Committee on House Administration and Committee on Science
Joint Hearing on Voting Machines:
Will New Standards and Guidelines Prevent Future Problems?
Statement of
LAWRENCE NORDEN
Chair, Task Force on Voting System Security
Brennan Center for Justice at NYU School of Law
July 19, 2006
The Brennan Center thanks the Committees on House Administration and Science for holding this joint hearing. We especially thank Chairman Ehlers for his leadership in taking steps to ensure that our elections are as fair and secure as possible.
The Voluntary Voting System Guidelines (“VVSG”) considered at the joint hearing today can, and should, be a cornerstone in the shared federal and state effort to ensure elections that are secure, accurate and accessible. However, in their current form, the VVSG fail to achieve that goal. After summarizing the recently completed work of the Brennan Center Task Force on Voting System Security (the “Brennan Center Security Task Force”), I will review the very serious gaps in the security, usability and accessibility of current systems that have gone unaddressed in the VVSG. Until these looming problems are confronted and remedied, the machinery of American elections will remain a legitimate concern for all of us who care about the health of our democracy.
I. Report of the Brennan Center Task Force: The Machinery of Democracy: Protecting Elections in an Electronic World
Over the past year-and-a-half, the Brennan Center has worked with leading technologists, election experts, security professionals, and usability and accessibility experts to review the current state of voting systems in the United States. Three weeks ago, we released the first study from this collaboration, The Machinery of Democracy: Protecting Elections in an Electronic World (the “Brennan Center Security Report”)[1] In the coming weeks, we will be releasing comprehensive reports on the usability and accessibility of voting systems.
The Brennan Center Security Report was a summary of the nation’s first systematic analysis of security vulnerabilities in the three most commonly purchased electronic voting systems. This threat analysis was conducted by the Brennan Center Task Force[2] and revealed that all three voting systems have significant security and reliability vulnerabilities; the most troubling vulnerabilities of each system cannot be substantially remedied; and few jurisdictions have implemented any of the key security measures that could make the least difficult attacks against voting systems substantially more secure.[3]
The Task Force surveyed hundreds of election officials around the country; categorized over 120 security threats; and evaluated countermeasures for repelling attacks. The report of the Task Force concluded:
- All of the most commonly purchased electronic voting systems have significant security and reliability vulnerabilities. All three systems are equally vulnerable to an attack involving the insertion of corrupt software or other software attack programs designed to take over a voting machine.
- Automatic audits, done randomly and transparently, are necessary if paper records are to enhance security. The report called into doubt basic assumptions of many election officials by finding that using voter-verified paper records without requiring automatic audits—as is done in twenty-four states— is of “questionable security value.”
- Wireless components on voting machines are particularly vulnerable to attack. The report finds that machines with wireless components could be attacked by “virtually any member of the public with some knowledge of software and a simple device with wireless capabilities, such as a PDA.”
- The vast majority of states have not implemented election procedures or countermeasures to detect a software attack even though the most troubling vulnerabilities of each system can be substantially remedied.
Among the countermeasures advocated by the Task Force are routine audits comparing voter verified paper trails to the electronic record; and bans on wireless components in voting machines. Currently only New York and Minnesota ban wireless components on all machines; California bans wireless components only on DRE machines. The Task Force also advocated the use of “parallel testing”: random, Election Day testing of machines under real world conditions. Parallel testing holds its greatest value for detecting software attacks in jurisdictions with paperless electronic machines, since, with those systems, meaningful audits of voter-verified paper records are not an option.
II. Scientific Threat Analyses Should be the Basis for Guidelines on Security and Reliability
The threat analysis performed by the Brennan Center Task Force on Voting Security involved (a) identifying and categorizing potential threats to voting systems, (b) prioritizing these threats based on level of difficulty, and (c) determining how much more difficult each of the catalogued attacks would become after various sets of security measures were implemented.[4]
To our knowledge, neither the Election Assistance Commission (the “EAC”), nor state election officials have undertaken similar comprehensive analyses before adopting voting system security and reliability guidelines. The Brennan Center Security Report shows that unless the EAC and the States commission such studies and use them to establish security guidelines for each VVSG-certified system, voting system security measures are likely to continue to fail to address important security and reliability concerns.
The Brennan Center Security Report and threat analysis demonstrate that merely assuming machines are programmed and configured correctly, without some independent form of verification such as a voter-verified paper record, is a significant security and reliability risk. Ultimately, if we are to have confidence in the accuracy of our voting systems, all voting machines must have some form of independent dual verification, in which the verification is audited against the official record.
III. Usability Testing Is the Key to Ensuring that Voter Intention Is Accurately Recorded
The performance of a voting system is measured in significant part by its success in allowing a voter to cast a valid ballot that accurately reflect her intended selections without undue delays or burdens. This system quality is known as “usability.”[5] Following several high profile controversies in the last few elections – including, most notoriously, the 2000 controversy over the “butterfly ballot” in Palm Beach County, Florida —voting system usability is a subject of utmost concern to voters and election officials.
