voting system, described in the next 
section, is computer based. As a result, questions have been raised 
regarding the vulnerability of the system to attacks by hackers and 
persons attempting election fraud. 
 
Overall security of any computer-based system is obtained by a 
combination of three factors working in concert with each other.  
First, the computer system must provide audit data that is sufficient 
to track the sequence of events that occur on the system and, to the 
extent possible, identify the person(s) that initiated the events.  
Next, there must be in place well defined and strictly enforced 
policies and procedures that control who has access to the system, the 
circumstances under which they can access the system, and the functions 
that they are allowed to perform on the system.  Finally, there must be 
in place physical security; fences, doors, locks, etc.; that control 
and limit access to the system.  This article describes how these 
factors are
incorporated into the election system in the State of Georgia.   
 
Overview of the Georgia Voting System: The computer-based election 
system deployed in the State of Georgia is classified as a direct 
recording electronic (DRE) system.  The components of the system 
consist of the following:
 
Standard personal computers running an executable module known as GEMS, 
Global Election Management System.  This system, called the GEMS 
computer, is used to define the election, enter the candidates and 
questions, and format the ballots for the voting devices. This computer 
also accumulates the votes after the polls close and prints various 
reports and audits.
 
Touch-screen voting stations are used for in-person voting.
 
Optical ballot scanners are used for absentee and provisional voting.
 
 
Each county election office in the State is equipped with a GEMS 
computer.  This computer is used to define elections and format the 
ballots for both the touch-screen voting stations and the absentee
(paper) ballot scanners.  The system also produces files that can be 
sent directly to a printer to print the absentee and provisional 
ballots.
 
When the election definition is complete, the GEMS system produces 
PCMCIA cards, also called PC memory cards, which are used to program 
the touch-screen voting stations and the ballot scanners.  One card is 
produced for each voting station and ballot scanner. 
While still in the county warehouse the voting stations are arranged by 
precinct and the PC cards are inserted. In the days just before the 
election a series of tests called Logic and Accuracy tests are 
conducted.  These tests are designed to confirm that the voting 
stations have been properly prepared for the election and that they 
correctly
register all votes cast.   These tests are open to the public.  At the
completion of the Logic and Accuracy tests the voting stations are 
sealed and delivered to the precincts.
 
On the morning of Election Day the Precinct Manager and Assistant 
Precinct Manager break the seals and prepare the voting stations for 
the election. The first step in this process is to print out a 'zero 
totals tape'.  This tape verifies that no votes have been recorded on 
the voting stations prior to the opening of the polls.  As the voters 
cast their ballots on a touch-screen voting station their choices are 
recorded on the PC memory card. The absentee ballots and provisional 
ballots are processed through ballot scanners and their votes are 
recorded on PC memory cards.
 
After the polls close all of the memory cards from the voting stations 
in the precincts and from the absentee and provisional ballot scanners 
are returned to the county elections office for tallying.
 
Certification of the Voting System: Georgia participates in the Federal 
Election Commission (FEC) Voting Systems Standards program. This 
program defines three levels of tests that a voting system must pass 
before it can be used in Georgia.  These three levels are federal tests 
called Qualification Tests, state tests called Certification Tests, and 
local tests called Acceptance Tests.
 
National laboratories selected by and monitored by the National 
Association of State Election Directors (NASED) Voting System Board 
administer the Qualification tests.  During these tests the system is 
evaluated for accuracy, reliability, availability, and maintainability. 
In addition, the system is subjected to various environmental 
conditions that simulate the conditions under which an election system 
may be transported and stored. A major component of these tests is a 
line-by-line examination of the source code for the system.  This 
review includes an evaluation of the function of each module of the 
code to insure that no extraneous code is contained in the system.  A 
complete description of the Qualification tests can be found in the FEC 
Voting System Standards section on the FEC web site: 
http://www.fec.gov.
 
