July 18, 2007, www.wheresthepaper.org/HR811markupCmt.htm
1.
Votes on ballots are not required to be counted. Cmt 1.
2.
Requirements are unclear for determining final results when paper ballots have
been compromised. Cmt 6.
3.a.
The bill would give vendors’ trade secret claims priority over citizens’ right
to know how elections are conducted. As a result, the bill puts unfair burdens
on citizens to request disclosure of software from ITAs, appeal denials of
disclosure and seek undefined remedies for denied or delayed disclosure by
undefined procedures. Citizens also bear the risk of lawsuits if vendors or ITAs assert improper use of disclosed
information. Cmt 12-23.
3.b.
Disclosure requirements make ballot definition files difficult to obtain and
subject to non-disclosure agreements, enlarge the functions of ITAs, require
privatization of the escrow of software, and create barriers that would prevent
anyone from detecting errors in version control. States must maintain a permanent
relationship with at least one ITA, the one that escrows the software of the
system they use. Unless states ALSO escrow the software they use, there will be
no way to detect errors in version control by ITAs and vendors. Cmt
12-23.
4.
Communications capability is allowed in voting systems, and internet connection
is allowed in Election Management Systems and central tabulators. Cmt
24-27.
5.
Trivial, unenforceable “security” requirements. Cmt 28-29.
6.
Weak requirements for emergency paper ballots when DREs fail. Cmt
30-31.
7.
ITA requirements shut out citizens as well as local jurisdictions and states. Cmt
33-42.
8.
Public money is authorized to develop voting system software, to the benefit of
private vendors one presumes, but no money is authorized to develop methods for
using and securing publicly understandable and observable voting methods such
as the use of voter-marked paper ballots. Cmt 44-46. Cmt 66.
9.
Increased duties and unlimited authorization of funds for EAC. Cmt
42.
10.
$1,000,000,000 for new equipment when no products meet 2005 VVSG. Cmt
47.
11.
Small audits triggered only by margin of victory. Cmt
49-52.
a.
Spot-check
audits of 10%, 5% and 3%. Cmt 52.
b.
When initial tallies show a candidate with 80% vote
share, no audit needs to be done. Cmt 50.
12.
No specific time requirement for how soon audits must begin after random
precincts are selected, which allows delays and defeat of the element of
“surprise.” Cmt 55.
13.
No requirement for public observation of all handling of voted ballots
from the time they are cast till election results are final. Cmt 59.
14.
Timely information not available to the public and candidates. Cmt 60-63.
To
amend the Help America Vote Act of 2002 to require a voter-verified permanent
paper ballot under title III of such Act, and for other purposes.
IN
THE HOUSE OF REPRESENTATIVES
Mr.
HOLT (for himself and [see ATTACHED LIST of cosponsors]) introduced the
following bill; which was referred to the Committee on Feb. 5, 2007
A
BILL
To
amend the Help America Vote Act of 2002 to require a voter-verified permanent
paper ballot under title III of such Act, and for other purposes.
Be
it enacted by the Senate and House of Representatives of the United States of
America in Congress assembled,
SECTION
1. SHORT TITLE.
This Act may be cited as the “Voter Confidence and
Increased Accessibility Act of 2007”.
SEC.
2. PROMOTING ACCURACY, INTEGRITY, AND SECURITY THROUGH VOTER-VERIFIED PERMANENT
PAPER BALLOT.
(a) BALLOT VERIFICATION AND AUDIT CAPACITY.—
(1) IN GENERAL.—Section
301(a)(2) of the Help America Vote Act of 2002 (42 U.S.C. 15481(a)(2)) is
amended to read as follows:
“(2) BALLOT
VERIFICATION AND AUDIT CAPACITY.—
|
“(A) VOTER-VERIFIED
PAPER BALLOTS.— “(i) VERIFICATION.— |
(I) The voting system shall require the use
of or produce an individual, durable, voter-verified paper ballot of the
voter’s vote that shall be created by or made available for inspection and
verification by the voter before the voter’s vote is cast and counted. For
purposes of this subclause, examples of such a ballot include a paper ballot
marked by the voter for the purpose of being counted by hand or read by an
optical scanner or other similar device, a paper ballot prepared by the voter
to be mailed to an election official (whether from a domestic or overseas
location), a paper ballot created through the use of a ballot marking device or
system, or a paper ballot produced by a touch screen or other electronic voting
machine, so long as in each case the voter is permitted to verify the ballot in
a paper form in accordance with this subparagraph.
Cmt 1. No public purpose is served by using one term for two different things, or for calling a paper trail a “ballot.” However, using the term “ballot” for a paper trail allows the public to be misled. The public expects that votes on “ballots” will be counted for all initial and final tallies. Under this bill, that expectation is false.
Different terms should be used for
· first-hand voter-marked paper ballots which will be cast and counted for initial tallies,
· second-hand, software-created, machine-printed voter-verified paper audit trails which require voter-verification as a separate step by each voter, which are “preserved” instead of “cast,” which will not be counted for initial tallies, and which will be used only for spot-checks of computer function after the election.
Using one term for both impairs appropriate discussion and handling of differences. One example is four paragraphs below under (ii) PRESERVATION, (I), which requires ballots to be preserved in the manner or method in which all other paper ballots are preserved… A paper trail would be preserved inside a DRE whereas paper emergency ballots would be preserved inside a ballot box.
By defining VVPAT as a "ballot," HR811 opens a
dangerous door in the law because such a "ballot" is not required to
be counted to produce any initial tallies or most final tallies. Under this
bill, DREs produce two ballots: an unverifiable electronic ballot used to
produce initial and most final tallies, and a voter-verifiable placebo used for
tiny spot-checks of the computers.
In order to compensate for use of the term “ballot” for
both VVPAT and voter-marked paper ballots, in paragraphs (II) and (III) below,
we now have to discuss what should happen before the “ballot” is “preserved”
versus when it is “cast” because the VVPATs are not “cast.”
The audit provisions below allow VVPAT-type "ballots” from 90% to 97% of precincts to remain permanently unexamined and uncounted.
