19250. (a) On and after January 1, 2005, the Secretary of State may not approve a direct recording electronic voting system unless the system has received federal qualification and includes an accessible voter verified paper audit trail.and:
19251. For purposes of this article, the following terms shall have the following meanings:These systems have audio components for casting the vote, but not for reading back the paper trail as required by California law. There is no AVVPAT audio component, only an audio component of the DRE which is present whether there is an AVVPAT or not.
(a) "Accessible" means that the information provided on the paper record copy from the voter verified paper audit trail mechanism is provided or conveyed to voters via both a visual and a nonvisual method, such as through an audio component.
Also, the California AVVPAT standards, http://ss.ca.gov/elections/ks_dre_papers/avvpat_standards_1_21_05.pdf, require an audio component as part of the Paper Record Display Unit.
2. Design Requirements.
2.4 Paper Record Display Unit
2.4.3 Accessibility: The AVVPAT components must conform to federal
and state accessibilty requirements.
2.4.3.1. This shall include, but is not limited to an audio component.
2.4.3.1.1 The audio component must accurately relay the information printed
on the paper record copy to the voter as verified through state testing.
Thus the continuous roll AVVPATs do not conform to the standard.
Problem 1: The AVVPAT on these systems is a continuous roll of paper which preserves the order of ballots cast, leading to a loss of secrecy during the 1% manual tally and any recounts, violating the secrecy of the ballot.
Since:
- anyone can observe at the polls (EC 2300 and EC 19362),
- each voter must audibly state their name before voting (EC 14216),
- anyone can request a recount of a precinct (EC 15620 and 15621),
- anyone can watch the recount of the precinct (EC 15629),
the secrecy of the vote is compromised.
The continuous roll AVVPAT allows these privileges to be used to determine how people vote.
Pennsylvania has prohibited the TSx AVVPAT for just that reason, saying it violates the Pennsylvania Elections Code and Pennsylvania State Constitution. (http://www.hava.state.pa.us/hava/lib/hava/votingsystemexamination/diebold_report _122205.pdf, page 5)
See also "Secretary of State Standards for AVVPATs - Continuous Reel-Reel AVVPATS - All Vendors" below.
Problem 2: Opening the canister of the AVVPAT to diagnose or fix a problem may expose the ballots on the AVVPAT, violating the secrecy of the ballot.
In early voting, each AVVPAT roll will contain copies of ballots for voters in many different precincts. There is no way to isolate ballot copies for voters in specified precincts. The continuous roll design makes this unsuitable for the mandatory one percent tally or for recounts of selected precincts from early voting.
4.2 Software Design and Coding Standards
4.2.2 Software Integrity
Self modifying, dynamically loaded, or interpreted code is prohibited,
except under the security provisions outlined in section 6.4.e. ...
There is no section 6.4.e. Using a strict reading, this would mean there are no exceptions. A more liberal reading could assume a typo and that section 6.4.1.e was meant:
6.4 Software Security
6.4.1 Software and Firmware Installation
6.4.1.e. After initiation of election day testing, no source code
or compilers or assemblers shall be resident or accessible.
However, 6.4.1.e does not mention interpreters and implies only precompiled and linked code be allowed.
A further analysis of this is available at http://votetrustusa.org/index.php?option=com_content&task=view&id=645&Itemid=913. Look for John Washburn's comments at the end.
Problem 1: According to Secretary of State McPherson in his San Jose Mercury News article, AVVPATs "might not retain their quality during the often-lengthy recount and legal challenge periods." That means they are unsuitable.
Problem 2: The small type of the AVVPAT is unsuitable for tallying by hand, e.g. in the manual tally of 1% of the precincts and in recounts, during which several people must be able to read it simultaneously. The small type also makes it difficult to read for people with limited vision.
Problem 3: The Diebold AVVPAT can not be used with curbside voting, reducing accessibility. (If the TSx is used for curbside voting, curbside voters can not verify their votes, there will be discrepancies in the 1% tally and recounts, these discrepancies will tell you how the curbside voters voted, and recounts using the AVVPAT would be inaccurate.)
