Attendees: Allan Eustis, Stephen Berger, Sharon Laskowski, Nelson Hastings, Dvid Flater, Alan Goldfine, Britt Williams, Max Etschmaier, Philip Pearce
The Meeting convened at 11:03 EST
1) Administrative updates (Allan E.)
AE reminded participants of Sunday night informal reception at Gaithersburg Hilton beginning at 7 pm in the Rockville Room.
2) Proposed agenda for the December 4-5 TGDC plenary
The Agenda and meeting materials were sent out on a CD to all members. All updated meeting materials are also available on the web at: http://vote.nist.gov/TGDC/TGDCpresentations120406.htm.
AG and DF reviewed their presentation slides for the upcoming plenary. See:
AG noted papers of ME and discussion of MTBF/ alternative accuracy metrics; Need for implementation of quality control program. AG noted an accepted industry quality standard of ISO 9000/9001.
SB brought up concerns of advocating ISO 9000/9001 especially implementation dates and concern over the ability of vendor to what he says he will do; Potential horror stories her. AG will note possibility of this scenario in his talk. Process does need supplementing. SG noted that ISO 9000 adds little value without specifying what should be in quality program.
Participants discussed costs to implement an ISO 900 certification framework. Is this a NISTissue or a policy issue for EAC?
ME agreed that with ISO 9000 vendors also need a quality handbook.
SB brought up linkage between reliability and usability. Is there mistake tolerance convergence? Do we need to handle this?
DF noted source of confusion between reliability (applies to equipment) and usability (applies not to equipment but to operator).
SB wants to make sure requirements cover the potential human error and transposition of races. ME noted the value of functional failure analysis here. DF noted that this is also an issue of system integrity. There are requirements in VVSG 2007 to deal with system tolerance.
DF noted that you want to design system to achieve reliability. Discussion ensued on conflict between reliability benchmarks in theory and in practice.
DF noted inclusion of voting system variations and the arrival at conformity assessment. There was a discussion of open ended testing beyond conformity assessment.
BW initiated discussion of testing of optional features by ITAs. Historically this is not called out in the standards. DF noted that optional features are outside of conformity assessment to the standards.
BW noted that you do not want to have states repeating testing of VVSG done at the Federal level. Discussion continued on "fitness for use" evaluations. Can or should a voting system contain additional features?
DF noted that you will be writing tests to the requirements. BW noted that voting systems should conform to vendor documentation. SB noted that you want the system resistant to unauthorized use.
BW illustrated issues here with VVPAT spools not covered in VSS 2002. The VVPAT systems are tested to the vendor documentation. DF noted the issue of a vendor simply re writing the documentation to conform. AG noted the issue should be raised to EAC.
DF noted that California Volume Test will be discussed at the meeting.
4) Other Items
Stephen Berger offered for review three resolutions (below) that he planned to introduce at the December TGDC plenary. AE proposed and SB agrees that me all three resolutions would be forwarded to all TGDC members in advance of the plenary. A copy of the resolutions would also be sent to EAC Commissioner Davidson. No edits were made in the proposed resolutions during the telcon call.
U.S. Election Assistance Commission
Resolution for consideration by the TGDC at their plenary meeting, December, 2006
For a variety of historical reasons the voting systems used in the US have developed to be response to the varied needs and desires of state and local election officials and others involved in the selection and use of voting systems. As a result the current systems may be characterized as:
These characteristics have resulted in a mismatch between the systems and the use environment. Specific areas of contrast:
In order to assure that the 2007 revision is maximally helpful the NIST staff are requested to study and prepare a report how the proposed changes to the VVSG address these issues and specifically:
Resolution for consideration by the TGDC at their plenary meeting, December, 2006
NIST is requested to prepare a report surveying problems experienced in the 2004 and 2006 elections and analyzing these experiences for trends, causal factors and patterns of problems.
The report should then compare the changes made with the introduction of the 2002, 2005 and proposed change for the 2007 standard.
This report should then answer the following questions:
Resolution for consideration by the TGDC at their plenary meeting, December, 2006
NIST is requested to prepare a report analyzing the relevance and effectiveness of recent and current proposed changes of the voting system certification process, specifically addressing the role and contribution of the VVSG, to recent election problems. The report should analyze the effect of recent and proposed changes with the purpose of identifying the most effective means of bringing improvement to problems and concerns with current voting systems and election administration.
Meeting adjourned at 12:25 pm EST.
Participants: Alan Goldfine, Allan Eustis, Brit Williams, David Flater, Donetta Davidson, John Wack, Max Etschmaier, Nelson Hastings, Paul Miller, Steve Berger, Wendy Havens, Dan Schutzer, Steve Berger
Voting Machines: Quality and Configuration Management Requirements - Max
The report has been available for review on the website for a couple of weeks.
Max gave a general overview of the report:
Third report that Max has written: The first one defined what a voting system is all about, what is required of the voting machine, and the concept of reliability. The second report builds on the first one and shows what reliability performance could and should be expected of a voting machine, and it is reasonable to expect the voting machine not to have any critical failures, or at least a very small number (low probability of failure). The centerpiece of the second report was a model of a generic voting machine and a functional analysis of it.
