VVSG Draft Comments on Volume 3, Chapter 5.2 Electronic Records, Organization for the Advancement of Structured Information Standards

Electronic Records Requirements

Chapter 5: Electronic Records Requirements

5.1 Introduction/Scope
In order to support auditing, a voting system must be able to produce electronic and paper records that contain the needed information in a secure and usable manner. Section XX defines the general requirements on voting systems to support auditing. This chapter addresses the requirements that specifically relate to electronic records and Section XX address the requirements that specifically relate to paper records.
Electronic records include records produced by any type of voting machine such as DREs, Optical Scan tabulators, or electronic management systems. They typically include records such as:
¨ Vote counts;
¨ Counts of ballots recorded;
¨ Information that identify the electronic record;
¨ Event logs and other records of important events or details of how the
election was run on this machine; or
¨ Election archive information.
By ensuring that certain reports are produced, secured, and exported, many attacks
can be guarded against such as:
¨ Tampering with electronic records in transit from the polling place to the
tabulation center.
¨ Tampering with the operation of the tabulation center; or
¨ Altering election records after the totals are determined.
There are two primary types of requirements related to electronic records. The first type addresses what data must be included in the electronic records and the second type addresses securing that data to prevent or detect changes.
The EML Core schema provides definitions of core data elements, e.g. ballot items, counts, names and addresses, that are to be used in the e-voting processes. The core elements can be extended as necessary and localised using Schematron, CAM and/or other validators if specific validation rules are to be applied.
The security of data is handled by the EML Vtoken element and data sealing procedures. This together with the EML Audit Log Schema (480), which has been specifically developed to record and report all activities in the e-voting processes, allows formal tracking of access to and updates of records.
EML also provides a formal minimum information set. It is important to specify not only what should be recorded, but also what should not be recorded. This prevents one part of the voting process compromising a later part by passing malicious or unintended information.

These requirements include those for cryptographically signing electronic records and ensuring that the records are in a publicly-specified format. This chapter specifies requirements on electronic records used to move information about election results between machines within the full voting system, to support required auditing steps, and to report votes to the public.

EML provides a complete record of all the election digital artifacts, from ballots and candidates to votes, counting and reporting. These can be stored to read-only media as a permanent public record of the entire election that can be independently inspected and verified.

5.2 Requirements on Electronic Records and Report

5.2.1 Requirements on All Records Produced by Voting Equipment
The following requirements apply to records produced by the voting system for any exchange of information between machines, support of auditing procedures, or reporting of final results.

 5.2.1-A Records required to be in open format
All electronic records in this chapter SHALL be produced in a fully specified, public format.
The public standard should be from an accredited standards body, such as OASIS, with an applicable open review process and not just a local government appointed body or private vendor provided format or modifications. The standard should accommodate any legally defined data for the election processes plus open international standards for the other data.
The process should include conformance test suites to ensure that the records adhere to the structure definitions and content models of the publicly published standards. When using XML-based record structures like EML, then tools such as Schematron and OASIS CAM can provide strong content checking and conformance tests.

Applies to: Voting Device
Test Reference:
D I S C U S S I O N
Requiring all electronic records to appear in a public format ensures that election officials can read and review the contents of the records with software not provided by the voting system vendor. This permits auditors to get review the data in the records without the need to trust software provided by the vendor.
Using open formats such as W3C XML ensures that records are in a plain and open syntax for which there are huge arrays of available open public tools that can inspect and display the content of the voting digital artifacts. In addition EML can be reviewed and displayed by any XML compatible tool without requiring special code or plug-ins.

Source:
Impact:

 5.2.1-B Records to be capable of being printed
The voting system software SHALL provide the ability to produce printed forms of all records in this chapter. The printed forms SHALL retain all required information as specified for each record type.
All data handled by EML XML schema record types can be sent to specified printers or other output or visual display devices for direct rendering “as is”. In addition specified reports using any type of style sheets can be defined in the EML Structure linkage provided in each schema – so that bespoke human friendly presentation can be made directly from the XML record content.

Applies to: Voting Device
Test Reference:
D I S C U S S I O N
Printed versions of all records in this chapter are either necessary or extremely helpful to support required auditing steps, as specified in the Auditing chapter.
EML XML records can be stored into appropriate database systems after conclusion of the elections, and provide additional post-analysis and audit support through queries and crosscheck independent computations and statistical analysis.

Source:
Impact:

Electronic Records Requirements

5.2.2 Requirements on Records Produced by Voting Machines and Scanners

The following requirements apply to records produced by voting machines and scanners for exchange of information between machines, transmission of results to a central tabulation center, support of auditing procedures, or reporting of intermediate election results.

 5.2.2-A Cryptographic Protection of Records from Voting Machines
All electronic records from voting machines in this chapter SHALL be digitally signed with the Election Signature Key, and SHALL include a certificate linking the records to the source machine’s long-term signing key and ID.
This requirement can be met by use of the Seal element provided in the EML schemas.

