Position Paper and Directives of

Secretary of State Kevin Shelley Regarding

the Deployment of DRE Voting Systems in California

 

November 21, 2003

 

In February 2003, I formed the Secretary of State’s Ad Hoc Touch Screen Task Force in response to concerns over the security of Direct Recording Electronic (DRE) voting machines – commonly known as touch screen machines – and the issue of whether to require each machine to include a voter verified paper trail. 

The Task Force met numerous times over the next several months and submitted a report for my review.  I commend the members of the Ad Hoc Touch Screen Task Force for the many hours they committed to working through the nuances of this very important issue.  

On July 2, 2003, I posted their report on the Secretary of State’s Office website so that the public would have 30 days to review and comment on the recommendations in the report.  I received over 6,000 comments on this issue from members of the public who wished to express their views on the issue of touch screen security. 

 

At the same time, I sought clarification from the California Attorney General’s Office and the United States Department of Justice on the interpretation of relevant state and federal laws.  While I received guidance from the California Attorney General’s Office’s some time ago, I only received a response from the U.S. Department of Justice last week. 

 

I have reviewed these letters, the Task Force report and considered the public’s comments on these very complex, but important issues. 

 

Voter Verified Paper Audit Trail

 

Among these issues is whether to require a voter verified paper audit trail (“VVPAT”)—a contemporaneous paper record of a ballot printed for the voter to confirm before the voter casts his or her ballot.  This is the most controversial issue of those discussed by the Task Force, and the Task Force members essentially agreed to disagree on the issue.  While three members of the Task Force recommended that counties with DRE systems be mandated to include a VVPAT, the others felt it should not be required, but instead remain an option for counties that wished to purchase machines with a VVPAT, as long as the VVPAT function complied with state and federal laws.

 

Among the thousands of emails and letters I received, many urged me to immediately mandate that all DRE systems in use in California contain a VVPAT.  However, there are currently no certified systems marketed that contain a VVPAT.  While one manufacturer, Avante, had a system federally qualified under the 1990 FEC Voting System Standards, it has modified the system and their new system is currently under review by the federal testing authorities, and is being reviewed under the new 2002 FEC Voting System Standards.

 

On the other hand, I received considerable input from those who were concerned that a VVPAT would deny some individuals with disabilities and others with the right to participate fully in the voting process and might violate federal and state law.  The 2002 FEC Voting System Standards have new provisions ensuring voting access for individuals with disabilities.  In addition, recently enacted laws at the federal (the Help America Vote Act of 2002, P.L. 107-252) and state (AB 2525; Ch. 950, Stats. 2002) levels, have also included access for both disabled and alternative language voters as key concerns to consider in certifying voting systems.

 

Because of the legal questions posed, I requested guidance from the California Attorney General, the U.S. Department of Justice, and the Federal Election Commission[1] as to whether allowing a VVPAT is consistent with the access provisions in federal law, state law and the 2002 FEC Voting System Standards.

 

The U.S. Department of Justice opinion stated that “so long as DRE voting systems provide sight-impaired voters with audio equipment that enables them to verify their ballot before they are cast, we conclude that the provision of a contemporaneous paper record to assist sighted voters in verifying their ballots does not run afoul of HAVA.”[2]  The same opinion letter also states that such an action would not violate ADA.[3]  However, the California Attorney General’s Office has provided my office an opinion that “a requirement of a voter verified paper trail would likely violate one or more provisions [of state and federal law] prescribing equal treatment of sight-impaired voters.”[4] 

 

The California Attorney General’s opinion expressed the view that mandating a VVPAT would “likely violate the access requirements” contained in the Help America Vote Act of 2002, P.L. 107-252)[5] and California Election Code Sections 19225-19227 (adopted pursuant to AB 2525; Ch. 950, Stats. 2002).[6]  And it stated that a VVPAT might also violate the 2002 FEC Voting System Standards Vol. 1, Section 2.2.7.2 and the Americans with Disabilities Act.[7] 

 

After carefully considering the report of the Task Force, comments from the public and the legal opinion of the U.S. Department of Justice and the California Attorney General, I have reached the following conclusions.

 

First, I support including a VVPAT on DREs used in California.  I support a VVPAT not because DRE voting systems are inherently insecure, they are not, but rather because people understandably feel more confident when they can verify that their votes are being recorded as intended.  In addition, a VVPAT provides for an easily understood and implemented method of verifying the accuracy of the electronic tabulation of the votes as part of the Official Canvass 1% recount  (Elections Code section 15360) or other recount (Elections Code section 15600 et seq.).

 

Second, I am a strong supporter of increasing voting access to all Californians, especially those who have disabilities, are illiterate, or who are benefited by having alternative language access.  With the introduction of DRE systems, many of these voters can vote unassisted for the first time, and are finally able to cast a secret ballot that voters without disabilities take for granted.

