<DOC> [110th Congress House Hearings] [From the U.S. Government Printing Office via GPO Access] [DOCID: f:35768.wais] ENSURING FAIRNESS AND ACCURACY IN ELECTIONS INVOLVING ELECTRONIC VOTING SYSTEMS ======================================================================= HEARING before the SUBCOMMITTEE ON INFORMATION POLICY, CENSUS, AND NATIONAL ARCHIVES of the COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM HOUSE OF REPRESENTATIVES ONE HUNDRED TENTH CONGRESS FIRST SESSION __________ APRIL 18, 2007 __________ Serial No. 110-5 __________ Printed for the use of the Committee on Oversight and Government Reform Available via the World Wide Web: http://www.gpoaccess.gov/congress/ index.html http://www.oversight.house.gov U.S. GOVERNMENT PRINTING OFFICE 35-768 PDF WASHINGTON : 2007 --------------------------------------------------------------------- For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 Fax: (202)512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 COMMITTEE ON OVERSISGHT AND GOVERNMENT REFORM HENRY A. WAXMAN, California, Chairman TOM LANTOS, California TOM DAVIS, Virginia EDOLPHUS TOWNS, New York DAN BURTON, Indiana PAUL E. KANJORSKI, Pennsylvania CHRISTOPHER SHAYS, Connecticut CAROLYN B. MALONEY, New York JOHN M. McHUGH, New York ELIJAH E. CUMMINGS, Maryland JOHN L. MICA, Florida DENNIS J. KUCINICH, Ohio MARK E. SOUDER, Indiana DANNY K. DAVIS, Illinois TODD RUSSELL PLATTS, Pennsylvania JOHN F. TIERNEY, Massachusetts CHRIS CANNON, Utah WM. LACY CLAY, Missouri JOHN J. DUNCAN, Jr., Tennessee DIANE E. WATSON, California MICHAEL R. TURNER, Ohio STEPHEN F. LYNCH, Massachusetts DARRELL E. ISSA, California BRIAN HIGGINS, New York KENNY MARCHANT, Texas JOHN A. YARMUTH, Kentucky LYNN A. WESTMORELAND, Georgia BRUCE L. BRALEY, Iowa PATRICK T. McHENRY, North Carolina ELEANOR HOLMES NORTON, District of VIRGINIA FOXX, North Carolina Columbia BRIAN P. BILBRAY, California BETTY McCOLLUM, Minnesota BILL SALI, Idaho JIM COOPER, Tennessee ------ ------ CHRIS VAN HOLLEN, Maryland PAUL W. HODES, New Hampshire CHRISTOPHER S. MURPHY, Connecticut JOHN P. SARBANES, Maryland PETER WELCH, Vermont Phil Schiliro, Chief of Staff Phil Barnett, Staff Director Earley Green, Chief Clerk David Marin, Minority Staff Director Subcommittee on Information Policy, Census, and National Archives WM. LACY CLAY, Missouri, Chairman PAUL E. KANJORSKI, Pennsylvania MICHAEL R. TURNER, Ohio CAROLYN B. MALONEY, New York CHRIS CANNON, Utah JOHN A. YARMUTH, Kentucky BILL SALI, Idaho PAUL W. HODES, New Hampshire Tony Haywood, Staff Director C O N T E N T S ---------- Page Hearing held on April 18, 2007................................... 1 Statement of: Carnahan, Robin, Secretary of State, State of Missouri; Avi D. Rubin, technical director, Information Security Institute, Department of Computer Science, Johns Hopkins University; John S. Groh, vice president, Election Systems and Software International, and chairman, Election Technology Council; and Diane Golden, director, Missouri Assistive Technology Council, on behalf of the National Association of Assistive Technology Act Programs........... 83 Carnahan, Robin.......................................... 83 Golden, Diane............................................ 98 Groh, John S............................................. 93 Rubin, Avi D............................................. 89 Hillman, Gracia, Commissioner, U.S. Election Assistance Commission; and Randolph Hite, Director, Information Technology Architecture and Systems, U.S. Government Accountability Office...................................... 16 Hillman, Gracia.......................................... 16 Hite, Randolph........................................... 34 Letters, statements, etc., submitted for the record by: Carnahan, Robin, Secretary of State, State of Missouri, prepared statement of...................................... 85 Clay, Wm. Lacy, a Representative in Congress from the State of Missouri, prepared statement of......................... 4 Golden, Diane, director, Missouri Assistive Technology Council, on behalf of the National Association of Assistive Technology Act Programs, prepared statement of............. 100 Groh, John S., vice president, Election Systems and Software International, and chairman, Election Technology Council, prepared statement of...................................... 95 Hillman, Gracia, Commissioner, U.S. Election Assistance Commission, prepared statement of.......................... 18 Hite, Randolph, Director, Information Technology Architecture and Systems, U.S. Government Accountability Office, prepared statement of...................................... 36 Maloney, Hon. Carolyn B., a Representative in Congress from the State of New York, prepared statement of............... 12 Rubin, Avi D., technical director, Information Security Institute, Department of Computer Science, Johns Hopkins University, prepared statement of.......................... 91 Sali, Hon. Bill, a Representative in Congress from the State of Idaho, prepared statement of............................ 75 Turner, Hon. Michael R., a Representative in Congress from the State of Ohio, prepared statement of................... 9 Yarmuth, Hon. John A., a Representative in Congress from the State of Kentucky, prepared statement of................... 67 ENSURING FAIRNESS AND ACCURACY IN ELECTIONS INVOLVING ELECTRONIC VOTING SYSTEMS ---------- WEDNESDAY, APRIL 18, 2007 House of Representatives, Subcommittee on Information Policy, Census, and National Archives, Committee on Oversight and Government Reform, Washington, DC. The subcommittee met, pursuant to notice, at 2 p.m. in room 2154, Rayburn House Office Building, Hon. Wm. Lacy Clay (chairman of the subcommittee) presiding. Present: Representatives Clay, Hodes, Maloney, Sali, Turner, Yarmuth, and Watson. Staff present: Tony Haywood, staff director and counsel; Alissa Bonner and Adam C. Bordes, professional staff members; Jean Gosa, clerk; Nidia Salazar, staff assistant; Leneal Scott, information systems manager; Jacy Dardine, intern; Jay O'Callaghan, minority professional staff member; John Cuaderes, minority senior investigator and policy advisor; and Benjamin Chance, minority clerk. Mr. Clay. The Subcommittee on Information Policy, Census, and National Archives of the Committee on Oversight and Government Reform will now come to order. Today's hearing will examine issues relating to ensuring fairness and accuracy in elections involving electronic voting systems. Without objection, the Chair and ranking minority member will have 5 minutes to make opening statements, followed by opening statements not to exceed 3 minutes by any other Member who seeks recognition. Without objection, Members or witnesses may have 5 legislative days to submit a written statement or extraneous material for the record. Let me start off by saying good afternoon and welcome to today's hearing. As we enter the 2008 election season, it is essential that this subcommittee examine the use of modern electronic voting systems and the potential vulnerabilities associated with them. The principle of free and fair elections is the foundation of our democratic Government. The constitutional right to vote has enabled our Nation's citizens to be stakeholders in the greatest democratic experiment the world has ever known. The need for uniform standards to govern Federal elections became painfully clear in the weeks following the 2000 Presidential election in Florida. In response to news reports of hanging chads, invalid punch card ballots and insufficient controls over voter registration systems in Florida, Congress passed the Help America Vote Act of 2002. HAVA is the first comprehensive Federal law establishing requirements for the administration of Federal elections. These requirements cover voting system standards and voter information and registration requirements. HAVA created the Election Assistance Commission to serve as a national clearinghouse for election information, to develop standards for electronic voting systems, and to assist State and local governments in their HAVA compliance efforts. Research and development activities required by HAVA are carried out by the National Institute of Standards and Technology under the EAC's direction. To date, Congress has appropriated over $3 billion to the EAC for these activities. With grants from the EAC, many State and local jurisdictions have attempted to improve the reliability and accuracy of the voting process by replacing antiquated punch card or lever machine systems with electronic voting systems such as direct recording electronic or optical scan systems. Unfortunately, numerous State and local governments have reported significant problems with electronic systems. The still-contested House election in Florida's 13th District is a prominent example of how in some instances electronic voting systems have produced unreliable results, raising concerns among voting system experts, and causing distrust among voters. Accordingly, I believe we should pursue two major goals in moving forward with new electronic voting system requirements. First, we should utilize technology that provides an independent auditable voting record that can be verified by election officials, such as a paper audit trail for DREs. In addition, we should ensure that electronic voting system standards meet the need for adequate privacy safeguards and accessibility for the disabled. These efforts would help to ensure that every vote is accurately counted. Second, we must try to make the process for testing software code more transparent. This would enable both the EAC and election officials to determine which products are the most secure, reliable and available in the marketplace. To do this, I believe the EAC and the NIST should search for new opportunities to partner with our federally funded research community in order to improve our vulnerability testing and certification practices. Furthermore, the EAC should fully implement GAO's recommendations for strengthening the commission's efforts to become a true national clearinghouse for election administration. Unfortunately, the technological challenges we face are compounded by problems with the EAC itself. Recent news reports indicate that the EAC has failed to carry out certain responsibilities required by HAVA. During the past week, the New York Times and other publications have reported that the EAC edited the findings of a Government-funded report on voter fraud to support partisan efforts to mislead the public on the pervasiveness of fraud. Furthermore, we have learned that recent research on State voter ID standards conducted by Rutgers University for the EAC was rejected for questionable reasons. These developments suggest that the bipartisan EAC may be improperly politicizing their work. At the very least, it appears that the EAC has strayed from its mandate to develop and disseminate vital information on major election-related topics to the public in an objective manner. As a result, I have serious concerns about how the EAC is handling its stewardship role within our Federal election system. It is my hope that our witnesses today can address these issues and offer recommendations to remedy the challenges we face. Testifying on our first panel will be Commissioner Gracia Hillman of the Election Assistance Commission, and Mr. Randolph Hite of the Government Accountability Office. Our second panel includes four distinguished witnesses from both the public and private sector: The Honorable Robin Carnahan, Missouri Secretary of State; Professor Avi Rubin of Johns Hopkins University; Mr. John Groh, vice president of Election Systems and Software, and chairman of the Election Technology Council; and Dr. Diane Golden of the Missouri Assistive Technology Council. I welcome all of our witnesses and look forward to an informative and frank discussion on these issues. Now I recognize the ranking member from Ohio, Mr. Turner. [The prepared statement of Hon. Wm. Lacy Clay follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mr. Turner. Thank you, Mr. Chairman. I appreciate your holding this very important hearing. Since the 2000 Presidential race, the Federal Government has been actively involved in seeking a uniform, accessible solution that helps ensure better elections. While overall, voting systems may have improved, we should continue to investigate our voting systems and make improvements when the need arises. After Congress passed the bipartisan legislation Help America Vote Act in 2002, complaints arose regarding direct recording electronic voting machines, which are commonly known as touch screen voting machines used for elections in the majority of States. The security and accuracy in vote recording on these machines are of particular concern. Also, some accounts claim the operation of DRE machines may be confusing for some. To that end, we should address and resolve these issues. Mr. Chairman, this is one reason why today's hearing is so important. We need honest feedback and thorough analysis of any problems encountered in these new voting machines. Mr. Chairman, I want to thank you for inviting a balanced panel that will give us all sides of the story. I appreciate the witnesses' testimony and I yield back the balance of my time. [The prepared statement of Hon. Michael R. Turner follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mr. Clay. Thank you very much, Mr. Turner. Are there any other Members who would like to have an opening statement? Mrs. Maloney. Mrs. Maloney. Thank you, Mr. Chairman. I thank Chairman Clay and Ranking Member Turner for holding today's hearing about an issue that deeply concerns me, the accuracy of our Nation's voting systems. Our representative democracy depends upon the integrity of the voting