“(II) The voting system shall provide the voter with an opportunity to correct any error made by the system in the voter-verified paper ballot before the permanent voter-verified paper ballot is preserved in accordance with clause (ii).
“(III) The voting system shall not preserve the voter-verified paper ballots in any manner that makes it possible, at any time after the ballot has been cast, to associate a voter with the record of the voter’s vote.
“(ii) PRESERVATION.—The individual, durable voter-verified paper ballot produced in accordance with clause (i) shall be used as the official ballot for purposes of any recount or audit conducted with respect to any election for Federal office in which the voting system is used, and shall be preserved—
Cmt 2.
Will the requirement “shall be used as the official ballot for purposes of any
recount or audit” be used as an exclusive list (in other words, to say that
this is the only purpose for which the paper ballot shall be used) and
thus prevent the hand-counting of voter-marked paper ballots to determine
initial election-night tallies by hand-counting?
“(I) in the
case of votes cast at the polling place on the date of the election, within the
polling place in the manner or method in which all other paper ballots are
preserved within such polling place on such date; or
“(II) in any other case, in a manner which is consistent with the manner employed by the jurisdiction for preserving such ballots in general.
|
“(iii) MANUAL AUDIT CAPACITY.— |
(I) Each paper ballot produced pursuant to
clause (i) shall be suitable for a manual audit equivalent to that of a paper
ballot voting system, and shall be counted by hand in any recount or audit
conducted with respect to any election for Federal office.
Cmt 3. “a manual audit equivalent to that of a paper
ballot voting system” is unclear. Perhaps this paragraph should be worded as: (I)
Each paper ballot produced pursuant to clause (i) shall be suitable for a manual
audit equivalent to a manual audit of a voting system that uses voter-marked
paper ballots, and shall be counted by hand in any recount or audit
conducted with respect to any election for Federal office.
“(II) In
the event of any inconsistencies or irregularities between any electronic vote
tallies and the vote tallies determined by counting by hand the individual,
durable voter-verified paper ballots produced pursuant to clause (i), and
subject to subparagraph (B), the individual, durable voter-verified paper
ballots shall be the true and correct record of the votes cast.
Cmt 4. When an inconsistency between the electronic
and paper tallies occurs, it is possible for either or both to have been
tampered with, and the law should require investigation and access to the
systems used for the purposes of investigation by voters, candidates, and
law-enforcement.
Cmt 5. Inconsistencies between
electronic and paper tallies will be detected only if votes on paper ballots
are recounted or audited, and compared to electronic counts. Under this bill,
90% to 97% of such inconsistencies will not be detected.
If DREs are used, election night tallies and almost all
certified final tallies will be the unrecounted and unaudited machine tallies
of voter-UNVERIFIED electronic votes.
For example, if 3% of paper “ballots” are hand-counted during a recount
or audit, then 97% of DRE tallies will be the unrecounted and unaudited tallies
of voter-unverified electronically-recorded votes.
|
“(B) SPECIAL RULE FOR
TREATMENT OF DISPUTES WHEN PAPER BALLOTS HAVE BEEN SHOWN TO BE COMPROMISED.— |
“(i) IN GENERAL.—In the event that—
“(I) there is any
inconsistency between any electronic vote tallies and the vote tallies
determined by counting by hand the individual, durable voter-verified paper
ballots produced pursuant to subparagraph (A)(i) with respect to any election
for Federal office; and
“(II) it is demonstrated by clear and convincing evidence (as determined in accordance with the applicable standards in the jurisdiction involved) in any recount, audit, or contest of the result of the election that the paper ballots have been compromised (by damage or mischief or otherwise) and that a sufficient number of the ballots have been so compromised that the result of the election could be changed, the determination of the appropriate remedy with respect to the election shall be made in accordance with applicable State law, except that the electronic tally shall not be used as the exclusive basis for determining the official certified vote tally.
Cmt
6. Inconsistencies should be an issue for law enforcement and the
courts. If there are inconsistencies, or if the paper is compromised, then
for the purposes of investigation we must assume that both the paper and
electronic records may have been compromised, and both must be aggressively
investigated.
It
is unclear what kind of enforcement is possible for this paragraph:
a.
“it is demonstrated” does not specify WHO is responsible for demonstrating,
b.
each state may have to pass legislation to specify the kind of evidence that
would be considered clear and convincing in this situation, and
c.
each state may have to pass legislation to specify a remedy to resolve the
situation where DREs are used but the VVPAT doesn’t match the electronic tally,
and the VVPAT has been compromised.
This provision may set up a conflict between voters
and candidates who try to prove something and local election boards who can
prevent investigation and collection of evidence by (1) preventing observation
of the handling of paper ballots or VVPAT from the time of casting or
preserving till the completion of counting, and (2) preventing immediate access
to the equipment used. Without the right to observe and investigate, law
enforcement, voters, and candidates will be unable to demonstrate anything
about the paper tally, electronic tally, and their relationship.
It
is unclear what is meant by “a sufficient number of the ballots have
been so compromised that the result of the election could be changed” – must the
entire winning margin be found during a 3% audit? Or may the flaws found in the
3% audit be extrapolated to the other 97%? See also Cmt 7.
It is unclear what is solution is contemplated by the
last lines “except that the electronic tally shall not be used as the exclusive
basis for determining the official certified vote tally.”
“(ii) RULE FOR
CONSIDERATION OF BALLOTS ASSOCIATED WITH EACH VOTING MACHINE.—For purposes of
clause (i), the paper ballots associated with each voting system shall be
considered on a voting-machine-by-voting-machine basis, and only the paper
ballots deemed compromised, if any, shall be considered in the calculation of
whether or not the result of the election could be changed due to the
compromised paper ballots.”.
Cmt 7. The purpose of this paragraph is unclear. Does
it mean that you cannot extrapolate from the presence of paper ballots deemed
compromised on one machine to the fact that paper ballots on other machines may
have been similarly compromised? The Yale students’ study, www.wheresthepaper.org/ACM.pdf
, showed that if one vote is switched per machine, many election outcomes can
be changed. So if you find one vote was switched on the one machine that was
subject to a recount or audit, can you say, “we used 10,000 machines and that's
10,000 votes switched?” Or are you limited to saying one vote was switched, and
the judge throws you out of court?
