By Lillie Coney
U.S. Election Assistance Commission
Hearing on Proposed Voluntary Guidance to the States on Implementing Statewide
Voter Registration Databases
April 26, 2005
I would like to thank the U.S. Election Assistance Commission (EAC) for the opportunity to participate in your deliberative process regarding the promulgation of voluntary guidelines to states on compliance with Section 303(a) of the Help America Vote Act (HAVA).
My name is Lillie Coney and I am the Associate Director of the Electronic Privacy Information Center (EPIC) located in Washington, DC. EPIC is a public interest research center established in 1994 to focus public attention on emerging civil liberties issues as they relate to information technology and to protect privacy, the First Amendment, and constitutional values.
I also coordinate the work of the National Committee for Voting Integrity, an EPIC project, which promotes dialogues on voter-verified balloting with the intent of preserving privacy protections for elections in the United States. The Committee brings together experts on voting issues from across the country.
I am here today to offer comment on the EAC's recommendations to states on the centralization of voter registration databases. EPIC's view is that the implementation of this HAVA mandate should be transparent, private, and secure. HAVA requires that each state develop and maintain a single, uniform, official, centralized, interactive computerized statewide voter registration list. This list must contain the name and registration information of every legally registered voter in the state.
Although the details of implementation of these statewide lists were left to the states, Congress required the EAC to issue voluntary guidance to assist the States with interpreting and implementing the statewide-centralized voter registration database provision of HAVA.
It is EPIC's position that compliance with Section 303(a) of HAVA should include transparency, privacy, and security for voter registration information, while at the same time meeting the challenge of real-time authentication of voters during an election.
Transparency is a key component of a functioning, healthy democracy. It can be translated into public policy decisions that allow citizens, policymakers, and the media to assure themselves that a local, state or federal government agency is functioning as intended. In this context, the process of providing transparency is referred to as "open government." Open government can be accomplished in a number of ways, which may include public meetings, public rulemaking notices, reasonable public comment periods, access to rulemaking proceedings, and open records laws. The application of technology intended to provide a government service should not be excluded from open government objectives. In addition to the methods described, the adoption of technology may require additional opportunities for public comment that facilitate the participation of those members of the public with relevant skills and training. In these cases, special outreach should be done to professional technical associations, academic institutions, and special interest organizations to encourage their participation in the technology planning and implementation process.
Open government efforts should be maintained by each local, state, and federal agency engaged in election related work because it is a means for assuring democracy and public confidence in the administration of elections. We believe that the states should be required to make clear the information that is collected, to whom it will be disclosed, and the privacy and security procedures that are in place. The public should be given the opportunity to comment on these practices, and the states should take public comment into account before adopting a final rule.
Privacy is an important component of a democratic election system.1 In most states, voters must make information about themselves available in the public domain in order to exercise their right to vote. There are approximately 215 million eligible voters in the United States, with only 144 million of them registered to vote.2 It is common knowledge that voter registration rolls are used to select jury pools for local, state, and federal judicial proceedings. However, most voters do not know that in many states voter registration data is considered public information that is available to third parties for non-voting related purposes. In a limited number of states and under certain circumstances, voters are provided the option of limiting the amount of information provided to a third party. Is it time to ask ourselves if the lack of opt-out privileges is the best policy for voter registration?
Some state practices regarding voter registration records limit the type of voter information shared with third parties. For example, the full date of birth, place of birth, mother's maiden name, previous address, and whether a person routinely votes absentee may be withheld.
There were signs during the election of 2004 that identity thieves used social engineering attacks in attempts to obtain social security numbers from voters.3 In several states authorities reported that registered voters received unsolicited calls from individuals who said that they needed the voter's social security number to confirm their registration.4
A few states, in an attempt to comply with HAVA, are hiring private companies to build the state's centralized voter registration database.5 The use of private contractors raises concerns about the other possible uses of the personal information provided by the state. Also, the move to create statewide voter registration databases may further erode the privacy of voters.
