This written testimony was submitted by VoteTrustUSA for the Joint Committee of the House Administration and Science Committee on July 19, 2006.
Before this question can be answered, we must first ask if there actually are standards in any real sense of the word. Former Election Assistance Commission (EAC) Chair DeForest Soaries has opined that there are not, and we believe there is considerable support for his argument.1 While voting system standards do have the potential to solve election problems, it’s clear that to date they have not. Legislation has a much better chance of achieving this goal.
In Sections 221 and 222 of the Help America Vote Act (42 USC 15361 and 15362 respectively), Congress gave the EAC the authority to develop, adopt, publish and modify the Voluntary Voting System Guidelines (VVSG). HAVA also created the EAC’s Technical Guidelines Development Committee (TGDC) and officially adopted as its first set of guidelines, the most recent standards developed by the Federal Election Commission prior to the date of HAVA’s enactment. Voting systems in use today are purported to comply with these 2002 standards, but unfortunately “compliance” is a relative term.
While the term “voluntary” as used in the guidelines refers to their adoption by the States, those States that choose to adopt the VVSG constitute a large market for the vendors’ products. Market forces being what they are, buyers must set standards for sellers and sellers must meet those standards; otherwise the buyers can take their business elsewhere. The standards are therefore voluntary for the states but effectively mandatory for any vendors who wish to compete in over 39 States that require federal certification. But the VVSG contains a giant loophole that allows any of the standards therein to be waived by the EAC itself or by its predecessor, the National Association of State Election Directors (NASED).2 This has resulted in the certification of non-compliant voting systems.
Some of the standards with which vendors may not have to comply include those that allow the states to verify the authenticity of the software running on their voting machines; those that determine how easy the machines are to use; accessibility requirements for disabled voters; security requirements to prevent unauthorized access to voting systems or the corruption of election data; and even the already lax hardware reliability requirement of only a 163-hour mean time between failures.
The loophole language, which was expanded to include all of the guidelines in the 2005 version, means that at the sole discretion of the EAC, any or all of the standards can be waived to allow approval of non-compliant voting systems. So not only is adoption of the VVSG by the States voluntary, but so is compliance with the VVSG by the vendors. Not even the authors of the guidelines -- the Election Assistance Commission -- are bound to comply with them. The only “standards” that cannot be waived by the EAC are those in the HAVA statute, which can be found in Section 301 (42 USC 15481).
What is even more disturbing is that neither HAVA nor the VVSG contain any requirement for the ability to independently verify the election results generated by voting systems. This allows vendors to offer systems lacking this capability, and they have been doing so eagerly for years, thereby removing any notion of checks and balances from the electoral process.
HAVA guarantees voters the opportunity to vote privately and independently and also requires a system error rate of not more than one in 500,000 ballot positions (derived from the VVSG). One of the keys to achieving this in our present "high-tech" election system is reliable voting systems hardware.
The VVSG defines Hardware Reliability as the Mean Time Between Failures (MTBF), but a more meaningful metric, as far as voters and election officials are concerned, is the allowable failure rate, i.e., the percentage of voting systems permitted to fail on Election Day. The latter can be derived from the MTBF algebraically simply by dividing the time the product is in operation by its MTBF.
We were appalled to learn that the failure rate allowed under the VVSG, approved by the EAC in December 2005, is almost 10% in any 15-hour period (9.2% to be exact). To put it another way, one out of every 11 direct recording electronic (DRE) and optical scan (mark-sense) voting systems in the United States are allowed to fail either partially or completely on Election Day, and a much higher proportion during the extended Early Voting periods currently in effect in many states. This is due to the absurdly lax VVSG Reliability requirement of only 163 hours MTBF in Vol. I, Section 4.3.3 of the 2005 VVSG, as well as the even weaker certification testing guidelines in Vol. II, Appendix C.4, which allow up to six failures in only 466 hours -- a MTBF of only 78 hours or a failure rate of 19.3% in 15 hours – nearly one of every five voting systems on Election Day.
Clearly such high failure rates, which have been known to occur in actual elections and during volume testing of certified voting systems3,4, can disenfranchise voters, impede their access to electronic ballots, erode voter confidence in the system, and possibly even affect the outcome of elections. Certainly they also violate the spirit if not the letter of any law designed to ensure that voters be given the ability to vote privately and independently. In the event of a system failure, poll worker or even vendor intervention would inevitably be required. Such intervention results in the loss of voter privacy, voter independence, or both.
Equally appalling is the fact that the VVSG contains an ambiguous requirement at best for the fail-safe retention of previously cast ballots (Volume I, Section 2.1.3), and no requirement for any means of independent verification of the tallies produced by the voting system. It is therefore difficult to imagine how the Accuracy requirement of one in 500,000 ballot positions in the VVSG, which by reference is also a statutory requirement of HAVA Section 301 (42 USC 15481), can be realized.
