Comments of the California Voter Foundation
on the FEC's Voluntary Standards for Computerized Voting Systems
Submitted to the Federal Election Commission via email,
September 7, 2001
In response to the FEC's Voting
System Standards draft
September 7, 2001
Ms. Penelope Bonsall, Director
Office of Election Administration
Federal Election Commission
999 E Street, NW
Washington, DC 20463
Dear Ms. Penelope Bonsall and Commissioners:
It is my pleasure to write to you on behalf of the California Voter Foundation and
provide you with our comments on the proposed Voluntary Standards for Computerized
We recognize that an update to the existing standards is long overdue and appreciate
the Commission's efforts to develop new and better standards that meet the challenges
of modern voting technology. Our comments make ten recommendations. Below
is a brief background about our organization, followed by a summary of our recommendations
and a discussion of each recommendation.
I. About the California Voter Foundation
The California Voter Foundation (CVF) is a nonprofit, nonpartisan organization, founded
in 1994, to model and advance the use of new technology to improve democracy.
CVF pioneered using the Internet to provide voters with timely, accurate, nonpartisan
election information. CVF has used the World Wide Web to shine "digital sunlight"
on money in politics, improving the public's ability to easily access campaign finance
data online. The CVF Web site, www.calvoter.org, is a free, noncommercial source
of reliable information on California elections and politics. CVF president,
Kim Alexander, and board member, David Jefferson, are active participants in the
voting technology debate. Under their leadership CVF has been studying Internet
voting since 1998, participated in several important studies of Internet voting and
voting technology standards, and provided information to the public, policy-makers
and the press on these issues.
II. Summary of the California Voter Foundation's Recommendations
1. The Commission should extend the deadline for this
comment period. read
2. The proposed standards do not reflect the current
state of knowledge and therefore the Commission should commence a new standards development
process immediately. read
3. The Commission should remove all standards specifically
for remote Internet Voting systems. read
4. The Commission should ensure that those responsible
for choosing voting systems are aware that remote Internet voting is not an alternative.
5. The Commission should clarify, in each instance, that
the general Internet Voting standards are for Poll Site Internet voting exclusively.
6. The Standards should reflect the current discussion
about the source code of voting technology. read
7. The standards should require routine re-certification
of voting systems that feature a software component. read
8. The standards should require systems to allow voters
to register a decision not to vote in a given contest. read
9. Design and usability standards must be included in the standards.
10. Voter privacy must be considered in standards for voter
registration databases. read
III. Discussion of the California Voter Foundation's
1. The Commission should extend the deadline
for this comment period.
The standards are long and complex, and have only been widely available for public
inspection for two months. The 2000 presidential election demonstrated the
importance of voting system design and reliability in determining election outcomes.
As a result, experts from diverse fields have participated in a national dialogue
about the election process, including the machinery of voting.1 Many individuals,
security experts, and organizations who have participated in this national discussion
do not traditionally participate in the setting of voting technology standards. By
extending the comment deadline the Commission will likely receive greater input from
2. The proposed standards do not reflect
the current state of knowledge and therefore the Commission should commence a new
standards development process immediately.
The "Florida Fiasco" of the 2000 presidential election focused unprecedented
levels of public attention and resources on the issue of voting technology and ballot
design. The draft standards were begun long before this intense national debate
began in late 2000. As the nation seeks answers to the problems of the 2000
election new insights into voting technology and design proliferate. In the
past ten months dozens of federal and state reports and studies have been undertaken.2
Many of the most important studies have only recently been released, providing new
and thoughtful recommendations about the future of voting standards and voting technology.
In particular, new questions are being raised about computerized voting systems and
whether a paper copy of computerized ballots is necessary to maintain the integrity
of the voting process.
The Commission must ensure that the VSS reflects the wealth of knowledge generated
by this surge in research. The standards process should include input from
computer security experts, design and usability experts, privacy experts, as well
as traditional participants in the VSS process. The standards for both old
and new technology will benefit from the advice and recommendations of experts in
3. The Commission should remove all standards
specifically for remote Internet Voting systems.
