With many states already deploying a form of Internet voting, the email return of voted ballots (see map), it is important that requirements for remote voting systems and the pilot programs that test them reflect the highest standards for security. On April 30, 2010, Verified Voting submitted comments to the EAC on proposed testing requirements for military and overseas voting pilot programs that use remote technologies such as Internet voting. In a letter to the EAC, President Pam Smith said that the comments focused on “the broad outlines of the pilot program and core precepts to which we believe any pilots should adhere.” Sending voted ballots over the public Internet “is in a security class by itself,” the letter noted, and these ballots are vulnerable to attacks from a wide range of individuals, organizations, and even governments. “Voting systems for UOCAVA voters should not be held to a higher security standard than domestic absentee voting,” the letter said, “nor should UOCAVA voters be required to use a system that is less secure than those used by voters back home.”
Verified Voting’s comments stressed that while the EAC document is “an equipment standard, we strongly believe that what is needed is a security standard,” and that the EAC is empowered by the Military and Overseas Voter (MOVE) Act to promote best standards and practices, “going beyond merely defining rules for how equipment should be manufactured, to how it should or should not be deployed.” Noting that a certification process alone cannot provide assurance that pilot systems will operate securely, the comments urge that “It is necessary to require those deploying these systems to undertake certain minimum security practices as well.”
Smith emphasized that audits are an absolute necessity. “We believe that actually conducting an audit is an essential part of any election process, and that includes all remote voting systems.” She noted that a requirement for audits could be made part of the security standard that supplements the equipment and certification standards, and would not supersede state regulations since it applies only to overseas voting pilots.
The letter also called attention to an omission about required paper records, noting that it’s insufficient to have a requirement for voter-verified paper records with an entirely new class of voting systems and then not require that they be used for their intended purpose. The letter suggested incorporating best practices for deploying paper records, and said that changes to the proposed requirements “should delineate procedures for chain of custody and best practices for safeguarding the documents for both voter privacy and auditing/technological assessment purposes.”
Earlier last week, the ACCURATE Center, whose principal investigators include Verified Voting founder David Dill, also submitted important comments on the EAC’s pilot certification manual, a separate but related document. That manual specifies requirements for pilot system certification, including but not limited to voting system pilots for overseas and military voters. See the ACCURATE blog for more details.