Elections: Action Plans Needed to Fully Address Challenges in
Electronic Absentee Voting Initiatives for Military and Overseas
Citizens (14-JUN-07, GAO-07-774).
The Uniformed and Overseas Citizens Absentee Voting Act (UOCAVA)
protects the rights of military personnel, their dependents, and
overseas citizens to vote by absentee ballot. The Department of
Defense (DOD) and others have reported that absentee voting,
which relies primarily on mail, can be slow and may, in certain
circumstances, serve to disenfranchise these voters. In 2004,
Congress required DOD to develop an Internet-based absentee
voting demonstration project and required the Election Assistance
Commission--which reviews election procedures--to develop
guidelines for DOD's project. In 2006, Congress required DOD to
report, by May 15, 2007, on plans for expanding its use of
electronic voting technologies and required GAO to assess efforts
by (1) DOD to facilitate electronic absentee voting and (2) the
Commission to develop Internet voting guidelines and DOD to
develop an Internet-based demonstration project. GAO also
assessed DOD's efforts to develop plans to expand its use of
electronic voting technologies. GAO interviewed officials and
reviewed and analyzed documents related to these efforts.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-07-774
ACCNO: A70748
TITLE: Elections: Action Plans Needed to Fully Address
Challenges in Electronic Absentee Voting Initiatives for Military
and Overseas Citizens
DATE: 06/14/2007
SUBJECT: Absentee voting
Americans abroad
Data transmission
E-mail
Elections
Information security
Internet
Internet privacy
Program evaluation
Voting
DOD Federal Voting Assistance Program
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-07-774
* [1]Results in Brief
* [2]Background
* [3]DOD Initiatives Assist UOCAVA Voters, but Certain Weaknesses
* [4]Electronic Transmission Service's E-mail to Fax Conversion C
* [5]DOD's Electronic Ballot Request and Receipt Initiatives Had
* [6]Online Voting Guidance Is Useful but Some Inconsistencies Ex
* [7]Online Voting Forms
* [8]Absence of Internet Absentee Voting Guidelines Has Hindered
* [9]The Commission Has Not Developed Internet Absentee Voting Gu
* [10]The Election Assistance Commission Has Started a Study as a
* [11]The Commission Does Not Have a Plan for Assessing Security I
* [12]DOD Has Not Developed a Secure, Internet-based, Absentee Vot
* [13]DOD Was Developing Plans to Expand the Use of Electronic Vot
* [14]Conclusions
* [15]Recommendations for DOD
* [16]Recommendations for the Election Assistance Commission
* [17]Agency Comments and Our Evaluation
* [18]GAO Contact
* [19]Acknowledgments
* [20]GAO's Mission
* [21]Obtaining Copies of GAO Reports and Testimony
* [22]Order by Mail or Phone
* [23]To Report Fraud, Waste, and Abuse in Federal Programs
* [24]Congressional Relations
* [25]Public Affairs
Report to Congressional Committees
United States Government Accountability Office
GAO
June 2007
ELECTIONS
Action Plans Needed to Fully Address Challenges in Electronic Absentee
Voting Initiatives for Military and Overseas Citizens
GAO-07-774
Contents
Letter 1
Results in Brief 3
Background 6
DOD Initiatives Assist UOCAVA Voters, but Certain Weaknesses May Limit
Their Effectiveness 12
Absence of Internet Absentee Voting Guidelines Has Hindered Development of
the Mandated Internet-Based Absentee Voting Demonstration Project 23
DOD Was Developing Plans to Expand the Use of Electronic Voting Technology
in the Future, but Sound Management Practices Are Key 28
Conclusions 30
Recommendations for DOD 31
Recommendations for the Election Assistance Commission 32
Agency Comments and Our Evaluation 32
Appendix I Scope and Methodology 34
Appendix II Examples of the Inconsistent Voting Assistance Guidance on
DOD's Web Site 37
Appendix III Comments from the Department of Defense 44
Appendix IV Comments from the Election Assistance Commission 47
Appendix V GAO Contact and Staff Acknowledgments 49
Related GAO Products 50
Tables
Table 1: Electronic Transmission Service E-mail to Fax Conversions for
2004 and 2006 13
Table 2: Comparison of Integrated Voting Alternative Site Tools 1 and 2
for Election Year 2006 18
Table 3: State Offices Contacted and Programs Where the States Were
Participants 35
Table 4: Inconsistencies Identified in Guidance on Electronic Alternatives
to Mail 37
Figures
Figure 1: Laws and Some DOD Programs Promoting Electronic Alternatives to
Mail for UOCAVA Voters, 2000 through 2007 9
Figure 2: DOD's 2006-2007 Voting Assistance Guide 20
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
Abbreviations
DOD Department of Defense
FVAP Federal Voting Assistance Program
HTML Hypertext Markup Language
IVAS Interim Voting Assistance System
IVAS Integrated Voting Alternative Site
NDAA National Defense Authorization Act
OMB Office of Management and Budget
PDF Portable Document Format
SERVE Secure Electronic Registration and Voting Experiment
UOCAVA Uniformed and Overseas Citizens Absentee Voting Act
VAG Voting Assistance Guide
United States Government Accountability Office
Washington, DC 20548
June 14, 2007
The Honorable Carl Levin
Chairman
The Honorable John McCain
Ranking Member
Committee on Armed Services
United States Senate
The Honorable Ike Skelton
Chairman
The Honorable Duncan Hunter
Ranking Member
Committee on Armed Services
House of Representatives
A citizen's right to vote is one of the hallmarks of a democratic society;
yet exercising this right can be a challenge for millions of military
personnel and their dependents of voting age who live away from their
legal residences (in or outside the United States) and for overseas
citizens. These individuals are eligible to vote by absentee ballots in
federal elections. This eligibility is established by the Uniformed and
Overseas Citizens Absentee Voting Act (UOCAVA),1 which is administered by
the Department of Defense's (DOD) Federal Voting Assistance Program
(FVAP). Through this program, DOD provides assistance to UOCAVA voters to
facilitate opportunities for them to exercise their right to vote. The
absentee voting process requires the potential voter to register to vote,
request an absentee ballot, receive the ballot, correctly complete the
ballot, and return it to the appropriate local election official. However,
DOD and groups that represent voters covered under the act have reported
that, because the multistep process of absentee voting relies primarily on
mail, in some instances it can take so long to complete that these voters
may, in effect, be disenfranchised.
1Pub. L. No. 99-410 (1986), 42 U.S.C. SS 1973ff et seq.
To address concerns about mail-based absentee voting, Congress has enacted
several laws to promote electronic means for voters to register, request
and receive ballots, and transmit voted ballots to local election
officials. These laws include (1) the Help America Vote Act of 2002, which
established the Election Assistance Commission to serve as a national
clearinghouse for election information and to review election procedures;
develop voluntary voting system guidelines;2 and study, among other
things, electronic voting--particularly Internet voting technology; (2)
section 1604 of the National Defense Authorization Act (NDAA) for Fiscal
Year 2002, which required DOD to carry out a secure3 Internet-based
electronic demonstration project4 in the general election for federal
office in 2002 or 2004; and (3) section 567 of the Ronald W. Reagan NDAA
for Fiscal Year 2005, which amended Congress's mandate for DOD to develop
a secure, Internet-based, absentee voting demonstration project--by
requiring DOD to implement the project during the first general election
for federal office that occurs after the Election Assistance Commission
establishes Internet voting guidelines for the absentee voting process.5
Section 596 of the John Warner NDAA for Fiscal Year 2007 required DOD to
submit, not later than May 15, 2007, a detailed plan to expand the use of
electronic voting technology.
Section 596 of the John Warner NDAA for Fiscal Year 2007 also required GAO
to review DOD's electronic and Internet-based voting initiatives. This
report assesses (1) DOD's efforts to facilitate registration, ballot
transmittal, and voting by electronic means, such as e-mail and fax, for
UOCAVA voters and (2) the Election Assistance Commission's efforts to
develop Internet absentee voting guidelines and DOD's efforts to develop a
secure, Internet-based, absentee voting demonstration project. The report
also discusses DOD's efforts to develop plans to expand the use of
electronic voting technology in the future.
2Voluntary voting system guidelines are to provide a set of specifications
and requirements to be used in the certification of computer-assisted
voting systems, both paper-based and fully electronic; states are free to
adopt these guidelines in whole or in part or reject them entirely.
3In 1998, DOD had voluntarily initiated a proof of concept called "Voting
Over the Internet," which was a small-scale Internet-based project used in
the 2000 elections. DOD's report on this proof of concept acknowledged
that a larger-scale pilot would result in more visibility and potentially
attract those with malicious intent to harm the system, but suggested ways
to mitigate such future attacks. To address these security concerns and
other issues, Congress asked DOD, in 2002, to develop a large-scale,
Internet-based demonstration project to ensure a methodical progression
from the current mail-based process to a secure, easy-to-use Internet
registration and voting system.
4One of the primary objectives of the electronic demonstration project was
to assess the use of such technologies to improve UOCAVA participation in
elections.
5The conference report for the bill noted that DOD's prototype for
electronic voting was important and should not be abandoned and encouraged
the Secretary of Defense to provide funding to the Commission to advance
electronic absentee voting by UOCAVA voters. H.R. Rep. No. 108-767, at 680
(2004) (Conf. Rep.).
To address our objectives, we reviewed and analyzed laws, directives,
reports, and plans related to DOD's efforts to provide electronic voting
capabilities for UOCAVA voters. We also examined the Election Assistance
Commission's efforts to develop Internet absentee voting guidelines. We
reviewed and analyzed information regarding any benefits and challenges
that we, DOD, and others had identified related to DOD's Internet-based
electronic demonstration project and new electronic voting initiatives,
along with the steps DOD had taken to mitigate those challenges.
Additionally, we interviewed and obtained documentation from officials in
several offices within DOD, the Election Assistance Commission, selected
state and local election jurisdictions, and some independent groups
concerned with the interests of UOCAVA voters. We performed our work in
accordance with generally accepted government auditing standards, from
August 2006 through April 2007. Appendix I provides detailed information
about our scope and methodology.
Results in Brief
Since the 2000 federal election, DOD has developed several initiatives to
facilitate voting by electronic means such as fax or e-mail; however, some
of these initiatives exhibited weaknesses or garnered low participation
rates that could limit their effectiveness. DOD introduced the first of
three initiatives, an e-mail to fax conversion enhancement to its
Electronic Transmission Service, in 2003. This feature allows UOCAVA
voters who do not have access to a facsimile machine to send ballot
requests, via e-mail, to DOD's Electronic Transmission Service, which
converts e-mail messages to faxes and sends them to local election
officials.6 In return, local election officials can send ballots to the
Electronic Transmission Service conversion feature by fax; the conversion
feature then converts the fax to an e-mail and sends it to the voter. DOD
officials told us, however, that this feature is not in compliance with
certain DOD information security requirements,7 which include performing
and documenting risk assessments and security certification testing.
Without such compliance, DOD cannot certify that it has employed the basic
practices necessary to apply security measures. DOD officials said that
they plan to award a contract to meet the requirements. Also, DOD
voluntarily launched a second initiative--the Interim Voting Assistance
System (IVAS)--in September 2004, to enable, as DOD reported, absentee
voters to request and receive state or territory ballots securely for use
in the November 2004 election. DOD spent $576,000 on this project, but
only 17 citizens received ballots through this system--in part, because it
was implemented just 2 months before the election. Further, in September
2006, DOD developed, in response to a legislative mandate,8 a third
initiative--the Integrated Voting Alternative Site (also called IVAS).
This site included (1) a ballot request only tool--called Tool 1--that
enabled voters to request their state or territory ballots from election
officials by fax, regular mail, or unsecured e-mail and (2) a ballot
request and receipt tool--called Tool 2--that enabled voters to request
and receive their state or territory ballots through a secured server.
