By Teresa Hommel, WheresThePaper.org, June 27, 2007
Numbers in brackets [ ] refer to comments embedded in the text of the bill at http://www.wheresthepaper.org/S1487withCmt.htm
Control of election administration is shifted from local and state governments to the federal level
S1487 takes control of elections out of local and state hands and gives it to the federal government. Is this wise?
There has been no national debate, no Congressional debate, and no Congressional hearings at which citizens can speak. There has been no request for such a shift of control from citizens or local or state governments. Our federal system should not be so profoundly altered in this casual way.
S1487 would accomplish the shift in two ways. First, it imposes dozens of new requirements on states, and second, it converts the Election Assistance Commission (EAC) from a temporary commission with minimum responsibilities that have not been successfully accomplished into a permanent regulatory agency with control over dozens of functions currently controlled by local and state governments. Here are links detailing the EAC's past dysfunction:
a. EAC, past dysfunction: http://www.wheresthepaper.org/HR811.html#EAC
b. GAO Report: All Levels of Government Need to Address E-Voting Challenges
c. EAC has failed its mission, Testimony of Ellen Theisen, March 13, 2007
d. EAC: political, secretive, unresponsive to citizen concerns, protective of vendor and
ITA interests. http://www.votersunite.org/info/EACFailedMission.asp
Many of S1487's requirements carry minimal benefit--the bill touches on important topics but in a trivial way. For example, it mandates "election observers" access to poll sites, along with enormous administrative overhead to states, but the observers are mandated permission only to watch three procedures that commonly are not performed in poll sites.
S1487's major requirements--why they are wrong, and suggested solutions
1. Moratorium on Paperless DREs
A moratorium on acquisition of new paperless electronic voting machines ("DREs") will begin upon passage of S1487.
Paperless DREs already acquired shall be replaced or refitted with printers to print a voter-verified paper audit trail (VVPAT) by January 1, 2010 . By July, 2009 states shall certify that they will replace or retrofit such systems.
Many activists for election integrity started by advocating VVPAT, but then we found out that VVPAT won't work:
a. The new Sarah Everett studies from Rice University confirm previous studies showing that voters are unable to accurately verify DRE summary screens or VVPATs. http://chil.rice.edu/research/pdf/EverettDissertation.pdf
b. Even if accurate verification was assured, DREs, with or without VVPAT, prevent appropriate citizen observation and understanding how votes are recorded, cast, stored, handled, and counted. It is appropriate for voters to observe the recording and casting of their own votes and ballot. It is appropriate for election observers to observe the storage, handling, and counting of the votes and ballots.
Meaningful observation is the basis of all election legitimacy. Historically, the only reason that elections have been conducted in a non-understandable or non-observable way has been to enable those who are running the election to commit fraud.
c. Verification of a DRE screen or VVPAT is a placebo exercise, since neither is counted for initial tallies nor 98% of final tallies under this bill--instead, invisible electronic votes inside the DRE, which voters cannot verify and observers cannot safeguard, determine election outcomes.
d. DREs currently in use probably do not work because they have never gone through the lengthy, expensive software testing and correction process that other software-related products go through. Ellen Stone, a software expert, explained the process in her testimony of November 21, 2006, to the New York City Board of Elections. http://www.wheresthepaper.org/EllenStone061121.htm
There are two reasons why DREs have not gone through the process. First, DREs were originally designed without VVPAT or any other mechanism for independent verification of accurate function. When there is no way for anyone to find out whether a product works accurately or not, there is no market pressure on manufacturers to ensure that the product works accurately as long as it looks like it does.
Second, certification testing has been a secret and probably sham process. Again, there has been no market pressure for certification testing to ensure that DREs work as long as they appear to. In a January, 2004 interview with a small voting machine vendor, one executive says "The ITA (independent testing authority) has a limited scope in what they can test and check on the system. It is based on time and economics. For an independent test authority to absolutely, thoroughly test under all possible conditions that the device will operate properly they would have to spend, in my estimation, 10 times the amount of time and money as it took to develop it in the first place. And the technology changes so rapidly, by the time they get done testing it, it's obsolete. ... Absolutely nothing will you see in the FEC requirements that this (puts hand on DRE voting machine) has to work. It has to have these functions. But it doesn't have to work. ... The states basically look at the federal qualification testing as being kind of the ultimate testing ground.
Since the Ciber testing laboratory scandal in January, 2007, we know that the certification testing process for nearly 70% of the DREs in America involved minimal if any testing and was meaningless. http://www.wheresthepaper.org/news.html#jan07 See also testimony at the May 7, 2007, Field Hearing on "Certification and Testing of Electronic Voting Systems" held by the Subcommittee on Information Policy, Census, and National Archives of the Committee on House Administration, U. S. House of Representatives, www.wheresthepaper.org/news.html#May7_07FieldHearing
There have been thousands of documented failures of certified electronic voting systems, but citizens have been prevented by vendors and election administrators from examining the systems to discover the specific reasons. However the "DRE Analysis for May 2006 Primary, Cuyahoga County, Ohio", published by the ESI in August, 2006, compared a hand count of VVPAT to printed tally reports, electronic totals, and a manual inspection of memory, and found:
16% of DRE tally reports did not match the hand count of votes on VVPAT
72% of DRE tally reports did not match the electronic totals
26% of DRE electronic tallies did not match the memory
76% of DRE's votes recorded in memory differed from the DRE's VVPAT.