After the system has successfully completed qualification testing it is 
brought into the State for Certification testing.  Certification 
testing is conducted by the Center for Election Systems at Kennesaw 
State University. Tests are conducted to verify that the voting system 
complies with the requirements of the Georgia Election Code, the Rules 
of the Georgia Secretary of State, and the Rules of the Georgia 
Election Board.  A mock election is defined and executed in order to 
evaluate whether or not the system can be installed and operated by 
personnel in a typical Georgia election office.  During this mock 
election a sufficient number of ballots is cast to ensure that the 
system has the capacity to accommodate the maximum number of ballots 
that may be cast in a Georgia precinct. A major component of the 
certification tests is to install security features.
 
The final level of tests, Acceptance tests, are conducted in the county 
offices after the voting system has been delivered and installed.  The 
purpose of these tests are to verify that the system as delivered and 
installed in the county is complete, is working properly, and is 
identical to the system that was previously Qualified by the ITA and 
Certified by the State. The KSU Center for Election Systems also 
conducts Acceptance tests.
 
Types of Threats to an Election System: There are two reasons why a 
person might launch an attack against an election system: to disrupt 
the election or to commit election fraud.  In the first instance, the 
intent of the perpetrator is simply to disrupt the election, an act of 
terrorism. Although a terrorist act against an election is disruptive, 
it is not a threat to the integrity of the election.  On September 11, 
when the twin towers in New York were attacked, there was an election 
in progress in New York City.  One of the precincts was in the shadow 
of 'ground zero'.  The election was completely disrupted.  New York 
election officials re-conducted this election with such quiet 
professionalism that very few people outside New York are even aware 
that an election was in progress on that fateful day.  No matter how 
severe, an act of terrorism against an election is disruptive and 
expensive but it is no threat to the electoral process.
 
Election fraud is an attempt to alter the outcome of an election.  In 
order to be successful election fraud must go undetected.  Once 
detected election fraud is simply another form of terrorism and can be 
dealt with accordingly. 
 
The security features installed in the Georgia voting system protect 
against both terrorism and election fraud, but the main emphasis is on 
preventing election fraud.
 
Computer System Security Features: The computer portion of the election 
system contains features that facilitate overall security of the 
election system.  Primary among these features is a comprehensive set 
of audit data.  For transactions that occur on the system, a record is 
made of the nature of the transaction, the time of the transaction, and 
the person that initiated the transaction.  This record is written to 
the audit log. If an incident occurs on the system, this audit log 
allows an investigator to reconstruct the sequence of events that 
occurred surrounding the incident.
 
In addition, passwords are used to limit access to the system to 
authorized personnel.
 
Procedural Security Features: There are rigid policies and procedures 
that control who has access to the election system, when they can 
access the system, what components they can access, and what function 
they are allowed to perform.  The most familiar of these procedures is 
the process that a voter must go through in order to cast a vote on the 
system.
 
Many of these procedures are directed toward insuring that the correct 
versions of the system software is initially installed in the GEMS 
computers and voting stations and, subsequently, testing at various 
times to insure that this software has not been altered.
 
To insure that the initial installation of the software is correct, the 
following steps are rigidly enforced.
 
�	The State does not accept software from any source except the
ITA that conducted the NASED Qualification Tests on the software.  When 
the ITA completes Qualification Testing of the software they submit to 
the KSU Election Center a copy of the source code and the resulting 
object code.
�	As a part of the State Certification Testing the KSU Election
Center prepares a validation program, similar to a virus detector 
program, that is subsequently used to verify that versions of the 
software installed in the county systems is identical to the software 
that the KSU Center certified.  This validation program is structured 
such that it provides a 1/1,000,000,000 chance that someone could alter 
the software without being detected.
�	When the software is installed in a county system, a member of
the KSU Center travels to that county and runs the validation program 
to verify that the installed software is correct.
�	This validation program is routinely run before an election is
begun to verify that the software is correct.  It is run again after 
the election to verify that the software did not change during the 
election.
�	The validation program can be run at any time that an incident
occurs that might potentially alter the software.  An example of such 
an event might be a nearby lightning strike that caused the GEMS 
computer to crash.
 
