Politech mailing list archives

FC: Request for help on Los Angeles e-voting system security


From: Declan McCullagh <declan () well com>
Date: Tue, 29 Apr 2003 07:15:08 -0400


---

From: "Thomas Leavitt" <thomasleavitt () hotmail com>
To: "Declan McCullagh" <declan () well com>
Subject: Need politech folk's advice on securely implementing electronic voting systems without a paper trail.
Date: Tue, 29 Apr 2003 02:47:09 -0700
Organization: B40

Declan,

 I received the following *DRAFT* working paper from a participant in the
Los Angeles Voter Empowerment Circle, a group formed to shape the upcoming
development of California's plan to comply with the new mandates of the 2002
Federal Help America Vote Act (HAVA). Among the members of this group are
the ACLU, the League of Women Voters, Common Cause, the Asian-Pacific
American Legal Center, People for the American Way, the Green Party,
Neighbor to Neighbor and others (so they have a lot of heft). It was
produced by their Voting Technology subcommittee.

 The concern that precipitates this email is recommendation #5: "Do Not
Require Contemporaneous Paper-Trail at This Time." The rationale behind this
recommendation is purely cost driven - the people who drafted this paper are
afraid that the additional costs and complications inherent in producing a
printed ballot for each vote cast will tip the scales in favor of less
flexible systems (such as optical scan systems) that are unlikely to permit
the implementation of alternative voting systems in multiple languages. This
concerns me greatly - a voting system without an audit trail invites abuse,
and even when no abuse occurs, endangers the integrity of the result when no
answer can be made to accusations about the accuracy and validity of the
ballot count.

 As it appears that the choice was framed purely as secure and expensive
(DRE with paper ballot) and insecure and inexpensive (DRE with no paper
ballot), I'd like to invite the input of politech readers on the following
subjects (as there is continuing internal debate within some of the
sponsoring organizations about the wisdom of recommending DRE without an
auditable paper trail):

a) what are the security risks inherent in not having a paper trail?

b) how can a DRE system be implemented, in a purely digital format, in such
a way as to provide a very very high level of confidence that the end result
has not been tampered with, and in fact, cannot be tampered with in a way
that is not easily detected? And what would the costs of such a system, vs.
a paper trail system, be in the long run?

 It seems to me that (b) is a known problem, which has already been
discussed in great detail, and that parallel solutions must have been
implemented in the private sector, and in the defense sector. The paper was
forwarded to me on the basis of my technical expertise - I'm forwarding it
to politech readers, in turn, because while I am generally aware of the
security issues inherent in an all digital system (and some of the
solutions, such as requiring binaries produced from open source that are
signed with authenticateable digital signatures, and recording votes to
multiple and independently managed and trusted hosts) and the set of
processes surrounding it, I'm sure that politech readers are vastly more
informed and knowledgeable on these issues and can make much more informed
and coherent recommendations (or point me to existing discussions and papers
on this issue) than I can formulate on my own.

 This is an opportunity for politech readers to have a direct impact on how
voting systems are implemented nationwide, as I'm sure many other states
will follow California's lead on this matter. I have strong connections to
the highest levels of leadership in both the Green Party of California and
the California League of Women Voters, so I can ensure that their concerns
and feedback are given significant weight when a final decision on these
matters is made by both organizations.

Regards,
Thomas Leavitt

***

Los Angeles Voter Empowerment Circle

Working Paper

Voting Technology

Legal Requirements

1.  Common Cause v. Jones.  Pursuant to the final order and
judgment issued in this case, the Secretary of State's office has
decertified Votomatic and Pollstar pre-scored punch card machines effective
March 1, 2004.  This means that the nine counties using these systems (Los
Angeles, San Diego, Alameda, San Bernardino, Santa Clara, Sacramento,
Mendocino, Shasta and Solano) must convert to another certified system by
this date.

2.  Proposition 41.  Enacted by California voters in March 2002,
Proposition 41 provides for a $200 million bond issue to purchase new voting
equipment.  These monies are administered by the five-person Voting
Modernization Board ("VMB") that Proposition 41 created. Proposition 41
requires any that do not require the voter to mark a ballot to "produce, at
the time the voter votes his or her ballot or at the time the polls are
closed, a paper version or representation of the voted ballot or of all the
ballots cast on a unit of the voting system."

