Chapter 7: Requirements by Voting Activity
7.1 Election Programming
Election programming is the process by which central election officials use election databases and manufacturer system software to logically define the voter choices associated with the contents of the ballots.
There are significant variations among the election laws of the 50 states with respect to permissible ballot contents, voting options, and the associated ballot counting logic.
The EMS SHALL provide for the logical definition of the ballot, including the definition of the number of allowable votes for each contest.
The EMS SHALL be capable of collecting and maintaining
- Offices and their associated labels and instructions;
- Candidate names and their associated labels; and
- Ballot questions and their associated text.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.3.1.1.1.b
The EMS SHALL provide for the logical definition of political and administrative subdivisions, where the list of contest choices or contests varies between precincts.
Applies To: EMS
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.2.6.a and I.2.3.2.b
The EMS SHALL enable central election officials to define multiple election districts.
The EMS SHALL enable central election officials to define and identify contests, contest choices, candidates, and ballot questions using all voting variations indicated in the implementation statement.
Applies To: EMS
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.2.6.b, I.2.2.8.2, I.2.3.2.d
In all systems, the EMS SHALL allow the definition of contests where the voter is allowed to choose at most one contest choice from a list of contest choices.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Implicit in [VSS2002]
In all systems, the EMS SHALL allow the definition of contests where the voter is allowed to vote yes or no on a question.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: New requirement / clarification of [VSS2002] intent
In all systems, the EMS SHALL allow the definition of political parties and the indication of the affiliation and/or endorsements of each contest choice.
Test Reference:Part 3: 5.2 “Functional Testing”
Source: Implicit in [VSS2002]
EMSs of the primary elections device class SHALL support the definition of both party-specific and non-party-specific contests.
Applies To: EMS Λ Primary elections device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2 and glossary
EMSs of the Write-ins device class SHALL support the definition of contests that include ballot positions for write-in opportunities.
Applies To: EMS Λ Write-ins device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.3.1.d
EMSs of the Straight party voting device class SHALL be capable of defining the necessary straight party contest and associated metadata to support the gathering and recording of votes for the slate of contest choices endorsed by a given political party.
Applies To: EMS Λ Straight party voting device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2 and glossary
EMSs of the Cross-party endorsement device class SHALL be capable of defining the necessary straight party contest and associated metadata to support the gathering and recording of votes for the slate of contest choices endorsed by a given political party when a given contest choice is endorsed by two or more different political parties.
Applies To: EMS Λ Cross-party endorsement device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Clarification or extension of existing requirements
EMSs of the Split precincts device class SHALL support the definition of election districts and precincts in such a way that a given polling place may serve two or more election districts.
Applies To: EMS Λ Split precincts device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2 and glossary
EMSs of the N-of-M voting device class SHALL be capable of defining contests where the voter is allowed to choose up to a specified number of contest choices (N(r) > 1, per Part 1: 8.3 “Logic Model (normative)”) from a list of contest choices.
Applies To: EMS Λ N-of-M voting device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2, I.2.3.2.a and glossary
EMSs of the Cumulative voting device class SHALL be capable of defining contests where the voter is allowed to allocate up to a specified number of votes (N(r) > 1, per Part 1:8.3 “Logic Model (normative)”) over a list of contest choices, possibly giving more than one vote to a given contest choice.
Applies To: EMS Λ Cumulative voting device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2, I.2.3.2.a and glossary
EMSs of the Ranked order voting device class SHALL be capable of defining contests where the voter is allowed to rank contest choices in a contest in order of preference, as first choice, second choice, etc.
Applies To: EMS Λ Ranked order voting device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2 and glossary
The EMS SHALL record the election contests, contest choices, issues, and political and administrative subdivisions exactly as defined by central election officials.
Applies To: EMS
Test Reference: Part 3: 5.2 “Functional Testing”
The EMS SHALL record the options for casting and recording votes exactly as defined by central election officials.
