September 26, 2018

Paper Trail Standard Advances

On Tuesday, the Technical Guidelines Development Committee (TGDC), the group drafting the next-generation Federal voting-machine standards, voted unanimously to have the standards require that new voting machines be software-independent, which in practice requires them to have some kind of paper trail.

(Officially, TGDC is drafting “guidelines”, but the states generally require compliance with the guidelines, so they are de facto standards. For brevity, I’ll call them standards.)

The first attempt to pass such a requirement failed on Monday, on a 6-6 vote; but a modified version passed unanimously on Tuesday. The most interesting modification was an exception for existing machines: new machines will have to be software-independent but already existing machines won’t. There’s no scientific or security rationale for treating new and old machines differently, so this is clearly a political compromise designed to lower the cost of compliance by sacrificing some security.

If you believe, as almost all computer scientists do, that paper trails are necessary today for security, you’ll be happy to see the requirement for new machines, but disappointed that existing paperless voting machines will be allowed to persist.

Whether you see the glass as half full or half empty depends on whether you see the quest for paper trails as mainly legal or mainly political, that is, whether you look to courts or legislatures for progress.

In court, the exception for existing machines will be strong, assuming it’s written clearly into the standard. It will be hard to get rid of the old machines by filing lawsuits, or at least the new standards won’t be useful in court. If anything, the new standards may be seen as ratifying the decision to stick with old, insecure machines.

In legislatures, on the other hand, the standard will be an official ratification of the fact that paper trails are preferable. The latest, greatest technology will use paper trails, and paperless designs will look old-fashioned. The exception for old machines will look like a money-saving compromise, and few legislators will want to be seen as risking democracy to save money.

As for me, I see legislatures more than courts, and politics more than lawyering, as driving the trend toward paper trails. Thirty-five states either have a paper trail statewide or require one to be adopted by 2008. The glass is already 70% full, and the new standards will help fill it the rest of the way.

Comments

  1. At the end of the day, the question is whether states will require compliance with the newest standards or not. I don’t believe any states are yet requiring compliance to the 2005 VVSG standards.

  2. Govt Skeptic says:

    IANAL, so I’m genuinely looking for a Constitutional law answer to this:
    How does the new/old machine requirement discrepancy fit with the 14th amendment’s equal protection clause? It seems to me that any state application of this recommendation that fails to mandate the upgrading of non-paper-trail machines to paper-trail machines would likely violate EP. This would be especially true if there were fewer paper-trail machines in poorer districts. Of course, the state’s action would have to be challenged in court, but presumably the courts would apply the “strict scrutiny test”, as voting is without a doubt a fundamental right.
    If I were a man who mixed metaphors, I’d say that the TGDC just set the ball rolling, but passed the buck to the courts.

  3. Prof. Felten, the addition was really more of a clarification than any substantive change. The point of the addition was to clarify that the 2007 VVSG can’t possibly be a vehicle for affecting systems certified under 2005 VVSG. That’s clearly spelled out in the NIST SI paper. Those systems will remain certified under the 2005 VVSG… unless changes are made to them that require recertification past the start day for 2007 VVSG certifications. The nature of the VVSG being voluntary, it is up to states to say that their voting systems must be certified to the standard currently in effect.

  4. Re: 14th amendment. As I see it (but IANAL either)
    The standard is not that everyone have the same technique but that everyone have the same opportunity to vote. Thus you would have to prove that paperless machines actually deprive you of your right to have your vote counted. Since paper trails only provide a record of your ballot choices but no definitive record that the vote was actually tabulated, it’s hard to see that voters on paper-equipped machines are more “equal” than voters on paperless machines.

    Further, it’s hard to see the courts dictating what machines states have to buy, in the absence of overwhelming evidence that their machines are unreliable.

  5. Ned Ulbricht says:

    Since paper trails only provide a record of your ballot choices but no definitive record that the vote was actually tabulated, it’s hard to see that voters on paper-equipped machines are more “equal” than voters on paperless machines.

    Richard,

    That’s a clever argument.

    Boiled down, you’re saying that there’s no problem with an inherently defective subsystem design along the critical path, because the failure of a subsystem farther down the line may cause a fault in the higher-level system.