Physical Security Features: The first line of defense in any system is 
physical security.  The following is an overview of the physical 
security implemented in State elections.
 
�	The GEMS computers are kept in locked offices within the county
election offices.
�	The GEMS computers are not connected to any communication
system, including the Internet, and contain no software other than the 
Windows operating system and the Global Election Management System 
object code.
�	A security program, similar to a virus detector program, is run
against the Windows operation system and the GEMS object code prior to 
beginning the definition of an election to verify that the code has not 
been altered.  This program is repeated after the close of the election 
to verify that the code did not change during the election. 
�	No person is allowed access to the GEMS computer until his or
her identity has been clearly established by the county Election 
Superintendent.
�	The voting stations are stored in their voting booth cases in
stacks of five in a locked county warehouse facility.
�	The PC memory cards in the touch screen voting stations are in a
locked compartment.  The Precinct Manager is the only person in a 
precinct with a key to this compartment.
�	After the polls close a summary report of the votes cast in the
precinct is posted on the precinct door.
�	The PC memory cards from a precinct are transported from the
precinct to the county elections office by a sworn election official or 
a sworn law enforcement officer.
�	The area of the precinct that contains the voting stations is
secure.  A voter is not allowed to enter this area until a voting 
station is available for his or her use.
 
Specific Comments:  In the following paragraphs we address specific 
comments that have appeared in the press and open literature.
 
"If the only way you know that it's working incorrectly is when there's 
four votes instead of 1,200 votes, then how do you know that if it's 
1,100 votes instead of 1,200 votes?  You do not know.", Rebecca Mecuri, 
Professor, Bryn Mawr College, Washington Post, New Voting Systems 
Assailed, March 28, 2003
 
In a Georgia precinct there are three separate manual counts of the 
number of voters that cast ballots in the precinct.  These are 1) the 
number of people that fill out a registration slip (called a voter's 
certificate), 2) the number of people checked on the voter registration 
list, and 3) the numbered list of voters (i.e. the number of ballots 
issued).  When the polls are closed these three numbers are audited 
against the number of ballots recorded as cast on the voting system. 
Any discrepancy between these four totals is immediately obvious and 
must be accounted for in order to close the precinct.
 
"No official at Diebold or the Georgia Secretary of State's office has 
provided any explanation at all about program files contained in a 
folder called 'rob-georgia' on Diebold's unprotected FTP site.  Inside 
'rob-georgia' were folders with instructions to 'Replace what is in the 
GEMS folder with these' and 'Run this program to the C-Program Files in 
Winnt System32 Directory' ".  Beverly Harris, Black Box Voting: Ballot-
Tampering in the 21st Century, http://www.blackboxvoting.com, March 3, 
2003
 
Apparently, there was an FTP site that Diebold employees used to store 
and transfer versions of the system that were under development.  The 
contents, or even existence, of the 'rob georgia' folder has not been 
established.  
 
However, for the sake of this discussion, we will assume that the FTP 
site existed, that the version of the GEMS system used in Georgia was 
on that FTP site, that the 'rob georgia' folder existed, and that there 
was a rogue employee at Diebold that intended to use the 'rob georgia' 
folder to corrupt the Georgia voting system.
 
This would have had absolutely no effect on the election system as 
implemented in Georgia.  The State does not obtain its election system 
code from an FTP site or even from Diebold.  The process is as follows:
 
�	The vendor, Diebold, submits the source code to the ITA.
�	The ITA conducts a line-by-line examination of the source code
to determine that no extraneous code is present (i.e. that all code 
presented has a direct relationship to the functions of conducting an 
election).
�	After completing their evaluations, the ITA oversees the
compilation of the source code into object code.
�	The ITA, not the vendor and certainly not an open FTP site,
provides the KSU Election Center with the source code, the object code, 
and various related files.
�	The KSU Election Center conducts Certification Tests on the code
provided by the ITA.
�	After successful completion of Certification Tests the vendor is
allowed to install the certified object code in the county computers.
�	The KSU Center conducts audits to verify that the code that the
vendor installs in the counties is identical to the code that was 
obtained from the ITA.
 
