Tag Archives: HR1

Critical improvements for 2021-S.1

Blog, , , , , , , , , , , ,

TO: Honorable Senator Schumer,
Honorable Senator Merkley,
Honorable Senator Klobuchar,
Senate Rules Committee

FROM: State Audit Working Group c/o Luther Weeks Luther ‘at’ CTVotersCount.org

RE:  H.R.1/S.1 Critical Suggested Improvements                                                            3/21/2021

We write as members of the “State Audit Working Group (SAWG), an ad hoc group of individuals concerned about election integrity issues in general and election audits in particular. The SAWG has been meeting regularly via teleconferences since 2008, and has worked on recommendations from time to time such as the Principles and Best Practices for Post-Election Tabulation Audits and the EAC’s Voluntary Voting Systems Guidelines.

We write to request critical changes to H.R.1, as passed by the House, along with suggested improvements. Without a few key changes, we believe the bill might degrade election integrity and miss opportunities for improvement, rather than meet its well-intended, laudable goals. Our comments are restricted to election administration and integrity issues pp78-407 of the bill.

Attached to this letter is a list of detailed comments. Here we summarize the most critical items:

  • Requirements for grants should be stronger, to help ensure effective Risk Limiting Audits (RLAs). We suggest specific improvements to the HR1 grant requirements. Grants should be available to audit compliance and eligibility which are crucial for valid RLAs.
  • Poll books should be part of the Federal certification program, as proposed. So should other systems used to determine the eligibility of voters or ballot packets. They however, should be tested and certified separately from the voting system. Competition will be stifled if pollbooks are only tested as part of an entire voting system. Election officials will end up with fewer and less innovative purchase choices.
  • Ballots cast by an in-person voter by hand marked paper ballots may be rejected later under the current text. When a voter appears in person they must be offered an opportunity to be authenticated and, upon authentication, vote on a hand marked paper ballot  without further eligibility checks.
  • Voter Privacy / Ballot Secrecy. Ballots should never be associated with voters, thus compromising ballot secrecy There should be no unique identification numbers on some ballots for voters with disabilities. Voters should not be able to waive ballot secrecy, a collective right.
  • Voting over the internet is not secure and does not protect the secrecy of the ballot. For security and integrity, votes should not be transmitted over the internet or by other electronic means such as email or fax.

Sincerely,

Note:  All affiliations are for reference only and do not constitute an endorsement

Luther G. Weeks, Moderator, State Audit Working Group, Computer Scientist and Executive Director, Connecticut Citizen Election Audit

Harvie Branscomb, Publisher, https://electionquality.com, Coloradans For Voting Integrity

John L. McCarthy, Computer Scientist (retired), Lawrence Berkeley National Laboratory

Paul Burke, VoteWell.net

Timothy White, Election Transparency advocate, WA

Philip B. Stark | Associate Dean, Division of Mathematical and Physical Sciences | Regional Associate Dean (Interim), College of Chemistry and Division of Mathematical and Physical Sciences (ChaMPS) | Professor, Department of Statistics | University of California

Ronald L. Rivest, MIT Institute Professor

Duncan Buell, Chair Emeritus — NCR Chair in Computer Science and Engineering, Dept. of Computer Science and E, University of South Carolina

Mark Halvorson, Citizens for Election Integrity Minnesota

Rebecca Wilson, Co-Director, SAVEourVotes.org

Candice Hoke, Founding Co-Director, Center for Cybersecurity & Privacy Protection, Cleveland, OH

Celeste Landry, MS in Operations Research, voting methods researcher

Donna Price and Donna Curling, Director, Georgians for Verified Voting

Debra McDonough, PhD. Election Security Advocate, Maine

Jan BenDor, Statewide Coordinator, Michigan Election Reform Alliance

Attachment-Comments on HR1 and SR1 by the State Audit Working Group

The format of this document is to give our concern about each topic, then dotted paragraphs show relevant sections of the bill. Proposed deletions are stricken out and additions are underlined.

CONCERN: Implementation deadlines in 2022. Deadlines written in HR1 are impractical, especially with so many changes all required by 2022. Time needs to be allowed after enactment for issuing regulations, designing and certifying equipment, local budgeting, soliciting vendors, negotiating contracts, manufacturing for thousands of customers, acceptance testing with possible rejection and re-delivery, training staff and educating voters. These will be very challenging especially for states without no-excuse absentee voting and early voting, with local election management, such as the New England States. Examples of the many deadlines in 2022:

  • 10/2022* Election Day Registration for elections and every day of early voting
  • 10/2022 Early voting 15 days prior and Election Day
  • 10/2022 Processing and scanning of early voting ballots and absentee ballots must start by 14 days prior to election day.
  • 10/2022 Previous two requirements all but mandate connected ePollbooks
  • 10/2022 Absentee changes to allow all to vote by mail, no ID but signature, prohibiting notarization/witness signature, due process of signature verification, permanent absentee registration, notice and opportunity to cure. Insuring delivery of ballots requested 5 days prior to election day.
  • 10/2022 Website and tracking program for mail-in ballots.
  • 10/2022 Absentee applications, absentee ballots, and related materials accessible to individuals with disabilities.
  • 11/2022 Accepting absentee ballot post-marked by election day, for at least 10 days after election day.
  • 10/2022 Online system for requesting absentee ballots

* H.R.1 says for 11/2022 Federal elections, yet that means many of these must be in use by 10/2022 or perhaps in some cases by 9/2022

Title I—Election Access, Subtitle B—Access to Voting for Individuals With Disabilities

CONCERN: Having a unique ID on a ballot endangers ballot secrecy, but having a unique ID on the ballot return envelope is appropriate. Ballot secrecy is a cornerstone of democracy. It impedes vote buying, vote selling and coercion.  The voter can be mailed a ballot envelope with a unique ID so that the voter can return the ballot in that envelope and the Election Officials can easily know who the envelope is from and log it in. Large efforts have been made to make sure voters with disabilities can vote privately and independently. Putting an ID on a ballot would be counter to this progress.

  • SUGGESTED REVISED HR1 LANGUAGE:
  • 1101(a)(2) creates HAVA 305(d)(3) APPLICATION OF METHODS TO TRACK DELIVERY TO AND RETURN OF BALLOT BY INDIVIDUAL REQUESTING BALLOT.—Under the procedures established under paragraph (1), the State shall apply such methods as the State considers appropriate, such as assigning a unique identifier to the oath or ballot envelope, to ensure that if an individual with a disability requests the State to transmit a blank absentee ballot to the individual in accordance with this subsection, the voted absentee ballot envelope which is returned by the individual is the same blank absentee ballot envelope which the State transmitted to the individual. (p.117)

Title I—Election Access, Subtitle I—Voting by Mail

CONCERN: Voting over the internet is not secure and does not protect the secrecy of the ballot.. For security and integrity, votes should not be transmitted over the internet or by other electronic means such as email or fax.

