Statement of Lawrence Norden Before the House Administration Committee at a Hearing on Voting Machin

July 19, 2006

 Download Testimony

Committee on House
Administration and Committee on Science

Joint Hearing on
Voting Machines:

Will New Standards
and Guidelines Prevent Future Problems?

Statement of

LAWRENCE NORDEN

Chair, Task Force on
Voting System Security

Brennan Center for Justice at NYU School
of Law

July 19, 2006

The Brennan Center
thanks the Committees on House Administration and Science for holding this
joint hearing.  We especially thank
Chairman Ehlers for his leadership in taking steps to ensure that our elections
are as fair and secure as possible.

The
Voluntary Voting System Guidelines ("VVSG") considered at the joint hearing today
can, and should, be a cornerstone in the shared federal and state effort to
ensure elections that are secure, accurate and accessible.  However, in their current form, the VVSG fail
to achieve that goal.  After summarizing
the recently completed work of the Brennan Center Task Force on Voting System
Security (the "Brennan Center Security Task Force"), I will review the very
serious gaps in the security, usability and accessibility of current systems
that have gone unaddressed in the VVSG. 
Until these looming problems are confronted and remedied, the machinery
of American elections will remain a legitimate concern for all of us who care
about the health of our democracy.

I.     
Report of the Brennan Center
Task Force:  The Machinery of Democracy: Protecting Elections in an Electronic World

Over the past year-and-a-half, the Brennan
Center has worked with leading
technologists, election experts, security professionals, and usability and
accessibility experts to review the current state of voting systems in the United States.  Three weeks ago, we released the first study
from this collaboration, The Machinery of
Democracy: Protecting Elections in an Electronic World
(the "Brennan Center
Security Report")[1]  In the coming weeks, we will be releasing
comprehensive reports on the usability and accessibility of voting systems.

The Brennan Center Security Report was a summary of the
nation's first systematic analysis of security vulnerabilities in the three
most commonly purchased electronic voting systems.  This threat analysis was conducted by the
Brennan Center Task Force[2]
and revealed that all three voting systems have significant security and
reliability vulnerabilities; the most troubling vulnerabilities of each system
cannot be substantially remedied; and few jurisdictions have implemented any of
the key security measures that could make the least difficult attacks against
voting systems substantially more secure.[3]

The Task Force surveyed hundreds of election officials
around the country; categorized over 120 security threats; and evaluated
countermeasures for repelling attacks.  The
report of the Task Force concluded:

  • All of the most commonly purchased electronic voting
    systems have significant security and reliability vulnerabilities.
    All three systems are equally
    vulnerable to an attack involving the insertion of corrupt software or
    other software attack programs designed to take over a voting machine.
  • Automatic audits, done randomly and transparently,
    are necessary if paper records are to enhance security. 
    The report called into doubt basic assumptions of
    many election officials by finding that using voter-verified paper records
    without requiring automatic audits -- as is done in twenty-four states --
    is of "questionable security value." 
  • Wireless components on voting machines are
    particularly vulnerable to attack.
      The report
    finds that machines with wireless components could be attacked by "virtually
    any member of the public with some knowledge of software and a simple
    device with wireless capabilities, such as a PDA."
  • The vast majority of states have not implemented
    election procedures or countermeasures to detect a software attack
    even though the most
    troubling vulnerabilities of each system can be substantially remedied.

Among the countermeasures advocated by the Task Force are
routine audits comparing voter verified paper trails to the electronic record;
and bans on wireless components in voting machines.  Currently only New York
and Minnesota ban wireless components on all
machines; California
bans wireless components only on DRE machines. 
The Task Force also advocated the use of "parallel testing": random,
Election Day testing of machines under real world conditions.  Parallel testing holds its greatest value for
detecting software attacks in jurisdictions with paperless electronic machines,
since, with those systems, meaningful audits of voter-verified paper records
are not an option. 

II.     
Scientific Threat Analyses Should be
the Basis for Guidelines on Security and Reliability

The threat analysis performed by the Brennan Center Task
Force on Voting Security involved (a) identifying and categorizing potential
threats to voting systems, (b) prioritizing these threats based on level of
difficulty, and (c) determining how much more difficult each of the catalogued
attacks would become after various sets of security measures were implemented.[4] 

To our knowledge, neither the Election Assistance Commission
(the "EAC"), nor state election officials have undertaken similar comprehensive
analyses before adopting voting system security and reliability
guidelines.  The Brennan Center Security Report shows that unless the EAC and the States
commission such studies and use them to establish security guidelines for each
VVSG-certified system, voting system security measures are likely to continue
to fail to address important security and reliability concerns.

The Brennan Center Security Report and threat analysis demonstrate
that merely assuming machines are programmed and configured correctly, without some independent form of
verification such as a voter-verified paper record, is a significant security and
reliability risk.
  Ultimately, if we
are to have confidence in the accuracy of our voting systems, all voting
machines must have some form of independent dual verification, in which the
verification is audited against the official record.

III.     
Usability Testing Is the Key to
Ensuring that Voter Intention Is Accurately Recorded

The performance of a voting system is measured in
significant part by its success in allowing a voter to cast a valid ballot that
accurately reflect her intended selections without undue delays or
burdens.  This system quality is known as
"usability."[5]  Following several high profile controversies
in the last few elections - including, most notoriously, the 2000 controversy
over the "butterfly ballot" in Palm
Beach County, Florida
-- voting system usability is a subject of utmost concern to voters and election
officials.