Congress should ban the use of DREs, and not spend more taxpayers' money on these machines that undermine the legitimacy of our elections in these fatal ways. The benefit of accessibility for voters with disabilities, non-English languages, and illiteracy can be achieved without DREs--and even if it couldn't, accessibility to a placebo vote is not beneficial to either the individual voter or our country.
2a. Audits, Part a, "verifying the vote"
All voting systems shall use or produce a "voter-verified paper record" which is defined as either VVPAT or voter-marked paper ballots, and the voter must be "permitted to verify the vote in a paper form" "before the voter's vote is cast and counted." This paper record must be suitable for a manual audit and must be counted in recounts or audits of elections for federal office.
If the law repeats an untruth often enough, will it become true? No. With DREs, the vote that gets counted exists only inside the computer's internal electronic circuits, and it cannot be verified by the voter. VVPAT is not the vote, and it is not the vote in paper form, and DREs do not produce the vote in paper form. This is a result of our law, which does not require counting the VVPAT for initial election-day tallies, nor for almost all final tallies.
Before Congress decides to call something that will not be counted "the ballot" (as in HR811) or "the vote" (as in S1487) consider what happened after Governor Richardson of New Mexico recently said he supported HR811 because it requires a paper ballot. People assumed that he had not read the bill, and didn't know what he was talking about.
There is no solution that can make DREs support legitimate democratic elections. DREs are a failed experiment, and it's time to get rid of them and move on.
2b. Audits, Part b, "audit inconsistencies"
In states using electronic voting systems, audits shall compare vote tallies "from the hand count" of the paper records ... with electronic vote tallies."
If inconsistencies occur between electronic tallies and paper tallies determined by hand-counting, the paper tally shall be used, except:
if an unspecified entity shows that sufficient paper records were compromised before the start of the recount, audit or proceeding, such that the election result would be changed, then electronic vote tallies in the precincts where paper records were compromised may, as provided under State law, be taken into consideration as one of several factors, to determine the outcome.[15,16,17] It is unclear whether the compromised paper records alone must be sufficient to change the outcome, or whether these numbers can be extrapolated to the other 98% of precincts.
The term "electronic vote tallies" allows such tallies to be the machine-by-machine tallies from each machine at a selected precinct, or the aggregated tallies from all machines at that precinct, or the tallies reported for that precinct by the central tabulator.
Some jurisdictions do not require machine-by-machine polling place tallies to be publicly posted immediately at the close of voting on election night. This allows tampering with both the paper records and the electronic tallies to ensure that they match and produce a desired outcome.
S1487 doesn't give anyone permission, authority or responsibility to investigate and "determine" that the paper has been compromised.
Assuming that wrong computer tallies have caused all inconsistencies will encourage tampering with the paper ballots or paper trail--and vice versa.
When inconsistencies between electronic and paper tallies occur, the law should assume that both the computers and the paper may have been tampered with, and the law should require investigation of both. The law should also require immediate access to the systems used as well as all election materials and documentation for the purposes of investigation by voters, candidates, and law-enforcement.
Inconsistencies are evidence of possible crime, and vendors' trade secrets and proprietary interests should not prevent investigation and collection of evidence.
The bill says that if enough paper has been compromised to change election outcomes, the state has to figure out how to take electronic tallies into consideration. Yet, it would be unusual in a 2% recount to find a sufficient number of paper records had been compromised to change an election result. Would the numbers found in the 2% audit be required or allowed to be extrapolated to the other 98% of unaudited precincts or machines? Is this a requirement designed to prevent the electronic equipment from being investigated, and the electronic tallies from being taken into consideration?
The law should require the electronic tally from each machine to be available to observers in each precinct at the close of voting on election night, and all electronic tallies must be announced to the public prior to beginning the audit. The VVPAT from each machine should be retained in a separate container for auditing of the machine that produced them.
The law should require citizens to be able to observe election materials and procedures from the time the polls open till the election is certified. The law should also require citizen to have access to records and systems. In case of inconsistencies, the law should require law enforcement investigation. Without this, only insiders and vendors will be able to "determine" anything and no one else will be able to corroborate or disprove such determinations.
2c. Audits, Part c, "repeated state guidelines, EAC voluntary model audit guidelines, 2% non-surprise public audits"
90 or more days before each general election, each State shall set up guidelines and standards for audits by local jurisdictions, for which states shall consider the EAC's voluntary model audit guidelines.[54,55]
At least 2% randomly-selected precincts per state shall be audited "at the same time as the official canvass" and in a public and transparent manner.[56,57,58,59,60]
It is unclear why states must repeatedly publish auditing guidelines and standards. Does this mean that audit guidelines and standards will always be a political football? Or that such guidelines and standards can be continuously improved?
2% audit is better than none, but does not ensure any degree of statistical confidence.
The word "transparent" means different things to different people, and inappropriate for use in legislation.
"Surprise" is not required, which means that the precincts to be audited can be known in advance. The purpose of surprise is to prevent time to adjust the records and/or computer tallies so that they match, as happened in Ohio.
One historical method of method of tampering involves holding back the tallies from certain precincts until the tamperer knows the returns from all other precincts and can calculate how many votes will be needed for the tamperer's candidate(s) to win. HR811 provides that all precincts must return their tallies before selection of precincts to be audited, while S1487 does not. Neither bill's approach prevents holding back certain precincts to be tampered with, and S1487 does not require the audit to begin upon selection of the precincts to be audited, thus allowing time for the electronic and paper records to be altered.