  • SUGGESTED REVISED HR1 LANGUAGE:
  • 1621(a)(2) creates HAVA 307(d) ACCESSIBILITY FOR INDIVIDUALS WITH DISABILITIES.—The State shall ensure that all absentee ballot applications, absentee ballots, and related voting materials in elections for Federal office are accessible to individuals with disabilities in a manner that provides the same opportunity for access and participation (including with privacy and independence) as for other voters. Nothing in this subsection prevents States from requiring physical return of voted ballots. (p.198)

Title I—Election Access, Subtitle F—Promoting Accuracy, Integrity, and Security Through Voter-Verified Permanent Paper Ballot

CONCERN: Ballots cast by an in-person voter by hand marked paper ballots may be rejected later under the current text. When a voter appears in person they must be offered an opportunity to be authenticated and, upon authentication, vote on a hand marked paper ballot without further eligibility checks.  Providing an absentee ballot package that may or may not pass signature review is not sufficient; it must be a regular ballot that is offered.

  • SUGGESTED REVISED HR1 LANGUAGE:
  • 1502(a) amends HAVA 301(a)(2)(A)(i)(1) For purposes of this subclause, the term ‘individual, durable, voter-verified paper ballot’ means a paper ballot marked by the voter by hand or a paper ballot marked through the use of a nontabulating ballot marking device or system, so long as the voter shall have the option to mark by hand a ballot pre-printed with the contests and candidates, and it shall be tallied like other in-person ballots. (p.163)

CONCERN: Voter Privacy / Ballot Secrecy. Ballots should never be associated with voters compromising ballot secrecy. This bill suggests voters can waive that right. Primaries of small parties have few voters. Ballots in some languages have few voters. Some small overlapping special districts have few voters. Ballots marked by machines or by hand can be rare, depending on local choices. The election system tracks all these factors, so it could identify some voters who were the only ones casting that ballot at a particular location on a particular early voting day. Some voters sign their ballots or write themselves in as a write-in candidate; which some election officials have taken as a reason to remove transparency from vote counting, at high cost, even though any voter can put any other voter’s name on a ballot (Pat can put Kim’s name on Pat’s ballot). Options for election officials to minimize association of ballots with individuals include:

  1. Ballots do not need to identify precinct, voting location or date or voting method (e.g. provisional or absentee).
  2. English can be on the same ballot with each of the less common languages and enough English-speakers can use these ballots so users of the less common language cannot be identified.
  3. Special districts which have different boundaries can be printed on separate sheets which are scanned separately to reduce the need for rare ballot styles.
  4. Machines can mark ballots so they look the same as hand-marked ballots.
  5. Ballots with a signature or unique write-in can be recognized as not necessarily from that voter, and handled according to local law.

The clause about voter consent is a separate issue. We do not see a reason to let voters consent to changes in normal procedures or to violate secret voting. We re-word it to refer to voter’s stray marks.

  • SUGGESTED REVISED HR1 LANGUAGE:
  • 1502(a) amends HAVA 301(a)(2)(A)(i)(III) The voting system shall not design, handle or preserve the voter-verified paper ballots in any manner that makes it possible, at any time after the ballot has been cast, to associate a voter with the record of the voter’s vote; without except this prohibition shall not apply to marks made by the voters consent. (pp.163-164)

CONCERN: Counting by hand. “Count” is an ambiguous term. It is used for the enumeration of ballot sheets as well as the tabulation of vote counts on those sheets.  To make it clear what is meant, we suggest ‘interpreting’ ballots or votes rather than ‘counting’ them when interpreting marks or votes on individual ballots is meant. The original wording required counting ballots in all audits, but some audits do not involve counting or interpreting ballots, such as process audits including security audits.

  • SUGGESTED REVISED HR1 LANGUAGE:
  • 1502(a) amends HAVA 301(a)(2)(A)(iii)(I) Each paper ballot used pursuant to clause (i) shall be suitable for a manual audit, and shall to be counted interpreted by hand in any recount or audit conducted with respect to any election for Federal office. (p.164)

Title I—Election Access, Subtitle I—Voting by Mail

CONCERN: Permanent absentee status, and online and phone requests, are convenient and can seem to remove barriers in getting ballots. However, they create other barriers and issues: Lack of a recent signature means either lax review when their VBM envelope arrives, or high initial rejections of these voters’ ballot envelopes. Old signatures disproportionately harm people who have changed names, developed a disability in their hand or eyes, normally use non-Roman characters or print. Options for permanent absentee status include 6-year status, to cover three federal general elections, with reminders sent before expiration; or obtaining a recent signature, required or optional; or dropping the proposed federal requirements so states continue to  experiment. Since signature matching is imperfect, exploration of other ways to check eligibility is important.

Changing “paragraph” to “section” in HAVA 307(a) conforms with Sec. 1101(a) (p.31) which skips signature at registration, if it is obtained before voting. The original word paragraph allows signature requirements for 307(a)(2)(A), while changing it to section allows signature requirements also in the subsequent wording so 307(a)(3) and 307(c), which are all in the same section, though not the same paragraph.

When an application produces access to absentee ballots for all future elections, states should not be prevented from having a means to regularly update and authenticate the reference material used to authenticate the identity of the voter in each election, such as a stored image of a signature.

Besides creating barriers to actual voters, permanent VBM status lets ballots of the recently deceased pile up at nursing homes and assisted living, where unscrupulous people can harvest them anonymously. States need to remove dead voters promptly, such as by using the Social Security Death Index, though with due process.

