June 11, 2007
I wish to dispute the requirement in the VVSG draft on Volume III, Chapter 5, Page #155:
records poll opening certificate requirement
Hardware-enforced counter, which is immediately incremented upon being used.
A "hardware enforced" counter, analogous to a counter on a copy machine,
would presumably record each "voting" cycle occurring on a voting
machine, whether DRE or scanner of paper ballots. The "hardware enforced"
appears to refer to a mechanical connection; this is simply not feasible on
voting systems with no levers or specific voting mechanisms.
Instead, one is likely to have electro-mechanical implementations which are, in fact, software
driven. In any case, by mandating specific implementations rather than requirements,
this is a totally inappropriate specification.
The security goal is not cited; apparently, one would want to compare the number of indicated
votes to the (independent?) count of the number of voting cycles experienced
by the voting machine. Any electro-mechanical counting device would, in fact,
be driven not by a mechanism (hardware), but by the internal software and firmware
of the device.
A better means of accomplishing this (presumed) security goal would be to require unique identification
(NOT serial) numbers to appear on ballots so that the provenance of a ballot
may be audited. All ballots are either voted, blank, or damaged/invalidated.
The counts then, by precinct, of all ballots should match the number set resulting
from the creation of the numbered ballots prior to opening the polls or from
the creation of the set of selected large numbers allocated to ballot writers
in advance of the election.
One might as well believe that a mechanical counter is called for in this requirement
that the voter might increment as he or she votes. That would need some protection
against improper incrementation. Again, if the required mechanism were tied
into the electronic, software-driven device, it is a real trick to make it mechanically-driven
in a DRE. All that could be done is really a repetition of the internal actions
of the DRE; no information independent of the DRE itself could be added.
This particular item stands out in the guidelines as:
1. Not having been thought out in any thorough way
2. Impossible to make truly hardware driven unless it is able to operate independent of the electromechanical device it purports to monitor
3. Flawed by reason of specifying a solution instead of posing a requirement
4. Tied to the auditing requirements of a DRE without paper ballots, thus shutting out alternative solutions to the presumed problem
5. Mandating voting-specific hardware rather than permitting voting systems to include off-the-shelf (COTS) hardware. This mischief may or may not be intended; either way, this provision should be stricken out and replaced by a specific requirement to meet a stated security or auditing objective.
Richard C. Johnson
Richard C. Johnson, Ph.D.
Open Voting Solutions, Inc.
3 Silver Beech Court
Poquott, NY 11733
created November 2007