McPherson Announces Proposal at NASS Conference

Sun Jul 23 2006 00:00:00 GMT+0000 (Coordinated Universal Time)

elections

California Secretary of State Bruce McPherson outlined a three-part plan in a recent speech to the National Association of Secretaries of State (See: "California Secretary of State Bruce McPherson Outlines Proposals to Enhance the Security, Reliability and Accessibility of Voting Systems Nationwide"). He called for more cooperation between states and the EAC in federal certification, for the EAC to make progress in their HAVA-mandated R&D programs and for a new configuration in the process of paying federal testing laboratories that conduct the federal certification process:

Secretary McPherson outlined the following three proposals in an effort to engage his partners nationwide in the improvement of the voting system certification process:

First, Secretary McPherson outlined a proposal to enhance voting system security and reliability. The proposal would call on the states to join with the Election Assistance Commission (EAC) to develop a national program to conduct a comprehensive risk analysis of voting systems as part of the federal certification process. This would enhance the already rigorous security tests that are currently done, and create a program to conduct exhaustive examinations of all potential security risks and solutions prior to system certification.

Secondly, Secretary McPherson encouraged the EAC to move forward with the research and development program that is articulated in HAVA. This effort would examine voting systems and the issues of: Security; accuracy and reliability; and usability and accessibility. For this to come to fruition, Congress would need to fully fund the mandates of HAVA and the EAC would need to have the full support of the states.

Lastly, some have criticized the federal certification process as “vendor driven” in that, the vendors choose the Independent Testing Authority (ITA) that conducts the testing for their certification and provide payment directly to the ITA. One way to improve the process would be for the EAC to establish an escrow account for the vendors during testing and to place control of the account with a separate entity, like the EAC . This would put some distance between those performing the testing and the vendor and allow the EAC to select the specific testing authority as opposed to the vendor. This proposal would do on the federal level what is now being done in California, with the state certification process.

My thoughts: The Secretary knows very well that the "rigorous security tests" done at the federal level are far from rigorous. Even with the extent of the California process, we have a long way to go towards adequately evaluating the system security of our voting systems. I think a risk assessment for each voting system would be nice to have. This would mean that in addition to a system being certified, -- which does mean something if only a small something -- there would be an assessment of the level of risk involved with the system. That kind of assessment would allow jurisdictions to evaluate systems against each other based on risk. However, I'm unclear as to who is going to do these assessments, how they'll be funded and if they'll be publicly available (they should be).

Sections 241-247 of HAVA outline a number of research and development activities that the EAC has to oversee. There are a number of deadlines involved in these sections and it is not clear to me that all the deadlines are being met. I know that the usability study from NIST was delivered on time. Certainly, some of these reports have been authored and in some cases we see hints of other reports being authored. Although the Secretary's release mentions security, accuracy, reliability and accessibility as needing attention, the R&D sections of HAVA focus more on internet voting and registration, overseas voters, electoral holidays and free postage for absentee voters.

Finally, the Secretary's escrow proposal seems half-baked. This is probably because it is only one paragraph of a summary of a speech. I would love to see a more complete proposal on this issue. Right now, it sounds as if the Secretary is proposing that a vendor that would want to have their voting system federally certified would deposit some amount of money into an escrow account with the EAC and then the EAC would choose a Voting Systems Testing Laboratory (VSTL) to do the certification. However, poorly designed voting systems take more time, more communications between the lab and the vendor and more money to complete certification. It sounds like there should also be an FDA-like process where once you submit the package for approval, there is little to no subsequent communication between the lab and the vendor with the end result being that the voting system either passes or fails (and, like in the FDA process, a vendor could pay more for an expedited certification). McPherson is right to go in this direction, but I think any plan will have to be more nuanced than is possible in a single paragraph.