system, and it is imperative that the machines are secure and reliable. Questions have been raised about the security and reliability of electronic voting systems, including weak security controls and design flaws, among other concerns. In the 2004 election, millions of voters used electronic voting machines that lacked a voter-verified paper audit trail. Nationwide, the problems included broken voting machines and inaccurately recorded votes, where in a few jurisdictions the votes were switched from John Kerry to George Bush and vice versa. Maryland experienced so many problems with its electronic voting machines in the September 2006 primary that its Governor urged residents to vote with absentee ballots to ensure that their votes were counted. I support requiring voting machines to have a voter- verifiable paper audit trail, and I am a cosponsor of H.R. 811, the Voter Confidence and Increased Accessibility Act, which would require a voter-verified permanent paper record or hard copy. The American people also deserve to know who is manufacturing and controlling the voting machines they are using, and if these machines are at risk for outside manipulation. Last year, I raised the possibility in front of the Committee on Foreign Investment in the United States Review Board of Smartmatic's purchase in 2005 of Sequoia Voting Machines because of my concerns that a foreign government--in this case, Venezuela--was investing in or owning the company that supplies voting machines for U.S. elections. CFIUS looks at national security threats. I can't think of a larger national security threat than not having the total integrity of your voting machines. For a few years, questions surrounded Smartmatic about its ownership and its possible ties and control by the Venezuelan government. In December, Smartmatic announced that it would sell Sequoia voting machines. There clearly were doubts about this company, and as long as those doubts lingered, many people would have legitimate questions about the integrity of those voting machines. It is time to institute procedures that ensure that election results can be audited to ensure accuracy. If the American public does not have faith that their votes will be recorded accurately, they may decide to stay home on election day, which would undermine our democracy. I look forward to hearing the witnesses. Again, I can't think of a more important issue that we could be looking at than the integrity of our voting machines. Thank you. [The prepared statement of Hon. Carolyn B. Maloney follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mr. Clay. Thank you so much, Mrs. Maloney, for your opening statement. It is the policy of the committee to swear in all witnesses before they testify. I would like to ask you both to please stand and raise your right hands. [Witnesses sworn.] Mr. Clay. Thank you. Let the record reflect that the witnesses answered in the affirmative. Ms. Hillman, please proceed. STATEMENTS OF GRACIA HILLMAN, COMMISSIONER, U.S. ELECTION ASSISTANCE COMMISSION; AND RANDOLPH HITE, DIRECTOR, INFORMATION TECHNOLOGY ARCHITECTURE AND SYSTEMS, U.S. GOVERNMENT ACCOUNTABILITY OFFICE STATEMENT OF GRACIA HILLMAN Ms. Hillman. Thank you very much. Let me begin by saying that EAC has submitted for the record extensive testimony outlining the details of all of our programs that certify and test voting systems, including the hardware and software. My remarks will summarize some of the testimony. Good afternoon, Chairman Clay, Ranking Member Turner and all members of the subcommittee. My name is Gracia Hillman and I am a member of the U.S. Election Assistance Commission. Mr. Chairman, you asked me here today to discuss issues concerning fairness and accuracy in elections that use electronic voting systems. Today's hearing adds an important discussion to this issue. Fairness and accuracy are crucial components in every facet of elections. This applies to voter registration, casting ballots, and certifying election results. It is important to remember that whether we are discussing a ballot box, an optical scan machine, or an electronic touch screen voting system, people control fair and accurate elections. There are lots of discussions about whether we can or should trust electronic voting machines. States choose their voting systems and some are now switching to optical scan machines. However, we must remember that electronic technology is not exclusive to a touch screen voting system. The counting and casting of ballots on an optical scan machine is done electronically, so we must cast a critical eye on all voting technologies, and the system manufacturers and the testing laboratories must join us in that endeavor. Mr. Chairman, it is not enough to only examine the device that people use to vote. We must remember that voting is a human exercise. To that end, EAC focuses on the technical functions and testing of voting systems, and at the same time, we examine the human management of elections. America is in a period of major changes in the technology of our voting system. We know that electronic voting systems bring advantages. For example, they enable us to meet the language and disability access requirements of HAVA, and they prevent people from over- voting a ballot. However, if people do not trust these systems, if they believe the systems can be compromised, then the advantages do not mean very much. Nonetheless, it is important to point out that to compromise a voting system, and I am talking about any type of voting system, you must have two things: knowledge of the system and unsupervised access to the machine and software. Mr. Chairman, election officials follow security protocols to prevent that access. I mean, really, no voting system should be fully trusted unless election officials store them in a secure location, prevent tampering, conduct independent logic and accuracy testing, train its workers, audit the results, and let the public observe the entire process. EAC publishes guidelines on how to secure voting systems. We emphasize that details and training matter in every facet of elections. Just one person forgetting one detail, like forgetting to bring election day supplies to the polling place or not even showing up to open the polls, can make or break an election. Mr. Chairman, before closing I want to address the issue of paper trail printing devices for DRE machines. As you know, this device enables a voter to confirm his selections before casting the ballot and presumably the paper could be used in audits. I am not here to discuss whether Congress should mandate paper trail. I do want to point out that depending on what the particular requirements are, at least 180,000 DREs in this country would have to be replaced or upgraded. When you combine the introduction of new equipment, earlier primaries, and the enormous tasks of recruiting and training poll workers to meet a Presidential election year deadline, which is only a year and a half from now, you have all of the ingredients for a recipe for colossal confusion. That is why we cannot discuss voting system technology in a vacuum. We must also discuss and consider the human element. I have spent my entire career working to make sure all voters are treated fairly and that votes are counted accurately. It is useful to question the use of electronic voting systems. However, I urge you to not let electronic voting divert our attention from issues such as voter registration, participation and disenfranchisement. It is my understanding that the committee likely has questions for me about EAC matters, namely our research and study work. I am prepared to answer your questions about my testimony today and all of our other work. Thank you for this opportunity. [The prepared statement of Ms. Hillman follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mr. Clay. Thank you so much for your testimony, Ms. Hillman. Mr. Hite, you may proceed. Would you summarize your testimony for us within 5 minutes? STATEMENT OF RANDOLPH HITE Mr. Hite. Yes, sir. Thank you, Chairman Clay. In the wake of the 2000 and 2004 elections, GAO looked at the national election process end to end, focusing on all aspects of it, including the use of electronic voting systems. Our most recent reports cast considerable light on the challenges associated with these systems, so my testimony today draws from those reports and I will summarize it by making five points. Point one, although voting systems play a major role in elections, they are but one facet of a highly complex and decentralized election environment that depends on the effective interplay of people, processes and technology. As such, when I think of a ``voting system'' I think of not only the hardware and software, but also the persons who interact with them and the rules that govern this interaction. Point two, although security and reliability have arguably taken center stage in the debate surrounding electronic voting systems, other performance characteristics such as ease of use and cost should not be overlooked. For example, certain DREs have been found to have security vulnerabilities that can be exploited, such as unencrypted files and no or easily guessed passwords, and some lack a paper record. At the same time, DREs can be more accommodating to voters with disabilities, and they can protect against common voter errors such as over-voting. On the other hand, optical scan voting systems, particularly central count systems, have a lower capital cost than DREs and they offer a paper record. However, they can be more challenging for voters with certain types of disabilities, and they can create paper nightmares for jurisdictions that have to accommodate multiple languages. Point three, voting system security and reliability is a function of how well each phase in the voting system life cycle is managed at all levels of government. Simply stated, the system life cycle begins with defining the standards that a system is to meet. It is followed by vendor development and associated vendor and government testing to ensure that the standards are met. It ends with government acquisition and operation and maintenance of the vendor systems. How well each of these phases is executed will largely dictate how securely and reliably the system performs on election day. Since the 2004 elections, a range of concerns have been voiced about the extent to which the activities associated with each of these life cycle phases are being performed by all levels of government and the system manufacturers. Point four, given the highly decentralized nature of elections, States and local jurisdictions play huge roles in the life cycle management of voting systems. However, they have not always ensured that important voting system management practices are employed. Relative to the 2004 elections, we surveyed the 50 States and the District of Columbia, a sample of 788 local voting jurisdictions, and we visited 28 jurisdictions. According to the responses we received, outdated systems standards were sometimes being adopted and applied; certain types of testing were widely performed, while others were rarely performed; security management practices ranged from rigorous to ad hoc; and the nature and type of security controls ran the gamut. Point five, the challenges associated with ensuring that electronic voting systems operate securely and reliably during an election are many and profound, but they are not like the challenges related to relying on technology to support any mission-critical government operation. However, the highly diffused and decentralized nature of elections, in my opinion, makes these challenges more formidable, as it requires the combined efforts of all levels of government. HAVA established the EAC and assigned it certain responsibilities relative to these efforts. We have made recommendations to assist the EAC in this regard, which it agreed with. In general, these recommendations focused on introducing greater transparency and accountability into the EAC's activities by having them develop plans for each of its areas of responsibility, that is, plans that defined what actions will be done, when, at what cost, to what end, and what outcomes will be achieved. To the EAC's credit, it has continued taking important action since our recommendations aimed at meetings its HAVA responsibilities. However, we have yet to see the kind of strategic planning that our recommendations envisioned. This concludes my statement. I would be happy to answer any questions that you have. [The prepared statement of Mr. Hite follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mr. Clay. Thank you very much. Thank you both for your testimony. Let me start with Mr. Hite. Mr. Hite, GAO's past work on electronic voting systems highlights the need for vendors and election officials to better manage this equipment throughout the product life cycle. Have there been adequate best practices or requirements promulgated under the VVSG guidelines or under HAVA for stakeholders to follow? Mr. Hite. The voluntary voting system guidelines that you refer to in 2005, that take effect at the end of this year, is a vast improvement over the standards that were in place prior to this. Is it complete and comprehensive relative to the range of security provisions that need to be in the standards? No. It is a work in process in that regard, and it will need to evolve over time. Mr. Clay. Doesn't the lack of effective system standards hinder the implementation of stronger stewardship best practices? Mr. Hite. Yes, sir. It is a key variable in that equation. It is actually a double-edged sword. On the one hand, you want to have the most up to date, robust, comprehensive standards that you can have. At the same time, you have to consider the capacity to implement