ttbr announcement

Debra Bowen: I don't want to wait any longer. It's been a long evening as it is. So, good afternoon or evening or whatever it is. It reminds me a little bit of our old budget negotiation days. Apologies for the delay. Believe me, it was not by design. Before I announce the actions that I have taken this evening, I want to talk briefly about the decisions and something about the rationale behind them.

The systems that we use to cast and tally votes in this state are the most fundamental tools of our democracy. And if, in this great nation, we do not have confidence, our citizens do not have confidence that elections have been correctly decided because they do not have faith in the integrity of the tools used in the conduct of elections, then elections officials have a duty to investigate the source of citizens concerns and a duty to take remedial action.

A democracy cannot long remain a democracy if a substantial number of its citizens have lost faith in the electoral process itself. I take my responsibilities as this state's chief elections officer very seriously. I am mindful of the impacts that my decisions will have on voters, on county and local elections officials, poll workers, voting system vendors, and on others in California and across the nation.

Every county's election results have consequences for the citizens of every other county. Every state's election results have consequences for the citizens of every other state. And every nation's election results have consequences for all of the people of the world. That's the nature of our independent world in the twenty-first millennium.

My first duty was to investigate, and that is what the independent researchers in the teams led by the University of California's principal investigators did under contract with this agency. The reports found security vulnerabilities in all of the voting systems tested in varying degrees. Some of those vulnerabilities have already been mitigated by local elections procedures. Some were mitigated in certain jurisdictions.

For example, Placer County has been very creative in controlling the risks inherent in early distribution of voting equipment through the use of a very simple and relatively inexpensive rolling bag that can secure all potential points of access on a voting machine with a single security seal. Some of the vulnerabilities that were uncovered were not previously known. And some of those risks can be reduced through the addition of additional procedures and mitigation.

But, the reports also found some vulnerabilities that while they might be prevented in a perfect world in which only angels inhabit the Earth, could be carried out in this world with little likelihood of detection and with dire consequences. Paper trails, audit logs, and security seals were bypassed in some of the penetration testing the Red teams conducted. And their exploits included things that could be accomplished with no knowledge of the secret computer source code.

To make matters worse, viral propagation and multi-election cycle attacks were possible, as well as exploits that might open an avenue into a system, with the avenue in and of itself being harmless, but opening a place that could be used later for nefarious purposes.

My decisions today have a bias toward the use of voting systems that, among the voting systems that are federally certified, and therefore available for use in California, score the highest on two very important measuring sticks: transparency and auditability. If we have transparency and auditability, voters do not have to trust either equipment or individuals. With proper auditing procedures using systems that voters can observe, understand, and be part of the audit of, we can begin to rebuild voter confidence in the systems that we use to conduct elections.

Before I walk through the decisions I've made, let me provide you with a few facts that should put the decisions in some perspective. First, of California's 58 counties, fewer than half rely solely on direct recording electronic or DRE machines for election day voting. Second, in last November's election, at least two thirds of the people who voted in California did so using a paper ballot.

Many used an absentee paper ballot, and voters in that category are rapidly increasing, as we all know. And many used a polling place optical scan ballot. I certainly don't want to minimize the impact or the importance of tonight's announcement, but when you look at how people actually vote in this state, more than two thirds, and probably closer to three quarters of the 8.9 million people who voted in California last November will not be affected by the DRE related decisions that I am announcing today.

One piece of technical information: Each of the systems that went through the top to bottom review has been legally de-certified and then each has been recertified, subject to a number of conditions. The primary reason for doing this is clarity. It is more straightforward under section 1922 of the elections code, and instead of bootstrapping conditions onto the old certification documents, everything is in one place, in one single recertification document that is easy for the public, elections officials, and anyone who is interested to follow and understand.

Now, my decisions. First, Diebold. Diebold's AccuVote Optical Scan System is the polling place and absentee ballot tally system that is used by a number of counties. A small number of counties use it to tally their absentee ballots. I am decertifying and recertifying that system today, subject to conditions that increase both the security and the post election auditing procedures that counties will be required to implement.

