Feinstein S. 1487 Letter

October 1, 2007

Senator Dianne Feinstein
Senate Rules Committee
United States Senate
305 Russell Building
Washington, D.C. 20510

Dear Chairwoman Feinstein:

The Association for Computing Machinery (ACM) - a leading society for computing professionals - and its U.S. public policy committee are leaders in educating the public and policymakers about issues associated with electronic voting machines. We thank you for your leadership on voting reform issues and for the opportunity to comment on S. 1487, the Ballot Reform Act of 2007.

This legislation takes several steps to improve the transparency of the voting process. Two of them are particularly important: (1) voter-verified paper trails coupled with manual audits and (2) controlled review of the technology by independent experts. We are encouraged that the legislation contains these provisions, which are consistent with a policy position on e-voting ACM members overwhelmingly supported in 2004.[1] However, we are concerned with some provisions of the legislation and make the following recommendations, based on our technical expertise:

  • Require the audits be random, mandatory, and manual or software independent
    (not reliant on the machine that produced the vote for the audit)
  • Ensure that best practices for auditing elections are followed by state and local
  • Expand the scope of the software review provisions to include all elements of the
    system and clarify reviewers' responsibilities
  • Add more transparency to the emergency certification provisions
  • Charge the National Science Foundation with e-voting research
  • Provide further voter privacy protections

Attached is a detailed document discussing these recommendations. We would be happy to discuss any of these issues in more detail with you or your staff.

Thank you for considering the computing community's views on this important legislative effort. The community has recommended many of the provisions embodied in your legislation for a number of years. We welcome your leadership on this important issue and look forward to working with you as the process moves forward. If you have any questions, please feel free to contact ACM's Office of Public Policy at (202) 659-9711 if we can provide any assistance on this or related issues.


Eugene H. Spafford, Ph.D.
Chair, U.S. Public Policy Committee of ACM

Barbara Simons, Ph.D.
Chair, USACM Voting Subcommittee

About ACM and USACM

ACM is a non-profit educational and scientific computing society of more than 84,000 computer scientists, educators, senior managers, and other computer professionals in government, industry, and academia, committed to the open interchange of information concerning computing and related disciplines. The Committee on U.S. Public Policy acts as the focal point for ACM's interaction with the U.S. Congress and government organizations. It seeks to educate and assist policy-makers on legislative and regulatory matters of concern to the computing community. (See http://www.acm.org and


USACM's Detailed Comments on S. 1487 - the Ballot Reform Act of 2007

Voter-verification and Audits

We support the provisions ensuring that voters have an independent way of verifying their votes. Paper-based audit trails are currently the only transparent way for voting systems to be auditable independent of the underlying software (software independent). Recent reports from California and Florida have emphasized the vulnerabilities of the software and firmware of both direct recording electronic (DRE) and optical scan


We are also encouraged to see the requirements that paper trails be durable, private, clearly readable, and accessible. We note that optical scan voting systems, combined with ballot marking systems and tactile ballots, do satisfy those requirements, and those technologies are currently available. As a result, we disagree with the argument that no voting system would currently meet those requirements. Further, once these standards are established in law, still more technologies might be developed that satisfy those


Paper trails are only half of what is needed to ensure that systems are truly software independent. One of the more disturbing aspects revealed in the California top-to-bottom review was the ability to compromise the paper trail in some of the reviewed systems.[2] We are concerned that the current auditing language could be interpreted to allow completely electronic audits or audits that are not software or machine-independent (meaning independent of all machine(s) used to cast, count, or audit the vote). A random, mandatory, manual or machine-independent audit of elections will help to verify the reliability and accuracy of the voting technology. Section 304 of the legislation requires two of these elements - random and mandatory audits - but it does not require that the audits be conducted manually or by a method that is machine-independent and as statistically accurate as a manual audit of the votes. We recommend adding to the requirements listed in section 304 that audits should be manual or machine-independent. We also recommend requiring the National Institute of Standards and Technology to determine whether the alternative methods are as statistically valid as manual audits.