  • SUGGESTED REVISED HR1 LANGUAGE:
  • 1621(a)(2) creates HAVA 307(a)(2)(A) A State may not require an individual to provide any form of identification as a condition of obtaining an absentee ballot, except that nothing in this paragraph section may be construed to prevent a State from requiring a signature of the individual or similar affirmation as a condition of obtaining an absentee ballot. (p.186)
  • 1621(a)(2) creates HAVA 307(a)(3) APPLICATION FOR ALL FUTURE ELECTIONS.—At the option of an individual, a State shall treat the individual’s application to vote by absentee ballot by mail in an election for Federal office as an application for an absentee ballot by mail in all subsequent Federal elections held in the State, and shall promptly remove deceased voters. (p.199)
  • 1621(a)(2) creates HAVA 307(c)(1)(A) State shall permit an individual— (i) to submit a request for an absentee ballot online; and (ii) to submit a request for an absentee ballot through the use of an automated telephone-based system (p.196)

 

CONCERN: Time frames before and after general elections need to be changed and/or the safe harbor day postponed. Mail service is not fast enough to ensure ballot delivery within five days. Eight or nine days would be safer. Allowing 10 days to accept mailed ballots, then 10 days to cure means audits, certifications and recounts could start after 21 days, or November 29 when election day is November 8. Furthermore these long periods put high burdens on public observers who try to monitor compliance, postmarks are not always present or readable, and dates on signatures are not always correct. Options include accepting ballots for a shorter period after election day, and providing a shorter cure period for the last ballots.

  • SUGGESTED REVISED HR1 LANGUAGE:
  • (C) ENSURING DELIVERY PRIOR TO ELECTION.—If  an  individual  who  is  eligible  to  vote  in  an  election  for  Federal  office  submits  an  application  for  an  absentee  ballot  in  the  election,  the  appropriate  State  or  local  election  official  shall  ensure  that  the  ballot  and  relating  voting  materials  are  sent to received by the  individual  at least 14 days before the election or within 48 hours of receipt, whichever is later prior to the date of the election so  long  as  the  individual’s  application  is  received  by  the  official  not  later  than  5  days  (excluding  Saturdays,  Sundays,  and  legal  public  holidays)  before  the  date  of  the  election,  except  that  nothing  in  this  paragraph  shall  preclude  a  State  or  local  jurisdiction  from  allowing  for  the  acceptance  and  processing  of  absentee  ballot  applications  submitted or received after such required period. (p.197)
  • 1621(a)(2) creates HAVA 307(e)(1)(A) the ballot  is  postmarked  or  otherwise indicated  by  the  United  States  Postal  Service  to have  been  mailed  on  or  before  the  date  of  the election,  or  has  been  signed  by  the  voter  on  or  before the date of the election; (p.198)
  • 1621(a)(2) creates HAVA 307(e)(1)(B) the ballot is received by the appropriate election official prior to the expiration of the 10-day period which begins on the date of the election. (p.197)
  • 1621(a)(2) creates HAVA 307(b)(2)(B)(i)(II) provide the missing signature or cure the other defect prior to the expiration of the 10-day period which begins on the date the official notifies the individual, or 14 days after the date of the election, whichever is first. (pp.190-191)

Title I—Election Access, Subtitle N—Promoting Voter Access Through Election Administration Improvements

CONCERN: Hotline will be a good way to collect actionable reports of fraud, machine problems and other errors as well as voter suppression.

  • SUGGESTED REVISED HR1 LANGUAGE:
  • 1905(a)(2)(C) may report information to the Attorney General on problems encountered in registering to vote or voting, including incidences of fraud, illegal or improper actions, ballot and machine issues, voter intimidation or suppression. (p.260)
  • 1905(d)(2) a compilation and description of the reports made to the service by individuals citing instances of voter intimidation or suppression, together with a description of any actions taken in response to such instances of voter intimidation or suppression; (p.264)

 

CONCERN: 30-minute waiting period is a good maximum. Officials cannot control how long people wait before polls open, but they need to open on time and have enough staff and equipment to handle those lines within 30 minutes of opening. People often come early because they have other deadlines like work.

  • SUGGESTED REVISED HR1 LANGUAGE:
  • 1906(a)(2) creates HAVA 310(a)(1) IN GENERAL.—Each State shall provide, and shall report publicly within 3 months how well it succeeded in providing, a sufficient number of voting systems, poll workers, and other election resources (including physical resources) at a polling place used in any election for Federal office, including a polling place at which individuals may cast ballots prior to the date of the election, to ensure, by written capacity plans, aside from extraordinary situations

(A) a fair and equitable waiting time for all voters in the State; and

(B) that no individual will be required to wait longer than 30 minutes to cast a ballot at the polling place while the polling place is scheduled to be open. (p.266)

CONCERN: Drop Boxes have numerous failure modes. Examples are fake drop boxes, overflowing drop boxes, failed pickup, vandalism, picked locks, misplaced ballots, missing envelopes etc.

Security video is helpful though not sufficient to provide integrity. Ideally eligibility could be determined as ballots are dropped in the drop boxes if they are attended by election officials or if the drop boxes are intelligent. The law could be improved by grants to study improvements for smarter drop boxes that can report casting of ballot packets.

  • SUGGESTED REVISED HR1 LANGUAGE:
  • 1907(a)(2) creates HAVA 311(a) REQUIRING USE OF DROP BOXES.—In each county in the State, each State shall provide in-person, secured, and clearly labeled drop boxes at which individuals may, at least 12 hours per day any time during the period described in subsection (b), drop off voted absentee ballots in an election for Federal office, and report issues with them, and the number and types of items dropped including those that are accepted and those not eligible or not properly formatted for counting. (p.271)
  • 1907(a)(2) creates HAVA 311(g) TIMING OF SCANNING AND PROCESSING OF BALLOTS. __For purposes of section 306(e) (relating to the timing of the processing and scanning of ballots for tabulation), a vote cast using a drop box provided under this section shall be treated in the same manner as mailed in ballots received by election day any other vote cast during early voting. (p.253) Accounting of the casting of the ballot packet dropped in a drop box shall be performed at least as timely a manner as for ballot packets received from the USPS. (p.275)

 

Title III—Election Security, Subtitle A—Financial Support for Election Infrastructure

CONCERN: Vendor requirements. HR1 3001(a) adds HAVA 298A(b)(2) which assigns new equipment review roles to the Technical Guidelines Development Committee. The committee does not have enough cybersecurity and infrastructure expertise to do a thorough job. Traditionally the EAC has focused on HAVA-defined voting systems, but there are many election technologies outside of the traditionally defined voting systems. These systems are critical to the delivery of our elections and also create significant vulnerabilities to U.S. elections. The new functions in 298A(b)(2) should be assigned to CISA or NIST, which have the expertise, rather than the TGDC and EAC.

CONCERN: Grants for audits. We believe requirements for grants should be stronger, to help ensure effective RLAs.  Election compliance, and decisions on voter eligibility, are necessary for effective Risk Limiting Audits (RLAs), grants should cover them. Well-designed RLAs can determine if there are significant flaws, and convince the public that these flaws exist or don’t, as the case may be.