There are essentially three levels of electronic voting: computerized/DRE machines;
poll site Internet voting; and remote Internet voting. The California Voter
Foundation objects to the inclusion of standards for remote Internet Voting Systems
within the Proposed Standards because it dangerously implies that such systems are
ready for use in elections.
While the Overview's introductory text warns that current technology does not "address
the requirements and risks associated with voting over the Internet," and states
that the VSS therefore "does not promote Internet voting," it is a weak
counterweight to the detailed specifications for the design of such systems contained
in the standard. The VSS weaves standards for remote Internet voting systems
throughout, treating them just as it does standards for other kinds of voting systems.
The remote Internet Voting standards in no way indicate that they are intended merely
to guide product development. Because the standards as a whole drive product
choices in 37 states, it is extremely likely that the inclusion of remote
Internet voting standards will be taken as a signal that such systems are ready for
use in elections. The risks created by the incorporation of standards for remote
Internet voting technology are grave and cannot be mitigated by two lines of text
that are not part of the standard itself.
The draft standard assumes the inevitability and desirability of remote Internet
voting, and ignores the skepticism and criticism of its appropriateness reflected
in recent reports by the National Science Foundation, the National Commission on
Federal Election Reform, and the California Internet Voting Task Force.3 The
assumption of remote Internet voting inevitability, was popular in 1999, when
the VSS update progress began and there was less knowledge about the viability of
Internet voting systems. However, as people study Internet voting, many are
concluding that it is neither inevitable nor desirable.
Casting a secret ballot in a fair and democratic election is a unique event for individuals;
from a technical design perspective, it is a formidable challenge. Each person
must be authenticated, and able to vote only once, in a limited time frame.
Voters must be confident that their votes are recorded as cast. Votes may not
be associated with individual voters, but we must be able to audit the votes cast
in the case of a recount. Creating a system that allows individuals to vote
online-possibly from a remote location-introduces additional complexity and risk
to this already daunting technical task.
Due to the complexities of the voting process and the state of current technology
every group to study remote Internet Voting, with the exception of one, has rejected
it finding it to be premature and risky.4 While there are many technical reasons
for rejecting remote Internet voting, which will be well articulated by others, CVF
believes that it should be rejected because it:
- opens the door to widespread election fraud;
- introduces new opportunities for political coercion;
- undermines the secret ballot; and,
- creates new threats to voter privacy.
Furthermore, the inclusion of remote Internet Voting System Standards is inconsistent
with the purpose of the VSS and implies that such systems are appropriate for use
in elections. The VSS is intended for use by state and local election officials
in their testing certification and procurement of computer-based voting systems.
"(T)he standards define functional requirements and performance characteristics
to determine system suitability for election use." In other words, if
a system meets the applicable standards found in the VSS it is considered by the
Commission to be suitable for election use. Why then does the proposed VSS
provide standards for remote Internet voting technology-a system that the Commission,
and nearly every body that has studied it, agrees is not suitable for election use?
In issuing remote Internet Voting System Standards the VSS strays from its purpose
of assisting state and local officials in evaluating voting technologies. It
offers remote Internet standards "to guide, provide product development, and
assure that Internet Voting Systems when fully developed, are examined and tested
using standards that recognize the unique design and operating characteristics and
inherent risks of Internet voting systems." While it is quite possible
that those developing remote Internet voting systems need guidance and input, this
is not the role of the VSS. To use the VSS as the vehicle for such guidance
will inappropriately drive expectations about remote Internet voting, creating an
illusion that if such systems meet the VSS standards they are appropriate for election
4. The Commission should ensure that those
responsible for choosing voting systems are aware that remote Internet voting is
not an alternative.
In light of the risks identified with remote Internet voting systems the Commission
has an obligation to ensure that officials responsible for choosing voting technology
are clearly informed that remote Internet voting is not currently an option.
