Public Opinion's Influence on Voting System Technology

http://www.computer.org/computer/homepage/0305/standards/

Public Opinion's Influence on Voting System Technology
Herb Deutsch, IEEE P1583 Committee

The US general election in 2000 represents a turning point in elections history. A laborious count and analysis of what was statistically a tie vote in Florida decided the highly scrutinized contest for US president. Simultaneously, voting system standards continued evolving, spurred in part by the introduction of new, high-power technologies. These factors, coupled with an unprecedented level of public scrutiny, changed nearly all aspects of the election process.

With its recounts, interpretation of voter intent, and presumed problems related to punch-card voting, the 2000 presidential vote triggered the passage of the Help America Vote Act (HAVA) and the massive trend toward direct recording electronic voting systems (DREs). The election process, which had always been taken for granted, now faced intense scrutiny from the media, computer scientists, conspiracy theorists, advocacy groups, and the general public.
FEC STANDARDS

In the months prior to the 2002 election, the US Federal Election Commission approved new voting system standards designed to ensure that election equipment certified for purchase by participating states would be accurate, reliable, and dependable. Adoption of the FEC 2002 standards started a domino effect that changed election equipment certifications across the US. The 2002 standards, like the previous voting systems standards set in 1990, cover the election process from end to end. The standards encompass

* front-end software, including administrative databases, election specific definitions, ballot layouts, and tabulator setups;
* tabulators and their hardware and firmware, including both central-count and precinct-count versions of punch-card and mark-sense optical scan systems as well as DREs; and
* the back-end software for results accumulation and reporting.

The 2002 standards expanded on requirements for the front- and back-end portions of the overall election system and described in more detail usability features that DREs must provide. But two other changes have had the greatest impact on voting system vendors. The FEC 2002 standards require that an entire end-to-end system receive one overall certification. With previous standards, each subsystem could be tested and certified separately. In addition, the 2002 standards made all indicated software source code structure requirements mandatory; previous standards listed them as advisory.
State variations

In the 1990s, most states only certified tabulators, and most only required certification for newly introduced machines. Hardware and firmware versions were not usually recorded, and upgrades did not require certification. Some states did record new versions, but most only required notification of the update's improvements. Others also required certification of accumulation and reporting systems, and a rare few required a full system certification and recorded all subsystem versions.

This variation among state requirements, even those mandating qualification to the 1990 standards by an independent testing authority (ITA) as a prerequisite to state certification, dovetailed with the 1990-standards approach since each subsystem and tabulator was independently tested and approved.

When the 2002 standards was adopted in states that previously had only certified tabulators and subsystems, units and systems needing to be upgraded had difficulty complying with the system certification approach. Many officials in these states did not understand the requirements for receiving a certification number from the National Association of State Election Directors, which only added to the problem.

For a system to receive a NASED number identifying it as 2002 compliant, every subsystem had to be 2002 compliant. Officials had believed that 2002 "shingles" could be issued to tabulators alone. In many states, this whole-system certification requirement prevented upgrades to previously certified systems.
Implications

Virtually all the main election system vendors had systems deployed that were tested and certified to meet the 1990 standards. Although the source code in these systems had passed inspection, many systems did not meet all the format requirements that became mandatory when the 2002 standards went into effect.

Under the 1990 standards, systems were required to have correct functional structure, but the documentation conditions were advisory. In most instances, making the source code comply with the 2002 standards required a total rewrite. Doing so risked the loss of working functions without any end-user benefit.

In addition, the 2002 standards set new usability requirements on the interface the DREs present to voters who have vision limitations less severe than complete blindness. These related to screen display colors, contrast, and text size—also known as the zoom requirement.

Systems certified to meet the 1990 standards did not have this capability, which made incorporating these features nontrivial. Further, the 2002 standards did not clearly describe whether a voter must be allowed to select a color and change the contrast or whether text sizes had to be continuously adjustable.
TECHNOLOGY AND PERCEPTION

Voting machines of earlier design—both paper-based tabulators and DREs—use far less capable computer microprocessors than those available today, and they only support minimal memory capacity. For example, the commonly-used Zilog Z80 microprocessor has a memory limit of 64 Kbytes. These units have no operating system and use small firmware written in assembly language.

The limitations of the microprocessors and programs used in these machines made many of today's security concerns—viruses, surreptitious code, routines to subvert a percentage of votes from one candidate to another—inconceivable.

With the advance of the PC and Intel-based microprocessors from the original 8086 to the Pentium 4, available program memory increased beyond the largest industrial mass storage systems of the 1980s and 1990s. The use of these microprocessors in modern voting machines created the perception that voting machines could be susceptible to attack.

