Teresa Hommel



Commentary on some provisions of the RECORD Act, S 2313

Aug 10, 2004


There are 3 sections:

Technical Considerations


Overall Commentary









RECORD Act, SECTION 2 (c), re paragraphs (9) through (11)






                 SYSTEMS- No voting system shall at any time contain or use any undisclosed

                 software. Any voting system containing or using software shall disclose the source

                 code, object code, and executable representation of that software to the

                 Commission, and the Commission shall make that source code, object code, and

                 executable representation available for inspection upon request to any citizen.



                   VOTING SYSTEMS- No voting system shall use any wireless communication



          `(11) CERTIFICATION OF SOFTWARE AND HARDWARE- All software and

                   hardware used in any electronic voting system shall be certified by laboratories

                   accredited by the Commission as meeting the requirements of paragraphs (9) and




Commentary on Section 2 (c), re paragraphs (9) through (11)



Sec.2(c) new paragraph (9) "available for inspection upon request to any citizen."


Where and how will the code be available? Only in the Commission office in Washington? Only for citizens to read it there in hard copy during restricted office hours? Will this Commission have the resources to manage the task of making the code available, or will citizens end up with a tiny room which is open for 2 hours a week to one person at a time, etc. Should this inspection allow citizens to have a computer-readable copy of the code that can be examined on a computer where scan and search tools are available? Will people have to bring proof of citizenship, such as a passport? Will they get a CD to take home? Must they bring their own laptop so they can view the software in the office? Why shouldn't the code be posted on the internet, where anyone can see it? Why are we limiting this to citizens? What if I want my graduate students to study the code, and they are not citizens?


If I request to see the code, will it take 6 months for my request to be honored? Given that it could take a long time for a citizen to study the software, for what period of time before its purchase by any state, or before its first use in an election, must the software be available for inspection? Should the law specify that time? Assuming that the Commission will not have the expertise to study the code, nor the resources to act as librarians or distributors, why are they given these roles in the disclosure of software?


Open source software is typically freely available, for example on the internet, and this provision seems very limiting and burdensome to administer. It is doubtful that this provision will give us the benefits of open-source software, which requires the software to be freely available to geeks of the world so they can examine and comment on it, leading to its timely improvement.


Sec.2(c) new paragraph (11), "certified by laboratories accredited by the Commission as meeting the requirements of paragraphs (9) and (10)."


Should all certification reports be available for public inspection? Since voters are being urged to "trust" the certification process, shouldn't the public be able to read the reports?


At this time vendors pay the laboratories (Independent Testing Authorities or ITAs) to certify their equipment. Once the ITA finishes the certification process they are no longer involved with the equipment. Do these provisions require the ITAs to be overseers or inspectors of the equipment on a continuing basis? If not, then who is responsible for watching over the equipment to make sure that no undisclosed software or wireless communications devices show up? Where are the ongoing responsibility, enforcement, penalties, and remedies?




RECORD Act, SECTION 2 (c), re paragraph (12)




                   USED IN FEDERAL ELECTIONS-


               `(A) IN GENERAL- No voting system may be used in an election for Federal office

                       unless the manufacturer of such system meets the requirements described in

                       subparagraph (B).


               `(B) REQUIREMENTS DESCRIBED- The requirements described in this

                       subparagraph are as follows:


                    `(i) The manufacturer shall document the chain of custody for the handling of

                          software used in connection with voting systems.


                    `(ii) The manufacturer shall ensure that any software used in connection with the

                            voting system is not transferred over the Internet.


                    `(iii) In the same manner and to the same extent described in paragraph (9), the

                            manufacturer shall provide the codes used in any software used in connection

                            with the voting system to the Commission and may not alter such codes once

                            certification has occurred unless such system is recertified.


                    `(iv) The manufacturer shall implement procedures to ensure internal security, as

                            required by the Director of the National Institute of  Standards and Technology.


                    `(v) The manufacturer shall meet such other requirements as may be established by

                            the Director of the National Institute of Standards and Technology.'.



Commentary on Section 2 (c), re paragraph (12)



Sec.2(c) new paragraph (12)(B)(i) and (ii)

"shall document the chain of custody", "not transferred over the internet"


These are "trust-me" requirements because they cannot be enforced.