  • SUGGESTED REVISED HR1 LANGUAGE:
  • 3011(a) creates HAVA 299(a) AVAILABILITY OF GRANTS.—The Commission shall make a grant to each eligible State to conduct risk-limiting audits as described in subsection (b) with respect to the regularly scheduled general elections for Federal office held in November 2022 and each succeeding election for Federal office. Grants for related audits, such as compliance audits and eligibility audits, are also available. (p.421)
  • 3011(a) creates HAVA 299(c) REQUIREMENTS FOR RULES AND PROCEDURES.—The rules and procedures established for conducting a risk-limiting audit shall include the following elements:

(1) Rules for setting the predetermined percentage chance of replacing an incorrect outcome, ensuring the security of ballots, publishing initial results, publishing digital signatures that authenticate electronic records and documenting that prescribed procedures were followed and observable by the public and records used are published prior to certification.

(2) Rules and procedures governing the format for and ensuring the accuracy and security of chain of custody records, ballot manifests, and ballot images and cast vote records, produced by election agencies, and for authenticating true copies, such as by digital signatures, of subsets of this data as they are produced and before data release.

(3) Rules and procedures for governing the format of ballot manifests, cast vote records, and other data involved in the audit.[merged into 2 above]

(3) Methods to ensure that any cast vote records or other subtallies subject to selection usedby the voting system to tally the election results sent to the chief State election official and they in the audit, must be made public before sample selection.

(4) Procedures for the publicly observable random selection of ballot sheets to be inspected manually during each audit. The sample of paper ballots shall be drawn from and represent all ballots lawfully cast in the election. (p.441)

(5) Rules for the calculations and other methods to be used in the audit and to determine whether and when the audit of an election is complete and when and how to transition the audit to a full hand-to-eye tabulation.

(6) Procedures to conduct full, hand-to-eye tabulation when needed, and measuring and reporting its accuracy.

(7) Procedures and requirements for testing the public to independently replicate results from any software used to conduct risk-limiting audits  including to aggregate the cast vote records or other applicable subtallies to check the correctness of the reported outcome. (p,441)

(8) Separation of Responsibilities: Neither the policy and regulation setting for the audit, nor the authority to judge whether an audit has satisfied those regulations, shall be solely in the hands of any entity directly involved with the tabulation of the ballots or the examination of ballots during the audit. 

RELATED AUDITS:

(9) Compliance audits: Procedures and documents to evaluate security, authenticity and accuracy of ballot management including a reconciliation of numbers of voters, ballot sheets and contest tallies, by ballot style if applicable. The evaluation and electronic copies of the documents used shall be published before certification of the election.

(10) Eligibility audits: Procedures to review random samples of accepted and rejected ballot envelopes, and report publicly on accuracy rates of eligibility processing. These reviews may include contacting voters.

(11) Voter registration audits: Procedures to review random samples of voters registered as of this election and voters removed from voter rolls since the last federal election, and report publicly on their accuracy rates. These reviews may include contacting voters.

  • 3011(a) creates HAVA 299(d). Add: (5) The term ‘full hand-to-eye tabulation’means hands and eyes are used to interpret paper ballots, but machines can be used for addition.

 

CONCERN: Coverage of RLAs. It would not be helpful to audit only a few higher margin federal races with wide margins. When a state gets a federal grant, it needs to audit all Federal contests within 5 years, though in the interim, they may start small.

Requiring State rules within a year of enactment is unnecessarily fast, since even federal implementing rules will take time. It is enough to have  rules within a year of getting a grant.

  • SUGGESTED REVISED HR1 LANGUAGE:
  • 3011(a) creates HAVA 299A(1) a certification that, not later than 5 years after receiving the grant, the State will conduct risk-limiting audits of the results of elections for all Federal offices contests held in the State as described in section 299;
  • (2) a certification that, not later than one year after grant approval the date of the enactment of this section, the chief State election official of the State has established or will establish the rules and procedures for conducting the audits which meet the requirements of section 299(c); (p.443)

Title III—Election Security, Subtitle D—Promoting Cybersecurity Through Improvements in Election Administration

CONCERN: In addition to poll books, other systems used to determine the eligibility of voters or ballot packets should be tested and separately certified.  Signature verification systems deal with personally identifiable information (PII), so certification may have an important role. These systems have very different issues than voting systems and need to be handled separately. It is often appropriate for eligibility systems to be connected to the internet, sometimes with wireless connectivity, unlike certified voting systems, which should not be connected to the internet nor have wireless connectivity.

To reduce barriers to entry and enhance competition, poll books and other extensions to the voting system should not be considered part of the “voting system” and should each be tested and certified separately.  Currently, voting systems are tested as a whole; in other words the EAC tests the ballot marking devices, scanners and election management systems as one integrated package, rather by component. This prevents small companies from entering the market – – they cannot enter with only one component, like a ballot marking device, so the barriers to entry are huge. This reduces competition in the industry and purchase choices for election officials. Election officials seeking a federally certified system currently can only replace a component of a voting system with a component from the same manufacturer that has been certified with that same voting system. (For those over a certain age – – imagine having a stereo system and only being able to replace the turntable with a turntable from the manufacturer that made the receiver and speakers.)  Including poll books as part of the voting system would preclude smaller, innovative companies just selling poll books, precluded from their pollbooks from being certified and, thereby, from entering the market.

Some states have requirements related to EAC certified voting systems, which should not automatically apply to these extensions, and vendors should be able to sell these extensions separately.

  • SUGGESTED REVISED HR1 LANGUAGE:
  • 3302(a)(4) creates HAVA 301(b)(2) any electronic poll book and other systems used to determine the eligibility of  voters or ballot packets, including signature verification systems, used with respect to the election. All such  components should be considered extensions of the voting system. The EAC will test and certify such extensions separately, not as part of a voting system (as originally defined in HAVA).  Such extensions are to be tested and certified separately and can be selected by States separately. The EAC shall separately test and certify components of voting systems (such as ballot marking devices, scanners and election management systems) as well as entire voting systems and shall require that components are interoperable. and (p.468)

Title III—Election Security, Subtitle E—Preventing Election Hacking

CONCERN: Bug Bounties are crucial for election security, since no company can find all its own bugs. Therefore election system manufacturers need to participate. The Defense Department’s bug bounty programs have found thousands of bugs, including “more than a hundred highly critical flaws”, so the bugs could be patched. Bug bounties have been widely used by computer companies for at least a decade, while election system manufacturers have had slow and uneven efforts.