The percentage of precincts to be audited should be made by considering various factors. Simple language for a more powerful, less burdensome audit mechanism is at http://e-voter.blogspot.com/2007/04/amend-hr811-to-allow-states-to-use.html
To avoid the appearance of opportunity for tampering. and the appearance of sham audits that use already-altered materials, the law should require all ballots and other election equipment and materials used in the audits to be subject to public scrutiny from the start of voting on election day until the election is certified.
Similarly, the law should require all electronic tallies per machine in each precinct to be announced and posted immediately at the end of voting prior to connection of any precinct machine to the central tabulator. This is because unannounced electronic precinct tallies can be altered by the central tabulator at any time once the communications connection is established.
All DREs and optical scanners can print multiple copies of their tally reports, and each observer should receive an original printout that has been signed by the poll workers responsible for that machine.
The term "transparent" should be replaced by the unambiguous phrase "meaningfully observable so that non-technical citizens can understand, witness, and attest to the proper conduct of the audit."
2d. Audits, Part d, "EAC must publish state reports"
States shall send the EAC a report on the results of their audit. The EAC may ask for more information, and shall publish each report upon receipt.
States may not certify their election results prior to completing the audit and sending results to the EAC, effective 1/1/10.
The EAC may be able to delay the certification of state results by requesting more information.
The EAC's failure to function properly and with appropriate speed in the past calls into question its ability to publish 50 reports "upon receipt."
Audits are required to start in 2010, but should start in 2008.
3. Model Audit Guidelines
To assist the EAC in developing model audit guidelines, the EAC shall establish an Audit Guidelines Development Task Force composed experts in election audits, recounts, computer technology, and election management, and reflecting the demographic composition of the voting age population of the United States. The EAC shall consult with the Technical Guidelines Development Committee (TGDC) on the composition and members of the Task Force.[66.67]
The Task Force shall make recommendations to the EAC within 10 months after being set up, for ensuring efficient, transparent, and accurate audits and recounts. The EAC shall publish the recommendations, accept public comment, hold a public hearing on the record, and then adopt whatever the majority of commissioners want.
The EAC will maintain a clearinghouse of information on State and local governments' experience in implementing the guidelines and conducting audits.
Testimony by Doug Lewis of The Election Center on March 23, 2007, made clear that many election people believe that elections should not have to follow professional audit standards and practices. For example, election administrators do not believe that they should have to audit computers to ensure that they are functioning properly. www.wheresthepaper.org/HouseAdminTestimonyDougLewis3_20_2007.pdf
The TGDC developed America's voting system certification standards, which have been widely criticized as ineffective and allowing use of machines that have caused thousands of documented failures during elections. Due to this history of shoddy performance, Congress should not designate this body to develop model audit guidelines.
It is unclear what benefit S1487 hopes to achieve by requiring Task Force members to reflect the demographic composition of the voting age population of the United States.
The EAC has not complied with its missions up until now, and should not be given more responsibility.
Any "clearinghouse" of information about audits will be incomplete if only reports from State and local officials are included. Such officials have a conflict of interest in reporting problems, since their job is to not have problems.
The law should require accepted professional standards for audits, and accepted professional practices for verification of computer processing and results, to be followed in the field of elections. Toward this objective, the law should require the Audit Guidelines Development Task Force to have a majority of members from outside the field of elections. Suggestions include: representatives selected by NIST, the nonpartisan U.S. Government Accountability Office (GAO), both major political parties as well as minor parties recognized in one or more states, mathematicians, statisticians, gaming professionals, Certified Public Accountants, computer auditors, professionals who investigate computer fraud, and good government groups.
If "transparent" means "meaningfully observable" then the latter term should be used. If "transparent" means something else, then a different and more precise term should be used.
NIST should be given the task, with funding, to develop standards.
Any "clearinghouse of information" should include reports from candidates, parties, citizen observers, and good government groups.
4. Money to be authorized
a. Money to replace or retrofit noncompliant systems.
The EAC shall disburse $600,000,000 to States for costs incurred on or after January, 2007 for replacing or retrofitting DREs. To get their money, states must submit a notice specifying their number of "remedial precincts" and describing how they will use the money to meet the new requirements. If state legislation is required, it need not be enacted before the state submits its notice.
Systems to be replaced are DREs that lack vote verification and audit capacity, or systems that do not "provide that the entire process of vote verification was equipped for individuals with disabilities."[2,3]
Congress appears to be ignorant of the thousands of documented failures of electronic voting equipment in American elections during the past few years, scandals around the testing laboratory Ciber, the possibility that 68.5% of electronic equipment now in use that was certified by Ciber was never actually tested, and the unsavory character of the major vendors of electronic voting equipment in this country.
Before Congress authorizes more spending of public money on computerized voting, Congress needs to consider the basic question of whether electronic equipment is appropriate for use in the first place, and then, whether it can be made secure by the expenditure of more money and the addition of paper trails. Congress has held no hearings at which the public can speak.
There is one thing that is worse than making a mistake-that is, refusing to acknowledge it and refusing to correct it. HAVA and the use of DREs were mistakes. As described elsewhere, Congress needs to ban DREs, require the use of voter-marked paper ballots, and require citizen observation.
b. Research on verifiable, auditable, and accessible systems, and research on accessibility of paper records
The EAC shall disburse $3,000,000 to "entities" for research and development of verifiable and accessible systems. Apparently vendors are eligible for these grants.[4,5]
The EAC shall study accessibility of paper records by 1/1/10[22,23], and $1,000,000 is authorized for this. The EAC shall coordinate this study with the $3,000,000 research on verifiable, auditable and accessible systems.
