EAC Guidelines for Overseas Voting Pilots
Gregory Miller
Last Friday was a busy day for the Federal Elections Assistance Commission. They issued their Report to Congress on efforts to establish guidelines for remote voting systems. And they closed their comment period at 4:00pm for the public to submit feedback on their draft Pilot Program Testing Requirements.
This is being driven by the MOVE Act implementation mandates, which we have covered previously here (and summarized again below). I want to offer a comment or two on the 300+ page report to Congress and the Pilot program guidelines for which we submitted some brief comments, most of which reflected the comments submitted by ACCURATE, friends and advisers of the OSDV Foundation.
To be sure, the size of the Congressional Report is due to the volume of content in the Appendices including the full text of the Pilot Program Testing Requirements, the NIST System Security Guidelines, a range of example EAC processing and compliance documents, and some other useful exhibits.
Why Do We Care?
The TrustTheVote Project’s open source elections and voting systems framework includes several components useful to configuring a remote ballot delivery service for overseas voters. And the MOVE Act, which updates existing federal regulations intended to ensure voters stationed or residing (not visiting) abroad can participate in elections at home.
A Quick Review of the Overseas Voting Issue
The Uniformed and Overseas Citizens Absentee Voting Act (UOCAVA) protects the absentee voting rights for U.S. Citizens, including active members of the uniformed services and the merchant marines, and their spouses and dependents who are away from their place of legal voting residence. It also protects the voting rights of U.S. civilians living overseas. Election administrators are charged with ensuring that each UOCAVA voter can exercise their right to cast a ballot. In order to fulfill this responsibility, election officials must provide a variety of means to obtain information about voter registration and voting procedures, and to receive and return their ballots. (As a side note, UOCAVA also establishes requirements for reporting statistics on the effectiveness these mechanisms to the EAC.)
What Motivated the Congressional Report?
The MOVE (Military and Overseas Voting Enhancement) Act, which became law last fall, is intended to bring UOCAVA into the digital age. Essentially it mandates a digital means to deliver a blank ballot.
Note: the law is silent on a digital means to return prepared ballots, although several jurisdictions are already asking the obvious question: “Why improve only half the round trip of an overseas ballot casting?”
And accordingly, some Pilot programs for MOVE Act implementation are contemplating the ability to return prepared ballots. Regardless, there are many considerations in deploying such systems, and given that the EAC is allocating supporting funds to help States implement the mandates of the MOVE Act, they are charged with ensuring that those monies are allocated for programs adhering to guidelines they promulgate. I see it as a “checks and balances” effort to ensure EAC funding is not spent on system failures that put UOCAVA voters participation at risk of disenfranchisement.
And this is reasonable given the MOVE Act intent. After all, in order to streamline the process of absentee voting and to ensure that UOCAVA voters are not adversely impacted by the transit delays involved due to the difficulty of mail delivery around the world, technology can be used to facilitate overseas absentee voting in many ways from managing voter registration to balloting, and notably for our purposes:
- Distributing blank ballots;
- Returning prepared ballots;
- Providing for tracking ballot progress or status; and
- Compiling statistics for UOCAVA-mandated reports.
The reality is, however, systems deployed to provide these capabilities face a variety of threats. If technology solutions are not developed or chosen so as to be configured and managed using guidelines commensurate with the importance of the services provided and the sensitivity of the data involved, a system compromise could carry severe consequences for the integrity of the election, or the confidentiality of sensitive voter information.
The EAC was therefore compelled to prepare Guidelines, report to Congress, and establish (at least) voluntary guidelines. And so we commented on those Guidelines, as did colleagues of ours from other organizations.
What We Said – In a Nutshell
Due to the very short comment period, we were unable to dive into the depth and breadth of the Testing Requirements. And that’s a matter for another commentary. Nevertheless, here are the highlights of the main points we offered.
Our comments were developed in consultation with ACCURATE; they consisted of (a) underlining a few of the ACCURATE comments that we believed were most important from our viewpoint; (b) the addition of a few suggestions for how Pilots should be designed or conducted. Among the ACCURATE comments, we underscored:
- The need for a Pilot’s voting method to include a robust paper record, as well as complementary data, that can be used to audit the results of the pilot.