those standards, and the impact it is going to have on the States and the jurisdictions out there to adjust their systems environment to comply with those standards. It is not something that can be done overnight. So you are trying to balance the two from a practical standpoint in terms of the pace at which you are asking jurisdictions to improve, and their capacity to improve. Mr. Clay. Well, there is a problem that the standards were not put in place initially, and that people didn't have many guidelines to follow? Mr. Hite. Absolutely. The root cause of this is that the standards were pretty much stagnant for virtually a decade. So we are trying to play catch-up relative to putting in place the kind of quality standards that are needed. Mr. Clay. Has NIST begun to research the larger issues of electronic voting system architecture, as opposed to testing and evaluation of current products on the market, in order to address the inherent vulnerabilities in the systems currently in use? Has that started to occur? Mr. Hite. Sir, I don't have the answer to that because I don't know. It kind of relates to the point that we were making relative to creating more transparency around what is going to be done, when, relative to getting to the desired end with regard to standards in other areas. Mr. Clay. Thank you for that response. Ms. Hillman, it has been stated that individuals with expertise and experience in assistive technology have not been involved in discussions regarding voting security and in judging conformance to accessibility standards. I know that Dr. Diane Golden, who will testify on the following panel, has provided testimony to the EAC and the TGDC. Can you tell me, beyond this, to what extent has the EAC tried to involve experts from the assistive technology community in development of standards? Ms. Hillman. Yes. On the Technical Guidelines Development Committee, there are two members representing the Access Board, and certainly concerns from the disability community are brought to discussions of the voluntary guidelines through their participation. In addition, the EAC has met with members of the disability community. One of the members of our Board of Advisors represents the American Association of Persons with Disabilities. And we post all of our draft guidelines out for public comment. Of 6,000 comments we received, I know that several hundred came from members of the disability community. Mr. Clay. Thank you for that. GAO has offered the EAC a list of open recommendations from its 2005 report on the reliability of e-voting systems. Some of these recommendations address critical topics such as the NIST's work on software assurance and interim standards for the certification of e-voting products. Does the EAC intend to implement all of the GAO's recommendations? What is the status of the commission's implementation efforts? Ms. Hillman. As Mr. Hite indicated, we did agree with their recommendations and we are certainly working to make certain that our program to test and certify voting systems is done in a way that does two things. It provides the rigorous testing to assure election officials that the machines are compliant, and that the process is as open and understanding to the public so that we can get past some of the technicalities and the public can appreciate the benefits of the Federal Government testing and certifying machines. The process is new. I think, as you know, the Election Assistance Commission was set up in a way that we lost a good year of operation before we could really begin our work, due to lack of funding. But once that began, we have caught up. Our certification program is in place. We have accredited laboratories that are poised and ready to begin that testing. Mr. Clay. Thank you for that response. We have some additional Members that joined us. I will go to the gentleman from Kentucky, Mr. Yarmuth. I understand you have an opening statement. Mr. Yarmuth. Thank you, Mr. Chairman. I will just submit it for the record. That will be fine. I appreciate it. [The prepared statement of Hon. John A. Yarmuth follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mr. Clay. Would the gentleman care to ask questions? Mr. Yarmuth. I think I will pass at this time. Thank you. Mr. Clay. OK. The gentleman from New Hampshire, do you have an opening statement? Mr. Hodes. Thank you, Mr. Chairman. I do have a brief statement. Mr. Clay. You may proceed. Mr. Hodes. Thank you, Mr. Chairman. I want to thank you for holding this important hearing on fairness and accuracy in elections, with a focus on electronic voting systems. I also want to thank the panel for being here today. I look forward to hearing the rest of your testimony, and your testimony, sir. Nothing is more critical to our democracy than the integrity of our elections. After punch card ballots proved to be ineffective for recounting votes in the 2000 Presidential election, Congress took an important step toward ensuring the accuracy of election results with the Help America Vote Act of 2002. In 2004, more voters than ever before used the optical scan voting system that produces individual paper ballots, but other electronic systems were shown to be flawed. Today, the goal of effective standards for voting systems still faces serious obstacles. As we work to ensure the accuracy and security of Federal elections, we must be careful not to preempt State and local election systems. In my home State of New Hampshire, the optical scan systems, combined with hand counting procedures, have produced accurate election results. The Election Assistance Commission must ensure that new standards do not threaten existing voting systems that work. Congress must remain committed to its role of oversight over voting system standards and ensure that critical decisions are made after careful consideration of possible consequences. Finally, we must ensure that voting systems generate paper voting records that are not susceptible to hackers and electronic glitches. Again, thank you for being here today. I look forward to hearing your thoughts as we consider these important issues. Thank you, Mr. Chairman. Mr. Clay. Thank you very much. The gentleman from Kentucky, would you care to ask questions? The gentleman from New Hampshire, do you have questions for the witnesses? Mr. Hodes. You may proceed. Mr. Hodes. Thank you, Mr. Chairman. Commissioner Hillman, I serve on the House Financial Services Committee. When one of my constituents goes to a bank and makes a transaction, they get a paper receipt, in addition to the electronic records the bank keeps. However, when a voter casts a ballot in some States with a direct record electronic voting system, there is no individual paper ballots that can be used if a recount is needed. Isn't it true that some DRE systems only require one printout of all ballots cast, and not individual ballots that can be recounted? Ms. Hillman. Sir, it is true that all DREs require the system to be able to print out a paper record of all transactions that happened on that machine. That information is contained within the system. Some of those systems have a printer to produce a paper trail and many do not. Mr. Hodes. Don't you think there should be a similar individual paper record system for all individual ballots in the transaction, especially since this isn't just a financial transaction, but voting is the basis for our system of democracy? Ms. Hillman. EAC has made certain that our voting system standards include guidelines for the use of a printer to produce a paper trail. Many States through their legislative actions already require such a paper trail. HAVA allows the States to choose their own voting systems and to determine what type of machine they will use. So EAC accepts the responsibility to produce standards for all types of voting systems. Mr. Hodes. Has the EAC required individual paper records of each ballot cast? Ms. Hillman. No, we have not required that. Mr. Hodes. Do you think that ought to happen? Ms. Hillman. Congressman, I appreciate your question, but I am also respecting the role that HAVA prescribes to the EAC and to the States. It has left the decisionmaking of the manner in which voting systems will be used up to the States. So at this point, EAC has not seen it as its authority to tell States that it must use a paper trail. Mr. Hodes. So if the EAC doesn't have the authority and you have left it to the individual States, it is essentially up to Congress to legislate whether or not an individual paper record for each ballot cast needs to be produced for every voter. Ms. Hillman. With due respect, it was Congress who left it up to the States to make the decision in the first place. EAC doesn't have that authority, so we are not telling the States that it is their responsibility. We are simply following what the Help America Vote Act provides for. Mr. Hodes. So my question was, therefore if Congress wanted to change it and require an individual paper record for each vote cast, it would be up to Congress to legislative that. Ms. Hillman. It would, sir. Mr. Hodes. For Mr. Hite, a question for you, sir. It is my understanding that no one from the EAC has been asked to testify before Congress since 2004. In your opinion, has Congress done an effective job of providing oversight over the EAC and its critical work to improve Federal election accuracy in the last 5 years? Mr. Hite. For an organization that works for the Congress, that is really a loaded question for me to have to respond to. One point of clarification, the EAC has testified since 2004 before committees of Congress. I have sat beside the chairwoman here in doing that. I would say that there has been extensive oversight with respect to elections since 2004. There is a proliferation of legislation associated with making changes to HAVA and other aspects of the election process. So I would compliment the Congress for the extent of the oversight that it has provided to this area. Mr. Hodes. I have one further question. Currently, it is my understanding that the GAO recently reported that 44 States have laws requiring some form of compliance with Federal EAC VVSG guidelines or FEC voting system standards. What happens to States such as New York when voluntary guidelines become mandatory? Mr. Hite. Are you asking if they are made mandatory by the State? Mr. Hodes. Yes. Mr. Hite. Well, then the States have that prerogative to adopt the guidelines and to treat them by reference as mandatory requirements for their jurisdictions. Mr. Hodes. What are the consequences from a management perspective? It is my understanding that New York has not fully complied with HAVA with regard to accessible voting machines, but it doesn't have clear signals from the EAC as yet regarding what voting system would be appropriate. It is caught, at least as far as I understand it, between competing versions of the 2002 voting system standards, 2005 VVSG-1 and VVSG-2 in draft forms. Mr. Hite. I don't believe New York is in any different position than other States. States have adopted different versions of the standards. Not all States have adopted the 2005 standards. Some are using a combination. Some are using the 2002 standards. So they are all faced with this dilemma of which standards do we adopt, in light of the fact that standards are going to evolve. There is going to be a next version of the standards. So at what point do we adopt which version of the standard from a practical standpoint to implement the systems in that particular State or that particular jurisdiction? Ms. Hillman. Sir, might I clarify about the standards? Mr. Hodes. Please. Thank you. Ms. Hillman. Before the establishment of the Election Assistance Commission, the FEC had responsibility for adopting standards. The last set of standards adopted by FEC was in 2002, at the same time the Help America Vote Act was being debated by Congress. Those two things happened to come together at the same time, but they were complementary. What EAC has done since then, as required by HAVA, is to develop what are now called the voluntary guidelines. Because we had very limited resources and time, working with NIST, we updated the 2002 guidelines on certain critical sections such as security and accessibility for persons with disabilities. We also did make sure that the 2005 guidelines included all the HAVA requirements. Working with the States, it became important that the effective date of our 2005 standards be such that the States would have time to work with their suppliers to have systems that met the standards. So we made the standards fully effective December of this year. In the meantime, States could still have their systems certified to the 2002 standards, but that was not an EAC responsibility. That was being done by an outside organization. Beginning January of this year, EAC has fully implemented its testing and certification program. We are now accrediting laboratories to test against both the 2002 standards, as well as our newer 2005 standards. So it is true that for some States with laws that require the Federal standards, they are having to change their State law to accommodate that, but States have had 2 years to know what the requirements of our 2005 standards are before they become fully effective. Mr. Clay. Thank you, Mr. Hodes. I appreciate that. Mr. Hodes. Thank you, Mr. Chairman. Mr. Clay. Let me preface my next question, Ms. Hillman, by saying that I have the utmost regard for your lifetime history in protecting people's voting rights throughout this country. That is why the next question is rather troubling for me. As you know, the New York Times and other newspapers have reported on EAC efforts to alter the findings of a report solicited by the Commission concerning the incidence of voter fraud. In fact, a