June 11, 2007

Dear Sirs/Mesdames:

I wish to dispute the requirement in the VVSG draft on Volume III, Chapter 5, Page #155:

5.2.2-C Electronic records poll opening certificate requirement
Hardware-enforced counter, which is immediately incremented upon being used.

This mechanical "hardware enforced" counter, analogous to a counter on a copy machine, would presumably record each "voting" cycle occurring on a voting machine, whether DRE or scanner of paper ballots. The "hardware enforced" appears to refer to a mechanical connection; this is simply not feasible on voting systems with no levers or specific voting mechanisms.

Instead, one is likely to have electro-mechanical implementations which are, in fact, software driven. In any case, by mandating specific implementations rather than requirements, this is a totally inappropriate specification.

The security goal is not cited; apparently, one would want to compare the number of indicated votes to the (independent?) count of the number of voting cycles experienced by the voting machine. Any electro-mechanical counting device would, in fact, be driven not by a mechanism (hardware), but by the internal software and firmware of the device.

A better means of accomplishing this (presumed) security goal would be to require unique identification (NOT serial) numbers to appear on ballots so that the provenance of a ballot may be audited. All ballots are either voted, blank, or damaged/invalidated. The counts then, by precinct, of all ballots should match the number set resulting from the creation of the numbered ballots prior to opening the polls or from the creation of the set of selected large numbers allocated to ballot writers in advance of the election.

Otherwise, one might as well believe that a mechanical counter is called for in this requirement that the voter might increment as he or she votes. That would need some protection against improper incrementation. Again, if the required mechanism were tied into the electronic, software-driven device, it is a real trick to make it mechanically-driven in a DRE. All that could be done is really a repetition of the internal actions of the DRE; no information independent of the DRE itself could be added.

Overall, this particular item stands out in the guidelines as:

1. Not having been thought out in any thorough way

2. Impossible to make truly hardware driven unless it is able to operate independent of the electromechanical device it purports to monitor

3. Flawed by reason of specifying a solution instead of posing a requirement

4. Tied to the auditing requirements of a DRE without paper ballots, thus shutting out alternative solutions to the presumed problem

5. Mandating voting-specific hardware rather than permitting voting systems to include off-the-shelf (COTS) hardware. This mischief may or may not be intended; either way, this provision should be stricken out and replaced by a specific requirement to meet a stated security or auditing objective.

Richard C. Johnson
Richard C. Johnson, Ph.D.
Open Voting Solutions, Inc.
3 Silver Beech Court
Poquott, NY 11733



Page created November 2007
Last updated: November 29, 2007