Another challenge faced in the administration of centralized voter registration lists is the set of problems presented when attempts are made to purge voter rolls by using data obtained from non-voting related sources. In 2000, a data broker acquired by ChoicePoint before the election provided the state of Florida with a list of 8,000 names that incorrectly identified legal voters as having felony convictions in the state of Texas.6 This error led to the denial of voting rights for legally registered voters in that state.
Before the adoption of centralized voter registration rolls, policymakers, the public, and the media should carefully investigate the risks associated with this proposal. The observations on how states and local governments adopted e-voting technology may indicate that the statewide centralization of voter registration lists may involve contracts with private companies. To date there is evidence that some states are in fact taking this route as a means of meeting HAVA's 2006 deadline for voter registration databases.7 One information management company, Accenture, is making progress in winning contracts. The States of Florida, Pennsylvania, Colorado, Wisconsin, and Wyoming have hired Accenture to manage or assist them in developing their statewide-centralized voter registration databases.8 Accenture is the company responsible for creating the error-prone Florida 2004 felon purge list, which was discarded after a court order forced its disclosure prior to the election.9 The Miami Herald discovered that Accenture wrongly included 2,119 names among those listed for removal from Florida's voter registration rolls for the November 2, 2004 election.10
Another matter that voters, public policymakers, the Election Assistance Commission, and others should consider is how these centralized lists are used and who will have access to them. It was reported that former Attorney General John Ashcroft, following the attacks on September 11, 2001, ordered that all government records including voter registration lists be checked for links to terrorism, but he specifically prohibited the FBI from examining background checks on gun purchasers.11 In the past there has been little resistance to voter registration lists being used for non-voting related purposes.
However, today some states are already looking at the threat posed by identity theft because of public access to voting records. A task force formed by California's former Secretary of State urged the state legislature to strengthen the laws that protect voter privacy.12 Senator Hugh Farley of New York introduced legislation that would direct state election officials not to share access to voter registration records.13
Good privacy practices for voter registration systems begin with the collection of voter registration information. First and foremost, caution should be taken when using information that was not collected specifically for voter registration purposes. In this context, states should limit the amount of information collected and retained to only that which is necessary for the purpose of voter registration. The core principles of privacy protection in our current communication age are associated with fair information practices (FIPs). The Fair Credit Reporting Act (FCRA), enacted in 1970, contains many of the principles outlined by FIPs. FCRA was intended to promote accuracy and privacy of personal information collected by Credit Reporting Agencies (CRAs).14 Another early prescription of FIPs appears in the Federal Privacy Act of 1974 and later amendments of that law.15 The Privacy Act is intended to protect citizens from the misuse or abuse of personally identifiable information that federal agencies maintain as a means of providing government services.
Personally identifiable information managed or accessed by statewide-centralized voter registration systems should rely upon FIPs principles to guide the collection, retention, and use of information. FIPs are intended to ensure the accuracy, relevance, timeliness and completeness of information retained on individuals to guarantee fairness.
FIPs would dictate that the best source of information for the purpose of voter registration is the person applying to register to vote. Voter registration applications should clearly state the purpose for which the information is being collected, and what statute or authority is directing the collection of information. Voters should be provided with contact information for the system that will maintain the voter registration information being collected. Voters should have access to information regarding the security and maintenance of the computer system(s) that will manage the voter registration data. Voters should be provided contact information for the person or office responsible for complaints and questions regarding their voter registration record. Voters should know which state or federal government agencies were contacted, and for what purposes, regarding the accuracy or reliability of the information provided during the voter registration process. Voters should have access to a list of those third parties who have been given or purchased access to their voter registration data. Voters should receive notice when their voter registration record or their voter registration status is changed. Voters should have a right to see what information is retained about them, they should have the right to correct incorrect information, and they should have due process when information provided by the voter is challenged by the state or a third party, as well as a right of redress.
Implementation of FIPs principles in the voter registration and voter authentication process could greatly reduce the errors associated with voter roll purges, felon voter roll purges, and disparate treatment of voters during elections, which may result in disenfranchisement of legally registered voters.
