Comments of the California Voter Foundation on the FEC's Voluntary Standards for Computerized Voting Systems

Submitted to the Federal Election Commission via email, September 7, 2001

In response to the FEC's Voting System Standards draft



September 7, 2001

Ms. Penelope Bonsall, Director
Office of Election Administration
Federal Election Commission
999 E Street, NW
Washington, DC 20463

Dear Ms. Penelope Bonsall and Commissioners:

It is my pleasure to write to you on behalf of the California Voter Foundation and provide you with our comments on the proposed Voluntary Standards for Computerized Voting Systems.

We recognize that an update to the existing standards is long overdue and appreciate the Commission's efforts to develop new and better standards that meet the challenges of modern voting technology.  Our comments make ten recommendations.  Below is a brief background about our organization, followed by a summary of our recommendations and a discussion of each recommendation.

I.  About the California Voter Foundation

The California Voter Foundation (CVF) is a nonprofit, nonpartisan organization, founded in 1994, to model and advance the use of new technology to improve democracy.  CVF pioneered using the Internet to provide voters with timely, accurate, nonpartisan election information. CVF has used the World Wide Web to shine "digital sunlight" on money in politics, improving the public's ability to easily access campaign finance data online.  The CVF Web site, www.calvoter.org, is a free, noncommercial source of reliable information on California elections and politics.  CVF president, Kim Alexander, and board member, David Jefferson, are active participants in the voting technology debate.  Under their leadership CVF has been studying Internet voting since 1998, participated in several important studies of Internet voting and voting technology standards, and provided information to the public, policy-makers and the press on these issues.

II.  Summary of the California Voter Foundation's Recommendations

1.  The Commission should extend the deadline for this comment period.

2.  The proposed standards do not reflect the current state of knowledge and therefore the Commission should commence a new standards development process immediately.

3.  The Commission should remove all standards specifically for remote Internet Voting systems.

4.  The Commission should ensure that those responsible for choosing voting systems are aware that remote Internet voting is not an alternative.

5.  The Commission should clarify, in each instance, that the general Internet Voting standards are for Poll Site Internet voting exclusively.

6.  The Standards should reflect the current discussion about the source code of voting technology.

7.  The standards should require routine re-certification of voting systems that feature a software component.

8.  The standards should require systems to allow voters to register a decision not to vote in a given contest.

9. Design and usability standards must be included in the standards.

10. Voter privacy must be considered in standards for voter registration databases.
 

III.  Discussion of the California Voter Foundation's Recommendations

1. The Commission should extend the deadline for this comment period.

The standards are long and complex, and have only been widely available for public inspection for two months.  The 2000 presidential election demonstrated the importance of voting system design and reliability in determining election outcomes.  As a result, experts from diverse fields have participated in a national dialogue about the election process, including the machinery of voting.1  Many individuals, security experts, and organizations who have participated in this national discussion do not traditionally participate in the setting of voting technology standards. By extending the comment deadline the Commission will likely receive greater input from these sources.

2.  The proposed standards do not reflect the current state of knowledge and therefore the Commission should commence a new standards development process immediately.

The "Florida Fiasco" of the 2000 presidential election focused unprecedented levels of public attention and resources on the issue of voting technology and ballot design.  The draft standards were begun long before this intense national debate began in late 2000.  As the nation seeks answers to the problems of the 2000 election, new insights into voting technology and design proliferate.  In the past ten months dozens of federal and state reports and studies have been undertaken.2  Many of the most important studies have only recently been released, providing new and thoughtful recommendations about the future of voting standards and voting technology.  In particular, new questions are being raised about computerized voting systems and whether a paper copy of computerized ballots is necessary to maintain the integrity of the voting process.

The Commission must ensure that the VSS reflects the wealth of knowledge generated by this surge in research.  The standards process should include input from computer security experts, design and usability experts, privacy experts, as well as traditional participants in the VSS process.  The standards for both old and new technology will benefit from the advice and recommendations of experts in these fields.