A second issue is that when computer vote-switching is
done, the number of votes switched per machine would most likely be
“randomized” so that a different number of votes would be switched per machine.
For example, if tamperers want to shift an average of 5 votes per
machine, the number of votes switched on six machines might be 10 , 0, 6, 0, 3
and 11, respectively. Randomizing creates the illusion that there is no
systematic tampering being done. The intended effect of paragraph (ii) is
unclear in this situation. To be realistic, when computers are used and
discrepancies are found on any machine, for the purposes of investigation all
machines in that election should be assumed to be subject to similar
discrepancies and all machines must be investigated to discover the
election-wide pattern of discrepancy.
(2) CONFORMING AMENDMENT
CLARIFYING APPLICABILITY OF ALTERNATIVE LANGUAGE ACCESSIBILITY.—Section
301(a)(4) of such Act (42 U.S.C. 15481(a)(4)) is amended by inserting
“(including the paper ballots required to be produced under paragraph (2) and
the notices required under paragraphs (7) and (13)(B))” after “voting system”.
(3) OTHER CONFORMING
AMENDMENTS.—Section 301(a)(1) of such Act (42 U.S.C. 15481(a)(1)) is amended—
(A) in subparagraph
(A)(i), by striking “counted” and inserting “counted, in accordance with
paragraphs (2) and (3)”;
(B) in subparagraph
(A)(ii), by striking “counted” and inserting “counted, in accordance with
paragraphs (2) and (3)”;
(C) in subparagraph
(A)(iii), by striking “counted” each place it appears and inserting “counted,
in accordance with paragraphs (2) and (3)”; and
(D) in subparagraph
(B)(ii), by striking “counted” and inserting “counted, in accordance with
paragraphs (2) and (3)”.
|
(b) ACCESSIBILITY AND BALLOT
VERIFICATION FOR INDIVIDUALS WITH DISABILITIES.— |
(1) IN GENERAL.—Section
301(a)(3)(B) of such Act (42 U.S.C. 15481(a)(3)(B)) is amended to read as
follows:
“(B)(i) satisfy the
requirement of subparagraph (A) through the use of at least one voting system
equipped for individuals with disabilities at each polling place; and
“(ii) meet the
requirements of subparagraph (A) and paragraph (2)(A) by using a system that—
“(I) allows the voter
to privately and independently verify the individual, durable paper ballot
through the conversion of the human-readable printed or marked vote selections
into accessible form,
“(II) ensures that the
entire process of ballot verification and vote casting is equipped for
individuals with disabilities, and
“(III) does not
preclude the supplementary use of Braille or tactile ballots.”.
Cmt 8. At this time no DRE converts printed
content, but rather produces a read-out from internal information from the
computer.
(2) SPECIFIC
REQUIREMENT OF STUDY, TESTING, AND DEVELOPMENT OF ACCESSIBLE BALLOT
VERIFICATION MECHANISMS.—
(A) STUDY AND REPORTING.—Subtitle
C of title II of such Act (42 U.S.C. 15381 et seq.) is amended—
(i) by redesignating
section 247 as section 248; and
(ii) by inserting after
section 246 the following new section:
|
“SEC.
247. STUDY AND REPORT ON ACCESSIBLE BALLOT VERIFICATION MECHANISMS. |
“(a) STUDY AND REPORT.—The Director of the National
Institute of Standards and Technology shall study, test, and develop best
practices to enhance the accessibility of ballot verification mechanisms for
individuals with disabilities, for voters whose primary language is not
English, and for voters with difficulties in literacy, including best practices
for the mechanisms themselves and the processes through which the mechanisms
are used. In carrying out this section, the Director shall specifically
investigate existing and potential methods or devices, including nonelectronic
devices, that will assist such individuals and voters in creating
voter-verified paper ballots and presenting or transmitting the information
printed or marked on such ballots back to such individuals and voters.
Cmt
9. Only software-independent methods
should be researched.
Who
will own and use the results of this research and development? Will the results
be used by private vendors and claimed as proprietary trade secret by them? Why
is taxpayer money being spent to perform research and development for the
products of private vendors?
In
this bill the word “ballot” refers both to voter-marked paper ballots (the
votes on which will be used to create initial and final tallies) and VVPAT (the
votes on which will not be used to create initial and 90% to 97% of final
tallies). To the extent that these funds are spent for study of VVPAT, the
expenditure should be recognized as paying for busy-work on a placebo.
“(b) COORDINATION WITH GRANTS FOR TECHNOLOGY
IMPROVEMENTS.—The Director shall coordinate the activities carried out under
subsection (a) with the research conducted under the grant program carried out
by the Commission under section 271, to the extent that the Director and
Commission determine necessary to provide for the advancement of accessible
voting technology.
“(c) DEADLINE.—The Director shall complete the
requirements of subsection (a) not later than December 31, 2008.
“(d) AUTHORIZATION OF APPROPRIATIONS.—There are
authorized to be appropriated to carry out subsection (a) $3,000,000, to remain
available until expended.”.
(B) CLERICAL
AMENDMENT.—The table of contents of such Act is amended—
(i) by redesignating
the item relating to section 247 as relating to section 248; and
(ii) by inserting after
the item relating to section 246 the following new item:
“Sec.
247. Study and report on accessible voter verification mechanisms.”.
(3) CLARIFICATION OF
ACCESSIBILITY STANDARDS UNDER VOLUNTARY VOTING SYSTEM GUIDANCE.—In adopting any
voluntary guidance under subtitle B of title III of the Help America Vote Act
with respect to the accessibility of the paper ballot verification requirements
for individuals with disabilities, the Election Assistance Commission shall include
and apply the same accessibility standards applicable under the voluntary
guidance adopted for accessible voting systems under such subtitle.
