This week the Elections Assistance Commission (EAC) released public comments submitted on their draft UOCAVA Pilot Program Testing Requirements. The EAC document spell outs testing and certification requirements for Internet voting pilot programs for military and overseas voters, partly in response to the requirements of the Military and Overseas Voter Empowerment (MOVE) Act passed in 2009. The MOVE Act required many excellent improvements that increase opportunities for voters overseas to be able to cast their ballots in time to be counted. These changes include the electronic delivery of blank ballots and information, but not the electronic return of voted ballots. The Act also included a provision for experimental programs involving voting via the Internet. At least three states (AZ, CO, WV, and possibly GA and FL) are planning to carry out voluntary pilot programs this year. Despite the short time available for comment, many substantive comments were submitted, including from Verified Voting. While we do not mention them all here, there were many insightful comments and we urge you to read through them. Many of the comments expressed recurring themes:
Audits, Security Standards and Procedures: Verified Voting noted that an equipment manufacturing standard alone is insufficient to provide anything resembling “reasonable assurance that the pilot systems will operate correctly and securely”, as stated in Section 1.1.3 of the EAC Draft. We assert that a comprehensive security plan is required, not merely an equipment testing plan. Robust post-election audits are essential to demonstrating correct and secure operation of any voting system, be it remote or local.
Commenters Joe Hall and Aaron Burstein (ACCURATE) note the need for the EAC Requirements to do more with respect to auditing, saying that the Draft should close the loop between voter-verified paper records and post-election audits. ACCURATE also joined other commenters in critiquing the Draft for “scant attention to usability requirements and entirely [omitting] accessibility testing and requirements.”
University of Miami School of Law Professor Martha Mahoney recommended examining the costs of conducting such pilots as part of post-election review, citing a pilot conducted in Florida’s Okaloosa County in 2008.
Experimenting with Real Votes in Live Elections: Several commenters noted that even though the EAC Regulations are for pilot projects, actual votes will be cast using trial systems, so the highest standards must be met. According to Professor Candice Hoke, Founding Director of the Center for Election Integrity:
“At base, we should not be experimenting with election technologies in real elections until their systems and software have been studied and approved as reaching minimum standards for accuracy, reliability, security, and voter privacy. Real votes in real elections warrant more than mere belief in the vendor’s representations .”
A recurring recommendation was that initial trials be mock elections , rather than real elections with real votes. The Open Source Digital Voting Foundation noted:
“Testing in a mock election, in which members of the public can gain understanding of the mechanisms of the pilot, and perform experimentation and testing (including security testing), without impacting an actual election.”
Not Strong Enough to Secure Votes Against Current Threats: Many comments reflected concern that the EAC Requirements were inadequate. Joel Rothschild, Chief of Staff of the Federal Voting Assistance Program (FVAP), noted:
“In March 2010, the Election Assistance Commission issued proposed requirements for the testing of pilot voting systems to serve UOCAVA voters. I have reviewed the proposed requirements and do not feel they provide sufficiently robust guidelines to ensure adequate protection from the existing electronic threat environment or national level threats.
Jeremy Epstein agreed, saying that it is critical that the threat model for any pilot programs be at the “nation state” (or highly determined, well skilled, and well funded) adversary level” and recommending that “security testing for UOCAVA pilots be done by companies or individuals who are not part of the VSTL lab system. The labs have skill sets in understanding the voting system requirements, but they are not experts in emulating the behavior of an adversary breaking into a system.”
Voter Action Legal Director John Bonifaz observed that “Respected computer security experts across the country agree that the security problems associated with Internet voting would be exponentially greater than the current problems associated with electronic voting machines.”
California Secretary of State Debra Bowen submitted extensive comments, the only state election official to do so. In her response, Secretary Bowen cited expert analyses which show the risk of compromise of voted ballots cast using the Internet is extremely high, noting recent security breaches of government and corporate computer systems. The Secretary also noted her concern about the rushed timeline for implementation and how it could impact the security of votes for overseas and military voters:
“ However, as California’s chief elections officer, I am very concerned that this pilot problem does not, given the state of the currently available technology, serve the interests of overseas and military voters or of the nation. This fundamental change in how votes are cast and transmitted is based on hastily drafted standards that have been subject to a truncated review period. Furthermore, the timetable for implementation is inappropriately short given the magnitude and impact of the proposal…
…This timetable is not appropriate for a program that creates an entirely new method of voting without any assurance that the people the program is ostensibly being designed to assist will have their votes counted in the event the pilot program is a failure.”
The full set of comments on the EAC Requirements are available here.