Officials within Congress, and others, expressed concerns that using the
Tool 1 with unsecured e-mail could expose voters to the risk of identity
theft. DOD displayed a warning on the site--which voters had to read to
continue processing their request--that explained the risks associated
with e-mailing ballot requests. While the warning addressed the risks of
transmitting personal identification information by e-mail, it did not
inform voters of the risks involved in leaving such personal information
on the computers they used--especially public computers or those shared by
others. DOD officials said they would incorporate lessons learned, such as
adding a cautionary statement to future systems to warn UOCAVA voters to
remove personal information from the computers they use. DOD spent about
$1.1 million on the 2006 IVAS, but local election officials could link
only eight ballots to IVAS Tool 2.9 In addition to these initiatives, DOD
has established a Web site with links to guidance that provides UOCAVA
voters with, among other things, information on electronic alternatives to
mail for each of the 55 states and territories. These links lead to DOD's
2006 IVAS, the Voting Assistance Guide, news releases, and guidance
updates. Our analysis of information on DOD's Web site, however, showed
that for 14 of the 55 states and territories, some of the information
about the alternatives was inconsistent and could be misleading. For
example, for one state, information on three links correctly stated that
only overseas military and overseas civilian voters were eligible to
receive or return a ballot by fax; however, a fourth link did not include
this restriction. As a result, military personnel stationed in the United
States, but away from their state of residence, may have incorrectly
concluded that they were eligible to vote by fax. While these
inconsistencies were not widespread, their mere existence could lead
UOCAVA voters to rely on incorrect information and therefore adversely
affect the citizens' ability to vote. Agency officials acknowledged these
discrepancies and addressed them during the course of our review. We are
recommending that DOD improve the security and accuracy of its systems by
(1) complying with information security requirements, (2) incorporating
lessons learned, such as adding a cautionary statement to future systems
to warn UOCAVA voters to remove personal information from the computers
they use, and (3) institutionalizing a review process for its online
guidance to ensure that information for absentee voters is accurate and
consistent. DOD concurred with these recommendations.
6The Federal Voting Assistance Program reported that some states, by law,
allow voting materials to be sent by fax but not by e-mail.
7DOD, Interim Department of Defense (DOD) Certification and Accreditation
(C&A) Process Guidance, July 6, 2006.
8Emergency Supplemental Appropriations Act for Defense, the Global War on
Terror, and Hurricane Recovery, 2006. Pub. L. No. 109-234 (2006).
9FVAP reported that, since ballot requests could be printed and returned
through the mail or by fax instead of the secured server, an accurate
reporting could not be obtained through Tool 2. FVAP also reported that
ballot requests submitted using Tool 1 could not be tracked and reported
because voters sent the requests directly to local election officials
using their personal e-mail accounts, mail, or fax.
The Election Assistance Commission has not yet developed guidelines for
Internet absentee voting for DOD's use, and, thus, DOD has not proceeded
with developing its secure, Internet-based, absentee voting demonstration
project. Specifically, Commission officials stated that they had not yet
developed the guidelines because they had been devoting constrained
resources to meeting the challenges associated with current electronic
voting machines. Furthermore, the Commission has not yet established--in
conjunction with major stakeholders, like DOD--tasks, including addressing
security and privacy risks; time frames; or milestones for completing the
guidelines. Similarly, DOD has not developed the secure, Internet-based,
absentee voting demonstration project because, DOD officials said, by law,
the Commission must develop Internet absentee voting guidelines for DOD to
follow before it can proceed. To support the Commission in developing
these guidelines, DOD officials said they gave the Commission a report and
an internal DOD document that provides the framework for a system, along
with challenges DOD found in its earlier Internet voting projects. These
challenges included security threats such as computer viruses, malicious
insider attacks, and inadvertent errors that could disrupt system
performance. DOD officials stated that, even if the Internet absentee
voting guidelines had been available at the time of our review, the time
remaining before the 2008 federal election would be inadequate for
developing the secure, Internet-based, demonstration project. We are
recommending that the Election Assistance Commission, in conjunction with
major stakeholders such as DOD, create an action plan with tasks including
actions to address the security and privacy risks associated with Internet
voting processes and time frames for developing the Internet absentee
voting guidelines. The Election Assistance Commission concurred with our
recommendation.
We observed that DOD was developing, but had not yet completed, plans for
expanding the use of electronic voting technology for military personnel
and overseas citizens, as required by the John Warner NDAA for Fiscal Year
2007. The act requires DOD to submit these plans to Congress, not later
than May 15, 2007. Our analysis of existing DOD and Commission documents
and our interviews with agency officials show that DOD has not
sufficiently involved stakeholders in recent electronic voting
efforts--such as its 2006 IVAS. In addition, it has not established
interim tasks that address issues such as security and privacy,
milestones, time frames, or contingency plans, following the sound
management practices used by leading organizations. Implementation of new
electronic voting initiatives requires careful planning, particularly in
light of the large number of stakeholders, the application of new
technology, the remote location of troops, and the lead time required for
implementation. Without an integrated, results-oriented plan that involves
all stakeholders and identifies, among other things, goals, tasks, time
frames, and contingency plans, DOD is not in a position to address
congressional expectations to establish secure and private electronic and
Internet-based voting initiatives. We are recommending that DOD, in
conjunction with major stakeholders such as the Election Assistance
Commission and local election officials, develop a comprehensive,
results-oriented plan for future efforts that specifies, among other
things, tasks including identifying safeguards for security and privacy of
all DOD's voting systems--both electronic and Internet-based. DOD
concurred with this recommendation.
DOD's and the Commission's written comments are contained in appendixes
III and IV, respectively. DOD also provided technical comments, which we
incorporated in the final report, as appropriate.
Background
The U.S. election system is highly decentralized and relies on a complex
interaction of people, processes, and technology. Voters, local election
jurisdictions (which number over 10,000), states and territories, and the
federal government all play important roles in the election process. The
process, however, is primarily the responsibility of the individual states
and territories and their election jurisdictions. As we reported in our
2006 testimony,10 states and territories have considerable discretion in
how they organize the elections process; this is reflected in the
diversity of procedures and deadlines that states and jurisdictions
establish for voter registration and absentee voting. Furthermore, these
states and jurisdictions use a variety of voting techniques, from paper
ballots to faxes and e-mails. We also reported that the voter is
ultimately responsible for being aware of and understanding the absentee
voting process and taking the actions necessary to participate in it.
The UOCAVA established that members of the military and their dependents
of voting age living away from their legal residences (in or outside the
United States) and American citizens who no longer maintain a permanent
residence in the United States are eligible to participate by absentee
ballot in all federal elections. According to DOD, the act covers more
than 6 million people. Executive Order and DOD guidance related to the act
include the following:
o Executive Order 12642, dated June 8, 1988, made the Secretary of
Defense, or his designee, responsible for carrying out the federal
functions under UOCAVA, including (1) compiling and distributing
information on state absentee voting procedures, (2) designing
absentee registration and voting materials, (3) working with state
and local election officials, and (4) reporting to Congress and
the President after each presidential election on the
effectiveness of the program's activities (including a statistical
analysis of UOCAVA voters' participation).
o DOD Directive 1000.4, updated April 14, 2004, assigned the
Office of the Under Secretary of Defense for Personnel and
Readiness responsibility for administering and overseeing the
program, and it established the FVAP to manage the program. In
2006, FVAP officials told us that they were authorized a full-time
staff of 13 and had a fiscal year budget of approximately $3.8
million.
FVAP facilitates the absentee voting process for UOCAVA voters;
its mission is to (1) inform and educate U.S. citizens worldwide
about their right to vote, (2) foster voter participation, and (3)
enhance and protect the integrity of the electoral process at the
federal, state, and local levels. FVAP also, among other things,
provides training opportunities for Voting Assistance Officers
(service, State Department, and overseas citizen organization
officials who carry out the implementation of their respective
voting assistance programs); prescribes, coordinates, and
distributes voting materials, such as the Federal Post Card
Application (the registration and absentee ballot request form for
UOCAVA voters); and provides for alternatives to regular mail,
including Express Mail and the use of electronic solutions.
10GAO, Elections: DOD Expands Voting Assistance to Military Absentee
Voters, but Challenges Remain, GAO-06-1134T (Washington, D.C.: Sept. 28,
2006).
The Election Assistance Commission, which was established by the
Help America Vote Act of 2002, also contributes to the absentee
voting process. The act specifically established the Commission as
a national clearinghouse for election information and procedures
and assigned it responsibility for developing voting system
guidelines for the entire election process. The act also specifies
that the development of voluntary voting system guidelines should
be informed by research and development in remote access voting,
including voting through the Internet, and the security of
computers, networks and data storage. In 2005, the Commission
issued guidelines that, among other things, addressed gaps in the
security measures of prior standards. However, these guidelines do
not comprehensively address telecommunications and networking
services or their related security weaknesses, such as those
related to the Internet. The act also amended UOCAVA to require
states to report to the Commission, after each regularly scheduled
general election for federal office, on the aggregate number of
(1) absentee ballots transmitted to absentee uniformed services
voters and overseas voters for the election and (2) ballots
returned by those voters and cast in the election. The Commission
collects this information through its biennial state surveys of
election data.
DOD, the Commission, and organizations representing UOCAVA voters
have noted that these voters may effectively become
disenfranchised because the multistep process for voting by
absentee ballot--which relies primarily on mail--can take too
long, especially for mobile servicemembers and overseas citizens
or those deployed to or living in remote areas. Congress and DOD
have taken action to facilitate the use of alternatives to mail,
including electronic means such as fax, e-mail, and the Internet.
Figure 1 shows (1) the laws designed to facilitate the use of
electronic capabilities for UOCAVA voters and (2) some of DOD's
efforts, either voluntary or in response to a statute, to provide
electronic capabilities to these voters during fiscal years 2000
through 2007.
Figure 1: Laws and Some DOD Programs Promoting Electronic Alternatives to
Mail for UOCAVA Voters, 2000 through 2007
FVAP stated that it implemented the Voting Over the Internet project in
2000 as a small-scale pilot project to provide military personnel and
their dependents and overseas citizens covered under UOCAVA the ability to
securely register to vote, request and receive ballots from local election
officials, and vote via the Internet. DOD voluntarily developed the
project as a small-scale proof-of-concept Internet voting project. This
project enabled 84 voters to vote over the Internet--the first time that
binding votes were cast in this manner.11 While the project demonstrated
that it was possible for a limited number of voters to cast ballots
online, DOD's report concluded that security concerns needed to be
addressed before it could expand remote (i.e., Internet) voting to a
larger population.
11UOCAVA voters in Florida, South Carolina, Texas, and Utah, who were away
from their legal residences, cast a total of 84 votes from their homes,
workplaces, or duty stations on personal computers.
In 2001, Congress noted that the Voting Over the Internet project had
demonstrated that the Internet could be used to enhance absentee voting.12
To continue the examination of a secure, easy-to-use Internet voting
system as an alternative to the regular mail process, Congress mandated,
in the NDAA for Fiscal Year 2002, that DOD conduct a large-scale
Internet-based absentee voting demonstration project to be used for the
2002 or 2004 federal election. DOD responded to this mandate by creating
the Secure Electronic Registration and Voting Experiment (SERVE) for
Internet-based absentee registration and voting; SERVE used a system
architecture similar to the one used for the Voting Over the Internet
project. However, as we previously reported,13 a minority report published
by four members of the Security Peer Review Group--a group of 10 computer
election security experts that FVAP assembled to evaluate SERVE--publicly
raised concerns about the security of the system because of its use of the
Internet.14 The four members suggested that SERVE be terminated because
potential security problems left the information in the system vulnerable
to cyber attacks that could disclose votes or personal voter information.
Furthermore, they cautioned against the development of future electronic
voting systems until the security of both the Internet and the world's
home computer infrastructure had been improved. Because DOD did not want
to call into question the integrity of votes that would have been cast via
SERVE, the Deputy Secretary of Defense terminated the project in early
2004, and DOD did not use it in the November 2004 election.
12The U.S. Senate Committee on Armed Services report on Senate bill 1416
regarding the NDAA for Fiscal Year 2002 noted that the Voting Over the
Internet project was an important first step in assessing how to use the
Internet to enhance absentee voting; reducing traditional barriers to
participation in elections by absentee voters; and providing insight into
issues that must be considered for broader use of remote registration and
voting through the Internet. (S. Rep. No. 107-62, at 307 [2001]).
13GAO, Elections: Absentee Voting Assistance to Military and Overseas
Citizens Increased for the 2004 General Election, but Challenges Remain,
[26]GAO-06-521 (Washington, D.C.: Apr. 7, 2006).
14Security Peer Review Group, A Security Analysis of the Secure Electronic
Registration and Voting Experiment (SERVE), January 21, 2004. The Security
Peer Review Group consisted of 10 experts on computer security and voting
systems drawn from academia and the private sector. As stated above, the
report was written by 4 of the 10 experts.
