Guidelines Development Committee (TGDC)
Attendees: Allan Eustis, Angela Orbaugh, David Wagner, Helen Purcell, John Kelsey, John Wack, Mat Masterson (EAC), Neslon Hastings, Quynh Dang, Ron Rivest, Santosh Chokani, Sharon Laskowski, Wendy Havens, Alicia Clay, Rene Peralta
The remainder of the meeting was focused on requirements for e-poll books and ballot activation. John Wack said that the EAC has asked that we address e-poll books in terms of privacy, ballot activation, possibility that they are leaking information, and what we can do about it. One option was to add e-poll books as a new class of device to the VVSG and develop requirements for them. We opted out of this option due to time constraints. We decided to beef up privacy requirements and to take a closer look at ballot activation.
One solution was to write a requirement that said ballot activation (in essence) cannot create possibility of a covert channel between e-poll book and voting station, and vice versa - the ballot activation technique would be used for activation and nothing else. Ron Rivest suggested that the ballot activation device not be reusable. It should not allow writing back to the device that would then be placed back in the e-poll book - this would allow for the possibility of information leaking from the voting station back to the e-poll book.
A big question that arose was whether or not e-poll books should be simultaneously externally networked and also used for ballot activation. Discussion centered around the risks involved with this. One purpose of e-poll books is to have them networked with voting central to keep track of who has voted, so as not to have double voting by individuals at different locations.
[NOTE: The distinction was made between external networking versus networking amongst the voting systems at a particular voting location.]
The proposal at the March plenary meeting that we keep e-poll books doing what they are currently doing, and using a separate mechanism for ballot activation. It was felt that the TGDC did not want this solution.
Three concerns to keep in mind when writing requirements: without networked information, it might be possible for voter to vote more than once at a different location; if e-poll book is networked, an external attack from a hacker could cause the voting systems to crash at poll site and leave in non- functional; concern over voter privacy - there could be a channel of some sort between the e-poll book and the voting system which could leak information back to e-poll book from voting system. Other concerns were expressed regarding reliability. If e-poll books are used for ballot activation, and they are compromised or go down, there needs to be some sort of back-up, otherwise the voting station would not be able to continue.
suggestions were brought up.
It was suggested that the STS subcommittee concentrate on writing requirements for ballot activation devices (not e-poll books) to be discussed at next meeting.
There was concern about the need to receive input from local election officials about how much of a poll worker usability problem having separate devices would cause. John Wack will draft up a set of questions for Mat Masterson (EAC) to use to canvass for feedback. Helen Purcell will also distribute to the Election Center for feedback.
adjourned at 12:00.
[* Pursuant to the Help America Vote Act of 2002, the TGDC is charged with directing NIST in performing voting systems research so that the TGDC can fulfill its role of recommending technical standards for voting equipment to the EAC. This teleconference served the purposes of the STS subcommittee of the TGDC to direct NIST staff and coordinate voting-related research relevant to the VVSG 2007. Discussions on this telecon are preliminary and do not necessarily reflect the views of NIST or the TGDC.]
policy / security notice / accessibility statement