Despite HAVA requirements for a "manual audit capacity" and accessibility, nearly five years after HAVA passed and after deadlines by which such systems are supposed to be in use, S1487 offers money for research and development of such systems. Privatization has failed to produce compliant equipment, but unauditable and inaccessible equipment has already been purchased and used.
Money needs to be authorized to develop devices for accessible use of paper ballots, and procedures for secure handling of paper ballots.
The law should specify who owns the results of this government-funded research, and who can use the results to manufacture and sell products.
Unlimited funds for an unlimited time are authorized for the EAC.
The EAC has failed to comply with its mission to date, and Congress should not convert this dysfunctional, secretive, partisan, temporary agency with a limited mission into a regulatory agency with power to set policy for state and local elections.
Disband the EAC and let states run their own elections. Give citizens a private right of action to compel timely compliance with legal requirements. Establish requirements for citizen observation as described above in "2. Audits" and appropriate remedies.
5. Exemption from Paperwork Reduction Act
This may exempt the EAC from having to comply with FOIL requests.
Wrong! The solution is to eliminate this provision.
At least one voting system per polling place must be equipped for individuals with disabilities and allow the voter to privately and independently verify his or her paper record through conversion of human-readable printed vote selections into accessible form, and ensures that the entire process, including vote verification and vote casting, is equipped for individuals with disabilities[19a]. This requirement does not preclude the supplementary use of Braille or tactile ballots.
Conversion of human-readable printed vote selections to accessible form requires use of text conversion technology, none of which has been implemented on DRE voting machines, much less certified yet.
The language "ensures that the entire process, including vote verification and vote casting, is equipped for individuals with disabilities" raises a red flag, because similar language has been used to argue that paper ballot systems should be illegal because they require some voters with disabilities to have assistants carry their marked ballot from the marking device to the scanner, and insert it into the scanner.
The Vote-PAD and AutoMark, devices for use with voter-marked paper ballots, convert vote selections to accessible form. The Vote-PAD is not a computer device. The AutoMark is a computer device and has been certified. The law should make explicitly clear that computer devices and DREs are not required for accessibility.
The law should make explicitly clear use of a privacy sleeve to protect the secrecy of the ballot for voters with disabilities meets the requirement that the "entire process, including vote verification and vote casting, is equipped for individuals with disabilities." The provision that accessible voting systems can be supplemented by Braille or tactile ballots does not serve this purpose.
7. Error Rates, Benchmarks
7a. Error Rates
System error rates for vote counting shall not exceed standards in the Voluntary Voting System Guidelines (VVSG), but errors attributable to acts of voters need not be taken into account.
The EAC and VVSG have kept voting systems error rates low by attributing errors to "poorly trained voters and poll workers" and failing to keep records of the incidents. See the testimony of John Washburn, http://www.wheresthepaper.org/JohnWashburnTestimony20070507.pdf especially beginning on page 5, as well as other testimony presented at the May 7, 2007, Field Hearing of the Subcommittee on Information Policy, Census, and National Archives of the Committee on House Administration, U. S. House of Representatives, www.wheresthepaper.org/news.html#May7_07FieldHearing
Due to the absence of any forensic or investigatory process for determining the cause of a given error, or whether it occurred during, or was caused by, system recording, casting, storage, handling or counting of votes, any errors can be attributed to any cause. Thus the EAC has been able to disregard common-sense evidence of fraud and system malfunctions by attributing errors to acts of voters.
Meanwhile, persons who have wished to investigate errors have been prevented from doing so by vendors and state and local election administrators, citing trade secret provisions of their contracts for purchase of electronic voting systems. No freely-conducted forensic examination or study of system-related irregularities has ever been allowed.
Lastly, it is unclear how the act of a voter can cause a machine to count erroneously.
All errors should be recorded and studied. The law should designate a technical entity to be responsible for monitoring the error rates of voting systems, identifying the cause of errors, and maintaining a database of errors so that error patterns can be identified over time.
7b. Residual Ballot Performance Benchmark
The EAC shall issue a "residual ballot performance benchmark" that includes overvotes, spoiled or uncountable votes, and undervotes, but excludes intentional undervotes. The EAC shall base the benchmark "on evidence of best practices in representative jurisdictions." States may not exceed this benchmark.
The EAC can set different rates for "distinct communities", because "Congress finds that there are certain distinct communities in certain geographic areas that have historically high rates of intentional undervoting in elections for Federal office, relative to the rest of the Nation."
The EAC shall identify distinct communities with "significantly higher than average rates of historical intentional undervoting" and set a separate benchmark for local jurisdictions "in which that distinct community has a substantial presence" or exclude such jurisdictions from the national benchmark, as appropriate.
DREs are the first voting technology that can determine the ethnicity of a voter (based on the language selected for display of the ballot on the touchscreen) and can be programmed to "lose" a given percentage of votes. "Lost" votes can be randomized per machine, so, for example, if 8% of votes are to be "lost" in a given geographic area, three specific machines can "lose" 12%, 8% and 4% respectively, to conceal the appearance of systematic fraud.
Mounting evidence shows that votes cast via non-English language displays on DREs are subject to separate treatment by the DRE, and subject to some votes being blanked out.
