The following is a comment on the certification process for Los Angeles County’s VSAP 2.0 system. To view a pdf, click here.
Los Angeles County Voting Systems for All People (VSAP) 2.0 Certification
Comment of Pamela Smith, Senior Advisor, Verified Voting
January 20, 2020 Verified Voting commends Los Angeles County for the decade-long process of reimagining a voting system that must effectively serve the nation’s most populous and most diverse voting jurisdiction, as that system approaches certification and use in California’s upcoming elections. We have appreciated the opportunity to participate on the County’s Technical Advisory Committee since it was established and provide vigorous comment through the development process. We also appreciate the changes brought about by California’s lawmakers and Secretary of State Padilla to establish a more rigorous set of requirements for testing and examination of voting systems prior to approval for use. We believe, however, that there is a gap in the certification process that must be addressed for it to be fully transparent and to enable the public to more fully understand voting system compliance with California’s requirements.
The California Voting System Standards (CVSS)[1. https://www.sos.ca.gov/administration/regulations/currentregulations/elections/voting-system-certification-regulations/] framework is supported by a set of regulations1 which govern a sequence of events for certification of a system, from application and provision of documentation and system/s for test, to a series of tests by qualified testing entities on security, software, functionality and more, to a set of reports to be published prior to a public hearing and comment period, and to eventual approval or denial of certification.
The required publications include test reports from the involved testing authorities, and a staff report from the Office of Voting Systems Technology Assessment (OVSTA). Reviewing these reports show test results that are characterized as failing or not complying with requirements in some instances, while the subsequent Staff report indicates that the system is in compliance, which seems contradictory at best, and it is not clear to the public how to reconcile those reports.
The staff report states in its very first section regarding “scope” that it “presents the test results for all phases of the certification test” of the system. They note that the purpose of the testing is to ensure compliance of the tested system with all relevant laws, and that the testing “uncovers other findings, which do not constitute non-compliance, and those findings are reported… to address the issues procedurally. The procedures for mitigating any additional findings are made to the documentation[…]”, referencing the system’s Use Procedures documentation specifically.
This paragraph encapsulates a critically important but invisible phase of the process: that between the conduct and reporting of tests and the publication of the Staff Report, the State and the vendor interact extensively. Through these interactions, the vendor may correct or mitigate issues identified in the testing process, or may establish that they are less severe than the test reports indicated. How these issues were resolved is not made adequately clear.
While California’s certification process is arguably one of the most rigorous in the country, concerns remain as to how to reconcile issues highlighted in test reports without more substantive clarification regarding what happened to address those issues. What transpires between the county/vendor and OVSTA in that intervening period? What changes, improvements, alterations, or explanations are made to address issues raised in testing? Knowing what–if any–use requirements might be imposed would also be useful. There is insufficient insight available to the public about the process between testing and issuance of staff report, and at a time of heightened awareness and concern about election security, those insights are necessary.[2. This gap is exacerbated by the significant vagueness in the test reports as to how those issues are presented. For example, a test finding that the Los Angeles County VSAP system allowed “boot from USB” could have but did not explain that this did not refer to the ballot marking device component of the system, and provided no further insight about how benign this finding might be.]
For the public to make informed responses and provide relevant comment, substantially more information should be provided on these matters. While a vendor (and, in the case of the Los Angeles VSAP system, a county) can certainly document its own response to test findings, it is our view that the State must take steps to help the voting public understand the security and viability of the voting systems it examines. While the State does post a significant amount of information, it should document what is arguably the the most important — but opaque — phase of the certification process going forward.
Upon initial inquiry, OVSTA has given us reason to believe it is amenable to taking steps to improve this situation going forward. Given the stated interest of this Secretary of State in election security, it seems likely that OVSTA will act on this commitment. The State should document and publicize the process it undertakes with the vendor/county to ensure appropriate mitigations, in a transparent, adequate way in order to provide legitimate reassurance about the system’s full compliance with both the letter and the spirit of California’s election security requirements.
Thank you for the opportunity to comment on this process.