by Mary Howe Kiraly
Can we get in touch with that period, almost exactly seven years, ago when many of us were happily enjoying the word processing, email, and Google Search capabilities of our computers with little concern for the underlying technology? Who would have thought then that it would be incumbent upon us to become the technology-savvy watchdogs of the computerized voting industry? Or that we would rise to the occasion in such numbers and determination that one of the premier manufacturers of security systems in the world (Diebold Corporation) would be forced to change its election division’s name in an effort to preserve the corporate brand?
Let’s give ourselves a round of applause. Now we must get back to work because the task at hand is complicated; but we are up to the task.
Fortunately, a colleague who is savvier than I about the committees of the EAC, has provided us with the following information. If you go to the EAC website (www.eac.gov) and click on “TGDC Recommended Guidelines” you will be taken to a page where you can access the chapters of this report. There are two Sections in the EAC draft document that cover Secrecy of the Ballot In Part 1 (Equipment Requirements): Chapter 3, Section 3.2.3 and Chapter 7, Section 18.104.22.168-A.3. Secrecy of the ballot has become a pressing issue in states that use touch screen voting units because programmed “smart cards,” memory cards such as Voter Access Cards in Maryland, are used to activate the ballot and begin the voting process.
There are two points in the voting process where the potential for transferring data that could identify the voter with the ballot can occur. First, when the card is programmed at the check-in table through the use of an electronic pollbook and that card is then inserted in the voting unit to activate the appropriate ballot. Second, when the card is retrieved from the voting machine, after voting, and either reinserted in the e-pollbook for use by another voter or retrieved and saved. The VVSG has attempted to address these privacy concerns by restricting the data that can be programmed onto memory cards; but a potential vulnerability remains that requires our comments.
“For provisional voting, the voter’s identity is associated with the voter’s ballot so as to permit a subsequent decision whether to count the ballot. As an example, the activation device may create an identifier and associate it with the provisional voter’s identity, and then include this identifier with other information necessary to activate the ballot. The vote-capture device may store this identifier with the ballot so as to trace the ballot back to the voter’s identity for the purposes of deciding whether to count the ballot. The identifier must not itself identify the voter. For example, it must not include the voter’s identity or other information associated with the voter such as an SSN or other identifying information.”
In other words, this provision allows for the citizen’s selection to be associated in the voting machine database with a unique number associated with that voter, so that citizen’s vote can be removed later if deemed to be ineligible. (If you are a committed activist who has stayed with me to this point, I know your hair is now on fire!) The intention of this requirement may be to streamline the counting of provisional ballots, to make the job of election officials easier; but it totally compromises the secrecy of the vote. Not only for the counties which might use this capability for early voting; but also for all counties which use voting systems that have this built-in capability.
The best way to avoid a possible break down in privacy is to prohibit the vendors from building this capability into the voting system. This is where our comments are important.
Certification should require testing both the voting units and the ballot activation devices, through their source code, to verify that they do not have this capability. If the proposed guideline is implemented as written, and voting systems are permitted to accommodate this dangerous capability, it would require that each and every county that is concerned about the secrecy of the ballot, perform the necessary testing to ensure that it is not being used. Most counties do not have sufficient expertise to accomplish this task and such testing would be prohibitively costly.
The capability of tying a vote to a unique number identifying the voter is not theoretical; it appears to have been practiced in early voting in Georgia. “In the 2004 election, 367,777 Georgia voters-more than 10% of the state's electorate-unknowingly gave up the secrecy of their ballot, by taking advantage of the new early-voting process” (http://www.countthevote.org/no_secret_ballot.htm). John Sullivan, the Fulton County Election Superintendent, said that, “Early votes are marked with a numbered identification in case they are later challenged.” (Atlanta Journal-Constitution, 09/29/04, Carlos Campos)
With my thanks.