Applies To: EMS
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Reworded from [VSS2002] I.2.2.2.1.b / [VVSG2005] I.2.1.2.b
The EMS SHALL verify (i.e., actively check and confirm) the correct recording of election definition data to the persistent storage of the device.
Applies To: EMS
Test Reference: Part 3: 4.3 “Verification of Design Requirements”
DISCUSSION
"Persistent storage" includes nonvolatile memory, hard disks, optical disks, etc.
Source: [VSS2002] I.3.2.3.1.c and e ([VVSG2005] I.4.1.3.1.c and e), expanded to include persistent storage
The EMS SHALL provide for the generation of master and distributed copies of election definitions as needed to configure each voting device in the system.
Applies To: EMS
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Reworded from [VSS2002] I.2.3.2.e
7.2 Ballot Preparation, Formatting, and Production
The EMS SHALL enable central election officials to define ballot styles.
The EMS SHALL be capable of automatically formatting ballots in accordance with the requirements for offices and contest choices qualified to be placed on the ballot for each political subdivision and election district.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.3.1.1.1.a
The EMS SHALL provide for the inclusion in a given ballot style of any contest in which the voter would be entitled to vote.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Extrapolated from relevant requirements in [VSS2002]
The EMS SHALL provide for the exclusion from a given ballot style of any contest in which the voter would be prohibited from voting because of place of residence or other such administrative or geographical criteria.
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
In systems supporting primary elections, this would include the exclusion of party-specific contests that are not votable by the selected political party.
Source: [VSS2002] I.2.3.2.c
The EMS SHALL uniformly allocate space and fonts used for each office, contest choice, and contest such that the voter perceives no contest choice to be preferred to any other.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.3.1.2.c
The EMS SHALL enable central election officials to add jurisdiction-dependent text, line art, logos and images to ballot styles.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Reworded from [VSS2002] I.3.2.3.1.d
EMSs of the primary elections device class SHALL support the association of different ballot configurations with different political parties.
Applies To: EMS Λ Primary elections device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
In paper-based systems, open primaries have sometimes been handled by printing a single ballot style that merges the contests from all parties, instructing the voter to vote only in the contests applicable to a single party, and rejecting or discarding votes that violate this instruction. To satisfy the requirements for primary elections device, the EMS must be capable of associating different ballot configurations with different political parties.
Source: Reworded from [VSS2002] I.2.3.1.1.1.d
EMSs of the Ballot rotation device class SHALL support the production of rotated ballots and/or the activation of ballot rotation functions in vote-capture devices through the inclusion of relevant metadata in distributed election definitions and ballot styles.
Applies To: EMS Λ Ballot rotation device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2 and glossary
EMSs of the Split precincts device class SHALL support the definition of distinct ballot configurations for voters from two or more election districts that are served by a given polling place.
Applies To: EMS Λ Split precincts device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Added precision, based on [VSS2002] I.2.2.8.2 and glossary
The EMS SHALL provide for the generation of master and distributed copies of ballot styles as needed to configure each voting device in the system.
Applies To: EMS
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Reworded from [VSS2002] I.2.2.6.d
The EMS SHALL generate codes or marks as needed to uniquely identify the ballot style associated with any ballot.
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
In paper-based systems, identifying marks would appear on the actual ballots. DREs would make internal use of unique identifiers for ballot styles but would not necessarily present these where the voter would see them.
When different precincts share a common ballot style in a paper-based system, typically it is assumed that the ballots from the two precincts will be kept physically separate, tabulated separately, and attributed to the correct precinct at the time of reporting—even in combined precincts where this imposes procedural overhead.
Source: [VSS2002] I.2.3.1.1.1.e
The EMS SHALL support retention, modification, and reuse of ballot styles within the same election and from one election to the next.
Applies To: EMS
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.3.1.2.e and g
The EMS SHALL prevent unauthorized modification of any ballot styles.
