May 29, 2019
Chairwoman Christy McCormick
U.S. Election Assistance Commission
1335 East-West Highway, Suite 4300
Silver Spring, Maryland 20910
Dear Chair McCormick,
Since their establishment in the Help America Vote Act (HAVA) of 2002, the Voluntary Voting System Guidelines (VVSG) have played a crucial role in shaping the voting equipment used in the U.S. by addressing aspects of functionality, accessibility, accuracy, auditability and security. Though voluntary, the VVSG influence the voting system market and impact State certification, even in States that do not formally require certification of voting equipment by the U.S. Election Assistance Commission (EAC). We thank you for the opportunity to comment on the VVSG 2.0.
New VVSG Format
With the development of VVSG 2.0 the EAC and the Technical Guidelines Development Committee reimagined the VVSG to be a set of high-level, plain language principles and guidelines that is intended to be accompanied by a separate document defining the requirements voting systems must meet to comply with those principles and guidelines. This is a radical departure from the previous structure of the VVSG which included voting system requirements with the guidelines. The new structure allows the guidelines to be accessible to and easily understood by a greater number of stakeholders and may prove advantageous in other ways. However, under the new structure, with the requirements no longer included in the VVSG, the path for adoption of the requirements is no longer specifically dictated by HAVA. By separating the requirements from the VVSG the EAC has created a new article which lacks a defined policy for development, comment and adoption. Furthermore, the new structure puts an immoderate amount of importance on the voting system requirements which must provide a high level of detail and specificity to determine if a system complies with the VVSG. The lack of published policy regarding the Commission’s handling of the requirements introduces opacity and uncertainty to this very important component of the VVSG. We urge the Commission to define and publish the policy for the development and adoption of the voting system requirements as soon as possible.
The Importance of Prioritizing Robust Security Provisions in the VVSG and its Requirements
As the U.S. faces an unprecedented threat to the integrity of our election systems and grapples with strategies to protect election infrastructure, there is increased reliance and expectation that the VVSG will provide that voting machines are resilient and secure. It is important that the VVSG deliver meaningful and effective guidance and requirements that will improve the security of voting systems and lessen exposure to manipulation, tampering or hacking. In some cases, this will mean States may need to implement new administrative procedures or practices in order to adopt voting equipment with more robust security profiles that comply with the VVSG 2.0 – this is not a bad thing. The VVSG should aim to provide a framework States can adopt to improve their security and fortify their devices against potential cyber attacks, which may require abandoning less secure practices. In developing the VVSG and the VVSG requirements there may a temptation to omit an important and necessary security provision that may conflict with some States’ current administration practice, essentially diluting provisions in order to accommodate an existing, perhaps outdated, protocol. We think this would be a mistake – the VVSG and requirements must provide ambitious and meaningful security provisions and should not be weakened to accommodate existing protocols and practices which may not be safe. Moreover, the VVSG are voluntary; States can opt out in whole or in part according to their needs. It would be ill-advised to weaken the VVSG and its requirements as a whole in order to accommodate individual State’s administrative practices.
The VVSG 2.0 reflects a careful, thoughtful, sensible and thorough set of guidelines for voting systems and we commend the EAC and Technical Guidelines Development Committee for their efforts. Overall, we strongly support the VVSG as drafted and urge inclusion of one critical additional Guideline to prohibit the use of wireless modems and internet connectivity in voting system.
We respectfully offer the following comments on specific provisions for your consideration.
Principle 3: TRANSPARENT The voting system and voting processes are designed to provide transparency.
We support this Principle and its Guidelines but we believe it could be strengthened and clarified to add to Guideline 3.2 “and election records” and “and in a form.” [Additions below in bold.]
3.2 - The processes, and transactions and election records, both physical and digital, associated with the voting system are readily available and in a form suitable for inspection.
In order to achieve meaningful transparency, not only the processes and transactions should be available for inspection, but also the various reports and ballot records.
