December 5, 2020

Protect E-Voting — Support H.R. 811

After a long fight, we have reached the point where a major e-voting reform bill has a chance to become U.S. law. I’m referring to HR 811, sponsored by my Congressman, Rush Holt, and co-sponsored by many others. After reading the bill carefully, and discussing with students and colleagues the arguments of its supporters and critics, I am convinced that it is a very good bill that deserves our support.

The main provisions of the bill would require e-voting technologies to have a paper ballot that is (a) voter-verified, (b) privacy-preserving, and (c) durable. Paper ballots would be hand-recounted, and compared to the electronic count, at randomly-selected precincts after every election.

The most important decision in writing such a bill is which technologies should be categorically banned. The bill would allow (properly designed) optical scan systems, touch-screen systems with a suitable paper trail, and all-paper systems. Paperless touchscreens and lever machines would be banned.

Some activists have argued that the bill doesn’t go far enough. A few say that all use of computers in voting should be banned. I think that’s a mistake, because it sacrifices the security benefits computers can provide, if they’re used well.

Others argue that touch-screen voting machines should be banned even if they have good paper trails. I think that goes too far. Touchscreens can be a useful part of a good voting system, if they’re used in the right context and with a good paper trail. We shouldn’t let the worst of today’s insecure paperless touchscreens – machines that should never have been certified in the first place, and anyway would be banned by the Holt Bill for lacking a suitable paper ballot – sour us on the better uses of touchscreens that are possible.

One of the best parts of the bill is its random audit requirement, which selects 3% of precincts (or more in close races) at which the paper ballots will be hand counted and compared to the electronic records. This serves two useful purposes: detecting error or fraud that might have affected the election result, and providing a routine quality-control check on the vote-counting process. This part of the bill reflects a balance between the states’ freedom to run their own elections and the national interest in sound election management.

On the whole this is a good, strong bill. I support it, and I urge you to support it too.

Comments

  1. Ed,

    Unfortunately, the Holt bill currently prevents new technology, like open-audit voting systems with cryptography, from being considered, because the focus is placed on paper audits when cryptographic auditing could yield significantly more confidence in our election results. Why not simply use the NIST language of “software independence?” Why shut out a whole class of highly verifiable systems because of this focus on paper? I’ve written a more complete response on my blog.

  2. Ned Ulbricht says:

    H.R. 811 SEC 2. (a)(1) amends 42 U.S.C. 15481(a)(2) so that (A)(iii) reads:

    The voting system shall not preserve the voter-verifiable paper ballots in any manner that makes it possible, at any time after the ballot has been cast, to associate a voter with the record of the voter’s vote.

    The requirement of “impossibility” is itself impossible. As this blog has pointed out, “Paper ballots aren’t immune,” and “There’s no perfect defense.”

    Presumably, a court would read some kind of reasonability into this. But it’s poor legislative drafting. Compliance with the law should not be an intractible problem.

  3. Anonymous says:

    On the whole, HR 811 is not a good bill. In particular, its audit provisions do not give enough assurance of detecting fraud, and it specifically exempts the closest elections — those that trigger recounts (including machine recounts!) due to small margins of victory — from any auditing. Also it endorses the continued use of VVPT (“paper trail”) machines — which are subject to a host of attacks, including one in which the machine cancels the voter’s paper trail after she leaves, flips her electronic vote, and prints a matching paper trail. http://vote.nist.gov/threats/papers/papertrailhack2.pdf ; http://vote.nist.gov/threats/PaperTrailManipulationIII1.pdf .

    Readers interested in a much deeper exploration of HR 811’s faults, and in how they might be corrected, should read http://www.bbvforums.org/forums/messages/46591/46591.html .