Applies To: EMS
Test Reference: Part 3: 4.5.2 “Security”, 5.4 “Open-Ended Vulnerability Testing”
Source: [VSS2002] I.2.3.1.2.f
7.2.1 Procedures required for correct system functioning
The requirements for voting systems are written assuming that these procedures will be followed.
Paper ballot production: central election officials must verify that paper ballots are produced in accordance with manufacturer specifications.
Paper ballot production quality: central election officials must ensure that paper ballots conform to manufacturer specifications for type of paper stock, weight, size, shape, size and location of field used to record votes, folding, bleed through, and ink for printing. ([VSS2002] I.2.3.1.3.1.c)
Paper ballot field alignment: Central election officials must ensure that the vote response fields can be properly aligned with respect to any ballot marking devices used. ([VSS2002] I.2.3.1.1.2.b)
Paper ballot timing mark alignment: central election officials must ensure that timing marks align properly with the vote response fields. ([VSS2002] I.2.3.1.1.2.c)
7.3 Equipment Setup for Security and Integrity
7.3.1 Logic and accuracy testing
The purpose of logic and accuracy testing is to detect malfunctioning and misconfigured devices before polls are opened. It is not a defense against fraud.[9]
Election personnel conduct equipment and system readiness tests prior to the start of an election to ensure that the voting system functions properly, to confirm that system equipment has been properly integrated, and to obtain equipment status and readiness reports. The content of those reports is defined in Part 1: 7.8 “Reporting”.
All systems SHALL provide the capabilities to:
- Verify that all voting devices are properly prepared for an election and collect data that verify equipment readiness;
- Verify the correct installation and interface of all system equipment;
- Verify that hardware and software function correctly; and
- Segregate test data from actual voting data, either procedurally or by hardware/software features.
Applies To: Voting system
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.3.4.1, I.2.3.5.a2 and b2 (the second a and b, respectively), I.4.4.2.a
All programmed devices SHALL include built-in measurement, self-test, and diagnostic software and hardware for monitoring and reporting the system's status and degree of operability.
Applies To: Programmed device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.2.4.1.j, I.2.2.8.1.a
The EMS SHALL enable central election officials to test that ballot styles and programs have been properly prepared and installed.
Applies To: EMS
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.2.6.f, I.4.4.2.c
Programmed devices SHALL include a capability to automatically verify that the software and ballot styles have been properly selected and installed in the equipment and immediately notify an election official of any errors.
Applies To: Programmed device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
Examples of detectable errors include use of software or data intended for a different type of device and operational failures in transferring the software or data.
Source: [VSS2002] I.2.3.3.b, I.4.4.2.c
Programmed devices SHALL include a capability to automatically verify that software correctly matches the ballot styles that it is intended to process and immediately notify an election official of any errors.
Applies To: Programmed device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.3.3.c, I.4.4.2.c
Programmed tabulators SHALL provide the capability for central election officials or election judges to submit test ballots for use in verifying the integrity of the system.
Applies To: Programmed device Λ Tabulator
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.3.3.s, generalized from DREs; I.4.4.2.d and f
Paper-based tabulators SHALL support testing that uses all potential ballot positions as active positions.
Applies To: Paper-based device Λ Tabulator
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.3.4.2.a, I.4.4.2.f
Paper-based tabulators SHALL support the use of test ballots to test the calibration of the paper-to-digital conversion (i.e., the calibration of optical sensors, the density threshold, and/or the logical reduction of scanned images to binary values, as applicable).
Applies To: Paper-based device Λ Tabulator
Test Reference: Part 3: 5.2 “Functional Testing”
Source: Interpretation of [VSS2002] I.2.3.4.2.b
Paper-based vote-capture devices SHALL include a means of verifying that the ballot marking mechanism is properly prepared and ready to use.
Applies To: Vote-capture device Λ Paper-based device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
In the case of manually-marked paper ballots this requirement is mostly moot. (Sharpen the pencils.)
