Feds defend oversight of e-voting testing

Election Assistance Commission takes issue with reports about its oversight of sites charged with ensuring secure electronic voting systems.

Anne Broache
Anne Broache Staff Writer, CNET News.com
Anne Broache
covers Capitol Hill goings-on and technology policy from Washington, D.C.
4 min read
WASHINGTON--Federal election officials on Thursday defended their procedures for evaluating laboratories that test e-voting machines, which have attracted allegations of secrecy and slipshod management.

At the U.S. Election Assistance Commission's first public meeting of 2007 here, three commissioners emphasized what they characterized as efforts at transparency and rigorous oversight for laboratories that have sought federal certification.

"There seems to be some important information that gets lost in the translation," said Commissioner Gracia Hillman.

"The pressure is on us to perform like we've been doing this for 50 or more years."
--Gracia Hillman, EAC commissioner

EAC Chairwoman Donetta Davidson also made references to setting the record straight after reading perceived mischaracterizations of her agency's lab accreditation processes in the press and the blogosphere.

Although no direct mention was made, the panel appeared to be responding to a critical New York Times report from last month. That article revealed that the EAC had decided last July to temporarily ban Ciber, the largest tester of voting machine software, from conducting such reviews because of irregularities in its procedures. After the article appeared, EAC posted more information about the Ciber review to its Web site.

Computer scientists interviewed for the NYT story said they were disappointed the EAC didn't disclose the prominent lab's status sooner. The episode raised broader questions, they said, about the reliability of voting systems previously tested by Ciber and in use during past elections.

Chairwoman Davidson attempted to defuse concerns about the EAC's secrecy by asking Brian Hancock, director of the agency's voting systems certification arm, to confirm that the sequence of events wasn't out of the ordinary.

Hancock didn't specify whether a sub-par assessment by a voting machine test lab would normally be made public. But he said it was routine for a site to "be given a period of time in which they can correct those non-conformities, and that may go on for some time."

Steps to transparency
Davidson also pressed David Alderman of the National Institute of Standards and Technology, which evaluates the technical side of the labs and makes recommendations to the EAC, to describe the steps NIST has taken to make its process more transparent. Alderman said the agency has released much more information--including full on-site assessment reports, the lab's response to the report, and even the names of the labs that have applied for review--than for typical accreditations that don't deal with voting systems.

"Normally those things are not released and are kept confidential, mainly because labs have used them for marketing or antimarketing against other labs," he said.

Ciber has until March 5 to submit additional paperwork requested by the EAC that will allow the agency to decide whether to grant the test lab "interim" accreditation. The EAC also plans to stop accepting applications for the less rigorous "interim" stamp of approval on March 5. The agency launched the interim process last July to give NIST more time to start assessing the labs that had applied for accreditation.

In January, the relatively young commission, created by Congress in 2002 to oversee the transition to electronic voting, announced that it was ready to start, in conjunction with the NIST, granting formal accreditation to e-voting testing labs. States are not bound by law to use voting machines tested at sanctioned sites, although many are expected to enact such requirements.

Before June 2006, it was up to an organization called the National Association of State Election Directors (NASED) to make such decisions, and 39 states required that their voting machines be approved by labs that the association had accredited.

NIST last month recommended that two Colorado-based labs, iBeta Quality Assurance and SysTest Labs, receive full accreditation. EAC said it is currently reviewing those applications, requested additional information from the labs by February 15, and plans to make a final decision on their status within a week or two of that date.

If that pair of labs and the four additional sites that have applied for accreditation ultimately pass muster, "it seems to me that's going to be a big step forward," Commissioner Paul DeGregorio said, pointing to past gripes from state and local election officials about the limited number of accredited labs. "I think certainly it's more thorough than the NASED program in the past."

All labs that volunteer to be vetted for approval under the new federal system must undergo a two-step process. First, they must hold up to a review of their technical capabilities by NIST, which decides whether to recommend them to EAC. Second, EAC reviews NIST's recommended labs for non-technical concerns, such as conflicts of interest, organizational structure and record-keeping protocols.

One commissioner admitted that "limited" resources have posed a challenge. "The pressure is on us to perform like we've been doing this for 50 or more years," Hillman said. "The fact of the matter is that any industry that has been through what the EAC is going through with respect to new programs, testing certifications and so on has probably been through far worse than what we're going through, and probably had more resources."