"A patch to the underlying operation system - Windows - can slip 
through without scrutiny." Beverly Harris, Black Box Voting: Ballot-
Tampering in the 21st Century, http://www.blackboxvoting.com, March 3, 
2003.
 
This comment assumes that the State of Georgia allows changes and/or 
upgrades to the Microsoft operating system.  This is not the case.  
 
The vendor, Diebold,  submits to the ITA a specific version of the 
operating system and a specific version of the election software.  This 
specific version of the operating system and the election software 
undergoes ITA testing and State Certification testing.  The State 
Certification is for this specific version of  the Microsoft operating 
system and the Diebold election system.  After State Certification any 
change to either the Microsoft operating system or the Diebold election 
system voids the State Certification. 
 
If a change to either the Microsoft operating system or the Diebold 
election system becomes desirable or necessary, this change voids the 
State Certification.  The revised system then must then go back through 
the entire ITA Qualification and State Certification process.
 
"It requires one programmer at the company who has a political agenda 
or who has been bribed or somebody who can break into the company's 
network, who can hack the code when they're not looking," David Dill, 
Professor, Stanford University, High Tech Train Wreck, Creative 
Loafing, April 2, 2003.
 
This is the vendor version of the comment above and is equally 
unlikely. Let's look at what must transpire in order for a rogue 
employee of the vendor to effectively commit election fraud.
 
First, (s)he must figure out how to defraud an election that has not 
yet been defined and that will occur several years in the future.  
Since the races, much less the candidates, have not yet been defined 
the best you can hope for is to favor certain parties.  In Georgia this 
is not a trivial matter.  The State does not use the party affiliations 
built into the election system.  Instead, the State embeds the party 
affiliation in the candidate name field.  Thus, the rogue code must 
parse the name field looking or "R" or "Rep" or "REP" or "Republican" 
or "REPUBLICAN", and "D" or "Dem" or "DEM" or "Democrat" or "DEMOCRAT", 
etc.
 
Second, in a primary election all choices on a given ballot belong to 
the same party, it would be impossible to favor an, as yet, 
undetermined candidate in a primary election.
 
Finally, for this approach to election fraud to succeed, this code must 
lie dormant during all testing phases, ignore a primary election but 
become active during a general election, and lie dormant during all 
post election testing.
 
The code required to accomplish the foregoing is substantial.  It is 
extremely unlikely that this amount of code would escape detection by 
the ITA during Qualification Testing.
 
Finally, if all else fails and rogue code finds its way into the State 
election system, it would be detected during State certification tests. 
The contention is that this code could be cleverly devised to become 
active only on the dates of a general election.  When we conduct our 
mock election we set the date on the computer to the date of a general 
election.
 
"A person could insert a memory card into a voting machine that would 
change the program on the machine.", Anonymous.
 
This conjecture assumes that one can simply walk up to a voting station 
in the State and insert a PC memory card.  It is not this simple.
 
The following steps would be necessary in order to commit election 
fraud by altering the code in the voting stations employed in Georgia.
 
First, one would have to obtain the code installed in the voting 
station and alter it to suit their purpose.  This is no small feat but, 
for the sake of this discussion, let us assume that it is done. Assume 
that the perpetrator has in their possession a supply of PC memory 
cards that can alter the code in a voting station in such a way as to 
alter the outcome of an election.  One must now get this bogus system 
installed in the voting stations.
 
The voting stations can be attacked either before or after they are 
installed in the precincts.  Before they are installed in the precincts 
the voting stations are stored in county warehouse facilities.  In 
these warehouses, the voting stations are enclosed in their voting 
station cases and stacked five high.  To alter the voting stations in 
this environment, one would have to gain access to the warehouse, 
remove the voting stations from the stacks, open the cases, unlock the 
memory card access door (having obtained a key from somewhere), insert 
the bogus PC memory card, boot the voting station to install the bogus 
code, shut down the voting station, remove the bogus PC memory card, 
close the case, and return the voting station to the stack. All of this 
must be accomplished without being detected by any of the county 
warehouse employees.
 
