Branscomb Comments on VVSG 2.0 Principles and Guidelines for EAC May 29 Deadline

Public Comment on the VVSG 2.0 Principles and Guidelines by Harvie Branscomb, http://electionquality.com

Major topics:

  1. Need for VVSG
  2. Transition strategy from 1.0 to 2.0
  3. Relationship of P&G to Requirements
  4. Relationship of requirements to test assertions or test procedures
  5. Need for balancing of Principles
  6. Scope of VVSG – need for clarity and eventual expansion of scope
  7. Role of Glossary
  8. Process to create P&G and Requirements
  9. Process to coordinate Glossary
  10. Process to create test plans
  11. Decentralization of testing
  12. Role of Commissioners in requirements and future P&G
  13. Need for broad based review and input for update of requirements
  14. Discovery, appeal methods for updating requirements
  15. Defects and strong points of principles
  16. Missed opportunities- effects of input from existing legacy vendors
  17. Need for realistic interpretation of Guidelines
  18. Relative need to support future v. existing technologies and methods
  19. Inconsistencies with usage of “cast”
  20. Inadequate and restrictive usage of the singular phrase “ballot”
  21. Potential risk of nebulous definition of E2E
  22. Potential risk of failure to fully support MMPB
  23. Huge benefit of election record transparency
  24. Claims that stand as obstacles to ballot transparency
  25. Need to define substantive, not absolute ballot anonymity
  26. Separation of systematic against self-identified risks to anonymity
  27. Value in reduction of styles
  28. Means to reduce styles
  29. Potential risk of failure to fully support public transparency of records
  30. Removing the fear of multiple sheet ballots
  31. Conclusion- will we achieve the evidence based public election?

1. Need for VVSG

Manufacturers have historically guided policymaking on voting systems with innovation prior to regulation. Particular jurisdictions such as in Colorado and California have chosen to pilot and then use these technical and procedural enhancements such as early voting, sometimes before all the integrity side effects have been explored. I live and regularly witness and verify elections using credentials in Colorado, one of these early adopter states. Colorado has worked with manufacturers to introduce new vote capture and tabulation methods. And at least since 2000 academics and activists and NGOs have coordinated to invent and gain regulatory support for integrity measures before manufacturers became involved, particularly the post election audit and then the risk limiting audit.

Meanwhile convenience-seeking partisans have introduced numerous voter-centric options that decrease obstacles to vote but rely more on technology rather than citizen oversight to maintain integrity – such as vote centers and mail-in ballot. The VVSG has provided a route for coordination of the many states with the few manufacturers to begin to achieve a semblance of pragmatic uniformity or at least a path towards it.  VVSG 2.0 stands to be substantially more effective at bringing a potential Pandora’s box of diverse innovation into a coordinated environment, perhaps without simultaneously presenting an obstacle to competition or innovation. The hope is that all of these goals will be achieved. In any case, self-regulation by voting manufacturers is highly unlikely to achieve adequate results, given the diverse characteristics of the various states and the vendors, as well as the potential for dramatic change in the way we vote and the way votes might be counted. Yes, the VVSG is crucial and it is crucial that it is formulated carefully to produce the desired result.

2. Transition strategy from 1.0 to 2.0

A clever strategy is needed to motivate vendors to design for not only a static VVSG 2.0 but a dynamic set of requirements that evolve over time. It is even more important that states will write laws to cause their certification requirements to track with the federal testing guidelines without diverging too much. Some ideas heard at the Silver Spring hearing seem strongly supportable. For example, the breaking up of requirements into chunks that can be tested and adopted at different times, with separate laboratories assigned to deal with categories of requirements. That seems sensible. Incremental progress towards full commitment to the latest standard could be allowed; at the same time, component testing and interoperability testing should replace the existing monolithic requirements and full system test scenarios now in place. The idea that component manufacturers might ask for pre-testing of select portions of the standards prior to asking for federal certification seems sensible and supportable. It is also key that the requirements not present an obstacle either to innovation or competition over the long term.

3. Relationship of P&G to Requirements

I favor the idea that Principles are more like constitutional provisions while Guidelines are like legislation and Requirements are like regulations. Test assertions if necessary or perhaps just test procedures should implement a means to measure success at fulfilling the requirements; as such, Requirements must be sufficiently exact to be eminently achievable.

Clearly the Commissioners serve in the role of a constitutional convention to set the principles at the outset and to modify them as needed, presumably rarely. Probably the Commissioners with strong support from staff can adequately take care of the “legislative” level of Guidelines as well, but these deserve a regular, such as biannual, review.

Finally, the Requirements require both experience and expertise and foresight to be able to achieve the necessary pragmatism, applicability and completeness. Update of Requirements will be needed on a regular basis, at least with annual opportunity for initiation of change including from unexpected sources. Something like a review board is needed to periodically assess the success or failure of the requirements to fulfill the Guidelines, and less frequently the same for the Guidelines to adequately represent the Principles.

4. Relationship of requirements to test assertions or test procedures

The transliteration of Requirements to Test Procedures can be undertaken by subject matter experts appointed by the Commission to include reasonable oversight and review by EAC staff. The categorization of the requirements and tests into separate domains that can be served by subject-specialist laboratories can also be done by this group. Further subsets of requirements/tests could be created to allow incremental adoption of the standard to ease the transition for manufacturers.

5. Need for balancing of Principles

Fifteen principles have been identified and are about to be adopted as the constitutional foundation for voting system testing that maintains the quality and credibility of tabulation for the national election ecosystem. It is crucial to recognize that these are not orthogonal or independent and they ought not be intended to be equally prioritized. Some elements of some principles act in opposition to elements of others. The EAC will be required to assess and promulgate as policy a means for the interacting principles to be balanced. This may be the most difficult of tasks for the Commission. Likely it is a continuing endeavor that requires assessment of the result of the balancing.

6. Scope of VVSG – need for clarity and eventual expansion of scope

The current understanding is that VVSG scope is limited to “voting system” and that is arguably limited to ballot design, ballot creation and contest option presentation, capture of selections by voters, interpretation and adjudication, recording of cast vote records, tabulation, reporting of results and auditing. It is a fact that this set of functions does not describe the election system. Nor does the quality achieved in these functions necessarily result in a credibly correct election. Remote voting options and central count scenarios have caused the above list to be sadly insufficient. Questions remain about the applicability of the VVSG to the presumably voting system functions of remote ballot delivery, electronic marking, verification and electronic return.  While the draft glossary contains terms to characterize these functions, the requirements as yet are silent with respect to them.

Moreover, there are whole portions of election process outside of vote capture and counting that are ignored by the current VVSG. For example the process of determination of eligibility of selections cast by remote voters is untouched. This process is increasingly implemented with unregulated complex programmed devices that both manage and perform signature verification. These devices are connected at least periodically by internet to voter registration databases. And there is increasing use of internet and similar mechanisms to register to vote and to collect signature samples for eligibility determination. These topics are ripe for inclusion in the VVSG voluntary standards and EAC certification testing in the future. The protocol for enhancement of the VVSG must come to include these topics.

7. Role of Glossary

The glossary is the substrate of the Principles, Guidelines and Requirements. It will glue together and make sensible the many diverse requirements and will avoid uncertainty as to meaning.  Much work has been done to create unique standalone phrases to distinguish the many phases, items and entities within elections. Effort has been made to avoid confusion about terms such as the multiple meanings of “contest.” In VVSG 2.0, contest means “a single decision or set of associated decisions being put before the voters” and does not refer to the legal challenge of an election outcome.

There remain however some words that are used in competing contexts that do yet need clarification. I have been studying this topic for months and communicating with our State Audit Working Group that meets weekly to arrive at suggestions to provide to the EAC working groups. Now that a complete draft document of about 270 pages has been released this has become possible. There are dozens of places where definitions can be tightened, and requirements can be updated to use the correct phrase from the Glossary. There are places where new phrases need to be added to avoid confusion of multiple meanings. For example the phrase “ballot image” was defined to be an electronic record of all votes cast by a single voter. This definition is contrary to the common usage that refers to a depiction of one or more sides of a paper ballot. It ought to be defined that way in recognition that a cast vote record is substantially different. However the phrase “ballot image” also isn’t yet used within VVSG requirements and that suggests that improvement to requirements is yet needed to address that topic.  There are numerous cases of important phrases in the Glossary not yet used in requirements that serve as a flag to remind us that additional work on Requirements is still needed.

8. Process to create P&G and Requirements

This brings up a need for brief discussion of the process by which the Requirements came about – the public working groups should be able to bring in both existing vendor experience and also the needs of future vendors and innovators and academics and election quality advocates who are seeking policy that will define and improve election integrity. The process used to reach the current VVSG draft was far superior to previous efforts. One problem with it is that it is slow to reach a draft and slow to share it beyond a few people on a single phone call.  If the drafts could be shared instantly and constantly between all stakeholders (in reality the public) then response to observed defects could be much faster. If there seem to be stakeholders advocating opposing positions who cannot find a compromise, then the issue needs to be escalated to a more refined process that will eventually reach the Commissioners for a policy decision. Above all, it is essential that the participants in the process of developing requirements not be curtailed beyond where it is today. If anything the process should be opened to more participants.

9. Process to coordinate Glossary

The Glossary is crucial to a well understood set of Requirements. At present there are several terms that are being used for entirely different meanings that are easily confused and must not be conflated. One example, and perhaps the most important case, is the use of the word “cast” that is already well defined in the Glossary as a voter action. But in the draft requirements (yet to be finalized) the word is also used for a clearly system related action that really ought to be known as “acceptance” rather than “cast.” In this instance, the Glossary is fine but the phrase “accepted ballot” must be added to the Glossary and the word used for the system-centric contexts where “cast” is currently found.

A different instance is the case where the definition is nebulous but the meaning of the usage is consistent and clear. In this case the Glossary definition needs to be updated to be more clear. The phrase “ballot image” is of this type. The current definition of “ballot image” includes all digital representations of voter intent including visual and cast vote records. It ought to be clarified. The EAC should take care to be sure that these types of instances are taken care of. To do this each word in the Glossary needs to be checked to see if it is properly used in the requirements and in the Principles and Guidelines. In many cases I have found the words in the Glossary are not yet used in the draft at all. For a number of these, it seems likely that the requirements should include reference to very important concepts. In other cases, the Glossary can be trimmed to remove the words and phrases. The appropriate process for this improvement of the Glossary is to take each word and locate its usage in the drafts and then decide if any action needs to be taken. Those of us who are looking at the Glossary are attempting to conduct this research for key words that matter to our area of expertise. The results of that work can be made available to the NIST coordinators and the working groups as appropriate and we shall endeavor to do so.

10. Process to create test plans

One of the less discussed topics is how the test plans will be created – but this discussion did take place in Silver Spring. It seems clear that “test assertions” may not be needed as an intermediary step between requirements and test procedures. If enough care is taken in writing the requirements, the test procedures can be created in a direct relationship with each requirement. This will however require enough specificity and clarity of each requirement, and that means they should be written in a direction and with an intention to be turned into quantitative metrics.

11. Decentralization of testing

A correlate to the decoupling of the standards to allow for component testing is a decoupling of test procedures into specializations. As made clear in Silver Spring, it does not make sense to expect a test lab to be proficient at testing all modalities of voting system function. Please do explore ways to separate different proficiencies into separate labs. Also it makes sense as suggested in Silver Spring to have a pre-test opportunity that is entirely optional to the vendor and can be accomplished at any time prior to the onset of final certification test. Also the results of these pre-tests should be applicable to the future certification decisions if appropriate.

12. Role of Commissioners in requirements and future P&G

I believe it is a mistake to remove the Commissioners entirely from the path to decide the requirements and the test plans. This is because inevitably policy decisions must be made – even decisions that appear to be substantially technical in nature. Without a stable administrative decision-making capability, some requirements may end up crippled by excess influence by some faction of stakeholders such as the vendors who have existing investments and may exert pressure for retaining the status quo.

13. Need for broad based review and input for update of requirements

What is obvious in the requirements that are in the draft today is that they are already inadequate to test devices and processes already being sold to election jurisdictions. And there are limitations built into the requirements that will cause problems for jurisdictions that are faced with the need to use multiple sheet ballots and who are moving toward remote voting and central count. These topics will be discussed separately. But the net result of the observation is that the requirements will need frequent review and improvement and a broad spectrum of influences will be needed to prevent the requirements from just reiterating existing designs and procedures familiar to the vendors and to officials with more simple election environments than others. We in Colorado have been at the edge of the state of the art now for a few years and are seeing side effects of innovations that need to be accommodated in the requirements. The EAC must prepare a system to evaluate the quality and fit of key requirements and subject these to excellent, frequent, broad-based oversight.

14. Discovery, appeal methods for updating requirements

It makes sense to have a periodic review of the pragmatic effect of existing requirements, both those recently put in place and previous versions of VVSG that may still be the target of testing. Obviously any deprecation of previous requirements will be resisted by manufacturers at least until they decide to end of life the last system that depends on it. This will present serious policy concerns that the Commissioners will have to administrate. On the other hand, requirements that as written stand in the way of innovation or simply are seen as obstacles to more efficient or better implementation of the principles and guidelines must be identified and treated to a reasonable process for updating that will not interfere with existing designs for a reasonable period of time. None of this seems simple to implement, yet it is important to have such a process and it must not be dominated by any specific group.

Obviously the politics of this topic are not aligned along traditional partisan lines, but rather have pockets of entrenched support by groups such as those who place disability accommodation above all other goals as compared to pragmatists who look for solutions that satisfy 95% of the population best, compared to those who seek least common denominator solutions that attempt to serve 100% and may not succeed in doing so. Commissioners will need to resolve a means to address these real differences in a way that is both sensible and reasonably equitable. And where the rubber meets the road is in the writing of the requirements. At present the principles and guidelines will not serve to provide this administration because prioritization of the principles as they become requirements will be needed. It will serve the best interests of the public if the process of balancing principles is done in public with full attention to the side effects of decisions made.

15. Defects and strong points of principles

One strong point of the principles and guidelines as written is that they probably adequately span the range of issues raised by the needs of voting systems where voting systems are confined to vote capture and tabulation. Ironically a weak point is that the scope under consideration does not include eligibility determination meaning the process and equipment involved in determining the set of ballots to be tabulated. It is essential that a future version of VVSG or an equivalent will pay attention to systems for voter check-in, eligibility determination by signature verification, etc. These are already highly computerized systems that have the potential to degrade election accuracy by poor quality design or implementation including lack of sufficient security and auditing mechanisms.

Another potential weak point is possible excess attention to security where security means primarily the blocking of access. The voting system credibility depends substantially on excellent transparency. Transparency is a major principle, but the guidelines associated with it are deficient. They seem to attend largely to the documentation of the voting system rather than the potential for public access to election records including ballots and their correlates as well as reports. This may be a reflection of the extra attention to potential Russian interference, but regardless of the reason, the effect of over-attention to security was seen in Colorado in the aftermath of the Conroy v. Dennis case and since then much more attention has been paid to accuracy and auditability of the systems as well as the potential for beneficial public access. Security provisions initially introduced after the Conroy v. Dennis decision have been moderated to account for the realities of election process. The VVSG should not go overboard in a similar manner in the aftermath of accusations of Russian interference. Commission policymaking may be needed to ensure that meaningful transparency retains its crucial place in the operation of the election ecosystem.

16. Missed opportunities- effects of input from existing legacy vendors

A read through the requirements suggests to me that there is already an embedded bias towards electronic voter intent capture in place of pre-printed ballots that are intended to be hand marked. This seems odd considering that preprinted hand marked ballots are the standard voting method in many if not most states and all mail ballot states. Vendors who sell ballot marking devices have recently been effectively marketing their electronic capture devices as a substitute for hand marked paper (e.g. Georgia) and this direction seems to be already perhaps too much reflected in the writing of many of the guidelines and the requirements as well. An example is

7.1 – The default voting system settings for displaying the ballot work for the widest range of voters, and voters can adjust settings and preferences to meet their needs. 

The original text of guideline 7.1 is obviously focused entirely on an electronic vote capture method, ignoring the comparable needs of a preprinted paper ballot. The State Audit Working Group proposes to improve Guideline 7.1 to add “ballot design and any” to “default system settings for displaying the ballot” to correct for this apparent bias against hand marked paper. There are comparable omissions found in the requirements as well. It is essential that the Guidelines not be written with a profit motivated bias, and important that the requirements to follow also do not contain a preference for electronic capture over hand marked paper.

Another problematic trend in the Guidelines and Requirements is an apparent preference for absolute and perfect solutions to the very imperfect and unpredictable variations in voter ability to operate the voting system. This is represented in the phrases such as

Principle 7: Ballots and vote selections are presented in a perceivable, operable, and understandable way and can be marked, verified, and cast by all voters.

This sentence is idealistic, as perhaps a principle should be, but it is in reality unachievable – meaning that not “all voters” will be able to mark, verify and cast a ballot that is perceivable, operable and understandable, and certainly not all will be able to do that independently of any assistance. So to be realistic, as pragmatism requires, I join others in suggesting that the phrase “widest range of voters” be substituted, as is already present in the Guideline 7.1 that immediately follows.

Lastly the Guidelines and related requirements seem to treat transparency as if it is satisfied simply by rigorous pre-printed documentation, when the greatest benefits of transparency can be obtained by public access to election evidence that substantiates an evidence-based-election.  For this reason I support others in adding the phrase “and election records” to “processes and transactions” in Guideline 3.2:

3.2 – The processes and transactions, both physical and digital, associated with the voting system are readily available and in a form suitable for inspection.

This suggested improvement to add “election records” will allow for requirements that cause ballot designs and cast vote record formats to be conveniently and inexpensively redactable to protect ballot secrecy when needed- thus allowing for maximum transparency of the fundamental records of the election to the public who own them as public records in many states. Requirements should cause voting systems to be ready to copy and export election records suitable for public consumption for situations where state law allows.

Please ensure that the process by which requirements are finalized does overcome potential bias that exists because the most frequent and steadfast participants in the working groups are members with a special interest.

17. Need for realistic interpretation of Guidelines

Guidelines that express ideals can be extrapolated into requirements that are impractical or are unrealistic. There are several of these that I can recognize but there may be others. As previously addressed, the ideal that all voters can vote both in privacy and with independence is very difficult to implement because of the diverse nature of the persons who will be wishing to vote. In some cases it may be easier for verification to be assisted by the voting system technology than for marking to be assisted.  The Commissioners might find it reasonable to opine that independent verification is more important than privacy during marking. This kind of subtlety will assist manufacturers in serving the diverse public.

Likewise, election officials find it very challenging to determine what constitutes an identifiable ballot sheet. A realistic interpretation of privacy will distinguish between systematic impingement on privacy as opposed to voter-induced risks to privacy. Once again, policy can be expressed by the Commission that will assist in the creation of pragmatic requirements from the Guidelines. While such policies could be left up to the states and some perhaps will step up to address these finer points, it will immeasurably help the voting system industry to serve the public if the EAC Commission will provide consistency and sensibility to address implementation of idealistic goals expressed in the Principles and Guidelines.

18. Relative need to support future versus existing technologies and methods

There is a considerable time delay (most likely measured in months if not years) present in the decision-making process that results in new or changed requirements and finally the test procedures. Then a product intended to fulfill the new VVSG would require perhaps a full product design cycle and then prototyping, internal vendor testing and manufacturing. Then finally an actual certification testing cycle. Because this is a long time, vendors inevitably have a strong influence over what the requirements may look like as they will likely begin these innovation steps before the requirements are written. This isn’t an ideal situation because policy follows practice and that is opposite to the ideal order of things. There is also a natural danger that the requirements will tend to cause implementation of future voting systems to resemble what is currently experienced as a voting system by those in the working groups. An alternative that is much needed is to allow requirements to exist that are broad enough to encourage development of innovative components for voting systems as some group of advocates have envisioned them. Both of these do make some sense, but there may be a need for encouragement of manufacturers and non-manufacturer innovators to bring better ideas to the EAC for inclusion in the requirements as early as possible for possible future components and systems.

Meanwhile there are already inconsistencies and obstacles to efficient and accountable and accurate systems already embedded in the draft requirements. In the following paragraphs I will address a couple of the most significant.

19. Inconsistencies with usage of “cast”

Inconsistent usage of the key word “cast” creates ambiguity. “Cast” according to the Glossary is voter-centric, an action taken by the voter. This is very sensible and should be retained. But usage in the VVSG 2.0 draft requirements in probably twenty other places refers instead to a system-centric action that ought to be referred to as “accepted,” e.g. “accepted ballot” in place of “cast ballot.” Other possible words to use to replace the system-centric meanings of the verb cast are: to “read” or to “count” or to “tabulate”. In some places “cast” is clearly used to refer to the step that creates the CVR. This step is definitely not a voter action and not consistent with the Glossary definition. The appearance of “cast” within the three word phrase “CVR” is also sadly inconsistent, but by now unavoidable.

I recommend using the word “cast” (noun and adjective) to refer to the voter-centric event as currently defined. Then introduce a different defined word such as “accept” and “accepted” to differentiate the system-centric usage from the voter-centric. In some places, the word “counted” or “tabulated” is more appropriate than “accepted.” After casting, these system-centric actions deserve unambiguous labels. “Cast” doesn’t belong in a requirement related to system functions after the voter is no longer involved. The provisional ballot presents a particular challenge. The current draft requirements use “cast” to refer to a decision taken after the system determines the eligibility of the already voter-cast ballot that is retained under identifiable cover. The challenge is solved by adding a concept of “pending acceptance” and then “accepted” status for a ballot pursuant to research performed well after casting of the anonymous ballot in an identifiable container.

20. Inadequate and restrictive usage of the singular phrase “ballot.”

The use of the singular word “ballot” is compatible with the election phase that takes place before and during the voter act of casting. Shortly after casting, an electronic ballot might likely remain as a single unit but a paper “ballot” may separate into separate sheets, each of which is individually processed in scanning, interpretation, possible adjudication, recording as a sheet-specific entry in the cast vote record, and then subject to sampling for audit. These post casting events take place typically per ballot sheet, not per ballot. Reference to “ballot” as a unit during the post-casting tabulation phase is harmful because it implies that multiple sheets remain as a unit, even though this is very difficult for election officials to accomplish.

If the tabulator must report “cast ballots” (as current requirement drafts do specify) then the ballot must appear to the scanner as a unit even if the voter didn’t cast the complete set of sheets comprising the “cast ballot.” Remember that the scanner may not be facing the voter and will have no way to know what the voter “cast.” That situation then requires officials to fabricate missing evidence so that the full “cast ballot” is created by the time tabulation takes place. This is typically done by inserting “placeholder” sheets into any incomplete “sets of ballot sheets” prior to scanning. Treatment of a multi sheet ballot as a unit also may require draconian care in filling batches such as by increasing or reducing the length of batches to keep sheets together. Costly workload implications often pressure EOs to squeeze the contest options into a single and very long double sided sheet, creating high Ballot On Demand equipment costs and other disadvantages. Almost all references to “ballots” in tabulation ought to refer instead to “ballot sheets.”

21. Potential risk of nebulous definition of E2E

End to End is a concept that is already rolled into the VVSG draft as a separate track of requirements. This is likely to turn out to be a mistake, given so little experience with the concept at this date. Its current definition seems incomplete and unsuited to implementation:

cryptographic end-to-end voting system: A voting system that supports both voter verification and election verification.

This definition obviously relies entirely upon interpretations of “voter verification” and “election verification” and those in turn would rely upon a definition of “verification” none of which currently exist in the VVSG draft Glossary. Meanwhile, without further definition of E2E the label will be interpreted variously from time to time by various readers of the standards. E2E as an alternate voting method now exists within the VVSG as a route to avoid all the otherwise standard requirements.  This suggests to me that the EAC is largely giving up responsibility for use of methods that could be labeled E2E. If so, then I hope the magic of encryption as implemented by the manufacturers does solve the many problems inherent in making and delivering a quality voting system. On the other hand, I doubt it. This alternate path through the future requirements seems unwise, while opportunities for smaller innovations might be blocked unnecessarily.

9.1.1-B – Paper-based or cryptographic E2E system Voting systems must meet the requirements within the Paper-based System Architectures or Cryptographic E2E System Architectures section, or both.

Note here the voting system may be entirely certified under “Cryptographic E2E System Architectures” and not at all under “Paper-based System Architectures.” Apparently VVSG anticipates a new generation of paper-less voting systems certified under this separate route. At this point in time it seems premature to allow this much leeway under a federal voluntary standard. Permission to use supplementary encryption within a paper-based system to achieve better “voter verification” or better “election verification” makes more sense, but definitions and standards for voter and election verification must be set first.

Here is one more example that clarifies that the E2E route is intended as an alternative to paper (from the discussion of requirement 9.1.1-A – Software independent):

There are currently two methods specified in the VVSG for achieving independence:
* through the use of independent voter-verifiable paper records, and
* E2E cryptographic voting systems.

The introduction of “E2E” as a separate path through the requirements as opposed to a supplemental path should be revisited.

22. Potential risk of failure to fully support MMPB

There are indications that well over 50 percent of voters today are voting by hand marking on pre-printed paper – referred to in the draft Glossary as Manually Marked Paper Ballot. I have observed that in multiple locations in the VVSG draft the applicability to hand marking of paper is missing in favor of attention to electronic vote capture interfaces. One example actually in the Guidelines is here:

7.1 – The default voting system settings for displaying the ballot work for the widest range of voters, and voters can adjust settings and preferences to meet their needs. 

This Guideline clearly focuses on an electronic vote capture interface without applying the same intention to pre-printed paper as an interface. For that reason I and others have recommended to add the phrase “ballot design and” after “default” in Guideline 7.1.

There are apparently substantial differences of opinion about the relative benefits of electronic vote capture compared to paper. Without fully reiterating the arguments here, it might suffice to say that the Commissioners may have to intervene with a policy decision in order to be sure that manually marked paper remains a viable vote capture mechanism for future voting systems designed to meet the VVSG. The hand marked / machine marked argument represents another of the balancing acts that must be performed by the VVSG. In my opinion it is the success of meaningful verification of machine printed marks on paper to be tabulated that matters most in this very controversial division of perspectives. The large practical benefits of pre-printed, and if necessary printed-on-demand paper, argue strongly for keeping this vote capture method alive and well. And a well designed and implemented manual audit suffices to remedy the contribution to potential error in election outcomes that result from marginal marks that software cannot recognize. This has always been one of the biggest arguments against MMPB but the RLA or other well designed manual post election audit of paper solves that problem handily.

23. Huge benefit of election record transparency

Another sometimes overlooked potential value to be obtained from future voting systems is a fabulous opportunity that recent scanner technology is already delivering, although some state laws have yet to catch up. Modern tabulation devices produce both scanned copies of ballots and the associated cast vote records for purposes of review and comparison. Risk limiting audits conducted by officials require comparison directly to the physical paper ballot for very good reasons. In addition to election judges required to do the auditing, a few members of the public may be able to attend to verify the audit quality. But with current technology now being sold, after appropriate ballot secrecy safeguards are in place, and subject to local laws about access to records, any interested party could perform a virtual manual post election review to their own satisfaction at home, recognizing that there may be some misrepresentation of the paper by the images. This use of the ballot image is highly beneficial and can result in even higher accuracy of tabulation if the protocol for interaction of public with officials is well designed.

Unfortunately the Guidelines supporting the Transparency Principle do not yet refer to election records:

3.2 – The processes and transactions, both physical and digital, associated with the voting system are readily available and in a form suitable for inspection.

I and others from the State Audit Working Group have proposed to add the phrase “and election records” to the above Guideline in order to enable requirements that will facilitate public access to records in a form that is inexpensive, efficient, and non-interfering and involving appropriate but minimal redaction to satisfy any local ballot secrecy provisions of law.

24. Claims that stand as obstacles to ballot transparency

In a paper system of vote capture there are three classes of voter intent records potentially available for some form of release such as publication online – the simplest is the cast vote record, then the ballot images and finally the paper itself. Claims have been made that a major risk to voter privacy in the general sense and ballot anonymity most specifically is publication of these election records. The argument goes that voters need proof to show the buyer or coercer to complete the transaction and the publication of the record satisfies this need. Even the cast vote record that contains no physical space to place an extraneous mark can, it is argued, be used to message to the coercer that the service has been performed. The most often voiced concern is called “pattern voting” and the method involves a guess by the coercer that a particular pattern of votes will not exist for a given style in the election. Then if this turns out to be true and the coerced voter does vote this pattern, then the coercer learns that the coercion has been successful. It is argued that this connection between proof and success at coercion amounts to enablement.

I question the validity of this assertion as speculation. The risk of deliberately lost privacy pales in comparison to other more systematic risks to voter privacy that result from poorly designed or poorly executed election process. The mail ballot voting method itself offers ample opportunity for coercion of various types without the need for proof to be provided. A removal of the speculative channel to communicate with a coercer through the CVR doesn’t remove the same channel on paper and ballot image – and election verification by human understandable media requires access from paper to image to CVR with adequate protection for voter privacy. I suggest removal of the definition of the unused phrase “pattern voting” from VVSG because other risks are larger and more damaging because they can be exploited by many more people. The bulk of the systematic risks can be resolved through well designed systems and practices guided in part through the VVSG.

25. Need to define substantive, not absolute ballot anonymity

The quest to achieve voter privacy takes two directions – one at the moment of voting and casting the ballot. In this case physical security is the primary tool to prevent access other than by the voter to the ballot being voted. The Principle of Voter Privacy is established to address this concern.

The provision of voter privacy with respect to the evidence of the vote is treated by the Principle of Ballot Secrecy. The medium for recording the vote (e.g. the preprinted paper) may exist prior to voting and must be designed to remain anonymous, and after voting it must remain anonymous regardless of its further marking and its handling, meaning it cannot be associated with the identity of a voter other than for unavoidable reasons. “Unavoidable” is why I use the phrase “substantive identification” to describe a potent risk. After casting, the “ballot” may separate into separate sheets and each deserves separate treatment to ensure adequate anonymity. What constitutes “adequate” may be a controversial topic that requires policymaking by the Commissioners.

Absolute ballot anonymity (aka Ballot Secrecy) would if taken literally mean that the ballot may not contain DNA of the voter, fingerprints of the voter, or a recognizable tear pattern on the edge of the paper where the identifiable stub has been removed. These are mechanisms for associating a voter with a piece of paper that can be deemed unreasonable to implement and not worthy of systematic prevention. Other privacy risks involve intentional self-identification by the voter such as cryptic patterns either within the contest option target or outside of it, and the previously mentioned pattern voting channel. These are methods under the control of the voter, would only be effective if deliberately used, and leave behind evidence of their use. These should not be considered “substantive” or “significant” forms of self-identification because their effectiveness is speculative and under personal control of the voter and are harmless if used only by the voter.

Substantive forms of self-identification are names printed on the ballot outside of a write-in region, signatures and initials: the type of self-identification that could be used by any observer to associate the ballot sheet with a voter. Substantive self-identification merits a systematic remedy in the form of a reasonable means of redaction at the time the risk is discovered. Voting systems could be better designed to detect substantive self-identification and also to perform the necessary redaction, with copious opportunities for human oversight to prevent systematic obfuscation of voter intent that might occur at the same time.

26. Separation of systematic against self-identified risks to anonymity

Requirements related to Ballot Secrecy should distinguish means of substantive self-identification from any means of self-identification that is unreasonable to expect the voting system to remedy. At the same time the requirements should differentiate risks of self-identification from systematic risks to anonymity that are entirely the responsibility of the election system and its designers and operators.

Systematic forms of association of voter with a ballot sheet (out of control of the voter) deserve to be remedied in the design of the voting system as well as in its operation.  Systematic risks to anonymity are applicable to solution via the VVSG requirements even though much of the risk is added by decisions to add special district elections to ballots. Rare styles are created when the added districts have borders that do not coincide with precincts and legislative districts already required to be on the ballot.  Rare styles also result from voter options to choose vote capture methods that result in separate formats such as selections-only formats when full choice formats are prevalent or vice versa.

27. Value in reduction of styles

Rare styles result as unintended consequences of various recent enhancements to voting methods and in particular from voter convenience measures that involve options. Risks to ballot anonymity are aggravated by voter options about place and day to vote and also method of vote capture and medium of ballot return. These choices often affect both the format of the physical ballot sheet and the context in which that sheet enters the tabulation process. The decision to include on the ballot sheet districts that have ignored precinct boundaries generates as a side effect extra ballot styles often known as precinct splits. Some of these may easily become rare depending upon turnout with or without the voter options. Rare ballot styles in an election are a primary mechanism for loss of ballot anonymity and the VVSG should promote voting system designs that minimize both the number and rarity of ballot styles. One way for future systems to implement better ballot secrecy is by implementing ballot sheet styles for multi-sheet elections.

28. Means to reduce styles

Ballot sheet styles, meaning a separate ballot style per each sheet of a ballot (or corresponding portion of an electronic ballot) are not new, they are just hidden – every scanning tabulator that handles paper treats each sheet as a separate entity, and perhaps each side of each sheet as a separate entity. It is the EMS that typically assumes that each voter receives only one style in an election regardless of the number of sheets. This is actually a restriction that prevents solutions to ballot secrecy challenges and ballot style inventory challenges via intelligent pagination of elections onto multiple sheets that are allowed to be tabulated independent of one another.  Even the highly speculative pattern voting risk is reduced with independent tabulation of ballot sheets. It would be wise for VVSG 2.0 to allow election jurisdictions to take advantage of this opportunity.

The division of district contests into two separate independent ballot sheets can resolve some systematic risks to voter privacy.  Rare styles resulting from precinct splits sometimes produce a single unique ballot in an election. Contests for districts with inconveniently located borders placed on the same sheet may involve narrow intersections with few voters. Separation of incompatible contests onto a separate style sheet tabulated independently can provide a solution. This could be addressed in future VVSG drafts, including for VVSG 2.0.

A comparable means to reduce the number of styles and the number of rare styles is to make pre-election decisions about the contents of the ballot according to information to be provided by the voting system about risks to ballot secrecy based on the number of voters to be issued a given proposed style in an upcoming election. This is a service not unlike the intelligent pagination envisioned above that could resolve anonymity problems before the ballot sheets are printed.

Finally, the same information could advise legislation that creates special districts about the consequences of making their borders intersect inconveniently with already legislated borders for districts that are likely to share the same ballot sheet.
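The pre-election check and the pagination choice described in this section can be sketched as follows. This is an added example, not part of the original comment or of any VVSG text; the roster, the district names and the threshold `K_MIN` are constructed assumptions.

```python
from collections import Counter
from itertools import combinations

K_MIN = 10  # assumed minimum sheets per style (hypothetical, not a VVSG value)
DISTRICT_TYPES = ("house", "school", "fire")

# Constructed roster: (house, school, fire) district combination -> voters issued it.
ROSTER = {
    ("HD1", "S1", "F1"): 420,
    ("HD1", "S1", "F2"): 310,
    ("HD1", "S2", "F1"): 3,    # narrow intersection of school S2 and fire F1
    ("HD1", "S2", "F2"): 275,
    ("HD2", "S2", "F2"): 198,
    ("HD2", "S2", "F1"): 1,    # precinct split producing a single unique ballot
}

def style_counts(roster, sheet_types):
    """Sheets issued per style when a sheet carries only contests of sheet_types."""
    idx = [DISTRICT_TYPES.index(t) for t in sheet_types]
    counts = Counter()
    for districts, voters in roster.items():
        counts[tuple(districts[i] for i in idx)] += voters
    return counts

def sheet_report(roster, sheet_types, k=K_MIN):
    """Styles on one sheet and those issued to fewer than k voters."""
    counts = style_counts(roster, sheet_types)
    rare = {style: n for style, n in counts.items() if n < k}
    return {"sheet": tuple(sheet_types), "styles": len(counts),
            "rare": rare, "rare_sheets": sum(rare.values())}

def evaluate(roster, sheets, k=K_MIN):
    """Score a pagination: a list of sheets, each a tuple of district types."""
    reports = [sheet_report(roster, s, k) for s in sheets]
    return {"sheets": reports,
            "rare_sheets": sum(r["rare_sheets"] for r in reports),
            "styles": sum(r["styles"] for r in reports)}

def best_two_sheet_split(roster, k=K_MIN):
    """Try every two-sheet partition; prefer fewest rare sheets, then fewest styles."""
    candidates = []
    for r in range(1, len(DISTRICT_TYPES)):
        for first in combinations(DISTRICT_TYPES, r):
            if DISTRICT_TYPES[0] not in first:
                continue  # skip mirrored duplicates of a partition already tried
            second = tuple(t for t in DISTRICT_TYPES if t not in first)
            candidates.append(evaluate(roster, [first, second], k))
    return min(candidates, key=lambda c: (c["rare_sheets"], c["styles"]))

if __name__ == "__main__":
    single = evaluate(ROSTER, [DISTRICT_TYPES])
    print("single sheet:", single["styles"], "styles,", single["rare_sheets"], "rare sheets")
    best = best_two_sheet_split(ROSTER)
    for rep in best["sheets"]:
        print(rep["sheet"], rep["styles"], "styles, rare:", rep["rare"])
```

The per-sheet counts only describe anonymity if the sheets of one voter cannot be re-associated after casting, for example through batch position or a shared identifier.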

29. Potential risk of failure to fully support public transparency of records

If the VVSG serves its communities well, it will provide for means to achieve adequate anonymity to reasonably fulfill the principle of Ballot Secrecy. If so, the generic goal of voter privacy will be reached. And this achievement can and will happen in the context of an election system that provides for public access to election records such that there is little or no room for uncertainty about the outcome as determined by the process of interpreting and tabulating ballot sheets. And if successful, these published records will be human readable and understandable and not the product of clever encryption schemes meant to hide any route to discovery of identity, and schemes that when they fail, may reveal far too much.  Encryption serves well the purpose of providing what has recently been called “defensibility” of the administration of the election and its records – a way to prove that a record is identical to one that was originally subjected to a digital signature or the equivalent. This use of encryption is highly beneficial and will not stand in the way of public awareness of details of an evidence-based election.

30. Removing the fear of multiple sheet ballots

This version or another future VVSG revision could endeavor to protect election officials from the unnecessary extra costs and resulting fear of a two plus sheet ballot. Early steps to achieve multi-sheet benefits can be obtained by replacing the existing VVSG requirements on the “voting system” to report “cast ballots” with a requirement to report “tabulated” or “counted” “sheets” (assuming the ballot is on paper).

If that substitution is not made, a hidden side effect of VVSG is to favor the DRE, and the electronic ballot, and the selections-only printed electronic ballot image. In effect the VVSG will, perhaps unaware of the consequences, disadvantage a moderately sized inexpensive pre-printed hand marked full choice paper ballot sheet that many election officials now use and much appreciate. All of the above electronic examples, in contrast, naturally accommodate many contests in a single unit that could still be called a ballot in tabulation but paper is different. Multiple sheets of paper independently scanned and tabulated can provide real advantages. If the VVSG makes clear that the ballot (singular) is an identifiable item during eligibility determination and until casting, but beyond that, during all tabulation phases the ballot consists of sheets and what is to be measured and reported is how many sheets are accepted, read, interpreted, recorded, tabulated, etc. by sheet style. Of course if the ballot is a single sheet, you have a simple case still well covered by terminology.

31. Conclusion- VVSG 2.0 can help us achieve the evidence based public election

When the Commissioners and EAC staff acknowledge the many benefits of manually marked paper ballots and weigh in to make sure that they receive the attention they deserve –

-and when transparency of election records is recognized as an essential goal, not uncompromisable but of equal importance to ballot accessibility to benefit the disability community and other principles-

-and when ideals in the principles- for example ballot secrecy- are not treated as absolute requirements that must be met even at the risk of public accessibility to election records for verification-

-and when Commissioners do carefully resolve other existing technical disputes with deliberate policymaking in the interests of the public at large-balancing one principle with prioritization with respect to another-

-and when states adopt these upcoming VVSG standards and manufacturers start building to the test specifications- in either order-

-then we can expect to see evidence-based elections beginning to happen in all conforming states plus a few more in jurisdictions.

Thank you for the opportunity to provide public comment on this most important topic.