 

My goal is to balance these interests by maintaining voter confidence in our voting systems and providing for a reliable verification of the accuracy of the electronic tabulation while also ensuring accessibility at the polls for all voters. 

 

Therefore, I am requiring the following:

 

·        Accessible VVPAT Required - As of July 1, 2005, all local jurisdictions purchasing new DRE voting systems may only purchase certified DRE voting systems that contain a VVPAT feature which is fully accessible and allows every voter—including individuals with disabilities and those who benefit from having alternative language access—to vote privately and independently.

 

·        Current Systems Retrofit or Replaced - As of July 1, 2006, DRE systems already in use on that date will have to be replaced or modified to incorporate an accessible VVPAT feature, if they do not already contain one.

 

In the context of a voter verified paper audit trail, accessible means that the information provided on the paper printout from the VVPAT mechanism is provided or conveyed to voters via a non-visual method, such as through an audio component. 

 

I recognize that some persons want me to impose a VVPAT requirement on DREs used in California immediately or sooner than set forth above.  I do not believe that expediting the implementation schedule is feasible and that a transition period is necessary in order to assure the fair and efficient conduct of elections in California.  First, there are currently no voting systems certified in California that comply with the requirements set forth above.  I am committed to following a certification process that assures full compliance with state and federal law and that takes time.  Second, the procurement process followed by local jurisdictions is designed to ensure that the acquisition of new voting systems results in the best deal for the voters and the taxpayers and that also takes time.  Third, the successful introduction of a new voting system requires considerable time to educate elections officials, pollworkers and voters. 

 

I believe that the implementation schedule I have provided for the purchase and use of a fully accessible VVPAT by all DREs in California is realistic.   However, I encourage vendors of voting systems and jurisdictions to include a certified fully accessible VVPAT with respect to DREs used in California prior to the deadlines I have set forth, to the extent they can safely do so.

 

Electronic Verification

 

When I directed the Task Force to examine paper verification and attempt to arrive at a consensus, I was impressed that they tried to look at the issue from other perspectives.  Instead of seeing paper as the only possible solution, the Task Force looked for other ways to approach the verification issue to see if any other solutions are possible to address the confidence and security concerns of touch screen systems.  The consensus recommendation to implement electronic verification is a creative approach to pursue a long-term solution to this issue

 

I am therefore requiring:

 

·        Electronic Verification Required to Assure Accessibility- All DREs must include electronic verification, as described by in the Task Force’s report, in order to assure that the information provided for verification to disabled voters through some form of non-visual method accurately reflects what is recorded by the machine and what is printed on the VVPAT paper record.  Any electronic verification method must have open source code in order to be certified for use in a voting system in California.  The timeline for implementation is the same timeline for implementation of accessible VVPAT.

 

Security

 

I am convinced that the voting systems certified for use in California are secure, and that California’s standards are among (if not) the strongest in the nation, but I recognize that security can always be improved.  Therefore, in order to augment current standards and provide greater assurance to voters, I am adopting all of the consensus recommendations in the Task Force report related to security. 

 

Among these recommendations, are the following:

 

·        Parallel Monitoring – Until VVPAT or electronic verification are perfected and included in California’s voting systems, my office will implement Parallel Monitoring as a way to assure that DREs are recording votes properly.  Parallel Monitoring involves taking a random selection of machines of each model of DRE system out of service on Election Day.  State testers will then input votes on them using a script to simulate a true election. The process will be videotaped so it will be clear how the testers’ votes were cast and this will allow the testers to determine if the votes tabulated match the votes cast.  This will achieve many of the same goals of a VVPAT or electronic verification by assuring that the system is accurately recording votes as they are entered – and will enable us to determine if any system’s software is faulty.   The Voting Systems and Procedures Panel (VSP) is directed to create standards and procedures by January 1, 2004 to fully implement Parallel Monitoring in all DRE jurisdictions for the March 2, 2004 Primary Election. 

 

·        Technical Oversight Committee - I will soon appoint a Technical Oversight Committee comprised of technical experts who can improve current testing and code-review standards, provide expert guidance throughout the certification process, and serve as a panel to review software and hardware issues that might arise.  The panel members will be independent experts in computer science and computer security who have no financial or other conflicts of interest with voting equipment vendors.   This committee will be constituted within 60 days.   

 

·        Strengthening State Testing Requirements - State testing requirements will be strengthened by requiring financial statements from applicants when they apply for certification, and by requiring that all materials submitted by an applicant to the federal Independent Testing Authorities (ITAs) and all materials produced by the ITAs during their qualification testing, including source code and a “threat analysis,” must be received by the state before we will begin state testing of an applicant’s system.  Further, state testers will include a security analysis and a software analysis in the state certification.  The VSP is directed to create new standards and procedures by December 31, 2003 to strengthen state testing requirements in these ways.     