The points raised in these security reviews are consistent with concerns
we raised in our 2001 reports.15 We found that broad application of
Internet voting presented formidable social and technological challenges.
In particular, we noted that challenges to remote Internet voting16
involve securing voter identification information and ensuring that voters
secure the computer on which they vote. We also reported that because
voting requires more stringent controls than other electronic
transactions, such as online banking, Internet voting systems face greater
security challenges than other Internet systems. Furthermore, we found
that remote Internet voting was recognized as the least protective of
ballot secrecy17 and voter privacy18 and was most at risk from denial of
service and malicious software, such as computer viruses. While opinions
of groups considering the pros and cons of Internet voting were not
unanimous, we found that they agreed in principle on major issues,
including considering security to be the primary technical challenge for
Internet voting.19 Because of serious concerns about protecting the
security and privacy of the voted ballot, we concluded that Internet-based
registration and voting would not likely be implemented on a large scale
in the near future.
In the Ronald W. Reagan NDAA for Fiscal Year 2005, Congress amended the
requirement for the Internet-based absentee voting demonstration project
by permitting DOD to delay its implementation until the first federal
election after the Election Assistance Commission developed guidelines for
the project. The conference report for the act20 stated that, although
Congress recognized the technical challenges of Internet voting, SERVE was
an important prototype that should not be abandoned.
15GAO, Elections: Voting Assistance to Military and Overseas Citizens
Should be Improved, [27]GAO-01-1026 (Washington, D.C.: Sept. 28, 2001) and
Elections: Perspectives on Activities and Challenges Across the Nation,
[28]GAO-02-3 (Washington, D.C.: Oct. 15, 2001).
16Various approaches to Internet voting are possible, ranging from the use
of Internet connections at traditional polling stations to the ability to
remotely vote from anywhere (remote Internet voting). An intermediate step
along this range is an option referred to as "kiosk voting," which uses
conveniently located voting terminals provided and controlled by election
officials.
17Ballot secrecy refers to protecting the content of the vote.
18Voter privacy refers to protecting the voters' ability to cast votes
without being observed. In poll-site voting, voter privacy is generally
ensured by election officials and observers. However, we reported that
remote Internet voting would not protect voters' physical privacy, leaving
them open to the risk that they might be coerced (through threats,
bribery, or other forms of pressure).
19Other challenges that affect implementation of Internet voting include
the costs of the voting method versus its benefits and the availability of
Internet technology to voters.
20H.R. Rep No. 108-767, at 680 (2004) (Conf. Rep.).
DOD Initiatives Assist UOCAVA Voters, but Certain Weaknesses May Limit Their
Effectiveness
Since the 2000 federal election, DOD has established several initiatives
as alternatives to the by-mail process to facilitate voter registration
and ballot request, receipt of a ballot, and submission of a voted ballot
by electronic means--such as fax and e-mail--for UOCAVA voters. These
include the Electronic Transmission Service's fax to e-mail and e-mail to
fax conversion enhancement (hereafter referred to as the e-mail to fax
conversion feature); the 2004 Interim Voting Assistance System (IVAS); the
2006 Integrated Voting Alternative Site (also called IVAS); DOD's online
voting assistance guidance; and online forms to register, request,
receive, or submit ballots. While these efforts provide valuable guidance,
services, and information to UOCAVA voters, some of them had limited
participation rates or exhibited weaknesses in security, consistency, and
accuracy that might hinder their use and effectiveness. DOD officials have
acknowledged these weaknesses and they began taking action to address them
during the course of our review.
Electronic Transmission Service's E-mail to Fax Conversion Capability
Facilitates Transmission of Voting Materials but Does Not Fully Comply with
Information Security Requirements
The electronic transmission service is a fax forwarding system,
established by FVAP in 1990, that allows UOCAVA voters and state and local
election officials, where permitted by law, to fax election materials to
each other. These voters and election officials can use this service and
do not have to pay long distance fees for faxing out of state, because DOD
provides the service through a toll-free line. In 2003, after discussions
with Mississippi state officials and a Mississippi National Guard unit,
FVAP added the e-mail to fax conversion capability to its electronic
transmission service. These officials asked FVAP for help in transmitting
voting materials because, by state law, Mississippi allowed only faxing as
an electronic means of transmission--a capability that the Guard unit
would not have while it was deployed to Iraq.21 The e-mail to fax
conversion feature allows UOCAVA voters who do not have access to a
facsimile machine to send ballot requests, via e-mail, to DOD's Electronic
Transmission Service, which converts e-mail attachments to faxes and sends
them to local election officials. In return, local election officials can
send ballots to the Electronic Transmission Service conversion feature by
fax; the conversion feature then converts the fax to an e-mail attachment
and sends it to the voter.
21The FVAP reported that some states, by law, allow voting materials to be
sent by fax but not by e-mail.
FVAP stated that it notifies states and territories whenever it converts
an e-mail containing voting materials to a fax, or vice versa, so that the
state or territory can decide whether or not to accept it. Table 1 shows
Electronic Transmission Service activity for the conversion feature for
2004 and 2006.
Table 1: Electronic Transmission Service E-mail to Fax Conversions for
2004 and 2006
Years
2004 2006
E-mails converted to fax--sent from citizens to local election
officials
Voted ballots 67 53
Federal post card applications and remaining ballot materials 389 190
Subtotal 456 243
E-mails converted to fax--sent from local election officials to
citizensa
Federal post card applications and remaining ballot materials 153b 182
Subtotal 153b 182
Total 609 425
Source: DOD.
aFVAP officials stated that the local election officials who send e-mails
to the Electronic Transmission Service conversion feature use it to store
ballots that will be sent to UOCAVA voters, through DOD, at some future
date.
bFVAP noted that for the 2004 elections the Electronic Transmission
Service conversion feature received 61 e-mails from local election
officials which they converted to 153 faxes to citizens covered under
UOCAVA. FVAP explained that this allowed one local election official to
send one e-mail with a PDF attachment to the Electronic Transmission
Service, which would then get converted to a fax and sent to multiple
UOCAVA voters per the local election official's instructions. PDF means
Portable Document Format; it is a file format that is used to view
electronic copies of paper documents, which allows an exact copy of the
paper document.
Although FVAP has made progress in assisting servicemembers to transmit
voting materials with the e-mail to fax conversion enhancement, FVAP
officials told us they have not fully complied with certain information
security requirements in the Interim DOD Information Assurance
Certification and Accreditation Process.22 This guidance requires DOD
components, among other things, to implement controls and to certify and
accredit such e-mail systems.
22DOD, Interim Department of Defense (DOD) Certification and Accreditation
(C&A) Process Guidance, July 6, 2006.
FVAP officials initially stated that the information security guidance did
not apply to the conversion feature; they saw it as an enhancement to the
original Electronic Transmission Service's fax system. During the course
of our review, however, FVAP officials said they consulted with officials
responsible for DOD's information assurance certification and
accreditation and concluded that the requirements did, in fact, apply.
These officials stated that, by the end of fiscal year 2007, they plan to
award a contract to obtain services to meet the information security
requirements. The FVAP officials further stated that, while they do not
have the required documentation--such as risk assessments or certification
tests and accreditations--they have taken some measures to ensure
security. We note that the statement of work for FVAP's April 29, 2005,
contract for the Electronic Transmission Service recognizes the
sensitivity of the data associated with election materials and includes
provisions for certain security functions, such as ensuring that adequate
steps are taken to prevent unauthorized access or manipulation of the
data. Until FVAP performs and documents the security assessments and
certifications, however, it has not taken all the necessary measures to
secure its system and comply with DOD's information security requirements.
Federal law includes a number of separate statutes that provide privacy
protections for certain information. The major requirements for the
protection of personal privacy by federal agencies come from two laws: the
Privacy Act of 197423 and the privacy provisions of the E-Government Act
of 2002. Section 208 of the E-Government Act of 200224 requires agencies,
among other things, to conduct privacy impact assessments before
developing, upgrading, or procuring information technology that collects,
maintains, or disseminates personally identifiable information. DOD
developed departmentwide guidance--the DOD Privacy Impact Assessment
Guidance--for implementing the privacy impact assessment requirements
mandated in the E-Government Act of 2002. In this guidance, DOD directs
the components to adhere to the requirements prescribed by the Office of
Management and Budget (OMB)--Guidance for Implementing the Privacy
Provisions of the E-Government Act of 2002.25 FVAP officials stated that
they had not conducted a privacy impact assessment for the Electronic
Transmission Service's e-mail to fax conversion enhancement, but they told
us that a privacy impact assessment will be done as part of the previously
mentioned contract to meet information security requirements. A privacy
impact assessment would identify specific privacy risks to help determine
what controls are needed to mitigate those risks associated with the
Electronic Transmission Service. Furthermore, building in controls to
mitigate risks could ensure that personal information that is transmitted
is only used for a specified purpose. FVAP noted that when information is
sent by e-mail, the conversion feature retains the following information:
full name, fax number, city, state, zip code, and e-mail addresses. FVAP's
Electronic Transmission Service retains this personally identifiable
information both to provide transmission verification or confirmation to
users and to comply with election document retention requirements under
the Civil Rights Act of 1960.26
235 U.S.C. S 552a.
24Pub. L. No. 107-347 (2002).
DOD's Electronic Ballot Request and Receipt Initiatives Had Limitations in
Participation and Security
In September 2004, just 2 months prior to the election, DOD voluntarily
implemented what it reported as a secure electronic system for voters to
request and receive ballots--the Interim Voting Assistance System
(IVAS)--as an alternative to the traditional mail process. IVAS was open
to active duty servicemembers, their voting age dependents, and DOD
overseas personnel who were registered in a state or territory
participating in the project27 and enrolled in the Defense Enrollment
Eligibility Reporting System--a DOD-managed database that includes over 23
million records pertaining to active duty and reserve military and their
family members, retired military, DOD civil service personnel, and DOD
contractors. DOD had limited IVAS participation to UOCAVA voters who were
affiliated with DOD because their identities could be verified in the
Defense Enrollment Eligibility Reporting System. Voters obtained their
state or territory ballots through IVAS by logging on to a special Web
site and then requesting ballots from their participating local election
jurisdictions. After the local election officials approved the requests
and the ballots were finalized, IVAS notified voters via e-mail that the
ballots were available to download and print. DOD reported that 108
counties in eight states and one territory agreed to participate in this
2004 IVAS; however, only 17 citizens downloaded their ballots from the
site during the 2004 election. FVAP officials noted that participation was
low, in part because this IVAS was implemented just 2 months before the
election. FVAP further reported that many states did not participate--for
a variety of reasons, including state legislative restrictions, workload
surrounding regular election responsibilities, and lack of Internet
access. FVAP officials noted that this system, which was maintained
through the conclusion of the election, cost $576,000.
25OMB, Guidance for Implementing the Privacy Provisions of the
E-Government Act of 2002, September 26, 2003. (M-03-22).
26Every officer of election must retain and preserve all election records
and papers for certain federal elections for a period of 22 months from
the date of the election. Civil Rights Act of 1960, S 301, 42 U.S.C. S
1974.
27States and territories participating in the 2004 IVAS included Kansas,
Kentucky, Maryland, Mississippi, Montana, New Mexico, South Carolina, the
Virgin Islands, and Wisconsin.
In September 2006--again, just 2 months before the next general
election--FVAP launched a follow-on Integrated Voting Alternative Site,
also called IVAS, in response to a June 2006 legislative mandate to
reestablish the 2004 IVAS. This 2006 IVAS expanded on the 2004 effort, by
providing information on electronic ballot request and receipt options for
all UOCAVA citizens in all 55 states and territories. It also provided two
tools that registered voters could access through the FVAP Web site, using
DOD or military identification, to request or receive ballots from local
election officials. As with the 2004 IVAS, local election officials used
information in these tools to verify the identity of UOCAVA voters who
used them.28 The first tool--called Tool 1--contained a ballot request
form only, accessed through DOD's Web site, which voters could fill out
and download to their computers. Voters could then send the downloaded
form to the local election officials either by regular mail, fax, or
unsecured e-mail, per state or territory requirements. FVAP officials
reported to Congress that no information on the number of users was
available on the use of Tool 1 because the department was no longer
involved in the process once the voter downloaded the ballot request and
they, essentially, had no visibility into what transpired directly between
the voter and the election officials.
