August 9, 2006
Allen Eustis, Nelson Hastings, John Wack, Quynh Dang, John Kelsey, Rene
Peralta, David Flater Ron Rivest, Angela Orebaugh, Philip Pearce, Adam
Ambrogi, Wendy Havens
2) Summary of USENIX/ACCURATE
Electronic Voting Workshop - < http://www.usenix.org/events/evt06/tech/>
3) Follow up discussion
on software-independence approach
4) Other Items
AE-while away on
vacation, inadvertently two meetings were not recorded because of a low
battery level in the audio recording device. The minutes of these teleconferences
are available for public review on the web site (http://vote.nist.gov/subcomm_2006.htm).
We can fill in past discussion item details when discussing items during
this conference call.
Paul Craft of the TGDC has recently resigned from the TGDC. Letter of
appreciation to Paul and recognition of service will be available soon
from Dr. William Jeffrey. His NASED Replacement nominee is Paul Miller
who is with the State of Washington's secretary of State's office. The
vetting process for his appointment should be completed shortly.
JW-discusses issues brought forth from the NIST monthly meeting with the
- 2005 VVSG security
requirements, current direction in VVSG 2007 VVSG
- EAC asked for
more information on the NSRL; build environment; hold more than hashes
in the future? (RR noted problematic issues here- question of what software
has to be hashed.)
- EAC would like
know more about where specific voting systems are located within the
US (down to county level),sighting, different jurisdictions have different
problems. Also EAC will need to notify jurisdiction of re-certification
and de-certification related issues.
- There is a need
to address metadata requirements related to voting systems vis a vis
robust inventory control.
JW- Noted effort
to look at security standards in gaming industry. AE will research security
experts in the gambling security area (States of Nevada and New Jersey)
and forward names to STS mailing list.
USENIX Electronic Voting Workshop:
workshop he attended in Vancouver;
- good presentation
from the keynote speaker
- included statistical
approach to detect fraud
- importance of
exit polls; are they a reliable source
- if exit polls
are too small, do they stay useful
- talk on source
code "very interesting"; open source and disclosed source
- John Kelsey talks
about testing the "hypothesis"
- Ron Rivest will
look into survey reference material and will forward. If sample is random,
you can detect anomalies.
- usable paper records;
- read back; pronunciation
of names of candidates
- issue on use of
bar codes- layered on a bad design; Populex approach
- could there be
a convergence of EBMS/VVPR here
at relevant memo (below), concern of "what problem" is trying
to be solved.
- direct verification
of candidates names re: OCR text
- mechanical (human
- concerns worth
looking into- don't want to look at just bar codes
- Question of Populex
System that uses a ballot without printing the name of the candidate
- OP Scan just reads
position on ballot and not candidates name
- Heart of issue
here is to detect errors
- definition of
"verification" procedures: we are re introducing directly
- RR noted that
being software independent is not a panacea here.
- John Kelsey will
send comments on the document: You still have implicit trade offs here
that depend on procedural mechanisms.
JW-will send out
useful overlap VVSG areas in which "gaming" requirements might
be informative (FIPs modules, etc.)
Next scheduled teleconference:
23, 2006 at 10:30 AM EST
Note on Handling of Voter Verified Paper Audit Trail Requirements in
VVSG 2007, John Wack
This is a short note whose purpose is to outline an approach to structuring
requirements for VVPAT in the VVSG 2007.Some Terminology-
First, I'll address
some terminology. I believe that the acronym VVPAT has become associated
with today's VVPAT systems, which, I also believe, are not especially
or built well. I would like to use a somewhat different term in the VVSG
2007 so as to differentiate the new requirements from today's systems.
I think the term 'DRE-Voter Verified Paper Records' is a better term to
use to describe its use with DRE systems (DRE-VVPR). I recommend that
VVPAT not be used in VVSG 2007.
The VVPAT requirements
section in VVSG 2005 started out as a self-contained standard. It was
subsequently modified so as to reference usability and accessibility requirements
in the HFP section, but otherwise, it still contains many workmanship,
reliability, interoperability, security, and cryptography requirements
that logically would belong in other sections of the VVSG 07.
I recommend that
the requirements be better integrated into the VVSG, that is, the VVPAT
section should contain only those requirements that pertain specifically
VVPAT and other requirements be located in their major sections (e.g.
Usability, Hardware, etc).
I recommend using
the class structure and the appropriate 'applies to' fields in requirements
as the preferred way of doing this. Overall, I recommend that Software
Independent Approaches be the highest-level category of acceptable voting
systems, with IV being one of the approaches. DREVVPR is one example of
IV. Another example is Op Scan-VVPR.
I recommend that
VVPAT not violate privacy: paper audit trails shall not store voter's
cast ballot records sequentially. This was the TGDC's direction in VVSG
2005 but the EAC subsequently decided to permit sequential storage and
require stronger procedures for safeguarding the paper rolls (an un-testable
and unenforceable requirement).
I recommend that
bar codes to contain cast ballot records no longer be permitted. I believe
the bar codes came about because of the recognition that paper rolls are
difficult at best to use in audits and therefore use of a bar code would
permit relatively simple and
accurate optical scanning. However, voters cannot verify the bar codes
and therefore they can't be used in audits unless they are compared against
their plain-text equivalents in sufficient numbers. This adds complexity
to auditing and doesn't adequately address
the main problem, that being the poor quality and usability of the paper
record. I think
the fonts on the paper record should continue to be required to be OCR
fonts (as in VVSG 2005). If printed well, the fonts should be adequate
and useful in optical
to NIST HAVA Page
Last updated: July 25, 2007
Point of Contact
policy / security notice / accessibility statement
NIST is an agency of the U.S. Commerce Department