Participants: Allan Eustis, David Flater, Donetta Davidson, John Cugini, John Gale, John Wack, Nelson Hastings, Sharon Laskowski, Wendy Havens, Whitney Quesenbery
Agenda for December TGDC Meeting
Sharon Laskowski reviewed the agenda for the meeting. Commissioner Davidson has made it clear that we are committed, because of congressional testimony, to deliver the VVSG 2007 in July of 07. The VVSG should be a document that is useful to the election community (vendors and election officials) for the next four years - we do not want to redo it in two years. The VVSG 2007 will not necessarily be implemented immediately.
[Noted that some TGDC members felt we should be fixing things in the VVSG 2005 iteration. Also concern has been expressed about hardware changes due to new requirements in 07.]
In VVSG 07, HFP has been filling gaps, reducing ambiguity, and pushing items forward that were not pushed in the previous version because we didn't have research backup. The big item left for HFP is getting the usability conformance test done, which is currently ongoing. Two stages: 1) getting it firm enough to write into 07 standards and 2) being sure the detailed test protocol can be written.
The recent elections have shown STS and CRT that there are issues with security, reliability and quality, and to fix those, they are recommending requirements that would change the hardware, in some respects in big ways.
Compared to CRT and STS, the HFP requirements in 2005 were done more completely. In those (CRT, STS) areas, there is a lot more to be revised.
The question arose as to whether we needed all allotted time at the TGDC meeting - the other subcommittees may need more time. [John Cugini pointed out that we may be satisfied with certain issues but they may cause controversy outside HFP group.] HFP seems to be on track, other committees may be looking for direction.
ACTION: Sharon and Allan to work on agenda, realizing we can use less time.
Subcommittee chairs met with EAC. Donetta Davidson will be attending as many meetings as possible until someone is hired to represent them at meetings.
John Gale: In regards to these new standards (that will stand for four years), it seems we're scrambling to deal with current technology, and in some areas there are huge advancements. What happens to the standards in the next four years for that next generation, or do these hold the industry to the status quo? Donetta will speak at the TGDC meeting about what our current timeframes are, and how the new VVSG applies to them. Everything that has been purchased so far is only to 2002 requirements. At the December 2007 date, we'll no longer certify anything to the 2002 standards; they will have to meet 05 requirements. In the past, manufacturers have been reactionary instead of futuristic. We have to allow time for the design, build, test, and NVLAP certification. NIST test scripts have to be written to the new ones. It's very important that we talk about the time factor - we are not going to have this done in two years.
STS has been looking at new innovation classes of voting equipment, for when manufacturers come up with new technology ideas.
[NOTE: This is the difference between performance and design standards. Performance standards are technology neutral; we say it has to reach a certain effectiveness and efficiency. This is a good reason to get the usability conformance test done. Maybe STS should do the same thing for the security tests that HFP did for this.]
Donetta: TGDC's goal is to make the new future elements there possible so someone can design a new piece of equipment. We're talking about future equipment - we don't want to tell states to get rid of their equipment, and we also don't want to stifle new innovation.
With the assistance of NIST, EAC is planning a workshop on the cost related to testing voting equipment. We hope to gain Congressional awareness that cost has to be considered.
Summary of STS activities (wireless and independent verification) - John Wack
The wireless presentation that STS is going to make is not going to be as controversial as earlier thought. STS is making the point that NIST didn't explain wireless well in 2005 - we did not mean to ban transmission of results. Radio frequency (RF) is a type of wireless that is difficult to secure and easy to disrupt. If used, you would need backup. Hardly used, except wireless modems. Only one vendor uses wireless LAN - they'll need significant changes to meet 2005 requirements. NIST will present the argument that the key management protocols currently out there that are used to distribute encryption keys to authenticate and secure the transmissions are still immature and hard to manage, so it would be hard to manage an election. It would be better and simpler not to put modems directly on voting machines. Proposal: No RF built in the actual voting station. A white paper will be circulated and on the TGDC web page on Monday.
STS will also be discussing software independent systems. From an engineering point of view, NIST and STS are asserting that future voting systems need an audit trail - current DREs do not have one. The presentation will say that these sorts of systems will be required in VVSG 2007. They are called software independent (SI) because you can take the audit trail and verify that the electronic records are correct; therefore you are not relying on the accuracy of the voting system software. This may cause issues at the meeting. People may think all we'll have is paper machines. In the future, systems may also use cryptography. [Whitney owes Ron Rivest a revised section on usability to the draft SI paper - it doesn't completely meet this committee's approval.]
The question was raised about the number of different ballot types out there. You have to look at each machine individually to look at its vulnerabilities - not all machines need the same fix. New designs have to show that they meet basic requirements, but also that they are usable. It doesn't appear that much effort has been put into improving paper-based ballots.
Industry has to be spurred into coming up with secured paperless approaches - so far, not much work in this area. We might want to propose a requirement that says when you propose a cryptographic solution, you have to consider all the humans in the system that make it work. To come up with these requirements and do them right, there is not enough time for 2007.
It comes back to performance standards, and if things are developed in the future, we have a way to address them. From a usability scope, we need some wording about capturing the notion of having a vendor specify for his solution the end-to-end usability and accessibility, the interface with people.
STS is saying that after looking at sound practices, the DRE route is not good for the future; paper works for now, but we have to work on making that a usable solution.
Any CRT issues? Pretty much on track. Some concern over the presentation that says we want to see the way changes are developed and monitored after deployment to achieve reliability and accuracy to levels that can't be verified through operational testing alone. CRT has a long list of items to discuss. There is a collection of discussion papers on CRT's website that the committee may want to review. CRT's work needs to be simplified and more understandable.
Tweaks or more to HFP Section? For anything we've talked about but no new material. JC will work over next week to complete minor changes.
No meetings until after the December TGDC meeting.