  • SUGGESTED REVISED HR1 LANGUAGE: 3402(b) Voluntary participation by election officials and election service providers and mandatory for election system manufacturers
  • (3) Participation in the Program shall be mandatory for election system manufacturers (p.472)

 

 

HR1 deserves improvement

Blog, , , , , , , ,

2/26/2021

TO: Honorable Representative Sarbanes, 2370 Rayburn House Office Building, Washington, DC 20515

FROM: State Audit Working Group c/o Luther Weeks Luther ‘at’ CTVotersCount.org

RE:  H.R.1 Critical Suggested Improvements

We write as members of the “State Audit Working Group (SAWG), an ad hoc group of individuals concerned about election integrity issues in general and election audits in particular. The SAWG has been meeting regularly via teleconferences since 2008, and has worked on recommendations from time to time such as the Principles and Best Practices for Post-Election Tabulation Audits and the EAC’s Voluntary Voting Systems Guidelines.

We write to request critical changes to H.R.1, along with suggested improvements. Without a few key changes, we believe the bill might degrade election integrity and miss opportunities for improvement, rather than meet its well-intended, laudable goals. Our comments are restricted to election administration and integrity issues pp78-407 of the bill.

Attached to this letter is a list of detailed comments. Here we summarize the most critical items:

  • Requirements for grants should be stronger, to help ensure effective Risk Limiting Audits (RLAs). We suggest specific improvements to the HR1 grant requirements. Grants should be available to audit compliance and eligibility which are crucial for valid RLAs.
  • Poll books should be part of the Federal certification program, as proposed. So should other systems used to determine the eligibility of voters or ballot packets. They however, should be tested and certified separately from the voting system. Competition will be stifled if pollbooks are only tested as part of an entire voting system. Election officials will end up with fewer and less innovative purchase choices.
  • Ballots cast by an in-person voter by hand marked paper ballots may be rejected later under the current text. When a voter appears in person they must be offered an opportunity to be authenticated and, upon authentication, vote on a hand marked paper ballot  without further eligibility checks.
  • Voter Privacy / Ballot Secrecy. Ballots should never be associated with voters, thus compromising ballot secrecy There should be no unique identification numbers on some ballots for voters with disabilities. Voters should not be able to waive their ballot secrecy, a collective right.
  • Voting over the internet is not secure and does not protect the secrecy of the ballot. For security and integrity, votes should not be transmitted over the internet or by other electronic means such as email or fax.

Sincerely,

Note:  All affiliations are for reference only and do not constitute an endorsement

Luther G. Weeks, Moderator, State Audit Working Group, Computer Scientist and Executive Director, Connecticut Citizen Election Audit

Harvie Branscomb, Publisher, https://electionquality.com, Coloradans For Voting Integrity

Philip B. Stark | Associate Dean, Division of Mathematical and Physical Sciences | Regional Associate, Dean (Interim), College of Chemistry and Division of Mathematical and Physical Sciences (ChaMPS) | Professor, Department of Statistics | University of California

Celeste Landry, MS in Operations Research, Voting Methods Researcher since 2012, LWV of Boulder County, CO, Voting Methods Team Co-leader

Jan BenDor, State Coordinator, Michigan Election Reform Alliance

Ronald L. Rivest, MIT

Marilyn Marks, Executive Director, Coalition for Good Governance

Duncan Buell, Chair Emeritus — NCR Chair in Computer Science and Engineering, Dept. of Computer Science and E, University of South Carolina

John L. McCarthy, Computer Scientist (retired), Lawrence Berkeley National Laboratory

Paul Burke, VoteWell.net

Donna Price, Director, Georgians for Verified Voting

Neal McBurnett, Security and Election Integrity consultant, Boulder CO

Dr. Stephanie F. Singer, Hatfield School of Government, Portland State University, Former Chair, Philadelphia County Board of Elections

Debra McDonough, PhD., Election Integrity Advocate, Maine

Ray Lutz, Citizens’ Oversight Projects

Tim White, independent elections watchdog, WA state

 —

Attachment-Comments on HR1 and SR1 by the State Audit Working Group

The format of this document is to give our concern about each topic, then dotted paragraphs show relevant sections of the bill. Proposed deletions are stricken out and additions are underlined.

CONCERN: Implementation deadlines in 2022. Deadlines written in HR1 are be impractical, especially with so many changes all required by 2022.. Time needs to be allowed after enactment for issuing regulations, designing and certifying equipment, local budgeting, soliciting vendors, negotiating contracts, manufacturing for thousands of customers, acceptance testing with possible rejection and re-delivery, training staff and educating voters. These will be very challenging especially for states without no-excuse absentee voting and early voting, with local election management, such as the New England States. Examples of the many deadlines in 2022:

  • 10/2022* Election Day Registration for elections and every day of early voting
  • 10/2022 Early voting 15 days prior and Election Day
  • 10/2022 Processing and scanning of early voting ballots and absentee ballots must start by 14 days prior to election day.
  • 10/2022 Previous two requirements all but mandate connected ePollbooks
  • 10/2022 Absentee changes to allow all to vote by mail, no ID but signature, prohibiting notarization/witness signature, due process of signature verification, permanent absentee registration, notice and opportunity to cure. Insuring delivery of ballots requested 5 days prior to election day.
  • 10/2022 Website and tracking program for mail-in ballots.
  • 10/2022 Absentee applications, absentee ballots, and related materials accessible to individuals with disabilities.
  • 11/2022 Accepting absentee ballot post-marked by election day, for at least 10 days after election day.
  • 10/2022 Online system for requesting absentee ballots

* H.R.1 says for 11/2022 Federal elections, yet that means many of these must be in use by 10/2022 or perhaps in some cases by 9/2022

Title I—Election Access, Subtitle B—Access to Voting for Individuals With Disabilities

CONCERN: Having a unique ID on a ballot endangers ballot secrecy, but having a unique ID on the ballot return envelope is appropriate. Ballot secrecy is a cornerstone of democracy. It impedes vote buying, vote selling and coercion.  The voter can be mailed a ballot envelope with a unique ID so that the voter can return the ballot in that envelope and the Election Officials can easily know who the envelope is from and log it in. Large efforts have been made to make sure voters with disabilities can vote privately and independently. Putting an ID on a ballot would be counter to this progress.