Problem 4: There is no effective logging or tracking of who performed changes to the central tabulator data because everyone uses the same account name and password, due to a limitation of the Diebold system.
Problem 5: In the September 2005 volume test (the second volume test), there were seven AVVPAT problems on a test of 96 machines. Given the limited training of poll workers, it is unreasonable to expect them to diagnose and fix AVVPAT problems. This makes the TSx unsuitable.
Problem 6: The Spyrus vote card encoder is limited to 8 political parties, and thus is unsuitable for California primary elections in which there need to be 11 party choices.
Problem 7: Thermal paper is generally not advised for record keeping. It may be exposed to direct bright sunlight or very hot temperatures during the day or during transportation and lose information.
Problem 1: Vote counts in the central tabulator may be altered by anyone with local or remote access to the central tabulator. This is publicly documented in a US CERT vulnerability report in September, 2004 (http://www.us-cert.gov/cas/bulletins/SB04-252.html#diebold), but has not been fixed.
Problem 2: The optical scanner prints no summary result tape for absentee votes, so there you can't tell if the numbers are changed after the fact, short of a full recount. In many counties, 40-50% of the ballots are absentee, and these aren't being included in the required 1% manual tally, leading to a large potential for fraud.
Problem 3: The TSx and optical scan units use removable memory cards for electronic ballot boxes. These memory cards contain executable code. The code on the memory cards is executed, without being checked to see if it is malicious. Anyone with access to the memory cards can alter the results of the entire election. This means thousands of poll workers can change the outcome for the precinct they worked in, and possibly others.
Problem 5: The Johns Hopkins, RABA, SAIC, and CompuWare reports have found Diebold voting systems security to be poor. Black Box Voting a few months ago managed to penetrate security on both the Diebold precinct optical scanner and central tabulator.
Problem 6: Diebold apparently is relying on what is know as "security through obscurity". Computer security experts view this as a bad approach, especially as the source code was published on the Internet. Security must be designed into software from the beginning; not just patched in after the fact.
Problem 7: The Secretary of State's VSTAAB report states on page 7:
"In the worst case, vote files could be corrupted or truncated when software failures happen. We believe that this issue warrants further investigation before any modified versions of the TSx are certified."
We have seen no evidence that this has been done. (Diebold reduced the number of software errors in the second volume testing, but there has been no statement with respect to the VSTAAB question).
Problem 1: There is no sip and puff capability.
Problem 2: There is no way for the blind to verify their vote on the AVVPAT, violating Elections Code Sections 19225 (d) and (f), 19226, 19250, and 19251. (See section on continuous roll AVVPATs above).
Problem 3: The AVVPAT print is too small to be read by many.
Problem 4: The Diebold AVVPAT can not be used with curbside voting.
Elections Code Section 19103 requires exact copies of all code used to be placed in escrow before use.
Problem 1: As the code on the memory cards varies by election and county and even part of a county, it is probably not in escrow. It may also be dynamic, in which case it could not possibly be in escrow.
2.1.3 Secrecy: "procedural safeguards to ensure secrecy of votes so that it is not possible to determine which voter cast which paper record copy"
Being on a continuous roll means if you watch the order of the voters, you can match them to the ballots, violating the secrecy of the votes. This is also a problem when AVVPAT problems are addressed by opening up the AVVPAT to fix them. This applies to paper jams, false low paper warnings, and other AVVPAT problems.
2.2.3 "The same standards shall apply to paper record copies as for paper ballots as defined under federal and state requirements."
To satisfy this, the AVVPAT must follow the specification in sections 13200-13220 of the Elections Code, with respect to fonts, type size, watermarks, quality of paper, stubs, etc. The TSx does not; Secretary of State McPherson acknowledged this in his Opinion Piece in the San Jose Mercury News on September 9: "They are designed for the voter's review and are not printed on ballot-quality paper".
2.4.2 Readability: "A paper record copy shall be readable from the same position and posture used for voting on the DRE".
The TSx AVVPAT uses small type and no magnification. Thus it is doubtful that everyone can read it while in voting position/posture.
JB: Nov. 27, 2005
Revised: Jan. 22, 2006
Revised: Feb 4, 2006