    But given a (semi-)durable(*) ballot, stored under tamper-resistant conditions, a tabulating-system failure can be detected and recovered from.

    So while your argument may be very clever, there’s also just a little whiff of skunk emanating from it, too.

    (*) (semi-)durable: If “durable” data storage lasts for about a century or so, then we obviously don’t need “durable” ballots.

  6. Anonymous says:

    A clarification: The substantive difference between the two resolutions was less than it might at first appear. The only authority the TGDC has is to draft the 2007 VVSG. The 2007 VVSG will likely only affect new voting systems that are submitted for certification after 2010 or so. The TGDC does not have the power to decertify existing, deployed systems.

    Therefore, there was nothing the TGDC could have done to require existing machines to be software-independent: that is outside the power and authority of the TGDC. The second resolution made this distinction clearer, for those who aren’t familiar with the details of TGDC’s charter.

    The rest of your comments look accurate to me.

  7. Re: 14th amendment. As I see it (but IANAL either)
    The standard is not that everyone have the same technique but that everyone have the same opportunity to vote. Thus you would have to prove that paperless machines actually deprive you of your right to have your vote counted. Since paper trails only provide a record of your ballot choices but no definitive record that the vote was actually tabulated, it’s hard to see that voters on paper-equipped machines are more “equal” than voters on paperless machines.

    IANAL, but I don’t think this is so. The reasoning in several cases has been that if a particular class of voters rights were violated, without having to prove each individual case, than that law/provision/administrative rule violated EP clause. So, if the defective voting machines were sent to many majority African-American districts, for example, that should be enough to trigger EP concerns.

  8. OK,
    The paper-trail requirement is the 1st step. A very important 1st step, but if there’s going to be any federal legislation, it really needs to go on to the next step.

    A statistically relevant random percentage of these machines must be audited EVERY election by actually counting the paper record.

    If the paper-trail is never audited, or even if it is only audited when someone protests (such as in a close election) we’re very little better off than if there were no paper-trail at all.

  9. Ned Ulbricht says:

    Statistical sampling may possibly be the best way to assure precinct-count optical scan (PCOS) systems.

    But for central count optical scan systems, we can probably afford a much higher level of assurance.

    Imagine an assembly-line style method of copying ballots.

    Start with a long table. On one side of the table, place election workers. On the other side of the table, place party/candidate representatives and other poll-watchers.

    At one end of the table, ballots are removed, one-by-one, from the ballot box. Each ballot is immediately stamped with a lot number and serial number, in a reserved area on the ballot. The poll-watchers verify the lot and serial number.

    Next an election worker moves the ballot to the official scanning station, and scans it. Then an election worker moves the ballot to the next scanning station–similar to the official scanning station, but the machine is owned by one of the parties/candidates. And then an election worker moves the ballot down the line to next scanning station–owned by another party/candidate.

    After the ballot has moved through all of the scanning stations, the ballot is placed in secure storage.

    Conceptually, the scanning machines could be as simple as a Xerox machine, although in practice they would most likely copy to a digital ballot image file. The machines would be subject to inspection and approval by election officials, and might require completely manual feed mechanisms. Iow, no trick feed paths! Only election workers would handle the ballots, but the party/candidate owning the machine would have an “operator” who might be allowed to push the “scan” button.

    The scanned images could then be counted away from the assembly line. In fact, with network connections to each scanner, the counting could proceed in parallel with the scanning.

    Any discrepancy in the count could be reconciled by referring to the lot and serial number of the disputed ballot, which could then be individually pulled from secure storage and inspected.

  10. Ned Ulbricht says:

    According to the South Florida Sun-Sentinel, Broward County is considering a $6 million dollar estimate for 1,100 PCOS machines, serving 750 precincts. Broward County has less than 1 million registered voters, so that averages less than 1000 (potential) votes / machine, and better than $6 / registered voter.

    Of course, these fancy PCOS machines do probably come with an impressive metal box on wheels, and some super-duper top-secret special software.

    But just for the fun of it, l looked at some prices and specs this afternoon, and quite a few office grade scanners capable of handling 1000 scans per day (both with and without ADF) are priced under $500 retail.