November 3, 2020
Oregon Secretary of State Bev Clarno (via email: firstname.lastname@example.org)
Public Service Building
255 Capitol St. NE
Salem, OR 97310
RE: Proposed rule 165-004-0450
I write on behalf of Verified Voting to express our grave concerns about proposed rule 165-004-0450, which addresses ORS §254.532 on risk-limiting audits (RLAs). In brief, the proposed rule:
- Does not establish audit procedures as required by §254.532
- Creates counterproductive requirements for software used in these audits
- Contains other provisions that needlessly hamper these audits
We recommend extensively redrafting the rule to address these concerns.
Absence of procedures
ORS §254.532 explicitly requires the Secretary of State to establish rules “[e]stablishing the procedures to be used for conducting a risk-limiting audit.” The 300-odd words of the proposed rule establish few if any procedures. An election official who turned to this rule for guidance on how to conduct a risk-limiting audit would not find it. A few provisions obliquely address statutory requirements under §254.532, but most requirements go unmentioned and unimplemented.
In adopting procedural rules for risk-limiting audits, Oregon should consult Colorado’s Rule 25, which is detailed and comprehensive. Although much of Rule 25 is highly tailored to Colorado’s statewide RLAs, it nonetheless provides a useful model. California’s RLA regulations are similarly detailed, and they support limited county pilots as per California state law. Both states consulted extensively with county clerks and subject matter experts in drafting these rules.
Misdirected software testing requirement
ORS §254.532 appropriately requires that risk-limiting audits “[e]nsure that no change or error in technology used to assist with the audit could result in an undetected change in the results of the audit.” The proposed rule attempts to meet this criterion through testing. Specifically, it requires that any software used in an RLA be examined by a federal Voting System Testing Laboratory (VSTL) and certified by the Secretary of State. This approach cannot succeed — but it could prevent RLAs from occurring at all, or compromise their conduct.
The statutory requirement leverages the concept of software independence. A voting system is software-independent if an undetected change or error in its software cannot cause an undetectable change or error in an election outcome. Software testing cannot provide software independence! Computer scientists know that errors often evade even intensive software testing. Voter-verified paper ballots provide software independence. Similarly, no examination of risk-limiting audit software can assure the correctness of audit results. That must be done procedurally, by providing all information needed to verify every step of the audit without relying on the software. Our report Checking the Paper Record provides details on how to meet this standard.
Requiring VSTL examination seems especially misdirected. As the name implies, Voting System Testing Laboratories have no expertise in risk-limiting audits. The nation’s leading RLA experts already contribute to and review open-source software tools. Open-source software itself provides an additional measure of transparency. This requirement would probably prevent Oregon counties from using the best known, best tested RLA software. Most likely, to proceed at all, they would have to use RLA software (if any) bundled with their voting systems — software that outside experts cannot review for accuracy.
Two other provisions raise concern. First, the risk limit of 0.1% is far more stringent than we have seen any U.S. jurisdiction impose or any expert recommend. It would require Oregon counties to audit more than twice as many ballots as counties in Colorado (where the risk limit for comparison audits presently is 4%). We see no public policy rationale for imposing this burden. Second, provision (5) addresses possible conflicts between recounts and RLAs, but is worded so broadly that it actually allows recounts to sabotage RLAs. For instance, a candidate or elector could prevent an RLA of a local contest by demanding, under §258.161, a recount of one precinct anywhere in the same county, in any contest.
Oregon has an opportunity to create robust and comprehensive risk-limiting audit procedures. Unfortunately, the issues addressed above — especially the lack of procedures — go beyond simple line edits. We recommend that the rule be extensively rewritten, preferably in close consultation with county clerks and audit experts as contemplated in statute.
Thank you for the opportunity to submit these comments.
Verified Voting is a national non-partisan organization whose mission is to strengthen democracy for all voters by promoting the responsible use of technology in elections. Our staff, Board, and Board of Advisors consist of nationally recognized subject matter experts on election technology, security, and verification, including risk-limiting audits.