Diebold's TSX-DRE, or direct recording electronic voting system, is used in three counties as their sole voting system. Several others use it solely to provide voters with an early voting option, and additional counties use it to meet the disability access requirements of the Help America Vote Act. I am decertifying that system today and recertifying it, subject to a number of security and auditing conditions. The most significant condition is that only one machine can be used per polling place.

This will protect the progress that has been made in enabling disabled voters to cast their votes independently, which is an important goal of the Help America Vote Act. It will also significantly reduce the risks, including the risk of a type of viral attack that could move from precinct based equipment to more central equipment and from there potentially back out more broadly to precinct based equipment, with the possibility of affecting more than one election cycle. Sequoia...

Man 1: [inaudible 08:29] Now, are you saying that this one machine can only be used for accessibility [inaudible 08:35] ?
Debra: One per polling place; there is actually going to be a requirement for privacy purposes that at least five people cast a vote on that machine.
Man 1: But it is only supposed to be for accessibility purposes, or...
Debra: It is one machine, and anybody who wants to use it, may. That is currently how the equipment is used in those jurisdictions that use hand-marked optical scan paper ballots with one DRE in a polling place for accessibility. Anyone who comes in may use it. That is up to the county, but they can't discriminate.

Sequoia. Sequoia's Optech Insight Optical Scan System is the polling place system used by a number of counties.

I am decertifying and recertifying that system today, subject to conditions to increase both security and the post-election auditing procedures that counties will be required to implement.

Sequoia's AVC Edge I and AVC Edge II are the DRE systems used in more than a dozen counties as their sole polling place voting system.

Those systems are also used in a few other counties for the purpose of early voting, and in other jurisdictions for the purpose of complying with the disability access requirements of the Help America Vote act.

I am decertifying that system today, and recertifying it with a number of security and auditing conditions. The most significant is that, like the Diebold TSX, only one machine may be used per polling location.

Again, in order to maintain the gains that have been made in providing independent access to disabled voters as required by the Help America Vote Act.

As with the Diebold DRE, this reduces the most dangerous risk, corruption of software that persists across election cycles, and can affect multiple components of a voting system with access to only one point of introduction, and no knowledge of the source code underlying the workings of the voting system.

That leaves Hart InterCivic. According to information provided by the counties, Hart's Ballot Now optical scan system is a polling place that is used by one county. I can't vouch for the accuracy of that, but that is the information I have.

I am decertifying and recertifying that system, again, subject to the conditions to increase both security and post-election auditing procedures that counties will be required to implement.

Hart's eSlate, as their DRE, is used in a couple of counties as the sole polling place voting system. It is also used in some counties for early voting purposes, and in some counties for disability access.

I am decertifying that system today, and recertifying it with a number of security and auditing conditions. Unlike the conditions that I am applying to the Diebold and Sequoia DRE systems, there is no one machine per polling place limitation attached to the Hart eSlate DRE.

That is because the architecture of the Hart system makes it less susceptible to multi-election cycle attacks or multi-component attacks.

For example, the central tally component of that system is less vulnerable to viral corruption through the introduction of malicious code at a single polling place or through a single piece of equipment.

Let me move to the security conditions, which will be applied to each system, and they are laid out in the security documents. My office will also begin the process of creating regulations that put these security conditions and some of the auditing practices into regulation.

Security conditions include items that will apply across the board, such as re-flashing or re-installation of the firmware or the software in all voting system components.

This is necessary, because there is no way for us to assure - particularly given some of the security practices surrounding some of this equipment - that there has not already been contamination or an attack that would be viral in nature.

Security conditions include: Removing, blocking, or disabling access to unneeded ports on machines, hardening servers to improve security, following vendor recommended or required security protocols, banning all modem or wireless connections regardless of their purpose in order to prevent connection to an unauthorized computer network or the Internet, all of which would pose significant additional security risks, and security seal and chain-of-custody provisions, some of which already exist. Some of which will be new, based on additional vulnerabilities that were discovered in this review.

