“Frozen” is my key word for what happens to the voting system certification process after EAC is dismantled. And in this case, frozen can be really harmful. Indeed, as I will explain, we’ve already seen how harmful.

Last time I wrote in this series on the EAC being dismantled (see the first and second posts), I said that EAC’s certification function is more important than ever. To re-cap:

  • Certification is the standards, requirements, testing, and seal-of-approval process by which local election officials gain access to new election tech.
  • The testing is more important than ever, because of the lessons learned in 2016:

1. The next gen of election technology needs to be not only safe and effective, but also …

2. … must be robust against whole new categories of national security threats, which the voting public only became broadly aware of in late 2016.

Today it’s time to explain just how ugly it could get if the EAC’s certification function gets derailed. Frozen is that starting point, because frozen is exactly where EAC certification has been for over a decade, and as a result, voting system certification is simply not working. That sounds harsh, so let me first explain the critical distinction between standards and process, and then give credit where credit is due for the hardworking EAC folks doing the certification process.

  • Standards comprise the critical part of the voting system certification program. Standards define what a voting system is required to do. They define a test lab’s job for determining whether a voting system meets these requirements.
  • Process the other part of the voting system certification program, composed of the set of activities that the players – mainly a voting system vendor, a test lab, and the EAC – must collectively step through to get to the Federal “seal of approval” that is the starting point for state election officials to make their decisions about voting system to allow in their state.

Years worth of EAC efforts have improved the process a great deal. But by contrast, the standards and requirements have been frozen for over a decade. During that time, here is what we got in the voting systems that passed the then-current and still-current certification program:

Black-box systems that election officials can’t validate, for voting that voters can’t verify, with software that despite passing testing, later turned out to have major security and reliability problems.

That’s what I mean by a certification program that didn’t work, based solely on today’s outcome – election tech that isn’t up to today’s job, as we now understand the job to be, post-2016. We are still stuck with the standards and requirements of the process that did not and does not work. While today’s voting systems vary a bit in terms of verifiability and insecurity, what’s described above is the least common denominator that the current certification program has allowed to get to market.

Wow! Maybe that actually is a good reason to dismantle the EAC – it was supposed to foster voting technology quality, and it didn’t work. Strange as it may sound, that assessment is actually backwards. The root problem is that as a Federal agency, the EAC had been frozen itself. It got thawed relatively recently, and has been taking steps to modernize the voting systems standards and certification. In other words, just when the EAC has thawed out and is starting to re-vitalize voting system standards and certification, it is getting dismantled – that at a time when we just recently understood how vulnerable our election systems are.

To understand the significance of what I am claiming here, I will have be much more specific in my next segment, about the characteristics of the certification that didn’t work, how the fix started over a decade ago, got frozen, and has been thawing. When we understand the transformational value of the thaw, we can better understand what we need in terms of a quality program for voting systems, and how we might get to such a quality program if the EAC is dismantled.

— EJS