The current VVSG requires that the "voting process shall
provide a high level of usability for voters."[6]  It includes many valuable guidelines for
vendors and election officials. Unfortunately, it does not require the kind of
usability testing by users and experts that is necessary to ensure that voter
intentions are recorded as accurately as possible.  To date, only a few studies have compared
different ballots directly or definitively determined what makes one form of ballot
more usable than another - i.e., less
prone to producing errors, more efficient, and more confidence-inspiring.[7]  Without such information, it is impossible to
create systems and procedures that will reduce voter error.

As it contemplates future drafts of the VVSG, the Brennan Center strongly urges the EAC to
commission further study of usability issues, such as "incidental under-voting,
over-voting, or any other inaccuracies that are products of the human/system
interaction."[8]  Moreover, regardless of the voting system
used, election officials should conduct usability testing in their local
communities on proposed ballots before
finalizing their design.

IV.     
Assessments of System
Accessibility Must Include Full
Range of Disabilities and
Entirety of Voting Process

Traditionally,
many voters with disabilities have been unable to cast their ballots without
assistance from personal aides or poll workers. 
Those voters do not possess the range of visual, motor, and cognitive
facilities typically required to operate common voting systems.

The Help America Vote Act of 2002
("HAVA") took a step forward in addressing this longstanding inequity.  According to HAVA, new voting systems must
allow voters with disabilities to complete and cast their ballots "in a manner
that provides the same opportunity for access and participation (including
privacy and independence) as for other voters."[9]  For voting systems to become truly accessible
to all voters, members of disabled populations should be included in empirical
research to ensure that vendors have satisfied VVSG requirements.[10]  In particular, assessments of such systems should:

  • Examine each
    step a voter must perform, starting with ballot marking and ending with
    ballot submission.
      Systems that may provide
    enhanced accessibility features at one stage of the voting process may be
    inaccessible to the same voters at another stage in that process.
  • Take
    into account a full range of disabilities and ensure that accessible
    features are fully usable by people with disabilities
    .  When selecting participants for system
    tests, officials should include people with sensory disabilities (e.g., vision and hearing
    impairments), people with physical disabilities (e.g., spinal cord injuries and coordination difficulties), and
    people with cognitive disabilities (e.g.,
    learning disabilities and developmental disabilities).  Given the rising number of older voters,
    officials should take pains to include older voters in their participant
    sample.  Ensuring that the entire
    process is as easy to use as possible for voters with disabilities is the
    only way of creating real accessibility.
  • Use full
    ballots that reflect the complexity of a real election
    .  A simplified ballot with only a few
    races or candidates may produce misleading results. 

V.     
Conclusion

The VVSG is a piece of a larger
effort occurring on many fronts to improve the machinery of our elections.  Given the leadership responsibilities of the
EAC, the VVSG must set a high standard. 
The guidelines should be informed by the scientific testing methods used
successfully to assess the risks of other widely-deployed technologies; and by
the real-world experiences of the voting populations likely to be thwarted by
voting systems that fall short on accessibility and usability.

Refinements to the VVSG that I've
recommended would, if adopted, move us several steps closer to the goal of fair,
accessible and secure elections.


[1] Lawrence Norden et al., The
Machinery of Democracy: Protecting Elections in an Electronic World (Brennan Center for Justice ed., 2006), available at
http://www.brennancenter.org/programs/downloads/SecurityFull7-3Reduced.pdf.

[2] For a
complete list of the Task Force Members, see The
Machinery of Democracy at i.

[3] Id.
at 3.

[4] Id.
at 8.

[5] Although there is no firm
consensus on precise benchmarks to measure the usability of voting systems,
academics and industry researchers have developed design guidelines in other
areas, most importantly in web-browser design, that can increase usability. See Sanjay J. Koyanl et al., U.S. Dept of Health and Human
Resources, Research-Based Web
Design and Usability Guidelines
(Sept. 2003), available at http://usability.gov/pdfs/guidelines_book.pdf.

[6] Election Assistance Commission, Voluntary Voting System Guidelines,
Volume I Version 1.0 at § 3.1 (2005), available
at
http://www.eac.gov/VVSG%20Volume_I.pdf, [hereinafter EAC VVSG].

[7] See Jonathan Goler, Ted Selker, and Lorin Wilde, Augmenting Voting Interfaces to Improve
Accessibility and Performance
(2006), available
at
http://vote.caltech.edu/reports/chi-abstract-golerselker.pdf;
Ted Selker, Matt Hockenberry, Jonathan Goler, and Shawn Sullivan, Orienting Graphical User Interfaces Reduces
Errors: the Low Error Voting Machine
, available
at
http://vote.caltech.edu/media/documents/wps/vtp_wp23.pdf

[8] Accurate, Public Comment on the 2005 Voluntary Voting System Guidelines at 26
(Sept. 30, 2005),
available at
http://accurate-voting.org/accurate/docs/2005_wsg_comment.pdf.

[9] Help America Vote
Act 42 U.S.C. § 15481(a)(3)(A) (2002).

[10] See also Accurate Public Comment at 29.