States have problems with the administration of voter registration and these problems are not limited to computers. Many problems are created by the limited resources for voter registration administration, poll worker training, poor design of voter registration applications, the challenges associated with third party registration efforts, limiting the number of years for voting inactivity to less than four to invalidate a registration, and state service agency voter registration efforts.
The lesson that should be clearly understood is that it matters how each step of the voter registration process is managed. It is important for voters, voting advocacy efforts, campaigns, and the media to know the rules for voter registration. The value of transparency, privacy, and security to the implementation of a voter registration system in the pre-election, election and post-election phases cannot be overstated.
Security is vital for any computerized system, including those containing personally identifiable information such as the ones proposed for voter registration management. In any computer system, whether centralized or distributed, there are security threats. There are also threats to decentralized computer systems, called distributed networks, which require periodic connection to a centralized system. Computer security should be approached as an end-to-end task that must include all parts of the system: hardware, software, computer disks, tapes, personnel, etc.
The EAC's preliminary statewide-centralized voter registration database proposal designates that both centralized systems and distributed systems are compliant with HAVA. This decision, when viewing distributed database system management, should take into consideration good county voter registration practices that can be found within states.
HAVA proposes the use of state driver's license bureaus to assist with the management of statewide-centralized voter registration systems. However, there may be requests to also use public assistance records, tax records, birth records or death records as a means of managing voter registration records, which may present problems for legally registered voters. In many cases, the maintenance of other state systems of personal information, including statewide driver's license systems, is a poor example. In particular, state motor vehicle registration systems can be used to illustrate what NOT to do.
The computer systems managed by state departments of motor vehicles are vulnerable to insider threats, computer viruses, programming errors, and system failures. In 2003, the Maryland Motor Vehicle Administration (MVA) offices were vulnerable to a computer worm on their Windows-based system.16 This one attack disrupted operations in all 23 MVA offices located throughout the entire state. The worm took down the MVA's computers and telecommunication systems, effectively shutting them down and cutting them off from all forms of remote communication. On January 20, 2004, the MVA could not process work on their mainframe computer for about an hour after opening because of a problem characterized only as a computer "glitch."17 Either of these events occurring on an Election Day would be devastating to voters and severely undermine confidence in the outcome of the election. In a recent incident in the state of Maryland, an MVA employee was charged with conspiring with others to sell more than 150 state identification cards.18
If databases are linked (i.e., voter registration and driver's license databases, public assistance registries, death notices, or tax records), security threats or risks in one system can affect the other system. Care should be taken to ensure that records are not altered, deleted, or amended solely on the basis of what a computer record on one system might imply about a record maintained on another system. Further, the process that allows the comparing of information on non-voter registration systems, when found to be of some benefit, should not use automated protocols that make changes, deletions, or additions to voter registration records without human authorization.
The security threats to statewide-centralized voter registration systems include denial of service attacks, hacking, insider threats (which could include unauthorized access and authorized access for unauthorized changes), data integrity threats, and social engineering threats. While some risks can be eliminated, those risks that cannot be eliminated should be effectively managed. A perfectly done computer security system can be compromised, most likely by lack of training or inappropriate human action. The training of employees and mundane real-world procedures, such as locking of doors, may be as important as expensive software.
The goal of system management should be to detect potential security problems before they occur and address them effectively. However, another goal of system management is to conduct an effective evaluation after a security failure that might allow the reconstruction of the circumstances that led to the incident. Even in cases where a problem was not prevented, it is always valuable to know how something happened, even if it is in the post-event phase; this is how computer security improves and system integrity is strengthened. In the event of a security or system failure, transparency will be critical in rebuilding public confidence, understanding the problem, pursuing technology solutions, improving protocols, and, when appropriate, the effective pursuit of criminal investigations.
Other areas, which I will not address but which should be mentioned, involve natural disasters and failures of telecommunication or routing systems, each of which may jeopardize the smooth running of an election. Further, some states are attempting to use mandatory photo identification, which would undermine if not violate the 24th Amendment to the Constitution of the United States, which guarantees that no person can be denied the right to vote due to an inability to pay a tax prior to voting. Ensuring that people who are entitled to vote are able to vote must remain a central concern as the work of the EAC goes forward.