1. HAVA and HR811 - Voting Machines' Impact on Minority Communities
2. Wrong Time for an E-vote Glitch - Evidence that minority ballots can be handled
3. New Mexico - 2 DREs accounted for 8% Hispanic and Native American undervotes
4. New Mexico undervote rate plummets after switch from DREs to paper ballots
5. Palm Beach County, Florida, Parallel Testing Program, Findings (lost votes on Spanish ballots, pages 24-27) www.wheresthepaper.org/Limited_Parallel_Testing_Findings.pdf
6. PRLDEF statement, www.wheresthepaper.org/PRLDEF5_07PaperBallots.pdf
This section of S1487 empowers the EAC to set separate or no benchmarks for "distinct communities" that they "study" and assert have high "historical intentional undervoting," thus establishing a legal reason to ignore evidence of fraud, and legitimize and continue historical patterns of disenfranchisement under a new guise.
This section empowers the EAC to "estimate" and use only "available research" rather than do new research or exit polls, and falsely asserts that Congress has found that certain people like to undervote.
This section on error rates and benchmarks should be eliminated. The law should require that high undervote rates should trigger openly- and meaningfully-observed forensic computer examination of the specific machines used, to determine whether ethnic profiling and targeting of minorities has taken place.
Under current law, each state can set its own voting system standards, and decide whether its voting systems must meet federal standards.
Under S1487, no voting system in use before 1/1/10 shall contain or use software that has not been certified by the EAC or the State. No voting system in use after 1/1/10 shall contain or use software not certified by the EAC.
The EAC shall set up expedited certification for software additions and patches to existing voting systems, for use when there is inadequate time for normal certification, and may exempt commercial off-the-shelf software that is not "election-dedicated."
After 1/1/10, all voting systems must be certified by the EAC, giving them control of a vast marketplace and the conduct of elections nationwide.
The EAC shall establish guidelines for expedited certification of software changes for the next Federal election, allowing the use of untested changes.
Given past failures of the EAC to comply with its mission, and the presence or influence of vendors and other who are connected with past failures of certified equipment, this section is unwise.
Eliminate this section.
9. Disclosure of Software
9a. Disclosure to states already using the software
Disclosure of software is supposed to enable citizens to have oversight of vote recording, casting, storage, handling and counting.
Currently, secrecy of software is supported by trade secret and intellectual property provisions of vendors' contracts of sale.
S1487's disclosure section would limit disclosure and make non-disclosure a legal mandate.
"Election-dedicated software" and "information as necessary to assess the integrity and efficacy" of it must be disclosed to the EAC and to states that are already using the software.[30,31]
Software needs to be disclosed to states when they are evaluating the systems prior to certification, purchase, and use, not just states that are already using it. It is unclear whether this bill would preempt state law and prevent state law from requiring additional disclosure.
One important purpose of disclosure prior to use is to enable jurisdictions to verify that software delivered, present in systems after maintenance, or present in systems before or after elections, is the same as the software that was certified and ordered for purchase.
To assess the integrity and correct function of software, jurisdictions must perform comprehensive pre- and post-election logic and accuracy tests, and completely audit the work that the software performs. "Integrity" in the abstract is not a characteristic of software, but rather integrity is a conclusion that users of the software can draw after verification of the work the software has performed and determination that no errors were made. No computer scientist has ever claimed to be able to read a large software product and determine that it is free of errors and malicious code. Moreover, since malicious code can delete itself, it is questionable whether any Board of Elections can properly confirm what software is in its machines during any election, even if they were willing to attempt to do so.
Either drop the entire "disclosure" section, or mandate that software be disclosed to all states and to citizens who sign a non-disclosure agreements.
9b. Other software in a voting system
Voting systems may contain any software whatsoever as long as the manufacturer discloses information about it that the EAC determines is appropriate to the EAC, NIST, and states already using the system.
This is a dangerous loophole that circumvents certification testing, and enables voting systems to contain undetected malicious code.
Eliminate this loophole which serves no public purpose.
9c. Privatization of Software Escrow
The EAC shall store disclosed software with an entity selected by NIST.
Public servants in an accountable and capable governmental agency should hold the software. The law should not require privatization of functions related to elections.
NIST should both receive and store the software, because NIST has the skills to manage these functions.
Disclosed information may be provided to the EAC; NIST; the Chief State election official of a state already using the software; Federal or State governmental entities that administer or enforce election laws (but only for administering or enforcing election laws, or for review, analysis, and reporting); parties in litigation over an election in which the software is used but only as necessary for the review and analysis for the litigation; independent technical experts; and persons and entities who meet standards to be set by the EAC but only for reviewing, analyzing, and reporting on the operation.[34,35,36]
The scope of review, analysis, and reporting is limited to describing operational issues including vulnerabilities, and describing or explaining a failure voting system, but only if the information does not "compromise the integrity of the software or result in the disclosure of trade secrets or other confidential commercial information, or violate intellectual property rights in such software."[36a]
The limitations on disclosure in this section make clear that this section is intended to protect commercial rather than election integrity interests of citizens and candidates:
An unspecified entity will have responsibility and authority to administer disclosure: evaluate disclosure recipients and their purposes, establish a procedure for application and for appeal of decisions, enforce the restrictions, and provide the software to be disclosed.
Parties in litigation in which the voting system programming is in question need to have the software taken directly from the equipment that was used, in addition to the software that was certified and escrowed. One reason for having both is to determine whether the software actually in use in the equipment is the proper version, or is corrupted.
It is unclear what information may be safely disclosed. For example, if a researcher discovers that a system uses a pre-coded easily-guessed password such as 1111, or that the software contains a "back door" that enables an insider to tamper with ease, could such information be claimed to be confidential commercial information, and could revealing it be claimed to compromise the integrity of the software?