(c) ADDITIONAL VOTING SYSTEM REQUIREMENTS.—
(1) REQUIREMENTS
DESCRIBED.—Section 301(a) of such Act (42 U.S.C. 15481(a)) is amended by adding
at the end the following new paragraphs:
|
“(7)
INSTRUCTION REMINDING VOTERS OF IMPORTANCE OF VERIFYING PAPER BALLOT.— |
“(A) IN GENERAL.—The appropriate election
official at each polling place shall cause to be placed in a prominent location
in the polling place which is clearly visible from the voting booths a notice,
in large font print accessible to the visually impaired, advising voters that
the paper ballots representing their votes shall serve as the vote of record in
all audits and recounts in elections for Federal office, and that they should
not leave the voting booth until confirming that such paper ballots accurately
record their vote.
Cmt
10. Such notice should also be required to be posted in the multiple languages
required for ballots by the Voting Rights Act in these locations:
a.
inside
each DRE voting booth,
b.
at
each sign-in table
c.
at
locations adjacent to each voting booth or wherever voters wait for their turn
in the DRE, and
d. along with any model,
diagram, or other instructional material or display that explains to voters how
to use the voting equipment.
“(B) SYSTEMS FOR INDIVIDUALS WITH DISABILITIES.—All voting systems equipped for individuals with disabilities shall present or transmit in accessible form the statement referred to in subparagraph (A), as well as an explanation of the verification process described in paragraph (3)(B)(ii).
Cmt 11. This requirement should apply to “all voting
systems” regardless of equipped for individuals with disabilities or not, and
required to be displayed immediately prior to the time when the voter is asked
to confirm his/her ballot selections and cast his/her votes.
|
“(8) PROHIBITING USE OF UNCERTIFIED
ELECTION-DEDICATED VOTING SYSTEM TECHNOLOGIES; DISCLOSURE REQUIREMENTS.— |
“(A) IN GENERAL.—A
voting system used in an election for Federal office in a State may not at any
time during the election contain or use any election-dedicated voting system
technology which has not been certified by the State for use in the election
and which has not been deposited with an accredited laboratory described in
section 231 to be held in escrow and disclosed in accordance with this section.
Cmt
12.1 The phrase “to be held in escrow
and disclosed” appears to mean that the accredited laboratory has authority and
responsibility to handle disclosure of software, including the administration
of non-disclosure agreements and evaluation of persons requesting disclosure. If
an accredited laboratory improperly denies or delays disclosure to a citizen,
it is unclear what appeal procedure or remedy a citizen would have. It is
unclear what public benefit is served by requiring private entities, rather
than NIST or another qualified public agency, to handle escrow and disclosure.
Cmt 12.2 The term “election-dedicated voting system
technology” is defined in paragraph (E) below as “ 'voting system software' as
defined under the 2005 voluntary voting system guidelines … but excludes
'commercial off-the-shelf' software and hardware defined under those
guidelines.“
The
2005 VVSG glossary definition is “voting system software: All the
executable code and associated configuration files needed for the proper
operation of the voting system. This includes third party software such as
operating systems, drivers, and database management tools. See also dynamic
voting system software, semi-static voting system software, and static voting
system software.”
In other words, this provision includes ballot definition files, which are the files that define which races and candidates are on the ballot. These files are prepared for each election, often at the last minute due to last minute legal challenges by candidates and court decisions.
Also, in some electronic voting systems, the voting
system software must be recompiled prior to each election in order to
incorporate the ballot programming for that election.
This section of HR811 means that, prior to each
election, each jurisdiction must transmit its ballot programming files and
possibly additional recompiled software to their state which must “certify”
these files and software, and that these files and software must be sent to an
accredited laboratory. This requirement will be impossible to comply with, due
to the short time frames and the vast amount of files and software to be dealt
with.
This requirement will also prevent the files and software
from being available prior to the election for inspection by candidates and the
public:
a. Ballot definition files need to be freely available to candidates and the public during pre-election logic and accuracy tests.
b. Ballot definition files need to be freely and immediately available to any investigator looking for errors (whether intentional or innocent) that result in wrong handling of votes. This section of HR811 would make ballot definition files difficult to obtain because they would be subject to non-disclosure agreements, and this would prevent timely investigation of errors.
This section needs to say explicitly that ballot
definition files are not included, and that they must be available to
candidates and the public without delay or restrictions both before and after
elections.
Cmt 13. It is unclear who must cause technology
to be deposited and disclosed. The vendor? The state?
Cmt 14. Paragraph (A) not only requires all states to
“certify” equipment but to maintain a continuing relationship with at least one
ITA.
It is unwise to require privatization of any part of our elections. Escrow should be handled by a governmental agency, not a private laboratory whether or not “accredited.” The EAC does not have staff, expertise or resources to act as an archive. NIST should serve this purpose.
Cmt
14.5 Unless states ALSO escrow the software they use at a second facility
selected by the state, there will be no way for states and local jurisdictions
to detect errors in version control by ITAs. In the past, there have been
discrepancies in the versions certified, sold, delivered, installed during
“maintenance,” and used in elections. Control and verification of versions must
be based on verification, not trust.
Citizens
and watchdog groups must have some way of obtaining and verifying version
information.
“(B) REQUIREMENT FOR
AND RESTRICTIONS ON DISCLOSURE.—An accredited laboratory under section 231 with
whom an election-dedicated voting system technology has been deposited shall—
“(i) hold the
technology in escrow; and
“(ii) disclose
technology and information regarding the technology to another person if—
Cmt 15. What “information” is to be disclosed? Is
there an assumption that the laboratory that escrows “technology” is the same
laboratory that tested it for certification?
How will the process be managed if the laboratory
becomes unaccredited?
Cmt 16. This paragraph should specify the time, such
as 24 hours, within which the laboratory must disclose the “technology and
information” so that it is not improperly delayed.
“(I) the person is a
qualified person described in subparagraph (C) who has entered into a
nondisclosure agreement with respect to the technology which meets the
requirements of subparagraph (D); or
Cmt
16.5 With whom will the “qualified person” enter into a nondisclosure
agreement—the laboratory? The vendor of the system? Who will administer the
paperwork and enforce the non-disclosure agreements? To whom will “persons”
appeal if they are told that they are not “qualified”, and what procedure or
remedy is available for improper delays and denials? See also Cmt 12.1.