  • SUGGESTED REVISED HR1 LANGUAGE: 1101(a)(2) creates HAVA 305(d)(3) APPLICATION OF METHODS TO TRACK DELIVERY TO AND RETURN OF BALLOT BY INDIVIDUAL REQUESTING BALLOT.—Under the procedures established under paragraph (1), the State shall apply such methods as the State considers appropriate, such as assigning a unique identifier to the oath or ballot envelope, to ensure that if an individual with a disability requests the State to transmit a blank absentee ballot to the individual in accordance with this subsection, the voted absentee ballot envelope which is returned by the individual is the same blank absentee ballot envelope which the State transmitted to the individual. (p.103)

Title I—Election Access, Subtitle I—Voting by Mail

CONCERN: Voting over the internet is not secure and does not protect the secrecy of the ballot.. For security and integrity, votes should not be transmitted over the internet or by other electronic means such as email or fax.

  • SUGGESTED REVISED HR1 LANGUAGE:1621(a)(2) creates HAVA 307(d) ACCESSIBILITY FOR INDIVIDUALS WITH DISABILITIES.—The State shall ensure that all absentee ballot applications, absentee ballots, and related voting materials in elections for Federal office are accessible to individuals with disabilities in a manner that provides the same opportunity for access and participation (including with privacy and independence) as for other voters. Nothing in this subsection prevents States from requiring physical return of voted ballots. (p.181)

Title I—Election Access, Subtitle F—Promoting Accuracy, Integrity, and Security Through Voter-Verified Permanent Paper Ballot

CONCERN: Ballots cast by an in-person voter by hand marked paper ballots may be rejected later under the current text.. When a voter appears in person they must be offered an opportunity to be authenticated and, upon authentication, vote on a  hand marked paper ballot  without further eligibility checks.  Providing an absentee ballot package that may or may not pass signature review is not sufficient; it must be a regular ballot that  is offered.

  • SUGGESTED REVISED HR1 LANGUAGE:1502(a) amends HAVA 301(a)(2)(A)(i)(1) For purposes of this subclause, the term ‘individual, durable, voter-verified paper ballot’ means a paper ballot marked by the voter by hand or a paper ballot marked through the use of a nontabulating ballot marking device or system, so long as the voter shall have the option to mark by hand a ballot pre-printed with the contests and candidates, and it shall be tallied like other in-person ballots. (p.149)

CONCERN: Voter Privacy / Ballot Secrecy. Ballots should never be associated with voters compromising ballot secrecy. This bill suggests voters can waive that right. Primaries of small parties have few voters. Ballots in some languages have few voters. Some small overlapping special districts have few voters. Ballots marked by machines or by hand can be rare, depending on local choices. The election system tracks all these factors, so it could identify some voters who were the only ones casting that ballot at a particular location on a particular early voting day. Some voters sign their ballots or write themselves in as a write-in candidate; which some election officials have taken as a reason to remove transparency from vote counting, at high cost, even though any voter can put any other voter’s name on a ballot (Pat can put Kim’s name on Pat’s ballot). Options for election officials to minimize association of ballots with individuals include:

  1. Ballots do not need to identify precinct, voting location or date or voting method (e.g. provisional or absentee).
  2. English can be on the same ballot with each of the less common languages and enough English-speakers can use these ballots so users of the less common language cannot be identified.
  3. Special districts which have different boundaries can be printed on separate sheets which are scanned separately to reduce the need for rare ballot styles.
  4. Machines can mark ballots so they look the same as hand-marked ballots.
  5. Ballots with a signature or unique write-in can be recognized as not necessarily from that voter, and handled according to local law.

The clause about voter consent is a separate issue. We do not see a reason to let voters consent to changes in normal procedures or to violate secret voting. We re-word it to refer to voter’s stray marks.

SUGGESTED REVISED HR1 LANGUAGE: 1502(a) amends HAVA 301(a)(2)(A)(i)(III)

  • The voting system shall not design, handle or preserve the voter-verified paper ballots in any manner that makes it possible, at any time after the ballot has been cast, to associate a voter with the record of the voter’s vote; without except this prohibition shall not apply to marks made by the voters consent. (p.149)

CONCERN: Counting by hand. “Count” is an ambiguous term. It is used for the enumeration of ballot sheets as well as the tabulation of vote counts on those sheets.  To make it clear what is meant, we suggest ‘interpreting’ ballots or votes rather than ‘counting’ them when interpreting marks or votes on individual ballots is meant. The original wording required counting ballots in all audits, but some audits do not involve counting or interpreting ballots, such as process audits including security audits.

  • SUGGESTED REVISED HR1 LANGUAGE:1502(a) amends HAVA 301(a)(2)(A)(iii)(I) Each paper ballot used pursuant to clause (i) shall be suitable for a manual audit, and shall to be counted interpreted by hand in any recount or audit conducted with respect to any election for Federal office. (p.150)

Title I—Election Access, Subtitle I—Voting by Mail

CONCERN: Permanent ballots by mail, and online and phone requests, are convenient and can seem to remove barriers in getting ballots. However, they create other barriers and issues: Lack of a recent signature means either lax review when their VBM envelope arrives, or high initial rejections of these voters’ ballot envelopes. Old signatures disproportionately harm people who have changed names, developed a disability in their hand or eyes, normally use non-Roman characters or print. Options for permanent voting by mail include 6-year status, to cover three federal general elections, with reminders sent before expiration, or obtaining a recent signature, required or optional, or dropping the proposed federal requirements so states continue to  experiment. Since signature matching is imperfect, exploration of other ways to check eligibility is important.

Changing “paragraph” to “section” in HAVA 307(a) conforms with Sec. 1101(a) (p.31) which skips signature at registration, if it is obtained before voting. The original word paragraph allows signature requirements for 307(a)(2)(A), while changing it to section allows signature requirements also in the subsequent wording so 307(a)(3) and 307(c), which are all in the same section, though not the same paragraph.

When an application produces access to absentee ballots for all future elections, states should not be prevented from having a means to regularly update and authenticate the reference material used to authenticate the identity of the voter in each election, such as a stored image of a signature.

Besides creating barriers to actual voters, permanent VBM status lets ballots of the recently deceased pile up at nursing homes and assisted living, where unscrupulous people can harvest them anonymously. States need to remove dead voters promptly, such as by using the Social Security Death Index, though with due process.