New York Times editorial on Sunday, April 15th, points out that only 86 people were convicted of voter fraud since the Department of Justice began placing significant resources into investigating voter fraud more than 5 years ago. While I recognize that you are only one member of the board, I think hearing your perspective on insight on how the EAC made these decisions would be helpful to us as an oversight body. The original draft report findings said that among experts, ``There is widespread, but not unanimous agreement that there is little polling place fraud.'' While the final version stated that there is a great deal of debate on the pervasiveness of fraud. Why were the original findings altered? Ms. Hillman. Thank you for the question. Before I answer, let me just say that I have provided each member of the committee with a copy of a statement that I issued yesterday on this issue. To put it in context, Mr. Chairman, the EAC commissioned two individuals to work as special government employees, to conduct research for us. We asked them to help define voter fraud and voter intimidation, so that in a future study everybody would know what we were studying; and second, to compile research that would inform EAC on a future study and to make recommendations from that research. We did not have the time or the money to commission the kind of study that would have allowed conclusions to be presented. The consultants did provide a summary of conclusions. Quite frankly, what would have been helpful if that summary had said based on an interview with this person, it is documented that there are concerns about intimidation of minority voters in a particular State, and we think that is an issue the EAC should look into; or several of the people interviewed believe the following to be true and we think the EAC should study that. And so some of the conclusions they presented, which were based on interviews with people, did not have data to support the conclusion. As much as I would like to sit here and say today that there is conclusionary evidence with respect to fraud and voter intimidation, that particular report does not provide us with that data. Mr. Clay. Were there anomalies or flawed research identified? Ms. Hillman. The conclusions that you are referring to were based on interviews with people. In addition to those interviews, the researchers compiled several hundred court cases. They did extensive review of news clips and other articles. The conclusions were not tied to those clips and articles. And so at the time that EAC adopted its report in December, what I believe we were saying was, this is information that helps us define what we will study and flags for us the issues we need to look into. I do not believe that the EAC could have reached agreement on the conclusions that were offered by the researchers without being able to validate those conclusions. And so as a result of the very serious allegations that have been made, EAC has asked its Inspector General to look into this matter on both the voter fraud and intimidation study, as well as the voter ID study so that Congress and the public and the commissioners can know what the circumstances were. Mr. Clay. I really find all of that peculiar that you all are going to an internal investigation about the actions that the Commission voted on. The Commission authorized the study by Rutgers University, and then rejected its findings on voter ID laws, citing flawed methodology. Perhaps there is something wrong in the process there as far as how you go out and get these studies? Ms. Hillman. That would be a fair observation. With respect to the Rutgers study, I know that some of my colleagues believe that the methodology was flawed. I personally do not believe I could pass judgment on the methodology used by Rutgers. What I know is Rutgers didn't give me comparative data. For example, I will just use your State, and I am making this up. If Missouri had implemented new voter identification requirements in 2002 and there was an analysis of what those requirements were and turnout in 2004, it doesn't tell me if those requirements alone contributed to a rise or fall in voter participation unless I can look at it, compared to 2000. Mr. Clay. OK. I am not going to prolong this much further, but you know what the effects are. Ms. Hillman. I absolutely do, sir. Mr. Clay. Are there intimidating effects of voter ID laws. I mean, it takes us back to reconstruction. It takes us back to figuring out how many jelly beans are in the jar, a literacy test. And that is the impact of voter ID laws. I am just surprised at the actions of the EAC when they are here to protect America's voter. I will recognize Mr. Sali for 5 minutes, sir. Mr. Sali. Thank you, Mr. Chairman. Ms. Hillman, are the States going to be able to meet the requirements of the bill that is proposed by Mr. Holt before the 2008 elections? Ms. Hillman. In my testimony, I did indicate that there will be at least 180,000 DRE voting systems in the country that would have to be upgraded or replaced, depending on the requirements of any legislation requiring VVPAT. And many States have expressed to us concern that they would be able to meet that requirement by the 2008 deadline. Mr. Sali. Can you tell me what the major problems were that the election officials and poll workers had in the 2000 elections in transitioning to the new electronic voting devices and the requirements of the Help America Vote Act? Ms. Hillman. Well, I think the overriding problem was one of time, and that is when the systems were received by the election officials using a brand new systems for the first time in an election, the training of the people who would use the system, the knowledge and experience to conduct the required independent logic and accuracy testing, the capacity to be able to test every machine. So a lot of what was experienced were human resource and financial resource limitations. Mr. Sali. And we will be repeating those again for 2008 if we pass this bill. Is that correct? Ms. Hillman. I certainly can't speak on behalf of the States, but I can say I have heard loudly and clearly from States a concern that unless such a requirement is phased in, States would have a major resource challenge to be able to meet any mandate. Mr. Sali. Is it more expensive to meet language requirements for ballots on an optical scanner or on a DRE? Ms. Hillman. It would be more expensive to do it on an optical scan because of the design and printing of the ballots. Whereas on the DRE, it is programming. Mr. Sali. Mr. Hite, has the GAO looked at the fiscal impact on State and local governments if Congress passes this bill? Mr. Hite. No, sir, we have not. Mr. Sali. For either of you, are either of you aware of an instance where a case has been found and confirmed of an electronic voting machine that has been hacked into, if you will, during an election? Ms. Hillman. I have not any information that would suggest that a DRE has been hacked into during an election while it was in the custody of an election official. There have been such experiments in controlled environments, which informs that the key to that would be knowledge of the system and access to the system. Mr. Sali. Let me ask the question a little different way. Are either of you aware of a situation where an electronic voting machine was hacked and it changed the outcome of an election or was raised as an issue in an election? Mr. Hite. No, sir. Ms. Hillman. No. Mr. Sali. That is all I have, Mr. Chairman. [The prepared statement of Hon. Bill Sali follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mr. Clay. Thank you so much, Mr. Sali. Now, we will go to the gentleman from Kentucky, Mr. Yarmuth. Mr. Yarmuth. Thank you, Mr. Chairman. Could you, Ms. Hillman, offer us an opinion on how the EAC could alter the current accreditation and certification process in order for it to become more transparent and reliable? Ms. Hillman. Are you talking about the accreditation of the laboratories and the certifying of the systems? We are in discussions with NIST about that. When we established our certification process, we were in fact following the standard protocols used by, for one example, NIST's Laboratory Accreditation Program. What we realized is that it will be useful to be able to provide updated information along the way before a laboratory is accredited, if people are interested in the status of that. I am not sure what mechanism. We are looking at the posting of information on the Web site, but what mechanism would be useful and informative to be able to keep people informed because the process takes several months to accredit a laboratory. And then similarly with the certification of the systems, the laboratories conduct the testing and then they provide a report to us. That report will be reviewed by technical reviewers at EAC before the recommendation comes for any certification. If there is concern that the machine go back for testing, that will be done. So we are looking at the process to see what is appropriate within those stages to make information available to the public about what the laboratory recommendation is at the time that it is made. Mr. Yarmuth. When you talk about 180,000 machines requiring updating to bring them into compliance with the requirements, and I guess part of it would depend on how extensive these 180,000 are or where they are, but would it make any sense to try to focus on the concentration of voting machines? Or are the electronic voting machines concentrated in, say, heavily populated areas? I understand the problem of requiring a lot of new technology and updated technology in relatively small communities, and maybe in some rural States. Is that a factor in trying to get implementation of these requirements rolled out faster? Is that something that we should be interested in? Ms. Hillman. One way to respond to your question, sir, would be to point out that the States of Maryland and Georgia currently use statewide DREs without a paper trail, and both of those States I think would be considered fairly heavily populated with major urban areas. In addition to that, the other large system without the paper trail would be in the State of Florida. Beyond that, there are jurisdictions all across the country. What is important to look at would be the process a State would have to go through to be able to acquire the equipment that would be needed to produce the paper trail. And so when I speak of the 180,000, depending on the technical requirements would determine whether a system would have to be upgraded or fully replaced, because some DRE systems do not have right now a printer that could be attached to produce the paper trail. So I think the timing and the requirements of it are important. My own personal opinion is that the ultimate requirement should be in place with recognition if Congress were to pass the law, with recognition of how long should be allowed for States to meet that requirement. Mr. Yarmuth. I yield back my time. Thank you. Mr. Clay. Thank you, Mr. Yarmuth. Mr. Hodes. Mr. Hodes. Thank you, Mr. Chairman. Commissioner Hillman, I am trying to understand as a new Member some of the political dynamics at work around the issues that you are dealing with. I would like your perspective. I got a letter from my New Hampshire Secretary of State, Bill Gardner. He indicated to me that the National Association of Secretaries of State in 2005 passed a resolution calling on Congress not to reauthorize the EAC after the 2006 general election. He supported that resolution and supported sunsetting the EAC, as was apparently called for in the original HAVA Act. My sense is that he is concerned that the EAC will usurp his right to control New Hampshire's successful paper ballot system. Can you offer me any of your thoughts on what relations have been between the EAC and the Secretaries of State, and how you have responded to the concerns of the Secretaries of State about ultimately who will control the integrity of the voting system and how it has worked? Ms. Hillman. Thank you for the question. Let me begin by saying that the relationships with the National Association of Secretaries of State is a very healthy one. We were there the day that NASS adopted the resolution, and in fact we were testifying the same day that they made the information available to the House Committee on Administration. What I will say from those discussions is that it was less about the role of EAC, because HAVA has been very, very clear about the delegation of responsibility for the administration of elections to the States; that the Election Assistance Commission was set up to assist the States in meeting the requirements of HAVA. Along the line, we have to gather information to do that. We do have full responsibility for the testing and certification of voting systems, but again, voluntary compliance on the part of the States. We have a fiduciary responsibility to how States are expending the funds, and we do receive annual reports from the States, and our Inspector General is required to audit the States. But that is with respect to making certain that States have spent their money both in compliance with HAVA, as well as in compliance with their own State HAVA plan. I do believe that I am not mis-stating this, that the States were more concerned about whether Congress would invest more authority in EAC, than to the authority that EAC has now, because we do not have the authority and we do not tell the States what types of systems they should use. We cannot even tell them what we think should be statewide standards for provisional voting. Again, that is left to the States. They determine the kind of testing and certification that will be done on the voting systems used in their States. So I am