We further recommend that states must use, rather than should consider, model guidelines for their audits. A recently published report by the Brennan Center at NYU[3] and the Samuelson Center at University of California at Berkeley has many best practices and compares various audit methods. While we understand the reluctance to legislate in an area that is traditionally a matter for state and local jurisdictions, this report demonstrates the need for strong federal guidance. It indicates that at least 23 of the 38 states that require paper audit trails fail to require any sort of audit, and that none of the states that do conduct audits have used models likely to capture errors, attacks or bugs that could compromise an election.[4]

Certification and Disclosure

The current disclosure and review provisions balance the interest of protecting proprietary information against the interest of full, independent analysis of voting systems. Further, the legislation rightly defines the scope of the review by stating that election-dedicated software includes existing software that has been modified as well as software specifically designed for the system. However, the legislation currently allows the Election Assistance Commission to determine whether commercial off-the-shelf (COTS) software will be subject to certification and review. Currently, all of the components of a voting system must be certified. We recommend that all of the technology (including all appropriate documentation) should be subject to certification and review. This would include unmodified COTS, existing software that has been modified for the voting system and any software that has been custom-designed for the voting system. The review should also include ballot definition files. These elements interact with one another: restricting technical experts to reviewing parts of an entire system reduces the chances that they will discover flaws that should be addressed.

The legislation also places requirements on recipients of disclosed information. We agree that individuals reviewing these systems should not disclose trade secrets. However, the current provisions stating that individuals "may not compromise the integrity of the software" or disclose "other confidential commercial information" rely on vague and undefined concepts. We recommend removing this language so the restrictions are transparent and based on established and understood legal concepts (i.e., trade secrets), and so that the law cannot be used to shield the use of unsound systems for voting.

We also have some concerns about the legislation's emergency certification provisions. While we understand the need to patch serious flaws before an election, allowing uncertified software is a loophole that could introduce new risks to a voting system. We would be troubled if patches were introduced right before an election and were never subject to review or disclosure. We recommend strengthening the review provisions to ensure that officials publicly disclose that they are using the emergency certification provisions afforded by the legislation, that they digitally sign patches before installation, that they provide justification for why the authority was being exercised, and allow a fixed time after a patch is installed for disclosure review and certification. If the patch has not been certified within a reasonable period of time, then it should be removed from the


Accessibility Research Provisions

We welcome the provisions encouraging research into voting technologies, particularly research with an emphasis on accessible voting systems. While it has been argued that paper-based audit trails should not be used because they are not accessible, the recent top-to-bottom review of voting systems in California noted several barriers to accessibility in many aspects of DRE systems.[5] We also note that there are paper-based systems that are in use today that are accessible to voters with a variety of disabilities, including lack of sight. Vendors have yet to address accessibility issues related to the voting machine interfaces as well as the readability of audit trails and other voting system output. For example, in many DRE systems what is read back to a voter is not from the VVPAT, but from what is on the screen. Such work can go a long way in improving the voting system for all voters, able-bodied and otherwise.

The legislation currently charges the Election Assistance Commission with carrying out research established under the Help America Vote Act. We note that the EAC's resources have been limited and that the agency does not have a research mission. We recommend shifting the research programs to the National Science Foundation. NSF works closely with the scientific community on numerous issues and has experience in e-voting research. We stress that appropriations need to be made to support this research, wherever it is situated.

Furthermore, the language that deems eligibility for grantees developing systems that are "completely accessible for all individuals" could stifle applications for this program. No system is completely accessible; if grantees were required to stipulate that a system was completely accessible as a condition of receiving the grant, few would apply. Instead, the program should strive to improve voter accessibility for all individuals. Multiple approaches may be necessary to achieve full accessibility.

Voter Privacy

The legislation currently does much to protect voter privacy by requiring that voter-verified paper records remain private. This would likely end the sequential printing of ballots by some systems. However, as the recent California top-to-bottom review found, several systems also maintain sequential electronic recording of votes. This could allow for relatively easy reconstruction of how a person voted by comparing the voter registration list to the order of votes in voting booths. The same privacy problem arises with audit logs that have timestamps for all voting activities. As recently demonstrated in Ohio, these records, along with the poll book information, can reconstruct how voters cast their ballots. If these records are subject to public records law, a reconstruction becomes even easier. We recommend extending the privacy provisions to the entire voting system.

