Technical Guidelines Development Committee (TGDC), STS Subcommittee Teleconference, May 1
Attendees: Allan Eustis, Angela Orbaugh, Barbara Guttman, David Wagner, Helen Purcell, John Kelsey, John Wack, Nelson Hastings, Patrick Gannon, Philip Pearce, Quynh Dang, Ron Rivest, Sharon Laskowski, Rene Peralta, Bill Burr
Administrative Updates (Allan Eustis):
A special election was held in DC today (May 1). Allan was a precinct technician there this morning. DC uses Sequoia AVC Edge machines; it was one of the first jurisdictions to use DREs, as the result of a lawsuit. These machines have been in service for about 3 years, and each machine registers under 2,000 votes. The PCMCIA cards tend to go bad on these systems, causing the screen to freeze during voting.
Cost of Testing Summit (Nelson Hastings):
Approximately 40 people are attending this EAC summit, representing election officials, vendors, advocacy groups, and testing labs. One issue raised so far was how much testing the federal testing labs could do so as to minimize testing by the states. There was a lot of discussion between vendors and testing labs on the requirements for code review (standard code) and the cost and time it takes. States were asked how much they spend on testing; answers ranged from small states that do little testing to larger states that invest around $500K. Nelson reported that there would be no minutes from the meeting. Ron Rivest asked to hear more about what happened at the summit and wondered whether the data on testing costs could be acquired. Allan will check with Matt Masterson after the summit.
Set-up Validation (Nelson Hastings):
Nelson presented the changes he had made to the set-up validation requirements based on previous STS discussions. Set-up validation would be required for system architectures that allow polling place accumulation of records. Systems such as Hart's centrally controlled system and Diebold's networked vote capture devices would require set-up validation; this currently does not affect the Sequoia systems. STS members present at the meeting agreed with the language as written.
Access Control and System Event Logging (Nelson Hastings):
There was considerable discussion regarding event logging. Possibilities for securing event logs include cryptography and write-once memory. The group discussed what should be protected against (software tampering before the election, tampering on election day, or tampering with the logs at the end of the day) and then discussed the cost impact of each of these protections. The requirement as written calls for tamper evidence (not necessarily tamper prevention). David Wagner offered two options: 1) stick with the current language, which includes a cryptographic method that protects the logs against attacks on election day, or 2) write requirements closer to what systems already do (back off the requirements about write-once storage) and require signed audit logs that would prevent tampering at the end of the day. Ron Rivest was in favor of option #2. Option 2 appears to be addressed in the electronic records requirements. The requirement should include wording to protect against attempts by a human to delete logs through approved interfaces (no normal function should tamper with the event log). Angela will re-work the language and pass it around for comments.
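The distinction between the two options above is easier to see in code. The following is an added example, not code from any voting system or from the meeting participants: a hash-chained event log with an end-of-day seal, run against an intact copy and three tampered copies. The event names, the device key and the use of HMAC in place of a digital signature are assumptions made for illustration; a deployed system would sign with a per-device key. The chain alone detects modification, deletion and reordering; the seal added at close of polls also detects removal of trailing entries, but only once it exists, which is the gap that option 1 (write-once storage or per-entry cryptography during the day) is meant to close.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # hash "before" the first entry
DEVICE_KEY = b"per-device-key-kept-in-tamper-resistant-storage"  # assumption


def entry_hash(prev_hash: str, seq: int, event: dict) -> str:
    """Digest that binds an event to its position and to every earlier entry."""
    payload = json.dumps({"prev": prev_hash, "seq": seq, "event": event}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class EventLog:
    """Hash-chained log; close_polls() adds the end-of-day commitment."""

    def __init__(self):
        self.entries = []
        self.head = GENESIS
        self.seal = None

    def append(self, event: dict) -> str:
        seq = len(self.entries)
        h = entry_hash(self.head, seq, event)
        self.entries.append({"seq": seq, "prev": self.head, "event": event, "hash": h})
        self.head = h
        return h

    def close_polls(self, key: bytes = DEVICE_KEY) -> str:
        # Commit to the entry count and the chain head. HMAC stands in for a
        # digital signature here (assumption); a real device would sign.
        msg = f"{len(self.entries)}:{self.head}".encode()
        self.seal = hmac.new(key, msg, hashlib.sha256).hexdigest()
        return self.seal


def chain_intact(entries) -> tuple:
    """Check only the hash chain: detects modification, deletion and reordering."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, f"chain broken at position {i} (entry deleted or reordered)"
        if entry_hash(prev, i, e["event"]) != e["hash"]:
            return False, f"entry {i} modified"
        prev = e["hash"]
    return True, prev  # second value is the chain head


def verify_log(entries, seal, key: bytes = DEVICE_KEY) -> tuple:
    """Chain check plus end-of-day seal: also detects removal of trailing entries."""
    ok, head_or_reason = chain_intact(entries)
    if not ok:
        return False, head_or_reason
    if seal is None:
        return False, "log not sealed"
    expected = hmac.new(key, f"{len(entries)}:{head_or_reason}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, seal):
        return False, "seal mismatch (trailing entries removed or seal forged)"
    return True, "ok"


# Constructed sample election-day events (not taken from any real system).
SAMPLE_EVENTS = [
    {"type": "power_on", "user": "poll_worker"},
    {"type": "polls_open", "user": "chief_judge"},
    {"type": "ballot_cast", "user": "voter"},
    {"type": "admin_login", "user": "technician"},
    {"type": "ballot_cast", "user": "voter"},
    {"type": "polls_close", "user": "chief_judge"},
]


def build_sample_log() -> EventLog:
    log = EventLog()
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    return log


def tamper_results() -> dict:
    """Run the verifier against an intact log and three tampered copies."""
    log = build_sample_log()
    log.close_polls()
    out = {"intact": verify_log(log.entries, log.seal)[0]}

    modified = copy.deepcopy(log.entries)
    modified[3]["event"]["type"] = "ballot_cast"  # disguise the admin login
    out["modified"] = verify_log(modified, log.seal)[1]

    deleted = copy.deepcopy(log.entries)
    del deleted[3]  # drop the admin login and renumber the rest
    for i, e in enumerate(deleted):
        e["seq"] = i
    out["deleted"] = verify_log(deleted, log.seal)[1]

    truncated = copy.deepcopy(log.entries)[:-2]  # erase the last two entries
    out["truncated"] = verify_log(truncated, log.seal)[1]
    # With no seal yet, the chain alone accepts the shortened log.
    out["truncated_chain_only"] = chain_intact(truncated)[0]
    return out


if __name__ == "__main__":
    for name, result in tamper_results().items():
        print(f"{name}: {result}")
```

The "no normal function should tamper with the event log" point maps onto the API: `EventLog` exposes `append` and `close_polls` only; there is no delete or edit, so any missing or altered entry is by construction an out-of-band act that the verifier reports.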
Barcodes (John Kelsey):
John had sent out a summary of high-level requirements before the meeting (see below). To summarize: requirements should permit barcodes, but it must be possible to disable them (this will raise issues because of accessibility); the barcode must be in a public format readable by any barcode reader; and it must contain the full content of the human-readable ballot. Barcodes may contain error correcting codes, digital signatures, and an internal representation of the cast vote record (concerns were expressed about putting the ballot style in the barcode; it should instead contain a link to the ballot definition file). David Wagner said that the major requirement is that it must be possible to recover the human-readable text, for accessibility and for a possible recount. The barcode should be able to generate the human-readable text that would be used to generate the audio read back. David wanted to make a small tweak to the framework proposed by John Kelsey: if the barcode is disabled, the machine should fall back to how audio read back is generated today, from internal memory. Ron Rivest agreed with David's request. Ron pointed out that the auditing requirements for barcodes should be strong. John Kelsey reminded everyone that he had passed out a paper regarding auditing barcodes and asked for feedback.
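As an added example of what the barcode requirements above (and the Kelsey summary below) amount to in practice, the code that follows is not from the meeting or from any vendor: it builds a barcode payload in a public, fully specified format, recovers the cast vote record from that payload using only the ballot definition, and renders the same human-readable text that would be printed on the paper record and spoken by audio read back. The format tag "CVR1", the ballot definition, the signing key and the use of HMAC in place of a real digital signature are all assumptions for illustration. The physical symbology and any error-correcting code are left to the barcode layer; the string returned by `encode_cvr` is what would be encoded. Write-ins are carried in full, and the optional ballot identifier is omitted unless explicitly requested, so it can be switched off.

```python
import hashlib
import hmac
import json

FORMAT_TAG = "CVR1"  # hypothetical public format identifier
SIGNING_KEY = b"precinct-device-signing-key"  # assumption; stands in for a signature key

# Constructed ballot definition for one ballot style (not a real jurisdiction).
BALLOT_DEF = {
    "id": "style-12",
    "contests": [
        {"title": "Mayor", "choices": ["A. Smith", "B. Jones"], "write_in": True},
        {"title": "Council District 4", "choices": ["C. Lee", "D. Park"], "write_in": True},
        {"title": "Measure 3", "choices": ["Yes", "No"], "write_in": False},
    ],
}


def _sign(body: str, key: bytes) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def encode_cvr(cvr: list, ballot_def: dict, key: bytes = SIGNING_KEY, ballot_id=None) -> str:
    """Build the barcode payload: format tag, ballot-definition id, one entry per contest, signature.

    cvr[i] is a choice index, the string "w:<text>" for a write-in, or None for no selection.
    """
    if len(cvr) != len(ballot_def["contests"]):
        raise ValueError("CVR does not match ballot definition")
    for sel, contest in zip(cvr, ballot_def["contests"]):
        if isinstance(sel, int) and not 0 <= sel < len(contest["choices"]):
            raise ValueError(f"bad choice index in {contest['title']}")
        if isinstance(sel, str) and not (sel.startswith("w:") and contest["write_in"]):
            raise ValueError(f"write-in not allowed in {contest['title']}")
    record = {"f": FORMAT_TAG, "d": ballot_def["id"], "v": cvr}
    if ballot_id is not None:  # identifiers are optional so they can be turned off
        record["i"] = ballot_id
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return body + "|" + _sign(body, key)


def decode_payload(payload: str, ballot_def: dict, key: bytes = SIGNING_KEY) -> list:
    """Recover the CVR from a scanned payload; reject forged or mismatched records."""
    body, _, sig = payload.rpartition("|")
    if not hmac.compare_digest(_sign(body, key), sig):
        raise ValueError("signature check failed")
    record = json.loads(body)
    if record.get("f") != FORMAT_TAG or record.get("d") != ballot_def["id"]:
        raise ValueError("payload is not for this ballot definition")
    return record["v"]


def render_human_readable(cvr: list, ballot_def: dict) -> str:
    """Text printed on the paper record and used for audio read back."""
    lines = []
    for sel, contest in zip(cvr, ballot_def["contests"]):
        if sel is None:
            text = "(no selection)"
        elif isinstance(sel, str):
            text = "Write-in: " + sel[2:]
        else:
            text = contest["choices"][sel]
        lines.append(f"{contest['title']}: {text}")
    return "\n".join(lines)


def roundtrip(cvr: list, ballot_def: dict = BALLOT_DEF, ballot_id=None) -> bool:
    """True if the text recovered from the barcode equals the text printed from the CVR."""
    payload = encode_cvr(cvr, ballot_def, ballot_id=ballot_id)
    recovered = decode_payload(payload, ballot_def)
    return render_human_readable(recovered, ballot_def) == render_human_readable(cvr, ballot_def)


def tampered_is_rejected(cvr: list, ballot_def: dict = BALLOT_DEF) -> bool:
    """Flip the Measure 3 vote inside the payload without re-signing; decoding must fail."""
    payload = encode_cvr(cvr, ballot_def)
    body, _, sig = payload.rpartition("|")
    record = json.loads(body)
    record["v"][2] = 1 - record["v"][2]
    forged = json.dumps(record, sort_keys=True, separators=(",", ":")) + "|" + sig
    try:
        decode_payload(forged, ballot_def)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sample = [1, "w:E. Nguyen", 0]  # constructed CVR
    print(encode_cvr(sample, BALLOT_DEF))
    print(render_human_readable(decode_payload(encode_cvr(sample, BALLOT_DEF), BALLOT_DEF), BALLOT_DEF))
```

Because the payload carries only choice indices plus the ballot-definition id, the decoder cannot produce candidate names without the definition file, which is the "link to the ballot definition" point raised above; an auditor comparing the barcode against the printed text therefore needs the same definition the device used.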
Read back for Non-DRE Equipment (David Wagner):
David was concerned that the committee hasn't thought about read back for opscan machines or for electronic ballot markers. These pose major challenges. Some challenges for OCR would be multiple columns, a race that spans multiple columns, and write-ins. How do we handle the read back? Do we use a separate device? Do we hook up an audio output to the opscan machine? What happens if the voter doesn't like the read back and the ballot has already been scanned in? [NOTE: Ron pointed out that the read back mechanism is required for the Access-VS, not for all systems.] Sharon Laskowski pointed out that you could use barcodes or OCR on the ballot to do read back. Separate electronic ballot markers could also be used to read what was filled out on the ballots.
A requirement will be written stating that the read back must accurately read back what is on the printout, that there must be independent read back capability, and that there must be trusted hardware to do the read back. The requirements as written must be very clear for vendors and testing labs. Currently, as written, the requirement does not call for independent read back or say anything about confidence.
Future Meetings (Nelson Hastings):
Two meetings next week: May 8th and May 10th. The agenda for May 8th will possibly include access control, EML, OEVT, and integrity management. For May 10th, the discussion will be about audit strategy requirements; this is critical to discuss before the TGDC meeting.
Kelsey E-mail Bar Code Summary:
Barcode = machine-readable, non-human-readable printed thing. (It might not always look like a barcode, but I expect it probably will.)
OCR = Optical Character Recognition = technology for a machine to read normal text that humans can read.
IDV = Using two machines to check one another's work, so that machine A audits machine B's totals, and as long as either A or B is honest, problems will be discovered.
SI = Software Independence = using humans to check the work of machines, so that even if all the software used is corrupt, any fraud is almost certain to
Here are the requirements I think we have, based on an exchange between me and Whitney:
1 Barcodes may be used, but must be possible to disable in accordance with local law.
   a. Issue: This may interfere with the ability of the voting machine to support verification for blind voters. This may require OCR or some such thing, which may not be practical. We need to get feedback on this from people who have done OCR in the field on this level.
2 Barcodes shall be in a public, fully-specified format.
3 Barcodes shall contain the full content of the human-readable ballot.
4 Barcodes may contain only the following information not in the human-readable ballot:
   a. Error correcting codes, digital signatures, etc.
   b. Ballot identifiers (these must be possible to turn off)
5 It shall be possible to read the barcode and recover an internal representation of the CVR, possibly using the ballot definition.
   a. This allows reproduction of the audio ballot.
   b. This allows reproduction of the human-readable part of the paper ballot.
   c. This allows counting.
6 The barcode and human-readable records shall appear on the same piece of paper.
   a. This assumes that a single ballot must never be spread across multiple sheets of paper--sensible, but it does limit the use of off-the-shelf printers/printer paper in VVPAT voting systems.
7 Auditing processes shall be supported and documented.
   a. If you want to use one set of software to test the answers given by another (IDV is your goal), you can do:
   b. If you don't want to trust software without verifying the final answer (SI is your goal):
8 Accessibility Requirement: accessible VVPAT shall include barcode reader or OCR reader, which reads back contents of paper record for verification.
ballots may be supported. In this case, unique ballot identifying information shall be printed in human-readable form, and also in barcode form
[* Pursuant to the Help America Vote Act of 2002, the TGDC is charged with directing NIST in performing voting systems research so that the TGDC can fulfill its role of recommending technical standards for voting equipment to the EAC. This teleconference discussion is for the purposes of the STS subcommittee of the TGDC to direct NIST and coordinate its voting-related research relevant to the VVSG 2007. Discussions on this telecon are preliminary and do not necessarily reflect the views of NIST or the TGDC.]