The country cannot afford to risk confusion on this point. As written the VSS
creates ample opportunity for confusion. In the hands of unscrupulous vendors this
document provides a platform for misleading the public and those responsible for
selecting voting technology for public and private elections in this country and
elsewhere in the world.
5. The Commission should clarify, in
each instance, that the general Internet Voting standards are for Poll Site Internet
As the Internet voting debate has developed, there has been a clear and important
distinction made between poll site Internet voting, where the voting machine and
online connections are maintained by election agencies, and remote Internet voting,
where voters could use any personal computer and any Internet connection to vote.
Like the remote Internet voting standards, the California Voter Foundation views
the inclusion of poll site Internet voting standards as premature. However, we and
others who have studied poll site Internet voting believe it may be viable
in the near future, unlike remote Internet voting. If the poll site Internet
voting standards are to be included in the new standard, it is crucial that the Commission
be extremely clear and specific about which of the two Internet voting systems the
standards are designed to evaluate. As written, the standards do not distinguish
between poll site and remote Internet voting, except where they establish additional
standards for remote Internet voting. To clarify, the Commission should change
the headings and all references to specifically say "Poll Site Internet Voting."
6. The Standards should reflect the current
discussion about voting technology source code.
Throughout the technical and computer policy community there is growing agreement
that "open source" and "public source" code is favorable in many
settings for reasons of security, transparency, and accountability purposes. In no
place are these values more important than the election process. Simply put, there
is growing sentiment that we cannot have free, open, trustworthy elections with closed,
proprietary, "black box" software. One possible way to remedy this problem
is to require that the code that runs voting systems be open to public inspection.
It may be counterintuitive, but there is consensus in the computer security field
that software that is open is safer than software that is closed. In fact,
the Pentagon, our number one military agency, decided last year to no longer purchase
closed source, commercial software programs from companies such as Microsoft, Netscape
and Lotus to use in its most sensitive systems. The reason given by one anonymous
Pentagon official to the Washington Post, is because the Pentagon found that these
closed source programs had too many holes, backdoors and trapdoors that place the
department in greater danger of a computer attack than using public and open source
People in the election community are similarly recognizing the benefits of public
source voting software. There are vendors who, while shying away from the "open
source" approach to software development, have stated that they would make their
source code public if it were required of all election system vendors. There
is also growing interest in developing "open source" code voting systems.
As the Commission revises the VSS we believe that a robust discussion about the merits
of "public source" and "open source" voting systems needs to
take place and the loss of transparency in computerized voting systems must be addressed.
7. The standards should require routine
re-certification of voting systems that feature a software component.
The Internet voting section of the standards recognizes the importance of re-certification.
We believe that re-certification is important for any voting system that uses software
in any part of the voting process. Voting technology is increasingly software
based; systems should be designed to be easily upgradable so they keep pace with
current technology. A requirement for re-certification will ensure that they
8. New Voting System Standards should
require systems to allow voters to register a decision not to vote in a given contest.
Voters routinely decide not to cast votes in specific contests presented on the ballot.5
Regardless of the reasons for this, it occurs and its occurrence should be captured
by voting systems. Without an option to affirmatively register a decision not
to vote, confusion and concerns about undervoting will remain even if all ballots
cast are being accurately recorded.
Adding mechanisms that allow voters to register their decision not to vote will increase
our ability to judge the performance of voting systems. Voting system performance
is based on the number of "residual votes." Residual votes include both
intentional and unintentional undervotes, and unintentional overvotes. Intentional
undervotes are inappropriately viewed as a system failure. The number of intentional
undervotes are small in contests at the "top of the ticket", such as a
Presidential election, where experts estimate the rate of intentional nonvotes to
be between .5 and .75 percent of all votes cast.6 However, as one goes down
the ballot, the number of intentional undervotes increases. With the incorporation
of mechanisms that allow voters to affirmatively record a decision to not vote in
a contest (an intentional undervote) we will improve our ability to assess voting
systems' performance. In addition, by reducing the number of ballots left blank
due to intentional undervotes, we will reduce the opportunities for election fraud
via back-end vote tampering.