Applies to: Voting Device
Test Reference:
D I S C U S S I O N
The Cryptography chapter specifies the production of the Election Signature Key (ESK), a per-election signing key; these keys are used to sign records from a single election. The Election Public Key Certificate links the per-election signing keys to a permanent per-machine signing key, and a unique identification of the machine which generated the key and the record. The digital signatures address the threat that the records might be tampered with in transit or in storage. The certificate linking each record to a machine addresses the threat that a legitimate electronic record might be misinterpreted as coming from the wrong voting machine or scanner. The use of per-election keys to sign these records addresses the threat that a compromise of a voting machine before or after election day might permit production of a false set of records for the election, which could then be reported to the tabulation center.
Source:
Impact:

 5.2.2-B Requirement to Verify Signed Records
The tabulation center SHALL verify the correct receipt of electronic records from voting machines and scanners. For each voting machine which produces electronic records according to this standard, the tabulation center SHALL verify that the election ID, timestamp, and digital signature are correct before accepting the record.
This requirement can be met by use of EML schema 480 in addition to the Vtoken support in each individual ballot record such in EML 440 ballot records.

Applies to: Click here to add the Applies to text
Test Reference: Click here to add the Test Reference
D I S C U S S I O N
The digital signature applied to the electronic records from the voting machines is only useful if it is verified before the tabulation center accepts electronic records.
Source:
Impact:

 5.2.2-C Electronic records poll opening certificate requirement
Upon opening the polls, the voting machine SHALL produce an Election Public Key Certificate to include the following information:
This requirement can be met by use of EML schema 340 and specifically datatypes PollingPlaceStructure and ProcessingUnitStructure. Provision is also made for handling the recording of software versions as needed.

¨ Date and time at which the polls opened initially for the election.
¨ Serial number and other identifying information of the voting system and cryptographic module.
¨ Precinct and list of ballot styles supported, including hashes of each ballot definition.
¨ Hardware-enforced counter, which is immediately incremented upon being used
¨ Current version of software on the voting system.
¨ Election Signature Key key.
¨ Digital signature with Device Signature Key of the cryptographic module.

Applies to: Click here to add the Applies to text
Test Reference: Click here to add the Test Reference
D I S C U S S I O N
This record exists to strongly bind together the ESK, a per-election key, an initial poll opening time and date, a precinct and set of ballots, and a voting system. The record can be used along with associated records to make sure that each voting system that is supposed to send in some votes get to send in exactly one set of ballots, and that no additional sets of ballots are supported. The record also makes it possible to determine that all the electronic records originated from this voting system. The record can be used to verify that the voting system had the correct set of ballot definitions and styles loaded at the time of the election, and the correct version of software. The inclusion of the counter in this certificate makes it possible to detect any spurious generations of per-election keys, such as might have occurred in the past to attempt to alter another election total. This record is used in combination with others to resist a number of attacks, including attempts to insert additional or altered electronic records into the total. See the Cryptography chapter for more details on the requirements for generating and destroying per-election keys.
In addition to hardware mechanisms for unique counters, paper records with unique sequence bar code values are equivalent. Those bar code values are also coded and can be stored in the EML ballot identification to provide direct correspondence between paper records and digital ones. The coding sequences can be assigned to particular polling places and ensure only those ballots are counted, and only once.

Source: Click here to add the Source
Impact: Click here to add the Impact

 5.2.2-C.1 Electronic records poll opening certificate handling requirement
The voting machine SHALL handle the Election Signature Certificate according to the following:
This requirement can be met by use of EML schema 340 as mentioned above.

¨ The certificate is transmitted to the tabulation center with the other electronic records.
¨ It is stored in the election archive, if available.
¨ It is written to the voting systems event log.
¨ If a printer is available, it should be printed in a format that allows it to be scanned back into a valid certificate.
Applies to: Click here to add the Applies to text
Test Reference: Click here to add the Test Reference
D I S C U S S I O N
Click here and type the discussion about this requirement
Source: Click here to add the Source
Impact: Click here to add the Impact

 5.2.2-D Electronic records poll closing records requirement
Upon closing the polls, the voting machine SHALL produce a report including the following records:
This requirement can be met by use of EML schemas 460 and 470.