  4. Ned Ulbricht says:

    HR 822 SEC 2(c)(1) adds several new paragraphs to 42 U.S.C. § 15481(a). In particular:

    (9) PROHIBITION OF USE OF UNDISCLOSED SOFTWARE IN VOTING SYSTEMS- No voting system used in an election for Federal office shall at any time contain or use any software not certified by the State for use in the election or any software undisclosed to the State in the certification process. The appropriate election official shall disclose, in electronic form, the source code, object code, and executable representation of the voting system software and firmware to the Commission, including ballot programming files, and the Commission shall make that source code, object code, executable representation, and ballot programming files available for inspection promptly upon request to any person.

    This appears unworkable.

    I’m not seeing an existing definition of voting system software or firmware in HAVA. So it appears that —at best— these terms would take implicit definitions from 42 U.S.C. § 15481(b). But this still doesn’t seem to provide enough specificity to work out exactly what code would need disclosure.

    One key distinction might be made between special purpose code, and firmware for COTS components, such as peripheral controllers.

    It seems unlikely that any judge—no matter how technically educated—will require third parties to disclose their trade secrets just because a voting machine vendor used one of their components. The courts will probably just refuse to enforce this paragraph as written.

    On the whole, a better approach for the bill would be to require open architectures with complex system independence, and then to work down from there.

  5. I’m just to comment on the bizarreness of the fact that it’s taken the better part of a decade for a country that prides itself on being a democracy to fix an obvious, and obviously really big, problem.

  6. People jumped all over me on this blog when I commented last year:

    http://www.freedom-to-tinker.com/?p=1061#comment-144926

    “This disconnect is pointed out by a problem which I have never seen frankly discussed. Suppose we did have an electronic voting system with a paper trail; suppose there were a recount, and suppose the two systems disagreed. Which one should we believe?

    “Computer scientists would say to believe the paper version, but they have no grounds for this conclusion…”

    Everyone said no, that’s not how it would work, we wouldn’t automatically follow the paper version. And yet here is the text of this bill that Ed Felten asks us to support:

    Sec 2(a)(2)(B)(iii): “In the event of any inconsistencies or irregularities between any electronic vote tallies and the vote tallies determined by counting by hand the individual permanent paper ballots produced pursuant to subparagraph (A), and subject to subparagraph (D), the individual permanent paper ballots shall be the true and correct record of the votes cast and shall be used as the official ballots for purposes of any recount or audit conducted with respect to any election for Federal office in which the voting system is used.”

    As it says, in the event of a disagreement between the electronic vote totals and the paper ballots, it is the paper ballots which are the true and correct record. Ed Felten is endorsing the idea I fretted about last September, that in case of disagreement we should just believe the paper.

    I backed off on my commentary on e-voting last year after receiving so much criticism, I decided that I must be wrong. It’s discouraging to see that one of my main concerns, one that was widely disparaged, now threatens to come to pass.

  7. I agree with Hal: there is no reason that a paper ballot count should automatically be believed over an electronically tabulated count. In fact, in a properly designed system, the electronic count will always be at least as accurate as the paper count.

    There is one big thing missing from this bill: regulations covering ballots that have been confusing in the past. The recent situation in Florida where there were lots of undervotes is an example where a ballot that tried to cram too much stuff on one screen ended up with lots of people missing one of the contests they could vote for. I’m not sure how much regulation this would require, but an obvious start would be to require that each contest be shown on its own screen or page, unshared with other contests.

    I am overjoyed, though, at the open source requirement and the requirements preventing conflicts of interest at certification labs. It’s good to see people really thinking about this stuff and making an effort to fix it.

  8. Ronald Crane says:

    Note the “subject to subparagraph (D)” language. Then read subparagraph (D), which says:

    ‘‘(D) SPECIAL RULE FOR TREATMENT OF DISPUTES WHEN PAPER BALLOTS HAVE BEEN SHOWN TO BE COMPROMISED.—
    In the event of any inconsistency between any electronic vote tallies and the vote tallies determined by counting by hand the individual permanent paper ballots produced pursuant to subparagraph (A), any person seeking to show that the electronic vote tally should be given preference in determining the official count for the election shall be required to demonstrate, by clear and convincing evidence, that the paper ballots have been compromised (by damage or mischief or otherwise) and that a sufficient number of the ballots have been so compromised that the result of the election would be changed. For purposes of the previous sentence, the paper ballots associated with each voting machine shall be considered on a voting-machine-by-voting-machine basis, and only the sets of paper ballots deemed compromised, if any, shall be considered in the calculation of whether or not the election would be changed due to the compromised paper ballots.’’.