The current (third) report builds on the earlier two and developed requirements for quality and configuration management. It defines quality and configuration management and examines what was written in VVSG 05. It develops a framework where regulator and vendor are separated. There are both a product and a quality process.. The system develops product quality through process quality. The standard is outlined in ISO 9000. It defines the terms and the general principals. You want a measure of rigor to ensure quality and avoid pitfalls of workarounds.
Further details regarding the report were given, followed by a discussion period.
Donetta: When talking about all 3 presentations, when we have the December meeting, how much of this are you going to explain to the others? Answer: Decision forthcoming. It would be beneficial to spend time educating the TGDC on a number of these issues. They should be stated simply - we may end up sacrificing issues in the interest of making them clear. Members should also realize the VVSG 07 must be written clearly, that we do have a firm deadline, and that we need to put as much information as possible in the guidelines.
Some of this proposal looked like it would result in new hardware; if that is the case it needs to be made clear to the members. It would be nice to have a cost estimate for Max's proposal. New equipment also affects the timeframe when everything becomes effective. When considering the deadline for implementation, take into consideration design, building, and testing of any new hardware. The two year deadline may not be enough.
Max restated the purpose of his three papers. Following an outline prescribed by CRT, he was to develop new quality assurance language for the VVSG 07. These three documents provide the basis for further work. Next step is to look at implementation. Currently, we have not looked at the economics from transitioning from the current system to future systems. Recommendations will be based on this analysis, followed by discussion of specific recommendations for next guidelines. These documents presented by Max are a precursor to the language going into the document.
Alan G: Cost implications have come up before - it seems that the general consensus has been that although we should not eliminate the cost issues, NIST's responsibility is to develop the best possible technical recommendations.
Steve B: Cost not the issue, it is implementation and understanding the possible interruptions and consequences. He would like to see a gap analysis from both CRS and STS subcommittees. Compare these new concepts versus the current class of equipment being sold and used. The TGDC has to understand the size of the gap with equipment currently in use and how much would have to change. Second, what is the time period for having plans for these concepts for deployment and implementation? Some aspects of this concept are a long way from being effectively implemented. Next, what is a credible transition plan that wouldn't be unduly disruptive? Vendors must design equipment taking into account that new requirements will be forthcoming and they will be harder to certify. We have to look at all three of these things before we're asked to make decisions.
Max pointed out that new machines that meet new requirements will be no more expensive than current machines.
New machines would not be open systems. Some input/output mechanisms that generate vulnerabilities we've been discussing would be disabled. Unnecessary software would be disabled in the new systems -- any function that is not needed on a system should not be included. General purpose code is not necessary. Once you know that the software in the machines works as advertised, there is no need further modify that software. (This eliminates the emergency patch scenario.) Interaction with the outside is strictly prohibited with the closed box and does not need any modification. The outside voting system (which is part of the internet) will need to be patched and modified and adapted as needed but it will never change what is in the secure voting machine that will be available for verification. If we go with this protocol, we can ensure safe and creditable elections. [Steve: To go with this, we would have to replace every electronic voting station currently in the field.]
How far are we along? What do we want to do? We shouldn't be designing voting machines. If we only design guidelines, we are well along to meeting VVSG 07 deadline.
Transition issue: It would be unthinkable to throw out all current systems. It is a learning process. We can modify old systems to get them close to what a reliable voting machine should look like. Voting machines being recommended require an understanding of everyone in the voting system. Use transition of the systems to reevaluate voting process.
With the scope of the things we're changing, it would be helpful for CRT to develop a field deployment scenario like when major upgrades are made to the telecom system. This is to understand the scope and challenges of changes. [This will be looked at in next report, as well as an implementation plan.]
We need TGDC buy-in at the December meeting if this is the way to go. It needs to be decided if this makes sense or whether we should change course. After that we would begin writing text for the VVSG 07 for approval by the TGDC.
There is support for this concept and realization that there will be much improvement. We need to figure out how much is specifiable and how much is implementable by VVSG 07. In December, we are going to propose formal adoption of ISO 9000 or the vendors be formally certified after a transition period to ISO 9000. Max's approach requires coordination with the other subcommittees, especially STS.
There are several things that can be accomplished near term. We should not only be looking at long-term goals.
Steve expressed concern that there has not been enough discussion on the deployment and implementation of COTS. There have been white papers addressing this issue. [John W: This requires EAC implement things differently.]
John W: We have to consider VVSG 07 as a major upgrade, a standard that will stand for 4 years. How far should we be going in our 2007 recommendations? NIST is addressing future voting systems, not looking at current systems.
Donetta: The subcommittee needs to provide guidance on how long this will take - two years, four years? We had originally set a 2 year window for manufacturers to meet, but looking ahead this is not a 2 year implementation time frame for core requirements. You have to design, build, and test. We need to think about is the negativity associated with the election process. Congress made a mistake with HAVA and the time requirements - requiring new machines by 2006 which weren't ready with new standards. People had an issue buying systems with 2002 standards that they felt were going to change right away. We're looking at the future election equipment and process.