hopeful. I do believe, based on the ongoing relations that we have with NASS, that issue is behind us. Although I will say that I know that election officials, State and local, are very concerned about what might be the next wave of election reform and what the requirements will be on those States. Mr. Hodes. So if I understand what you have said, from your perspective, the States' concern is that we in Congress would give more power to the EAC and that is what the Secretaries of State are concerned about. Ms. Hillman. At that time. I do not believe that is a continued concern, but that was in February 2005. That was 2 years ago. Mr. Hodes. Have you heard any expressions of concern that the EAC is a creature, if you will, of the executive branch, with the President having the authority to appoint four commissioners with essentially de facto regulatory authority over the voting systems, although I hear your testimony that it is voluntary and you are providing assistance and guidance. But in essence, it seems you really are de facto having regulatory authority over the voting system. Have you heard any concerns that there are four Presidential appointees, and that the Commission resides in the executive branch, say, as opposed to in Congress? Ms. Hillman. I have heard those concerns, nothing that the EAC has been called upon to talk about necessarily. I think a review of HAVA would show that while the commissioners are Presidentially appointed, each commissioner candidate is recommended to the President by the leadership of both the House and the Senate. Mr. Hodes. Do you see any downside in moving the EAC to Congress in terms of where it resides, as opposed to the executive branch? Ms. Hillman. I can't say that I am an expert in government operations, but it would seem to me that it might be difficult for some of the work assigned to EAC to be done outside of the Federal Government administration, for example, the issuance of requirements payments or any funds to the States and the monitoring of those funds, or the whole process of setting up the voting guidelines and doing the testing and the accreditation. I just don't know if a body of Congress should be responsible for accrediting laboratories, testing voting systems, and issuing the certifications. I don't know of anything that has existed like that. Generally, those functions are within Federal Government agencies. Mr. Hodes. Thank you. Ms. Hillman. Sure. Mr. Hodes. Thank you, Mr. Chairman. I yield back. Mr. Clay. Thank you, Mr. Hodes. Mrs. Maloney. Mrs. Maloney. Thank you, Mr. Chairman. I would like to ask Commissioner Hillman, the CIBER assessment report submitted to the EAC last summer documented the entirely inadequate testing performed by CIBER and Wyle, for that matter, on software used in over 70 percent of the voting systems last November. These systems had been sold to counties as having been tested and certified to Federal voting system standards. Once they learned that the software testing was woefully inadequate, did the EAC inform elected officials, not to mention the public, that would be using the equipment to count the votes? Ms. Hillman. Thank you, Congresswoman. I am just going to glance at my counsel while I answer this question because what I understand is that the certification was to assess the capacity of CIBER to perform testing under our program. We did not in that process assess or evaluate work they had done previously, work that CIBER had done before EAC, what was done for the National Association of State Election Directors. So the report to us did not include evaluation of work they had done previously, but rather whether or not they were capable to perform under our certification program. Mrs. Maloney. But didn't the report show that it was inadequately tested? That is the point. The point was that it showed it was inadequately tested. The question is, did you inform anybody that it was inadequately tested? Ms. Hillman. Again, Congresswoman, I don't believe the report addressed prior work. It looked at their existing procedures against our requirements. So I don't believe the report that we received on CIBER informed us of inappropriate or inadequate things they had done prior to our program. Mrs. Maloney. I believe that it did, but we need to look at it further. Let me just ask Richard Hite, in 2005 the GAO recommended that the EAC, ``improved management support to State and local election officials by collaborating with the Technical Guidelines Development Committee and the National Institute of Standards and Technology to develop a process and associated timeframes for sharing information on the problems and vulnerabilities of voting systems.'' This is a GAO recommendation. I would like to ask you, Mr. Hite, do you feel it is the role of the EAC to inform elected officials and the public of problems encountered with voting machines, even if those voting systems were not directly certified by the EAC? So should the EAC, if they are aware of problems, inform the public and elected officials? Mr. Hite. As my written statement brings out, we believe that any information that the EAC becomes aware of that would be deemed credible and useful to election officials, regardless of the source, whether it is from a vendor, whether it from an independent authority, or whether it is from State and local jurisdictions, that information should be disseminated under their clearinghouse role. Mrs. Maloney. So particularly problems encountered with the machines should be definitely covered. Mr. Hite. Yes. Mrs. Maloney. Absolutely, probably more than any other reason. So therefore, going back to my first question to Commissioner Hillman, it was my understanding the CIBER assessment report documented inadequate testing, so therefore shouldn't that then have been given to the counties and to the people with the voting machines? Maybe I will ask Mr. Hite the same question. Do you think they should have informed election officials and the public that would be using these machines that the CIBER assessment report said they were inadequately tested? Mr. Hite. For me to answer the question, I would have to have some knowledge into the particular reports that are being talked about. I have not seen those and I don't know the time line. Mrs. Maloney. OK, we will get them to you, then, and maybe you can get the answer back to us. OK? Thank you. Mr. Clay. Thank you very much, Mrs. Maloney. Mrs. Maloney. We have been called for a vote, Mr. Chairman. Are you aware? Mr. Clay. Yes, I am. That will conclude the testimony from panel one. Thank you, Ms. Hillman and thank you, Mr. Hite, for your testimony. You may be excused. Ms. Hillman. Thank you. Mr. Clay. I would like to now invite our second panel of witnesses to come forward. We have a series of six votes that follow. I would like to swear in the witnesses and possibly get their opening statements going. And then we will recess the hearing and reconvene. With six votes, it is going to take about an hour. Mrs. Maloney. An hour? Mr. Clay. An hour, I would bet you. So let's see what we can get in now. If the next panel could come forward and make some brief opening statements, and then we will recess and make our votes. Our second panel is here with us today to address issues relating to electronic voting. Our first witness is the Honorable Robin Carnahan, who is Missouri's Secretary of State. Our second witness is Avi Rubin, Ph.D, technical director of Information Security Institute, Department of Computer Science, Johns Hopkins University; and Mr. John S. Groh, vice president, Election Systems and Software International, and chairman, Election Technology Council. Our fourth and final witness is Ms. Diane Golden, Ph.D, director of the Missouri Assistive Technology Council, on behalf of the National Association of Assistive Technology Act Programs. Welcome to all of you. It is the policy of the Committee on Oversight and Government Reform to swear in all witnesses before they testify. At this time, I would like to ask you to stand and raise your right hands. [Witnesses sworn.] Mr. Clay. Thank you. Let the record reflect that all the witnesses answered in the affirmative. We will start with Ms. Carnahan, if you could please give us a brief summary of your testimony. STATEMENTS OF ROBIN CARNAHAN, SECRETARY OF STATE, STATE OF MISSOURI; AVI D. RUBIN, TECHNICAL DIRECTOR, INFORMATION SECURITY INSTITUTE, DEPARTMENT OF COMPUTER SCIENCE, JOHNS HOPKINS UNIVERSITY; JOHN S. GROH, VICE PRESIDENT, ELECTION SYSTEMS AND SOFTWARE INTERNATIONAL, AND CHAIRMAN, ELECTION TECHNOLOGY COUNCIL; AND DIANE GOLDEN, DIRECTOR, MISSOURI ASSISTIVE TECHNOLOGY COUNCIL, ON BEHALF OF THE NATIONAL ASSOCIATION OF ASSISTIVE TECHNOLOGY ACT PROGRAMS STATEMENT OF ROBIN CARNAHAN Ms. Carnahan. Thank you, Mr. Chairman. It is an honor to be here with you today. As one of your constituents, I am pleased to see you up in the Chair. I am Secretary of State Robin Carnahan of Missouri. It is my job as the chief elections officials in my State to ensure that elections are run in a fair, secure, and accurate way. I want to share with you today some of the things that happened in the 2006 election. By all accounts, the election in Missouri was one that was fair and accurate and secure. Over 2 million people voted. That was 53 percent of the vote. In most instances, it went efficiently and smoothly. This was particularly noteworthy because of all the changes that were required after the Help America Vote Act and the new machinery that was put in place. I will be clear: elections in Missouri are run locally. They probably are that way in your State as well. Locally elected public officials run those elections in most places. In the larger metropolitan areas, there are appointed election boards. What we have done is documented the instances of problems that happened in the election, but also the successes. We put out a report about that, and we have a copy that we have submitted for the record. It is called Voters First: An Examination of the 2006 Mid-Term Election in Missouri. The successes were clear. We were able to implement the HAVA changes in a way that was fair and accurate. We got rid of punch card ballots. We got the new optical scan and DRE equipment. This new equipment was accessible for people with disabilities. We had the most accurate voter lists we have ever had in the State of Missouri. So there were significant improvements. But there were also some issues, and I want to identify what a couple of those were. The first and clearest and most obvious was that there were long lines at the polls. It took people a long time to vote. It stemmed from a number of things, in part because of the new machinery, in part because of a need for more training of poll workers, in part because there were some places that ran out of ballots. We have a number of recommendations that we have put forward about how we can deal with those issues, including having early voting in our State, as well as ensuring that there are adequate numbers of paper ballots for every person that can go and vote there. There were also some issues surrounding some of the new voting equipment. We have 116 election jurisdictions in Missouri. The primary voting system is an optical scan paper ballot. There is a DRE in every voting precinct, as required by HAVA. But unlike other States, we have paper trails for every vote that is cast in Missouri. In the main, that equipment worked well. There were some problems, but in the main the equipment worked well. I will also tell you that we did a statewide recount already, using those paper trails, including the paper trail on the DRE machine in our August primary election. It did not change any results. My recommendations on this front are that we need to have people obviously more familiar with the new machines and the poll workers in particular who are familiar. Another common theme that we saw was that there was some misinformation. There were issues surrounding this in our State because there were changes in what the voting requirements were going to be and what kind of ID was required. One out of five complaints that we got in our office were about the wrong ID requirements being asked for at the polls. There were a couple of registration issues that we saw, but there are a number of ways I think we can address those. Congressman, we have talked about those, some being automatic voter registration when you get a driver's license with the DMV, or also same day registration, which is being looked at in a number of States. I know that you all are looking at a number of changes, the Holt bill and others, that will affect elections and how they are run. I would just stress to you to keep in mind the principles that the National Association of Secretaries of State have put forward. Let me just quickly go over those. The first is to avoid preemption of State authority. Obviously, elections are run locally. If you all are going to take over the election process, that is a big change in our country and it will take money to do that. The second is provide reasonable timeframes for implementation, and don't do things that raise expectations that can't actually be met by the local election officials. Third is to gather in put from people who actually run the elections on the ground before you make any of these changes. And of course, guarantee full funding for any mandates that come down. And finally, to encourage the use of maximum flexibility once you set the goal, let the States figure out how to meet those goals. That is all I have to say today. I know that you all need to get away. [The prepared statement of Ms. Carnahan follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mr. Clay. Thank you so much, Madam Secretary, for that abbreviated presentation. We will try