“(II) the laboratory is
required to disclose the technology to the person under State law, in
accordance with the terms and conditions applicable under such law.
Cmt 17. The same “technology” might be disclosed to a
particular person in one state and not another, depending on the law of the
different states.
|
“(C) QUALIFIED PERSONS DESCRIBED.— With
respect to the |
disclosure of
election-dedicated voting system technology by a laboratory under
subparagraph (B)(ii)(I), a ‘qualified person’ is any
of the following:
“(i) A governmental
entity with responsibility for the administration of voting and
election-related matters for purposes of reviewing, analyzing, or reporting on
the technology.
Cmt
17.5 Governmental entities with law enforcement or investigatory responsibilities
should also be “qualified persons.”
“(ii) A party to pre-
or post-election litigation challenging the result of an election or the
administration or use of the technology used in an election, including but not
limited to election contests or challenges to the certification of the
technology, or an expert for a party to such litigation, for purposes of
reviewing or analyzing the technology to support or oppose the litigation, and
all parties to the litigation shall have access to the technology for such
purposes.
Cmt 18. In the course of litigation, will the
information become public, or will judges, jurors, litigants, other witnesses,
and the public who observes the litigation be sworn to non-disclose -- or will
we have only the conclusions of parties and their experts revealed in court?
Notwithstanding the term “party to pre- … election
litigation”, the term “used in an election” appears to mean that challenges
cannot be made until after the use of the “technology,” so that at least one
election must be spoiled by a known problem before the problem can be
litigated. To avoid this interpretation, the language should say “used or to be
used in an election.”
“(iii) A person not
described in clause (i) or (ii) who reviews, analyzes, or reports on the
technology solely for an academic, scientific, technological, or other
investigation or inquiry concerning the accuracy or integrity of the
technology.
Cmt 19. A person who reports on the “technology” has a
right to have the “technology” disclosed to him or herself after he/she signs a
non-disclosure agreement. Can any citizen declare that he or she is making a
“technological, or other investigation or inquiry” and sign a non-disclosure
agreement and have the “technology” disclosed?
|
“(D) REQUIREMENTS FOR NONDISCLOSURE
AGREEMENTS.—A |
nondisclosure agreement entered into with respect to
an election-dedicated voting system technology meets the requirements of this
subparagraph if the agreement—
“(i) is limited in scope to coverage of the technology disclosed under subparagraph (B) and any trade secrets and intellectual property rights related thereto;
Cmt 20. Trade secret and intellectual property claims
of vendors must be evaluated before they are accepted, so that such claims are
not used to prevent public knowledge of shoddy quality and other aspects of
equipment that vendors may wish to conceal. NIST could perform examination of
any material for which vendors make trade secret claims.
Unless claims of “trade secrets and intellectual property
rights” are validated prior to disclosure of the technology under
non-disclosure agreements, the citizens to whom such technology is disclosed
bear unfair legal burdens. If the citizens’ evaluations convince them that some
aspect of the technology is not a trade secret, nor intellectual property of
the vendor, they must defend this in court if sued for breach of the
agreement. Subparagraph (iii) immediately below exempts any
information in the public domain, but citizens to whom the information is disclosed
bear the burden to asserting that the information is in the public domain.
“(ii) does not prohibit a signatory from entering into other nondisclosure agreements to review other technologies under this paragraph;
“(iii) exempts from
coverage any information the signatory lawfully obtained from another source or
any information in the public domain;
“(iv) remains in effect
for not longer than the life of any trade secret or other intellectual property
right related thereto;
“(v) prohibits the use
of injunctions barring a signatory from carrying out any activity authorized
under subparagraph (C), including injunctions limited to the period prior to a
trial involving the technology;
“(vi) is silent as to
damages awarded for breach of the agreement, other than a reference to damages
available under applicable law;
“(vii) allows disclosure
of evidence of crime, including in response to a subpoena or warrant;
“(viii) allows the
signatory to perform analyses on the technology (including by executing the
technology), disclose reports and analyses that describe operational issues
pertaining to the technology (including vulnerabilities to tampering, errors,
risks associated with use, failures as a result of use, and other problems),
and describe or explain why or how a voting system failed or otherwise did not
perform as intended; and
Cmt 21. Courts would have to decide on a case-by-case
basis whether a specific report or analysis that describes operational issues
and failures has crossed the bounds of violating the non-disclosure agreement.
This places an unfair burden on citizens who perform analyses and disclose
reports, etc.
“(ix) provides that the
agreement shall be governed by the trade secret laws of the applicable State.
Cmt
22. Is the applicable state the state in which the “qualified person” lives, or
where the vendor has their home office, or where the laboratory is?
Conflicts
will arise if different states have different trade secret laws.
|
“(E)
ELECTION-DEDICATED VOTING SYSTEM TECHNOLOGY DEFINED.—For purposes
of this paragraph, ‘election-dedicated voting system |
technology’ means ‘voting system software’ as defined
under the 2005 voluntary voting system guidelines adopted by the Commission
under section 222, but excludes ‘commercial off-the-shelf’ software and
hardware defined under those guidelines.
Cmt
23. See Cmt 12. The 2005 voluntary voting system guidelines adopted by the EAC
has a glossary definition of “voting system software,” www.eac.gov/VVSG%20Volume_I.pdf
page A-19, pdf page 192:
voting system software: All the executable code and associated
configuration files needed for the proper operation of the voting system. This
includes third party software such as operating systems, drivers, and database
management tools. See also dynamic voting system software, semi-static voting
system software, and static voting system software.
|
“(9) PROHIBITION OF USE OF
WIRELESS COMMUNICATIONS DEVICES IN VOTING SYSTEMS.—No voting system
shall contain, use, or be accessible by any |
wireless, power-line, or concealed communication
device, except that enclosed infrared communications devices which are
certified for use in the voting system by the State and which cannot be used
for any remote or wide area communications or used without the knowledge of
poll workers shall be permitted.
