Security and Transparency Subcommittee (STS) Conference Call
Participants: Alicia Clay, Allan Eustis, Bill Burr, David Flater, David Wagner, Commissioner Donetta Davidson, Helen Purcell, John Wack, Nelson Hastings, Patrick Gannon, Quynh Dang, Rene Peralta, Ron Rivest, Santosh Chokhani, Sharon Laskowski, Steve Berger, Wendy Havens
Review of EAC/NIST/TGDC Meeting on November 13
Software Independent/Dependent Path Forward
We seem to be making good progress for the December TGDC meeting. We don't support software dependent systems, so black box DREs will not be certified. But there is the innovation class if someone has something new.
How do we best move forward with this thrust at the meeting? We have the paper John is revising. Do we need a resolution? Ron will be making a presentation at the meeting. We need to determine what is the best approach?
John: From an engineering point of view, the DRE architecture is not something we should put forth. The threats say this is not a good architecture. In general, it was something rushed to the market and does not have an audit trail. That is the reason we should give for not going this route in VVSG 07. Not suitable for the future.
Bill B: Accepting stand-alone DREs is saying that security is not very relevant. The system should be designed from the ground up to be audited. If you accept these DREs as is, you're avoiding the possibility of errors or the possibility of someone manipulating the code.
Barbara: In the context of error, in regards to the situation in Sarasota, FL, 18,000 votes may have been lost. This is where doing forensics on the machines becomes important. After the analysis, it might be interesting to use in our presentations. Paper trails may not have helped in this situation. However, we don't know what happened. Patrick is in Sarasota. Each county designs its own ballot. Is this a software problem or a ballot design problem? What are we doing in this committee that could have helped? If it was a software glitch, definitely the stuff on software independent would; whether the setup validation should be written in a way that's useful for post election checking.
John K: Is there a process in various states to look at the machines in a forensics way, take them apart? Donetta feels that could wipe out election results if they didn't know what they were doing. Need to do examination like computer/criminal forensics. States have nothing set up.
if L&A tests pass before the election but fail after? Answer: review of the whole election.
In getting back to TGDC, it looks like we can come up with good reasons why we're not writing requirements for stand-alone DREs. What are we going to do with the requirements (high-level or not) for the IV systems? Propose we have requirements to certify against or build against? If someone wants to propose a software dependent system like IV, it must go through the innovation class mechanism for evaluating.
EAC is looking at this committee for leadership trying to architect approaches within the class of IV that people can build to. This may be hard for this committee to do. However, there is an expectation on this subcommittee that we try to clarify our feelings and technical issues with this area and try and position the IV system somehow so that someone could propose a system in this area and what kind of architecture fits. The innovation class is hard to design.
We cannot shut the door and say that paper is the way we're going to go. There are continuing problems and issues. Having paper as the only thing would be bad, but having it as a check on the electronic record is a very viable approach.
What we're saying is that right now, the only systems we know how to write standards for, if we want them to be auditable, are paper systems. We would like to write them for electronic and end-to-end systems, but we don't know how to do that yet. Ron thinks we can do high-level requirements for both; David thinks end-to-end is challenging but feasible and IV impossible. Rene Peralta disagrees; he thinks we can write specs for IV.
John W: Good for December meeting to get the points across and maybe come with some high level requirements, but writing them by the meeting may be impossible. Maybe a short white paper.
Alicia: If we go into the Dec. meeting with requirements for paper, and high-level requirements for systems we're putting in the innovation class that we're not going to be certifying against, we will be saying people have to use paper. Ron thinks even if the requirements are high level for the innovation class, there will be a rigorous process for achieving certification.
It sounds like we're saying the door is open for other systems, but not very far. It could be a 5 or 10 year process from the time a vendor designs, builds, and tests a system to the time it gets through our process, which is probably not going to be a quick process.
Donetta: Have you talked to the vendors about the future, to see if they plan to come up with a different type of voting system at various levels of abstraction? The vendors think that VVPAT is not the way to go, that the DRE architecture is fine. We should be looking at secure system approaches to building better DREs. Not looking at other forms of IV.
To build a secure system out of a functionally insecure architecture, you'd have to start from scratch.
We're giving the vendors limited amounts of freedom, limiting the available options to the vendor, specifically printers, there's a lot we can do about what printing technology would hold up to this use scenario. It should be easy to do a solid audit trail - we should be able to do something that would record keystrokes off the machines.
John W: Strategy was agreed at last conference call, which is what we briefed Bill Jeffrey on. Much confusion on our strategy after EAC/NIST/TGDC meeting on Monday. Innovation class versus the IV class. Certification path for the innovation class was agreed upon. Hearing agreement about IV, Ron and David feel not worth going down, others disagree. Feels there should be discussion at TGDC meeting why IV is difficult.
Software dependent machines must have very strong requirements.
John Kelsey would be able to discuss proof of concepts at the TGDC meeting.
Bill B: If we go in with an absolute notion of software independence and an absolute notion of voter privacy and secret ballots, can we develop systems that do both? David W: YES. These things can be done; they're challenging but can be accomplished. Is it possible to get an end-to-end system certified now if you showed it couldn't be worse than a certified system? Risky.
Agenda for December TGDC Meeting
STS has three hours. Draft agenda as proposed after discussion:
#1 - Restructuring the security components of VVSG 2007
#2 - Position on SW dependent systems and the innovation class alternative
#3 - Significant changes in requirements