Dr. Rubin, and see how far we can go. You may proceed. STATEMENT OF AVI D. RUBIN Mr. Rubin. Thank you very much, Mr. Chairman and members of the committee. My name is Avi Rubin. I am a computer science professor at Johns Hopkins University. My background and training are in the area of computer security. In 2003, I made electronic voting my primary research focus. After reviewing the source code of the Diebold DRE voting machine and finding serious security problems there, I also published a report outlining the risks of these machines. After that, I became an election judge and worked two primaries and two general elections in Baltimore County to get a feeling for the process, and understand exactly how it works from a non- academic perspective. I found that there were many other computer science professors around the country like myself who were working on electronic voting and for whom electronic voting was very important. We decided rather than duplicating effort and working everyone in their little island, to join forces and try to create a center to study electronic voting. We made a proposal to the National Science Foundation to establish the ACCURATE Center. The Center was funded to the tune of $7.5 million over 5 years. I am the director of ACCURATE. Our main focus is to explore the design space of voting machines to better understand how the next generation of voting machines can be designed. We also perform outreach into the community by working on things like post-election audits like we had in Sarasota County that we were involved with, and working as election judges and poll workers and poll watchers. Finally, we educate students by teaching courses that focus on issues related to electronic voting. The discussion of voting machines has focused primarily on three types of technologies these days. Those are DREs, optical scan paper ballots, and DREs with a voter-verified paper record or paper trail. The primary difference between DREs and other voting systems is that a DRE is a software application running on a computer. It is typically running over the Windows operating system, although not all do. There are no ballots. The votes are kept on memory cards like the ones you might have in a digital camera, and there is another copy usually kept in the internal flash memory. Now, optical scanners use software as well. DREs are not the only ones that use software. They use software to read the scanned images, to process the images, and to tally the votes. But there are two important differences between the software in a DRE and the software in an optical scanner. The first difference is the amount of software. A DRE utilizes tens of thousands of lines of code, and the DRE operating systems that these DRE applications run on top of are typically millions of lines of code. An optical scanner can be written on hundreds of lines of code, so it is much simpler and easier to analyze. The second difference is that DREs produce no ballots, so they cannot be independently audited. Optical scanners can be audited and the ballots can be recounted. Let me take these two differences one at a time. First, the amount of software. If you haven't programmed a computer, it is hard to appreciate how different software is from anything else. It is highly complex and they are hidden in our actions between components and software. This is why some of the problems you may run into in a software system might not be replicable. You might have one section of software in a particular State, and then another section of software in an another State, and that combination of States creates an unexpected output. So you can find, and we often do see, that software systems can misbehave in surprising ways that cannot be reproduced and we cannot really understand exactly what happened. We can never know that a software system is free of bugs. In the discipline of software engineering, the No. 1 metric for how many bugs there in a program is the number of lines of code. More software means more bugs. So voting machines that have a lot of software are going to have a lot more bugs. I run short contests in my class where I have the students write very small programs. I am talking five or six lines. And then I have other students in the class try to evaluate these programs and find any bugs that are inserted there on purpose. I overwhelmingly find that it is much easier to create software bugs and to hide bugs than it is to find them. Finding software bugs is not something that can be done scientifically. It is an art right now and it is an imperfect art. I see that I am running out of time. I know you have somewhere to be, so I am going to leave a lot of what I had to say for the question and answer. But let me just wrap up by pointing out that NIST defines the concept of software independence, which is that a previously undetected change or error in the software cannot cause an undetectable change or error in election outcome. I think that is the right standard. I think that there are going to be undetectable bugs in software systems and we cannot have them affect the outcome. The only way that I know of right now to actually achieve software independence is with paper. [The prepared statement of Mr. Rubin follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mr. Clay. Thank you so much, Dr. Rubin, for that testimony. Mr. Groh and Dr. Golden, the committee will recess now. We will reconvene very shortly after the final vote. If you could just bear with us, we will come back to you. The committee stands in recess. [Recess.] Mr. Clay. The Committee on Oversight and Government Reform will come to order. We left off with Mr. Rubin. We will go to Mr. Groh. You may present your testimony. STATEMENT OF JOHN S. GROH Mr. Groh. Thank you, and welcome back. I will dispense with a little bit of my background and who I am, but I do represent the Election Technology Council as the chairman. The member companies of the Election Technology Council, we account for over 98 percent of the ballot tabulation in the United States. So this is made up of the people who are the stakeholders in supplying the technology to the election community. The other point I would make is my voice today is also a voice of over 1,000 individuals that are citizens, voters and employees of these vendor companies, who live in over 33 States. So we have a large constituency of individuals that work in the voting industry and we are proud to have done that. We all know that historically the 2000 election launched for the first time a national debate on elections. I think everybody was ready and it was well overdue that it happened. This was not a surprise at what happened in 2000 to any of the voting officials because they had been dealing with this for years. But I want to remind the subcommittee of a couple of key dates, because I think we need to recognize that there were two events going on. One is there was an old system that all of us were operating under that was run by the National Association of State Election Directors. This was then propagated by the 2000 election. We had some changes. So I would remind you that in October 2002 is when HAVA passed, but it wasn't until March 2004 that the EAC first came into formation, a brand new agency. It was very, very difficult to get traction and get themselves going. So there is a little bit of a reminder that the EAC has done a lot. Have they done everything they could do? Absolutely not, but they are on path to do all of it. It is just that they have a lot to do. We as the vendor community, we believe that there was one single goal of HAVA. Actually, I would like to recant that and say I think there were two. One was to ensure that every vote counted, but I think a bigger one was to assure that every voter is able to vote unassisted. That has been one of the mantras of the vendor community, was to come up with methodologies to allow everybody to vote. The ETC is open to all companies that wish to be in this, so we are a pretty broad group of individuals that are in this. I want to talk a little bit about a few areas that the committee has asked to hear about, and a couple that you haven't. We do know that one of them is time. Time is a very important element, and HAVA did not allow enough time. We would recommend that anything that Congress does going forward, please allow enough time for local and State jurisdictions to implement that. The second one would be the cost factor that goes into anything that is being mandated or required of State and local jurisdictions that in fact can happen. And the third is to not give up and remove the accessible voting strides that we have made in the last 2 or 3 years with new technology that is out there. Now, I will talk a little bit about some subjects that you had asked for a little more detail. One of them was the area of security. I am also going to talk about voting system certification, and then also I want to divert a little bit into source code and the area of the openness of source code. One of the things around security that everybody is focused on is trying to make the technology be something that handles everything in the security. It can't. One must recognize that security is an end to end process and you account for the totality of circumstances that can impact the security element. Prior speakers have all addressed that, and I think it is something that we, as election vendors, also understand that you have to have good practices. We have submitted along with our testimony, the testimony of Donetta Davidson, Chair of the EAC, that she provided I believe on March 15th. That is attached to my testimony as a supplement to it. To quote what she had put in hers, that the fundamental election administration process is to protect the entire voting process will always be important, even as voting technology evolves. Focusing solely on the reliability of voting systems is not enough, and Federal certification for the system cannot take the place of solid, thorough management procedures at the State and local levels to enure the system is managed and tested properly. That is one of the things that we will continue to talk about in our dialog with different committees. If I move over to the certification process, one of the things that certification is, they are on a path to launch a new certification program. They just haven't had enough time to get it implemented. All of us were working under the old certification process run by NASED. I have provided for you two diagrams, one pre-January 1, 2007, when EAC took over and has implemented a new certification process. I wanted you to have a view of what it was like before and what it is like as we look into the future. Please give the EAC enough time to implement that. And the final one was on voting system source code. The ETC members are in agreement that we think there needs to be best practices put out there, and some type of an oversight of how source code is to be looked at. I have submitted, along with my testimony, from the ETC members that of Britain Williams, Kennesaw State University professor, with over 20 years of election experience. He has put together some recommendations. We embrace those as a good process to start that, and would ask the Chair and the committee to look at those. With that, I am open to any questions you would have. [The prepared statement of Mr. Groh follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mr. Clay. Thank you very much for that testimony. And last, but not least, Dr. Golden. Thank you for your patience and thank you for being here. Ms. Golden. Not a problem at all. You just saved the best for last, right? I assumed that. STATEMENT OF DIANE GOLDEN Ms. Golden. I am here to talk about accessibility for people with disabilities. I am not here to support or oppose paper, electronic, combinations. It doesn't really matter to me as long as the system delivers accessibility for people with a broad range of disabilities. A couple of principles. If indeed you are going to use a paper ballot for security reasons, and it is a determinant ballot of record that can be counted as an official ballot, then it has to be accessible. I can't emphasize that enough. There are actually, most recently a report by NIST to the Technical Guidelines Development Committee of the EAC that suggested that perhaps it wasn't important for people with disabilities to verify their paper ballot; that it would be enough for people without disabilities to verify ballots and that should be sufficient. I can just tell you in no uncertain terms that is not going to be sufficient. If a paper ballot is going to be used, it needs to be able to deliver the same access features as one can get from an electronic ballot. Unfortunately, if I am the wet blanket in the room, electronic information is very, very easy to make accessible. Paper is much more challenging to be made accessible. In order to manipulate the information on paper, you pretty much have to convert it into an electronic form so that you can deliver accessible media and formats. So what we are faced with right now are, as people have talked about previously, two primary voting systems: DRE electronic voting systems, with paper added in a printer form; or ballot marking devices where the vote starts and ends as paper. The person with a disability interacts with both of those electronically, so there is a wide range of access features. Blind people can use the tactile audio ballot. People with low vision can use enlarged print. People with motor disabilities can use switch input, large tactile input, and mark the ballot with very little motor skills involved. Unfortunately, both of those current systems have glaring accessibility problems. If you start out with a base DRE and add a