Cmt 24. All forms of communications are easy
entry-points for tampering. All communications capability must be banned in all
voting and vote-tabulating equipment.
The focus on specific types of communications (such as
wireless) betrays an unhistorical and superficial understanding of computers,
which were subject to break-ins via the older telephone line/modem technology
long before wireless became common. Thus, this section needs to ban “dial-up
modem networking” or "telecommunications"
or "connections to the public switched telecommunications network."
The bill does not need a list of prohibited devices, but if it contains one, the list should also include ultra- or sub- sonic audio transmission, as well as the phrase “and all other communications devices and technologies that may be developed”.
Cmt
25. Very few poll workers would have knowledge of communications being used,
even when they themselves were using it.
“(10) PROHIBITING CONNECTION OF SYSTEM OR TRANSMISSION
OF SYSTEM INFORMATION OVER THE INTERNET.—No component of any voting device upon
which ballots are programmed or votes are cast or tabulated shall be connected
to the Internet at any time.
Cmt
26. This paragraph speaks of “voting device” while the previous paragraph
speaks of “voting system.” The Election Management System (“EMS”) and central
tabulator are part of a “voting system” but are not part of a “voting device.”
Both DREs and optical scanners are voting devices upon which ballots are
programmed (meaning, they contain ballot programming), votes are cast, and
votes are tabulated for their end-of-election-day tally printouts.
This
section must ban internet and communications capability in the entire voting
system, including the EMS and central tabulator.
Many
jurisdictions do not require poll workers to print and post tally reports PRIOR
TO connecting their DREs or optical
scanners via telephone line or internet to their central tabulator (or EMS
system if it functions as the central tabulator) to send in the day’s tallies.
This enables a tamperer to connect via communications capability to the central
tabulator and put in malicious code so that when individual DREs or optical
scanners connect to the central tabulator to send in their tallies, the central
tabulator ALTERS their tallies first, then lets them send in the altered
tallies. Then the poll workers print the tally reports in the poll site—but the
tallies have already been altered.
This
may have been what Clint Curtis was talking about when he testified before a
Congressional panel a few years back; he was asked, if tallies in the central
tabulator are altered, won’t people notice that the tallies in the poll sites
are different from those in the central tabulator? He said, "Not if I did
it!"
Given
that the bill does not ban all communications capability in all parts of the
voting system, it would be wise to require poll workers to print and post all
precinct tally reports from all DREs and optical scanners before connecting any
of these machines via any method of communications to the central tabulator.
Cmt 27. Prohibition of communications capability needs to be supported by inspection and enforcement. If a jurisdiction is incapable of inspection (for example, due to trade secret provisions in its purchase contract), the jurisdiction should be prohibited from using the equipment.
|
“(11) SECURITY STANDARDS FOR
VOTING SYSTEMS USED IN FEDERAL ELECTIONS.— |
“(A) IN GENERAL.—No
voting system may be used in an election for Federal office unless the
manufacturer of such system and the election officials using such system meet
the applicable requirements described in subparagraph (B).
“(B) REQUIREMENTS
DESCRIBED.—The requirements described in this subparagraph are as follows:
“(i) The manufacturer
and the election officials shall document the secure chain of custody for the
handling of all software, hardware, vote storage media, ballots, and
voter-verified ballots used in connection with voting systems, and shall make
the information available upon request to the Commission.
“(ii) The manufacturer shall disclose to the
Commission and to the appropriate election official any information required to
be disclosed under paragraph (8).
“(iii) After the
appropriate election official has certified the election-dedicated and other
voting system software for use in an election, the manufacturer may not—
“(I) alter such
software; or
“(II) insert or use in
the voting system any software not certified by the State for use in the
election.
“(iv) At the request of
the Commission, the appropriate election official shall submit information to
the Commission regarding the State’s compliance with this subparagraph.
Cmt 28. Anyone can fabricate a false chain of custody
report.
Security standards cannot rest on the EAC requesting
information from manufacturers and election officials. The information must be
submitted on a regular, routine basis, and posted for public inspection.
Otherwise, citizens can expect delays and difficulties obtaining the
information, since only the EAC has the power to request it, and citizens must
request it from the EAC (see (D) two paragraphs below).
This bill needs to designate a watchdog to regularly
inspect and verify the reports, and enforce these requirements.
“(C) DEVELOPMENT AND
PUBLICATION OF BEST PRACTICES ON DOCUMENTATION OF SECURE CHAIN OF CUSTODY.—Not
later than August 1, 2008, the Commission shall develop and make publicly
available best practices regarding the requirement of subparagraph (B)(i).
“(D) DISCLOSURE OF
SECURE CHAIN OF CUSTODY.—The Commission shall make information provided to the
Commission under subparagraph (B)(i) available to any person upon request.
Cmt 29. A time-limit, such as “within 24 hours,”
should be specified to clarify what “upon request” means. It would be easier to
simply post the information on the EAC’s web site.
|
“(12) DURABILITY AND READABILITY
REQUIREMENTS FOR BALLOTS.— |
“(A) DURABILITY
REQUIREMENTS FOR PAPER BALLOTS.—
“(i) IN GENERAL.—All
voter-verified paper ballots required to be used under this Act (including the
paper ballots used under paragraph (13) and the paper ballots provided to
voters under paragraph (14)) shall be marked, printed, or recorded on durable
paper.
“(ii) DEFINITION.— For
purposes of this Act, paper is ‘durable’ if it is capable of withstanding
multiple counts and recounts by hand without compromising the fundamental
integrity of the ballots, and capable of retaining the information marked,
printed, or recorded on them for the full duration of a retention and preservation
period of 22 months.