In conclusion, the most important lesson to take from these comments is that contingency planning is important in the context of elections because there may not be a next day to make right what may have gone wrong. For this reason, policymakers and election administrators should be prepared in advance of an election in the event of an unforeseen problem. The contingencies should be realistic and well planned, and local election officials should be briefed on what should be done in the event of a computerized voter registration system failure to ensure an election takes place.
EPIC is available to work more closely with the EAC in its work to draft voluntary guidance to states on statewide-centralized voter registration databases. In addition, the members of the National Committee for Voting Integrity (NCVI), which has endorsed this statement, are available to assist the EAC.
Peter G. Neumann, Chair * David Burnham * David Chaum * Cindy Cohn * Lillie Coney * David L. Dill * David Jefferson * Jackie Kane * Douglas W. Jones * Stanley A. Klein * Vincent J. Lipsio * Justin Moore * Jamin Raskin * Marc Rotenberg * Avi Rubin * Bruce Schneier * Paul M. Schwartz * Barbara Simons * Sam Smith
For more information on EPIC see: http://www.epic.org
For more information on NCVI see: http://www.votingintegrity.org
Dr. Hochheiser, Computer Science from the University of Maryland, made contributions to this statement.
1 , Testimony, Technical Guidelines Development Committee, Hearing on Human Factors and Privacy, available at http://www.vote.nist.gov/voting_statement.pdf September 22, 2004
2 Kim Alexander and Keith Mills, Voter Privacy in the Digital Age, California Voter Foundation, May 2004, at http://www.calvoter.org/issues/votprivacy/pub/voterprivacy/introduction.html.
3 Marcia Savage, pg. 57, "Former Hacker Mitnick Details the Threat of Social Engineering," Computer Reseller News, April 28, 2003
4 Voters, Beware of Scammers' Election-Year Scheme, KANSAS CITY STAR, October 14, 2004, at 3.
5 Dara Kam, Voter-Tracking System Faces Hurdles After Thousands Say they were Purged from Rolls, FLORIDA TODAY, October 4, 2001, at 1.
6 "Florida's flawed 'voter-cleansing' program: Salon.com's politics story of the year," SALON.COM, December 4, 2000.
7 Judith Davidoff, Accenture Work Behind Schedule, THE CAPITAL TIMES (Madison, Wisconsin), March 2, 2005, at 8A.
8 Judith Davidoff, Accenture Work Behind Schedule, THE CAPITAL TIMES (Madison, Wisconsin), March 2, 2005, at 8A.
9 Chris Davis and Matthew Doig, pg. A1, "Shining light on company behind felon voter list," Sarasota Herald-Tribune, July 14, 2004
10 The Miami Herald, pg. 1, "Florida cash keeps Bermuda tax haven green," July 15, 2004
11 Paul Krugman, Editorial, Sun Doesn't Shine on Noonday Discovery, SEATTLE POST-INTELLIGENCER, June 23, 2004, at B6.
12 Rachel Konrad, Task Force Urges State to Protect Voter Privacy, CONTRA COSTA TIMES, June 18, 2004, at 4.
13 Elizabeth Benjamin, Shield Proposed For Voter Records, TIMES UNION, June 10, 2004, at B3.
14 The Fair Credit Reporting Act (FCRA) and the Privacy of Your Credit Report, Electronic Privacy Information Center, at http://www.epic.org/privacy/choicepoint/ (last modified Mar. 2, 2005)
15 Federal Privacy Act of 1974 available at http://www.epic.org/privacy/laws/privacy_act.html
16 Christian Davenport and Hamil R. Harris, pg. A09, "Md's MVA Offices Forced to Shut Down," Washington Post, August 13, 2003
17 Staff Writer, pg. 6B, "Glitch at MVA branch offices delays some transactions for an hour," The Baltimore Sun, January 21, 2004
18 Eric Rich, pg. B03, "Md, MVA Employee Charged in ID Card Sales," available at http://www.washingtonpost.com/wp-dyn/articles/A10710-2005Apr22.html, April 23, 2005.