printer, the print on the paper needs to be accessible some way. The only way to do that is to scan it back in and reproduce it electronically so that someone with low vision can see it in large print, and someone who is blind can get it auditorily. Right now, we don't have any DREs with VVPATs that have that capacity. So for all of the jurisdictions that currently provide DREs with VVPATs, and Missouri is one of them, people with disabilities can't verify the print on that paper. If that becomes a determinative vote of record, then the person with the disability never was able to verify the actual vote. Ballot marking devices have their own problem. The vote starts and ends paper, so I take my paper ballot, insert it into the ballot marking device. I interact with it electronically. It marks my ballot for me, but then it spits it back out to me and I have to physically handle it. I have to reinsert it in that machine or insert it in a precinct counter to verify. I may have to insert it in a ballot box to finally cast it. All of that takes motor skills that if I am a quadriplegic I don't have. So for both of the systems that we have out there that have paper, we have access problems. The situation facing people with disabilities who have voted on paperless systems is they have had pretty much complete accessibility available. By adding paper back into the voting process, we have reintroduced access barriers. Are they solvable? Yes. We can solve these. People have been doing assistive technology for years, and we have ways of solving these problems. As was pointed out, it is going to take time and money to do that. So in terms of any kind of paper mandate, whether it is at a State level, and Missouri is one of the States where we pretty much have a paper mandate, we need to address this and we need to address it quickly, and we need to make sure it gets done so that we have not again disenfranchised people with disabilities by deciding that paper is the way we need to go for security purposes. With that, I will close and I am more than willing to answer questions. [The prepared statement of Ms. Golden follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mr. Clay. Thank you very much, Dr. Golden. Now, we will move to the question period. My first question is for both Dr. Rubin and Mr. Groh. Let me ask you, would you agree that a major flaw in the EAC's voting system guidelines is the lack of prescribed standards or guidance for testing or maintaining commercial off the shelf software or products in e- voting systems? And have you and your colleagues at the ACCURATE Center sought to offer recommendations for establishing such a requirement. I know Mr. Groh pointed to some documentation he was going to leave with the committee. Mr. Rubin, first. Mr. Rubin. Thank you. Sir, that is outside of the charter of what ACCURATE does. We have been funded by the National Science Foundation to do research, outreach and education. We did provide I believe a 40 page document of feedback to the EAC on their proposed VVSG. I don't think that software, whether COTS or whether a specific voting application software, can be tested for security the way you would test it for humidity or for dropping or for any other things like that. I think voting machines need to be red team tested and I don't feel that the VVSG offers the kind of standards that would need to be prescribed to properly test a system like this for security. Mr. Clay. Mr. Groh. Mr. Groh. Again, I will not claim to be a computer scientist or expert, so I acquiesce a little bit to what Dr. Rubin would bring up. But I would like to answer from a different perspective. That is that the EAC was working as hard as they could, as fast as they could, trying to develop the 2005 voluntary voting system guidelines to replace the 2002. They almost had a challenge that was not going to be met. Part of that is when you begin to dig into this, there are many, many moving parts, and many, many individuals or stakeholders in this from voters to local election officials, Secretaries of State, the disability community, the vendors. When that process took place, what they did is they had to rush that. So if you look at the time line that the NIST and the Technical Guidelines Development Committee worked under, they had to shortcut and come up with something to deliver in May 2005, so that they could get something implemented. They were racing to the finish line. They now have started on the second round of that, and they are going through the next iteration. I believe it is in that they will do a much better job of coming up with standards around it. So a lot of the standards that you see were left off, were left off knowingly because they were going to be out of time, or they would have still not had them released. Mr. Clay. Thank you so much for that response. Dr. Golden, can you specify how current and available technology can provide a verifiable audit trail for those needing assistance? Wouldn't the use of barcoded information from a paper ballot machine provide accessibility, while also ensuring the privacy of the voter's ballot? Are there other e- voting system options that can be employed in order to provide both accessibility and reliability in the voting process? Ms. Golden. Thanks for the question about barcoding, because that always seems to come up. The interesting scenario with barcoding is again, you have the DRE that has an electronic vote, and then there is a secondary or parallel paper printed vote over here. If there is a barcode printed on that paper ballot, then yes, a scanner can either read human readable text, OCR scanning, or it can read a barcode. If indeed a person with a disability is verifying what is in the barcode, and that is actually what is being counted, then yes, it works beautifully. However, it the barcode isn't really the determinative ballot of record, if it is the human readable text, then the person with a disability needs to verify that human readable text. It could be that if the barcode is printed on the VVPAT specifically for the purpose of counting ballots, which is kind of I think why it was originally going to be placed there, it wasn't for accessibility purposes, if that is what is actually going to be counted by a scanner, then the person with a disability technically is the only one verifying what is going to be counted, because they are verifying what is in the barcode and all the sighted people are verifying the human readable print, and yet that is not what is being counted. So I guess the answer is barcodes would be a great idea if that is what is being counted, then I actually think people with disabilities come out way ahead, because they are probably the only people verifying what is going to be the actual countable record. So it all boils down to what is being counted, what really is the ballot, and what is going to be counted. Mr. Clay. Would you say that the most acceptable equipment now in the polling places would be the optical scan with the audible component on it? I mean, that is the one that election officials have demonstrated to me. They say that is the one that is widely accepted in the disabled community. Is that accurate? Ms. Golden. The two ``types'' of accessible machines most commonly used are the ballot marking device, which is what you are talking about, an electronic interface with an optical scan marked ballot; or a DRE with or without paper. They are probably about split even. I wouldn't have the data, but they are widely used, both of them, as accessible machines. The problem is with a ballot marking device you are disenfranchising people with motor disabilities, because they cannot physically handle that paper ballot through the process. DRE with a VVPAT, you are disenfranchising people with vision loss because they can't see the print on that paper. So in essence, your choices of accessible machines right now are which disability constituency group would you rather disenfranchise. Mr. Clay. That is a tough choice. [Laughter.] Ms. Golden. It is a great choice. Mr. Clay. Thank you for that response. Dr. Rubin, in your testimony, you discuss various vulnerabilities identified in the DRE machines used in Maryland since 2002. Can you offer us some detailed examples of the types of vulnerabilities identified or malfunctions that occurred in Maryland? Mr. Rubin. Sure. I also want to take this opportunity to comment on something that came up earlier today, where Maryland was used as an example of a place that would have to switch from DREs, part of that 180,000. The Maryland House and Senate have passed a bill to move by 2010 to all paper optical scan, so they would be going anyway, although the Governor has not signed that bill yet. I just wanted to mention that. Working as a poll worker in Maryland, I encountered in the September 2006 primary a lot of issues that had to do with the reliability of the electronic poll books. That is what received a lot of press. That is separate from the DREs. That is what is used to sign people in. There have been some problems of machine freezes, etc., but I don't know of any tangible, viewable security problem that has occurred. That said, I think that the kind of security problems that I worry about don't always manifest themselves in something noticeable. So the thought that if one of these machines accidentally had the wrong vote tally, there would be no way to know it. I think this is what we are seeing that happened when something actually visible occurred in Sarasota County. What I ask myself is, how do we know that in Maryland there wasn't a problem that just didn't occur in a way that was visible? If 5 percent of the votes were recorded for the wrong candidate, and everything falls within statistical exit polls, we wouldn't know. Mr. Clay. That is troubling, what you just said. So do you believe that there is a rate of error as far as miscounting votes? Mr. Rubin. I don't actually believe that. My concern is that whenever there is an election, there is often a dispute. You have a loser. You have everyone except one usually loses. And so there is often a challenge to the election. There are a lot of people in the community that don't feel that the right answer was obtained. We have a tradition of having recounts. With the DREs as we use them in Maryland right now, there is no way to perform these recounts, and there is no way to gain any assurance. That is a different question from, do I believe these mistakes have been occurring. I actually don't have any reason to believe that they have or have not been occurring, but I am concerned with the fact that we can never resolve an issue if a situation occurs where there is reason to doubt the outcome. Mr. Clay. And Maryland has attempted to correct this how? Mr. Rubin. So Maryland has had several times bills have come before the House and Senate. The most recent one calls for all paper ballots with ballot marking devices for accessibility, and optical scan for counting, and random audits. This bill, like I said, has passed the two houses in Maryland and is awaiting the Governor's signature. Mr. Clay. Thank you for that response. Mr. Groh, to what extent have voting system manufacturers assessed their capacity to modify and upgrade voting systems for the 2008 election? And furthermore, what are manufacturers doing now to project future demands on their resources and address their needs? Mr. Groh. I think the first thing that we have done is we have had a lot of sleepless nights. Part of it is when you don't know what you are going to be doing because there is not clear direction. You then continue to worry about it. All of us, though, are trying to come up with scenarios and try and second guess what those scenarios are, but until we know for a fact what things are going to be implemented, it is hard for us to hit a target that will move. In fact, that has been a lot of the issues that we were all challenged with during the implementation of the HAVA, of where people needed to get the products purchased and installed by January 1, 2006. That created a tremendous amount of a time constraint, and so many of us were rushing to the goal line when we would have liked to have had more time to have made corrections that we knew about, but we didn't have the time to do those things. So today, many of us are trying to address issues we saw in the 2006 election to make sure that they are ready for 2008. We are trying to address that. You need to understand, to do anything for 2008, I need to be ready to implement from my company's perspective in about November or October of this year. The first elections are in February 2008. We will be doing early balloting and voting on that will happen 45 days in advance. If you back up ballot layout, ballot proof, logic and accuracy, public testing and so forth in there, you run yourself out of time. So getting through a certification process on new technology between now and 2008, it is going to be impossible to do. Mr. Clay. In light of the dysfunctional processes identified in the current lab certification process for systems, what are your views on the EAC's current voting system certification process? Mr. Groh. The process the EAC is implementing is a much more rigorous level. It is like, to use an analogy, it is like stepping from high school basketball to professional basketball. It has that kind of a differential. To implement that, you can't implement it overnight. So they are going through a process right now of certifying the labs under a NIST program called NAVLAB, which is a national laboratory certification program that they put them through. That is the piece that you were challenging Commissioner Hillman to earlier about what they found out in their evaluation of CIBER to meet that new test lab process. We