ACLU-PA Position: Opposes
The ACLU-PA supports policies that prioritize making the voter registration system as secure and accurate as possible and setting aside funding to accomplish those goals. Policy goals that could be addressed in legislation include, but are not limited to:
- Amending the voter registration law to authorize full use of data reported from ERIC to clean up the voter rolls;
- Providing real-time notifications to voters of status of registration applications, mail in voting applications and mail in ballot status;
- Improving data extraction and publication of relevant metrics for both internal and external stakeholders; and
- Treating requests for a change in registration as a new registration for voters who are not already registered.
However, we oppose SB 1018 for the following reasons:
- SB 1018 mandates changes that are already operational, such as:
- Retaining source data for all electronic voter registration applications that provides an auditable trail;
- Industry best practices for cybersecurity of voter registration databases, including US Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency. For example, Best Practices for Securing Election Systems are already encompassed in PA Department of State and Commonwealth policy; and
- Hands-on training of the SURE system offered to all necessary county staff.
- SB 1018 largely copies and pastes recommendations from the PA Auditor General's performance audit report of the SURE system (Statewide Uniform Registry of Electors). These recommendations are almost 3 years old and the bill does not account for steps taken since the Auditor General’s report was released in 2019, e.g., the beginning of the SURE replacement contract that incorporates many of the Auditor General’s recommendations, such as:
- GIS features to check addresses and assign precincts;
- Edit checks to prevent errors, such as approving out of state addresses for voter registration;
- User roles specifications and access limitations including read-only access;
- Hard stops to ensure processes are followed and prevent actions outside of specified time frame such as cancellations within the 90 day NVRA window;
- User access for generating reports to improve efficiency; and
- Data clean up before migration of data to the new SURE system.
- The requirement to reject voter registrations in pending status for HAVA non-match under (c)(15)(1) and (c)(16) violate federal and state law. See: Directive Concerning Hava-Matching Drivers’ Licenses or Social Security Numbers for Voter Registration Applications (Pennsylvania Department of State, 2018); and Washington Ass’n of Churches v. Reed, 492 F.Supp.2d 1264, 1268 (W.D. Wash. 2006).
- Publicly posting the SURE job aids as directed under (c)(26) may pose a security risk. The more information available to hackers and other malign actors about how the system works, the greater the risk.
- At least one of the proposed security mandates in SB 1018 Section 1(a)(3) is not tied to any standard and therefore is too vague to be workable as a legal requirement.
- Finally, Section (d) of SB 1018 mandates that the Department of State comply with no fewer than 12 audits, studies, or reviews with no timelines and no funding to accomplish them. Additionally, as mentioned earlier, some of the mandates are already operational.