3.  The Commission should remove all standards specifically for remote Internet Voting systems.

There are essentially three levels of electronic voting:  computerized/DRE machines; poll site Internet voting; and remote Internet voting.  The California Voter Foundation objects to the inclusion of standards for remote Internet Voting Systems within the Proposed Standards because it dangerously implies that such systems are ready for use in elections.

While the Overview's introductory text warns that current technology does not "address the requirements and risks associated with voting over the Internet," and states that the VSS therefore "does not promote Internet voting," it is a weak counterweight to the detailed specifications for the design of such systems contained in the standard.  The VSS weaves standards for remote Internet voting systems throughout, treating them just as it does standards for other kinds of voting systems.  The remote Internet Voting standards in no way indicate that they are intended merely to guide product development.  Because the standards as a whole drive product choices in 37 states, it is extremely likely that the inclusion of remote Internet voting standards will be taken as a signal that such systems are ready for use in elections. The risks created by the incorporation of standards for remote Internet voting technology are grave and cannot be mitigated by two lines of text that are not part of the standard itself.

The draft standard assumes the inevitability and desirability of remote Internet voting, and ignores the skepticism and criticism of its appropriateness reflected in recent reports by the National Science Foundation, the National Commission on Federal Election Reform, and the California Internet Voting Task Force.3  The assumption of remote Internet voting inevitability was popular in 1999, when the VSS update process began and there was less knowledge about the viability of Internet voting systems.  However, as people study Internet voting, many are concluding that it is neither inevitable nor desirable.

Casting a secret ballot in a fair and democratic election is a unique event for individuals; from a technical design perspective, it is a formidable challenge.  Each person must be authenticated, and able to vote only once, in a limited time frame.  Voters must be confident that their votes are recorded as cast.  Votes may not be associated with individual voters, but we must be able to audit the votes cast in the case of a recount.  Creating a system that allows individuals to vote online - possibly from a remote location - introduces additional complexity and risk to this already daunting technical task.

Due to the complexities of the voting process and the state of current technology, every group to study remote Internet Voting, with the exception of one, has rejected it, finding it to be premature and risky.4  While there are many technical reasons for rejecting remote Internet voting, which will be well articulated by others, CVF believes that it should be rejected because it:

- opens the door to widespread election fraud;
- introduces new opportunities for political coercion;
- undermines the secret ballot; and,
- creates new threats to voter privacy.

Furthermore, the inclusion of remote Internet Voting System Standards is inconsistent with the purpose of the VSS and implies that such systems are appropriate for use in elections.  The VSS is intended for use by state and local election officials in their testing, certification and procurement of computer-based voting systems.  "(T)he standards define functional requirements and performance characteristics to determine system suitability for election use."  In other words, if a system meets the applicable standards found in the VSS it is considered by the Commission to be suitable for election use.  Why then does the proposed VSS provide standards for remote Internet voting technology - a system that the Commission, and nearly every body that has studied it, agrees is not suitable for election use?

In issuing remote Internet Voting System Standards the VSS strays from its purpose of assisting state and local officials in evaluating voting technologies.  It offers remote Internet standards "to guide, provide product development, and assure that Internet Voting Systems when fully developed, are examined and tested using standards that recognize the unique design and operating characteristics and inherent risks of Internet voting systems."  While it is quite possible that those developing remote Internet voting systems need guidance and input, this is not the role of the VSS.  To use the VSS as the vehicle for such guidance will inappropriately drive expectations about remote Internet voting, creating an illusion that if such systems meet the VSS standards they are appropriate for election use.

4. The Commission should ensure that those responsible for choosing voting systems are aware that remote Internet voting is not an alternative.

In light of the risks identified with remote Internet voting systems, the Commission has an obligation to ensure that officials responsible for choosing voting technology are clearly informed that remote Internet voting is not currently an option.  The country cannot afford to risk confusion on this point.  As written, the VSS creates ample opportunity for confusion. In the hands of unscrupulous vendors this document provides a platform for misleading the public and those responsible for selecting voting technology for public and private elections in this country and elsewhere in the world.