Who has ability and responsibility for overseeing and enforcing this kind of detail? If you ask a vendor for their documentation for the chain of custody, and they hand you some papers, then what? If you ask, "How did you transfer your software?" and they reply "Our technician flew from our main office to the customer site, and carried it on a CD in his pocket," then what?


It is impossible to enforce faithful implementation of computer security procedures from the outside of a private organization. It would be easier to implement paper ballots and count them by hand while standing on your head. That is why, when you go to your bank with your checks and statement, and say "Here's a mistake!" they look at the paperwork. They don't say, "Read our software, and examine our documentation of the chain of custody and how we avoided transfer of information over the internet."


The focus on process can be helpful, but it can distract us from focusing on the ballots created and cast during an election and counted immediately afterward. At the hearing held by the EAC on May 5, 2004, election directors expressed a desire for some way to ensure election integrity by procedures that could be accomplished prior to the election. Unfortunately, when you deal with computers, there is no substitute for examination (independent auditing) of the computer results. If procedure could replace audits, no one would perform audits.



Sec.2(c) new paragraph (12)(B)(iii) "may not alter such codes"


All large computer systems have software errors, many of which take years of daily use and correction to eliminate. This provision would prevent or delay the correction of errors that could meanwhile affect election after election.



Sec.2(c) new paragraph (12)(B)(iv) and (v) "procedures" and "other requirements"


Who at NIST, and with what funding, is going to produce a document with procedures and requirements?


Supposing such a document somehow gets created, it is impossible to enforce faithful implementation of computer security procedures from the outside of a private organization. A full-time observer-enforcer would have to be stationed at each person's desk in the vendor companies, or would have to follow each person involved during all their waking hours. These are "trust-me" requirements. What mechanisms of oversight, time limits, inspection, enforcement, penalties, remedies, and funding could make this work? This is why Information Technology professionals continuously audit the computer results of transaction-capturing and processing systems.


Will all manufactures have to recertify their systems if NIST produces a voluntary standard in the future?












           Section 102(a)(3) of the Help America Vote Act of 2002 (42 U.S.C. 15302(a)(3)) is

           amended by adding at the end the following new subparagraphs:


               `(C) If a State either requests the waiver described in subparagraph (B) or is unable to

                       comply with the requirements of section 301 that are due by November 2004 in

                       accordance with the deadline set forth in section 301(d), the State shall use a paper

                       ballot voting system in November 2004 and, so long as such inability continues, at

                       any time in 2005 that complies with such requirements of section 301,

                       based on paper ballot voting systems in use in the jurisdiction, if any, that shall be

                       deemed compliant with such requirements of section 301 by the Commission for use

                       in any Federal election between and including the general election in November

                       2004 and the last Federal election in 2005. The Commission shall reimburse the

                       State or jurisdiction for any costs incurred in using such interim paper ballot voting



               `(D) The Commission will certify voting equipment that meets the requirements of

                       section 301. States must use certified voting equipment, or the interim paper

                       ballot system described in subparagraph (C), or apply to the Commission for a

                       waiver which the Commission may grant if the State demonstrates that it is

                       technologically impossible to comply with such requirements. States receiving

                       such a waiver shall submit reports to the Commission demonstrating the steps the

                       State is taking to remedy the technological impossibility.'.



Commentary on RECORD Act, SECTION 4



Sec. 4 (b) new paragraph (D)

States must use certified voting equipment, or the interim paper ballot system described in subparagraph (C), or apply to the Commission for a waiver which the Commission may grant if the State demonstrates that it is technologically impossible to comply with such requirements.


Even though Senators Clinton and Graham announced at their March 10 press conference that their bill "requires a voter-verifiable paper record" the bill does not require it, nor the use of paper ballots. Instead the bill provides a back door for evading these requirements. Moreover, the approach encourages delay tactics, because the closer the November 2004 election gets, the less time there will be for anyone to comply with requirements to implement changes.


The bill delegates all authority to an understaffed, underfunded new Commission to determine whether states will get a waiver from these requirements by demonstrating that it is technologically impossible to comply. Yet the Commission's technical advisory bodies are only now being created, and the experts at NIST are no longer available due to defunding. Who exactly will be able to make the determination of "technologically impossible" for the Commission? What technological expertise will the person or group be required to have? What demonstration must the states make? What standards for evaluation will be used?