The current VVSG requires that the “voting process shall provide a high level of usability for voters.”[6] It includes many valuable guidelines for vendors and election officials. Unfortunately, it does not require the kind of usability testing by users and experts that is necessary to ensure that voter intentions are recorded as accurately as possible. To date, only a few studies have compared different ballots directly or definitively determined what makes one form of ballot more usable than another – i.e., less prone to producing errors, more efficient, and more confidence-inspiring.[7] Without such information, it is impossible to create systems and procedures that will reduce voter error.
As it contemplates future drafts of the VVSG, the Brennan Center strongly urges the EAC to commission further study of usability issues, such as “incidental under-voting, over-voting, or any other inaccuracies that are products of the human/system interaction.”[8] Moreover, regardless of the voting system used, election officials should conduct usability testing in their local communities on proposed ballots before finalizing their design.
IV. Assessments of System Accessibility Must Include Full Range of Disabilities and Entirety of Voting Process
Traditionally, many voters with disabilities have been unable to cast their ballots without assistance from personal aides or poll workers. Those voters do not possess the range of visual, motor, and cognitive facilities typically required to operate common voting systems.
The Help America Vote Act of 2002 (“HAVA”) took a step forward in addressing this longstanding inequity. According to HAVA, new voting systems must allow voters with disabilities to complete and cast their ballots “in a manner that provides the same opportunity for access and participation (including privacy and independence) as for other voters.”[9] For voting systems to become truly accessible to all voters, members of disabled populations should be included in empirical research to ensure that vendors have satisfied VVSG requirements.[10] In particular, assessments of such systems should:
- Examine each step a voter must perform, starting with ballot marking and ending with ballot submission. Systems that may provide enhanced accessibility features at one stage of the voting process may be inaccessible to the same voters at another stage in that process.
- Take into account a full range of disabilities and ensure that accessible features are fully usable by people with disabilities. When selecting participants for system tests, officials should include people with sensory disabilities (e.g., vision and hearing impairments), people with physical disabilities (e.g., spinal cord injuries and coordination difficulties), and people with cognitive disabilities (e.g., learning disabilities and developmental disabilities). Given the rising number of older voters, officials should take pains to include older voters in their participant sample. Ensuring that the entire process is as easy to use as possible for voters with disabilities is the only way of creating real accessibility.
- Use full ballots that reflect the complexity of a real election. A simplified ballot with only a few races or candidates may produce misleading results.
V. Conclusion
The VVSG is a piece of a larger effort occurring on many fronts to improve the machinery of our elections. Given the leadership responsibilities of the EAC, the VVSG must set a high standard. The guidelines should be informed by the scientific testing methods used successfully to assess the risks of other widely-deployed technologies; and by the real-world experiences of the voting populations likely to be thwarted by voting systems that fall short on accessibility and usability.
Refinements to the VVSG that I’ve recommended would, if adopted, move us several steps closer to the goal of fair, accessible and secure elections.
[1] Lawrence Norden et al., The Machinery of Democracy: Protecting Elections in an Electronic World (Brennan Center for Justice ed., 2006), available at http://www.brennancenter.org/programs/downloads/SecurityFull7–3Reduced.pdf.
[2] For a complete list of the Task Force Members, see The Machinery of Democracy at i.
[3] Id. at 3.
[4] Id. at 8.
[5] Although there is no firm consensus on precise benchmarks to measure the usability of voting systems, academics and industry researchers have developed design guidelines in other areas, most importantly in web-browser design, that can increase usability. See Sanjay J. Koyanl et al., U.S. Dept of Health and Human Resources, Research-Based Web Design and Usability Guidelines (Sept. 2003), available at http://usability.gov/pdfs/guidelines_book.pdf.
[6] Election Assistance Commission, Voluntary Voting System Guidelines, Volume I Version 1.0 at § 3.1 (2005), available at http://www.eac.gov/VVSG%20Volume_I.pdf, [hereinafter EAC VVSG].
[7] See Jonathan Goler, Ted Selker, and Lorin Wilde, Augmenting Voting Interfaces to Improve Accessibility and Performance (2006), available at http://vote.caltech.edu/reports/chi-abstract-golerselker.pdf; Ted Selker, Matt Hockenberry, Jonathan Goler, and Shawn Sullivan, Orienting Graphical User Interfaces Reduces Errors: the Low Error Voting Machine, available at http://vote.caltech.edu/media/documents/wps/vtp_wp23.pdf
[8] Accurate, Public Comment on the 2005 Voluntary Voting System Guidelines at 26 (Sept. 30, 2005), available at http://accurate-voting.org/accurate/docs/2005_wsg_comment.pdf.
[9] Help America Vote Act 42 U.S.C. § 15481(a)(3)(A) (2002).
[10] See also Accurate Public Comment at 29.