- Development of, and publication of security specifications that are testable.
In addition, we recommended:
- Development of a semi-formal threat model, and comparison of it to threats of one or more existing voting methods.
- Testing in a mock election, in which members of the public can gain understanding of the mechanisms of the pilot, and perform experimentation and testing (including security testing), without impacting an actual election.
- Auditing of the technical operations of the Pilot (including data center operations), publication of audit results, and development of a means of cost accounting for the cost of operating the pilot.
- Publication of ballots data, cast vote records, and results of auditing them, but without compromising the anonymity of the voter and the ballot.
- Post-facto reporting on means and limits of scaling the size of the pilot.
You can bet this won’t be the last we’ll hear about MOVE Act Pilots issues; I think its just the 2nd inning of an interesting ball game…
GAM|out
Once again, insightful analysis by OSDV. I really enjoy reading your postings, and learn from almost every one of them.
However, need to clarify something regarding the EAC report and what the totality of legislative mandates are regarding electronic absentee voting for UOCAVA voters.
Although the MOVE Act does not itself mandate the examination of the electronic casting of voted ballots in the authorized pilot programs, the 2002 and 2005 National Defense Authorization Acts do require EAC to develop guidelines for the electronic return of voted ballots. Specifically, 42 USC 1973ff (note) states:
“(a) Establishment of Demonstration Project.—
“(1) In general.—Subject to paragraph (2), the Secretary of Defense shall carry out a demonstration project under which absent uniformed services voters are permitted to cast ballots in the regularly scheduled general election for Federal office for November 2002 through an electronic voting system. The project shall be carried out with participation of sufficient numbers of absent uniformed services voters so that the results are statistically relevant.
“(2) Authority to delay implementation.—…the Secretary [of Defense] may delay the implementation of such demonstration project until the first regularly scheduled general election for Federal office which occurs after the Election Assistance Commission notifies the Secretary that the Commission has established electronic absentee voting guidelines and certifies that it will assist the Secretary in carrying out the project. …”
That’s where we are now – EAC and NIST, supported by FVAP, are in the process of developing those guidelines. And the Pilot Program Testing Guidelines are one of the first steps in developing testable systems (in this case a kiosk-based system) that will help this process advance to full, remote PC-based electronic absentee voting guidelines.
MOVE Act then expanded on that electronic absentee voting guideline development requirement saying in Section 589(e)(1) that EAC and NIST were required to support FVAP’s MOVE Act authorized pilot programs by issuing the guidelines directed above by the 2002 and 2005 laws. The MOVE Act then goes on to say in Section 589(e)(2):
“In the case in which the Election Assistance Commission has not established electronic absentee voting guidelines … by not later than 180 days after enactment of this Act [April 26, 2010], the Election Assistance Commission shall submit to the relevant committees of Congress a report containing the following information:
“(A) The reasons such guidelines have not been established
as of such date.
“(B) A detailed timeline for the establishment of such
guidelines.”
So, it was not the MOVE Act Pilot programs that drove this EAC report, per se, but the mandate in the 2002 and 2005 National Defense Authorization Acts on EAC and NIST to provide FVAP with the electronic absentee voting guidelines for casting voted ballots by the military electronically. Finally, if one goes back and looks at the Senate and House Armed Services Committee reports as well as the Conference Committee reports, for the 2002 and 2005 National Defense Authorization Acts, the Congressional intent is clear that such electronic absentee voting systems are to be remote, PC-based electronic voting systems.
Regardless of what you think of that law mandating the development of remote PC-based systems for the electronic casting of voted ballots by military voters, that is the law, and EAC, NIST, and FVAP are obligated as federal agencies to pursue its execution.
The question is, as you well know, how?
Bob Carey
Director, FVAP
Kudos to Verified Voting’s Pam Smith and Bo Lipari for a blog posting that summarizes the comments of many of the organizations and people that provided comments.
http://blog.verifiedvoting.org/2010/05/13/531#more-531