Technical Guidelines Development Committee (TGDC)
Attendees: Alice Miller, Allan Eustis, Barbara Guttman, Commissioner Davidson (EAC), David Wagner, John Cugini, John Kelsey, John Wack, Mat Masterson (EAC), Nelson Hastings, Ron Rivest, Sharon Laskowski, Tricia Mason, Wendy Havens, Whitney Quesenbury
Discussion of New Version of Software Independence and Accessibility of the Voter:
This topic was discussed in great length. Sharon Laskowski would like to have as output/actions from this call: suggested changes to the white paper that will make it presentable at the March 22, 23 meeting, including John Wack's concerns about usability of audits. Given the pros and cons of the various approaches outlined in the paper, if we want strict SI, voter accessible verification, good voter accessibility and usability, and easy auditability, the problem has been over constrained.
Sharon has received Whitney's comments via email, and most of them will be integrated into the document.
Sharon wanted to start with Ron Rivest's comment, "At a high level it should be made clear that SI and auditability cannot be sacrificed, they are essential for voting system integrity. Voter verification and accessibility of the verification step may be adapted as best possible, but they are not so critical, technically, for the integrity of the election results." Ron feels this is a multi-dimensional problem and there will have to be some trade-offs.
Commissioner Davidson expressed concerns about the realism of getting this done. Also, VVSG 2005 has aduditable function in the guidelines.
HFP's main concern is accessibility. There's some compromise with usability that can be made.
Solution 1 that is proposed in the paper is accessible in that no one is excluded from voting individually. The verification step is not accessible, but the system integrity is preserved and the voting system as a whole is accessible. The question was asked if this was enough, or did the verification step on its own need to be simultaneously accessible and software independent? From the security point of view, it's enough for the integrity of the election for the system as a whole to be accessible.
Discussion continued about audio read back features for verification. Concerns were expressed over preserving this read back on tape for auditability, tapes are fragile and costs would be large. The proposal to have ballots scanned by a different system and read back for verification by voters with disabilities was discussed. This idea seems to be feasible, there have been prototypes. This should meet security needs if observational tests are performed on these systems. The difference between readback from internal memory of a voting system as compared to readback from a print out, re-scanned summary fed into a separate machine for readback was discussed.
Tricia Mason pointed out that security is very important, but its also very important that we do not disenfranchise anyone from the voting process. David Wagner expressed agreement in pointing out that accessibility in the sense that we done disenfranchise anyone is critical, that integrity of the overall system is critical, the ability for every voter to directly verify the record is not critical, and given that it is going to be difficult to find systems that meet all our goals, we may need to compromise some and consider observational testing adequate. We may want to encourage enabling as many people to directly verify the independent record as possible, but not make it a requirement.
Ron Rivest pointed out that we needed to stick with the original notion of SI - understood by the typical voter.
Requirements for verifiability for voters with disabilities can be covered with the readback feature, and we can use observational testing to make sure it is trustworthy.
Capability to do voter verification will be written as a "shall", direct verification will be written as a "should". Readback capabilities from scanning ballots will be written as a "should".
Having a system that is auditable in principle but not in practice is not good. Auditing off paper is going to be difficult without additional aides. How do we write requirements? Having test labs run through sample audits is a good start. Bar codes to track precincts, etc. could be used. Good labeling on ballots would be useful. Problems arise from paper spools when early voting occurs and voters from different precincts vote at one. Paper spool requirements need to be written.
John Cugini felt that a task analysis needed to be done which would give the committee a starting point. There is not much currently that can be said in the auditability column of this paper. HFP/STS may want to consult with Dan Schutzer who had some ideas on this point.
ACTIONS FROM TODAY'S MEETING:
The white paper needs more review before presenting as a white paper to TGDC March 22, 23. Whitney wants to point out procedures that go along with it. Feasibility concerns or where implementation doesn't exist, needs to be noted.
Discussion/review to continue via email.
Alice Miller mentioned a couple of resolutions that came out of a Standards Board meeting. It was decided that these would be discussed in detail at the TGDC Plenary Meeting.
Meeting adjourned at 12:15 pm
Pursuant to the Help America Vote Act of 2002, the TGDC is charged with
directing NIST in performing voting systems research so that the TGDC
can fulfill its role of recommending technical standards for voting
equipment to the EAC. This teleconference discussion serves the purposes
of the STS and HFP subcommittees of the TGDC to direct NIST staff and
coordinate its voting-related research relevant to the VVSG 2007. Discussions
on this telecon are preliminary and do not necessarily reflect the views
of NIST or the TGDC.]
policy / security notice / accessibility statement