[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]
VOTING MACHINES: WILL THE NEW
STANDARDS AND GUIDELINES HELP
PREVENT FUTURE PROBLEMS?
=======================================================================
JOINT HEARING
BEFORE THE
COMMITTEE ON
HOUSE ADMINISTRATION
HOUSE OF REPRESENTATIVES
AND THE
COMMITTEE ON SCIENCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
SECOND SESSION
__________
JULY 19, 2006
__________
Serial No. 109-56
__________
Printed for the use of the House Committee on Science and House
Committee on House Administration
Available via the World Wide Web: http://www.house.gov/science
U.S. GOVERNMENT PRINTING OFFICE
28-627 WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
______
COMMITTEE ON SCIENCE
HON. SHERWOOD L. BOEHLERT, New York, Chairman
RALPH M. HALL, Texas                  BART GORDON, Tennessee
LAMAR S. SMITH, Texas                 JERRY F. COSTELLO, Illinois
CURT WELDON, Pennsylvania             EDDIE BERNICE JOHNSON, Texas
DANA ROHRABACHER, California          LYNN C. WOOLSEY, California
KEN CALVERT, California               DARLENE HOOLEY, Oregon
ROSCOE G. BARTLETT, Maryland          MARK UDALL, Colorado
VERNON J. EHLERS, Michigan            DAVID WU, Oregon
GIL GUTKNECHT, Minnesota              MICHAEL M. HONDA, California
FRANK D. LUCAS, Oklahoma              BRAD MILLER, North Carolina
JUDY BIGGERT, Illinois                LINCOLN DAVIS, Tennessee
WAYNE T. GILCHREST, Maryland          DANIEL LIPINSKI, Illinois
W. TODD AKIN, Missouri                SHEILA JACKSON LEE, Texas
TIMOTHY V. JOHNSON, Illinois          BRAD SHERMAN, California
J. RANDY FORBES, Virginia             BRIAN BAIRD, Washington
JO BONNER, Alabama                    JIM MATHESON, Utah
TOM FEENEY, Florida                   JIM COSTA, California
RANDY NEUGEBAUER, Texas               AL GREEN, Texas
BOB INGLIS, South Carolina            CHARLIE MELANCON, Louisiana
DAVE G. REICHERT, Washington          DENNIS MOORE, Kansas
MICHAEL E. SODREL, Indiana            DORIS MATSUI, California
JOHN J.H. ``JOE'' SCHWARZ, Michigan
MICHAEL T. MCCAUL, Texas
MARIO DIAZ-BALART, Florida
COMMITTEE ON HOUSE ADMINISTRATION
HON. VERNON J. EHLERS, Michigan, Chairman
BOB NEY, Ohio                         JUANITA MILLENDER-MCDONALD, California
JOHN MICA, Florida
JOHN T. DOOLITTLE, California         ROBERT A. BRADY, Pennsylvania
THOMAS REYNOLDS, New York             ZOE LOFGREN, California
CANDICE MILLER, Michigan
C O N T E N T S
July 19, 2006
Witness List
Hearing Charter
Opening Statements
Statement by Representative Vernon J. Ehlers, Chairman, Committee
on House Administration, U.S. House of Representatives
    Written Statement
Statement by Representative Juanita Millender-McDonald, Ranking
Minority Member, Committee on House Administration, U.S. House
of Representatives
Statement by Representative Sherwood L. Boehlert, Chairman,
Committee on Science, U.S. House of Representatives
    Written Statement
Statement by Representative Bart Gordon, Ranking Minority Member,
Committee on Science, U.S. House of Representatives
    Written Statement
Statement by Hon. Rush Holt, Representative from the State of New
Jersey
    Written Statement
Prepared Statement by Representative Tom Feeney, Member,
Committee on Science, U.S. House of Representatives
Prepared Statement by Representative Jerry F. Costello, Member,
Committee on Science, U.S. House of Representatives
Prepared Statement by Representative Lynn Woolsey, Member,
Committee on Science, U.S. House of Representatives
Prepared Statement by Representative Mark Udall, Member,
Committee on Science, U.S. House of Representatives
Prepared Statement by Representative Darlene Hooley, Member,
Committee on Science, U.S. House of Representatives
Prepared Statement by Representative Sheila Jackson Lee, Member,
Committee on Science, U.S. House of Representatives
Witnesses:
Ms. Donetta L. Davidson, Commissioner, Election Assistance
Commission
    Oral Statement
    Written Statement
    Biography
Dr. William Jeffrey, Director, National Institute of Standards
and Technology
    Oral Statement
    Written Statement
    Biography
Ms. Mary Kiffmeyer, Secretary of State for Minnesota
    Oral Statement
    Written Statement
Ms. Linda H. Lamone, Administrator of Elections, Maryland State
Board of Elections
    Oral Statement
    Written Statement
    Biography
Dr. David Wagner, Professor of Computer Science, University of
California-Berkeley
    Oral Statement
    Written Statement
Mr. John S. Groh, Chairman, Election Technology Council,
Information Technology Association of America
    Oral Statement
    Written Statement
    Biography
    Financial Disclosure
Discussion
    Human Factors and HAVA Guidelines, Technology
    Security in Electronic Voting
    Voluntary Nature of Standards
    Paper Trails and Mandatory Audits
    Role of EAC
    Dr. Wagner's Study
    EAC's Guidelines to States
    Paper Trails
    Voluntary or Mandated Independent Testing Labs
    Verification of Voter Identity
    State Role in Federal Elections
    Legislation That Addresses Voting Issues
    Voting Systems in Context of Katrina and Emergency Situations
    Military Personnel and Voting
    Standards for Failure Rate
    Vulnerabilities of Paper Trails and Foreign Investment in
    Voting Equipment
    Poll Workers and Human Error
    Voter Confidence and Turnout
Appendix 1: Answers to Post-Hearing Questions
Ms. Donetta L. Davidson, Commissioner, Election Assistance
Commission
Dr. William Jeffrey, Director, National Institute of Standards
and Technology
Ms. Mary Kiffmeyer, Secretary of State for Minnesota
Ms. Linda H. Lamone, Administrator of Elections, Maryland State
Board of Elections
Dr. David Wagner, Professor of Computer Science, University of
California-Berkeley
Mr. John S. Groh, Chairman, Election Technology Council,
Information Technology Association of America
Appendix 2: Additional Material for the Record
Statement of the U.S. Public Policy Committee of the Association
for Computing Machinery
Statement of Lawrence Norden, Chair, Task Force on Voting System
Security, Brennan Center for Justice, New York University
School of Law
Comments on the 2005 VVSG, by Roy Lipscomb, Director of
Technology, Illinois Ballot Integrity Project
Statement of the National Committee for Voting Integrity (NCVI)
Statement of VerifiedVoting.org
Maryland Registered Voters' Opinions About Voting and Voting
Technologies, Donald F. Norris, National Center for the Study
of Elections, Maryland Institute for Policy Analysis and
Research, University of Maryland, Baltimore County, February
2006
A Study of Vote Verification Technologies for the Maryland State
Board of Elections
Statement of the U.S. Election Assistance Commission (EAC)
Voting System Independent Testing and Certification Process:
Comprehensive, Rigorous, and Objective, The Election Technology
Council, November 2005
Security Analysis of the Diebold AccuBasic Interpreter, David
Wagner, David Jefferson, and Matt Bishop, Voting Systems
Technology Assessment Advisory Board (VSTAAB)
VOTING MACHINES: WILL THE NEW STANDARDS AND GUIDELINES HELP PREVENT
FUTURE PROBLEMS?
----------
WEDNESDAY, JULY 19, 2006
House of Representatives,
Committee on House Administration,
joint with the
Committee on Science,
Washington, DC.
The Committees met, pursuant to call, at 2:02 p.m., in Room
2318 of the Rayburn House Office Building, Hon. Vernon J.
Ehlers [Chairman of the Committee on House Administration]
presiding.
Hearing Charter
COMMITTEE ON HOUSE ADMINISTRATION
U.S. HOUSE OF REPRESENTATIVES
JOINTLY WITH THE
COMMITTEE ON SCIENCE
U.S. HOUSE OF REPRESENTATIVES
Voting Machines: Will the New
Standards and Guidelines Help
Prevent Future Problems?
Wednesday, July 19, 2006
2:00 p.m.-4:00 p.m.
2318 Rayburn House Office Building
Purpose
The purpose of the hearing is to review new federal voluntary
standards for voting equipment, which were issued late last year, to
see if they are likely to improve the accuracy and security of voting,
and to see if states are likely to adopt the standards.
The new standards, known as the Voluntary Voting Systems Guidelines
(VVSG), were required by the Help America Vote Act (HAVA), which was
enacted in 2002. Under the Act, the Election Assistance Commission
(EAC) promulgates the standards, based on recommendations from the
Technical Guidelines Development Committee (TGDC), which is chaired by
the National Institute of Standards and Technology (NIST). The language
in the Act regarding the standards was written by the House Science
Committee and the House Administration Committee.
Witnesses
Ms. Donetta Davidson--Commissioner, Election Assistance Commission.
Dr. William Jeffrey--Director, National Institute of Standards and
Technology.
Ms. Mary Kiffmeyer--Secretary of State for Minnesota.
Ms. Linda Lamone--Administrator of Elections, Maryland State Board of
Elections.
Mr. John Groh--Chairman, Election Technology Council, Information
Technology Association of America.
Dr. David Wagner--Professor of Computer Science, University of
California at Berkeley.
Overarching Questions
The hearing will address the following overarching questions:
1. Are the new voting equipment standards, if adopted, likely
to improve the accuracy and security of voting? What additional
elements, if any, are needed to improve the standards? When
should the standards be updated?
2. Are states likely to adopt the new voting equipment
standards? What needs to be done, if anything, to make the new
standards more useful for states and voting equipment
manufacturers?
3. What is the status of certifying the labs, known as Voting
System Testing Laboratories (VSTLs), that will test voting
equipment to see if it complies with standards?
4. How will the new standards, particularly those sections
that address human factors in voting, improve the usability
and accessibility of voting systems?
Overview
``The U.S. election system is highly decentralized,
with primary responsibility for managing, planning, and
conducting elections residing at the local jurisdictions--
generally at the county level in most states, but some states
have delegated election responsibility to sub-county
governmental units. Sub-county election jurisdictions in nine
states account for about 75 percent of about 10,500 local
election jurisdictions in the United States, but about 12
percent of the 2000 U.S. Census population. Local election
jurisdictions vary widely in size and complexity, ranging from
small New England townships to Los Angeles County, whose number
of registered voters exceeds that of many states.''\1\
---------------------------------------------------------------------------
\1\ GAO, Elections: The Nation's Evolving Election System as
Reflected in the November 2004 General Election, GAO-06-450
(Washington, D.C.: June 6, 2006).
---------------------------------------------------------------------------
In October 2002, Congress enacted the Help America
Vote Act (HAVA) (P.L. 107-252) to help address problems with
voting machines that were brought to the public's attention
during the 2000 federal election. HAVA encourages states and
localities to eliminate punch card and lever voting machines by
providing funds to the states to replace such equipment. Under
HAVA, the states have received $2.9 billion since 2003 to
improve their elections processes, including by purchasing new
voting equipment.
HAVA established an Election Assistance Commission
(EAC) to carry out aspects of HAVA. HAVA also established a
number of basic requirements that voting machines and systems
should meet, and a process by which new voluntary technical
standards would be developed to ensure the reliability and
accuracy of new voting equipment.
Under HAVA, draft technical standards for voting
system hardware and software are developed by the Technical
Guidelines Development Committee (TGDC), a 14-member panel
chaired by the Director of the National Institute of Standards
and Technology (NIST). The TGDC recommends standards to the
EAC, which approves and promulgates voluntary standards after
review and input from a HAVA-established Standards Board
(composed of State and local elections officials) and a Board
of Advisors (appointed by associations representing governors,
legislators, election directors, county officials, and others).
The EAC approved the first edition of these
standards, the 2005 Voluntary Voting Systems Guidelines (VVSG),
in December 2005, but made the new standards (the 2005 VVSG)
officially effective as of December 2007.
The 2005 VVSG standards are voluntary. States are
free to adopt them, in whole or in part, or not at all, as they
see fit. Two earlier sets of voluntary standards promulgated by
the Federal Election Commission (FEC), one promulgated in 1990
and one promulgated in 2002, are also available. The voluntary
nature of these standards means that earlier standards are not
necessarily superseded by the promulgation of updated
standards. Some states have adopted the 1990 FEC standards,
some states have adopted the 2002 FEC standards, some states
are in the process of adopting the 2005 VVSG standards prior to
their official effective date, some states have created their
own standards, and a handful of states have not yet adopted
standards for voting equipment.
In a recent GAO report, The Nation's Evolving
Election System as Reflected in the November 2004 General
Election, which included a survey of states, the GAO noted
widespread inconsistency in the use of federal technology
standards. For the November 2006 election, 11 states will
require local jurisdictions to meet the 1990 FEC standards, 29
states will use the 2002 FEC standards, five will use the draft
version of the 2005 VVSG, and the remainder did not require
compliance with any federal standard, used a mix of federal
standards, had not decided, or did not respond.
In addition, the same GAO study noted that the
performance of the voting systems--such as accuracy,
reliability, and efficiency--was not consistently measured by
states. Half of jurisdictions were collecting such data,
meaning that there is no nationwide data on the performance of
voting systems. Such information could help improve technology
and elections in the future.
Issues
Timing of the 2005 VVSG Versus State Voting Systems Purchases--The
transition to the new standards regime has been slow. The members of
the EAC were not appointed until the end of 2003, and the EAC was
initially provided with little funding to support its activities,
including the development of standards. Furthermore, the TGDC could not
meet until the EAC had been appointed, so the first TGDC meeting did
not take place until July 2004. When the EAC began distributing funds
to the states to help them purchase new voting equipment to replace
punch-card and lever voting machines, the TGDC had not finished the
process of developing the 2005 VVSG.
This has raised concerns that the new standards will not have a
significant effect on the technology that is currently being purchased.
Today, voting systems meet the 1990 or 2002 FEC standards, but none are
certified to meet the 2005 VVSG standards. One of the reasons is that
although the 2005 VVSG have been adopted, they are generally recognized
to be incomplete. The TGDC still needs to develop a comprehensive suite
of tests that instruct vendors and accredited testing laboratories how
to assess the performance of voting systems versus the standards.
Another reason is that the EAC, when they approved the 2005 VVSG,
included a 24-month grace period for states to adopt the standards,
reasoning that the testing laboratories had yet to be accredited, there
were no test suites to accompany the 2005 VVSG, and that states and
vendors had not had time to review and digest the new standards. This
means that the standards effectively do not apply until 2007. By this
time, all of the federal funds provided to the states under HAVA will
have been disbursed.
Security--Numerous reports have been released by computer science
experts that detail specific security flaws in electronic voting
systems, particularly in voting systems software used in direct record
electronic (DRE) or ``touch-screen'' voting machines. Due to these
flaws, most of these experts recommend the use of an independent paper
record to ensure that elections officials can audit election results,
spot-check for accuracy, and re-count should electronic results be lost
or compromised. They have also recommended various security procedures
to ensure access to the voting machines is strictly controlled.
These reports have been criticized by the voting systems vendors
and by some elections officials as offering unlikely and alarmist
scenarios. They point out that, to date, there is no evidence that an
electronic voting system has been hacked. They also point out that the
creation of a paper record creates additional opportunities for
mischief and management headaches for election workers. However,
computer security experts warn that a relatively unskilled hacker with even
a few minutes' access to the machines--either through physical contact
or through a wireless connection--could change election results.
Hacking aside, they point out that software errors, or errors that are
made during the programming of the ballot into the machine to get it
ready for a specific election, can lead to errors in the vote count. Up
to now, it is these types of problems, rather than hacking, that have
led to counting errors by electronic voting machines.
The 2005 VVSG includes technical standards related to electronic
voting machine security, but some security experts say that the
standards require additional scope and detail. In particular, they say
that true security testing goes beyond running through a checklist of
tests and should include actually trying different ways of breaking
into a system to alter vote counts. This type of testing should be
required and carried out routinely on voting systems, they say, before
there will be any assurance that systems are truly secure. The 2005
VVSG also contains guidelines for the use of a voter-verifiable paper
trail, should states decide to require one. Currently 27 states have
chosen to do this. Another eight do not have the requirement although
individual jurisdictions within those states have chosen this
technology.
Testing--The 2005 VVSG consists of two volumes totaling 370 pages.
Volume I National Certification Testing Guidelines describes the
minimum capabilities, hardware, software, security, and functionality
requirements that a voting system should have. This includes such
topics as human factors that affect the usability of these systems,
requirements for ballot preparation and election programming, and
environmental tolerances for heat, cold, and rough treatment such as
dropping.
For a standard to be useful, there must be a test or tests to
validate that it has been met. For this reason, Volume II Voting System
Performance Guidelines contains procedural requirements for vendors and
test labs and a high level description of the areas that shall be
tested. However, it does not contain tests for every topic covered by
the 2005 VVSG and therefore the 2005 VVSG will have to be updated with
more detailed testing protocols. Currently the VVSG include protocols
for the most basic varieties of environmental testing. For example, the
guidelines describe a test (Section 4.6.5.2) where the equipment is
heated for a specific period of time to ensure that variations in
environmental conditions do not interfere with its basic functions,
since equipment could be used or stored (up to months or years) under
extremely hot (or cold) temperatures. In another section of the
guidelines, standard tests from the International Electrical Code that
are already in use are recommended to test for resilience to power
disturbance, electromagnetic radiation, lightning surges, and other
phenomena (Section 4.8.1-4.8.8).
However, for more advanced matters such as software security, tests
have not been fully detailed in the 2005 VVSG. For example, Volume I has
an extensive section on standards to protect the security of voting
systems. Volume II's section on testing for security mostly relies on
requiring the vendor to describe their own security testing, or on the
test laboratory designing tests. Although there are tools used by the
software industry to check software for errors, as well as malicious
code, no specific techniques, procedures, de-bugging software or other
tools are listed as mandatory for labs to test voting systems software
to meet a security standard. However, it is important to note that in
the broader software industry, software security testing is not
particularly standardized because there is so much customization in
software.
Usability--Electronic voting machines (i.e., computers, often with
``touch screens'') have the potential to simplify voting and reduce
errors. Their similarity to Automated Teller Machines (ATMs), which many
people use on a routine basis, has made their use in the polling place
more intuitive for many voters. Electronic voting machines can also be
outfitted with devices to help the disabled vote without assistance.
Nevertheless, problems with the design and set-up of voting machines,
ballots, and the polling places themselves still can make voting a
confusing and discouraging experience. But even when the machines are
user-friendly and intuitive for voters, they may still remain
problematic for poll workers who need to set them up and break them
down on Election Day, and solve problems when voting machines do not
perform as expected.
In May 2004, before the formation of the TGDC, NIST published a
report entitled ``Improving the Usability and Accessibility of Voting
Systems and Products.'' This report, often referred to as ``the Human
Factors Report,'' detailed how research and best practices developed in
human-machine, human-computer, and usability engineering disciplines
could be applied to improve the usability of voting systems, both for
voters and poll workers, and for the disabled community. The report
noted that usability and accessibility were only partially addressed in
the FEC voting systems standards, and made recommendations on how
usability and accessibility could be addressed in the standards updates
mandated by HAVA.
Background
A Brief History of Voting Standards--Before the passage of the Help
America Vote Act (HAVA), voluntary voting systems standards were
developed and promulgated by the Federal Election Commission (FEC).
There were two versions of these standards, the 1990 version, and the
2002 version. These standards were developed by volunteers from the
elections community that did not necessarily include a range of
expertise on technical issues, such as security. The accreditation of
the testing laboratories that tested equipment against the FEC
standards was performed by the National Association of State Elections
Directors. The FEC standards had been originally developed in
recognition of the need for minimum performance requirements for voting
technologies that were becoming increasingly complex and sophisticated.
However, compared with most technical standards, these standards were
more descriptive than prescriptive. The design of tests to comply with
them was generally left to individual testing laboratories, resulting
in differences in interpretation and application of the standards. For
these and other reasons, HAVA included the language requiring the
development of more rigorous standards.
The 2005 VVSG used the 2002 FEC standards as a starting point,
although they significantly expanded and refined them. HAVA transferred
the responsibility for accrediting the testing laboratories to the
newly created EAC, which would accredit laboratories upon the
recommendation of NIST. These testing laboratories are now referred to
as Voting Systems Testing Laboratories (VSTLs). NIST is evaluating
prospective VSTLs through its National Voluntary Laboratory
Accreditation Program. NIST will make recommendations to the EAC based
on those evaluations about which laboratories to accredit.
VVSG Development and Approval Process--HAVA directed the TGDC to make
recommendations to the EAC, which would then have the recommendations
reviewed by the EAC Board of Advisors, a 37-member body drawn from
federal, state, and local entities, and Congressional appointees, and
by the EAC Standards Board, which is composed of 110 members drawn from
State and local election officials. The first meeting of the TGDC was
held July 9, 2004, and the TGDC has held regular meetings and
teleconferences since that date. The TGDC submitted its recommended
draft standards to the EAC May 9, 2005.
HAVA required a public comment period of unspecified length on the
draft standards. The EAC held a 90-day public comment period during
which time it received and reviewed over 6,000 comments on the proposed
guidelines. The EAC made some changes to TGDC's recommended standards
based on the public comment, and comments by the Board of Advisors and
the Standards Board. The EAC voted to approve the final standards on
December 13, 2005, while delaying their official effective date by 24
months to December 2007.
The TGDC continues to meet, as it believes there are major areas
for improvement and expansion in the standards. In addition to the test
suites to accompany the 2005 VVSG, the TGDC and NIST are working to
update the VVSG for 2007, which will complete the standards and
guidelines that were not fully addressed in the 2005 VVSG.
Recent Issues--Although the majority of new electronic voting equipment
performed well in the 2004 election and in the 2006 primaries held thus
far, some problems have occurred. During the 2004 election, the race
for the post of agriculture commissioner in North Carolina had to be
re-run because a problem in a voting machine caused it to stop counting
votes. During the Indiana and West Virginia primaries this year,
election officials in several counties had to manually count ballots
because of programming errors in the equipment that tabulated the
results from the voting machines. Recently, tests in Utah revealed
potential security vulnerabilities in one manufacturer's machines (see
attached news article). Many new voting systems that have exhibited
problems related to software errors had their systems evaluated and
passed by testing laboratories, which did not catch these errors. This
raises questions about how to improve software standards and testing
for voting systems so that these types of errors are caught in the
future.
Witness Questions
The witnesses were asked to address the following specific
questions:
Ms. Donetta Davidson--Commissioner, Election Assistance Commission
(EAC).
1. What is the EAC doing to encourage states to adopt the 2005
Voluntary Voting Systems Guidelines (VVSG)? How many states
have adopted the VVSG for the 2006 election? How many states do
you anticipate will adopt the VVSG for the 2008 election? Why
are states adopting or failing to adopt the guidelines?
2. Does the EAC intend to update the VVSG? If so, when will
they next be updated and what standards, testing procedures,
and other technical issues will be considered as part of the
update? What impact will these updates have on equipment
already in use?
3. To what extent did you review the VVSG with respect to
human factors and usability issues? To what extent do you think
human factors and usability need to be addressed in updates of
the guidelines?
4. What is the EAC's role in the approval of a certification
process for Voting Systems Testing Laboratories (VSTLs) and
what is the status of this process? When will the first VSTLs
be approved?
5. What actions, in addition to establishing a process to
certify VSTLs, does the EAC need to take to ensure that voting
equipment meets the 2005 VVSG and future updates?
Dr. William Jeffrey--Director, National Institute of Standards and
Technology (NIST).
1. What is the TGDC doing to update the 2005 Voluntary Voting
Systems Guidelines (VVSG)? What are the primary gaps in the
2005 VVSG that need to be filled? To what extent would voting
equipment still be subject to problems if it complied with the
2005 VVSG?
2. What is NIST doing to implement a certification process for
Voting Systems Testing Laboratories (VSTLs) and what is the
status of this process? How many testing laboratories have
applied for approval and when will recommendations for
qualifying laboratories be submitted to the Election Assistance
Commission (EAC)?
3. What were the findings and recommendations of NIST's 2004
report ``Improving the Usability and Accessibility of Voting
Systems and Products,'' which addressed human factors in
voting? To what extent were those findings and recommendations
reflected in the 2005 VVSG? To what extent do the 2005 VVSG and
the 2004 human factors reports emphasize the importance of ease
of use of voting systems for both poll workers and voters?
Ms. Mary Kiffmeyer--Secretary of State for Minnesota.
1. To what extent are the 2005 Voluntary Voting Systems
Guidelines (VVSG) being used by Minnesota and why? If Minnesota
is not adopting the 2005 VVSG, what standards are you using for
voting equipment purchasing decisions and operation, and why
did you select these standards?
2. Are the 2005 VVSG comprehensive enough to guide states'
voting equipment purchasing decisions and voting systems
operation during elections? If so, why, and if not, why not?
3. What do the Election Assistance Commission (EAC) and
Technical Guidelines Development Committee (TGDC) need to do to
make it more likely that states will update equipment using the
latest VVSG? Do the 2005 VVSG need to be changed or improved in
any way to make them more useful to the states? If so, what
changes or additional information would you recommend for the
VVSG? If not, why not?
4. How important are human factors, such as those described in
the National Institute of Standards and Technology (NIST) 2004
report ``Improving the Usability and Accessibility of Voting
Systems and Products,'' in your selection of voting equipment?
Is this report, together with the 2005 VVSG, having an impact
on voting systems and elections, and if so, how? If not, why
not?
Ms. Linda Lamone--Administrator of Elections, Maryland State Board of
Elections.
1. To what extent are the 2005 Voluntary Voting Systems
Guidelines (VVSG) being used by Maryland and why? If Maryland
is not adopting the 2005 VVSG, what standards are you using for
voting equipment purchasing decisions and operation, and why
did you select those standards?
2. Are the 2005 VVSG comprehensive enough to guide states'
voting equipment purchasing decisions and voting systems
operation during elections? If so, why, and if not, why not?
3. What do the Election Assistance Commission (EAC) and the
Technical Guidelines Development Committee (TGDC) need to do to
make it more likely that states will update equipment using the
latest VVSG? Do the 2005 VVSG need to be changed or improved in
any way to make them more useful to the states? If so, what
changes or additional information would you recommend for the
VVSG? If not, why not?
4. How important are human factors, such as those described in
the National Institute of Standards and Technology (NIST) 2004
report ``Improving the Usability and Accessibility of Voting
Systems and Products,'' in your selection of voting equipment?
Is this report, together with the 2005 VVSG, having an impact
on voting systems and elections, and if so, how? If not, why
not?
Mr. John Groh--Chairman, Election Technology Council, Information
Technology Association of America (ITAA); and Vice President of
Marketing and Director of International Sales, Elections
Systems and Software, Inc., a voting machine manufacturer.
1. To what extent are the 2005 Voluntary Voting Systems
Guidelines (VVSG) sufficient to inform the development and
manufacture of new voting machines? Is there additional
information and guidance voting machine manufacturers need?
2. Do you believe that changes are needed to the 2005 VVSG,
and if so, what are they and why are they necessary? If not,
why not?
3. What does your industry need in terms of tests and other
procedures to ensure that your products meet these guidelines?
Do you believe the current process for approval of Voting
Systems Test Laboratories (VSTLs) for voting equipment will
meet your needs?
4. How important are human factors, such as those described in
the National Institute of Standards and Technology (NIST) 2004
report ``Improving the Usability and Accessibility of Voting
Systems and Products,'' in your design of voting equipment? Did
this report, together with the 2005 VVSG, impact your industry,
and if so, how? If not, why not?
Dr. David Wagner--Professor of Computer Science, University of
California at Berkeley.
1. What should the Technical Guidelines Development Committee
(TGDC) and the Election Assistance Commission (EAC) do to
improve the 2005 Voluntary Voting Systems Guidelines (VVSG)?
What are the primary gaps in the 2005 VVSG that need to be
filled? To what extent would voting equipment still be subject
to problems if it complied with the 2005 VVSG?
2. What are the most effective and practical measures that
election officials can take today to make existing voting
systems as secure and reliable as possible in November?
3. Do the VVSG adequately address human factors and usability
issues? Do you think that they need to be improved in this
area? If so, why, and if not, why not?
Chairman Ehlers. This hearing will come to order. Welcome
to today's hearing on Voting Machines: Will the New Standards
and Guidelines Help Prevent Future Problems?
First, a few things to get out of the way. We have a
unanimous consent on rules for the joint hearing, since this is
a joint hearing of both the Science Committee and the Committee
on House Administration.
I ask unanimous consent that we conduct today's hearing
under Science Committee rules, the five-minute rule, and using
the following order of recognition. Opening statements by the
Chair, then Ranking Member of House Administration, opening
statements by Chair, then Ranking Member of the Science
Committee. Following witness testimony, questions from the
Chair, then Ranking Member of House Administration. Questions
from the Chair, then Ranking Member of the Science Committee,
questions from a majority, then minority Member of House
Administration, questions from majority, then minority Members
of the Science Committee, and so forth, until each Member
present has been recognized for the initial round of questions
under the five-minute rule. The presiding Chairman may use
discretion to ensure orderly and balanced recognition, based
upon time of arrival and seniority, as may be appropriate under
the circumstances. Without objection, so ordered.
I also ask unanimous consent for the gentleman from New
Jersey, Mr. Holt, to join us on the dais for today's hearing,
that he be able to ask questions of the witnesses and introduce
a statement for the record. Without objection, so ordered.
Now, having taken care of that bit of business, to organize
the meeting of the joint Committees, I just want to do a brief
explanation of procedure for the witnesses and the Members and
audience. Now, we are likely to have a vote on the Floor very,
very soon, and the bells will ring, and we will have to go
vote. I am hoping it will be only one vote, in which case we
probably can go to the Floor vote and be back within 15
minutes. If there is a series of votes, it will be longer, and
I beg your forbearance during that time. But we will certainly
do it as expeditiously as possible, and I also am very hopeful
that we will not have another vote during the course of this
hearing, so that we can proceed directly through it.
So, I am pleased to welcome all of you to this joint
hearing of the Committees on Science and House Administration
to review the development and implementation of the Voluntary
Voting System Guidelines.
My main objective in holding this hearing is to discuss how
voting technology standards can help us come closer to two very
important goals. First, that every citizen knows that their
vote is being accurately counted, and second, that every
citizen knows that their vote is not being diluted by illegal
or improper votes. At this hearing, I look forward to hearing
testimony from expert witnesses who may help us understand how
voting equipment standards and testing can help improve the
accuracy and security of the country's voting systems, and
prevent errors and fraud.
The new Voluntary Voting System Guidelines were developed
pursuant to the requirements of the Help America Vote Act of
2002, or HAVA, and it was the Science Committee and the House
Administration Committee that wrote the language requiring
these federal technical guidelines. So, the technical part of
the HAVA bill originated in this committee, and it was also
very much a joint minority-majority effort--as I recall, Mr.
Barcia was the Ranking Member at that time, and he and I worked
hand-in-hand in drafting that.
Under HAVA, these draft technical standards for voting
systems are developed by the Technical Guidelines Development
Committee, TGDC, a 14-member panel chaired by the Director of
the National Institute of Standards and Technology, better
known as NIST. And the Director is present to offer testimony.
The TGDC recommends standards to the Election Assistance
Commission, EAC, which approves the voluntary standards after
review and input from a HAVA-established Standards Board and
Board of Advisors composed of federal, State, and local
election officials.
This sounds like an incomprehensible alphabet soup, but the
system, although cumbersome, was designed to provide input and
action from experts in the field from all different areas,
ranging from the smallest township in the country to the
largest manufacturers.
The first set of standards under HAVA, known as the
Voluntary Voting System Guidelines, were approved by the EAC in
December 2005, although their official effective date was
delayed until December 2007.
The creation of the 2005 Voluntary Voting System Guidelines
was an important step in improving voting standards, but the
utility of the guidelines in ensuring honest and fair elections
will only be demonstrated by their adoption and implementation
in the states. Also, NIST still needs to approve test protocols
at companies that will certify that voting systems meet the
guidelines.
I look forward to hearing from our witnesses how the
guidelines will be used by states in the selection and use of
voting equipment, and when we can expect NIST to complete
certification of the testing companies. Our hearing today
should give us a better understanding of our progress in
applying these standards, as well as the efforts underway to
facilitate their adoption.
Another important issue with regard to voting standards is
the ability to update the guidelines as circumstances change
and technologies evolve. In the event that the guidelines are
updated, some existing equipment may fall out of compliance
with the updated regulations. We need to understand what impact
these updates will have on equipment--pardon me--already in
use, and what guidance the EAC will offer the states in
assessing this impact and helping them deal with it.
The matters we will discuss today are technical in nature,
and while they may be complicated, the underlying question is a
simple one. How will the new standards improve the integrity
and accuracy of our voting systems? As the name suggests, the
Help America Vote Act was enacted to help our citizens exercise
their right to vote. Technology can help us advance that goal,
but it must be deployed with the proper standards, standards
that take into account the human factors that will determine
whether or not real people, the voters, will be able to use the
technology with ease and confidence. Our objective is to ensure
that every person who is eligible to vote is able to do so with
the assurance that their vote will be accurately counted, and
that their vote will not be nullified by fraud.
I would like to thank our witnesses for offering their
insight into these issues, as we continue to improve our voting
systems and processes on behalf of all Americans.
Now, just one last, one other quick comment. I notice a
number of Members in the audience wearing T-shirts
demonstrating their support for a paper trail. That is a very
important issue. It is not likely to be addressed today, unless
some of the witnesses bring it up, but I have discussed it with
Dr. Holt, to whom we have granted the privileges of sitting
with us and commenting and questioning.
And I am trying to arrange a hearing, a separate hearing on
the paper trail, presumably some time in September, but we had
too much to do already in this hearing, without having to deal
with that separate issue, which is complex and important, and I
felt it deserved a hearing of its own.
With that, I am very pleased to now recognize Ms.
Millender-McDonald, the Ranking Member of the House
Administration Committee, for an opening statement.
[The prepared statement of Chairman Ehlers follows:]
Prepared Statement of Chairman Vernon J. Ehlers
Good afternoon. I want to welcome everyone to this joint hearing of
the Committees on Science and House Administration to review the
development and implementation of the Voluntary Voting Systems
Guidelines (VVSG).
My main objective in holding this hearing is to discuss how voting
technology standards can help us come closer to two very important
goals: First--that every citizen knows that their vote is being
accurately counted, and second--that every citizen knows that their
vote is not being diluted by illegal or improper votes. At this
hearing, I look forward to hearing from expert witnesses whose
testimony may help us understand how voting equipment standards and
testing can help improve the accuracy and security of the country's
voting systems, and prevent errors and fraud.
The new Voluntary Voting System Guidelines were developed pursuant
to the requirements of the Help America Vote Act of 2002, or HAVA, and
it was the Science Committee and House Administration Committee that
wrote the language requiring these federal technical guidelines.
Under HAVA, draft technical standards for voting systems are
developed by the Technical Guidelines Development Committee (TGDC), a
14-member panel chaired by the Director of the National Institute of
Standards and Technology (NIST). The TGDC recommends standards to the
Election Assistance Commission (EAC), which approves the voluntary
standards after review and input from a HAVA-established Standards
Board and a Board of Advisors composed of federal, State and local
election officials.
The first set of standards under HAVA (known as the Voluntary
Voting Systems Guidelines (VVSG) ) were approved by the EAC in December
2005, although their official effective date was delayed until December
2007.
The creation of the 2005 Voluntary Voting Systems Guidelines was an
important step in improving voting standards, but the utility of the
guidelines in ensuring honest and fair elections will only be
demonstrated by their adoption and implementation in the states. Also,
NIST still needs to approve test protocols at companies that will
certify that voting systems meet the guidelines. I look forward to
hearing from our witnesses how the guidelines will be used by states in
the selection and use of voting equipment, and when we can expect NIST
to complete certification of the testing companies. Our hearing today
should give us a better understanding of our progress in applying these
standards, as well as the efforts underway to facilitate their
adoption.
Another important issue with regard to voting standards is the
ability to update the guidelines as circumstances change and
technologies evolve. In the event that the guidelines are updated, some
existing equipment may fall out of compliance with the updated
regulations. We need to understand what impact these updates will have
on equipment already in use, and what guidance the EAC will offer the
states in assessing this impact and helping them deal with it.
The matters we will discuss today are technical in nature and,
while they may be complicated, the underlying question is a simple
one--how will the new standards improve the integrity and accuracy of our
voting systems? As the name suggests, the Help America Vote Act was
enacted to help our citizens exercise their right to vote. Technology
can help us advance that goal, but it must be deployed with the proper
standards--standards that take into account the human factors that will
determine whether or not real people--voters--will be able to use the
technology with ease and confidence. Our objective is to ensure that
every person who is eligible to vote is able to do so, with the
assurance that their vote will be accurately counted, and that their
vote will not be nullified by fraud.
I would like to thank our witnesses for offering their insight into
these issues, as we continue to improve our voting systems and
processes on behalf of all Americans.
Ms. Millender-McDonald. Thank you so much, Mr. Chairman,
and I, too, would like to join you in welcoming all of the
expert witnesses, those who are participating with us in the
audience, and others today. It is great to see you all here as
we convene this joint hearing.
And given that it is a joint hearing, I would like to thank
both Chairmen, my own Chair, Ehlers, and Chairman Boehlert, for
calling this very important joint oversight hearing.
Given that the Election Assistance Commission, EAC, was
created to be the election issue clearinghouse, they are
working tirelessly to remedy the inherent problems with lever
and punch card machines that plagued past elections. This issue
was clearly brought to light during the 2000 Presidential
election in Florida. As part of HAVA, the EAC was tasked with
updating the Voluntary Voting System Guidelines, which were
promulgated by the now-defunct FEC Office of Election
Administration. The EAC worked in tandem with the National
Institute of Standards and Technology and the Technical
Guidelines Development Committee to address computerized voting
equipment as well as standards.
The media has focused much of its attention in the last few
years on the perceived problems with direct recording
electronic, DRE, voting machines, as well as calls for a
voter-verifiable paper audit trail, VVPAT. The EAC was tasked by HAVA
to determine if there are actual versus perceived problems with
paperless DRE voting machines, and recommend standards for
states that have decided to implement VVPAT.
I believe that the EAC's chief functions in determining
these standards will be the testing certification,
decertification, and recertification of voting system hardware
and software. To that end, the EAC heard public opinion on the
Voting System Guidelines, received over 6,500 comments from the
public, and incorporated elements of these comments into the
Election Management Guideline Project.
Elections today are not the same as they were 200 years
ago, not even 60 years ago. We are moving to a more
technologically-driven world, and we need comprehensive
standards to reflect these changes. States may decide to adopt
the Voluntary Voting System Guidelines in their entirety or in
part prior to the effective date of December 2007. However, we
are hopeful that all states will implement these standards.
During a hearing held by our committee in July of 2004,
Brit Williams, Kennesaw State University Professor of Computer
Science, suggested one way to improve the way elections are run
is to test machines before, during, and after elections to
verify their soundness. I am interested in hearing the panel's
thoughts on this concept. As we are in the midst of the 2006
election cycle, I intend to ask about one of HAVA's mandates
for states which requires that each polling station be equipped
with at least one machine that is fully accessible to the
individuals with disabilities. That mandate became effective
January 1 of this year.
One way states may satisfy this obligation is with the use
of DRE voting equipment. Now, are all states going to be
compliant before this upcoming November election? That is yet
to be determined. DRE machines were at one point thought to be
the great panacea to the problems associated with the 2000
election, but much concern has continued to brew since the
enactment of HAVA. These Voluntary Voting System Guidelines
will be directly affecting the way elections are conducted.
So, I look forward to the hearing today, from the panel of
experts, about voting machines, and the hearing, and to hear
their answers to such questions as, ``Will they be secure,
while still allowing for people with a disability to vote
without assistance and in private?'' And Mr. Chairman, I am
very pleased that you have suggested that we will have a
hearing some time in the near future on the paper trail.
When I had my week off, we all had weeks off here a couple
of weeks ago, I heard from an overwhelming amount of
constituents on the paper trail issue, and I think it is
important that we bring this to the forefront, so Americans
across this nation can hear our thoughts on a paper trail.
So, I thank the two Chairmen for convening this hearing,
and I look forward to the testimony of this esteemed panel, to
answer those questions, some of which I have raised.
Thank you, Mr. Chairman.
Chairman Ehlers. Thank you for your comments. Next, I am
pleased to recognize a very, very distinguished gentleman, the
Chairman of the full Science Committee, who has devoted a good
share of his life to the Congress and to this committee, and
unfortunately, has chosen to retire, and will be honored today
at a retirement reception.
But Congressman Boehlert from New York has done yeoman
service, and I think, frankly, we should, we have a good group
here, let us all give him a round of applause for his good
work.
The Chairman is recognized for his opening statement.
Chairman Boehlert. Thank you very much, Mr. Chairman.
And I have to observe at the outset that we have the entire
Congressional Physics Caucus with us here today on the dais.
Both Chairman Ehlers and Dr. Holt are distinguished scientists
in their own right. Both have Ph.D.s in physics, so it is a
pleasure to work in association with you. They are scientists
first, politicians second.
I want to join the Chairman in welcoming everyone to this
extraordinarily important hearing. Elections are obviously the
keystone of our entire democratic system. If elections are not
seen as legitimate, the entire American system unravels. But
making sure that election results are credible is a trickier
and more technical matter than first appears to be the case.
That is why our committees worked together under the leadership
of Dr. Ehlers to craft language in the Help America Vote Act,
requiring new technical standards for voting equipment, and a
new testing regime for those standards. That is not the part of
the law that got the most attention, but it may prove to be the
most important part of the law for the future of American
democracy.
I say that because, as the Nation moves to electronic
voting systems, that is, to computers, which is a good trend on
the whole, the kinds of things that can go wrong with voting
machines may become harder to recognize, harder to fix, and
harder to prevent. I am referring here mostly to unintentional
problems, but security issues become more complex as well.
Over the long-run, newer voting machines are going to
require clear, comprehensive technical standards, and testing,
to ensure that election results are credible. In the short-run,
I think we also need to require paper trails, even though they
have their own problems, to ensure that election results can be
checked.
I think, excuse me, I think all of us need to pay close
attention to the testimony that will be offered today by Dr.
Wagner, and to his recommendations for making sure that
electronic voting machines make voting more accurate and more
secure, not the opposite. I am not endorsing all the
recommendations at this point, but I am going to want to hear
from each of our witnesses what they think of each of Dr.
Wagner's recommendations.
And I don't simply want to hear that the recommendations
will be expensive. How much is American democracy worth? As a
nation, we ought to be willing to invest in election equipment,
invest as much in election equipment as we invest in campaign
ads. Frankly, we in Congress haven't invested as much as we
should in the development of the new standards, which have been
delayed as a result. I am not happy to learn that new standards
are not likely to be fully enforceable until 2010, at the
earliest, and that is only in states that choose to adopt them.
I have to say that I had wanted the Help America Vote Act to
require any state using federal money to purchase voting
equipment to abide by the standards, but we weren't able to get
that language into the bill.
But what we have now is an entirely voluntary system, and
we need to make sure that it works. I hope that today, our
committees will get clear guidance on what needs to be done to
ensure that comprehensive standards get developed, to ensure
that those standards are capable of preventing problems with
electronic voting machines, and to encourage states to adopt
and effectively implement those standards.
And once again, let me say, if we are going to spend
taxpayer dollars to develop federal standards, I think we
should require that the states that want to access those
federal dollars should meet those standards. I am not enamored
with the concept that they voluntarily can choose to comply.
That is what is necessary to have credible election results
in the future. The essayist E.B. White once defined democracy
as ``the recurrent suspicion that more than half of the people
are right more than half of the time.'' That makes democracy a
pretty fragile construct to begin with, but it is an unworkable
idea if we can't accurately count what half of the people are
thinking.
I look forward to today's testimony, and I thank you, Mr.
Chairman, for the courtesy.
[The prepared statement of Chairman Boehlert follows:]
Prepared Statement of Chairman Sherwood L. Boehlert
I want to join Chairman Ehlers in welcoming everyone here to this
extraordinarily important hearing. Elections are obviously the keystone
of our entire democratic system. If elections are not seen as
legitimate, the entire American system unravels.
But making sure that election results are credible is a trickier
and more technical matter than first appears to be the case. That's why
our committees worked together, under the leadership of Dr. Ehlers, to
craft language in the Help America Vote Act requiring new technical
standards for voting equipment and a new testing regime for those
standards. That's not the part of the law that got the most attention,
but it may prove to be the most important part of the law for the
future of American democracy.
I say that because, as the Nation moves to electronic voting
systems, that is, to computers--which is a good trend, on the whole--
the kinds of things that can go wrong with voting machines may become
harder to recognize, harder to fix, and harder to prevent. I'm
referring here mostly to unintentional problems, but security issues
become more complex as well.
Over the long-run, newer voting machines are going to require
clear, comprehensive technical standards and testing to ensure that
election results are credible. In the short-run, I think we also need
to require paper trails--even though they have their own problems--to
ensure that election results can be checked.
I think all of us need to pay close attention to the testimony that
will be offered today by Dr. Wagner and to his recommendations for
making sure that electronic voting machines make voting more accurate
and more secure, not the opposite. I'm not endorsing all of his
recommendations at this point, but I am going to want to hear from each
of our witnesses what they think of each of his recommendations.
And I don't simply want to hear that the recommendations will be
expensive. How much is American democracy worth? As a nation, we ought
to be as willing to invest in election equipment as we are in campaign
ads.
Frankly, we in Congress haven't invested as much as we should in
the development of the new standards, which have been delayed as a
result. I'm not happy to learn that new standards are not likely to be
fully enforceable until 2010 at the earliest--and that's only in states
that choose to adopt them. I have to say that I had wanted the Help
America Vote Act to require any state using federal money to purchase
voting equipment to abide by the standards, but we weren't able to get
that language into the bill.
But what we have now is an entirely voluntary system, and we need
to make that work. I hope that today our committees will get clear
guidance on what needs to be done to ensure that comprehensive
standards get developed, to ensure that those standards are capable of
preventing problems with electronic voting machines, and to encourage
states to adopt and effectively implement those standards. That's
what's necessary to have credible election results in the future.
The essayist E.B. White once defined democracy as ``the recurrent
suspicion that more than half of the people are right more than half of
the time.'' That makes democracy a pretty fragile construct to begin
with. But it's an unworkable idea if we can't accurately count what
half of the people are thinking.
I look forward to today's testimony. Thank you.
Chairman Ehlers. And I thank you for your comments. And
before we go to the next person, I just want to comment on the
reference to Dr. Holt and myself as physicists. We are the
first two research physicists elected to the Congress. When he
was elected, we decided to form a Physicists' Caucus. Since
then, we have been looking for a suitable office for the
caucus, but so far, we have not found a phone booth with a
chalkboard. And physicists can't meet without a chalkboard.
Having said that, it is my pleasure to recognize the
Ranking Member of the Science Committee. I am pleased to
recognize Mr. Gordon for his opening statement.
Mr. Gordon. Thank you, Mr. Chairman. Let me add my welcome
to everyone that is here today. It is good to see a full house.
I also want to welcome our friends and colleagues from the
House Administration, many of whom had little trouble finding
this room, since Dr. Ehlers and Zoe Lofgren also do double duty
here, so we welcome you, and certainly, Rush Holt, who has
taken a major role in this issue.
But most importantly, I want to welcome our distinguished
guests today, who are going to be speaking to us. I am in that
position where, being the fourth speaker, most everything has
been said. I haven't said it, and I am going to leave it that
way, and just quickly say that as my friend, Chairman Boehlert,
pointed out, the root and foundation of any democracy is a
feeling among its people that once the election is over with,
you were treated fair and square, and that you can go home, be
upset maybe that your candidate didn't win, but you can then be
a part of the loyal opposition, and the process can move
forward until the next election.
When you don't have that, as we are seeing in Mexico right
now, problems persist. Recently, concerns have developed in our
country about that level of being fair and square, whether it
is intentional or unintentional, and so, I hope that today's
hearings will help us to move forward. I have to say that I am
disappointed that we are behind schedule, and I do not see,
obviously, much taking place in 2006, maybe not even 2008. We
need to move forward. There needs to be transparency. There
needs to be credibility in this process, and we need to move on
with it.
So, thank you, and hopefully, this hearing today will allow
us to do so.
[The prepared statement of Mr. Gordon follows:]
Prepared Statement of Representative Bart Gordon
I want to welcome everyone to this afternoon's hearing and to
welcome our House Administration colleagues to the Science Committee
hearing room.
The development of new voting standards by NIST and the Election
Administration Commission (EAC) was meant to improve the accuracy,
reliability and integrity of our voting systems. However, the facts
highlight that these updated guidelines may have little impact on the
2006 or even the 2008 elections.
According to a June 2006 GAO report, eleven states are still using
the 1990 Federal Election Commission (FEC) standards which are known to
be inadequate. Twenty-nine states are using the 2002 FEC standards
which GAO has also found to be weak. Currently, only five states plan
on using the new 2005 standards developed by the EAC and NIST during
the 2006 elections. In addition, there are serious questions about the
current testing procedures used to determine if voting equipment meets
any standards. The current conformance testing is not transparent and
results are not public. This issue needs to be addressed now.
While NIST has worked hard to develop new standards, the revised
EAC/NIST standards will not go into effect until December 2007. For
these new standards, transparent conformance tests still need to be
developed. While these standards and test methods were being developed,
states were already purchasing new voting equipment.
Will this new equipment meet the 2005 standards? At this time I
don't think we know with any certainty.
We do know that there are questions about the security and
integrity of direct recording electronic voting equipment. And some
states have experienced significant problems with these voting systems.
Finally, if purchased equipment does not meet updated standards and
conformance tests, we need to decide who will pay for equipment
upgrades.
I don't have the answers to these questions, but we have a
distinguished panel with a wide range of experience and views on this
issue. I hope they can shed some light on the issues I've raised, and I
look forward to their comments.
Chairman Ehlers. I thank the gentleman for his statement,
and I do have good news. We thought we would be interrupted by
votes before this, but fortunately, the manager's action on the
House floor have taken up three suspensions, which will
postpone votes, perhaps to the point where we can finish the
hearing. That remains to be seen.
Mr. Holt. Mr. Chairman.
Chairman Ehlers. Yes.
Mr. Holt. I would like to thank you for the courtesy of
taking part in this. I appreciate your calling the hearing. I
would like to ask unanimous consent to put, at this point, in
the record a written statement, which will make the basic point
that the subject of today's hearing, standards for design and
certification, are good, but not sufficient, and that one needs
auditability, and a required audit process, as well.
And I will have to excuse myself at some point soon for an
Intelligence Committee hearing, but I thank the gentleman, the
Chairman, for his courtesy.
Chairman Ehlers. Well, I thank you, and it is a pleasure to
find out that there is some intelligence in the Congress.
I will make the general statement, if there are Members who
wish to submit additional opening statements, your statements
will be added to the record. Without objection, so ordered.
[The statement of Representative Rush Holt follows:]
Prepared Statement of Representative Rush Holt
Chairmen Ehlers and Boehlert, Ranking Members Millender-McDonald
and Gordon, Honored Members of the Committees, I am Rush Holt,
Representative from the 12th District of New Jersey. I would like to
reiterate my gratitude, as expressed on the occasion of the House
Administration Committee's recent hearing on the issue of voter
identification, that the Committees are jointly addressing another
critical aspect of election reform--the Voluntary Voting Systems
Guidelines for voting equipment. But I would like to say again,
however, that I fear that our opportunity to meaningfully and
decisively address the very real issue of the security risks and
accuracy problems plaguing our electronic voting systems is passing us
by. As a result, this November may yet again strike a blow to the
public's confidence in our elections.
It was my honor to speak before the House Committee on Science,
Subcommittee on Technology, on this matter two years ago, when it held
a hearing in June 2004 entitled ``Testing and Certification of Voting
Equipment: How Can the Process Be Improved?'' In my statement to the
Committee, I reviewed some of the history of the development of voting
system standards, first implemented in 1990, and updated in 2002, to
cover punch card, optical scan, and direct recording electronic (DRE)
voting systems.
But I also directed the Committee's attention to the 2001 Report of
the CalTech MIT Voting Technology Project--``Voting--What Is, What
Could Be,'' which stated that ``[t]he existing standards process is a
step in the right direction, but it does not cover many of the problems
that we have detected. . .important things are not reviewed currently,
including ballot and user interface designs, auditability, and
accessibility.'' The CalTech MIT study also recommended, under the
heading ``Create a New Standard for Redundant Recordings,'' that
``[a]ll voting systems should implement multiple technological means of
recording votes. For example, DRE/touchscreen systems should also
produce optical scan ballots. This redundancy insures that independent
audit trails exist post-election, and it helps insure that if fraud or
errors are detected in one technology there exists an independent way
to count the vote without running another election.''
Since then, the same recommendation has been made by one
authoritative body after another. In the wake of the 2004 election, the
Commission on Federal Election Reform, Co-Chaired by former President
Jimmy Carter and former Secretary of State James Baker, again studied
the problem of electronic voting security. The Commission released its
findings in September 2005, in a report entitled ``Building Confidence
in U.S. Elections.'' The Commission concluded, among other things, that
``of course, DREs are computers, and computers malfunction,'' and that
``[t]he standards for voting systems, set by the EAC, should assure
both accessibility and transparency in all voting systems.'' However,
the EAC cannot mandate transparency in the standards because HAVA does
not mandate it. Therefore, the Commission recommended that ``Congress
should pass a law requiring that all voting machines be equipped with a
voter-verifiable paper audit trail and, consistent with HAVA, be fully
accessible to voters with disabilities.'' It further noted that
``[t]his is especially important for [DREs]'' in order to ``provide a
backup in cases of loss of votes due to computer malfunction'' and ``to
test--through random selection of machines--whether the paper result is
the same as the electronic result.'' Finally, it noted that ``paper
trails and ballots currently provide the only means to meet the
Commission's recommended standards for transparency.''
Just last month, the Brennan Center for Justice, working in
conjunction with NIST, Ron Rivest of M.I.T. (a co-author of the
CalTech/MIT study), Howard Schmidt, former White House Cyber Security
Advisor for George W. Bush and Chief Security Officer for Microsoft and
eBay, and other computer security experts, released the most
comprehensive and rigorous analysis to date of e-voting security risks
and remedies. My colleagues Tom Davis and Tom Cole joined me at a press
conference commending the Brennan Center on the Report.
Entitled ``The Machinery of Democracy: Protecting Elections in an
Electronic World,'' the report explained in detail the various risks
associated with using all of the three major types of voting systems
now used in the United States. The report assumed, in its analysis,
that (1) an Independent Testing Authority (ITA) has certified the model
of voting machine used in the polling place; (2) Acceptance Testing was
performed on machines as soon as or soon after they were received by
the County; (3) pre-election Logic and Accuracy testing was performed
by the relevant election official; (4) prior to opening the polls,
every voting machine and vote tabulation system was checked to see that
it was still configured for the correct election, including the correct
precinct, ballot style, and other applicable details; and (5) the
jurisdiction was not knowingly using any uncertified software that is
subject to inspection by the ITA. Even so, however, the report found
that ``[a]ll three voting systems have significant security and
reliability vulnerabilities, which pose a real danger to the integrity
of national, State, and local elections.'' To mitigate those risks, the
report recommended a voter-verified paper record accompanied by
automatic routine random audits of those records, a ban on the use of voting
machines with wireless components, and other security measures, all to
be implemented as expeditiously as possible.
That same month, the National League of Women Voters issued similar
recommendations in a resolution passed at its Annual Convention in
June. The resolution states that the League of Women Voters ``supports
only voting systems that are designed so that: they employ a voter-
verifiable paper ballot or other paper record, said paper being the
official record of the voter's intent. . .the paper ballot/record is
used for audits and recounts. . .the vote totals can be verified by an
independent hand count of the paper ballot/record. . .and routine
audits of the paper ballot/record in randomly selected precincts can be
conducted in every election, and the results published by the
jurisdiction.''
I expect the Chairman recalls the testimony of Michael Shamos,
Professor of Computer Science at Carnegie Mellon University, who also
spoke before the Subcommittee on Technology during its hearing in June
2004. At the very outset of his remarks, he said: ``I am here today to
offer my opinion that the system we have for testing and certifying
voting equipment in this country is not only broken, but is virtually
nonexistent. It must be re-created from scratch or we will never
restore public confidence in elections. I believe that the process of
designing, implementing, manufacturing, certifying, selling, acquiring,
storing, using, testing and even discarding voting machines must be
transparent from cradle to grave, and must adhere to strict performance
and security guidelines that should be uniform for federal elections
throughout the United States.''
Chairman Ehlers, you and I are scientists. Like scientists, we rely
on evidence. Scientists can collect evidence and collect more evidence.
As policy-makers, we know that for policies that determine how our
government functions, we must not wait so long that delay harms the
functioning of our government and thus harms the people. We are at that
point today: we need no more inquiry on the issue of the transparency
and independent auditability in our elections. The public, numbering in
the millions--and I believe that is no exaggeration--is losing
confidence in the integrity of our voting systems. This undermines the
essential democracy of America. Citizens are beginning to doubt our
ability to govern ourselves. What could be more important?
We have heard from a President, a Cabinet Secretary, a White House
advisor on computer security, computer security experts at NIST,
election integrity experts at the Brennan Center for Justice, the
League of Women Voters and many other voting integrity activists, and a
lengthy list of this nation's top computer security experts. After
extensive study and consideration, they all agree that (1) no matter
how rigorous the testing and certification process, it cannot, by
itself, prevent fraud or errors; (2) voter-verified paper records
accompanied by routine random audits are necessary as an independent
audit mechanism; and (3) paper is the only technology available at this
time by which we may establish such independent auditability.
I have attached a document prepared by the voting integrity group
VotersUnite.org. This map sets forth a partial list--51 reported
incidents--in which ballot programming errors recently resulted in
votes being recorded other than as evidently intended by the voter. It
is important to note that in every single instance, the machines which
failed had already been tested and certified and were either deployed
or about to be deployed for use in actual elections, under our existing
testing and certification regimen. What follows are just a few examples
from this document, entitled ``Vote-Switching Software Provided by
Vendors'':
In June, 2006, in Pottawattamie County, Iowa,
software in optical scanners recorded votes inaccurately. The
County Auditor became suspicious when a college student was
found to be leading the incumbent County Recorder (who'd held
the job since 1983) by a count of 99 to 79 absentee votes. She
stopped the computer count and ordered a hand count of the
paper absentee ballots, and the result was reversed--the
incumbent had 153 votes and the student had just 25.
In May 2006, in a School Board election near Grand
Rapids Michigan, optical scanners erroneously gave votes to
non-existent write-in candidates. Brand new machines
malfunctioned in 15 of 16 townships and the town of Hastings in
Barry County, recording in one instance 90 write-in votes in a
contest that received only 127 votes. In only one township,
as confirmed by a hand count of the optical scan ballots, did
the software count the votes accurately.
In June 2006, in Leflore and Jackson Counties,
Mississippi, various glitches were experienced in the use of
new paperless voting machines, including ballots not being
properly customized for each precinct. An AP story published on
June 7 about the irregularities quoted a County-level political
official as saying: ``If a hacker comes in and hacks that
program, what are we going to do then? . . .We're praying that
everything will work out for us.''
These are but a few of the numerous incidences of electronic voting
irregularities that have plagued this year's primary season. And the
most important point about these examples is that, in the first two
incidents, something unusual tipped off election officials and, because
optical scan ballots were used, they were able to prove who actually
won by counting those voter-verified paper ballots. In the third
example, the fact that the ballots were not programmed correctly for
each precinct was discoverable, but, because paperless touch screens
produce no voter-verified paper ballots, the accuracy of the ultimate
vote count could not be confirmed. In this third example, the political
official in question was left to simply ``pray'' for accuracy.
Hoping and praying for an accurate vote count is simply
unacceptable in a democracy. We need no further study to conclude that
vote counting must be transparent, and that the only way to achieve
transparency today and for the foreseeable future is to require a
voter-verified paper audit trail on all election machines. My
legislation, the Voter Confidence and Increased Accessibility Act of
2005 (H.R. 550) would establish a uniform national requirement for a
voter-verified paper record for every vote cast, routine random audits
of a small percentage of the electronic tally of those votes, a ban on
the use of wireless devices, and other measures that will ensure not
just the accessibility, but the independent auditability and
transparency of our elections.
I thank the Committees again for giving their time and attention to
matters of election reform, and I urge the Committee on House
Administration to conduct a hearing or schedule a mark-up of my Voter
Confidence Act as expeditiously as possible.
[The prepared statement of Mr. Feeney follows:]
Prepared Statement of Representative Tom Feeney
Today's hearing continues our effort to ensure that every properly
completed ballot is counted and fraud and error do not dilute
legitimate votes. The adoption and implementation of technical
standards for voting equipment ensure that the best technology and
operational practices are applied to each election.
In order to achieve these goals, I have introduced H.R. 3910, the
Verifying the Outcome of Tomorrow's Elections (VOTE) Act. As to voting
equipment standards and guidelines, the VOTE Act requires that:
1. direct recording electronic systems also produce voter-
verified paper records;
2. technical standards address the security of data
electronically transmitted or received by voting systems; and
3. ballot tabulation equipment is regularly tested to ensure
compliance to prescribed error rates.
However, technical standards are only one part of preserving the
integrity of every vote. You can cast your vote on technically flawless
equipment. But if ineligible voters also cast ballots or corrupt
election officials oversee the process, your vote is cheapened.
Accordingly, the VOTE Act implements these security procedures:
1. each election official is subject to a criminal background
check;
2. political party representatives can observe ballot
tabulations; and
3. voters must present photo identification before casting a
ballot.
Let's not delude ourselves into believing that technology by itself
creates honest and fair elections. We should focus on preserving the
integrity of the overall election system in which technology plays an
important but not exclusive role.
[The prepared statement of Mr. Costello follows:]
Prepared Statement of Representative Jerry F. Costello
Good afternoon. I want to thank the witnesses for appearing before
our committee to review new federal voluntary standards for voting
equipment which were issued late last year. Today's hearing serves as
an opportunity to examine the accuracy and security of voting and to
see if states are likely to adopt the Voluntary Voting Systems
Guidelines (VVSG) standards.
In October, 2002, Congress enacted the Help America Vote Act (HAVA)
to help address problems with voting machines that were brought to the
public's attention during the 2000 federal election. HAVA established a
number of basic requirements that voting machines and systems should
meet and a process by which new voluntary technical standards would be
developed to ensure the reliability and accuracy of new voting
equipment.
Since HAVA's enactment, the states have received $2.9 billion to
improve their election systems. In my home State of Illinois, it has
received $143 million and has adopted the 2002 Federal Election
Commission standards. Further, Illinois continues to work on the
computerized state voter registration system to bring it into full
compliance with the HAVA.
While I recognize the benefits of using electronic voting equipment
to improve the accuracy of the ballot tallies, I believe we should
proceed with caution. Reliability, efficiency, security, and usability
concerns must be reviewed thoroughly to ensure electronic voting
machines can be used by all registered voters and that election results
are not compromised.
Further, consistent, nationwide data on the performance of voting
systems would be useful to help improve technology and elections in the
future. In the recent report completed by the Government Accountability
Office (GAO) titled, The Nation's Evolving Election System as Reflected
in the November 2004 General Election, it notes that the performance of
the voting systems in the surveyed states was not consistently
measured. I am interested to hear from our witnesses their comments on
GAO's findings.
I look forward to hearing from the panel of witnesses.
[The prepared statement of Ms. Woolsey follows:]
Prepared Statement of Representative Lynn Woolsey
Mr. Speaker, I commend Chairman Boehlert and the Science Committee
for holding this hearing today. The fairness and integrity of our
federal elections is of paramount concern.
One need only look at the last two presidential elections to cite
serious, well-documented concerns about disenfranchisement and voting
rights violations without any Congressional investigation.
The U.S. is supposed to be a beacon of freedom. . .the greatest
democracy in the world. . .yet we cannot seem to guarantee that the
votes of our citizens are counted.
During the 2004 election we saw it all--from votes outnumbering
voters in some precincts, to blatant voter intimidation in others. The
time is long overdue for us to investigate these serious violations to
our democracy and ensure that our voting machines are held to the
highest standards possible.
And, there's also a tragic irony here: we're sacrificing thousands
of American lives and billions of dollars to try to establish democracy
in Iraq, yet we can't seem to get our own Democratic house in order.
This is not about which candidate won and which candidate lost on
November 2, 2004. It's not about politicians at all; it's about
citizens and their most fundamental rights.
We must ensure that any and all future elections are unmarred by
fraud or even human error. A solution to this problem is not pie-in-
the-sky--it can be solved. It's time this Congress stepped up to the
plate and did something about it.
[The prepared statement of Ms. Hooley follows:]
Prepared Statement of Representative Darlene Hooley
Thank you Chairman Boehlert and Chairman Ehlers for holding this
hearing today on this vitally important issue.
The ability to vote, and the knowledge that your vote will be
counted, is a right that every American knows is guaranteed to them by
the Constitution.
As technology has improved, our ability to make sure that every
vote is counted has been improved.
The election of 2000 demonstrated flaws within the system and gave
us in Congress the opportunity to revise the standards for voting in
this country and allow us to make better use of computers and other
forms of technology to assist us in the goal of counting every vote.
Now we have a chance to review the standards that were put into place
as part of the Help America Vote Act, see what has worked and what
needs to be improved.
One issue that I know my constituents in Oregon, and our fellow
citizens across the country, care about is that of ballot security.
Numerous reports have been released by computer science experts that
detail specific security flaws in electronic voting systems. These
reports have been criticized by the voting system vendors and by some
elections officials as offering unlikely and alarmist scenarios. These
people have correctly pointed out that, to date, there is no evidence
that an electronic voting system has been hacked. I am glad that we are
going to have the opportunity today to hear from experts about the
possible security threats to these voting machines and I look forward
to hearing their testimony.
One simple fix that I support is the use of an independent paper
record to ensure that elections officials can audit election results,
spot-check for accuracy, and re-count should electronic results be lost
or compromised.
My state is unique in the country in that we only have vote-by-mail
and, as such, are guaranteed to have a paper trail that election
officials can refer to if the need arises. It is not difficult to
recognize the wisdom of having a paper trail to make sure that votes
are being recorded and counted. Any action that can be taken by
election officials to reassure citizens that their votes are being
counted is one that I believe needs to be taken.
The final issue that I want to highlight is the difficulty that our
senior citizens may have with these new voting machines. In an average
election, around 70 percent of our nation's seniors vote and some of
them have limited experience with computers or other electronic
devices.
In addition, many of the precinct workers who man the polls on
Election Day and may be called upon to offer technical assistance if
one of these voting machines crashes may lack proper training. How do
we know that these people are able to handle not just mis-voting and
voter assistance, but also machine malfunction?
I look forward to hearing from the witnesses today and I am
thankful to the Chairman and Ranking Members of the Science and House
Administration Committees for holding this hearing and giving us all
the opportunity to review voting guidelines. The American people need
to feel secure in their belief that when they cast a vote, it will be
recorded and counted.
I am confident that we will do everything that we can to assure our
fellow Americans that their belief is well-founded and that their votes
are secure.
[The prepared statement of Ms. Jackson Lee follows:]
Prepared Statement of Representative Sheila Jackson Lee
Mr. Chairman, thank you for holding this crucial hearing today, in
which once again, we find how important science is not only to our
economy and technological expertise around the world, but to our
ability to protect and defend the most basic American civil rights. Now
that voting standards have been promulgated, it is time to focus on
their accuracy, reliability, and effectiveness.
Under the authority of the Help America Vote Act of 2002, the
Election Assistance Commission was created to oversee and spearhead
standards for voting equipment, and produce voluntary voting system
guidelines for states to follow. Clearly, this was in response to the
voting process disaster in the 2000 election.
So far, the Election Assistance Commission has experienced
significant delays and funding problems, resulting in only limited
changes to the original Federal Election Commission standards. These
new changes have been met with criticism because of 1) the undue burden
it places on manufacturers of voting machines, 2) the fact that the
standards are not comprehensive, 3) the fact that paper trails were not
addressed, and 4) that conformance tests were not developed.
Just last month, the GAO published a report documenting the
difficulties that states have with voter information databases, such as
the surge of last minute voter registrations, inaccurate information on
registration materials, and the varied means of counting the votes
between states.
In addition, a report from the Brennan Center at the New York
University School of Law highlighted problems in the verification
process of registered voters. For example, one existing database in
Florida contained as many as 40 misspellings of the word ``Fort
Lauderdale.'' If the voter-verification system in place relies on data
matching, this would clearly obstruct an individual's ability to vote.
It is inexcusable that there should ever be barriers that prevent
U.S. citizens from performing their civic duties. Just last week, we
reauthorized the Voting Rights Act, thereby reaffirming our social and
political commitment to civil rights. Today, we address the
technological and procedural problems that remain in delivering these
civil rights to every American.
It is shameful that in 2006, the 21st century, we are lacking in
procedures to ensure open and fair elections. There must be a paper
trail on every electronic voting machine. We experienced the failures
of a paperless voting system in the 2000 and 2004 election. A voting
machine without electronic paper trail is a voting machine doomed for
fraud. Any standard must ensure that the minority vote is counted, and
that discrepancies are thoroughly reviewed. America should be ashamed
of itself, and the fact that it denies the opportunity to have
elections reviewed transparently, legitimately, and credibly.
The problems that exist in voting machine and voting process
standards are complex, and yet resolvable. I look forward to the
testimony today to illustrate the evidence and the direction in which
we should pursue legislative recourse, if necessary.
Thank you, Mr. Chairman, and I yield the balance of my time.
Chairman Ehlers. At this time, I would like to introduce
our witnesses. We have an excellent panel. We thank you very
much for coming here.
First, we have Ms. Donetta Davidson, Commissioner of the
Election Assistance Commission, and the member of the
commission, six-member commission. She is the member who is the
techie, as you might call it. At least, you pay the most
attention to it. Dr. William Jeffrey, a fellow physicist,
Director of the National Institute of Standards and Technology,
and chair of the Technical Guidelines Development Committee.
Next, I recognize the Member of this committee, the
gentleman from Minnesota, Mr. Gutknecht, to introduce our third
witness. Mr. Gutknecht is recognized.
Mr. Gutknecht. Thank you, Mr. Chairman.
I am pleased to announce, or to introduce Secretary Mary
Kiffmeyer from Minnesota. Mary and her husband Ralph have been
dear friends of mine for 25 years. She is Minnesota's twentieth
Secretary of State. She was first elected in 1998, and was
reelected in 2002. She is also the former President of the
National Association of Secretaries of State, and she has been
very active in the Election Assistance Commission Standards
Board. Mary takes her job extremely seriously, and I don't know
of anybody in elected office who works harder than Mary
Kiffmeyer.
Minnesota has a reputation for clean elections, and she has
done her level best to make certain that we maintain that
reputation. So, Mary, we are delighted to have you here today,
and I am honored to call you my friend, and even more honored
to call you our Secretary of State.
Chairman Ehlers. Thank you, and we are pleased to have you
here, and Minnesota is a good state. It is my birthplace.
Next, Ms. Linda Lamone, Administrator of Elections, the
Maryland State Board of Elections. Mr. John Groh, Chairman,
Election Technology Council, Information Technology Association
of America. And Dr. David Wagner, Professor of Computer
Science, University of California at Berkeley, the finest
public university in this country. I just happened to have
graduated from there.
Chairman Boehlert. Mr. Chairman, are we going to have all
these commercials all day?
Chairman Ehlers. Thank you for yielding the chair to me. I
am enjoying doing this.
As our witnesses should know, spoken testimony is limited
to five minutes each, after which, the Members will each have
five minutes to ask questions. And we are pleased to start by
hearing the testimony of Ms. Davidson.
STATEMENT OF MS. DONETTA L. DAVIDSON, COMMISSIONER, ELECTION
ASSISTANCE COMMISSION
Ms. Davidson. Good afternoon. Chairmen, Ranking Members,
and Committee Members of both committees. My name is Donetta
Davidson, and I am with the Election Assistance Commission.
As a result of the Help America Vote Act, about one-third
of our voters will be voting on new equipment in 2006. HAVA
established minimum requirements that all voting systems must
meet. The law also mandated that EAC adopt Voluntary Voting
System Guidelines. The TGDC delivered guidelines within the
nine months, and at that time, prior to our adoption, we held
three public meetings, received and reviewed over 6,500
comments, and had a very transparent process.
The states have always been the decision-makers when it
comes to making the decision on what equipment they are going
to use. HAVA did not change that, as some have stated. The VVSG
was an initial update to the 2002 Voting System Standards that
was in place. We focused mainly on security, usability,
accessibility, and created a usability section, address the
needs of all voters, and empowers election officials to adjust
voting systems to improve interaction.
The EAC and NIST are already working on future iterations--
software, forms of independent verification, security,
comprehensive test suites, the mean time between failure rate,
and detailed threat analysis for voting systems are being
addressed. HAVA mandates that the EAC also certify voting
systems against new guidelines. The EAC has just adopted the
first phase of the program for testing and certifying of voting
systems.
The program will be more rigorous, transparent, and
thorough than ever before. We will have to remember that voting
systems are only half of the equation though. Voting is a human
exercise. We must focus on protecting the integrity of the
whole process, just not the machine. The bottom line is the
voting equipment, whether it is paper or electronic, is only as
good as the operator.
Attempts to compromise a voting system require two
things--access and knowledge of the voting system. That is why
election officials must adopt management guidelines to make
sure that we protect the process all the way. Speaking of
training, the EAC has already developed a Quick Start Guide
that we have here today for everybody. That will give the
individuals and the states ideas, and make sure that they
follow procedures to make sure that they address everything in
a new voting system.
The larger part, we will be issuing election management
guidelines that will cover the following topics: security
protocol, all phases, setup, storage, transportation, election
day, post-election, archiving, logic and accuracy testing,
tabulation, training of employees and poll workers. As a former
Secretary of State, I could tell you that regardless of what
kind of voting equipment is in place, some things never change.
Controlling access, having enough people to work in the polls,
and making sure those people are well-trained, testing the
equipment, and putting contingency plans into place are the
highest priority.
Voting systems and people are not mutually exclusive. We
must keep that in mind as we move forward, to make sure that
the next generation of voting equipment is secure, accurate,
and reliable.
Thank you, and I would be happy to answer any questions at
this time.
[The prepared statement of Ms. Davidson follows:]
Prepared Statement of Donetta L. Davidson
Good morning Chairmen Ehlers and Boehlert and Members of the
Committees. I am pleased to be here this afternoon on behalf of the
U.S. Election Assistance Commission (EAC) to discuss the changes in
voting that have been effectuated by the Help America Vote Act of 2002
(HAVA) and the role that EAC plays in supporting the states and local
governments in implementing HAVA-compliant voting systems.
INTRODUCTION
EAC is a bipartisan commission consisting of four members: Paul
DeGregorio, Chairman; Ray Martinez III, Vice Chairman; Donetta
Davidson; and Gracia Hillman. EAC's mission is to guide, assist, and
direct the effective administration of federal elections through
funding, innovation, guidance, information and regulation. In doing so,
EAC has focused on fulfilling its obligations under HAVA and the
National Voter Registration Act (NVRA). EAC has employed four strategic
objectives to meet these statutory requirements: Distribution and
Management of HAVA Funds, Aiding in the Improvement of Voting Systems,
National Clearinghouse of Election Information, and Guidance and
Information to the States. Each program will be discussed more fully
below. The topic at hand involves our strategic efforts to aid in the
improvement of voting systems.
AIDING IN THE IMPROVEMENT OF VOTING SYSTEMS
One of the most enduring effects of HAVA will be the change in
voting systems used throughout the country. All major HAVA funding
programs can be used by states to replace outdated voting equipment.
HAVA established minimum requirements for voting systems used in
federal elections. Each voting system must:
Permit the voter to verify the selections made prior to casting the ballot;
Permit the voter to change a selection prior to casting the ballot;
Notify the voter when an over-vote occurs (making more than the permissible number of selections in a single contest);
Notify the voter of the ramifications of an over-vote;
Produce a permanent paper record that can be used in a recount or audit of an election;
Provide accessibility to voters with disabilities;
Provide foreign language accessibility in jurisdictions covered by Section 203 of the Voting Rights Act; and
Meet the error rate standard established in the 2002 Voting System Standards.
According to HAVA, the requirement for access for voters with
disabilities can be satisfied by having one accessible voting machine
in each polling place. In addition to these requirements, Congress
provided an incentive for states that were using punch card or lever
voting systems by providing additional funding on a per precinct basis
to replace those outdated systems with a voting system that complies
with the requirements set out above.
HAVA also provides for the development and maintenance of testable
standards against which voting systems can be evaluated. It further
requires federal certification according to these standards. EAC is
responsible for and committed to improving voting systems through these
vital programs.
Voluntary Voting System Guidelines
One of EAC's most important mandates is the testing, certification,
decertification and recertification of voting system hardware and
software. Fundamental to implementing this key function is the
development of updated voting system guidelines, which prescribe the
technical requirements for voting system performance and identify
testing protocols to determine how well systems meet these
requirements. EAC along with its federal advisory committee, the
Technical Guidelines Development Committee (TGDC), and the National
Institute of Standards and Technology (NIST), work together to research
and develop voluntary testing standards.
On December 13, 2005, EAC adopted the first iteration of the
Voluntary Voting System Guidelines (VVSG). The final adoption of the
VVSG capped off nine months of diligent work by NIST and the TGDC. In
May of 2005, the TGDC delivered its draft of the VVSG. EAC then engaged
in a comprehensive comment gathering process, which included comments
from the general public as well as from members of its Board of
Advisors and Standards Board. Interested persons were able to submit
comments on-line through an interactive web-based program, via mail or
fax, and at three public hearings (New York, NY; Pasadena, CA; Denver,
CO). EAC received more than 6,000 individual comments. EAC teamed up
with NIST to assess and consider every one of the comments, many of
which were incorporated into the final version.
The VVSG is an initial update to the 2002 Voting System Standards
focusing primarily on improving the standards for accessibility,
usability and security. The 2005 VVSG significantly enhances the
measures that must be taken to make voting systems accessible to
persons with disabilities and more usable for all voters. For example,
the 2002 VSS contained 29 accessibility requirements, focusing
primarily on accommodating persons with visual disabilities. The 2005
VVSG contains 120 requirements that establish testing measures to
assure that voting systems accommodate all persons with disabilities,
including physical and manual dexterity disabilities. In addition to
ensuring accessibility requirements were increased and strengthened,
the 2005 VVSG includes for the first time a usability section, which
addresses the needs of all voters, empowering them to adjust voting
systems to improve interaction. Those testing measures include allowing
adjustment of brightness, contrast, and volume by the voter to suit
his/her needs.
The 2005 VVSG also incorporated standards for reviewing voting
systems equipped with voter-verifiable paper audit trails (VVPAT)\1\ in
recognition of the many states that now require this technology. In
accordance with HAVA and to assure that persons with disabilities had
the same access to review their ballots as non-disabled voters, the
2005 VVSG required VVPATs to be accessible when the paper record would
be used as the official ballot or as definitive evidence in a recount.
In addition, the VVSG addressed new technologies that emerged on the
market since the 2002 VSS, such as wireless technology. Standards were
established to require the wireless mechanism to be disabled during
voting and to provide a clear, visual indicator showing when the
wireless capability is activated. VVSG also establishes testing methods
for assessing whether a voting system meets the guidelines. A complete
listing of the changes and enhancements included in the 2005 VVSG can
be found on the EAC web site,
http://www.eac.gov/Summary%20of%20Changes%20to%20VVSG.pdf.
---------------------------------------------------------------------------
\1\ VVPAT is an independent verification method that allows the
voter to review his/her selections prior to casting his/her ballot
through the use of a paper print out. VVPAT is merely one form of
independent verification. EAC is currently working with NIST to develop
standards for additional methods such as witness systems, cryptographic
systems, and split process systems.
---------------------------------------------------------------------------
The 2005 VVSG, like the 1990 and 2002 VSS, is a voluntary set of
voting system testing standards. States choose to make these standards
mandatory for equipment purchased in those states by requiring national
certification according to those standards in their statutes and/or
rules and regulations. Currently, approximately 40 states require
certification to either the 2005 VVSG or the 1990 or 2002 VSS. When EAC
adopted the 2005 VVSG, it did so with an effective date of December 13,
2007. This two-year period was designed to allow states the time needed
to make changes to their laws, rules and regulations to require
certification to the new standards, as is standard practice when
introducing new industry guidelines. New York has already legislatively
mandated certification to the 2005 VVSG, and EAC expects over the next
several years that the vast majority of the states will make changes to
their legislation requiring certification to the 2005 VVSG. Prior to
December 13, 2007, voting systems, components, upgrades and
modifications can be tested against either the 2002 VSS or the 2005
VVSG, depending on the requirements of the states and manufacturers'
requests. After December 13, 2007, EAC will no longer test systems to
the 2002 VSS; systems and upgrades will only be tested to the 2005
VVSG.
Significant work remains to be done to fully develop a
comprehensive set of standards and testing methods for assessing voting
systems and to ensure that they keep pace with technological advances.
In FY 2007, EAC along with TGDC and NIST, will revise sections of the
VVSG dealing with software, functional requirements, independent
verification, and security and will develop a comprehensive set of test
suites or methods that can be used by testing laboratories to review
any piece of voting equipment on the market. Much like the roll out of
the 2005 VVSG, these future iterations will be adopted with an
effective date provision and a procedure for when new voting systems,
components, upgrades and modifications will be required to be tested
against the new iteration of the VVSG.
Accreditation of Voting System Testing Laboratories
HAVA Section 231 requires EAC and NIST to develop a national
program for accrediting voting system testing laboratories. NIST's
National Voluntary Laboratory Accreditation Program (NVLAP) will
initially screen and evaluate testing laboratories and will perform
periodic reevaluation to verify that the labs continue to meet the
accreditation criteria. When NVLAP has determined that a lab is
competent to test systems, the NIST director will recommend to EAC that
a lab be accredited. EAC will then make the determination to accredit
the lab. EAC will issue an accreditation certificate to the approved
labs, maintain a register of accredited labs and post this information
on its web site to fully inform the public about this important
process.
In June 2005, NVLAP advertised for the first class of testing
laboratories to be reviewed under the NVLAP program and accredited by
EAC. Three applications were received in the initial phase, with two
additional applications following in late 2005. Pre-assessments of
these laboratories began in April 2006 and formal review is proceeding.
NVLAP will conduct full evaluations of at least two initial applicants
this fall and, depending on the outcome of the evaluations, will make
initial recommendations to the EAC before the end of the year. All
qualified candidates from among the pool of five applicants will be
sent to the EAC by spring 2007.
In late 2005, EAC invited laboratories that were accredited through
the National Association of State Election Directors (NASED) program as
Independent Testing Authorities (ITAs) to apply for interim
accreditation to avoid a disruption or delay in the testing process.
All three ITAs have applied for interim accreditation. Interim
accreditation reviews by EAC contractors are under way and are expected
to be completed by September 2006. ITAs will be accredited on an
interim basis until the first class of laboratories is accredited
through the NVLAP process. After that time, all testing labs must be
accredited through the NVLAP evaluation process.
The National Voting System Certification Program
In 2006, EAC is assuming the duty as prescribed by HAVA to certify
voting systems according to national testing standards. Previously,
NASED qualified voting systems to both the 1990 and 2002 Voting System
Standards. Historically, voting system qualification has been a labor
intensive process to ensure the integrity and reliability of voting
system hardware, software and related components. In six months, NASED
received 38 separate voting system test reports for review and
qualification. All requests were received, processed and monitored
while the testing laboratory assessed compliance. Once a test report
was produced, technical reviewers analyzed the reports prior to
certification.
EAC's certification process will constitute the Federal
Government's first efforts to standardize the voting system industry.
EAC's program will encompass an expanded review of voting systems, and
it will utilize testing laboratories accredited by EAC and experts
hired by EAC to assure that the tested systems adequately met the
standards.
The EAC will implement the Testing and Certification Program
required by Section 231(a)(1) of HAVA in two distinct phases (pre-
election phase and full program). Both phases will be rolled out in
2006. The first phase of the program will begin on July 24, 2006 and
terminate upon the EAC's implementation of the program's second phase.
The second phase (full program) will begin on December 7, 2006.
The pre-election phase of the program focuses on providing
manufacturers a means to obtain federal certification for modifications
required by state and local election officials administering the 2006
General Election. This pre-election phase will ensure a smooth and
seamless transition from the NASED program (which has qualified voting
systems at the national level for more than a decade) to the more
rigorous and detailed EAC program. This will be done by delaying
implementation of some of the procedural requirements found in the full
program until after the critical pre-election period. This will allow
the EAC to diligently review voting system modifications while, at the
same time, ensuring a smooth transition and avoiding the unacceptable
delays often associated with rolling out a new program.
The full program will begin in December by requiring every voting
system manufacturer that desires to have a product certified to
register and disclose information about the company and its owners,
board members and decision-makers. Manufacturers will be subject to a
conflict of interest analysis including reviewing whether any owners or
board members are barred from doing business in the United States. EAC
will test complete voting systems including new components and how they
integrate with the entire voting system. This process will be achieved
by having technical experts review the reports provided by accredited
testing laboratories to assure that the tests performed and the results
are consistent with a system that conforms to the VVSG. These experts
will recommend conforming systems for certification. Another new
feature of the EAC certification program will be the quality assurance
program. Through site visits to manufacturing facilities and field
inspections, EAC will confirm that the systems that are being
manufactured, sold to and used by election jurisdictions throughout the
country are the same as those certified by EAC. Last, EAC will
introduce a decertification process that will allow involved persons to
file complaints of non-conformance, provide for the investigation of
those complaints, and if warranted decertify systems because of a
failure to conform to the VVSG.
Election Management Guidelines
To complement the VVSG, the EAC is creating a set of election
management guidelines. These guidelines are being developed by a group
of experienced state and local election officials who provide subject
matter expertise. The project will focus on developing procedures
related to the use of voting equipment and procedures for all other
aspects of the election administration process. The election management
guidelines will be available to all election officials if they wish to
incorporate these procedures at the State and local levels. These
guidelines cover the following topics:
Storage of equipment
Equipment set up
Acceptance testing
Procurement
Use
Logic and accuracy (validation) testing
Tabulation
Security protocols (all phases--storage, set up, transport and Election Day)
Training of employees/poll workers
Education for voters
The first of these management guidelines was issued by EAC in June
2006 in the form of a Quick Start Guide for election officials. This
guide focused on the issues and challenges faced by election officials
as they accept and implement new voting systems. The guide gave tips to
the election officials on how to avoid common pitfalls associated with
bringing new voting systems on line.
2006: A YEAR OF CHANGE, CHALLENGE AND PROGRESS
The federal elections in 2006 have and will mark a significant
change in the administration of elections. In compliance with HAVA,
states have purchased and implemented new voting systems. There is a
strong shift to electronic voting, although optical scan voting is
still popular. In addition, states have imposed new requirements on
their voting systems, and they have implemented their own testing
programs for voting systems they purchase. And, in at least 25 states,
voter-verified paper audit trails (VVPAT) have been required for all
electronic voting. Due to the introduction of new voting systems
throughout the Nation, the voter's experience at the polls will be
quite different in 2006 than it was in 2000. It is estimated that one
in three voters will use different voting equipment to cast their
ballots in 2006 than in 2004.
Voters with disabilities will likely experience the most dramatic
changes. For the first time, every polling place must be equipped with
voting machines that allow them to vote privately and independently.
For many voters with disabilities, this may be the first time that they
will cast ballots without the assistance of another person.
Voting systems do not represent the only changes in election
administration that will be apparent in 2006. States have also
developed statewide voter registration lists, which will provide the
ability to verify voters' identity by comparing information with other
State and federal databases. This will result in cleaner voter
registration lists and fewer opportunities for fraud. Another
anticipated benefit of the statewide lists will be a significantly
reduced need for provisional ballots, as was the case in states that
had statewide voter registration lists in 2004.
This year is one of transition, which is difficult to overcome in
any business; elections are no different. The introduction of new
equipment will present some challenges and hurdles to overcome. For
State and local governments, there are also a host of new obligations.
They must receive and test a fleet of new voting equipment. Training
for staff and poll workers must be organized and conducted. And,
extensive education programs must be implemented to inform the public
about the new voting equipment.
Although EAC cannot be on the ground in every jurisdiction to lend
a hand in these tasks, we have issued a Quick Start Guide to assist
election officials as they implement new voting systems. We also
encourage states to take proactive measures to test their voting
systems and voter registration lists prior to the federal elections.
Such activities have proven to be an excellent tool to identify
problems and solutions prior to the stresses and unpredictability of a
live election.
CONCLUSION
Over the past four years, significant changes have been made to our
election administration system. New voting systems have been purchased
and implemented. Each state has adopted a single list of registered
voters to better identify those persons who are eligible to vote.
Provisional voting has been applied across all 50 states, the District
of Columbia and four territories. However, one thing has not changed.
Elections are a human function. There are people involved at every
level of the election process, from creating the ballots, to training
the poll workers, to casting the votes.
With these changes will come unexpected situations, even mistakes.
We cannot anticipate in a process that involves so many people that it
will work flawlessly the first time. What we can embrace, however, is
that the process has been irrevocably changed for the better. There is
a heightened awareness of the electoral process in the general public.
There have been significant improvements to the election administration
process. And, more people have the ability to vote now than ever
before.
Messrs. Chairmen, thank you for the opportunity to address the
Committees today. I will be happy to answer any questions that you may
have.
Biography for Donetta L. Davidson
Ms. Donetta L. Davidson was nominated by President George W. Bush
and confirmed by unanimous consent of the United States Senate on July
28, 2005 to serve on the U.S. Election Assistance Commission (EAC). Her
term of service extends through December 12, 2007. Ms. Davidson,
formerly Colorado's Secretary of State, comes to EAC with experience in
almost every area of election administration--everything from County
Clerk to Secretary of State.
Ms. Davidson began her career in election administration when she
was elected in 1978 as the Bent County Clerk and Recorder in Las
Animas, Colorado, a position she held until 1986. Later that year, she
was appointed Director of Elections for the Colorado Department of
State, where she supervised county clerks in all election matters and
assisted with recall issues for municipal, special district and school
district elections.
In 1994, she was elected Arapahoe County Clerk and Recorder and
re-elected to a second term in 1998. The next year, Colorado Governor Bill
Owens appointed Davidson as the Colorado Secretary of State, and she
was elected in 2000 and re-elected in 2002 for a four-year term.
She has served on the Federal Election Commission Advisory Panel
and the Board of Directors of the Help America Vote Foundation. In
2005, Ms. Davidson was elected President of the National Association of
Secretaries of State, and she is the former President of the National
Association of State Elections Directors (NASED). Prior to her EAC
appointment, Ms. Davidson served on EAC's Technical Guidelines
Development Committee (TGDC).
In 2005, Government Technology magazine named Ms. Davidson one of
its ``Top 25: Dreamers, Doers, and Drivers'' in recognition of her
innovative approach to improve government services. She was also the
1993 recipient of the Henry Toll Fellowship of Council of State
Governments.
Davidson has devoted much of her professional life to election
administration, but her first love is her family. Ms. Davidson was born
into a military family in Liberal, Kansas and became a Coloradoan
shortly thereafter when her family moved first to Two Buttes, then to
Las Animas where they settled. Whenever possible Ms. Davidson spends
time with her family, son Todd, daughter and son-in-law Trudie and Todd
Berich, and granddaughters Brittany and Nicole.
Chairman Ehlers. And thank you very much for staying well
below the five minute limit. Dr. Jeffrey.
STATEMENT OF DR. WILLIAM JEFFREY, DIRECTOR, NATIONAL INSTITUTE
OF STANDARDS AND TECHNOLOGY
Dr. Jeffrey. Chairmen, Ranking Members, and Members of the
Committee, thank you for the opportunity to testify today on
``Voting Machines: Will the New Standards and Guidelines Help
Prevent Future Problems?''
I am William Jeffrey, Director of the National Institute of
Standards and Technology, and I am pleased to be offered this
opportunity to participate in today's discussion.
NIST works closely with the Election Assistance Commission,
by providing technical support directly to them and to the
Technical Guidelines Development Committee, or TGDC. NIST is
pleased to be working on this matter of national importance
with our EAC and TGDC partners.
Today, I will focus on NIST's role in meeting the
requirements of the Help America Vote Act of 2002, including
development of voluntary guidelines for voting systems and
laboratory accreditation.
HAVA assigned three major responsibilities to NIST. First,
develop a report to assess areas of human factors research, and
to ensure the usability and accuracy of voting systems. Second,
chair and provide technical support to the TGDC. And third,
recommend testing laboratories to the EAC for accreditation. We
believe that we have met or are on track to meeting these three
responsibilities.
First, in January 2004, NIST completed the report, which
assessed areas of human factors research. The recommendations
from this report are being addressed in the Voting System
Guidelines to ensure the usability and accuracy of voting
systems.
Second, NIST is chairing and providing technical support to
the TGDC, which is developing new voluntary voting system
guidelines for consideration by the EAC. HAVA mandated that the
first set of recommendations be delivered to the EAC nine
months after the formal creation of the TGDC. To meet this
incredibly aggressive schedule, NIST and the TGDC conducted
workshops, meetings, and numerous teleconferences to gather
input, pass resolutions, and review and approve NIST-authored
materials. This was done in a fully transparent process, with
meetings conducted in public, and draft materials available on
the Web. The resulting document was delivered on schedule to
the EAC in May of 2005.
These new guidelines are built upon the strengths of the
previous Voting System Standards, enhancing areas needing
improvement, and adding new material. The new material focuses
primarily on usability, accessibility, and security. The new
section on security includes the first federal standard for
voter-verified paper audit trails. The new voluntary guidelines
take no position regarding the implementation of such paper
audit trails, and neither require nor endorse them. If states
choose to implement the voter-verified paper audit trails, the
new voluntary guidelines provide requirements that will help to
ensure that their systems are usable, accessible, reliable, and
secure. The new security section also contains requirements for
addressing voter systems software distribution, validation of
software used on Election Day, and wireless communications.
Immediately after completing its work on the '05
guidelines, NIST and the TGDC began work on the next version,
currently planned for delivery to the EAC in July of 2007. The
'07 voluntary guidelines will build upon the '05 version, but
takes a fresh look at many of the requirements. The '07
guidelines will review every section of the current standard,
and will consider inclusion of additional requirements, as
identified by the TGDC.
NIST is aware that in addition to the '07 voluntary
guidelines, an open test suite needs to be developed, so that
the requirements in the new standard can be tested uniformly
and consistently by all of the testing labs. The test suite
development is planned to begin in Fiscal Year 2007.
The third task that NIST is given under HAVA is
recommending testing laboratories to the EAC for accreditation.
Simply stated, laboratory accreditation is formal recognition
that a laboratory is competent to carry out specific tests.
NIST is using its National Voluntary Laboratory Accreditation
Program to accomplish this task. Thus far, we have received
applications from five labs, and are working to submit the
qualified labs to the EAC for accreditation in early 2007.
Thank you for the opportunity to testify, and I would be
happy to answer any questions that the Committee might have.
[The prepared statement of Dr. Jeffrey follows:]
Prepared Statement of William Jeffrey
Introduction
Chairmen Ehlers and Boehlert, Ranking Members Millender-McDonald
and Gordon, and Members of the Committees, thank you for the
opportunity to testify today on ``The Status of Voluntary Voting System
Guidelines.'' I am William Jeffrey, Director of the National Institute
of Standards and Technology (NIST), part of the Technology
Administration of the Department of Commerce. I am pleased to be
offered the opportunity to add to this discussion regarding standards
development for voting systems.
I will focus my testimony on NIST's role in meeting the
requirements of the Help America Vote Act of 2002, specifically in
providing technical expertise towards the development of voluntary
guidelines for voting systems and providing assistance to the Election
Assistance Commission (EAC) with respect to voting system testing
laboratories. I will discuss NIST's role in producing the Voluntary
Voting System Guidelines (VVSG) of 2005 and then discuss our current
and future work, which is to produce a next iteration of the VVSG that
is more precise and testable and to produce associated test suites for
this redesigned VVSG. Lastly, I will discuss the status of our work in
assessing potential voting system testing laboratories and recommending
them to the EAC for accreditation.
HAVA
I will begin by giving a brief review of the Help America Vote Act
(HAVA) of 2002 with respect to NIST's role. HAVA provided for the
creation of the Technical Guidelines Development Committee (TGDC) and
mandated that the TGDC provide its first set of recommendations to the
Election Assistance Commission (EAC) not later than nine months after
all of its members have been appointed.
HAVA assigned three major items to NIST. First, NIST was tasked
with the development of a report to assess the areas of human factors
research, which could be applied to voting products and systems design
to ensure the usability and accuracy of voting products and systems.
Second, NIST was tasked with chairing and providing technical support
to the TGDC, in areas including (a) the security of computers, computer
networks, and computer data storage used in voting systems, (b) methods
to detect and prevent fraud, (c) the protection of voter privacy, and
(d) the role of human factors in the design and application of voting
systems, including assistive technologies for individuals with
disabilities and varying levels of literacy. Third, NIST is to conduct
an evaluation of independent, non-federal laboratories and to submit to
the EAC a list of those laboratories that NIST proposes to be
accredited to carry out the testing.
The first major item assigned by HAVA was the production of a human
factors report. This report, titled ``Improving the Usability and
Accessibility of Voting Systems and Products,'' was completed by NIST
in January 2004. It assesses human factors issues related to the
process of a voter casting a ballot as he or she intends. The report
recommends developing a set of performance-based usability standards
for voting systems. Performance-based standards address results rather
than equipment design. Such standards would leave voting machine
vendors free to develop a variety of innovative products and not be
limited by current or older technologies. The EAC delivered this report
to Congress on April 30, 2004.
Second, HAVA assigned NIST to provide technical support to the TGDC
in the development of voluntary voting system guidelines. The TGDC
provides technical direction to NIST in the form of TGDC resolutions,
and it reviews and approves proposed guidelines and research material
written by NIST researchers. The TGDC ultimately is responsible for
approving the guidelines and submitting them to the EAC.
These voluntary guidelines contain requirements for vendors when
developing voting systems and for laboratories when testing whether the
systems conform to, or meet, the requirements of the guidelines.
Voluntary standards or guidelines are common in industry. Voluntary
standards encourage the adoption of requirements and procedures without
the enforcement of regulation or law. The marketplace--in this case,
the states and the public--provides the impetus for software developers
to implement and conform to the standard.
2005 VVSG
I will now discuss NIST's role in producing the 2005 VVSG for the
EAC. HAVA mandated that the first set of recommendations be written and
delivered to the EAC nine months after the final creation of the TGDC.
To meet this very aggressive schedule, the TGDC organized into three
subcommittees addressing the following areas of voting standards: core
requirements and testing, human factors and privacy, and security and
transparency. Over nine months, NIST and the TGDC conducted workshops,
meetings, and numerous teleconferences to gather input, pass
resolutions, and review and approve NIST-authored material. This was
done in a fully transparent process, with meetings conducted in public
and draft materials available over the web. The resulting document, now
known as the VVSG 2005, was delivered on schedule to the EAC in May
2005.
The VVSG 2005 built upon the strengths of the previous Voting
Systems Standards and enhanced areas needing improvement and added new
material. The new material adds more formalism and precision to the
requirements using constructs and language commonly used in rigorous,
well-specified standards. This includes rules for determining
conformance to the standard and a glossary for clarifying terms, which
is very important when one considers that each voting jurisdiction may
define terms differently.
The new material focuses primarily on usability, accessibility, and
security. The usability section includes requirements on voting system
controls, displays, font sizes, lighting, and response times. It also
requires voting systems to alert voters who make errors such as over-
voting so as to reduce the overall number of spoiled ballots. The
accessibility section is greatly expanded from the previous material
and includes requirements for voters with limited vision and other
disabilities. It also addresses the privacy of voters who require
assistive technology or alternative languages on ballots.
The new section on security includes the first federal standard for
Voter Verified Paper Audit Trails (VVPAT). As you know, many states
require that their voting systems include a voter-verified paper trail.
The VVSG takes no position regarding the implementation of VVPAT and
neither requires nor endorses them. If states choose to implement
VVPAT, the VVSG's requirements help to ensure that their VVPAT systems
are usable, accessible, reliable and secure, and that the paper record
is useful to election officials for audits of voting equipment.
The new security section also contains requirements for addressing
how voting system software is to be distributed. This will help to
ensure that states and localities receive the tested and certified
voting system. Moreover, the section also includes requirements for
validating the voting system setup. This will enable inspection of the
voting system software after it has been loaded onto the voting
system--again to ensure that the software running on the voting system
is indeed the tested and certified software. Lastly, there are
requirements governing how wireless communications are to be secured.
The TGDC concluded that, for now, the use of wireless technology
introduces severe risk and should be approached with extreme caution.
Wireless communications are currently permitted in the VVSG if security
measures and contingency procedures are in effect.
The TGDC-approved version of the VVSG 2005 was sent to the EAC in
May 2005. Following that, the EAC conducted a 90-day public review and
received thousands of comments; NIST provided technical assistance to
the EAC in addressing these comments. The EAC published its version of
the VVSG on December 13, 2005. This version included changes to the
TGDC-approved version, reflecting the EAC's additional review.
2007 VVSG
Immediately after completing its work on the VVSG 2005, NIST and
the TGDC began work on what is now called the VVSG 2007, currently
planned for delivery to the EAC in July 2007.
The VVSG 2007 builds upon the VVSG 2005 but takes a fresh look at
many of the requirements. It will be a larger, more comprehensive
standard, with more thorough treatments of security areas and
requirements for equipment integrity and reliability. The TGDC will
consider updated requirements for accessibility and requirements for
usability based on performance benchmarks. They will also consider
updated requirements for documentation and data to be provided to
testing labs, and for testing laboratory reports on voting equipment.
The requirements will be structured so as to improve their clarity to
vendors and their testability by testing labs.
The VVSG 2005 included a discussion of voting systems with
Independent Verification (IV). IV means that the voting systems produce
a second record of votes for ballot record accuracy and integrity. For
VVSG 2007, the TGDC will update this discussion for consideration as
new requirements. The TGDC will also consider a number of updated
requirements dealing with voting equipment integrity and reliability.
NIST is aware that, in addition to the VVSG 2007, an open test
suite needs to be developed so that the requirements in the VVSG 2007
can be tested uniformly and consistently by all of the testing labs.
The development of a test suite is a major undertaking and once
complete, will add significantly to the trust and confidence that
voting systems are not only being tested correctly, but are robust,
secure and work correctly. Test suite development is planned to begin
in fiscal year 2007.
Laboratory Accreditation
I will conclude my remarks with the status of NIST's third major
item under HAVA, laboratory accreditation. NIST has been directed to
recommend testing laboratories to the EAC for accreditation. In order
to accomplish this, NIST is utilizing its National Voluntary Laboratory
Accreditation Program (NVLAP). NVLAP is a well-established laboratory
accreditation program that is recognized both nationally and
internationally.
Simply stated, laboratory accreditation is formal recognition that
a laboratory is competent to carry out specific tests. Expert technical
assessors conduct a thorough evaluation of all aspects of laboratory
operation using recognized criteria and procedures. General criteria
are based on the international standard ISO/IEC 17025, General
Requirements for the Competence of Testing and Calibration
Laboratories, which is used for evaluating laboratories throughout the
world. Laboratory accreditation bodies use this standard specifically
to assess factors relevant to a laboratory's ability to produce
precise, accurate test data, including the technical competency of
staff, validity and appropriateness of test methods, testing and
quality assurance of test and calibration data.
Laboratories seeking accreditation to test voting system hardware
and software are required to meet the ISO/IEC 17025 criteria and to
demonstrate technical competence in testing voting systems. To ensure
continued compliance, all NVLAP-accredited voting system testing
laboratories will undergo periodic assessments to evaluate their
ongoing compliance with specific accreditation criteria.
NVLAP has received applications thus far from five laboratories. We
are conducting on-site visits and examining their qualifications to
test voting systems and be granted NVLAP accreditation. NVLAP is
working to submit the qualified labs from the five applications to the
EAC for accreditation in early 2007.
Conclusion
NIST is pleased to be working on this matter of national importance
with our EAC and TGDC partners. NIST has a long history of writing
voluntary standards and guidelines and developing test suites to help
ensure compliance to these standards and guidelines. NIST is using its
expertise to work with our partners to produce precise, testable voting
system guidelines and tests that will reduce voting system errors and
increase voter confidence, usability, and accessibility.
Thank you for the opportunity to testify. I would be happy to
answer any questions the Committee might have.
Biography for William Jeffrey
William Jeffrey is the 13th Director of the National Institute of
Standards and Technology (NIST), sworn into the office on July 26,
2005. He was nominated by President Bush on May 25, 2005, and confirmed
by the U.S. Senate on July 22, 2005.
As Director of NIST, Dr. Jeffrey oversees an array of programs that
promote U.S. innovation and industrial competitiveness by advancing
measurement science, standards, and technology in ways that enhance
economic security and improve quality of life. Operating in fiscal year
2006 on a budget of about $930 million, NIST is headquartered in
Gaithersburg, Md., and has additional laboratories in Boulder, Colo.
NIST also jointly operates research organizations in three locations,
which support world-class physics, cutting-edge biotechnology, and
environmental research. NIST employs about 2,800 scientists, engineers,
technicians, and support personnel. An agency of the U.S. Commerce
Department's Technology Administration, NIST has extensive cooperative
research programs with industry, academia, and other government
agencies. Its staff is augmented by about 1,600 visiting researchers.
Dr. Jeffrey has been involved in federal science and technology
programs and policy since 1988. Previous to his appointment to NIST he
served as Senior Director for Homeland and National Security and the
Assistant Director for Space and Aeronautics at the Office of Science
and Technology Policy (OSTP) within the Executive Office of the
President. Earlier, he was the Deputy Director for the Advanced
Technology Office and chief scientist for the Tactical Technology
Office with the Defense Advanced Research Projects Agency (DARPA).
While at DARPA, Dr. Jeffrey advanced research programs in
communications, computer network security, novel sensor development,
and space operations.
Prior to joining DARPA, Dr. Jeffrey was the Assistant Deputy for
Technology at the Defense Airborne Reconnaissance Office, where he
supervised sensor development for the Predator and Global Hawk Unmanned
Aerial Vehicles and the development of common standards that allow for
cross-service and cross-agency transfer of imagery and intelligence
products. He also spent several years working at the Institute for
Defense Analyses performing technical analyses in support of the
Department of Defense.
Dr. Jeffrey received his Ph.D. in astronomy from Harvard University
and his B.Sc. in physics from the Massachusetts Institute of
Technology.
Chairman Ehlers. Thank you for your testimony. Next, we
recognize Ms. Kiffmeyer.
STATEMENT OF MS. MARY KIFFMEYER, SECRETARY OF STATE FOR
MINNESOTA
Ms. Kiffmeyer. Chairman Ehlers and Chairman Boehlert and
Members, thank you for the opportunity to address the U.S.
House of Representatives Committees on House Administration and
Committee on Science. The opportunity to inform the Committees
of the needs of the states regarding ``Voting Machines: Will
the New Standards and Guidelines Help Prevent Future
Problems?'' is very important to me, and to other election
officials in other states.
Minnesota has long been a leader in elections in this
country. We have led the Nation in voter turnout for several
years, including the important 18- to 24-year-olds, but one
reason for that high involvement is that Minnesotans have
demanded that elections meet the highest standards of accuracy,
access, integrity, and privacy. So, the implementation of HAVA
has only helped to assist in this process.
In the implementation of HAVA in Minnesota, access and
privacy are being greatly increased through the use of
disability accessible voting equipment. In the process of
evaluating potential equipment, accuracy and integrity were
deemed important objectives, along with the 2005 VVSG. In
addition, the Secretary of State and all major parties came to
the conclusion that Minnesota should hold to a long-established
requirement of paper ballots for elections.
To what extent are these guidelines being used for
Minnesota and why? Minnesota chose to use the 2005 Voluntary
Voting System Guidelines in order to be in line with the best
information we could get on election systems. In 2005, the
State of Minnesota published a request for proposal for the
statewide purchase of HAVA-compliant voting equipment, both
assistive and vote tabulating equipment. In preparation of the
RFP, the 2005 VVSG were used to establish accessibility and
usability requirements for the assistive voting equipment, and
the RFP required that all equipment purchased under the
contract comply with the 2005 VVSG.
At the time the RFP was published, the 2005 VVSG were not
yet adopted. Therefore, the final contract required that the
voting equipment vendor would be responsible for bringing the
systems into compliance with the VVSG upon final adoption by
the EAC.
The Minnesota State Plan also called for the state to make
grants to counties from HAVA funds for the purchase of this
equipment. Counties were required to prepare plans that they
would purchase with these grant funds. Many counties already had
voting tabulating equipment. However, it was learned that the
vendor would not be upgrading the older equipment to the 2005
VVSG. Consequently, the state made the choice to permit the use
of grant funds to replace this older equipment, with the intent
to bring all voting equipment in the state up to the 2005 VVSG
standards.
Finally, due to security concerns raised during the comment
period for the adoption of the 2005 VVSG, it was decided in the
interests of Minnesota voters who shared these concerns for
security, that Minnesota would only permit the use of paper
ballots in its elections. Therefore, statutes were amended in
the 2006 legislative session, implementing this strict paper
ballot requirement.
Are the VVSG comprehensive enough, in the 2005 guidelines,
to guide purchasing decisions? No, the security standards of
the 2005 VVSG are not sufficiently comprehensive to ensure
security in our election systems. The use of technology for
voting increases the risk that security of the voting system
will be breached if proper safeguards are not taken.
I believe that more comprehensive treatment in two areas
alone would increase confidence in the electronic voting
systems. First is the use of wireless components. Because of
concerns with wireless components in the polling place,
wireless components should only be turned on after the polls
close and voting is complete, or strict security guidelines are
developed.
Also, to provide for maximum trust in election systems in
the United States, I believe that a voter-verified paper audit
trail should be highly considered required in the VVSG. In
Minnesota, I am pleased to say we have the ultimate voter-
verified paper trail, the actual ballots that the voters have
marked. This standard will help provide assurance that the
elections process is being conducted in an accurate and fair
manner. I believe that voters should be able to verify their
votes in complete confidence that they are counted as cast, and
that a VVPAT is necessary for purposes of a recount, and that
of an audit trail.
The current VVSG is good, for as far as it goes, but it
needs to be evaluated after the next election, to see how the
equipment functioned, and what would be better. Any necessary
modifications need to be made with an emphasis on software
changes and hardware security changes first. The cost of
implementing new hardware could be a burden on the taxpayers,
and should be avoided if at all possible.
So, what do these TGDC need to do to make it more likely
that states will update the equipment? Time is an issue. The
next effective date is too close for election administrators to
both evaluate the current system and propose improvements.
Through study of the effectiveness and the conduct of
elections, we will be able to have more information to make the
improvements necessary in the next versions. Caution should be
given to large capital expenditures that would waste today's
money.
Human factors are extremely important, and I have
sufficient testimony as well that is written today that I could
submit, seeing my time has concluded.
Thank you very much for the opportunity to testify today.
[The prepared statement of Ms. Kiffmeyer follows:]
Prepared Statement of Mary Kiffmeyer
Chairman Ehlers and Chairman Boehlert and Members, thank you for
the opportunity to address the U.S. House of Representatives Committees
on House Administration and Committee on Science. The opportunity to
inform the committees of the needs of the states regarding ``Voting
Machines: Will the New Standards and Guidelines Help Prevent Future
Problems?'' is very important to me and to other election officials in
other states. Minnesota has long been a leader in elections in this
country.
Minnesotans have led the Nation in voter turnout for several years
now including the important 18- to 24-year-old segment of the voting
population. One reason for high involvement is that Minnesotans have
demanded that elections meet the highest standards of accuracy, access,
integrity, and privacy. So, the implementation of HAVA has only helped
to assist in this process.
In the implementation of HAVA in Minnesota, access and privacy are
being greatly increased through the use of disability-accessible voting
equipment. In the process of evaluating potential equipment, accuracy
and integrity were deemed important objectives, along with the 2005
VVSG. In addition, the Secretary of State and all major parties came to
the conclusion that Minnesota should hold to a long-established
requirement of paper ballots for elections.
Q. To what extent are the 2005 Voluntary Voting Systems Guidelines
(VVSG) being used by Minnesota and why? If Minnesota is not adopting to
the 2005 VVSG, what standards are you using for voting equipment
purchasing decisions and operation, and why did you select these
standards?
A. Minnesota chose to use the 2005 Voluntary Voting Systems Guidelines
in order to be in line with the best information we could get on
election systems. In 2005, the State of Minnesota published a Request
for Proposals (RFP) for the statewide purchase of HAVA-compliant voting
equipment, both assistive-voting equipment and vote-tabulating
equipment. In preparation of the RFP, the 2005 Voluntary Voting System
Guidelines (VVSG) were used to establish accessibility and usability
requirements for the assistive voting equipment and the RFP required
that all equipment purchased under the contract comply with the 2005
VVSG. At the time the RFP was published, the 2005 Voluntary Voting
System Guidelines had not yet been adopted. Therefore, the final
contract required that the voting equipment vendor would be responsible
for bringing the systems into compliance with the Voluntary Voting
System Guidelines upon final adoption by the EAC.
The Minnesota State Plan called for the state to make grants to
counties from HAVA funds for the purchase of this equipment. Counties
were required to prepare plans for the voting equipment they would
purchase with these grant funds. Many counties already had vote-
tabulating equipment; however, it was learned that the vendor would not
be upgrading the older equipment to 2005 VVSG standards. Consequently,
the state made the choice to permit the use of grant funds to replace
this older equipment with the intent to bring all voting equipment in
the state up to the 2005 VVSG standards.
Finally, due to security concerns raised during the comment period
for the adoption of the 2005 VVSG standards, it was decided, in the
interest of Minnesota voters who shared these concerns for security,
that Minnesota would only permit the use of paper ballots in its
elections. Therefore, statutes were amended in the 2006 legislative
session implementing this strict paper ballot requirement.
Q. Are the 2005 VVSG comprehensive enough to guide states' voting
equipment purchasing decisions and voting systems operation during
elections? If so, why, and if not, why not?
A. No, the security standards of the 2005 VVSG are not sufficiently
comprehensive to ensure security in our election systems. The use of
technology for voting increases the risk that security of the voting
system will be breached, if proper safeguards are not taken. More
comprehensive treatment in two areas alone would increase confidence in
electronic voting systems. First is the use of wireless components.
Because of concerns with wireless components in the polling place,
wireless components should only be turned on after the polls close and
voting is complete or strict security guidelines are developed. Also,
to provide for maximal trust in election systems in the United States,
I believe that a voter-verified paper audit trail should be highly
considered required in the VVSG. (In Minnesota, I am pleased to say, we
have the ultimate voter-verified paper trail: the actual ballots that
voters have marked.) This will help provide assurance that the
elections process is being conducted in an accurate and fair manner. I
believe that voters should be able to verify their votes in complete
confidence that their votes are counted as cast. And a VVPAT is
necessary for purposes of a recount and that of an audit trail.
The current VVSG is good for as far as it goes, but it needs to be
evaluated after the next election to see how the equipment functioned
and what would be better. Any necessary modifications need to be made
with an emphasis on software changes and hardware security changes
first. The cost of implementing new hardware could be a burden on the
taxpayers and should be avoided if at all possible.
Q. What do the Election Assistance Commission and Technical
Guidelines Development Committee (TGDC) need to do to make it more
likely that states will update equipment using the latest VVSG? Do the
2005 VVSG need to be changed or improved in any way to make them more
useful to the states? If so, what changes or additional information
would you recommend for the VVSG? If not, why not?
A. Time is an issue. The next effective date is too close for election
administration to both evaluate the current system and propose
improvements. Thorough study of the effectiveness of the equipment in
the conduct of elections must be evaluated. After that study, ideas and
suggestions must be given regarding the improvement of the election
process. This takes time and the current timeframe is much too short.
In addition, caution should be given to large capital expenditures
to replace equipment. If at all possible software changes and upgrades
that would improve the process would be preferred and allow the
hardware changes to take effect later in order to make maximum use of
current expenditures by the Federal Government, states and local
jurisdictions.
Q. How important are human factors, such as those described in the
National Institute of Standards and Technology (NIST) 2004 report
``Improving the Usability and Accessibility of Voting Systems and
Products,'' in your selection of voting equipment? Is this report,
together with the 2005 VVSG, having an impact on voting systems and
elections, and if so, how? If not, why not?
A. Human factors were extremely important in the development of voting
equipment requirements for the State of Minnesota. In the early stages
of HAVA, our state worked closely with the disability community to seek
their advice as to the human factors in their voting experience. We
considered them the experts.
When it was decided that the state would be acquiring new voting
equipment, one of the first actions taken was to form a diverse group
of citizens to assist the Secretary of State in defining the
requirements for voting systems to be used in Minnesota. A Voting
Equipment Proposal Advisory Committee (VEPAC) was established for this
purpose. This group included members with different disabilities for
their input on accessibility and usability, local election
administrators, and citizens motivated to improve the election process
in the state. This committee researched the election equipment study
reports, including the report, ``Improving the Usability and
Accessibility of Voting Systems and Products,'' and made
recommendations to the Secretary of State that were incorporated into
the final equipment requirements of the state voting equipment
contract. Members of the committee then helped score RFPs and select
equipment. Accessibility and usability of the equipment eventually
chosen was of the greatest importance in its ultimate selection in
addition to the critical base requirements of security, accuracy and
integrity.
Thank you for the opportunity to testify before your committees and
your willingness to hear from those who administer elections in the
states. I would like to re-emphasize that no matter what modifications
may be made to the VVSG, it must incorporate the need for access,
accuracy, integrity, and privacy. And for the best use of funds already
invested both now and in the future, please give the needed time for
evaluation of the current situation of the election systems prior to
implementation of new standards.
Chairman Ehlers. And thank you very much. Ms. Lamone.
STATEMENT OF MS. LINDA H. LAMONE, ADMINISTRATOR OF ELECTIONS,
MARYLAND STATE BOARD OF ELECTIONS
Ms. Lamone. Chairmen, Members of the Committee, I am a
lawyer by training, not a physicist, but I will try to overcome
that deficiency.
Chairman Ehlers. We would appreciate that.
Ms. Lamone. One of the things I think everyone needs to
remember when we are talking about the issue that is before the
Committee today, that the voting process is really a four-
pronged, and a very large enterprise.
Not only do you have the voting equipment in place, and
that seems to be the focus of a lot of people, but you also
have to have an examination of the processes that surround the
election, the security, which is a huge issue in Maryland, and
of course, all the people.
And one of the things that concerns me about some of the
dialogue that is occurring around the country, not necessarily
here, is that we tend to lose focus on the huge number of
absolutely wonderful people that we have working in elections
across the country, from people like me, I am not that
wonderful, but people like, in my position, down to my
employees, the county people, the town people, and most
importantly, the poll workers. And they are a very important
prong to this process, and we need to make sure that they feel
like they are a part of it, and a welcome part of it.
The other part of this whole thing, of course, is also the
voters. What are we doing to make sure that they feel confident
that we are doing our job well, and not trying to undermine
their confidence, which I think a lot of the discussion is
tending to do.
You have heard from three of my distinguished colleagues
about some of the issues with the guidelines. I think one of
the most important things we need to remember is that this is
an evolution. It is not a simple step to improve the process.
In Maryland, we started, in 2001, with the General Assembly of
Maryland passing a law requiring a uniform statewide voting
system, and it has taken me until this year to fully implement
law, with Baltimore City becoming the last jurisdiction. So, in
the fall of this year, every voter in Maryland will be voting
on touchscreen voting.
The amount of money that it has taken me and the State of
Maryland to implement that decision of the General Assembly is
huge. Not only do I have over $50 million invested in the
voting system, I have many, many more millions invested in
security procedures, security processes, that we necessarily
have to take to ensure the integrity of this voting system.
If, for some reason, the existing system that we have in
Maryland is not compliant with any future guidelines issued by,
through the cooperation of NIST and the EAC, will the taxpayers
of my state be willing to spend another $50 million on voting
systems? Now, I suggest to you that that is going to be a very
tough decision on the part of my governor and my General
Assembly. So, that is something that we all have to keep in the
back of our minds when we are talking about this. And a lot of
the other states are going to be in the same position. Georgia
has a statewide system. They use the same system that I do, and
a lot of the counties are out there purchasing, or have
purchased for this upcoming fall elections, because they had
to, under the Help America Vote Act.
I would just like, and I know it is going to come up, so I
might as well hit it right on the head, the verified paper
trail has, for me, two main issues. One, it is going to stifle,
and it already has, to some extent, the development of any
other kind of independent verification technologies. I have
seen some things out there that are still prototypes that I
would love to see go onto the market, because they would
provide me with all kinds of wonderful tools, as well as
providing a way to audit and verify the election.
The other thing that has me greatly concerned about it is
its impact on the disabled voters, particularly those with
vision problems or blind voters. They have no way of verifying
in privacy what that piece of paper said, and it seems to me
that one of the major thrusts of the Help America Vote Act was
to assist this huge population of people, who either can't
read, don't know how, or can't read because they can't see.
I think in this debate, we need to keep them in our minds,
because we certainly have done everything we can in Maryland to
reach out to this population.
[The prepared statement of Ms. Lamone follows:]
Prepared Statement of Linda H. Lamone
Thank you for the opportunity to address the Committee on House
Administration and the Committee on Science on the impact of the voting
systems guidelines adopted by the U.S. Election Assistance Commission
in December 2005. As the Chief Election Official in Maryland and an
active member of the National Association of State Election Directors,
federal voting system standards have historically provided state and
local election officials with a level of assurance that a voting system
accurately counts and records votes and meets the minimum performance
and testing standards. The 2005 Voluntary Voting Systems Guidelines
(VVSG) enhance the prior voting system standards and, by raising the
minimum standards, will provide greater assurances to election
officials, candidates, and the voting public.
Application of Federal Voting Systems Standards in Maryland
Under section 9-102 of the Election Law Article of the Annotated
Code of Maryland, a voting system in Maryland cannot be State certified
unless an approved independent testing authority has tested the voting
system and shows that it meets the performance and test standards for
electronic voting systems. Although Maryland's law does not require
that a voting system meet a specific version of the standards, the
current language enables the State of Maryland to have voting systems
tested against the most recent standards without having to amend the
statute each time the standards are revised.
The State of Maryland began its implementation of a statewide,
uniform voting system in 2002. The request for proposals required that
``all equipment and software proposed must comply with the Federal
Election Commission's voting system standards regarding DRE and optical
scan equipment.'' \1\ Since Maryland's voting system was procured and
implemented in twenty-three of twenty-four jurisdictions before the
voluntary voting system standards were released for comment, the voting
system met the current standards at the time--the 1990 and later the
2002 standards.
---------------------------------------------------------------------------
\1\ See Section 2.1, Request for Proposals: Direct Recording
Electronic Voting System and Optical Scan Absentee Voting System for
Four Counties, Project No. SBE-2002.01, www.elections.state.md.us/pdf/
procurement/rfp.pdf.
---------------------------------------------------------------------------
As section 9-102 of the Election Law Article includes the VVSG and
any subsequent revisions, no additional steps are necessary for the
State to adopt these guidelines. Once the independent testing
authorities begin testing against the VVSG, future software versions of
the State's uniform voting system will be tested against these
guidelines.
Impact of 2005 Standards on Purchasing & Operational Decisions
As every jurisdiction should know that the VVSG are the only
federal standard against which voting systems will be tested starting
December 2007, the ability of a voting system to meet the VVSG should
be a critical factor for a jurisdiction selecting a voting system. With
at least forty-seven states requiring local jurisdictions to comply
with federal standards and guidance, the majority of states recognize
the importance of federal standards and guidance.\2\ That being said, I
suggest to you that whether the VVSG are ``comprehensive enough'' is
not a factor guiding voting system purchasing decisions (although it
may be a factor in determining whether additional testing is required);
the paramount inquiry is whether the voting system meets the
guidelines.
---------------------------------------------------------------------------
\2\ ``States and the District of Columbia Reported Requirements for
Local Jurisdictions to Use Federal Standards for Voting Systems,''
Appendix X, The Nation's Evolving Election System as Reflected in the
November 2004 General Election, GAO-06-450, June 2006.
---------------------------------------------------------------------------
Improve Likelihood of States to Accept VVSG
It is my opinion that the VVSG will become de facto mandatory for
several reasons. First, the majority of states require compliance with
federal guidelines. These states' laws may already require compliance
with new guidelines once they become effective.
Second, jurisdictions using old voting systems (i.e., punch card
voting system and mechanical lever machines) can no longer use those
systems if they accepted federal funds under the Help America Vote Act
of 2002. As vendors will not likely risk losing potential clients by
selling voting systems that do not meet the VVSG, they will most likely
only be offering voting systems that meet the VVSG. As a result, the
majority, if not all, of voting equipment on the market for the 2008
elections will most likely meet the VVSG.
Third, according to the U.S. Election Assistance Commission, voting
systems will no longer be tested against prior versions of the
guidelines once the VVSG are in effect. Once testing against prior
guidelines ends, new voting systems and upgrades to existing systems
will need to meet the VVSG or risk not being certified. With no other
guidelines against which to test, there will no longer be different
standards of certification (i.e., meets 2002 standards but not VVSG,
etc.).
Lastly, the political pressure against purchasing or using a system
that does not meet the guidelines will be high. With the litigious
nature of advocacy groups, it will be difficult for jurisdictions to
justify selecting and using a voting system that does not meet the
guidelines.
Although I believe that most states will accept the VVSG, there is
one additional enhancement to the guidelines that could provide an
additional incentive. In addition to certification by the U.S. Election
Assistance Commission, many states have a state certification process.
To the extent that the VVSG could be revised to include state-specific
certification requirements, state election officials could accept the
certification by the U.S. Election Assistance Commission as the basis
of state certification. This joint certification would reduce the
resources needed to conduct state certification without a reduction in
confidence in the voting system.
Human Factors & Voting Systems
Under Maryland law, a system's ``ease of understanding for the
voter'' and ``accessibility for all voters with disabilities recognized
by the Americans with Disabilities Act'' are required considerations
for State certification of a voting system.\3\ Although usability of
voting systems generally gets lost in the on-going debate about voting
systems, the ability of a voter to understand how to vote is equally
important as the security of a voting system.
---------------------------------------------------------------------------
\3\ See 9-102(d)(6) and (10), Election Law Article, Annotated
Code of Maryland.
---------------------------------------------------------------------------
The new usability guidelines in the VVSG are an important addition.
The new requirements and the expected usability guidelines in the next
version of the VVSG, coupled with recent studies by the National
Institute of Standards and Technology (NIST) and other academics, will
only enhance the usability of voting systems.\4\ Although Maryland's
voting system vendor has incorporated findings of prior usability
studies into its voting systems, I expect that the greatest impact of these
requirements and studies will be in future voting systems and software
upgrades.
---------------------------------------------------------------------------
\4\ See Herrnson et al., A Project to Assess Voting Technology and
Ballot Design, www.capc.umd.edu/rpts/VoteTechFull.pdf.
---------------------------------------------------------------------------
Conclusion
It is important to consider the VVSG as a long-term strategy to
improve voting systems in the United States. These guidelines cannot be
viewed as a panacea with an immediate and dramatic impact on elections;
their impact will be gradual and will not be known for several election
cycles.
Voting system vendors need time to make the required software and
hardware changes to their products. Similarly, independent testing
authorities need time to develop the necessary performance and test
guidelines to use during testing. Although the guidelines are referred
to as the ``2005 VVSG,'' the U.S. Election Assistance Commission
recognized that the infrastructure would need to develop before the
VVSG could be effective. For this reason, the Commission made the
guidelines effective in December 2007. For these reasons, the first
elections when voting systems tested against the VVSG would most likely
be used are the 2010 elections.
Equally important, State and local jurisdictions typically consider
voting systems as long-term investments. Maryland, for example, has
projected a fifteen-year life cycle for its current voting system. When
the VVSG become effective, some jurisdictions might be faced with the
following choice--either scrap a voting system that does not meet the
VVSG or procure a voting system that does. Although federal funding
offset some of the expenses associated with purchasing and implementing
a new voting system, it cannot cover all of the on-going maintenance
costs or costs of a new system.
Also, the involvement of the NIST in the election arena is new.
NIST's leadership of the Technical Guidelines Development Committee has
been critical in updating the voting system standards, and its
establishment of the National Voluntary Laboratory Accreditation
Program will impact future testing against the standards. As their role
has just begun and continues to evolve, it is important to allow NIST
to put into place standards and procedures to impact voting system
certification.
In conclusion, I would like to compare the process of improving
voting systems to the process of improving air quality. When the U.S.
Congress enacts a law to limit air pollution, the date by which the
affected industry must comply is often ten years down the road. This
delayed effective date allows the industry to evaluate options, develop
technologies that will enable them to comply with the mandates, and
implement the necessary changes to the industry's infrastructure.
I believe this is how voting system technology should be viewed. In
the meantime, however, the VVSG are a good first step, but they must be
viewed as the first step of many. Like cleaning our air, improving
voting systems takes time, and I caution you not to expect overnight
changes to voting systems.
Biography for Linda H. Lamone
Linda H. Lamone was appointed by the Governor to be the State
Administrator of Elections on July 1, 1997. As the State Election
Administrator, Ms. Lamone, by statute, has been charged with maximizing
the use of technology in election administration. Since her
appointment, Ms. Lamone is overseeing the second development and
implementation of a statewide voter registration system and a mandate
for a uniform statewide voting system. Additionally, Ms. Lamone has
administered the development of a sophisticated candidate and campaign
finance management program and an election management system that
creates and certifies each ballot layout for the State of Maryland.
Ms. Lamone serves on the Executive Committee of the National
Association of Secretaries of State and the U.S. Election Assistance
Commission's Standards Board and Advisory Board. She is also Vice Chair
of the Attorney Grievance Commission of Maryland and Chair of the
Character Committee for the Fifth Appellate Circuit and the Select
Committee on Gender Equality.
Chairman Ehlers. Thank you very much. Dr. Wagner.
STATEMENT OF DR. DAVID WAGNER, PROFESSOR OF COMPUTER SCIENCE,
UNIVERSITY OF CALIFORNIA AT BERKELEY
Dr. Wagner. Chairmen, Committee Members, thank you for the
opportunity to testify today. My name is David Wagner. I am an
Associate Professor of Computer Science at UC Berkeley. My
expertise is in computer security and electronic voting.
In my research into electronic voting, I have come to the
conclusion that the federal standards process is not working.
The federal testing labs are failing to weed out machines with
serious security and reliability problems. We know that the
federal testing labs have approved machines that have lost
thousands of votes. We know that the testing labs have approved
machines that have serious reliability problems.
How do we know that? Well, the State of California, my home
state, does its own reliability testing, using a methodology
that is more rigorous than occurs at any level of federal
testing, and when the State of California went to test one
federally approved system last year, they discovered mechanical
and software reliability problems so severe that if those
machines had been used in a real election, on election day, 20
percent of those machines would have failed.
Fortunately, California is on top of things, and was able--
has been able to detect and fix these problems before they
impact an election, but it raises questions about how the
testing labs came to approve a system like this.
Also, the federal testing labs, we know, are approving
machines that have security problems. We know that because
Finnish researcher Harri Hursti, an outsider, has found serious
security vulnerabilities in federally approved voting systems.
And in my own research, when I was commissioned to analyze one
federally approved voting system, I too found security
vulnerabilities that the federal testing labs had overlooked.
So, in short, the testing labs aren't getting the job done,
and what is more, so far, the federal standards, even the 2005
federal standards, have yet to address these problems. So, that
is the first of several shortcomings in the federal standards
that I wanted to highlight today.
The second is that it is my opinion that the standards are
not sufficiently grounded in a solid understanding of the
scientific and engineering principles. There is a broad
consensus among the technical experts who have studied these
issues that today, the best tool we have for protecting the
reliability and the security of our elections is the use of
voter-verified paper records, along with routine manual audits
of those records.
We know that computers can fail. We know that computers can
make mistakes, and part of the problem with paperless voting
machines is that they don't provide any independent way to go
back and reconstruct the voter's intent if voting software
should prove faulty, or be tampered with.
This is not a minority opinion. For instance, recently, the
Brennan Center, in collaboration with a large group of
technical experts and election officials, has completed a
comprehensive, 150-page analysis of some of the threats facing
voting systems. Their conclusion was that without voter-
verified paper records, a single person may be able to switch
votes on a large scale, possibly undetected, and potentially
even swing a close election.
So today, I don't know of a single colleague in the
computer security community who believes it is possible to have
full confidence in election outcomes without paper, given our
current state of our voting equipment. However, this consensus
among technical experts has yet to be reflected in the federal
voting standards. So, this is one example, and there are many
others, of how the federal standards are lagging behind the
best scientific and engineering understanding.
The consequence of these shortcomings is that the federal
standards are not sufficient to guarantee that federally
approved voting systems are able to adequately protect the
integrity of our elections, either against unintentional
failures, or against deliberate tampering.
I see that I have used up most of my allocated time. There
were a number of other points I wanted to make. In my written
testimony, I have discussed some of the steps that the EAC
could take to remedy these problems in the short term, as well
as some measures that election officials could take before
these November elections, to help as much as possible, and I
would welcome the chance to discuss this topic further with the
Committee Members.
Thank you.
[The prepared statement of Dr. Wagner follows:]
Prepared Statement of David Wagner
Thank you for the opportunity to testify today. My name is David
Wagner. I am an associate professor of computer science at U.C.
Berkeley. My area of expertise is in computer security and the security
of electronic voting. I have an A.B. (1995, Mathematics) from Princeton
University and a Ph.D. (2000, Computer Science) from U.C. Berkeley. I
have published two books and over 90 peer-reviewed scientific papers.
In past work, I have analyzed the security of cell phones, web
browsers, wireless networks, and other kinds of widely used information
technology. I am a member of the ACCURATE center, a multi-institution,
interdisciplinary academic research project funded by the National
Science Foundation\1\ to conduct novel scientific research on improving
election technology. I am a member of the California Secretary of
State's Voting Systems Technology Assessment Advisory Board.\2\
---------------------------------------------------------------------------
\1\ This work was supported by the National Science Foundation
under Grant No. CNS-052431 (ACCURATE). Any opinions, findings, and
conclusions or recommendations expressed in this material are those of
the author and do not necessarily reflect the views of the National
Science Foundation.
\2\ I do not speak for UC-Berkeley, ACCURATE, the California
Secretary of State, or any other organization. Affiliations are
provided for identification purposes only.
---------------------------------------------------------------------------
Background
Today, the state of electronic voting security is not good. Many of
today's electronic voting machines have security problems. The ones at
greatest risk are the paperless voting machines. These machines are
vulnerable to attack: a single person with insider access and some
technical knowledge could switch votes, perhaps undetected, and
potentially swing an election. With this technology, we cannot be
certain that our elections have not been corrupted.
Studies have found that there are effective security measures
available to protect election integrity, but many states have not
implemented these measures. The most effective defense involves
adoption of voter-verified paper records and mandatory manual audits of
these records, but only 13 states have mandated use of these security
measures. (At present, 27 states mandate voter-verified paper records,
another eight states use voter-verified paper records throughout the
state even though it is not required by law, and the remaining 15
states do not consistently use voter-verified paper records. Of the 35
states that do use voter-verified paper records statewide, only 13
require routine manual audits of those records.[1]) Voter-verified
paper records provide an independent way of reconstructing the voter's
intent, even if the voting software is faulty or corrupt, making them a
powerful tool for reliability and security.
Problems
The federal qualification process is not working. Federal standards
call for voting machines to be tested by Independent Testing
Authorities (ITAs) before the machines are approved for use, but the
past few years have exposed shortcomings in the testing process. The
ITAs are approving machines with reliability, security, and accuracy
problems. In the past several years:
ITA-approved voting machines have lost thousands of
votes. In Carteret County, NC, voting machines irretrievably
lost 4,400 votes during the 2004 election. The votes were never
recovered [2]. In 2002, vote-counting software in Broward
County, Florida, initially mis-tallied thousands of votes, due
to flaws in handling more than 32,000 votes; fortunately, alert
election officials noticed the problem and were able to work
around the flaws in the machines. In 2004, the same problem
happened again in Broward County, changing the outcome on one
state proposition [3,4], and in Orange County [5]. In Tarrant
County, Texas, an ITA-approved voting system counted 100,000
votes that were never cast by voters [6].
ITA-approved machines have suffered from reliability
flaws that could have disrupted elections. California's
reliability testing found that one ITA-approved voting system
suffered from mechanical and software reliability problems so
severe that, if it had been used in a real election, about 20
percent of machines would have experienced at least one failure
during election day and probably would have had to be taken out
of service [7].
ITA-approved machines have been found to contain
numerous security defects that threaten the integrity of our
elections. Over the past several years, we have been inundated
with revelations of security flaws in our voting systems from
academics (e.g., Johns Hopkins University, Rice University
[8]), industry consultants hired by election administrators
(e.g., SAIC [9], Compuware [10], InfoSENTRY [11], and RABA
[12]), and interested outsiders (e.g., Finnish researcher Harri
Hursti [13,14]). None of these flaws were caught by ITAs. In
the past five years, at least eight studies have evaluated the
security of commercial voting systems, and every one found new,
previously unknown security flaws in systems that had been
approved by the ITAs. In my own research, I was commissioned by
the State of California to examine the voting software from one
major vendor, and I found multiple security flaws even though
the software was previously approved by ITAs [15]. One of these
flaws was discovered at least three times by independent
security experts over a period of nine years (once in 1997,
again in 2003, and again in 2006), but was never flagged by the
ITAs at any point over that nine-year period [16].
All of these defects were ostensibly prohibited by federal
standards [17], but the ITA testing and federal qualification process
failed to weed out these problematic voting systems. The consequence of
these problems is that the federal qualification process is at present
unable to assure that voting systems meet minimum quality standards for
security, reliability, and accuracy.
Federal standards have so far failed to address these problems. The
2005 VVSG standards do not remedy the demonstrated failures of the
process to screen out insecure, unreliable, and inaccurate machines.
These failures have exposed structural problems in the federal
qualification process:
The ITAs are paid by the vendors whose systems they
are evaluating. Thus, the ITAs are subject to conflicts of
interest that raise questions about their ability to
effectively safeguard the public interest.
The process lacks transparency, rendering effective
public oversight difficult or impossible. ITA reports are
proprietary--they are considered the property of the vendor--
and not open to public inspection. Also, if a voting system
fails the ITA's tests, that fact is revealed only to the
manufacturer of that voting system. In one widely publicized
incident, one Secretary of State asked an ITA whether it had
approved a particular voting system submitted to the ITA. The
ITA refused to comply: it declined to discuss its tests with
anyone other than the voting system manufacturer, citing its
policy of confidentiality [18].
In addition, the secretive nature of the elections industry
prevents independent security experts from performing their own
analysis of the system. Technical information about voting
systems is often considered proprietary and secret by vendors,
and voting system source code is generally not available to
independent experts. In the rare cases where independent
experts have been able to gain access to source code, they have
discovered reliability and security problems.
Testing is too lax to ensure the machines are secure,
reliable, and trustworthy. The federal standards require only
superficial testing for security and reliability. For instance,
California's tests have revealed unexpected reliability
problems in several voting systems previously approved by ITAs.
In my opinion, California's reliability testing methodology is
superior to that mandated in the federal standards, because
California tests voting equipment at a large scale and under
conditions designed to simulate a real election.
Many standards in the requirements are not tested and
not enforced. The federal standards specify many requirements
that voting systems must meet, and specify a testing
methodology for ITAs to use, but many of the requirements are
not covered by that testing methodology. The ITAs only apply
whatever tests are mandated by the standards. The consequence
is that the federal standards contain many requirements with no
teeth. For instance, Section 6.4.2 of the 2002 standards
requires voting systems to ``deploy protection against the many
forms of threats to which they may be exposed;'' the security
vulnerabilities listed above appear to violate this untested
requirement. Likewise, Section 6.2 requires access controls to
prevent ``modification of compiled or interpreted code;'' three
of the major vulnerabilities revealed in the past two years
have violated this requirement. These requirements appear to be
ignored during ITA testing and thus have little or no force in
practice.
Parts of the voting software are exempt from
inspection, reducing the effectiveness of the federal testing.
The federal standards contain a loophole that renders
Commercial Off-the-Shelf (COTS) software exempt from some of
the testing. The COTS loophole means that the security,
reliability, and correctness of those software components are
not adequately examined. COTS software can harbor serious
defects, but these defects might not be discovered by the
federal qualification process as it currently stands.
Even if an ITA finds a serious security flaw in a
voting system, they are not required to report that flaw if the
flaw does not violate the VVSG standards. Thus, it is possible
to imagine a scenario where an ITA finds a flaw that could
endanger elections, but where the ITA is unable to share its
findings with anyone other than the vendor who built the flawed
system. Relying upon vendors to disclose flaws in their own
products is unsatisfactory.
There are disincentives for local election officials
to apply further scrutiny to these machines. Some local
election officials who have attempted to make up for the gaps
in the federal qualification process by performing their own
independent security tests have faced substantial resistance.
After one Florida county election official invited outside
experts to test the security of his voting equipment and
revealed that the tests had uncovered security defects in the
equipment, each of the three voting system vendors certified in
Florida responded by declining to do business with his county
[19]. The impasse was resolved only when the State of Florida
interceded [20]. In Utah, one election official was pressured
to resign after he invited independent security experts to
examine the security of his equipment and the testing revealed
security vulnerabilities [21,22]. The barriers to performing
independent security testing at the local level heighten the
impact of shortcomings in the federal standards.
If serious flaws are discovered in a voting system
after it has been approved, there is no mechanism to de-certify
the flawed system and revoke its status as a federally
qualified voting system.
The 2005 VVSG standards do not address these structural problems in
the federal qualification process. The 2005 VVSG standards were drafted
over a period of approximately three months. With such an extremely
constrained time schedule, it is not surprising that the 2005 standards
were unable to satisfactorily address the fundamental issues raised
above.
The shortcomings of the 2005 VVSG standards have several
consequences:
We are likely to continue to see new security and
reliability problems discovered periodically. The security and
reliability of federally approved systems will continue to be
subject to criticism.
Shortcomings at the federal level place a heavy
burden on states. The 2005 VVSG standards do not provide enough
information about the reliability and security of these
machines to help states and counties make informed purchasing
decisions. This places an undue burden on local election
officials. Some states are doing their best to make up for gaps
in the federal process, but many states do not have the
resources to do so.
Also, the increased scrutiny at the state level has the
potential to subject vendors to dozens of involved state-level
certification processes that have been instituted to make up
for the gaps in the federal process, increasing the compliance
burden on vendors.
Millions of voters will continue to vote on voting
machines that cannot be independently audited. This may
diminish confidence in election results. In the event of any
dispute over the outcome of the election, it may be impossible
to demonstrate whether the election was accurate. Allegations
of fraud may be difficult or impossible to rebut, due to the
fact that today's paperless voting machines do not generate and
retain the evidence that would be required to perform an
effective audit. The lack of openness and transparency
regarding voting system source code, testing, and equipment may
spawn further distrust in voting systems.
Voting equipment may still be subject to security and
reliability problems, even if they comply with the 2005 VVSG
standards. Many of the security and reliability defects
described above would not have been prevented even if the 2005
VVSG standards had been in force when the machines were
evaluated. Approval under the 2005 VVSG standards is not a
guarantee of security or reliability.
Recommendations
The Technical Guidelines Development Committee (TGDC) and the
Election Assistance Commission (EAC) could improve the VVSG standards
and begin to address these shortcomings by taking several steps:
Mandate voter-verified paper records and mandatory
manual audits. Stop approving paperless voting machines.
Today's paperless voting machines are not auditable. There is
no effective way to independently check whether their results
are accurate or to detect electronic fraud. The inability to
audit these machines greatly heightens the impact of security
problems. Ensuring that election results can be independently
audited would go a long way to reducing the impact of security
defects in voting equipment. The 2007 VVSG should mandate
voter-verified paper records and automatic manual audits of
those records after every election.
Broaden the focus beyond functionality testing, and
embrace discipline-specific methods of testing voting
equipment. Today, the standards primarily focus on
functionality testing, which evaluates whether the machines
implement all necessary functionality. Standards need to be
expanded to incorporate technical evaluations of the security,
reliability, and usability of these machines. The standards
must incorporate the different forms of evaluation these
disciplines each require. For instance, security evaluation is
unique, in that it must deal with an active, intelligent
adversary; functionality concerns the presence of desired
behavior, while security concerns the absence of undesired
behavior. Consequently, system security evaluations should
always include an adversarial analysis, including a threat
assessment and a source code review. The testing methods in the
standard should be updated to reflect the state of the art in
each discipline. Special attention will be needed to ensure
that the testing team has sufficient expertise, time, and
resources to perform a thorough evaluation.
Eliminate conflicts of interest in the federal
testing process. ITAs should not be paid by the vendors whose
systems they are testing. Several financial models are
possible, and all deserve consideration. For instance, one
possibility is for the EAC to collect a fee from vendors, as a
condition of eligibility for the federal qualification process,
to cover the costs of hiring ITAs to evaluate the system under
consideration.
Reform the federal testing process to provide more
transparency and openness. All ITA reports should be publicly
available. The documentation and technical data package
provided to ITAs should be made available to the public or to
independent technical experts so that they can independently
cross-check the ITA's conclusions and exercise public oversight
of the testing process. Also, the right of the public to
observe elections is rendered less meaningful if those
observing are unable to understand what it is that they are
seeing; under the current rules, observers have no access to
the documentation for the voting system they're observing,
which partially limits their ability to effectively monitor the
administration of the election.
Require broader disclosure of voting system source
code. The secrecy surrounding voting source code is a barrier
to independent evaluation of machines and contributes to
distrust. To enhance transparency, improve public oversight and
hold vendors accountable, voting software should be disclosed
more broadly. At a minimum, source code should be made
available to independent technical experts under appropriate
non-disclosure agreements. In the long run, source code should
be publicly disclosed. Source code disclosure does not prevent
vendors from protecting their intellectual property; vendors
can continue to rely on copyright and patent law for this
purpose.
Keeping source code secret does not appreciably improve
security: in the long run, the software cannot be kept secret
from motivated attackers with access to a single voting
machine. However, disclosing source code more broadly could
enhance public confidence in elections and is likely to lead to
improvements to voting system security.
Incorporate closed feedback loops into the regulatory
process. Standards should be informed by experience. At
present, there is no requirement for reporting of performance
data or failures of voting equipment, no provision for
analyzing this data, and no process for revising regulations in
a timely fashion in response. The 2007 VVSG should incorporate
a framework for collecting, investigating, and acting on data
from the field and should provide a mechanism for interim
updates to the standards to reflect newly discovered threats to
voting systems. For instance, the FAA requires airplane
operators to report all incidents (including both failures and
near-failures), uses independent accident investigators to
evaluate these reports, and constantly revises regulations in
response to this information. Adopting a similar framework for
voting systems would likely improve voting systems.
Strengthen the evaluation of usability and
accessibility. The discipline of usability has developed
methods for usability testing--such as user testing with actual
voters or poll workers, as well as heuristic evaluation by
usability and accessibility experts--but these methods are not
currently reflected in the VVSG standards. They would represent
a valuable addition to the standards. In addition, usability
experts have suggested it would be helpful to move away from
the current emphasis on functional requirements and towards an
evaluation regime based primarily on assessing performance
against some quantitative metric of usability [23]. The 2005
VVSG standards are a positive first step towards addressing
human factors issues, but there is room for further
improvement.
Increase the representation of technical experts in
computer security on the TGDC. The appointment of Prof. Ronald
Rivest to the TGDC was warmly welcomed by security experts:
Rivest is extremely qualified and very highly respected among
the computer security community. However, at present, Rivest is
the only member of the TGDC with substantial experience in the
area of security. Appointing more TGDC members with security
expertise would improve the ability of the TGDC to develop
effective standards.
Ensure that standards are grounded in the best
scientific and engineering understanding. Too often, decisions
have been made that do not reflect the best judgment of the
relevant experts. For instance, in 2004 the premier
professional organization for computing professionals surveyed
their members about e-voting technology. 95 percent of
respondents voted for a position endorsing voter-verified paper
records and expressing concerns about paperless voting
technologies [24]--yet two years later, this overwhelming
consensus among technical experts has yet to be reflected in
federal standards.
For further information, I refer readers to the ACCURATE center's
``Public Comment on the 2005 Voluntary Voting System Guidelines,'' [25]
which I have attached as an appendix to this testimony.
In the short-term, adopting the recommendations of the Brennan
Center report on e-voting is the most effective and practical step
election officials could take to make existing voting systems as secure
and reliable as possible for this November. These recommendations
include:
Conduct automatic routine audits of the voter-
verified paper records;
Perform parallel testing of voting machines;
Ban voting machines with wireless capability;
Use a transparent and random selection process for
all audits; and,
Adopt procedures for investigating and responding to
evidence of fraud or error.
For further information, see the Brennan Center report [26].
In addition, I encourage election officials to pay special
attention to their voter registration systems. In many states, voter
registration processes are in a state of flux, due to the HAVA
requirement that statewide registration databases be in place this
year. These databases could significantly improve elections if
implemented well; if implemented poorly, however, they could
disenfranchise many thousands of voters. See the USACM report on voter
registration databases [27].
Summary
In summary, the 2005 VVSG standards contain significant
shortcomings regarding the security, reliability, and auditability of
electronic voting. Members of the computer security community are
available to help devise better solutions.
Notes
1. ``The Machinery of Democracy: Protecting Elections in an
Electronic World,'' Brennan Center Task Force on Voting System
Security, June 27, 2006. Since that report was written, Arizona has
adopted voter-verified paper records and routine manual audits of those
records statewide.
2. ``Computer loses more than 4,000 early votes in Carteret County,''
Associated Press, November 4, 2004.
3. ``Broward Ballot Blunder Changes Amendment Result,'' Local 10
News, November 4, 2004.
4. ``Broward Machines Count Backward,'' The Palm Beach Post, November
5, 2004.
5. ``Distrust fuels doubts on votes: Orange's Web site posted wrong
totals,'' Orlando Sentinel, November 12, 2004.
6. ``Vote spike blamed on program snafu,'' Fort Worth Star-Telegram,
March 9, 2006.
7. ``Analysis of Volume Testing of the AccuVote TSx/AccuView,''
Report of the California Secretary of State's Voting Systems Technology
Assessment Advisory Board, October 11, 2005.
8. ``Analysis of an Electronic Voting System,'' Tadayoshi Kohno, Adam
Stubblefield, Aviel D. Rubin and Dan S. Wallach, May, 2004.
9. ``Risk Assessment Report: Diebold AccuVote-TS Voting System and
Processes,'' Science Applications International Corporation, September
2, 2003.
10. ``Direct Recording Electronic (DRE) Technical Security Assessment
Report,'' Compuware Corporation, November 21, 2003.
11. ``Security Assessment: Summary of Findings and Recommendations,''
InfoSENTRY, November 21, 2003.
12. ``Trusted Agent Report: Diebold AccuVote-TS System,'' RABA
Innovative Solution Cell, January 20, 2004.
13. ``Critical Security Issues with Diebold Optical Scan,'' Harri
Hursti, Black Box Voting, July 4, 2005.
14. ``Critical Security Issues with Diebold TSx,'' Harri Hursti, Black
Box Voting, May 11, 2006.
15. ``Security Analysis of the Diebold AccuBasic Interpreter,'' Report
of the California Secretary of State's Voting Systems Technology
Assessment Advisory Board, February 14, 2006.
16. ``Connecting Work on Threat Analysis to the Real World,'' Douglas
W. Jones, June 8, 2006.
17. For instance, the security vulnerabilities appear to violate the
requirements of Section 6.4.2 and Section 6.2 of the 2002 FEC
standards.
18. ``Election Officials Rely on Private Firms,'' San Jose Mercury
News, May 30, 2004.
19. ``Election Whistle-Blower Stymied by Vendors,'' Washington Post,
March 26, 2006.
20. ``Sort of fixed: Broader election flaws persist,'' Tallahassee
Democrat, April 15, 2006.
21. ``Cold Shoulder for E-voting Whistleblowers,'' The New Standard,
May 17, 2006.
22. ``New Fears of Security Risks in Electronic Voting Systems,'' The
New York Times, May 12, 2006.
23. ``Public Comment on the 2005 Voluntary Voting System Guidelines,''
ACCURATE Center, submitted to the United States Election Assistance
Commission, September 2005.
24. ``ACM Recommends Integrity, Security, Usability in E-voting, Cites
Risks of Computer-based Systems,'' USACM, September 28, 2004.
25. http://accurate-voting.org/accurate/docs/2005-vvsg-comment.pdf
26. ``The Machinery of Democracy: Protecting Elections in an
Electronic World,'' Brennan Center Task Force on Voting System
Security, June 27, 2006.
27. ``Statewide Databases of Registered Voters: Study of Accuracy,
Privacy, Usability, Security, and Reliability Issues,'' commissioned by
the U.S. Public Policy Committee of the Association for Computing
Machinery, February 16, 2006.
Chairman Ehlers. Thank you very much, and after those
comments, perhaps we should have more distance between you and
Mr. Groh in the seating arrangement.
We will now call on Mr. Groh.
STATEMENT OF MR. JOHN S. GROH, CHAIRMAN, ELECTION TECHNOLOGY
COUNCIL, INFORMATION TECHNOLOGY ASSOCIATION OF AMERICA
Mr. Groh. Good afternoon. My name is John Groh, and I am a
Senior Vice President with Election Systems & Software, one of
the voting system vendors in the United States.
I am here to provide testimony on the part of, or on behalf
of the Information Technology Association of America, and its
Election Technology Council, which is a subset group. ITAA is
one of the oldest, the Nation's oldest and largest trade
associations for the information technology industry,
representing approximately 325 companies. The Election
Technology Council consists of companies which offer voting
system technology hardware products, software, services, to
support the electoral process.
These companies have organized within ITAA to work together
to address common issues facing our industries as a valued
stakeholder. Current members of the ETC are Advanced Voting
Solutions, Danaher Guardian Voting Systems, Diebold Election
Systems, Election Systems & Software, Hart InterCivic, Perfect
Voting Systems, and Sequoia Voting Systems, along with UniLect
Corporation. Our membership is open to all companies that are
interested in the voting environment.
Our member companies have a great stake in the conduct and
the outcome of this process. Indeed, voting solutions provided
and supported by our members account for over 90 percent of the
voting systems the marketplace uses today. Our members employ
over 2,000 dedicated citizen employees, who work hard to
support the success of American elections.
The ETC is pleased to respond to your request for a vendor
perspective on the issues surrounding the implementation of the
2005 Voluntary Voting System Guidelines, and the national
voting system certification and testing process. My written
testimony is much longer, but I would like to provide a few
detailed responses to specific issues.
First, I would like to acknowledge the very strong
partnership and alliance that the vendor community has with two
important organizational leaders in this area: the United
States Election Assistance Commission, and the National
Institute of Standards and Technology, as well as the Technical
Guidelines Development Committee. Both of these groups should
be commended for the focus and urgency with which they have
moved forward with the Voluntary Voting System Guidelines. It
has been a tremendous task to do this in a short period of
time, that was challenged with everyone in this.
Comments on the 2005 Voting System Guidelines process.
Turning to the specific issues of the VVSG, it is important to
first underscore the respect we have for the standards making
process, and our very belief, our real belief that a dynamic
standards process is key to motivating innovation and continued
enhancement of voting technology.
Having said that, there are several realities that the
voting system vendors believe must be acknowledged and
accounted for in laying the groundwork for successful rollout
of the 2005 VVSG. Issues our members wish to raise to your
attention include: one, the need to consider fiscal and
operational feasibility; two, the impact of certification and
testing; three, the need for continuing funding streams; and
four, the need for a phased-in implementation.
Let me touch first on the fiscal operational feasibility.
There is a discernible trend in the development of the 2005
Voluntary Voting System Guidelines to push the envelope of the
voting system capabilities. While vendors can develop and
deliver most of what is required in the VVSG, such requirements
will come at a cost. Eventually, addition of system features
and functions will be constrained by what the market will be
willing to pay or able to pay. A balance needs to be struck
between the development of new requirements and future versions
of VVSG, and the fiscal and operational realities that the
states and the counties and the United States that run
elections have to deal with.
The second issue, on the impact of certification and
testing on the guidelines. Certification and testing will be
critical to achieving full compliance with the 2005 standards.
To achieve federal certification of systems under the 2005 VVSG
by December of 2007, which is the effective date, the new
certification process will likely need to be in place before
the end of this year, with accredited testing labs ready to
test, and tests defined for every applicable requirement for
the 2005 guidelines. This is an extremely aggressive timeline
for the vendors, as well as many of us sitting at this table.
First, although the voting system features and functions
addressed for the first time require the development of a new
certification test, some of the 2005 Voluntary Voting System
Guideline requirements have no test defined to date. Second,
once the tests are in place, we would have to expect a learning
curve, and unforeseen difficulties associated with the change.
Then, some tests may add prohibitive delays or costs in the
certification process, and depending on the nature of the
problem, this may require modification to the guidelines or the
testing process itself. All of these challenges will require
some flexibility, as the revised guidelines and certification
process are implemented. The alternatives will be a possibly
unattainable or untestable standard.
I have other comments, but my time is up, and so I will
yield to the floor for questions.
[The prepared statement of Mr. Groh follows:]
Prepared Statement of John S. Groh
Good afternoon, Chairmen Ehlers and Boehlert, Ranking Members
Millender-McDonald and Gordon:
My name is John Groh and I am a Senior Vice President with Election
Systems & Software. I am here to provide testimony on behalf of the
Information Technology Association of America (ITAA) and its Election
Technology Council (ETC). The ITAA is one of the Nation's oldest and
largest trade associations for the information technology industry,
representing approximately 350 companies. The Election Technology
Council consists of companies which offer voting system technology
hardware products, software and services to support the electoral
process. These companies have organized within the association to work
together to address common issues facing our industry. Current members
of the ETC are: Advanced Voting Solutions, Danaher Guardian Voting
Systems, Diebold Election Systems, Election Systems & Software, Hart
InterCivic, Perfect Voting System, Sequoia Voting Systems, and UniLect
Corporation. Membership in the ETC is open to any company in the
election systems marketplace.
The ETC is pleased to respond to your request for vendor
perspective on issues surrounding the implementation of the 2005
Voluntary Voting Systems Guidelines (2005 VVSG) and the national voting
system certification and testing processes.
Our member companies have a great stake in the conduct and outcome
of this process. Indeed, voting solutions provided and supported by our
members account for over 90 percent of voting systems in the
marketplace today. Our members employ over 2,000 dedicated citizen
employees, who all work hard to support the success of American
elections.
First, I would like to acknowledge the very strong partnership the
vendor community has with two important organizational leaders in this
effort: the U.S. Election Assistance Commission (EAC) and the National
Institute of Standards and Technology (NIST)/Technical Guidelines
Development Committee (TGDC). Both should be commended for the focus
and urgency with which they have moved to implement the requirements of
the Help America Vote Act of 2002 (HAVA), the roll-out of the Voluntary
Voting Systems Guidelines, and the transition to a new voting system
certification process.
Comments on the 2005 Voluntary Voting Systems Guidelines Process:
There are several realities that voting system vendors believe must
be acknowledged and accounted for in laying the groundwork for a
successful roll-out of the 2005 VVSG. The delays at the beginning of
the EAC-NIST ramp-up period set the guidelines development process back
by about 12-18 months. The effort to issue the VVSG was unparalleled in
terms of the scope and speed of a technical guidelines development for
voting systems, and possibly for any comparable technology. Indeed,
similar efforts have taken many years to complete. However, the initial
delays compounded an already uncertain situation and many State and
local governments chose to delay purchases of HAVA-compliant voting
equipment in anticipation of the new guidelines.
Given the amount of installation work now being undertaken, and
despite the complexity and politics involved with voting systems
procurements, the implementation of new voting systems that meet the
requirements of HAVA is generally going smoothly. With primaries and
general elections now looming, elections officials must exercise
caution against taking shortcuts in important areas such as training,
testing, and preparation.
Many, if not most, of the problems that are experienced in the U.S.
electoral process today are not directly technological, but involve
humans and their interactions with technology. Reports of problems in
the 2006 primary elections have been largely attributable to
insufficient training and preparedness in the polling place. Those
closely involved in voting know that it is an exercise with a thousand
moving parts and most of those parts are processes conducted by human
hands.
The voting systems installation situation currently facing states
and local governments is unique. Once this work is complete, the
hardware may be in place ten years or more. While the immediate burdens
of procurement and installation will surely diminish, the ongoing
management and support of the large quantity of new systems, combined
with the upcoming VVSG effective dates and roll-out of a new
certification process, presents many new challenges and issues to
elections officials and their vendor partners. Issues our members wish
to raise to your attention include:
What is feasible both fiscally and operationally?
The impact of certification and testing on the
guidelines
The need for continued funding streams
The need for phased implementation
What Is Feasible Both Fiscally and Operationally?
There is a discernible trend in the development of the 2005 VVSG to
``push the envelope'' of voting system capabilities. While vendors can
develop and deliver most of what is required in the VVSG, such
requirements will come at a cost. Eventually, addition of system
features and functions will be constrained by what the market will be
willing and able to pay. A balance needs to be struck between the
development of new requirements in future versions of the VVSG and
fiscal and operational realities in the states.
Those overseeing development of new voting systems guidelines
should follow the old adage: ``perfect should not be the enemy of
good.'' While we always strive towards perfection, we believe that
making perfection the operating standards will have unintended
consequences. What may be perfect for an aspect of security may be a
limiting factor on usability. There may need to be compromises to find
a ``good'' and balanced system that can actually be produced, certified
and made affordable to jurisdictions using taxpayers' money.
The Impact of Certification and Testing on the Guidelines
As new voting systems certification and testing processes are
rolled out, there will be a learning curve that will cause delays in
the implementation of the guidelines. Once the guidelines are actually
applied by a test lab against a voting system, it is likely that the
complexity of the guidelines and conflicts between some requirements in
the 2005 VVSG will be discovered. As instances are discovered, further
interpretation and revision of the guidelines will become necessary.
Some examples that we know of to date are:
The subjective interpretation that will be required
in the area of testing systems for accommodating cognitive
disabilities (no one system can accommodate all disabilities
and there is no list of disabilities defined for the labs to
use in their testing.)
The addition of a standard port to read the DRE
memory without compromising security using an independent
system that hasn't been established.
Requirements that need to be tested, yet no tests are
yet defined (e.g., usability, benchmarks are still being
studied by NIST.)
Voting systems features and functions addressed for the first time
in the 2005 VVSG have mandated the development of new tests. Some of
the 2005 VVSG requirements have no tests defined to date. It is likely
that the development and initial implementation of new tests will run
into unforeseen difficulties and delays to determine objective and
effective parameters. Some tests may add prohibitive delays or costs to
the certification process. Depending on the nature of the problem, this
may require modification to the guidelines or to the testing process
itself.
These situations will demand some flexibility in revisions to the
guidelines and certification processes. The alternative will be to find
some voting systems, or even a generation of voting equipment,
uncertifiable against a possibly unattainable or untestable standard.
If that equipment can readily meet the requirements spelled out in
HAVA, such a result would be a poor outcome and one that may force
states to squander federal and state monies already appropriated,
disbursed and spent on HAVA compliant equipment.
Need for Continued Funding Streams
One shortcoming of the Help America Vote Act of 2002 is the lack of
a mechanism for continued funding to the states and election
jurisdictions. Under the 2005 VVSG and future iterations of the
guidelines, it is almost certain that states and election jurisdictions
will be required to purchase and deploy new voting systems hardware
and--more likely--firmware and software to be compliant with the new
guideline iterations. While much of the expense for new systems
compliant with the 2002 Voluntary Voting System Standards (2002 VVSS)
was covered by the first HAVA appropriations, much of the continuing
expense for modifications and upgrades demanded by changes in the 2005
VVSG and future iterations will fall to the states and local
governments.
In many states, the most significant expense not covered by federal
money was for Voter Verified Paper Audit Trail (VVPAT) equipment. The
purchase of VVPAT printers was not anticipated by HAVA, and not enough
money appropriated for it. In many states, legislative mandate has made
the VVPAT a necessary voting system component. The additional cost of
these devices has diverted monies from other important aspects of HAVA,
such as voter education and user training.
The increasing complexity required of voting systems by the
guidelines is creating a need for more user training. As I stated
above, the vast majority of problems experienced with voting systems
are attributable to insufficient training and preparedness in the
polling place. Some of these problems will decrease as elections
officials and other system users move along the technology learning
curve. But funding the necessary training will move elections
jurisdictions more rapidly along the learning curve, expediting the
drive to problem-free elections.
Need for Phased Implementation
The voting systems market will take some time to adopt fully the
new guidelines and certification process. For evidence of the time it
takes for the marketplace to completely adjust to and absorb a new
standard from release to widespread adoption, one need look no further
than the case of the 2002 VVSS. It took more than three years from the
initial release to adoption on a near-national basis. This lengthy
adoption period was not for a lack of trying on the part of states and
vendors but rather recognition that the process to make encompassing
changes requires the time to do it right. The funding that HAVA
provided facilitated the adoption of the 2002 VVSS by the states. As
there currently are no federal funds earmarked to facilitate the
implementation of 2005 VVSG compliant voting systems, the nation-wide
adoption of the 2005 VVSG may take even longer.
Given that the 2005 VVSG adoption process may take at least two to
three years to complete, our members have recommended a phased
implementation of the guidelines be taken under consideration by the
EAC.\1\ This is a critically important issue which merits consideration
by all interested parties.
---------------------------------------------------------------------------
\1\ ETC testimony before the U.S. Election Assistance Commission,
February 2, 2006;
http://www.electiontech.org/downloads/ETC%20Groh%20EAC%20Testimony%20-%202.2.06%20-%20Final.pdf
---------------------------------------------------------------------------
Our members believe that equipment certified under the 2002 VVSS is
HAVA-compliant. However, much of that equipment will not be compliant
with the 2005 VVSG at the time the new guidelines become effective in
December 2007. It is our position that voting systems certified to meet
2002 VVSS that are HAVA-compliant and have been proven in the field to
provide the customer and the voter with a satisfactory level of
usability, reliability, accuracy, and security should be grandfathered
under the 2005 VVSG. Many of the issues raised regarding 2002 VVSS
compliant equipment can likely be addressed through operational
procedure changes and software modifications.
If equipment certified under the 2002 standard is not grandfathered
under the 2005 guidelines, the cost burden to the customer will be
onerous as jurisdictions will have to replace their existing 2002 VVSS
and HAVA-compliant equipment with 2005 VVSG compliant equipment.
Without some type of grandfathering provisions under the 2005 VVSG,
additional federal funds will be necessary to cover the cost of
replacement equipment and upgrades. Jurisdictions should be able to get
at least a ten to fifteen year return on investment from their existing
equipment and not be forced to replace it every time a new version of
the guidelines is implemented.
Comments on National Voting Systems Certification and Testing
Processes:
The EAC provided the states and NIST a 24-month transition window
after the adoption of the 2005 VVSG on December 14, 2005 to migrate to
a new set of voting system guidelines and certification process. This
migration has already begun and the EAC approved adoption of an interim
set of federal certification procedures at its July 13, 2006 meeting.
To facilitate federal ITA certifications before the December 2007
deadline, the new certification process will likely need to be in place
before the end of this year, with accredited testing laboratories ready
to test, and tests defined for every applicable requirement in the 2005
VVSG.
There are several important issues that should be addressed in the
migration to new certification and testing processes, including:
Testing Frequency and Repetition
Developing New Uniform, Economical Testing Practices
Certification for Systems Developed under a Previous
Standard
Testing Frequency and Repetition
As the EAC and NIST move forward in the design and implementation
of a new certification process, our members believe the EAC should give
serious consideration to the fundamental issue of testing frequency and
repetition. State and county election officials, and their vendor
partners, face an ever-increasing volume of federal qualification and
state testing activity. Reducing the cost and delay imposed by
continual--and often repetitive--testing should be a primary
consideration of the new certification process. By combining the
federal level ITA certification testing and basic state level tests,
the system certification process could be made more streamlined and
uniform, saving valuable time for election officials and reducing
redundant non-value added costs for everyone.
Developing New Uniform, Economical Testing Practices
Not only is testing voting systems for the purpose of obtaining
federal and State certifications becoming too frequent and overly
costly, the situation may soon be aggravated by the need for new and
fairly complex tests mandated by the 2005 VVSG. The guidelines put
forth several new requirements for which no appropriate tests currently
exist. According to experts in the standards and testing field, the
most challenging tests may prove to be in the areas of system usability
and security.
Further, the advent of state-mandated volume testing has
dramatically increased costs of certification in some states. Volume
testing incorporates the use of at least 100 DREs, each unit counting
hundreds of ballots over the course of days to emulate the election-day
experience at a polling site. While the goals of this type of testing
are worthy, cost increases have resulted.
Without the development of new tests that are uniformly applied
from testing lab to testing lab, and designed from the outset to
diminish the need for repetitive tests, a potentially vast new area of
vendor expense may be created. Testing expense has the potential to
drive up voting system costs significantly and slow the entry of new
systems into the market. The ETC believes that the EAC, NIST, and other
concerned groups should quickly take steps to begin work on developing
more uniform and economical testing for voting systems.
Certification for Systems Developed Under a Previous Standard
In previous communications with the EAC, we have asked the
Commission to recognize and retain the good and common elements of the
pre-existing NASED voting system certification procedures. We expect
that the EAC certification process will likely incorporate several
elements of the NASED procedure.
One element of the current NASED certification process that the EAC
has indicated it will carry forward is the discontinuation of
certifying voting system platforms that were certified under a previous
standard. It is important that Members of Congress understand the
economic and election performance impacts of such a step on state and
county election administrators, the voters and vendors.
We know that stopping any and all certification of systems
certified under the 2002 VVSS, on a certain date, without an allowance
for state required enhancements or to fix errors found, will impose
major economic consequences on states or election jurisdictions which
have recently purchased voting systems under those standards. Due to
the many meaningful changes made under the 2005 VVSG, there may be no
way to economically retrofit some voting systems. Such equipment may
have to be discarded and new procurements undertaken with new purchase
costs to the election jurisdictions.
In addition to cost and other economic impacts, the EAC should
consider election management and performance issues in setting
transition policy for systems certified under the 2002 VVSS. States and
jurisdictions make voting system acquisitions with an expectation of a
10- to 15-year service life. This timeframe allows the customer to
refresh technology when it becomes near-obsolete or to take advantage
of technology upgrades as they become available in the market. As
states and jurisdictions introduce new technology, they must move along
the learning curves for system usage, support, and training. Changes to
hardware platforms can impact the training that the customer has
invested in its poll workers as well as associated voter education
programs.
Concluding Remarks:
In providing this testimony, our intention is to give Members of
the Committees a vendor perspective on the roll-out of new voting systems
guidelines and certification processes to the vendor community and, as
we see it, to the states and election jurisdictions--our valued
customers whom we serve.
It is our belief that the adherence to standards and rigor of the
certification process is critical to maintaining the integrity of our
elections. State adoption of the federal Voluntary Voting System
Guidelines is what makes the standard effective.
The Election Technology Council and its members are committed to
working with the EAC, NIST, and our customers, to see the 2005 VVSG and
a new certification process through to successful implementation.
Further, we look to EAC and NIST as the bodies best positioned and
armed to tackle the tasks at hand. We hope that other parties
interested in working on elections equipment and administration issues
would similarly recognize the importance of the EAC and NIST
initiatives and refrain from launching parallel and--in some
instances--conflicting initiatives.
Above all, we are responsive to customer needs and are committed to
providing safe, secure, accurate, reliable and accessible voting
systems under any standard or certification program. We only ask that
the appropriate time be allowed so it can be done right and that the
funding and costs of implementation be considered when creating new
guidelines and certification processes. We all recognize and accept
that with new voting system technology comes complexity and need for
changes in election administration, poll worker skills and increased
voter education and outreach programs.
We are all involved in this process together, and by working
together we can improve the process of voting, voter access and
participation.
Biography for John S. Groh
John Groh came to Election Systems & Software in 1995 to focus the
company on a growth strategic plan that included development of new
products, pursuing international markets for election automation, and
growth through acquisitions. During this period ES&S has grown from 40
associates to well over 400; with a customer base that has grown from
600 local jurisdictions to more than 2,300 world-wide. The company's
product offerings now cover the entire spectrum of end-to-end
integrated voting systems--in paper, and electronic form.
John S. Groh functions in several roles at ES&S, including
President of ES&S International, Senior Vice-President of Voter
Registration Sales, and Senior Vice President of Marketing,
Communication & Public Relations. Additionally in his role as Senior
Vice-President of Government Relations he has served as ES&S' liaison
with the U.S. Election Assistance Commission and has participated in
the NIST-TGDC process of creating the new voting system guidelines.
Further still, he represented ES&S at NASS and NASED events, and serves
as spokesperson for ES&S on policy issues.
Mr. Groh currently serves as the Chairman of the Information
Technology Association of America's (ITAA's)--Election Technology
Council. He has offered testimony twice in front of the EAC on the HAVA
implementation process.
Discussion
Chairman Ehlers. Thank you, and thank you all for staying
within your time limits. I think that may have set a record for
this committee.
The panel is being joined by Mr. Skall, from NIST, who will
assist in answering technical questions addressed to Dr.
Jeffrey.
I will begin the first round of questions, and recognize
myself for five minutes.
First of all, I just want to comment on, I believe it was
Ms. Lamone, you referred to the poll workers, as I recall, and
I have always admired the incredible dedication of the poll
workers, who come out at minimal pay, for incredibly long
hours, a difficult job, and do it year after year after year,
and I have the highest respect for them.
And partly for that reason, partly for other reasons, when
we had the fiasco a few years ago in the Presidential election,
and people were talking about solutions, I repeatedly heard
people say, ``Well, we have to train the poll workers better,
and we have to train the voters better.'' And I am a former
professor. I have great respect for education, but I always
said ``Bunk.'' If you are having people who do something twice
a year on average, in some cases less, you can train all you
want, but they are not going to remember for six months or a
year, just precisely what they have to do. You have to design
the systems so that they are intuitive and operation is
self-evident, and that is where the term human factors comes in. So,
I have pushed very hard on having human factors done first.
Human Factors and HAVA Guidelines, Technology
And Dr. Jeffrey, on that point, one of NIST's earliest
products under HAVA was its Human Factors Report, partly, I
suspect, because of my insistence on it. To what extent have
the findings of this report been incorporated into the 2005
guidelines, and what kinds of guidelines remain to be written?
Dr. Jeffrey. Thank you, sir.
The 2004 report listed ten major recommendations on human
factors, and these included incorporating the U.S. Access Board
requirements and suggestions into the guidelines, developing
performance-based, as opposed to design-based usability
requirements, and looking at usability testing for voting
systems.
Half of those, of the ten recommendations, have made it
into the 2005 VVSG. The other half are being addressed, and
will be addressed in the 2007 version. And I would just like to
add that part of those usability requirements are not just for
the voters, but they also include usability for poll workers,
though it is not as comprehensive as for the voters, but it is
included in there.
Mr. Baird. Mr. Chairman, could we check and see if the
witnesses' mikes are all turned off.
Chairman Ehlers. Pardon?
Mr. Baird. We are getting some--it is this one over here.
Chairman Ehlers. I am sorry. Could you just turn off all
your mikes for the moment, please. I am sorry, I can't hear
you. Members turn off their mikes, too, unless you are
speaking, yes. Yeah, just wait until the things really get
rolling here. Okay, well, I appreciate your answer to that.
Are there other guidelines that you are preparing on human
factors?
Dr. Jeffrey. On human factors, the other five
recommendations. Actually, Mark, if you want to add the
additional ones beyond the 2004 report.
Mr. Skall. Yes. We are, again, in the 2007 proposed
standard, we are adding looking at each usability requirement,
again, as Dr. Jeffrey said, we are making them
performance-based, adding actual testing benchmarks, and doing research to
update all the accessibility and usability requirements that
were contained in 2005.
Chairman Ehlers. Thank you. Mr. Groh, just to what extent
has this better understanding of human factors affected the way
that countries have, companies have designed their equipment,
and to what extent have you been able to incorporate the human
factors into your products?
Mr. Groh. Well, I think it has been a multi-step approach.
The first hurdle was to meet and manage and adapt systems that
would allow states and counties to get an accessible voting
system. Accessible voting systems are a difficult hurdle to
cross over, because no single system will manage every voter
with a disability issue that they face. But we have attempted
to provide as many of them as we possibly can.
Because the 2005 Voluntary Voting System Guidelines were
still in development during all of 2005, and were not issued
until January 1, or the January timeframe of '06, we were
looking at and waiting for the final draft and the final
guidelines to come out, and so, we have just begun to create
the next level, or the next wave of accessibility, as well as
human factors issues with it. And we are looking for the
performance and the testing criteria, because that is what will
drive us as to how we build the technologies, because we want
it to fit within the guidelines, and we want it to pass the
testing.
Chairman Ehlers. Thank you very much. My time has expired.
I want to pursue that a little more later on, with a few other
witnesses, but at this time, I recognize the gentlewoman from
California, Ms. Millender-McDonald, for five minutes.
Ms. Millender-McDonald. Thank you so much, Mr. Chairman.
Mr. Groh, were you saying that because of the lateness or
just recently receiving the standards and whatever, you are now
just beginning to design or to look into the software or
whatever needs to be done, in terms of the testing? I was kind
of talking when----
Mr. Groh. No, my question was in regards to the human
factors element, or human interface, and the ease of human
interface, or as Chairman Ehlers put out earlier, the
intuitiveness that would be there. And as technology evolves,
there is new technology that is available today, our cell
phones that we have in our pockets today, from five years ago
are----
Ms. Millender-McDonald. Okay.
Mr. Groh.--greatly different, as are voting technologies or
voting systems.
What we focused on initially was the accessibility
component of the 2002 and the HAVA requirements, because they
were known. The accessibility and human factors component was
not completed in time for us really to effectively apply
those----
Ms. Millender-McDonald. Okay. That is what I heard.
Mr. Groh.--in this timeframe.
Ms. Millender-McDonald. All right. Very well. Thank you so
much.
Security in Electronic Voting
What we have heard from all of you, or what I have heard
from all of you, is security. That is one of the words I have
heard from each of you, security, and in hearing that, it is
extremely important, as Ms. Lamone said, about security is a
big factor with the people whom we all serve, and with those
voters who are out there, who are depending upon voting
machines, or whatever the methodology is, to have security in
their voting.
Given all of this, we are also hearing from Dr. Wagner, who
said, and I am just underscoring all of these different things
that I am hearing, the state of electronic voting security is
not good. He states that, and yet, Dr. Jeffrey, you were said
to state that the testing labs that you have begun to do, or
have successfully been done, seem to have been, or working
toward some successful conclusions.
What can we do, each of you, to ensure that security is
foremost in our voting system? Voters are very concerned that
their vote is not being counted, and that is why they want a
paper trail, so that they can ensure at least some methodology
of security of their voting. Will you each answer to me, and to
us, why is it that Dr. Wagner says the electronic voting
security is not good, and he also said that it seems that the
federal standards are no longer applicable, and I might be
putting some words in your mouth, but if you can each respond
to that?
In conclusion, Ms. Lamone stated that there are four prongs
to this whole notion of voluntary voting standards, and the
whole notion of voting period. And one is that of people. And
my recent legislation is putting more money into the till for,
to train more poll workers to be well trained for upcoming
elections, because we do find that the average voting age poll
worker is 72, and that the training has been very ineffective
and inefficient.
Will you please speak to the security part of this, and if,
by Dr. Wagner's assessment that the federal standards are out
of whack, or not working, then what are we going to do in terms
of security?
Dr. Jeffrey. Well, thank you very much.
Ms. Millender-McDonald. Throw it out there, and whichever
one falls----
Dr. Jeffrey. Okay.
Ms. Millender-McDonald.--we will hear from one or the
other.
Dr. Jeffrey. Let me start, and clarify a couple points. One
is the role of the testing and the accreditation. NIST is
actually brand new to this process. Under the Help America Vote
Act, the accreditation of laboratories, the laboratories that
do the independent testing, is completely different, and so, we
are on a brand new process. The old accreditation process which
was done by NASED, the National Association of State Election
Directors. That was a phenomenal process that they put into
place, in terms of being run, set up by essentially volunteers
within the organization, with minimal resources, and they
basically did a yeoman's job of getting the first level of
accreditation and testing going.
Under the HAVA, where NIST is now involved in helping to do
the accreditation in the labs, we are using a very different
process, a much more rigorous process, to initiate that. We
have, within NIST, a program called NVLAP, which is, well, I
won't bore you with the acronym, but it is an internationally
recognized process for having independent testing labs be
accredited to have the level of competence to make these kind
of tests.
I will give you some examples of some of the differences.
Under the NASED, when an independent testing lab was
accredited, it was accredited once, and that was good forever.
Under NVLAP, they have to be accredited, and once they are
accredited annually for the first three years, and then
biannually after that. So they have to maintain proof that they
are still competent to do that. There are also the people who
go do the accreditation are internationally recognized experts
in the validation and accreditation of the labs' process. So,
there is a series of things that are going on in the testing to
change them.
One last point I would like to make on that as well that is
different is that just the fact of going from the 2002
standards to, ultimately, the 2007, the clarity and precision
in those standards are going to be so improved that right now,
there is a lot of ambiguity, which makes testing difficult.
That is being fixed. That is one of the things that is
specifically being addressed. That will help significantly, and
will help minimize a lot of the problems that were mentioned,
as well as the open test suite that will be developed for that.
Chairman Ehlers. The gentlewoman's time has expired. If
there is further time, we will take further answers to this
next. We will have more than one round, I am sure.
But since we have so many, I want to make sure everyone has
a chance.
Chairman Boehlert is next, and recognized for five minutes.
Voluntary Nature of Standards
Chairman Boehlert. I would like to be quite basic, and I
look at the title of the hearing: ``Will the New Standards and
Guidelines Help Prevent Future Problems?'' I think what we are
all looking for, some way to guarantee the integrity of the
system.
And I guess my basic question is, how can standards and
guidelines which are voluntary guarantee anything?
Ms. Lamone. They call them voluntary, but there is not a
vendor that is going to sell a viable product in the United
States that is not going to have their system tested against
them, because most of the states require our voting systems to
meet the standards.
So, for the states that don't want to participate, their
vendors are going to have met, and had their equipment tested
anyway. So, I think focusing on the word voluntary is probably
not the right way. You need to see what and how the states
are--because I think most of us are going to adhere to them,
and I know all the vendors will.
Chairman Boehlert. You all agree with that answer? Is that
satisfactory for all of you?
Ms. Davidson. You know the other thing I think that we need
to remember is we have been working with the players, the
counties, the states, so they feel comfortable with those, and
the more that they see how useful they are, the more states
will join it. And we have over 40 states now that are already
in some type of a process with the federal accreditation of the
standards.
Chairman Boehlert. Well, counsel advises me that what you
say is not true. When will the manufacturers start only selling
to the standards. They are not doing that now. Mr. Groh.
Mr. Groh. Well, to represent all of the manufacturers, one
is public opinion is the strongest approach that drives us, as
well as the state election directors and the secretaries of
state. I know of no state that does not demand and require that
you have gone through a certification, a federal certification
process.
Today, the one that exists is under the 2002 Voluntary
Voting System Standards. It will soon be upon us that will
under a new set of standards and a new set of test procedures.
So, for us, as Ms. Lamone mentioned or stated, it is very
correct. No way would we be able to sell to any jurisdiction in
the United States something that had not been through the
appropriate accreditation and the recognized accreditation
process.
Chairman Boehlert. Which is inadequate right now, as we all
know. And that is why we have got the problems enumerated in
Dr. Wagner's testimony. Dr. Wagner, do you agree with what you
are hearing?
Dr. Wagner. Well, I think one problem we have is that even
the new 2005 standards have significant shortcomings. And the
second problem we have is that there are delays in these
standards being adopted. The 2005 standards will not become,
will not take effect until 2007, and so, we can expect to see
quite a few years delay until this influences the majority of
voting systems used in the U.S.
Paper Trails and Mandatory Audits
Chairman Boehlert. Those are years wasted. Let me get right
to the heart of another question, and it is brought up the
commentary in Dr. Wagner's excellent testimony. And the
recommendations are to mandate voter-verified paper records,
and mandatory manual audits. Sounds pretty good to me. Anybody
care to comment on it? Ms. Kiffmeyer.
Ms. Kiffmeyer. Yes, Mr. Boehlert, without a doubt, even a
state such as Minnesota, which has adopted those standards,
because they were not ready, we have complied with them, but it
is just simply a matter of time until we actually do that.
But you are exactly right, that it is a real issue, and it
is more a function of time than it is lack of willingness of
either the vendors or the states to comply with them, and I
think that is an important recognition.
Chairman Boehlert. Come sit in the Congress of the United
States and hear some of our colleagues tell us repeatedly we
don't want government mandates, this is wrong, and we don't
need paper trails, and you have got some of the vendors that
are saying the same thing. We don't need paper trails. I kind
of think it is we need something that is auditable, that we can
check to make sure that, you know, things worked the way they
were intended to work.
So, I grant you, we need a little more time, but this is--
what about paper trail, what about all these paper trail
recommendations? I mean, so many, you embraced them, obviously.
Ms. Kiffmeyer. Absolutely, Chairman Boehlert, without a
doubt. Recognizing the reality of the situation we were in
today, the option for us was to do the actual, even better than
the paper audit trails, to do the actual paper ballots, because
the environment we are in right now today gave us that greatest
level of security. But even there, Minnesota has chosen to do a
source code review. We have chosen to do post-election audits
as well, because we want to wrap the whole system.
I mean, it is a system. There are many components, not just
the technology, not just the box, but there are the people,
those poll workers, a very important part of that aspect as
well. And the aggressive training that we are doing in that
area as well. The procedures and the aggressiveness of
interoffice and working together with the locals, to make sure
we have that all wrapped with the procedures and all of those
things. And it is a situation that we have wrapped all of that
together.
That is what we have chosen to do in Minnesota, and I wish
that we were all in that stage right now, but the reality and
the facts are that the standards, the implementation and those
things are the reality, and I think that most have tried to
comply with those realities in the best way they could at this
time.
But we are not stopping. This is not the conclusion.
Chairman Boehlert. Well, count Ms. Kiffmeyer as for a paper
trail. Dr. Wagner, we know you are for it, because you
recommended it. Ms. Davidson, yes or no?
Ms. Davidson. I was Secretary in Colorado when we passed
paper trails, and we had an audit of that paper trail, with the
machine. So, I can only speak of myself. I am not speaking as
an agency, but just so that you know where I really came from.
You know, one thing I would like to add is when we
rethink----
Chairman Boehlert. Not too quick, because my time is up,
but----
Ms. Davidson. Okay. You go ahead.
Chairman Boehlert. I just--so, you are for a paper trail.
That is three to nothing now. Now, Dr. Jeffrey.
Dr. Jeffrey. As a representative of the TGDC, we put in the
guidelines specifically for technical hardware. We don't make
policy calls, in terms of what should be implemented, but if
one does implement the paper trails, we put in the guidelines
to help ensure that they will meet the levels of security and
accessibility and openness. But we defer to the EAC for the
policy calls.
Chairman Boehlert. So, I could have said, that is the
official answer, but let us get the answer as a citizen. The
citizen Jeffrey, rather than the head of----
Chairman Ehlers. The gentleman's time has expired.
Chairman Boehlert. Oh, boy oh boy. Did he tell you one on
that one.
Dr. Jeffrey. Fellow physicists.
Chairman Ehlers. Yes. Okay. The next is the Ranking Member
of the Science Committee, and I believe he has left, so next in
line is Ms. Hooley, the gentlewoman from Oregon.
Ms. Hooley. Thank you, Mr. Chair. I am one of these people
that, having talked to a lot of people in my district, they
really care about the integrity of the election system, and
want to make sure that there is some way to go back and verify
and recheck and make sure that their vote counted.
Role of EAC
I have a lot of questions. I am going to direct most of my
questions to Ms. Davidson. The EAC collects data on how systems
perform in actual elections. For example, do you collect
information on failure rates and other problems? If so, how is
this information used to improve standards? There have been
several incidents of security, reliability, and usability flaws
discovered in the independent testing authority approved voting
equipment, either during elections, or during state
certification. When flaws are uncovered, what is the process
for ensuring that the same mistakes are not repeated in the
future? This is a multipart question I am asking you. Has the
EAC published any report or analysis on how or why flaws were
not discovered during inspection and testing?
The premier professional organization for computing
professionals, the Association of Computing Machinery, surveyed
their members about e-voting technology; 95 percent of
respondents voted for a position endorsing voter-verified paper
records, and expressing concerns about paperless voting
technologies. If the computer scientists are concerned about
security and reliability of voting machines, and recommend that
all voting systems produce a voter-verified paper record that
can be audited, why hasn't the EAC taken a stronger position?
Ms. Davidson. Okay, let me see if I can start.
Ms. Hooley. Remember all of those.
Ms. Davidson. No, I am sure I won't. And you are certainly
welcome to help me----
Ms. Hooley. Right.
Ms. Davidson.--with the questions. You know, first of all,
our process of taking over the certification process from NASED
is beginning Monday morning. This will be the first time that
the Federal Government has had anything to do with the
certification process. So that is number one.
And yes, we do intend to go out and review any type of
problem that is in the field, whether it is a mechanical
problem, just an error by a judge or somebody that programmed
the equipment. To really look into what kind of the issues they
are, and keep a record of what the issues are out there. We do
not know, and I am sad to say, we do not have any background at
all, and we have not given any written documents saying what----
Ms. Hooley. Okay.
Ms. Davidson.--what those scenarios are, because we don't
have any way of even capturing that right now. But that is part
of our process that will be in place as we get certifications
that come from NVLAP to us before we certify the independent
test authorities.
But in the process, obviously, we have decertifying for the
first time. We have never had a decertifying process before,
and this type of process. So, the decertifying will be very
important. If there is a system that is not working, and it is
failing, one, we can notify all of the states that have that
equipment. We are asking for all of the vendors to tell us
exactly what they have in every state, so that we have a record
of each individual type of equipment being used in every
jurisdiction of the United States.
So, that will start our information, and knowing what is
going on. You know, there are a lot of other questions that go
in there, that you have asked.
Ms. Hooley. But it is not very long until the election of
2006. I mean, that is right around the corner in a couple of
months. So, I am concerned about this next election, and what
happens, and what happens when you have a machine that goes
down during the election. I know that the election workers know
how to help a person redo their ballot, but I will give them
some assistance, but what happens if you have a breakdown of
the equipment during an election?
I mean, how do we know what is going to happen? And then,
again, the last question was will the EAC take a stronger
position on some kind of a paper verification system?
Ms. Davidson. Okay. First of all, the first one that you
asked is what are we going to do before the 2006 election.
Ms. Hooley. Right.
Ms. Davidson. Obviously. Part of the certification requires
that if equipment goes down, that the information on the
machine--the votes on them--are able to be taken and retrieved.
So, that is part of the testing. We need to make sure that
voters know that if something happens to a piece of equipment,
that information is still there, and is available to go into
the count at the end of the night.
The other thing is the EAC looked at people asking us to
take a strong position on it. The EAC didn't feel we had the
authority to take that type of position, because we are only an
assistance commission in that area, and we really feel that we
have not ever supported any vendor or any type of equipment.
There is also testing that is going on currently of what other
types of independent tests there are available. So, taking a
position on one particular type, would be inappropriate for us
to do at this time.
Ms. Hooley. Well, I don't think you are talking about one
piece of equipment or one vendor, when you say you would
support paper verification.
Ms. Davidson. Well, that is true, but knowing----
Ms. Hooley. I mean, that is a general principle, as opposed
to a specific kind of technology.
Ms. Davidson. You know, I think that what we definitely
support is verification. What form of verification is being
studied now and the decision must be left up to the states.
Ms. Hooley. So, a paper trail or verification is possible
with the kind of voting machines that are out there.
Ms. Davidson. That is true.
Ms. Hooley. And the state could do that.
Ms. Davidson. That is exactly right, and over 20, I think
it is about 26 states have some sort of verification, paper
verification, the VVPAT verification in their law right now, or
in their rules and regulations. And besides that, they also
have an audit mechanism in one way or another.
Ms. Hooley. Okay, thank you.
Chairman Ehlers. Next, I am pleased to recognize the father
of HAVA, Congressman Ney from Ohio, who guided the bill through
all the shoals and difficulties and the sharks, I might add, of
the Congress, and managed to get the bill passed. I am pleased
to recognize him for five minutes.
Mr. Ney. The child has been well behaved, but it has gotten
a little older, so we have to judge whether it is unruly or not
at this time, so--I want to, just to ask for some quick
answers, because I have got a few things to go through, if we
can.
Dr. Wagner's Study
Dr. Wagner, I was interested, when you said about that you
had looked at what the testing board did, and you found some
things they didn't uncover. Do you have something available on
that you can give us as a committee?
Dr. Wagner. Certainly. I would be pleased to provide you
with a copy of the report that we wrote. The report is publicly
available.
Mr. Ney. Thank you. Have you gone back to the testing board
to say look, how did you miss this, or----
Dr. Wagner. The tests, I have not gone back to the testing
labs. The testing labs have a relationship with the vendor, not
with outsiders.
Mr. Ney. Or the EAC. Does the testing lab have any
relationship with the EAC?
Ms. Davidson. The test lab will have a relationship with
the EAC, and we are setting up the procedures right now of what
the test labs will make public information, and----
Mr. Ney. So, you will be able to go back and say, look, Dr.
Wagner did this study. Here is what he says, and what do you
say about that? And that will--that would be, I think, would be
a good counterbalance and check on the system. You will be able
to do that?
Ms. Davidson. We will be able to do that in the future.
EAC's Guidelines to States
Mr. Ney. Okay. The question I had, Commissioner Davidson,
and thank you for the job you do on the EAC, the guidelines
were delayed for 24 months, and as Ms. Lamone said, some won't
be, the voting systems won't be tested, I guess the 2005
guidelines won't be done until 2010.
So, what would the EAC be doing in the interim to help make
decisions with states to assist them on what they are going to
do about their voting systems? Are there any plans for that?
Ms. Davidson. The first thing we did was a gap analysis in
July of 2005, to make sure that the states met the HAVA
requirements. Then, at that time, we adopted the VVSG in
December of 2005. We looked at the timeframe, and decided to
follow what the FEC had done with the 2002 Guidelines, and
create the two-year gap, which allows the vendors time to
produce what is required in the standards, and it allows the
states to change their laws and procedures, because a lot of
our states only have legislation every two years. So, that was
the process we took.
Mr. Ney. I had a question, actually, anybody else that
would want to, but Ms. Kiffmeyer, Ms. Lamone, Mr. Groh, and Dr.
Wagner. Do you think the 2005 Voting System Guidelines are an
improvement over the previous voting standards, and do you have
ideas, maybe not for today, my time won't allow it, but ideas
how they could be improved? But basically, do you think they
are an improvement over previous voting standards or not? Dr.
Jeffrey, I didn't mean to exclude you too, if you want to.
Dr. Wagner. I will start. I think they are definitely an
improvement. They are a good start. There is a long way to go.
They were drafted over a period of only three months, and that
is not really sufficient time to address some of the
substantive issues.
Ms. Kiffmeyer. I think in general that is what we would all
say. It was a good start. It is not where we want to end up,
not where you want us to end up, not where the voters want us
to end up, but you have got to start from somewhere, and in the
time constraints, it was a step forward.
Dr. Jeffrey. I certainly agree. We actually are working on
updates to that. We think that the '05 are improvements over
the '02, but there are clearly issues that we have already
identified, that the TGDC is working, include things like
security, audit control, new security testing, much of what Dr.
Wagner has talked about in his testimony, are issues that we
are actively addressing.
Paper Trails
Mr. Ney. Let me just close by saying, you know, when
Congressman Hoyer and I began this journey on this bill, and it
went to the Senate with Senator Dodd and McConnell and Bond,
and over here with Congressman Hoyer and Blunt and others, you
know, everybody was alarmed about the cheating, the potential
discrepancies, the hanging, the dimpled, and the pregnant chads
and all that we knew about. The bill far went beyond that.
Frankly, there wasn't a lot of discussion about a paper
trail during those deliberations, and my state does a paper
trail. We never said you couldn't. My state does a paper trail,
and I know this about voting systems, and as, you know, this
hearing. But we tried to make the bill premise easier to vote
and harder to cheat.
Again, my state does a paper trail. I think it is something
that can be looked at. Frankly, when it was introduced, I have
had discussion with Mr. Holt when it was introduced, to have
moved at that point in time, I think, would have caused total
chaos in the system. If you can go to China and put a card in
an ATM and your money is secured, and nobody can hack into that
system, we ought to be able to have tests and security, which I
think EAC ought to look at in the future, and the final issue
of whether we can have a paper trail or not.
Just let me say in conclusion, I want to thank Linda Lamone
for her work on this, from its inception, and the job that you
did for us to be able to get the bill. Also, there is still
$900 million owed to the locals by this Federal Government. We
give $5 billion overseas to grow democracies, that is great.
Congressman Hoyer and I, and I would hope I would get everybody
on both sides of the aisle to try to get that other $900
million to the states for the systems.
Thank you, Mr. Chairman.
Chairman Ehlers. The gentleman's time has expired. Next, I
am pleased to recognize a minority Member of the House
Administration Committee, and that is the gentlewoman from
California, Ms. Lofgren.
Ms. Lofgren. Thank you, Mr. Chairman.
And I think this is an important hearing, and certainly,
there is nothing really more important that goes just to the
essence of our democracy than making sure that every vote that
is cast is counted accurately. And the concern that exists,
that that is not happening, is just devastating for a vigorous
democracy. So, I think one of the most important things that we
can do here, in Congress and with our partners in state and
local government, is to make sure that every American knows
that this is all on the up and up, and then, as I think the
chairman or someone said, you know, you can win or lose an
election, and if you know it was fair, you can deal with that,
but if you think there was something unsavory or corrupt, it is
a disaster for our country.
So, having said that, I know that we are going to have a
hearing on the paper trail issue. I am so glad that we are. It
has been a long time coming, and I think it is very important
that we do that. I won't dwell on that, as a consequence today,
but I am interested, Dr. Wagner, in your comments. You
mentioned, and because I am from California, I am aware that
the testing that we have done there is more vigorous than has
been required, and that we found, with that higher level of
testing, there is a very high failure rate, 20 percent or so. I
mean, you know, or a quarter that fails.
The thing--that is not good, it is not acceptable, but one
thing about it is that if it fails, it fails in a kind of
unbiased way. That is different than the concern about someone
hacking a system, or intentionally skewing the outcome of an
election through hacking or a virus or a Trojan, for example,
if you were able to manipulate the outcome of a vote in that
way.
Do you have concerns about that latter issue, or is it just
about the reliability of systems overall?
Dr. Wagner. Well, I have concerns both about the
reliability, as well as the potential for deliberate fraud. You
are right. I have high praise for the State of California. I
think if every other state followed California's lead, we would
be in a lot better position.
There is some potential here, even with unintentional
failures, that this could cause biases. For instance, there
have been cases where more affluent areas have had higher
technology voting systems, and so, if there is some correlation
between----
Ms. Lofgren. Right. Right.
Dr. Wagner.--then that could potentially influence the
results. But I am also concerned about the integrity of the
elections and protection against deliberate fraud, and I think
there are some serious issues there as well. And we have a long
way to go to bring the testing up to snuff.
Ms. Lofgren. Have you taken a look at--there are some who
have talked to me, from--I come from Silicon Valley, and this
is a high interest item in the Valley, people in the technology
industry and computer scientists, who suggested to me that even
the California systems are susceptible to viruses or to hacking
today. Do you believe that is correct, and if it is, what, if
you were sitting in my seat, what would you do about it?
Dr. Wagner. Well, we should recognize that none of the
voting systems are perfect, and they never will be. And it is
true that some of the California systems have some, are not
perfect either, but the State of California has gone a long way
in instituting rigorous use procedures, procedural mitigations
to make up for problems in the technology, and I have
confidence in the California equipment, as a result of that. We
have to recognize that places a heavy burden on our poll
workers and our election administrators. This is very complex
and not easy.
Voluntary or Mandated Independent Testing Labs
Ms. Lofgren. Would you recommend that the--right now, we
have these independent testing labs that really don't report
out publicly, and are not transparent, in my judgment, in the
way that the California system is. Would you suggest that a
system similar to California for testing be either suggested or
mandated, for the states and localities, and that the results
of testing of systems be made public?
Dr. Wagner. I think California has got a pretty good story
on reliability, and if we adopted California's reliability
tests at the federal level, that would go a long way on
reliability. On security, the issue is very much still up in
the air. There is a lot of challenges there, to make sure that
we can have confidence in the software. So, I think that is one
we still have to work out.
Ms. Lofgren. Let me ask Mr. Skall, you are the technical
expert, I understand, from NIST. Do you agree with Dr. Wagner,
or do you have differences that you would like to bring to our
attention?
Mr. Skall. No, I think he is absolutely correct. Computer
systems in general, you can never have 100 percent assurance
they will work correctly. What you do through testing is
increase your level of assurance, and we are working through
tests, and coming up with more specific requirements, to
increase our level that they work correctly.
And as far as public availability of test reports, I think
most people would agree that would certainly improve the
process. That is something we have discussed within the TGDC,
and something we have discussed with the EAC, and it looks like
that is one of the things that will be recommended in the near
future.
Ms. Lofgren. Thank you. I see my time has expired, Mr.
Chairman.
Chairman Ehlers. The gentlewoman's time, indeed, has
expired. Let me just take just a moment to enter into the
record two items that appeared recently in the press, not that
these are the most excellent articles, but they certainly
illustrate the concerns.
And it is a June 7 article from Roll Call by Mr. Ornstein,
and a May 30 article in the Washington Post by Mr. Goldfarb.
Without objection, those will be placed in the record.
[The information follows:]
Chairman Ehlers. Next, I am pleased to recognize the
gentleman from Minnesota, Mr. Gutknecht, for five minutes.
Mr. Gutknecht. Thank you, Mr. Chairman, and I am going to
thank you and Dr. Wagner for your comment you made just a
minute ago, and that is that there is no perfect system. I
think we have to be careful we don't try to artificially set a
standard that is virtually impossible to meet.
Verification of Voter Identity
I also want to call everybody's attention, in just a few
minutes, the buzzers are going to go off, and we are going to
go over and vote, and in terms of paper trail, and I want
everybody here to know that I support the concept of paper
trails, but do understand, we are going to vote, and we are
going to vote with these little cards, okay, and this little
voting card has an embedded computer chip, so that when I put
it in the slot, it will know that it is me, or it will know
that I or somebody using this card is putting that into the
machine that represents me. But it has my picture on it, it has
a hologram, and as I say, it has got an embedded computer chip.
I want to call your attention to that, because one of my
concerns is not so much that our voting machines don't work
correctly. I think there is also the element that is of growing
concern to some of us, that not only that every vote counts,
but only those people who are eligible to vote actually go to
the polls, and this is sort of something, I guess, we don't
really want to talk about, but making sure that the people who
are voting are who they say they are.
And Ms. Kiffmeyer, you know, in Minnesota, we still have a
little bit of, we have a little more of a problem, or potential
problem; I don't want to say it is a problem, but I have some
concern about this, because we have same-day voter
registration. We also have the system where people can
literally come in and vouch for people at the polls, and so
far, there is not a whole lot of evidence that that has been
abused, but it is kind of difficult to, you know, say that it
couldn't be abused, and what I am concerned about is some kind
of verifiable ID system, where you have a photograph and/or
something else.
Ms. Kiffmeyer, I wonder if you could talk a little bit
about that concern, and I will just leave it open-ended. What
are some of your thoughts about that?
Ms. Kiffmeyer. Chairman Ehlers, Chairman Boehlert, and
Representative Gutknecht. Certainly, that is the case, as you
have stated, in Minnesota. I think integrity, in all aspects of
the election system, those entitled to vote get a vote, those
who aren't, the system owes it to have integrity in that part.
And just as we do in election equipment, we want a provable
issue, provable to the standard of a recount in a close
election.
It is a transactional load unlike any other, where you
separate the voter from the vote, so you need to be sure that
both sides of the transaction are very important, both who is
voting, in regards to the integrity of that aspect of the
system, and also, the counting of the ballots, when that is
completed, and to the standard of a recount. And I think those
are very important components. I think issues such as the ID,
issues such as the voter-verified paper trail, or an actual
ballot, those are components of integrity in all aspects of the
election. Those who are guiding the polling place are poll
workers, their training, those issues, all of those are
certainly very important, and the one you bring up, as well, is
something that I think in Minnesota is an area that we need to
make some improvements on, to come up to the standards, as
other states as well.
Mr. Gutknecht. Let me just add one other, go to a different
subject, because if I recall correctly, and I hate to sound
like a bean counter who has served on the Budget Committee for
eight years, but I believe this bill actually authorized $2.3
billion. I have not been here so long that I still think that
that is a lot of money.
State Role in Federal Elections
I guess the question I would have for some of the folks who
may represent the states--I mean, the integrity of our
elections is certainly a federal issue--is an important issue
at the federal level, but it is no less important to the states
and local units of government, and I am wondering: what do you
see as their role in terms of picking up their end of whatever
costs there are of buying, acquiring new technology for our
elections?
Ms. Lamone. The costs of complying with HAVA is far more
than what Congress has appropriated, and in Maryland, what we
have done with the voting system, and anything connected to the
voting system, the county must pay half of it by law, and
believe me, they have been screaming bloody murder as a result
of that, because, as I said, the costs associated not only with
the voting units, but all the security procedures, and the
multi-layered testing that we do, before, during, and after the
election, costs money, and it is very expensive to try and do
the California model, because I think California copied me.
Mr. Gutknecht. Excellent staff work. Before I go to Ms.
Kiffmeyer, the staff tells me that we actually have
appropriated $3.0 billion, so anyway. Ms. Kiffmeyer.
Ms. Kiffmeyer. Chairman Ehlers, Chairman Boehlert, and
Congressman Gutknecht. In regard to that question, you are
right, $3 billion. But I remember when we were having the
discussion with HAVA, and that the Federal Government money was
really there to close the gap, because there was a tremendous
need, and to help get at that, but it was also a very important
issue, that we leave it to the states to continue, as they
always have been, it has been a state responsibility to take
care of elections, and it has usually been a local
responsibility, as it is in Minnesota, to pay for that
equipment, and it is a cooperative relationship.
But it is a state responsibility, and it always has been,
and my concern is that while we appreciate the federal money at
this point, and the $3 billion in Minnesota, we were able to
use that money, in addition to the five percent match, to
totally cover the costs of that election equipment, and some
money for licensing, maintenance, training, and some operating
money as well, especially in the first three years, and then
after that.
But we were able to structure it, and also, the additional
money that we used on the state level through my office, in
designing systems that will support and reduce the overall cost
of elections. So, we worked very hard to stay within that
fiscal restraint, and we in the State of Minnesota really want
to carry forward that. So, I would appreciate the additional
$900 million, as was originally discussed, to help conclude
that on that part of it, but nonetheless, I appreciate your
concern, and that $3 billion, but I also respect states'
rights.
Mr. Gutknecht. Thank you.
Chairman Ehlers. The gentleman's time has expired. Next, we
are pleased to recognize the gentleman from Washington, Mr.
Baird, for five minutes.
Let me just interject. It appears that votes are going to
appear fairly soon, so we are going to--I hope we can wrap this
up before the votes, because it is going to take us at least 45
minutes to vote.
So, Mr. Baird, you are recognized for five minutes.
Mr. Baird. I thank the Chair.
I want to begin by commending my good friend and colleague,
Rush Holt, for his legislation, and I want to thank the many
folks who have come here today to express support.
Legislation That Addresses Voting Issues
It has been six years since the most contested election in
many decades in this country, and my recollection is that the
most objective and comprehensive analysis after that election
revealed that had all the votes been accurately cast and
counted, a different outcome would have resulted.
Six years later, we still have not enacted legislation to
prevent that from happening again, and a commonsense bill that
would require a paper trail has not been brought to a vote. And
I would just have to ask--I do not, for the life of me,
understand why, if we truly care about counting people's votes,
the majority party has not brought this up so that
representatives of the people can exercise the people's will
and insist on a paper trail, so that we know our votes are
counted fairly.
Having said that, I have a concern about the time it takes
to put one of these institutions, or these implementations in
place. My concern is this. This Congress passed a law that
requires that following the catastrophic event with large
losses of numbers of Members of the Congress, we would be
required within 49 days to elect new Members to this body. In
other words, select candidates, have a primary, have a general
election in 49 days.
Voting Systems in Context of Katrina and Emergency Situations
From your knowledge of what it takes to train poll workers,
implement these systems, verify the systems, distribute the
equipment, et cetera, could you tell me if you think that is
reasonable, and I would just contextualize that by pointing out
that post-Katrina events in Louisiana took them more than six
months to have an election, and even then, it was subject to
great controversy. So, I would appreciate any insights into
that.
Ms. Davidson. I will ask my colleagues to join in.
Obviously, what took place in Orlando, I mean, excuse me, in
Louisiana was unprecedented. They even had to start building
files of their voters. Things like voter registration forms had
been destroyed amongst everything else. So, it did take a long
time, and they did a tremendous job in carrying that process
through, and having that election.
I think that one of the things that we really need to think
about in the process is, it just went right out of my head. So,
I will let somebody else go ahead, and then, I will jump----
Ms. Kiffmeyer. Chairman Ehlers, Chairman Boehlert, and
Congressman, as well. Your point is very valid. What can we do
in 49 days? In Minnesota, we had the tragic death of Senator
Wellstone eleven days before election day, but it was already
scheduled. But nonetheless, we had to get a new candidate, we
had to get names on the ballot, get it done, and we did a hand
count of that U.S. Senate race alone, statewide, that night,
and had the results by 2:00 a.m. in the morning.
So, I think we as a state feel very confident, but I think
one of the best things in regards to HAVA is the requirement of
every state to have a central voter registration system. The
ability, through technology in this particular area, is very,
very helpful in regards to conducting an emergency election,
but it also requires a system around that, such as our state
has, which is a five deep backup, so that we are able to pull
the plug, as we practice routinely, and keep that voter
registration system available to us anywhere within the Nation
at any time, should that happen.
I think that, again, it is an issue of time, those central
voter registration systems. I mean, you can do a paper ballot.
There are things that you hand count, and you would still have
equal treatment of voters, but having that voter list and all
those components will be a challenge, and certainly, I think
that our state is ready to do it. I think you might
underestimate the ability and the resilience of our country in
that kind of catastrophic situation, which could have many
things, would I even be here to do that? So we will do that.
Mr. Baird. You mean to tell me that you are confident that
if a nuclear weapon were detonated in some of our major cities,
we could--or several nuclear weapons, we could confidently have
a valid election, reflecting the will of the people, within 49
days of that event?
Ms. Kiffmeyer. I think in any circumstance like that, sir,
it would be extremely difficult, without a doubt. Absolutely
without a doubt. But you have a country that needs to move
forward, and we have to do the best we can under those
extremely challenging circumstances.
Military Personnel and Voting
Ms. Davidson. And I will add, the one thing that I think is
one of the biggest problems that we have is our overseas and
military that is abroad.
Mr. Baird. I was just going to ask that next question.
Ms. Davidson. So, that is one of our biggest areas, and we
are doing a study on overseas and military, what states are
doing currently, and making sure that they have their right to
vote. There is electronic transmittal of those ballots over,
and some states require that they mail them back, to make sure
that we cut down on that timeframe. Because obviously, time
getting ballots over there and back, is running around 40 days,
that is what we are told.
Standards for Failure Rate
Mr. Baird. Mr. Chairman, I appreciate the comments. One
final question left for me by Mr. Holt that I just want to get
on the record, and I don't think there will be time to answer
it, is this. He points out that apparently, under the Voluntary
Voting System Guidelines, there is an acceptance of a 9.2
percent failure rate of all voting machines used in any 15 hour
period. I am curious if that is actually the standard that we
have set, a 9.2 percent failure rate, and if that is an
acceptable standard, I am very puzzled by that. That is, by the
way, far less than an incandescent light bulb.
Mr. Skall. Yes, that comes from the existing standards, and
we are researching right now to actually update that, to make a
much more acceptable failure rate.
Mr. Baird. Given that many of us have lived or died on less
than a percentage point margin in elections, including yours
truly, I would kind of like to see a little higher level of
reliability.
Mr. Skall. Yes, we agree.
Chairman Ehlers. The gentleman's time has expired, and I
certainly share his feeling that we should. I would just like
to point out the issue of the paper trail has come up
repeatedly. For those who came here later, we do plan a hearing
on that some time in September, but I also wish to point out
that a paper trail can also be altered, either mistakenly or
intentionally, and I would also remind everyone that--and I am
not against a paper trail, I don't want you to misinterpret
this, but I would point out that the big problems we had in
Florida with the Presidential election also involved paper
ballots, and that did not resolve the problem.
Mr. Baird. Mr. Chair--if I may.
Chairman Ehlers. No, I want to move on. I don't want to get
into a debate. I just wanted to point out we are having a
hearing on this later. I also want to point out to Mr.
Gutknecht, before he leaves, he brought up a very important
point about ensuring that the correct people are voting. We
have had one hearing on Mr. Hyde's bill requiring proof of
citizenship to register to vote, and a photo ID to vote. We
will be conducting hearings throughout the United States in the
next month, and so, we expect to get good testimony on that.
With that, we have Mr. Diaz-Balart.
Mr. Diaz-Balart. Thank you very much, Mr. Chairman.
First, I want to clarify something. Then, I have two
questions. Just to clarify something, because a lot of times,
things get thrown out there, and they become facts, and they
are not. After the election in Florida, a number of media
outlets, including the Herald and USA Today and a bunch of
others did their own recount, and they all agreed that the
result was the same. I just want to make sure that the facts
are out, and I would be more than willing to share with anybody
who would like to see that.
Vulnerabilities of Paper Trails and Foreign Investment in
Voting Equipment
But I have two questions. And I want to thank the chairman
and this committee for this hearing, and also, for the hearing
that we are going to have on paper trails. You are absolutely
right, Mr. Chairman, that we have had some issues in the past
with paper trails. There is no panacea. However, though it
doesn't mean that paper trails will make things perfect,
obviously, and we have heard some of the possible problems
without having the paper trail. Does anybody have any reason to
not have paper trails? Can paper trails be worse, if we have
them? And I know there is an issue of cost. That is one
question.
And secondly, does anybody have any heartburn, or some
concerns about the possibility of some of either hardware or
software companies being owned by foreign investors, including
some who may not have a tradition of favoring the democratic
process? And we have read a number of articles about that.
And those are my two questions, and I would like to kind of
do them quickly, so we can hopefully get some good answers.
Thank you, Mr. Chairman.
Ms. Davidson. Well, on the foreign investors, because of
the rigorous process that we are putting into place, each
vendor or manufacturer will have to register the people that
are involved with their organization, all of the top people.
Those will be checked to see if there is anybody that has not
been, you know, that is put on record that they cannot do
business in the United States. So that is public information.
So, we want to make this a more open process than what it has
been in the past, because we do feel that the citizens need to
be aware of all the issues.
Mr. Diaz-Balart. Do you--anybody want to add anything to
that?
Mr. Groh. Well, and let me take a crack at some of this. As
the vendor, it is difficult for me a lot of times to speak up,
because I think the most important people at this table in a
hierarchy are the Election Assistance Commission, and
Commissioner Donetta Davidson has a stellar background, having
been a local county election official, Secretary of State, now
sitting on that commission brings a depth and wealth of
knowledge. And if you go down from the Honorable Mary
Kiffmeyer, and Linda Lamone, who has a reputation that excels
and exceeds all of her colleagues, they can speak much better
to this.
As a vendor community, it is our responsibility and role to
meet the standards that we have in front of us. We do not feel,
as a vendor community, we should stand up and say we are for or
against something. Our challenge and job is to enhance the
voting process for all voters, maintain voter confidence, by
meeting the standards that are out there, that the ITAs test
to.
As far as the ownership component of it, I think if you
have good standards, and you have a good testing process, and
the decisions are made through an RFP process at the state and
county level, it should be for them to determine that. As a
company, I am based in Omaha, Nebraska. I am a U.S. based
company, but I also want to do business globally in other parts
of the world. And my fear is that if I become, you know,
constrained to others coming in, and doing business here, and
don't allow it, the same is going to happen to me. So, there is
a balance that has to be struck, and I think that is through
the testing, the certification, the request for proposal, and
that evaluation process, and then, people like Mary Kiffmeyer,
who will go through a process that is very rigorous, in
determining who they are going to buy from.
Ms. Lamone. I had asked you your--I guess your first
question.
Chairman Ehlers. Is your microphone on?
Ms. Lamone. I think so, yes. We commissioned a study, the
State of Maryland did, with the University of Maryland of
Baltimore County, to look at the various verification
technologies available, or in prototype. And including the
paper trail, and the conclusion of the multiple disciplinarian
team was that none of them were ready for primetime, including
the paper trail, and I will be happy to leave a copy of the
study with the committee. It is on our web site. It is on the
University's website, but I think they did a very thorough job,
and provided some very valuable information, and we had it done
for the policy-makers of the State of Maryland.
Ms. Kiffmeyer. And I would also like to make a statement at
this time that it is really about the voters and their
confidence in the systems, because we as a system act on their
behalf, and I think it is very important in making decisions
that it is the citizens and the voters, and their sense, not
only on election day, but after election day, in a close
recount, that they have confidence.
Mr. Diaz-Balart. Chairman, I believe I am out of time. I do
want to clarify that, to make sure that it was the Opinion
Research Center, University of Chicago, conducted a survey in
Florida for eight news companies. They examined 99 percent of
all the ballots in the 67 counties, and that included the
Herald, CNN, and others. I just want to make sure that when
things are said, that we stick to the facts. I had a colleague
who used to say don't allow the facts to confuse the issue. I
want to thank this chairman for never letting that happen.
Thank you, sir.
Chairman Ehlers. Well, I appreciate you getting that into
the record. I am aware of that. I found it fascinating they
spent $150,000 for it, hoping to get a story out of it. The
result was headlines on page Z27. But nevertheless, it verified
it.
The bells have rung for votes. At least, I assume that is a
vote. Yeah, okay. So, this is an opportune time. The other
remaining Members have indicated that they would forego their
opportunity to question, rather than coming back again at 5:00,
when it will take us at least 45 minutes for the series of
votes.
Ms. Millender-McDonald. Mr. Chairman. May I just ask--okay.
Chairman Ehlers. Just one moment. I just wanted to make one
wrap-up comment. We have talked a great deal about standards
and security, but I want to make certain that we also recognize
that the key item is accuracy. We want to count the votes
accurately, and secondly, we don't want any fraud whatsoever,
and so, I will be pursuing those issues in the months ahead.
Mr. Ney. Mr. Chairman.
Chairman Ehlers. I--yes, we have a few people who want to
make comments. We will first go to the Ranking Member.
Ms. Millender-McDonald. Only, Mr. Chairman, that there is a
Member on our committee who wishes to raise at least----
Chairman Ehlers. All right.
Ms. Millender-McDonald.--a question, and then, perhaps, at
least for the record. Mr. Brady.
Chairman Ehlers. All right. All right. I will recognize him
in just a moment. Mr. Ney asked----
Mr. Ney. I just want to, without objection, I would like to
enter a statement into the record reaffirming Ms. Lamone's
statement about including all the considerations of persons who
have a form of a disability, if we go down the path of a paper
trail.
Chairman Ehlers. Without objection, so ordered.
[The information follows:]
And I am now pleased to recognize our final questioner, Mr.
Brady, the gentleman from Pennsylvania.
Mr. Green. There will be one additional person, if we have
time.
Poll Workers and Human Error
Mr. Brady. Thank you, Mr. Chairman. I will be short and
brief, so maybe my colleague can also get a question in.
I would just like to commend and thank Ms. Lamone for
recognizing our poll workers and our committee people. In the
city of Philadelphia, we have 1,700 poll workers, 1,700 polling
districts, 17,000 poll workers that do an excellent job. And I
often wondered, a lot of times, when they get criticized, what
would happen if we called the election off? What would happen
if the poll workers didn't get to the machines, didn't get to
the polling place, didn't get to the chairs? You can't do
nothing to them, three quarters of them are volunteers. The
other quarter gets paid less than $100 for 15, 16 hours a day
work. Our training there is excellent. They get two or three
sessions prior to every election, and they do an excellent job.
So, my issue is this problem is not human. It is not a
human problem. It is not a problem with people working when
they--or not working. It is a mechanical or an electronic
problem that we need to fix. Ironically, in Arizona, I heard
today that, on the radio that they are having a lottery for
anybody, they are going to put on a referendum on the ballot,
that if you do vote, you have a chance to win a million
dollars. There is a lottery pick that you get one chance, if
you vote once. If you vote twice, you get two chances. So--once
in the primary, and once in the general, all I am saying. A lot
of you people from Philadelphia, you are talking about voting
twice.
Voter Confidence and Turnout
But my point is, we are trying to increase voter turnout,
and yet, we wind up losing the confidence of the people that do
come out, and do come out and vote. We just need to fix this
problem. I commend and thank the chairman for having these
hearings. Thank you for your input, the information, we are
going to need a lot more of it. We do need to have a failsafe,
when somebody comes out to vote, that who they vote for, they
voted for, and not somebody else, that their vote does count,
and we need to instill the confidence back in the American
people, and I look forward to being a part of the next set of
hearings where we do talk about a paper trail, or whatever we
come up with that can fix this problem.
So, thank you, and thank you for your participation.
Chairman Ehlers. And thank you for your comments, and the
gentleman from Texas, Mr. Green, wishes to ask a question.
Mr. Green. Yes, thank you, Mr. Chairman, and I am honored
to be with you, Mr. Chairman, and thank you for holding this
hearing, and the Ranking Member as well.
Friends, it is my opinion that we live in a world where it
is not enough for things to be right, they must also look
right. And to most Americans, it doesn't look right to cast an
electronic ballot, and not have some verification that is
audible and tangible. They want to see that their vote was cast
properly, and they want a verification process that allows that
proper audit to take place.
Most Americans believe that if you can go to a service
station, and you can purchase gasoline, and get a receipt on
demand at the point of contact, they believe that you should be
able to get some sort of tangible evidence of your vote, so
that you can place that in some container someplace, in the
event there is some malfunction in the electronic process.
This really is not asking too much. It is not a question of
will or way, it is a question of will. Do we have the will to
abide by the will of the American people? My position is
eventually, we will abide by the will of the people. We cannot
continue to have elections questioned in this country. This is
the greatest country in the world, not because we have tall
buildings, but because we have a process by which we can verify
the elections that we all honor, and if we lose that faith in
our system, we can lose our government.
So, let us stand up for the government. That is what I am
going to do, and I am going to vote for some verifiable system
that probably will include paper, since I haven't heard
anything that--talk of anything that can substitute for paper.
In this country, we honor paper. Our IDs are on paper. When we
go over and vote today, there will be a paper verification of
our votes today. Let us continue to honor paper, and make real
the great American ideal of every vote counting and counting
every vote.
Thank you, Mr. Chairman.
Chairman Ehlers. I thank the gentleman for his comments.
The gentleman from Colorado, did you have anything you wanted
to say? Apparently not. I--before we bring the hearing to a
close----
Ms. Millender-McDonald. There is one other thing.
Chairman Ehlers. Oh, I am sorry. Mr. Udall, yes.
Mr. Udall. Chairman Ehlers, I appreciate the opportunity
just to say a couple of words. I wanted to first acknowledge
our former Secretary of State, Donetta Davidson, who is here,
and I am going off script a little bit, but I would tell you,
as an elected official, she had to identify with one of the
major political parties in the State of Colorado, but she was
widely respected by both political parties for her sense of
fairness and her principles, and her ability to get the job
done, and I know she has that reputation nationally.
And if I could, I would like to submit for the record a
longer introduction that I intended to make of her as the panel
began.
Chairman Ehlers. Without objection, so ordered.
[The prepared statement of Mr. Udall follows:]
Prepared Statement of Representative Mark Udall
I would like to welcome all of our witnesses and thank the Chairman
for the opportunity to introduce one of our witnesses today,
Commissioner Donetta Davidson.
I am pleased that she is joining us for this hearing as she has
extensive experience in elections on the local, State, and national
level.
Commissioner Davidson started her career with elections as the
Clerk and Recorder of Bent County in Colorado and later became Director
of Elections for the Colorado Department of State.
Through this position she handled several issues with local
elections such as special district and school district elections.
In 1999, while serving as the Clerk and Recorder of Arapahoe County
in Colorado, she was appointed by Colorado Governor, Bill Owens as the
Colorado Secretary of State.
She was later elected to this position and served four terms.
Commissioner Davidson has served as President to both the National
Association of Secretaries of State and the National Association of
State Elections Directors.
On a federal level, she served on the Federal Election Commission
Advisory Panel. And in 2005 she was unanimously confirmed to her
current position as commissioner to the U.S. Election Assistance
Commission.
Commissioner Davidson clearly has a wealth of experience with
election systems and I am eager to hear your thoughts on this country's
efforts to establish standards in our voting machine system.
Commissioner--welcome, and thank you for joining us today.
Mr. Udall. And I also had a series of questions that I
wanted to direct to the panel that they could answer within the
time limit that we have defined for them, and I would ask
unanimous consent to submit those questions.
Chairman Ehlers. So ordered. And any Member can do that. I
will get to that in just a moment.
Mr. Udall. Thank you, and I will yield back all the time I
have remaining.
Chairman Ehlers. The gentleman yields back his time. Before
we bring the hearing to a close, I want to thank the witnesses.
You have been a superb panel, and I wish we had more time, and
I certainly wouldn't mind sitting around a table with you, and
just getting into more depth on these issues, and I believe our
Ranking Member, Ms. Millender-McDonald, would feel the same
way.
This has been a highly educational hearing for everyone
here, and I really appreciate your objectivity and your
helpfulness in your responses. Many of these issues will be
continued through other hearings. I hope that ultimately, we
develop as nearly perfect a system as one can develop.
If there is no objection, the record will remain open for
additional statements from the Members, and for questions to be
submitted by the Members to the panel, and for answers from
these followup questions from any members of the panel. So, you
may hear from us with some questions. We would appreciate your
responses. All of that will be entered into the record.
Without objection, so ordered.
Finally, thank you once again for being such great
witnesses. Thank you for your helping us.
The meeting is adjourned.
[Whereupon, at 4:08 p.m., the Committee was adjourned.]
Appendix 1:
----------
Answers to Post-Hearing Questions
Responses by Donetta L. Davidson, Commissioner, Election Assistance
Commission
INTRODUCTION
Following the hearing and the testimony provided by the witnesses,
the U.S. Election Assistance Commission (EAC) feels that it is
important to provide some basic information about the history of voting
systems, voting system certification and the role of EAC to clarify
some misunderstandings or misconceptions that were put forth at the
hearing.
Voting system standards and voting system testing are not new
concepts. In 1990, the Federal Election Commission (FEC) published the
first set of voting system standards (1990 VSS), following a
Congressional mandate and feasibility study. These standards were
voluntary. States were not required to use systems that met the 1990
VSS. States could adopt the standards by statute or regulation and
thereby make them mandatory for voting systems used in the state.
The FEC was not authorized or funded to develop a companion program
for testing voting systems to those standards. That testing process was
developed and implemented in 1994 by the National Association of State
Election Directors (NASED), a trade association of state election
directors. This group of volunteers established a testing program,
including accrediting laboratories to test voting systems to the voting
system standards, a process for review of the reports generated by the
laboratories, and a means of assigning and tracking qualification
numbers.\1\ NASED did not receive federal funding to administer its
testing process. In addition to this voluntary national qualification
program, states also began developing and implementing their own
certification programs in which they reviewed voting systems for
conformance with standards established in that state.
---------------------------------------------------------------------------
\1\ NASED implemented a ``qualification'' procedure in which voting
systems were qualified against the standards developed by the FEC. The
term ``certification'' was reserved for the processes of reviewing
voting systems that were conducted by the various states.
---------------------------------------------------------------------------
In 2002, the FEC adopted a new set of voting system standards (2002
VSS). These standards were also voluntary. They updated and expanded
upon the 1990 VSS. At this point, the Federal Government still had not
entered the voting system testing arena. NASED continued to qualify
voting systems against the 1990 and 2002 VSS. It was not until the Help
America Vote Act of 2002 (HAVA) was passed that the Federal Government
was given a role in testing voting systems.
HAVA took several actions with regard to voting systems. First,
HAVA required that all voting systems used in elections for federal
office meet the requirements of Section 301(a). Specifically, those
systems must:
Allow voters to review and alter a selection prior to
  casting the ballot;
Produce a permanent paper record of the election
  which could be used in an audit or recount;
Be accessible to individuals with disabilities,
  allowing them to vote with privacy and independence;
Provide ballots in languages required by Section 203
  of the Voting Rights Act in covered jurisdictions; and
Meet the error rate standard established in the 2002
  VSS.
HAVA did not set out a method of determining compliance with these
requirements.
Second, HAVA required the EAC to adopt a new set of voting system
guidelines.\2\ These guidelines were to be voluntary, just as the 1990
and 2002 standards were voluntary. Third, HAVA required the EAC to
provide for the testing and certification of voting systems and for the
accreditation of laboratories to test those voting systems.
Participation by the states in the certification program, like the
voting system guidelines, is voluntary. However, states may incorporate
this requirement by statute or regulation, thereby making the EAC
certification a requirement for voting systems used in the state.
---------------------------------------------------------------------------
\2\ The term ``guidelines'' was used instead of ``standards.''
---------------------------------------------------------------------------
On December 13, 2003, more than a year after the passage of HAVA,
the EAC Commissioners were appointed and the agency was established.
The EAC embarked on a partnership with the National Institute of
Standards and Technology (NIST) to develop a set of testable standards
against which voting systems could be measured. In July 2004, the
Federal Advisory Committee required by HAVA to work with NIST on the
voting system guidelines held its first meeting. The Technical
Guidelines Development Committee (TGDC) is a Federal Advisory Committee
that consists of 15 members. The membership of the TGDC was dictated by
HAVA and includes four technical advisors appointed jointly by NIST and
the EAC as well as the representatives of the following organizations:
EAC Standards Board;
EAC Board of Advisors;
Architectural and Transportation Barrier Compliance Board;
American National Standards Institute (ANSI);
Institute of Electrical and Electronics Engineers (IEEE); and
National Association of State Election Directors.
The TGDC and NIST worked over the next nine months to produce a
draft set of voting system guidelines. The EAC published the draft
guidelines, held hearings in three locations in the U.S. and
established a user-friendly and accessible online tool for collecting
comments. Comments were accepted for 90 days. During that period, the
EAC received more than 6,500 separate comments from the public,
academia, industry and the election community. The final version of the
2005 Voluntary Voting System Guidelines (VVSG) was adopted by EAC on
December 13, 2005.
At the same time, the EAC and NIST had already begun work on an
accreditation program for laboratories that would be used to test
voting systems. The EAC and NIST partnered to use the National
Voluntary Laboratory Accreditation Program (NVLAP) already in place at
NIST to review and accredit laboratories. NIST sought applications from
laboratories beginning in July 2005. To date, five applications have
been received. Assessments of these laboratories are underway, and NIST
anticipates having recommendations on three of the five laboratories by
December 2006, with the remainder by Spring of 2007. The EAC has also
developed an interim accreditation program to assure that there will be
accredited laboratories in place to test modifications to voting
systems prior to the upcoming 2006 elections. In addition, the EAC
engaged the assistance of an expert on laboratory accreditation to
review the laboratories that were previously accredited by NASED
against the International Standard Organization's (ISO) protocol for
laboratories, ISO 17025. To date, the EAC has accredited one laboratory
under its interim accreditation program.
While the EAC focused its efforts on developing a new set of voting
system standards and establishing a process for accrediting
laboratories, NASED continued to serve the election community by
operating its voting system qualification program. On July 24, 2006,
the EAC began its certification program. There are two phases to the
EAC's voting system certification program. The first focuses on
reviewing modifications to voting systems previously qualified by NASED
prior to the November 2006 elections. The EAC recognizes that voting
system certification is a very technical, complex and time-consuming
process. As such, it would be impossible to retest every voting system
prior to the November 2006 elections. Knowing that there would be
changes and modifications needed to adapt voting systems for the
upcoming elections, the EAC developed a process through which
modification to voting systems would be provisionally certified based
upon a review of the modification and integration testing. These
provisional certifications expire in December 2006. At that time, the
EAC will have begun the second phase of its voting system certification
program.
Phase two of the EAC's program begins a new era in voting system
testing and certification. All voting systems will be eligible to apply
for EAC certification, regardless of whether the system had previously
been qualified by NASED. The process begins with registering of the
manufacturer, which includes disclosure of certain business information
that will be used to determine if any conflicts of interest exist. Once
a manufacturer is registered, the manufacturer will submit its system
for testing by one of the EAC accredited laboratories. The laboratory
will then provide a testing report to the EAC, where it will be
reviewed by a committee of technical experts to assure that the
laboratory conducted the proper test and that the voting system
conforms to the voting system standards or guidelines. If a voting
system successfully passes the testing and review and no conflicts of
interest exist, the system will be granted an EAC certification.
In addition to this certification process, the EAC is incorporating
two other features into its program: (1) a quality assurance program,
and (2) a decertification process. Through its quality assurance
program, the EAC will visit and review production of voting systems at
the manufacturer's facility to assure that the manufacturer is
producing the same system that was certified by the EAC. In addition,
the EAC will visit states and local jurisdictions to assure that
manufacturers are delivering the same system that was certified by the
EAC.
The EAC decertification process will allow knowledgeable
individuals such as election officials, technicians, and manufacturers
to report instances where they believe voting systems failed to conform
to the standards or guidelines. The EAC will investigate the complaints
and determine if evidence exists to suggest that a voting system fails
to comply with the standards or guidelines. If a system is found to be
out of compliance, the EAC will begin the decertification process which
will result in decertification if the manufacturer fails to bring all
such systems into compliance.
Questions submitted by Chairman Vernon J. Ehlers and Chairman Sherwood
L. Boehlert
Q1. In his testimony, Dr. Wagner recommended that the Technical
Guidelines Development Committee (TGDC) and the Election Assistance
Commission (EAC) take the following actions to improve security and
reliability of voting systems. For each recommendation listed below,
please answer these questions: Do you agree with the recommendation? If
so, what is the EAC doing to implement the recommendation? If not, why
not?
A1. In his testimony, Dr. Wagner inaccurately characterized the
function of the EAC, the intent of the HAVA, and the current role of
the Federal Government in monitoring and reviewing voting systems. Some
of Dr. Wagner's suggestions were legitimate. However, they do not take
into account several issues such as the authorities vested in the
various branches of government, programs or processes that are not
operated by the Federal Government, and federal programs currently in
place. The EAC has been and will continue to be willing to speak with
Dr. Wagner and others to discuss their ideas and inform them of the
legal, fiscal, and practical limitations under which the EAC and the
system of election administration in this country work. Through the
following responses, the EAC will correct the inaccurate statements as
well as clarify the misconceptions put forth regarding the method in
which elections are administered.
a. Mandate voter-verified paper records and mandatory manual audits.
The EAC received its authorization from Congress regarding its
duties, responsibilities and powers. HAVA specifically limited the
EAC's power to develop voluntary guidelines and guidance for the
states. HAVA recognized that the administration of elections is
decentralized, being operated by the states and local governments. HAVA
did not seek to upset that balance of power and limited the EAC's
authority so that this agency would also respect that balance. The EAC
was given no regulatory authority, except as it relates to the National
Voter Registration Form, and that is the same authority previously held
and exercised by the FEC. As such, the EAC is not authorized to mandate
voter-verifiable paper audit trails (VVPAT). In addition, VVPAT is not
one of the voting system requirements listed in 301(a) of HAVA.
However, recognizing that many states have imposed VVPAT
requirements for voting systems used in their states, the EAC, NIST and
the TGDC developed testable standards that could be used to evaluate
VVPAT components. The VVPAT testing standards were included in the 2005
VVSG. In addition, EAC also recognized that the free market system had
developed other forms of independent verification, such as witness
systems, cryptographic systems and split processing systems. There are
several companies that market witness systems and at least one company
that currently markets a cryptographic system. As such, the EAC has
charged NIST and TGDC with developing testing standards for these
independent verification systems.
In conclusion, the EAC has no authority to mandate VVPAT or any
other kind of voting technology. In elections, one size does not fit
all. In our decentralized election system, states and counties have
countless different types of voting equipment for various reasons, and
election officials choose voting equipment that best fits the needs of
their respective voters. The EAC believes it is best to continue to
allow election officials the freedom to choose from different
technologies that offer the same benefits. Mandating VVPAT would
possibly stifle the development of technology and the innovation of
election administrators throughout the country. In addition, such a
requirement does not recognize the ability of the states to choose
voting systems and technologies that best serve the needs of their
respective voters.
The authority and the decision as to whether to mandate VVPAT rests
with Congress. The EAC is poised to provide information from election
officials that have used VVPAT and research that NIST has conducted on
VVPAT and other independent verification methods.
b. Expand standards from focusing primarily on functionality testing to
incorporate technical evaluations of the security, reliability,
and usability of voting machines.
Dr. Wagner states ``[t]oday, the standards primarily focus on
functionality testing, which evaluates whether the machines implement
all necessary functionality.'' This is an inaccurate statement
regardless of whether it refers to the 2002 VSS or the 2005 VVSG. Thus,
it is not clear as to what Dr. Wagner is suggesting with this
recommendation. The 2002 VSS sets forth standards for testing
accessibility, reliability and security. Specifically, the 2002 VSS was
the first set of standards to establish requirements for voting systems
to provide access to both physically and visually disabled individuals.
In addition, the 2002 VSS established an error rate against which
voting machines are tested as well as other tests to determine whether
voting systems will reliably count votes and store results even under
extreme conditions.
The 2005 VVSG significantly expand on all three categories of
testing which Dr. Wagner says are lacking. Section 7 of the VVSG is
devoted exclusively to security requirements, including requirements on
the following security topics:
Access Control
Physical Security
Software Security
Telecommunications and Data Transmission
Use of Public Communications Networks
Wireless Communications
Independent Verification Systems
Voter Verifiable Paper Audit Trail Requirements
In addition, Section 3 of the VVSG contains the usability and
accessibility requirements. These requirements were increased from 29
requirements in 2002 to 120 requirements in 2005. Reliability of voting
equipment to count, maintain, and report results accurately continues
to be a significant part of the 2005 VVSG as it was in the 2002 VSS.
For more information on requirements see the full text of the VVSG.
c. Eliminate conflicts of interest in the federal testing process by
establishing a new funding process whereby Independent Testing
Authorities (ITA) are not paid by the vendors whose systems
they are testing.
The process of testing to which Dr. Wagner refers is not a
``Federal'' testing process. Accordingly, to suggest that there was a
conflict of interest in a ``Federal'' testing process is inaccurate.
Testing has been conducted by NASED, a trade association of state
election directors. It was neither sanctioned nor funded by the Federal
Government.
As for the EAC's voting system certification program, the EAC is
not currently authorized by Congress to charge a fee to manufacturers
for testing or to redirect such a fee to the voting system testing labs
through a contract or other arrangement to procure such testing. For a
Federal Government agency to take in and redirect funds, it must have
specific authority from Congress, which the EAC does not have.
Furthermore, Congress has not authorized the expenditure of federal
funds to test privately developed voting systems. Thus, the EAC
currently anticipates operating a voting system certification process
that will involve the manufacturers paying an accredited voting system
testing laboratory directly for the services that the laboratory
performs in testing that voting system. The accredited laboratory
report will then be forwarded to the EAC for a determination of whether
certification is warranted. If Congress changes these authorizations or
funding, other options will be considered.
d. Reform the federal testing process to make all ITA reports publicly
available and documentation and technical package data
available to independent technical experts.
Again, Dr. Wagner refers to the prior existence of a ``Federal''
testing program, when the previous testing program and all testing
laboratories were administered exclusively by NASED. Regardless, the
EAC has already anticipated the need and legal requirements for
additional disclosure of information related to voting system testing.
Unlike NASED, the EAC is subject to laws that dictate what information
a Federal Government agency can and cannot disclose, including the
Freedom of Information Act (FOIA), 5 U.S.C. 552 and the Trade Secrets
Act, 18 U.S.C. 1905. These statutes specifically preclude the release
of trade secrets information and privileged or confidential commercial
information.
The EAC will abide by the letter and spirit of these laws. Within
their constraints, the EAC will make available information contained in
testing reports and technical data packages that are legally
releasable.
e. Require broader disclosure of voting system source code, at a
minimum to independent technical experts under appropriate non-
disclosure agreements.
To the extent that source code is a trade secret or confidential or
privileged commercial information, the EAC is precluded by FOIA and the
Trade Secrets Act from releasing that information. However, the EAC has
already made provision in its upcoming certification program to have
manufacturers submit the final build of the software to an escrow
agent. In addition, election officials will be provided with a
mechanism to compare the software that they are delivered by the
manufacturer against the final build and executable code.
f. Institute a process for collecting, investigating, and acting on
data from the field on performance of voting equipment,
including a mechanism for interim updates to the standards to
reflect newly discovered threats to voting systems.
The EAC has already anticipated a need for collecting,
investigating and acting on allegations of system malfunction and
nonconformance with the voting system standards. The EAC has included a
decertification process in its voting system certification program that
will allow informed persons (i.e., election officials, manufacturers,
and poll workers) to make complaints of machine malfunction or an
instance where they believe that a machine does not conform to the
standards to which it has been tested and certified. Each allegation
will be investigated and if evidence of nonconformance is discovered,
the EAC will begin the process of decertifying the system.
It is important to note, here, that the EAC did not issue or adopt
the certifications issued by NASED. Thus, the EAC has no authority to
revoke those certifications or to decertify those systems. For systems
that have been certified by NASED, such allegations will be considered
in any review of that system for EAC certification.
g. Increase the representation of technical experts in computer
security on the TGDC.
As has been previously discussed, the Technical Guidelines
Development Committee is a Federal Advisory Committee established by
the EAC and prescribed by HAVA. The membership of the committee is set
forth in Section 221 of HAVA. The committee consists of 15 members,
which include:
The Director of the National Institute of Standards
  and Technology
Members of the EAC Standards Board
Members of the EAC Board of Advisors
Members of the Architectural and Transportation
  Barrier Compliance Board
A representative of the American National Standards
  Institute
A representative of the Institute of Electrical and
  Electronics Engineers
Two representatives of the National Association of
  State Election Directors
Other individuals with technical and scientific
  expertise relating to voting systems and voting equipment.
Thus, unless Congress changes the legal structure of the TGDC, the
EAC is limited in the appointments that it and NIST can make. All but
four members of the TGDC are currently dictated by HAVA. The four
members who were appointed jointly by the EAC and NIST based upon their
technical and scientific expertise are: Dr. Ron Rivest, Professor,
Massachusetts Institute of Technology, Department of Electrical
Engineering and Computer Science; Ms. Whitney Quesenbery, President,
Usability Professionals' Association; Mr. Patrick Gannon, President and
CEO, OASIS; and Dr. Daniel Schutzer, Vice President and Director of
External Standards and Advanced Technology, e-Citi, CitiGroup.
Q2. In his testimony, Dr. Wagner said that the federal standards
process is not working, and that ``Federal standards are not sufficient
to guarantee that federally-approved voting systems are able to
adequately protect the integrity of our elections, either against
unintentional failures, or against deliberate tampering.'' Do you agree
with this statement? If so, why, and if not, what is your assessment of
the current state of voting equipment in terms of reliability and
security?
A2. Dr. Wagner again mistakenly assumes that the Federal Government has
been testing voting systems. At the time of the hearing, all voting
systems were ``qualified'' by NASED, a non-government association, that
received no funding from the Federal Government. Therefore, it is
inaccurate and premature to state that the ``Federal process is not
working.''
The EAC began its voting system certification process on July 24,
2006. The EAC has implemented the first phase of its certification
process, which focuses on the need to review modifications prior to the
November 2006 elections. The second phase will begin in December 2006
and will include additional processes to assure that the systems that
are fielded are the same as the systems that are tested. These
processes include screening manufacturers for conflicts of interest,
implementing a quality control program that includes site visits to
manufacturing facilities and localities that use the systems, and a
decertification program to review and act on allegations that a voting
system does not conform to standards.
In regards to protecting the integrity of elections, having
stringent, thorough voting system guidelines against which voting
systems are tested and a testing and certification program are only
half of the equation. When voting systems successfully meet the
guidelines, they should also be subjected to rigorous testing,
evaluation, and implementation at the state level. Many states have
already developed thorough state certification programs wherein they
test systems for specific capabilities required by state law or
according to more stringent standards than those required on a national
level. In addition, states should actively participate in the
acceptance process to assure that the systems that they buy and receive
meet the same requirements as the systems that were tested. Finally,
voting systems must be implemented using a thorough management process
in which security and access procedures are applied at the locations in
which the systems are operated. Those procedures include securing the
location where equipment is stored, developing chain of custody for the
transport of equipment, and training and protocols for those operating
the equipment. The EAC's work in developing management guidelines for
election administration will provide states with suggested practices on
implementing and managing voting systems. The first of these management
guidelines pieces was made available to election officials in June 2006
and others will be distributed before the November elections.
Q3. Will the EAC be providing an incident reporting system for the
2006 election through which election managers can report problems with
voting equipment? If so, what will the process be and will the results
be made available to the public or to independent technical experts? If
not, why not?
A3. In 2004, the EAC collected this data as a part of its Election Day
Survey. The information was made available to the public through its
report on the Election Day Survey, which can be found on the EAC's web
site. With the onset of the EAC certification program, this data will
be collected through the decertification process of that program.
Information on the certification program and processes will also be
made available through the EAC web site.
Q4. The 2005 Voluntary Voting Systems Guidelines contain an appendix
on independent dual verification systems that could perform the same
functions as a voter-verifiable paper audit trail. Is this technology
being used in voting systems today or is more research needed to make
it operational? What are the advantages and disadvantages of this
technology? To what extent are there other technologies that could
perform the same function as a voter-verifiable paper audit trail?
A4. There are currently several forms of independent verification other
than VVPAT on the market, including witness systems, cryptographic
systems, audio verification systems, and split processing systems.
There is at least one company that markets each of the alternative
independent verification systems. However, there are no standards
currently available to test these systems. Thus, the EAC, NIST and the
TGDC have made developing testing standards for independent
verification systems a priority. The current section on independent
verification can be found in Section 7 of the VVSG. This section
includes one form of independent verification, specifically VVPAT. The
next iteration of the VVSG will include testing methods for alternative
forms of independent verification.
Questions submitted by Democratic Members
Q1. Ms. Davidson, there have been several incidents of security,
reliability and usability flaws discovered in Independent Testing
Authority (ITA) approved voting equipment--either during elections or
during state certification. When such flaws are uncovered, what is the
process for ensuring that the same mistakes are not repeated in the
future? Has the Election Assistance Commission published any report or
analysis on who or why flaws were not discovered during inspection and
testing?
A1. The ITAs that have previously tested voting systems were
administered under the NASED program. When the EAC began its
certification program in July 2006, the EAC reviewed the three testing
laboratories accredited under the NASED program for interim
accreditation by the EAC to serve in the first phase of its
certification program. The laboratories were assessed by an expert in
the field of voting systems and a certified laboratory reviewer to
determine if the laboratories conform to ISO 17025. Of the three
laboratories, the EAC has currently granted interim accreditation to
one laboratory. In addition, the EAC is working with the National
Voluntary Laboratory Accreditation Program (NVLAP) of NIST to review
labs for accreditation to test systems under the second phase of the
EAC's certification system. NVLAP is also reviewing labs according to
the requirements of ISO 17025. In December 2006, NIST expects to have
completed reviews of at least two of the five laboratories that have
applied to the NVLAP program for accreditation.
Thus, the EAC and NIST are taking steps to assure that the
laboratories that test voting systems under the EAC's certification
program are qualified and apply the appropriate procedures, processes
and tests to assure that voting systems tested in their facilities are
adequately reviewed for conformance with the voting system standards.
Q2. Ms. Davidson, several states including California, Florida, and
Georgia, appear to have more exacting certification processes than
those required by the Election Assistance Commission. For example,
California has adopted a ``volume testing'' of voting machines;
machines are voted on as realistically as possible for at least six
hours, to ensure that they will actually function on election day. In
one case, California discovered that 20 percent of a particular
Independent Testing Authority (ITA) approved machine failed this volume
testing. Do you see these more extensive tests as evidence that current
federal standards and certification processes need to be revised and
made more robust? Will the Election Assistance Commission incorporate
the more exacting certification processes of these states to revise
federal testing standards and conformance tests?
A2. Again, the testing and certification program that has previously
been in place to assess voting system conformance was administered by
NASED, not the EAC. The EAC has developed testing standards, but is
awaiting test suites or testing protocols to be developed by TGDC and
NIST. If the technologists at NIST and the members of the TGDC believe
that additional volume testing is necessary, we will see that
reflected in the testing protocols that will be developed for the
testing laboratories to implement when testing each discrete voting
system.
State certification programs have existed for many years and many
states like California have solid programs that focus on additional
requirements of that state's certification program or additional
testing in certain areas. The EAC encourages states to continue their
work not only in the state certification programs, but also in
acceptance testing to assure that they have field voting systems that
are accurate and reliable.
Q3. Ms. Davidson, is there any clear mechanism for suspending or
revoking the certification of machines with serious defects in the
security, reliability, usability, or accessibility of certified when
discovered? It is common in other industries to mandate recalls when
products are found to have serious security or safety defects. Is this
an issue that should be addressed by the Election Assistance Commission
and the latest set of standards/guidelines?
A3. The EAC anticipated the need for a decertification process, and it
will be implemented in phase two of the EAC's certification program.
Informed individuals (i.e., election officials, manufacturers, and poll
workers) will be able to report machine malfunctions and instances in
which the individual believes a voting system does not conform to the
voting system standards to which it has been tested. The reports will
be investigated, and where evidence of nonconformance is found, the EAC
will begin the process of decertifying the voting system.
It is important to note that decertification will be applied only
to systems that have been tested and certified by the EAC. The EAC has
not and will not adopt qualifications issued by NASED. Systems that
have been previously qualified by NASED will be eligible for testing
and certification under the EAC program, just like newly manufactured
systems. Because the EAC has not adopted NASED qualifications, it has
no authority to revoke those certifications. The EAC can, however,
consider allegations of nonconformance in its review of any systems
submitted under the EAC certification program.
Q4. Ms. Davidson, the General Accounting Office's June 2006 report
identified five states that plan to use the Election Assistance
Commission's 2005 guidelines (Voluntary Voting Systems Guidelines,
VVSG) in the 2006 election. How many voting systems have begun testing,
completed testing and been certified against the 2005 standards/
guidelines (VVSG)? How many systems do you expect to see certification
against these standards prior to the 2006 general election?
A4. The EAC has not received any systems to be tested and certified to
the 2005 VVSG. Furthermore, the EAC will not be able to accept any
systems for such testing and certification until December 2006, when
NVLAP has reviewed and recommended qualified laboratories for
accreditation to test voting systems to the 2005 VVSG.
Q5. Ms. Davidson, the Election Assistance Commission has now assumed
responsibility for certifying voting systems against current national
standards/guidelines. This change was intended to improve the
consistency and transparency of the certification process. What
criteria, steps and personnel are being used by the EAC to certify
voting systems for the 2006 elections and is this information available
to the public? What qualifications are required of individuals
responsible for reviewing certification of test results and
recommending EAC's approval for certification?
A5. The EAC has adopted phase one of its certification program, which
focuses on testing and certifying modifications to voting systems prior
to the November 2006 elections. Information regarding the process for
certification under phase one is available on the EAC's web site.
Systems submitted with modifications during phase one will be tested to
the 2002 VSS, a document which is also available to the public.
In December 2006, the EAC will launch its full certification
program. By October 2006, the EAC will publish the details of that
program in the Federal Register and on its web site for comment by the
public. This program will be rigorous and thorough, and one that will
include registering manufacturers, assessing manufacturers for
conflicts of interest, testing according to the 2002 VSS or 2005 VVSG,
quality assurance, as well as decertification, when warranted.
The EAC sought technical reviewers with the following
qualifications to staff its review of the testing reports that will be
provided by the accredited testing laboratories:
Minimum Qualifications. Candidates for the position must possess the
following minimum qualifications:
    Bachelor's degree from an accredited college or university; or
        equivalent education and experience.
    Demonstrated knowledge of the VVS and/or VVSG.
    Knowledge of computer science and testing, including, but not
        limited to, software coding conventions, hardware, computer
        security, and software.
    Excellent written and verbal communication skills.
    No financial, political, or personal conflict of interest.
Preferred Qualifications. The successful candidate should also have
outstanding skills and abilities in the following areas:
    At least five (5) years experience in voting software or hardware
        testing; voting technology development; or some combination of
        the two.
    Knowledge of election procedures in the United States. Familiarity
        with laws and procedures governing the election process.
    Knowledge of the legal, accounting, and auditing requirements for
        elections.
    Knowledge of quality testing, including, but not limited to
        International Standards Organization (ISO) (particularly ISO
        17025 and ISO 9000).
    Experience with software and/or hardware testing methodologies,
        including, but not limited to, (1) minimum standards for test
        plans, (2) methods of ding testing, and (3) requirements for
        testing hardware and software.
Additional Considerations. Successful candidates will be required to
demonstrate that they can operate as fair, impartial, and unbiased
parties by certifying that they are not subject to conflicts of
interest.
These persons make recommendations to the EAC's Executive Director
as to which systems should be certified.
Q6. Ms. Davidson, do vendors currently provide election officials with
documentation that explains the security features of the systems that
they sell and the procedures that need to be in effect for the
election to be secure? If not, is this something that needs to be done?
A6. This is a question for the voting system manufacturers, as these
materials would be provided under contractual agreements between
themselves and the election jurisdiction purchasing the equipment.
Q7. Ms. Davidson, Dr. Wagner made a number of short-term
recommendations based on the Brennan Center report that he believes
could improve the security and reliability of voting equipment that
will be used this November. These recommendations include routine
audits of voter-verified paper records, performing parallel testing of
voting machines, adopting procedures for investigating and responding
to evidence of fraud or error, and banning voting machines with
wireless capabilities. Would you please comment on these suggestions?
A7. In his testimony, Dr. Wagner demonstrated a misunderstanding of
HAVA, the role of the EAC, voting systems, and the history of voting
system certification in this country. Some of Dr. Wagner's suggestions
were legitimate. However, they do not take into account several issues
such as the authorities vested in the various branches of government,
programs or processes that are not operated by the Federal Government,
and federal programs currently in place.
The following are recommendations made by Dr. Wagner:
a. Mandate voter-verified paper records and mandatory manual audits.
The EAC received its authorization from Congress regarding its
duties, responsibilities and powers. HAVA specifically limited the
EAC's power to develop voluntary guidelines and guidance for the
states. HAVA recognized that the administration of elections is
decentralized, being operated by the states and local governments. HAVA
did not seek to upset that balance of power and limited the EAC's
authority so that this agency would also respect that balance. The EAC
was given no regulatory authority, except as it relates to the National
Voter Registration Form, and is the same authority previously held and
exercised by the FEC. As such, the EAC is not authorized to mandate
voter-verifiable paper audit trails (VVPAT). In addition, VVPAT is not
one of the voting system requirements listed in 301(a) of HAVA.
However, recognizing that many states have imposed VVPAT
requirements for voting systems used in their states, the EAC, NIST and
the TGDC developed testable standards that could be used to evaluate
VVPAT components. The VVPAT testing standards were included in the 2005
VVSG. In addition, EAC also recognized that the free market system had
developed other forms of independent verification, such as witness
systems, cryptographic systems and split processing systems. There are
several companies that market witness systems and at least one company
that currently markets a cryptographic system. As such, the EAC has
charged NIST and TGDC with developing testing standards for these
independent verification systems.
In conclusion, the EAC has no authority to mandate VVPAT or any
other kind of voting technology. In elections, one size does not fit
all. In our decentralized election system, states and counties have
countless different types of voting equipment for various reasons, and
election officials choose voting equipment that best fits the needs of
their respective voters. The EAC believes that it is best to continue
to allow election officials the freedom to choose from different
technologies that offer the same benefits. Mandating VVPAT would
possibly stifle the development of technology and the innovation of
election administrators throughout the country. In addition, such a
requirement does not recognize the ability of the states to choose
voting systems and technologies that best serve the needs of their
respective voters.
The authority and the decision as to whether to mandate VVPAT rests
with Congress. The EAC is poised to provide information from election
officials that have used VVPAT and research that NIST has conducted on
VVPAT and other independent verification methods.
b. Expand standards from focusing primarily on functionality testing to
incorporate technical evaluations of the security, reliability,
and usability of voting machines.
Dr. Wagner states ``[t]oday, the standards primarily focus on
functionality testing, which evaluates whether the machines implement
all necessary functionality.'' This is an inaccurate statement
regardless of whether it refers to the 2002 VSS or the 2005 VVSG. Thus,
it is not clear as to what Dr. Wagner is suggesting with this
recommendation. The 2002 VSS sets forth standards for testing
accessibility, reliability and security. Specifically, the 2002 VSS was
the first set of standards to establish requirements for voting systems
to provide access to both physically and visually disabled individuals.
In addition, the 2002 VSS established an error rate against which
voting machines are tested as well as other tests to determine whether
voting systems will reliably count votes and store results even under
extreme conditions.
The 2005 VVSG significantly expand on all three categories of
testing which Dr. Wagner says are lacking. Section 7 of the VVSG is
devoted exclusively to security requirements, including requirements on
the following security topics:
Access Control
Physical Security
Software Security
Telecommunications and Data Transmission
Use of Public Communications Networks
Wireless Communications
Independent Verification Systems
Voter Verifiable Paper Audit Trail Requirements
In addition, Section 3 of the VVSG contains the usability and
accessibility requirements. These requirements were increased from 29
requirements in 2002 to 120 requirements in 2005. Reliability of voting
equipment to count, maintain, and report results accurately continues
to be a significant part of the 2005 VVSG as it was in the 2002 VSS.
For more information on requirements see the full text of the VVSG.
c. Eliminate conflicts of interest in the federal testing process by
establishing a new funding process whereby Independent Testing
Authorities (ITA) are not paid by the vendors whose systems
they are testing.
The process of testing to which Dr. Wagner refers is not a
``Federal'' testing process. So, to suggest that there was a conflict
of interest in a ``Federal'' testing process is inaccurate. Testing has
been conducted by NASED, a trade association of state election
directors. It was neither sanctioned nor funded by the Federal
Government.
As for the EAC's voting system certification program, EAC is
not currently authorized by Congress to charge a fee to manufacturers
for testing or to redirect such a fee to the voting system testing labs
through a contract or other arrangement to procure such testing. For a
Federal Government agency to take in and redirect funds, it must have
specific authority from Congress, which the EAC does not have.
Furthermore, Congress has not authorized the expenditure of federal
funds to test privately developed voting systems. Thus, the EAC
currently anticipates operating a voting system certification process
that will involve the manufacturers paying an accredited voting system
testing laboratory directly for the services that the laboratory
performs in testing that voting system. The report of the accredited
laboratory will then be forwarded to the EAC for determination of
whether certification is warranted. If Congress changes these
authorizations or funding, other options will be considered.
d. Reform the federal testing process to make all ITA reports publicly
available and documentation and technical package data
available to independent technical experts.
Again, Dr. Wagner refers to the prior existence of a ``Federal''
testing program, when the previous testing program and all testing
laboratories were administered exclusively by NASED. Regardless, the
EAC has already anticipated the need and legal requirements for
additional disclosure of information related to voting system testing.
Unlike NASED, the EAC is subject to laws that dictate what information
a Federal Government agency can and cannot disclose, including FOIA and
the Trade Secrets Act, 18 U.S.C. 1905. These statutes specifically
preclude the release of trade secrets information and privileged or
confidential commercial information.
The EAC will abide by the letter and spirit of these laws. Within
its constraints, the EAC will make available information contained in
testing reports and technical data packages that are legally
releasable.
e. Require broader disclosure of voting system source code, at a
minimum to independent technical experts under appropriate non-
disclosure agreements.
To the extent that source code is a trade secret or confidential or
privileged commercial information, the EAC is precluded by FOIA and the
Trade Secrets Act from releasing that information. However, the EAC has
already made provision in its upcoming certification program to have
manufacturers submit the final build of the software to an escrow
agent. In addition, election officials will be provided with a
mechanism to compare the software that they are delivered by the
manufacturer against the final build and executable code.
f. Institute a process for collecting, investigating, and acting on
data from the field on performance of voting equipment,
including a mechanism for interim updates to the standards to
reflect newly discovered threats to voting systems.
The EAC has already anticipated a need for collecting,
investigating and acting on allegations of system malfunction and
nonconformance with the voting system standards.
The EAC has included a decertification process in its voting system
certification program that will allow informed persons (i.e., election
officials, manufacturers, and poll workers) to report machine
malfunctions or an instance where they believe that a machine does not
conform to the standards to which it has been tested and certified.
Each report will be investigated and if evidence of nonconformance is
discovered, the EAC will begin the process of decertifying the system.
It is important to note that the EAC did not issue or adopt the
certifications issued by NASED. Thus, the EAC has no authority to
revoke those certifications or to decertify those systems. For systems
that have been certified by NASED, such allegations will be considered
in any review of that system for the EAC certification.
g. Increase the representation of technical experts in computer
security on the TGDC.
As has been previously discussed, the Technical Guidelines
Development Committee is a Federal Advisory Committee established by
the EAC and prescribed by HAVA. The membership of the committee is set
forth in Section 221 of HAVA. The committee consists of 15 members,
which include:
The Director of the National Institute of Standards
and Technology
Members of the EAC Standards Board
Members of the EAC Board of Advisors
Members of the Architectural and Transportation
Barrier Compliance Board
A representative of the American National Standards
Institute
A representative of the Institute of Electrical and
Electronics Engineers
Two representatives of the National Association of
State Election Directors
Other individuals with technical and scientific
expertise relating to voting systems and voting equipment.
Thus, unless Congress changes the legal structure of the TGDC, the
EAC is limited in the appointments that it and NIST can make. All but
four members of the TGDC are currently dictated by HAVA. The four
members who were appointed jointly by the EAC and NIST based upon their
technical and scientific expertise are: Dr. Ron Rivest, Professor,
Massachusetts Institute of Technology, Department of Electrical
Engineering and Computer Science; Ms. Whitney Quesenbery, President,
Usability Professionals' Association; Mr. Patrick Gannon, President and
CEO, OASIS; and Dr. Daniel Schutzer, Vice President and Director of
External Standards and Advanced Technology, e-Citi, CitiGroup.
Q8. Ms. Davidson, Dr. Wagner's testimony outlines problems that we
frequently see reported in news articles about problems with voting
equipment. In addition to his comments on the current status of voting
equipment, he makes a number of longer-term recommendations, many of which
focus on conformance criteria and testing of voting machines. Would you
please comment on these recommendations?
A8. Please see response to question 7.
Q9. Ms. Davidson, as a former Secretary of State, would you discuss
steps we can take to assure Americans that elections held in this
country are accurate and secure. For example, how would you respond to
the issues raised in Dr. Wagner's written testimony about the
independent testing authority and conformance testing or reports from
several states that have had problems with voting equipment that has
been approved by an independent testing authority?
A9. Voting security is a multi-faceted issue that can only be addressed
by examining each of the points of potential weakness. Certainly,
security in the voting system itself is important. The EAC, NIST, and
TGDC have made a good start at developing security standards for the
voting equipment. Those standards are not, however, the only factor in
the security equation. Election officials must be diligent in policing
access to voting systems, programming equipment and equipment that
provide results. Physical security of these systems is equally, if not
more important, than the processes, hardware and software that protect
the voting machine itself. If a bad actor does not have access to the
voting system, then it is increasingly difficult to manipulate the
results.
The EAC has begun developing a series of suggested practices that
will focus on the physical security and administration components of
conducting a secure election. The first issue of EAC's management
guidelines was issued in June 2006 and was a Quick Start Guide for
election officials to use as a checklist for accepting, testing, and
securing voting systems. A more comprehensive physical security
document will be released shortly to augment the initial concepts
outlined in the Quick Start Guide.
Answers to Post-Hearing Questions
Responses by William Jeffrey, Director, National Institute of Standards
and Technology
Questions submitted by Chairman Vernon J. Ehlers and Chairman Sherwood
L. Boehlert
Q1. In his testimony, Dr. Wagner recommended that the Technical
Guidelines Development Committee (TGDC) and the Election Assistance
Commission (EAC) take the following actions to improve security and
reliability of voting systems. For each recommendation listed below,
please answer these questions: Do you agree with the recommendation? If
so, what is the TGDC doing to implement the recommendation? If not, why
not?
A1. Let me first clarify how the TGDC operates. There are 15 members on
the TGDC whose membership is either specified in the HAVA statute or
are chosen based upon their expertise. NIST is only allotted one slot
on the TGDC as chair. Specific areas for research are determined by
majority vote of the TGDC members. The next version of the Voluntary
Voting System Guidelines is scheduled for July, 2007. Between now and
July, 2007 the TGDC will have several plenary meetings where decisions
will be made concerning the content of the July Guideline.
Consequently, the decisions to implement any of Dr. Wagner's, or any
other, recommendations have not yet been made and will, if appropriate,
be debated among the TGDC members. My responses to the specific
questions are detailed below:
a. Mandate voter-verified paper records and mandatory manual audits.
I support some form of independent verification (IV). Voter-
verified paper records are one form of IV--but not the only form that
could be implemented. It should be noted that VVPATs have several
disadvantages, especially in terms of usability for voters and election
officials, as well as accessibility. NIST is researching other types of
IV systems, such as witness systems and cryptographically-based systems
that have the potential to provide increased security with a reduced
impact on usability and accessibility.
For the VVSG 2007, the TGDC is considering requirements for three
or four different IV techniques, including voter-verified paper
records. It is important to note that IV by itself will be
insufficient. Robust operational procedures (i.e., concepts of
operation) must also be implemented which are not technical and thus
cannot be specified by the TGDC. These operational procedures must be
developed and practiced at the State/local level. Best practices for
operations can be captured and promulgated through the EAC and other
organizations. However it should be noted that more research is needed
generally in the area of independent dual verification (IDV or IV).
However, there are some voting systems that utilize this technology and
cryptographically-based systems that have the potential to provide
increased security with a reduced impact on usability and
accessibility.
b. Expand standards from focusing primarily on functionality testing to
incorporate technical evaluations of the security, reliability,
and usability of voting machines.
I agree with this recommendation. VVSG 2005 incorporated new
requirements for the security and usability of voting machines. VVSG
2007 will consider incorporating more detailed and comprehensive
requirements for security and usability as well as new requirements for
reliability. These VVSG requirements will provide for a comprehensive
technical evaluation of these items.
c. Eliminate conflicts of interest in the federal testing process by
establishing a new funding process whereby Independent Testing
Authorities (ITA) are not paid by the vendors whose systems
they are testing.
NIST and the TGDC have discussed various reimbursement models for
the ITAs with the Election Assistance Commission (EAC). However, this
is a policy issue that is not within the purview of a technical
guidelines committee and is ultimately a decision of the EAC.
d. Reform the federal testing process to make all ITA reports publicly
available and documentation and technical package data
available to independent technical experts.
This is a reasonable recommendation. Making summary reports
publicly available is not an uncommon practice. For instance, test
reports provided by Telecommunication Certification Bodies (private
organizations accredited by ANSI and designated by the FCC) for
equipment subject to the FCC's certification process are retained by
the FCC, which makes summary information publicly available. The TGDC
will consider specifying the set of testing material that should be
made public. There are, however, several legal and policy issues that
would need to be addressed prior to implementation. These issues are
not under the purview of NIST or the TGDC, but rather the Election
Assistance Commission.
e. Require broader disclosure of voting system source code, at a
minimum to independent technical experts under appropriate non-
disclosure agreements.
Broader disclosure of source code that can be reviewed by experts
could increase the probability that errors, particularly security
flaws, could be detected earlier. This is, however, a policy and legal
issue that would not be appropriate in a technical guidelines document.
f. Institute a process for collecting, investigating, and acting on
data from the field on performance of voting equipment,
including a mechanism for interim updates to the standards to
reflect newly discovered threats to voting systems.
A process for collecting data on performance of voting equipment
would be very useful to document newly discovered threats, as well as
to detect errors in the voting hardware and/or software. This
information could then be used to either modify or generate new
technical requirements to mitigate these threats or errors in updates
to the guidelines.
g. Increase the representation of technical experts in computer
security on the TGDC.
I agree that the TGDC is under-represented with respect to security
experts. I am actively encouraging HAVA mandated TGDC organizations to
consider security expertise as a qualification for their nominations to
fill vacancies on the TGDC.
Q2. In his testimony, Dr. Wagner said that the federal standard
process is not working, and that ``Federal standards are not sufficient
to guarantee that federally-approved voting systems are able to
adequately protect the integrity of our elections, either against
unintentional failures, or against deliberate tampering.'' Do you agree
with this statement? If so, why, and if not, what is your assessment of
the current state of voting equipment in terms of reliability and
security.
A2. The new guidelines in VVSG 2005 enhance the security and integrity
of voting systems by providing the first guidelines for Voter Verified
Paper Audit Trails; requirements for addressing how voting system
software is to be distributed; validating the voting system setup; and
governing how wireless communications are to be secured. But there is
more that needs to be done. Standards are a necessary but not
sufficient condition to protect the integrity of our elections. In
addition to standards, a comprehensive test suite to help ensure that
the voting systems correctly implement the standard is necessary. NIST
will begin the development of such a test suite in FY 2007.
Additionally, comprehensive procedures for election officials are
needed as well. Until all of these components are in place, our ability
to guard against failures or tampering will not be as robust as
desired.
Q3. How will you know if the Voluntary Voting Systems Guidelines
(VVSG) are leading to improvements in voting systems? Are there
mechanisms available to the National Institute of Standards and
Technology (NIST) or the TGDC to track the performance of voting
systems, ensure that standards are effective, and obtain feedback on
the performance of the standards themselves? If so, what are these
mechanisms? If not, what is needed?
A3. Tracking the effectiveness of security guidelines is especially
difficult. The absence of known security breaches does not establish
that breaches have not occurred or that they are unlikely to occur in
the future. In this area, ongoing scrutiny of security specifications
and testing methods is needed. This scrutiny should come from voting
officials, national and state testing entities, and the public.
Improvements in usability and accessibility, on the other hand, will be
much easier to track through analysis of voting trends and from
feedback from the community.
Q4. How do the TGDC or NIST plan to address security in the 2007 VVSG?
What kinds of security tests are being contemplated and how do they
compare to security tests used for computer equipment in other
industries? Is security testing different from other types of testing,
and if so, how?
A4. The VVSG 2007 will likely contain several chapters with significant
security-related material. The security-related material that is under
consideration includes: General Requirements; General Design
Requirements; Voting Variations, Security & System Integrity;
Cryptography; Access Control; Voting System Records Audit; System
Integrity Management; System Auditing & Logging; Physical Security;
Usability; Accessibility; Hardware & Software Performance; Workmanship;
Archival Requirements; Inter-operability; and Requirements by Voting
Activity.
Security tests will include tests of the functionality of security
features (such as access controls), reviews of security documentation,
including an assessment to determine if security features function
together as intended, and open-ended security testing, including
penetration testing. These are common types of security testing used in
many industries. Security testing is indeed different from other types
of testing. In ``regular'' (or conformance) testing, one simply tests
each requirement to ensure it is implemented according to the guideline
or standard. Security testing is more difficult. In security testing,
you have an unbounded field of possible security threats to address.
NIST and the TGDC are researching open-ended testing and other forms of
security testing as part of the overall testing strategy to be included
in the VVSG 2007.
Q5. Are there any plans to issue advisories on voting equipment that
does not meet the 2005 VVSG and subsequent versions? Will NIST be
providing an incident reporting system or other feedback system so that
lessons learned from testing laboratories can be disseminated to
election officials? If so, what will the process be? If not, why not.
A5. Providing information and best practices to the election officials
is the responsibility of the Election Assistance Commission.
Q6. The 2005 VVSG contains an appendix on independent dual
verification systems that could perform the same functions as a voter-
verifiable paper audit trail. Is this technology being used in voting
systems today or is more research needed to make it operational? What
are the advantages and disadvantages of this technology? To what extent
are there other technologies that could perform the same function as a
voter-verifiable paper audit trail?
A6. More research is needed generally in the area of independent dual
verification (IDV or IV). However, there are some voting systems that
utilize this technology. NIST sees voter-verified paper audit trail
(VVPAT) as a type of IV system. VVPATs have several disadvantages,
especially in terms of usability for voters and election officials, as
well as accessibility. NIST is researching other types of IV systems,
such as witness systems and cryptographically-based systems that have
the potential to provide increased security with a reduced impact on
usability and accessibility.
Answers to Post-Hearing Questions
Responses by Mary Kiffmeyer, Secretary of State for Minnesota
Questions submitted by Chairman Vernon J. Ehlers and Chairman Sherwood
L. Boehlert
Q1. In his testimony, Dr. Wagner recommended that the Technical
Guidelines Development Committee (TGDC) and the Election Assistance
Commission (EAC) take the following actions to improve security and
reliability of voting systems. For each recommendation listed below,
please answer these questions: Do you agree with the recommendation? If
so, to what extent and how is Minnesota implementing the
recommendation? If not, why not?
Q1a. Mandate voter-verified paper records and mandatory manual audits.
A1a. Agree. Minnesota not only requires a voter-verified paper record,
it requires an actual paper ballot.
Q1b. Expand standards from focusing primarily on functionality testing
to incorporate technical evaluations of the security, reliability, and
usability of voting machines.
A1b. Agree. Minnesota requires a source code review that assures that
the votes are accurately recorded and counted.
Q1c. Eliminate conflicts of interest in the federal testing process by
establishing a new funding process whereby Independent Testing
Authorities (ITA) are not paid by the vendors whose systems they are
testing.
A1c. Disagree. It is like the use of the Underwriters Laboratories to
grade consumer products. Even though the manufacturer pays for the
testing it does not mean that the system is corrupt.
Q1d. Reform the federal testing process to make all ITA reports
publicly available and documentation and technical package data
available to independent technical experts.
A1d. Agree with limits. As long as the reports or documentation does
not assist persons with malicious activities in mind do not get
information that would assist them to do things to affect the recording
and tabulating of votes.
Q1e. Require broader disclosure of voting system source code, at a
minimum to independent technical experts under appropriate non-
disclosure agreements.
A1e. Disagree. The wide distribution of source code could lead to the
loss of source code to those who have malicious intents.
Q1f. Institute a process for collecting, investigating, and acting on
data from the field on performance of voting equipment, including a
mechanism for interim updates to the standards to reflect newly
discovered threats to voting systems.
A1f. Agree. The accuracy and the integrity of elections are essential
to the process of fair and honest elections. All new methods of
ensuring the correct outcome of every election have value.
Q1g. Increase the representation of technical experts in computer
security on the TGDC.
A1g. Agree. In the review of our source code there were requirements to
have security experts as part of the team reviewing the source code.
Q2. In his testimony, Dr. Wagner said that the federal standards
process is not working, and that ``Federal standards are not sufficient
to guarantee that federally-approved voting systems are able to
adequately protect the integrity of our elections, either against
unintentional failures, or against deliberate tampering.'' Do you agree
with this statement? If so, why, and if not, what is your assessment of
the current state of voting equipment in terms of reliability and
security?
A2. The security standards of the 2005 VVSG are not sufficiently
comprehensive to ensure security in our election systems. The use of
technology for voting increases the risk that security of the voting
system will be breached, if proper safeguards are not taken. Wireless
components should only be turned on after the polls close and voting is
complete or strict security guidelines are developed. Also, a voter-
verified paper audit trail should be required in the VVSG to provide
assurance that the elections process is being conducted in an accurate
and fair manner.
Q3. What are your top three priorities for updates to the 2005
Voluntary Voting Systems Guidelines (VVSG)?
A3. Priorities for updates to the 2005 VVSG include introducing a VVPAT
requirement, banning the use of wireless components during elections,
and requiring post-election audits of voting systems.
Q4. If the EAC or another organization provided an incident reporting
system for the 2006 election through which election managers could
systematically report problems with voting equipment, would this be
useful to you, and if so, how would you recommend the system be
structured?
A4. An incident reporting system for the 2006 election through which
election managers could systematically report problems with voting
equipment would be an effective tool. In Minnesota, election judges can
record any unusual events or any problems on the precinct incident log.
On this form, election judges could record any problems with the voting
equipment that may have taken place during the election. In terms of an
incident reporting system, an effective mechanism would be for the
election judges to submit the data recorded on the incident log and
submit this to election managers so that voting equipment problems in
all precincts are recorded and in one centralized location.
Q5. The 2005 VVSG contains an appendix on independent dual
verification systems that could perform the same functions as a voter-
verifiable paper audit trail. Is this technology being used in voting
systems today or is more research needed to make it operational? What
are the advantages and disadvantages of this technology? To what extent
are there other technologies that could perform the same function as a
voter-verifiable paper audit trail?
A5. Minnesota law does not allow for the use of an independent dual
verification system.
Questions submitted by Democratic Members
Q1. Ms. Kiffmeyer, what documentation do your voting system vendors
currently provide you that explain the security features of voting
systems and the procedures required for your elections to be secure?
A1. Minnesota requires that vendors applying for voting system
certification provide recommended procedures for use of the system at
Minnesota elections which includes security issues.
Q2. Ms. Kiffmeyer, what additional improvements are needed (if any)
voting for the voluntary guidelines and national certification process?
Also, what additional steps should the Election Assistance Commission
take to support efforts of states and local jurisdictions to acquire
and operate accurate, reliable, and secure voting equipment?
A2. The 2005 VVSG and its strength will be tested in the elections this
Fall and in elections to come even more so. The guidelines will need to
be evaluated after the elections in order to ascertain how the
equipment functioned and what, if any, standards need to be improved.
One of the main objectives of the VVSG was to create standards by which
to guide an effective elections process, and a look into what might
still be lacking and how best to remedy the situation will provide both
insight and a benefit to all.
Q3. Ms. Kiffmeyer, GAO recently reported that only about 15 percent of
jurisdictions collect measures on voting equipment failures. Does your
state collect data on voting equipment failures and what have you found
from the data you've collected? What are your views on collecting this
information on a national basis.
A3. The state collects data on voting equipment incidents at the local
level. However, every polling place is required to keep an incident log
which is returned to the counties and would include apparent issues of
equipment failure. In addition to having a paper ballot system, the
counties have machine backups for tallying and the incidents of machine
problems are very few and usually rectified immediately on election
day.
Minnesota also has a new statute this year to require a post
election review of voting equipment including a hand tally to compare
to the machine tally results. This review will be conducted with a
randomly selected number of precincts per county with additional
requirements if there are sufficient enough errors found in the
counting of results. This information will be collected by the state
and posted on the web site.
Elections have been to this point a function of the states and
local election officials and the collecting of the information should
be kept to the responsibility of state and local election officials.
Q4. Ms. Kiffmeyer, Dr. Wagner made a number of short-term
recommendations based on the Brennan Center report that he believes
could improve the security and reliability of voting equipment that
will be used this November. These recommendations include routine
audits of voter-verified paper records, performing parallel testing of
voting machines, adopting procedures for investigating and responding
to evidence of fraud or error, and banning voting machines with
wireless capabilities. Would you please comment on these suggestions?
A4. The short-term recommendations made in the Brennan Center Report
are ones that will help improve both security and reliability. Routine
audits of voter-verified paper records also provide an additional level
of fairness and accuracy in our elections process. Procedures for
investigating and responding to evidence of fraud or error are
efficient tools necessary to the integrity of the process. In regards
to performing parallel testing of voting machines, Minnesota does not
require such a test at this time, but may in the future. As there is a
valid concern for wireless components being used during voting in the
polling place, Minnesota law prohibits wireless functions to take place
during voting. In other words, wireless components should only be
turned on after the polls close and voting is complete.
Q5. Ms. Kiffmeyer, Dr. Wagner's testimony outlines problems that we
frequently see reported in news articles about problems with voting
equipment. In addition to his comments on the current status of voting
equipment, he makes a number of longer-term recommendations, many which
focus on conformance criteria and testing of voting machines. Would you
please comment on these recommendations?
Q5a. Mandate voter-verified paper records and mandatory manual audits.
A5a. I agree. Minnesota not only requires a voter-verified paper
record, it requires an actual paper ballot.
Q5b. Expand standards from focusing primarily on functionality testing
to incorporate technical evaluations of the security, reliability, and
usability of voting machines.
A5b. I agree. Minnesota requires a source code review that assures that
the votes are accurately recorded and counted.
Q5c. Eliminate conflicts of interest in the federal testing process by
establishing a new funding process whereby Independent Testing
Authorities (ITA) are not paid by the vendors whose systems they are
testing.
A5c. I agree as long as the funding is certain and long-term.
Q5d. Reform the federal testing process to make all ITA reports
publicly available and documentation and technical package data
available to independent technical experts.
A5d. I agree but with limits. As long as the reports or documentation
does not assist persons with malicious activities in mind to get
information that would assist them to breach security or make it easier
to hack and to affect the recording and tabulating of votes.
Q5e. Require broader disclosure of voting system source code, at a
minimum to independent technical experts under appropriate non-
disclosure agreements.
A5e. I believe that the voting system source code should require
security in its distribution as concerns for giving knowledge to those
with malicious intents is a risk. Until the security and risk concerns
can be addressed, the wide distribution of source code could lead to
the loss of source code to those who have malicious intents and thus
lead to greater security risk or risk of hacking. That is an ultimate
possible unintended consequence. We must act carefully on this matter.
Q5f. Institute a process for collecting, investigating, and acting on
data from the field on performance of voting equipment, including a
mechanism for interim updates to the standards to reflect newly
discovered threats to voting systems.
A5f. I agree. The accuracy and the integrity of elections are essential
to the process of fair and honest elections. All new methods of
ensuring the correct outcome of every election have value and every
effort should be made and funded fully to accomplish that laudable
goal.
Q5g. Increase the representation of technical experts in computer
security on the TGDC.
A5g. I agree. In the review of our source code there were requirements
to have security experts as part of the team reviewing the source code.
However, election practitioners especially at the state level should
also be in high representation with the technical experts. Security is
more than the technological box. It is the sum total of the election
system including voter registration.
Answers to Post-Hearing Questions
Responses by Linda H. Lamone, Administrator of Elections, Maryland
State Board of Elections
As I stated in my testimony, it is important to recognize that the
new voting system standards are the first step in an evolution, not a
panacea with an immediate and dramatic impact on elections as some
observers believe.
Before responding to your questions for the record, I would like to
share with you some important information that seems to have been lost
in the ongoing debate about voting systems.
First, it is important to understand why jurisdictions chose Direct
Recording Electronic (DRE) voting systems in the first place. DRE
voting systems are the most accurate voting systems. They eliminate
issues of voter intent and over-votes, offer accessible voting to most
voters with disabilities, and easily accommodate multiple languages.
One way to measure the accuracy of a voting system is to evaluate
the number of voters who cast a ballot but did not record a vote for
the highest contest on the ballot (typically President or Governor). In
2000, there were 10,553 voters in Maryland who went to the polls to
vote and did not have a vote recorded for President. In 2004, there
were 7,541 voters who voted but did not have a vote recorded for
President.\1\ This represents a 29 percent decrease in the number of
voters who voted but did not record a vote for President. As
demonstrated in Maryland and other states, the transition from lever
machines, punchcard, and optical scan voting systems to DRE voting
systems has translated into more voters having their votes counted.\2\
This, of course, is the reason for elections--to capture the will of
the people.
---------------------------------------------------------------------------
\1\ In 2000, nineteen counties in Maryland used optical scan voting
systems, three counties used mechanical lever machines, one used a
punchcard voting system, and one used a DRE voting system. In 2004, all
twenty-four jurisdictions used a DRE voting system; twenty-three
counties used the same DRE, with the remaining jurisdiction using a
different DRE. In 2006, all twenty-four jurisdictions will be using the
same DRE.
\2\ See Stewart, Charles III, ``Residual Vote in the 2004
Election,'' CalTech/MIT Voting Technology Project, February 2005,
http://vote.caltech.edu/media/documents/wps/vtp-wp25.pdf
---------------------------------------------------------------------------
Second, it is commonly accepted by computer scientists that no
voting system can be made 100 percent secure. While security procedures
have been standard operating procedures in election administration, it
is important to recognize that paper ballots pose an equal--if not
greater--security risk than DRE voting systems. Throughout this
nation's history, there are countless examples of outright fraud to
questionable procedures with paper ballots. While I am not questioning
the integrity of elections conducted on paper-based voting systems, it
is important to recognize that implementing these systems does not
eliminate or even reduce security concerns. Actually, paper-based
systems are more vulnerable as there is no special technical knowledge
that is required to alter or remove a paper ballot.
Third, although the advocates opposing the use of DRE voting
systems are organized and active, they do not represent a majority of
voters in Maryland. Earlier this year, I commissioned a public opinion
poll to assess what Maryland voters thought of the DRE voting system
used in Maryland. Eighty-two percent of the respondents thought their
votes on DRE voting systems were counted and recorded accurately, and
76 percent had a favorable opinion about touchscreen voting.
Interestingly, 77 percent of the survey respondents were not even aware
of the debate about electronic voting. This survey clearly shows that,
in Maryland, there is no ``crisis of confidence'' in the voting system.
A copy of the report is enclosed for your information.
Questions submitted by Chairman Vernon J. Ehlers and Chairman Sherwood
L. Boehlert
Q1. In his testimony, Dr. Wagner recommended that the Technical
Guidelines Development Committee (TGDC) and the Election Assistance
Commission (EAC) take the following actions to improve security and
reliability of voting systems. For each recommendation listed below,
please answer these questions: Do you agree with the recommendation? If
so, to what extent and how is Maryland implementing the recommendation?
If not, why not?
A1.
Mandate voter-verified paper records and mandatory
manual audits.--Because of the extensive pre-election, Election
Day, and post-election testing we conduct on the State's voting
system and numerous security analyses and resulting security
procedures, we are confident that the voting system accurately
counts and records votes. For this reason, I do not believe
that a voter-verified paper record improves the accuracy of a
thoroughly tested voting system.
Additionally, I am concerned that a mandatory voter-
verified paper record would stifle--and likely already has--the
development of other independent verification technologies.
Last winter, I contracted with two University of Maryland
institutions to conduct an independent study on vote
verification systems, including voter-verified paper trails.
Several of the technologies were very promising and offered
audit and verification tools that are not possible with voter-
verified paper records. One, for example, could provide the
amount of time it takes poll workers to prepare the voting unit
for voting. This information could be used to enhance poll
worker training and inform the vendor on how the opening
process on the voting unit could be improved. Mandating voter-
verified paper records would prevent the development and
testing of other verification solutions.
Expand standards from focusing primarily on
functionality testing to incorporate technical evaluations of
the security, reliability, and usability of voting machines.--I
agree that all aspects of voting systems should be tested and
that testing should extend beyond just functional testing.
Although Dr. Wagner states that the current ``standards
primarily focus on functionality testing,'' this is not the
case. Both the 2002 Voting Systems Standards and the Voluntary
Voting System Guidelines (VVSG) incorporate standards for
testing accessibility, reliability, and security.
Eliminate conflicts of interest in the federal
testing process by establishing a new funding process whereby
Independent Testing Authorities (ITA) are not paid by the
vendors whose systems they are testing.--The testing process
under the National Association of Election Directors, the
entity that previously oversaw the testing process, has been
conducted with the highest integrity. Although I am open to
discussing different federal testing structures, the current
testing process is objective, and to suggest that there are
conflicts of interest implies that the vendors have influence
over the voting system testing process solely because they pay
for testing. This is not the case.
Reform federal testing process to make all ITA
reports publicly available and documentation and technical
package data available to independent technical experts.--With
the EAC assuming responsibility for the voting system
certification process, more information about voting system
testing will be available.
Require broader disclosure of voting system source
code, at a minimum to independent technical experts under
appropriate non-disclosure agreements.--In the EAC's upcoming
certification program, voting system vendors will be required
to submit a final software version to an escrow agent and allow
election officials to compare the delivered software against
the software version on file with the escrow agent. Maryland
has previously used NIST's National Software Reference Library
to compare the version of the software being used in the State
against the version qualified by the National Association of
State Election Directors. This comparison has been performed
both before and after statewide elections and reassures
election officials that no unauthorized software is being used.
Institute a process for collecting, investigating,
and acting on data from the field on performance of voting
equipment, including a mechanism for interim updates to the
standards to reflect newly discovered threats to voting
systems.--It is my understanding that the EAC has developed a
process to collect and investigate claims that voting systems
are not performing appropriately and are not in compliance with
voting system standards, and I support this effort. It is
important that the EAC serve as both a resource to election
officials for investigating potential voting system
malfunctions and noncompliance with standards and, if
necessary, initiating a decertification system if the
allegations are substantiated.
Increase representation of technical experts in
computer security on the TGDC.--Four of the fifteen--or 25
percent--of the TGDC's current members are technical experts.
(Election officials currently hold four seats on the TGDC, the
same number as technical experts.) Increasing the number of
technical experts at the expense of other subject matter
experts would not reflect the realities of voting systems and
elections administration and would alter the balance that
currently exists on the TGDC. While technical experts play an
important role in improving election administration, they are
but one voice in the debate.
Q2. In his testimony, Dr. Wagner said that the federal standards
process is not working, and that ``Federal standards are not sufficient
to guarantee that federally-approved voting systems are able to
adequately protect the integrity of our elections, either against
unintentional failures, or against deliberate tampering.'' Do you agree
with this statement? If so, why, and if not, what is your assessment of
the current state of voting equipment in terms of reliability and
security?
A2. As the VVSG are not yet in effect nor being used for testing and
the EAC has only just started its work in accrediting testing
laboratories, I do not believe that the decision can be made that the
federal standards process does not work. As I noted earlier, the voting
system standard process is an evolution, and no one should have
expected that the VVSG was going to improve dramatically and
immediately voting systems and the testing process. It is important to
give the current VVSG and future versions time to impact voting
systems.
While I think the VVSG and new testing structure will improve
voting systems over time, I believe that the current voting systems are
reliable and secure with appropriate security policies and procedures
in place. Like any information technology system, the security of the
system is more than just the hardware and software; it includes the
people that work with the system and the procedures that surround the
system. Best practices and management standards can be shared among
election officials to improve the security of voting systems.
Q3. What are your top three priorities for updates to the 2005
Voluntary Voting System Guidelines (VVSG)?
A3. As the VVSG are not yet in effect nor being used for testing and
the EAC has only just started its work in accrediting testing
laboratories, it is important to give both the VVSG and the EAC time to
work before making significant recommendations. That being said, I
recommend that future versions of the VVSG include state-specific
certification requirements. This would enable state election officials
to accept the EAC's certification as the basis of state
certification. This joint certification would reduce the resources
needed to conduct state certification without a reduction in confidence
in the voting system and would greatly benefit states with less
financial resources for testing. Incorporating a joint certification
could also provide an additional incentive for states to adopt the
VVSG.
The EAC has contracted with two experienced and well-respected
election officials to develop management standards. While these
management standards will cover many topics related to elections
management, they will also focus on standards for voting systems. I
believe that this effort has enormous potential to improve election
administration and the security of voting systems. I also believe that
the EAC could provide much needed assistance to states and counties by
offering best practices and assistance in negotiating contracts with
voting system vendors.
Q4. If the EAC or another organization provided an incident reporting
system for the 2006 election through which election managers could
systematically report problems with voting equipment, would this be
useful to you, and if so, how would you recommend the system be
structured?
A4. Maryland collects information on reported voting system
malfunctions from a variety of sources: (poll workers, voting unit
technicians, State and local election officials, and vendor's help
desk). Either county or State election officials follow-up on the
information and determine the root cause of the problem.
A 2004 analysis of voting units from Maryland's largest
jurisdiction showed that many of the voting units flagged by election
officials and poll workers as requiring special attention or review
were voting units that did not have the power cord properly inserted,
causing the internal battery to drain, and the voting unit to
eventually lose power, physical damage to the voting unit booths (which
may include issues such as broken legs or cases); any voting unit that
has substantially fewer ballots cast on it than others in the same
precinct; or any other reason that an election judge or local election
board staff member feels the voting unit needs to be analyzed, either
because a problem was observed or reported by a voter. After careful
review of all of the voting units referred for additional analysis,
State election officials found that only .4 percent of that county's
voting units had issues on Election Day.
I believe that it is important to collect this information at the
national level to assist election officials with identifying common
concerns and working collaboratively to address any issues. As with any
national survey and the resulting conclusions based on the data, it is
important that there are standard and clear definitions and that the
data is used to improve the voting process, not for criticizing
election officials or a specific vendor, and that election officials
have time to conduct an initial review of the reported voting system
malfunctions. For obvious reasons, a voting unit with a broken leg must
be recorded and analyzed differently than a voting unit that freezes
during voting hours. The EAC has a similar belief as it has developed a
process to collect and investigate allegations of malfunctioning voting
systems and systems that are in compliance with voting system
standards.
Q5. The 2005 VVSG contains an appendix on independent dual
verification systems that could perform the same functions as a voter-
verifiable paper audit trail. Is this technology being used in voting
systems today or is more research needed to make it operational? What
are the advantages and disadvantages of this technology? To what extent
are there other technologies that could perform the same function as a
voter-verifiable paper audit trail?
A5. As I noted earlier, two University of Maryland institutions
conducted an independent technical and usability study on four vote
verification systems. The systems included in the study were VoteHere's
Sentinel, SCYTL's Pnyx.DRE, MIT Professor Ted Selker's voter-verified
audio audit trail, and Diebold Election Systems, Inc.'s voter-verified
paper audit trail. A copy of the combined report is enclosed for your
information.
The study found that none of the vote verification systems--
including voter-verified paper trail--are fully developed and that
implementing any one of the systems would greatly increase the
complexity of the election and, as implemented in Maryland, jeopardize
the secrecy of the ballot. That being said, the researchers found that
each of the systems could provide some level of vote verification if
the system was fully developed, fully integrated with the voting
system, and effectively implemented. Although the conclusion of the
study was to recommend against implementing any one of the
participating vote verification systems, these systems might become
viable with further development and testing. As a result, it is
important that further development not be stifled by mandating a
specific vote verification system for use.
Questions submitted by Democratic Members
Q1. What documentation do your voting system vendors currently provide
you that explains the security features of voting systems and the
procedures required for your elections to be secure?
A1. The State's voting system vendor provides the standard ``User's
Guide'' for the touchscreen and a guide for the software. These
documents give an overview of the security features, such as data
encryption and the use of dynamic keys, provide recommendations for
their use, and detailed instructions on how to use those features. For
new software releases, they also provide release notes that detail new
or updated security features.
With respect to the procedures required to secure elections, I
believe that this is the responsibility of election officials, not
vendors. While election officials should consider the vendor's
recommendations for operating a secure voting system, it is ultimately
the duty of election officials to implement security procedures.
In Maryland, we have contracted with outside firms to conduct a
variety of security assessments and have internal resources implement
the recommendations of these assessments and develop procedures to
protect the election process. The agency's Chief Information Officer
has significant experience in security-related matters, and a Chief
Information System Security Officer is on staff to review the vendor's
recommendations and develop security procedures for all aspects of the
election process. These internal resources, combined with the vendor's
recommendations and outside analyses, demonstrate the commitment to
preserving the integrity of the election process and reducing the
likelihood of any tampering with the election.
Q2. What additional improvements are needed (if any) for the voluntary
guidelines and national certification process? Also, what additional
steps should the Election Assistance Commission take to support efforts
of states and local jurisdictions to acquire and operate accurate,
reliable, and secure voting equipment?
A2. As the Voluntary Voting Systems Guidelines (VVSG) are not yet in
effect nor being used for testing and the Election Assistance
Commission (EAC) has only just started its work in accrediting testing
laboratories, it is important to give both the VVSG and the EAC time to
work before making significant recommendations. That being said, I
recommend that future versions of the VVSG include state-specific
certification requirements. This would enable state election officials
to accept the EAC's certification as the basis of state certification.
This joint certification would reduce the resources needed to conduct
state certification without a reduction in confidence in the voting
system and would greatly benefit states with less financial resources
for testing. Incorporating a joint certification could also provide an
additional incentive for states to adopt the VVSG.
The EAC has contracted with two experienced and well-respected
election officials to develop management standards. While these
management standards will cover many topics related to elections
management, they will also focus on standards for voting systems. I
believe that this effort has enormous potential to improve election
administration and the security of voting systems. I also believe that
the EAC could provide much needed assistance to states and counties by
offering best practices and assistance in negotiating contracts with
voting system vendors.
Q3. GAO recently reported that only 15 percent of jurisdictions
collect measures on voting equipment failures. Does your state collect
data on voting equipment failures and what have you found from the data
you've collected? What are your views on collecting this information on
a national basis?
A3. Maryland collects information on reported voting system
malfunctions from a variety of sources (poll workers, voting unit
technicians, State and local election officials, and vendor's help
desk). Either county or State election officials follow-up on the
information and determine the root cause of the problem.
A 2004 analysis of voting units from Maryland's largest
jurisdiction showed that many of the voting units flagged by election
officials and poll workers as requiring special attention or review
were voting units that did not have the power cord properly inserted,
causing the internal battery to drain, and the voting unit to
eventually lose power; physical damage to the voting unit booths (which
may include issues such as broken legs or cases); any voting unit that
has substantially fewer ballots cast on it than others in the same
precinct; or any other reason that an election judge or local election
board staff member feels the voting unit needs to be analyzed, either
because a problem was observed or reported by a voter. After careful
review of all of the voting units referred for additional analysis,
State election officials found that only .4 percent of that county's
voting units had issues on Election Day.
I believe that it is important to collect this information at the
national level to assist election officials with identifying common
concerns and working collaboratively to address any issues. As with any
national survey and the resulting conclusions based on the data, it is
important that there are standard and clear definitions, that the data
is used to improve the voting process, not for criticizing election
officials or a specific vendor, and that election officials have time
to conduct an initial review of the reported voting system
malfunctions. For obvious reasons, a voting unit with a broken leg must
be recorded and analyzed differently than a voting unit that freezes
during voting hours.
Q4. Dr. Wagner made a number of short-term recommendations based on
the Brennan Center report that he believes could improve the security
and reliability of voting equipment that will be used this November.
These recommendations include routine audits of voter-verified paper
records, performing parallel testing of voting machines, adopting
procedures for investigating and responding to evidence of fraud or
error, and banning voting machines with wireless capabilities. Would
[you] please comment on these suggestions?
A4. I generally agree with Dr. Wagner's recommendations to the extent
that election officials should implement recognized best practices and
measures that verify the accuracy and integrity of the voting system.
To that end, Maryland has implemented pre-election and Election Day
parallel testing, has procedures for investigating and responding to
allegations of fraud or error, and does not use voting systems with
wireless capabilities. Although the State's voting system does not have
a voter-verified paper record, there are routine audits performed after
each election to verify the accuracy of the voting system.
Jurisdictions that are not already planning on implementing these
short-term recommendations for the upcoming November elections may not
have sufficient time to implement best practices and develop and
implement these recommendations.
Q5. Dr. Wagner's testimony outlines problems that we frequently see
reported in news articles about problems with voting equipment. In
addition to his comments on the current status of voting equipment, he
makes a number of longer-term recommendations, many of which focus on
conformance criteria and testing of voting machines. Would you please
comment on these recommendations?
A5. Before responding to Dr. Wagner's recommendations, I think it is
very important to recognize that many ``problems'' reported in the news
are not voting system problems; they are, in fact, problems caused by
human error. For example, in 2004, the media reported that voting
systems in several Maryland precincts failed. The voting units
prevented voting, because precinct-specific encoders (the device that
tells the voting unit which ballot to load) were delivered to the wrong
precinct. The voting system worked exactly as it should have; that is,
it prevented the wrong encoder from working with the voting system.
Although reported as such, this was not a voting system problem; it was
simply a human mistake.
After each of Dr. Wagner's recommendations, I have provided
comment.
Mandate voter-verified paper records and mandatory
manual audits.--Because of the extensive pre-election, Election
Day, and post-election testing we conduct on the State's voting
system and numerous security analyses and resulting security
procedures, we are confident that the voting system accurately
counts and records votes. For this reason, I do not believe
that a voter-verified paper record improves the accuracy of a
thoroughly tested voting system.
Additionally, I am concerned that a mandatory voter-
verified paper record would stifle--and likely already has--the
development of other independent verification technologies.
During our study of vote verification systems, several of the
products were very promising and offered audit and verification
tools that are not possible with voter-verified paper records.
One, for example, could provide the amount of time it takes
poll workers to prepare the voting unit for voting. This
information could be used to enhance poll worker training and
inform the vendor on how the opening process on the voting unit
could be improved. Mandating voter-verified paper records would
prevent the development and testing of other verification
solutions.
Broaden the focus beyond functionality testing.--I
agree that all aspects of voting systems should be tested and
that testing should extend beyond just functional testing.
Although Dr. Wagner states that the current ``standards
primarily focus on functionality testing,'' this is not the
case. Both the 2002 Voting Systems Standards and the 2005 VVSG
incorporate standards for testing accessibility, reliability,
and security.
Eliminate conflicts of interest in the federal
testing process.--The testing process under the National
Association of Election Directors, the entity that previously
oversaw the testing process, has been conducted with the
highest integrity. Although I am open to discussing different
federal testing structures, the current testing process is
objective, and to suggest that there are conflicts of interest
implies that the vendors have influence over the voting system
testing process solely because they pay for testing. This is
not the case.
Reform federal testing process to provide more
transparency and openness.--With the EAC assuming
responsibility for the voting system certification process,
more information about voting system testing will be available.
Examples of information that will be available from the EAC
include testing reports and technical data packages.
Require broader disclosure of voting system source
code.--In the EAC's upcoming certification program, voting
system vendors will be required to submit a final software
version to an escrow agent and allow election officials to
compare the delivered software against the software version on
file with the escrow agent. Maryland has previously used NIST's
National Software Reference Library to compare the version of
the software being used in the State against the version
qualified by the National Association of State Election
Directors. This comparison has been performed both before and
after statewide elections and reassures election officials that
no unauthorized software is being used.
Incorporate closed feedback loops into the regulatory
process.--It is my understanding that the EAC has developed a
process to collect and investigate claims that voting systems
are not performing appropriately and are not in compliance with
voting system standards, and I support this effort. It is
important that the EAC serve as both a resource to election
officials for investigating potential voting system
malfunctions and noncompliance with standards and, if
necessary, initiating a decertification system if the
allegations are substantiated.
Strengthen the evaluation of usability and
accessibility.--I believe that the enhanced usability and
accessibility standards in the VVSG are an important first
step. I understand that the 2007 standards will include
additional usability and accessibility factors.
Increase representation of technical experts in
computer security on the TGDC.--Four of the fifteen--or 25
percent--of the TGDC's current members are technical experts.
(Election officials currently hold four seats on the TGDC, the
same number as technical experts.) Increasing the number of
technical experts at the expense of other subject matter
experts would not reflect the realities of voting systems and
elections administration and would alter the balance that
currently exists on the TGDC. While technical experts play an
important role in improving election administration, they are
but one voice in the debate.
Ensure that standards are grounded in the best
scientific and engineering understanding.--While I agree with
this recommendation, the science of voting systems must be
balanced against the realities of elections.
Answers to Post-Hearing Questions
Responses by David Wagner,\1\ Professor of Computer Science, University
of California-Berkeley
---------------------------------------------------------------------------
\1\ This work was supported by the National Science Foundation
under Grant No. CNS-052431 (ACCURATE). Any opinions, findings, and
conclusions or recommendations expressed in this material are those of
the author and do not necessarily reflect the views of the National
Science Foundation. I do not speak for UC-Berkeley, the National
Science Foundation, or any other organization. Affiliations are
provided for identification purposes only.
---------------------------------------------------------------------------
Questions submitted by Chairman Vernon J. Ehlers and Chairman Sherwood
L. Boehlert
Q1. How do you think the sections of the 2005 Voluntary Voting Systems
Guidelines (VVSG) that deal with security should be improved?
A1. I recommend sweeping changes to how the 2005 Voluntary Voting
Systems Guidelines (VVSG) deal with security, to bring them up to date
with fundamental changes over the past decade in how voting systems are
built. The 2007 VVSG are in the process of being drafted, and I propose
several suggestions for consideration.
Require that systems provide voter-verified paper
records. The single most effective step that the VVSG could
take to improve security would be to stop certifying new voting
systems that do not provide a voter-verified paper record. The
VVSG could also be revised to require that the use procedures
provided by the vendor specify how to perform a routine manual
audit of these paper records.
Given the current state-of-the-art, there is no known way
to provide a comparable level of security without voter-
verified paper records. In the long run, as technology
advances, it may be possible to develop alternative voting
technologies that provide an equal or greater level of security
without using paper. Consequently, it may be appropriate to
structure the VVSG to permit other systems that demonstrably
provide an equal or greater level of security as voter-verified
paper records with manual audits. However, any such provision
would need to be accompanied by a new process for determining
which systems meet these criteria. The current evaluation and
testing process is not capable of making these determinations
with any credibility; major reforms of the current processes
would be required before such a provision would be safe to add.
Adding such a provision without accompanying reform of the
process used to evaluate which systems qualify for the
exception would eliminate much of the benefit of a requirement
for voter-verified paper records. In addition, it should be
expected that evaluating the security of systems that do not
use voter-verified paper records will be considerably more
expensive and difficult than evaluating systems that use voter-
verified paper records, due to the fact that paperless systems
do not record a permanent copy of the voter's intent that the
voter can verify.
Begin enforcing existing requirements. At present,
many of the security requirements in the 2005 VVSG are not
enforced or tested by the federal qualification process. While
the existing requirements of the VVSG are, for the most part, a
fairly reasonable start at specifying security requirements for
a voting system, the lack of enforcement renders these well-
intentioned requirements ineffective.
The VVSG do not specify any specific testing procedure for
many of the security requirements, and perhaps as a
consequence, the federal testing labs apparently do not perform
an independent analysis of whether these requirements are met.
Instead, the testing labs seem to concentrate their efforts on
requirements for which there is a concrete testing procedure
defined in the VVSG. We now know of multiple examples where the
federal testing labs have approved voting systems that contain
violations of the VVSG [1].
Create faster ways to investigate and act on
experience from the field. At present, the EAC has no way to
respond quickly to new discoveries about the security of
deployed voting systems. Currently, the only mechanism the EAC
has to affect the machines that voters vote on is to revise the
VVSG. However, these revisions take an extremely long time to
take effect. For instance, the next revision of the VVSG is not
scheduled until 2007. Moreover, the 2007 VVSG are not expected
to take effect until 2009. Furthermore, when the 2007 VVSG do
go into effect in 2009, they will only affect newly developed
or modified systems submitted for certification after that
date. Any systems that had been already certified or already
deployed at that time would be grandfathered. Consequently, any
new provisions in the 2007 VVSG will only affect systems
purchased after 2009, and possibly only systems that were both
developed and purchased after 2009. Because jurisdictions
purchase new systems only rarely--perhaps once a decade or so,
at best--any revisions to the VVSG that the EAC wished to make
today might not have any impact on the machines that a majority
of Americans vote on until 2015 or so.
Moreover, the EAC has no formalized, systematic way to
gather data from the field about the performance of voting
systems or to track incidents and failures across the country.
In comparison, the aviation industry has more effective
mechanisms for investigating and responding to new discoveries
about threats to aviation safety. Whenever a plane crash or
other serious in-flight anomaly occurs, federal investigators
immediately investigate the cause of the failure. If serious
problems are found, federal regulators have the authority to
require that corrective action be taken immediately, if
necessary. The consequence is that federal authorities have the
ability to respond to serious problems that affect aviation
safety in a matter of months. The EAC lacks any corresponding
capability to investigate or respond to voting system failures.
It would help to create ways to investigate voting system
failures, to require reporting of election incidents, to gather
data from the field and quantitatively measure the rate of
failures, to update voting standards more frequently in
response to this data, and to require timely adherence to the
standards [2].
Also, it would help to establish a process to decertify
voting systems that are certified and then are subsequently
discovered to have security flaws or to violate the standards.
It would help if the EAC were to exercise its authority to
decertify systems when they are found to have security
vulnerabilities.
Require some additional safeguards recommended by
security experts. Many security experts have recommended
several additional safeguards: banning wireless communications
in voting systems; banning some forms of interpreted code;
banning code stored on removable storage media. These would not
on their own fix all the security problems we are currently
experiencing, but they would help address some known gaps in
the standards.
Q1a. Do you think that the way in which security for voting systems is
tested needs to change? If so, how, and if not, why not?
A1a. Yes. The current process is not working: systems with serious
security vulnerabilities are getting approved. I suggest several
reforms.
Convene a panel of security experts to conduct
independent security evaluations of every system submitted for
certification. Each time a voting system is submitted to the
federal qualification process, the EAC could convene a panel of
leading security experts from both academia and industry to
perform an independent security analysis of the system.
Independent security evaluations are standard practice in the
field of computer security; the election industry has lagged
behind the rest of the field in this respect.
Over the past few years, external experts have been much
more effective at finding security flaws and assessing the
security of today's e-voting systems than the federal testing
labs. Consequently, it makes sense to enlist those who have
demonstrated skill at finding security vulnerabilities in
voting systems, so that we know about the flaws and can take
appropriate action before the systems are deployed in the
field. For instance, in 2003 four academics found more security
flaws in one voting system in 48 hours of examination of the
voting software than the federal testing labs had in the years
that the system was deployed. In 2005, a Finnish security
researcher found two significant security vulnerabilities after
approximately one week of study of a voting system, upon the
request of a county election official in Florida. In 2006, the
same Finnish researcher found another serious security
vulnerability after another week of study of the same voting
system, at the request of a county election official in Utah.
Independent security evaluations could help reduce the chances
of approving and deploying a flawed system.
Given that many have lost faith in the ability of federal
testing labs to evaluate the security of voting systems,
independent security evaluations would provide an independent
check on the federal testing labs. Because the effectiveness of
an independent security evaluation is highly dependent upon the
skills of the participants, it is important that panelists be
chosen from among the best minds in computer security. To this
end, I would recommend that the EAC consult with the ACCURATE
project to identify potential panelists. The panel should have
full access to all technical information about the voting
system, including all source code. The panel should also have
full access to a working unit of the voting system, and the
authority and ability to physically inspect and run tests on
that unit. The panel should be asked to write a report of their
findings, and the report should be made public in its entirety.
If necessary, the vendor's proprietary interests can be
protected, while preserving transparency and the independence
of the evaluators, through an appropriate non-disclosure
agreement.
Require vendors to disclose the source code of all
voting system software by a specified future date. The use of
secret software has contributed to a loss of transparency and
eliminated opportunities for public oversight of important
parts of the machinery of our elections [3]. This secretiveness
has contributed to a loss of confidence in the voting systems.
The best way to remedy this would be to require that vendors
make all source code, and other technical information about the
design and construction of their voting machines, publicly
available for all interested parties to examine [4]. Vendors
would still enjoy the protection of patent and copyright law
but would be required to forfeit trade secrecy in their
software to field systems in federal elections.
Some transition strategy may be needed to phase in this
requirement. One possibility is to specify a date several years
in the future after which source code to voting systems would
be required to be disclosed and provide advance notice to
vendors of that date. In the short-term, source code might be
required to be disclosed to any accredited security expert who
is willing to sign appropriate non-disclosure agreements.
Eliminate the COTS loophole. The standards currently
contain an exception that exempts commercial off-the-shelf
software (COTS) from some of the testing. Because COTS software
has been implicated in some recent security vulnerabilities, I
believe there is a good argument for eliminating this
exception.
Eliminate conflicts of interest; ensure that
evaluators are truly independent. At present, the federal
testing labs work for the vendors: they are paid and selected
by the voting vendors. We need some other mechanism that better
ensures the independence of the testing labs.
One possibility would be for the testing labs to be paid by
the Federal Government, with vendors required to reimburse the
government for all costs incurred. For instance, in California
the state has set up an escrow account for each vendor. The
vendor is required to deposit sufficient funds to cover all the
costs of certification testing into this account; when the
state hires consultants or other experts, they are paid out of
this escrow account. The Federal Government could use a similar
system. This would make it clear that labs work for the Federal
Government and have a fiduciary responsibility to the
citizenry, not to the vendor.
It may be possible to devise creative new approaches that
rely on market forces to make testing more effective. For
instance, if federal labs had to pay damages when a voting
system they approved turned out to be insecure, they would have
an incentive to make their testing processes as effective as
possible. One possibility might be to require federal labs to
carry insurance and give all citizens standing to sue the labs
for approving insecure voting systems, setting the damages for
endangering democracy at a high dollar amount. Federal approval
of a voting system might mean far more if testing labs needed
to keep their insurance premiums down in order to remain
profitable. It is not clear whether such an approach can be
made workable, but new incentive structures may be worth
exploring.
Make all reports from the testing labs public. Today,
the results from the federal testing labs are not made
available to the public. The labs consider them proprietary and
the property of the vendor. If a system fails to gain the
testing lab's approval, this fact is not disclosed to anyone
other than the vendor who paid for the testing.
I recommend that the results of all testing at the federal
level be disclosed to the public. All reports produced by the
testing labs should be published in full, whether the systems
pass or fail.
Enforce all security requirements in the standards.
As mentioned earlier, many security requirements are never
tested and consequently are not enforced. Security evaluation
of voting systems should change so that all security
requirements are assessed. We should expect and require testing
labs to fail any voting system if they cannot demonstrate that
it meets all security requirements.
Q2. Is computer security testing different from other types of
conformance testing, and if so, how? Has this type of testing ever been
performed on voting equipment and if so, what were the results? Should
this type of testing be performed routinely on voting equipment?
A2. Yes, security evaluation is different from other types of
conformance testing. Conformance testing--commonly also known under the
name ``functionality testing'' or ``black-box testing''--is concerned
with ensuring that the system will respond in certain ways under
ordinary operating conditions. This makes conformance testing fairly
straightforward: the test simulates ordinary operating conditions and
then checks that the system responds as desired under these conditions.
For instance, if we want to test that a voting system correctly counts
write-in votes under normal operating conditions, then we can run a
mock election, cast several write-in votes, and confirm that they are
counted correctly. As this example illustrates, conformance testing is
often fairly straightforward.
In contrast, security evaluation is concerned with ensuring that
the system will not misbehave when it is intentionally misused. Thus,
ordinary conformance testing is concerned with how the system behaves
under normal conditions, while security evaluation is concerned with
how it behaves under abnormal conditions. Unfortunately, it is very
difficult to predict how an attacker might try to misuse the system. If
we could predict how the attacker were going to misuse the system, then
we could simulate such misuse and observe whether the system is able to
respond appropriately. However, usually we do not know how an attacker
might try to misuse the system, and there are too many ways that an
attacker might try to misuse the system to exhaustively enumerate them
all. Consequently, there is no way to simulate how the system reacts to
these kinds of unanticipated attacks. This makes security evaluation
more difficult than ordinary standard conformance testing.
For these reasons, standard conformance testing practices are not
effective at evaluating whether a system is secure or not. Security
practitioners are familiar with this phenomenon [5]. As a result, when
experienced practitioners need to evaluate the security of some
software, they normally use discipline-specific methods chosen to be
effective for security purposes, instead of just relying on testing.
These methods always include some form of adversarial analysis, which
may include elements of threat assessment, source code review,
architectural review, penetration analysis, and red teaming. Security
practitioners also understand that, to be most effective, adversarial
analysis should be performed by security experts who are neutral and
independent. This process of adversarial analysis, when performed by
independent security experts, is sometimes known under the name
``independent security evaluation.'' Use of these adversarial analysis
methods is routine practice in industries where security is mission-
critical.
Yes, these security evaluation practices have been applied, on a
limited basis, to several voting systems. In each case, serious
security flaws were found.
In 2003, researchers from Johns Hopkins and Rice
Universities undertook an adversarial analysis and source code
review of voting software used in Diebold touchscreen voting
machines [6]. They found numerous security vulnerabilities.
In 2004, a security consulting company (RABA
Technologies) performed an independent security evaluation of
Diebold voting systems and found several security
vulnerabilities [7].
In 2005, Finnish researcher Harri Hursti applied
source code analysis and testing to discover and confirm two
security vulnerabilities in an optical scan machine
manufactured by Diebold [8].
In 2006, I and several other security experts
analyzed source code provided by Diebold as part of our
independent security evaluation of Diebold systems [9]. We
confirmed that Hursti's vulnerabilities were present in both
Diebold optical scan and touchscreen machines. We also found 16
other security defects that had not been previously known.
In 2006, Hursti was asked to examine a Diebold
touchscreen machine, and he discovered another serious security
vulnerability using adversarial analysis [10].
In each case, the use of practices specific to the field of
computer security was central to the effectiveness of these security
evaluations. As far as I can tell, none of these security
vulnerabilities had been previously discovered by the federal testing
labs, perhaps because the labs were focused on standard conformance
testing and failed to use methods more appropriate to security
evaluation [11].
Yes, these security-specific evaluation methods should be applied
routinely to voting systems. They are the best tools we have for
weeding out insecure voting systems, for proactively finding and fixing
security vulnerabilities in voting systems before they are deployed,
and for increasing confidence in the security of these systems.
It is worth mentioning that the term ``testing'' has a more
specific meaning in the computer science jargon than its everyday
meaning. Someone who is not a computer specialist might use the word
``testing'' to describe any method for evaluating the quality of
software or for finding software defects. In contrast, computer
scientists use the term ``testing'' more narrowly to refer to one
specific method for evaluating software quality: among computer
scientists, the unqualified term ``test'' is often viewed as a synonym
for ``black-box testing,'' ``functionality testing,'' or ``conformance
testing.'' Computer scientists would say that ``testing'' is just one
method of assessing the quality of software, but that there are others,
as well. When it comes to security, those other methods are usually
more effective than ``testing.'' Because of the potential for
confusion, I will avoid use of the unqualified word ``testing;'' I will
use terms like ``functionality testing'' to refer to one specific
method of evaluating software quality, and terms like ``evaluation'' to
refer to the broad goal of evaluating software quality and finding
software defects.
Q3. In your written testimony, you stated that functionality testing
is not as good as discipline-specific testing. Please explain the
difference between functionality and discipline-specific testing, and
why you believe discipline-specific testing should be used for voting
equipment.
A3. ``Functionality testing'' is a synonym for ``black-box testing'' or
``conformance testing.'' Thus, my response to Question 2 is relevant to
this question as well.
As I mentioned, security practitioners have developed discipline-
specific methods--methods that are suited to the discipline of computer
security--for evaluating the security of computer systems. These
include source code analysis, independent security analysis,
architecture and design reviews, and red teaming. Functionality testing
verifies that a machine does what it is supposed to do, when it isn't
under attack; in contrast, these security evaluation methods verify
that a machine does not do what it isn't supposed to do, even when it
is under attack. These discipline-specific methods should be used on
voting equipment in addition to functionality testing, because they are
the best known way to assess the security of such systems.
The discipline of usability has also developed its own discipline-
specific methods for evaluating the usability and accessibility of
computer systems, including user testing with actual voters and poll
workers as well as heuristic evaluation by usability and accessibility
experts. These methods specifically cater to human factors concerns and
are designed to evaluate how the software influences interactions
between humans and computers. These methods are focused less on
functional requirements (e.g., can the system display candidate names
in a bold font?) and more on assessing performance via quantitative
metrics of usability. These discipline-specific methods should be used
for voting equipment, because they are the best known way to assess the
usability and accessibility of such systems.
Q4. Mr. Groh and Ms. Lamone expressed concerns about the use of the
voter-verifiable paper audit trail. These concerns included the
additional costs to jurisdictions of implementing these systems, and
the accessibility of such technologies to the disabled community. Ms.
Lamone also cited a Maryland study that indicated that the paper trail,
in addition to other verification technologies, was not ready for prime
time. Do you agree with these concerns? If so, why, and if not, why
not?
A4. In short: I agree with the concerns about cost; I do not agree with
the concerns about accessibility; I do not agree with Ms. Lamone's
characterization of the Maryland study. I provide my reasoning below.
I do share Mr. Groh and Ms. Lamone's concerns about
the costs of implementing systems that support voter-verified
paper records. Approximately 15 states have purchased paperless
voting systems that do not provide voter-verified paper records
[12]. Some of these paperless voting systems can be retrofitted
to produce a voter-verified paper trail, but in some cases
these systems cannot be easily upgraded or retrofitted with a
paper trail. Even when it is possible, retrofitting is not
cheap. Replacement is even more expensive, as it involves
throwing away equipment and replacing it with more modern
equipment. It is certainly understandable why states who have
made a significant investment into a particular voting system
would be reluctant to scrap these systems and incur significant
costs in replacing them. It is unfortunate that some states
bought paperless voting systems without realizing the security,
reliability, and transparency consequences of that action.
The costs would vary widely from state to state. Currently,
27 states require by law that all voting systems produce voter-
verified paper records, and another eight states have deployed
voting systems with voter-verified paper records even though
state law does not require it. In total, 35 states (70 percent
of states) have voting systems that already produce a paper
audit trail and would not need to be upgraded or replaced.
Those 35 states would not incur any cost. The remaining 15
states (30 percent) do not consistently use systems with a
paper audit trail statewide. In those states, some or all of
the voting equipment in the polling places would need to be
upgraded, retrofitted, or replaced. On the other hand,
equipment used for scanning absentee (mail-in) ballots, which
account for 30-40 percent of the vote in many states, would not
need to be changed.
Even within this class of 15 states, costs would vary by
state. At one extreme, some states use paperless DREs
throughout the state, and all of those DREs in every county
would need to be upgraded, retrofitted, or replaced. As best as
I can tell, there appear to be five states (DE, GA, LA, MD, SC)
in this category. Of those five states, two (GA, MD) use DREs
that would need to be completely replaced, because there is no
good way to upgrade or retrofit them with a paper trail; two
(LA, SC) use DREs for which an approved printer add-on is
already on the market; and I do not know whether retrofitting
is possible in the remaining state (DE). Obviously, replacing
all DREs is the most expensive possible case. At the other
extreme, in some states the voting equipment is not uniform
throughout the state and costs would be less in some counties
than in others. For instance, approximately 52 of Florida's 67
counties use optical scan voting machines plus one accessible
voting system (DRE or ballot marking device) per polling place;
upgrades for those counties would be less expensive, because
the optical scan machines would not need to be upgraded,
retrofitted, or replaced.
Costs will also vary according to the system that is in
use. Many modern DREs (e.g., the Diebold TSx, ES&S iVotronic,
Sequoia Edge, and Hart-Intercivic eSlate) can be upgraded to
produce a paper trail: approved printer units are available on
the market. Upgrading these DREs to add a printer might cost
approximately $500-$2000 per DRE, depending on the vendor. Some
older DREs (e.g., the Diebold TS) cannot easily be upgraded or
retrofitted with a paper trail, and would have to be replaced
with all new equipment. Buying new DREs normally costs about
$3000-$5000 per DRE. However, in some cases it may be cheaper
to replace the paperless DREs with a hybrid system using
optically scanned paper ballots. These hybrid systems require
purchasing one optical scan machine plus one accessible voting
machine (DRE with VVPAT or ballot marking device) per precinct,
and this equipment typically costs in the ballpark of $10,000-
$12,000 per precinct. Because an all-DRE solution usually
requires several DREs per precinct, hybrid systems using
optical scanners may come out cheaper. The cost advantages of
hybrid systems are more pronounced in states that require DREs
to display a full-face ballot, because full-faced DREs are
significantly more expensive than standard DREs [13]. I would
encourage jurisdictions to consider all available options.
In summary, I do not know what the total costs might be,
but I share Mr. Groh and Ms. Lamone's concerns that the costs
of implementing a voter-verified paper trail will be
significant in some states.
I do not agree with their concerns about the
accessibility of these voting systems to the disabled
community. The disabled community has praised the development
of touchscreen voting systems as providing major improvements
in accessibility, and rightly so: the accessibility benefits
are significant and real. However, voter-verified paper records
are in no way incompatible with these benefits. Today, every
major vendor who offers a touchscreen voting machine also
offers a version of that touchscreen machine that produces a
voter-verified paper record. Those VVPAT-enabled versions
provide the same accessibility support--audio interfaces, high-
contrast displays, sip-and-puff devices, booths designed for
wheelchair voters, and so on--as their paperless brethren do.
Adding a printer makes the machine no less accessible.
I believe security and accessibility do not need to be in
conflict; I believe we can have both. This is fortunate,
because I believe both security and accessibility are important
goals.
I understand that one concern is that visually impaired
voters will not be able to independently verify what is printed
on the voter-verified paper record. This concern is valid, but
I do not consider it a persuasive argument against voter-
verified paper records. If a blind voter does not trust the
voting machine to work correctly, then it is true that they
have no way to independently verify that their vote has been
recorded correctly. In other words, blind voters must rely upon
the voting software to work correctly, and they are vulnerable
to software failures; they have no independent means of
checking that the software is working correctly. This situation
is truly unfortunate. However, this is the case for all
currently available voting technologies, whether they print a
paper record or not. If the machine prints nothing, then the
blind voter still cannot independently verify that their vote
has been recorded correctly on electronic storage. To put it
another way, with paperless voting machines, neither sighted
voters nor blind voters have any chance to independently verify
their vote; with voter-verified paper records, sighted voters
can independently verify their vote, but blind voters cannot.
Voter-verified paper records do not make the independent
verification problem any worse for blind voters; they just fail
to make things better.
The policy question is whether it is valuable to improve
security and reliability for most voters, even if there are
some voters who are not helped by these measures (but are not
harmed by them, either) and remain without any means of
independent verification.
I do not agree with Ms. Lamone's characterization of
the Maryland study. At present, Maryland uses a paperless
touchscreen voting machine, called the Diebold TS. The Maryland
study was commissioned to study whether there exists any
technology currently on the market that could be used to
upgrade or retrofit the Diebold TS with a way for voters to
independently verify that their vote was recorded, and to
evaluate whether any of these are ready for use in real
elections. The Maryland study was specifically limited to
studying methods of upgrading or retrofitting the Diebold TS;
replacement was out of scope for the study. The conclusion of
the study was that there was no good way of upgrading the
Diebold TS that would be ready for use in the near future. I
have read the study carefully and I agree with that conclusion.
I agree with Ms. Lamone that the study was ``very thorough''
and ``provided some very valuable information.''
However, I disagree with Ms. Lamone's characterization of
the study as finding that ``the paper trail'' was not ``ready
for prime time.'' In fact, the Maryland study's findings were
more narrow than that. The Maryland study was asked not to
consider any technology that would require replacing Maryland's
Diebold TS machines; they were asked to consider only
technology for upgrading those machines, and they did so. It is
indeed justified to conclude from the study that none of the
systems for upgrading the Diebold TS are ``ready for prime
time.'' However, the study says nothing about the viability of
other, more modern voting systems that do provide a voter-
verified paper trail. The correct conclusion to draw from the
Maryland study is that if Maryland wants to adopt voter-
verified paper records, they will need to replace their
existing Diebold TS machines; retrofitting is not a viable
option. The study says nothing about whether existing, deployed
systems that provide a paper trail are ready for prime time. I
believe there are existing paper-trail systems that are already
ready for prime time.
Maryland is in an admittedly difficult position. Maryland
was one of the first states to adopt touchscreen voting
systems, and while the Diebold TS machines they bought were
thought by some to be adequate at the time, at present the
Diebold TS machines are no longer the most current technology.
The Diebold TS was not designed to provide a paper trail. Its
successor, the Diebold TSx, does provide a voter-verified paper
audit trail. The other major voting system vendors also sell
voting machines that do provide a paper trail. Not all states
are in the same position that Maryland is in: many states
already use systems with a voter-verified paper trail; and some
states have voting systems that do not currently provide a
voter-verified paper trail, but that can be upgraded or
retrofitted to provide a paper trail.
Q5. The 2005 VVSG contains an appendix on independent dual
verification systems that could perform the same functions as a voter-
verifiable paper audit trail. Is this technology being used in voting
systems today or is more research needed to make it operational? What
are the advantages and disadvantages of this technology? To what extent
are there other technologies that could perform the same function as a
voter-verifiable paper audit trail?
A5. No, this technology is not being used today in any deployed voting
system that I am aware of. More research would be needed to determine
whether the approach can be made operational. The future of this
approach is uncertain at this point.
The advantages and disadvantages of any particular system will
depend on how that system is designed and implemented. It is difficult
to comment on advantages and disadvantages in the absence of a fully
implemented system. I can only speculate.
One potential disadvantage is that evaluating whether these systems
meet the security requirements is likely to be significantly more
expensive for paperless independent dual verification systems than for
systems producing a voter-verified paper record, both because the
certification process would need to be overhauled, and because
assessing whether paperless independent dual verification systems are
secure is inherently more difficult than assessing whether systems with
a paper trail meet their security goals. Another potential disadvantage
of paperless independent dual verification systems is that it may be
harder for voters who do not have a degree in computer science to know
whether they should trust those systems. One motivation for seeking
paperless systems is that eliminating the need to handle or store paper
could make election administration more efficient. Also, ideally such a
system might provide visually impaired voters with a way to
independently verify their vote, which would be a significant
advantage. Unfortunately, no such method is known at present.
At present, it is an open question whether it will be possible to
develop a paperless voting system that can perform the same function as
a voter-verified paper trail. There does not appear to be any firm
consensus among computer scientists on whether such an alternative is
even possible, given the current state of technology; on what
directions are most promising to explore; or on how far off this goal
may be. I believe that more research is warranted, but that we should
not expect deployable replacements for paper anytime soon.
Q6. Have you conducted any studies of the problems/deficiencies of
paper-based systems?
A6. Yes. I have conducted studies that revealed some problems and
deficiencies in certain paper-based systems. I have not attempted to
undertake any study to exhaustively categorize all possible problems or
deficiencies that can arise with paper-based systems. Of course, the
history of paper-based elections in this country dates back at least
two hundred years, and it is well-known that they can be susceptible to
certain kinds of problems (e.g., problems in the handling,
transportation, or storage of paper ballots) if elections are not well-
administered.
Q6a. Is your support for a voter-verified paper record principally
motivated by confidence in paper-based systems or a lack of confidence
in direct recording electronic systems? If the former, what is the
source of this confidence? If the latter, on what basis do you conclude
that paper-based systems are necessarily superior?
A6a. My support for voter-verified paper records is motivated both by
confidence in paper-based elections (if they are administered well) and
by my lack of confidence in paperless DRE machines.
My confidence in systems that produce voter-verified paper records
and include routine manual audits is based on my study of these systems
and on analysis of their security properties. My confidence in these
systems is based on the ability of voters to verify for themselves that
their vote was recorded as they intended, and on the ability of
observers to verify that votes were counted correctly and to exercise
effective oversight of the process.
My lack of confidence in paperless DRE machines is based on my
study of these systems, on analysis of these systems in the open
literature [14], and on the documented security flaws and failures of
these systems. For instance, the Brennan Center report found that with
paperless DRE machines, a single malicious individual with insider
access may be able to switch votes, perhaps undetected, and potentially
swing an election. The analysis in the Brennan Center report also found
that systems that produce voter-verified paper records and include
routine manual audits are significantly more secure against these
threats than paperless DRE machines.
Q7. Do you foresee any problems that might arise in jurisdictions
utilizing a voting system that attaches printers to Direct Record
Electronic voting machines? What do you think they might be?
A7. Yes. There are several issues such jurisdictions may want to be
aware of.
First, the introduction of printers raises questions of printer
jams and the reliability of these devices. California's solution to
this problem has been to adopt volume testing, where approximately
10,000 ballots are cast on 50-100 machines in a mock election. Volume
testing seems to be effective in weeding out unreliable machines and
improving the reliability of voting machines--including their
susceptibility to printer jams. The first such volume test found
serious printer jam problems in one voting system; fortunately, the
vendor was able to correct those problems, and subsequently their
system passed the volume testing with no serious problems. California
has now certified several DRE voting machines that come with a
printer, and these systems appear to provide a satisfactory degree of
reliability.
Second, a voter-verified paper record is only effective in
proportion to the number of voters who actually verify the paper record
as they cast their ballot [15]. Consequently, jurisdictions may wish to
consider undertaking voter education to inform voters of the importance
of checking the accuracy of the voter-verified paper record.
Third, there is no point in printing a voter-verified paper record
if those paper records will never be used or examined by election
officials for their intended purpose, i.e., to check vote counts. For
this reason, it is important that the jurisdiction create procedures
specifying the conditions under which those paper records will be
inspected, and what will be done in case of a discrepancy between the
paper record and the electronic record. My own recommendation is that
jurisdictions adopt routine manual audits; that discrepancies trigger
an investigation; that any unexplained discrepancies discovered trigger
a manual recount; and that in the event of a discrepancy between the
electronic record and paper record, the paper record verified by the
voter should have a (rebuttable) presumption of accuracy unless there
is some specific reason to believe that the paper records are
inaccurate or incomplete.
Fourth, in any election system that uses paper, the handling,
transportation, and storage of the paper records is crucial. It is
important that jurisdictions establish procedures to establish a good
chain of custody for paper ballots and paper trails. For instance,
analysis performed by the Brennan Center shows that, if the chain of
custody is done poorly, jurisdictions may still be vulnerable to fraud,
no matter what voting technology they use.
Finally, and most importantly, the success of an election is
determined by more than just technology: it depends crucially on the
people who run the election and the processes and procedures they use.
Effective and competent election administration is crucial--and
printers do not eliminate this important requirement.
Questions submitted by Democratic Members
Q1. Dr. Wagner, to what extent do voting system security
vulnerabilities outlined in the Brennan Center Study reflect weaknesses
in the 2002 standards and current certification process? To what extent
have those weaknesses been addressed in the 2005 version of the voting
systems guidelines and proposed certification process?
A1. The threats outlined in the Brennan Center study reflect
significant gaps in the 2002 standards and in the current certification
process. The Brennan Center study identified potential threats to
voting systems that are not addressed by the 2002 standards or by the
current certification process.
Those gaps have not been addressed in the 2005 standards or the
certification process it proposes. The Brennan Center study suggested
six concrete recommendations to improve the security of elections. None
of those are required or recommended by the 2005 standards. In some
cases, the 2005 standards take stances that are directly at odds with
the recommendations of the Brennan Center study. For instance, the
Brennan Center study recommended banning all wireless communications,
yet the 2005 standards explicitly allow wireless communications under
certain conditions. One lesson from the Brennan Center study is that
the best defense against these threats is the use of voter-verified
paper records with routine manual audits; however, the 2005 standards
do not require voter-verified paper records or manual audits. If voter-
verified paper records are not in place, the Brennan Center recommended
that parallel testing be used as a stop-gap; however, the 2005
standards do not require parallel testing, and very few states
currently undertake the effort (and expense) of parallel testing.
Q2. Dr. Wagner, what additional measures need to be taken at the
federal level to reduce the incidence of voting system vulnerabilities
and problems across the U.S.?
A2. Please see my answers to Question 1, starting on page 1, for
detailed suggestions.
The most significant step that could be taken is to mandate that
all voting systems provide voter-verified paper records, and that
jurisdictions perform routine manual audits of these records. Also, it
would help to conduct more rigorous testing of voting machines,
performed by truly independent authorities, using testing methods based
on the best scientific and engineering understanding from each
applicable discipline and performed by experts from each relevant
field; to invite outside security experts to perform independent
security evaluations of all voting systems before certification; to
increase transparency surrounding the federal testing and qualification
process; to begin enforcing the existing security requirements already
in the standards; to strengthen the security requirements and testing
processes so they reflect the latest understanding of voting systems;
and to disclose the source code of all voting systems.
Q3. Dr. Wagner, why do you believe that electronic voting machines
cannot be trusted?
A3. If the electronic voting machines are accompanied by a voter-
verified paper trail and routine manual audits, and if they are used
properly, I believe that they can be trusted. Under these
circumstances, they may offer some significant advantages.
However, I do not believe that paperless electronic voting machines
can be trusted. The evidence that would be required to trust them is
nowhere to be found.
It is beyond the state-of-the-art to verify that the software and
hardware used in voting systems will work correctly on election day.
For instance, how do we know that a programmer at the vendor has not
introduced malicious logic into the voting system? The short answer is
that we don't. Malicious logic that has been introduced into a voting
system could, for instance, switch five percent of the votes away from
one candidate and to the benefit of some other candidate; in a close
race, this might make the difference between winning and losing, and
such an attack might be very hard to detect. At present, we have no
good ways to gain any confidence that our voting systems are free of
malicious code; that is beyond the state-of-the-art [16]. Consequently,
it seems there is little alternative but to assume that, for all we
know, our voting systems could potentially be tampered with to
introduce malicious code that will be triggered in some future
election.
A second significant concern arises due to the possibility of
defects unintentionally introduced into voting systems. Modern
electronic voting systems are a highly complex assembly of software and
hardware, and there are many things that can go wrong. It is not
possible, given the current state of technology, to verify that voting
systems are free of defects, flaws, and bugs, or to verify that they
will record and count votes correctly on election day; given the
complexity of modern voting systems, this is beyond the state-of-the-
art.
Consequently, at the moment there seems to be little or no rational
basis for confidence in paperless electronic voting machines [17]. In
the end, it's not up to voters to take it on faith that the equipment
is performing correctly; it's up to vendors and election officials to
prove it.
Q4. Dr. Wagner, why is it that most security experts and computer
scientists believe it is necessary to regularly audit voter-verified
paper trails?
A4. Routine audits are crucial if we are to trust electronic voting
[18, 19]. With both DREs and optically scanned paper ballots, it is
important to routinely spot-check the paper records against their
electronic counterparts. As I explained in my response to Question 3,
there is no basis for confidence in the electronic records produced by
electronic voting systems--we cannot know, a priori, whether they are
correct or not. Given the stakes, we have to be prepared for the worst:
that the electronic records may be inaccurate or corrupted. The purpose
of a manual audit of the voter-verified paper records is to confirm
whether or not the electronic records match the paper records verified
by the voter.
The paper records verified by the voter are the only records that
we can rely upon to be accurate: they are the only hard copy record of
voter intent, and they are the only records that the voter has the
chance to inspect for herself. It would be perfectly adequate, from a
security point of view, to simply discard the electronic records and to
manually count all of the voter-verified paper records (without the
assistance of computers). Such a 100 percent manual count would produce
results that could not be corrupted by computer intrusions, malicious
logic, or software defects. However, manual counting of paper records
is labor-intensive and costly. Given the number of contests on a
typical American ballot today, routine 100 percent manual counts are
probably not economically viable.
To address these concerns, voting experts have devised an
alternative that preserves the cost-efficiency of electronic vote
counting with the trustworthiness of 100 percent manual counts [20].
This alternative is based around machines that produce voter-verified
paper records along with routine manual audits. During the audit, the
paper records from some percentage (perhaps one percent or five
percent) of the precincts are manually counted; then the paper tallies
are compared to electronic tallies. If they match exactly in all cases,
then this provides evidence that the electronic vote-counting software
produced the same vote totals that a 100 percent manual count would
have produced, which provides a rational basis for confidence in the
election outcome. On the other hand, any mismatches discovered during
the audit indicate that something has gone wrong. This provides an
opportunity to identify the problem and remedy it, if possible, or to
perform a 100 percent manual recount if the problem cannot be
identified.
Consequently, routine manual audits are the best way to ensure that
the electronic vote-counting systems are working correctly; to discover
and recover from major failures of the electronic vote-counting
software; to prevent and deter large-scale vote fraud; to provide
transparency; and to give election observers evidence that the election
was performed correctly. If done right, these audits provide us with a
powerful defense against errors and election fraud: the paper records
are a cross-check on the electronic records, and the electronic records
are a cross-check on the paper. It is for these reasons that I
recommend routine audits be used across the board, for both DREs and
optically scanned paper ballots.
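The routine audit described in A4, worked through as an added example (it is not part of Dr. Wagner's written response or of the hearing record): a percentage of precincts is drawn at random, their hand counts are compared with the electronic tallies, and any mismatch triggers escalation. It goes one step beyond the answer by computing how likely a sample of a given size is to include at least one precinct with a wrong electronic tally. The precinct names, tallies, seed string and function names are constructed for illustration.

```python
"""Precinct-sample manual audit: select, compare, and estimate detection odds."""
import math
import random

# Constructed sample data: hand counts of the paper records and the
# electronic tallies for three precincts. P02's electronic tally is wrong.
PAPER_COUNTS = {
    "P01": {"Candidate A": 120, "Candidate B": 95},
    "P02": {"Candidate A": 80, "Candidate B": 101},
    "P03": {"Candidate A": 64, "Candidate B": 70},
}
ELECTRONIC_COUNTS = {
    "P01": {"Candidate A": 120, "Candidate B": 95},
    "P02": {"Candidate A": 70, "Candidate B": 111},
    "P03": {"Candidate A": 64, "Candidate B": 70},
}


def detection_probability(total, corrupted, audited):
    """Chance that `audited` precincts drawn uniformly without replacement
    from `total` include at least one of the `corrupted` precincts."""
    if not 0 <= corrupted <= total or not 0 <= audited <= total:
        raise ValueError("counts must lie between 0 and total")
    # P(sample misses every bad precinct) = C(total-corrupted, audited) / C(total, audited)
    miss = math.comb(total - corrupted, audited) / math.comb(total, audited)
    return 1.0 - miss


def precincts_needed(total, corrupted, confidence):
    """Smallest sample size whose detection probability reaches `confidence`."""
    for audited in range(total + 1):
        if detection_probability(total, corrupted, audited) >= confidence:
            return audited
    return total  # unreachable confidence (e.g. corrupted == 0): count everything


def select_precincts(precinct_ids, percent, seed):
    """Draw `percent` percent of precincts (rounded up, at least one).

    Assumption: `seed` is produced in public (for example by dice rolls)
    after the electronic tallies are committed, so observers can re-run
    the draw and nobody can predict which precincts will be checked.
    """
    ids = sorted(precinct_ids)
    count = max(1, (len(ids) * percent + 99) // 100)  # integer ceiling
    return sorted(random.Random(seed).sample(ids, count))


def compare_tallies(paper, electronic, selected):
    """Return (precinct, choice, hand_count, machine_count) for every mismatch."""
    mismatches = []
    for pid in selected:
        hand, machine = paper[pid], electronic[pid]
        for choice in sorted(set(hand) | set(machine)):
            h, m = hand.get(choice, 0), machine.get(choice, 0)
            if h != m:
                mismatches.append((pid, choice, h, m))
    return mismatches


def run_audit(paper, electronic, percent, seed):
    """One audit pass. Any mismatch means the audit must escalate:
    investigate the cause or, failing that, count all paper records."""
    selected = select_precincts(list(electronic), percent, seed)
    mismatches = compare_tallies(paper, electronic, selected)
    return {"selected": selected, "mismatches": mismatches,
            "escalate": bool(mismatches)}


if __name__ == "__main__":
    # With 1000 precincts of which 10 have wrong electronic tallies,
    # compare the one percent and five percent audits mentioned in A4.
    for pct in (1, 5):
        p = detection_probability(1000, 10, 1000 * pct // 100)
        print(f"{pct}% audit catches at least one bad precinct with p={p:.3f}")
    print("precincts for 95% confidence:", precincts_needed(1000, 10, 0.95))
    print(run_audit(PAPER_COUNTS, ELECTRONIC_COUNTS, 100, "constructed-seed"))
```

The probability figures assume the sample is drawn uniformly at random and that each hand count is itself accurate.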
Q5. Dr. Wagner, why is inspection of machine software and hardware not
sufficient for trusting a voting system?
A5. As explained in my response to Question 3, it is beyond the state-
of-the-art to verify through inspection that the machine software and
hardware will work correctly on election day. Given the current state
of technology, it is not feasible to verify that the machine software
and hardware is free of malicious logic, nor is it feasible to verify
that the machine software and hardware is free of defects, flaws, and
bugs.
Modern voting software and hardware is too complex to inspect
completely. The software in a typical voting machine might contain
hundreds of thousands of lines of source code. If all of this source
code were to be printed on paper, it would fill thousands of sheets of
paper. Each line of source code would have to be inspected manually by
software experts, and these experts would have to understand how those
lines of source code might interact with each other. This task is too
complex to perform with 100 percent confidence; it is simply too easy
to miss problems.
The U.S. Tax Code might provide a useful analogy [21]. The tax code
also contains thousands of pages of material, and probably no one
person understands it in its entirety. The tax code is infamous for
containing loopholes that aren't obvious on first inspection; so, too,
can source code contain malicious code or defects that aren't obvious
on first inspection. At the same time, tax code is written to be
interpreted by human judges, who might apply some degree of common
sense from time to time; in comparison, software is executed by
computers, who are unfailingly literal-minded, so while small
ambiguities in the tax code might be minor, small ambiguities in
software can be catastrophic. The analogy to the tax code is decidedly
imperfect, but it might help provide some intuition about why
inspection of voting software and hardware is not sufficient to trust a
voting system, given the current state of technology.
A second difficulty is that, given current practice, it is
difficult to be sure that the software and hardware that is running on
the machine on election day is the same as what has been inspected. The
existing technology does not provide any way to verify what software is
running on the voting machine. Moreover, some machines have known
security vulnerabilities that could allow an attacker to modify the
software installed on the machine, so that the software executed on
election day differs from the software that was inspected and
certified. Also, there have been documented cases where uncertified
versions of software were inappropriately installed and used in
elections [22,23,24,25].
At the same time, despite these limitations, inspection does have
benefits. While it is not sufficient on its own to provide a basis for
trust in voting systems, inspection--if done right--is still a good
idea that can help reduce the number of voting system failures.
Unfortunately, today's voting systems are not currently subject to any
meaningful form of inspection by independent parties. The source code
is kept secret by vendors, and access is tightly restricted. The
federal testing labs--one of the few parties who are routinely given
access to voting source code--do not perform meaningful inspections of
source code. (The limited inspection that federal testing labs perform
is more analogous to running a spell-checker on a student essay than to
checking whether the writing in the essay is grammatical, coherent,
meaningful, or persuasive.) In the few cases where independent experts
have had the chance to inspect voting source code, they have often
found serious flaws in these products which the testing labs overlooked
[26]. Consequently, I believe that broader inspections of voting system
software and hardware would help improve the reliability and security
of elections, even though they are not on their own sufficient and
would need to be supplemented with voter-verified paper records and
routine manual audits.
Notes
1. David Wagner, Written testimony before U.S. House of
Representatives at joint hearing of the Committee on Science and
Committee on House Administration, July 19, 2006.
2. ``Public Comment on the 2005 Voluntary Voting System Guidelines,''
ACCURATE Center, submitted to the United States Election Assistance
Commission, September 2005.
3. Douglas W. Jones, ``Voting System Transparency and Security: The
need for standard models,'' written testimony before the EAC Technical
Guidelines Development Committee, September 20, 2004.
http://www.cs.uiowa.edu/jones/voting/nist2004.shtml
4. Peter G. Neumann, Written testimony before the California Senate
Elections Committee, February 8, 2006.
http://www.csl.sri.com/neumann/calsen06.pdf
5. Aviel D. Rubin, Written testimony before the Election Assistance
Commission, May 5, 2005. http://avirubin.com/eac.pdf
6. Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin, and Dan S.
Wallach, ``Analysis of an Electronic Voting System,'' May, 2004.
7. RABA Innovative Solution Cell, ``Trusted Agent Report: Diebold
AccuVote-TS System,'' January 20, 2004.
8. Harri Hursti, Black Box Voting, ``Critical Security Issues with
Diebold Optical Scan,'' July 4, 2005.
9. ``Security Analysis of the Diebold AccuBasic Interpreter,'' Report
of the California Secretary of State's Voting Systems Technology
Assessment Advisory Board, February 14, 2006.
10. Harri Hursti, Black Box Voting, ``Critical Security Issues with
Diebold TSx,'' May 11, 2006.
11. Douglas W. Jones, ``Connecting Work on Threat Analysis to the Real
World,'' June 8, 2006.
12. ``The Machinery of Democracy: Protecting Elections in an
Electronic World,'' Brennan Center Task Force on Voting System
Security, June 27, 2006.
13. New Yorkers for Verified Voting, ``Analysis of Acquisition Costs
of DRE and Precinct Based Optical Scan Voting Equipment for New York
State,'' April 13, 2005.
http://www.nyvv.org/doc/AcquisitionCostDREvOptScanNYS.pdf
14. Barbara Simons, ``Electronic voting systems: the good, the bad,
and the stupid,'' ACM Queue 2(7), October 2004.
15. Justin Moore, ``How Effective is an Occasionally-Used Paper
Ballot?'' http://www.cs.duke.edu/~justin/voting/paper-effectiveness.pdf
16. Jonathan Bannet, David W. Price, Algis Rudys, Justin Singer, Dan
S. Wallach, ``Hack-a-Vote: Demonstrating Security Issues with
Electronic Voting Systems,'' IEEE Security & Privacy Magazine 2(1),
January/February 2004, pp. 32-37.
17. David L. Dill, Bruce Schneier, Barbara Simons, ``Viewpoint: Voting
and technology: who gets to count your vote?'' CACM 46(8), August 2003.
18. Douglas W. Jones, ``Auditing Elections,'' Communications of the
Association for Computing Machinery 47(10), October 2004, pp. 46-50.
19. Aviel D. Rubin, Written testimony before the Election Assistance
Commission, June 30, 2005. http://avirubin.com/vote/eac2.pdf
20. Roy G. Saltman, ``Final Project Report: Effective Use of Computing
Technology in Vote-Tallying,'' NBSIR 75-687, prepared for the
Clearinghouse on Election Administration, May 1975.
21. This analogy is taken from Barbara Simons, Jim Horning, ``Risks of
technology-oblivious policy,'' CACM 48(9), Sept. 2005.
22. ``Staff Report on the Investigation of Diebold Election Systems,
Inc.,'' Presented before the California Voting Systems and Procedures
Panel, April 20, 2004.
http://www.openvotingconsortium.org/files/shelly-diebold-reportapril20-final.pdf
23. ``Phase II County Voting System Review,'' R&G Associates, April
19, 2004.
http://web.archive.org/web/20041108230726/http://www.ss.ca.gov/elections/ks-dre-papers/rg-phase-II-revised-report.pdf
24. ``E-Voting Undermined by Sloppiness,'' Kim Zetter, Wired News,
December 17, 2003. http://www.wired.com/news/evote/0,2645,61637,00.html
25. ``Diebold: Voting machine maker dinged in CA: Auditor says
software wasn't approved,'' Elise Ackerman, Mercury News, December 17,
2003.
26. Douglas W. Jones, ``Misassessment of Security in Computer-Based
Election Systems,'' Cryptobytes 7(2), Fall 2004, pp. 9-13.
Answers to Post-Hearing Questions
Responses by John S. Groh, Chairman, Election Technology Council,
Information Technology Association of America
Questions submitted by Chairman Vernon J. Ehlers and Chairman Sherwood
L. Boehlert
Q1. In his testimony, Dr. Wagner recommended that the Technical
Guidelines Development Committee (TGDC) and the Election Assistance
Commission (EAC) take the following actions to improve security and
reliability of voting systems. For each recommendation listed below,
please answer these questions: Do you agree with the recommendation? If
so, to what extent and how are voting systems manufacturers
implementing the recommendation? If not, why not?
Q1a. Mandate voter-verified paper records and mandatory manual audits.
A1a. Mandated voter-verified paper records: Although today's voting
equipment is reliable, accurate, and secure, the ETC and its members
recognize that some jurisdictions and/or states prefer the option of a
voter-verifiable paper audit trail (VVPAT). In response, most vendors
developed VVPAT technical options to meet that customer need. At this
time, some states (over half) have developed legislation requiring
VVPAT, but the cost of providing that equipment is the burden of the
state or jurisdiction. Before a federal agency mandates the use of
VVPATs, the ETC recommends that current VVPAT usage be monitored to
learn from real-world experience with the technology. Also, it should
be anticipated that additional federal funding will be needed to
accommodate that mandate.
Mandatory manual audits: The ability to audit an election as
prescribed by HAVA and other laws, rules, and regulations is an
important requirement of all voting systems available today. However,
whether or not those audits are manual or automatic is a state or local
decision. The ETC and its members regularly work with jurisdictions
and/or states to implement and comply with specific election processes
and procedures. In considering federally mandated manual audits, it is
important to keep in mind that manual audits can provide a verification
of election results, but due to human error, a manual audit can also
create additional issues that would have to be anticipated and
addressed during implementation. Further, there are costs involved in
performing manual audits. If a federal agency mandates a manual audit,
then additional federal funding will be needed to accommodate that
mandate.
Q1b. Expand standards from focusing primarily on functionality testing
to incorporate technical evaluations of the security, reliability, and
usability of voting machines.
A1b. The EAC 2005 voting systems guidelines expand upon the FEC 2002
standards, particularly in the areas of security, reliability and
usability. However, tests and measures for these requirements have not
yet been fully defined to where the tests are objective and repeatable.
The ETC and its members, as stakeholders, have contributed to
development of the 2005 guidelines and have offered public comment on
their implementation. In general, our belief is that technical and
functional evaluations are both important aspects of the testing
process. In fact, technical evaluations against the federal
requirements have always been a part of federal certification. (Please
see the attached overview of the current federal certification
process.) Therefore, standards, and accompanying testing, should not
focus only on technical or functional aspects of voting equipment, but
rather continue to include both in balance.
In addition, federal standards should not be too prescriptive or
restrictive. Overregulation by the Federal Government could lead to
higher costs, could stifle innovation by slowing reaction to necessary
change or technological advances to meet emerging needs, and could
intrude on state and local authority or practices.
In considering additional federal action in this area, it is
important to keep in mind that the intent of the federal requirements
for voting systems has been to establish a ``minimum'' standard for
evaluating voting systems. Each state has the authority to mandate a
higher level and quite a few do require a higher State-level
certification standard. However, between states there are sometimes
conflicting requirements and there are also issues which are under the
authority of the state and not the Federal Government. In the past, the
federal standard has tried to not conflict with individual state
requirements and to not create requirements which are under a state's
authority to mandate. These elements need to be taken into
consideration whenever improving the federal standard.
Q1c. Eliminate conflicts of interest in the federal testing process by
establishing a new funding process whereby Independent Testing
Authorities (ITA) are not paid by the vendors whose systems they are
testing.
A1c. There is no influence that the vendors have over the work that the
ITAs perform. The ITAs are testing to a standard as they would test any
system to a standard. The ITAs are accountable to the EAC for the
testing to that standard, regardless of whether the ITAs are paid by
the vendors or by some other funding mechanism.
This situation is similar to when a car owner takes a car into an auto
service shop for required state emission testing to meet federal or
state standards. The car owner pays for the testing; however, he or she
has no influence over whether the vehicle passes the test or not. The
service shop is accountable to the state or local jurisdiction for
testing to the required standard.
While there may be other issues to consider in evaluating the
merits of providing federal funding for this function, conflict of
interest need not be one of them.
Q1d. Reform the federal testing process to make all ITA reports
publicly available and documentation and technical package data
available to independent technical experts.
A1d. The EAC is reforming the format of the ITA reports so that they
may be released to the public without compromising intellectual
property. The ETC vendor members endorse the public release of the
testing process and the testing results. The ITA reports that exist
today could be released to the public if they didn't contain the
intellectual property that is inherently embedded into them. The ETC is
hopeful that the EAC's reformatting of the ITA reports will allow the
testing information to be publicly available.
However, the Technical Data Packages (TDPs) contain intellectual
property of commercial value to the vendor and therefore are held as
confidential and cannot be released to the public. The TDP could be
made available to designated independent technical experts but only
with acceptable and binding non-disclosure agreements signed between
the independent expert and the vendor. Vendors have invested millions
of dollars in research and development to produce their product lines
and to compromise that investment without compensating the vendor would
not be economically viable.
Q1e. Require broader disclosure of voting system source code, at a
minimum to independent technical experts under appropriate non-
disclosure agreements.
A1e. See response above for question (d).
Q1f. Institute a process for collecting, investigating, and acting on
data from the field on performance of voting equipment, including a
mechanism for interim updates to the standards to reflect newly
discovered threats to voting systems.
A1f. Although we would need additional detail about the form, function,
and approach, the ETC agrees with the general concept. Currently, there
is a lot of misinformation about the performance of voting equipment.
As a result, voter confidence is unnecessarily compromised. It could be
beneficial to the public to task an agency which understands the
environment and ``totality of circumstances'' in which voting equipment
is used as an entity to investigate issues and report objectively on
their factual findings. That effort could provide a level of
transparency for the public and a level of fairness and truth in
reporting to the election industry and the general public.
Q1g. Increase the representation of technical experts in computer
security on the TGDC.
A1g. If the tests and measures defined are objective and repeatable,
increasing the representation of computer security experts will not add
any value; it would not matter who tested the equipment, as the results
would be similar. With subjective tests and measures, having more
technical experts will just provide more differing opinions without
agreement. Passing the security tests would then be a matter of who
tested it and not whether it met a standard. The goal should be to
define more objective tests and measures for security requirements, and
on this point computer security experts could play a role. An effort
was made but never concluded during the IEEE P1583 project to gain
agreement on an objective and repeatable set of tests and measures to
evaluate voting system security. Computer security experts could focus
their efforts on completing the process.
Q2. How do you think the sections of the 2005 Voluntary Voting Systems
Guidelines (VVSG) that deal with security should be improved? Do you
think that the way in which security for voting systems is tested needs
to change, and if so, how, and if not, why not?
A2. Although the 2005 VVSG have enhanced the security requirements for
voting systems, the testing of those requirements has not been well
enough defined. The tests currently proposed are very subjective, if
they exist at all. Studies need to be performed to develop tests and
measures that are objective and repeatable, otherwise, success in
testing will be a matter of who tests the equipment and not the
standard to which it is tested. If tests and measures are objective and
repeatable, it should not matter who tests a voting system as the test
results should be the same or similar between testers.
Q3. In your testimony you described an idea for phased implementation
of the 2005 VVSG. Please explain in more detail how a phased
implementation would work? Are there parts of the 2005 VVSG that could
be implemented now?
A3. Voting systems certified to the 2002 federal standards should be
grandfathered-in under the 2005 standard until additional federal
funding is provided to states and local jurisdictions to support
purchasing of newly upgraded equipment. Additionally the timeframe for
transition to a new voting system certified under the 2005 VVSG could
be allowed over an eight year period, or two voting cycles.
Q4. The 2005 VVSG contains an appendix on independent dual
verification systems that could perform the same functions as a voter-
verifiable paper audit trail. Is this technology being used in voting
systems today or is more research needed to make it operational? What
are the advantages and disadvantages of this technology? To what extent
are there other technologies that could perform the same function as a
voter-verifiable paper audit trail?
A4. Independent dual verification (or IDV) is a good concept, but there
are technological as well as economic and usability factors that must
be considered before implementing such a solution. This includes:
Complexity for the voter and poll worker.
Added costs for the jurisdiction in having two
independent systems for each voting station (including
material, storage, transportation)
Currently, some claim that other technologies could perform the
same function as a VVPAT, however it is important to point out that,
when compared to paper, those technologies are more complex for voters
and poll workers to understand and trust, and those technologies are
more costly than paper-based verification systems. Any requirement must
be valued and measured against the real-world application and use. The
goal should be to make the voting process easier for all voters and to
encourage them to come out and vote, not to add additional complexities
that may have the opposite effect.
Questions submitted by Democratic Members
Q1. Mr. Groh, do vendors currently provide election officials with
documentation that explains the security features of their systems that
they sell and the procedures required for an election to be secure? If
not, is this something they should provide to election officials?
A1. Yes, vendors do provide election officials with documentation that
explains the security features of their systems. Vendors also provide
best practices on using the equipment securely; however, it is up to the
State and the Local Election jurisdiction to establish and perform
those processes as they establish as best practices.
Q2. Mr. Groh, do you have any concerns about how to interpret the 2005
standards/guidelines? Are you satisfied with mechanisms for addressing
questions and issues arising from the guidelines during the two-year
transition period?
A2. Yes, the ETC members do have concerns on the interpretation of the
2005 VVSG. First, there is some ambiguity in the standards that will
require interpretation, and certain clarifying answers will be
profound. Second, some requirements conflict with one another and will
have to be resolved. Third, some requirements are not yet
technologically feasible and/or will likely impact overall cost of
the newly enhanced equipment. Finally, currently there are requirements
that do not have well defined tests if they have any tests defined at
all. Some of the tests are very subjective in their measurement and
could depend on who performs the test as to whether a voting system
will pass or fail. The pre-established tests for each requirement
should be objective and repeatable so that it does not matter which ITA
performs the test.
The mechanisms for addressing questions and issues are still being
defined by the EAC. Those mechanisms will likely not be implemented
until the EAC adopts a Full Certification Process in December 2006.
Currently, the EAC has only adopted an Interim Certification Process
which only allows modifications to existing certified voting systems to
be tested and does not allow a vendor to submit a new product or
accessory for federal certification under the 2005 VVSG.
Prior to the date when those mechanisms are implemented for 2005
VVSG certification, the ETC is working with NIST (the authors of the
2005 VVSG) to better understand the intent of the new requirements so
that voting systems can be developed to comply. However, as there will
likely be a learning curve in applying the new standard to evaluations
of voting systems, and a learning curve in applying the new
interpretation mechanisms, there will likely be delay in the
certification of voting systems to the VVSG 2005 standard.
The ETC members have been in contact with the EAC, formally asking
for more clarity on the new certification process and procedures they
are rolling out. We have received feedback, but there are still open
questions we are working with the EAC to reach full clarification.
Regarding opportunities to address questions and issues
pertaining to implementation of the 2005 guidelines, the ETC and its
members are still awaiting clarification of the actual mechanisms for
doing so. We do, as described above, have concerns and would welcome
the opportunity to engage in direct discussion and deliberation about
the challenges we and election administrators could face. At this
point, our input has been limited to working with NIST (the authors of
the 2005 VVSG) to better understand the intent of the new requirements
so that voting systems can be developed to comply.
Q3. Mr. Groh, does ITAA or its Election Technology Council specify or
endorse any testing or product quality standards or processes for its
members that supplement the Election Assistance Commission's voting
system standards? If so, what are they?
A3. The Election Technology Council does not specify or endorse testing
or product quality standards or processes. Rather, we contribute to the
guideline and standards development process by providing our expertise
as developers and Subject Matter Experts (SMEs) of voting technology.
The current federal standards process is thorough and rigorous, but
also on-going and regularly updated to reflect emerging needs or
technical opportunities. This process has worked well to incent
continually updated and enhanced voting system options.
At the same time, the federal standards provide a minimum
benchmark. States and jurisdictions are able to expand and mandate
higher standards than the EAC's standard. In fact, many states do have
laws and rules which require testing and product quality above the EAC
standard.
Q4. Mr. Groh, reports of problems in Indiana, West Virginia, Michigan
and Texas elections--among others--indicate that voting systems are
being delivered to jurisdictions for the 2006 election with reliability
and accuracy problems that could affect election results. What steps
are your organization and its membership taking to respond to actual
and potential voting system problems that have surfaced during recent
primaries?
A4. The ETC is a trade association and cannot comment on the specific
issues of individual member companies. A vendor member company would
have to provide information to specific reported issues with their
systems and the state or local election jurisdiction they serve.
However, in general, it is important to keep in mind that
implementation of the Help America Vote Act has created the greatest
transformation in the way elections are run since the Voting Rights Act
of the 1960s. This is a time of tremendous change and that change has
presented challenges to not only election vendors, but election
officials and voters, as well. In each case, it is important to keep in
mind the human element in carrying out elections, and that vendors and
election officials have a shared responsibility in the process. Though
reliability of the voting equipment is critically important, so too are
processes, procedures, and training.
Q5. Mr. Groh, you warn that election officials must exercise caution
against taking shortcuts in important areas such as training, testing
and preparation. Could you provide some examples of what you are
talking about and are there cases where this is taking place?
A5. The observation was a general one related to the importance of
thorough training, testing, and election preparation. With the
compressed timeline against nationwide implementation of the Help
America Vote Act, it is important to emphasize that these areas must
not be compromised and, in fact, must be enhanced given the greater
complexities around newer voting technology. Specific examples would
include training on ADA sensitivity; voter outreach; poll worker
training; and total system pre-election testing of equipment.
Q6. Mr. Groh, you mention that increasing complexity required of
voting systems by the standards/guidelines is creating a need for more
user training and that the vast majority of problems experienced with
voting systems are attributable to insufficient training and
preparedness in the polling place. Would you describe the training and
operation manuals your membership provides to local election officials?
A6. The Election Technology Council does not develop or provide
training and operation manuals to local election jurisdictions. Each
vendor company develops training and operation documentation relevant
to their own specific voting systems. In addition, most have developed
materials specifically geared toward educating voters about the use of
new voting systems for use by the local election jurisdictions. From
the ETC perspective, it is important to point out that even with the
detail of the manuals provided to local jurisdictions, to be effective,
these materials must be read, they must be used, and, they must be
localized to include jurisdiction-specific processes, procedures,
policies, and documentation.
In addition, the Election Assistance Commission (EAC) has developed
material providing best practices-based guidance to elections officials
and is in the process of developing and releasing by end of September
2006 a newly revised edition of ``Best Practices Guidelines'' which
will complement the ``Quick Start Guide'' they released in June 2006.
Q7. Mr. Groh, Dr. Wagner made a number of short-term recommendations
based on the Brennan Center report that he believes could improve the
security and reliability of voting equipment that will be used this
November. These recommendations include routine audits of voter-
verified paper records, performing parallel testing of voting machines,
adopting procedures for investigating and responding to evidence of
fraud or error, and banning voting machines with wireless capabilities.
Would you please comment on these suggestions?
A7. First, it is important to state that the ETC members take strong
exception to much of Dr. Wagner's testimony. In our response to other
questions from the committee, we provide comment on some of the general
concepts contained in Dr. Wagner's recommendations. Overall, in
response to his testimony, it is important to point out that the ETC
endorses recommendations to enhance the security and integrity of
elections by using the voting systems security features which were
designed to be used in concert with security procedures and personnel.
For more perspective on the Brennan Center Task Force report on
voting system security, please read the Election Technology Council
response. It is available for review and download at:
http://www.electiontech.org/downloads/ETC-BRENNANCENTER%20RESPONSE-FINAL.pdf
Q8. Mr. Groh, Dr. Wagner's testimony outlines problems that we
frequently see reported in news articles about problems with voting
equipment. In addition to his comments on the current status of voting
equipment, he makes a number of longer-term recommendations, many of which
focus on conformance criteria and testing of voting machines. Would you
please comment on these recommendations?
A8. Please see response to question 7 above and responses to other
questions from the Committee.
Appendix 2:
----------
Additional Material for the Record
Statement of the U.S. Public Policy Committee of the Association for
Computing Machinery
The U.S. Public Policy Committee for the Association for Computing
Machinery (USACM), commends Congress for reviewing issues related to
voting machines, testing practices and standards. Ensuring that voting
is accurate, error-free, secure and accessible to all registered voters
is of great importance. However, as experts in computing, we have grave
reservations about the safeguards in place with many of the
computerized voting technologies being used. New federal standards and
a certification process hold promise for addressing some of these
problems, but more must be done to ensure the integrity of our elections.
We recommend that Congress and the Election Assistance Commission
(EAC):
Create a formal feedback process that will ensure
that lessons learned from independent testing and Election Day
incidents are translated into best practices and future
standards.
Make the testing process more transparent by making
the testing scope, methodologies and results available to the
public.
Ensure that the guidance for usability and security
standards provides performance-based requirements and is clear
so as to minimize the variance of human interface designs from
jurisdiction to jurisdiction.
Create a mechanism for interim updates to the
standards to reflect emerging threats, such as newly discovered
security defects or attacks.
Require voter-verified paper trails and audits to
mitigate the risk associated with software and hardware flaws.
Testing, Certification and Reporting
Thirty-nine states require federal certification of their voting
systems, which is currently handled by independent testing authorities
(ITA). They test the systems against the 2002 Voting System Standards
(VSS). Ideally this testing would discover any flaws in the system and
allow for corrections before subsequent elections. However, in May
2006, a new report\1\ was issued outlining several security
vulnerabilities in one brand of certified electronic voting machines.
Many computer scientists were stunned by the fundamental nature of
these defects, and noted that the reported defects were the most
egregious security vulnerabilities known to date. This was not,
however, the first time serious security vulnerabilities were
revealed.\2\,\3\,\4\
---------------------------------------------------------------------------
\1\ Harri Hursti, May 11, 2004, ``Diebold TSx Evaluation Black Box
Voting,'' Black Box Voting,
http://www.blackboxvoting.org/BBVtsxstudy.pdf
\2\ Tadayoshi Kohno, Adam Stubblefield, Aviel Rubin, Dan Wallach,
May 2004, ``Analysis of an Electronic Voting System,'' IEEE Symposium on
Security and Privacy 2004, IEEE Computer Society Press,
http://avirubin.com/vote.pdf
\3\ RABA Technologies LLC, January 20, 2004. ``Trusted Agent Report
Diebold AccuVote-TS Voting System,''
http://www.raba.com/press/TA-Report-AccuVote.pdf
\4\ David Wagner, David Jefferson, Matt Bishop, February 14, 2006,
``Security Analysis of the Diebold AccuBasic Interpreter,'' California
Voting Systems Technology Assessment Advisory Board,
http://www.ss.ca.gov/elections/voting-systems/security-analysis-of-the-diebold-accubasic-interpreter.pdf
---------------------------------------------------------------------------
There are several gaps in our testing and certification system that
need to be addressed even if we have more robust standards for voting
systems. First, there is no corrective mechanism to ensure that flaws
found during testing are fixed before subsequent elections. Second, the
guidelines are being construed quite narrowly; if a flaw is found that
is not explicitly prohibited by the guidelines, a system is still
certified. It is unclear how such flaws can be successfully addressed
under the current certification process. Finally, there is a clear need
to create a formal system for reporting problems in the field and
improving the standards based on these reports. This step will allow
election officials throughout the country to be informed of potential
problems and that experiences can inform the federal standards.
Under the Help America Vote Act (HAVA) the EAC is responsible for
certifying voting systems through accredited laboratories. The National
Institute of Standards and Technology (NIST) is taking over the
accreditation process of ITAs from the National Association of State
Election Officials. Federal involvement may make the testing and
certification process more independent, but not necessarily more
transparent.
Currently, voting machine vendors are the clients of the ITAs.
Typically, they are the only recipients of the testing results, which
are considered to be proprietary. This is not unusual. Certification
testing of other products that the public relies on, such as aviation
software and medical devices, is also proprietary. A key difference is
that if an aviation system fails, the failure is reported to the FAA
and investigated. If a medical device fails, the FDA investigates.
Where the investigation demonstrates flaws in the management,
manufacture, design, or testing of the aviation system or medical
device, these flaws become public record and the operating rules and/or
equipment standards are adjusted accordingly. Investigation reports are
public records.
Our country is far from having any such formal system for voting.
We should have a system to ensure that lessons learned from multiple
jurisdictions are fed back to vendors, states and federal officials,
and then incorporated into standards and best practices. Often the
real-world conditions of an election reveal errors that have not been
detected by testing. The only organized incident reporting system for
voting equipment that has been employed recently is a limited, all-
volunteer project sponsored by several non-profit groups.
Further, Congress should seek to make the certification process and
testing results more transparent, and, like incident reporting, have a
formalized system for incorporating the results into federal standards.
The public should know the results of voting system tests and the
certification tests of ITAs. California and New York State are taking
steps to make their processes more transparent. Federal incentives also
could strengthen the independence and transparency of the testing
process. Incident reporting and transparent testing results would make
it much more likely that vendors and elections officials would
implement the lessons learned both from their own practices and from
other jurisdictions.
Voting Guidelines
The new 2005 Voluntary Voting System Guidelines (VVSG) improve on
the 2002 VSS, but they are not sufficient for ensuring that electronic
voting systems are secure, reliable, usable and verifiable. It is
unclear whether the level of guidance in the 2005 VVSG is adequate to
guarantee that all eligible voters will be able to understand and use
the new voting systems. In the area of human factors, the 2005
standards still leave too much to the discretion of local jurisdictions
and are based on functional requirements instead of performance-based
requirements. This is also a general problem with the security
standards. While the EAC recognizes the problem, it is not in a
position to act quickly.
The guidelines process is far from timely. The 2005 VVSG will take
effect in December 2007--two years after the standards were approved.
In that timeframe it is difficult to refine the guidelines to handle
problems not already covered. NIST is helping develop the next VVSG,
but that will likely not be implemented before elections in 2010.
Viruses and other security attacks operate in minutes and days, not
months or years. A new method of developing and implementing interim
guidelines quickly is necessary to respond to new problems.
Paper Trails and Audits
Even with improved standards and a process more responsive to
emerging threats, the best designed and tested systems will continue to
have flaws. We've seen numerous examples of security threats in
software for commercial systems and critical infrastructures. Flaws,
unfortunately, are inherent in any complex software system. There are
formal mathematical proofs that testing is incapable of finding all
accidental software flaws, and finding purposely concealed flaws is
even more difficult. It is also possible to have unanticipated hardware
or operational failures as well as accidents that can corrupt or lose
vote totals held in memory of some voting machines.
To mitigate these risks we recommend paper trails and audits.
Voting systems should enable each voter to inspect a physical record to
verify that his or her vote has been accurately cast, and to serve as
an independent check on the result produced and stored by the system.
Making those records permanent--not based solely in computer memory--
allows for an accurate recount. We are encouraged by the actions of 36
states that have either established voter-verified paper trails as law
or purchased equipment capable of providing voter-verified paper
trails.
Thank you for taking the time to consider this important issue.
Ensuring that computer based systems are secure, reliable, usable, and
ultimately trustworthy will require ongoing involvement of technical
experts, usability professionals, voting rights advocates, and
dedicated election officials in the U.S. and other countries. We stand
ready to provide technical guidance to Congress on this and other
issues. Please contact ACM's Office of Public Policy should you have
any questions at (202) 659-9712.
About ACM
ACM, the Association for Computing Machinery, is an educational and
scientific society uniting the world's computing educators, researchers
and professionals to inspire dialogue, share resources and address the
field's challenges. ACM strengthens the profession's collective voice
through strong leadership, promotion of the highest standards, and
recognition of technical excellence. ACM supports the professional
growth of its members by providing opportunities for life-long
learning, career development, and professional networking.
ABOUT USACM
The ACM U.S. Public Policy Committee (USACM) serves as the focal
point for ACM's interaction with U.S. Government organizations, the
computing community, and the U.S. public in all matters of U.S. public
policy related to information technology. Supported by ACM's
Washington, D.C., Office of Public Policy, USACM responds to requests
for information and technical expertise from U.S. Government agencies
and departments, seeks to influence relevant U.S. Government policies
on behalf of the computing community and the public, and provides
information to ACM on relevant U.S. Government activities.
Statement of Lawrence Norden
Chair, Task Force on Voting System Security
Brennan Center for Justice
New York University School of Law
The Brennan Center thanks the Committees on House Administration
and Science for holding this joint hearing. We especially thank
Chairman Ehlers for his leadership in taking steps to ensure that our
elections are as fair and secure as possible.
The Voluntary Voting System Guidelines (``VVSG'') considered at the
joint hearing today can, and should, be a cornerstone in the shared
federal and state effort to ensure elections that are secure, accurate
and accessible. However, in their current form, the VVSG fail to
achieve that goal. After summarizing the recently completed work of the
Brennan Center Task Force on Voting System Security (the ``Brennan
Center Security Task Force''), I will review the very serious gaps in
the security, usability and accessibility of current systems that have
gone unaddressed in the VVSG. Until these looming problems are
confronted and remedied, the machinery of American elections will
remain a legitimate concern for all of us who care about the health of
our democracy.
I. Report of the Brennan Center Task Force: The Machinery of
Democracy: Protecting Elections in an Electronic
World
Over the past year-and-a-half, the Brennan Center has worked with
leading technologists, election experts, security professionals, and
usability and accessibility experts to review the current state of
voting systems in the United States. Three weeks ago, we released the
first study from this collaboration, The Machinery of Democracy:
Protecting Elections in an Electronic World (the ``Brennan Center
Security Report'').\1\ In the coming weeks, we will be releasing
comprehensive reports on the usability and accessibility of voting
systems.
---------------------------------------------------------------------------
\1\ Lawrence Norden et al., The Machinery of Democracy: Protecting
Elections in an Electronic World (Brennan Center for Justice ed.,
2006), available at
http://www.brennancenter.org/programs/downloads/SecurityFull7-3Reduced.pdf.
---------------------------------------------------------------------------
The Brennan Center Security Report was a summary of the Nation's
first systematic analysis of security vulnerabilities in the three most
commonly purchased electronic voting systems. This threat analysis was
conducted by the Brennan Center Task Force\2\ and revealed that all
three voting systems have significant security and reliability
vulnerabilities; the most troubling vulnerabilities of each system
cannot be substantially remedied; and few jurisdictions have
implemented any of the key security measures that could make the least
difficult attacks against voting systems substantially more secure.\3\
---------------------------------------------------------------------------
\2\ For a complete list of the Task Force Members, see The
Machinery of Democracy at i.
\3\ Id. at 3.
---------------------------------------------------------------------------
The Task Force surveyed hundreds of election officials around the
country; categorized over 120 security threats; and evaluated
countermeasures for repelling attacks. The report of the Task Force
concluded:
All of the most commonly purchased electronic voting
systems have significant security and reliability
vulnerabilities. All three systems are equally vulnerable to an
attack involving the insertion of corrupt software or other
software attack programs designed to take over a voting
machine.
Automatic audits, done randomly and transparently,
are necessary if paper records are to enhance security. The
report called into doubt basic assumptions of many election
officials by finding that using voter-verified paper records
without requiring automatic audits--as is done in twenty-four
states--is of ``questionable security value.''
Wireless components on voting machines are
particularly vulnerable to attack. The report finds that
machines with wireless components could be attacked by
``virtually any member of the public with some knowledge of
software and a simple device with wireless capabilities, such
as a PDA.''
The vast majority of states have not implemented
election procedures or countermeasures to detect a software
attack even though the most troubling vulnerabilities of each
system can be substantially remedied.
Among the countermeasures advocated by the Task Force are routine
audits comparing voter-verified paper trails to the electronic record;
and bans on wireless components in voting machines. Currently only New
York and Minnesota ban wireless components on all machines; California
bans wireless components only on DRE machines. The Task Force also
advocated the use of ``parallel testing'': random, Election Day testing
of machines under real world conditions. Parallel testing holds its
greatest value for detecting software attacks in jurisdictions with
paperless electronic machines, since, with those systems, meaningful
audits of voter-verified paper records are not an option.
II. Scientific Threat Analyses Should be the Basis for Guidelines on
Security and Reliability
The threat analysis performed by the Brennan Center Task Force on
Voting Security involved (a) identifying and categorizing potential
threats to voting systems, (b) prioritizing these threats based on
level of difficulty, and (c) determining how much more difficult each
of the catalogued attacks would become after various sets of security
measures were implemented.\4\
---------------------------------------------------------------------------
\4\ Id. at 8.
---------------------------------------------------------------------------
To our knowledge, neither the Election Assistance Commission (the
``EAC''), nor state election officials have undertaken similar
comprehensive analyses before adopting voting system security and
reliability guidelines. The Brennan Center Security Report shows that
unless the EAC and the States commission such studies and use them to
establish security guidelines for each VVSG-certified system, voting
system security measures are likely to continue to fail to address
important security and reliability concerns.
The Brennan Center Security Report and threat analysis demonstrate
that merely assuming machines are programmed and configured correctly,
without some independent form of verification such as a voter-verified
paper record, is a significant security and reliability risk.
Ultimately, if we are to have confidence in the accuracy of our voting
systems, all voting machines must have some form of independent dual
verification, in which the verification is audited against the official
record.
III. Usability Testing Is the Key to Ensuring that Voter Intention Is
Accurately Recorded
The performance of a voting system is measured in significant part
by its success in allowing a voter to cast a valid ballot that
accurately reflects her intended selections without undue delays or
burdens. This system quality is known as ``usability.'' \5\ Following
several high profile controversies in the last few elections--
including, most notoriously, the 2000 controversy over the ``butterfly
ballot'' in Palm Beach County, Florida--voting system usability is a
subject of utmost concern to voters and election officials.
---------------------------------------------------------------------------
\5\ Although there is no firm consensus on precise benchmarks to
measure the usability of voting systems, academics and industry
researchers have developed design guidelines in other areas, most
importantly in web-browser design, that can increase usability. See
Sanjay J. Koyani et al., U.S. Dept. of Health and Human Resources,
Research-Based Web Design and Usability Guidelines (Sept. 2003),
available at http://usability.gov/pdfs/guidelines---book.pdf
---------------------------------------------------------------------------
The current VVSG requires that the ``voting process shall provide a
high level of usability for voters.'' \6\ It includes many valuable
guidelines for vendors and election officials. Unfortunately, it does
not require the kind of usability testing by users and experts that is
necessary to ensure that voter intentions are recorded as accurately as
possible. To date, only a few studies have compared different ballots
directly or definitively determined what makes one form of ballot more
usable than another--i.e., less prone to producing errors, more
efficient, and more confidence-inspiring.\7\ Without such information,
it is impossible to create systems and procedures that will reduce
voter error.
---------------------------------------------------------------------------
\6\ Election Assistance Commission, Voluntary Voting System
Guidelines, Volume I Version 1.0 at 3.1 (2005), available at
http://www.eac.gov/VVSG%20Volume-I.pdf, [hereinafter EAC VVSG].
\7\ See Jonathan Goler, Ted Selker, and Lorin Wilde, Augmenting
Voting Interfaces to Improve Accessibility and Performance (2006),
available at
http://vote.caltech.edu/reports/chi-abstract-golerselker.pdf; Ted
Selker, Matt Hockenberry, Jonathan Goler, and Shawn Sullivan, Orienting
Graphical User Interfaces Reduces Errors: the Low Error Voting Machine,
available at http://vote.caltech.edu/media/documents/wps/vtp-wp23.pdf
---------------------------------------------------------------------------
As it contemplates future drafts of the VVSG, the Brennan Center
strongly urges the EAC to commission further study of usability issues,
such as ``incidental under-voting, over-voting, or any other
inaccuracies that are products of the human/system interaction.'' \8\
Moreover, regardless of the voting system used, election officials
should conduct usability testing in their local communities on proposed
ballots before finalizing their design.
---------------------------------------------------------------------------
\8\ Accurate, Public Comment on the 2005 Voluntary Voting System
Guidelines at 26 (Sept. 30, 2005), available at
http://accurate-voting.org/accurate/docs/2005-wsg-comment.pdf.
---------------------------------------------------------------------------
IV. Assessments of System Accessibility Must Include Full Range of
Disabilities and Entirety of Voting Process
Traditionally, many voters with disabilities have been unable to
cast their ballots without assistance from personal aides or poll
workers. Those voters do not possess the range of visual, motor, and
cognitive facilities typically required to operate common voting
systems.
The Help America Vote Act of 2002 (``HAVA'') took a step forward in
addressing this longstanding inequity. According to HAVA, new voting
systems must allow voters with disabilities to complete and cast their
ballots ``in a manner that provides the same opportunity for access and
participation (including privacy and independence) as for other
voters.'' \9\ For voting systems to become truly accessible to all
voters, members of disabled populations should be included in empirical
research to ensure that vendors have satisfied VVSG requirements.\10\
In particular, assessments of such systems should:
---------------------------------------------------------------------------
\9\ Help America Vote Act 42 U.S.C. 15481(a)(3)(A) (2002).
\10\ See also Accurate Public Comment at 29.
---------------------------------------------------------------------------
Examine each step a voter must perform, starting with
ballot marking and ending with ballot submission. Systems that
may provide enhanced accessibility features at one stage of the
voting process may be inaccessible to the same voters at
another stage in that process.
Take into account a full range of disabilities and
ensure that accessible features are fully usable by people with
disabilities. When selecting participants for system tests,
officials should include people with sensory disabilities
(e.g., vision and hearing impairments), people with physical
disabilities (e.g., spinal cord injuries and coordination
difficulties), and people with cognitive disabilities (e.g.,
learning disabilities and developmental disabilities). Given
the rising number of older voters, officials should take pains
to include older voters in their participant sample. Ensuring
that the entire process is as easy to use as possible for
voters with disabilities is the only way of creating real
accessibility.
Use full ballots that reflect the complexity of a
real election. A simplified ballot with only a few races or
candidates may produce misleading results.
V. Conclusion
The VVSG is a piece of a larger effort occurring on many fronts to
improve the machinery of our elections. Given the leadership
responsibilities of the EAC, the VVSG must set a high standard. The
guidelines should be informed by the scientific testing methods used
successfully to assess the risks of other widely-deployed technologies;
and by the real-world experiences of the voting populations likely to
be thwarted by voting systems that fall short on accessibility and
usability.
Refinements to the VVSG that I've recommended would, if adopted,
move us several steps closer to the goal of fair, accessible and secure
elections.
Statement of the National Committee for Voting Integrity (NCVI)
``Elections require an end-to-end concern for a wide variety
of integrity requirements, beginning with the registration
process and ballot construction, and continuing through vote
tabulation and reporting.''--Peter Neumann
Our thanks go to the Committees for holding this joint hearing,
``Voting Machines: Will New Standards and Guidelines Help Prevent
Future Problems?'' We would like to offer a special thanks to Chairman
Ehlers for his leadership on these important issues, which are
challenging to our nation's public elections process.
General Comments
The Voluntary Voting System Guidelines (VVSG) is an improvement in
some respects over the standards created by the Federal Election
Commission process for 1990 and 2002: the increased attention to
accessibility for voters with disabilities and language minorities is a
step forward over previous voting technology standards. However, the
document's treatment of security, transparency, and auditability
reflects no improvement over previous standards. In fact some sections
of the VVSG pose serious challenges to election integrity and voter
privacy.
Current State of Voting System Certification
We are very troubled by the decision of the EAC to keep in place
the existing voting technology certification process beyond the period
designated by HAVA. On August 18, 2005, the EAC announced that the
current voting technology certification process will be in place until
the spring of 2007, with only one change: instead of the National
Association of State Elections Directors (NASED) providing oversight of
the three NASED approved laboratories the EAC will perform that
function.
``Provide for interim accreditation of National Association of
State Election Directors (NASED) accredited Independent Test
Authorities (ITA). The EAC will develop a process to
temporarily accredit current NASED ITAs. This temporary EAC
accreditation is needed to ensure that certified test
laboratories are available in the near term. It has been
determined that the EAC will not receive a recommended list of
testing laboratories from the NIST National Voluntary
Laboratory Accreditation Program (NVLAP) until the spring of
2007.'' \1\
---------------------------------------------------------------------------
\1\ U.S. Election Assistance Commission, Staff Recommendation: EAC
Voting System Certification & Laboratory Accreditation Programs Adopted
August 23, 2005: EAC Public Meeting, Denver, CO, available at
http://www.eac.gov/VSCP-082305.htm
---------------------------------------------------------------------------
Allowing the current three certification laboratories to remain
until the spring of 2007, as the only accredited laboratories that can
certify voting systems intended for use in public elections, will not
have a temporary effect. This decision will negatively affect those
laboratories that have shown an interest in being accredited to certify
voting technology. It may also diminish the intended results of the
promulgation of new voting technology standards, and undermine public
confidence in the accreditation and certification process. We strongly
object to the continuation of the NASED ITA established voting
technology laboratory accreditation and certification process because
it allows failed voting technology to pass certification, is in
violation of HAVA Section 231(b)(1), ignores the work already begun by
NIST to replace the NASED ITA process, and hinders transparency.\2\
---------------------------------------------------------------------------
\2\ Lillie Coney, Testimony, U.S. Election Assistance Commission,
Denver, Colorado, August 23, 2005, available at
http://www.epic.org/privacy/voting/eac-8-23.pdf
---------------------------------------------------------------------------
The widely reported failures of voting systems, which have passed
NASED ITA certification, cannot be ignored. The failures are too
numerous to summarize in this letter, but a few of the more notable
ones are worth recounting:\3\
---------------------------------------------------------------------------
\3\ National Committee for Voting Integrity, Election News, 2004,
available at http://votingintegrity.org/archive/news/e-voting.html
---------------------------------------------------------------------------
Sarpy County Recount (Nebraska): As many as 10,000 phantom
votes were added in 32 of 80 precincts when a machine error
doubled the votes during counting. Source: Channel Six Omaha NE
WOWT, available at
http://www.wowt.com/news/headlines/1164496.html (Nov. 5, 2004).
Broward Vote-Counting Blunder (Florida): Vote tabulation
software changes amendment results when the maximum capacity of
32,000 is reached, and the software begins to subtract votes.
Source: Channel 4 WJXT Florida, available at
http://www.news4jax.com/politics/3890292/detail.html (Nov. 4, 2004).
Carteret County (North Carolina): A voting machine loses more
than 4,000 votes leaving three races including the
Superintendent of Public Instruction and the state Agriculture
Commissioner's race in doubt. Source: WRAL.com available at
http://www.wral.com/news/3891488/detail.html (Nov. 4, 2004).
San Joaquin County (California): The Secretary of State's test
of Diebold's TSx voting system recorded that almost 20 percent
of the touchscreen machines crashed during the election
simulation. Based on the voting system's performance California
refused to certify the use of Diebold's TSx voting system in
public elections. Source: Oakland Tribune available at
http://www.votersunite.org/article.asp?id=5818 (Aug. 3, 2005).
HAVA Section 231(b)(1) states that ``not later than six months
after the Commission first adopts voluntary voting system guidelines
under part 3 of subtitle A, the Director of NIST shall conduct an
evaluation of independent, non-federal laboratories and shall submit to
the Commission a list of those laboratories the Director proposes to be
accredited to carry out the testing, certification, decertification,
and recertification provided for under this section.'' \4\ Further, the
law requires the EAC Commissioners to vote to approve the list of
accredited laboratories, once submitted by the Director of NIST, for
the certification of voting technology used in public elections. The
Commission is also directed by HAVA to publish an explanation for the
accreditation of any laboratory not included on the list submitted by
the Director of NIST.
---------------------------------------------------------------------------
\4\ Help America Vote Act Law, Public Law 107-252, available at
http://www.fec.gov/hava/law-ext.txt
---------------------------------------------------------------------------
NIST began work two years ago to produce a list of accredited
laboratories for the certification of voting systems. On June 23, 2004,
NIST announced in the Federal Register that it was establishing an
accreditation program for laboratories that perform testing of voting
systems, including hardware and software components. On August 17,
2004, NIST's National Voluntary Laboratory Accreditation Program
(NVLAP) hosted a public workshop to exchange information among NVLAP
laboratories interested in seeking accreditation for the testing of
voting systems under HAVA. NIST has also published the National
Voluntary Laboratory Accreditation Program's Voting System Testing
Handbook 150-22. The handbook outlined the technical requirements and
guidance for the accreditation of laboratories under the NVLAP Voting
System Testing laboratory accreditation program. Finally, on June 17,
2005, NIST published a solicitation for applications and fees from
those laboratories interested in being considered in the initial group
of applicant laboratories. The notice stated that accreditation would
begin on or about September 15, 2005.
In light of the work already done by NIST to provide for a new list
of laboratories to be certified by the EAC to conduct certification of
voting technology, why is the process being delayed until 2007? The
consequences for this delay may be a reduction in the number of new
qualified laboratories seeking work in this area, further erosion of
public trust in the election system, and more failed voting technology
being deployed by states.
Transparency
Transparency is a key component of a functioning, healthy
democracy. Transparency or open government is any effort by agencies to
impart information to the public on the work of the government. Open
government can be accomplished in a number of ways, which may include:
public meetings, public rule-making notices, reasonable public comment
periods, access to rule-making proceedings, official reports, and open
records laws. The application of technology intended to provide a
government service should not be excluded from open government
objectives. In addition to the methods described, the adoption of
technology should include efforts to involve the participation of those
members of the public with relevant skills and training.
The guidance to states on the administration of elections should
include strong support of open government procedures that allow public
access to the election administration process. Historically, the
election administration community, voting rights community, media, and
partisan efforts looked closely at how elections were managed. Today,
that list of constituencies has grown to include technologists,
election reform advocates, and concerned citizens.
Transparency is not part of the current laboratory testing and
certification process for voting technology. The NASED process did not
and would not provide information on the testing process for any voting
system.\5\ Further, NASED would not answer specific questions regarding
a voting technology manufacturer or a specific voting system.\6\ In
California, Diebold was found to have used uncertified software on
voting systems operated during public elections.\7\ When asked by
California election officials about their certification of Diebold's
AccuVote-TSx voting system, Wyle Laboratories refused to discuss the
status of the testing.\8\ It was reported that Wyle Laboratories told the
state that the information was proprietary. These conditions should not
be tolerated, especially in light of the need to provide proof to the
American public that the promise of HAVA will be fulfilled.
---------------------------------------------------------------------------
\5\ House Science Committee's Subcommittee on Environment,
Technology, and Standards, Hearing: ``Testing and Certification for
Voting Equipment: How Can the Process be Improved?'' 108th Congress
Second Session, June 24, 2004.
\6\ id.
\7\ Thomas Peele, ``State allows unapproved machines for March
election'' Contra Costa Times, January 16, 2004. Ian Hoffman, ``E-voting
software problems worsens,'' Alameda Times-Star, May 15, 2004.
\8\ Elise Ackerman, ``Vote-machine labs' oversight called lax,''
Contra Costa Times, May 31, 2004.
---------------------------------------------------------------------------
Audit
In the final version of voting system guidelines, too little focus
is placed on the importance of conducting audits of election results.
Post-election evaluation of the results is fundamental to election
integrity. For audits to be credible, the same vendor that supplied the
voting system being audited should not perform the audit. It is
important to know when election systems perform as expected, and when
they do not. For this reason, independent, verifiable, and transparent
audits of election results should be routine.\9\ California, Colorado,
Connecticut, Hawaii, Illinois, Minnesota, New Mexico, New York, North
Carolina, Washington, and West Virginia all have laws addressing
election audits.\10\ For example, California's audit law requires a one
percent manual recount of voted ballots.
---------------------------------------------------------------------------
\9\ David Dill, Testimony, Election Assistance Commission, July 28,
2005.
\10\ Verified Voting, Manual Audit Requirements, August 20, 2005,
available at http://verifiedvoting.org/article.php?id=5816
---------------------------------------------------------------------------
Audits should include a representative hand count of ballots or
ballot images; examining documentation of the chain of custody of all
voting technology; and the chain of custody on all unmarked and marked
ballots. States are well within their prerogative to determine how the
results of audits will be treated; however, they should be strongly
encouraged to incorporate audits into every aspect of election
administration, and make the results public. States should be
encouraged to engage the technology community in the decision-making
process to help meet the unique needs of State or local governments to
routinely audit their elections.
Today it is not enough that vendors assure states that paperless
voting systems record and retain accurate vote information; those
systems must be proven to do so. The record of systems failures that
resulted in lost votes cannot be ignored. Ballots lost from electronic
voting systems used in North Carolina and Florida in 2004 attest to the
need for more rigorous voting technology standards.\11\ There is also a
need to ensure routine access to ballot images for recount and election
audit purposes. In 2004 the California Primary election resulted in a
legal challenge, Soubirous vs. County of Riverside, when a candidate
lost an election contest by 45 votes. The candidate was denied access
to the memory and audit logs of the Sequoia electronic voting machines
purchased by the Riverside County Board of Supervisors, which resulted in
a court challenge.\12\
---------------------------------------------------------------------------
\11\ Voters Unite, Report, Myth Breakers: Facts About Electronic
Elections, available at http://www.votersunite.org/MB2.pdf
``Electronic Voting Machines Lose Ballots Carteret County, North
Carolina. November, 2004. Unilect Patriot DRE A memory limitation on
the DRE caused 4,438 votes to be permanently lost. Unilect claimed
their paperless voting machines would store 10,500 votes, but they only
store 3,005. After the first 3,005 voters, the machines accepted--but
did not store--the ballots of 4,438 people in the 2004 Presidential
election. Jack Gerbel, President and owner of Dublin-Calif.-based
UniLect, told The Associated Press that there is no way to retrieve the
missing data. Since the agriculture commissioner's race was decided by
a 2,287-vote margin, there was no way to determine the winner. The
State Board of Elections ordered a new election, but that decision is
being challenged in the court.
Palm Beach County, Florida. November 2004. Sequoia DRE Battery failure
causes DREs to lose about 37 votes. Nine voting machines ran out of
battery power and nearly 40 votes may have been lost. . . . The nine
machines at a Boynton Beach precinct weren't plugged in properly, and
their batteries wore down around 9:30 a.m., said Marty Rogol, spokesman
for Palm Beach County Supervisor of Elections Theresa LePore. Poll
clerk Joyce Gold said 37 votes appeared to be missing after she
compared the computer records to the sign-in sheet. Elections officials
won't know exactly how many votes were lost until after polls close.''
---------------------------------------------------------------------------
\12\ Soubirous vs. County of Riverside, No. E036733, 2006 Cal. App.
Unpub. Lexis 1218 (Cal. App. Feb 8, 2006) available at http://
www.verifiedvoting.org/downloads/legal/california/soubirous-v-
countyofriverside/
---------------------------------------------------------------------------
Security
Security can be defined as a series of tradeoffs.\13\ For example,
automobile manufacturers initially opposed interior airbags in cars
because they were thought to be too costly. The government made the
decision that their inclusion in cars would save lives and that the
increased cost for the purchase of an automobile was worth the
tradeoff.
---------------------------------------------------------------------------
\13\ Bruce Schneier, ``Beyond Fear: Thinking Sensibly About
Security in an Uncertain World'' pg. 7.
---------------------------------------------------------------------------
The voter is the only person who should know how they voted. That
person should not be able to prove to anyone how they voted, nor should
a ballot be associated with that voter.\14\ The votes cast by voters
should be recorded and retained free from error or manipulation. The
ballots and votes cast should be secured from tampering, damage,
machine failure, or loss.
---------------------------------------------------------------------------
\14\ Coney, Hall, Vora, and Wagner, ``Towards a Privacy Measurement
Criterion for Voting Systems.''
---------------------------------------------------------------------------
Voters should be able to cast votes and verify vote choices
unassisted. Accuracy should be maintained and authenticated through a
post-election audit process. State and local election contingency
planning should detail what should be done in the event of a natural
disaster or if a polling location unexpectedly becomes unavailable.
Once an election has begun, contingency plans should cover what should
take place to complete the election. For example, what should be done
if a power outage occurs that exceeds the battery life of voting or ballot
tabulation technology, voter turnout exceeds expectations, or
unexpected shortages of Election Day poll workers occur, which threaten
the conclusion of an election once begun.\15\
---------------------------------------------------------------------------
\15\ Ace Project, Voting Operation: Contingency Plans, available at
http://www.aceproject.org/main/english/po/pohO1d.htm
---------------------------------------------------------------------------
Reliability
Another technical threat to voting systems, which receives too
little attention, is Electrostatic Disruption (ESD). This can be
devastating to the operation of electrical equipment. Humidity and
other conditions in which voting systems will operate can contribute to
ESD. It is our view that more study should be done to better understand
the threats that ESD poses to voting systems and develop means to
mediate them. States should be directed to use a sliding scale for
conditions, where machines will be used and ESD is a high probability.
Comments on Voluntary Voting System Guidelines
The Election Assistance Commission has demonstrated problems with
version control of the final recommendations on voting system
standards.\16\ The problem has continued with the publication in the
Federal Register of the final guidance submitted to the EAC by the
Technical Guideline Development Committee (TGDC) on their
recommendations for voluntary voting system guidelines.\17\ The TGDC
recommendations sent to the EAC are available online.\18\ The TGDC's
online document representing their final recommendations to the EAC and
the EAC's reprint of those recommendations in the Federal Register in
April 2006 do not agree. Specifically the TGDC's final recommendations
dated May 9, 2005 includes Sections 6.0.4.2.1.1.6 through 6.0.4.3.2.2,
and the EAC document identified as the TGDC's recommendations document
does not include these sections. The missing sections addressed the
role of the NIST National Software Reference Library.
---------------------------------------------------------------------------
\16\ National Committee for Voting Integrity, Letter (April 28,
2006).
\17\ Election Assistance Commission, Technical Guidelines
Development Committee's Final Recommendations on Voluntary Voting
System Guidelines, Federal Register (April 12, 2006) available at
http://a257.g.akamaitech.net/7/257/2422/01jan20061800/
edocket.access.gpo.gov/2006/pdf/06-3101pdf
\18\ TGDC final VVSG Document Delivered to the EAC May 6, 2006
available at http://vote.nist.gov/VVSGVol1&2--pdf
---------------------------------------------------------------------------
If this had been the only incident of a version control problem, it
might not be noteworthy other than that a correction be published in the
Federal Register, but another earlier incident makes this appear to be
a pattern of inefficient management of documents. For example, in
another incident the EAC voted on the final version of the VVSG on
December 13, 2005, and the document was made public on January 12,
2006.\19\ However, at
some point between the public posting and mid-February the EAC final
VVSG document was replaced by another version.\20\
---------------------------------------------------------------------------
\19\ EAC, Final VVSG Document January 13, 2006 available at http://
votingintegrity.org/pdf/vvsg-%20vol-I-1.pdf
\20\ EAC, Current Final VVSG Document, July 14, 2006 available at
http://www.eac.gov/VVSG%20Volume-I.pdf
---------------------------------------------------------------------------
Barring a thorough investigation of this issue, a solution may not
be easy to achieve; however, it is worth noting that the chief expertise
of the National Institute of Standards and Technology (NIST) is the
development of standards, and a key component of this work is version
control. Therefore, we strongly recommend that the following action be
taken: the correct TGDC VVSG document be printed in the Federal
Register in its entirety, and that NIST be directed to manage version
control for the EAC of all document development required under the Help
America Vote Act (HAVA).
VVSG creates new threats to voting system security by recommending
the use of telecommunication systems to transmit the election
information over public telecommunication networks. Public
telecommunication networks, especially the Internet, are insecure.\21\
It is important to note that HAVA Section 245 directs that the EAC
conduct a study and report on Electronic Voting and Electoral Process
in federal elections.\22\ The study, when completed, would assess the
safe use of the Internet and other communication technology's use in
voting.
---------------------------------------------------------------------------
\21\ David Jefferson, Aviel D. Rubin, Barbara Simons, David Wagner,
Report, ``A Security Analysis of the Secure Electronic Registration and
Voting Experiment (SERVE),'' January 2004.
\22\ Help America Vote Act of 2002 (HAVA), Public Law 107-252,
October 29, 2002. SEC. 245. 42 USC 15385, available at http://
www.fec.gov/hava/law-ext.txt
---------------------------------------------------------------------------
It is our strong recommendation that future guidance issued by the
agency to states direct them to prepare realistic contingency plans in
the event of electronic voting system failures that jeopardize the
completion of the election process.\23\ Future Voluntary Voting System
Guidelines should encourage State and local election administrators not
to limit their thinking to what can be done, but to consider what can
be done safely to establish reliable, secure, accessible, transparent,
accurate, and auditable public elections.
---------------------------------------------------------------------------
\23\ Ace Project, Report on Physical Security, available at http://
www.aceproject.org/main/english/et/ete01a.htm
---------------------------------------------------------------------------
VVSG Volume 1, Section 7 Security, recommends the incorporation
of wireless technology in voting systems. We strongly recommend that
wireless technology not be allowed in voting systems. Although wireless
technology is commonplace in remote control systems for televisions,
DVDs, VHS, computer networks, and other consumer products, that does not
mean it should be trusted in voting systems. States considering
wireless technology as an option should be strongly encouraged to
enumerate the need for it, and evaluate the potential risks.
Manufacturers of voting systems should not incorporate wireless
technology as a standard offering in voting systems used in public
elections because it poses serious security risks. The only way to be
sure that the risk is not present is not to include the wireless
capability. If states insist on having wireless capability on voting
systems, the next best security option is the ability to physically
remove the device from voting systems before their use in public
elections.
In closing, future recommendations to election administration
should include a directive to test all ballot marking devices to be
sure that they meet specifications of the precinct tabulating facility
and central tabulating technology. The precinct tabulator and central
tabulator technology should be calibrated to read reasonable marks,
which should include a dark stroke crossing the voting target on its
long dimension and half the width of the target should register as a
vote. Finally, all ballot tabulators should be tested and/or calibrated
to ignore erasures made by a new gum eraser of a thoroughly blackened
pencil mark.
Guidance to states regarding the use of paperless direct recording
electronic voting systems should include strong recommendations that at
least one poll worker at each polling location should be trained to
check the calibration of DRE voting machines and if necessary
recalibrate them. Guidance to manufacturers should include a criterion
that if these systems' memory capacity is exceeded or a malfunction that
threatens vote capture and retention is detected, the voting system
shall disallow the reinsertion of voter cards to disallow the
appearance of continuing to record votes.
The United States is a society of equal rights. On Election Day,
this nation must function as a society of equal rights, where a single
vote is treated as important as the majority of votes cast.
Thank you,
MEMBERS
Peter G. Neumann, Chair * David Burnham * David Chaum * Cindy Cohn
* Lillie Coney * David L. Dill * Joe Hall * David Jefferson * Jackie Kane
* Douglas W. Jones * Stanley A. Klein * Vincent J. Lipsio * Justin
Moore * Jamin Raskin * Marc Rotenberg * Avi Rubin * Bruce Schneier *
Paul M. Schwartz * Sam Smith
NCVI Intern, Richard Rasmussen
Statement of VerifiedVoting.org
There is a crisis of confidence today in electronic voting systems
that are widely used across our nation. It grows each day as the public
gains awareness of the inadequacies and vulnerabilities of those
systems. The concern is perhaps greatest among those who have the most
technical understanding of the computing systems that form the basis
for the voting equipment.
The concerns that led to this crisis are not new, but no set of
standards alone has been or will be sufficient to erase them.
There will be those who say the crisis is not the fault of
inadequate systems but rather the fault of those who shed light on the
inadequacies--a ``shoot the messenger'' approach to restoring the
public's sense that they can be sure their votes will count. They are
wrong. They might be able to bury their own heads in the sand, but
asking the public to take it on faith that there's no such thing as a
machine malfunction or someone who might want to tamper with an
election is simply not good enough, and a simple review of historical
fact belies that belief.
There will be those who say that system problems can be solved with
a set of procedures. This too is a false fix, akin to directing the
public to watch while we attach a big lock on the front door of the
bank, while leaving the back door unlocked and the safe wide open. Good
procedures are necessary, as are technical features that support system
security, reliability and usability. However, sometimes one needs
mechanisms to prevent specific acts that don't depend on humans to
follow rules. A procedural fix cannot alone solve a system problem.
Guidelines, regardless of how well written, do not matter at all if
they are not enforced. At present, mechanisms are not in place to halt
the electoral process or address the problem if the Guidelines are
violated or circumvented, nor even to scrutinize the process to ensure
Guidelines are not violated nor circumvented. The Guidelines instead
become mere fig leaves strategically draped over the never-ending
problem of voting systems that cannot be made secure without the
essential safeguard of a voter-verified paper record (VVPR) of every
vote, and mandatory random checks of the paper records to ensure
accuracy of the vote count.
Seventy percent of the states believe--regardless of the existence
of any Guidelines--that voter-verified paper records are necessary.\1\
Over half of the members of the U.S. House of Representatives have
reflected that majority position by sponsoring legislation that would
make VVPR mandatory in all states. While only 13 states currently
require random manual audits of the voter-verified paper records,\2\
many more have the tools to conduct those audits today.
---------------------------------------------------------------------------
\1\ 28 states have enacted rules or legislation requiring voter-
verified paper records: AZ, AK, AR (partial req.), CA, CT, CO, HI, ID,
IL, ME, MI, MN, MO, MT, NC, NV, NH, NY, NJ, NM, OH, OR, SD, UT, VT, WI,
WV, WA. Another eight states are deploying voter-verifiable equipment
statewide even without a requirement: AL, MA, MS, NE, ND, OK, RI, WY.
For details see http://verifiedvoting.org
\2\ AK, AZ, CA, CT, CO, HI, IL, MN, NM, NY, NC, WA, WV--for
details, see http://www.verifiedvoting.org/article.php?id=5816
---------------------------------------------------------------------------
Unless and until these practices (the use of voter-verified paper
records and mandatory manual audits of those records) are adopted
nationwide, the crisis of confidence will continue to grow. The current
set of Guidelines, despite the efforts of those who worked on them, do
not resolve this current crisis, for several reasons.
--First, they are inadequate: the current process for voting system
certification is wholly insufficient for security, and resolutions of
the Technical Guidelines Development Committee to include open-ended
research on possible attacks were omitted from the guidelines.
--Second, they will never be adequate for security, if separate and
apart from a voter-verifiable voting system and robust random manual
audits. This is not to say the VVSG on security shouldn't exist, but
rather that it must be understood they can only serve as a potential
enhancement to mitigate risks, and cannot ever be strong enough alone.
--Third, the most significant thing the current VVSG could have
done to help bolster the public's confidence was not done: On January
18, 2005, Professor Ron Rivest introduced a resolution (#13-05) to
require voter-verified paper records at the TGDC meeting. Professor
Rivest is the member of the TGDC with by far the greatest expertise in
computer security. That resolution was voted down, by members of the
committee who know less about computer security than the person who
introduced the measure. Just as the Food and Drug Administration would
not approve of a pharmaceutical based on a vote where accountants out-
voted physicians, it is important that decisions affecting technical
requirements are made by people that are technical experts.
--Finally, as the lion's share of HAVA equipment funding has been
spent on systems that were not designed to those standards, the current
VVSG can serve only as a theoretical or philosophical guideline for
what you would want in a voting system, if one were going to buy a new
one today . . . but almost no one is buying now. As safeguards for the
systems we use today and for the foreseeable future, or as insurance
that those systems are as accessible and usable as possible--the VVSG are
the horse lagging behind its voting-system cart.
Concerns and Recommendations
Analysis of the VVSG process to date makes clear the Guidelines are
inadequate to address the current (justified) crisis of confidence in
electronic voting systems. Recommendations for improvement follow.
1. Prevent Unrecoverable Lost Votes; Mandate VVPR. During the November
2004 election in Carteret County, North Carolina, a paperless DRE
voting machine completely failed to record over 4,400 ballots cast on
that machine; this failure occurred because those ballots exceeded the
configured size of that machine's electronic memories. The machine
failed to warn the affected voters that their ballots were not being
recorded, the votes from those ballots were irretrievably lost, and
several statewide races were thrown into limbo because the margin of
victory in those races was less than the number of lost votes. While
this was apparently the largest number of votes irretrievably lost on a
single DRE, it was not the first or only documented instance of such a
loss. Two years earlier, 436 ballots failed to be recorded on a
different vendor's DRE used for early voting in Wake County, North
Carolina. And just last year, in Pennsylvania, cast ballots were
inadvertently erased at the end of the voting day due to a set-up
error.
In each case, had those DRE voting machines been equipped with a
voter-verifiable paper audit trail (VVPAT) (or had those jurisdictions
been using an inherently voter-verified paper ballot system, such as
optical scan ballots), those votes would not have been lost. Yet
despite these problems, the revised VVSG do not adequately protect
against these types of problems and lack any requirement for VVPAT,
despite thousands of comments submitted by the public in support of
adding such a requirement.
To prevent future losses of votes due to malfunction,
programming error, set-up error, or tampering, the VVSG must
require voter-verified paper records. This step will also serve
as an interim measure to regain some of the lost confidence in
our voting system, although only in those jurisdictions that
adopt the voluntary guidelines. For real impact, legislation
requiring voter-verified paper records and mandatory random
manual audits must be passed so that votes in all jurisdictions
are protected.
2. Accelerate VVSG Update Process. The VVSG do not take effect until
December 2007, and even then, not all states are obligated to follow
them because the guidelines are voluntary. Hence, in terms of
addressing the current crisis, they offer too little, too late. The lag
between their development and their effective date almost ensures that
they will be obsolete by the time they are in effect. The capabilities
and state-of-the-art in computerized systems change vastly over the
24-month adoption period, and the pace of voting standards development,
while slightly accelerated over what it has been, still seems glacial
when seen in the light of security concerns.
Given the rate of change of technology, security-related and
other standards in the VVSG should be reviewed annually, and
the adoption window should be shorter than it is (e.g., 12
months rather than 24). When gravely serious security or
performance problems with voting systems are uncovered as has
happened in recent months, standards should be upgraded in
response, and if need be, voting machines in the field re-tested
for modification.\3\ No new elections should have to be
run on equipment demonstrated to be faulty or insecure.
---------------------------------------------------------------------------
\3\ These recommendations echo those of Dr. Michael Shamos,
Distinguished Professor of Computer Science at Carnegie Mellon
University, who testified in 2004 to the Environment, Technology, and
Standards Subcommittee of the House Science Committee on the subject of
voting system testing and certification. Cf. http://www.house.gov/
science/hearings/ets04/jun24/shamos.pdf
---------------------------------------------------------------------------
3. Certification Process Should Not Be Cloaked in Secrecy. Despite some
minor changes to the scheme for certifying voting systems (i.e.,
``qualification'' has been renamed ``certification,'' ITAs have been
renamed ``voting system testing laboratories,'' and the EAC, through
NIST, will assume oversight and accreditation of the testing
laboratories), the overall scheme still remains one in which private
voting system vendors contract with (and pay for) private testing
laboratories to carry out certification testing in secret. Public
confidence in the integrity of this certification scheme will not be
achieved if this testing process continues to remain cloaked behind a
veil of secrecy.
``To keep vendors and [the VSTLs] accountable for their work,
the EAC should require that, as a condition of certification,
the report produced by the ITA be publicly released, along with
the technical data package.'' \4\
---------------------------------------------------------------------------
\4\ Testimony of Dr. David Dill, Professor of Computer Science,
Stanford University and Founder of Verified Voting, before the Election
Assistance Commission, July 28, 2005 hearing, Pasadena, CA http://
www.eac.gov/docs/Dill.pdf
---------------------------------------------------------------------------
4. Stronger Security Testing Needed. The VVSG scheduled to take effect
in 2007 do not mandate the type of vigorous security examination needed
to uncover security weaknesses (e.g., the several Hursti hacks,\5\ plus
additional vulnerabilities discovered by California's Voting Systems
Technology Assessment Advisory Board [VSTAAB]) of the sort discovered
due to the inquisitiveness and concern of local election officials
(e.g., Ion Sancho, Supervisor of Elections, Leon County, Florida; Bruce
Funk, Emery County Clerk, Utah). These vulnerabilities could be
successfully exploited without leaving any trace. Any certification
system that subjects voting systems to hundreds of hours of ``testing''
and which takes many months and hundreds of thousands of dollars to
complete and yet fails to discover grave security vulnerabilities which
can be successfully exploited in a matter of minutes is completely
ineffective.
---------------------------------------------------------------------------
\5\ Finnish computer security expert Harri Hursti discovered two
distinct classes of vulnerabilities in the Diebold AccuVote voting
systems: a) Vulnerabilities associated with the use of interpreted
AccuBasic code on the removable memory card used to store vote totals
and/or ballot images (for details see
http://www.ss.ca.gov/elections/voting-systems/security-analysis-of-the-diebold-accubasic-interpreter.pdf);
and b) vulnerabilities associated with boot loader software and flash
memory (http://www.blackboxvoting.org/BBVreport.pdf).
---------------------------------------------------------------------------
``Security evaluations should be conducted by experts not
chosen by the vendors, and those experts should be allowed to
do open-ended research on possible attacks (such groups are
sometimes called ``Tiger teams''). Any new iteration of the
VVSG should incorporate the TGDC Resolution #17-05 which called
for such an approach.'' \6\
---------------------------------------------------------------------------
\6\ Testimony of Dr. Dill July 28, 2005, ibid.
---------------------------------------------------------------------------
5. Proprietary Interests Should Not Outweigh Security and Performance
Requirements. The current (and future) certification scheme based on
the current (and future) VVSG appears to be biased in favor of
maintaining the proprietary interests of voting machine vendors rather
than ensuring the integrity of the voting systems being evaluated.
An example is the inclusion of wireless networking, which opens up
security threats while facilitating vendor interests. The inevitable
consequence of allowing wireless, even with special guidelines about
its use, is that machines with wireless capability will be certified,
even though they will not and cannot be secure. Worse, even if a
jurisdiction wanted to ban wireless capabilities locally, it is
possible under the current certification scheme that they would be
unable to determine whether such capability was already ``on-board'' in
their existing systems. First, they'd need the technical ability to
check their hardware (and if a wireless component was found, to examine
the software to ensure that the software will not support it). Second,
warranty and maintenance agreements often consider things like
``unauthorized'' opening of the case of a voting system to violate or
void the warranty. So, more than likely, a jurisdiction would have to
ask the vendor if there was wireless capability and take their word for
it or ask permission to examine the system to assess whether or not
wireless functionality was shipped and armed.
Wireless networking is unnecessary and inherently unsafe, and
should be banned outright. Further, the VVSG should define
procedures under which local election jurisdictions can
reliably verify the absence of such wireless capability in any
voting systems equipment that they purchase or lease.
6. Encourage (Secure) Usability Advances. The current practice of
certifying whole voting systems has the potential to stifle the
independent development of add-ons to existing voting systems that can
greatly enhance usability and especially accessibility. For example,
this practice has impeded deployment of accessible ballot-marking
devices which are designed for, and capable of, working with any legacy
optical scan voting system, because those devices must be re-submitted
for testing with each such voting system, a process in which vendors
have yet to cooperate. Accessibility advocates describe a wish for
systems with a broad spectrum of capabilities and features, yet
typically no one system currently addresses all those needs.
Jurisdictions lack the resources to obtain more than one system for
accessibility, but even if they had the resources, inter-operability
between competing systems is lacking.
There is a need to provide for inter-operability between such
existing and potential modular devices made by different vendors. Yet
it is important not to sacrifice the performance and security benefits
that end-to-end system testing brings.
The VVSG should look to develop a better solution for
inter-operability such as testing a proposed subsystem, and having
well-defined, standard interfaces between sub-systems that
comprise a voting system. For example, a standardized schema
for defining the layout of optical scan paper ballots should be
developed to enable the interchange of ballot layouts between
voting systems developed by different vendors, so that an
optical scan ballot printed by vendor X could be marked by a
ballot marking device manufactured by vendor Y and scanned by
an optical scanner built by vendor Z. Each vendor would be
responsible for providing conversion software to translate
between their proprietary ballot layout definition files and
the standardized schema.
7. Scrutiny and the Need to Address Defects Discovered After
Deployment. At present, the revised VVSG and proposed certification
process lack any clear mechanism for suspending or revoking the federal
certification status of deployed voting systems found to contain
serious defects, including security vulnerabilities, that put the
public's votes and the integrity of our elections at risk. When such
critical security defects are discovered in already-deployed voting
systems, some fraction of impacted states issue some sort of warning or
advisory, while other states take no action at all. Even when warnings
or advisories are issued, most states typically take no further action
to ensure that local jurisdictions comply or act on those notices, in
part because the costs for implementing interim mitigation procedures
fall on local election jurisdictions that lack the resources to
effectively carry them out.
When defects in other types of products affect public safety,
product recalls are initiated and product defects corrected at vendor
expense. But when similarly serious defects or vulnerabilities are
found in voting systems, we do not see federal certification revoked or
products recalled. (Nor have we seen any requirement that vendors
notify all their existing markets about the problem, with
recommendations for mitigation or replacement. This means the same
problem can occur election after election, in county after county,
despite having been likely preventable in all but the first instance.)
To help prevent voting machine problems, new Guidelines must
provide a mechanism for scrutiny to ensure that its standards
are maintained and enforced, especially when problems with the
design of a voting machine are discovered after it has
completed federal qualification and been deployed for use in
elections.
The revised VVSG should include mechanisms for suspending or
revoking federal qualifications when serious defects in voting
machines are discovered after initial qualification, and should
require notification and mitigation by the vendor involved to
all jurisdictions where the voting system is deployed.
Need for Prompt Action
Slightly over two years ago, on June 24, 2004, the Environment,
Technology, and Standards Subcommittee of the House Science Committee
held hearings on the subject: ``Testing and Certification of Voting
Equipment: How can the process be improved.''\7\ In his testimony\8\
before that committee, Dr. Michael Shamos stated in part:
---------------------------------------------------------------------------
\7\ http://www.house.gov/science/hearings/ets04/index.htm
\8\ http://www.house.gov/science/hearings/ets04/jun24/shamos.pdf
---------------------------------------------------------------------------
I am here today to offer my opinion that the system we have
for testing and certifying voting equipment in this country is
not only broken, but is virtually nonexistent. It must be
re-created from scratch or we will never restore public confidence
in elections. . . .
. . .We need a coherent, up-to-date, rolling set of voting
system standards combined with a transparent, easily-understood
process for testing to them that is viewable by the public. We
don't have that or anything resembling that right now, and the
proposal I have heard are (sic) not calculated to install them.
. . .I propose that standards for the process of voting be
developed on a completely open and public participatory basis
to be supervised by the EAC, with input from NIST in the areas
of its demonstrated expertise, such as cryptography and
computer access control. Members of the public should be free
to contribute ideas and criticism at any time and be assured
that the standards body will evaluate and respond to them. When
a problem arises that appears to require attention, the
standards should be upgraded at the earliest opportunity
consistent with sound practice. If this means that voting
machines in the field need to be modified or re-tested, so be
it. But the glacial pace of prior development of voting
standards is no longer acceptable to the public.
Unfortunately, two years after the Subcommittee heard these
concerns in testimony, little has changed. Instead of recreating the
testing and certification system ``from scratch'' and making that
process ``transparent, easily-understood'' and ``viewable'' by the
public, the revised VVSG does little to address any of these concerns.
Rather, the revised VVSG makes some tweaks to the ``arcane technical
standards'' (Guidelines) and the accreditation of the testing labs, but
otherwise leaves intact the existing opaque and secretive system which
Professor Shamos describes as ``grotesque.'' That system can continue
no longer, and must be made transparent.
Beyond accepting public input to the revised VVSG, the ``standards
body'' must show greater evidence that it has heard the overwhelming
majority of that public input and must provide a meaningful response to
key concerns raised by the public (e.g., concerns regarding the urgent
need for VVPR and for the elimination of wireless technology from
voting systems).
When gravely serious security problems with DREs are uncovered as
they were during this past year, standards must be upgraded in
response, voting machines in the field modified and retested, and the
pace of voting standards development must accelerate to address
usability, performance and especially security concerns.
It is time for Congress to act to safeguard our elections. Tweaking
the voluntary Guidelines (not even yet in effect) will not address the
public's urgent concerns about the integrity of our voting system.
Immediate passage of a requirement for voter-verified paper records and
mandatory random manual audits will.
A Study of Vote Verification Technologies for the
Maryland State Board of Elections
Executive Summary
This Executive Summary presents the principal findings of two
studies of vote verification technologies that were commissioned in
2005 by the Maryland State Board of Elections (SBE). The first, or the
technical study, was conducted by researchers at the University of
Maryland, Baltimore County (UMBC). The second, or the usability study,
was conducted by researchers at the University of Maryland, College
Park.
We note that while these studies were commissioned by the SBE, they
were conducted independently of the SBE and independently of one
another. This should provide the citizens and decision-makers in the
State of Maryland with a high degree of confidence that the studies are
impartial and scientifically sound.
Part I: Technical Study Executive Summary
Scholars at UMBC, working through the National Center for the Study
of Elections of the Maryland Institute for Policy Analysis and
Research, conducted a technical review of vote verification systems for
the Maryland State Board of Elections (SBE). Initially, the review was
supposed to include up to seven systems from the following
organizations and individuals: VoteHere (Sentinel); SCYTL (Pnyx.DRE);
Prof. Ted Selker, MIT (VVAATT); Diebold's VVPAT; Democracy Systems,
Inc. (VoteGuard); IP.Com; and Avante. We determined that IP.Com did not
represent a true vote verification technology, and Avante and Democracy
Systems, Inc., declined to participate in the study. We also examined
the SBE's procedures for ``parallel testing'' of the Diebold
AccuVote-TS (touchscreen) voting system in use in Maryland and used
this as a baseline against which to evaluate the vote verification
systems.
In conducting our analysis, we received demonstrations from the
vendors, and we examined the vendors' hardware, software, and
documentation to determine if their products did what their vendors
claim that they do. That is, do they enable voters who use the
touchscreen voting system in use in the State of Maryland to verify
that their votes were cast as intended, recorded as cast, and reported
as recorded, and do they permit post-election auditing? We examined
such issues as:
implementation
impact on current state voting processes and procedures
impact on voting
functional completeness
security against fraud, attack and failure
privacy
reliability
accessibility
We also compared these systems to one another and to the state's
current voting system and procedures, which includes the SBE's use of
parallel testing around that system.
We note several specific concerns about these products, including
the following:
1. Only one of these products, the Diebold VVPAT, provides for
a pure paper solution.
2. All of these products would impose significant one-time
implementation and on-going management burdens (cost, effort,
security, etc.) on the SBE and the state's 24 Local Boards of
Elections.
3. All would increase the complexity of the act of voting.
4. All would increase the amount of time required to vote.
5. All would at least double the amount of effort required to
administer elections.
6. All would adversely affect voter privacy.
7. These products would have both potentially positive and
potentially negative impacts on security and election
integrity.
8. None can be considered as fully accessible to persons with
disabilities and none of them fully meets the accessibility
standards of Section 508 of the Rehabilitation Act.
9. Integration of these systems will require the cooperation
of Diebold to develop and/or ensure the viability of a working
interface between the vendors' products and the Diebold system.
Our principal findings are, first, that each of the systems we
examined may at some point provide a degree of vote verification beyond
what is available through the Diebold System as currently implemented.
But this is true only if the system were fully developed, fully
integrated with the Diebold DREs and effectively implemented.
Our second principal finding is that none of these systems is yet a
fully developed, commercially ready product. None of these products had
been used in an election in the U.S. (SCYTL has been used outside the
U.S. and a different version of the Diebold VVPAT has been used in the
U.S.).
Were the State of Maryland to decide to acquire any of these
products, the vendor would have to invest additional money and effort
to produce an actual product and make the product ready for use in
actual elections. Indeed, nearly all of these vendors are looking for
some level of external support to fully develop and commercialize their
products.
In our expert opinion, it is a bad idea for governments to buy
products that are not functionally complete and that either do not have
positive records in the market place or that cannot be fully and
effectively tested in simulated elections to ascertain their
performance characteristics.
Therefore, based on the evidence from this study, we cannot
recommend that the State of Maryland adopt any of the vote verification
products that we examined at this time.
We would note that no election system--regardless of the technology
involved--is foolproof nor is any election system completely immune or
secure from fraud and attack. Indeed, there is a long and inglorious
history of election fraud in the U.S. that involves nearly all methods
and technologies of voting, especially paper voting systems. Moreover,
it would be prohibitively costly to make any election totally secure.
Finally, regardless of what the State of Maryland does in the near
term with regard to vote verification and vote verification systems, in
future elections, it should expand the use of parallel testing. The
state should also undertake a full-scale assessment of the security
procedures and practices around its current voting system. We say this
even with the knowledge that current security procedures are reasonable
and prudent and that the SBE's system of parallel testing, as currently
implemented, reduces considerably the possibility of fraud and attack
on the system.
Part II: Usability Study Executive Summary
The University of Maryland's Center for American Politics and
Citizenship, along with the Human-Computer Interaction Lab, conducted a
usability study of four vote verification systems and a voting system
with no verification unit for the Maryland State Board of Elections.
The major findings from the expert review by human-computer
interaction experts are:
There was a perceived trade-off between usability and
security. In all cases, the verification system appeared to
reduce the usability of the voting process compared to the
Diebold AccuVote-TS, which had no verification unit.
The Diebold AccuVote-TSx with the AccuView Printer
Module (paper printout, referred to as AccuView Printer) was
rated most favorably. However, suggestions were made for
improvement and questions were raised about the paper record's
utility when used for a long ballot.
Privacy concerns were raised about each of the four
vote verification systems.
The major findings from the field test involving more than 800
Marylanders are:
All of the systems were viewed favorably, including
the Diebold AccuVote-TS with no verification unit.
The Diebold with AccuView Printer was rated the most
favorably in terms of voter satisfaction, but not substantially
better than the AccuVote-TS with no verification unit or the
VoteHere Sentinel.
The MIT (audio) system was found to be distracting
and it failed to generate as much confidence as other systems.
It also was criticized by some users because of sanitary
concerns related to the repeated use of the same headset.
Participants needed the least amount of help when
using the Diebold AccuVote-TS system (no verification unit).
The Diebold with AccuView Printer system (paper trail) came
next. Voters received more help using the VoteHere (Internet or
telephone), MIT (audio), and Scytl (monitor) systems.
The major findings concerned with election administration are:
Adding any of the four verification systems greatly
increased the complexity of administering an election.
The paper spool in the Diebold AccuView Printer had
to be changed frequently, and changing it was fairly complex.
It was difficult and time consuming to set up the
Scytl system.
The Scytl, MIT, and Diebold AccuVote-TS with no
verification unit were out of commission for some portions of
the study (but not enough to affect the results).
Diebold provided outstanding response to service
calls. Scytl (based in Spain) provided poor service. No service
calls were made to MIT or VoteHere.
Recommendations
On the basis of usability and some administrative
considerations, we cannot recommend that the State of Maryland
purchase any one of the vote verification systems (or system
prototypes) that were reviewed. There are some important
tradeoffs between usability and other considerations, including
the security of the vote.
We recommend that the voter interface of AccuVote-TS
(with no printer unit) be modified to incorporate some of the
improvements made to the interface of the AccuVote-TSx with the
AccuView Printer system.
The AccuVote-TS with no verification unit became
inoperative while an individual was voting under normal
circumstances. This had a direct impact on the usability of the
system and caused concern among voters. An explanation was
provided but it was beyond the scope of this study to confirm
it. We recommend this situation be addressed.
Statement of the U.S. Election Assistance Commission
INTRODUCTION
EAC is a bipartisan commission consisting of four members: Paul
DeGregorio, Chairman; Ray Martinez III, Vice Chairman; Donetta
Davidson; and Gracia Hillman. EAC's mission is to guide, assist, and
direct the effective administration of federal elections through
funding, innovation, guidance, information and regulation. In doing so,
EAC has focused on fulfilling its obligations under HAVA and the
National Voter Registration Act (NVRA). EAC has employed four strategic
objectives to meet these statutory requirements: Distribution and
Management of HAVA Funds, Aiding in the Improvement of Voting Systems,
National Clearinghouse of Election Information, and Guidance and
Information to the States. Each program will be discussed more fully
below. The topic at hand involves our strategic efforts to aid in the
improvement of voting systems.
AIDING IN THE IMPROVEMENT OF VOTING SYSTEMS
One of the most enduring effects of HAVA will be the change in
voting systems used throughout the country. All major HAVA funding
programs can be used by states to replace outdated voting equipment.
HAVA established minimum requirements for voting systems used in
federal elections. Each voting system must:
Permit the voter to verify the selections made prior
to casting the ballot;
Permit the voter to change a selection prior to
casting the ballot;
Notify the voter when an over-vote occurs (making
more than the permissible number of selections in a single
contest);
Notify the voter of the ramifications of an over-vote;
Produce a permanent paper record that can be used in
a recount or audit of an election;
Provide accessibility to voters with disabilities;
Provide foreign language accessibility in
jurisdictions covered by Section 203 of the Voting Rights Act;
and
Meet the error rate standard established in the 2002
Voting System Standards.
According to HAVA, the requirement for access for voters with
disabilities can be satisfied by having one accessible voting machine
in each polling place. In addition to these requirements, Congress
provided an incentive for states that were using punch card or lever
voting systems by providing additional funding on a per precinct basis
to replace those outdated systems with a voting system that complies
with the requirements set out above.
HAVA also provides for the development and maintenance of testable
standards against which voting systems can be evaluated. It further
requires federal certification according to these standards. EAC is
responsible for and committed to improving voting systems through these
vital programs.
Voluntary Voting System Guidelines
One of EAC's most important mandates is the testing, certification,
decertification and recertification of voting system hardware and
software. Fundamental to implementing this key function is the
development of updated voting system guidelines, which prescribe the
technical requirements for voting system performance and identify
testing protocols to determine how well systems meet these
requirements. EAC along with its federal advisory committee, the
Technical Guidelines Development Committee (TGDC), and the National
Institute of Standards and Technology (NIST), work together to research
and develop voluntary testing standards.
On December 13, 2005, EAC adopted the first iteration of the
Voluntary Voting System Guidelines (VVSG). The final adoption of the
VVSG capped off nine months of diligent work by NIST and the TGDC. In
May of 2005, the TGDC delivered its draft of the VVSG. EAC then engaged
in a comprehensive comment gathering process, which included comments
from the general public as well as from members of its Board of
Advisors and Standards Board. Interested persons were able to submit
comments on-line through an interactive web-based program, via mail or
fax, and at three public hearings (New York, NY; Pasadena, CA; Denver,
CO). EAC received more than 6,000 individual comments. EAC teamed up
with NIST to assess and consider every one of the comments, many of
which were incorporated into the final version.
The VVSG is an initial update to the 2002 Voting System Standards
focusing primarily on improving the standards for accessibility,
usability and security. The 2005 VVSG significantly enhances the
measures that must be taken to make voting systems accessible to
persons with disabilities and more usable for all voters. For example,
the 2002 VSS contained 29 accessibility requirements, focusing
primarily on accommodating persons with visual disabilities. The 2005
VVSG contains 120 requirements that establish testing measures to
assure that voting systems accommodate all persons with disabilities,
including physical and manual dexterity disabilities. In addition to
ensuring accessibility requirements were increased and strengthened,
the 2005 VVSG includes for the first time a usability section, which
addresses the needs of all voters, empowering them to adjust voting
systems to improve interaction. Those testing measures include allowing
adjustment of brightness, contrast, and volume by the voter to suit
his/her needs.
The 2005 VVSG also incorporated standards for reviewing voting
systems equipped with voter-verifiable paper audit trails (VVPAT)\1\ in
recognition of the many states that now require this technology. In
accordance with HAVA and to assure that persons with disabilities had
the same access to review their ballots as non-disabled voters, the
2005 VVSG required VVPATs to be accessible when the paper record would
be used as the official ballot or as definitive evidence in a recount.
In addition, the VVSG addressed new technologies that emerged on the
market since the 2002 VSS, such as wireless technology. Standards were
established to require the wireless mechanism to be disabled during
voting and to provide a clear, visual indicator showing when the
wireless capability is activated. VVSG also establishes testing methods
for assessing whether a voting system meets the guidelines. A complete
listing of the changes and enhancements included in the 2005 VVSG can
be found on the EAC web site,
http://www.eac.gov/Summary%20of%20Changes%20to%20VVSG.pdf.
---------------------------------------------------------------------------
\1\ VVPAT is an independent verification method that allows the
voter to review his/her selections prior to casting his/her ballot
through the use of a paper print out. VVPAT is merely one form of
independent verification. EAC is currently working with NIST to develop
standards for additional methods such as witness systems, cryptographic
systems, and split process systems.
---------------------------------------------------------------------------
The 2005 VVSG, like the 1990 and 2002 VSS, is a voluntary set of
voting system testing standards. States choose to make these standards
mandatory for equipment purchased in those states by requiring national
certification according to those standards in their statutes and/or
rules and regulations. Currently, approximately 40 states require
certification to either the 2005 VVSG or the 1990 or 2002 VSS. When EAC
adopted the 2005 VVSG, it did so with an effective date of December 13,
2007. This two-year period was designed to allow states the time needed
to make changes to their laws, rules and regulations to require
certification to the new standards, as is standard practice when
introducing new industry guidelines. New York has already legislatively
mandated certification to the 2005 VVSG, and EAC expects over the next
several years that the vast majority of the states will make changes to
their legislation requiring certification to the 2005 VVSG. Prior to
December 13, 2007, voting systems, components, upgrades and
modifications can be tested against either the 2002 VSS or the 2005
VVSG, depending on the requirements of the states and manufacturers'
requests. After December 13, 2007, EAC will no longer test systems to
the 2002 VSS; systems and upgrades will only be tested to the 2005
VVSG.
Significant work remains to be done to fully develop a
comprehensive set of standards and testing methods for assessing voting
systems and to ensure that they keep pace with technological advances.
In FY 2007, EAC, along with TGDC and NIST, will revise sections of the
VVSG dealing with software, functional requirements, independent
verification, and security and will develop a comprehensive set of test
suites or methods that can be used by testing laboratories to review
any piece of voting equipment on the market. Much like the roll out of
the 2005 VVSG, these future iterations will be adopted with an
effective date provision and a procedure for when new voting systems,
components, upgrades and modifications will be required to be tested
against the new iteration of the VVSG.
Accreditation of Voting System Testing Laboratories
HAVA Section 231 requires EAC and NIST to develop a national
program for accrediting voting system testing laboratories. NIST's
National Voluntary Laboratory Accreditation Program (NVLAP) will
initially screen and evaluate testing laboratories and will perform
periodic reevaluation to verify that the labs continue to meet the
accreditation criteria. When NVLAP has determined that a lab is
competent to test systems, the NIST director will recommend to EAC that
a lab be accredited. EAC will then make the determination to accredit
the lab. EAC will issue an accreditation certificate to the approved
labs, maintain a register of accredited labs and post this information
on its web site to fully inform the public about this important
process.
In June 2005, NVLAP advertised for the first class of testing
laboratories to be reviewed under the NVLAP program and accredited by
EAC. Three applications were received in the initial phase, with two
additional applications following in late 2005. Pre-assessments of
these laboratories began in April 2006 and formal review is proceeding.
NVLAP will conduct full evaluations of at least two initial applicants
this fall and, depending on the outcome of the evaluations, will make
initial recommendations to the EAC before the end of the year. All
qualified candidates from among the pool of five applicants will be
sent to the EAC by spring 2007.
In late 2005, EAC invited laboratories that were accredited through
the National Association of State Election Directors (NASED) program as
Independent Testing Authorities (ITAs) to apply for interim
accreditation to avoid a disruption or delay in the testing process.
All three ITAs have applied for interim accreditation. Interim
accreditation reviews by EAC contractors are under way and are expected
to be completed by September 2006. ITAs will be accredited on an
interim basis until the first class of laboratories is accredited
through the NVLAP process. After that time, all testing labs must be
accredited through the NVLAP evaluation process.
The National Voting System Certification Program
In 2006, EAC is assuming the duty as prescribed by HAVA to certify
voting systems according to national testing standards. Previously,
NASED qualified voting systems to both the 1990 and 2002 Voting System
Standards. Historically, voting system qualification has been a labor
intensive process to ensure the integrity and reliability of voting
system hardware, software and related components. In six months, NASED
received 38 separate voting system test reports for review and
qualification. All requests were received, processed and monitored
while the testing laboratory assessed compliance. Once a test report
was produced, technical reviewers analyzed the reports prior to
certification.
EAC's certification process will constitute the Federal
Government's first efforts to standardize the voting system industry.
EAC's program will encompass an expanded review of voting systems, and
it will utilize testing laboratories accredited by EAC and experts
hired by EAC to assure that the tested systems adequately meet the
standards.
The EAC will implement the Testing and Certification Program
required by Section 231(a)(1) of HAVA in two distinct phases
(pre-election phase and full program). Both phases will be rolled out in
2006. The first phase of the program will begin on July 24, 2006 and
terminate upon the EAC's implementation of the program's second phase.
The second phase (full program) will begin on December 7, 2006.
The pre-election phase of the program focuses on providing
manufacturers a means to obtain federal certification for modifications
required by State and local election officials administering the 2006
General Election. This pre-election phase will ensure a smooth and
seamless transition from the NASED program (which has qualified voting
systems at the national level for more than a decade) to the more
rigorous and detailed EAC program. This will be done by delaying
implementation of some of the procedural requirements found in the full
program until after the critical pre-election period. This will allow
the EAC to diligently review voting system modifications while, at the
same time, ensuring a smooth transition and avoiding the unacceptable
delays often associated with rolling out a new program.
The full program will begin in December by requiring every voting
system manufacturer that desires to have a product certified to
register and disclose information about the company and its owners,
board members and decision-makers. Manufacturers will be subject to a
conflict of interest analysis including reviewing whether any owners or
board members are barred from doing business in the United States. EAC
will test complete voting systems including new components and how they
integrate with the entire voting system. This process will be achieved
by having technical experts review the reports provided by accredited
testing laboratories to assure that the tests performed and the results
are consistent with a system that conforms to the VVSG. These experts
will recommend conforming systems for certification. Another new
feature of the EAC certification program will be the quality assurance
program. Through site visits to manufacturing facilities and field
inspections, EAC will confirm that the systems that are being
manufactured, sold to and used by election jurisdictions throughout the
country are the same as those certified by EAC. Last, EAC will
introduce a decertification process that will allow involved persons to
file complaints of non-conformance, provide for the investigation of
those complaints, and if warranted decertify systems because of a
failure to conform to the VVSG.
Election Management Guidelines
To complement the VVSG, the EAC is creating a set of election
management guidelines. These guidelines are being developed by a group
of experienced state and local election officials who provide subject
matter expertise. The project will focus on developing procedures
related to the use of voting equipment and procedures for all other
aspects of the election administration process. The election management
guidelines will be available to all election officials if they wish to
incorporate these procedures at the State and local levels. These
guidelines cover the following topics:
Storage of equipment
Equipment set up
Acceptance testing
Procurement
Use
Logic and accuracy (validation) testing
Tabulation
Security protocols (all phases--storage, set up,
transport and Election Day)
Training of employees/poll workers
Education for voters
The first of these management guidelines was issued by EAC in June
2006 in the form of a Quick Start Guide for election officials. This
guide focused on the issues and challenges faced by election officials
as they accept and implement new voting systems. The guide gave tips to
the election officials on how to avoid common pitfalls associated with
bringing new voting systems on-line.
2006: A YEAR OF CHANGE, CHALLENGE AND PROGRESS
The federal elections in 2006 have and will mark a significant
change in the administration of elections. In compliance with HAVA,
states have purchased and implemented new voting systems. There is a
strong shift to electronic voting, although optical scan voting is
still popular. In addition, states have imposed new requirements on
their voting systems, and they have implemented their own testing
programs for voting systems they purchase. And, in at least 25 states,
voter-verified paper audit trails (VVPAT) have been required for all
electronic voting. Due to the introduction of new voting systems
throughout the Nation, the voter's experience at the polls will be
quite different in 2006 than it was in 2000. It is estimated that one
in three voters will use different voting equipment to cast their
ballots in 2006 than in 2004.
Voters with disabilities will likely experience the most dramatic
changes. For the first time, every polling place must be equipped with
voting machines that allow them to vote privately and independently.
For many voters with disabilities, this may be the first time that they
will cast ballots without the assistance of another person.
Voting systems do not represent the only changes in election
administration that will be apparent in 2006. States have also
developed statewide voter registration lists, which will provide the
ability to verify voters' identity by comparing information with other
state and federal databases. This will result in cleaner voter
registration lists and fewer opportunities for fraud. Another
anticipated benefit of the statewide lists will be a significantly
reduced need for provisional ballots, as was the case in states that
had statewide voter registration lists in 2004.
This year is one of transition, which is difficult to overcome in
any business; elections are no different. The introduction of new
equipment will present some challenges and hurdles to overcome. For
State and local governments, there are also a host of new obligations.
They must receive and test a fleet of new voting equipment. Training
for staff and poll workers must be organized and conducted. And,
extensive education programs must be implemented to inform the public
about the new voting equipment.
Although EAC cannot be on the ground in every jurisdiction to lend
a hand in these tasks, we have issued a Quick Start Guide to assist
election officials as they implement new voting systems. We also
encourage states to take proactive measures to test their voting
systems and voter registration lists prior to the federal elections.
Such activities have proven to be an excellent tool to identify
problems and solutions prior to the stresses and unpredictability of a
live election.
CONCLUSION
Over the past four years, significant changes have been made to our
election administration system. New voting systems have been purchased
and implemented. Each state has adopted a single list of registered
voters to better identify those persons who are eligible to vote.
Provisional voting has been applied across all 50 states, the District
of Columbia and four territories. However, one thing has not changed.
Elections are a human function. There are people involved at every
level of the election process, from creating the ballots, to training
the poll workers, to casting the votes.
With these changes will come unexpected situations, even mistakes.
We cannot anticipate in a process that involves so many people that it
will work flawlessly the first time. What we can embrace, however, is
that the process has been irrevocably changed for the better. There is
a heightened awareness of the electoral process in the general public.
There have been significant improvements to the election administration
process. And, more people have the ability to vote now than ever
before.
Security Analysis of the
Diebold AccuBasic Interpreter
David Wagner, David Jefferson, and Matt Bishop
Voting Systems Technology Assessment Advisory Board (VSTAAB)
with the assistance of:
Chris Karlof and Naveen Sastry
University of California, Berkeley
February 14, 2006
1. Summary
This report summarizes the results of our review of some of the
source code for the Diebold AV-OS optical scan (version 1.96.6) and the
Diebold AV-TSx touchscreen (version 4.6.4) voting machines. The study
was prompted by two issues: (1) the fact that AccuBasic scripts
associated with the AV-OS and AV-TSx had not been subjected to thorough
testing and review by the Independent Testing Authorities when they
reviewed the rest of the code for those systems, and (2) concern over
vulnerabilities demonstrated in the AV-OS optical scan system by
Finnish investigator Harri Hursti in Leon County, FL. Mr. Hursti showed
that it is possible for someone with access to a removable memory card
used with the AV-OS system to modify scripts (small programs written in
Diebold's proprietary AccuBasic language) that are stored on the card,
and also to modify the vote counts stored on the card, in such a way
that the tampering would affect the outcome of the election and not be
detected by the subsequent canvass procedures.
The questions we addressed are these:
What kinds of damage can a malicious person do to
undermine an election if he can arbitrarily modify the contents
of a memory card?
How can the possibility of such attacks be
neutralized or ameliorated?
The scope of our investigation was basically limited to the above
questions. We did not do a comprehensive code review of the whole code
base, nor look at a very broad range of potential security issues.
Instead, we concentrated attention to the AccuBasic scripting language,
its compiler, its interpreter, and other code related to potential
security vulnerabilities associated with the memory cards.
We found a number of security vulnerabilities, detailed below.
Although the vulnerabilities are serious, they are all easily fixable.
Moreover, until the bugs are fixed, the risks can be mitigated through
appropriate use procedures. Therefore, we believe the problems as a
whole are manageable.
Our findings regarding the scope of possible attacks on the AV-OS
optical scan and AV-TSx touchscreen systems can be summarized as
follows:
AccuBasic is a limited language: The AccuBasic
language itself is not a powerful programming language, but a
very restricted one, narrowly tailored to one task: calculating
and printing reports before and after an election. From a
security point of view this is very desirable; minimal
functionality generally means fewer opportunities for error or
security vulnerability. In particular, when its interpreter is
properly implemented (see below) an AccuBasic program cannot
modify votes or ballot images; it can read vote counters
(AV-OS) or ballot images (AV-TSx), but it cannot modify them.
The AccuBasic interpreter is well-structured: The
code in the AccuBasic interpreters for both machines is clean,
well-structured, and internally documented. We were able to
understand it with little difficulty despite the lack of
external documentation.
Memory card attacks are a real threat: We determined
that anyone who has access to a memory card of the AV-OS, and
can tamper with it (i.e., modify its contents), and can have the
modified cards used in a voting machine during an election, can
indeed modify the election results from that machine in a
number of ways. The fact that the results are incorrect cannot
be detected except by a recount of the original paper ballots.
Harri Hursti's attack does work: Mr. Hursti's attack
on the AV-OS is definitely real. He was indeed able to change
the election results by doing nothing more than modifying the
contents of a memory card. He needed no passwords, no
cryptographic keys, and no access to any other part of the
voting system, including the GEMS election management server.
Interpreter bugs lead to another, more dangerous
family of vulnerabilities: However, there is another category
of more serious vulnerabilities we discovered that go well
beyond what Mr. Hursti demonstrated, and yet require no more
access to the voting system than he had. These vulnerabilities
are consequences of bugs--16 in all--in the implementation of
the AccuBasic interpreter for the AV-OS. These bugs would have
no effect at all in the absence of deliberate tampering, and
would not be discovered by any amount of functionality testing;
but they could allow an attacker to completely control the
behavior of the AV-OS. An attacker could change vote totals,
modify reports, change the names of candidates, change the
races being voted on, or insert his own code into the running
firmware of the machine.
Successful attacks can only be detected by examining
the paper ballots: There would be no way to know that any of
these attacks occurred; the canvass procedure would not detect
any anomalies, and would just produce incorrect results. The
only way to detect and correct the problem would be by recount
of the original paper ballots, e.g., during the one percent
manual recount.
The bugs are classic, and can only be found by source
code review: Finding these bugs was only possible through close
study of the source code. All of them are classic security
flaws, including buffer overruns, array bounds violations,
double-free errors, format string vulnerabilities, and several
others. There may, of course, be additional bugs, or kinds of
bugs, that we did not find.
AV-TSx has potential cryptographic protection against
memory card attacks: A majority of the bugs in the AV-OS
AccuBasic interpreter are also present in the interpreter for
the AV-TSx touchscreen system. However, the AV-TSx touchscreen
has an important protection that the AV-OS optical scan does
not: the key contents of its removable memory card, including
the AccuBasic scripts, are digitally signed. Hence, if the
cryptographic keys are managed properly (see next bullet), any
tampering would be quickly detected and the attack would be
unsuccessful. All of the attacks we describe, and Hursti's
attack as well, would be foiled, because the memory card by
itself would in effect be cryptographically tamper proof.
But the implementation of cryptographic protection is
flawed: There is a serious flaw in the key management of the
crypto code that otherwise should protect the AV-TSx from
memory card attacks. Unless election officials avail themselves
of the option to create new cryptographic keys, the AV-TSx uses
a default key. This key is hard-coded into the source code for
the AV-TSx, which is poor security practice because, among
other things, it means the same key is used in every such
machine in the U.S. Worse, the particular default key in
question was openly published two and a half years ago in a
famous research paper, and is now known by anyone who follows
election security, and can be found through Google. The result
is that in any jurisdiction that uses the default keys rather
than creating new ones, the digital signatures provide no
protection at all.
All the bugs are easy to fix: In spite of the fact
that the bugs we have identified are very serious, all of them
are very local and very easy to fix. In each case only a couple
of lines of code need to be changed. It should take only a few
hours to do the whole job for both the AV-OS and AV-TSx.
No use of high assurance development methods: The
AccuBasic interpreter does not appear to have been written
using high-assurance development methodologies. It seems to
have been written according to ordinary commercial practices.
In the long run, if the interpreter remains part of the code
base, it and the rest of the code base should be revised
according to a more rigorous methodology that would, among
other things, likely have prevented the bugs we found.
Interpreted code is contrary to standards:
Interpreted code in general is prohibited by the 2002 FEC
Voluntary Voting System Standards, and also by the successor
standard, the EAC's Voluntary Voting System Guidelines due to
take effect in two years. In order for the Diebold software
architecture to be in compliance, it would appear that either
the AccuBasic language and interpreter have to be removed, or
the standard will have to be changed.
Bugs detailed in confidential companion report: In a
companion report we have listed in great detail all of the bugs
we identified, the lines at which they occur, and the threats
they pose. Because that report contains Diebold proprietary
information, and because it details exactly how to exploit the
vulnerabilities we discovered, that report must be
confidential.
Clearly there are serious security flaws in the current state of the
AV-OS and AV-TSx software. However, despite these serious
vulnerabilities, we believe that the security issues are manageable by
a reasonably careful combination of short- and long-term approaches.
Here are our recommendations with regard to mitigation strategies.
In the short-term, especially for local elections, the security
problems related to AccuBasic and the memory cards might be managed
according to guidelines such as these:
Strong control over access to memory cards for the
AV-OS: The AV-OS optical scan is vulnerable to both the Hursti
attack and attacks based on the AccuBasic interpreter bugs we
found. It would be safest if it is not widely used until these
bugs are fixed, and until a modification is made to ensure that
the Hursti attack is eliminated. But if the AV-OS is used,
strong procedural safeguards should be implemented that prevent
anyone from gaining unsupervised or undocumented access to a
memory card, and these procedures should be maintained for the
life of all cards. Such controls might include a dual-person
rule (i.e., no one can be alone with a memory card); permanent
serial numbers on memory cards along with chain-of-custody
documentation, so there is a paper trail to record who has
access to which cards; numbered, tamper evident seals
protecting access to the cards whenever they are out of control
of county staff; and training of all personnel, including poll
workers, regarding proper treatment of cards, and how to check
for problems with the seals and record a problem. Any breach of
control over a card should require that its contents be zeroed
(in the presence of two people) before it is used again.
Require generation of new crypto keys for the AV-TSx:
The AV-TSx is not vulnerable to any of these memory card
attacks provided that the default cryptographic key used for
signing the contents of the memory card is changed to a new,
unguessable key and kept secure. If the key is changed then
these threats are all eliminated, at least for the short-term.
If this is not done, however, then the AV-TSx is no more secure
than the AV-OS.
Control access to GEMS: Access to GEMS should be
tightly controlled. This is a good idea for many reasons, since
a malicious person with access to GEMS can undermine the
integrity of an election in many ways. In addition, in a TSx
system, GEMS holds a copy of the cryptographic key used for
signing the contents of the memory cards, and in both systems
the GEMS server may hold master copies of the AccuBasic scripts
loaded onto the memory cards.
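The card-handling controls listed above (dual-person rule, numbered seals, zeroing after any breach) can be checked mechanically against a chain-of-custody log. The following is an added example, not part of the original report; the log format, field names, serial numbers and seal numbers are constructed for illustration.

```python
# Constructed custody log; every field name and value here is an assumption.
SAMPLE_LOG = [
    {"card": "MC-0001", "action": "seal",   "present": ["Avery", "Blake"], "seal": "S-1001"},
    {"card": "MC-0002", "action": "seal",   "present": ["Avery", "Blake"], "seal": "S-1002"},
    {"card": "MC-0003", "action": "seal",   "present": ["Casey"],          "seal": "S-1003"},
    {"card": "MC-0001", "action": "unseal", "present": ["Drew", "Emery"],  "seal": "S-1001", "intact": True},
    {"card": "MC-0002", "action": "unseal", "present": ["Drew", "Emery"],  "seal": "S-1999", "intact": True},
    {"card": "MC-0001", "action": "use",    "present": ["Drew", "Emery"]},
    {"card": "MC-0002", "action": "zero",   "present": ["Drew", "Emery"]},
    {"card": "MC-0002", "action": "use",    "present": ["Drew", "Emery"]},
    {"card": "MC-0003", "action": "zero",   "present": ["Casey"]},
    {"card": "MC-0003", "action": "use",    "present": ["Casey", "Drew"]},
]


def audit_custody(log):
    """Return (findings, cards_needing_zeroing) for a custody log.

    findings is a list of (entry_number, card_serial, reason) tuples.
    A card enters the breached set on any control failure and leaves it
    only when it is zeroed in the presence of two distinct people.
    """
    findings = []
    current_seal = {}   # card serial -> seal number currently applied
    breached = set()    # cards whose contents can no longer be trusted

    for number, entry in enumerate(log, start=1):
        card, action = entry["card"], entry["action"]
        witnesses = set(entry["present"])  # a set ignores duplicate names

        # Dual-person rule: nobody is ever alone with a memory card.
        if len(witnesses) < 2:
            findings.append((number, card, "DUAL_PERSON"))
            breached.add(card)

        if action == "seal":
            current_seal[card] = entry["seal"]
        elif action == "unseal":
            expected = current_seal.pop(card, None)
            if expected is None or entry["seal"] != expected:
                findings.append((number, card, "SEAL_MISMATCH"))
                breached.add(card)
            elif not entry.get("intact", False):
                findings.append((number, card, "SEAL_DAMAGED"))
                breached.add(card)
        elif action == "zero":
            # Zeroing only restores trust when two people witnessed it.
            if len(witnesses) >= 2:
                breached.discard(card)
        elif action == "use":
            if card in breached:
                findings.append((number, card, "USED_AFTER_BREACH"))

    return findings, breached


if __name__ == "__main__":
    found, still_breached = audit_custody(SAMPLE_LOG)
    for number, card, reason in found:
        print(f"entry {number}: {card}: {reason}")
    print("must be zeroed before reuse:", sorted(still_breached))
```

In the constructed log, MC-0002 is cleared by a witnessed zeroing after its seal mismatch, while MC-0003 stays flagged because both its sealing and its zeroing were done by one person.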
In the longer-term, one would want to consider a number of
additional measures:
Fix bugs: Certainly the bugs in the source code of
the interpreters for both the AV-OS and AV-TSx should be
corrected with all deliberate speed, the Hursti vulnerability
should be fixed, and the code re-examined by independent
experts to verify that it was properly done.
Defensive and high assurance programming methodology:
The source code of the interpreters should be revised to
introduce systematic defensive programming practices and high
assurance development methods. In particular, eliminate in the
firmware, insofar as possible, any trust of the contents of the
memory card.
Protect AccuBasic code from tampering: The AccuBasic
object code could be protected from tampering and modification,
either by (a) storing AccuBasic object code on non-removable
storage and treating it like firmware, or by (b) protecting
AccuBasic object code from modification through the use of
strong cryptography (particularly public-key signatures).
Don't store code on memory cards: The architecture of
the AV-OS and the AV-TSx could be changed so they do not store
code on removable memory cards.
Remove interpreters and interpreted code: The
architecture of the AV-OS and the AV-TSx could be changed so
they do not contain any interpreter or use any kind of
interpreted code, in order to bring the code base into
compliance with standards.
2. Introduction
Scope of the study. This report summarizes the results of our review of
the source code for the Diebold AV-OS optical scan (version 1.96.6) and
the Diebold AV-TSx touchscreen (version 4.6.4) voting machines. This
investigation, requested by the office of the California Secretary of
State, was to evaluate security concerns raised by the use of AccuBasic
scripts (programs) stored on removable memory cards in the two systems
and offer options for their amelioration. The study was prompted by
vulnerabilities demonstrated in the optical scan system by Finnish
investigator Harri Hursti in Leon County, FL. Mr. Hursti showed that
under certain circumstances it is possible for someone with access to a
memory card to modify the scripts and modify the vote counts in a way
that would not be detected by the subsequent canvass procedure, and
would normally only be detectable by a recount of the paper ballots.
Our study does not constitute a comprehensive code review of the
entire Diebold code base. We had access to the full code bases for the
AV-OS and AV-TSx, but we did not even attempt a comprehensive review of
the entire code base. Our attention was focused fairly narrowly on
Diebold's proprietary AccuBasic scripting language, the compiler for
that language, the interpreter for its object code, the AccuBasic
scripts themselves, and the related protocols and procedures, both for
the AV-OS (optical scan) and AV-TSx (touchscreen) voting systems.
In particular, we did not have the source code for the Diebold GEMS
election management system, and our security evaluation does not cover
GEMS at all. It is widely acknowledged that a malicious person with
unsupervised access to GEMS, even without knowing the passwords, can
compromise GEMS and the election it controls. This report does not
address those threats, however.
Our analysis was based only on reading the source code we were
given. We did not have access to a real running system (although we
were able to compile and execute modified versions of the compiler and
interpreter on a PC). Nor did we have any manuals or other
documentation beyond that present in comments in the code itself. We
had access to the source code for a period of approximately four weeks
for this review.
The threat model. Different jurisdictions around the country have
somewhat different procedures for conducting an election with the
Diebold AV-OS and AV-TSx systems, but all include the following steps:
1. Before the election, the removable memory cards are
initialized through the GEMS election management system with the
appropriate election description information for the precinct
the machine will be used in, and with the AccuBasic object code
scripts to be used, and with other information detailed below.
2. The initialized cards are then inserted into the voting
machines (optical scan or touchscreen); the compartment in
which the card sits is locked and sealed with a tamper-evident
seal of some kind.
3. The voting machine with its enclosed card is transported to
the precinct poll site where it is stored overnight (or
longer) until the start of the election.
4. At the start of the election, a script on the card is used
to print initial reports, including the Zero Report, which
should indicate that all the vote counters are zero (in the
AV-OS) and the file of voted ballots is empty (in the AV-TSx).
5. All during election day, voted paper ballots are scanned
and the appropriate counters on the removable memory card are
incremented (AV-OS), or the voted ballots themselves are stored
electronically on the memory card (AV-TSx), and electronic
audit log records are appended to a file on the card.
6. At the end of election day, a script from the card is used
to print final reports for the day, including vote totals.
7. Finally, one of two steps is taken, depending on the
jurisdiction: either (a) the seal is broken and the memory card
is removed and transported back to a central location for
canvass using GEMS; or, (b) the entire voting machine is
transported to the central location, where election officials
break the seal, remove the memory card, and read its contents
during the canvass.
The threats we are concerned about specifically involve
modification of the contents of the memory card, especially the
AccuBasic object code. In other words, somewhere along the line, in the
procedure above, the attacker is able to get a memory card, arbitrarily
modify its contents, and surreptitiously place it in a voting machine
for use in an election, and do so without being immediately detected.
We assume the attacker's goal is either to change the election
results undetected, or perhaps simply to disrupt the election (e.g. by
causing voting machine crashes). We also assume that the attacker knows
every detail of how the system works, and the procedural safeguards,
and even has access to the manuals, documentation, and source code of
the system. The attacker, therefore, is able to take advantage of bugs
and vulnerabilities in the code. (It is standard to make these last
assumptions, since it is almost impossible to keep code and related
information secret from a determined attacker.)
We do not, however, assume that the attacker has any inside
confederates, or has access to any passwords or cryptographic keys, or
access to GEMS. We do not assume that the attacker has any access to
paper ballots (AV-OS) or VVPAT (AV-TSx), nor even that he has any
access to the voting system beyond the ability to insert a memory card
undetected.
The process we followed. We were asked to perform a security review of
the Diebold source code. As part of the review, we were provided access
to the source code for the AV-OS and the AV-TSx machines. This included
the source code for the AccuBasic compiler, for the AccuBasic
interpreter in the AV-OS and the AccuBasic interpreter in the AV-TSx,
for some AccuBasic scripts, and all other source code for the AV-OS and
AV-TSx. There are two separate versions of the interpreter, one in the
AV-OS and one in the AV-TSx; however, the two implementations are very
similar.
We undertook a line-by-line analysis of the source code for the
AV-OS AccuBasic interpreter. Three team members (Karlof, Sastry, and
Wagner) read every line of source code carefully and checked for all
types of security and reliability defects known to us. When we found a
vulnerability in the AV-OS interpreter, we examined the corresponding
portion of the AV-TSx interpreter to check whether the AV-TSx shared
that same vulnerability.
After completing the line-by-line source code analysis, we applied
a commercial static source code analysis tool to the AV-OS interpreter
code. Code analysis tools perform an automated scan of the source code
to identify potentially dangerous constructs. We obtained a copy of the
Source Code Analyzer (SCA) tool, made by Fortify Software, Inc.;
Fortify generously donated the tool to us for our use in this project
at no cost, and we gratefully acknowledge their contribution. Two of us
(Bishop and Wagner) are members of Fortify Software's Technical
Advisory Board, and thus were already familiar with this tool. We
manually inspected each of the warnings generated by the tool.
While our analysis uncovered several potential attacks on the
system, we have not attempted to attack any working system. We
performed our analysis mostly ``on paper;'' we did not have access to a
genuine running system. We did, however, get a stubbed-out version of
the code running on a PC, and were able to confirm that one of the
attacks we discovered (the only one we tried) actually works.
In the end, we wrote our report in two parts. The public part is
this document, which contains background, our findings and
recommendations, and all of the explanatory information we have found
to support them. The confidential part contains a detailed description
of all of the bugs we found, the file names and line numbers where they
occur, how they can be exploited, and what the consequences are. It is
confidential because it contains both proprietary material and specific
information about potential attacks on voting systems.
3. Background
3.1 Contents of the memory card
Both the AV-OS and AV-TSx systems use removable memory cards as key
parts of their architectures. In both systems, the memory cards contain
several kinds of information:
the election description (a small database describing
the races, candidates, parties, propositions, and ballot layout
information for the current election);
vote counters for every candidate and proposition on
the ballot that store a count of the number of votes for that
candidate (in the case of the AV-OS), or data records
containing the cast ballot images (AV-TSx), along with various
summary counters;
byte-coded object programs (.abo files), which are
normally created by writing scripts (programs) in the AccuBasic
language and running them through the AccuBasic compiler;\1\
---------------------------------------------------------------------------
\1\ AccuBasic object files (.abo files) are normally created by
running AccuBasic programs through the compiler, i.e., that is the
intent. But nothing prevents a programmer from directly writing .abo
files, or modifying them, bypassing the AccuBasic language and the
compiler entirely. Indeed, this is a route to several potential
attacks. The AccuBasic interpreter makes no effort to verify that the
AccuBasic object code has indeed been produced by the compiler.
---------------------------------------------------------------------------
the internal electronic audit log;
an election mode field indicating whether the system
containing the card is currently being used in a real election
or not;
a large number of other significant variables
including strings, flags (for selecting options), various event
counters, and other data describing the state of the election.
In fact, as far as we can tell, the entire election-specific state
of the voting machine (the part that is retained between voting
transactions) is stored on the memory card. It would take a much more
comprehensive review of the software than we were able to conduct in
order to verify this, but it appears to be the case.
All of this information on the memory cards is critical election
information. If it is not properly managed, or if it is modified in any
unauthorized way, the integrity of the entire election is possibly
compromised. It is therefore vital, as everyone acknowledges, to
maintain proper procedural control over the memory cards to prevent
unauthorized tampering, and to treat them at all times during the
election with at least the same level of security as ballot boxes
containing voted ballots.
From one point of view, such an architecture makes good sense. In
principle, it allows a memory card to be removed from a machine at
almost any time (except during a short critical time window at the
final completion of each vote transaction) without losing any votes or
audit records, or any of the other context that has been accumulated.
(Removal of a memory card during an election is procedurally forbidden
under normal circumstances.) And it guarantees that when the memory
card is removed at the end of the day, it contains all of the data
needed for canvass, and for the resolution of most disputes, excepting
only those that might depend on detailed forensic analysis.
Having all of the state on a removable memory card has a downside,
however. It means an attacker with access to the card has potentially
many other avenues of attack besides direct modification of the vote
counts or the AccuBasic scripts; he can modify any other part of the
election configuration or state as well. In our investigation, we did
not attempt to enumerate all of these possibilities since it was clear
that the only strong way to protect against all such attacks is to
prevent any possibility of undetected tampering with the memory card in
the first place.
When the AV-OS memory card is inserted into the AV-OS, it acts like
an extension of main memory, and can be directly read and written via
ordinary memory addressing, e.g., via variables and pointers. (Whether
it actually is RAM, or is instead some other kind of memory-mapped
storage device is not clear to us, but from a software point of view
there is no difference.)
On the AV-TSx, however, the election state data is stored in a file
system on the removable card. This means that the firmware cannot
access it directly as main memory, but must use open/close/read/write
calls to move data between files on the card and main memory. From a
reliability and security point of view this is preferable to the
architecture used on the AV-OS, since many kinds of common bugs (e.g.
index or pointer bugs) can corrupt the data on a card that acts as main
memory, whereas that is less likely for data packaged in a file system.
In the AV-OS, once the memory card is inserted into the voting
machine, the byte-coded object programs become immediately executable
by the AccuBasic interpreter in the firmware of the machine. However,
on the AV-TSx the byte-coded object programs are cryptographically
protected by the GEMS election management system. In effect, the GEMS
server writes a sort of checksum\2\ that depends on both the data and a
secret cryptographic key to the memory card. When the memory card is
inserted in an AV-TSx machine, the correctness of the checksum is
validated and the machine refuses to enter election mode if the check
fails.\3\
---------------------------------------------------------------------------
\2\ To be precise, it uses a cryptographic message authentication
code (MAC).
\3\ If the cryptographic message authentication code is invalid, a
dialog box appears on the screen with the warning ``Unable to load the
election: the digital data base signature does not match the expected
value,'' and the machine does not enter election mode.
---------------------------------------------------------------------------
The cryptographic protection for the object code on the AV-TSx
touchscreen machine is a significant improvement. It means that even if
an attacker can get access to a memory card and modify the object code,
unless he also has the cryptographic key to allow him to create a
matching checksum for the modified object code, the checksum will not
match when the card is inserted and the attack would be foiled. The
integrity of the object code then boils down, for all practical
purposes, to the secrecy of the cryptographic key (which we will
discuss later).
3.2 AccuBasic
The AccuBasic programming language is a Diebold-proprietary,
limited-functionality scripting language (a kind of programming
language). The scripts (programs) written in AccuBasic are intended to
be used only for creating and printing reports on the printer units
attached to the AV-OS or AV-TSx.
Once a script is written in AccuBasic (the source code version of
the script), it is run through the AccuBasic compiler, which translates
it into a form of object code. The object code is represented in
another Diebold-proprietary language that seems to be unnamed but is
generally referred to as byte code or an .abo file. It is the object
code form of the scripts that is stored on the memory card, not the
source form.
Normally all .abo files are produced in this way, i.e. by running
AccuBasic source through the compiler. But it is important to
understand that nothing prevents a programmer from bypassing the
compiler and constructing a valid .abo file directly, or by editing an
.abo file produced by the compiler. (Mr. Hursti did just that,
modifying the portion of the script responsible for printing the zero
report.) A .abo file produced in either of these nonstandard ways might
not be producible by the compiler at all from any AccuBasic source
file. However, it will still be executable by the interpreter without
any error, and this fact can be the basis for powerful attacks that can
take advantage of bugs in the interpreter. The AccuBasic interpreter
makes no attempt to validate the .abo files, i.e., to ascertain that
they were in fact produced using the compiler.
The AccuBasic software for the AV-TSx is slightly different from
that on the AV-OS. This is due primarily to the differences in the
environment on the two systems. For example, the AV-TSx gets yes/no
user input through the touchscreen, whereas the AV-OS gets it from
physical buttons. Also, AV-OS memory cards contain vote counters only,
whereas the AV-TSx cards store full ballot records. The memory card on
the AV-OS is memory-mapped, whereas the same information is stored in a
file system on the AV-TSx memory card. The AccuBasic interpreter for
the AV-TSx is implemented in C++, whereas the interpreter in the AV-OS
is written in C. The AV-OS interpreter contains 1,838 lines of C code
(not counting blank lines, comments, or global declarations), while the
AV-TSx contains 2,614 lines of C++ code (again, excluding blank lines,
comments, and declarations). However, it is clear that the AccuBasic
interpreter in the AV-TSx was originally just a translation from C to
C++ of the one in the AV-OS, and they have subsequently diverged only
slightly. The differences between the two AccuBasic interpreters are
generally small enough that, except where noted, our generalizations
about AccuBasic and its implementation apply equally to both versions.
AccuBasic is in one sense a general purpose language, in that it is
able to do arbitrary numerical and string calculations.\4\ But in
another sense, when its interpreter is properly implemented, it is a
very restricted language in that, while it can calculate anything, it
can only control a very limited part of the functionality of the voting
machine. For example, an AccuBasic script can read the vote counters
(or ballot images) and the election description from the memory card,
and it can read a few other internal values as well (such as the date
and time); but it cannot modify any of them. And it can invoke only a
few functions from the rest of the code base outside the interpreter,
specifically, those needed for assembling information for, and for the
printing of, reports on the machine's screen and printer. It is not
possible (again, when the AccuBasic interpreter is properly
implemented) for AccuBasic object code to:
modify the vote counts (AV-OS) or the ballot images
(AV-TSx);
forge any votes or fail to record any votes;
modify the election description information; or
modify any paper ballots.
---------------------------------------------------------------------------
\4\ The language uses integer and string data types, and permits
assignments, sub-string extraction and assignment, conditionals, loops,
a limited number of defined subroutines, subroutine calls (without
arguments), and recursion. It is theoretically capable of computing any
computable function.
---------------------------------------------------------------------------
On the other hand, even when perfectly implemented, it is always
possible for an erroneous or malicious AccuBasic script to:
print false reports, or
crash the voting machine (e.g., by going into an
infinite loop).
These latter points are not flaws in the design of the AccuBasic
language or interpreter. Any other software, e.g., the machine's
firmware, could have similar bugs. However, the fact that the scripts
are on removable memory cards--and thus potentially exposed to
tampering--makes these possibilities important. Mr. Hursti's attack on
the AV-OS depended critically on his ability to modify the Zero Report
script so that it falsely indicated that all counters were zero when in
fact they were not. And in some jurisdictions, e.g., Florida, the
reports printed by the AV-OS are the legal results of the election, so
printing a false report amounts to falsifying the results of the
election.
The intent of the AccuBasic language, compiler, and interpreter is
that AccuBasic scripts should be usable exclusively for creating and
printing reports on the voting machine's printer, without modifying the
voting machine's behavior in any other way. With the exception of some
serious bugs (described in our findings below) we found that this is
indeed the case. In spite of its name, which is reminiscent of the
powerful scripting language Visual Basic, we found that AccuBasic is a
very limited, special purpose language; this is the right approach if
one is to use an interpreted language at all.
Aside from the bugs (described below) the AccuBasic interpreters
for both the AV-OS and AV-TSx are very well written and documented. We
had no difficulty understanding the code and reviewing it.
4. Findings
Finding 1 There are serious vulnerabilities in the AV-OS and AV-TSx
interpreter that go beyond what was previously known. If a malicious
individual gets unsupervised access to a memory card, he or she could
potentially exploit these vulnerabilities to modify the electronic
tallies at will, change the running code on these systems, and
compromise the integrity of the election arbitrarily. (The original
paper ballots for the AV-OS, of course, cannot be affected by tampering
with the memory cards.)
The AccuBasic interpreters, in both the AV-OS and AV-TSx, have a
number of serious bugs--defects in the source code--that render the
machines vulnerable to various attacks. (This goes well beyond what Mr.
Hursti demonstrated; his attacks did not exploit any of these
vulnerabilities.) These vulnerabilities would not affect the normal
behavior of the machine, and would not be discovered during testing.
But they could be exploited by an attacker with unsupervised access to
a memory card. Many of these vulnerabilities are present in both the
AV-OS and AV-TSx; the AV-TSx code is basically a translation of the
AV-OS code from C to C++, and most of the vulnerabilities were preserved
in the translation.
The vulnerabilities arise because the AccuBasic interpreter
``trusts'' the contents of the AccuBasic object code (.abo files)
stored on the memory card, and implicitly assumes that this AccuBasic
object code has been produced by a legitimate Diebold AccuBasic
compiler. As discussed earlier, this assumption is not necessarily
justified. Anyone with unsupervised access to the AV-OS memory card
could freely modify its contents, including the .abo file stored on the
memory card. The same is true of the AV-TSx memory card, if the
cryptographic keys are not updated from their default values (see
Finding 4 below).
Types of vulnerabilities. The vulnerabilities include several instances
of the classic buffer overrun vulnerability, as well as vulnerabilities
with a similar effect. This kind of vulnerability would allow someone
who could edit the AccuBasic object code on the memory card to
completely control the behavior of the voting machine. The instant that
the AccuBasic interpreter on the AV-OS or AV-TSx attempts to execute
the malicious AccuBasic object code, the machine will be compromised.
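The validation step that the interpreter omits can be sketched as follows. This is an added example, not code from the report or from Diebold: the three-byte instruction format, opcode names, limits and sample programs are hypothetical, since the real .abo layout is not given here. Every operand is bounds-checked before any instruction runs, and a step budget bounds the infinite-loop case noted in Section 3.2.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical format (not the real .abo layout): 3 bytes {opcode, a, b}. */
enum { OP_HALT, OP_SET, OP_ADD, OP_DEC, OP_JNZ, OP_COUNT };
enum { NVARS = 8, INSN = 3, MAX_STEPS = 10000 };
enum { ABO_OK, ABO_BAD_LENGTH, ABO_BAD_OPCODE, ABO_BAD_VAR,
       ABO_BAD_TARGET, ABO_NO_HALT, ABO_STEP_LIMIT };

/* Static check of the whole program, run before any instruction executes. */
int abo_validate(const uint8_t *code, size_t len) {
    if (!code || len == 0 || len % INSN != 0) return ABO_BAD_LENGTH;
    size_t n = len / INSN;                       /* instruction count */
    for (size_t i = 0; i < n; i++) {
        const uint8_t *p = code + i * INSN;
        if (p[0] >= OP_COUNT) return ABO_BAD_OPCODE;
        if (p[0] != OP_HALT && p[1] >= NVARS) return ABO_BAD_VAR;
        if (p[0] == OP_ADD && p[2] >= NVARS) return ABO_BAD_VAR;
        if (p[0] == OP_JNZ && p[2] >= n) return ABO_BAD_TARGET;
    }
    /* Without a final HALT the fetch loop could run past the buffer. */
    return code[(n - 1) * INSN] == OP_HALT ? ABO_OK : ABO_NO_HALT;
}

/* Executes validated code only; the step budget stops endless loops. */
int abo_run(const uint8_t *code, size_t len, uint32_t vars[NVARS]) {
    int rc = abo_validate(code, len);
    if (rc != ABO_OK) return rc;
    size_t pc = 0;
    for (int steps = 0; steps < MAX_STEPS; steps++) {
        const uint8_t *p = code + INSN * pc++;
        switch (p[0]) {
        case OP_HALT: return ABO_OK;
        case OP_SET:  vars[p[1]] = p[2]; break;          /* a = immediate b */
        case OP_ADD:  vars[p[1]] += vars[p[2]]; break;   /* unsigned, wraps */
        case OP_DEC:  vars[p[1]] -= 1; break;
        case OP_JNZ:  if (vars[p[1]] != 0) pc = p[2]; break;
        }
    }
    return ABO_STEP_LIMIT;
}

/* Constructed samples: SUM adds 5 three times; the others must be refused. */
const uint8_t SUM[] = { OP_SET,0,3, OP_SET,3,5, OP_ADD,2,3, OP_DEC,0,0,
                        OP_JNZ,0,2, OP_HALT,0,0 };
const uint8_t BAD_VAR[] = { OP_SET,200,1, OP_HALT,0,0 };  /* variable 200 */
const uint8_t BAD_JMP[] = { OP_JNZ,0,9, OP_HALT,0,0 };    /* target 9 of 2 */
const uint8_t SPIN[]    = { OP_SET,0,1, OP_JNZ,0,1, OP_HALT,0,0 };

int main(void) {
    uint32_t v[NVARS] = {0};
    int rc = abo_run(SUM, sizeof SUM, v);
    printf("SUM rc=%d v2=%u\n", rc, (unsigned)v[2]);
    return 0;
}
```

A check of this kind rejects object code that no compiler would emit, but it does not prevent a well-formed script from printing a false report; that still depends on protecting the card contents.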
Table 1 contains an overview of the 16 vulnerabilities we found in
the AV-OS, and their impact. Also, Table 2 contains a similar overview
of the 10 vulnerabilities we found in the AV-TSx. Note that we have
excised any information that might help to exploit these
vulnerabilities from those tables. We have relegated all such
information to a separate Appendix, which contains additional detail:
for each vulnerability, the Appendix lists the source code line number
where the vulnerability appears, along with information about how the
vulnerability might be exploited in the field.
These vulnerabilities were found primarily by line-by-line review
of the source code, performed by three of us reading every line of the
interpreter code together as a team. After we had completed a careful
line-by-line security analysis, we then applied the Fortify Source Code
Analyzer (SCA) tool and examined the warnings it produced. Given the
care with which we performed the manual code review, we had not
expected a static bug-finding tool to find any further bugs. Consistent
with our expectations, the first warning we inspected from the tool
referred to an exploitable security vulnerability we had already found.
However, to our considerable surprise, the second warning from the tool
turned out to reveal a vulnerability that we had missed as part of our
manual code inspection (namely, Vulnerability V2). (The remainder of
the warnings we examined pointed to bugs and vulnerabilities that we had
already found.)
In all cases the specific bugs we found are local and easy to fix.
One concern, however, is that these are just the bugs we were able to
find; there are quite possibly others we did not notice, and that
automated bug-finding tools (which are always imperfect) would not
notice either. Code review is difficult. It is hard to be confident
that one has found all bugs (and indeed, our experience with the
Fortify SCA tool highlighted this fact), and if we used another tool or
if another person were to examine the code, they might find other
vulnerabilities.
None of the vulnerabilities we found would have been found through
standard testing, so testing is not the answer. This is a long-term
problem with the use of interpreted code on removable memory cards, and
with the failure to use defensive programming and other good security
practices when implementing the interpreter.
These vulnerabilities have not been confirmed by verifying that
they work against a full working system. (We did not have access to a
running system.) We have used our best judgment to assess which bugs
are likely to be exploitable, but it is possible that some bugs we
classified as vulnerabilities may in fact not be exploitable.
Conversely, there may be other vulnerabilities that we failed to
identify because of the lack of a working system.
To double-check our analysis, we chose one vulnerability more or
less at random and verified that we were able to exploit it in a
simulated test environment. We were able to compile and execute a
slightly modified version of the AV-OS AccuBasic interpreter, as well
as the AccuBasic compiler, on a PC. We then developed an example of
AccuBasic object code (an .abo file) that would exploit this
vulnerability. We verified that, when using the interpreter to
interpret this object code on our PC, we were able to trigger a buffer
overrun and successfully exploit the vulnerability. This provides
partial confirmation of our analysis, but it is certainly not an
authoritative test. We did not attempt to perform an exhaustive test of
all 16 vulnerabilities.
Impact. The consequence of these vulnerabilities is that any person
with unsupervised access to a memory card for sufficient time to modify
it, or who is in a position to switch a malicious memory card for a
good one, has the opportunity to completely compromise the integrity of
the electronic tallies from the machine using that card.
Many of these vulnerabilities allow the attacker to seize control
of the machine. In particular, they can be used to replace some of the
software and the firmware on the machine with code of the attacker's
choosing. At that point, the voting system is no longer running the
code from the vendor, but is instead running illegitimate code from the
attacker. Once the attacker can replace the running code of the
machine, the attacker has full control over all operation of the
machine. Some of the consequences of this kind of compromise could
include:
The attack could manipulate the electronic tallies in
any way desired. These manipulations could be performed at any
point during the day. They could be performed selectively,
based on knowledge about running tallies during the day. For
instance, the attack code could wait until the end of the day,
look at the electronic tallies accumulated so far, and choose
to modify them only if they are not consistent with the
attacker's desired outcome.
The attack could print fraudulent zero reports and
summary reports to prevent detection.
The attack could modify the contents of the memory
card in any way, including tampering with the electronic vote
counts and electronic ballot images stored on the card.
The attack could erase all traces of the attack to
prevent anyone from detecting the attack after the fact. For
instance, once the attack code has gained control, it could
overwrite the malicious AccuBasic object code (.abo file)
stored on the memory card with legitimate AccuBasic object
code, so that no amount of subsequent forensic investigation
will uncover any evidence of the compromise.
It is even conceivable that there is a way to exploit
these vulnerabilities so that changes could persist from one
election to another. For instance, if the firmware or software
resident on the machine can be modified or updated by running
code, then the attack might be able to modify the firmware or
software in a permanent way, affecting future elections as well
as the current election. In other words, these vulnerabilities
mean that a procedural lapse in one election could potentially
affect the integrity of a subsequent election. However, we
would not be able to verify or refute this possibility without
experimentation with real systems.