 

·        Random Audits of DRE Software - Software code will be audited in order to ensure that the code approved at the state and federal levels is identical to the code used at the local level.  My office will require that the federal ITAs provide us with the executable code of each system to be tested.  And we will conduct random audits of machines throughout the state to assure that the software code provided by the ITAs is the same code in use on each machine, and that the software has not been altered or tampered with.  Procedures and standards regarding random audits shall also be developed by the VSP by December 31, 2003.

 

·        Internal Manufacturer Security - Voting is the bedrock of our democracy, and we must be guaranteed that those who develop our systems are doing so with the highest regard for the security of the systems.  Therefore, my office will establish strict internal security standards that voting machine manufacturers must comply with in order to obtain certification of their systems in California.  Among these will be the requirement of manufacturers to conduct background checks of programmers and developers before theycan work on election system software. I will also prohibit voting system manufacturers from altering object code without retesting and re-certification, require them to document a clear chain of custody for the handling of software, and introduce legislation to impose civil liability and stiff criminal penalties if any malicious software code is found before, during, or after certification, regardless of whether the malicious code actually interferes with an election or not.   The new internal security standards will also be developed by December 31, 2003, and I will seek passage of the legislation in 2004.

 

·        Local Testing  - I am also strengthening local testing procedures by requiring that only local elections officials, not a voting system manufacturer or their representative, can conduct pre-election Logic & Accuracy tests of a system.  My staff and I will work with county elections officials to ensure that systems are never connected to the Internet, and are on an isolated network during voting, in order to prevent anyone from intruding on the system.   

 

·        Federal Standards - Finally, I am urging the federal government to improve its testing procedures and standards in accordance with the numerous recommendations made by the Task Force. 

 

In addition, a recent report by Science Applications International Corporation (SAIC) for the State of Maryland’s Department of Budget and Management, Office of Information Technology analyzed the Diebold system currently in use in two California counties.  Based on a review of the report by my office’s independent voting systems expert, I am urging several additional steps beyond what the Task Force has recommended:

 

·        Training on Access Cards - As part of poll worker training, poll workers in counties using DRE systems with voter access cards must be trained to be alert for the type of activity indicating someone is potentially tampering with the access cards, and know how to respond. 

 

·        Local Procedures  - Local election procedures will be reviewed to ensure that appropriate procedures are in place should a voting system device stop or fail before polls close or the election count is completed for that device.  This is already done for initial certification of systems, but it will also be considered in reviewing new procedures or updates. 

 

Printing a Paper Record after the Polls Close

 

I have always believed that a permanent paper record of the vote is necessary to produce, and one should be printed up at the end of the Election Day.  When I co-authored Proposition 41, I intended for a paper record to be produced by local election officials.  Unfortunately, this law has been interpreted otherwise.  However, the recommendation of the Task Force makes Proposition 41 conform to its legislative intent, and require a paper audit trail be printed for each election soon after the polls close.   This will not be necessary for systems with a VVPAT, since the VVPAT would serve as the permanent paper record of the vote. 

 

Therefore I am requiring:

         

·        Paper Record Required – As of January 1, 2004, all DRE systems to print out a permanent paper record of the ballots cast at the close of the polls unless the system contains a fully accessible VVPAT.

 

With regard to the status of the paper record, on all DRE systems, the electronic vote will be the legally valid vote unless there is some sort of discrepancy between it and the permanent paper record.   The paper record, whether voter verified or not, would be used for the 1% manual recount mandated by California law.  Then, if there were a full recount or a challenge, there would be a 100% recount of the paper record.  For the 1% manual recount and a full recount, the paper record should be presumed to be more reliable than the electronic vote unless there is evidence it has been corrupted or is incomplete.  This would be true of any paper audit record produced, whether voter verified or not.

 

 

Next Steps

 

I have informed the local elections officials, the voting machine manufacturers, and the state’s Voting Systems and Procedures Panel of these positions, and directed them to achieve quick and successful implementation of these plans.  I have also directed my staff to begin working to implement many of these new procedures and requirements.

 

In addition, I am urging federal government officials to adopt the Task Force’s recommendations on improving the testing and qualification procedures at the federal level and to invest the $20 million that Congress has allocated for research into voting systems into the development of electronic verification and fully accessible voter verification technology.  

 

I want to thank all the members of the Task Force for their time and effort in putting together their report, which has led to much debate and discussion on this important issue.   Their work will help ensure greater security and confidence in our state’s voting systems.

 

 

 

_____________________________

KEVIN SHELLEY
Secretary of State