28Verification was made by the use of WebGuard, which determines the
status of an individual enrolled in the Defense Manpower Data Center's
Defense Enrollment Eligibility Reporting System database using that
individual's name, Social Security number, and date of birth. Ballot
requests saved and downloaded to the voter's computer for voters who used
Tool 1 and those requests sent to the election officials using Tool 2 both
include text indicating the forms were generated via IVAS.
The second tool--called Tool 2--provided a ballot request and receipt
capability for voters, similar to the 2004 IVAS, which also allowed voters
to fill out ballot request forms online, send them to local election
officials through a secure line, and receive their state or territory
ballots from the local election officials through a secured server. Again,
no voted ballots were transmitted through this IVAS system given that it
was not designed for that purpose. Absentee voters, instead, would return
voted ballots, outside of IVAS, in accordance with state law. Tool 2 had a
tracking feature which showed that 63 voters had requested ballots through
the system. Of these, local election officials approved and made their
state or territory ballots available to 35 UOCAVA voters. However, of the
35 sent out, local election officials reported that only 8 voted ballots29
were traced back to the IVAS Tool 2, in part because this IVAS was
implemented just 2 months before the election. DOD reported that the total
cost for the 2006 IVAS was about $1.1 million, and given that the tools
were used only to request or receive ballots for the November 2006
elections,30 DOD removed the tools from FVAP's Web site in January 2007.
Table 2 compares and provides additional details on the two tools.
29FVAP reported that, since ballot requests could be printed and returned
through the mail or by fax instead of the secured server, an accurate
reporting could not be obtained through Tool 2. FVAP also reported that
ballot requests submitted using Tool 1 could not be tracked and reported
because voters sent the requests directly to local election officials
using their personal e-mail accounts, mail, or fax.
30Congress directed DOD, in June 2006, to reestablish the 2004 IVAS
program. Congress also directed, in October 2006, that DOD continue IVAS
for the general election and all elections through December 31, 2006.
Table 2: Comparison of Integrated Voting Alternative Site Tools 1 and 2
for Election Year 2006
Tool 1 Tool 2
Developer/ Defense Manpower Data Center Merlin International,
contractor Incorporated's PostX
User(s) o Uniformed servicemembers o Uniformed
o Servicemembers' dependents servicemembers
o Overseas DOD employees and o Servicemembers'
contractors dependents
o Overseas DOD
employees and
contractors
o Local election
officials
Tracking o System is not able to track o System is able to
ballot request forms sent to track ballot request
local election officials because forms sent to local
users submitted their Federal election officials;
Post Card Applications directly local election
to local election officials using officials reported
their personal e-mail accounts. that they received 8
o System can provide only how voted ballots.a
many times it was accessed. o PostX reported 63
ballot requests were
submitted to the
system; 35 were
approved--29 out of
35 blank ballots were
viewed by voters on
the system.
Step-by-step o Registered voters use a unique o Registered voters
process DOD identifier or credential to use unique DOD
log in to the IVAS tool. identifier or
o Voters complete the automated credential to log in
Federal Post Card Applications, to the IVAS tool.
without their signature, to o Voters complete the
request a ballot. automated Federal
o Voters save the Federal Post Post Card
Card Applications to their Applications, without
computers as PDF files. their signature, to
o Voters e-mail the Federal Post request a ballot.
Card Applications over an o Voters save the
unsecured Internet line to local Federal Post Card
election officials; voters may Applications to the
also fax or mail the Federal Post secure server and the
Card Applications to local system sends a
election officials--depending on notification to the
state or territory procedures. local election
officials of
completed ballot
requests.
o Local election
officials receive
automated e-mails
with notification of
new ballot requests
and log onto the
secure server to
access the Federal
Post Card
Applications.
o Local election
officials approve
applications and
upload blank ballots
onto the secure
server.
o Voters log onto the
secure server and
fill out ballots.
o Voters print
completed ballots.
o Voters submit voted
ballot directly to
local election
officials, in
accordance with state
law.
o Local election
officials confirm
voted ballot
receipts.
o Voters log on to
check confirmation of
voted ballot
receipts.
Source: DOD information.
aFVAP reported that, since ballot requests could be printed and returned
through the mail or by fax instead of the secured server, an accurate
reporting could not be obtained through Tool 2. FVAP also reported that
ballot requests submitted using Tool 1 could not be tracked and reported
because voters sent the requests directly to local election officials
using their personal e-mail accounts, mail, or fax.
Officials within Congress, and others, have expressed concerns that voters
could be exposed to a heightened risk of identity theft if they used Tool
1 to send voting materials that contain personally identifiable
information (including Social Security number, date of birth, and
address), by unsecured e-mail. FVAP officials acknowledged in their
December 2006 report to Congress31 that Tool 1 was less secure, but said
(1) DOD was providing access to a capability that states already
provide,32 (2) most states and territories only required the last four
digits of the Social Security number on the ballot requests,33 and (3)
Tool 1 displayed a cautionary statement that voters had to read to go on
with the request process; this cautionary statement explained the risk
associated with e-mailing ballot requests and that the government assumed
no liability if voters did so. While we confirmed a cautionary statement
related to the transmission of personal data did exist for Tool 1, it did
not advise voters, after submitting their ballot request, to remove voting
materials that they have stored on their computers. For example, voters
using Internet cafes overseas could have been subject to identity theft if
they did not delete their personal information from the computer and a
subsequent user gained access to the stored file. FVAP officials
acknowledged that users were not advised of the risks of storing personal
voting information on their computers, and these officials stated that
they will incorporate lessons learned, such as adding a cautionary
statement in any future ballot request system.
Online Voting Guidance Is Useful but Some Inconsistencies Exist in the Links
In addition to these initiatives, DOD also has established the FVAP Web
site,34 which contains information on FVAP programs and links to assist
UOCAVA voters in the voting process. Specifically, these links access
FVAP's online guidance, including several versions of FVAP's biennial
Voting Assistance Guide, shown in figure 2.
31DOD, Report on IVAS 2006, As Required by Section 596 of the National
Defense Authorization Act for Fiscal Year 2007, December 2006.
32FVAP reported that states and territories allowing e-mail of the ballot
request include Alaska, Colorado, Illinois, Indiana, Iowa (2006 only),
Minnesota, Mississippi, Montana, North Carolina, North Dakota, Oregon,
Puerto Rico, South Dakota, Virginia, Washington, and Wisconsin.
33As reported by FVAP, 7 states require the full Social Security number,
41 require the last 4 digits or driver's license, and 7 do not require the
Social Security number.
34DOD established this Web site in 1995.
Figure 2: DOD's 2006-2007 Voting Assistance Guide
This guide tells the UOCAVA voter how to register, request a ballot,
receive a ballot, and vote the ballot electronically--including by e-mail
or fax--where state or territory law allows this. One link on FVAP's Web
site had a full-text version of the guide, so that a Voting Action
Officer35 or other user could download and print the entire guide and use
it to provide assistance to absentee voters from various states and
jurisdictions. Another link goes to a Web page containing "State-by-State
Instructions," where two additional links--one a PDF guide, the other an
HTML version36--are provided for each state or territory. This allows
voters to read or print off only their own state's or territory's
instructions and to have a choice of formats.37 Another link goes to the
Integrated Voting Alternative Site--this site provides information for the
55 states and territories regarding the electronic ballot request and
receipt options available to UOCAVA voters. FVAP's Web site also has
another link to News Releases, which contains updates on changes to the
guidance, including changes to state laws that affect UOCAVA voters.
Finally, a link goes to FVAP's Voting Assistance Guide Errata Sheets--this
contains changes that have been made to the archived Voting Assistance
Guide since its last printing.
35Service Voting Action Officers, for example, are responsible for voting
assistance operations within their service.
36PDF means Portable Document Format; it is a file that is used to view
electronic copies of paper documents, which allow an exact copy of the
paper document. HTML means Hypertext Markup Language and is used to
structure and format documents to be displayed on the World Wide Web.
Our review of the FVAP Web site, however, revealed inconsistencies in some
of the information about electronic transmission options that the voters
could access through different links on the site. Our analysis
specifically showed that, while not widespread, for 14 of the 55 states or
territories, some of the guidance regarding requirements for electronic
transmission was inconsistent and could be misleading, as the following
examples illustrate:
o For the state of California, we found that three of the FVAP
links correctly stated that only overseas military and overseas
civilian voters were eligible to receive or return a ballot by
fax; a fourth link, however, did not include this restriction. As
a result, military personnel stationed in the United States, but
away from their state of residence, might
conclude--incorrectly--that they were eligible to vote by fax.
FVAP officials acknowledged this discrepancy and updated the
information reached from the fourth link on January 25, 2007, to
reflect the fact that uniformed servicemembers must be residing or
deployed overseas to be able to receive and send ballots by fax.
o For the state of Colorado, we identified a news release that was
issued on October 18, 2006, announcing a new initiative to allow
uniformed servicemembers deployed outside the United States to
request, receive, and return absentee ballots via e-mail. One
other FVAP link reflected this change; however, four other links
did not capture this change. FVAP officials acknowledged this
discrepancy, updated two of the links, and issued an errata sheet
on January 22, 2007. FVAP officials did not update the third
link--the 2006-2007 Voting Assistance Guide accessed through the
publications link on their Web site--stating that it was
considered an archive document and was not intended for update.
However, DOD did not clearly identify this link as an archived
document; as a result, this link could mislead voters who relied
on it. FVAP officials later acknowledged that the archived version
of the 2006-2007 Voting Assistance Guide could have been labeled
better, and eventually deleted this version from their Web site.
37The Executive Branch's "Access Board," which consists of cabinet-level
officials from twelve federal agencies, among others, developed standards
to implement section 508 of the Rehabilitation Act, which required federal
agencies to have electronic information that is accessible to people with
disabilities on government Web sites. FVAP stated that they provide access
to an HTML version of their Voting Assistance Guide on their Web site to
comply with this act. They also provide a PDF format of the Voting
Assistance Guide for UOCAVA voters.
Appendix II provides details on the inconsistencies we found on
FVAP's Web sites for 14 states and identifies the links, along
with DOD's responses regarding each. Under internal control
guidance, organizations are to apply policies and procedures
consistently.38 As noted previously, while the inconsistencies
were not widespread, the fact that inconsistencies exist at all
could lead UOCAVA voters-- especially busy voters residing or
deployed in remote locations--to rely on incorrect information and
therefore adversely affect their ability to vote. Agency officials
acknowledged these discrepancies and addressed them during the
course of our review.
Online Voting Forms
In addition, FVAP administers two online forms, (1) the Federal
Post Card Application, which allows absentee voters to register to
vote or request ballots; and (2) the Federal Write-in Absentee
Ballot, which allows absentee voters to vote even if they have not
yet received the absentee ballot they requested from their state
or territory. The Federal Post Card Application has been online
since 1999, in PDF format, and is postage-free within the U.S.
mail system when appropriate markings, provided on FVAP's web
site, are used. The online Federal Post Card Application allows
voters to download a PDF version to their computers to complete,
e-mail, print, sign, and send to their local election official via
mail. Some state and local election officials we spoke with
indicated that the online version of the Federal Post Card
Application has many benefits because it is easy to fill out and
read, and it provides sufficient space for the voter to write in.
38GAO, Assessing Internal Controls in Performance Audits, [30]GAO/OP-4.1.4
(Washington, D.C.: September 1990) and Standards for Internal Control in
the Federal Government (Exposure Draft), GAO/AIMD-98-21 .3.1 (Washington,
D.C.: December 1997).
A UOCAVA voter can also use the Federal Write-in Absentee Ballot
as a backup ballot when the state or territory has not sent a
regular absentee ballot in time for the voter to participate in
the election. On October 21, 2004, just a few weeks before the
national election, FVAP issued a news release announcing the
electronic version of the ballot as an emergency ballot. The
Ronald W. Reagan NDAA for Fiscal Year 2005 amended the eligibility
criteria in UOCAVA39 to allow states and territories to accept the
Federal Write-in Absentee Ballot under a broader range of
circumstances. Prior to the change, a UOCAVA citizen had to be
outside of the United States, have applied for a regular absentee
ballot early enough to meet state election deadlines, and not have
received it from the state. Under the new criteria, the Federal
Write-in Absentee Ballot can be used by military servicemembers
and their dependents stationed in the United States, as well as by
military personnel, their dependents, and citizens living
overseas.
