12/17/03
Why we support Senator Bob Graham's "Voter Confidence and Increased Accessibility Act of 2003" and do NOT support Senator Hillary Clinton’s "Protecting American Democracy Act of 2003" in its present form.
By Bo Lipari, Senior Software Engineer, Autodesk, Inc., and Teresa Hommel, Computer Consultant; Chair, Task Force on HAVA Implementation, Community Church of New York
The bill introduced by US Senator Hillary Clinton (D-NY), the "Protecting
American Democracy Act of 2003" (PADA), bill number S 1986, is not
explicit enough in its requirements, and as written will not protect Americans
from the danger of electronic voting systems.
The primary danger is that these systems have no capacity for independent
audit, and thus force voters to accept election results for which there is
no independent means for recount or confirmation of the accuracy of the final
tallies.
We note that all other computer systems designed for use in commerce, industry, or
government have the capacity for independent audit. The purpose of independent audit
is to detect and enable correction of both innocent and intentional errors in a
computer system, as well as hacking attacks. Independent audit must be able to prove
the accuracy of both:
- the recording of input data (in voting systems, the ballot cast)
- the processing results (in voting systems, the final tallies).
Advocates of voter-verifiable paper ballots and other measures designed to ensure the
integrity of electronic voting systems should support HR 2239, Congressman Rush
Holt's "Voter Confidence and Increased Accessibility Act of 2003,"
and its companion in the US Senate, S 1980, introduced by Senator Bob Graham
(D-FL). We urge Senator Clinton to make her bill the same as those, or to
co-sponsor Senator Bob Graham's bill.
DISCUSSION OF PADA
Voter Verification, Section 2(a)(C)(i)
PADA Section 2(a)(C)(i) amends HAVA as follows.
(C) VOTER VERIFICATION.—
(i) The voting system
shall provide a means by which each individual voter must be able to verify his
or her vote at the time the vote is cast, and shall preserve each vote within
the polling place on the day of the election in a manner that ensures the
security of the votes as verified for later use in any audit."
Problem: Fully electronic voting systems claim that
they already do this. They claim to do
it by allowing the voter to view computer screens where their ballot choices
are displayed, and when the voter approves these screens, the ballot is
electronically stored in the computer. This forces the voter to "trust the
computer" and prevents detection of computer errors that occur when the
information on the computer screen is incorrectly recorded internally in the
computer. (We note that the redundancy
used in many electronic voting systems increases the likelihood of errors due
to programming mistakes--in other words, one copy of the ballot may be stored
correctly and another copy may be stored incorrectly. For this reason, current professional practices
discourage the keeping of redundant copies of data.)
Solution:
To provide for independent auditability, PADA must explicitly state that a
physical, permanent, unalterable paper ballot must be produced by electronic
voting systems, which then can be verified by the voter. After the voter approves the physical,
permanent, unalterable paper ballot, the ballot is then placed in a secure
ballot box and treated as the official record.
Voter Verification, Section 2(a)(C)(ii)
PADA Section 2(a)(C)(ii) amends HAVA as follows.
(ii) The voting system
shall provide the voter with an opportunity to correct any error made by the
system before the permanent record is preserved for use in any audit.
Problem: Fully electronic voting systems claim that
they already do this. They claim to do
it by allowing the voter to return to the computer screens where their ballot
choices were entered, to change their choices, and then to view again the
computer screens where their new current ballot choices are displayed. When the
voter approves these screens, the ballot is electronically stored in the computer.
Solution:
To provide for independent auditability, PADA must explicitly state that a
physical, permanent, unalterable paper ballot must be produced by electronic
voting systems, which then can be verified by the voter. If this paper ballot
is incorrect, the voter must be able to re-enter his or her choices and request
them to be printed again.
The correction and reprinting of a physical, permanent, unalterable paper ballot is
critically important because of the nature of some electronic voting machine failures
in recent years. There have been instances where the computers refused to accept a
vote for one or more candidates. There have also been instances where observant
voters saw their ballot choice on the computer screen shift from their selected
candidate to a different candidate after a few seconds.
Voter Verification, Section 2(a)(C)(iii)
PADA Section 2(a)(C)(iii) amends HAVA as follows.
(iii) The verified vote
produced under this subparagraph shall be available as an official record.
Problem:
This can easily be interpreted to mean that the official record of the ballot
is the electronic recording stored in computer memory and/or on computer media
that is not directly readable by people.
Solution:
PADA should explicitly state that the physical, permanent, unalterable paper ballot
is the official record.
Voter Verification and use of Other Technologies, Section 2(a)(C)(iv)
PADA Section 2(a)(C)(iv) amends HAVA as follows.
(iv) Any method used to
permit the individual voter to verify his or her vote at the time the vote is
cast and before a permanent record is created—
(I) shall use the most
accurate technology, which may include voter-verifiable paper ballots,
votemeters, modular voting architecture, and encrypted votes, in a uniform and
nondiscriminatory manner;
Problem: Arguments about which technology is the most
accurate could take years to resolve. Meanwhile, in fact, the problem is
independent auditability.
Votemeters,
modular voting architecture, and encrypted votes are purely electronic
technologies. They create only an electronic recording of the ballots, and thus
do not allow for independent audit. They
do not create a physical, permanent, unalterable paper ballot for the voter to
verify that can be stored external to the computer and serve as the
independently auditable official record of the ballot.
There
has been much talk about encryption and other technologies, but the fact
remains that if the ballot is not accurately recorded, encrypting it or the use
of other technologies will not make it correct.
These
fully electronic technologies force voters to "trust the computer"
and prevent detection of computer errors in the recording and counting of
ballots.
Solution:
PADA should explicitly require an independently auditable method of recording
and tallying the ballots. At this time,
independent auditability requires a physical, permanent, unalterable paper ballot
which serves as the official record of the ballot.
Voting System Security Requirement, Section 3(a)(7)(A)
PADA Section 3(a)(7)(A) amends HAVA as follows.
The voting system shall
adhere to security requirements for Federal computer systems or more stringent
requirements adopted by the Election Assistance Commission....
Problem:
There are several different sets of security requirements for federal computer
systems, and PADA does not specify which security requirements must be adhered
to.
Moreover,
if the security requirements for voting system technology are not explicitly
incorporated into PADA and HAVA, but are only incorporated by reference to
other laws or regulations, when those regulations or laws are changed, voting
system security standards will also change.
Solution: Make security standards explicit and part of
PADA and HAVA. Also, require independent auditability as well as
audits of all computer systems used in elections.
Open Source code:
PADA
makes no provision for open source code and inspection by citizens.
Manual Recounts:
PADA
makes no provision for manual recounts. Perhaps that is not surprising, as the
bill contains no requirement that a paper ballot be produced.
Outside
the sphere of elections, it is common practice for new computer systems to run
in parallel with older systems for at least one complete accounting cycle. In some cases this may be a year or
more. This is done in order for all
results of both systems to be compared.
It is unheard of to install new systems and rely on them with no
independent audit or lengthy parallel processing.
With
this reality in mind, many people prefer manual ballot counts or the use of
optical scanners when electronic voting systems are used to create and mark the
ballots. When a computer counts the
ballots, we regard it as essential to require at least some minimum number of
random manual counts of the permanent, unalterable, physical paper ballots that
were verifiable by the voters, and comparison of these counts to the electronically-produced
tallies. HR 2239 calls for .5%, but 2%
would be better.
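An added illustration of the random manual count described above (not part of the original article or of either bill): it draws a reproducible random sample, compares hand counts of the paper ballots to the electronic tallies, and shows how the chance of catching a mis-tallied unit changes between the 0.5% and 2% rates. It assumes the percentage applies to precincts; all data and function names are constructed for the example.

```python
import random
from math import comb

def sample_size(n_precincts, rate_bp):
    """Precincts to hand-count; rate in basis points (50 = 0.5%, 200 = 2%)."""
    return max(1, -(-n_precincts * rate_bp // 10000))  # ceiling division

def select_precincts(precinct_ids, rate_bp, seed):
    """Reproducible random draw, so observers can re-run the selection."""
    ids = sorted(precinct_ids)
    return random.Random(seed).sample(ids, sample_size(len(ids), rate_bp))

def audit(electronic, paper, selected):
    """Compare hand counts of paper ballots to electronic tallies.
    Returns (precinct, candidate, electronic_count, paper_count) mismatches."""
    mismatches = []
    for pid in selected:
        for cand in sorted(set(electronic[pid]) | set(paper[pid])):
            e, p = electronic[pid].get(cand, 0), paper[pid].get(cand, 0)
            if e != p:
                mismatches.append((pid, cand, e, p))
    return mismatches

def detection_probability(n_precincts, n_bad, n_sampled):
    """Chance that the sample contains at least one mis-tallied precinct."""
    return 1 - comb(n_precincts - n_bad, n_sampled) / comb(n_precincts, n_sampled)

# Constructed data: 400 precincts; paper and electronic agree except in 4.
PAPER = {f"P{i:03d}": {"A": 300, "B": 280} for i in range(400)}
ELECTRONIC = {pid: dict(t) for pid, t in PAPER.items()}
for pid in ("P007", "P113", "P250", "P399"):
    ELECTRONIC[pid] = {"A": 290, "B": 290}  # 10 votes shifted from A to B

if __name__ == "__main__":
    for rate_bp in (50, 200):
        # Assumption: the seed is produced publicly before the draw.
        chosen = select_precincts(PAPER, rate_bp, seed=2003)
        found = audit(ELECTRONIC, PAPER, chosen)
        p = detection_probability(len(PAPER), 4, len(chosen))
        print(f"{rate_bp / 100}%: {len(chosen)} precincts, "
              f"{len(found)} mismatches, P(detect)={p:.3f}")
```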
Conclusion:
Citizens are concerned with the effect of unauditable electronic voting systems on American
elections. Senator Clinton’s bill does not give the specifics needed about what
constitutes voter verification, and makes no provision for open source code or
mandatory manual recounts. It does not require that the voter be able to verify
a physical, permanent, unalterable paper ballot when voting on electronic voting
systems, and consequently fails to require that this paper ballot be the
official record of the vote and the one used when discrepancies arise between the
tallies of the electronic and the paper ballots.
The "Voter Confidence and Increased Accessibility Act of 2003",
introduced in the House of Representatives as HR 2239 by Rush Holt and in the
US Senate as S 1980 by Bob Graham, sets a much higher bar for acceptable
electronic systems, and is rich in specifics in all the areas where Senator
Clinton’s bill is not.
We
urge Senator Clinton to co-sponsor Senator Graham’s bill. PADA, well
intentioned though it is, would leave us in a worse position than we are with
HAVA today. Vendors and supporters of unauditable electronic voting systems would
be able to point to the bill as the necessary reform, while it actually
provides no protection from the dangers associated with electronic voting.