If the bill passed tomorrow, the Commission would have to start from scratch to set up some way to deal with this. When must states apply for the waiver? What procedures must the states and the Commission use? What appeal procedure? Would the waiver deliberations be conducted in public and observable by the public? Will the public be able to intervene and must public input be allowed, invited, or considered? Who will be able to read and comment on the application for waiver in advance, or observe if an in-person meeting occurs during which the state makes its application for a waiver? Who can observe the deliberations and determination by the Commission of whether to approve an application for waiver? Must there be a public statement like a published court decision afterward to explain what facts and what criteria were used to make a decision? Who is allowed to argue against the claims made by their state?


We are seeing that the State Implementation Plans required by HAVA have not been critically evaluated, but have merely been published and will be funded. In the same way, perhaps, any application by a state that claims that it cannot comply due to technological impossibility will be granted.









     Beginning with the regularly scheduled election for Federal office to be held in November

     2004, the Election Assistance Commission shall conduct random unannounced manual

     mandatory recounts of the voter-verified records of each election for Federal office (and, at

     the option of the State or jurisdiction involved, of elections for State and local office held at

     the same time as such an election for Federal office) in 2 percent of the jurisdictions in each

     State and with respect to 2 percent of the ballots cast by uniformed and overseas voters

     immediately following the election and shall promptly publish the results of those recounts in

     the Federal Register. In addition, the verification system used by the Election Assistance

     Commission shall meet the error rate standards described in section 301(a)(5) of the Help

     America Vote Act of 2002.






Is it feasible for the EAC to conduct recounts, given their resources? Or will very few of these recounts need to be done because there will be very few states with computer generated voter-verified records or interim paper ballots--because the states got waivers?


The bill says "immediately following the election" but there is no specific time-frame. These recounts are not required to be finished before the winner of the election is certified, nor to be considered before determining the winner of the election. What if the recount tallies are so different from the electronic tallies that the outcome of the election would be different?


If these recounts will not be timely enough to affect the outcome of an election, then they are merely academic information-gathering for the purpose of "study" and not useful for ensuring the integrity of the election. In Florida after the 2000 election, all kinds of irregularities were proved, and there was a lot of wrist-slapping, but it didn't change the outcome because the winner had already been certified and inaugurated.


To have impact on the integrity of elections, recounts must be timely and there must be a legal requirement for consideration of the recount before certifying the results of the election.









     Subtitle C of title II of the Help America Vote Act of 2002 (42 U.S.C. 15381 et seq.), as

     amended by section 8, is amended by--


          (1) redesignating section 248 as section 249; and


          (2) by inserting after section 247 the following new section:




     `(a) REPORT TO CONGRESS ON SECURITY REVIEW- Not later than 6 months after the

            date of the enactment of the Restore Elector Confidence in Our Representative

            Democracy Act of 2004, the Commission, in consultation with the Director of the

            National Institute of Standards and Technology, shall submit to Congress a report on a

            proposed security review and certification process for all voting systems used in

            elections for Federal office, including a description of the certification process to be

            implemented under section 231.



            Not later than 3 months after the date of the enactment of the Restore Elector Confidence

            in Our Representative Democracy Act of 2004, the Commission shall submit to Congress

            a report on operational and management systems applicable with respect to elections

            for Federal office, including the security standards for manufacturers described in

            section 301(a)(7), that should be employed to safeguard the security of voting systems,

            together with a proposed schedule for the implementation of each such system.




          `(1) IN GENERAL- On and after the date of the enactment of the Restore Elector

                Confidence in Our Representative Democracy Act of 2004, the Director of the

                National Institute of Standards and Technology shall provide security consultation

                services to States and local jurisdictions with respect to the administration of

                elections for Federal office.


          `(2) APPROPRIATION- To carry out the purposes of paragraph (1), $2,000,000 is

                 appropriated for each of fiscal years 2004 through 2006.'.






Can we achieve computer security through the use of reports, procedures, requirements, etc. that are developed in haste and may be unenforceable?