“(B) READABILITY
REQUIREMENTS FOR MACHINE-MARKED OR PRINTED PAPER BALLOTS.—All voter-verified
paper ballots completed by the voter through the use of a marking or printing
device shall be clearly readable by the voter without assistance (other than
eyeglasses or other personal vision enhancing devices) and by a scanner or
other device equipped for individuals with disabilities.
|
“(13) USE OF PAPER BALLOTS IN CASE OF SYSTEM OR
EQUIPMENT FAILURE.— |
“(A) IN GENERAL.—In the event of the failure
of voting equipment at a polling place that causes a delay, any individual who
is waiting at the polling place to cast a ballot in an election for Federal
office shall be provided with a paper ballot for the election and the supplies
necessary to mark the ballot. Any paper ballot which is cast by an individual
under this subparagraph shall be counted and otherwise treated as a regular
ballot in the final unofficial vote count and certified count and not as a
provisional ballot, unless the individual casting the ballot otherwise would
have been required to cast a provisional ballot if the voting equipment had not
failed.
Cmt 30. “Failure” needs to be defined and examples listed. The list should include but not be limited to vote-switching on a touchscreen or other form of DRE display, and the display of wrong votes on a final review screen or paper printout.
Feasible remedies must be specified to prevent voters from being disenfranchised when jurisdictions do not in fact have sufficient paper emergency ballots on hand.
If a DRE voting machine fails, it must be removed from
service for the duration of the election.
“(B) POSTING OF
NOTICE.—The appropriate election official shall ensure that at each polling
place a notice is displayed prominently which describes the right of an
individual under this paragraph to be provided with a paper ballot for voting
in the election.
Cmt 31. The notice must be posted in the multiple languages required for ballots by the Voting Rights Act, and must be posted at each sign-in table in the precinct. In addition to the right to a paper emergency ballot, the notice must describe:
a. failures of DRE voting systems that should cause equipment to be taken out of service, and
b. remedies for voters when paper emergency ballots are not available for use when needed.
“(C) TRAINING OF
ELECTION OFFICIALS.—The chief State election official shall ensure that
election officials at polling places in the State are aware of the requirements
of this paragraph, including the requirement to display a notice under
subparagraph (B).”.
|
“(14) MANDATORY AVAILABILITY OF PAPER BALLOTS AT
POLLING PLACE.— |
“(A) REQUIRING BALLOTS TO BE OFFERED AND PROVIDED.—The appropriate
election official at each polling place in an election for Federal office shall
offer each individual who is eligible to cast a vote in the election at the
polling place the opportunity to cast the vote using a pre-printed paper ballot
which the individual may mark by hand and which is not produced by a direct recording
electronic voting machine. If the individual accepts the offer to cast the vote
using such a ballot, the official shall provide the individual with the ballot
and the supplies necessary to mark the ballot, and shall ensure (to the
greatest extent practicable) that the waiting period for the individual to cast
a vote is not greater than the waiting period for an individual who does not
agree to cast the vote using such a paper ballot under this paragraph.
“(B) TREATMENT OF
BALLOT.—Any paper ballot which is cast by an individual under this paragraph
shall be counted and otherwise treated as a regular ballot for all purposes
(including, to the greatest extent practicable, the deadline for counting the
ballot) and not as a provisional ballot, unless the individual casting the
ballot would have otherwise been required to cast a provisional ballot if the
individual had not accepted the offer to cast the vote using a paper ballot
under this paragraph.
Cmt
31.5 “to the greatest extent practicable” opens a large loophole for delay in
counting the votes on such ballots.
“(C) POSTING OF
NOTICE.—The appropriate election official shall ensure that at each polling
place a notice is displayed prominently which describes the obligation of the
official to offer individuals the opportunity to cast votes using a pre-printed
paper ballot under this paragraph.
“(D) TRAINING OF
ELECTION OFFICIALS.—The chief State election official shall ensure that
election officials at polling places in the State are aware of the requirements
of this paragraph, including the requirement to display a notice under
subparagraph (C), and are aware that it is a violation of the requirements of
this title for an election official to fail to offer an individual the
opportunity to cast a vote using a pre-printed paper ballot under this
paragraph.
“(E) EXCEPTIONS.—This
paragraph does not apply with respect to—
“(i) a polling place at
which each voting system used in the administration of an election for Federal
office uses only preprinted paper ballots which are marked by hand and which
are not produced by a direct recording electronic voting machine (other than a
system used to meet the disability access requirements of paragraph (3)); or
“(ii) a polling place
in operation prior to the date of the election, but only with respect to days
prior to the date of the election.
“(F) EFFECTIVE
DATE.—This paragraph shall apply with respect to the regularly scheduled
general election for Federal office in November 2010 and each succeeding
election for Federal office.”.
Cmt 32. Paper or plastic? In 2010 all voters in DRE
poll sites on election day will have the choice of voting on a preprinted
voter-marked paper ballot. This choice is not required to be available
in early voting.
HR811 should require the votes on these ballots to be
counted at the polls and reported on election night along with the tallies of
votes cast on DREs. Otherwise two unequal classes of voters are created. The
unofficial vote tallies announced on election night do prejudice all media
reporting and public opinion, and give an advantage in subsequent recounts,
audits, and legal disputes to the announced winner, for example Bush v. Gore,
Jennings v. Buchanan.
Rights
that cannot be enforced are meaningless. This provision needs some penalties
for officials who do not comply and remedies for the voters who do not receive
a paper ballot, and for all voters and candidates affected if the votes are not
tallied and announced on election night.
|
(2) REQUIRING LABORATORIES
TO MEET STANDARDS PROHIBITING CONFLICTS OF INTEREST AS CONDITION
OF ACCREDITATION FOR TESTING OF VOTING SYSTEM HARDWARE AND
SOFTWARE.— |
(A) IN GENERAL.—Section
231(b) of such Act (42 U.S.C. 15371(b)) is amended by adding at the end the
following new paragraphs:
“(3) PROHIBITING
CONFLICTS OF INTEREST; ENSURING AVAILABILITY OF RESULTS.—
“(A) IN GENERAL.—A
laboratory may not be accredited by the Commission for purposes of this section
unless—
“(i) the laboratory
certifies that the only compensation it receives for the testing carried out in
connection with the certification, decertification, and recertification of the
manufacturer’s voting system hardware and software is the payment made from the
Testing Escrow Account under paragraph (4);
“(ii) the laboratory
meets such standards as the Commission shall establish (after notice and
opportunity for public comment) to prevent the existence or appearance of any
conflict of interest in the testing carried out by the laboratory under this
section, including standards to ensure that the laboratory does not have a
financial interest in the manufacture, sale, and distribution of voting system
hardware and software, and is sufficiently independent from other persons with
such an interest;
“(iii) the laboratory
certifies that it will permit an expert designated by the Commission to observe
any testing the laboratory carries out under this section; and
Cmt 33. Given the EAC’s past unresponsiveness to the
public and failure to comply with HAVA requirements, such experts should be
designated by NIST.