Source: [VSS2002] I.2.4.1.2.1.a
Logic and accuracy testing functions SHALL introduce no residual side-effects other than audit log entries and status changes to note that the tests have been run with a successful or failed result.
Applies To: Voting device
Test Reference: Part 3: 4.3 “Verification of Design Requirements”, 5.2 “Functional Testing”
DISCUSSION
Status changes required to satisfy Requirement Part 1: 7.4-A and Requirement Part 1: 7.4-B.
Source: [VSS2002] I.2.3.4.1.b2 (the second b), significantly revised
Programmed tabulators SHALL ensure that all test data have been expunged before the logic and accuracy test is logged as successful. If the test data have not been expunged the logic and accuracy test SHALL log as failed.
Applies To: Programmed device Λ Tabulator
Test Reference: Part 3: 4.3 “Verification of Design Requirements”, 5.2 “Functional Testing”
DISCUSSION
Test data must never be reflected in official vote counts for specific contest choices.
Source: [VSS2002] I.2.4.3.3.t / [VVSG2005] I.2.3.3.3.v, generalized from DREs; I.4.4.2.e / [VVSG2005] I.5.4.2.e
7.4 Opening Polls
Programmed devices SHALL provide an internal test or diagnostic capability to verify that all of the tests specified in Part 1: 7.3 ”Equipment Setup for Security and Integrity” have been successfully completed.
Applies To: Programmed device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.1.1.a
Programmed devices SHALL provide for automatic disabling of an untested device until it has been tested.
Applies To: Programmed device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.1.1.b
Paper-based tabulators SHALL include a means of activating the ballot counting device.
Applies To: Paper-based device Λ Tabulator
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.1.2.2.a
Paper-based tabulators SHALL include a means of verifying that the ballot counting device has been correctly activated and is functioning properly.
Applies To: Paper-based device Λ Tabulator
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.1.2.2.b
Programmed vote-capture devices SHALL provide designated functions for opening the poll.
Applies To: Vote-capture device Λ Programmed device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.1.3, generalized
Programmed vote-capture devices SHALL include a security seal, a password, or a data code recognition capability to prevent the inadvertent or unauthorized actuation of the poll-opening function.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.1.3.a
Programmed vote-capture devices SHALL include a means of enforcing the execution of poll-opening steps in the proper sequence if more than one step is required.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.1.3.b
Programmed vote-capture devices SHALL include a means of verifying that the system has been correctly activated.
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.1.3.c
7.5 Casting
These functional capabilities include all operations conducted at the polling place by voters and officials while polls are open.
7.5.1 Issuance of voting credentials and ballot activation
The term “ballot activation” is sometimes used in a broad sense to cover the general activities of (1) determining what type of ballot must be presented to the voter, and (2) activating the voting system to present the ballot style that is appropriate for that voter. In this section, "issuance of voting credentials" is used for the first activity, and “ballot activation” is used exclusively for the second activity.
Voting credentials are those data items sufficient for the voting system to activate the appropriate ballot for the voter. The credentials consist of an indication of the ballot style and ballot configuration as well as any additional ballot options that the voting system may be capable of presenting if selected by the voter, such as a magnified ballot for a voter with low vision. If the voting system is used for provisional voting, the credentials may also include an identifier that effectively would link the voter's identity with the voter’s cast ballot. The credentials must also indicate the election for which the credentials are valid. Lastly, there is usually a code calculated on the credentials so that the voting system can verify their integrity and verify that an authorized activation device issued the credentials.
An activation device (e.g., an epollbook) stores the credentials on a token (e.g., a memory card) so that the voter can carry them to the vote-capture device – a DRE or EBP. Thus, there is typically an “air gap” required between the activation device and the vote-capture device. The requirements in this section do not prohibit, however, the activation device from being connected to a network of DREs or EBPs. In this case, the credentials and token would be represented by whatever signaling and data is exchanged across the network between the activation device and the DREs/EBPs. Credential issuance also may be performed pre-election by a DRE or EBP in a ballot activation mode (for example, a series of memory cards could be activated for certain ballot styles and ballot configurations in advance of opening the polls).
