Security and Transparency Subcommittee (STS) Teleconference*
Tuesday, March 6, 2007, 10:30 a.m.


1) Administrative Updates

2) Update on joint HFP-STS conference calls

3) Discussion of auditing strategy
~ Translating software independence into the VVSG
~ One-to-one correspondence between electronic and paper records

4) Discussion of setup validation approaches
~ Non-cryptographic software verification technique requirements for VVSG
~ Acceptable setup validation approaches

5) Preparation for the March 2007 TGDC meeting

6) Other items

7) Next call Tuesday, March 20, 2007 at 10:30 AM EST

Participants: Allan Eustis, Nelson Hastings, John Wack, John Kelsey, David Flater, Sharon Laskowski, Quynh Dang, Bill Burr, Rene Peralta, Angela Orebaugh, Ron Rivest, Donetta Davidson, David Wagner, Matt Masterson, Philip Pearce, Santosh Cahokani, Anoop Singha, Whitney Quesenbery, Patrick Gannon, Wendy Havens


1.) Administrative Updates (Allan Eustis/John Wack):

  • AE- Announces the extension of the second day (March 23rd) of the TGDC meeting to 4:30pm; 3/23 will now be a full 8 hr. day; 1st day will consist of each sub-committee's draft section reports and 2nd day will be discussion of "cross-cutting" issues.
  • JW- re March Plenary: Review of Draft Agenda; on Day 2: extended discussion of cross cutting subcommittee issues; usability paper for audits; innovation class; e-poll books.

2) Update on joint HFP-STS conference calls

RR-noted further dialog needed. SL-Revision of SI/Accessibility Approaches continues. Need to agree on firm definitions, alternative approaches and analysis. Then frame which categories allowed.

WQ/RR asked to provide introductory slides before cross cutting discussion here.

JW- "passionate" about further focus on usability on paper records; not sure if there has been enough discussion about this issue; need to spend more time on usability aspects; can do more talk over email after meeting if needed; "very important" issue.

3) Discussion of auditing strategy

DD- White paper on auditability of paper: need more input from election officials with experience in paper ballots. (Secretary Gale/Nebraska uses paper ballots.)

RR- we need collective recommendations and best practices as first step

JK: has been writing on what you need to do to achieve SI; will want (TGDC) election officials to comment/review; Will reach out to election officials.

WQ/DD/JW/RR: Discussion of wider paper formats for auditing. No best solution; Mistakes by poll workers. VVSG 2005 has requirements for machine readability of paper. There are continuing bar code issues. There are significant advances in OCR technologies. No current elections known to use OCR scanners. With respect to spooled paper, machine counting will likely have to be performed at some stage. There are challenges.

NH/RR/JW/WQ: Should VVSG support machine readability? Yes, already required.

Discussion of one-to-one correspondence between electronic and paper records: RR introduced notion of "audit group" of unbounded size (one ballot or 100); to be determined/defined by election officials. Propose requirement to count every ballot in an audit group.

DD- Concerned about ballot type and changes within a precinct; ballots may not be consecutive; most auditing at precinct level. JW noted that unique identifier already required in VVSG 2005. Why do we want to limit further? Can privacy be maintained? RR noted that some states have no requirement for ballot ID. You have flexibility with audit groups of variable size. DD: Cost concerns with varying ballot types. One more step adds to cost.

JW-Some states require unique identifiers; can't replace hand audits; getting paper records that are readable is more important; global requirements for privacy; vendors have some capacity for paper vs. electronic; this does not violate voter privacy

Discussion continued: Smaller audit groups are more usable. Audit groups need to match back to electronic vote. DD questioned whether this was procedural and standards issue. DW questioned what problem are you solving with audit groups?

RR noted trade off points of voter privacy vs. security; motivation here is having audit procedures. JK noted that voting systems must provide capability of one to one audit.

JW noted that there is a global privacy requirement currently in VVSG.

DW concerned that requirement here be objectively testable; major concern with privacy here.

DD: Concern with provisional ballots; have to be able to pull ballot (if not qualifying); sometimes part of ballot's votes qualified; some provisionals are not counted that night (of election). STS should examine how manufacturers currently mark provisional ballots.

Discussion of provisional voting procedures with DREs: Some jurisdictions allow DRE provisional voting. (Number on smart card assigned to voter associated on DRE.) Suggest input from Helen Purcell on hand count procedures in Arizona vs. machine count. JW noted example of e-poll books and provisional vote. Concern over what info is transferred to smart card here.

Discussion of voter challenge laws and counting recently-deceased voters; This varies by state.

JW Summary: a) all agree on machine readability requirement. b) biggest security issue- making paper ballot usable.

DW: Focus on precinct based audits. Focus effort on usability; one to one correspondence secondly; prioritize efforts on kind of audits for election officials; summarize hand count. This will have carry over.

4) Discussion of setup validation approaches

a) Non cryptographic software verification:

Incorporating SI into VVSG (Approach): With testing, require mock election to be run to test audit capability. (Will discuss this at plenary on Day 2.)

RR noted parallel testing difficult to do. JK-Testing is easier with ballot marking device.

b) Set up validation

Use of digital signature: do we lose this with SI? Prevention before detection

Tricky area: what goes in innovative class? DD- This is an unknown area. RR: yes set up validation new to voting arena; Use more common in gaming/gambling industry.

DW: Referenced discussion in the past on set up validation requirements. JW- need to separate set up validation issues more clearly: a) narrow classes, b) central back office systems, c) election management systems.

Discussion of "snapshot" of the voting system capability.

DW leans toward not requiring set up validation with SI except for election management systems.

NH: Forensic analysis required. RR agreed, but also dump of machine state at end of each election.

DD- STS has to explain fully these complex issues with some retrospective so all of election community can understand.

Discussion of networked devices: Access control is area where we need to put effort. RR: need to add public keys as well with code signing.

DD noted that we want to take manufacturers out of set up arena. Will these requirements make this more difficult?

DW: This should be transparent for poll workers.

Other Business: NH- crypto VVSG section updated; will be circulated to STS

7) Next call Tuesday, March 20, 2007 at 10:30 AM EST

[* Pursuant to the Help America Vote Act of 2002, the TGDC is charged with directing NIST in performing voting systems research so that the TGDC can fulfill its role of recommending technical standards for voting equipment to the EAC. This teleconference served the purposes of the STS subcommittee of the TGDC to direct NIST staff and coordinate voting-related research relevant to the VVSG 2007. Discussions on this telecon are preliminary and do not necessarily reflect the views of NIST or the TGDC.]


Last updated: July 25, 2007