National Academies: Jurisdictions May Not Be Ready for Election Day, Certification Process Generates Skepticism

By Cameron
July 29, 2006

July has seen a lot of attention focused on e-voting issues. First, the Brennan Center releases a major report on threats to e-voting systems. Then Congress holds a much-needed hearing on e-voting (USACM offered testimony). And this week the National Academies released an interesting new report discussing emerging problems with e-voting systems and making recommendations for the upcoming election.

According to the Election Assistance Commission, an estimated one-third of voters will be using different equipment in 2006 than 2004. The academies’ report stated that some jurisdictions, possibly many, are not prepared to use this new equipment for the November election. Several factors are contributing to this (although not uniformly across jurisdictions):

  • State and localities either not meeting or rushing to meet deadlines for new equipment mandated by the Help America Vote Act
  • New state requirements on e-voting systems, such as Voter Verified Paper Trails
  • On going security threats, such as those outlined in the Hursti report
  • Poor vendor performance
  • Training poll workers on how the new equipment works
  • Educating first-time voters about using the machines

The report also pointed to several notable trends:

  • More jurisdictions are becoming aware that the long-term (life-cycle) costs of e-voting equipment can be substantial.
  • The relationship between jurisdictions and vendors is becoming more adversarial.
  • Jurisdictions are realizing that software flaws can be found at any time and patches or upgrades may have unintended consequences, which may not be discovered before election day.
  • Growing skepticism about the current testing and certification process for e-voting systems (I’ll come back to this one.)
  • Technical knowledge and skills vary widely among jurisdictions, which can increase the influence of politics and personal relationships in the procurement process.
  • Advocacy groups are bringing increased attention to issues, such as security problems.

Finally the report made a few recommendations:

  • Jurisdictions should have backup mechanisms and procedures in place for e-voting systems.
  • Jurisdictions should band together in their interactions with vendors.
  • Election Officials should get information from each other about vendor problems, contracts, backup procedures and legal and regulatory options.
  • Jurisdictions should conduct parallel testing on Election Day.

The recommendations seem fairly prudent for the upcoming election and beyond, but the Academies could have made even more based on their analysis. Just on the testing and certification issue, they reported that:

“Workshop participants [local, state and federal election officials] expressed considerable skepticism about current certification processes for electronic voting systems, given the lack of an arms-length relationship between the independent testing authorities (ITAs) and the vendors. Rightly or wrongly, these concerns originate in the fact that vendors pay the ITAs for undertaking certification. In addition, vendors have opportunities to tune their software specifically for the tests in question, a practice somewhat akin to studying for a test rather than learning the material in a course. Lack of certification reform has also contributed to such skepticism.”

This was the same issue that USACM raised in its testimony to Congress last week. In fact, USACM made some recommendation to address this issue:

  • Create a formal feedback process that will ensure that lessons learned from independent testing and Election Day incidents are translated into best practices and future standards.
  • Make the testing process more transparent by making the testing scope, methodologies and results available to the public.
  • Create a mechanism for interim updates to the standards to reflect emerging threats, such as newly discovered security defects or attacks.

We’ve now seen numerous security defects appear on equipment that has already been tested and certified. It seems clear that there are some pretty big gaps here that need to be addressed. It is good to see that the National Academies is also pointing out these issues.