Teresa Hommel
www.WheresThePaper.org
Commentary on some provisions of the RECORD
Act, S 2313
Aug 10, 2004
There are 3 sections:
Technical Considerations
Accessibility
Overall Commentary
1. RECORD'S TECHNICAL CONSIDERATIONS
RECORD Act, SECTION 2 (c), re paragraphs (9) through (11)
Sec. 2 (c) ADDITIONAL VOTING SYSTEM REQUIREMENTS
...
`(9) PROHIBITION OF USE OF UNDISCLOSED SOFTWARE IN VOTING SYSTEMS- No voting system shall at any time contain or use any undisclosed software. Any voting system containing or using software shall disclose the source code, object code, and executable representation of that software to the Commission, and the Commission shall make that source code, object code, and executable representation available for inspection upon request to any citizen.
`(10) PROHIBITION OF USE OF WIRELESS COMMUNICATIONS DEVICES IN VOTING SYSTEMS- No voting system shall use any wireless communication device.
`(11) CERTIFICATION OF SOFTWARE AND HARDWARE- All software and hardware used in any electronic voting system shall be certified by laboratories accredited by the Commission as meeting the requirements of paragraphs (9) and (10).
Commentary on Section 2 (c), re paragraphs (9) through (11)
Sec.2(c) new paragraph (9) "available for inspection upon request to any citizen."
Where and how will the code be available? Only in the Commission office in Washington? Only for citizens to read it there in hard copy during restricted office hours? Will this Commission have the resources to manage the task of making the code available, or will citizens end up with a tiny room which is open for 2 hours a week to one person at a time, etc.? Should this inspection allow citizens to have a computer-readable copy of the code that can be examined on a computer where scan and search tools are available? Will people have to bring proof of citizenship, such as a passport? Will they get a CD to take home? Must they bring their own laptop so they can view the software in the office? Why shouldn't the code be posted on the internet, where anyone can see it? Why are we limiting this to citizens? What if I want my graduate students to study the code, and they are not citizens?
If I request to see the code, will it take 6 months for my request to be honored? Given that it could take a long time for a citizen to study the software, for what period of time before its purchase by any state, or before its first use in an election, must the software be available for inspection? Should the law specify that time? Assuming that the Commission will not have the expertise to study the code, nor the resources to act as librarians or distributors, why are they given these roles in the disclosure of software?
Open source software is typically freely available, for example on the internet, and this provision seems very limiting and burdensome to administer. It is doubtful that this provision will give us the benefits of open-source software, which requires the software to be freely available to geeks of the world so they can examine and comment on it, leading to its timely improvement.
Sec.2(c) new paragraph (11), "certified by laboratories accredited by the Commission as meeting the requirements of paragraphs (9) and (10)."
Should all certification reports be available for public inspection? Since voters are being urged to "trust" the certification process, shouldn't the public be able to read the reports?
At this time vendors pay the laboratories (Independent Testing Authorities or ITAs) to certify their equipment. Once the ITA finishes the certification process they are no longer involved with the equipment. Do these provisions require the ITAs to be overseers or inspectors of the equipment on a continuing basis? If not, then who is responsible for watching over the equipment to make sure that no undisclosed software or wireless communications devices show up? Where are the ongoing responsibility, enforcement, penalties, and remedies?
RECORD Act, SECTION 2 (c), re paragraph (12)
`(12) SECURITY STANDARDS FOR MANUFACTURERS OF VOTING SYSTEMS USED IN FEDERAL ELECTIONS-
`(A) IN GENERAL- No voting system may be used in an election for Federal office unless the manufacturer of such system meets the requirements described in subparagraph (B).
`(B) REQUIREMENTS DESCRIBED- The requirements described in this subparagraph are as follows:
`(i) The manufacturer shall document the chain of custody for the handling of software used in connection with voting systems.
`(ii) The manufacturer shall ensure that any software used in connection with the voting system is not transferred over the Internet.
`(iii) In the same manner and to the same extent described in paragraph (9), the manufacturer shall provide the codes used in any software used in connection with the voting system to the Commission and may not alter such codes once certification has occurred unless such system is recertified.
`(iv) The manufacturer shall implement procedures to ensure internal security, as required by the Director of the National Institute of Standards and Technology.
`(v) The manufacturer shall meet such other requirements as may be established by the Director of the National Institute of Standards and Technology.'.