9. Design and usability standards must
be included in the standards.
In light of the central role that ballot design plays in facilitating or undermining
voter decisions, thorough design and usability standards must be included in the
standards.7 Ballot design played an inauspicious role in the 2000 presidential
election. The reports from Florida and other jurisdictions of confusingly designed
ballots and distraught voters uncertain whether their ballot reflected their true
intent brought ballot design to the forefront of public discussion. The VSS
should require that professional information designers are consulted when developing
or testing a voting system. Voting technology should also undergo usability
testing with panels of actual voters as part of the certification process.
10. Voter privacy must be considered
in standards for voter registration databases.
In the overview, the Commission notes several issues that the standards do not address.
The integration of voter registration databases is among these issues. Several
of the major reports on the issue of election and voting reform recommend the development
and/or integration of statewide voter registration databases and systems to facilitate
better access to the data for election administration purposes. However, voter
registration data is used for other purposes. It is routinely gathered and
used by political campaigns to market their message to voters. The computerization
and increased public access to voter registration data greatly increases the magnitude
of exposure of these records which in turn is undermining voter privacy.
Just last month, a non-profit group came under fire for making voter registration
data - including home addresses, birth dates, and party affiliations - of hundreds
of thousands of New York city residents available on the World Wide Web.8 The
group acquired the database from the city's election board on a CD Rom, as
one can in many jurisdictions around the county. While the group's stated goal
was to increase voter access to polling place information, the result was that anyone
with an individual's name and birth date could easily find their home address and
party affiliation. Many individuals wrote in to the Web site requesting to have their
information removed and indicating that this kind of exposure would make them disinclined
to register to vote.
This event illustrates how centralizing and computerizing voter registration
information raises new privacy challenges. While voter registration data is,
and historically has been, legally available to the public, it has been "practically
obscure." As technology erases the de facto privacy protections of time
and distance - making access instantaneous from anywhere on the globe - the public
is left feeling vulnerable and exposed. The magnitude of exposure faced by
the individual who's voter registration form is stored in a filing cabinet in the
basement of a county building is far less than the New York city resident who's record
is on a Web site for anyone in the world to find. Privacy standards must be
an integral part of Commission standards for voter registration databases.
Thank you for your consideration of our recommendations. If you have any questions
or need additional information, please feel free to contact me at (530) 750-7650,
or via email at firstname.lastname@example.org.
Kim Alexander, President
California Voter Foundation
street address: 222 D Street, Suite 6B
Davis, CA 95616
1 For example: Report of the National Commission
on Federal Election Reform, "To Assure Pride and Confidence in the Electoral
Process", August 2001, www.reformelections.org
(herein National Commission Report); Report of the National Workshop on Internet
Voting: Issues and Research Agenda, National Science Foundation, March 2001,
www.nsf.gov (herein NSF Report); The Report of the
Constitution Poject's Forum on Election Reform, August 2001; Report of the
California Internet Voting Task Force, January 2000, http://www.ss.ca.gov/executive/ivote/
(herein California Report). For a longer list of studies and reports
3 National Commission Report at page 44; NSF
Report, at section 5; and, California Report.
4 A report by the Pentagon on its Federal Voting
Assistance Program reported that its Internet voting project was a success.
However, the Center for Public Integrity published a report analyzing the Pentagon's
Internet Voting pilot project. The CPI report raised questions about the security
of the military's experiment and estimated its cost at $73,809 per Vote. http://www.public-i.org/story_01_080901.htm.
5 See, "Roll Off at the Top of the Ballot:
Intentional Undervoting in American Presidential Elections", Stephen Knack and
Martha Kropf, April 2001.
6 Id. at 12.
7 "Disenfranchised by design: voting
systems and the election process", Susan King Roth, The Information Deisgn Journal,
vol. 9 no. 1, 1998. archived at, http://www.calvoter.org/votingtechnology.html#publications
8 "As Public Records Go Online, Some Say
They're Too Public", Amy Harmon, New York Times, August 24, 2001, A1.