Security and Transparency Subcommittee (STS) Conference Call *
February 6, 2007

Participants: Alicia Clay, Allan Eustis, Angela Orebaugh, Barbara Guttman, Bill Burr, David Flater, David Wagner, Helen Purcell, John Cugini, John Wack, Nelson Hastings, Patrick Gannon, Philip Pearce, Quynh Dang, Rene Peralta, Santosh Chokhani, Wendy Havens

Agenda:

1) Administrative Updates

2) Discussion of cross sub-committee topics

a. For HFP; prepare for the HFP-STS joint conference call on usability and software independence.
b. For CRT; the proposed CRT approach to COTS (see paper entitled COTS discussion paper" at: (http://vote.nist.gov/TGDC/crt/COTS-20061016/COTS-20061016.pdf )

3) Discussion of software independence impact on setup validation requirements (see paper entitled "Impact of software independence on set up validation requirements" at: http://vote.nist.gov/TGDC/sts/Potential-impact-of-SI-on-setup-validation-requirements-012507.pdf )

4) Other items

5) Next call Tuesday, February 20, 2007 @ 10:30 AM EST

Administrative Updates:

  • Allan: Tomorrow is the first of two/three hearings that the Senate Rules Committee will be conducting on Electronic Voting Technology. Rush Holt will be a witness followed by a panel with Rush Holt, Brit Williams, Connie Schmidt, and a representative from the Brennan Center. (Testimony is available at: http://rules.senate.gov/hearings/2007/020707hrg.htm )
  • Allan: Reminder that on Friday, February 9, 2007, there is a joint teleconference call with the HFP (11 am EST).
  • John W: Thanks to David Wagner for email with pointers to best practices and procedures; also received some from other voting vendors.
  • John W: At the next teleconference we need to discuss how our draft requirements are presented. (seems there is some divide on how it should be presented) [Nelson noted that comments will be looked at this week. Bring back to mailing list for follow-up discussion.]

Cross Subcommittee Topics:

COTS: A discussion took place of the proposal by CRT. The discussion paper suggested having a list of approved COTS software that can be used in voting systems. This suggestion would require EAC support and buy-in in order for it to be implemented. Discussion papers clarifies relevant concepts - everything submitted is NOT either COTS or non-COTS. Paper contains more precise definitions. It deals with the applicability of requirements to COTS.

David Flater inquired if there was any feedback/comments to the paper. David Wagner (with no objections) stated that STS agrees with CRT's approach to COTS. David W will send an email to Ron Rivest regarding trusted COTS to see if there are any issues he would like to raise.

HFP: John was asked to expound on Whitney's end-to-end paper and on his SI/Accessibility paper.

John outlined the thesis of the end-to-end paper: main problem is how/whether to achieve comparable verifiability for blind voters as for sighted. Main technical suggestions so far seem to be: a. non-vendor-dep't OCR and b. audio tape. Are these feasible? Are they SI? Not knowing where Whitney stands on some topics, John preferred not to comment any further.

Discussion on SI/Accessibility paper: STS subcommittee felt we need to distinguish two goals: first, protect election versus second, enable individual voter verification - do the two specific approaches suggested for blind voter verification meet the need, i.e. would they count as SI-type voter verifiability?

David Wagner suggested that maybe Goal #1 must be strictly SI, but Goal #2 need not be - the implication is that plain old audio verification (clearly non-SI) for blind voters is good enough as long as the mechanism is checked thoroughly enough not to endanger the election. That is, maybe the Acc-VS itself need not be SI?

The issue is whether the VVSG mandates an expensive/high-tech approach that is (arguably) SI, or whether the cheaper/low-tech, but non-SI, approach is good enough.

Rene Peralta noted that the TGDC adopted Goal #2 in the SI resolution passed in December.

David Wagner suggested that SI does not rule out software to read the record of the vote.

Discussion followed on two potential methods for verification. Are these good security approaches? U.S. Access Board concept of "complimentary accessibility" mentioned. What is the merger of adequate accessibility with adequate security?

Philip Pearce emphasized that accessibility requirement extends beyond blind to low vision, and cognitive disabilities.

Barbara Guttman recommended that accessible voting station (both audio and print output) should be able to be verified by all voters. Discussion of direct/indirect verification by both blind and sighted voters followed. Conclusion that the best we can do is to maximize the number voters that can verify their vote. (Philip Pearce will get input from U.S.Access Board on these issues).


Interoperability

Concern at this time with interoperability standards; they will be a focus of next STS meeting. Dave Flater recommended considering using "mays" in some of these requirements to not preclude solutions..

SI and Set Up Validation

Nelson Hastings summarized the papers. Discussion of software related requirements in set up followed including digital signatures and (trusted) external port issues. David Wagner suggested you need to be more precise as to applicability. Make digital signature requirement a "shall".

With external port, architectural changes in the hardware of voting systems are required. This is expensive.

Should we eliminate software integrity requirements because of SI? Option two would be to modify software integrity requirements- make them "shoulds". There are cost issues; Plausible to make trusted external port as a "should" requirement.

David Wagner noted that SI does not solve some threats such as denial of service attacks.
Need to prioritize the risks from viruses (exposure). Networked systems and PCM/CIA cards are high risk. When a voting system accumulates votes with one machine, there is a high risk for viruses and you would then require an external port. There is a spectrum here in voting systems- not black and white. Also discussion followed on indirect communication between systems.

Nelson brought up issues of performance metrics/techniques. David suggested stating goal and listing accessible modes and performance based techniques. Need testable requirements. Concern expressed with use of the word "Trusted" with external port.

Suggestion to look at gaming industry set up requirements. John Wack will send out e-mail.

5) Next call Tuesday, February 20, 2007 @ 10:30 AM EST

[* Pursuant to the Help America Vote Act of 2002, the TGDC is charged with directing NIST in performing voting systems research so that the TGDC can fulfill its role of recommending technical standards for voting equipment to the EAC. This teleconference discussion served the purposes of the STS subcommittee of the TGDC to direct NIST and coordinate its voting-related research relevant to the VVSG 2007. Discussions on this telecon are preliminary and do not necessarily reflect the views of NIST or the TGDC.]

 



Teleconferences from 2004, 2005, 2006 and upcoming in 2006.

*************

Link to NIST HAVA Page

Last updated: July 25, 2007
Point of Contact

Privacy policy / security notice / accessibility statement
Disclaimer / FOIA
NIST is an agency of the U.S. Commerce Department