Protecting American Votes and Elections Act of 2019

Why do we need paper ballots?
DHS Secretary Nielsen, echoing the advice of experts, has called on “state and local election officials to make certain that by the 2020 presidential election, every American votes on a verifiable and auditable ballot.” In 2018, five states relied exclusively on insecure, paperless voting machines and 9 more states used paperless machines in at least some jurisdictions. Votes cast with paperless voting machines cannot be subjected to a manual recount, and so there is no way to determine the real election results if they are hacked. H.R. 1 also mandates paper ballots.

What are risk-limiting audits and why do we need them?
In order to detect hacks, this bill requires election bodies to conduct audits of all federal elections, regardless of how close the election, by employing statistically rigorous “risk-limiting audits.” These audits deliver nearly the same level of confidence in election results as a full manual recount, at a fraction of the cost. Colorado, Rhode Island, and Virginia currently mandate risk-limiting audits. In contrast, 16 states do not mandate any routine, post-election audits, while many others only require recounts in a few precincts. That is insufficient to detect election hacks

Why do we need mandatory election cybersecurity standards?
There are currently no mandatory standards for election cybersecurity, which has resulted in some states operating election infrastructure that is needlessly vulnerable to hacking. The Election Assistance Commission (EAC) sets voluntary standards for voting machines, but states can and do ignore these standards. There are no standards at all for voter registration websites or other parts of our election infrastructure. Not only do the existing voluntary standards not work, but it’s clear the EAC is the wrong agency to be in charge of election security. The EAC was established by Congress to distribute grant money. Commissioners are not chosen for their cybersecurity knowledge, and the Commission lacks in-house cybersecurity expertise. The Cybersecurity and Infrastructure Security Agency in DHS is far better suited to that task.

The security of Federal elections cannot be left to the states
State and local governments will never have the resources to defend against cyber attacks by foreign intelligence services. This is a national security issue, which requires federal action. The election clause in the Constitution clearly gives Congress the power to set standards for Federal elections. Consistent with the Constitution, none of the mandates apply to state or local elections.

Election security experts welcomed the bill.

Jacob Hoffman-Andrews, Senior Staff Technologist, Electronic Frontier Foundation, said: “The PAVE Act is a much-needed step forward in election security. For years now, security researchers have been raising concerns with outdated voting equipment used across the country. But paper records that can be verified by voters and hand-audited increase the integrity of our elections and ward off potential interference. Now is the time for Congress to act and secure the integrity of the ballot box before we head into the next national election.”

Gregory Miller, Chief Operating Officer, OSET Institute, said: “The PAVE Act offers the most innovative plan we’ve seen to improve the security of America’s election technology infrastructure. It’s clear that the cyber threats our country faces extend beyond ballot casting and counting machinery. PAVE addresses these serious threats by setting mandatory cybersecurity requirements for the whole election supply chain, beginning with voter registration databases and going all the way to the government websites that publish the results on election night.”

Ron Wasserstein, Executive Director, American Statistical Association, said: “PAVE includes several provisions that the American Statistical Association has endorsed, including voter-verifiable paper ballots and risk-limiting audits (RLAs). We are especially pleased to see PAVE requiring RLAs, which will make U.S. elections more trustworthy. Further, because well-designed RLAs often can confirm a correct electoral outcome after examining only a small fraction of the ballots cast, they use election officials’ time and taxpayers’ money efficiently. As an additional benefit, routinely-conducted risk-limiting audits provide a powerful tool for continuous quality improvement because they have the potential to identify the kinds of machines and ballot designs that lead to the fewest errors.”

Wenke Lee, Professor of computer science and cybersecurity researcher, Georgia Tech, said: “PAVE will prohibit barcode machines. As we had heard from meetings on voting security in Georgia, this is exactly what our voters have been demanding. I particularly appreciate that PAVE will require that BMD devices be tested by independent user experience research labs in simulated election scenarios to ensure that ordinary voters are able to verify their votes on the BMD printouts. This is the critical requirement to demonstrate that the BMD printouts are indeed voter-verifiable paper ballots.”

Andrew Appel, Eugene Higgins Professor of Computer Science, Princeton University, said: “The PAVE bill secures our elections so voters in every state can know that the computers are accurately counting our votes. PAVE prohibits machines that can print more votes on your ballot without your knowledge, and provides assistance to the states to print paper ballots that are clearly designed. PAVE reduces the risk of hacked voting machines by prohibiting machines that can connect themselves to the Internet, and by mandating state-of-the-art methods to prevent software hacks from being installed. PAVE ensures we can detect (and correct!) hacks, by mandating Risk-Limiting Audits of the paper ballots.”

Philip B. Stark, Associate Dean, Division of Mathematical and Physical Sciences, Professor of Statistics, University of California, Berkeley, said: “I strongly endorse the Protecting American Votes and Elections Act’s key election integrity requirements: paper ballots, rigorous ballot accounting, the creation of ballot manifests, and risk-limiting audits. Adopting these sensible standards and practices would greatly reduce the risk that errors or malicious hacking – even by well-resourced nation states – would lead to incorrect election outcomes. Using hand-marked paper ballots (with suitable accommodations to allow voters with disabilities to mark and verify their ballots independently), rigorously protecting the chain of custody of those ballots, and conducting risk-limiting audits using those ballots together provide inexpensive insurance against innocent errors, system flaws, bugs, procedural lapses, and even against advanced cyber-attacks on our democracy from within our outside our borders.”

Matt Blaze, McDevitt Professor of Computer Science and Law, Georgetown University, noting that he was speaking in his personal capacity, said: “The PAVE bill represents an important step toward making voting in the U.S. secure and reliable. As a recent National Academies study made clear, paper ballots and risk limiting audits are the only known viable approaches for ensuring that software and hardware attacks cannot alter election results. As the threats to our elections increasingly includes sophisticated foreign adversaries, it is especially important that these simple, proven safeguards be universally implemented.”