PART III

WHAT COULD BE

Paper ballots have served our democracy well. Paper is easy to use. It is easy to check and correct. Paper carries cultural significance. It is satisfying and final to put the ballot in a box. And there have been important improvements in paper ballots: optically scanned paper is more permanent, more secure, and more quickly counted.

But paper has important limitations. In an increasingly large and diverse society, with many languages spoken and many different ballots required, paper is increasingly difficult to administer. Paper is not always as secure and indelible as we would like. It is virtually impossible for a blind person to vote without assistance. And, at the end of the day, voters may still lack confidence that their votes are counted. These limitations, though, apply to all existing technologies. Paper is merely the best of what is.

Our aim is to break through these limitations.
  • Explode the myth that you cannot see that your vote is counted. Developments in the field of cryptography now make it possible to submit information electronically and check that the information was not altered and was counted.
  • Explode the myth that electronics must be harder to use and less familiar. We should make equipment that is as easy to use as a paper clip—no instruction required.
  • Explode the myth that blind people cannot vote without assistance.
  • Explode the myth that we have to vote at an assigned polling place because of the limitations of the registration system, or that distance voting will be rife with fraud.

Electronics seems like a natural platform in which to tackle these problems. We see a promising future for electronic voting, despite its problems today. In all aspects of our society, we are still feeling our way with computers—making machines easier to use and more secure. As we come to understand computers better, electronic voting promises to break down limitations of our current voting systems. If done right, electronic voting can be friendly and familiar; it can be completely accessible; it can detect and even prevent fraud, and it can assure voters that their votes are counted.
Advances in encryption and interface design make new modes of voting possible.

Such developments are possible, but they are not within reach today. They must be the product of a long-term project of our society, a process of continual innovation and improvement in voting technology.

At the same time, we must not lose sight of what voting is about. Voting is not mainly technology.

Voting is a fundamental and special part of our society. Voting should feel like one of the most important acts that we perform, not one of the least important. If we make voting feel like another survey, it will become just that.

Voting is anonymous and private. Privacy of electronic data remains an enormous problem today; we are still figuring out the right way to provide for authentication of voters while protecting their privacy.

Voting is for everyone. We must avoid making equipment that serves as a test of computer literacy, or that makes some votes less likely to be counted. Voting is not a test. It is the way we communicate what we want our government and society to be like and to do.

Voting is administered by dedicated people, most of whom are volunteers, and at the local level.

Voting is a unique, public good. There are no other aspects of our economy or society that resemble voting. No goods or public services are analogous to the vote; no industries offer models for the voting technology industry. Because voting is a public good, there is too little money spent on administering elections and too little investment in research and development.

These social factors constrain what changes are possible, even acceptable.

But, another social aspect to voting compels us to explore fully all means of voting, from paper to the Internet. The United States has long championed democracy throughout the world. The U.S. is a model of how to run a democracy—down to the details of how to administer elections. Many American voting machine companies now sell their equipment worldwide.

Other countries may not be able to sustain a challenged election such as that in Florida without damaging the health of their democracy or even without resorting to violence.

Here we present a framework for developing future voting technology, including concrete solutions for testing and standards, for research and development, and for design improvements. We begin by presenting a general framework within which to think about voting technology.

A New Framework for Voting Technology

This section presents a new framework—a reference architecture—for voting that we feel has many attractive features. It is not a machine design, but rather a framework that will stimulate innovation and design. It is potentially the standard architecture for all future voting equipment. The ideas expressed here are subject to improvement and further research.

A Modular Voting Architecture: Overview

We call our framework A Modular Voting Architecture (AMVA). With AMVA votes are recorded on physical items we call “FROGs”—a term chosen specifically to convey no information about the physical form of the recording device. (FROG is not an acronym. A picture of a FROG was chosen as a convenient piece of clip art designed to get the reader’s mind off of a specific technology, such as paper, mechanical devices, computer screens, or voice recorders.) A FROG is more than a ballot because it contains information besides the list of votes cast. It also contains information about the official who signed in the voter, about the precinct, and about the form of the ballot. A FROG should be a physical object. It is deposited and becomes part of the audit trail when the voter “casts his or her vote.”

A central design choice for this architecture is that we separate the processes of (1) recording a voter’s choices on a FROG (capture of preference), and (2) casting the vote using the FROG as input. This separation is familiar to voters using paper ballots or optical scan equipment, but not to those who use typical DRE (Direct Recording Electronic devices) machines.

This separation is crucial. It can help reduce or even eliminate a number of problems with existing voting technology discussed in this report. These problems include security threats posed by complex electronic voting machines, the decline in openness and public control, the need for improved ballot designs, the need for more voter feedback so voters can catch errors, and obstacles to creating independent audit trails, especially on electronic machinery.
The current voting process consists of several distinct steps:

  • First, voters sign in. Three important things happen when voters sign in. They state who they are. They are asked for identification (authentication). And they are given an initialized and official ballot that contains the offices for which the voter is eligible to vote, based on the voter’s residence.
  • Second, there is a mechanism to capture voters’ preferences—for example, a paper ballot or a panel of levers or buttons. The ballot presents choices to the voter and the voter selects the preferred alternatives. We call this vote generation.
  • Third, voters confirm their selections.
  • Fourth, votes are cast. This is the critical moment for the security of the ballot. Literally, the voter relinquishes control of the vote, and gives it over to the vote management system.
  • Fifth, votes are counted.
  • Sixth, votes are audited.

Many systems combine steps two, three, and four. We think that both security and ballot design suffer as a consequence. Security suffers because too much is required of a single, increasingly complex machine.
Design and innovation suffer because the process for certifying equipment ties the ballot design to the approval of the entire machine. The design of ballots and user interfaces should evolve quickly, without being tied to certification of other parts. At the same time, we need strict standards for security of the casting device and reliability of counting mechanisms. Putting everything in one box significantly limits the ability to have the best ballot design along with high levels of security.

AMVA captures what we consider to be the strengths of both the optical scanning and direct recording electronic systems.

Though optical scan is perhaps today’s “dominant voting technology,” optical scan has its own problems, including the high cost of printing ballots, the inflexibility of the user interface, and the inaccuracy of the scanners. A good feature of optical scan is that the ballot is directly filled out by the voter and becomes part of the audit trail.

Electronic DRE machines have no printing costs and offer flexible user interfaces. When issues such as rotating candidate positions on the ballot and supporting multiple languages on a ballot are considered, it seems clear that some form of electronic vote entry is likely to become the dominant voting technology at some point. Furthermore, the cost of all forms of electronic equipment continues to drop rapidly; a machine costing $5,000 today might cost $500 in a decade.

However, electronic voting systems are likely to be complex, and complexity is the enemy of security. Such voting systems are likely to be software-based. Ensuring that software is bug-free and secure is notoriously difficult. There may be little that an election official can do beyond accepting a vendor’s “trust us” statement, an unacceptable situation.

By separating vote generation from vote casting, and having the voter transport his or her ballot on a FROG from one operation to the other, we achieve several security-related objectives:

  • First, we have the voter’s ballot recorded on a physical object (the FROG) that becomes part of the audit trail once the vote is cast.
  • Second, the certification of a vote-entry machine may have different standards than that of a vote-casting machine. The vote-entry machine might have lots of graphics-oriented software that is difficult to certify, while the more critical vote-casting machine could be exceptionally simple and easily certifiable.
  • Third, different manufacturers could produce the vote-entry equipment and the vote-casting equipment. (The recording formats and interfaces for FROGs would be standardized and public.) The ability to replace any component with a similar component from a different manufacturer (e.g., for a recount) can assist in reducing the likelihood that a corrupt vendor could bias an election.

We imagine that the election office purchases FROGs in bulk in blank, uninitialized form. Thus, FROGs may be considerably cheaper than printed paper or optical scan ballots. A blank FROG may be a blank piece of paper, a blank memory card costing twenty cents or less, or some other medium with suitable properties. We expect that some form of electronic memory will eventually be the favored representation of a FROG.

Roughly, voting with a FROG works as follows:

First, when a voter arrives at a poll site to vote, he or she identifies him or herself (and authenticates him or herself as necessary) to an election official. The election official takes a blank FROG, “initializes” it, and gives it to the voter. Alternatively, the voter arrives with a FROG.

Second, the voter places his or her FROG in the appropriate “vote-capture” equipment and makes his or her choices, which are recorded on the FROG.

Third, the voter then takes his or her FROG from the vote-capture equipment to the “vote-casting” equipment, and casts his or her vote. His or her FROG is taken hostage and retained as part of the audit trail. 

Steps 2 and 3 above should take place privately, so that the voter’s vote cannot be observed.

FROG Initialization

Initializing a FROG records on the FROG the identity of the authorizing election official. It also specifies the election and precinct, the corresponding ballot style (that is, which races and candidates are to be presented to the voter), the language to use, and what candidate rotation parameters (if any) are to be used.

The identity of the voter is not recorded. We imagine that the election official has a small device for initializing FROGs as necessary. Each election official may have a unique “key” that must be inserted in order to operate the device, which specifies the official’s identity, and which counts the number of FROGs initialized by each official that utilizes that device.

In short, initializing a FROG is similar to having ballots “printed on demand.”

Vote Generation

When a voter puts an initialized FROG into the vote entry equipment, it presents the voter with the appropriate ballot choices, and allows the voter to enter his or her selections. The voter is given generous feedback at all stages, and may change his or her vote easily.
In a paper-based system, the FROG may be a scannable paper ballot. Marking the paper ballot is the generation stage.
In an electronic system, the generation stage consists of a session at an electronic panel or with a personal computer (PC). When the voter is satisfied with his or her choices, he or she pushes a “vote-entry finished” button that causes the voter’s choices to be recorded on the FROG. The voter removes the FROG so that he or she may place it in the vote-casting equipment.

Vote Casting

The vote-casting equipment has five functions when the voter casts his or her vote.

  • The first is vote-confirmation. The FROG is “read” (scanned, electronically read, or whatever is appropriate for this form of FROG), and the voter’s choices are displayed to the voter. The voter is asked to confirm that these are indeed his or her choices. If they are not, the voter’s FROG is returned to him or her unaltered so that he or she may return to the vote-entry station.
  • The second function is vote signing. The FROG is digitally signed—a cryptographic digital signature of the voter’s choices is made by the vote-casting equipment and entered into the FROG. The digital signature key is unique to that vote-signing equipment. It identifies the machine being used and authenticates the vote as having come from that machine. Different machines use different keys. The signature does not identify the voter in any way.
  • The third function is vote copying. The equipment makes an electronic digital copy of the signed vote. This copy will be communicated later on to the recording system.
  • The fourth function is vote sealing. The FROG is “sealed” or frozen so that no further changes may be made to the ballot. With an electronic memory card FROG, a fuse might be blown that disables further writing. With paper, sealing might be more difficult to do and might have to be omitted, although laminating the ballot might serve the same purpose.
  • The fifth function is FROG capture. The FROG is taken hostage and saved as part of the audit trail.

Vote Recording

When the election is closed, the vote-casting equipment transmits the electronic copies of the votes, including initialization data and digital signature, to the recording system. Each vote-casting machine displays the number of votes it has signed and transmitted, which is recorded by the election officials. The FROG-initialization machines also display the number of FROGs they have initialized; these numbers are also recorded.

The recording system makes all votes and associated counts publicly available. The votes might, for example, be posted on the Web. Anyone can check the consistency of the counts, verify the digital signatures on the votes, and add up the totals to see who has won each race. We believe that this form of “universal verifiability” greatly enhances security and improves confidence in the result. Universal verifiability of all votes is possible today on all systems except lever machines and several models of DREs.

Until recently, Los Angeles County, California created an electronic copy of all ballots cast—the actual image of the punch cards. The ballots could be publicly inspected.

Specific Examples of FROGs

The separation between vote generation and vote casting creates incredible flexibility in the system. FROGs can be created and cast at the polling places as is currently done. FROGs might also be created remotely and then recorded at a recording or polling place.

Paper FROGs

Hand-counted paper ballots most closely approximate the system we envision. When a voter checks in, he or she is provided with a blank, official ballot. The voter goes to a privacy booth and marks the ballot to correspond with his or her preferences (vote generation).
The voter can inspect and change the ballot if needed.
When the voter is satisfied with the ballot, he or she deposits the paper ballot in the ballot box. Some ballot boxes date, time, and precinct stamp the ballot (vote casting).
This system lacks the authorization by the election official on the ballot itself.

Electronic FROGs in Precincts

When the voter checks in he or she is given a memory card, containing the appropriate information about the ballot, the precinct, and the election administrator.

The card is inserted into a slot in a PC. The PC’s screen then displays the alternatives, and the voter makes the choices. The machine records the choices on the memory card (vote generation). The voter then takes the memory card to a station with a simple card reading device and screen. This is a completely separate device. The screen displays the choices made by the voter. If the voter wishes to change the ballot, he or she takes the memory card back to the vote generation PC. If the voter wishes to cast the ballot, he or she pushes the “VOTE” button. The memory card is then locked and kept as a physical audit trail. The vote-casting machine records the votes electronically to be counted (vote casting).

Electronic voting today lacks a separate, physical audit trail, and the generation and casting stages are in a single box, which can be both less secure and more expensive.

FROGs from Anywhere

The FROG could also be a paper ballot that is printed from any computer, such as a home PC. The paper shows a list of candidates chosen, the precinct number, and other information such as the vendor’s name. The paper FROG also contains a two-dimensional bar code (like in grocery stores) that contains the same information as is printed, but in a format that is readily counted. The FROG is sealed and brought to the polling place, verified, and submitted. The polling place would be equipped with FROGs and with computers for generating votes in case the voter wanted to change the FROG prepared elsewhere.

One interesting aspect of this particular version of AMVA is, if we record the vendor name on the FROG, then vendors could be compensated on a per ballot basis. This would ensure that there was adequate money to stimulate innovation in the development of software.

Discussion

We imagine that each county could purchase the vote-casting equipment. It would consist of a very simple, very inexpensive box.
An independent research laboratory working under the supervision of a panel of security and voting experts would develop the specifications of the vote-counting box. These specifications would be public information, and the box could be built by anyone.
The vote-casting equipment would not be divided into “test” mode and “real” mode. The only difference between a “test” and a “real” election would be the cryptographic keys inserted into the device.

The vote-casting device does not need to understand the races being run and the candidates running for each race. The device merely displays the choices recorded on the FROG, which would be recorded and displayed in a standard text format, such as in the accompanying box. The voter would be able to scroll up and down if necessary to see everything.
We feel that such standardization of electronic formats for ballots will be a major step forward in the evolution of voting systems. It enables the separation of vote entry and vote casting. It provides a path towards remote voting, when and if the security of remote voting systems can be sufficiently ensured. It is both human and machine-readable, and so forms a bridge between these worlds. It enables different vendors to produce interoperable equipment for a voting system.

We repeat our previous concern that systems that do not produce a separate (preferably physical) audit trail are prone to security problems.

State of Massachusetts, Middlesex County, Precinct 11
Ballot Initialized by Election Official 10
Election Closes November 7, 2004 at 8pm EST
Ballot: MA/Middlesex/1; English; No rotation
You have chosen:
U.S. President: Mary Morris
U.S. Vice President: Alice Applebee
Middlesex Dog Catcher: Sam Smith (write-in)
Proposition 1 (Casino): FOR
Proposition 2 (Taxes): AGAINST
Proposition 3 (Swimming Pool): FOR

Similarly, we feel that monolithic systems that try to incorporate everything compromise security.
So, our design places most of the complicated user interface software in the vote-entry system, which is considered to be somewhat less “security-critical.” It does need to be reviewed, but it might be acceptable to have such a device contain proprietary code. The vote-entry system might even be run on newly purchased computers or laptops which could then be sold after the election as used equipment.

On the other hand, the security of vote-casting equipment is absolutely critical. This is the last chance for a voter to see his or her vote before it becomes a truly anonymous element in the list of votes cast. The election officials and voters must have strong reason to believe that the vote-casting equipment does not, at the last instant, change the voter’s vote just before it is cast.

For this reason, we feel that the vote-casting equipment should be totally “open source”—the software for such a machine should be publicly available. The procedures for ensuring that the equipment actually contains the published software should be public and followed by the election officials. Such machines should be very carefully certified. A county may buy several such machines for each precinct, from different manufacturers.

This division of equipment into two parts may thus solve a problem in the industry: allowing manufacturers to protect some intellectual property (the code for the vote-entry systems) while ensuring that the most security-critical portions are open-source, heavily reviewed, and highly trustworthy.

Note that the vote-casting equipment does exactly the same thing for each election: it merely displays the contents of the FROG, gets the voter’s final approval, digitally signs the contents of the FROG, and makes a copy of everything. It does not need to know anything about the particular election being run; the voter is himself taking responsibility for final approval. It does not even have the ability to change a user’s vote, if the user does not approve it; that is the function of vote entry. (Of course, we expect that some voters may not bother to read the final confirmation screen carefully; that is their choice. Indeed, we do not expect there are likely to be problems at this stage, although some voters may change their minds at the last instant or they may realize that they forgot to vote in some contest.)

The election officials can take the vote-casting equipment out of the closet, initialize it with the cryptographic signing key it is to use, and then power it on.
Of course, a voter should not be allowed to use the vote-casting equipment unless he or she has been identified as an eligible voter who has not previously voted. Some physical control of the voters at the polling place is necessary. Conceivably one could authenticate the voters at the vote-casting station, but then the issues of ballot style, language, etc. may not get handled properly, and it seems more awkward to have problems arise at this late stage if there have been problems with the voter’s registration from the beginning of the process.

The use of digital signatures is an important and critical part of this design. Anyone who could forge digital signatures could forge votes. The cryptographic digital signature keys need to be carefully managed. A reasonable extension of the basic AMVA design would allow the vote-casting machinery to simultaneously use several signature modules (e.g., each on its own memory card), so that each cast vote is signed by all modules.

In addition to the basic signature module supplied by an election official, there may be signature modules supplied by each political party. Requiring several signatures on a vote makes it much harder for a single individual to surreptitiously “borrow” the equipment and forge signed votes. The parties would keep a careful eye on their signature modules, not supplying them until just before the election and retrieving them as soon as the election was over.
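The public check described under Vote Recording (verify the signatures, compare the counts, add up the totals), together with the several-signature-modules extension above, worked in code. This is an added example, not code from the report: textbook RSA over SHA-256 stands in for a real signature scheme so that it runs on the Python standard library alone and must not be used in practice. The machine IDs, the module names, one key per module per machine, the candidate "Pat Jones", and the rule that votes cast under an official may not exceed the FROGs that official initialized are all assumptions.

```python
import hashlib
import secrets
from collections import Counter

E = 65537  # public exponent of the toy textbook-RSA stand-in (no padding; not for real use)

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin test for an odd candidate n > 3."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_keygen(bits=512):
    """One signature module's key pair: (public modulus n, private exponent d)."""
    rng = secrets.SystemRandom()
    def prime():
        while True:
            c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if c % E != 1 and is_probable_prime(c, rng):
                return c
    p, q = prime(), prime()
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(text):
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")

def sign(n, d, text):
    return pow(digest(text), d, n)

def verify(n, text, sig):
    return isinstance(sig, int) and 0 < sig < n and pow(sig, E, n) == digest(text)

def parse_frog(text):
    """Standard text format -> (authorizing official, [(race, choice), ...])."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    prefix = "Ballot Initialized by Election Official "
    official = next(ln[len(prefix):] for ln in lines if ln.startswith(prefix))
    chosen = lines[lines.index("You have chosen:") + 1:]
    return official, [tuple(p.strip() for p in ln.split(":", 1)) for ln in chosen if ":" in ln]

def audit(records, public_keys, cast_counts, init_counts):
    """Checks anyone can run on the posted votes; returns (tally, problems)."""
    tally, per_machine, per_official, problems = Counter(), Counter(), Counter(), []
    for i, rec in enumerate(records):
        keys = public_keys.get(rec["machine"], {})
        # Every module registered for the machine must have signed this exact text.
        if not keys or not all(verify(n, rec["text"], rec["sigs"].get(m)) for m, n in keys.items()):
            problems.append(f"record {i}: missing or invalid signature")
            continue
        try:
            official, choices = parse_frog(rec["text"])
        except (StopIteration, ValueError):
            problems.append(f"record {i}: unreadable ballot text")
            continue
        per_machine[rec["machine"]] += 1
        per_official[official] += 1
        tally.update(choices)
    for machine in sorted(set(cast_counts) | set(per_machine)):
        if per_machine[machine] != cast_counts.get(machine, 0):
            problems.append(f"machine {machine}: valid records do not match reported count")
    for official, found in sorted(per_official.items()):
        if found > init_counts.get(official, 0):
            problems.append(f"official {official}: more votes cast than FROGs initialized")
    return tally, problems

TEMPLATE = ("State of Massachusetts, Middlesex County, Precinct 11\n"
            "Ballot Initialized by Election Official {official}\n"
            "Ballot: MA/Middlesex/1; English; No rotation\n"
            "You have chosen:\n"
            "U.S. President: {president}\n"
            "Proposition 1 (Casino): {prop1}\n")

def build_demo_election():
    """Constructed sample data: two casting machines, two signature modules each."""
    modules = {m: {mod: toy_keygen() for mod in ("official", "party-A")} for m in ("M1", "M2")}
    cast = [("M1", "10", "Mary Morris", "FOR"), ("M1", "10", "Pat Jones", "AGAINST"),
            ("M2", "12", "Mary Morris", "FOR")]
    records = []
    for machine, official, president, prop1 in cast:
        text = TEMPLATE.format(official=official, president=president, prop1=prop1)
        sigs = {mod: sign(n, d, text) for mod, (n, d) in modules[machine].items()}
        records.append({"machine": machine, "text": text, "sigs": sigs})
    public_keys = {m: {mod: n for mod, (n, _) in mods.items()} for m, mods in modules.items()}
    return records, public_keys, {"M1": 2, "M2": 1}, {"10": 2, "12": 1}

if __name__ == "__main__":
    print(audit(*build_demo_election()))
```

A copied record carries valid signatures, so only the comparison against the recorded counts catches it.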

Of course, signatures work with paper systems also. The election officer might stamp all of the relevant information on the top of the ballot. When the vote is cast, the ballot is placed in a paper sleeve that only shows the top part. The election administrator would then sign the top of the ballot without observing the votes to certify that everything about the ballot (precinct, etc.) is correct.

The voter’s anonymity is nonetheless protected. His or her ballot is identified only by the name (or identification number) of the election official who authorized him or her to vote, and the identity of the vote-casting machine that digitally signed his or her vote. As long as a reasonable number of voters fall into each such bin, anonymity is ensured.

Some care needs to be taken with write-in votes; this issue will be addressed in a longer description of this system. The problem is that a voter might tag his or her vote by his or her choice of a write-in. This, of course, can happen today.

A Process for Innovation

Brazil faces problems with the administration of elections that dwarf those experienced in the 2000 election in the U.S. Low literacy and poor local election management have undercut public confidence in Brazilian elections, and have produced several highly controversial elections. In the 1990s, the Brazilian government responded by creating an engineering consortium devoted to the development of new voting equipment for the country. The consortium consists of engineers and designers employed in two separate activities: equipment development and equipment testing. The development group creates reference platforms. Any vendor can bring its machines to be tested and to bid for the national election contract. The degree of testing minimizes the need to set standards.

Although the system in Brazil is not flawless, that country has made enormous improvements in its electoral system, thanks in large part to public investment in research into voting systems. We envision a similar investment in the United States.
To our thinking, there are three problems that public investment should tackle.

  • First, the rate of lost votes attributable to machines in the U.S. is much too high. Our goal is to eliminate lost votes. That means that voters should not be confused or intimidated, ballots should be readable, and touchscreens should be easy to use. The rather high residual vote rate for electronic equipment (2.5 percent for president and 5.5 percent for Senate and governor) is especially alarming. This equipment needs improved ballot designs and user interface designs.
  • Second, voter registration systems are much too prone to error. Federal funds should target the development of software and database designs suitable for the widely different implementations of voter registration systems. Again the goal should be to reduce the errors in these databases substantially, say from one in five registrations to fewer than one in one hundred. If we could develop registration systems with errors on the order of one in one hundred and equipment with vote loss on the order of one-quarter of one percent, we could regain almost all of the four to six million lost votes detailed at the beginning of this report.
  • The third reason for a significant public investment today concerns the future. The United States has evolved over the last century a robust voting system. Actual aberrations due to equipment are statistically rather small, one in fifty, though emotional distress over these aberrations can be significant. Why then does anything need to be done at all? Because the Internet and other new communication and computing technologies are potentially disruptive, their potential should be captured and directed. New technology should not be developed without thorough analysis and design input from those who use equipment—voters and administrators.

Past history has shown that the introduction of new technologies takes place rather slowly, giving them time to evolve true best practices that then become benchmarks. Recent history has shown that electronic and software technologies evolve so rapidly that standards must be developed in parallel. So should it be with voting systems.

We propose a process for enabling the voting system to evolve more rapidly than it might otherwise.

AMVA is, we believe, a significant step in the right direction. By separating vote casting from vote generation, we can significantly enhance the security of electronic voting. By separating vote generation from vote casting, we can allow user interfaces and ballot designs to evolve under a separate process designed to maximize ease-of-use and accessibility. But even within this system innovation must occur.

There are three key elements to a process of innovation: laboratory research, field tests, and standards. The discussion that follows focuses on voting equipment. All we say can equally apply to systems and software for voter registration or to systems for Internet voting.

Establish a National Elections Research Lab

The federal government should establish a National Elections Research Lab or program, along the lines of that in Brazil.
The goal of this program is to foster the development of better voting equipment and voting systems. This is not a certification laboratory.

An important enterprise of this lab is to try to “break the systems” and to suggest improvements to machine developers. Knowing how a system can be broken is a key to its evolution. Companies need to know the weaknesses of specific designs so they can improve on those designs. Election officers need to know the weaknesses of equipment so they can watch for problems and administer equipment properly.

With this goal in mind, the program will have four main functions.

First, it will develop reference platforms for equipment and software. For example, the program may set up grants for the development of ballot toolboxes, which could be used by administrators to format ballots for all electronic devices, or grants for devices designed to allow blind people to vote without assistance.

Second, the program will work with industry to develop equipment and software for specific purposes. For example, the program might enlist an independent lab to assist a company in optimizing the user interface design on a new electronic voting machine.

Third, the program will test equipment to give feedback to the industry about the performance of its equipment, prior to any certification. The labs associated with the program will conduct human testing of all new voting equipment, as they would be used during a real election. All information from these tests will be conveyed to the firm that developed the equipment.
Information from these tests will be publicly available.
The lab will make suggested improvements for problems detected during tests.

Fourth, drawing on its experience the lab will consult with the relevant standards setting agencies about appropriate guidelines for equipment, ballot designs, and software.
There are many ways to structure such a program. It may, for example, be a single industrial or university laboratory dedicated to voting systems.

We envision a program involving several labs, coordinated by a single, public agency, such as the National Institute of Standards and Technology (NIST), and that relies on existing research organizations. There are several key components to a national program.

First, a group of existing laboratories (say three-to-five) will be involved. These are existing organizations, such as industrial labs and universities, that already have expertise and administrative structures for equipment design and testing. Large land grant universities seem like natural places to locate such activities.

Second, a coordinating agency, such as NIST, will develop designs and oversee tests, to ensure quality, fairness and openness.

Third, a coordinating committee, consisting of the labs and the agency, will develop protocols for testing. 

Fourth, the program will draw on a wide range of expertise. The labs should draw on their resident expertise in engineering, psychology, design, and testing. They should also involve election administrators and industry in the development of equipment.
Industrial laboratories and universities offer a particularly fruitful ground for this sort of research. They provide an administrative structure for laboratory research at relatively low cost. They can draw on the creativity of researchers working on related subjects. Voting technology, after all, draws on a wide range of expertise—mechanical engineering, political science, operations research, computer science, and cognitive psychology. 

Research conducted in independent laboratories is ideal for exploding myths about voting and exploring entirely new ways of voting. An example is research begun by Ted Selker and a team of students at the MIT Media Lab to develop new equipment. They have devised a scheme for converting existing computers to voting machines. That is described in the inset box.

Industrial labs and universities are classic incubation sites. Research laboratories can help to create uniform functional requirements. These can be used to develop new equipment guidelines and standards, and to inform the certification process generally. If uniform functional requirements can be found, there is a better chance that new technologies and companies will be created to hasten the evolution of the voting process.

THE MULTI-PURPOSE VOTING MACHINE
Currently, the business of voting companies is to sell to local governments computers that are devoted exclusively to voting. These computers are used two or three times a year, at most, and then warehoused. Because of the costs of acquiring these voting computers, local governments tend to keep voting equipment for a long time—too long to take advantage of technological innovations.

At the same time, local governments are struggling to maintain the newest computer technology in the public schools.
Perhaps an innovative model of voter technology could address two problems at once—providing the latest technologies to both voting officials and the public schools.

Suppose every four years a county purchased a voting system whose computing power came from personal computers? For instance, a vote generation station could include a box that contained all the innards necessary to be used as a personal computer. The only difference would be that, as delivered to the voting officials, the box would be connected only to peripheral devices that are associated with a voting station, such as a touchscreen to display ballots and a memory card reader/writer (to accept “FROGs”). The box would come loaded only with an operating system and software associated with the function of the system as a vote generation station.

After the election, the computers could be configured to function as conventional school PCs. The vendor would install the necessary connectors, peripherals, operating systems, and software, as part of a comprehensive service contract.
Such a scheme would require funding from state and federal sources. It would require a degree of coordination between school and voting officials.

Still, a model such as this addresses several current difficulties in the voting technology industry. It provides a mechanism to encourage a steady stream of income to the voting equipment industry and smoothes out costs over time. It would encourage the much larger educational software and computer industry to invest in voting technology innovations. It delivers to voting officials a physical and software system that can be certified as “clean” before the election season, yet allowing sharing with other public functions. It provides an attractive alternative use of the computing equipment outside the election season. And it would encourage everyone associated with a large segment of the public sector—the K–12 educational system—to take an active interest in improving voting technology.

Field Testing Voting Equipment and Standard Ballot Formats

The federal government should establish a program for field testing all voting equipment and standard ballot formats.
Equipment vendors face two big problems getting their equipment from the development stage into the field.

First, it is difficult to demonstrate the performance of new equipment; there does not exist a system for testing equipment on real voters. Some vendors now try to do their own pilot or demonstration tests.

Second, most counties are skeptical about new machines and reluctant to upgrade. It takes years of “selling” to convince counties that they should use a vendor’s machines. As a result, vendors have less incentive to invest in ballot design and user interface equipment.

We are particularly concerned about the future of voting equipment. There is a strong push to upgrade equipment today, from the older systems of punch cards and lever machines, to scanners and existing DREs. Massive purchases today could kill innovation five years out, because counties will have recently purchased equipment. The purchasing of equipment is very lumpy (like other durables), and in five years there may be so little demand for new equipment that innovation withers. We might, then, be left with, perhaps, the best of what is available today. But we will have lost out on the incredible promise of technologies on the threshold of development.

We envision a system of testing that happens each time a vote is cast. Right now, the equipment is tested each time a voter casts a vote. Unfortunately, little use is made of this information, unless there is a sensational election, as in Florida, that provokes a call for new equipment.

How can we exploit the fact that each vote is a test to develop a true testing program, a program of use to machine developers and county officials alike?
We envision three equal partners in the testing program: the federal government, the local governments, and the industry.

  • First, the federal government should establish innovation grants to local governments. The federal government will pay for pilot projects to test competing technologies of interest to a local community.
    (This project might be called the Federal Election Equipment Pilot Program, or FEEPP.)
  • Second, each local government using a FEEPP grant will set aside a number of precincts (depending on county population) and conduct a simple experiment.
    In each of these pilot program precincts the local government (not the industry) will conduct the election on several different types of equipment. If there are five DRE (Direct Recording Electronic devices) vendors competing, then all five machines will be set up in the precinct. Voters will be randomly assigned to machines. The performance of the machines (residual votes, time it takes to vote, etc.) will be compared. The FEEPP grant will pay for the machines and the set up and administration. The government may contract out to an independent agency (a testing institute or lab) to run the experiments.
  • Third, vendors will participate only indirectly in the program. The federal government will purchase equipment from the vendors directly, but vendors will not conduct their own trial elections. Vendors will no longer have to bear the cost of such demonstration projects. Participation in the program might be a condition for certification.

The federal agency overseeing the FEEPP will prepare a report on each election’s experiments and on each equipment model used. The report will include measures of machine performance and exit surveys of voters. In addition, the agency will post all “ballots” cast so that they can be studied by the industry and election officials to learn about the performance of equipment. An appropriate federal agency to oversee this project may be the NIST.

There are several immediate benefits to such a program.

  • First, it creates real tests. Real voters are involved, and equipment is used in the precinct. We view this as far superior to the current testing regime.
  • Second, it gives vendors and election officials a lot of information about equipment. It does not disqualify equipment the way that the existing certification process does. Instead, it gives vendors an incentive to improve on a design.
  • Third, it is fair. Some vendors run carefully controlled demonstration projects in counties to show that their equipment works. We worry that some of these projects may be “loss leaders,” involving considerable investment by the vendors to oversee the election so that nothing goes wrong. Some counties now run equipment “bake offs.” Competing vendors are asked to prepare equipment for a demonstration project. Not all vendors compete equally in such competitions; those who have already sold equipment to the county have an edge.
  • Fourth, it is informative. This program exploits the information that can come from many different counties testing equipment at once. If the typical county has five precincts testing equipment, with four hundred voters each, and one hundred counties test equipment in an election, then 200,000 votes can be observed. This is enough to measure residual vote rates associated with machines and other measures of performance.
    It is not feasible to run laboratory experiments of an appropriate magnitude to get the same information. The situation today is even worse than the laboratory experiment design. Counties typically have vendors show their wares at public meetings; no attempt is ever made to measure the performance of the machines.
  • Fifth, it is not disruptive. The experiment involves a handful of precincts within a county, and the counties are distributed across the states.
  • Sixth, it gives counties an incentive to innovate. Some counties today are clearly leaders in technology adoption. They get no compensation for being the guinea pigs. The FEEPP gives all counties the incentive to innovate, and spreads the cost of the innovation around. In addition, this program avoids the uncomfortable situation that we are in today regarding federal and state compensation for equipment. In the Florida legislature, representatives from counties that had already purchased optical scanning equipment objected to the legislation proposed by the Governor’s Select Task Force on Election Reform, because that legislation offered to pay for an upgrade from punch cards to optical scanning, but it did not compensate counties already using scanners.
  • Seventh, the proposed program gives vendors the incentive to innovate and protects them from the risks associated with “reluctant counties.” Vendors get paid for the equipment used in these tests. They must demonstrate to counties only that their equipment is worthy of consideration in the tests. If the vendor’s equipment consistently performs badly, it will not be used on a wide scale and will soon be dropped from the testing program.

Most importantly, we feel that this program will force developers to design equipment with voters and polling place operations in mind. The bottom line is that the equipment must work for the voters, and this program puts that objective in the fore.

Setting Standards

Third, the federal government should create and operate a National Election Standards Commission to use historically proven methods to develop standards.
Standards commissions, such as those run by the American National Standards Institute, have unparalleled experience in the area of getting often disparate groups to come together and develop a standard that still gives much room for technological innovation and differentiation.

This commission should draw on expertise in industries outside of voting, such as banking, that face similar problems making millions of secure and reliable transactions as well as expertise within the voting area, especially that of local election administrators.
The commission should continually review both existing systems and the performance of the standards themselves.
We consider the content of such standards in the next section.

Standards and Testing

What are Voting System Standards and Testing?

Standards are guidelines that voting systems must meet to be acceptable for use in elections, to insure accuracy and security. Voting system standards are documented protocols that set the minimum requirements for the functional, hardware, and software specifications of these systems. Voluntary voting system standards currently exist at the federal level, and over half the states have adopted these standards.

Standards also establish a testing regime for voting systems.
The functional specifications of the existing standards cover the basic tasks that a voting system must perform: preparation of the system for an election, the conduct of the election, tabulation and auditing of an election, preservation of records of the election.

Security, accuracy, and integrity of the electoral process are the goals for functional specifications.

Hardware specifications cover the basic physical parameters of voting systems. Generally speaking, hardware specifications cover issues like the physical characteristics; the overall design, construction, and maintenance requirements for a voting system; and the ability of the system to withstand various physical stresses associated with use and storage.

Goals for hardware specifications include durability, reliability, maintainability, availability, and transportability.

Software specifications cover the components of the voting system that make the hardware work—ranging from ballot construction to storage of ballot data.
Software requirements typically specify software design and coding requirements (including both the types of languages that software should be written in and various types of desirable attributes for proper coding practices), documentation of the software, storage requirements for data, and auditability.
Given these functional, hardware, and software standards, there are three levels to the existing testing regime.

  • First, voting systems are submitted for basic qualification testing by independent testing authorities. Qualification testing is the first hurdle that voting systems pass to be certified for use in most states; it is where voting systems are shown to comply with the voting system standards currently in place, as well as the system’s own requirements.
  • Second, individual states may then require their own certification tests.
  • Last, acceptance tests are then performed by the local election officials, who test systems based on their own requirements to insure that systems meet local regulations, laws, and election practices.

Current standards request re-testing of voting systems if modifications are made to hardware or software, but are not clear as to what constitutes a sufficient “modification” to require re-testing.

Where did the Current Voting Systems Standards and Testing Come from?

Until 1990, there were no national standards for voting systems. There was no systematic process of testing, and no guidelines that states or local election officials could use when deciding to purchase and to deploy new voting systems. Voting systems have become increasingly complex and expensive, thus necessitating the development and implementation of standards and testing protocols.

In 1975, a joint effort between the National Bureau of Standards and the General Accounting Office’s Office of Federal Elections produced the first national effort at developing and implementing national standards. This joint effort focused on the accuracy and security of computerized voting systems, and the report that was issued in March 1975 (“Effective Use of Computing Technology in Vote-Tallying”) articulated that one of the basic problems with this technology was the lack of evaluative standards and testing procedures for election systems.

This 1975 report led Congress to task the Federal Election Commission (the agency that the General Accounting Office’s Office of Federal Elections turned into) and the National Institute of Standards and Technology (NIST) to produce a study about the feasibility of developing voluntary standards and testing procedures for voting systems. These agencies produced their report in 1984, titled “Voting System Standards: A Report on the Feasibility of Developing Voluntary Standards for Voting Equipment.” Based on the recommendations in this 1984 report, the Federal Election Commission immediately began to devise national standards and testing procedures.

In 1990, the Federal Election Commission published their standards and testing protocols for punch card, optical scan, and DRE (Direct Recording Electronic) voting systems, in a report titled “Performance and Test Standards for Punchcard, Marksense, and Direct Recording Electronic Voting Systems.” These standards and testing procedures have become the basis for state certification of voting systems in most states.

The current process, established by the National Association of State Election Directors (NASED), seeks to facilitate the evaluation of voting systems by independent testing authorities. Wyle Laboratories is the one independent testing authority certified by NASED to test voting system hardware. NASED has a voting system committee that oversees the voting systems testing process. Currently the Federal Election Commission standards and testing procedures are being rewritten and a revision is expected in January 2002.

Suggestion to Improve Current Standards and Testing

The existing standards process is a step in the right direction, but it does not cover many of the problems that we have detected.

  • First, the standards do not apply to the way voters use machines or the way machines are actually set up in the precincts.
  • Second, the standards tie the electronic user interface to the components for casting the vote, because the focus is on a single box. This slows down the development of the user interface, and puts the onus on NASED to certify a very complicated piece of machinery.
  • Third, important things are not reviewed currently, including ballot and user interface designs, auditability, and accessibility.

Within the existing standards framework we recommend several immediate changes.

Include Real Voters in Testing Process

The existing testing protocols all focus on hardware and software testing in a laboratory environment. The testing is of votes that machines generate, not of votes generated by people. For example, a machine scores the punch cards or the optically scanned ballot. Then, the counting device processes the machine scored cards. Similarly, touchscreen computers are run in a “test” mode in which the machine generates the choices. This practice tests the counting device under ideal circumstances; it is a good first level performance test.

Hardware and software must be tested on samples of human subjects—likely voters—in scientifically controlled settings. For example, people may not darken optically scanned ballots as cleanly as machines do, and as a result the performance of the counter will be significantly worse than the test performance. We recommend human testing and reporting of the human test results alongside the machine test mode.

Test Equipment as It Is Set Up and Used at the Polling Place

At one public demonstration, we witnessed a set of daisy-chained DRE machines fail because of loose cables connecting the equipment to a central server. When someone shook the cables all of the counters on the machines reset to zero.
Events such as this one should never happen, and equipment susceptible to such problems should never be certified. The problem is that the equipment is not tested as it is set up in the polling place.

Require that All Non-interface Software Be Open Source

All non-interface software must be open source, for the security reasons discussed earlier.

Re-test Systems after Field Use

Systems must be re-evaluated after use in the field.
How does a typical voting device from a vendor’s system perform after a certain number of uses by voters or local election officials? Is there a degradation in performance, and is it acceptable? We do not know, for example, how long electronic equipment lasts.

Perform Random System Audits

End-users of voting systems must randomly select some set of units from their voting system to be disassembled and closely inspected after each election. This machine audit would be conducted to insure the integrity of the voting system.
These are changes that can be made within the existing framework. Over the long-run, we believe that a new process for developing standards is needed.

Separate the Certification Process for Ease of Use and for Security

Testing of a single box that is used to generate votes and cast them is suboptimal. Desired changes in the user interface may be slowed by the prospect of subjecting the entire machine to certification again.
Uncoupling these two standards steps will speed up the certification process. It will allow user interfaces to evolve quickly. It will allow developers to maximize the security surrounding the casting and counting of votes.
Separating the certification for different aspects of voting will also encourage interoperable equipment, with one vendor providing certified user interfaces and another vendor providing certified vote-casting devices.

Develop New Testing Protocols and Guidelines for Ease of Use of Ballots and User Interfaces

Clear and consistent guidelines for ballot design and user interface design are needed.
Interface designs must be tested on human subjects in scientifically controlled settings.
In general, we think guidelines are more appropriate than standard specifications for user interface and ballot design. Graphical design and ease-of-use are complicated areas. Guidelines would help manufacturers and counties. In the case of A Modular Voting Architecture (AMVA) system, the standardized ballot interface is that seen by the voter when he or she confirms and casts the vote. The clarity of that interface must be tested and then standardized.

Develop a Standard Process for Review of Ballots and User Interfaces

We feel the review of ballots and user interfaces could be done most effectively at the state level. 
We recommend the following criteria:

  • First, use clear and simple language. For example, “Write-In” confuses some voters. “Someone Else” is preferable.
  • Second, make actions clearly distinguishable. One problem with lever machines is that it is difficult to distinguish the offices because there are no breaks between the levers.
  • Third, map actions to choices clearly. The problem with the butterfly ballot was the confusing mapping of actions to choices.
  • Fourth, make it easy and obvious how to change your choice. Some DREs are difficult to use because it is unclear how to undo what you have chosen.
  • Fifth, clearly indicate what voters have done.

In addition, every effort should be made to make all precincts accessible. This may mean developing specific equipment designed to make it easy for blind people to vote. It might also mean developing a secure absentee voting process for people with disabilities.

Develop Hardware and Software Specifications for Vote-Casting Devices

Specification of the vote-casting components will allow for greater security. All software used for casting and counting votes must be open source.

Create a New Standard for Redundant Recordings 

All voting systems should implement multiple technological means of recording votes. For example, DRE/touchscreen systems should also produce optical scan ballots. This recount redundancy insures that independent audit trails exist post-election, and it helps insure that if fraud or errors are detected in one technology there exists an independent way to count the vote without running another election.

Develop Standards for Voter Educational Material

The materials used to instruct voters how to vote should be tested for clarity and effectiveness.
These tests should be used to develop standard instructional materials.

Create a National Elections Standards Commission

The federal government should create a National Elections Standards Commission along the lines of those run by the American National Standards Institute to use historically proven methods to develop new standards for voting equipment.

Standards and testing procedures must be flexible and adaptable. The standards and testing process should not slow or stifle technological innovation. Standards commissions, such as those run by the American National Standards Institute, have unparalleled experience in the area of getting often disparate groups to come together and develop a standard that still gives much room for technological innovation and differentiation.

Information and Openness

Open information helps to ensure the integrity of the electoral system. Registration rolls are public documents, subject to public scrutiny. Voters present themselves to the check-in desk at a precinct by announcing their name publicly to be recorded by official poll workers and party “poll watchers.” At the end of the day the precinct is secured and those present, including rank-and-file voters if they wish, witness the counting of the ballots. Preliminary counts are reported to local government offices where they are reported almost immediately to the public and the press.
Precinct tallies are kept by local governments and available for inspection by citizens.

When viewed from the most local of perspectives, the precinct, information concerning the conduct of elections is exceptionally open. Yet as we have studied the electoral system from a national perspective, we have also experienced how short a distance information about the local conduct of elections travels. Precinct tallies are filed in boxes, accessible only to people who can physically travel to court houses and town halls. Information about machine malfunctions is trapped in internal memos and the local election office oral tradition. Reports of administrative innovations in the conduct of elections are contained in courthouse chatter.

The conduct of elections would be significantly improved in the United States if the amount of locally produced information about election administration were more broadly and systematically collected and reported to the public, to the press, and to election administrators nationwide. Broad dissemination to the public would help reassure voters about the integrity of the system and help expose those areas where the system has broken down or could be improved. A broader dissemination to the national election administration community would help them gather together the best practices of their colleagues. Information about equipment acquisitions and performance will lead to better informed decision making about equipment turnover and replacement. Better information of this kind will give counties, especially small counties, more equal footing in bargaining with vendors about equipment and services.

What information needs to be more widely available?
The following information is generated—or in principle could be generated—at the local level in the regular conduct of elections. All of it is valuable in assessing the performance of the system.

Vote outcomes should be reported by individual precincts, for all contests. Total votes cast by all methods should be reported. Also, precincts should produce detailed reports of the votes cast by method—absentee, early, and in precinct.

Each precinct should report the total number of voters who cast a ballot in each precinct, not simply the number of people who cast a legal ballot for individual offices. Blank ballots, overvoted ballots, and otherwise spoiled ballots should be reported as separate categories for each contest. These totals should be balanced at the end of the day, at the precinct, county, and state levels. For each precinct and for each race the total number of voters who cast a ballot should equal the valid ballots plus the overvoted ballots, plus the otherwise spoiled ballots for that race. These “balance sheets” should be reported separately for onsite, early, and absentee categories. They should also report the number of people who were turned away from each precinct, and the reasons why. Jurisdictions that rely on provisional ballots should report the number of such ballots that were eventually allowed and the reasons why provisional ballots were rejected.
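The balance-sheet check described above, written out as an added example (this is not code from the report): it tests each precinct line, rolls lines up to the county level, and compares the roll-up with totals a county published. Field names, the "Adams" county and all counts are constructed; treating blank ballots as their own term in the balance is an assumption, since the text lists them as a separate category but does not name them in the sum.

```python
from collections import defaultdict
from dataclasses import dataclass

METHODS = ("onsite", "early", "absentee")  # categories the text reports separately
COUNTS = ("ballots_cast", "valid", "blank", "overvoted", "spoiled")


@dataclass(frozen=True)
class BalanceRow:
    """One balance-sheet line: one contest, one precinct, one voting method."""
    county: str
    precinct: str
    method: str
    contest: str
    ballots_cast: int  # voters who cast a ballot, not votes counted for the office
    valid: int
    blank: int         # assumption: blank ballots are their own term in the balance
    overvoted: int
    spoiled: int       # "otherwise spoiled"


def check_row(row):
    """Return a list of problems found in a single balance-sheet line."""
    problems = []
    if row.method not in METHODS:
        problems.append(f"unknown method {row.method!r}")
    for name in COUNTS:
        if getattr(row, name) < 0:
            problems.append(f"negative count in {name}")
    accounted = row.valid + row.blank + row.overvoted + row.spoiled
    if accounted != row.ballots_cast:
        problems.append(
            f"out of balance by {row.ballots_cast - accounted:+d} "
            f"(cast {row.ballots_cast}, accounted {accounted})")
    return problems


def audit(rows):
    """Map (county, precinct, method, contest) to its problems, if it has any."""
    findings = {}
    for row in rows:
        problems = check_row(row)
        if problems:
            findings[(row.county, row.precinct, row.method, row.contest)] = problems
    return findings


def roll_up(rows, by=("county",)):
    """Sum precinct lines to a higher level, keeping method and contest apart."""
    totals = defaultdict(lambda: dict.fromkeys(COUNTS, 0))
    for row in rows:
        key = tuple(getattr(row, f) for f in by) + (row.method, row.contest)
        for name in COUNTS:
            totals[key][name] += getattr(row, name)
    return dict(totals)


def compare_reported(rows, reported, by=("county",)):
    """Return {key: {field: reported - computed}} wherever the two disagree."""
    computed = roll_up(rows, by)
    zero = dict.fromkeys(COUNTS, 0)
    diffs = {}
    for key in sorted(set(computed) | set(reported)):
        mine, theirs = computed.get(key, zero), reported.get(key, zero)
        delta = {n: theirs[n] - mine[n] for n in COUNTS if theirs[n] != mine[n]}
        if delta:
            diffs[key] = delta
    return diffs


def residual_rate(totals):
    """Share of ballots cast that produced no valid vote in the contest."""
    cast = totals["ballots_cast"]
    return (cast - totals["valid"]) / cast if cast else 0.0


# Constructed sample data: two precincts of a hypothetical county.
SAMPLE_ROWS = [
    BalanceRow("Adams", "P-01", "onsite", "President", 400, 388, 6, 4, 2),
    BalanceRow("Adams", "P-01", "absentee", "President", 50, 47, 1, 1, 1),
    BalanceRow("Adams", "P-02", "onsite", "President", 380, 365, 7, 3, 2),  # 3 short
    BalanceRow("Adams", "P-02", "absentee", "President", 40, 38, 1, 1, 0),
]
# Constructed county report with two digits transposed in the onsite valid count.
SAMPLE_REPORTED = {
    ("Adams", "onsite", "President"): dict(
        ballots_cast=780, valid=735, blank=13, overvoted=7, spoiled=4),
    ("Adams", "absentee", "President"): dict(
        ballots_cast=90, valid=85, blank=2, overvoted=2, spoiled=1),
}

if __name__ == "__main__":
    for key, problems in audit(SAMPLE_ROWS).items():
        print("precinct line", key, "->", "; ".join(problems))
    for key, delta in compare_reported(SAMPLE_ROWS, SAMPLE_REPORTED).items():
        print("county report", key, "differs from precinct sum:", delta)
    for key, totals in roll_up(SAMPLE_ROWS).items():
        print(key, f"residual rate {residual_rate(totals):.2%}")
```

Passing `by=()` to `roll_up` sums every line into one statewide total per method and contest, which is the third level the text asks to be balanced.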

Following each election, local governments should report the cost of conducting the election, accounting for costs associated with different modes of conducting the election (in precincts, absentee, etc.). Counties should also report annual election administration costs, broken down by several categories—voter registration, equipment purchases and payments, equipment storage and service, polling place operations, and administrative overhead. Annual state-level expenditures by the secretary-of-state offices at the state level should be reported separately from the county expenditures.

Local officials should report the types of machines used in their jurisdiction to record and count ballots. This should include the vendor, machine vintage, and machine brand name.
Local officials should report performance-related issues that impede the smooth administration of elections, such as levers that jam on lever machines or optical sensors that malfunction on optical scan devices. They should also report the results of election audits they conduct, to ensure the proper functioning of the equipment.

As local governments enter into contracts with vendors to purchase or lease election equipment, requests for proposals (RFPs) and actual contracts should be reported.

Local governments currently vary significantly in the degree to which this information is made available to the public. Even such basic information as voter turnout is not uniformly available nationwide. In 2000, for instance, a dozen states did not require their local governments to report the number of voters who cast a ballot on Election Day, making it impossible to assess how many ballots went uncounted in those states. The other information listed above is generally available, for the asking. But, to gain a nationwide perspective on the performance of the electoral system, it is oftentimes necessary to ask the same question more than 3,000 times.

Therefore, the states and the federal government have important roles to play in the collection and dissemination of information about the performance of the electoral system. Because the conduct of elections is mostly a state responsibility, states can act now to improve the availability of election information from their local governments. This is the most critical—but also easy to achieve—function in the realm of reporting vote returns and machine information.

The federal government has an important role to play in the reporting and disseminating of information about the election system. The federal government can, first, help to develop uniform reporting standards, which would benefit state and local governments seeking to achieve uniformity themselves, as well as benefit national voting equipment vendors, who are in need of consistent information in order to develop and improve their products. Second, the federal government can help establish a more efficient market in information about the performance of election equipment and the fiscal administration of elections, by helping to establish a national clearinghouse of information about machine performance and vendor contracting.

Developing reporting standards and a clearinghouse for information about voting systems is a task for a federal agency dedicated to the efficient conduct of national elections. For many years, the Office of Election Administration within the Federal Election Commission has performed a similar task, but on a more limited scale than is necessary to inform counties and the public about what works and what does not. The federal government should expand the Office of Election Administration or develop a separate agency dedicated to performing the function of collecting and disseminating information about election administration.

CONCLUSION

We can cut the number of lost votes in half by 2004 with two reforms.

  • First, replace punch cards, lever machines, and older full-faced DREs (Direct Recording Electronic devices) with optical scanning systems that involve counting ballots in precincts, or with any electronic technology proven in field tests. We estimate that this would save approximately 1.5 million votes.
  • Second, make county-wide (or possibly state-wide) voter registration data available at polling places, in electronic or hard copy. Provide a fall-back system, such as provisional ballots, to allow people to vote if registration problems cannot be resolved at the polling place. More accurate and complete registration information combined with a fail-safe procedure could cut the number of registration problems by at least two-thirds, approximately two million votes.

We must spend what is needed to implement these changes. Equipment upgrades would cost about $2 per voter per year. It is harder to set a price tag on voter registration reforms. We estimate that it would cost about $2 per voter to lease laptops for election day equipped with voter registration lists and to provide for someone to operate that equipment. Total costs of these improvements come to $4 per voter per year, or $400 million per year. That is almost a fifty percent increase in election administration expenditures in the United States.
We view the price of these reforms—$4 per voter per year—as insurance: insurance against problematic elections in the future; insurance that each vote will be counted. It cuts in half the risk of a vote being lost.

Real, long-term reform is not just about choosing among existing technologies and systems. It is about capturing the great potential coming out of the current computing and communication revolution and harnessing that potential to break fundamental myths about voting.

Some day each voter will be able to verify that his or her vote was counted without compromising the security of the ballot.

Some day voting equipment will be familiar and easy, rather than unique and cumbersome.

Some day voting will be very convenient for voters and administrators—long lines and chaotic Election Day management problems will be history.

Some day the awkward problems of voter registration will be solved, and election officials can authenticate voters without a separate pre-registration.

Today, many creative people are working to develop new voting technologies. Many new machine designs are in development and many new firms are working on the problems highlighted by the 2000 election. In their promise, there are also risks. There is the real risk that machines might have many desirable features, but not really improve on what is. There is the real risk that Internet voting is compromised by a denial-of-service attack, invalidating elections throughout a state or the nation. But, we must not be deterred by these risks, because there is an even greater risk that inertia might leave us in our current dilemma. We should not tolerate things as they are; the inadequacies of our voting system threaten our democracy.

A system for design and evaluation will allow the U.S. to harness the energy from the explosion of new ideas for how we can vote.

We have developed a new framework for voting—a reference architecture—that will allow us to ensure high levels of security and stimulate the evolution of familiar and friendly ballots.
We envision a research program aimed at developing ballot designs and equipment that are easy to use and accessible to all.

We call for a process of continual evaluation of equipment, both in the laboratory and in the field, to allow for true assessments of competing technologies, but also for improvements in these technologies.
And, we see the need for the federal government to collect and disseminate information about voting equipment, systems, and contracts, to empower counties and states to make the best choices possible.

Any component of this process would likely stimulate significant improvements for the future of voting. Taken as a whole, it is a process for perfecting elections and for restoring confidence in elections in the United States.

In many ways the U.S. has been working toward such a process, through the efforts and the activities of many election officials and firms. Leadership from the Congress and the President can make this vision a reality.