    Isn’t that what you’re advocating? Not that it’s good, mind you. Why not? Imagine an election decided by a 50.1%-49.9% margin according to the initial electronic count, and that state law required a full hand recount. Now imagine that, during the recount, someone produces “clear and convincing evidence” that 0.3% of the paper “ballots” [1] were “so compromised that the result of the election would be changed.” In consequence, subsection (D) requires the election to be decided using the electronic count. Assuming you believe in any electronic count, this is OK so far. But now imagine that the hand recount also indicates that 1.2% of the electronic “ballots” had been corrupted, and that the corresponding paper “ballots” showed no signs of corruption. Subsection (D) would still require the election to be decided using the electronic count, since “only the sets of paper ballots deemed compromised, if any, shall be considered in the calculation of whether or not the election would be changed due to the compromised paper ballots.” This is plainly incorrect.

    [1] I quote “ballots” because a VVPT is not a ballot.

  9. Ronald Crane says:

    I’d also note that the conflict provisions create the opportunity for attacks that effectively turn VVPT machines into naked DREs. In one such this attack, the attacker falsifies the electronic count to make her candidate “win,” then makes the machines stop printing VVPTs entirely. As with most e-voting attacks, this one could be waged by only a few well-placed attackers (see the Brennan Center’s report on voting system security).

    Electronic voting is not ready for prime time, even assuming that it ever will be.

  10. Good point Ron.

    There are numerous fatal flaws in HR811, not the least of which is that its manual audit amounts are insufficient in close races and over-audit in races with large margins. I.e. For the same cost, the manual audits could be more effective.

    Here is a correct scientific analysis of HR811’s audit which shows for any race with a particular margin, what the probabilities are for the HR811 audit to detect the amount of vote miscount that could wrongly alter the outcome for various number of total vote counts.

    My numbers agree perfectly with the incomplete and misleading analysis of the HR811 audit that was done by a group of academecians including Dill, Mebane, Norden, Walace, Hall, and others.

    http://electionarchive.org/ucvAnalysis/US/paper-audits/TierElectionAuditEval.pdf

    Here is an explanation of why HR811 would make another HAVA-like mess due to its unreasonable time frames for implementing new publicly disclosed equipment for voters with disabilities (written by dozens of technologists and computer scientists).

    http://electionarchive.net/docs_other/dopp/VotingSystemSoftwareDisclosure.pdf

    I predict that HR811 will be opposed by expert election activists, by NASS and NASED due to its unreasonable time frames, and also will be opposed by the experts in the disabled community.

    HR811 needs to be pulled apart into managable chunks and entirely rewritten so that it would be doable and make sense.

    Here are a list of some of HR811′ major flaws:

    http://electionarchive.org/ucvInfo/US/ChangesNeeded2HR811.pdf

  11. the_zapkitty says:

    Ah, poor Ed… how shall he respond?…. 🙂

  12. Ronald Crane says:

    As with most e-voting attacks, this one could be waged by only a few well-placed attackers (see the Brennan Center’s report on voting system security).

    I sure phrased that badly. What I meant to say was that the attack I described could be waged without requiring more than a few participants. I did not mean to say that there are only a few people in existence who could wage it. On the contrary, any small subset of a vendor’s development team, a vendor’s OEM’s development team, or possibly an ITA (depending upon how software is distributed) could wage the attack — or most other e-voting attacks.

  13. Ronald Crane says:

    I agree with Hal: there is no reason that a paper ballot count should automatically be believed over an electronically tabulated count. In fact, in a properly designed system, the electronic count will always be at least as accurate as the paper count.

