Testimony by: Pamela Smith
On February 23, the Maryland State Board of Elections held a meeting at which a proposed system for remote absentee voting was discussed. Verified Voting submitted testimony (see below) about the system, which includes the use of ballot marking wizard software. We maintain that such software — regardless of any other program it may be bundled or used with — meets the definition of a voting system in Section 301 of the Help America Vote Act and should therefore undergo testing and certification before use. Further, such online ballot marking software contains potentially severe hazards. We raise these in the testimony provided to the SBE.
Thanks to passage of a law requiring voter-marked paper ballots, Maryland is in a slow transition to using a fully voter-verifiable system one day. However, another concern raised in the remarks we provided was the use of a bar code on the remotely printed voted ballot, from which a new version of the voted ballot would be printed once it is received by mail back at the elections office. This version printed from information encoded in the barcode design is the one that would be officially counted. This runs counter to the concept of voter-verifiable ballots. Verified Voting’s testimony follows after the fold.
As Maryland seeks to serve its remote voters, Verified Voting commends the interest in maximizing the rapid availability of the ballot to voters who may have difficulty returning a ballot in time to be counted. This was one goal behind the passage of the 2009 Military and Overseas Voter Empowerment (MOVE) Act[1] in Congress, which called for a 45-day window of time for voters to be able to receive, vote and return their ballot. Maryland already provided sufficient ballot transit time, as cited in the 2008 Pew report “No Time To Vote”.[1] Unlike some other states, Maryland was already serving remote voters well.
MOVE also required that ballots be made available to UOCAVA voters electronically should they desire to receive them in that manner. Instead of having to wait for mail to bring a blank ballot, a voter can instead retrieve a blank ballot almost instantly by fax, email or in some cases by downloading a copy from a website. These requirements already have improved these UOCAVA voters’ ability to return ballots in time to be counted.
MOVE did NOT call for the electronic return of voted ballots. The online (via fax, email, website upload or other electronic means) delivery of voted ballots is insufficiently secure to be used in federal elections[2] and the Act rightly avoided it. Further, the Act did not require the availability of online ballot marking. Though it may not seem intuitively obvious at first, marking ballots online brings about significant security and privacy hazards, due to some of the same underlying issues that make secure electronic return of voted ballots (i.e. Internet voting) unfeasible.
Before obtaining and deploying an online ballot marking system for all absentee voters, Maryland should determine the answers to the following questions and make those answers public for citizen comment.
1. Can Maryland use an online ballot marking system?
a. Is such a system legal under Maryland law?
It is not clear that such a system meets Maryland law. While a blank ballot printed out remotely by a voter for marking by hand and mailing in to county officials would meet the letter and spirit of the laws of the state, a voted ballot marked online and printed through a means that is not discernible and as such not verifiable by the voter would not meet the letter and spirit of the state’s laws.
Further, Maryland requires all voting systems to be certified by an independent testing authority accredited by the EAC to determine that the systems satisfy EAC-adopted standards.
b. Should it be tested and certified?
Any voting system used by Maryland voters should be tested and certified by an independent testing authority accredited by the EAC prior to its purchase and deployment. In order to determine if a component part such as a system that incorporates a ballot marking system (aka “wizard”) should be tested, one must first ask if it constitutes part of the voting system.
In the 2002 Help America Vote Act (HAVA), the definition of a voting system is provided. This is important because HAVA also governs how and by what entity voting systems (including hardware and software) are tested and certified. HAVA also provides for guidelines against which voting systems are to be tested. The definition says: “The total combination of mechanical, electromechanical or electronic equipment (including the software, firmware, and documentation required to program, control and support the equipment) that is used to define ballots; to cast and count votes; to report or display election results; and to maintain and produce any audit trail information.”
Based on this language, the Election Assistance Commission (EAC) determined ballot marking devices to be part of a “voting system.” A ballot marking device can be free-standing such as in the case of some polling place ballot marking devices, typically detached from a tabulating device (e.g. the Automark), or it can be made up of component elements including software, either detached from a tabulating device (such as a ballot marking wizard made up of software used to cast votes and to produce an audit trail) or attached to a tabulating device (such as ballot marking software in some new hybrid designs).
In all cases, the system for marking the ballot is actually part of a “voting system” and more than merely a fancy electronic pen, because of several factors. The ballot marking device or system – in being used by the voter to cast their choices onto a ballot, and in producing an audit trail of what should represent the voter’s intent – meets the HAVA definition of a voting system component.
In the proposed Maryland option, the software does more than merely render marks into appropriate places on a ballot format for printing; it also purports to encapsulate those choices in a bar-code representation. That representation then is used to produce a second version of the ballot through a ballot-on-demand printer at some remote location, and as such further comprises audit trail information. By HAVA’s definition the online ballot-marking software must constitute part of the voting system.