The average person's experiences with viruses, worms, program crashes, file corruption, frequent forced reboots, and even ease of program downloads have reinforced the opinion that voting machines must harbor the same vulnerabilities. That many voting machines use Microsoft Windows and other OSs people run on their home PCs also fed this perception.

Because DREs did not produce physical ballots for human review and all audits of DRE performance were electronic, these systems are especially suspect. Many believed that because vendors pay testing authorities and because the proprietary program source code is unavailable for public inspection, ITA testing and certification could not be trusted.

When a surreptitiously acquired copy of Diebold's DRE source code was found to be flawed in function and to contain many security risks, some concluded that DREs in general could not be trusted and required a paper trail to make them usable.

In the wake of the Diebold source code exposure and other occurrences, many states that previously had not done so chose to adopt the FEC standards and the ITA process. Other states that had only certified tabulators now required that the full system be certified and the version identification of the approved components recorded. States that accepted the NASED approval now used that as a prerequisite to certification and added their own testing to the approval process.

In addition, states that had previously certified DREs chose to add a mandatory voter-verified paper audit trail (VVPAT) to the DRE certification requirement. Some even required that this paper trail be electronically readable.

Finally, public scrutiny on all aspects of elections caused many states to start performing full audits. These audits covered all installed voting equipment and software versions without regard to the process by which the installed equipment was certified.

As the election climate changed, interpretations of the FEC 2002 standards became more stringent. At the same time, new state certification rules prevented vendors from providing upgrades that would correct bugs and provide enhancements to existing systems. Yet these enhanced systems were built from the same source code as the previously certified systems and had the same overall characteristics in all other aspects. To vendors, certifications went from a tangential effort to a main development focus.
IEEE P1583 STANDARDS

Although the FEC 2002 standards were hailed as an improvement over the 1990 document, many still criticize the 2002 requirements as inadequate. In the fall of 2001, in reaction to the 2000 US election, the IEEE P1583 Voting System Standards committee was formed. Over time, the P1583 committee began to build upon the FEC 2002 standards, expanding on usability and security, considered the weakest areas in the FEC 2002 standards. Not as extensive as the FEC 2002 standards, P1583's scope encompassed only the voting equipment used in polling places—mainly DREs.

Spurred by increased public scrutiny of voting, others joined the committee, presenting new opinions and challenges. The committee began to confront issues such as how to treat COTS hardware and software and handle VVPATs, what constitutes a secure DRE system, whether to permit the use of wireless technology in voting systems, and how to handle the new accessible ballot-printing voting devices that do not tabulate.

Unless a vendor modified the code, the FEC 2002 standards essentially exempted COTS from evaluation other than as part of the system's functional testing. However, one group within the P1583 committee viewed COTS components—and especially their exemption from source code analysis—as the biggest security risk for voting systems. Some believed that a VVPAT should be required for any DRE, while others felt that it was a disadvantage in terms of cost, usability, and reliability.

The committee's compromise was to include VVPAT specifications as an option and, because its requirement is a matter of policy, to support states that require them as well as ones that don't.

Similarly, some within the committee perceived wireless connectivity as a major security risk. But some systems currently use wireless technologies for unofficial results transmission after the polls close. After considering all these issues, the P1583 committee will make a new version of the draft available for committee ballot and approval.

HAVA led to the creation of the Election Assistance Commission and mandated that this group, in conjunction with NIST, should create new voting system standards by July 2005. The EAC's newly established Technical Guidelines Development Committee has a very short timetable within which to create recommendations for the new standards. Members of the P1583 committee hope that, after the three-year effort, the NIST and EAC will adopt the standard. Meanwhile, the vendor community is scrambling to upgrade their systems to comply with the FEC 2002 standards while providing enhancements to DREs that will meet some new state-specific VVPAT requirements.

Even with new standards, persistent concerns may prevent DREs from becoming the preferred voting systems throughout the US. For example, HAVA requires that every polling place have voting units for the visually handicapped and that voters be protected from incorrect vote selections either by notification or prevention. Modern DREs satisfy both of these requirements but may still be seen as undesirable due to security and confidence issues.

Many now view systems without VVPATs as security deficient. But the growing requirement for VVPATs imposes administrative, reliability, and secrecy limitations. Using VVPATs might cause some of the new accessible ballot-printing voting devices, combined with paper-ballot tabulators, to become the systems of choice.

By the 2006 elections, HAVA should be in full effect. Compliance with the new certification requirements might be so costly then that it might hinder DRE use nationwide. Technology, certification, and public opinion will decide the preferred election systems for US voters.

Herb Deutsch is a software product manager at Election Systems & Software. He is a member of the IEEE and the IEEE Standards Association and chair of the P1583 committee. Contact him at hdeutsch@ieee.org.
March cover image From the March 2005 issue of Computer.