    And the evidence for this is?

  14. Hmm, no one has brought up the idea that federal laws about elections are (arguably) unconstitutional. It’s up to the several states to regulate their elections.

  15. the_zapkitty says:

    Publius Says:

    “Hmm, no one has brought up the idea that federal laws about elections are (arguably) unconstitutional. It’s up to the several states to regulate their elections.”

    Which causes one to wonder why, when the “Election Assistance Commision” (hear that hollow laughter) was scheduled to be sunsetted out of existance the Democratic sponsored election reform bills will instead permanently enable it and give it authority over all states and their elections…

    … and the EAC members are EXECUTIVE appointments… as in the “Unitary Executive”…

    … you would think that the Democrats would have learned better by now… wouldn’t you?

  16. Ned Ulbricht says:

    [No one has brought up the idea that federal laws about elections are (arguably) unconstitutional.

    Please see Article I, Sec. 4.

  17. originalgeek says:

    I think you have failed to consider the calibration problems inherent with touch-screen technology, which frequently results in the machine registering a different vote than intended by the user. Banning the technology altogether is one way to deal with the problem, and probably the only way to make “clean” legislation. A muddier approach would be to require that all touch-screen voting devices present each voter with a calibration screen at the start of each voting session.

  18. Ronald Crane says:

    [No one has brought up the idea that federal laws about elections are (arguably) unconstitutional.

    Please see Article I, Sec. 4.

    And Art.5 of the 14th Amendment, which permits Congress to legislate to enforce the guarantees of, among other things, the equal-protection clause.

  19. Santa Claus says:

    I think that any e-voting related software used by the government should be open source, so that it could be thoroughly examined for bugs and security risks by people.

  20. the_zapkitty says:

    “I think that any e-voting related software used by the government should be open source,”

    Open Source is not a panacea for e-voting’s fatal flaws.

    Open source code can be and has been exploited… daily.

    Open source code can be better and more secure than commercial proprietary code… but “can be better” is not good enough when something this vital is at stake.

    Open source can not, in and of itself, fix e-voting.

  21. the_zapkitty says:

    OK… Ed’s had his fun putting the best face possible on “Holt II”… and it still failed miserably of course…
    … 😉
    … but what about the errr- “less-than-good” points of the bill?… (of which there are quite a few more than is mentioned in the responses above)…. could that be next up? 🙂

  22. I see lots of people pointing out problems with the bill, which seems to indicate that it is good politics, ie a compromise. It’s unlikely either side will ever get exactly what they want, but this bill seems to make things much better than before. From that position, we can lobby for even stronger measures, but let’s fix the big problems first!

  23. Open source code can be and has been exploited… daily.

    Open source code can be better and more secure than commercial proprietary code… but “can be better” is not good enough when something this vital is at stake.

    Open source can not, in and of itself, fix e-voting.

    If e-voting uses open source then we can guarantee that for all members of the public, the cost of finding bugs in that software is greater than the cost of dodgy election results. This does not guarantee that the software is bug-free by any means, but it does guarantee at least a basic level of acceptance amongst all knowledgable stakeholders.

    That’s a huge step ahead of what any proprietary system can offer.

    Of course, publication two days before the election on some hard-to-find page might be considered less than “open”… I’m presuming that “open source” includes good faith here.

  24. Um, C. Scott – DRE touch-screen technology *is* “the big problem” and HR811 doesn’t make it better, it makes it worse!

    It institutionalizes the DRE and propagates the deceptive notion that “paper trails” are paper ballots and that they will actually be counted by anyone. Ever. They won’t. In usually 97% of the case in fact, and *never* on Election Night when it actually matters.

    On Election Night, what will be counted is the unverified (and, indeed unverifiable) internal machine count which is wholly secret and wholly proprietary.

    American democracy demands nothing less than a paper ballot — one that is actually tabulated — for every vote cast. Period.