¨ Election Signature Key and certificate.
¨ Time and date when the report was generated.
¨ Sufficient information to allow counting of the votes. This may be vote
counts or ballot images, depending on the system.
¨ A digital signature from the Election Signature Key.
Applies to: Click here to add the Applies to text
Test Reference: Click here to add the Test Reference
D I S C U S S I O N
This record exists to carry the results from the voting system back to the tabulation center, where it can be combined with the results from other voting systems to determine a winner in each race. The tabulation center can verify the signatures in both the per-election key and certificate and in this record before accepting the data into the total. This record is sufficient to support random recount audits of paper records. It can be used to verify a correct result from a system under parallel testing. This record can be used to randomly check electronic totals, when the final result is given broken out by voting system or scanner. By requiring inclusion of the per-election key and certificate, and by signing the whole record, this electronic record format entirely eliminates attacks that rely on tampering with electronic records in transit. Because the per-election key is destroyed soon after writing this record, there is no way for an attacker to backdate electronic records when an audit or recount is called for. See the Cryptography chapter for more details on the requirements for generating and destroying Election Signature Keys.

Source: Click here to add the Source
Impact: Click here to add the Impact

 5.2.2-D.1 Electronic records poll closing records handling requirement
The voting machine SHALL handle the poll closing records according to the following:
This requirement can be met by use of EML schemas 460 and 470.

¨ The records are transmitted to the tabulation center with the other electronic records.
¨ It is stored in the election archive, if available.
¨ Its signature is stored in the voting systems event log.
Applies to: Click here to add the Applies to text
Test Reference: Click here to add the Test Reference
D I S C U S S I O N
Click here and type the discussion about this requirement
Source: Click here to add the Source
Impact: Click here to add the Impact

 5.2.2-E Electronic records summary count record requirement
The voting machine SHALL produce a summary count report including the following:
This requirement can be met by use of EML schema 510.

¨ Election Signature Key and certificate
¨ Time and date at poll closing
¨ List of ballot styles voted and for each style, how many ballots are stored.
¨ Number of spoiled ballots, if any.
¨ Ballots not yet properly counted (i.e. provisional ballots)
¨ For each ballot question:
¨ Number of ballots voted that included the question
¨ Number of votes for each candidate for this question
¨ Number of votes for some write-in for this question
¨ Digital signature
Applies to: Click here to add the Applies to text
Test Reference: Click here to add the Test Reference
D I S C U S S I O N
The summary count record gives a summary of the results of voting on this voting system of scanner, the result of the election that would result if only this voting system’s votes were counted. This summary is preliminary because provisional ballots and write-in votes may be included in the records stored by the voting system, but may not yet be able to be counted. This record can be printed (with digital signatures encoded into printable characters) and can also be stored electronically. This record exists to allow checking of the final totals, based on their agreement with local totals from the voting systems, without the need to entirely trust the computers and workers at the tabulation center. For voting systems that send a set of ballot images to the tabulation centers, this summary should in general be safe to publish, whereas the set of ballot images is not safe to publish. This record is not complete because provisional and write-in ballots require human intervention to count. However, the set of all such records will yield an approximate election result. This record does not provide much security benefit when used with instant runoff voting (IRV). This record is sufficient to support random recount audits of paper records. It can be used to verify a correct result from a system under parallel testing. This record can be used to randomly check electronic totals, when the final results are given broken out by voting system or scanner. It can be published for each voting system, along with corrected final totals for each precinct and for absentee ballots, to show how the final election outcomes were computed. When published for each voting system and included in a summary of final election outcomes, this record blocks the class of attacks that involves tampering with the tabulation center computer. It provides an auditing process in which the records can be used by election official and observers to catch any misbehavior in the tabulation center with high probability.
A further safeguard can be provided by EML using the schema 410 ballot layout image and ID references to create counting records resistant to attacks involving exposed plain text party and other affiliation information. The interim schema 510 totals therefore reflect only those 410 reference ID values, and only the schema 520 election results fully expose all party and affiliation information. Those schema 410 ballot layout images would be excluded from all computer systems except the one secure central election result reporting system. This prevents the counting software and the local voting software from knowing plain text information about the ballot choices and election outcomes.

Source: Click here to add the Source
Impact: Click here to add the Impact

 5.2.2-E.1 Electronic records summary count record handling requirement
The voting machine SHALL handle the summary count record according to the following:
This requirement can be met by use of EML schema 510.

¨ The record is transmitted to the tabulation center with the other electronic records.
¨ It is stored in the election archive, if available.
¨ It is stored in the voting systems event log.
Applies to: Click here to add the Applies to text
Test Reference: Click here to add the Test Reference
D I S C U S S I O N
Click here and type the discussion about this requirement
Source: Click here to add the Source
Impact: Click here to add the Impact

 5.2.2-F Collection of cast vote records requirement
The voting machine SHALL produce a collection of cast votes recorded, including the following election:
This requirement can be met by use of EML schemas 440 and 460.