Commentary on Section 2 (c), re paragraph (12)
Sec.2(c) new paragraph (12)(B)(i) and (ii) "shall document the chain of custody", "not transferred over the internet"
These are "trust-me" requirements because they cannot be enforced. Who has the ability and responsibility for overseeing and enforcing this kind of detail? If you ask a vendor for their documentation for the chain of custody, and they hand you some papers, then what? If you ask, "How did you transfer your software?" and they reply "Our technician flew from our main office to the customer site, and carried it on a CD in his pocket," then what?
It is impossible to enforce faithful implementation of computer security procedures from the outside of a private organization. It would be easier to implement paper ballots and count them by hand while standing on your head. That is why, when you go to your bank with your checks and statement, and say "Here's a mistake!" they look at the paperwork. They don't say, "Read our software, and examine our documentation of the chain of custody and how we avoided transfer of information over the internet."
The focus on process can be helpful, but it can distract us from focusing on the ballots created and cast during an election and counted immediately afterward. At the hearing held by the EAC on May 5, 2004, election directors expressed a desire for some way to ensure election integrity by procedures that could be accomplished prior to the election. Unfortunately, when you deal with computers, there is no substitute for examination (independent auditing) of the computer results. If procedure could replace audits, no one would perform audits.
Sec.2(c) new paragraph (12)(B)(iii) "may not alter such codes"
All large computer systems have software errors, many of which take years of daily use and correction to eliminate. This provision would prevent or delay the correction of errors that could meanwhile affect election after election.
Sec.2(c) new paragraph (12)(B)(iv) and (v) "procedures" and "other requirements"
Who at NIST, and with what funding, is going to produce a document with procedures and requirements?
Supposing such a document somehow gets created, it is impossible to enforce faithful implementation of computer security procedures from the outside of a private organization. A full-time observer-enforcer would have to be stationed at each person's desk in the vendor companies, or would have to follow each person involved during all their waking hours. These are "trust-me" requirements. What mechanisms of oversight, time limits, inspection, enforcement, penalties, remedies, and funding could make this work? This is why Information Technology professionals continuously audit the computer results of transaction-capturing and processing systems.
Will all manufacturers have to recertify their systems if NIST produces a voluntary standard in the future?
RECORD Act, SECTION 4
SEC. 4. EXTENSION OF HELP AMERICA VOTE ACT WAIVER REQUEST DEADLINE; REQUIREMENT TO DEPLOY INTERIM PAPER BALLOT VOTING SYSTEM.
...
(b) REQUIREMENT TO DEPLOY INTERIM PAPER BALLOT VOTING SYSTEM- Section 102(a)(3) of the Help America Vote Act of 2002 (42 U.S.C. 15302(a)(3)) is amended by adding at the end the following new subparagraphs:
`(C) If a State either requests the waiver described in subparagraph (B) or is unable to comply with the requirements of section 301 that are due by November 2004 in accordance with the deadline set forth in section 301(d), the State shall use a paper ballot voting system in November 2004 and, so long as such inability continues, at any time in 2005 that complies with such requirements of section 301, based on paper ballot voting systems in use in the jurisdiction, if any, that shall be deemed compliant with such requirements of section 301 by the Commission for use in any Federal election between and including the general election in November 2004 and the last Federal election in 2005. The Commission shall reimburse the State or jurisdiction for any costs incurred in using such interim paper ballot voting system.
`(D) The Commission will certify voting equipment that meets the requirements of section 301. States must use certified voting equipment, or the interim paper ballot system described in subparagraph (C), or apply to the Commission for a waiver which the Commission may grant if the State demonstrates that it is technologically impossible to comply with such requirements. States receiving such a waiver shall submit reports to the Commission demonstrating the steps the State is taking to remedy the technological impossibility.'.
Commentary on RECORD Act, SECTION 4
Sec. 4 (b) new paragraph (D)
States must use certified voting equipment, or the interim paper ballot system described in subparagraph (C), or apply to the Commission for a waiver which the Commission may grant if the State demonstrates that it is technologically impossible to comply with such requirements.
Even though Senators Clinton and Graham announced at their March 10 press conference that their bill "requires a voter-verifiable paper record," the bill does not require it, nor the use of paper ballots. Instead the bill provides a back door for evading these requirements. Moreover, the approach encourages delay tactics, because the closer the November 2004 election gets, the less time there will be for anyone to comply with requirements to implement changes.
The bill delegates all authority to an understaffed, underfunded new Commission to determine whether states will get a waiver from these requirements by demonstrating that it is technologically impossible to comply. Yet the Commission's technical advisory bodies are only now being created, and the experts at NIST are no longer available due to defunding. Who exactly will be able to make the determination of "technologically impossible" for the Commission? What technological expertise will the person or group be required to have? What demonstration must the states make? What standards for evaluation will be used?
