Dear Vote Protectors,
As POVPhilly reported earlier, on July 16 Citizens for Better Elections and POVPhilly, backed by Free Speech for People and the National Election Defense Coalition, submitted a petition that required the state to re-examine the ExpressVote XL and asked for it to be decertified.
Acting Secretary of State Kathy Boockvar released the results of the re-examination on September 3 after six weeks of secrecy and silence.
Although the state maintained the certification of the ExpressVote XL, it added several requirements for using the machine. These new procedures are confusing and unworkable — especially given Philadelphia’s plan to use this system in the next election.
The need for these corrective actions shows that these machines should never be used in any Pennsylvania election. If Philadelphia uses them two months from now, the validity of the election will be wide open to legal challenges.
These so-called solutions to inherent problems with the ExpressVote XL endanger every election that we have, from this November to November 2020 and beyond.
The petition detailed ten legal flaws with the ExpressVote XL:
1. Cast ballot cards pass the printer again, allowing undetectable tampering
2. Storing ballot cards chronologically violates ballot secrecy
3. Ballot cards must be colored by party
4. Ballot cards must have serially-numbered, perforated stubs to prevent fraud
5. Barcodes are not marks allowed by the PA election code
6. Voting positions on a ballot must be indicated
7. Poll workers entering the booth is a misdemeanor offense
8. Poll workers assisting to spoil a ballot violates ballot secrecy
9. Voters with disabilities had many problems and could not verify their ballots
10. The Stein Settlement requires paper ballots, not just ballot cards
Although the Department of State (DoS) only considered three of the ten flaws, it admitted that we are right: The ExpressVote XL would violate PA election law if it is used as designed. That means that the DoS was wrong to certify it last November.
The “fix” is in
Instead of simply de-certifying the ExpressVoteXL, the DoS came up with new procedures in a complicated scheme to maintain its certification. So the ExpressVote XL is still certified, but only on the condition that counties using the machine follow cumbersome and confusing election day procedures.
Fix for flaw 2: Chronological Storage of Ballot Cards
The ExpressVote XL stores the ballot cards in chronological order. Poll workers or election officials can cross-reference the order of the ballots with the ordered list of voters at check-in and may be able to identify how those voters voted. That’s a violation of Election Code §1107-A(1) requiring that a voting machine provide for voting in absolute secrecy and prevent anyone from seeing or knowing how anyone else voted.
The DoS solution: To protect voter anonymity, the ballot cards will have to be “commingled” before storage. After a long election day, election board staff would have to unseal and open some 3700 ballot storage cartridges (one per machine) and “commingle” them with cards from other cartridges — or maybe just shuffle them within each cartridge? We can’t tell which, and we’re not sure if anyone can. This all has to happen “in the presence of board of election members,” so just three people are responsible for watching all that shuffling or commingling and ensuring there’s no funny business.
If the ExpressVote XL were well-designed, there would be no need for this time-consuming task. But it’s not just a new burden for poll workers and election officials. The state is slowly introducing requirements that election results be audited. These audits will compare the ballot cards with the machine tallies. If the ballot cards are “commingled” into different boxes, it will be impossible to compare the paper results from a machine with its election night results. Even if they are only shuffled, unsealing the cartridges and handling the records inside weakens the evidence needed for an audit.
And since this complicated yet vaguely described procedure is a condition for certification, election officials will be violating election code—a possible criminal offense—if they don’t conduct this procedure correctly. It is their job to conduct a valid election, and since the system is certified only if these ill-defined procedures are followed, they could be responsible for invalidating an election.
Fix for flaw 8: Poll Workers in the Booth and Ballot Secrecy
If a voter rejects a ballot card in order to start again, the ExpressVote XL sounds a chime. A poll worker must remove the rejected card, take it away, mark it spoiled, and place it in a special envelope for spoiled ballots. To do that, they have to enter the booth where they can easily see the voter’s intentions. This is another violation of §1107-A(1).
The DoS solution: To prevent poll workers from seeing your ballot card, poll workers should be instructed to take care not to look at the card, and voters should be told not to let them see it. Seriously, that’s their solution.
But the fact is any poll worker who wants to look can and will look. No one can tell if they look — and it would be hard not to look, since they’re required to take the card away and write the word “spoiled” across its face.
DoS may think this new procedure is a valid way to keep our votes private. POVPhilly does not.
It’s beyond repair
These newly required procedures are so ill-conceived, impractical and vaguely written that the validity of every Philadelphia election would be subject to challenge. If the procedures are not properly followed, then the conditions of certification are not met, and the election has been illegally conducted on uncertified equipment.
The proper solution is not to invent ridiculous work-arounds. It is to decertify the ExpressVote XL immediately so that counties like Philadelphia can move ahead and select secure systems that provide for voting in absolute secrecy as the law requires.
What about the other flaws?
The re-examination covered flaws 1, 2 and 8 only. We’ve discussed 2 and 8.