Preserving privacy of the ballot is a paramount consideration in issuance of voter credentials and ballot activation because knowledge of the voter’s identity is involved. The requirements in this section mandate that privacy of the ballot be protected throughout the entire process of Credential issuance and ballot activation, and that no information be maintained in reports or logs that could assist in identifying a voter’s cast ballot (except for provisional voting on a DRE).
Provisional voting using a DRE must, however, “violate” voter privacy because it is necessary to link the DRE’s CVR with the voter’s identity. If an epollbook or other programmable activation device is used also for provisional voting, then it is possible that the epollbook could keep a record of provisional voters and include, with the voting credentials, an identifier associated with each provisional voter’s identification. The DRE might then associate that identifier with that voter’s CVR. This should only happen if the activation device and the vote-capture device are in a “provisional voting” mode; no linkage of voter identity to voter CVRs should be possible otherwise. While this may be an acceptable method for associating a voter’s identity with the voter’s CVR for provisional voting, at the same time this privacy violation is cause for special concern when implemented in software, and the source code associated with these activities on the activation device and the vote-capture device should receive extra scrutiny. As well, this general process should be considered fair game for OEVT.
This section also contains requirements that permit a ballot activation device to connect to an external voter registration database via a network. Network connectivity is inherently difficult to secure and make reliable, therefore the requirements in this section mandate that the external connectivity must be enabled/disabled by an authorized election official, and that a backup mechanism be in place if the connectivity fails. A ballot activation device or DRE/EBP used as an activation device cannot be connected simultaneously to both an internal (to the voting site) network of DREs or EBPs, and an external network. (The ballot activation device cannot include more than one network interface.) Any external network connectivity should be considered fair game for OEVT and, in particular, network vulnerability and penetration testing.
For provisional voting, if the linkage between the voter’s identity and the voter’s CVR is recorded in the external voter registration database, this may also be considered as fair game for OEVT.
7.5.1.1 Credential issuance and ballot activation
Applies To: DRE, EBP
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
All DREs and EBPs, in addition to ballot activators, must support ballot activation, as defined in the following subrequirements.
Source: [VSS2002] I.2.4
DREs or EBPs MAY function exclusively as an activation device and issue ballot activation credentials.
Applies To: DRE, EBP
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
A DRE or EBP could be configured, pre-election, to function exclusively as an activation device. During elections, a DRE or EBP cannot be used as both an activation device and a vote-capture device.
Source: New requirement but existing practice
Activation devices, DREs, and EBPs SHALL enable poll workers either to initiate, or to provide the voter with the credentials sufficient to initiate, a voting session in which the voter may cast or print at most one ballot.
Applies To: Activation device, DRE, EBP
Test Reference: Part 3: 4.5 “Source Code Review”, 5.2 “Functional Testing”
DISCUSSION
A voting session on an EBP may culminate with the printing of the ballot. Activation devices, DREs, and EBPs must prevent re-use of the credentials, e.g., by erasing a memory token used to carry ballot activation information.
Source: [VSS2002] I.2.4.2.d, rewritten to respect the limits of what the system can do
Activation devices MAY create contemporaneous records of credential issuance to a voter. The record, once made, SHALL NOT be able to be modified by the voting system.
Applies To: Activation device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
The voting system must create a record at the time when credentials are issued to voters so that the collection of records can be compared to the number of ballots voted. This may be done if the activation device prints a record, or by using a paper pollbook.
Source: New requirement
Activation devices, DREs, and EBPs SHALL enable poll workers to control the ballot configuration(s) made available to the voter, whether presented in printed form or electronic display, such that each voter is permitted to record votes only in contests in which that voter is authorized to vote.