NIST used to be staffed with people who could have produced such reports, but as of the beginning of May, 2004, has only one employee in the voting systems area. The new Commission has neither the personnel nor the expertise to create such reports. These provisions of RECORD would require some very fast hiring, expansion, and report writing.


Is the bill saying, "we can require reports and they can tell us everything we need to know about the operation, management, and security of computerized voting systems. By following the advice in these reports, state and local Boards of Election can manage an arms-length relationship with vendors and oversee their service contracts with them, even though the Boards of Election still might not know anything about secure computer systems."


We might achieve more if we required and funded training for state and local Boards of Election to develop inhouse expertise in computer systems and management of secure systems.









           Section 301(a)(3) of the Help America Vote Act of 2002 (42 U.S.C. 15481(a)(3)) is

           amended to read as follows:





               `(A) IN GENERAL- Subject to subparagraph (B), the voting system shall--


                    `(i) be accessible for individuals with disabilities, including nonvisual accessibility

                          for the blind and visually impaired, in a manner that provides the same

                          opportunity for access and participation (including privacy and independence) as

                          for other voters;


                    `(ii) satisfy the requirement of subparagraph (A) through the use of at least one

                           direct recording electronic voting system or other voting system equipped for

                           individuals with disabilities at each polling place, and such voting system shall

                           meet the requirements of paragraph (2)(A) by using a mechanism that separates

                           the function of vote generation from the function of vote casting without

                           requiring the voter to view or handle paper; and



The law should require and enforce reasonable accommodation for voters with disabilities. If a person is disabled to the extent that they require assistance in every other area of their life, then it is unreasonable to require voting to be unassisted.


The requirement that the voter not have to handle paper will unreasonably restrict the types of DREs that can be used, and will unreasonably prevent the use of computerized ballot-marking machines.  This is not in the interest of any voter, whether disabled or not.


The concept of a "private and independent vote" has been interpreted in a political way to mean "entering ballot choices via a DRE." This is political because it ignores what happens to the ballot choices once entered. In fact, some leaders of the disabled have published contemptuous derision and condemnation of those who ask, "what happens to the ballot choices once the voter thinks they have cast their ballot?"


In fact, a ballot cast via DRE is handed over to unknown numbers of unknown technologists and others who have been responsible for the DRE from its initial design, programming, testing, maintenance, programming of the ballot, and installation in the polling site. The disabled community has been misled to look only at the act of entering ballot choices -- the ritual of casting the ballot -- and to ignore that fact that the computer is only an instrument created by people.


All voters using DREs are being assisted by, and entrusting their ballot to, many unknown people, so it is not unassisted, private or independent. Moreover, we cannot observe the actions of the assistants represented by the DRE. We don't know if they are recording our ballot choices or counting our votes honestly and without mistakes.


A completely computerized voting solution for the disabled can easily falsify the ballot and mislead the voter. Therefore, I recommend that the requirement that the voter not have to handle the ballot be omitted, because of the limitations it places on the design of voting systems.







One purpose of law is to give clear notice of what is required.


If Sen. Bob Graham's S1980 and Rep. Rush Holt's HR 2239, the Voter Confidence and Increased Accessibility Act, became law today, verifiable voting systems would be clearly required, and we could expect them to be made to work by November 2004 through the use of American ingenuity, know-how, and can-do attitudes.


The RECORD Act does not give clear notice. Instead it delegates authority. RECORD allows states to apply to the EAC for a waiver for the 2004 election. Can we expect the EAC to deny those applications?


Enormous resources are currently being spent to defend the use of unverifiable computer systems in elections. It is regrettable that the same resources are not being devoted to developing and preparing for the use of verifiable systems, or the use of paper ballots that can be counted by hand or optical scanner. Two DRE voting systems with voter-verified paper audit trails are already certified (Avante and Accupoll). Another, Populex, expects certification soon. Many others are in development.


Many of the issues raised here are political, not technical.


In November 2004, we should require the use of interim paper ballots for federal races. 


Even if all DRE voting systems produced a voter-verified paper audit trail in November, no jurisdiction is willing to perform a full audit of their paper ballots. A surprise random recount of a tiny percentage of jurisdictions is not an audit.