Absence of Internet Absentee Voting Guidelines Has Hindered
Development of the Mandated Internet-Based Absentee Voting
Demonstration Project
The Election Assistance Commission has not yet developed the
Internet absentee voting guidelines, and because it is required by
law to develop them for DOD's use in the secure, Internet-based,
absentee voting demonstration project, DOD has not moved ahead
with the project. Commission officials told us that they have not
yet developed the required Internet absentee voting guidelines
because the Commission has been working on other
priorities--including standards for electronic voting machines,
challenges associated with these electronic voting machines, and a
process for certification and accreditation--and it lacks the
resources to work on the Internet absentee voting guidelines or
the mandated study of the issues and challenges for Internet
technology at the same time. Although the Internet voting study is
now underway, the Commission has said that it will not be
completed until September 2007 and thus does not have the results
it needs to establish time frames or a plan for developing the
guidelines. Regarding the demonstration project, DOD officials
stated that they had not taken action to develop this project
because the Ronald W. Reagan NDAA for Fiscal Year 2005 requires
the Commission to develop the guidelines first. DOD officials
stated that, in an effort to assist the Commission in developing
the Internet absentee voting guidelines, they have provided
information on prior Internet voting efforts, along with
challenges associated with these Internet voting efforts and views
on how to mitigate those challenges.
39Pub. L. No. 108-375 S 566(c) (2004).
The Commission Has Not Developed Internet Absentee Voting
Guidelines because of Other Priorities, Constraints on Resources,
and Lack of DOD Information
Commission officials stated that they have not developed Internet
absentee voting guidelines because the Commission and the
organizations that would normally provide assistance to it are
directing their constrained resources to other priorities. This
includes addressing challenges associated with electronic voting
machines and establishing a process for certification and
accreditation. Additionally, the Help America Vote Act of 2002
requires the Commission's Technical Guidelines Development
Committee to assist the Executive Director of the Commission in
developing voluntary voting system guidelines.40 The act also
requires the Director of the National Institute of Standards and
Technology to provide the Development Committee with technical
support in developing those guidelines, including research and
development related to computer and network security, voter
privacy, remote access voting (including voting through the
Internet), and voting fraud.
Commission officials told us, however, that the Development
Committee has not been able to work on Internet absentee voting
guidelines for UOCAVA voters because it had other priorities and
constraints on its resources.41 In light of the Development
Committee's low priority for working on the Internet absentee
voting guidelines, officials from the Commission asked officials
from the National Institute of Standards and Technology to assist
with developing the guidelines. However, officials from the
National Institute of Standards and Technology said that they
could not provide support because they also lacked sufficient
resources at the time. Commission officials told us that, at the
time of our review, the National Institute of Standards and
Technology was also using its resources to work with the
Development Committee on the current voluntary voting guidelines
and would not have sufficient resources to work on Internet
absentee voting guidelines until after July 2007.
Additionally, Commission officials stated that they were waiting
for DOD to provide information that describes the type of system
around which the guidelines should be developed. DOD officials,
however, stated that they gave the Commission reports that
provided the framework for the Internet-based absentee voting
system they envisioned. Specifically, these DOD officials told us
that they provided the Commission, in 2004, with a report on their
2000 proof of concept for Internet-based voting called "Voting
Over the Internet,"42 and in March 2006, they provided the
Commission with an internal DOD document assessing the terminated
SERVE project. DOD and Commission officials told us that they had
not communicated in depth on the guidelines and the DOD system
before our review.
40These guidelines provide a set of specifications and requirements to be
used in the certification of computer-assisted voting systems, both
paper-based and fully electronic, and are voluntary--that is, states are
free to adopt them in whole or in part or to reject them entirely.
41For example, Commission officials told us that the Development Committee
is working on updates to the Voluntary Voting System Guidelines that were
established in 2005. These guidelines will become effective December 2007.
The guidelines focus primarily on electronic voting machines and ballot
counters, but not on Internet voting systems for UOCAVA voters.
The Election Assistance Commission Has Started a Study as a
Precursor to the Internet Absentee Voting Guidelines
To gain a better understanding of the Internet voting environment,
in September 2006, the Commission started an Internet voting study
as a precursor to developing the Internet absentee voting
guidelines. The Help America Vote Act of 2002 required the
Commission to conduct this study to determine the issues and
challenges presented by incorporating communications and Internet
technology into elections, including the potential for election
fraud, and to issue a report no later than June 29, 2004. However,
the Commission did not meet this reporting date. Commission
officials told us that they were unable to complete the study
sooner--or even begin it--because of the resource constraints they
have worked under since the Commission's inception, and because
they were working on other priorities. They noted, for example,
that under the act, the Commission was to be established by
February 26, 2003, but the Commissioners were not appointed until
almost a year later, in December, 2003. They also told us that,
although 23 employees were allocated to the Commission, they had
to build up staff gradually, starting in January 2004, by hiring
two employees each month. Accordingly, Commission officials
testified in June 200443 that, as a result of these constraints,
the Commission was able to meet only some of its mandates, such as
developing the 2005 Voluntary Voting System Guidelines. As a
result, the Commission was not able to conduct the Internet voting
study in a timely manner.
42Department of Defense, Federal Voting Assistance Program: Voting Over
the Internet, June 2001.
43Statement of U.S. Election Assistance Commission before the U.S. House
Of Representatives, Committee on House Administration, dated June 17,
2004.
Commission officials stated that the Internet voting study, which
was underway during the course of our review, includes several
case studies to monitor current Internet voting usage and
electronic transmission of ballots. The four states participating
in this part of the study are Florida, Montana, South Carolina,
and Illinois. The study also includes (1) a survey of UOCAVA
voters to collect information on their level of interest in
electronic voting and (2) a conference to gather states'
experiences on topics such as Internet voting, electronic
transmission of ballots, security risks for voting systems, and
verification of voters' identities. Commission officials told us
that they plan to issue a final report on the Internet voting
study in September 2007.
The Commission Does Not Have a Plan for Assessing Security Issues
and Developing Internet Absentee Voting Guidelines
The Ronald W. Reagan NDAA for Fiscal Year 2005 did not establish a
deadline by which the Commission was to complete the Internet
absentee voting guidelines, and the Commission has not set time
frames for itself, primarily because it has been working on
guidelines for current voting systems. Additionally, as stated
previously, the Commission has not completed the precursor
Internet voting study to identify critical issues and challenges
such as those related to security and privacy. Also, it has not
established a plan, in conjunction with major stakeholders like
DOD, to develop appropriate guidelines for Internet voting with
specific tasks that would address security risks such as those
identified in its study and other security evaluations and
reports, as well as time frames and milestones.
In previous reports, we have noted that leading organizations
develop long-term results-oriented plans that involve all
stakeholders and identify specific tasks, milestones, time frames,
and contingency plans;44 this practice is also embodied in the
underlying principles of the Government Performance and Results
Act of 1993.45 Similarly, without a plan for the UOCAVA Internet
absentee voting guidelines--including specific tasks, time frames,
milestones, necessary resources, and alternatives--the Commission
cannot inform Congress, FVAP, and local election officials when it
will meet the mandate to develop the required guidelines. As we
previously noted, some technologies may not yet be mature enough
to support Internet voting. Therefore, the plan for developing
Internet absentee voting guidelines may require an incremental
approach that reflects emerging solutions to security and privacy
challenges, as well as changing views on acceptable levels of risk
and cost.
44GAO, Executive Guide: Effectively Implementing the Government
Performance and Results Act, GAO-GGD-96-118 (Washington, D.C.: June 1996)
and Military Readiness: Navy's Fleet Response Plan Would Benefit from a
Comprehensive Management Approach and Rigorous Testing, [31]GAO-06-84
(Washington, D.C.: Nov. 22, 2005).
45Pub. L. No. 103-62 (1993).
DOD Has Not Developed a Secure, Internet-based, Absentee Voting
Demonstration Project
Similarly, DOD has not developed a secure, Internet-based absentee
voting demonstration project, as Congress mandated in the Ronald
W. Reagan NDAA for Fiscal Year 2005. DOD reported that the
principal objective of the Internet-based electronic demonstration
project was to assess the use of such technologies to improve
UOCAVA participation in elections. The department planned to
conduct the project during the first general election for federal
office after the Commission has established Internet voting
guidelines for the project. However, DOD has not moved forward
with the electronic demonstration project because, by law, the
Commission must first develop the Internet absentee voting
guidelines.
DOD officials stated, as mentioned previously, that they provided
information to assist the Commission in developing the guidelines,
and Commission officials acknowledged that DOD had provided them
with a report on "Voting Over the Internet," DOD's assessment of
its November 2000 Internet-based voting project, in 2004--the
first year of the Commission's operation. DOD also provided the
Commission with an internal document that contained information on
its SERVE project. However, Commission officials told us that they
did not receive the SERVE document until June 2006. This document
discussed challenges DOD identified with Internet voting, which
included security threats such as computer viruses, malicious
insider attacks, and inadvertent errors that could disrupt system
performance.
In 2001, we also identified several challenges to Internet voting,
such as privacy and security.46 As previously mentioned, we
reported that broad application of Internet voting faced
formidable challenges, including the difficulty of providing
adequate voter privacy--that is, protecting the voter's ability to
cast a ballot without being observed. We further reported that,
although not unanimous on all issues, groups considering the pros
and cons of Internet voting were in consensus in identifying
security as the primary technical challenge for Internet voting.
We also reported that, because of the security risks involved,
Internet voting would not likely be implemented on a large scale
in the near future. Moreover, DOD officials told us that even if
the Commission had developed Internet voting guidelines at the
time of our review, DOD would not have been able to develop a
secure, Internet-based, electronic demonstration project in time
for the 2008 presidential election. DOD officials said
that--depending on the Internet voting guidelines provided by the
Commission--the final system design, full development, testing and
deployment phases would take an estimated 24 to 60 months.
Furthermore, deployment of any system requires participation of
the military services, which have many additional, competing
priorities that may cause delays in deployment. Given that less
than 17 months remain before the November 2008 election, FVAP
officials said there is insufficient time to advertise and launch
the Internet-based electronic demonstration project.
46 [32]GAO-01-1026 ; [33]GAO-02-3 .
DOD Was Developing Plans to Expand the Use of Electronic Voting
Technology in the Future, but Sound Management Practices Are Key
We observed that DOD was developing, but had not yet completed,
plans to expand the use of electronic voting technology for UOCAVA
voters use in federal elections through November 2010, as required
by the John Warner NDAA for Fiscal Year 2007. DOD officials told
us that they anticipated providing the plans to Congress, in
accordance with the act, by May 15, 2007. Because electronic
voting initiatives for the absentee voting process (fax, e-mail,
and Internet) involve numerous stakeholders at the federal
level--including DOD and the Commission--as well as the various
state and local levels, developing a plan is key. Implementation
of new electronic voting initiatives requires careful planning,
particularly in light of the remote location of troops, the
application of new technology, and the lead time required for
implementation. As DOD develops these plans, employing a
comprehensive strategic approach that incorporates sound
management principles could provide a framework for DOD's plans.
Our analyses of DOD and Commission documents and our
interviews--including those with officials from these agencies,
organizations representing UOCAVA voters, and state and local
election officials--show that DOD did not obtain sufficient
stakeholder involvement in planning its recent electronic voting
initiatives--the 2004 and 2006 IVAS initiatives. In fact,
Commission officials mentioned that DOD's recent initiatives took
a "top down" approach and did not seek input from the Commission
or from local jurisdictions during the planning stage. DOD
officials noted that both the 2004 and 2006 IVAS initiatives were
planned, designed, advertised, and implemented just months before
those two elections. In the case of the 2006 IVAS, however, the
department reported that it developed the system within 79 days of
passage of the mandate--June 2006--and noted that it was in fact
responsive to that mandate. The Commission and state and local
election officials noted that the aggressive schedules for these
latest electronic initiatives did not allow sufficient time to
enable full participation, training, and dissemination of
information on the efforts. Additionally, at the time of our
review, DOD officials said they had not yet established interim
tasks that address issues such as security and privacy,
milestones, time frames, and contingency plans.