First, the conduct of elections is of interest to every citizen, and if computers are used to record, cast, store, handle, and count votes, then all software used should be completely open.
Second, if non-disclosure agreements are to be required, they should be administered simply as they are in other industries, and should explicitly allow disclosure in the event of discovering evidence that the law has been broken.
Third, commercial interests of vendors are already protected by provisions in the contracts of sale, and there is no public benefit served by creating additional legal protection for the secrecy of software used in voting systems.
The entire section on disclosure should be eliminated.
9e. Protection of commercial interests
The EAC shall develop a process with manufacturers and holders of intellectual property to ensure protection of their commercial interests. Other stakeholders such as states, parties, and citizens, have no right to know how our elections are conducted.
Democracy requires citizens to know and meaningfully observe how their votes are handled and counted, and if the votes are handled and counted by software, that software has to be public knowledge and open to public scrutiny.
Eliminate this section on disclosure.
9f. Ballot Definition Files
The software to be protected from disclosure includes ballot definition files.
Ballot definition files must be routinely inspected before and after all elections by candidates, and should be publicly available at all times.
The bill should explicitly require Ballot Definition Files to be publicly available without limitation.
10. Communications Capability
Voting systems shall not use wireless, power-line, or concealed communications (except for infrared technology if certified with the voting system) but all other kinds of communications capability can be used.
At the least, the exemption for infrared needs to be reworded to exempt only infrared, and not exempt a system with infrared from the prohibition against all other wireless, powerline, or concealed communications.
At best, infrared should not be an exception, since its use is not required for any election-related function and its use is an arbitrary choice of a vendor to load ballot definition files via infrared despite the availability of other simple methods for loading such files.
The entire prohibition is weak, because all forms of communications are easy entry-points for tampering. The focus on specific types of communications (wireless, power-line, and concealed) betrays an unhistorical and superficial understanding of computers, which were subject to break-ins via the older telephone line/modem technology long before wireless and power-line came into use. The listing of specific types of communications will make this section obsolete soon. Nevertheless, if a list is used it should include "dial-up modem networking" or "telecommun-ications" or "connections to the public switched telecommunications network", as well as ultra- or sub-sonic audio transmission.
The law should ban all communications devices and technologies, known or to be developed, in all voting and vote-tabulating equipment.
11. Internet Connections
Voting machines shall not be connected to the internet, but Election Management Systems and vote tabulating equipment may be connected to the internet.[40,41]
There is no reason whatsoever to allow internet connections to any Election Management System (EMS) or vote tabulating equipment. This paragraph allows EMS, which are used to program ballot definitions, and tabulators to be internet-connected, thus facilitating tampering and denial-of-service attacks.
For example: many jurisdictions do not require poll workers to print and post tally reports PRIOR TO connecting their DREs or optical scanners via telephone line or other technologies to their central tabulator (or EMS system if it functions as the central tabulator) to send in the day's tallies. This paragraph allows tamperers to connect to the central tabulator and put in malicious code so that when individual DREs or optical scanners connect to the tabulator to transmit their tallies, the central tabulator ALTERS their tallies first, then lets them send in the altered tallies. Then the poll workers print the tally reports in the poll site-but the tallies have already been falsified.
This may have been what Clint Curtis was talking about when he testified before a Congressional panel and was asked, if tallies in the central tabulator are altered, won't people notice that the tallies in the poll sites are different? He replied, "Not if I did it!"
If all communications capability in all parts of voting systems are not banned, the law should require poll workers to print and post precinct tally reports from all DREs and optical scanners before connecting any of these machines via any method of communications to the central tabulator.
The law should support prohibition of communications capability by requiring inspection and enforcement. If a jurisdiction is incapable of inspection (for example, due to trade secret provisions in its purchase contract), the jurisdiction should be prohibited from using the equipment.
12. Security Standards
Security consists of:
--States must set standards for chain of custody documentation, state election officials must comply, and the documentation must be made available to the EAC upon request.
--Software must be disclosed as specified earlier.
--After a system is certified, the manufacturer may not alter the software, or insert or use any uncertified software (but, the EAC can provide emergency certification) .
--Upon request, states must submit information about the state's compliance to the EAC.
Chain of custody documentation is easily fabricated. This section establishes a relationship between manufacturers, states, and the EAC, but does not provide for citizen scrutiny and oversight which might be more likely to detect inconsistencies that indicate falsification or fabrication of the documentation.
The prohibition against changes to certified software should not be limited to the manufacturer.
Emergency certification is a loophole that nullifies the certification testing concept.
It is easier for a group of citizens to watch some ballot boxes for a few weeks than to examine chain of custody documentation, read disclosed software to determine whether it was corrupted by illegal alteration, and try to determine whether an untested software patch that received emergency certification caused a voting system to fail. This is another reason why the law should ban electronic voting systems and require all aspects of election administration to be open to meaningful public observation, and that the handling of votes and ballots be software independent.
If any electronic system is used, after it is certified, all persons should be prohibited from altering the software or inserting or using any uncertified software.
Chain of custody documentation should be publicly available for citizen scrutiny.
13. Emergency paper ballots in case of system or equipment failure
If circumstances at a polling place, including voting system failure, cause significant disruption of the voting process for voters, individuals waiting to cast a ballot shall be informed of their right to an emergency paper ballot, and upon request provided with one, which shall be counted as a regular ballot.[43,44]
"Failure of voting equipment" and "significant disruption" need to be defined. Otherwise voters can be blamed for vote-switching on the touchscreen, errors in the final review screen or VVPAT, and other common DRE failures, and voters can be forced to use malfunctioning equipment.