Max's opinion is that, implementing his proposal, developing new systems in two years should not be a problem. What would cause a problem would be replacing current systems, this is a financial issue, but technologically this should not be a problem. [Group disagrees, we haven't discussed the local jurisdictions who have to buy them] We don't have to get rid of present machines - there is a lot we can do to make current systems as reliable as possible.
We are suggesting two types of requirements, one that can be used with existing software, and ones that cannot. There is a grandfather clause; we're not suggesting anyone throw away any machines.
It would be nice to know how long a system actually lasts, e.g., plastic deterioration, etc. to see how long an actual machine may be in use.
At the next teleconference, actual presentations for the December meeting should be available for comment. A suggestion was made to form a small task group to think about what we need to go into the meeting with, so we know what the TGDC needs to give guidance on. EAC and TGDC need to decide if we should go further than current systems. We do not want new guidelines every two years. Several vendors would like to start building on VVSG 07 guidelines instead of worrying about 05 ones that will change.
At the end of Max's report, together with the certification for quality management might also require certification for ISO 14,000 (environmental quality) which would be consistent and provide overall quality management for the manufacturers. Something we might expect of the machines - they conform to the standard that most new equipment today routinely conforms to - the energy star compliance.
When talking about implementation, in the certification arena, NVLAP will have to go back and reassess whether they can test to the new standard.
Next meeting will be November 30 at 11:00 a.m.
Meeting adjourned at 12:10 pm.
Participants: Alan Goldfine, Allan Eustis, Dan Schutzer, David Flater, Max Etschmaier, Nelson Hastings, Paul Miller, Philip Pearce, Sharon Laskowski, Steve Berger
Voting Machines: Reliability Requirements, Metrics, and Certification -- Max E.
Discussion: What should CRT present at the December TGDC plenary?
Next meeting is November 16 and then November 30.
Participants: Alan Goldfine, Allan Eustis, David Flater, Max E., Nelson Hastings, Paul Miller, Philip Pearce, Sharon Laskowski, Wendy Havens
On Accuracy Benchmarks, Metrics, and Test Methods - David Flater
This came about because there was an issue highlighted in the draft about whether we want to use a single high-level end to end error rate for the system or do we want to retain the individual error rates that were specified for each low level operation that were in the previous editions of the standard.
In accuracy assessment, no value in having low level error rate - found other issues:
Definition of accuracy method.
Voting Machines: Reliability Requirements, Metrics and Certification - Max Etschmaier
Next CRT meeting will be October 26 at 11:00 a.m.
Participants: Alan Goldfine, Allan Eustis, Dan Schutzer, David Flater, John Wack, Max Etschmaier, Nelson Hastings, Sharon Laskowski, Steve Berger, Thelma Allen
Critical Issues for Formulating Reliability Requirements - Max E
[Introduction of agenda by Alan Goldfine: Max is looking into reliability issues such as meantime between failure requirements of the VVSG, rethinking them from the ground up. As a first "strawman" he has prepared that document which was presented at the last meeting.]
Accuracy - David Flater
Presentation of December TGDC Meeting
Possibly schedule another telecon next Thursday afternoon to continue this agenda.
Issues List - David Flater
Participants: Alan Goldfine, Allan Eustis, Dan Schuster, David Flater, John Wack, Max Etschmaier, Sharon Laskowski, Thelma Allen, Wendy Haven
Meeting began with introductions at 10:05 a.m.
Critical Issues for Formulating Reliability Requirements - Max Etschmaier
(Note paper and presentation URL above)
Meeting adjourned at 11:35 a.m.
Participants: Allan Eustis, John Wack, Alan Goldfine, David Flater, Nelson Hastings, Philip Pearce, Max Etschmaier, Daniel Schutzer, Paul Miller, Wendy Havens
JW-Ron Rivest sent email suggesting NIST / STS look into the gaming standards
[Test reports deferred to later in the meeting ]
Reconciliation on aliases and over-votes:
AE-status on "action item" list from David Flater and Stephen Berger
Next scheduled meeting:
Participants: John Wack, Alan Goldfine, David Flater, Sharon Laskowski, Steve Berger, Wendy Havens
JW- Updates everyone on the House of Representatives Joint Science/Administration Committees' hearing yesterday in which Dr. William Jeffrey gave testimony on voting system standards and related issues. (His testimony has been posted at:
The full hearing web cast is available for viewing at: http://boss.streamos.com/real/science/sci06/071906.smi
Discussion on Test Reports:
David Flater along with Steve Berger discussed and compared their draft notes regarding voting system test reports. There were numerous issues that were reviewed and David Flater put together an action items list that has been appended at the end of these meeting minutes.
Agenda items deferred to next CRT telcon:
Next scheduled meeting is on Thursday, August, 10th @ 10:00 AM EST
Meeting Action Items:
Notes (not actionable until outline is integrated):