5.  The Commission should clarify, in each instance, that the general Internet Voting standards are for Poll Site Internet voting exclusively.

As the Internet voting debate has developed, there has been a clear and important distinction made between poll site Internet voting, where the voting machine and online connections are maintained by election agencies, and remote Internet voting, where voters could use any personal computer and any Internet connection to vote.

As with the remote Internet voting standards, the California Voter Foundation views the inclusion of poll site Internet voting standards as premature. However, we and others who have studied poll site Internet voting believe it may be viable in the near future, unlike remote Internet voting.  If the poll site Internet voting standards are to be included in the new standard, it is crucial that the Commission be extremely clear and specific about which of the two Internet voting systems the standards are designed to evaluate. As written, the standards do not distinguish between poll site and remote Internet voting, except where they establish additional standards for remote Internet voting.  To clarify, the Commission should change the headings and all references to specifically say "Poll Site Internet Voting."

6.  The Standards should reflect the current discussion about voting technology source code.

Throughout the technical and computer policy community there is growing agreement that "open source" and "public source" code is favorable in many settings for reasons of security, transparency, and accountability. In no place are these values more important than the election process. Simply put, there is growing sentiment that we cannot have free, open, trustworthy elections with closed, proprietary, "black box" software. One possible way to remedy this problem is to require that the code that runs voting systems be open to public inspection.

It may be counterintuitive, but there is consensus in the computer security field that software that is open is safer than software that is closed.  In fact, the Pentagon, our number one military agency, decided last year to no longer purchase closed source, commercial software programs from companies such as Microsoft, Netscape and Lotus to use in its most sensitive systems. The reason given by one anonymous Pentagon official to the Washington Post is that the Pentagon found that these closed source programs had too many holes, backdoors and trapdoors that place the department in greater danger of a computer attack than using public and open source software would.

People in the election community are similarly recognizing the benefits of public source voting software.  There are vendors who, while shying away from the "open source" approach to software development, have stated that they would make their source code public if it were required of all election system vendors.  There is also growing interest in developing "open source" code voting systems.  As the Commission revises the VSS we believe that a robust discussion about the merits of "public source" and "open source" voting systems needs to take place and the loss of transparency in computerized voting systems must be addressed.

7.  The standards should require routine re-certification of voting systems that feature a software component.

The Internet voting section of the standards recognizes the importance of re-certification.  We believe that re-certification is important for any voting system that uses software in any part of the voting process.  Voting technology is increasingly software based; systems should be designed to be easily upgradable so they keep pace with current technology.  A requirement for re-certification will ensure that they can be.

8.  New Voting System Standards should require systems to allow voters to register a decision not to vote in a given contest.

Voters routinely decide not to cast votes in specific contests presented on the ballot.5  Regardless of the reasons for this, it occurs and its occurrence should be captured by voting systems.  Without an option to affirmatively register a decision not to vote, confusion and concerns about undervoting will remain even if all ballots cast are being accurately recorded.

Adding mechanisms that allow voters to register their decision not to vote will increase our ability to judge the performance of voting systems. Voting system performance is based on the number of "residual votes." Residual votes include both intentional and unintentional undervotes, and unintentional overvotes. Intentional undervotes are inappropriately viewed as a system failure.  The number of intentional undervotes is small in contests at the "top of the ticket", such as a Presidential election, where experts estimate the rate of intentional nonvotes to be between .5 and .75 percent of all votes cast.6  However, as one goes down the ballot, the number of intentional undervotes increases.  With the incorporation of mechanisms that allow voters to affirmatively record a decision to not vote in a contest (an intentional undervote) we will improve our ability to assess voting systems' performance.  In addition, by reducing the number of ballots left blank due to intentional undervotes, we will reduce the opportunities for election fraud via back-end vote tampering.