The principles of sound management used by leading organizations
and embodied in the Government Performance and Results Act of
199347 provide a methodology to establish a results-oriented
framework for DOD to develop its detailed plans. Such a framework
would provide a firm foundation for DOD's long-term plan for
electronic voting initiatives. Some of the key management
principles include (1) involving stakeholders when defining the
mission and outcomes, (2) identifying specific actions and tasks,
such as monitoring and assessing security of the initiatives, (3)
developing schedules and time frames for tasks, and (4) evaluating
the overall effort, with specific processes to allow for
adjustments and changes. Furthermore, as we reported in one of our
executive guides, leading organizations plan for a continuous
cycle of risk management. This includes determining needs,
assessing security risks, implementing policies and controls,
promoting awareness, and monitoring and evaluating controls.48
Combined with effective leadership, these principles provide
decision makers with a framework to guide program efforts and the
means to determine if these efforts are achieving the desired
results.
In its December 2006 report to Congress on IVAS,49 DOD stated the
following:
o Development of a long-term strategic plan was necessary to
ensure that all related initiatives were effectively integrated,
but this was dependent on having sufficient time to assess,
improve, and evaluate new or evolving electronic alternatives.
o Major recommendations for its future electronic voting projects
would include, for example,
o recognizing the variation in state and local laws,
procedures, and systems;
o identifying and mitigating actual and perceived
risks, by educating people about risk management
practices; and
o building consensus among key stakeholders.
47Pub. L. No. 103-62 (1993). [34]GAO/GGD-96-118 .
48GAO, Executive Guide: Information Security Management, Learning From
Leading Organizations, [35]GAO/AIMD-98-68 (Washington, D.C.: May 1998).
49DOD, Report on IVAS 2006.
As stated previously, Commission officials told us that, for
recent initiatives, DOD did not seek input from the Commission or
local jurisdictions during the planning stage of these efforts.
Without a proactive, integrated, long-term, results-oriented plan
that involves all major stakeholders; includes goals, interim
tasks--such as identifying security risks and addressing privacy
concerns--milestones, time frames, and contingency plans; and
follows the sound management practices used by leading
organizations, DOD is not in a position to address congressional
expectations to establish secure and private electronic and
Internet-based voting initiatives.
Conclusions
It is imperative that the 6 million Americans who are covered
under the Uniformed and Overseas Citizens Absentee Voting Act have
the opportunity to exercise their right to vote--one of the
hallmarks of a democratic society. The fact that time is an issue
with absentee voting by regular mail has led many to look toward
electronic and Internet voting, which represent the next
generation of voting technology, as alternatives. While these
alternatives may expedite the absentee voting process, they are
more vulnerable to privacy and security compromises than the
conventional methods now in use. Electronic and Internet voting
require safeguards to limit such vulnerabilities and prevent
compromises to votes from intentional actions or inadvertent
errors. However, available safeguards may not adequately reduce
the risks of compromise. To date, the Election Assistance
Commission has not assessed the risks or possible safeguards for
Internet voting, nor has it developed corresponding guidelines
that define minimum Internet voting capabilities and safeguards to
be considered by the election community. Furthermore, electronic
and Internet-based absentee voting can be challenging for UOCAVA
voters, who reside at multiple locations across the globe. These
voters are also registered to vote in thousands of local
jurisdictions across 55 states and territories that employ varying
levels of technology--from paper ballots to faxes and e-mail. DOD
faces significant challenges in leveraging electronic and Internet
technology to facilitate this complex, global absentee voting
process. Delays in developing guidelines and a demonstration
project have resulted in two presidential elections passing
without significant progress in moving toward expanded use of
electronic and Internet absentee voting. DOD officials told us it
is now too late in the cycle to implement significant changes
before the 2008 election. The challenges of coordinating among
numerous stakeholders--including DOD, the Commission, and state
and local election officials, as well as organizations
representing UOCAVA voters--are substantial, and, to date, efforts
to involve stakeholders in the planning stage of DOD's recent
initiatives have fallen short. This delay has left an expectation
gap between what Congress required and what has been accomplished
so far. Several steps would have to be taken to overcome these
challenges, including better coordination between the Commission
and DOD regarding their complementary roles in developing Internet
voting guidelines and the mandated demonstration project. Unless
the Commission and DOD move in a timely manner to assess the
technology risks, develop guidelines that address the risks,
coordinate among election stakeholders, and establish and execute
prudent plans, they are unlikely to meet the expectations of
Congress and military and overseas voters to establish a secure
and private electronic and Internet-based UOCAVA voting
environment.
Recommendations for DOD
To improve the security and accuracy of DOD's electronic and
Internet initiatives, we recommend that the Secretary of Defense
direct the Under Secretary of Defense for Personnel and Readiness
to take the following four actions:
o Comply with the information security requirements in the DOD
Certification and Accreditation Process guidance.
o Incorporate lessons learned into plans for future systems such
as those we identified, including adding cautionary statements to
future ballot request and receipt systems to warn UOCAVA voters to
remove personal data from their computers.
o Institutionalize a process to review online UOCAVA guidance to
ensure that DOD provides accurate and consistent information to
UOCAVA voters.
o Create an integrated, comprehensive, long-term, results-oriented
plan for future electronic voting programs that specifies, among
other things, the goals to be achieved along with tasks including
identifying safeguards for the security and privacy of all DOD's
voting systems--both electronic and Internet. The plan should also
specify milestones, time frames, and contingencies; synchronize
them with planned development of the Commission's guidelines for
Internet voting; and be developed in conjunction with major
stakeholders--including state and local election officials, the
Election Assistance Commission, overseas voting groups, and each
of the armed services. The plan should also include initiatives
that will be done well in advance of federal elections, to allow
adequate time for training and dissemination of information on the
options available to UOCAVA voters.
Recommendations for the Election Assistance Commission
To improve the Election Assistance Commission's efforts to comply
with the direction from Congress to develop the Internet absentee
voting guidelines, we recommend that the Commission take the
following two actions:
o Determine, in conjunction with major stakeholders like DOD,
whether the Commission's 2007 Internet voting study and any other
Commission efforts related to Internet or electronic voting are
applicable to DOD's plans for Internet-based voting, and
incorporate them where appropriate.
o Develop and execute, in conjunction with major
stakeholders--including state and local election officials and
DOD--a results-oriented action plan that specifies, among other
things, goals, tasks, milestones, time frames, and contingencies
that appropriately address the risks found in the UOCAVA voting
environment--especially risks related to security and privacy.
Agency Comments and Our Evaluation
In written comments on a draft of this report, DOD concurred with
our recommendations to (1) comply with the information security
requirements, (2) incorporate lessons learned into plans for
future systems--to include adding cautionary statements to warn
UOCAVA voters to remove personal data from their computers, (3)
institutionalize a process to review online UOCAVA guidance, and
(4) create a comprehensive, results-oriented, long-term plan for
future electronic voting initiatives. The department said that it
will contract for services to comply with the information security
requirements and will incorporate identified lessons learned into
future registration, ballot request, and ballot receipt systems.
The department said that it has already streamlined its online
guidance by, among other things, eliminating the archived
"Publications" version of the Voting Assistance Guide entirely; it
will also establish a revised review process for online
information. DOD noted that these changes will reduce the
possibility of human error and simplify the review and
verification process of online information. Finally, DOD stated
that it was in full support of a long-term, comprehensive plan for
future electronic voting projects that would allow for sufficient
time to involve the major stakeholders, train, and disseminate
information and ultimately serve UOCAVA voters. The department
said it looked forward to working on this multiyear project plan
in cooperation with the Election Assistance Commission, the
National Institute of Standards and Technology, and other major
stakeholders. It further stated that FVAP, the Commission, and the
National Institute of Standards and Technology are scheduling a
meeting to lay the groundwork for the plan. DOD's comments are
reprinted in appendix III. DOD also provided technical comments,
which we incorporated in the final report, as appropriate.
In its written comments, the Election Assistance Commission
concurred with our recommendations to (1) determine the
applicability of the Commission's 2007 Internet voting study and
other Commission studies to DOD's plans for Internet-based voting,
and (2) develop and execute a results-oriented action plan to
provide guidelines that appropriately address the risks found in
the UOCAVA voting environment. The Commission stated that it has
already met with FVAP and the National Institute of Standards and
Technology and agreed to develop a time line for creating the
UOCAVA guidelines. The Commission's comments are reprinted in
appendix IV.
We are sending copies of this report to the Secretary of Defense
and the Under Secretary of Defense (Personnel and Readiness) and
the Commissioners of the Election Assistance Commission. We will
also make copies available to others upon request. In addition,
the report will be available at no charge on the GAO Web site at
http://www.gao.gov .
Should you or your staff have any questions about this report,
please contact me at (202) 512-5559. Contact points for our
Offices of Congressional Relations and Public Affairs may be found
on the last page of this report. Key contributors to this report
are listed in appendix V.
Derek Stewart
Director, Defense Capabilities and Management
Appendix I: Scope and Methodology
To assess DOD's electronic initiatives, we reviewed and analyzed
relevant laws, directives, and guidance. These included DOD
Directive 1000.4, Federal Voting Assistance Program (FVAP),
updated April 14, 2004; and DOD's Interim Department of Defense
(DOD) Certification and Accreditation (C&A) Process Guidance,
dated July 6, 2006. We also reviewed applicable requirements
documents for DOD's electronic efforts, as well as relevant
reports by GAO, DOD, FVAP, the DOD Inspector General, and others,
including A Security Analysis of the Secure Electronic
Registration and Voting Experiment (SERVE), dated January 21,
2004. In addition, we reviewed FVAP's 2006-2007 Voting Assistance
Guide and its Web site to ascertain what type of information on
electronic voting alternatives is provided to UOCAVA citizens.
We interviewed key program officials at the Office of the Under
Secretary of Defense for Personnel and Readiness's Federal Voting
Assistance Program (FVAP), the Business Transformation Agency, the
Defense Manpower Data Center, and Voting Action Officers from
several service headquarters. We also contacted officials from (1)
election organizations, including the National Association of
Secretaries of State and Joint Election Officials Liaison
Committee and (2) organizations representing UOCAVA voters,
including those from the National Defense Committee and the
Overseas Vote Foundation. We made contact with officials from 14
of the 16 state and local election offices we called to obtain
their perspectives on DOD's initiatives. Specifically, we included
all 11 states that had participated in DOD's 2006 Integrated
Voting Alternative Site--some of which participated in SERVE and
other DOD programs and initiatives. We also included three other
states that had 10 or more military bases and had participated in
SERVE though not in IVAS. Table 3 lists the states we contacted
and the programs in which these states participated.
Table 3: State Offices Contacted and Programs Where the States Were
Participants
States SERVE IVAS Tool 1 IVAS Tool 2
contacted participantsa participantsa participantsa
1 Arkansas Yes Yes No
2 Florida Yes No No
3 Hawaii Yes No No
4 Illinois No Yes No
5 Indiana No No Yes
6 Kentucky No No Yes
7 Mississippi No Yes No
8 Montana No No Yes
9 North Carolina Yes Yes No
10 Puerto Rico No Yes No
11 South Carolina Yes No No
12 Vermont No Yes No
13 Virgin Islands No Yes No
14 Washington Yes Yes No
Totals 14 states 6 SERVE states 8 IVAS Tool 1 states 3 IVAS Tool 2
contacted contacted contacted states contacted
Source: GAO analysis of DOD data.
aWhile a number of jurisdictions were included under each of the DOD
programs listed, we spoke to at least one election official from each
state.
To determine the Commission's efforts to develop Internet voting
guidelines and DOD's efforts to develop the secure, Internet-based,
absentee voting demonstration project, we reviewed and analyzed relevant
laws, Commission reports, and to the extent they existed, the Commission's
strategic plan and other documents to ascertain its plans and efforts to
develop Internet voting guidelines for UOCAVA voters. We also reviewed and
analyzed various DOD requirements documents, GAO reports, internal DOD
reports, and other reports related to DOD's prior Internet-based absentee
voting initiatives--Voting Over the Internet and SERVE--to ascertain,
among other things, challenges and benefits associated with Internet
voting efforts. Additionally, we interviewed key program officials within
FVAP, including the Director and Deputy Director of FVAP and the Project
Manager for SERVE, who is currently retired, along with officials on DOD's
private sector Security Peer Review Group. We also spoke with officials on
the Commission's Technical Guidelines Development Committee and with the
National Institute of Standards and Technology.