3.  Help America Vote Act.

a.  System Requirements.  Section 301 ("Voting System Standards")
requires the voting systems (1) permit the voter to verify his or her vote
privately before it is cast, (2) allow the voter to change his or her ballot
before it is cast, (3) notify the voter of overvotes, and (4) "produce a
record with an audit capacity," specifically a paper record, that is to be
available for any recount, (5) meeting "error rate" standards in effect
October 29, 2002, and (6) have a uniform definition of what constitutes a
vote.  The deadline for meeting these requirements is January 1, 2006.

b.  Disability Access.  Section 301 also requires that voting
systems be accessible to people with disabilities, including those with
visual impairments, and "at least 1 direct record electronic voting system
or other voting system equipped for individuals with disabilities at each
polling place." The deadline for meeting these requirements is January 1,
2006.

c.  Punch Card Replacement.  Section 102 ("Replacement of Punch
Card and Lever Voting Machines") provides funding to be used for the
replacement of punch card and lever voting systems, for those states that
"ensure that all of the punch card voting systems or lever voting systems in
the qualifying precincts within the State have been replaced in time for the
regularly scheduled general election for Federal office to be held in
November 2004."

Current Status

Many California counties have already made substantial progress toward
converting to new systems.  The VMB has had eight meetings since June 2002.
The Board approved an allocation formula at its July 2002 meeting, and has
now approved allocation amounts for almost all California counties planning
to purchase new voting systems, including all nine of the counties required
to convert to new systems under the Common Cause v. Jones decertification
order.  Payments have been made to five counties as of this date, including
Alameda.

Considerable attention has been devoted to the question of whether Direct
Record Electronic ("DRE") systems acquired by counties should be required to
have a contemporaneously generated "voter-verifiable" paper trail - i.e., a
piece of paper that the machine prints out prior to the vote being cast,
that each voter can check to make sure it accurately reflects his or her
choices and that would be retained as a backup for any necessary recount.

Those advocating a contemporaneously generated paper trail urge that it is
necessary both for security and to ensure public confidence.  They have
raised the spectre of foul play or human errors that might go undetected
without a paper trail verified by the voter.  Others argue that such a paper
trail would cause more problems than it creates, and that it may create a
disincentive for counties to convert to DRE systems, which have significant
advantages for people with disabilities, linguistic minorities, and people
of color.  Opponents of a contemporaneously generated paper trail question
whether it will appreciably increase security, and note the likelihood of
printers breaking down and slowing down the voting process.

At present, only one contemporaneously generated paper trail system has been
certified for use in California.  Those who support a contemporaneously
generated paper trail have succeeded in urging Santa Clara County to adopt
such a system.  Sacramento County is also planning to convert to such a
system, and tested it during 2002 elections.  A task force appointed by the
Secretary of State is currently considering this issue, and is expected to
issue a report and recommendations by late April.

Recommendations

1.  Convert to DRE Systems.  DRE systems offer many advantages for
voters, especially people with disabilities, linguistic minorities, and
people of color.  DRE systems are also better able to accommodate
alternative voting methods such as Instant Runoff Voting.  We therefore
believe that DRE systems are preferable to paper-based systems, such as
punch cards or optical scans.  Accordingly, the State of California should
take steps to promote conversion to DRE systems as expeditiously as
practicable, and counties upgrading their voting technology should move to
DRE systems.

2.  Certify New DRE Systems.  The State should act promptly to
consider and act on the certification applications for new DRE systems that
meet the requirements of state and federal law, to ensure the widest
possible choice of systems to counties in the process of converting.

3.  Consider Decertification of Other Systems. In the long term,
the Secretary of State should consider decertifying systems other than
DRE's.  Such a decision, however, should not be made until at least the
conclusion of the 2004 election cycle, through which the benefits of DRE
systems may be more clearly established.

4.  Educate Voters and Train Poll Workers. Those counties that are
converting to DRE's or other new voting systems should undertake extensive
voter education and poll worker training.

5.  Do Not Require Contemporaneous Paper-Trail at This Time.  The
State of California should not at this time require that DRE systems have a
contemporaneously generated paper trail. While such a paper trail may have
some benefits in terms of security and confidence, it goes beyond the
requirements of state and federal law.  They may also result in mechanical
problems, complicating the voting process and resulting in longer lines at
the polls.  Mandating a contemporaneously generated paper trail for all
DRE's could deter counties from moving to this technology, and that they
might instead choose optical scan systems which are less desirable.

     ___________________________________________________
     Kevin McKeown            |  Santa Monica, CA  (USA)
     email: kevin () mckeown net |  310 393-3639 /-3609 FAX
     http://www.mckeown.net   | "Choose to be conscious"
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
-------------------------------------------------------------------------
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------