    Paper trails would help America no more than they would have helped folks in Florida 13 (which is to say, not at all, they’d have made things far worse!)

    I’m sorry to see Prof. Felten so horribly wrong on this issue.

  25. Nathanael Nerode says:

    What about
    (a) The *loophole* in HR811 which allows the paper ballots to be ignored (no audit) if there’s a state-mandated recount? This is an unacceptable loophole, and we’ve already watched an election get stolen in California when a judge refused to order a paper recount (instead just letting DREs spit out the same old numbers). State-mandated recounts occur in most close races, and this guts the audit provisions.
    (b) The sheer uselessness of “voter verified” paper trails where the voter *must* rely on the DRE computer to print them. If it prints it wrong (maybe three times in a row…), what can you do? Do you get the right to submit a paper ballot?

    Sure, HR 811 is an improvement over the current ‘wild west’, but it needs some solid improvement. If the loophole isn’t closed, the bill is going to be next to useless in practice. With the loophole closed, it will be an improvement over the current situation — but if DREs aren’t banned, we’ll just have to ban them later.

  26. Thanks for your support of HR 811. Sadly, BBV is moving themselves into irrelevancy through their lack of support for the only genuine reform bill on the table.

    It’s not a perfect bill. No bill ever IS.

    And DREs are not the problem. Computer tabulation is. And audits are the best possible safeguard against that, not just for DREs, but for all the various computers used in elections.

    I’ve been distressed and depressed at some of the statements from BBV that have been accepted as ‘fact’ that are misleading, and in some cases inaccurate.

    In addition – as we all know, what’s put on the Web lives ‘forever’, and the bill has changed, but the objections have not been updated.

    I encourage anyone who cares about this issue to stop reading what other people say on this subject and go read the bill and consult your inner temple of wisdom. Don’t be a lemming. This is too serious an issue not to investigate oneself.

  27. Phil N. D'Oval says:

    HR.811 is nothing more than a bully pulpit for the Dems who’ve felt (justifiably so) that their concerns about voting machine have fallen on deaf Rep ears. Despite “hacks” like the Hursti hacks and the Princeton hack, there is nothing more than anecdotal evidence that a single vote anywhere has ever been flipped. Bev Harris can’t produce any evidence, Hari Hursti can’t either. All they can tell you is that it’s possible.

    Well, take away everyone’s car keys! They could be used to drive drunk some time in the future! Take away everyone’s guns! They might be used to commit murder at some point! I’m so glad you had the opportunity to discuss this all-important issue with your students, as they represent the least-voting group in America.

    Leave Academia and come into the unbearable light of reality!

  28. This is a terrible bill. You say, of computers and computer security, “if they’re used well”. However, they are NOT used well and they never will be. I have designed computer technology for over 35 years, including high security hardware and software mechanisms. There IS NO SUCH THING as absolute computer security, either via hardware or software techniques or any combination thereof. Your own statements which hope to further the “cause” of this bill contain all manner of qualifying phrases.

  29. KEITH CRAWFORD says:

    Paper Ballots, the democratic process is on the chopping blocks. Paper ballots, hand counted, like always, or we are going to lose our democracy altogether!

    Keith

  30. As stated by Keith Crawford, what we really need is hand marked-hand-counted ballots.

    A useful forward step, representing a perhaps reasonable compromise, would have been to eliminate the worst (and most costly) systems, namely DRE’s-with or without printers. It has been shown that the computer generated paper ballots are virtually worthless for verifying votes.
    http://www1.cs.columbia.edu/~unger/articles/e-voting2.html
    Apart from other defects, effectively endorsing DRE’s is a killer. It is important to understand that, if this defective bill becomes law, it will be used to give the impression that e-voting has been fixed, and the likelihood of further legislation being passed will be greatly reduced. More communities are likely to order DRE’s, further entrenching this terrible technology. Compromise is necessary in politics, but HR 811 represents surrender, not compromise.

    Steve