To ascertain DOD's efforts to develop plans to expand the use of
electronic voting technologies in the future, we reviewed and analyzed
laws, guidance, and reports to determine DOD's current and future plans
for the Internet-based absentee voting demonstration project.
Additionally, we examined, to the extent they existed, DOD's strategic
plan and other documentation to determine its current and future plans for
the Internet-based absentee voting demonstration project. We also
interviewed responsible officials within DOD about these plans--including
the Principal Deputy Under Secretary of Defense for Personnel and
Readiness and the Director and Deputy Director of FVAP.
We conducted our work from August 2006 through April 2007 in accordance
with generally accepted government auditing standards.
Appendix II: Examples of the Inconsistent Voting Assistance Guidance on
DOD's Web Site
During the course of our review, we compared and analyzed the voting
assistance guidance provided on DOD's Federal Voting Assistance Program
(FVAP) Web site that covered electronic alternatives to mail. The online
links we reviewed included FVAP's: (1) 2006-2007 Voting Assistance Guide
(VAG)--a PDF version;1 (2) 2006-2007 VAG--an HTML version; 2 (3) the
archived 2006-2007 VAG--a PDF version dated October 25, 2005;3 (4) changes
to the archived 2006-2007 VAG--called Errata Sheets; (5) News Releases;
and (6) the 2006 Integrated Voting Alternative Site (IVAS). While not
widespread, for 14 of the 55 states and territories, we found differences
in some of the guidance provided on these links.4 Table 4 shows the
differences we identified.
Table 4: Inconsistencies Identified in Guidance on Electronic Alternatives
to Mail
Differences GAO
State identified Questions FVAP response observation
1 California Both PDF Could an IVAS page was Correction to
versions and the absentee incorrect and IVAS has been
HTML Voting ballot sent by was updated verified.
Assistance fax by on1/25/07. The
Guides state military instruction
that only personnel should have
overseas within the specified that
military and United States Uniformed
overseas be rejected if Servicemembers
citizens may a voter must be
receive and send covered under overseas to
the ballot by the Uniformed receive and
fax. and Overseas send the
Citizens ballot by fax.
IVAS instruction Absentee By law, an
does not Voting Act absentee
restrict who can relied solely ballot faxed
receive or send on IVAS for from within
the ballot by voting the United
fax. guidance? States should
be rejected.
2 Colorado The News Release Would overseas The Voting Corrections to
for Colorado on uniformed Assistance PDF, HTML, and
October 18, voters know of Guide, PDF, errata sheet
2006, and IVAS the e-mail HTML, and have been
"allow Uniformed options if errata sheet verified.
Servicemembers they relied on have been
deployed outside the Voting updated to FVAP stated
the U.S. to Assistance reflect the that the
request, Guide for change. Web "Publications"
receive, and voting site changes version of the
return absentee guidance? to the Voting Voting
ballots via Assistance Assistance
e-mail." Guide were Guide in PDF
made January format was the
This is not 22, 2007. original book
reflected in the version of the
two PDF versions Guide in
or HTML Voting electronic
Assistance form. Since it
Guides, nor was was considered
an errata sheet an archived
created. document, FVAP
officials
stated that it
was not
intended for
update; but,
acknowledged
that this
version could
have been
marked better
as an archived
document.
These
officials have
since deleted
this version
of the Guide
from their Web
site.
3 Illinois FVAP issued an Would The fax and Corrections to
errata sheet for uniformed e-mail IVAS and HTML
Illinois on voters be provisions on have been
September 29, aware of the the errata verified.
2006, and all fax and e-mail sheet and the
changes except provisions if Voting FVAP officials
one are they relied on Assistance acknowledged
reflected in the IVAS, HTML Guide PDF are that the
HTML and PDF Voting correct as "Publications"
"Publications" Assistance accepted by version of the
versions of the Guide, or the State of Voting
Voting "publications" Illinois. The Assistance
Assistance Guide PDF version? IVAS page and Guide could
and IVAS did not the Voting have been
mention the Assistance marked better
change. Guide HTML as an archived
were missing document, and
Specifically, the have since
the change that information deleted this
is not captured about the City version of the
is in Item IIE of Chicago and Guide from
(Uniformed Suburban Cook their Web
Services): County site.
allowing
"The receipt of the
Publications" blank ballot
PDF and HTML by fax or
Voting e-mail. The
Assistance information
Guides say was added on
Illinois does both the IVAS
not allow and the HTML
receipt of blank on January 26,
ballots by fax 2007.
or e-mail and
IVAS does not See note below
address this on
issue. "Publications"
version of the
Voting
Assistance
Guide.a
4 North FVAP issued a Would voters Voting Corrections to
Carolina News Release and covered under Assistance PDF and HTML
updated IVAS on the Uniformed Guide pages Voting
October 20, and Overseas updated to Assistance
2006, stating Citizens reflect Guide and
that North Absentee information errata sheet
Carolina now Voting Act contained in have been
allows all know of the News Release verified.
citizens covered fax or e-mail on January 29,
under the options if 2007. FVAP officials
Uniformed and they relied on acknowledged
Overseas the Voting See note below that
Citizens Assistance on "Publications"
Absentee Voting Guide "Publications" version of the
Act to, among publications? version of the Voting
other things, Voting Assistance
receive blank Assistance Guide could
absentee ballots Guide.a have been
and return voted marked better
ballots by fax. as an archived
It also stated document, and
that the Federal have since
Post Card deleted this
Application version of the
could be faxed Guide from
or e-mailed. their Web
site.
This information
was not
reflected in the
FVAP PDFs or
HTML versions of
the Voting
Assistance
Guide, nor was
an errata sheet
created.
5 Rhode Rhode Island's Would overseas The language Corrections to
Island Overseas civilians know in question the PDF, HTML,
Civilians of the option does not refer IVAS, and
instructions for to request the to the ability errata sheet
FVAP's PDFs and blank ballot of the voter have been
HTML Voting by e-mail if to request an verified.
Assistance Guide they relied on absentee
include language Section IIIE ballot via
in Section IIIB of the Voting e-mail, but to
stating that Assistance request that a
ballots "may be Guide or IVAS? copy of a
requested by state form
using the (now
Federal Post discarded) be
Card sent to them,
Application, which could be
letter, requested by
telephone, fax, using a
or e-mail." Federal Post
Card
This language Application,
contradicts via fax,
guidance in e-mail, phone,
Section IIIE of etc. Given
the HTML and PDF that the state
Voting form has been
Assistance discarded, the
Guides which Voting
only mentions Assistance
fax Guide has been
transmissions. updated to
reflect the
Furthermore, the change. Web
IVAS Web site site changes
says no e-mail to the Voting
is permitted. Assistance
Guide were
made January
29, 2007.
6 South South Dakota's Would The change was Correction to
Dakota errata sheet stateside made by South the HTML has
from June 19, military Dakota and been verified.
2006 and the PDF voters know approval
Voting that they are signed. The IVAS referred
Assistance Guide required to PDF and errata the voter to
require the have the sheet were the Voting
Federal Post Federal Post changed, the Assistance
Card Application Card HTML was Guide
be notarized for Application overlooked, instructions.
stateside notarized if and correction
military voters. they rely on was made FVAP officials
IVAS, HTML or January 26, acknowledged
This is not "Publications" 2007. The IVAS that
mentioned as a Voting page did not "Publications"
requirement in Assistance contain full version of the
IVAS, or the Guides instead instructions Voting
HTML or of the errata but referred Assistance
"Publications" sheet? the reader to Guide could
Voting the Voting have been
Assistance Assistance marked better
Guide. Guide as an archived
(Specifically, instructions. document, and
these say that have since
"no registration See note below deleted this
or voting on version of the
materials are "Publications" Guide from
notarized or version of the their Web
witnessed.") Voting site.
Assistance
Guide.a
7 South South Dakota's Would voters See note below FVAP officials
Dakota errata sheet covered under on acknowledged
from October 4, the Uniformed "Publications" that
2006, and HTML and Overseas version of the "Publications"
and PDF Voting Citizens Voting version of the
Assistance Absentee Assistance Voting
Guides allow Voting Act Guide.a Assistance
voters covered know of the Guide could
under the option to send have been
Uniformed and the Federal marked better
Overseas Post Card as an archived
Citizens Application by document, and
Absentee Voting fax or via have since
Act to send the e-mail deleted this
Federal Post attachment if version of the
Card Application they relied on Guide from
by fax and allow the their Web
a voter to "Publications" site.
submit a scanned Voting
application as Assistance
an e-mail Guide?
attachment.
This is not
reflected in the
"Publications"
Voting
Assistance
Guide.
8 Utah Utah's errata Would Change was Correction to
sheet from May uniformed made to the HTML has
11, 2006, and voters know reflect Utah's been verified.
PDF Voting that they were election law
Assistance Guide not required and approval FVAP officials
(uniformed to have their signed. The acknowledged
services) states voting PDF and errata that
that materials sheet were "Publications"
registration and notarized if corrected, version of the
voting materials they relied on however, the Voting
are not the HTML or HTML was Assistance
notarized or "Publications" overlooked. Guide could
witnessed. Voting Correction was have been
Assistance made January marked better
This is not Guide? 26, 2007. See as an archived
reflected in the note below on document, and
HTML or PDF "Publications" have since
"Publications" version of the deleted this
version of the Voting version of the
Voting Assistance Guide from
Assistance Guide.a their Web
Guide. site.
For example, the
HTML Voting
Assistance Guide
says that no
notary or
witness is
required, but
mentions
certification.
9 Vermont While the notary Would overseas The PDF Voting Correction to
section of civilians know Assistance the PDF has
Civilian Outside that their Guide had the been verified.
U.S. in the PDF signature is signed
Voting required on approval of
Assistance Guide the inside Vermont. The
has the envelope missing line
statement about certificate if was simply
witness they relied on overlooked by
requirements for the PDF Voting the state and
the return Assistance FVAP and was
ballot, it does Guide? updated on
not have the January 25,
statement: 2007.
"However, your
signature must
be on the inside
envelope
certificate."
This line is
reflected in the
HTML Voting
Assistance Guide
and in all
notary sections
of the Uniformed
Services Voting
Assistance
Guides.
10 Alaska The HTML, Would voters See note below FVAP officials
"State-by-State" covered under on acknowledged
PDF Voting the Uniformed "Publications" that
Assistance and Overseas version of the "Publications"
Guide, and IVAS Citizens Voting version of the
instruction Absentee Assistance Voting
allow e-mailing Voting Act Guide.a Assistance
of the blank know of the Guide could
ballot and voted option to have been
ballot. e-mail the marked better
blank and as an archived
This is not voted ballot document, and
reflected in the if they relied have since
"Publications" on the deleted this
version of the "Publications" version of the
PDF Voting Voting Guide from
Assistance Guide Assistance their Web
for Alaska. Guide? site.
11 Oregon An errata sheet Would voters See note below FVAP officials
on August 22, covered under on acknowledged
2006 for Oregon the Uniformed "Publications" that
and the HTML and and Overseas version of the "Publications"
PDF Voting Citizens Voting version of the
Assistance Absentee Assistance Voting
Guides added, in Voting Act Guide.a Assistance
addition to know of the Guide could
faxing, the option to use have been
words "or e-mail for marked better
e-mail" to the their voting as an archived
electronic materials if document, and
transmission they relied on have since
sections in the the deleted this
Voting "Publications" version of the
Assistance Voting Guide from
Guide. Assistance their Web
Guide? site.
This information
is not reflected
in the
"Publications"
version of the
Voting
Assistance
Guide.
12 South An errata sheet Would voters See note below FVAP officials
Carolina and a news covered under on acknowledged
release on May the Uniformed "Publications" that
5, 2006 and the and Overseas version of the "Publications"
HTML and PDF Citizens Voting version of the
Voting Absentee Assistance Voting
Assistance Voting Act Guide.a Assistance
Guides announced know of the Guide could
that voters are fax and e-mail have been
allowed to options if marked better
receive and they relied on as an archived
return the the document, and
ballot by fax or "Publications" have since
e-mail under any Voting deleted this
conditions or Assistance version of the
circumstances. Guide? Guide from
their Web
This information site.
is not reflected
in the
"Publications"
version of the
Voting
Assistance
Guide, which
only allows fax
and e-mail for
emergencies.