Additionally, there should be a way for the public to
observe. Also, any state or local jurisdiction should be able to designate
observers.
“(iv) the laboratory,
upon completion of any testing carried out under this section, discloses the
test protocols, results, and all communication between the laboratory and the
manufacturer to the Commission.
Cmt 34. NIST -- not the EAC -- should receive and
immediately publish this information.
“(B) AVAILABILITY OF
RESULTS.—Upon receipt of information under subparagraph (A), the Commission
shall make the information available promptly to election officials and the
public.
Cmt 35. “Promptly” should be replaced by a specific
time limit such as 24 hours.
“(4) PROCEDURES FOR
CONDUCTING TESTING; PAYMENT OF USER FEES FOR COMPENSATION OF ACCREDITED
LABORATORIES.—
“(A) ESTABLISHMENT OF
ESCROW ACCOUNT.—The Commission shall establish an escrow account (to be known
as the ‘Testing Escrow Account’) for making payments to accredited laboratories
for the costs of the testing carried out in connection with the certification,
decertification, and recertification of voting system hardware and software.
“(B) SCHEDULE OF
FEES.—In consultation with the accredited laboratories, the Commission shall
establish and regularly update a schedule of fees for the testing carried out
in connection with the certification, decertification, and recertification of
voting system hardware and software, based on the reasonable costs expected to
be incurred by the accredited laboratories in carrying out the testing for
various types of hardware and software.
“(C) REQUESTS AND
PAYMENTS BY MANUFACTURERS.—A manufacturer of voting system hardware and
software may not have the hardware or software tested by an accredited
laboratory under this section unless—
“(i) the manufacturer
submits a detailed request for the testing to the Commission; and
Cmt
36. What details are contemplated?
“(ii) the manufacturer
pays to the Commission, for deposit into the Testing Escrow Account established
under subparagraph (A), the applicable fee under the schedule established and
in effect under subparagraph (B).
“(D) SELECTION OF
LABORATORY.—Upon receiving a request for testing and the payment from a
manufacturer required under subparagraph (C), the Commission shall select at
random (to the greatest extent practicable), from all laboratories which are
accredited under this section to carry out the specific testing requested by
the manufacturer, an accredited laboratory to carry out the testing.
“(E) PAYMENTS TO
LABORATORIES.— Upon receiving a certification from a laboratory selected to
carry out testing pursuant to subparagraph (D) that the testing is completed,
along with a copy of the results of the test as required under paragraph
(3)(A)(iv), the Commission shall make a payment to the laboratory from the
Testing Escrow Account established under subparagraph (A) in an amount equal to
the applicable fee paid by the manufacturer under subparagraph (C)(ii).
Cmt
37. Only large companies could do this work, since they don’t get paid till
after the work is done which could take many months.
Cmt 38. This is a trust-based system. Reports of “test
protocols, results, and all communication between the laboratory and the manufacturer”
are easily fabricated. There is a need for observers who represent states,
local jurisdictions, and the public to be able to observe certification work.
“(5) DISSEMINATION OF
ADDITIONAL INFORMATION ON ACCREDITED LABORATORIES.—
“(A) INFORMATION ON
TESTING.—Upon completion of the testing of a voting system under this section,
the Commission shall promptly disseminate to the public the identification of
the laboratory which carried out the testing.
Cmt 39. The need for this paragraph is unclear.
Systems being tested, and the specific lab doing the testing for each one,
should be published on the EAC web site. Moreover, the identification of the
lab would be revealed when the EAC publishes, in accordance with paragraph (B),
the information provided by the lab to the EAC under paragraph (A)(iv).
“(B) INFORMATION ON
STATUS OF LABORATORIES.—The Commission shall promptly notify Congress, the
chief State election official of each State, and the public whenever—
“(i) the Commission
revokes, terminates, or suspends the accreditation of a laboratory under this
section;
“(ii) the Commission
restores the accreditation of a laboratory under this section which has been
revoked, terminated, or suspended; or
“(iii) the Commission has credible evidence of significant security failure at an accredited laboratory.”.
Cmt
40. Information about all alleged security failures should be published, along
with the results of investigations to confirm or discredit them, and evaluation
of their “significance.”
The
meaning of “credible” evidence and “significant” security failure are unclear,
but suggest that evidence of security failures will remain concealed as a
result of arbitrary and capricious determinations.
(B) CONFORMING
AMENDMENTS.—Section 231 of such Act (42 U.S.C. 15371) is further amended—
(i) in subsection
(a)(1), by striking “testing, certification,” and all that follows and
inserting the following: “testing of voting system hardware and software by
accredited laboratories in connection with the certification, decertification,
and recertification of the hardware and software for purposes of this Act.”;
(ii) in subsection
(a)(2), by striking “testing, certification,” and all that follows and
inserting the following: “testing of its voting system hardware and software by
the laboratories accredited by the Commission under this section in connection
with certifying, decertifying, and recertifying the hardware and software.”;
(iii) in subsection
(b)(1), by striking “testing, certification, decertification, and
recertification” and inserting “testing”; and
(iv) in subsection (d),
by striking “testing, certification, decertification, and recertification” each
place it appears and inserting “testing”.
|
(C)
DEADLINE FOR ESTABLISHMENT OF STANDARDS, ESCROW ACCOUNT, AND SCHEDULE
OF FEES.—The Election Assistance |
Commission shall establish the standards described in section 231(b)(3) of the Help America Vote Act of 2002 and the Testing Escrow Account and schedule of fees described in sec