If the bill passed tomorrow, the Commission would have to start from scratch to set up some way to deal with this. When must states apply for the waiver? What procedures must the states and the Commission use? What appeal procedure? Would the waiver deliberations be conducted in public and observable by the public? Will the public be able to intervene, and must public input be allowed, invited, or considered? Who will be able to read and comment on the application for waiver in advance, or observe if an in-person meeting occurs during which the state makes its application for a waiver? Who can observe the deliberations and determination by the Commission of whether to approve an application for waiver? Must there be a public statement like a published court decision afterward to explain what facts and what criteria were used to make a decision? Who is allowed to argue against the claims made by their state?
We are seeing that the State Implementation Plans required by HAVA have not been critically evaluated, but have merely been published and will be funded. In the same way, perhaps, any application by a state that claims that it cannot comply due to technological impossibility will be granted.
RECORD Act, SECTION 7. REQUIREMENT FOR MANDATORY RECOUNTS.
SEC. 7. REQUIREMENT FOR MANDATORY RECOUNTS.
Beginning with the regularly scheduled election for Federal office to be held in November 2004, the Election Assistance Commission shall conduct random unannounced manual mandatory recounts of the voter-verified records of each election for Federal office (and, at the option of the State or jurisdiction involved, of elections for State and local office held at the same time as such an election for Federal office) in 2 percent of the jurisdictions in each State and with respect to 2 percent of the ballots cast by uniformed and overseas voters immediately following the election and shall promptly publish the results of those recounts in the Federal Register. In addition, the verification system used by the Election Assistance Commission shall meet the error rate standards described in section 301(a)(5) of the Help America Vote Act of 2002.
Commentary on RECORD Act, SECTION 7. REQUIREMENT FOR MANDATORY RECOUNTS.
Is it feasible for the EAC to conduct recounts, given their resources? Or will very few of these recounts need to be done because there will be very few states with computer-generated voter-verified records or interim paper ballots--because the states got waivers?
The bill says "immediately following the election" but there is no specific time-frame. These recounts are not required to be finished before the winner of the election is certified, nor to be considered before determining the winner of the election. What if the recount tallies are so different from the electronic tallies that the outcome of the election would be different?
If these recounts will not be timely enough to affect the outcome of an election, then they are merely academic information-gathering for the purpose of "study" and not useful for ensuring the integrity of the election. In Florida after the 2000 election, all kinds of irregularities were proved, and there was a lot of wrist-slapping, but it didn't change the outcome because the winner had already been certified and inaugurated.
To have impact on the integrity of elections, recounts must be timely and there must be a legal requirement for consideration of the recount before certifying the results of the election.
RECORD Act, SEC. 10. REPORTS AND PROVISION OF SECURITY CONSULTATION SERVICES.
SEC. 10. REPORTS AND PROVISION OF SECURITY CONSULTATION SERVICES.
Subtitle C of title II of the Help America Vote Act of 2002 (42 U.S.C. 15381 et seq.), as amended by section 8, is amended by--
(1) redesignating section 248 as section 249; and
(2) by inserting after section 247 the following new section:
`SEC. 248. REPORTS AND PROVISION OF SECURITY CONSULTATION SERVICES.
`(a) REPORT TO CONGRESS ON SECURITY REVIEW- Not later than 6 months after the date of the enactment of the Restore Elector Confidence in Our Representative Democracy Act of 2004, the Commission, in consultation with the Director of the National Institute of Standards and Technology, shall submit to Congress a report on a proposed security review and certification process for all voting systems used in elections for Federal office, including a description of the certification process to be implemented under section 231.
`(b) REPORT TO CONGRESS ON OPERATIONAL AND MANAGEMENT SYSTEMS- Not later than 3 months after the date of the enactment of the Restore Elector Confidence in Our Representative Democracy Act of 2004, the Commission shall submit to Congress a report on operational and management systems applicable with respect to elections for Federal office, including the security standards for manufacturers described in section 301(a)(7), that should be employed to safeguard the security of voting systems, together with a proposed schedule for the implementation of each such system.
`(c) PROVISION OF SECURITY CONSULTATION SERVICES-
`(1) IN GENERAL- On and after the date of the enactment of the Restore Elector Confidence in Our Representative Democracy Act of 2004, the Director of the National Institute of Standards and Technology shall provide security consultation services to States and local jurisdictions with respect to the administration of elections for Federal office.
`(2) APPROPRIATION- To carry out the purposes of paragraph (1), $2,000,000 is appropriated for each of fiscal years 2004 through 2006.'.
Commentary on RECORD Act, SEC. 10. REPORTS AND PROVISION OF SECURITY CONSULTATION SERVICES.