  • SUGGESTED REVISED HR1 LANGUAGE:
  • 1621(a)(2) creates HAVA 307(a)(2)(A) A State may not require an individual to provide any form of identification as a condition of obtaining an absentee ballot, except that nothing in this paragraph section may be construed to prevent a State from requiring a signature of the individual or similar affirmation as a condition of obtaining an absentee ballot. (p.172)
  • 1621(a)(2) creates HAVA 307(a)(3) APPLICATION FOR ALL FUTURE ELECTIONS.—At the option of an individual, a State shall treat the individual’s application to vote by absentee ballot by mail in an election for Federal office as an application for an absentee ballot by mail in all subsequent Federal elections held in the State, and shall promptly remove deceased voters. (p.173)
  • 1621(a)(2) creates HAVA 307(c)(1)(A) State shall permit an individual— (i) to submit a request for an absentee ballot online; and (ii) to submit a request for an absentee ballot through the use of an automated telephone-based system (pp.179-180)

 

CONCERN: Time frames before and after general elections need to be changed and/or the safe harbor day postponed. Mail service is not fast enough to ensure ballot delivery within five days. Eight or nine days would be safer. Allowing 10 days to accept mailed ballots, then 10 days to cure means audits, certifications and recounts could start after 21 days, or November 29 when election day is November 8. Furthermore these long periods put high burdens on public observers who try to monitor compliance, postmarks are not always present or readable, and dates on signatures are not always correct. Options include accepting ballots for a shorter period after election day, and providing a shorter cure period for the last ballots.

  • SUGGESTED REVISED HR1 LANGUAGE:
  • 1621(a)(2) creates HAVA 307(c)(2) State or local election official shall ensure that the ballot and relating voting materials are sent to received by the individual at least 14 days before the election or within 48 hours of receipt, whichever is later prior to the date of the election so long as the individual’s request is received by the official not later than 5 days (excluding Saturdays, Sundays, and legal public holidays) before the date of the election (pp.180-181)
  • 1621(a)(2) creates HAVA 307(e)(1)(A) the ballot is postmarked, signed, or otherwise indicated by the United States Postal Service to have been mailed on or before the date of the election; and (pp.181-182)
  • 1621(a)(2) creates HAVA 307(e)(1)(B) the ballot is received by the appropriate election official prior to the expiration of the 10-day period which begins on the date of the election. (p.182)
  • 1621(a)(2) creates HAVA 307(b)(2)(B)(i)(II) provide the missing signature or cure the other defect prior to the expiration of the 10-day period which begins on the date the official notifies the individual, or 14 days after the date of the election, whichever is first. (pp.176-177)

Title I—Election Access, Subtitle N—Promoting Voter Access Through Election Administration Improvements

CONCERN: Hotline will be a good way to collect actionable reports of fraud, machine problems and other errors as well as voter suppression.

  • SUGGESTED REVISED HR1 LANGUAGE:
  • 1905(a)(2)(C) may report information to the Attorney General on problems encountered in registering to vote or voting, including incidences of fraud, illegal or improper actions, ballot and machine issues, voter intimidation or suppression. (p.239)
  • 1905(d)(2) a compilation and description of the reports made to the service by individuals citing instances of voter intimidation or suppression, together with a description of any actions taken in response to such instances of voter intimidation or suppression; (p.243)

 

CONCERN: 30-minute waiting period is a good maximum. Officials cannot control how long people wait before polls open, but they need to open on time and have enough staff and equipment to handle those lines within 30 minutes of opening. People often come early because they have other deadlines like work.

  • SUGGESTED REVISED HR1 LANGUAGE: 1906(a)(2) creates HAVA 310(a)(1) IN GENERAL.—Each State shall provide, and shall report publicly within 3 months how well it succeeded in providing, a sufficient number of voting systems, poll workers, and other election resources (including physical resources) at a polling place used in any election for Federal office, including a polling place at which individuals may cast ballots prior to the date of the election, to ensure, by written capacity plans, aside from extraordinary situations

(A) a fair and equitable waiting time for all voters in the State; and

(B) that no individual will be required to wait longer than 30 minutes to cast a ballot at the polling place while the polling place is scheduled to be open. (p.245)

CONCERN: Drop Boxes have numerous failure modes. Examples are fake drop boxes, overflowing drop boxes, failed pickup, vandalism, picked locks, misplaced ballots, missing envelopes etc.

Security video is helpful though not sufficient to provide integrity. Ideally eligibility could be determined as ballots are dropped in the drop boxes if they are attended by election officials or if the drop boxes are intelligent. The law could be improved by grants to study improvements for smarter drop boxes that can report casting of ballot packets.

SUGGESTED REVISED HR1 LANGUAGE:

  • 1907(a)(2) creates HAVA 311(a) REQUIRING USE OF DROP BOXES.—In each county in the State, each State shall provide in-person, secured, and clearly labeled drop boxes at which individuals may, at least 12 hours per day any time during the period described in subsection (b), drop off voted absentee ballots in an election for Federal office, and report issues with them, and the number and types of items dropped including those that are accepted and those not eligible or not properly formatted for counting. (p.249)
  • 1907(a)(2) creates HAVA 311(g) Timing of scanning and processing of ballots. For purposes of section 306(e) (relating to the timing of the processing and scanning of ballots for tabulation), a vote cast using a drop box provided under this section shall be treated in the same manner as mailed in ballots received by election day any other vote cast during early voting. (p.253) Accounting of the casting of the ballot packet dropped in a drop box shall be performed at least as timely a manner as for ballot packets received from the USPS.

 

Title III—Election Security, Subtitle A—Financial Support for Election Infrastructure

CONCERN: Vendor requirements. HR1 3001(a) adds HAVA 298A(b)(2) which assigns new equipment review roles to the Technical Guidelines Development Committee. The committee does not have enough cybersecurity and infrastructure expertise to do a thorough job. Traditionally the EAC has focused on HAVA-defined voting systems, but there are many election technologies outside of the traditionally defined voting systems. These systems are critical to the delivery of our elections and also create significant vulnerabilities to U.S. elections. The new functions in 298A(b)(2) should be assigned to CISA or NIST, which have the expertise, rather than the TGDC and EAC. (p.355)

CONCERN: Grants for audits. We believe requirements for grants should be stronger, to help ensure effective RLAs.  Election compliance, and decisions on voter eligibility, are necessary for effective Risk Limiting Audits (RLAs), grants should cover them. Well-designed RLAs can determine if there are significant flaws, and convince the public that these flaws exist or don’t, as the case may be.

