Technical Guidelines Development Committee (TGDC)
Security and Transparency Subcommittee (STS) Teleconference *
April 3, 2007, 10:30 a.m.

Draft Agenda

1) Administrative Updates
2) Review of TGDC meeting
3) Discussion of path forward for e-poll book requirements
4) Other items

Attendees: Allan Eustis, Angela Orbaugh, David Wagner, Helen Purcell, John Kelsey, John Wack, Mat Masterson (EAC), Neslon Hastings, Quynh Dang, Ron Rivest, Santosh Chokani, Sharon Laskowski, Wendy Havens, Alicia Clay, Rene Peralta

Administrative Updates:

  • Allan: We are moving forward with preparations for the next plenary meeting, scheduled for May 21-22, 2007. The March meeting web cast has been archived on the web for viewing ( . Unofficial transcripts are also posted; official ones will be up soon. The two resolutions that were approved have also been posted ( .
  • John Wack: Next plenary meeting will focus on a review of draft sections of the VVSG currently being worked on.
  • Ron Rivest commented that plenary meeting went well.

E-Poll Book Requirements:

The remainder of the meeting was focused on requirements for e-poll books and ballot activation. John Wack said that the EAC has asked that we address e-poll books in terms of privacy, ballot activation, possibility that they are leaking information, and what we can do about it. One option was to add e-poll books as a new class of device to the VVSG and develop requirements for them. We opted out of this option due to time constraints. We decided to beef up privacy requirements and to take a closer look at ballot activation.

One solution was to write a requirement that said ballot activation (in essence) cannot create possibility of a covert channel between e-poll book and voting station, and vice versa - the ballot activation technique would be used for activation and nothing else. Ron Rivest suggested that the ballot activation device not be reusable. It should not allow writing back to the device that would then be placed back in the e-poll book - this would allow for the possibility of information leaking from the voting station back to the e-poll book.

A big question that arose was whether or not e-poll books should be simultaneously externally networked and also used for ballot activation. Discussion centered around the risks involved with this. One purpose of e-poll books is to have them networked with voting central to keep track of who has voted, so as not to have double voting by individuals at different locations.

[NOTE: The distinction was made between external networking versus networking amongst the voting systems at a particular voting location.]

The proposal at the March plenary meeting that we keep e-poll books doing what they are currently doing, and using a separate mechanism for ballot activation. It was felt that the TGDC did not want this solution.

Three concerns to keep in mind when writing requirements: without networked information, it might be possible for voter to vote more than once at a different location; if e-poll book is networked, an external attack from a hacker could cause the voting systems to crash at poll site and leave in non- functional; concern over voter privacy - there could be a channel of some sort between the e-poll book and the voting system which could leak information back to e-poll book from voting system. Other concerns were expressed regarding reliability. If e-poll books are used for ballot activation, and they are compromised or go down, there needs to be some sort of back-up, otherwise the voting station would not be able to continue.

Several suggestions were brought up.

  • Not allowing external networking from e-poll book if used for ballot activation.
  • If external networking is allowed, then we need to write requirement, specifically saying this. Currently the voting system definition does not allow for voting system to be externally networked, but if e-poll book is used for ballot activation it becomes part of the voting system, so requirement would need to be changed to allow this.
  • Use smart card for ballot activation with limited memory so there would not be room on it to transfer any data from voting system back to e-poll book.
  • Use of mag-stripes to activate ballots.

It was suggested that the STS subcommittee concentrate on writing requirements for ballot activation devices (not e-poll books) to be discussed at next meeting.

There was concern about the need to receive input from local election officials about how much of a poll worker usability problem having separate devices would cause. John Wack will draft up a set of questions for Mat Masterson (EAC) to use to canvass for feedback. Helen Purcell will also distribute to the Election Center for feedback.

Meeting adjourned at 12:00.

[* Pursuant to the Help America Vote Act of 2002, the TGDC is charged with directing NIST in performing voting systems research so that the TGDC can fulfill its role of recommending technical standards for voting equipment to the EAC. This teleconference served the purposes of the STS subcommittee of the TGDC to direct NIST staff and coordinate voting-related research relevant to the VVSG 2007. Discussions on this telecon are preliminary and do not necessarily reflect the views of NIST or the TGDC.]

Teleconferences from 2004, 2005, 2006 and upcoming in 2006.


Link to NIST HAVA Page

Last updated: July 25, 2007
Point of Contact

Privacy policy / security notice / accessibility statement
Disclaimer / FOIA
NIST is an agency of the U.S. Commerce Department