Guidelines Development Committee (TGDC)
Attendees: Alexis Scott Morrison, Allan Eustis, Barbara Guttman, Brian Hancock (EAC), Commissioner Davidson (EAC), David Wagner, Helen Purcell, John Kelsey, John Wack, Jon Crickenberger (NVLAP), Mat Masterson (EAC), Nelson Hastings, Patrick Gannon, Quynh Dang, Rene Peralta, Ron Rivest, Santosh Chokani, Secretary John Gale, Sharon Laskowski, Steve Freeman (NVLAP), Wendy Havens
Administrative Updates (Allan Eustis):
The discussion regarding e poll books was a continuation from previous STS meetings. The CRT and HFP subcommittees were invited to participate in this discussion.
The hope for the meeting was that two major decisions would be made regarding e poll books. First decision was whether e poll books should be used to activate ballots and the second was whether externally networked e poll books should be allowed to activate ballots.
The main use for e poll books is as a registration device to be used when a voter comes in, to look up their name, verify they are authorized to vote, and to assign them the proper ballot. John Kelsey expressed the issue regarding privacy. The concern was that if an e poll book knew the name of the voter and the ballot activation code, and the voting system knew the ballot activation code and the selections on the ballot, that those two could be combined to find out who voted for whom. There appears to be a risk that if the two pieces of equipment retain this information there is a risk factor involved. The trade-off in not using an e poll book to activate ballot is the possibility of human error, when poll workers have to manually activate the ballots. If we allow ballot activation, requirements need to be written that minimize the risk of the flow of information, or requirements that the system does not store authorization codes.
David Wagner summarized his opinions by saying that it would be too disruptive not to allow ballot activation by e poll books, but that we have to write technical requirements barring identifiers. This would not cause extra work for poll workers or election officials.
Ron Rivest stated that the recommendation on the table was to allow e poll books to do ballot activation (decision currently based on books not being externally networked). This was agreed to by members of TGDC on the call.
The second topic for discussion regarding e poll books was that should they be allowed to be externally networked and also activate ballots. This was defined as whether systems should be networked outside the polling place on Election Day. This includes connection via a dedicated phone line, internet, data network, cell phone, etc. The need for allowing this would be that if you're using voting centers, voters would be allowed to vote anywhere but also to prevent the voter from casting votes at different locations. There are three risks involved, 1) reliability - if the network goes down and the voting system relies on the e poll book to activate ballots, this could stop an election for all machines at a precinct, 2) someone could deliberately try to induce this kind of overload condition of network unavailability, like a denial of service, and 3) security risk - a hacker may be able to compromise an e poll book and then compromise all e poll books in the county. David Wagner was concerned that we do not know how to write standards if we allow networked e poll books to activate ballots.
[Alexis Scott Morrison questioned how this could be accomplished. Would there be a system designed so that if it was networked the ballot activation device would not work? Or would there be two types of e poll books, one for activation and one that was networked? David Wagner seemed to think the first system would be the case as this should be a software change/capability.]
Helen Purcell recommended that e poll books that were externally networked not be allowed to activate ballots -contingent on further discussion at the TGDC plenary in May. Several members of the TGDC concurred. There could be additional ballot activator costs required and additional research here makes sense. Secretary Gale asked for clarification on the way the system and interface would work functionally.
There are issues of reliability, availability and back up for the e-poll book. Ron Rivest noted that the error problem is solvable- with extra check digits. There would be extra works for the poll worker. The issue could be revisited in the future. Ron recommended we make Helen's recommendation to the full TGDC. Secretary Gale expressed his reservations with the limited basis of facts at hand. Ron Rivest suggested a requirement supporting the dual mode devices as a configurable option for the election administrators with the security caveats. The STS members decided to put forward two alternatives to the TGDC at the full May plenary with a recommendation of one alternative over the other- allowing for full discussion at that time.
The meeting adjourned at 11:50 EDT.
[* Pursuant to the Help America Vote Act of 2002, the TGDC is charged with directing NIST in performing voting systems research so that the TGDC can fulfill its role of recommending technical standards for voting equipment to the EAC. This teleconference discussion is for the purposes of the STS subcommittee of the TGDC to direct NIST and coordinate its voting-related research relevant to the VVSG 2007. Discussions on this telecon are preliminary and do not necessarily reflect the views of NIST or the TGDC.]
policy / security notice / accessibility statement