The recertification conditions require the county registrars working with their vendors to submit a security plan to my office within 45 days from now, detailing how they propose to meet the requirements laid out in the recertification documents.

In order to use the systems that are being recertified tonight, counties will need to have a security plan that is approved by my office. I intend to provide assistance to counties that work collectively in vendor system user groups to encourage the sharing of best practices.

This is one in a number of places where, rather than specifying a list of detailed conditions in the recertification, I will make it subject to future approval, and I will rely on the experience of local elections officials to develop the security plans.

I also expect to make accommodation for the varying needs of small counties and large counties in this context. I have also referred to new auditing conditions. The basic auditing conditions to which each system will now be subject are also laid out in the recertification documents.

And the audit plans, like the security plans, will draw on the experience of county user groups. There is one specific enhanced audit requirement that is called out in the recertification.

And it is intended to compensate for the fact that I have allowed the use of certain DRE equipment that has certain security vulnerabilities that I have spoken of earlier. There will be a 100 percent manual count for all ballots cast on a Diebold or Sequoia DRE used in an early voting or polling place setting.

In a polling place setting, since jurisdictions may only use one machine per polling place, this should be a fairly simple matter.

Even in the early voting setting, when I reviewed the number of ballots cast in early voting in Los Angeles in the November election of last year, it was just under 25,000, or a little over one percent of the two million ballots cast over all of Los Angeles County.

In line with the report of the post election audit standards working group that I established a while ago, I will establish escalation procedures to ensure that more auditing is done in close races. What this means is that the closer the election, the tighter the scrutiny will be. This is already the practice in some places, where the number of ballots that are counted manually is increased for a particular contest when it falls within previously specified parameters. For example, within 50 votes, or within one half of a percent.

I have not yet set those thresholds; I will do that after consulting with county registrars and other election jurisdictions.

Again, the goal is to focus the additional work of increased audits on the races where there is the greatest likelihood that the discovery of errors would lead to a correct result.

I look forward to working with the counties to develop the details of these auditing procedures, as well as the security plans. Before I open this for questions, let me address one other voting system issue. And that is the ES&S InkaVote Plus.

There has been some discussion about the ES&S InkaVote Plus system, which is used in Los Angeles County in particular, to comply with the disability access requirements of the Help America Vote Act.

As many of you know, ES&S ignored my March demand, repeated in April, May, and June, that it submit its system, which it does intend to have Los Angeles County use in 2008, to the top-to-bottom review. ES&S eventually submitted the InkaVote Plus system to the review, more than three months late. By that time, it was too late for the UC teams to include it in the first round of the top-to-bottom review.

Therefore, based on ES&S's failure to submit the InkaVote Plus system, to provide information, equipment, and funding in a timely fashion, as required by the previous administration's certification of the system, as well as on Elections Codes section 19222, which allows me to withdraw approval of any voting system, or any part of a voting system that is defective or proved otherwise unacceptable, I am decertifying the InkaVote Plus system, without recertification at this time.

ES&S did finally submit the source code, the required funding, and the relevant disclosure documents necessary for the InkaVote Plus to go a review, and I will begin that review as soon as possible. Assuming that it passes the review, the InkaVote Plus system can be recertified, potentially subject to new use conditions dealing with security and auditing, in time to be used in Los Angeles County by the February primary election.

In closing, I want to reiterate what I began with, which is, I don't take any of these decisions lightly. That is the main reason it took this long to come down. We have had a compressed time frame in which to evaluate a great deal of comment that came in on Monday that has come in at the public hearing, and that has come in through the website, and in the mail everyday since then.

My decisions do reflect a bias towards optical scan systems. These systems are not perfect, as the source code and Red Team reports demonstrated. The software suffers from many of the same flaws as the software in the DRE machines. However, they have two fundamental things in their favor. They are more transparent, and they are significantly easier to audit.

