STS Teleconference
August 9, 2006

Participants: Allen Eustis, Nelson Hastings, John Wack, Quynh Dang, John Kelsey, Rene Peralta, David Flater Ron Rivest, Angela Orebaugh, Philip Pearce, Adam Ambrogi, Wendy Havens


1) Administrative Updates

2) Summary of USENIX/ACCURATE Electronic Voting Workshop - <>

3) Follow up discussion on software-independence approach

4) Other Items

Administrative Updates:

AE-while away on vacation, inadvertently two meetings were not recorded because of a low battery level in the audio recording device. The minutes of these teleconferences are available for public review on the web site ( We can fill in past discussion item details when discussing items during this conference call.

AE-informed everyone Paul Craft of the TGDC has recently resigned from the TGDC. Letter of appreciation to Paul and recognition of service will be available soon from Dr. William Jeffrey. His NASED Replacement nominee is Paul Miller who is with the State of Washington's secretary of State's office. The vetting process for his appointment should be completed shortly.

JW-discusses issues brought forth from the NIST monthly meeting with the EAC:

  • 2005 VVSG security requirements, current direction in VVSG 2007 VVSG
  • EAC asked for more information on the NSRL; build environment; hold more than hashes in the future? (RR noted problematic issues here- question of what software has to be hashed.)
  • EAC would like know more about where specific voting systems are located within the US (down to county level),sighting, different jurisdictions have different problems. Also EAC will need to notify jurisdiction of re-certification and de-certification related issues.
  • There is a need to address metadata requirements related to voting systems vis a vis robust inventory control.

JW- Noted effort to look at security standards in gaming industry. AE will research security experts in the gambling security area (States of Nevada and New Jersey) and forward names to STS mailing list.

USENIX Electronic Voting Workshop:

NH-summarizes the workshop he attended in Vancouver;

  • good presentation from the keynote speaker
  • included statistical approach to detect fraud
  • importance of exit polls; are they a reliable source
  • if exit polls are too small, do they stay useful
  • talk on source code "very interesting"; open source and disclosed source
  • John Kelsey talks about testing the "hypothesis"
  • Ron Rivest will look into survey reference material and will forward. If sample is random, you can detect anomalies.
  • usable paper records; paper formats
  • read back; pronunciation of names of candidates
  • issue on use of bar codes- layered on a bad design; Populex approach
  • could there be a convergence of EBMS/VVPR here


JK-after looking at relevant memo (below), concern of "what problem" is trying to be solved.

  • direct verification
  • pronunciation of candidates names re: OCR text
  • mechanical (human use) systems
  • concerns worth looking into- don't want to look at just bar codes
  • Question of Populex System that uses a ballot without printing the name of the candidate
  • OP Scan just reads position on ballot and not candidates name
  • Heart of issue here is to detect errors
  • definition of "verification" procedures: we are re introducing directly verifiable records
  • RR noted that being software independent is not a panacea here.
  • John Kelsey will send comments on the document: You still have implicit trade offs here that depend on procedural mechanisms.

JW-will send out useful overlap VVSG areas in which "gaming" requirements might be informative (FIPs modules, etc.)

Next scheduled teleconference:

Wednesday, August 23, 2006 at 10:30 AM EST

Note on Handling of Voter Verified Paper Audit Trail Requirements in VVSG 2007, John Wack
August, 2006

This is a short note whose purpose is to outline an approach to structuring requirements for VVPAT in the VVSG 2007.Some Terminology-

First, I'll address some terminology. I believe that the acronym VVPAT has become associated with today's VVPAT systems, which, I also believe, are not especially usable
or built well. I would like to use a somewhat different term in the VVSG 2007 so as to differentiate the new requirements from today's systems. I think the term 'DRE-Voter Verified Paper Records' is a better term to use to describe its use with DRE systems (DRE-VVPR). I recommend that VVPAT not be used in VVSG 2007.

Overall Presentation Structure

The VVPAT requirements section in VVSG 2005 started out as a self-contained standard. It was subsequently modified so as to reference usability and accessibility requirements in the HFP section, but otherwise, it still contains many workmanship, reliability, interoperability, security, and cryptography requirements that logically would belong in other sections of the VVSG 07.

I recommend that the requirements be better integrated into the VVSG, that is, the VVPAT section should contain only those requirements that pertain specifically to
VVPAT and other requirements be located in their major sections (e.g. Usability, Hardware, etc).

I recommend using the class structure and the appropriate 'applies to' fields in requirements as the preferred way of doing this. Overall, I recommend that Software Independent Approaches be the highest-level category of acceptable voting systems, with IV being one of the approaches. DREVVPR is one example of IV. Another example is Op Scan-VVPR.


I recommend that VVPAT not violate privacy: paper audit trails shall not store voter's cast ballot records sequentially. This was the TGDC's direction in VVSG 2005 but the EAC subsequently decided to permit sequential storage and require stronger procedures for safeguarding the paper rolls (an un-testable and unenforceable requirement).

Bar Codes

I recommend that bar codes to contain cast ballot records no longer be permitted. I believe the bar codes came about because of the recognition that paper rolls are difficult at best to use in audits and therefore use of a bar code would permit relatively simple and
accurate optical scanning. However, voters cannot verify the bar codes and therefore they can't be used in audits unless they are compared against their plain-text equivalents in sufficient numbers. This adds complexity to auditing and doesn't adequately address
the main problem, that being the poor quality and usability of the paper record. I think
the fonts on the paper record should continue to be required to be OCR fonts (as in VVSG 2005). If printed well, the fonts should be adequate and useful in optical



Link to NIST HAVA Page

Last updated: July 25, 2007
Point of Contact

Privacy policy / security notice / accessibility statement
Disclaimer / FOIA
NIST is an agency of the U.S. Commerce Department