HAVA does not specify that the software/hardware or some combination thereof should produce or maintain certain specific types of audit trail information and not others. It says “any audit trail information.” The ideal audit trail for conducting a post-election audit to ascertain that the intent of voters was counted accurately is a voter-verified ballot produced independently of the software used to count the votes. Using this particular type of audit capability is the only way to affirm whether the counting mechanisms are capturing the intent of the voters accurately. Thus such audit trail information – most particularly the information about the votes marked by a voter as affirmed by that voter – qualifies. HAVA deemed it critical to the quality control of a voting system to test and certify not only the tabulation system but also components that produce and maintain any audit trail information.[3]
In computing, a wizard is a utility program that guides a user through a series of steps to more easily complete a complex task. An online ballot-marking wizard is a software program that enables a voter to mark a ballot online, and is therefore a software-based ballot marking system. This type of program may be bundled together with other separate programs, but is distinct from those other programs. For example, the ballot-marking wizard may be preceded by a separate program enabling voters to confirm their registration status. The ability to check if one is registered is a separate task from casting a vote choice and is a separate task from producing an audit trail. The Ballot Marking Wizard itself, whether bundled with such programs or not, qualifies as part of the voting system because it meets at least two of the parts of the definition in HAVA and in the VVSG.
2. Should Maryland use an online ballot marking system?
a. What are the hazards and pitfalls of such a system?
i. Secrecy violation – automated
If, as we understand to be the case in a system contemplated by Maryland, the voter choices are rendered on a server and not on the client machine, the voter is transmitting the vote choices over the Internet where the marks and the barcode are rendered by a remote server and then sent back to the voter for printing out. The potential for a massive privacy violation exists, and it can be automated with such a system. Voters likely will not understand these risks. Even if they do understand them they should not be presented with a choice to waive their right to a secret ballot, because the benefits of a secret ballot election accrue to all, not to each individual voter.[4]
ii. Ballot modification risk – marking software
Ballot marking software can fail to correctly render the choices made by a voter, and can do so in ways that may be difficult to impossible for the voter to detect. While a voter can review the printed hard copy of their vote before sending it back to satisfy themselves the marks indicate their candidate choices, they cannot review a printed barcode on that ballot. If a problem has occurred with the barcode rendering, the voter will be unable to confirm or reject it.
The idea behind the barcode is that it will enable the automated “remake” of voted ballots arriving from remote voters, which would otherwise be manually remade or manually counted without being remade. In order to prevent problems caused by buggy or malicious software, or with the voter adding a mark manually after having printed out a ballot with barcode encoding only the prior choices, one would have to compare each ballot choice with the printed ballot carefully and with witnesses. We understand Maryland has committed to a 100% check of each choice on each remade ballot, were such a system to be implemented. In the absence of a genuine risk-limiting audit[5], this process would have to continue each election, for each ballot, to provide a mitigating effect.
iii. Authentication risk
How such a system is deployed mandates in-depth examination of the distinct challenge of authentication of remote voters. In other states, as far as we know, voter authentication of absentee ballots through a process of signature verification is the absolute norm. It is our understanding, and we would be delighted to be proven incorrect on this score, that Maryland does not routinely carry out such authentication. It is unclear how the state can prevent voter-impersonation-based tampering. Impersonation – known more popularly as identity theft in cases involving monetary transactions, for example – is a challenging problem. In elections with components conducted over the public Internet, such as the emailing of voters’ PIN numbers or access information for the online ballot marking wizard site, an impersonation attack could result in absentee ballots being cast by someone other than the unknowing legitimate voter, who then may attempt to vote at a polling place, with resultant problems. Unlike polling place impersonation, this can be done on a large scale, is hard to detect and hard to trace.
b. Do the perceived benefits of such a system outweigh the risks?
It is not clear that the use of a ballot marking system like that contemplated in Maryland would provide sufficient improvement to voters to warrant the risk to their votes identified above, and the consequent risks to the state’s elections. Maryland already stands in good stead on services to remote voters, and should not take on additional unnecessary risk in this area.
It may help to provide some context from a distant state. I personally reside in California, where after we adopted no-excuse absentee voting, the proportion of absentee votes to polling place votes has risen to where it is now often more than 50% of the votes in a given election. In some jurisdictions, absentee voting is now upward of 75%, and it continues to rise. If we were to use a system like that contemplated by Maryland, and local election jurisdictions had to carry out a 100% check of each choice on each remade ballot for each election as would be necessary with this method, it would mean incrementally greater demand on local resources forever.
California’s chief election official has correctly determined that such ballot-marking software is part of a voting system and would have to be federally tested and certified prior to applying to the State of California for state certification. Thirteen of 58 California counties will use an online blank ballot delivery system in which any program for online ballot marking is removed – not merely disabled.
- Because Maryland’s use of ballot-on-demand printers incorporates the production of a version of a voter’s choices derived from a barcode, those printers are equivalent to a type of audit-trail printer and as such should also be tested and certified. Where such printers are used only for producing blank ballots, testing and certification may be less critical, but if printers are an inextricable part of the audit trail information chain, they are part of the voting system.
- It should be noted that Maryland has previously acknowledged the risks of connecting any component of the voting system to the Internet as far back as 2004, when the State Board wrote “no Internet ‘types of attacks’ can occur since none of the voting system components are connected to an insecure network”.