Why we support Senator Bob Graham's "Voter Confidence and Increased Accessibility Act of 2003" and do NOT support Senator Hillary Clinton’s "Protecting American Democracy Act of 2003" in its present form.
By Bo Lipari, Senior Software Engineer, Autodesk, Inc., and
Teresa Hommel, Computer Consultant; Chair, Task Force on HAVA Implementation, Community Church of New York
The bill introduced by US Senator Hilary Clinton (D-NY), the "Protecting American Democracy Act of 2003" (PADA), bill number S 1986, is not explicit enough in its requirements, and as written will not protect Americans from the danger of electronic voting systems. The primary danger is that these systems have no capacity for independent audit, and thus force voters to accept election results for which there is no independent means for recount or confirmation of the accuracy of the final tallies.
We note that all other computer systems designed for use in commerce, industry, or government have the capacity for independent audit. Its purpose is to detect and enable correction of both innocent and intentional errors in a computer system, as well as hacking attacks. Independent audit must be able to prove the accuracy of both:
the recording of input data (in voting systems, the ballot cast)
the processing results (in voting systems, the final tallies).
Advocates of voter-verifiable paper ballots and other measures designed to ensure the integrity of electronic voting systems should support HR 2239, Congressman Rush Holt's "Voter Confidence and Increased Accessibility Act of 2003," and its companion in the US Senate, S 1980, introduced by Senator Bob Graham (D-FL). We urge Senator Clinton make her bill the same as those, or to co-sponsor Senator Bob Graham's bill.
DISCUSSION OF PADA
Voter Verification, Section 2(a)(C)(i)
PADA Section 2(a)(C)(i) amends HAVA as follows.
(C) VOTER VERIFICATION.—
(i) The voting system shall provide a means by which each individual voter must be able to verify his or her vote at the time the vote is cast, and shall preserve each vote within the polling place on the day of the election in a manner that ensures the security of the votes as verified for later use in any audit."
Problem: Fully electronic voting systems claim that they already do this. They claim to do it by allowing the voter to view computer screens where their ballot choices are displayed, and when the voter approves these screens, the ballot is electronically stored in the computer. This forces the voter to "trust the computer" and prevents detection of computer errors that occur when the information on the computer screen is incorrectly recorded internally in the computer. (We note that the redundancy used in many electronic voting systems increases the likelihood of errors due to programming mistakes--in other words, one copy of the ballot may be stored correctly and another copy may be stored incorrectly. For this reason, current professional practices discourage the keeping of redundant copies of data.)
Solution: To provide for independent auditability, PADA must explicitly state that a physical, permanent, unalterable paper ballot must be produced by electronic voting systems, which then can be verified by the voter. After the voter approves the physical, permanent, unalterable paper ballot, the ballot is then placed in a secure ballot box and treated as the official record.
Voter Verification, Section 2(a)(C)(ii)
PADA Section 2(a)(C)(ii) amends HAVA as follows.
(ii) The voting system shall provide the voter with an opportunity to correct any error made by the system before the permanent record is preserved for use in any audit.
Problem: Fully electronic voting systems claim that they already do this. They claim to do it by allowing the voter to return to the computer screens where their ballot choices were entered, to change their choices, and then to view again the computer screens where their new current ballot choices are displayed. When the voter approves these screens, the ballot is electronically stored in the computer.
Solution: To provide for independent auditability, PADA must explicitly state that a physical, permanent, unalterable paper ballot must produced by electronic voting systems, which then can be verified by the voter. If this paper ballot is incorrect, the voter must be able to re-enter his or her choices and request them to be printed again.
The correction and reprinting of a physical, permanent, unalterable paper ballot is critically important because of the nature of some electronic voting machine failures in recent years. There have been instances where the computers refused to accept a vote for one or more candidates. There have also been instances where observant voters saw their ballot choice on the computer screen shift from their selected candidate to different candidate after a few seconds.
Voter Verification, Section 2(a)(C)(iii)
PADA Section 2(a)(C)(iii) amends HAVA as follows.
(iii) The verified vote produced under this subparagraph shall be available as an official record.