Flaw 1, the opportunity-to-mark flaw, was a key reason for the petition. The ExpressVote XL passes the ballot card through the printer again after the voter’s last opportunity to review it. This means that buggy or malicious software could cause the system to print on the reviewed ballot card and irreparably change or void it.
The DoS admitted that we are right about the problem. Incredibly, they still rejected the complaint, saying that there are safeguards to protect the software; that its examiners attempted and failed to modify the bar codes the machine counts; and that besides, the printer is “audible and thus detectable.” So they acknowledge this tampering is possible and then put the burden on the average voter to detect a printing sound (over polling place background noise), to realize what it means, and to convince poll workers that they’re not crazy for complaining about it.
The DoS dismissed the other seven flaws, claiming that the Election Code only tells it to certify compliance with the 17 requirements listed in §1107-A and that the other complaints "constitute legal arguments which do not apply to reexamination or certification of an electronic voting system.”
That leaves the ExpressVote XL in a vulnerable position. Seven serious flaws were not even considered. Any of them could result in legal challenges that put these costly machines on the scrapheap.
Voting should be secret. Certification shouldn’t.
For decades, these examinations and re-examinations have taken place in public. But this time, the examination took place without prior notice to the public and without the petitioners present. We can only wonder what the DoS was trying to hide.
Furthermore, the DoS assigned the very same people who missed the above violations and certified the ExpressVote XL
last November to lead this re-examination. They worked with the same consultants, SLI Compliance, which in May expressed concern to the EAC
about proposals to have specialized cybersecurity firms test voting equipment, saying that SLI would be less expensive.
Conducting the examination in secret and using the same reviewers and the same consulting firm, DoS came to the same conclusion as it did last year. It looks as if the DoS was more interested in protecting the machine than protecting the vote.
Failing the Real World Test
The reexamination report
demonstrates a major flaw in the state certification process itself: It assumes that every procedure, election law and regulation is followed perfectly: "The XL was set up following all the physical security measures described in the relevant system documentation" and “used in the context of proper statutory and recommended procedures for polling place setup and poll worker training.”
Since certification is conditional on the rules being followed, when SLI tests a voting system, it follows all the rules to the letter.
That’s not the real world.
People make mistakes. Overworked staff take shortcuts. Insiders may be used to break rules on purpose, in an effort to change election results or destroy confidence in them. A thorough and meaningful examination would test to see if a voting system could still preserve the integrity of the vote in the real world where things sometimes go wrong and where attacks can be expected.
Indeed, we now have proof that election systems are under attack. In 2016, systems in at least two counties in Florida
were penetrated. In 2020, Pennsylvania will be a target and Philadelphia will be the bullseye.
The big picture
Philadelphia officials claim that the Expressvote XL is simple and easy to use. But used as designed, it would violate Pennsylvania law. So clumsy workarounds are required. These workarounds are variously nonsensical, ineffective, risky, costly, and difficult to implement. Every county considering this system should be fully informed of these new conditions
before moving forward with its selection process. Not after, as in the case of Philadelphia.
Pennsylvania has now proven that its certification process is a sham. The DoS is using the absolute minimum standards that can be found in state law. State certification doesn’t prove that a system is secure.
Now we know PA certification doesn’t even prove that a system meets legal requirements.
This sham recertification shows that the ExpressVote XL should not be used. The next election is two months away. Poll worker training on the ExpressVote XL is underway. So what will happen if Philadelphia continues down the the ExpressVote XL path? Will our November 5 election even be valid?
With all that is at risk in our elections, we will not stand by and allow our elections to be put at risk when there is ample time to start over and select one of the safer, less expensive voting systems that are available.
Let Acting Secretary of State Kathy Boockvar and Governor Tom Wolf know that you aren’t happy with the secrecy of the recertification process and its outcome. The new procedures are confusing, unworkable, and an unfair burden on our poll workers and election officials. They endanger our elections! The ExpressVote XL should just be decertified so we can move on.
Acting Secretary Kathy Boockvar: 717-787-6458 / Facebook
Governor Tom Wolf: Phone & email info / Facebook
Thank you for everything you do to Protect Our Vote!
Protect Our Vote Philly is a coalition working to bring accurate, accessible, and secure voting systems at a fair cost to Philadelphia. We believe the gold standard for election integrity is:
Protect Our Vote Philly is a watchdog over the Office of the City Commissioners, which operates elections in the City of Philadelphia. Because we believe Philadelphians have a right to the most secure voting system possible, we strongly oppose the system that the Commissioners selected, the ES&S ExpressVote XL, as well as the rushed and secretive process used to select it. The ExpressVote XL falls far short of the gold standard. It endangers our votes and wastes our resources. We are dedicated to stopping it.
- hand-marked paper ballots
so we know our votes are cast as intended
- the best possible accessibility devices
so every voter can vote with maximum privacy and independence
- mandatory risk-limiting audits after every election
so we can be confident that every vote was counted as cast.