Principle 4: INTEROPERABLE The voting system is designed to support interoperability in its interfaces to external systems, its interfaces to internal components, its data, and its peripherals.
We strongly support this Principle and its Guidelines in current form. Lack of interoperability has limited election administrators’ options for voting equipment. If a jurisdiction currently uses one vendor’s system, administrators are unable to purchase elements of the election system from another vendor, even if that vendor’s product may better meet the jurisdiction’s needs. Additionally, in order to implement effective, efficient audits it may be necessary for the audit software to parse exported results and cast vote records.
Principle 9: AUDITABLE The voting system is auditable and enables evidence-based elections.
9.1 - An error or fault in the voting system software or hardware cannot cause an undetectable change in election results
We vigorously support Principle 9, Guideline 9.1 and the associated Guidelines requiring Software Independence and auditability in voting systems and applaud the Commission and Development Committee for including this vital security provision.
Principle 10: BALLOT SECRECY The voting system protects the secrecy of voters’ ballot selections. 10.1 - Ballot secrecy is maintained throughout the voting process. 10.2 - The voting system does not contain nor produce records, notifications, information about the voter or other election artifacts that can be used to associate the voter’s identity with the voter’s intent, choices, or selections.
Again, we strongly support Principle 10 and Guidelines 10.1 and 10.2 and commend the Commission and the Development Committee for its foresight to provide robust protections for ballot secrecy in voting equipment. As the Development Committee considered this Principle carefully, it noted that some States’ practices run contrary to this Guideline, however, it also decided the need for strong protections for ballot secrecy outweighed the possible conflict with that small number of States. We strongly agree and urge the Commission to ensure this Principle is maintained and supported by effective requirements.
Principle 13: DATA PROTECTION
Given that our election systems are being targeted for interference through cyber attacks, we believe it is imperative the VVSG also include a prohibition on connectivity to the public Internet through wireless modems or other means. Therefore, we strongly urge the Commission to include as Guideline 13.5 under Principle 13: DATA PROTECTION:
“Guideline 13.5: The voting system does not use wireless technology or connect to any public telecommunications infrastructure."
Though it is widely held and frequently repeated that voting equipment is not connected to the Internet, many voting devices employ wireless modems which use IP addresses and IP packets that transmit over the public Internet. Wireless modems introduce a host of security risks that were outlined in a letter to the EAC in 2018 signed by over 30 noted computer security and election integrity experts.
Some election management systems are hosted on devices that are used for multiple tasks that require Internet connectivity. Some vendors have installed remote access software on the election management systems to enable them to remotely management election procedures and data.
There are many States that already incorporate provisions in their election system requirements and administrative rules that ban wireless modems and internet connectivity, this is not universal and many States don’t ban connections to the Internet or the use of wireless modems. These dangerous practices greatly increase the exposure of these voting systems to cyber attacks and should be explicitly proscribed by the VVSG even if they will conflict with some States’ existing practices. This is an opportunity for the VVSG to compel better safeguards and security and should not be weakened to tolerate poor election security practices.
Principle 14: SYSTEM INTEGRITY The voting system performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental.
To further strengthen the provisions for System Integrity, we urge the inclusion of the following Guideline 14.5 under Principle 14: SYSTEM INTEGRITY:
“14.5 The voting system will detect, and will not permit access by or connection to, any digital storage device that incorporates or contains executable code.”
Election administrators, stakeholders, elected officials, lawmakers and the public hold expectations that the federal VVSG provide a strong, effective framework for secure, accessible, trustworthy voting equipment. We support the VVSG with the inclusion of a prohibition on wireless modems and internet connectivity.
Thank you for the opportunity to comment on Guidelines.
James A. Hendler
U.S. Technology Policy Committee of The Association for Computing Machinery
National Election Defense Coalition
cc. Brian Newby
U.S. Election Assistance Commission