If regular voting takes place with DREs, it is not clear when "regular ballots" on paper would be counted. If "regular ballots" on paper are primarily absentee ballots, they may be counted much later.
The law should list examples of failures of voting equipment that should cause the equipment to be taken out of service and emergency ballots to be used.
The law should explicitly describe examples of "significant disruption" that should cause emergency ballots to be used.
The law must require emergency ballots to be counted on election day and included in the first initial tally announced on after the close of voting on election night.
14. Laboratories' Conflicts of Interest
EAC-accredited laboratories must certify that only the EAC pays them for testing, that they meet standards the EAC will set to avoid the existence and appearance of conflict of interest, that they will permit an EAC-designated expert to observe testing, and that upon completion of testing a system they will disclose to the EAC their test protocols, results, and communications with the manufacturer.[46,47]
The EAC shall make information from laboratories available promptly to election officials and the public.
EAC should not have sole control over designating observers of testing.
The EAC is not required to make "all" the information available. "Promptly" is not specific.
States, parties, and citizens are stakeholders in elections, and the law should explicitly establish their right to observe certification testing upon signing a non-disclosure agreement that allows disclosure in the event of observing breaking of the law.
This section should require the EAC to make "all" the information available within an explicit specified time such as 24 hours or 3 business days.
15. Paying the Testing Laboratories
The EAC shall manage certification testing:
a. The EAC shall set up the "Testing Escrow Account" by 1/1/08.
b The EAC shall set the fees for testing voting systems in consultation with the labs.
c. Manufacturers must ask the EAC to submit their equipment to a randomly-selected lab for testing, but the identity of the lab will be secret.
d. Manufacturers will provide the money.[49,50] which the EAC will keep in the escrow account
e. When testing is done, the EAC shall pay the lab from the escrow account and reveal which lab did the work.
The EAC will accredit laboratories which can do certification testing. If the EAC revokes, terminates, or suspends the accreditation of a laboratory, or has "credible evidence of significant security failures" at a lab, the EAC shall notify Congress, the chief State election official of each State, and the public.
Full payment for testing only upon completion of tests can prevent small labs from doing this work.
It is unclear what purpose is served by secrecy regarding which lab is testing which product.
The EAC has to provide notification of evidence of security failures only if, in the EAC's discretion and judgment, the evidence is "credible" and the failure is "significant."
The law should require partial payment to small labs at milestones in testing.
The law should require the EAC to post notification on its web site of any evidence of security failures, because the credibility and significance often can be evaluated only in hindsight after patterns become clear.
16. Absentee Voting
States shall permit any persons to vote by absentee, and process their ballots as absentee ballots under State law, starting 1/1/08.
Whether or not to implement "no-fault" absentee voting is a decision that each state should make, and this decision should not be imposed by federal law.
No-fault absentee voting may increase the number of ballots that are not included in the election-night tallies and that are counted much later than on election day.
Extra security precautions and citizen observers would be needed to provide security for increased numbers of absentee ballots, which historically have been subject to various types of fraud.
Federal law should leave the decision to implement no-fault absentee voting to the states. This section should be eliminated.
17. Third-Party Voter Registration
States shall not refuse to register voters on the grounds that their registration application was submitted by a third party.
States shall not prohibit persons from assisting individuals in obtaining and completing, or from collecting or submitting, mail voter registration forms, or impose any burden on such assistance, collection or submission of the registration forms.
States may prohibit payment to persons collecting voter registration forms based solely on the number of forms collected.
Piece-work payment for completed forms should not be prohibited, and there is no public purpose for this bill to mention the subject.
The mention of payment to persons ... based solely on the number of forms collected should be eliminated.
18. Training of Poll Workers
Each state shall set minimum standards for, and set up a program for uniformity of, poll worker training, but standards may vary based on the type of voting system used in different locations.
The curriculum must be developed in conjunction with election and education experts; take into consideration EAC guidelines; and cover some aspects of election law and the use and maintenance of their voting systems.
Each state shall require all poll workers successfully complete the curriculum.
Each state shall develop manuals for poll workers at least 4 weeks before each election, distribute the manuals, and ensure that poll workers sign a certification that they have received and reviewed it, starting 1/1/08.
States should not be forced by federal law to get involved in poll worker training, which is typically a local activity.
If a program is required to meet minimum standards, it probably will never exceed minimum standards. Many local jurisdictions do excellent poll worker training.
Federal law should leave decisions about poll worker training to states and local jurisdictions. This section should be eliminated.
19. Equitable Allocation of Voting Systems, Poll Workers, and Election Resources
States shall equitably provide systems, poll workers, and resources for each poll site on election day and early voting days, considering EAC benchmark standards. If a state materially deviates from benchmarks standards set by the EAC, the State shall make a statement explaining the differences and the reasons for them, starting 1/1/10.
The EAC shall study equitable distribution, issue standards by 1/1/09 that consider such factors as voting patterns and voter turnout in prior Federal elections, demographic changes, voter registration, census data and demographic changes, abilities and training of poll workers, accessibility of poll sites, and available assistive technology, with the objective of preventing wait times of over 1 hour.
Equitable allocation is a state and local matter, and should not be handled via federal law.