Applies To: Activation device, DRE, EBP
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
For an electronic display, poll workers control the ballot configuration using an activation device and issuing credentials. See also Requirement Part 1: 7.2-A.2, Requirement Part 1: 7.2-A.3.
Source: [VSS2002] I.2.4.2.a
DREs and EBPs SHALL activate all portions of the ballot upon which the voter is entitled to vote and SHALL disable all portions of the ballot upon which the voter is not entitled to vote.
Applies To: DRE, EBP
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
In paper-based systems, open primaries have sometimes been handled by printing a single ballot style that merges the contests from all parties, instructing the voter to vote only in the contests applicable to a single party, and rejecting or discarding votes that violate this instruction. To use that approach on a DRE or EBP would violate this requirement.
DREs and EBPs SHALL enable the selection of the ballot configuration that is appropriate to a party affiliation declared by the voter in a primary election.
Applies To: DRE Λ Primary elections device, EBP Λ Primary elections device
Test Reference: Part 3: 5.2 “Functional Testing”
Source: [VSS2002] I.2.4.2.f
7.5.1.2 Secrecy of the ballot
Activation devices, DREs, EBPs SHALL preserve secrecy of the ballot throughout the process of issuing credentials and activating the ballot and the keeping of records associated with ballot activation.
Applies To: Activation device, DRE, EBP
Test Reference: Part 3: 4.5 “Source Code Review”, 5.2 “Functional Testing”, 5.4 “Open-Ended Vulnerability Testing”
DISCUSSION
Secrecy of the ballot must be preserved during all operations associated with activation of the ballot, including during the creation of the ballot activation credential and information, during the process of activating the ballot, and in all keeping of associated records, reports, and logs. It must not be possible to identify a voter’s ballot or in some way violate secrecy of the ballot by aggregating records from different devices.
For example, an epollbook cannot retain and associate any information written to a ballot activation token with the voter’s identification information, and a vote-capture device cannot retain information from the token and associate it with the CVR – or else it would be possible to link the sets of records and identify the voter.
Note that Requirement Part 1: 7.5.1.2-A.3 modifies this requirement if the activation device is used with provisional voting on a DRE.
Source: New requirement
In an open primary on a DRE or EBP, the voter SHOULD be allowed to choose a party affiliation in private at the start of the voting session and vote the appropriate ballot configuration (i.e., the choice of affiliation SHOULD be private as well as the selection of votes on the ballot).
Applies To: DRE Λ Open primaries device, EBP Λ Open primaries device
Test Reference: Part 3: 5.2 “Functional Testing”
DISCUSSION
In an open primary, the voter may be able to choose a party affiliation at the start of the voting session, therefore more than one ballot configuration may be available to the voter. The voter should be able to select the ballot configuration corresponding to the voter's chosen party affiliation in privacy.
Source: New requirement
Activation devices SHALL NoT create or retain information that can be used to identify a voter’s ballot, including the order and time at which a voter uses the voting system.
Applies To: Activation device, DRE, EBP
Test Reference: Part 3: 5.2 “Functional Testing”, 5.4 “Open-Ended Vulnerability Testing”
DISCUSSION
The activation device must not create or retain any information that could be used for the purposes of identifying a voter’s ballot, or the time at which the voter arrived at the polls, or the specific vote-capture device used by the voter.
Source: New requirement
Credential issuance, only when used during provisional voting, MAY permit the voter’s name to be associated with the voter’s ballot for the purposes of deciding whether to count the ballot. The mechanism used for this association SHALL itself not identify the voter.
Applies To: Activation device, DRE, EBP
Test Reference: Part 3: 5.2 “Functional Testing”, 5.4 “Open-Ended Vulnerability Testing”
DISCUSSION
For provisional voting, the voter’s identity is associated with the voter’s ballot so as to permit a subsequent decision whether to count the ballot. As an example, the activation device may cre