Problem: This can easily be interpreted to mean that the official record of the ballot is the electronic recording stored in computer memory and/or on computer media that is not directly readable by people.
Solution: PADA should explicitly state that the physical, permanent, unalterable paper ballot is the official record.
Voter Verification and use of Other Technologies, Section 2(a)(C)(iv)
PADA Section 2(a)(C)(iv) amends HAVA as follows.
(iv) Any method used to permit the individual voter to verify his or her vote at the time the vote is cast and before a permanent record is created—
(I) shall use the most accurate technology, which may include voter-verifiable paper ballots, votemeters, modular voting architecture, and encrypted votes, in a uniform and nondiscriminatory manner;
Problem: Arguments about which technology is the most accurate could take years to resolve. Meanwhile, in fact, the problem is independent auditability.
Votemeters, modular voting architecture, and encrypted votes are purely electronic technologies. They create only an electronic recording of the ballots, and thus do not allow for independent audit. They do not create a physical, permanent, unalterable paper ballot for the voter to verify that can be stored external to the computer and serve as the independently auditable official record of the ballot.
There has been much talk about encryption and other technologies, but the fact remains that if the ballot is not accurately recorded, encrypting it or the use of other technologies will not make it correct.
These fully electronic technologies force voters to "trust the computer" and prevent detection of computer errors in the recording and counting of ballots.
Solution: PADA should explicitly require an independently auditable method of recording and tallying the ballots. At this time, independent auditability requires a physical, permanent, unalterable paper ballot which serves as the official record of the ballot.
Voting System Security Requirement, Section 3(a)(7)(A)
PADA Section 3(a)(7)(A) amends HAVA as follows.
The voting system shall adhere to security requirements for Federal computer systems or more stringent requirements adopted by the Election Assistance Commission....
Problem: There are several different sets of security requirements for federal computer systems, and PADA does not specify which security requirements must be adhered to.
Moreover, if the security requirements for voting system technology are not explicitly incorporated into PADA and HAVA, but are only incorporated by reference to other laws or regulations, when those regulations or laws are changed, voting system security standards will also change.
Solution: Make security standards explicit and part of PADA and HAVA. Also, require
independent auditability as well as audits of all computer systems used in elections.
Open Source code:
PADA makes no provision for open source code and inspection by citizens.
PADA makes no provision for manual recounts. Perhaps that is not surprising, as the bill contains no requirement that a paper ballot be produced.
Outside the sphere of elections, it is common practice for new computer systems to run in parallel with older systems for at least one complete accounting cycle. In some cases this may be a year or more. This is done in order for all results of both systems to be compared. It is unheard of to install new systems and rely on them with no independent audit or lengthy parallel processing.
With this reality in mind, many people prefer manual ballot counts or the use of optical scanners when electronic voting systems are used to create and mark the ballots. When a computer counts the ballots, we regard it as essential to require at least some minimum number of random manual counts of the permanent, unalterable, physical paper ballots that were verifiable by the voters, and comparison of these counts to the electronically-produced tallies. HR 2239 calls for .5%, but 2% would be better.
Citizens are concerned with the effect of unauditable electronic voting systems on American elections. Senator Clinton’s bill does not give the specifics needed about what constitutes voter verification, and makes no provision for open source code or mandatory manual recounts. It does not require that the voter be able to verify a physical, permanent, unalterable paper ballot when voting on electronic voting systems, and consequently fails to require that this paper ballot be the official record of the vote and the one used when discrepancies arise between tally of the electronic and the paper ballots.
The "Voter Confidence and Increased Accessibility Act of 2003", introduced in the House of Representatives as HR 2239 by Rush Holt and in the US Senate as S 1980 by Bob Graham, raise a much higher bar for acceptable electronic systems, and are rich in specifics in all the areas that Senator Clinton’s bill is not.
We urge Senator Clinton to co-sponsor Senator Graham’s bill. PADA, well intentioned though it is, would leave us in a worse position than we are with HAVA today. Vendors and supporters of unauditable electronic voting systems would be able to point to the bill as the necessary reform, while it actually provides no protection from the dangers associated with electronic voting.