CDT Letter on the Secure Elections Act Mark-Up
Hon. Roy Blunt (via email)
U.S. Senate
260 Russell Senate Office Building Washington, DC 20510
Hon. Amy Klobuchar (via email)
U.S. Senate
302 Hart Senate Office Building Washington, DC 20510
Re: Secure Elections Act
Dear Senator Blunt and Senator Klobuchar:
We write today to let you know that while CDT continues to support the Secure Elections Act (SEA), S. 2593, that will be subject to Rules Committee markup tomorrow, we are very concerned about the audit provision in the bill and believe it should be addressed before the SEA is passed into law.
Over the past two years, CDT has been heavily involved in election cybersecurity education and outreach to election officials at all levels of government. We applaud the hard work that has gone into getting the SEA into the state it is in before markup; there are many laudable and positive provisions that we’d like to see as regular features of the US election ecosystem. Notably, the current revision includes provisions that would: streamline and mandate information sharing about election cybersecurity incidents from election offices and manufacturers; require voting equipment purchased with HAVA funds in the future have a paper audit trail; establish and regularly update recommendations for election cybersecurity and auditing; require the DHS to report annually to Congress on election security incidents; and, ensure that the EAC can better collect information.
All this being said, we remained concerned about the audit provision in the bill. Revisions to the current version remove a necessary parenthetical, “(by hand and not by device)”, that would have made it crystal clear that audits under this legislation must be end-to-end, examining the voter-verifiable paper audit trail and comparing it to the digital records that were counted to achieve the unofficial results on election day. We would like to see the parenthetical statement, “(by hand and not by device)”, added back into the audit section as an amendment during markup. Without this provision, jurisdictions can choose to do audits that are less than end-to-end, meaning they can potentially satisfy this provision by not examining the paper record itself (i.e., images of the cast ballots) or by using a device to count those paper records instead of human auditors examining those ballots. If enacted without this measure, we feel that many jurisdictions would choose to do these lesser audits, and as we saw with the paper mandate in the Help America Vote Act of 2002 which resulted in most jurisdictions purchasing paperless voting systems, such provisions are likely to be misinterpreted.
If adding the end-to-end audit provision back is not possible or practical, we would recommend the entire audit section (Section 6) be removed from the bill. This is not a suggestion we make lightly. We believe that a federal audit mandate that cements in inferior forms of election auditing will on balance be a net negative. Both election officials and vendors will have license to perform auditing activities that are fundamentally insufficient in terms of catching errors or malicious activity that could affect the unofficial vote count.
We once again thank the committee for its time and attention to the important issue of election cybersecurity and hope the provision of the bill regarding secure audits can be resolved as we describe above in order to assure that the American people can have the utmost confidence in our election system.
Sincerely,
Joseph Lorenzo Hall
Chief Technologist, CDT
Maurice Turner
Senior Technologist, CDT
