2010-05-07 14:00 EDT Auditability Working Group telecon Minutes rev. 2010-05-13 Agenda: I propose as the first agenda item a discussion of the Software Independence (SI) notions that appeared in the August 2007 draft of VVSG 2.0, to (1) review reasons why SI met with push-back and (2) determine whether those conditions still exist today. If we agree that there is still a problem to be solved, then we can progress to a review of the working group charter that was circulated previously and begin discussion of the many line-items to narrow and define the scope of work. Attendees: David Flater Diane Golden Nelson Hastings Marty Herman Sharon Laskowski Ben Long Ann McGeehan Russ Ragsdale Ed Smith David Wagner Karen Yavetz The meeting got underway slowly because the wrong passcode was sent for the audio conference. Discussion began in earnest around 14:15 with a review of Software Independence (SI) as defined in the August 2007 draft of VVSG 2.0. Review of Resolution 2007-[D1] from the Board of Advisors and Resolution 2007-06 from the Standards Board indicated that these groups believed SI to be incompatible with accessibility mandates that are already in effect. Diane Golden provided background: 1. General counsel for the EAC ruled that any ballot of record must be "fully accessible" (whatever the accessibility requirements are for full-fledged ballots). 2. Apart from the "innovation class" process, which the Standards Board found wanting, the only way of achieving SI is with paper, and paper has accessibility issues. 2a. With optical scan, the problem is physical handling of the ballot. 2b. With VVPAT as ballot of record, the problem is converting the print on the paper back to accessible form to enable verification. Further discussion of VVPAT clarified that converting the print on the paper back to accessible form is believed to be required in order to provide "the same opportunity for participation and access" (HAVA Sec. 301 (a)(3)) when the capability to verify the paper ballot of record is available to sighted voters. [A requirement that implements this interpretation for the ballot of record was only a SHOULD in the TGDC draft of May 9, 2005 (it appears in two places) but it became a SHALL in VVSG 1.0 Req. I.7.9.7.b. In the intervening June, 2005 public review draft, it is a SHALL in one place and a SHOULD in the other. The numbering is odd; search on VVPAT to find the requirements.] David Wagner found this interpretation of HAVA surprising and requested that the official decision be obtained in writing before the working group committed to taking options off the table. ACTION NIST to contact EAC to obtain the decision in writing. David Wagner observed that this interpretation appears to rule out the opscan + one DRE/VVPAT per precinct configuration in those jurisdictions where the VVPAT takes precedence. This configuration is similar to the one specifically condoned by HAVA Sec. 301 (a)(3)(B), except for the addition of VVPAT. Ann McGeehan suggested that the group examine the legislative intent for HAVA and the prior bill on accessibility in voting that went by the wayside when HAVA addressed the same issues. [cite?] With respect to hybrid systems generally, Ann McGeehan and Diane Golden identified the challenges: - Must avoid disparate treatment/impact, "separate and unequal" - It's hard enough to train people for ONE system, much less two. David Flater observed that accessibility has two aspects. 1. Access per se (working around disability X) is an engineering problem that can always be solved using different solutions for different people as needed, except where restricted by the second aspect. 2. Equality, or what is considered unequal treatment, is more social and political in nature. Different people need different access methods; different access methods are by definition different; it is risky to make predictions about which differences will or will not be perceived as disparate treatment or have disparate impact. David Flater asked whether paperless DREs were seen as "The Answer" for accessibility. Diane Golden essentially confirmed that this was the case prior to the emergence of VV and SI and the consequential moves back to paper that led to a standoff. Ed Smith discussed a new architecture that integrates a scanner onto an EBM to eliminate the paper handling problem of delivering the voted ballot to the scanner. Two vendors are working on it, in response to HAVA requirements. ACTION Ed to forward information about this work. It was noted that this new architecture does not eliminate paper handling for spoiled ballots, but since spoilage requires pollworker intervention for all voters, it isn't disparate treatment (we think). Russ Ragsdale raised the small-batch-privacy issue for the configuration where such a device is used primarily by disabled voters. David Flater noted that this problem is the same with the single-DRE configuration that has been deemed acceptable in practice. David Flater asked David Wagner whether he could envision any way forward for SI/Auditability without paper. While it remains an active research topic, David Wagner did not believe that paperless approaches presented a productive way forward for the working group. Non-paper independent verification (IV) approaches don't provide the same assurance with respect to the immutability of the record. Russ Ragsdale and Diane Golden didn't think there would be a non-paper solution that would fly. Ann McGeehan was reluctant to give up on paperless approaches, as security and other needs must be balanced. - Not clear that the level of assurance provided by the paper is necessary. - Don't want to lose focus of the ultimate purpose, which is the act of voting. - The biggest success in 2008 was early voting. - Bringing voting to where people are only really works with electronic voting. Russ Ragsdale agreed that there should be focus on early voting. Discussion of the scoping points listed in the charter did not get very far. * Capability for recounts--manual recounts, non-manual but independent recounts (e.g., ship ballots to neighboring county for second opinion), or other reprocessing of Cast Vote Records and Ballot Images DF: Per discussion in previous TGDC meeting, detection alone (versus detection and correction of errors) is considered insufficient because rerunning elections is not an option. DW: From security point of view, detection may suffice. The ability to reconstruct the count cannot be guaranteed because a catastrophe that destroys all records is always possible. AmG: All states have a requirement to be able to do a recount. Courts can order a repeat election. DF: Conclusion: Definitions of auditability that focus only on detection of material error are not off the table yet. * Retention of Cast Vote Records and Ballot Images (e.g., in precinct-count optical scanners, where previously they were not required) RR: Must avoid intruding on election procedures (decision whether or not to keep such records, vs. the system's ability to produce them). * Whether, and in what specific cases, voter-verifiability is necessary to satisfy expectations for the trustworthiness of audit records DW: Three classes 1 No one can directly verify -- not auditable. 2 Some can directly verify -- auditable (sufficient). 3 Everyone can -- auditable (more than sufficient). SI does not require that every voter directly verify, or even be able to. DF: So the problem is not access per se but equality. ES: There's a *market* requirement for voter-verifiability. AmG: Voter using PCOS doesn't actually know how the ballot will be counted. [Discussion of cast-as-intended, recorded-as-cast, counted-as-recorded] AmG: With DREs, don't know counted as recorded. DW: Post-election audit. * Small-batch auditing techniques DW: Capability to break down vote totals - by category - by precinct - by random sample Next steps - Diane Golden desires a speedy conclusion to the paper vs. no-paper debate in hopes that an upcoming EAC research grant on the subject of accessible voting systems would be scoped in harmony with that outcome. - Scoping of auditability ACTION NIST to clarify the list of scoping items in the charter for further discussion. - Auditability vs. SI What might we change to make it more compatible with accessibility? Adjourned at 4:00 PM EDT. Next meeting: May 21 2:00 PM EDT.