right now are seeing from a manufacturer's standpoint there is a constraint or there is a keyhole that we are trying to go through in the test labs. There are only two of them available. We can't get all of our product, that is stacked up there like airplanes waiting to land, through those two. We know that NAVLAB will free that up, but you have to give them enough time to get the NAVLAB program in place to get enough laboratories available. Mr. Clay. Has the ETC developed its own recommendations for improving the system? Mr. Groh. Yes, we have. We submitted from the May timeframe of 2005, when NIST and TGDC presented their recommendations on the VVSG, we were part of helping them develop and answer questions. We were allowed to provide comments, and we are continuing to work in the process of the new programs that they are looking at, the new VVSG standards and the certification process. Mr. Clay. As a final question for you, are the threats to voting system security changing? And what more needs to be done to understand and address the threats? Mr. Groh. Dr. Rubin's ACCURATE organization is doing some of that because they are looking at how voting systems and the voter interface and interact. There are probably four or five other organizations that are doing the same thing. From the vendors perspective, we do think this is an end to end process. So from the time that we develop a product, Q/A it, run it through certification, there are a whole group of other activities that happen that are all part of certification, such as the State level. There are 36 States that do their own State-level certification on that is an enhanced version of it over the EAC's process. Additionally, there is acceptance testing done by the local election officials. There is chain of custody programs that they are implementing and putting into place under the EAC's guidance and direction. But to me, the biggest security principle that we have in this is the fact that these voting systems are used widely across the United States. They are not all one uniform, unique system. It is impossible to get access to all of these systems, to get in there and do something with them, because they are all different from each other. So that alone creates a layer of security in here that people don't recognize or see that is there. And then you have the citizenry that oversees it. The poll workers are voters and are citizens that are voting and using that. Hundreds of thousands of them work on this. You have local oversight into that through them. Mr. Clay. Thank you for that response. Dr. Rubin, in yesterday's PC World, there was an article about research being conducted at University College Dublin in order to develop a more secure e-voting software architecture through the use of open source software. Can you offer us an opinion on how the EAC could alter the current accreditation and certification process in order for it to become more transparent and reliable? Mr. Rubin. Sure. I am familiar with that article. I think that a lot of the attention that has been placed by people who are described in that article on open source in my opinion are somewhat misguided. You can have all kinds of bugs and security flaws in software that is open source, just as you can in software that is not open source. It is my belief that you are not necessarily much more likely to expect to find these problems in open source as you are in things that are not open source, because bugs are that difficult to find. In terms of what the EAC can do, I think following NIST's advice and striving for software independence. If we had a software independence system as defined by NIST, then it wouldn't really matter if the software was that secure, and it wouldn't really matter if the software was open or not, because software independence means that you are not depending on the software for security. So I don't want to sound like a broken record with respect to paper, but right now I can't think of a system that provides software independence that is not based on paper. I do think there are such systems in the works, and I am a big fan of the cryptographic systems that are being developed. I don't think that they are ready to be deployed in any precincts right now, but someday they will be. Mr. Clay. Can you offer us an opinion on how the EAC could alter the current accreditation and certification process in order for it to become more transparent and reliable? Mr. Rubin. I think that several things could happen. The EAC could require what is known as red team testing of the machines, which is different from the kind of testing them to a standard, where you get security experts and software experts to have a field day with these things in the lab and try to break them and find out where the weaknesses are. I think that is the best way to test security these days. Mr. Clay. Thank you for that response. Ms. Golden, as a final question, has the voting system vendor community been receptive to the needs of the disabled community? Are there adequate systems development efforts underway to improve the accessibility of voting systems under the new guidelines? Ms. Golden. Since I am sitting right next to Mr. Groh, I would never say no to that question, and in all fairness, the vendor community has I think worked very, very hard on accessibility. I will say the progress has kind of been in fits and starts, but some of that was very legitimate. First off, we didn't have good accessibility standards until the VVSG came out, which does provide a robust set of access standards that they could actually build to. In terms of accessibility, this is similar at least to architectural access. Until we had good architectural access standards that said door widths need to be X wide and slopes need to be this kind of slope, and grab rails need to go here, people didn't know how to build something accessible, so part of it had to do with standards. Part of it, too, quite frankly, is the vendor community did what seemed logical, which was they went to constituency groups of people with disabilities and asked them what they wanted. The classic example that I always give is a vendor who went to a bunch of blind folks who were very competent technology users. What they wanted is going to be very different from what older blind people who are not very technology savvy are going to want and need. So they built the system, and it did work very, very well for blind people who were technology savvy. The older blind population had a heck of a time figuring out a 10 key pad and a this and a that. So some of it, too, was just not being familiar with the disability community as a very diverse group of people. Someone with ALS is very different from someone who is blind, who is very different from someone with cerebral palsy. Knowing that whole population, I think it has been a bit of a learning curve for the vendor industry. But yes, I would say they are very committed to it. I don't think anybody doesn't want people with disabilities to have a completely private independent vote. Mr. Clay. So the issues relevant to the disabled community are solvable by the industry, as long as they work together with the disabled community? Ms. Golden. Yes. And I think technologically, the solutions are there. It is just going to take us some time and money to get there, and a clear vision. Part of this has been too, we are going to do electronic votes; no, we are going to go back to paper. If we had been focused on paper all along, we might have been a little further ahead in this game, but we have gone back and forth. If paper is the game, then we just need to make it accessible. We have a couple of big issues to solve, and somebody just needs to get down to it, and solve it and be done with it. Mr. Clay. Thank you. Thank you for your response. Let me thank the panel for their response. I will allow anyone on the panel to make a closing statement, if you have any. Dr. Rubin, you may proceed. Mr. Rubin. OK. There is one thing I didn't get to in my opening remarks. I wanted to point out that DREs did break ground in accessibility, but that the accessibility features are not particular to DRE, and some of this has come out. I think the same accessibility features can be obtained with op scan using ballot marking machines and accessible verification technologies. I agree that a lot of work needs to be done to make that happen so it is usable in a precinct. I want to point out that the security community is not advocating compromising on accessibility, but rather preserving accessibility, but adding security and audit. Mr. Clay. Thank you for that. Mr. Groh. Mr. Groh. Yes. I would like to just close with a couple of things. The Election Technology member companies, we believe we are a stakeholder in this. The companies and all the employees that are involved in this, our aim has been always in the products that we build and the development we work with and the interfaces we have, whether it is with Secretaries of State or with the accessibility community, and that is a broad community. There are many, many organizations, but it has been to be responsive to all voters, the local election officials, State and Federal Government, and kind of in that order. We are also committed to providing safe, accurate, secure and reliable, accessible voting systems, but we need to know what that target is and we will build it. People are saying, if you build this, we will buy it or we will come. So that is what we want, and we need those definable solutions. The closing pieces would be you need to allow the time to do this. That has been, if I can say there is one root cause of many of the issues that we are dealing with today, we have never given it enough time to allow everybody to get to the table and hash and debate this out. There are many good ideas that can come out of that discussion, but we have always tried to do that in about a 2 month or 3 month window of time. It is not enough time. The other one is to encourage you to make sure you consider funding responsiveness on this, because the No. 1 competitor that I have experience being in this business since 1995, was not another competitor. It was the local election official saying, I don't have enough money. They knew they wanted better election equipment, but they had a school or a library or a road that needed to be done. HAVA allowed us to make a huge leap forward. Let's not throw that all away, but if we are going to spend the next round of money, let's do it very, very appropriately. We don't need to rush to the finish line on this one. Mr. Clay. Thank you so much, Mr. Groh. Dr. Golden. Ms. Golden. Since everybody else did something, of course I can't be outdone. I might as well. Mr. Clay. You might as well. Please do. Ms. Golden. Just a couple of quick points. One is to followup on a question you asked earlier about the Technical Guidelines Development Committee, and representation of accessibility interests. I talked with Commissioner Hillman a little bit after the closing of the first round. The disability community I think as a whole does have a bit of a concern with the degree to which accessibility interests are being discussed as part of the Technical Guidelines Development Committee. They are working on the next iteration of the VVSG, and yet again we are finding that security interests are trampling accessibility, for lack of a better way of describing it, and no one is at the table saying, wait a minute; I am not telling you not to do this, but if you do ``A,'' you have again diminished accessibility. The accessibility community just seems to always be playing catch-up behind the game. The train seems to be driven by the security issues, and it is always the afterthought, oh, oops, you mean if we require not only software independence, but hardware independence, then we also have caused another accessibility problem. Yes. So that continues to be a concern. And the second issue has to do with the testing facilities and labs. The EAC has a new process, much more rigorous. We have not seen the outputs of that process yet, but in terms of accessibility, I guess I am fearful again that we are not going to be adequately represented in terms of the skills and expertise in those labs. What I saw in the first round of conformance to the FEC 2002 access standards, I would get a report, worked with Secretary of State Carnahan and our group. Missouri does certify equipment, in addition to national certification. When we looked at the equipment, I would see the testing lab report and it would say this piece of equipment conformed to this access standard, and yet I could tell it didn't. The vendor could tell it didn't. And yet, the certification statement said, yes, it conformed. So I am fearful, or at least I would like to hope that we have more expertise involved in judging conformance and evaluating conformance to the access standards. They are highly technical. You have to know something about people with disabilities and accessibility if you are going to judge conformance to those standards. I don't know enough about those labs to know if they have that kind of expertise or not, quite frankly. Mr. Clay. Thank you for that. Let me thank this panel, and the previous panel, for their expert testimony today on such an important subject to this committee, to this Congress, and to the American public, so that they can have confidence in their vote and ensure that it is counted accurately, and that they can have a better understanding of the electronic voting systems that each State administers. So I want to say thank you to this panel and the previous panel for their testimony. Without objection, the committee stands adjourned. Thank you. [Whereupon, at 5:55 p.m. the subcommittee was adjourned.] <all>