9.  Design and usability standards must be included in the standards.

In light of the central role that ballot design plays in facilitating or undermining voter decisions, thorough design and usability standards must be included in the standards.7  Ballot design played an inauspicious role in the 2000 presidential election.  The reports from Florida and other jurisdictions of confusingly designed ballots and distraught voters uncertain whether their ballot reflected their true intent brought ballot design to the forefront of public discussion.  The VSS should require that professional information designers are consulted when developing or testing a voting system.  Voting technology should also undergo usability testing with panels of actual voters as part of the certification process.

10.  Voter privacy must be considered in standards for voter registration databases.

In the overview, the Commission notes several issues that the standards do not address.  The integration of voter registration databases is among these issues.  Several of the major reports on the issue of election and voting reform recommend the development and/or integration of statewide voter registration databases and systems to facilitate better access to the data for election administration purposes.  However, voter registration data is used for other purposes.  It is routinely gathered and used by political campaigns to market their message to voters.  The computerization of, and increased public access to, voter registration data greatly increase the magnitude of exposure of these records, which in turn is undermining voter privacy.

Just last month, a non-profit group came under fire for making voter registration data - including home addresses, birth dates, and party affiliations - of hundreds of thousands of New York City residents available on the World Wide Web.8  The group acquired the database from the city's election board on a CD-ROM, as one can in many jurisdictions around the country.  While the group's stated goal was to increase voter access to polling place information, the result was that anyone with an individual's name and birth date could easily find their home address and party affiliation. Many individuals wrote in to the Web site requesting to have their information removed and indicating that this kind of exposure would make them disinclined to register to vote.

This event illustrates how centralizing and computerizing voter registration information raises new privacy challenges.  While voter registration data is, and historically has been, legally available to the public, it has been "practically obscure."  As technology erases the de facto privacy protections of time and distance - making access instantaneous from anywhere on the globe - the public is left feeling vulnerable and exposed.  The magnitude of exposure faced by the individual whose voter registration form is stored in a filing cabinet in the basement of a county building is far less than that faced by the New York City resident whose record is on a Web site for anyone in the world to find.  Privacy standards must be an integral part of Commission standards for voter registration databases.

Thank you for your consideration of our recommendations.  If you have any questions or need additional information, please feel free to contact me at (530) 750-7650, or via email at kimalex@calvoter.org.

Sincerely,
 

Kim Alexander, President
California Voter Foundation
www.calvoter.org

street address:  222 D Street, Suite 6B
Davis, CA 95616
 

End Notes

1 For example:  Report of the National Commission on Federal Election Reform, "To Assure Pride and Confidence in the Electoral Process", August 2001, www.reformelections.org (herein National Commission Report); Report of the National Workshop on Internet Voting:  Issues and Research Agenda, National Science Foundation, March 2001, www.nsf.gov (herein NSF Report); The Report of the Constitution Project's Forum on Election Reform, August 2001;  Report of the California Internet Voting Task Force, January 2000, http://www.ss.ca.gov/executive/ivote/ (herein California Report).  For a longer list of studies and reports see, http://www.calvoter.org/votingtechnology.html#publications
2 Id.
3 National Commission Report at page 44; NSF Report, at section 5; and, California Report.
4 A report by the Pentagon on its Federal Voting Assistance Program reported that its Internet voting project was a success.  http://www.fvap.ncr.gov/voireport.pdf   However, the Center for Public Integrity published a report analyzing the Pentagon's Internet Voting pilot project.  The CPI report raised questions about the security of the military's experiment and estimated its cost at $73,809 per Vote. http://www.public-i.org/story_01_080901.htm.
5 See, "Roll Off at the Top of the Ballot:  Intentional Undervoting in American Presidential Elections", Stephen Knack and Martha Kropf, April 2001.
6 Id. at 12.
7 "Disenfranchised by design:  voting systems and the election process", Susan King Roth, The Information Design Journal, vol. 9 no. 1, 1998. archived at, http://www.calvoter.org/votingtechnology.html#publications
8 "As Public Records Go Online, Some Say They're Too Public",  Amy Harmon, New York Times, August 24, 2001, A1.








This page was first published on September 19, 2001 | Last updated on September 21, 2001
copyright 1994 - 2001, California Voter Foundation. All rights reserved.