This is a technology that has been long-used in many contexts, and there are well-known protocols for dealing with auditing, errors, and so forth. So, it makes our task, and the task of elections officials much easier.

The other distinction drawn is between the Hart DRE, and the Sequoia and Diebold DREs. As I stated, this comes down to the architectural features of the Hart system that reduce its vulnerabilities to a viral attack introduced by a person who has access solely to the eSlate DRE while the polls are open. Plus, those architectural features significantly reduce its vulnerability to viral corruption of the voting system's central tally component through the introduction of malicious code at a polling place.

The central tally, of course, is of central importance because all of the votes cast in a particular jurisdiction go through that system at the precinct level. Tampering or errors could result in very disturbing errors in the election, but the damage, as you might imagine, at the central tally level is much more serious.

In many ways, I think that voters and counties are the victims of a federal certification process that has not done an adequate job of assuring that the systems that have been made available are secure, accurate, reliable, and accessible. The studies that have been done since certification by the independent testing authorities of some of these systems have found a significant number of flaws, and particularly security vulnerabilities in the systems.

These systems simply shouldn't have been certified in the first place. Counties relied on that certification, as did the state, for the purchase of the equipment. But, the Help America Vote Act pushed many counties into buying electronic systems that as we have seen, once again in the UC review, were not properly reviewed or tested to ensure that they protect the integrity of the vote. That is what my decisions are about tonight - protecting the integrity of the vote.

I'm sure you will ask, some of you, about the changes that counties will have to make and the cost of those changes. Fortunately, some of our California counties still have HAVA and Voting Modernization Board money that they have not yet spent.

However, I reject the notion that I should not require significant changes to be made to California's voting system, solely because we already own them. When the National Transportation Safety Board determines that a car is unsafe, it orders a recall. It doesn't wait until the car maker has sold enough cars to earn a return on its investment before ordering the recall.

Similarly, when NASA discovers a flaw or a potentially safety concern in the space shuttle, it doesn't continue launching missions until it has amortized the cost of building the shuttle. It scrubs the mission and fixes the problem.

My view is that this is the standard we should apply for voting system reliability, security, accuracy, and accessibility. We have to assure that our voting systems are secure, accurate, and reliable; and they shouldn't be used solely because we've already funded them.

Much of what we know now was not known when that first round of HAVA purchasing took place, and I'd like to see counties held harmless for what they could not have known.

As voting system vendors take a look at what to do next, not just in California, but across the nation, they would do well to take some cues from the auto industry. And it's not just because I grew up in Illinois and Michigan that I keep referring back to the auto industry, but it is a lifetime of experience.

Today's auto industry winners are those who looked ahead, and worked to meet people's desire for vehicles that are reliable, and have a lighter environmental footprint. In the voting system industry, it is my belief that long-term winners are going to be those companies that look ahead, and see what more and more voters want: systems that are transparent and auditable.

It is interesting, with each passing election in California, that we see more and more voters choosing to vote by absentee ballot, yet many voting system vendors seem focused on continuing to manufacture polling place DRE systems that are more expensive, less transparent than optical scan systems, and that overall, have a shrinking place in the California electorate.

I believe that using optical scan systems the polling place will always be more acceptable to the public because the ballots they produce are on tangible paper and are easier to understand, to recount, and to audit. The technology is simply better developed. Most vote-by-mail ballots are also tallied by optical scan machines, which means that a jurisdiction can use the same counting mechanism for all ballots, regardless of whether cast at the polling place, or mailed in.

Further down the road, the public's clearly expressed desire for transparency will lead to more and more voters who demand to see and review the source code used in these systems. That kind of review, in addition to better federal testing, would have led to a very different result, with regard to the initial purchase of these systems.

It is my hope that voting system vendors will, starting tomorrow, begin to evaluate the competitive advantage that could accrue from moving to open source software, which takes openness and transparency to a new level, as well as providing a built-in mechanism for discovering problems with the software, and correcting them at an early stage.

That's it. I'd be happy to answer any questions...



Transcription by CastingWords