Re: what would model legislation require?

From: Alan Dechert <alan_at_openvotingconsortium_dot_org>
Date: Wed May 19 2004 - 11:19:36 CDT


> Hi Everyone,
> I live in New York, and I have been going to Albany, our state
> capital, to observe our HAVA conference committee composed
> of members of our NY Assembly and NY Senate.
This is great, Teresa.

> They are about to address voting system standards.
> I have already provided them with a list of suggestions, and
> I was asked today for any other specific provisions I would
> like to suggest. Below are some questions, and the list of
> suggestions I already gave them.
> If anyone would like to help, please send me your ideas.
One word of caution: Be careful of what you ask for. You just might get
some of it! It's also possible that slight modifications will turn your
suggestions into something entirely different. Look out for possible
unintended consequences.

You should be prepared to shepherd this through the process. It's probably
best to stick with fewer points and hammer those.

> Our Assembly bill is the Voting Systems Standards Act of 2004, A8847-A
> Our Senate bill is the Voting Machines Modernization Act of 2004, S6207
> The bills are quite different, but both require a voter-verified paper
> audit trail. Printing a ballot which the voter can verify is one thing,
> but counting the paper is another. To my thinking, a professional-
> quality independent audit of any election would require counting
> 100% of the ballots. I have spoken to many people, and very
> few like the idea of counting ballots.
Most people haven't seen our system for ballot reconciliation. While not
really finished, it is described here. Eron is the keeper of this document.
He's currently preparing for his wedding, which is only a week or so away.
I don't know that we're going to have much more than we have right now so, if
necessary, this document could be used with the understanding that it's a
work in progress.

If the voter-verified paper audit trail is produced by an electronic voting
machine, then all of the paper "ballots" need to be verified against the
electronic record. This needs to be done at the precinct level before the
ballots are moved.

If there is a problem with an individual ballot, investigation is required.
You *don't* want to say something like, "in case of discrepancy, the paper
record is accepted over the electronic record." This could invite ballot
swapping or stuffing. For example, if someone somehow brought in a ballot
from home and got that into the ballot box in addition to his real ballot,
it would show up as an obvious forgery in the ballot reconciliation process.
But if the law says that the paper in the box is what we go by, we might be
forced to accept the obvious forgery.

Procedures should be in place for any voting system that spell out how to
reconcile any anomaly imaginable for that particular equipment.

> Teresa Hommel
> ==Here are my specific questions for anyone who can reply==
> 1. Is there anything else I should ask for? What would model legislation
> require?
> 2. Why is open source more secure than secret software? Is
> there an already-written plain-language explanation that I can
> distribute?
Laird Popkin provided some information on this recently:

I wound up using this chart as an attachment to our letter to the EAC.
While not specifically about security, it indicates a high level of
confidence in the security of open source since Apache is so dominant in the
web server marketplace.

> ====here are the suggestions I already made====
> A total ban on wireless communication devices in the voting and
> tabulating equipment.

> Specific provisions to require inclusion of independent computer
> professionals and computer scientists.

> A provision guaranteeing voters and/or candidates the right to petition
> for and obtain manual recounts before certification of the winner of an
> election.
Right. But the conditions have to be spelled out. Manual recounts are
expensive and someone has to pay for them.

> Legally binding guidelines for recount/audit standards:
> ---- If the recount of one machine shows inaccuracies, all machines of
> the same manufacturer and model with the same ballot must be recounted.
I don't know about this. It depends on the nature of the failure.

> ----A fixed percentage of precincts should be subject to random recount
> audits using primary voter-verified paper documents. (This is already
> in the bills passed by the Assembly and the Senate.)

> ----The selection of precincts will be made using random selection
> techniques comparable to those used in public state lotteries.
> ----The process of randomly selecting precincts will be conducted in
> open session, scheduled a specified number of days in advance, and
> announced publicly so that both interested public and press may attend.
> ----In addition to random audits, each political party on the ballot
> will be allowed to designate a pre-determined number of specific
> precincts for routine audit.
I don't think this is good. I'm not sure if random precincts should be
chosen in advance of Election Day. I'm pretty sure that party-designated
precincts should *not* be chosen in advance. It seems to me that
party-designated checks would be to look at precincts where the results look

If, before Election Day, you designate all the precincts that will be
checked, then you have also created a list of those that won't receive the
same scrutiny. This may invite funny business in those precincts.

> ----All recounts will be open to observation by the public and press.
> Vendors of computerized voting systems must be held accountable and
> penalties specified if:
> ----Vendors sell certified systems but deliver different, uncertified
> systems.
> ----Vendor technicians fail to report in advance any change to voting
> systems, including hardware, software, or other parts.
> ----Vendor technicians fail to get certification or evaluation for
> security purposes in advance of making changes.
Since, at present, the certification process is so thoroughly screwed up, I
would avoid leaning on "certification." Lots of crappy software and hardware
get "certified." We need to focus significant effort on improving the
certification process before putting much faith in "certification."

> ----Vendor's equipment fails or malfunctions during an election,
> placing an unanticipated financial burden on the Board of Elections
> and the State or community. This should include complete
> reimbursement of costs incurred, up to and including the
> cost of a complete restaging of the election.
I would avoid this. An unintended consequence of this may mean that only a
giant conglomerate could be an election vendor because no one else can cover
the cost of possible "equipment failure." A large vendor could exploit this
to rule out competition while knowing that they can always weasel out of
accusations of "malfunctions" claiming misuse by pollworkers, election
administrators etc.

> The following must be freely available for public examination in
> computer-readable form and posted on the state Board of Elections
> website for viewing and downloading:
> ----Certification reports from Independent Testing Authorities
> ----All software used in the voting systems
> Prior to initial use of computerized voting systems, local and county
> Board of Election staff must be trained to handle technical aspects of
> the computerized equipment and management of secure computer systems.
> Ongoing training must be required to handle new security risks, and for
> new staff.
> Specific provision to guarantee adequate funding for this training must
> be made.
Fine. But who does the training and who pays for it? I highly recommend
that you allow training to be done by equipment vendors, but also by
people/organizations that are not the voting equipment vendors.

Alan Dechert

= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
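As an added example (not part of the thread), the precinct-level reconciliation rule Alan describes above: every paper record is checked against the electronic record, and any discrepancy is flagged for investigation rather than resolved automatically in favour of the paper. Ballot identifiers, the record layout and the sample data are assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Reconciliation:
    """Outcome of comparing paper and electronic records for one precinct."""
    matched: int = 0
    paper_only: list = field(default_factory=list)       # paper with no electronic record
    electronic_only: list = field(default_factory=list)  # electronic with no paper record
    mismatched: list = field(default_factory=list)       # same id, different selections
    duplicate_ids: list = field(default_factory=list)    # an id appearing twice in one source

    def needs_investigation(self) -> bool:
        # Nothing here is "accepted over" the other record; an anomaly means
        # the precinct's result is held until the cause is established.
        return bool(self.paper_only or self.electronic_only
                    or self.mismatched or self.duplicate_ids)

def reconcile(paper, electronic):
    """paper, electronic: iterables of (ballot_id, selections) tuples."""
    result = Reconciliation()

    def index(records, source):
        by_id = {}
        for ballot_id, selections in records:
            if ballot_id in by_id:                      # stuffing may reuse an id
                result.duplicate_ids.append((source, ballot_id))
            by_id[ballot_id] = selections
        return by_id

    p, e = index(paper, "paper"), index(electronic, "electronic")
    for ballot_id in sorted(set(p) | set(e)):
        if ballot_id not in e:
            result.paper_only.append(ballot_id)         # e.g. a ballot brought from home
        elif ballot_id not in p:
            result.electronic_only.append(ballot_id)    # paper removed or never printed
        elif p[ballot_id] != e[ballot_id]:
            result.mismatched.append(ballot_id)         # printer/record disagreement
        else:
            result.matched += 1
    return result

# Constructed sample (assumed ids and candidate names): four electronic records;
# the box holds those four plus an extra B9, and B3's paper differs from its record.
ELECTRONIC = [("B1", ("Smith",)), ("B2", ("Jones",)), ("B3", ("Smith",)), ("B4", ("Jones",))]
PAPER = [("B1", ("Smith",)), ("B2", ("Jones",)), ("B3", ("Jones",)),
         ("B4", ("Jones",)), ("B9", ("Jones",))]

def sample_result():
    return reconcile(PAPER, ELECTRONIC)

if __name__ == "__main__":
    print(sample_result())
```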
Received on Mon May 31 23:17:53 2004

This archive was generated by hypermail 2.1.8 : Mon May 31 2004 - 23:18:16 CDT