The EAC cannot claim ignorance of the above omissions and inconsistencies, as they were brought to the attention of the Commission in some of the more than 6,000 public comments on the draft VVSG received during the months leading up to its adoption in December 2005 and prior to that by members of the Institute of Electrical and Electronics Engineers (IEEE) P1583 Voting System Standards Committee, some of whom now serve on the EAC’s Technical Guidelines Development Committee.
Why no action was ever taken to correct these oversights should be thoroughly investigated. Reliability proposals by bona fide experts in the field ranging from 5,000 hours5 to over 50,000 hours6 MTBF were submitted to both the IEEE and the EAC and were apparently summarily dismissed in favor of keeping the status quo of only 163 hours, possibly disenfranchising thousands of voters and raising due process/equal protection arguments that will reverberate through the courts.
It should be noted that jurisdictions holding elections on Direct Recording Electronic (DRE) voting systems are particularly susceptible to the hardware failures allowed by the VVSG since voters are denied access to the electronic ballot when DRE machines fail. Fraud, involving false claims of machine failure, with the goal of taking machines out of service is even a possibility since the standards allow failure rates so high that failures are not at all unusual.
You will likely hear a lot of testimony today about voting system security problems, but the fact is, a failure rate as high as 9.2% per Election Day is the equivalent of a denial of service attack on our entire election system. It doesn’t take a computer scientist to realize that the system failures permitted by these standards can readily have the same effect as sabotage. Frankly, to many in the engineering community, this particular standard is seen as a national disgrace.
At a TGDC meeting on March 29, 2006, Dr. Alan Goldfine of NIST's Information Technology Lab stated the following regarding the lax Reliability standard in a presentation on the 2007 VVSG currently being drafted: "We're not totally sure of the history of this, where the number 163 came from. The feeling - the consensus that we've got - is that it's probably too small a number."7 But there is no hope of correcting this before the 2010 elections at the earliest, unless the 2005 VVSG is amended immediately to require vendors to build and to test to a higher Reliability standard.
Waiting for a 2007 VVSG, which would not take effect until 2009, to finally hold the vendors accountable for producing reliable voting systems is unacceptable. The EAC should immediately adopt a higher Hardware Reliability standard under the guidance of NIST, including more stringent testing requirements to ensure that said standard shall be met by the current generation of voting systems. As Representative Jerrold Nadler (D-NY) asked America on CNN recently, “Do we care less about our voting machines than [we do] about our ATM machines?”8
While voting system standards do have the potential to help solve the problems with our elections, it’s clear that to date they have not. Legislation to require independent verification such as a voter-verified paper audit record or ballot, routine random audits, disclosure of all software and banning of wireless and Internet communications has a much better chance of achieving that goal. Legislation to require standards to actually be met by voting systems vendors under the penalty of federal disqualification would also be helpful as would legislation to remove the current shroud of secrecy from the certification process.
1 Rev. DeForest Soaries, CNN, Lou Dobbs Tonight, July 10, 2006, “[W]hat's wrong with the standards is they are not standards, they are recommendations at best. I'm worried about electronic voting because we've done such inadequate research that we don't know what we don't know.”
2 Election Assistance Commission, 2002 Voting Systems Standards/Guidelines, Volume II, Appendix B.5, Qualification Test Results and Recommendation, "[A]ny uncorrected deficiency that does not involve the loss or corruption of voting data shall not necessarily be cause for rejection. Deficiencies of this type may include failure to fully achieve the levels of performance specified in Volume I, Sections 3 and 4 of the Standards [those are the Hardware and Software Performance specs], or failure to fully implement formal programs for qualify [sic] assurance and configuration management described in Volume I, Sections 7 and 8."
3 Howard Stanislevic, “DRE Reliability: Failure by Design?”, March 15, 2006.
4 John Gideon and Stanislevic, “Voting Systems Batch Test Results – Reliability”, March 15, 2006.
5 Dr. Stanley A. Klein, Public Comments on the 2005 VVSG, Sept. 30, 2005.
6 Alfred DuPlessis, Voting System Reliability Draft to the IEEE, Dec. 2, 2002.
7 NIST, Alan Goldfine and David Flater, “Core Requirements and Testing (CRT) Subcommittee preliminary reports for next VVSG iterations”, TGDC Meeting, March 29, 2006.
8 The Hon. Jerrold Nadler, CNN, Lou Dobbs Tonight, July 11, 2006.
Comment on This Article
You must login to leave comments...
Other Visitors Comments
You must login to see comments...