The meaning of "materially deviates" is undefined. The consequence to a state for materially deviating is trivial and cannot remedy any disenfranchisement that occurs due to inequitable distribution.
Benchmarks and standards that reflect voting patterns and voter turnout in prior elections would necessarily perpetuate prior disenfranchisement.
No one is given responsibility and authority for monitoring deviation, determining whether it is material, forcing a state to make a statement, or evaluating the statement to determine if it is truthful, plausible, or merely the often-asserted "We worked very hard and had a smooth election and no votes were lost and we are sure that the outcome was not affected by any problems, which were caused by poorly-trained poll-workers."
Federal law should leave equitable distribution to states and local jurisdictions. This section should be eliminated.
20. Prohibiting Campaign Activities by Chief State Election Officials
As of 1/1/08, no chief state election official shall take an active part in political management or in a political campaign for Federal office over which such officials have supervisory authority, unless the official is the candidate. Prohibited activities include:
(1) serving as a member of an authorized committee of a candidate for Federal office;
(2) making public comments in an official capacity to support or oppose such candidates;
(3) solicit, accept, or receive contributions on behalf of such candidate;
(4) share information on election counts, recounts, or audits with selected rather than all candidates.
Such officials may serve as a delegate to a national nominating convention of a political party and may attend political campaign events.
These trivial restrictions are unlikely to prevent an unfair advantage to candidates of the party of chief state election officials. Banned activities include being a member of an authorized committee (but being a friend is ok, and being a member of an unauthorized committee is ok), making statements in an official capacity (but making them in an unofficial capacity is ok), dealing with contributions (but letting an associate deal with them is ok), sharing certain information with a candidate or authorized committee (but sharing it with an associate of the candidate or an unauthorized committee is ok).
Federal law should leave conflict of interest laws and regulations concerning chief state election officials to the states. This section should be eliminated.
21. Standards for Purging Voters
As of 1/1/08, voters should not be erroneously removed from or prevented from being added to the voter registration lists due to errors or inconsistencies in data, or variations in names such as maiden names, nicknames, or middle names.
Procedures should allow voters who were erroneously removed or prevented from being added to voter registration lists to be restored or registered.
90 or more days before Federal elections, State must publish names of voters removed, along with criteria, processes and procedures for name removal.
Written notice in a form and manner set by the EAC must be mailed to voters before they are removed (except due to change of residence) with notice of the reason and how to stay registered. After notice is sent, names cannot be removed until after two general elections in which the person does not vote.
When names of voters removed are published, the procedure for correcting a mistake is not required to be published.
Individuals who receive notice have the burden of correcting their voter registration. Remedies are not specified for individuals who waste endless time trying multiple times to correct their voter registration. There is no requirement for states to restore the registration within a reasonable time upon receipt of a reasonable request, and no penalty for states upon failure to respond to such requests.
Eliminate this section or strengthen it by inclusion of remedies for individuals who make reasonable efforts to restore their registration and cannot get their state to comply, and penalties for states that ignore requests.
22. Accredited Election Observers
States shall set procedures for international and domestic election observers who meet accreditation standards to be set by the EAC to allow these observers access to polling places to observe processing of any absentee or provisional ballots, and counting of votes.[80,81,83]
States shall make public notice of any denial of a request to observe, saying why it was denied and how to appeal the denial.
S1487's requirement for observers to be allowed access to polling places only goes so far as permission to watch the processing of absentee and provisional ballots (not regular ballots), and the counting of votes (if done there). The value of this permission is null if local jurisdictions process their absentee and provisional ballots and count their votes elsewhere,.
The burden of administration for this scheme outweighs its value. States must set up procedures to process applications, evaluate compliance with EAC standards, provide public notice of any denial of requests to observe, explain why, provide an opportunity to appeal, and handle appeals.
The law should require opportunity for meaningful and appropriate observation of all materials, votes, ballots, and equipment by citizens from the time the polls open until the election is certified.
23. Early Voting
As of the general election of November, 2008, States shall conduct at least 15 days of early voting with at least 4 hours per day.
The EAC shall provide guidance for early voting including the nondiscriminatory geographic placement of polling places at which such voting occurs.
Whether or not to implement early voting is a decision that each state should make, and this decision should not be imposed by federal law.
Early voting may lower voter turnout. It requires extra security precautions and citizen observers to provide security for equipment and the ballots that are cast daily during the early voting period.
Federal law should leave the decision to implement early voting to the states. This section should be eliminated.
24. Counting Provisional Ballots
As of the enactment of this section, states shall count provisional ballots if the voter is registered anywhere in the state and eligible to vote, regardless at which polling place the ballot is cast.
This requirement may mean that states need to have provisional ballots available at every poll site in the state to serve voters from any district in the state. If this is the intent, or if this is how this requirement is interpreted, each poll site may need a ballot-printing device programmed to contain every ballot face in use in the state for the specific election. In addition, each poll site would need some way to determine if a voter is registered anywhere in the state. This requirement would create a huge market for more electronic equipment, such as electronic poll books which have had an extraordinarily high failure rate so far.
Revise the language of the requirement to clarify what is intended. If voters in the wrong poll site, or at the wrong table in the right poll site, are intended to receive the ballot for that poll site or that table, this should be made clear.
25. Military and Overseas Voting
States shall accept and process any otherwise valid voter registration or absentee ballot application submitted by an absent uniformed services voter or overseas voter that contains the information required on the official form.
States shall accept and process any otherwise valid write-in absentee ballot from an absent uniformed services voter or overseas voter that contains the information required.