Technical Guidelines Development Committee (TGDC)
Security and Transparency Subcommittee (STS) Teleconference *
May 10, 2007, 11:45 a.m.

Draft Agenda

1) Administrative Updates
2) Discussion of audit strategy requirements including electronic and paper record requirements
3) Finalize outstanding issues related to Access Control requirements
4) Other items
5) Next call Thursday, May 15, 2007 at 10:30AM

Attendees: Allan Eustis, Barbara Guttman, Bill Burr, David Wagner, John Kelsey, John Wack, Nelson Hastings, Paul Miller, Ron Rivest, Sharon Laskowski

Administrative Updates (Allan Eustis):

  • We are in the process of setting up a meeting with the subcommittee chairs and co-chairs and the EAC for next Thursday.
  • At the STS meeting next week, we need to discuss future teleconference schedule.

Audit of Electronic Records and VVPR (John Kelsey):

This draft chapter (prepared by John Kelsey) was distributed several days before the meeting for feedback. At the meeting, John went over major items where he would like comments:

The first part of the document covers general security requirements that a paper record has to contain, what it has to do, and how it is to be processed. The first section applies to ALL voter verifiable paper records. (General requirements apply to machine marked and human marked ballots, specific requirements probably only impact machine marked.) General requirement is that paper records must contain enough information so that there is no ambiguity in how to interpret the record when performing an audit. The high level requirements may not be testable, and so a layer of sub-requirements may be necessary.

John had a question regarding his requirement on the durability of paper. This should be removed (per John Wack) as it is covered by the core requirements chapter.

Other general requirements are covered in specific requirements. For example, machine readable encoding - requirements cover must be included and optional inclusions.

The requirement regarding public format was discussed - should all non-human readable text be in a public format. This requirement brought up the issue of the use of barcodes. John Wack suggested two options: either not allow barcodes or if allowed, add requirements to more publicly document protocol and publish warnings. Concern was shared over having the same information on a ballot in two different formats. Also, should there be anything on the ballot that in non-human readable? Some felt there was no security benefit from adding barcodes - barcodes add no benefit when conducting a recount unless there is something wrong with your voting system. Paul Miller discussed the Holt bill and felt that barcodes would accomplish the requirement in that bill about accessibility when verifying records. Barbara Guttman reminded the group that barcodes have been discussed in the past and that STS had agreed to allow them with certain requirements. This will be discussed again at the next STS telecom call.

Next, VVPAT requirements: Some of these requirements will need to be moved or deleted, such as the supply requirements. There is a lot of stuff on error handling. John requested comments about anything that was missing. Are there common errors that leave a voter in a stage where the election official is not sure if they should vote again or not? Also, if you want to correct a vote, can a voter go back or does it need election official intervention? (Wasn't sure how to address these due to state requirements, comments welcome from state election officials.) The voter needs to see whether a vote was accepted or rejected right away - what happens to the paper record if a vote is rejected? Requirements also cover operation requirements, covering the ease of record comparison (easy to look at electronic record on screen and read paper record simultaneously). John requested that group look at what he has for requirements about what needs to be printed on the record and give comments.

Ron Rivest brought up the problem with transporting ballots for individuals with dexterity problems and the privacy issue associated with that issue. John needs to think about that and get back.

Read back requirements are going to be handled by the HFP subcommittee so that will be removed from John Kelsey's document.
Cast vote record correspondence. Some states require a link between electronic records and paper records and some states completely forbid this link. Requirements were written to make sure machines supported this but were able to turn it off.

Privacy requirements: John would like comments. These are technical requirements, not procedural requirements. John Kelsey will look at how to handle provisional ballots.

Precinct count optical scan systems: The requirement was written so that machines were able to batch records in groups of 50 or more if states requested it. This is for unit of auditability.

Cut sheets for DREs. There is a requirement that says you cannot split ballots across sheets. Feedback requested.
Any comments should be sent to John Kelsey via email.

Meeting adjourned at 12:45 p.m.

[* Pursuant to the Help America Vote Act of 2002, the TGDC is charged with directing NIST in performing voting systems research so that the TGDC can fulfill its role of recommending technical standards for voting equipment to the EAC. This teleconference served the purposes of the STS subcommittee of the TGDC to direct NIST staff and coordinate voting-related research relevant to the VVSG 2007. Discussions on this telecon are preliminary and do not necessarily reflect the views of NIST or the TGDC.]

Teleconferences from 2004, 2005, 2006 and upcoming in 2006.


Link to NIST HAVA Page

Last updated: July 25, 2007
Point of Contact

Privacy policy / security notice / accessibility statement
Disclaimer / FOIA
NIST is an agency of the U.S. Commerce Department