STS Teleconference
Tuesday, October 3, 2006

The meeting commenced at 10:00 a.m.

Agenda:

1) Administrative Updates
2) Discussion of paper on VVPAT and Paper Based Voting System Requirements Relating to Usability and Auditability of the Records
3) Other Items
4) Next call Tuesday, October 17, 2006 at 10:30 a.m.

Participants: Alicia Clay, Allan Eustis, Anoop Singhal, Barbara Guttman, Bill Burr, David Wagner, Helen Purcell, John Kelsey, John Wack, Nelson Hastings, Patrick Gannon, Quin Dang, Rene Peralta, Ron Rivest, Thelma Allen, Wendy Havens, David Flater

Administrative Updates:

  • Allan talked to Commissioner Davidson yesterday who informed him that Philip Pearce (Core Requirements Subcommittee) and Tricia Mason (Human Factors Subcommittee) are confirmed as US Access Board representatives to the TGDC. Paul Miller (an election official in WA, Core Requirements Subcommittee) will likely be approved by EAC and NIST soon. David Wagner has bee nominated as the new representative from ANSI to the TGDC.

  • Allan: Observed WA post election activities. The state is primarily a vote by mail state. All four voting vendors have presence in the state of WA with DREs to comply with Section 301 of HAVA. Allan saw 3 of the 4 DREs and 4 counties certification processes. Trip report forthcoming.

  • John W: The official letter ANSI appointing David Wagner has been sent to EAC.

Discussion of paper on VVPAT and Paper Based Voting System Requirements Relating to Usability and Auditability of the Records - John Wack

  • This was intended initially to be a write up to self after reading Election Science Institute's paper and meeting with authors to discuss problems had by Cuyahoga County in auditing their VVPAT systems.

  • In a written response, Diebold has challenged a number of things in the ESI report and so has the Board of Elections in the county.

  • It appears as if the Diebold system was set up to permit rudimentary audits, it didn't seem to be useful; usability seemed to be the biggest problem.

  • A lot of stuff is not VVPAT specific, more so paper records in general.

  • VVPAT defined as DRE with printer.

  • Discussion: Flat sheets of paper vs. paper spools is a difficult choice. Usability issues either way. Which is better? Does the Human Factors committee have an opinion? John's personal experience is that handling the spools is difficult. Spools do maintain a paper record all in one container, but in a continuous non-private record.

  • Bar code issue - Discussed with the Open Voting Consortium. They like using them. It makes the paper record have more integrity. Less resistant to damage. Used for easy sorting. John feels it's an attack vector. You can't trust that audits of the bar code will occur. It's another record you have to keep as well as all the other records. It's not transparent to the voter. If not carefully controlled, it could be trouble in the future. [Ron feels that bar codes were used for visibility. It could be used for accessibility reasons. Also it wouldn't be human readable.] Bar codes can be used for audio translation of names.

  • Do we digitally sign electronic records? This isn't specific for VVPATs that could be done on DREs, could be done by ballot marking devices. It means key pairs on the voting station and how to store them.

  • Records more useful if they were in the interoperable format, we've talked about EML. David Flater and the Core Requirements may be putting something in already.

  • Allan: During his post certification experience in WA, of the paper, mailed-in, op scan ballots, bar codes are used as a record keeping mechanism on envelopes and later auditing processes. Helen uses bar codes to track when the ballots have gone out, and then again when they've come back to tell who has voted. The codes are not on actual ballots, so votes can not be tied to voters.

  • Vendor did not do a good job about documenting how an audit should be conducted or how the records should be used.

  • Issues such as digital signatures on records could be controversial. We want to keep in mind what's most important and then what would be nice to have. Will they be used? What's important to election officials when auditing? We need to be thinking of future.

  • We need to think through how digital signatures will be used, the key management applications. Are they the lifetime of the machine? A memory card for the machine? Per election? What is the signature going to accomplish?

  • John K: We need to write one or two specifications that we know how to test. A little concerned with open-ended testing process being burdened with analyzing key management in a crypto protocol.

  • One of auditors issues in Cuyahoga County: trying to figure out which electronic records came from which machine, comparing what they had to what was still on the machine. Also memory cards that contained ballot layout information actually assigned a machine ID that was not the same as the physical ID. Robust identification would be good. Vendor should contain database linking serial numbers or identifiers on machine to public keys. Looking at electronic records, you should know which machine produced them.

  • Processes for audits have not been tried out or well designed. In the standards, we need to require that someone goes through these audits and make sure they actually work. All information needed for an audit needs to be available, it needs to be in a form suitable for an audit, and procedures need to be tested. This needs to go in document requirements for VVSG 07. Performance benchmarks will have to be done as addendum. [Ron thinks they are easily doable for 07.]

  • Ron: Question is what records should be maintained by the machine and guaranteeing that they're available.

  • In order to get certain pieces of information off machines, a technician would have to be called - this is not a good procedure. Any interaction with the machine should be well documented.

  • John W: Voting machines should digitally sign their records. For linking the electronic records with the paper records and verifying their integrity -- always include the robust machine identifier and include a unique identifier. We have key pairs on voting systems. We should include this in our requirements.

  • John K: If you are digitally signing electronic records, it does not add any value to have that signature on the paper records. The paper record is to mostly check to see if the machine was working properly. There's no added security by putting digital signature on paper record.

  • John W: The reason we have these sort of requirements is to facilitate audits of this nature. Is this the minimum for IV systems? Do we want them to have capabilities for this type of audit, or do we want them to have capabilities for full recounts? [John K has a write up on a proposal about this. Email discussion to follow.]

  • Ron: If paper records are suitable for auditing purposes, and the paper records correspond to the electronic records, why would they not be suitable for recounts? [John W: Possibility that elections conducted on a bunch of VVPATs with paper rolls could be suitable for full recount, but we're getting more into usability issues - more legal issues than technology issues. It's a design consideration for IVs. John K. The minimal requirement is that the system is auditable to see if the machine was misbehaving. It would be nice for records to be suitable for recounting.]

The meeting adjourned at 11:30 a.m.

 

Teleconferences from 2004, 2005, 2006 and upcoming in 2006.

************

Link to NIST HAVA Page

Last updated: July 25, 2007
Point of Contact

Privacy policy / security notice / accessibility statement
Disclaimer / FOIA
NIST is an agency of the U.S. Commerce Department