April 19, 2006
Participants: Allan Eustis, John Wack, David Flater, Nelson Hastings, John Kelsey, Ron Rivest, Sharon Laskowski, Helen Purcell, Angela Orebaugh, David Karmol, Wendy Havens
Meeting Commenced at 10:33 am EDT.
Redundant Records (in DRE Systems):
NH referenced material in previous e-mail (below) and offered to answer questions:
NIST Approach to Multiple Representations--DRAFT
1.3.f. No a priori decision must be made about which representation is to take precedence in case of disagreement between apparently undamaged representations.
2 The Problem with "Ballots of Record"
There's is a common notion of "ballots of record" intended to capture the idea that there is one true representation of the voters' choices to which the voting system can return during a recount. This idea makes sense when discussing paper ballots which are counted after the voting is done, because there is really only one original representation of the voters' choices, in the paper ballots.
counting of those ballots results in the creation of a derivative electronic
record, and since the scanning of paper ballots is an error-prone process,
each new attempt to count the ballots
This notion does not make sense for voting systems which create multiple representations of the voters' choices which have independent validity during the voting process, however. A DRE that creates multiple electronic copies, a DRE with voter-verified paper, a frog voting system such as that recommended in the MIT/Caltech report, all create multiple representations of the voters' clearly expressed choices at the time of the vote. Any of these representations might be correct.
to the motivational example of a DRE with voter-verified paper trail.
Securing the electronic memory of the DRE is a difficult task, and it's
hard to be sure it's been done well, especially in the face of corrupt
insiders at the voting system vendor. Securing the paper
4.1.c. There is no a priori way to decide which representation is accurate. Any attempt to decide this ahead of time makes an attack on the voting system much easier, since the attacker knows which one representation he must compromise.
I.2.1.2.f As an additional means of ensuring accuracy in DRE systems, voting devices shall record and retain redundant copies of the original ballot image. A ballot image is an electronic record of all votes cast by the voter, including under votes.
I.2.1.4.k Maintain a record of each ballot cast using a process and storage location that differs from the main vote detection, interpretation, processing, and reporting path.
I.18.104.22.168.b.ii Incorporate redundant memories to detect and allow correction of errors caused by the failure of any of the individual memories.
I.22.214.171.124.b.iii Provide at least two processes that record the voter's selections that:
the extent possible, are isolated from each other
I.126.96.36.199.b.iv Use a different process to store ballot images, for which the method of recording may include any appropriate encoding or data compression procedure consistent with the regeneration of an unequivocal record of the ballot as cast by the voter
I.C.1 Independent Verification Systems
A primary objective for using electronic voting systems is the production of voting records that are highly precise, highly reliable, and easily counted - in essence, an accurate representation of ballot selections whose handling requirements are reasonable. To meet this objective, there are many factors to consider in an electronic voting system design, including:
Independent Verification (IV) systems have as their primary objective the production of independent records of voter ballot selections that are capable of being used in audits in which their correctness can be audited to a very high level of precision. The primary voting security and integrity issues addressed by IV systems are:
The threats addressed by IV systems are those that could cause a voting system to inaccurately record the voter's selections or cause damage to the voting system records. These threats could occur via any number of means including human error, accident or fraudulent activity. The threats are addressed mainly by providing, in the voting system design, the capability for ballot record audits to detect precisely whether specific records are correct as recorded or damaged, missing, or fraudulent.
Items for Discuss next STS teleconference: set up validation issues
policy / security notice / accessibility statement