  • SUGGESTED REVISED HR1 LANGUAGE:
  • 3011(a) creates HAVA 299(a) AVAILABILITY OF GRANTS.—The Commission shall make a grant to each eligible State to conduct risk-limiting audits as described in subsection (b) with respect to the regularly scheduled general elections for Federal office held in November 2022 and each succeeding election for Federal office. Grants for related audits, such as compliance audits and eligibility audits, are also available. (p.367)
  • 3011(a) creates HAVA 299(c) REQUIREMENTS FOR RULES AND PROCEDURES.—The rules and procedures established for conducting a risk-limiting audit shall include the following elements:

(1) Rules for setting the predetermined percentage chance of replacing an incorrect outcome, ensuring the security of ballots, publishing initial results, publishing digital signatures that authenticate electronic records and documenting that prescribed procedures were followed and observable by the public and records used are published prior to certification.

(2) Rules and procedures governing the format for and ensuring the accuracy and security of chain of custody records, ballot manifests, and ballot images and cast vote records, produced by election agencies, and for authenticating true copies, such as by digital signatures, of subsets of this data as they are produced and before data release.

(3) Rules and procedures for governing the format of ballot manifests, cast vote records, and other data involved in the audit.[merged into 2 above]

(3) Methods to ensure that any cast vote records or other subtallies subject to selection usedby the voting system to tally the election results sent to the chief State election official and they in the audit, must be made public before sample selection.

(4) Procedures for the publicly observable random selection of ballot sheets to be inspected manually during each audit. The sample of paper ballots shall be drawn from and represent all ballots lawfully cast in the election. (p.367)

(5) Rules for the calculations and other methods to be used in the audit and to determine whether and when the audit of an election is complete and when and how to transition the audit to a full hand-to-eye tabulation.

(6) Procedures to conduct full, hand-to-eye tabulation when needed, and measuring and reporting its accuracy.

(7) Procedures and requirements for testing the public to independently replicate results from any software used to conduct risk-limiting audits  including to aggregate the cast vote records or other applicable subtallies to check the correctness of the reported outcome. (p,368)

(8) Separation of Responsibilities: Neither the policy and regulation setting for the audit, nor the authority to judge whether an audit has satisfied those regulations, shall be solely in the hands of any entity directly involved with the tabulation of the ballots or the examination of ballots during the audit. 

RELATED AUDITS:

(9) Compliance audits: Procedures and documents to evaluate security, authenticity and accuracy of ballot management including a reconciliation of numbers of voters, ballot sheets and contest tallies, by ballot style if applicable. The evaluation and electronic copies of the documents used shall be published before certification of the election.

(10) Eligibility audits: Procedures to review random samples of accepted and rejected ballot envelopes, and report publicly on accuracy rates of eligibility processing. These reviews may include contacting voters.

(11) Voter registration audits: Procedures to review random samples of voters registered as of this election and voters removed from voter rolls since the last federal election, and report publicly on their accuracy rates. These reviews may include contacting voters.

 

  • 3011(a) creates HAVA 299(d). Add: (5) The term ‘full hand-to-eye tabulation’means hands and eyes are used to interpret paper ballots, but machines can be used for addition.

 

CONCERN: Coverage of RLAs. It would not be helpful to audit only a few Higher-margin  federal races with wide margins. When a state gets a federal grant, it needs to audit all Federal contests within 5 years, though in the interim, they may start small.

Requiring State rules within a year of enactment is unnecessarily fast, since even federal implementing rules will take time. It is enough to have  rules within a year of getting a grant.

  • SUGGESTED REVISED HR1 LANGUAGE:3011(a) creates HAVA 299A(1) a certification that, not later than 5 years after receiving the grant, the State will conduct risk-limiting audits of the results of elections for all Federal offices contests held in the State as described in section 299;

(2) a certification that, not later than one year after grant approval the date of the enactment of this section, the chief State election official of the State has established or will establish the rules and procedures for conducting the audits which meet the requirements of section 299(c); (p.370)

Title III—Election Security, Subtitle D—Promoting Cybersecurity Through Improvements in Election Administration

 

CONCERN: In addition to poll books, other systems used to determine the eligibility of voters or ballot packets should be tested and separately certified.  Signature verification systems deal with personally identifiable information (PII), so certification may have an important role. These systems have very different issues than voting systems and need to be handled separately. It is often appropriate for eligibility systems to be connected to the internet, sometimes with wireless connectivity, unlike certified voting systems, which should not be connected to the internet nor have wireless connectivity.

To reduce barriers to entry and enhance competition, poll books and other extensions to the voting system should not be considered part of the “voting system” and should each be tested and certified separately.  Currently, voting systems are tested as a whole; in other words the EAC tests the ballot marking devices, scanners and election management systems as one integrated package, rather by component. This prevents small companies from entering the market – – they cannot enter with only one component, like a ballot marking device, so the barriers to entry are huge. This reduces competition in the industry and purchase choices for election officials. Election officials seeking a federally certified system currently can only replace a component of a voting system with a component from the same manufacturer that has been certified with that same voting system. (For those over a certain age – – imagine having a stereo system and only being able to replace the turntable with a turntable from the manufacturer that made the receiver and speakers.)  Including poll books as part of the voting system would preclude smaller,  innovative companies just selling poll books from being certified and, thereby, from entering the market.

Some states have requirements related to EAC certified voting systems, which should not automatically apply to these extensions, and vendors should be able to sell these extensions separately.

  • SUGGESTED REVISED HR1 LANGUAGE:3302(a)(4) creates HAVA 301(b)(2) any electronic poll book and other systems used to determine the eligibility of voters or ballot packets, including signature verification systems, used with respect to the election, and all such  components should be considered extensions of the voting system. The EAC will test and certify such components separately, not as part of a voting system (as originally defined in HAVA.)  from the voting system, with such extensions to be tested and certified separately and which can be selected separately from other voting system components;  The EAC shall separately test and certify components of voting systems (such as ballot marking devices, scanners and election management systems) as well as entire voting systems and shall require that components are interoperable. and (p.394)

 

Title III—Election Security, Subtitle E—Preventing Election Hacking

 

CONCERN: Bug Bounties are crucial for election security, since no company can find all its own bugs. Therefore election system manufacturers need to participate. The Defense Department’s bug bounty programs have found thousands of bugs, including “more than a hundred highly critical flaws”, so the bugs could be patched. Bug bounties have been widely used by computer companies for at least a decade, while election system manufacturers have had slow and uneven efforts.

  • SUGGESTED REVISED HR1 LANGUAGE:3402(b) Voluntary participation by election officials and election service providers and mandatory for election system manufacturers
  • (3) Participation in the Program shall be mandatory for election system manufacturers (p.397)