¨ Election Signature Key and certificate
¨ Time and date at poll closing
¨ The set of cast vote records recorded from this election by this voting machine, in randomized order. For each vote, this includes:
¨ Precinct, election district, and ballot style
¨ The vote as recorded on each ballot question
¨ Undervotes as recorded on each ballot question
¨ Write-in information as recorded on each ballot question
¨ Information specifying whether the ballot is provisional, and providing identifying information if so.
¨ Digital signature
Applies to: Click here to add the Applies to text
Test Reference: Click here to add the Test Reference
D I S C U S S I O N
The collection of cast vote records contains the full set of votes that were recorded by the machine. This is required to support instant runoff voting, and is extremely useful in investigating possible problems in an election.
Source: Click here to add the Source
Impact: Click here to add the Impact

 5.2.2-F.1 Collection of cast votes handling requirement
The voting machine SHALL handle the collection of cast votes record according to the following:
This requirement can be met by use of EML schema 460.

 5.2.2-G Electronic records event log report requirement
The voting machine SHALL produce an event log report with the following information:
This requirement can be met by use of EML schema 480.

¨ Election Signature Key and certificate
¨ Event log data from poll opening until poll close
¨ Signature
Applies to: Click here to add the Applies to text
Test Reference: Click here to add the Test Reference
D I S C U S S I O N
Event log formats and requirements are specified in the System Integrity Management and System Event Logging chapters. The event log contains a listing of security-relevant events (such as installation of new software) and procedure relevant events (such as the opening of the polls). The purpose of event logs is to leave a permanent trail of anomalies and misbehavior, so that these may be discovered later. Event logs must not include sufficient information to reconstruct the order of votes or to determine how any voter voted. The event logs support detection of problems by both manual and automated scanning. They also support investigation of any problems discovered. Event logs cannot rule out software tampering and related attacks, but make them more difficult to carry out without detection. Event logs can detect failure to follow procedures and even some lowtech attacks by pollworkers.
Source: Click here to add the Source
Impact: Click here to add the Impact

 5.2.2-G.1 Electronic records event log record handling requirement
The voting machine SHALL handle the event log record according to the following:
This requirement can be met by use of EML schema 480.

¨ The record is transmitted to the tabulation center with the other electronic records.
¨ It is retained on the voting system.
Applies to: Click here to add the Applies to text
Test Reference: Click here to add the Test Reference
D I S C U S S I O N
The tabulation center can verify that the event log record is received and that the digital signature and per election key and certificate are valid.
Source: Click here to add the Source
Impact: Click here to add the Impact

5.2.3 Requirements on Records Produced by Tabulation Center Computers

The following requirements apply to the final election tally produced by the tabulation center computers and released to the public.

 5.2.3-A Final election tally report requirement
The tabulation center voting machine SHALL produce a final election tally report.
This requirement can be met by use of EML schema 520.

The report SHALL contain the following information:
¨ The election totals
¨ The total number of ballots, and ballots of each style, precinct, and election district
¨ For each polling place:
¨ The serial numbers and public keys for each voting system used in the precinct. In the case of older equipment that doesn’t support the use of per-election public keys, the serial number SHALL be included.
¨ The Summary Count Record for each voting system used in the precinct. In the case of older equipment that doesn’t support the Summary Count Record, the same summary information is included, but without the digital signature, timestamp, and per election key and certificate.
¨ Any adjustments done to the precinct or polling place counts due to provisional ballots, write-ins, and other special cases.
¨ A digital signature
Applies to: Click here to add the Applies to text
Test Reference: Click here to add the Test Reference
D I S C U S S I O N
The tabulation center record exists to allow checking of the final totals, based on their agreement with local totals from the voting systems, without the need to entirely trust the computers and workers at the tabulation center. The goal is to provide cryptographic support for a process that is currently done in a manual, procedural way, which may be subject to undetected error or tampering. This is the best record to use to support random recount audits of paper ballots and VVPAT records, since it includes resolutions for the special cases at the polling place level to preserve ballot secrecy for provisional ballots. This record can be published for each voting system, along with corrected final totals for each precinct and for absentee ballots, to show how the final election outcomes were computed. Challenges to handling of special cases per precinct can be made and checked base on this record. This report blocks most misbehavior at the tabulation center.
In addition EML supports by use of the schema 410 ballot layout to automatically and externally drive the generation of the EML schema 510 counts and EML schema 520 report without requiring programmers to explicitly internally hard code counting totals and plain text array inside their software. This permits election officials to independently control the ballot setup, counting and reporting operations without involving coding by programming staff. This is especially important for open public voting implementations that use community developed software as opposed to private proprietary software.

Source: Click here to add the Source
Impact: Click here to add the Impact

 5.2.3-B Election tally audit report requirement
The tabulation center voting machine SHALL be capable of producing a report from the election tally which supports auditing requirements.
This requirement can be met by use of EML schema 510.

Return to the NIST HAVA Page

Page created November 2007
Last updated: November 29, 2007
Web site point of contact

Privacy policy / security notice / accessibility statement
Disclaimer / FOIA
NIST is an agency of the U.S. Commerce Department