STS Teleconference
April 19, 2006

Participants: Allan Eustis, John Wack, David Flater, Nelson Hastings, John Kelsey, Ron Rivest, Sharon Laskowski, Helen Purcell, Angela Orebaugh, David Karmol, Wendy Havens


  • Administrative Updates
  • Discuss redundant records
  • Other issues, including next meeting date

Meeting Commenced at 10:33 am EDT.

Administrative Updates:

  • Updates from 3/06 Plenary meeting
  • In process of putting together the schedule for the sub committee teleconferences
  • Discussion on what information will be available on the TGDC web site

  • Reviewed issues about the March 16th teleconference with the ITAA members which included; set-up validation, when the set-up will occur and who will do it; EML; issues about boundaries; and memory addressable device issues.

Redundant Records (in DRE Systems):

NH referenced material in previous e-mail (below) and offered to answer questions:

The NIST Approach to Multiple Representations--DRAFT
John Kelsey, NIST, 2005-03-02

1.3.f. No a priori decision must be made about which representation is to take precedence in case of disagreement between apparently undamaged representations.

2 The Problem with "Ballots of Record"

There's is a common notion of "ballots of record" intended to capture the idea that there is one true representation of the voters' choices to which the voting system can return during a recount. This idea makes sense when discussing paper ballots which are counted after the voting is done, because there is really only one original representation of the voters' choices, in the paper ballots.

Electronic counting of those ballots results in the creation of a derivative electronic record, and since the scanning of paper ballots is an error-prone process, each new attempt to count the ballots
electronically leads to a slightly different electronic representation. However, that electronic record has no validity independent of the validity of the paper record. The paper record is the only original evidence of the voters' choices in this case, and so it must take precedence over these derived records.

This notion does not make sense for voting systems which create multiple representations of the voters' choices which have independent validity during the voting process, however. A DRE that creates multiple electronic copies, a DRE with voter-verified paper, a frog voting system such as that recommended in the MIT/Caltech report, all create multiple representations of the voters' clearly expressed choices at the time of the vote. Any of these representations might be correct.

Return to the motivational example of a DRE with voter-verified paper trail. Securing the electronic memory of the DRE is a difficult task, and it's hard to be sure it's been done well, especially in the face of corrupt insiders at the voting system vendor. Securing the paper
records is also a difficult task, especially in the face of corrupt local election officials. The thing that makes a DRE with VVPAT potentially much more secure than a straight DRE or a straight paper system is that the attackers have to compromise two independent records, and the insiders most likely to be able to compromise one probably can't compromise the other. If both records are checked against each other in the normal process of counting votes, an attacker who can compromise only one set of records knows that he is overwhelmingly likely to get caught, if he tries to alter the outcome of the election.

4.1.c. There is no a priori way to decide which representation is accurate. Any attempt to decide this ahead of time makes an attack on the voting system much easier, since the attacker knows which one representation he must compromise.

VVSG 2005

I.2.1.2.f As an additional means of ensuring accuracy in DRE systems, voting devices shall record and retain redundant copies of the original ballot image. A ballot image is an electronic record of all votes cast by the voter, including under votes.

I.2.1.4.k Maintain a record of each ballot cast using a process and storage location that differs from the main vote detection, interpretation, processing, and reporting path.

I. Incorporate redundant memories to detect and allow correction of errors caused by the failure of any of the individual memories.

I. Provide at least two processes that record the voter's selections that:

* To the extent possible, are isolated from each other
* Designate one process and associated storage location as the main vote detection, interpretation, processing and reporting path

I. Use a different process to store ballot images, for which the method of recording may include any appropriate encoding or data compression procedure consistent with the regeneration of an unequivocal record of the ballot as cast by the voter

I.C.1 -

I.C.1 Independent Verification Systems

A primary objective for using electronic voting systems is the production of voting records that are highly precise, highly reliable, and easily counted - in essence, an accurate representation of ballot selections whose handling requirements are reasonable. To meet this objective, there are many factors to consider in an electronic voting system design, including:

  • the environment provided for voting, including the physical and environmental factors
  • the ease with which voters can use the voting system, i.e., its usability
  • the robustness and reliability of the voting equipment
  • the capability of the records to be used in audits

Independent Verification (IV) systems have as their primary objective the production of independent records of voter ballot selections that are capable of being used in audits in which their correctness can be audited to a very high level of precision. The primary voting security and integrity issues addressed by IV systems are:

  • whether electronic voting systems are accurately recording ballot selections
  • whether the ballot record contents can be audited precisely post-election

The threats addressed by IV systems are those that could cause a voting system to inaccurately record the voter's selections or cause damage to the voting system records. These threats could occur via any number of means including human error, accident or fraudulent activity. The threats are addressed mainly by providing, in the voting system design, the capability for ballot record audits to detect precisely whether specific records are correct as recorded or damaged, missing, or fraudulent.


  • DF discussed revised requirements language; removal of IV language that is incompatible with language in other documents.
  • ballot and election laws
  • are issues handled completely in Appendix C- probably not
  • still working on general comments in IDV
  • VVSG-terminology used should be consistent and the glossary defined
  • EAC to look into some of these issues
  • item about which is ballot of record paper or electronic record
  • what do you do if records are different?
  • Rivest pointed out the need for well defined terms before you categorize systems
  • standards board meeting in May should discuss these issues: states legislatures are struggling and requirements language would be helpful here.
  • goal is to better understand procedures in states that will work best for them
  • VVPAT-durability issues on (thermal) paper that might not hold up for the 22 months
    required to hold onto votes; thermal paper; archival issues and verification of such archives
  • STS and CRT to try to work more closely their individual agendas
    Other issues:

Items for Discuss next STS teleconference: set up validation issues

Next scheduled meeting: Wednesday, May 3rd at 10:30 am

Meeting ends: 11:30 am



Link to NIST HAVA Page

Last updated: July 25, 2007
Point of Contact

Privacy policy / security notice / accessibility statement
Disclaimer / FOIA
NIST is an agency of the U.S. Commerce Department