To attack the voting stations in a precinct one would have to gain 
access to the secure area of the precinct.  The only people allowed in 
this area are poll workers and registered voters.  Poll workers only 
work in one precinct and do not move from precinct to precinct. 
Altering the voting stations in only one precinct is not likely to 
alter the outcome an election.  Thus our perpetrator must either be or 
impersonate a registered voter in the precinct.  Once in the secure 
area, the perpetrator must remove the right-hand security screen, 
unlock the memory card access door (having obtained the key from 
somewhere), remove the PC memory card in the voting station and insert 
the bogus PC memory card, reboot the voting station, remove the bogus 
PC card and re-insert the original card, reboot the voting station, 
lock the access door, and replace the security screen.  All of this 
must be accomplished without attracting the attention of any of the 
poll workers, candidate poll watchers, or party poll watchers.  This 
procedure must then be repeated for the other voting stations in the 
precinct.
 
The above scenarios describe the effort required to alter a single 
voting station.  In order to impact a statewide race our perpetrator 
must modify a significant portion of the 22,000 voting machines in the 
State.  To impact an election in Fulton or DeKalb County one would have 
to alter a significant portion of 3,000 voting stations.  On the other 
hand, if one's ambition were to be a county commissioner in Talliaferro 
County, population 2077, he would only have to alter 8 voting stations.
 
"When Georgia debuted 22,000 Diebold touch screens last fall, some 
people touched one candidate's name on the screen and saw another 
candidate's name appear as their choice. Voters who were paying 
attention had a chance to correct the error before finalizing their 
vote, but those who weren't did not.", Dan Keating, Washington Post 
Staff Writer,  New Voting Systems Assailed Computer Experts Cite Fraud 
Potential, Washington Post, March 28, 2003.
 
"In Georgia, newly using touch-screens, some voters reported their 
votes being recorded for other candidates", Peter G. Neumann, SRI, The 
2002 General Election, The Risks Digest, Volume 22, Issue 36, November 
6, 2002.
 
During the 2002 General Election in Georgia there were five reported 
instances of persons touching a name on the ballot and adjacent name 
lighting up.  In each case, technicians were sent to the precinct, but 
in each case the problem could not be duplicated.  
 
This can occur as a result of a calibration error on a voting station. 
If the voting station is not perfectly calibrated there will be a small 
area between two names where pressing in this area will register for 
the wrong name.  Since most voters vote with the end of their finger, 
not with a sharp instrument such as a stylus, the voting station would 
have to be significantly out of calibration for this error to occur. 
 
When it does occur it is immediately obvious and easy to correct.  The 
voter simply de-selects the wrong name and selects the right name.  If 
the voter is not paying attention and misses this error when it occurs, 
(s)he gets another chance to correct the error when (s)he reviews the 
summary screen at the end of the ballot.
 
If the situation persists, the voter is moved to another voting station 
to continue voting and the poll manager recalibrates the errant voting 
machine.  It takes approximately two minutes to re-calibrate a voting 
machine.
 
"Computerized voting equipment is inherently subject to programming 
error, equipment malfunction, and malicious tampering. It is therefore 
crucial that voting equipment provide a voter-verifiable audit trail, 
by which we mean a permanent record of each vote that can be checked 
for accuracy by the voter before the vote is submitted, and is 
difficult or impossible to alter after it has been checked. . . . The 
paper ballots must be submitted by the voters, to be available for 
counting or recounting and to avoid vote-selling. The votes on the 
paper ballots must be regarded as the definitive legal votes, taking 
precedence over electronic records or counts. ",  David Dill, 
Professor, Stanford University, http://verify.stanford.edu/evote.html, 
January 20, 2003.
 
Complex problems rarely have simple solutions.  If all of the problems 
with an electronic voting system could be solved by the seemingly 
simple act of adding a printer to each voting station and printing 
paper receipts election officials would be clamoring for this to 
happen.  They are not.  Here are some of the reasons.
 