13 Texas FVAP issued an Would voters See note below FVAP officials
errata sheet for covered under on acknowledged
Texas on July the Uniformed "Publications" that
24, 2006, that and Overseas version of the "Publications"
changed the Citizens Voting version of the
first bullet in Absentee Assistance Voting
both electronic Voting Act Guide.a Assistance
transmission know the fax Guide could
sections, which option was for The state of have been
says Texas only to Texas only marked better
allows voters to request the allows faxing as an archived
send the Federal ballot and to be used to document, and
Post Card temporary request a have since
Application by registration, ballot and for deleted this
fax; but adds if they relied temporary version of the
"to request an on the registration. Guide from
absentee ballot "Publications" It is not their Web
and for Voting allowed for site.
temporary Assistance the use of
registration Guide? permanent
only." registration.
The impact on
This information voters may be
was in the HTML negligible as
and PDF Voting these voters
Assistance still receive
Guides but is ballots for
not reflected in two successive
the election
"Publications" cycles.
version of the
Voting
Assistance
Guide.
14 Virginia An errata sheet Would See note below FVAP officials
for Virginia on stateside on acknowledged
July 20, 2006, military "Publications" that
and the HTML and members know version of the "Publications"
PDF Voting of the Voting version of the
Assistance stipulation Assistance Voting
Guides allow that only Guide.a Assistance
only overseas overseas Guide could
military members military have been
to receive the members may marked better
blank ballot by receive the as an archived
e-mail or fax blank ballot document, and
upon request. by e-mail or have since
fax if they deleted this
This information relied on the version of the
is not reflected "Publications" Guide from
in the Voting their Web
"Publications" Assistance site.
version of the Guide?
Voting
Assistance
Guide.
15 Virginia An errata sheet Would overseas See note below FVAP officials
for Virginia on civilians know on acknowledged
July 20, 2006, of the "Publications" that
and the HTML and stipulation version of the "Publications"
PDF Voting that only some Voting version of the
Assistance Virginia Assistance Voting
Guides changed counties and Guide.a Assistance
the Civilian cities allow Guide could
language to receipt of the have been
"Some Virginia blank ballot marked better
counties and by fax or as an archived
cities allow you e-mail if they document, and
to receive the relied on the have since
blank ballot by "Publications" deleted this
e-mail or fax Voting version of the
upon request." Assistance Guide from
Guide? their Web
This limiting site.
information
"some" is not
reflected in the
"Publications"
version of the
Voting
Assistance
Guide. It simply
says that
Virginia "allows
you to receive
the blank ballot
you e-mail or
fax upon
request."
16 Wisconsin FVAP issued an Would voters See note below FVAP officials
errata sheet on covered under on acknowledged
July 24, 2006 the Uniformed "Publications" that
for Wisconsin and Overseas version of the "Publications"
allowing voters Citizens Voting version of the
to send the Absentee Assistance Voting
Federal Post Voting Act Guide.a Assistance
Card Application know of the Guide could
for absentee option to send have been
ballot request the Federal marked better
by fax or Post Card as an archived
e-mail. Application by document, and
fax or e-mail have since
This information if they relied deleted this
is not reflected on the version of the
in the "Publications" Guide from
"Publications" Voting their Web
Voting Assistance site.
Assistance Guide instead
Guide. of the errata
sheet?
1PDF means Portable Document Format; it is a file format that is used to
view electronic copies of paper documents, which allows an exact copy of
the paper document.
2HTML means Hypertext Markup Language and is used to structure and format
documents to be displayed on the World Wide Web.
3This 2006-2007 VAG was accessed at
http://www.fvap.gov/pubs/vag/pdfvag/2006-07vag.pdf ; but DOD deleted
this link in February 2007.
4We found 16 instances in total. Two of the states had two separate
discrepancies identified.
Source: GAO analysis of DOD information.
aFVAP stated that the "Publications" version of the Voting Assistance
Guide in PDF format (
http://www.fvap.gov/pubs/vag/pdfvag/2006-07vag.pdf ) created on
October 25, 2005, was the original book version of the Voting Assistance
Guide in electronic format. Since it was considered an archived document
it was not intended for update.
Appendix III: Comments from the Department of Defense
Appendix IV: Comments from the Election Assistance Commission
Appendix V: GAO Contact and Staff Acknowledgments
GAO Contact
Derek B. Stewart, (202) 512- 5559 or [email protected]
Acknowledgments
In addition to the individual named above, David E. Moser, Assistant
Director; Marion A. Gatling; Pawnee A. Davis; Amber M. Lopez; Joanne
Landesman; Paula A. Moore; John K. Needham, John J. Smale; and Julia C.
Matta made key contributions to this report.
Related GAO Products
Elections: All Levels of Government Are Needed to Address Electronic
Voting System Challenges. [38]GAO-07-576T . Washington, D.C.: March 7,
2007.
Elections: DOD Expands Voting Assistance to Military Absentee Voters, but
Challenges Remain. [39]GAO-06-1134T . Washington, D.C.: September 28,
2006.
Elections: The Nation's Evolving Election System as Reflected in the
November 2004 General Election. [40]GAO-06-450 . Washington, D.C.: June 6,
2006.
Election Reform: Nine States' Experiences Implementing Federal
Requirements for Computerized Statewide Voter Registration Lists.
[41]GAO-06-247 . Washington, D.C.: February 7, 2006.
Elections: Views of Selected Local Election Officials on Managing Voter
Registration and Ensuring Eligible Citizens Can Vote. [42]GAO-05-997 .
Washington, D.C.: September 27, 2005.
Elections: Federal Efforts to Improve Security and Reliability of
Electronic Voting Systems Are Under W ay, but Key Activities Need to Be
Completed. [43]GAO-05-956 . Washington, D.C.: September 21, 2005.
Elections: Additional Data Could Help State and Local Elections Officials
Maintain Accurate Voter Registration Lists. [44]GAO-05-478 . Washington,
D.C.: June 10, 2005.
Department of Justice's Activities to Address Past Election-Related Voting
Irregularities. [45]GAO-04-1041R . Washington, D.C.: September 14, 2004.
Elections: Electronic Voting Offers Opportunities and Presents Challenges.
[46]GAO-04-975T . Washington, D.C.: July 20, 2004.
Elections: Voting Assistance to Military and Overseas Citizens Should Be
Improved. [47]GAO-01-1026 . Washington, D.C.: September 28, 2001.
Elections: The Scope of Congressional Authority in Election
Administration. [48]GAO-01-470 . Washington, D.C.: March 13, 2001.
(350900)
GAO's Mission
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site. To
have GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548
To order by Phone: Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061
To Report Fraud, Waste, and Abuse in Federal Programs
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470
Congressional Relations
Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548
Public Affairs
Paul Anderson, Managing Director, [email protected] (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548
www.gao.gov/cgi-bin/getrpt?GAO-07-774 .
To view the full product, including the scope
and methodology, click on the link above.
For more information, contact Derek Stewart at (202) 512-5559 or
[email protected].
Highlights of [56]GAO-07-774 , a report to congressional committees
June 2007
ELECTIONS
Action Plans Needed to Fully Address Challenges in Electronic Absentee
Voting Initiatives for Military and Overseas Citizens
The Uniformed and Overseas Citizens Absentee Voting Act (UOCAVA) protects
the rights of military personnel, their dependents, and overseas citizens
to vote by absentee ballot. The Department of Defense (DOD) and others
have reported that absentee voting, which relies primarily on mail, can be
slow and may, in certain circumstances, serve to disenfranchise these
voters. In 2004, Congress required DOD to develop an Internet-based
absentee voting demonstration project and required the Election Assistance
Commission--which reviews election procedures--to develop guidelines for
DOD's project. In 2006, Congress required DOD to report, by May 15, 2007,
on plans for expanding its use of electronic voting technologies and
required GAO to assess efforts by (1) DOD to facilitate electronic
absentee voting and (2) the Commission to develop Internet voting
guidelines and DOD to develop an Internet-based demonstration project. GAO
also assessed DOD's efforts to develop plans to expand its use of
electronic voting technologies. GAO interviewed officials and reviewed and
analyzed documents related to these efforts.
[57]What GAO Recommends
GAO made recommendations to DOD regarding security, guidance, and plans
for electronic voting initiatives and to the Commission on plans to
develop the guidelines. DOD and the Commission agreed with these
recommendations.
Since 2000, DOD has developed several initiatives to facilitate absentee
voting by electronic means such as fax or e-mail; however, some of these
initiatives exhibited weaknesses or had low participation rates that might
hinder their effectiveness. For example, the 2003 Electronic Transmission
Service's fax to e-mail conversion feature allows UOCAVA voters who do not
have access to a fax machine to request ballots by e-mail and then
converts the e-mails to faxes to send to local election officials. DOD
officials told us, however, they have not performed, among other things,
certification tests and thus are not in compliance with information
security requirements. The 2004 Interim Voting Assistance System
(IVAS)--which, DOD reported, enabled UOCAVA voters to request and receive
ballots securely--cost $576,000, and 17 citizens received ballots through
it. The 2006 Integrated Voting Alternative Site (also called IVAS)--which
enabled voters to request ballots using one tool, by mail, fax, or
unsecured e-mail--raised concerns, from Congress and others, that using
unsecured e-mail could expose voters to identity theft if they transmit
personal data. While this IVAS displayed a warning that voters had to read
to proceed, it did not advise them to delete personal voting information
from the computers they used. DOD spent $1.1 million, and at least eight
voted ballots were linked to this 2006 IVAS. Both the 2004 and 2006 IVAS
were each implemented just 2 months before an election. DOD also has a Web
site with links to guidance on electronic transmission options, but some
of this guidance was inconsistent and could be misleading. DOD officials
acknowledged the discrepancies and addressed them during GAO's review.
The Election Assistance Commission has not developed the Internet absentee
voting guidelines for DOD's use, and thus DOD has not proceeded with its
Internet-based absentee voting demonstration project. Commission officials
told GAO that they had not developed the guidelines because they had been
devoting constrained resources to other priorities, including challenges
associated with electronic voting machines. Furthermore, they have not
established--in conjunction with major stakeholders like DOD--tasks,
milestones, and time frames for completing the guidelines. The absence of
such guidelines has hindered DOD's development of its Internet-based
demonstration project. To assist the Commission, however, DOD has shared
information on the challenges it faced in implementing prior Internet
projects--including security threats.
GAO observed that DOD was developing, but had not yet completed, plans for
expanding the future use of electronic voting technologies. Because
electronic voting in federal elections involves numerous federal, state,
and local-level stakeholders; emerging technology; and time to establish
the initiatives, developing results-oriented plans that identify goals,
time frames, and tasks--including addressing security issues--is key.
Without such plans, DOD is not in a position to address congressional
expectations to establish secure and private electronic and Internet-based
voting initiatives.
References
Visible links
26. http://www.gao.gov/cgi-bin/getrpt?GAO-06-521
27. http://www.gao.gov/cgi-bin/getrpt?GAO-01-1026
28. http://www.gao.gov/cgi-bin/getrpt?GAO-02-3
30. http://www.gao.gov/cgi-bin/getrpt?GAO/OP-4.1.4 and
http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-98-21
31. http://www.gao.gov/cgi-bin/getrpt?GAO-06-84
32. http://www.gao.gov/cgi-bin/getrpt?GAO-01-1026
33. http://www.gao.gov/cgi-bin/getrpt?GAO-02-3
34. http://www.gao.gov/cgi-bin/getrpt?GAO/GGD-96-118
35. http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-98-68
38. http://www.gao.gov/cgi-bin/getrpt?GAO-07-576T
39. http://www.gao.gov/cgi-bin/getrpt?GAO-06-1134T
40. http://www.gao.gov/cgi-bin/getrpt?GAO-06-450
41. http://www.gao.gov/cgi-bin/getrpt?GAO-06-247
42. http://www.gao.gov/cgi-bin/getrpt?GAO-05-997
43. http://www.gao.gov/cgi-bin/getrpt?GAO-05-956
44. http://www.gao.gov/cgi-bin/getrpt?GAO-05-478
45. http://www.gao.gov/cgi-bin/getrpt?GAO-04-1041R
46. http://www.gao.gov/cgi-bin/getrpt?GAO-04-975T
47. http://www.gao.gov/cgi-bin/getrpt?GAO-01-1026
48. http://www.gao.gov/cgi-bin/getrpt?GAO-01-470
56. http://www.gao.gov/cgi-bin/getrpt?GAO-07-774
*** End of document. ***