Can we achieve computer security through the use of reports, procedures, requirements, etc. that are developed in haste and may be unenforceable?
NIST used to be staffed with people who could have produced such reports, but as of the beginning of May, 2004, has only one employee in the voting systems area. The new Commission has neither the personnel nor the expertise to create such reports. These provisions of RECORD would require some very fast hiring, expansion, and report writing.
Is the bill saying, "we can require reports and they can tell us everything we need to know about the operation, management, and security of computerized voting systems. By following the advice in these reports, state and local Boards of Election can manage an arms-length relationship with vendors and oversee their service contracts with them, even though the Boards of Election still might not know anything about secure computer systems."
We might achieve more if we required and funded training for state and local Boards of Election to develop in-house expertise in computer systems and management of secure systems.
2. RECORD'S ACCESSIBILITY CONSIDERATIONS
(b) VOTER VERIFICATION OF RESULTS FOR INDIVIDUALS WITH DISABILITIES- Section 301(a)(3) of the Help America Vote Act of 2002 (42 U.S.C. 15481(a)(3)) is amended to read as follows:
`(3) ACCESSIBILITY AND VOTER-VERIFICATION OF RESULTS FOR INDIVIDUALS WITH DISABILITIES-
`(A) IN GENERAL- Subject to subparagraph (B), the voting system shall--
`(i) be accessible for individuals with disabilities, including nonvisual accessibility for the blind and visually impaired, in a manner that provides the same opportunity for access and participation (including privacy and independence) as for other voters;
`(ii) satisfy the requirement of subparagraph (A) through the use of at least one direct recording electronic voting system or other voting system equipped for individuals with disabilities at each polling place, and such voting system shall meet the requirements of paragraph (2)(A) by using a mechanism that separates the function of vote generation from the function of vote casting without requiring the voter to view or handle paper; and
The law should require and enforce reasonable accommodation for voters with disabilities. If a person is disabled to the extent that they require assistance in every other area of their life, then it is unreasonable to require voting to be unassisted.
The requirement that the voter not have to handle paper will unreasonably restrict the types of DREs that can be used, and will unreasonably prevent the use of computerized ballot-marking machines. This is not in the interest of any voter, whether disabled or not.
The concept of a "private and independent vote" has been interpreted in a political way to mean "entering ballot choices via a DRE." This is political because it ignores what happens to the ballot choices once entered. In fact, some leaders of the disabled have published contemptuous derision and condemnation of those who ask, "what happens to the ballot choices once the voter thinks they have cast their ballot?"
In fact, a ballot cast via DRE is handed over to unknown numbers of unknown technologists and others who have been responsible for the DRE from its initial design, programming, testing, maintenance, programming of the ballot, and installation in the polling site. The disabled community has been misled to look only at the act of entering ballot choices -- the ritual of casting the ballot -- and to ignore the fact that the computer is only an instrument created by people.
All voters using DREs are being assisted by, and entrusting their ballot to, many unknown people, so it is not unassisted, private or independent. Moreover, we cannot observe the actions of the assistants represented by the DRE. We don't know if they are recording our ballot choices or counting our votes honestly and without mistakes.
A completely computerized voting solution for the disabled can easily falsify the ballot and mislead the voter. Therefore, I recommend that the requirement that the voter not have to handle the ballot be omitted, because of the limitations it places on the design of voting systems.
3. OVERALL COMMENTARY
One purpose of law is to give clear notice of what is required.
If Sen. Bob Graham's S1980 and Rep. Rush Holt's HR 2239, the Voter Confidence and Increased Accessibility Act, became law today, verifiable voting systems would be clearly required, and we could expect them to be made to work by November 2004 through the use of American ingenuity, know-how, and can-do attitudes.
The RECORD Act does not give clear notice. Instead it delegates authority. RECORD allows states to apply to the EAC for a waiver for the 2004 election. Can we expect the EAC to deny those applications?
Enormous resources are currently being spent to defend the use of unverifiable computer systems in elections. It is regrettable that the same resources are not being devoted to developing and preparing for the use of verifiable systems, or the use of paper ballots that can be counted by hand or optical scanner. Two DRE voting systems with voter-verified paper audit trails are already certified (Avante and Accupoll). Another, Populex, expects certification soon. Many others are in development.
Many of the issues raised here are political, not technical.
In November 2004, we should require the use of interim paper ballots for federal races.
Even if all DRE voting systems produced a voter-verified paper audit trail in November, no jurisdiction is willing to perform a full audit of their paper ballots. A surprise random recount of a tiny percentage of jurisdictions is not an audit.