There are logistical problems associated with the introduction of paper 
ballots. 
�	The presence of the paper supply in the voting station would
increase the weight of the voting station. When fully loaded with 
paper, as at the opening of the polls, the current voting stations that 
provide paper receipts weight in excess of forty pounds, more than a 
typical poll worker is capable of lifting.
�	The component of an electronic system that is most likely to
malfunction is an electro-mechanical component.  Printers are more 
mechanical than electrical. Thus, the introduction of the printer to a 
voting station greatly increases the probability of the voting station 
failing during an election.
�	Poll workers must be trained to replace paper and ink.
�	Technicians must be available to replace failed printers.
�	Finally, there is the expense associated with the purchase,
installation, and maintenance of a large number of printers (22,000, 
and counting, in Georgia).
 
The contention is that the voter will check the paper receipt for 
accuracy before his ballot is cast. Georgia law requires that voters be 
allowed to change their ballots up to the time that the ballot is cast. 
Therefore, a voter who does not like what is on the paper ballot must 
be given an opportunity to change it, as many times as he wishes.  The 
present procedure for spoiling a paper ballot includes a requirement 
that the spoiled ballot be placed in an envelope to be available for 
auditing the number of ballots issued versus the number of ballots 
cast. If the voter can change his mind at random and print as many 
paper ballots as he wishes, how is the poll worker to know how many 
ballots have been spoiled and ensure that the correct paper ballot is 
deposited in the ballot box?
 
How do you handle the situation where a voter casts his electronic 
ballot before he notices that the paper ballot, for whatever reason, 
cannot be read? Now we have a valid electronic ballot, but no 
corresponding paper ballot. If we now use the paper ballots in any 
official capacity we have disenfranchised this voter.
 
A similar situation exists when a voter casts his electronic ballot and 
then insists that his paper ballot is incorrect.  How do we determine 
whether this is the result of a voter error or a system error?  If the 
voter admits to committing an error there is no way the error can be 
corrected.  We cannot let him obtain a paper ballot by voting again on 
the electronic system and changing the paper ballot introduces a 
discrepancy between the electronic ballots and the paper ballots.
 
It finally gets down to a question of need.  The primary argument in 
favor of a paper receipt is that it could be used to check the accuracy 
of the electronic system. The fallacy in this argument is that the 
paper receipts would, in fact, be less accurate than the electronic 
ballots they are supposedly checking.  The current DRE voting systems 
have been tested to an accuracy of better than one part in ten million, 
as per the FEC Voting Systems Standards.  Thus, the paper receipt is 
not needed to insure accuracy.  In fact, our past experience with 
manual counts of paper ballots proves that they cannot consistently 
achieve that level of accuracy.  
 
The paper ballots could be printed in a format that is machine-readable 
and counted on another computer.  But that would put us in the rather 
peculiar position of saying that we do not trust the computer that 
printed the ballots but we trust the computer that counted them.  
 
Summary:  In conclusion, we recognize that there is no such thing as a 
100 % secure computer system.  Yet we are willing to fly on airplanes 
that are controlled by computers. We allow a heart-lung machine 
controlled by a computer to monitor and control the vital functions of 
our body during an operation. In many phases of our lives we are 
willing to submit to various computer controlled situations.  Why 
should we not extend the same level of confidence to our voting 
systems.
 
We do not pretend that the security features described above make the 
State's voting system completely safe from attack.  We do believe, 
however, that these features reduce the chance of a successful election 
fraud in the State of Georgia to better than one in one billion. 
 
------------------------
 
About the Author: Brit Williams is a Professor Emeritus of Computer 
Science and Information Systems at Kennesaw State University.  He was a 
consultant to the FEC during the development of the FEC Voting System 
Standards in 1990 and again in 2002.  He is currently a member of the 
NASED Voting Systems Board and Chair of the NASED Voting Systems Board 
Technical Committee.  He has been conducting certification evaluations 
of computer-based voting systems for the State of Georgia since 1986. 
He also assists the states of Pennsylvania, Maryland and Virginia with 
certification evaluations of computer-based voting systems.