United States Election Assistance Commission

Chapter 4: Security and Audit Architecture

4.1 Overview

This chapter contains requirements pertaining to independent voter-verifiable record (IVVR) voting systems to ensure that they can be audited independently of their software. As part of this material, this chapter also includes basic requirements for voter-verifiable paper audit trail voting systems (VVPATs) that have been updated from [VVSG2005].

The requirements in this chapter are necessary to ensure that IVVR systems fully meet the definition of software independence (SI). IVVR systems in general meet the SI definition because they produce two records that can be compared against each other: (1) the electronic cast vote record (CVR), and (2) the IVVR, a summary of the electronic CVR that the voter has the opportunity to compare against the voting system’s display of the electronic CVR.

However, additional requirements are still needed to ensure that audits of IVVR systems can be independently verified. IVVR records must be constructed carefully for this purpose, and IVVR systems must produce other supporting records so that auditors can verify that the number of electronic CVRs is correct and that the records are authentic, i.e., produced by the appropriate authorized voting devices. Accordingly, this chapter contains the following sections:

  • Section 4.2: high-level requirements to ensure that IVVR voting systems produce records that can be used in certain general types of independent audits;
  • Section 4.3: requirements for electronic records created and exported by IVVR voting systems; and
  • Section 4.4: requirements for IVVR and for VVPAT and PCOS voting systems that use voter-verifiable paper records (VVPR), i.e., paper IVVR.

17 Comments

Comment by Jake Sherman (General Public)

The software load on these machines MUST be 100% open source software that is available at ALL times for review by the general voting public. This is the only way to ensure full security / stability on each of these systems. Proprietary software simply will not work to these ends unless there has been a full disclosure of ALL lines of the source code by the vendor to the voting public. The public has paid for these machines and should have full access to the source. Thanks, Jake Sherman

Comment by Jerry Lugert (General Public)

If any part of the source code of the system is hidden from public view, it will not be possible to ensure the system's integrity regardless of other measures implemented. This requirement should be on the top of any list of requirements. The binaries distributed to the field should include checksums before, during and after deployment to validate that they match the source code made public. Thanks--Jerry

Comment by Mya Everett (General Public)

It should be a _requirement_ that the source code be made public. Trade secrets should not even be considered when it comes to vote tallying as it is taking place in the public political sphere. Allowing a company to keep their methods secret is allowing them to count ballots behind closed doors and just expecting everyone to "trust" that they didn't cheat. As a member of the voting public I want to know that some big corporation, who inherently has an interest in the outcome of the election, is not allowed to tamper with votes in secret. In addition, there should be a paper trail that can be verified independently of the electronic tallying, especially in the case there is some sort of error with the machines. There should also be full and public disclosure of *any* errors having to do with the machines. Concerns of voter disenfranchisement should be of the utmost importance, and any closures or delays in voting due to system error, power outage, etc. should be duly reported and monitored by both the company in charge of the machines as well as the election supervisor. Furthermore, each machine should have full diagnostics run before the election to make sure it is in proper working order. These diagnostic results need to be monitored and verified independently of the company. What technical support will be present in order to ensure smooth running during election day? What happens if a machine breaks? In addition, I think that whatever company is providing the service should be BARRED FROM GIVING ANY CAMPAIGN CONTRIBUTIONS, and any officer of the company should recuse themselves from political campaigning and contributions. Let's face it, the bottom line is that these people are out to make money, and they stand to make a lot of it. If they want to provide the voting systems that enable us to vote fairly, transparently, and without fear of tampering, they should not be allowed to interact closely with any of the candidates. Period. Good luck, Mya

Comment by Clifford Blalock (General Public)

It is important that the printing requirements also include a requirement that the printouts will still be readable some time (at least two years) after they are printed.

Comment by George Gilbert (Local Election Official)

Chapter 4 4.1—Regarding the definition of "software independence"—"Quality of a voting system or voting device such that a previously undetected change or fault in software cannot cause an undetectable change or error in election outcome." This definition is so broad that it could be interpreted to prohibit the exclusive use of software in recording and tabulating votes thus requiring manual human intervention. At the same time, it ignores the prospect that human intervention could very well "cause an undetectable change or error in the election outcome." This latter point is demonstrated by the contention that hand countable optical scan or VVPAT records meet the qualification of "software independent." There are no quality control or error measurement standards of such hand tabulated "voting systems" and, while the human brain may not be defined as "software" it is certainly less reliable than most software. My layman’s understanding is that electro-mechanical systems that require a high degree of accuracy or monitoring are best monitored or regulated by other electronic systems rather than by human observers (e.g., ballot counters). The concept of "software independence" should encompass the prospect of electronic monitoring using "independent" systems to monitor the voting system’s primary software. It is not clear from the present definition that this is contemplated. I would suggest that, rather than the vague "software independence" criterion, the guidelines pursue the introduction of "independent software" into the electronic voting systems’ backup and audit requirements. This would apply to optical scan systems as well as DRE systems enabling the voter to verify the electronic record of his or her ballot on the "independent software" system.

Comment by Yehuda Lindell (Academic)

The requirement that voting machines be software independent is crucial in order to make sure that elections are reliable. It is pretty much accepted that it is virtually impossible to write completely bug-free software. Therefore, something must be done to ensure election-correctness in the face of such bugs. The proposal that only software-independent systems be used is the perfect answer to this problem. In addition to truly solving one of the most troubling problems of electronic voting (i.e., the problem of buggy or corrupted software influencing the election outcome), this also takes us a big step closer to coming up with systems that increase voter confidence.

Comment by Mike Conklin (General Public)

I have a problem with the fact that there is essentially a paper trail that has the unintended consequence (I hope) of taking away the secrecy from voting. If there is a paper record in sequential order, then it would be quite simple to match the voters to the votes. I think that the system should not allow such a possibility to occur.

Comment by Margaret M. Midling (Voter)

As someone who has run a precinct, I can see where the machines are vulnerable to hacking. Please see to it that we have written votes, rather than depending on machines which have been notoriously and blatantly misused in certain states.

Comment by Grace Lorraine Strochansky (General Public)

I always vote absentee ballot because I am disabled and from what I heard last time, I am not sure that my vote was counted and I want to make sure that my vote counts as an absentee ballot. I would like everything besides computer voting to be checked and double checked. Computers are not safe and can be set up to change our votes to suit whomever has the ability to fix the elections. It happened before and we don't want to let it happen again. Audit is necessary.

Comment by Seth Edelman (Voter)

I can't state emphatically enough that it is critical to our democratic voting process that votes be reviewable without dependence on computer hardware or software. The IVVR must not be permitted to be susceptible to electronic modifications.

Comment by Chris Garvey (Academic)

I oppose the draft guidelines. The guidelines do not explicitly require voter-marked paper ballots or voter-verifiable paper records, so this language is of great importance. Without this specific requirement, the door can be opened to purely software-based verification of voting, which does not restore transparency to our elections. Paper records or paper ballots are the only existing technology that would meet the requirement for an independent voter-verifiable record that cannot be altered by software failure. It is of paramount importance to keep sections that clearly state that the IVVR cannot be changed by a software failure, and that election officials must be able to review the IVVR without using software or a programmable device.

Comment by David Reardon (Academic)

Two general comments. One regarding paper records. Second, regarding securing the programming of electronic units.

1) The paper roll systems currently used on touch screen voting systems are a cheap "quick fix" that frustrates rather than facilitates easy audit. The paper record should be printed on substantial individual card stock, much like the punch card paper, that is easily stacked, oriented, and sheet fed into scanners. In fact, while an electronic preliminary tally should be generated by the vote casting equipment and used for initial reporting, the official count should require a subsequent scan of ALL the printed cards at a county or state center. Obviously, this total should match the electronic tally for all machines in a county or precinct and any discrepancy should be traceable to any particular machine that had a different count than that associated with the cards printed by that machine (as referenced by using a unique machine code for each machine printed on each card).

2) The most proper and secure means of preventing tampering with program code is to segregate program steps (which should be in non-reprogrammable memory) from lookup tables (in reprogrammable memory). In other words, regulations should be developed to REQUIRE of all electronic equipment that the units' functional response to all inputs (program steps) must be in true read-only memory or unalterably embedded, preferably in "potting" (a rubberized sealing that inhibits tampering and clearly leaves evidence of any attempted tampering) or some other material, so as to preclude physical access to the program memory. Obviously, reprogramming the lookup tables should be possible under secure conditions. A key advantage of this system is that any error in the lookup table would be easily spotted simply by instructing the unit to print out a complete copy of the lookup table and the fixed codes associated with each voting option. Moreover, any error in the lookup table would be consistent across all machines in which the lookup table was used. In this recommended approach, all preparation for each election would be limited to inputting a linked set of lookup tables (including precinct, ballot type, voting options, instructions in multiple languages, etc.). The fixed programming would then display and record votes in EXACTLY the same fashion from election to election. Only the lookup table would be subject to alteration. Additionally, while the unit could dump its program for verification purposes, it simply could not be reprogrammed. The design of such a system is not overly complex and it is far more secure than the electronic voting equipment that is currently on the market which values the ability of "upgrading the software" which necessarily includes then the possibility of corrupting the software.

Comment by Andrew Spence (General Public)

It is real simple. All required voting systems should have a VVPR, that can then be placed in a separate audit "box" or other secure container. Anything less than that is an invitation to fraud and makes the legitimacy of the electoral process in this country even more questionable than it already is.

Comment by Malou Roth (Voter)

In order to ensure our votes are confidential, the paper trail system must not be sequential. The voting machines must be able to produce a paper receipt that shows the vote but the record kept for the election place must not be in any ORDER that could be synchronized with the admission information you give when you enter and show your id etc.

Comment by Kathy Dopp (Advocacy Group)

Thank you for giving the public the opportunity to comment. Voting system certification should be conditional based on following certain procedures necessary to ensure the security and accuracy of election outcomes such as routine post-election audits.

Comment by Gerry Peters (Voter)

We need to discard unreliable hackable computer voting machines and go back to simple paper ballots counted by simple unhackable optical scanners. No computers, no modems, but simple paper ballots that can be counted and recounted by hand if necessary and can't be manipulated by software or wireless modems. This type of voting is far simpler than computer voting. How hard is it to understand a pencil and paper? It doesn't require special poll worker training like computerized voting does. And if there are problems with the optical scanners, it only means we just won't get our results so quickly. We can wait. As citizens this is our voice, our vote. More people would vote if they had confidence that their vote is counted. Right now many people feel like our Democracy is all for show and that the votes are manipulated by those in power. Computerized voting has made this far worse. Please let's make thoughtful decisions on this very important issue.

Comment by E Smith/P Terwilliger (Manufacturer)

  • 4.2.1-A. "secure" is untestable.
  • 4.2.1-A.1. "production" and "retention" are untestable/undefined.
  • 4.2.1-A.1. The discussion limits when the audit is practical. It is not clear if this is saying that because of this limit, the audit is optional, or that the listed information (type of ballot, etc.) is required to be provided so that an audit can always be performed.
  • 4.2.2. Typo: "...hand audit of verifies..."
  • 4.2.2-A. "can detect" is undefined/untestable.
  • 4.2.2-A.1. "information to support" is undefined and untestable.
  • 4.2.3-A. This entire requirement is ill-defined. As a minimum, "detectable", "malicious", "correctly" are all undefined and untestable. Please define "final ballot count", "vote totals" and "audit records". Please explain how a report differs from a record.
  • 4.2.3-B. Again, please differentiate "record" from "report".
  • 4.2.4. A "voting system" is not IVVR, a "voting terminal" is.
  • 4.2.4. The narrative here invalidates the requirement of 3.3.1-E.1. Nowhere in 3.3.1-E.1 is it permitted or implied that the "same software base" both allow making choices and then provide the *INDEPENDENT* read-back of them.
  • 4.2.4. The final paragraph is in no way testable or a vendor requirement.
  • 4.2.4-A. How is an "IVVR vote-capture device that supports assistive technology" not the same as an Acc-VS? If they are different, Appendix A should define the differences.
  • 4.2.4-A. The discussion invalidates the requirement of section 3.3.1-E.1.
  • 4.3. "Secure" and "usable" are not defined in the context of this narrative. In particular, how does "usable" differ from "usability"?
  • 4.3. What does it mean to "produce" a record? Is that the same as printing it in a report? Creating it in the first place?
  • 4.3.1. The section heading says "voting devices". The text says "voting system". Which is it?
  • 4.3.1-A. The "discussion" is actually a requirement not otherwise stated. It must be made a new requirement or this section must be rewritten.
  • 4.3.1-C. "digitally signed" is not defined. "Election Signature Key" is not defined. "Election Public Key Certificate" is not defined.
  • 4.3.1-C. The heading indicates this is for voting devices, the text does not so specify.
  • 4.3.2. A DRE (which is not an acceptable device per these VVSG) is not necessarily a tabulator.
  • 4.3.2-A. X.509 is not defined.
  • 4.3.2-A.c. "precinct" should be "reporting context".
  • 4.3.2-A. The last sentence says that the summary count should exclude any challenge ballots. This is contrary to the accepted definition of a challenged ballot as one that is valid during the count but may be shown to be invalid (the opposite of provisional ballots).
  • 4.3.2-A. This appears to contradict or at least confuse the voting system classes and what it means, for instance, to support the write-in class. This section acknowledges that ALL write-in votes are processed post-election, rather than automatically, which appears to violate 4.3.2-C.a. Capturing the time/date violates voter secrecy/anonymity.
  • 4.3.2-C.b.1. Should be "reporting context".
  • 4.3.2-C.b.2. This continues the misconception promulgated in the 2005 VVSG that there ever is such a thing as a rejected ballot image. There is only a ballot image *after* any VVPR is accepted and the ballot image is stored. By definition, there is never a rejected ballot image.
  • 4.3.2-C. This Discussion sentence should be deleted.
  • 4.3.2-C.1.1. "Counting context" should be "reporting context".
  • 4.3.2-C.1.b.2. This continues the misconception promulgated in the 2005 VVSG that there ever is such a thing as a rejected ballot image. There is only a ballot image *after* any VVPR is accepted and the ballot image is stored. By definition, there is never a rejected ballot image.
  • 4.3.2-C.2. "transmitted" is not defined. Does physical transport of a storage device comply?
  • 4.3.2-C.2.b. "Election archive" is not defined.
  • 4.3.2-D. "transmit" is not defined. Does physical transport of a storage device comply?
  • 4.3.2-D. A "record of the transmission" is not defined.
  • 4.3.3. Introduces a brand-new term, a "Precinct EMS". This is not the place for such. If anything, it needs to be included in the class hierarchy presented in Part 1, chapter 2 and in the definitions of Appendix A.
  • 4.3.3-A.b.2. "Election Signature Key certification and closeout record" is not defined.
  • 4.3.3-A.1. "few" is undefined and untestable.
  • 4.3.3-B. "precinct" should be "reporting context".
  • 4.3.4-A.a. "Election Public Key Certificate" is not defined in Appendix A.
  • 4.3.4-A. The discussion very obliquely introduces the term "precinct level EMS". If this is an official term, why is it not in Appendix A?
  • 4.4. "Electronic voting device" is not defined.
  • 4.4.1-A. "Independent" is not defined or testable.
  • 4.4.1-A.1. The basic requirement is impossible; a blind voter will ALWAYS require technology/software to review the record.
  • 4.4.1-A.1. The discussion over-reaches. It relaxes the requirement to be for "most" voters. (Is 50.1% "most"?) It allows that some assistive technology may not allow direct IVVR review. These statements directly conflict with other sections, such as Part 1, Chapter 3.3.1-E.
  • 4.4.1-A.4. "reconstruct" is not defined and is not testable.
  • 4.4.1-A.5. "minimally" is not defined. The test protocol for a 22-month requirement is not defined; in the worst case, it requires any certification to take 22 months minimum.
  • 4.4.1-A.6. "show" is undefined and untestable.
  • 4.4.1-A.7. "procedures or technology" is undefined and untestable. "protect" is undefined and untestable.
  • 4.4.1-A.12. How is the "presence of the voter" to be determined? Contrast to a fled voter and a pollworker completing the ballot, or a person assisting a handicapped voter.
  • 4.4.1-A.13. Accepting or rejecting each page of a long receipt has implications on the setting of how many voided receipts a voter is allowed.
  • 4.4.1-A.17. "Fully disclosed" is not defined.
  • 4.4.2. This section and subsections appear to invert the industry-standard terminology where a DRE is at the top, with an optional VVPAT peripheral device. Now, the DRE/VVPAT combination is to be called "VVPAT".
  • 4.4.2.1-A. "minimally" is untestable.
  • 4.4.2.1-A.a. How does a "voting device" differ from a "vote capture device"?
  • 4.4.2.2-A. As with the 2005 VVSG, what is the purpose of this requirement? These VVSG only allow certification of an entire voting system; adhering to this requirement if anything only serves to reduce the security of the system.
  • 4.4.2.2-A. The requirement title indicates the VVPAT printer is connected to the voting system. First, it is connected to the voting station, Acc-VS, or similar. Second, per 4.4.2, VVPAT is the term for a DRE plus an IVVR printer, so the idea of a VVPAT connected to a voting terminal is backwards.
  • 4.4.2.2-A. The discussion indicates that the requirement is "extended in that only authorized election officials can access that port". That is a hopelessly incorrect statement.
  • 4.4.2.2-C. "clear" is not testable. "suspend" is not well defined.
  • 4.4.2.2-C.c. There is never an electronic CVR until after the voter accepts/casts the ballot, hence this section must be removed.
  • 4.4.2.2-C.d. "protect privacy" is undefined and untestable.
  • 4.4.2.2-C.1. "voter actions" is not defined. For example: Does a sledgehammer count?
  • 4.4.2.3-B. "facilitate", "rapid" and "accurate" are untestable.
  • 4.4.2.3-C.a. "Immediately" is undefined. Is this different from the response times defined in earlier sections?
  • 4.4.2.3-C.b. "Unambiguous" is undefined and untestable.
  • 4.4.2.3-C.a. "In view of the voter". Please explain how this requirement applies to an Acc-VS and a blind voter.
  • 4.4.2.3-C.c. "ballot box" is not defined.
  • 4.4.2.3-D.b. This requirement also exists in the 2005 VVSG without justification. Please provide one, as the accepted way that DRE/VVPAT systems work is that (and in the same manner as optical scan systems), there IS NO cast vote, or cast vote record, before the receipt is accepted. The discussion on this requirement makes no sense.
  • 4.4.2.4-A. An OCR requirement discriminates against the audio-only languages of some Indian tribes that are DOJ-recognized.
  • 4.4.2.4-B.d. Since changing paper rolls is a manual procedure, there is no way to know the roll number.
  • 4.4.2.4-B.e. There is no way for the voting device to know if or when a paper roll is to be changed, hence the only way for this summary line to be present is to print it after every voter. Should we rely on the pollworker to input the fact that the paper was changed?
  • 4.4.2.4-C. Subsections variously use "clear" and "unambiguous". How do these terms differ?
  • 4.4.2.4-E. Subsections variously use "clear" and "unambiguous". How do these terms differ?
  • 4.4.2.4-F.e. This imposes requirements on a cut-sheet receipt that are not present on roll-to-roll receipts. The rationale for this difference must be explained.
  • 4.4.2.4-F.1. This does not allow for a large vote-for number requiring more than one sheet to show all candidate selections.
  • 4.4.2.4-F.2. There are so many things wrong here I don't know where to start. Suggest EAC/NIST should sit down with an industry expert for a few hours rather than creating this stuff in a vacuum.
  • 4.4.2.5-A. "Provide a capability" is not defined.
  • 4.4.2.6. "...are sequentially."
  • 4.4.2.6-A. "Immediately" is not defined.
  • 4.4.2.6-D. "electrically charged" is not defined or testable.

4.2 Requirements for Supporting Auditing

This section presents requirements on voting system devices to provide the capability for certain general types of audits described herein. The audits work together to ensure independent agreement between what is presented to the voters by the IVVR vote-capture devices, what is counted by tabulators, and what is reported by the EMS as a final ballot count and vote totals.

Note: This section does not include requirements on election officials to perform the audits described herein. Audits are considered part of election procedures and cannot be mandated by the VVSG. The requirements in this section focus on ensuring that IVVR voting systems produce records that are capable of being used in independent audits so that the voting systems will meet. It is left to election procedures to mandate whether the audits are to be performed.

Auditing procedures for IVVR systems impose requirements on the voting system in several ways, including:

  1. Some auditing procedures need to reconcile the number of electronic CVRs captured by the voting system against the number of voters who have cast ballots, to confirm that the CVR count is accurate.
  2. Some auditing procedures need specific information or behavior from voting systems in order to be possible or practical. For example, hand auditing the correspondence between IVVR and electronic CVRs is only possible if the voting system produces IVVR and electronic CVRs that include the same information.
  3. Some auditing procedures require certain assurances about the operation of the voting devices in order to be meaningful. For example, the hand audit of the paper and electronic records from VVPATs is meaningful only because voters had the opportunity to both view and verify the paper records.

Accordingly, there are three general types of audits anticipated for IVVR voting systems to ensure that the electronic CVRs and IVVRs fully agree. These are as follows:

  1. Verifying that the number of voters for each reporting context and ballot style agrees with the totals reported by the tabulator. This guards against a tabulator reporting more votes than it had voters, or reassigning some voters to the wrong precinct or ballot style. This type of audit is referred to here as the pollbook audit.
  2. Verifying by hand that the IVVRs agree with the reported totals from the tabulator. This guards against a voting device silently misrecording votes.
  3. Comparing IVVR vote-capture device records against final ballot and vote totals to verify that the electronic records from the tabulators agree with the final reported totals. This guards against a compromised EMS misreporting the final results.
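The three reconciliations listed above, worked through in code. This is an added example written for this page, not code from the EAC, NIST or any voting system vendor. The pollbook counts, CVRs, paper records and EMS totals are constructed sample data, and the record layout (device, reporting context, ballot style, and a contest-to-choice map) is an assumption made for illustration, not the export format the VVSG specifies. Each check returns only the cells that disagree, so an empty result means that audit passed; the hand-count check is kept per device so that a discrepancy is traceable to the vote-capture device that produced it.

```python
"""Three reconciliation audits over constructed election records (added example)."""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

Key = Tuple[str, str]           # (reporting context, ballot style)
Totals = Dict[str, Counter]     # contest -> Counter mapping choice -> votes

# Constructed pollbook: voters checked in, per reporting context and ballot style.
POLLBOOK: Dict[Key, int] = {("P-01", "A"): 3, ("P-01", "B"): 1, ("P-02", "A"): 2}

# Constructed electronic CVRs exported by two IVVR vote-capture devices (D1, D2).
# The record layout (device, ctx, style, votes) is an assumption for this example.
ELECTRONIC_CVRS: List[dict] = [
    {"device": "D1", "ctx": "P-01", "style": "A", "votes": {"Mayor": "Ann", "Q1": "Yes"}},
    {"device": "D1", "ctx": "P-01", "style": "A", "votes": {"Mayor": "Bob", "Q1": "No"}},
    {"device": "D1", "ctx": "P-01", "style": "A", "votes": {"Mayor": "Ann", "Q1": "Yes"}},  # paper says Q1=No
    {"device": "D1", "ctx": "P-01", "style": "B", "votes": {"Mayor": "Bob"}},
    {"device": "D2", "ctx": "P-02", "style": "A", "votes": {"Mayor": "Ann", "Q1": "No"}},
    {"device": "D2", "ctx": "P-02", "style": "A", "votes": {"Mayor": "Bob", "Q1": "No"}},
    {"device": "D2", "ctx": "P-02", "style": "A", "votes": {"Mayor": "Bob", "Q1": "No"}},  # no voter, no paper record
]

# Constructed hand count of the paper IVVRs (the records the voters verified).
PAPER_IVVRS: List[dict] = [
    {"device": "D1", "ctx": "P-01", "style": "A", "votes": {"Mayor": "Ann", "Q1": "Yes"}},
    {"device": "D1", "ctx": "P-01", "style": "A", "votes": {"Mayor": "Bob", "Q1": "No"}},
    {"device": "D1", "ctx": "P-01", "style": "A", "votes": {"Mayor": "Ann", "Q1": "No"}},
    {"device": "D1", "ctx": "P-01", "style": "B", "votes": {"Mayor": "Bob"}},
    {"device": "D2", "ctx": "P-02", "style": "A", "votes": {"Mayor": "Ann", "Q1": "No"}},
    {"device": "D2", "ctx": "P-02", "style": "A", "votes": {"Mayor": "Bob", "Q1": "No"}},
]

# Constructed final totals as reported by the EMS; Q1/No is one higher than the devices support.
EMS_REPORTED: Totals = {
    "Mayor": Counter({"Ann": 3, "Bob": 4}),
    "Q1": Counter({"Yes": 2, "No": 5}),
}


def tally(records: Iterable[dict]) -> Totals:
    """Sum selections into per-contest counters; the auditor redoes the tabulator's arithmetic."""
    totals: Totals = defaultdict(Counter)
    for rec in records:
        for contest, choice in rec["votes"].items():
            totals[contest][choice] += 1
    return totals


def compare_totals(expected: Totals, reported: Totals) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Return {(contest, choice): (expected, reported)} for every cell that disagrees."""
    diffs = {}
    for contest in sorted(set(expected) | set(reported)):
        exp, rep = expected.get(contest, Counter()), reported.get(contest, Counter())
        for choice in sorted(set(exp) | set(rep)):
            if exp[choice] != rep[choice]:
                diffs[(contest, choice)] = (exp[choice], rep[choice])
    return diffs


def pollbook_audit(pollbook: Dict[Key, int], cvrs: List[dict]) -> Dict[Key, Tuple[int, int]]:
    """Audit 1 (pollbook audit): voters checked in vs. CVRs captured, per context and style.
    Flags more CVRs than voters, and CVRs assigned to a context/style that had no voters."""
    cvr_counts = Counter((r["ctx"], r["style"]) for r in cvrs)
    keys = sorted(set(pollbook) | set(cvr_counts))
    return {k: (pollbook.get(k, 0), cvr_counts[k]) for k in keys if pollbook.get(k, 0) != cvr_counts[k]}


def hand_count_audit(paper: List[dict], cvrs: List[dict]) -> Dict[str, Dict[Tuple[str, str], Tuple[int, int]]]:
    """Audit 2 (hand count): paper IVVR tally vs. electronic CVR tally, kept per device
    so that a disagreement is traceable to the vote-capture device that produced it."""
    devices = sorted({r["device"] for r in paper} | {r["device"] for r in cvrs})
    result = {}
    for dev in devices:
        diffs = compare_totals(tally(r for r in paper if r["device"] == dev),
                               tally(r for r in cvrs if r["device"] == dev))
        if diffs:
            result[dev] = diffs
    return result


def ems_audit(cvrs: List[dict], ems_totals: Totals) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Audit 3: sum of the device-level electronic records vs. the EMS's reported final totals."""
    return compare_totals(tally(cvrs), ems_totals)


if __name__ == "__main__":
    print("pollbook audit :", pollbook_audit(POLLBOOK, ELECTRONIC_CVRS))
    print("hand count     :", hand_count_audit(PAPER_IVVRS, ELECTRONIC_CVRS))
    print("EMS audit      :", ems_audit(ELECTRONIC_CVRS, EMS_REPORTED))
```

The sample data is seeded with one discrepancy of each kind: device D2 exported one more CVR than the pollbook has voters for P-02 ballot style A (caught by the pollbook audit and, because the extra record has no paper counterpart, by the hand count as well); one D1 electronic CVR records Q1 differently from its voter-verified paper record; and the EMS total for Q1/No exceeds the sum of the device totals by one. The per-device comparison says which device disagrees, not which record is right; it is the voter's verification of the paper record that makes the paper the reference.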

14 Comments

Comment by Jake Sherman (General Public)

Each e-voting machine should have an independently verifiable paper record of every vote cast.

Comment by Jay Koester (General Public)

External Audit is a key feature in my opinion. As a database administrator I am painfully aware of how easily data can be manipulated and lost. External audit methods are essential to protecting the integrity of the voting system.

Comment by Brian V. Jarvis (Local Election Official)

The 2nd paragraph (starting with "Note:" is missing additional text at the end of the sentence. The sentence currently reads "The requirements in this section focus on ensuring that IVVR voting systems produce records that are capable of being used in independent audits so that the voting systems will meet." So that the voting systems will meet what?

Comment by ted selker (Academic)

"VVPATs is meaningful only because voters had the opportunity to both view and verify the paper records" should be verified with experimental research or deleted. For 1, 2 and 3 to be in the VVSG, tests have to be demonstrated to show that this improves the accuracy of elections. We know of no such research.

Comment by George Gilbert (Local Election Official)

4.2—Regarding the "three general types of audits anticipated for IVVR systems," implicit in the presentation is that all three "verifications" would be required for any given audit. In this context, it is unclear what "b. Verifying by hand that the IVVR agree with the reported totals from the tabulator" means. If by "verifying by hand" some type of manual tabulation of printed IVVRs is intended, this seems to contradict the entire concept of independent electronic voter verifiable records. While the definition of IVVR makes no mention of a paper requirement, this audit requirement reintroduces paper through the back door. Logically, a paper based IVVR, such as VVPAT, should require audit types "a" and "b" while an electronic IVVR should require types "a" and "c." (see comments on remaining section of 4.2 for details)

Comment by Dave Angell (Voting System Test Laboratory)

a. Some auditing procedures need to reconcile that the number of electronic CVRs captured by the voting system is indeed accurate, that this number agrees with the number of voters who have cast a ballots. s/b a. Some auditing procedures need to reconcile that the number of electronic CVRs captured by the voting system is indeed accurate, that this number agrees with the number of voters who have cast ballot(s).

Comment by john brown (Voter)

This website is obviously designed to be virtually totally inscrutable. Clearly, there is no interest in public feedback on these issues. Anyway, I am writing here, as a voter with concern for a flagrant disregard of any semblance of democracy, as evidenced in our last presidential election. The abundance of evidence of voting fraud, and manipulation of ballots, voting access, and voting tally, was apparent through many independent sources. This was even reported in mainstream media, such as the Wall Street Journal, which reported 61,000 substantiated incidences of polling irregularities. The bottom line is, the electronic system, as perpetrated by Diebold, et al., is a fraud, clearly exposed many times in demonstrations by computer professionals, to be subject to hacking in as little as 30 seconds. This is an obvious disruption in the democratic process. Not to mention numerous other practices in the past election, which thwarted efforts of minorities and lower income voters from participating in the democratic process in their areas, due to contrived obstacles which disallowed them from casting their votes. We cannot tolerate continued abuse of public interest with this inequitable system of voting tally. Please ensure that we have only verifiable methods of polling and unrestricted access to the polls for all Americans, in the future. Thank you

Comment by Barbara Snowberger (Voter)

There has to be an independent audit that confirms that the number of votes cast is the same as the number of voters. A paper trail has to be supportive of that issue.

Comment by David Beirne, Executive Director, Election Technology Council (Manufacturer)

This section exposes the inherent disconnect between software independence and the use of an IVVR. Software independence is only achieved in conjunction with a review of the IVVR compared to the electronic record. Although specific mention is made of the role of a post election recount/audit as not subject to the jurisdiction of the VVSG, the intent is clear and could be construed as intrusive into state election administration requirements. What other purpose is there for this section which ensures "that IVVR voting systems produce records that are capable of being used in independent audits" if an independent audit isn’t also required or recommended? This section should be stricken in its entirety as it places the VVSG in the position of serving as an arbiter in potential election disputes. This should be left in the realm of federal and state election laws and the VVSG should avoid the perception that it is recommending policies to election administrators.

Comment by Barbara Snowberger (Voter)

That the number of voters agrees with the tabulator: a pollbook audit captures records against vote totals.

Comment by ACCURATE (Aaron Burstein) (Academic)

This requirement is critical to supporting software independence and should be included in the final guidelines.

Comment by Mary C. Eberle (Advocacy Group)

As a member of Coloradoans for Voting Integrity, Colorado Voter Group, and Paper Tigers, it is clear to me that a voting system that does not fully support hand audits (i.e., on paper ballots and totally separate from computer data) is a potentially fallible system. Auditable voting systems include the ability of the computer to report the results as batches of central counts of early-voted ballots, precinct-voted ballots, absentee ballots, and provisional ballots. The best approach is to presort ballots by precinct (which can be done with machine- and human-readable precinct numbers applied by the voter before casting the ballot). Reporting by precinct allows canvass boards and partisan groups to more easily monitor the results to catch problems caused by hacking or simple mistakes. The batches to be audited can be selected by a suitable (quality-driven) random process and hand audited by a bipartisan team. No voting system that cannot support this type of intense scrutiny should be acceptable in American elections. The American Statistical Association (ASA) has made an official statement to this effect: "All processes and data of US elections should be subject to statistically sound, continuous-quality monitoring and improvement." It is time to add this kind of expertise to our nation's election methods.

Comment by Kathy Dopp (Advocacy Group)

This section should include requirements that the post-election audits described here be performed as a condition of voting system certification. This VVSG statement seems to be not true: "Audits are considered part of election procedures and cannot be mandated by the VVSG." Because: 1. VVSG are voluntary and are not mandated. Any State or jurisdiction may choose to purchase new voting machines which meet the new VVSG or not. 2. Lacking routine procedures to check the accuracy of machine counts, election integrity cannot be assured, no matter how stringent the VVSG. 3. Audits could be required as part of the condition for voting machine certification, as required by the California Secretary of State.

Comment by Kathy Dopp (Advocacy Group)

Comments on Section 4.2 Requirements for Supporting Auditing: This section should include requirements that the post-election audits described here be performed as a condition of voting system certification. This VVSG statement seems to be not true: "Audits are considered part of election procedures and cannot be mandated by the VVSG." Because: 1. VVSG are voluntary and are not mandated. Any State or jurisdiction may choose to purchase new voting machines which meet the new VVSG or not. 2. Lacking routine procedures to check the accuracy of machine counts, election integrity cannot be assured, no matter how stringent the VVSG. 3. Audits could be required as part of the condition for voting machine certification, as required by the California Secretary of State.

4.2.1 Pollbook audit

The purpose of the pollbook audit is to verify that:

  • The total number of ballots recorded by the voting system in some location is the same as the total number of voters who have cast ballots.
  • The total number of ballots recorded for each ballot configuration, and for each reporting context, is the same as the number of such voters authorized to vote with that ballot configuration, in those reporting contexts.

This mitigates the threat that a tampered tabulator (such as a PCOS scanner) might have inserted or deleted votes, and also the threat that it may have assigned some voters the wrong reporting context or ballot configuration to prevent them voting in certain elections or to dilute the effect of their votes.

4 Comments

Comment by ted selker (Academic)

"Such as simply inserting" should be changed to: "Such as inserting." "The hand audit" should be documented and referenced or deleted.

Comment by David Beirne, Executive Director, Election Technology Council (Manufacturer)

Pollbook auditing is not a traditional means of verifying the accuracy of voting machine performance, but rather the accuracy of local procedures in the polling place when issuing ballots to voters based on their assigned ballot style. This section should be stricken as it is not relevant to the performance of the voting system itself.

Comment by Barbara Snowberger (Voter)

The pollbook audit eliminates the possibility of confusing voters by changing the configuration of the ballot, and the malicious intent of using a PCOS scanner to insert or delete votes.

Comment by ACCURATE (Aaron Burstein) (Academic)

The phrase "pollbook audit" as used in this requirement refers to counting pollbook signatures and comparing that count to the vote data reported by the tabulator. The other types of audits with requirements in the draft VVSG are "hand audits of IVVR records" (Part 1:4.2.2), which refers to manually counting audit records and comparing to the vote totals reported by the tabulator; and "ballot count and vote total audit" (Part 1:4.2.3), which refers to manually counting audit records and comparing to the vote totals reported by the EMS. Taken together, these requirements will greatly enhance the auditability of voting systems certified to the guidelines. These requirements cover much of the ground towards achieving auditability of IVVR voting systems; they include requirements by type of audit being performed (pollbook audits, tabulator audits and manual tallies), requirements for electronic audit records, and requirements for physical audit records. Accordingly, they should be adopted by the EAC.

4.2.1-A Voting system, support for pollbook audit

The voting system SHALL support a secure pollbook audit that can detect differences in ballot counts between the pollbooks, vote-capture devices, activation devices, and tabulators.

Applies To: Voting system

Test Reference: Part 3: 4.3 "Verification of Design Requirements", 5.2 "Functional Testing", 5.3 "Benchmarks"

DISCUSSION

The pollbook audit is critical for blocking various threats on voting systems, such as simply inserting additional votes into the voting system. This requirement and its subrequirement are high-level "goal" requirements whose aim is to ensure that the voting system produces records that are adequate and usable by election officials for conducting pollbook audits. This requirement is supported by various other requirements for general reporting and in Part 1:4.3 "Electronic Records". It can be tested as part of the volume tests discussed in Part 1:7.8 "Reporting" and Part 3:5.3 "Benchmarks"; this type of testing may be useful for assessing the usability of the audit records for typical election environments.

Source: [VVSG2005] I.2.1.5.1

5 Comments

Comment by Richard Carback (Academic)

The poll book software is largely independent of the vote gathering and tabulation (unless bound together with activation cards). A better requirement would be that poll books should report the total number of voters for comparison with the other devices, not detect them. Poll book software should be certified independently of the voting system unless bundled together with it. In that case, it should be treated like an activation system, not a poll book. The terminology "secure pollbook" is unnecessary. What is the VVSG's definition of a "secure pollbook"? Does it differ from a pollbook that has been certified?

Comment by Robert Ferraro, SAVEourVotes.org (Advocacy Group)

Before commencing a hand audit to verify the outcome of a race, a poll book audit is critical to determine both that no ballots are missing and that no ballots have been added. In order to have an effective and cost efficient pollbook audit, the ballot counts from the different machines need to be quickly and accurately collected, stored, and compared. The data must be available from the pollbooks and activation devices, as well as from the vote-capture devices and tabulators, in a usable form without transcription. The vote counts should be reported in OASIS Election Markup Language (EML) or some other structured, machine readable format easy to export and then compare. It should be the same format for all makes of equipment.

Comment by David Beirne, Executive Director, Election Technology Council (Manufacturer)

No voting system can support a secure pollbook audit which can detect differences in ballot counts between the pollbooks and the vote-capture devices unless a provider offers such a comprehensive solution. The use of a pollbook audit does not block threats to voting systems such as the insertion of additional votes on voting systems. This may be used as a detection tool to verify the frequency of ballot styles issued from the pollbook versus those recorded on the voting system, but this is not a secure method and is often dependent upon local election administration procedures. This section (4.2.1) should be stricken. The vast majority of pollbooks are paper based and rely upon barcodes to generate data to verify the issuance of ballot styles.

Comment by Kathy Dopp (Advocacy Group)

Comments on 4.2.1-A Voting system, support for pollbook audit: The phrase "support a secure pollbook audit that can detect differences in ballot counts between the pollbooks, vote-capture devices, activation devices, and tabulators." is vague and imprecise. Please make the requirement more specific. For example, who shall be able to detect? How? When? E.g., is it enough for some mechanism inside the voting system to "detect" the differences in such a way that only a technician, computer scientist, or a voting vendor technician can determine the differences in the ballot counts between the pollbooks, vote-capture devices, activation devices, and tabulators? Or must the election official or auditors be able to discern when the voting system detects such differences? Should the voting system be able to produce a report of the differences?

Comment by Verified Voting Foundation (Advocacy Group)

Before commencing a hand audit to verify the outcome of a race, a poll book audit is critical to determine both that no ballots are missing and that no ballots have been added. In order to have an effective and cost efficient pollbook audit, the ballot counts from the different machines need to be quickly and accurately collected, stored, and compared. Assuming machine based poll books are being used instead of paper-based pollbooks, the data must be available from the pollbooks and activation devices, as well as from the vote-capture devices and tabulators, in a usable form without transcription. The vote counts should be reported in OASIS Election Markup Language (EML 5.0 or higher) for all makes of equipment.

4.2.1-A.1 Records and reports for pollbook audit

Vote-capture devices, activation devices, and tabulators SHALL support production and retention of records and reports that support the pollbook audit.

Applies To: Vote-capture device, Tabulator, Activation device

Test Reference: Part 3: 5.2 "Functional Testing", 5.3 "Benchmarks"

DISCUSSION

The pollbook audit is only practical when the number of ballots, and of each distinct type of ballot, is available from both the pollbooks and the tabulators.

Source: [VVSG2005] I.5.4.4
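The reconciliation that 4.2.1-A and 4.2.1-A.1 ask the voting system to support, written out as an added example (this is not VVSG text and not any vendor's code): the script below takes per-reporting-context, per-ballot-configuration ballot counts from pollbook, activation-device, vote-capture and tabulator reports and lists every (context, configuration) pair on which the sources disagree, plus a separate finding when the grand totals disagree. The device names, the record layout and all counts are constructed assumptions for the example.

```python
"""Pollbook audit reconciliation (added example, not VVSG text): compare the
ballot counts reported by pollbooks, activation devices, vote-capture devices
and tabulators per reporting context and ballot configuration."""
from collections import defaultdict

# Constructed sample reports for one polling place. Each record is
# (reporting_context, ballot_configuration, ballots). Device names, record
# layout and all counts are assumptions made for this example.
POLLBOOK = [("precinct-12", "style-A", 412), ("precinct-12", "style-B", 88),
            ("precinct-13", "style-A", 301)]
ACTIVATION = list(POLLBOOK)       # activation devices issued the same ballots
VOTE_CAPTURE = list(POLLBOOK)     # vote-capture devices recorded the same
# The constructed tabulator report shifts two style-A ballots from precinct 13
# to precinct 12: the grand total is unchanged, so a total-only check passes.
TABULATOR = [("precinct-12", "style-A", 414), ("precinct-12", "style-B", 88),
             ("precinct-13", "style-A", 299)]


def totals_by_key(records):
    """Sum ballots by (reporting_context, ballot_configuration)."""
    totals = defaultdict(int)
    for context, style, ballots in records:
        totals[(context, style)] += ballots
    return dict(totals)


def pollbook_audit(sources):
    """sources maps a source name to its list of records.

    Returns a list of findings. Each finding names a (context, style) pair on
    which the sources disagree and gives every source's count; a final finding
    with context and style "*" is appended only when the grand totals differ."""
    per_source = {name: totals_by_key(recs) for name, recs in sources.items()}
    keys = set().union(*(t.keys() for t in per_source.values()))
    findings = []
    for context, style in sorted(keys):
        counts = {name: t.get((context, style), 0) for name, t in per_source.items()}
        if len(set(counts.values())) > 1:
            findings.append({"context": context, "style": style, "counts": counts})
    grand = {name: sum(t.values()) for name, t in per_source.items()}
    if len(set(grand.values())) > 1:
        findings.append({"context": "*", "style": "*", "counts": grand})
    return findings


def grand_totals_agree(sources):
    """The weaker check that only compares total ballots per source."""
    return len({sum(n for _, _, n in recs) for recs in sources.values()}) == 1


SOURCES = {"pollbook": POLLBOOK, "activation": ACTIVATION,
           "vote_capture": VOTE_CAPTURE, "tabulator": TABULATOR}

if __name__ == "__main__":
    for f in pollbook_audit(SOURCES):
        print(f"{f['context']}/{f['style']}: {f['counts']}")
```

With the constructed data, `grand_totals_agree` passes while `pollbook_audit` reports two findings (precinct-12/style-A and precinct-13/style-A), which is the case the 4.2.1 introduction describes: a tabulator that assigns ballots to the wrong reporting context leaves the overall ballot count intact and is only exposed by comparing counts per context and ballot configuration. The reports the requirement asks each device to retain are exactly the per-context, per-configuration records the script consumes.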

2 Comments

Comment by Chris Garvey (Voter)

Centrally based optical scan systems must provide the information to support batch counting in support of audits. In particular, central count optical-scan machines should be able to subtotal and store results for batches of ballots. This feature is especially important for many states where absentee ballots and provisional ballots make up such a large fraction of the total. The cost of an audit depends on several factors, including the number of samples needed. The number of samples needed (and thereby the cost) can be reduced by having smaller audit units. With centrally based optical-scan systems for absentee ballots, it is more cost effective to group the ballots into batches and then consider each batch as a separate audit unit than to consider all the ballots together in one audit unit. Although batching centrally counted ballots can drastically reduce audit costs, some current systems do not support such batching or make it difficult to keep track of batch sub-totals.

Comment by Chris Garvey (Voting System Test Laboratory)

Currently, many states have heterogeneous voting systems with components from several vendors and with a variety of vote capture devices. Even within a given precinct, there are often several different types of vote capture devices; there might be precinct-based optical-scan machines and DRE voting machines at the polling place, and central-count optical-scan machines for absentee and provisional ballots. To conduct effective post-election audits, Election Management Systems must keep vote data by individual machine within each precinct, and be able to export such detailed data from all voting devices in a format that is both easy to read and easy to use in calculations, without transcription, and with each data field clearly identified and explained in a form that can be easily used for further analysis and display -- for example, using the Election Markup Language (EML). Paper ballots for machine-free audits are also needed.

4.2.2 Hand audit of IVVR record

The hand audit verifies that the IVVRs and the reported totals from a tabulator are in agreement. The hand audit addresses the threat that the voting device might record and report results electronically that disagree with the choices indicated by the voter.

6 Comments

Comment by George Gilbert (Local Election Official)

Insertion of the word "hand" here addresses only paper based IVVR. Electronic IVVR do not require "hand" auditing to verify that the IVVR and CVR reported totals are in agreement. Further, a "tabulator" is a programmed device that counts votes according to your definition. What about a human tabulator? Throughout all these sections the use of language is sloppy. In fact there are IVVR "tabulators," CVR "tabulators" and EMS "tabulators." To use the word "tabulator" here in a generic sense has no identifiable meaning.

Comment by Dave Angell (revised) (Voting System Test Laboratory)

The hand audit of verifies that the IVVRs... s/b The hand audit verifies that the IVVRs...

Comment by Dave Angell (Voting System Test Laboratory)

The hand audit of verifies that the IVVRs ...

Comment by Harry VanSickle (State Election Official)

Typographical error – "hand audit of" does not make sense in the sentence as drafted.

Comment by Kathy Dopp (Advocacy Group)

Comments on 4.2.2 Hand audit of IVVR record: Using the term "hand audit" to refer to the process of manually checking IVVR [independent voter verification records] to see that individual tabulators accurately record voter ballots is a confusing misnomer which flies in the face of common usage of the term "manual" or "hand audit" which most persons use to refer to what this VVSG document terms "ballot count and vote total audit". This could be confusing. I suggest that the EAC rename section 4.2.2 "tabulator audit" which would provide more clarity about the target of the audit (similar to your "pollbook" and "vote count" audits) and not conflict with current common usage of the term "hand audit" or "manual audit".

Comment by U.S. Public Policy Committee of the Association for Computing Machinery (USACM) (None)

USACM Comment #17. Section 4.2.2 Hand audit of IVVR record USACM recommends that the first "of" in the first sentence of the discussion in this section should be removed. It does not refer to any specific item and is extraneous to the discussion.

4.2.2-A IVVR, support for hand audit

The voting system SHALL support a hand audit of IVVRs that can detect differences between the IVVR and the electronic CVR.

Applies To: Voting system

Test Reference: Part 3: 5.2 "Functional Testing", 5.3 "Benchmarks"

DISCUSSION

Hand auditing verifies the reported electronic records; IVVRs offer voters an opportunity to discover attempts to misrecord their votes on the IVVR, and the hand audit ensures that devices that misrecord votes on the electronic record but not on the IVVR are very likely to be caught.

Hand auditing draws on the results from the pollbook audit and the ballot count and vote total audit. For example, the hand audit cannot detect insertion of identical invalid votes into both the paper and electronic records of a VVPAT, but the pollbook audit can detect this, since it reconciles the electronic CVR count with the number of voters who cast ballots. Similarly, the hand audit cannot confirm that the summary of reported ballots from the tabulator or polling place agrees with the final election result, but this can be checked by the ballot count and vote total audit.

This requirement and its subrequirement are high-level "goal" requirements whose aim is to ensure that the voting system produces records that are adequate and usable by election officials for conducting audits of IVVR records by hand. It can be tested as part of the volume tests discussed in Part 1: 7.8 "Reporting" and Part 3: 5.3 "Benchmarks"; this type of testing may be useful for assessing the usability of the audit records for manual audits in typical election volumes.

Source: [VVSG2005] I.2.1.5.1

6 Comments

Comment by ted selker (Academic)

"A hand audit of IVVRs that can detect" should be documented and referenced or deleted. "Not the IVVR are very likely to be caught." How likely? Specify. "This requirement and its sub requirements are high level 'goal' requirements whose aim is to ensure": must have demonstrated references to research that hand counting is as reliable and accurate as machine counting to say this.

Comment by George Gilbert (Local Election Official)

The opening statement in the "Discussion" of section 4.2.2-A: "Hand auditing verifies the reported electronic records; IVVR offer voters an opportunity to discover attempts to misrecord their votes on the IVVR, and the hand audit ensures that devices that misrecord votes on the electronic record but not the IVVR are very likely to be caught," is both unverifiable and inconsistent with the concept of independent software based IVVR. First, no studies exist that document that "hand auditing verifies" anything. The only studies I have been able to locate of hand auditing ballots document the degree of variation between the hand and electronic or electro-mechanical tabulation of ballots or between multiple hand tabulations of the same ballots. No study asserts that hand tabulation is more accurate than electronic tabulation nor do any document that one hand tabulation is more accurate than another. Secondly, no hand audit is necessary to catch "misrecorded" votes on "the electronic record" (presumably this should read "CVR") and an electronic IVVR on which the voter has verified that the IVVR was correct. Any discrepancy will show up on the comparison of vote totals between the IVVR tabulation and the CVR tabulation or the EMS tabulation.

Comment by Seth Edelman (Voter)

States can have multiple vote recording systems. Hand audits will be a nightmare unless uniform data output is mandated from all types of systems in a simple, straight-forward, easily understood format like EML.

Comment by Linda Finlay (General Public)

Vote data must be kept for each voting device within each precinct. It must be possible to share such data from all voting devices in a format that is easy to read and easy to use in calculation, without transcription, and explained in a form that can be easily used for analysis and display. Why not EML?

Comment by Mathew Goldstein (Voter)

Some current election management systems (EMS) do not break down results by individual machines within each precinct, and some automatically mix PCOS results and DRE+VVPAT results from each precinct. This makes it difficult, if not impossible, to conduct cost-efficient audits. Therefore, this provision should be strengthened to specify that Election Management Systems must keep vote data by individual machine within each precinct, and be able to export such detailed data from all voting devices in a format that is both easy to read and easy to use in calculations, without transcription, and with each data field clearly identified and explained in a form that can be easily used for further analysis and display -- for example, using the Election Markup Language (EML).

Comment by Kathy Dopp (Advocacy Group)

Comments on 4.2.2-A IVVR [independent voter verifiable record], support for hand audit This VVSG statement seems to be not true: "For example, the hand audit cannot detect insertion of identical invalid votes in both paper and electronic records in a VVPAT, but the pollbook audit can detect this since it reconciles the electronic CVR count with the number of voters who cast ballots" because the pollbook audit cannot necessarily detect insertion of identical invalid votes either. Mismatches between the number of voters who cast ballots and the electronic CVR count can also be due to procedural problems such as allowing voters to cast ballots who did not check in first, or neglecting to record voters in the pollbooks.

4.2.2-A.1 IVVR, information to support hand auditing

IVVR vote-capture devices and tabulators SHALL provide information to support hand auditing of IVVR.

Applies To: IVVR vote-capture device, Tabulator

Test Reference: Part 3: 4.3 "Verification of Design Requirements", 5.2 "Functional Testing", 5.3 "Benchmarks"

DISCUSSION

The electronic summary information from the DRE or scanner, together with the IVVRs, must contain sufficient information to carry out the hand audit. Because the hand audit may be carried out at different reporting contexts (for example, a specific tabulator, a whole precinct, or a polling place may be selected for audit), the voting system must be able to provide reports that support hand auditing at each of the different reporting contexts.

Source: [VVSG2005] I.5.4.4
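The comparison that 4.2.2-A describes, carried out at each of the reporting contexts 4.2.2-A.1 mentions, as an added example (not VVSG text and not any vendor's code): the script below rolls a constructed tabulator report of electronic CVR totals and a constructed hand tally of the same tabulators' IVVRs up to the tabulator, polling-place or precinct level and reports every contest choice on which the electronic and paper totals differ. The context ids, contest names, record layout and all counts are assumptions made for this example.

```python
"""Hand audit of IVVR records (added example, not VVSG text): compare a manual
tally of the IVVRs against the electronic CVR totals each tabulator reports,
at the tabulator, polling-place or precinct reporting context."""
from collections import defaultdict

# Constructed electronic totals, laid out as a tabulator report might list
# them: (precinct, polling_place, tabulator, contest, choice, votes).
# Context ids, contest names and counts are assumptions for this example.
CVR_TOTALS = [
    ("P-12", "PP-1", "TAB-01", "Mayor", "Alice", 210),
    ("P-12", "PP-1", "TAB-01", "Mayor", "Bob", 190),
    ("P-12", "PP-1", "TAB-02", "Mayor", "Alice", 105),
    ("P-12", "PP-1", "TAB-02", "Mayor", "Bob", 95),
    ("P-13", "PP-2", "TAB-03", "Mayor", "Alice", 160),
    ("P-13", "PP-2", "TAB-03", "Mayor", "Bob", 141),
]
# Constructed hand tally of the paper IVVRs from the same tabulators. TAB-02's
# electronic record carries five votes for Alice that its own paper records
# show for Bob, so vote counts still agree and only comparing contents finds it.
IVVR_TALLY = [
    ("P-12", "PP-1", "TAB-01", "Mayor", "Alice", 210),
    ("P-12", "PP-1", "TAB-01", "Mayor", "Bob", 190),
    ("P-12", "PP-1", "TAB-02", "Mayor", "Alice", 100),
    ("P-12", "PP-1", "TAB-02", "Mayor", "Bob", 100),
    ("P-13", "PP-2", "TAB-03", "Mayor", "Alice", 160),
    ("P-13", "PP-2", "TAB-03", "Mayor", "Bob", 141),
]

# Column holding the id of the reporting context a record belongs to.
CONTEXT_COLUMN = {"precinct": 0, "polling_place": 1, "tabulator": 2}


def roll_up(records, context):
    """Aggregate (contest, choice) vote totals at one reporting context.
    Returns {context_id: {(contest, choice): votes}}."""
    col = CONTEXT_COLUMN[context]
    out = defaultdict(lambda: defaultdict(int))
    for rec in records:
        out[rec[col]][(rec[3], rec[4])] += rec[5]
    return {ctx: dict(tally) for ctx, tally in out.items()}


def hand_audit(cvr, ivvr, context):
    """Return {context_id: {(contest, choice): (electronic, paper)}} holding
    only the entries where the electronic total and the hand tally differ."""
    electronic, paper = roll_up(cvr, context), roll_up(ivvr, context)
    mismatches = {}
    for ctx in sorted(set(electronic) | set(paper)):
        e, p = electronic.get(ctx, {}), paper.get(ctx, {})
        diffs = {k: (e.get(k, 0), p.get(k, 0))
                 for k in set(e) | set(p) if e.get(k, 0) != p.get(k, 0)}
        if diffs:
            mismatches[ctx] = diffs
    return mismatches


def vote_counts_agree(cvr, ivvr, context):
    """Count-only check (total votes per contest and context), which a vote
    swap within one contest passes; shown for contrast with hand_audit."""
    electronic, paper = roll_up(cvr, context), roll_up(ivvr, context)
    for ctx in set(electronic) | set(paper):
        e_by_contest, p_by_contest = defaultdict(int), defaultdict(int)
        for (contest, _), v in electronic.get(ctx, {}).items():
            e_by_contest[contest] += v
        for (contest, _), v in paper.get(ctx, {}).items():
            p_by_contest[contest] += v
        if e_by_contest != p_by_contest:
            return False
    return True


if __name__ == "__main__":
    for level in ("tabulator", "polling_place", "precinct"):
        print(level, hand_audit(CVR_TOTALS, IVVR_TALLY, level))
```

Auditing at the tabulator level isolates the discrepancy to TAB-02; auditing at the precinct level still detects it in P-12 but can no longer say which device produced it, which is why the requirement asks for reports at each reporting context rather than only a precinct summary. `vote_counts_agree` shows the complementary point from the 4.2.2-A discussion: a count reconciliation alone does not catch a device whose electronic record disagrees with its paper records in content but not in number.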

19 Comments

Comment by George Gilbert (Local Election Official)

While the definitions of "IVVR" and "IVVR vote capture devices" make no mention of a paper requirement, this "hand" audit requirement appears to reintroduce paper through the back door. If "hand auditing" is intended to require paper records of individual cast vote records, this should be stated explicitly in the definitions so that everyone will know that only paper based voting systems will meet the VVSG. In addition, of course, the VVSG must also offer standards for ensuring the accuracy, within predetermined limits, of the hand "tabulation" system contemplated. It would seem self-defeating to bar the use of electronic tabulation IVVR systems while mandating a hand tabulation system the accuracy of which cannot be verified or tested.

Comment by Robert Ferraro, SAVEourVotes.org (Advocacy Group)

To set up a post-election audit, accurate election results data need to be exported from all voting devices in a format easy to read and easy to use in calculations. Currently, many states have heterogeneous voting systems with components from several vendors and with a variety of vote capture devices. Even within a given precinct, there are often several different types of vote capture devices; there might be precinct-based optical-scan machines for the majority of the voters, touch-screen machines for some handicapped voters, and central optical-scan machines for absentee and provisional ballots. The election result data must be in OASIS Election Markup Language (EML) or some other structured, machine readable format easy to export and then manipulate. It should be the same for all makes of equipment.

Comment by Robert Ferraro, SAVEourVotes.org (Advocacy Group)

Centrally based optical scan systems must provide the information to support batch counting in support of audits. In particular, central count optical-scan machines should be able to subtotal and store results for batches of ballots. This feature is especially important for many states where absentee ballots and provisional ballots make up such a large fraction of the total. The cost of an audit depends on several factors, including the number of samples needed. The number of samples needed (and thereby the cost) can be reduced by having smaller audit units. With centrally based optical-scan systems for absentee ballots, it is more cost effective to group the ballots into batches and then consider each batch as a separate audit unit than to consider all the ballots together in one audit unit. Although batching centrally counted ballots can drastically reduce audit costs, some current systems do not support such batching.

Comment by Sherie Helstien (Voter)

Many states have heterogeneous voting systems with components from several vendors and their vote capture devices are quite varied. Even within a given precinct, there are often several different types of vote capture devices: precinct-based optical-scan machines and DRE voting machines and central-count optical-scan machines for absentee and provisional ballots. In order to conduct effective post-election audits, Election Management Systems must keep vote data by INDIVIDUAL machine WITHIN EACH precinct! They must be able to export such detailed data from all voting devices in a format that is both easy to read and easy to use in calculations without transcription, and with each data field clearly identified and explained in a form that can be easily used for further analysis and display. An example of that would be Election Markup Language or EML. It is necessary, to achieve trustworthy elections, that random hand audits of vote tallies be possible in the simplest, least complicated way possible. These tallies must be able to allow the data to be interpreted and analyzed quickly. This is not (easily) possible now.

Comment by Michael Berla, Ph.D. (Voter)

Election Management Systems must keep vote data by individual machine within each precinct, and must be able to export such detailed data from all voting devices in a format that is both easy to read and easy to use in calculations. Transcription should not be required; each data field must be clearly identified and explained in a form that can be easily used for further analysis and display. Election Markup Language (EML) would be an excellent choice as the uniform language for all jurisdictions.

Comment by Barry G. D'Orazio (General Public)

Currently, many states have heterogeneous voting systems with components from several vendors and with a variety of vote capture devices. Even within a given precinct, there are often several different types of vote capture devices; there might be precinct-based optical-scan machines and DRE voting machines at the polling place, and central-count optical-scan machines for absentee and provisional ballots. To conduct effective post-election audits, Election Management Systems must keep vote data by individual machine within each precinct, and be able to export such detailed data from all voting devices in a format that is both easy to read and easy to use in calculations, without transcription, and with each data field clearly identified and explained in a form that can be easily used for further analysis and display -- for example, using the Election Markup Language (EML).

Comment by Mathew Goldstein (Voter)

Many jurisdictions do not sort absentee ballots according to precinct. This makes a random hand count audit highly impractical. To make the random hand count audit provision workable, central count optical-scan machines should be able to subtotal and store results for batches of ballots. The number of samples needed (and thereby the cost) can be reduced by having smaller audit units.

Comment by Joshua Berk Knox (Voter)

Centrally based optical scan systems must provide the information to support batch counting in support of audits. In particular, central count optical-scan machines should be able to subtotal and store results for batches of ballots. This feature is especially important for many states where absentee ballots and provisional ballots make up such a large fraction of the total. The cost of an audit depends on several factors, including the number of samples needed. The number of samples needed (and thereby the cost) can be reduced by having smaller audit units. With centrally based optical-scan systems for absentee ballots, it is more cost effective to group the ballots into batches and then consider each batch as a separate audit unit than to consider all the ballots together in one audit unit. Although batching centrally counted ballots can drastically reduce audit costs, some current systems do not support such batching or make it difficult to keep track of batch sub-totals -- they should be required to have this capability.

Comment by Andrew Gray (General Public)

This section could be more specific in that every voting record should be traceable to the individual machine (if electronic voting) or precinct location and scanner (if electronic scanning) in order to specifically identify the source of problems during an audit. It is currently difficult in many jurisdictions to do this.

Comment by Joshua Berk Knox (Voter)

To conduct effective post-election audits, Election Management Systems must keep vote data by individual machine within each precinct, and be able to export such detailed data from all voting devices in a format that is both easy to read and easy to use in calculations, without transcription, and with each data field clearly identified and explained in a form that can be easily used for further analysis and display -- for example, using the Election Markup Language (EML).

Comment by katharine cartwright (Academic)

Centrally based optical scan systems must provide the information to support batch counting in support of audits. In particular, central count optical-scan machines should be able to subtotal and store results for batches of ballots. This feature is especially important for many states where absentee ballots and provisional ballots make up such a large fraction of the total. The cost of an audit depends on several factors, including the number of samples needed. The number of samples needed (and thereby the cost) can be reduced by having smaller audit units. With centrally based optical-scan systems for absentee ballots, it is more cost effective to group the ballots into batches and then consider each batch as a separate audit unit than to consider all the ballots together in one audit unit. Although batching centrally counted ballots can drastically reduce audit costs, some current systems do not support such batching or make it difficult to keep track of batch sub-totals.

Comment by katharine cartwright (Academic)

Currently, many states have heterogeneous voting systems with components from several vendors and with a variety of vote capture devices. Even within a given precinct, there are often several different types of vote capture devices; there might be precinct-based optical-scan machines and DRE voting machines at the polling place, and central-count optical-scan machines for absentee and provisional ballots. To conduct effective post-election audits, Election Management Systems must keep vote data by individual machine within each precinct, and be able to export such detailed data from all voting devices in a format that is both easy to read and easy to use in calculations, without transcription, and with each data field clearly identified and explained in a form that can be easily used for further analysis and display -- for example, using the Election Markup Language (EML).

Comment by Verified Voting Foundation (Advocacy Group)

Centrally based optical scan systems must provide the information to support batch counting in support of audits. In particular, central count optical-scan machines should be able to subtotal and store results for batches of ballots. This feature is especially important for many states where absentee ballots and provisional ballots make up such a large fraction of the total. The cost of an audit depends on several factors, including the number of samples needed. The number of samples needed (and thereby the cost) can be reduced by having smaller audit units. With centrally based optical-scan systems for absentee ballots, it is more cost effective to group the ballots into batches and then consider each batch as a separate audit unit than to consider all the ballots together in one audit unit. Although batching centrally counted ballots can drastically reduce audit costs, some current systems do not support such batching or make it difficult to keep track of batch sub-totals.

Comment by George Ripley (Voter)

To achieve trustworthy elections, it is necessary to do random hand audits of vote tallies. Voting systems must allow data to be interpreted and analyzed quickly. Unfortunately, some current election management systems (EMS) do not break down results by individual machines within each precinct, and some automatically mix PCOS results and DRE+VVPAT results from each precinct. This makes it difficult, if not impossible, to conduct cost-efficient audits. In order to be able to aggregate and audit vote totals for different contests, data stored by an Election Management System should be kept at the lowest level of ballot and device granularity appropriate for manual tally audits (i.e., don't mix results from different machines), and the EMS must be able to output this information in a single, standard, well-specified format that can be easily read by people as well as easily processed by computer software. Currently, many states have heterogeneous voting systems with components from several vendors and with a variety of vote capture devices. Even within a given precinct, there are often several different types of vote capture devices; there might be precinct-based optical-scan machines and DRE voting machines at the polling place, and central-count optical-scan machines for absentee and provisional ballots. To conduct effective post-election audits, Election Management Systems must keep vote data by individual machine within each precinct, and be able to export such detailed data from all voting devices in a format that is both easy to read and easy to use in calculations, without transcription, and with each data field clearly identified and explained in a form that can be easily used for further analysis and display -- for example, using the Election Markup Language (EML).

Comment by Christopher Lish (General Public)

To achieve trustworthy elections, it is necessary to do random hand audits of vote tallies. Voting systems must allow data to be interpreted and analyzed quickly. Currently, many states unfortunately have heterogeneous voting systems with components from several vendors and with a variety of vote capture devices. Even within a given precinct, there are often several different types of vote capture devices; there might be precinct-based optical-scan machines and DRE voting machines at the polling place, and central-count optical-scan machines for absentee and provisional ballots. To conduct effective post-election audits, Election Management Systems must keep vote data by individual machine within each precinct, and be able to export such detailed data from all voting devices in a format that is both easy to read and easy to use in calculations, without transcription, and with each data field clearly identified and explained in a form that can be easily used for further analysis and display -- for example, using the Election Markup Language (EML). Many jurisdictions have very high volumes of absentee ballots (30% or more of the overall turnout in an election), and do not sort these ballots according to precinct. Some jurisdictions may count all ballots centrally and not sort them physically by precinct. This means that in such jurisdictions a random audit might either require a hand count of all the absentee or centrally counted ballots, which may be highly impractical. Centrally based optical scan systems must provide the information to support batch counting in support of audits. In particular, central count optical-scan machines should be able to subtotal and store results for batches of ballots. This feature is especially important for many states where absentee ballots and provisional ballots make up such a large fraction of the total. The cost of an audit depends on several factors, including the number of samples needed. The number of samples needed (and thereby the cost) can be reduced by having smaller audit units. With centrally based optical-scan systems for absentee ballots, it is more cost effective to group the ballots into batches and then consider each batch as a separate audit unit than to consider all the ballots together in one audit unit. Although batching centrally counted ballots can drastically reduce audit costs, some current systems do not support such batching or make it difficult to keep track of batch sub-totals.

Comment by Carole Simmons (Advocacy Group)

Currently, many states have heterogeneous voting systems with components from several vendors and with a variety of vote capture devices. Even within a given precinct, there are often several different types of vote capture devices; there might be precinct-based optical-scan machines and DRE voting machines at the polling place, and central-count optical-scan machines for absentee and provisional ballots. To conduct effective post-election audits, Election Management Systems must keep vote data by individual machine within each precinct, and be able to export such detailed data from all voting devices in a format that is both easy to read and easy to use in calculations, without transcription, and with each data field clearly identified and explained in a form that can be easily used for further analysis and display -- for example, using the Election Markup Language (EML).

Comment by ACCURATE (Aaron Burstein) (Academic)

This requirement should clarify the level of audit granularity that conforming voting systems must support. For lower-capacity voting devices, the device level is probably the best level of granularity here as opposed to the level of individual VVPAT-rolls, which might be difficult for a DRE to keep track of. For high-capacity devices such as central-count optical scanners, storing data on the batch level makes more sense. In addition, the VVSG should require support for locating types of ballots to support the auditing context. For example, if a jurisdiction is performing a precinct-level audit, it will need to locate all the ballots for that precinct. For VBM ballots, which are often scanned centrally in batches rather than sorted into precincts, it makes sense for the EMS to provide reports that list in which batch a precinct's VBM ballots are located and how many are in each batch.

Comment by Verified Voting Foundation (Advocacy Group)

To set up a post-election audit, accurate election results data need to be exported from all voting devices in a format easy to read and easy to use in calculations. Currently, many states have heterogeneous voting systems with components from several vendors and with a variety of vote capture devices. Even within a given precinct, there are often several different types of vote capture devices; there might be precinct-based optical-scan machines for the majority of the voters, touch-screen machines provided for accessibility, and central optical-scan machines for absentee and provisional ballots. The election result data should be reported in OASIS Election Markup Language (EML 5.0 or higher) for all makes of equipment.

4.2.3 Ballot count and vote total audit

The purpose of this process is to verify that the ballot counts and vote totals reported by EMSs are correct. This guards against the threat that the EMS used to produce the final results might be compromised. Please see Part 1: 7.8 "Reporting" for information on ballot count and vote total reports.

4.2.3-A EMS, support for reconciling voting device totals

The EMS SHALL support the reconciliation of the tabulator totals and the final ballot count and vote totals according to the following:

  1. A tabulator whose reported totals are not correctly included in the ballot count and vote total reports, and which is audited, SHALL be detectable;
  2. A difference between the final ballot count and vote totals and the audit records for a tabulator that is audited SHALL be detectable;
  3. The disagreements in records SHALL be detectable even when the election management software is acting in a malicious way; and
  4. The EMS SHALL be able to provide reports that support ballot count and vote total auditing for different reporting contexts.

Applies To: EMS

Test Reference: Part 3: 4.3 "Verification of Design Requirements", 5.2 "Functional Testing", 5.3 "Benchmarks"

DISCUSSION

This auditing process, part of the canvassing procedure, is a defense against problematic behavior by the voting device computing the final election ballot count and vote totals. Section 4.3 includes requirements to make this procedure easier to carry out and to add cryptographic protection to the records produced by the voting devices. One complication in making a full voting system support this procedure is the likely mixing of old and new voting devices in a full voting system.

When the specific reporting context used is the same as for the hand audit, the ballot count and vote totals audit and hand audit together verify that the votes that appear on the IVVR correspond to the votes that are reported in the final election result.

This requirement and its subrequirement can be tested as part of the volume tests discussed in Part 1 Section 7.8 and Part 3 Section 5.3.

5 Comments

Comment by Brian V. Jarvis (Local Election Official)

Regarding requirement 4.2.3-A(c). This requirement will not be testable unless the phrase "acting in a malicious way" is specifically defined. A requirement should then be developed for each specified "malicious way."

Comment by George Gilbert (Local Election Official)

I have been supervising post-election audits for twenty years and I have no idea what this section purports to require of a voting system’s EMS. Of particular concern is the lack of definition of "final election ballot count." Where does this count come from? In a real world audit, the pollbook count is compared to the EMS count on a precinct by precinct, or lower level, basis. The chief purpose of this portion of the audit is to identify pollworker errors, which always exist, but catching potential voting system errors also falls within its scope. The section fails, however, to identify which "tabulator" totals are being compared to what source of vote totals and ballot counts. Also, again the hand audit is supposed to "verify" something when there remain no standards by which to verify the hand audit.

Comment by David Beirne, Executive Director, Election Technology Council (Manufacturer)

The use of the term "election management system" here may be better termed as "vote tabulation software". Local users often use election management systems as a separate databased platform used to track all aspects of the election process, not necessarily related to the voting system.

Comment by E Smith/G Umemoto (Manufacturer)

Please clarify the meaning of "when the election management software is acting in a malicious way". Also, how do the labs plan to test this requirement? Make an ersatz version that has some sort of malicious vote counting logic? If so, what would be the specifications of that ersatz version?

Comment by Kathy Dopp (Advocacy Group)

Comments on 4.2.3-A EMS [election management server], support for reconciling voting device totals

The phrase "shall support the reconciliation of the tabulator totals and the final ballot count and the vote totals…" is vague and imprecise. Please make the requirement more specific. E.g. detectable by whom, internally inside the EMS by a computer technician, or by a lay person/auditor? When? How? I am uncertain exactly what is meant. Such uncertainty may be used to subvert the good intentions of the VVSG.

4.2.3-B Records for ballot count/vote total audit

Vote-capture devices, tabulators, and activation devices SHALL produce records that support the ballot count and vote total audit.

Applies To: Vote-capture device, Tabulator, Activation device

Test Reference: Part 3: 5.2 "Functional Testing", 5.3 "Benchmarks"

DISCUSSION

This auditing step requires that electronic summary records from voting devices can be reconciled with the final election ballot count and vote total reports. The ballot count and vote total records must thus be capable of breaking down totals by voting device as well as by precinct and polling place.

Sections 4.3 and 4.4 specify content of the IVVR and electronic records, respectively, needed to support this requirement.
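The reconciliation that 4.2.3-A and 4.2.3-B describe, as an added worked example that is not part of the VVSG draft and not any voting system vendor's code: per-tabulator records obtained independently of the EMS (the kind of record 4.2.3-B asks each device to produce) are compared with an EMS report broken down by device, and the checker flags an audited tabulator that is missing from the report (item 1), a ballot count or vote total that differs for an audited tabulator (item 2), a tabulator in the report that was never deployed, and a grand total that is not the sum of the report's own lines. The record and report structures are assumptions, since the draft specifies content rather than a format; the device identifiers, precinct and batch names, candidate names and all counts are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
)

// DeviceRecord is a constructed stand-in for one tabulator's electronic summary
// record: ballot count and per-candidate totals for one contest, tagged with the
// precinct (or central-count batch) the device served.
type DeviceRecord struct {
	DeviceID    string
	Precinct    string
	BallotCount int
	Votes       map[string]int // candidate -> votes
}

// FinalReport is a constructed stand-in for the EMS ballot count and vote total
// report: the per-tabulator breakdown plus the grand total the EMS published.
type FinalReport struct {
	PerDevice map[string]DeviceRecord
	Total     DeviceRecord
}

// Finding is one detectable disagreement. DeviceID is "" for grand-total findings;
// Field is "missing-from-report", "unknown-device", "ballots" or a candidate name.
type Finding struct {
	DeviceID, Field   string
	Reported, Audited int
}

// unionKeys returns the keys of both maps in a stable order.
func unionKeys(a, b map[string]int) []string {
	seen := map[string]bool{}
	for _, m := range []map[string]int{a, b} {
		for k := range m {
			seen[k] = true
		}
	}
	keys := make([]string, 0, len(seen))
	for k := range seen {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// diffRecords appends a finding for every field on which two records disagree.
func diffRecords(id string, reported, audited DeviceRecord, out []Finding) []Finding {
	if reported.BallotCount != audited.BallotCount {
		out = append(out, Finding{id, "ballots", reported.BallotCount, audited.BallotCount})
	}
	for _, k := range unionKeys(reported.Votes, audited.Votes) {
		if reported.Votes[k] != audited.Votes[k] {
			out = append(out, Finding{id, k, reported.Votes[k], audited.Votes[k]})
		}
	}
	return out
}

// SumRecords adds records together, giving the totals for a reporting context
// such as a precinct, a polling place or the whole jurisdiction (item 4).
func SumRecords(records []DeviceRecord) DeviceRecord {
	sum := DeviceRecord{Votes: map[string]int{}}
	for _, r := range records {
		sum.BallotCount += r.BallotCount
		for k, v := range r.Votes {
			sum.Votes[k] += v
		}
	}
	return sum
}

// Reconcile compares the EMS report with records obtained independently of the
// EMS (each audited tabulator's own results tape or signed export) and with the
// list of tabulators actually deployed. Nothing trusts the EMS beyond its own
// report, which is what lets a disagreement surface even when the EMS software
// is the part misbehaving (item 3).
func Reconcile(deployed []string, audited []DeviceRecord, report FinalReport) []Finding {
	var findings []Finding
	for _, a := range audited {
		r, ok := report.PerDevice[a.DeviceID]
		if !ok { // item 1: an audited tabulator left out of the report
			findings = append(findings, Finding{a.DeviceID, "missing-from-report", 0, a.BallotCount})
			continue
		}
		findings = diffRecords(a.DeviceID, r, a, findings) // item 2
	}
	known := map[string]bool{}
	for _, id := range deployed {
		known[id] = true
	}
	var lines []DeviceRecord
	for id, r := range report.PerDevice {
		if !known[id] { // a tabulator nobody deployed is one way to inject votes
			findings = append(findings, Finding{id, "unknown-device", r.BallotCount, 0})
		}
		lines = append(lines, r)
	}
	// The published grand total must equal the sum of the report's own lines.
	return diffRecords("", report.Total, SumRecords(lines), findings)
}

// SampleCase builds constructed data: three deployed tabulators, two of them audited,
// and an EMS report in which ten absentee-batch votes have moved from Lee to Ortiz.
func SampleCase() ([]string, []DeviceRecord, FinalReport) {
	pcos := DeviceRecord{"PCOS-01", "P-12", 300, map[string]int{"Lee": 160, "Ortiz": 130}}
	batch := DeviceRecord{"CC-BATCH-07", "ABSENTEE", 120, map[string]int{"Lee": 70, "Ortiz": 48}}
	dre := DeviceRecord{"DRE-02", "P-12", 40, map[string]int{"Lee": 22, "Ortiz": 17}}
	report := FinalReport{
		PerDevice: map[string]DeviceRecord{
			"PCOS-01":     pcos,
			"DRE-02":      dre,
			"CC-BATCH-07": {"CC-BATCH-07", "ABSENTEE", 120, map[string]int{"Lee": 60, "Ortiz": 58}},
		},
		Total: DeviceRecord{BallotCount: 460, Votes: map[string]int{"Lee": 242, "Ortiz": 205}},
	}
	return []string{"PCOS-01", "DRE-02", "CC-BATCH-07"}, []DeviceRecord{pcos, batch}, report
}

func main() {
	deployed, audited, report := SampleCase()
	for _, f := range Reconcile(deployed, audited, report) {
		fmt.Printf("%-12s %-20s reported=%d audited=%d\n", f.DeviceID, f.Field, f.Reported, f.Audited)
	}
}
```

The audited records must come from somewhere other than the EMS (the printed results tape, or a signed export of the kind 4.3.1-C describes), otherwise item 3 is empty: an EMS that both produces the report and supplies the records to check it against can make the two agree. The central-count batch CC-BATCH-07 is its own audit unit, which is the batch-level granularity the comments above ask for, and SumRecords over the devices of precinct P-12 gives the precinct-level figures a hand audit in that reporting context would be compared with.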

4.2.4 Additional behavior to support auditing for accessible IVVR voting systems

Another issue in the operational behavior of accessible IVVR voting systems needs to be considered to ensure that they are software independent and independently auditable.

Accessible IVVR systems that provide an audio readback of the IVVR (e.g., a VVPAT’s VVPR) may use the same software base to do the following:

  • Permit the voter to make ballot choices;
  • Create the IVVR of the voter’s ballot choices; and
  • Read back to the voter the IVVR.

To ensure that the accessible IVVR vote-capture device is interacting with the voter properly and recording voting choices accurately, the accessible IVVR voting system must allow for all voters to

  1. Cast their votes using assistive technology such as the audio-tactile interface even if the voters do not require this technology to be able to vote, and
  2. Verify the IVVR record with the audio readback.

Election procedures must actually ensure that sufficient numbers of voters use the accessible IVVR voting system in this way to ensure that the audio readback matches the IVVR record. These voters are able to confirm that both the IVVR and audio ballots contain the same information. This guards against the voting device selectively misrecording votes of voters with disabilities. For the purposes of discussion in this section, this type of voter behavior is referred to as Observational Testing.

6 Comments

Comment by ted selker (Academic)

"Election procedures must actually ensure" should change to: "Election procedures must ensure."

Comment by George gilbert (Local Election Official)

"Election procedures must actually ensure that sufficient numbers of voters use the accessible IVVR voting system in this way to ensure that the audio readback matches the IVVR record." Election officials cannot require voters to use "accessible IVVR" technology if the voters do not choose to do so. The functionality of the system can only be verified in testing. And, what are a "sufficient number of votes?"

Comment by Juan E. Gilbert (Academic)

My research team has been working on a voter-verified video audit trail (VVVAT). The VVVAT is a software independent voter-verification process. In the VVVAT process, each machine is connected to an independent video recorder via a connector switch box. You can see an illustration at http://www.PrimeVotingSystem.com/VVVAT.jpg. The machines running the voting software are directly connected to a video recording device. The video recorders are then connected to the connector switch box. On the opposite side of the connector switch box are the touch screens, headsets or any other input device(s). The connector switch box switches the connections between the video recorders such that no one knows which recorder is connected to which input device. This approach provides privacy for each voter and a voter verified audit trail that clearly captures the voter’s intent. When the voter verifies his/her ballot in the booth, it has been captured on video. Note that the video recorders do not capture the voter. The recorders are capturing the video and audio produced by the voting machines. No identifiable information is captured by the video recorder. Also, the video and audio that is displayed and played in the booth comes from the video recording device; therefore, it is the video and audio that is being recorded. If the voting machine is producing faulty video then it will be captured on video and the captured video is displayed in the booth. If either machine (video recorder or voting machine) is down, then there is no video displayed or audio produced. The video recorder is an independent observer that monitors the voting machine. Essentially, the video recorders surveil the voting machines, not the voters.
According to the definition of software independence, "Quality of a voting system or voting device such that a previously undetected change or fault in software cannot cause an undetectable change or error in election outcome.", the VVVAT does qualify as a software independent verification method. I would call to your attention that software independence does not mean "software or machine free". Some have argued that software independence can only be achieved through machine free solutions. The definition of software independence clearly does not make this claim; therefore, VVVAT must be considered a software independent approach.

Comment by David Beirne, Executive Director, Election Technology Council (Manufacturer)

In the fourth paragraph, "Election procedures must actually ensure that sufficient numbers of voters use the accessible IVVR voting system in this way to ensure that the audio feedback matches the IVVR records." The VVSG should not contain any language that potentially prescribes election administration procedures. In addition, the description of observational testing goes beyond the performance requirements of voting systems and is indicative of local election administration procedures. This section also needs to be reconciled with Section 3.3.1.-E. Strike the last paragraph and reconcile with Section 3.3.1.-E.

Comment by Craig Burton, CTO, EveryoneCounts.com (Academic)

The idea of an IVVR should allow for different software systems to produce competing IVVRs as per the notion that mutually distrusting observers can be relied upon, to an extent. It is the case that a voting system may be very loosely coupled to its audio or accessibility system. For example a visual interface which interacts via an open protocol with a text-to-speech system. The speech system then is a good candidate for producing a competing IVVR because it is served from an entirely different system and the visual interface has no access to the text to speech system at all.

Comment by Kathy Dopp (Advocacy Group)

Comments on 4.2.4 Additional behavior to support auditing for accessible IVVR voting systems

This draft VVSG statement seems impossible and conflicted: "Election procedures must actually ensure that sufficient numbers of voters use the accessible IVVR voting system in this way to ensure that the audio readback matches the IVVR record." Because:

  1. "sufficient" is not precisely defined.
  2. Voters may not want to use the accessible IVVR voting system, and this requirement might violate some State statutes.
  3. Having "sufficient numbers of voters use the accessible IVVR voting system" seems entirely unrelated to the task to "ensure that the audio readback matches the IVVR record."
  4. Such a system where the audio readback is on the same device as the IVVR and the same programming device prints both the IVVR and does the audio readback does not comply with the requirement for SI, "software independence".

4.2.4-A IVVR vote-capture device, observational testing

IVVR vote-capture devices that support assistive technology SHALL support Observational Testing.

Applies To: IVVR vote-capture device ^ Acc-VS

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

Blind, partial-vision, and non-written-language voters may not be able to directly verify the IVVR produced by the voting system. This may be because they are using the audio-tactile interface, magnified screen images, or other assistive technology. This raises the possibility that a malicious IVVR vote-capture device could modify these voters’ votes by simply recording the wrong votes on both electronic records and IVVRs. Observational testing provides a defense by using volunteer voters. When observational testing is in use, a malicious IVVR vote-capture device cannot safely assume that a voter using the audio-tactile interface will be unable to check the IVVR record.

Source: New requirement

2 Comments

Comment by ted selker (Academic)

"Could modify these voters’ votes by simply recording" should be changed to: "Could modify these voters’ votes by recording."

Comment by George Gilbert (Local Election Official)

4.2.4-A—If blind, partial vision and non-written language voters cannot directly verify the IVVR product, it does not appear to meet the criterion for accessibility and should not be certified. Why are standards being proposed for non-accessible systems or system components? Raising the specter of "a malicious IVVR vote capture device" is stretching the credibility of the whole security issue. The standards propose no safeguards against "malicious paper ballot counters" when those "tabulators" are human beings, a historically demonstrable source of "malice" in counting ballots. And, could not a conspiracy of malicious "volunteers" thwart the effectiveness of the proposed observational testing? This seems equally likely to malicious IVVRs in combination with malicious primary software in a voting system.

4.2.4-B IVVR vote-capture device, authentication for observational testing

The mechanism for authenticating the voter to the accessible IVVR vote-capture device SHALL NOT allow the IVVR vote-capture device to distinguish whether a voter is performing Observational Testing. The pollworker issuing the ballot activation for voters performing Observational Testing SHALL NOT be capable of signaling to the IVVR vote-capture device that it is being tested.

Applies To: IVVR vote-capture device ^ Acc-VS, Activation device

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

Observational testing would not detect attacks if the IVVR vote-capture device were somehow alerted that the voter was carrying out observational testing. Thus, the authentication mechanism must not permit the device to discover this fact.

Source: New requirement

4.3 Electronic Records

In order to support independent auditing, an IVVR voting system must be able to produce electronic records that contain the needed information in a secure and usable manner. Typically, this includes records such as:

  • Vote counts;
  • Counts of ballots recorded;
  • Information that identifies the electronic record;
  • Event logs and other records of important events or details of how the election was run on this device; or
  • Election archive information.

By ensuring that certain records are produced, secured, and exported, many threats to security can be reduced, including tampering with electronic records in transit from the polling place to the tabulation center, tampering with the operation of the tabulation center, or altering election records after the totals are determined.

There are three types of requirements on electronic records in this section:

  1. Requirements for how electronic records must be protected cryptographically;
  2. Requirements for which electronic records must be produced by tabulators; and
  3. Requirements for printed reports to support auditing steps.

2 Comments

Comment by Kathy Dopp (Advocacy Group)

Comments on 4.3 Electronic Records

Please add another requirement to "There are three types of requirements on electronic records in this section": "4. Requirements for printed reports to be protected procedurally" because audits cannot be effective if the printed records are tampered with prior to an audit. Please change the bullet: "Typically, This includes records such as: Vote counts:" to "Typically, This includes records such as: Vote counts on each tabulator, for each precinct, and for batch of ballots counted with a central counting device" because many of today’s voting systems are inefficient and cumbersome to audit because they do not produce reports of vote counts on each tabulator, so that entire precincts must be audited and then discrepancies cannot be traced back to the tabulator which produced the discrepancies; or they do not produce reports of separate batches of ballots counted on a central count optical scan device, making it cumbersome to audit absentee, provisional, and other ballots counted on the central count optical scan device.

Comment by Ariel J. Feldman, Harlan Yu (Princeton University) (Academic)

This section requires all electronic election results and audit logs to be digitally signed in order to prevent them from being modified undetectably when they are in storage or in transit. However, the language of this section does not seem to explicitly require ballot definitions be signed. If ballot definitions are not signed, then an attacker could potentially tamper with them in order to remove choices from the ballot or to make it so that votes cast for one candidate would be recorded for another. Besides ballot definitions, voting systems may rely on other configuration data that, if modified by a malicious party, could affect the outcome of the election. As a result, we recommend the inclusion of a requirement that explicitly states that all data and configuration files used by the voting system must be signed. Such a requirement should not try to make a distinction between election and non-election data because configuration data that is seemingly unrelated to the election might affect the operation of the voting system in subtle ways.

4.3.1 Records produced by voting devices

The following requirements apply to records produced by the voting system for any exchange of information between devices, support of auditing procedures, or reporting of final results. This includes the electronic version of all reports specified in Part 1: 5.1 "Cryptography".

1 Comment

Comment by katharine cartwright (Academic)

All voting systems should support input, output and exchange of data using a single, public, standard, self-describing format that is easy for humans to read but also easily readable by other computer software without transcription -- for example, the Election Markup Language (EML).

4.3.1-A All records capable of being exported

The voting system SHALL provide the capability to export its electronic records to files.

Applies To: Voting system

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

The exported format for the records must meet the requirements for data export in Part 1: 6.6 "Integratability and Data Export/Interchange".

Source: New requirement

4 Comments

Comment by George Gilbert (Local Election Official)

Establishing common IDE standards is among the most important things the VVSG could accomplish. Without common data exchange formats and interfaces, the vendors will continue to design their systems to minimize the opportunity for outside innovation (and competition) and will continue to restrict the opportunities for innovation at the state and local level.

Comment by Robert Ferraro, SAVEourVotes.org (Advocacy Group)

The current requirement in Part 1:6.6, "non-restrictive, publicly-available format" is not specific enough. To set up a post-election audit, accurate election results data need to be exported from all voting devices in a format easy to read and easy to use in calculations; the data must be available in a usable form without transcription. Formats that cannot be easily exported and then manipulated create substantial barriers to audits and other analysis of post-election data. For instance, PDF files that are used for reporting results in several voting systems now are not ideal for quickly and accurately exporting and using data. The VVSG should require that each data field be clearly identified and explained in a form that can be easily used for further analysis and display. The election result data must be in OASIS Election Markup Language (EML) or some other structured, machine readable format easy to export and then manipulate. It should be the same for all makes of equipment.

Comment by Verified Voting Foundation (Advocacy Group)

The current requirement in Part 1:6.6, "non-restrictive, publicly-available format" is not specific enough. To set up a post-election audit, accurate election results data need to be exported from all voting devices in a format easy to read and easy to use in calculations; the data must be available in a usable form without transcription. Formats that cannot be easily exported and then manipulated create substantial barriers to audits and other analysis of post-election data. For instance, PDF files that are used for reporting results in several voting systems now are not ideal for quickly and accurately exporting and using data. The VVSG should require that each data field be clearly identified and explained in a form that can be easily used for further analysis and display. The election result data should be reported in OASIS Election Markup Language (EML 5.0 or higher) for all makes of equipment. For more details, see https://vvf.jot.com/EMLforVVSG and http://www.oasis-open.org/committees/download.php/26747/The%20Case%20for%20EML%20v2.pdf

Comment by ACCURATE (Aaron Burstein) (Academic)

This section requires that audit records be available in a "fully specified, public format". However, "fully specified" and "public" do not necessarily correspond to "open". The requirement in Part 1:4.4.1-H is more specific about the requirements for an open format being "non-proprietary" and "requiring no special knowledge of confidential or proprietary or trade secret information". These elements of the 1:4.4.1-H definition should, at a minimum, be copied to section 1:4.3.1-A. A more general solution would specify in one part of the VVSG what constitutes an "open" format and then simply incorporate that definition by reference.

4.3.1-B All records capable of being printed

The voting system SHALL provide the ability to produce printed forms of its electronic records.

  1. The printed forms SHALL retain all required information as specified for each record type other than digital signatures;
  2. The printing MAY be done from a different device than the voting device that produces the electronic record; and
  3. It shall be possible to print records produced by the central tabulator or EMS on a different device.

Applies To: Voting system

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

Printed versions of all records in this chapter are either necessary or extremely helpful to support required auditing steps. Ensuring that the printing can be done from a machine other than the tabulator used to compute the final totals for the election supports the vote total audit, and is a logical consequence of the requirement for a fully open record format.

Source: [VVSG2005] I.2.1.5.1-a

3 Comments

Comment by Carl Hage (General Public)

Printing must be performed with a layout where OCR or human reader could not confuse letters and numbers. For example, hexadecimal codes must use "b" not "B", because "B" and "8" are indistinguishable. Likewise, "O" and "0" (oh and zero), or "1", "l", and "I" (one, el, eye) must not be combined within a code.

Comment by ted selker (Academic)

"Are either necessary or extremely helpful" should be changed to: "Are either necessary or helpful." Also, a reference is needed for public key certificate.

Comment by George Gilbert (Local Election Official)

4.3.1-B—This requirement is met by the immediately preceding requirement. It is redundant and counterproductive in placing emphasis on "printed records" for which the standards provide no mechanism for quality control or accurate tabulation.

4.3.1-C Cryptographic protection of records from voting devices

Electronic records SHALL be digitally signed with the Election Signature Key.

Applies To: Voting system

Test Reference: Part 3: 4.5 "Source Code Review", 5.2 "Functional Testing"

DISCUSSION

The digital signatures address the threat that the records might be tampered with in transit or in storage. When combined with the Election Public Key Certificate, the signature also addresses the threat that a legitimate electronic record might be misinterpreted as coming from the wrong voting device or scanner. The use of per-election keys to sign these records addresses the threat that a compromise of a voting device before or after election day might permit production of a false set of records for the election, which could then be reported to the EMS.

This requirement makes mandatory a similar optional recommendation in [VVSG2005] 7.9.3-d, which applies only to VVPATs; [VVSG2005] contains no requirement that all electronic records be signed.

Source: [VVSG2005] I.7.9.3-d

2 Comments

Comment by Peter Pearson (General Public)

In order for all records from voting devices to be signed with the Election Signature Key, the Election Signature Key must be present in all voting devices, and therefore both (1) the Election Signature Key is widely distributed and thus hard to protect, and (2) the Election Signature Key is extremely powerful and thus a tempting target for an adversary. Rather than embedding this powerful, system-wide key in every voting device, you should embed in each voting device a unique private key and a certificate for the corresponding public key signed with the Election Signature Key. This way, the powerful Election Signature (private) Key is present in far fewer places, and damage caused by the exposure of a particular voting device's private key is confined to records signed by that device.

Comment by Carl Hage (General Public)

A "fingerprint", a.k.a. hash/checksum, used in a digital signature of a summary should be printed at initialization and shutdown, the paper records kept, plus procedures should be put in place where observers record the fingerprint in their personal records for later verification. The personal record of the signature fingerprint can attest that a substitute electronic record was not made at a separate time or place (unless the voting device is modified to print a false record). Replacing the digitally signed records at a later time would not be possible with an independent record of the signature made at a voting site.

4.3.2 Records produced by tabulators

The following requirements apply to records produced by tabulators, such as DREs and optical scanners, for exchange of information between devices, transmission of results to the EMS, support of auditing procedures, or reporting of intermediate election results.

4.3.2-A Tabulator, summary count record

Each tabulator SHALL produce a tabulator Summary Count record including the following:

  1. Device unique identifier from the X.509 certificate;
  2. Time and date of summary record;
  3. The following, both in total and broken down by ballot configuration and precinct:
    1. Number of read ballots;
    2. Number of counted ballots;
    3. Number of rejected electronic CVRs; and
    4. For each N-of-M (including 1-of-M) or cumulative voting contest appearing in any ballot configuration handled by the tabulator:
      1. Number of counted ballots that included that contest, per the definition of K(j,r,t) in Part 1: Table 8-2;
      2. Vote totals for each non-write-in contest choice per the definition of T(c,j,r,t) in Part 1: Table 8-2;
      3. Number of write-in votes;
      4. Number of overvotes per the definition of O(j,r,t) in Part 1: Table 8-2; and
      5. Number of undervotes per the definition of U(j,r,t) in Part 1: Table 8-2.

In producing this summary count record, the tabulator shall assume that no provisional or challenged ballots are accepted.

Applies To: Tabulator

Test Reference: Part 3: 4.5 "Source Code Review", 5.2 "Functional Testing"

DISCUSSION

The Tabulator Summary Count Record is essentially an estimated summary report from the viewpoint of the individual tabulator, for auditing purposes. Since the eventual disposition of provisional ballots, challenged ballots, and write-in votes is unknown at the close of polls, arbitrary assumptions are made in order to make a summary possible. All provisional and challenged ballots are assumed rejected, and all write-in votes are effectively aliased to a single contest choice that is not one of the choices "on the ballot." The quantities provided for each contest should balance in the sense that

N × K = sum of non-write-in vote totals (T) + write-ins + overvotes (O) + undervotes (U).

In addition to the reporting context corresponding to the tabulator itself, reporting contexts corresponding to the different ballot configurations handled by that tabulator are synthesized. These contexts are quite narrow in scope as they include only the ballots of a specific configuration that were counted by a specific tabulator. The tabulator is not required to handle the complexities of reporting contexts that are outside of its scope.

This record is sufficient to support random audits of paper records. The record will not contain the results of election official review of review-required ballots, so auditors can use this record to verify that the number of these ballots is correct, but will need to do further steps to verify that these ballots were handled correctly. This record can be used to verify a correct result from a system under parallel testing. This record can be used to randomly check electronic totals, when the final results are given broken out by voting system or scanner. When used in the Ballot Count and Vote Total Audit, this record blocks the class of attacks that involves tampering with the EMS computer used to compute the final totals. The tabulator summary could in principle be published for each voting system, along with corrected final totals for each precinct and for absentee ballots, to show how the final election outcomes were computed, though care would have to be taken to avoid violations of voter privacy.

For auditing, this record must be output in a human-readable format, such as a printed report.

This requirement clarifies [VVSG2005] I.2.4.3, which describes the vote data summary reports that all voting systems are required to produce. While [VVSG2005] I.2.4.3 applies to voting systems as a whole, this requirement specifically requires that all vote tabulators produce such a report.

Source: [VVSG2005] I.2.4.3

2 Comments

Comment by Verified Voting Foundation (Academic)

In addition to the above, the Tabulator Summary Count record should include casting methods (e.g., DRE, in-precinct scanner, central count scanner), precinct, batch, and individual device ID. Also, if e-polls are used, ballot accounting data is required.

Comment by ACCURATE (Aaron Burstein) (Academic)

In addition to openness, the VVSG should specify that EMSs provide machine-readable and machine-processable output to support auditing. Auditors and members of the public will need access to vote data and audit data to conduct or oversee complex auditing methods or to verify the vote count in elections using alternative voting algorithms, such as Instant-Runoff Voting (IRV). The VVSG draft approaches this subject only narrowly; the discussion for this section (4.3.2-A) specifies that the "[tabulator] record must be output in a human-readable format," but it says nothing about machine-readability or -processability. In the most basic sense of machine-processability, EMSs should output vote and audit data in a spreadsheet format such as Comma-Separated Value (CSV) or Open Document Spreadsheet (ODS) format. However, it is also important for the VVSG to require manufacturer support for output in a standardized data-rich XML format. Such support would require an effort to define minimum reporting requirements for relevant data and define a single standard format to be used, eventually, in all jurisdictions and by all manufacturers. The only current candidate for such an XML format is the OASIS standard Election Markup Language (EML).

4.3.2-B Tabulator, summary count record handling

The tabulator SHALL handle the summary count record according to the following:

  1. The record SHALL be transmitted to the EMS with the other electronic records;
  2. It SHALL be stored in the election archive, if available; and
  3. It SHALL be stored in the voting system's event log.

Applies To: Tabulator

Test Reference: Part 3: 5.2 "Functional Testing"

Source: New requirement

1 Comment

Comment by Premier Election Solutions (Manufacturer)

In item (c), it seems that this requirement is mandating that the actual report be stored in the voting system event log, yet it would seem more practical that it refer to the system event log as only recording that the report was printed. For item (c), please clarify what information is required to be stored in the voting system event log.

4.3.2-C Tabulator, collection of ballot images record

Tabulators SHOULD produce a record of ballot images that includes:

  1. Time and date of creation of complete ballot image record; and
  2. ballot images recorded in randomized order by the DRE for the election. For each voted ballot, this includes:
    1. ballot configuration and counting context;
    2. Whether the ballot is accepted or rejected;
    3. For each contest:
      1. The choice recorded, including undervotes and write-ins; and
      2. Any information collected by the vote-capture device electronically about each write-in;
    4. Information specifying whether the ballot is provisional, and providing unique identifier for the ballot, as well as provisional category information required to support Requirement Part 1: 7.7.2-A.6.

Applies To: Tabulator

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

This record is not required for auditing; however, it is useful.

Source: New requirement

3 Comments

Comment by George Gilbert (Local Election Official)

4.3.2-C—This requirement, if I understand it correctly, appears to require that an optical scan tabulator, for instance, also create an electronic image of each ballot read. If so, this would represent a major security improvement for optical scan voting systems. Among the major advantages of DRE voting systems is the fact that they create and retain multiple copies of the ballot images. This minimizes the prospect of all ballot records being lost or destroyed, thus irretrievable for a recount. Optical scan systems, by contrast, typically generate only one copy of the ballot itself, i.e., the paper on which the voter records his or her votes. There are numerous examples of such ballots being lost or destroyed both prior to original tabulation and prior to a necessary recount.

Comment by Richard Carback (Academic)

What is the VVSG definition of an acceptable randomization routine? It should be referenced here.

Comment by E Smith/G Umemoto (Manufacturer)

If the device records the date and time of creation of the ballot image, someone with access to this data and a polling place list of voters' dates and times can link the ballot image to a specific voter.

4.3.2-C.1 DRE, collection of ballot images record

DREs SHALL produce a record of ballot images that includes:

  1. Time and date at poll closing; and
  2. ballot images recorded in randomized order by the DRE for the election. For each voted ballot, this includes:
    1. ballot configuration and counting context;
    2. Whether the ballot is accepted or rejected;
    3. For each contest:
      1. The choice recorded, including undervotes and write-ins; and
      2. Any information collected by the vote-capture device electronically about each write-in;
    4. Information specifying whether the ballot is provisional, and providing unique identifier for the ballot, as well as provisional category information required to support Requirement Part 1: 7.7.2-A.6.

Applies To: DRE

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

DREs already contain the information to create the ballot image records.

This requirement extends [VVSG2005] I.7.9.3-b by requiring an audit record containing electronic ballot images, and specifies other information that must be contained in this record. This requirement extends [VVSG2005] I.7.9.3-e by requiring that VVPATs produce an audit record containing electronic ballot images. [VVSG2005] I.7.9.3-e only requires that electronic ballot images be exportable for auditing purposes.

Source: [VVSG2005] I.7.9.3-b, I.7.9.3-e

2 Comments

Comment by George Gilbert (Local Election Official)

4.3.2-C.1—After multiple readings I could not determine how this requirement "extends [VVSG2005] I.7.9.3-e by requiring that VVPATs produce an audit record containing electronic ballot images." If it does so, that, in combination with earlier requirements, would seem to mean that all IVVRs be capable of producing both a paper and an electronic record of ballot images. My personal bias is, what is the point of the paper since we know of no means of assuring the accuracy of a hand audit or recount but, this provision raises the additional question of what is the point of the electronic record if you choose to produce a paper record using a VVPAT system?

Comment by Premier Election Solutions (Manufacturer)

There appears to be no point in storing an electronic record of a rejected ballot. Regardless of how many rejected VVPRs might be on the paper tape, only the accepted ones are counted. A system could record that a rejection took place such as in an event log for auditing purposes, so storing an electronic image of a rejected ballot is unnecessary. Proposed Change: Remove item b.2 from this requirement.

4.3.2-C.2 Tabulator, collection of cast votes handling

Tabulators that produce the collection of ballot images record SHALL handle the record according to the following:

  1. The record SHALL be transmitted to the EMS with the other electronic records;
  2. It SHALL be stored in the election archive, if available; and
  3. It SHALL be stored in the voting system's event log.

Applies To: Tabulator

Test Reference: Part 3: 5.2 "Functional Testing"

Source: New requirement

2 Comments

Comment by Premier Election Solutions (Manufacturer)

Storing the ballot image in the system event log is not practical or advisable. Ballot images can be 100K per image. In addition, event logs include date and time and associating this information with a ballot image would violate voter secrecy. Proposed Change: Remove item (c) in this requirement.

Comment by E Smith/G Umemoto (Manufacturer)

Section 4.3.2-C.2.c What is "It" (subclause c) that shall be stored in the voting system event log? Is "It" the actual ballot image, or simply an "event" that indicates that a ballot image has been recorded?

The tabulator SHALL digitally sign the event log, transmit the signed event log to an EMS, and retain a record of the transmission.

Applies To: Tabulator

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

The EMS can verify that the event log record is received and that the digital signature and the per-election key and certificate are valid.

Source: New requirement

4.3.3 Records produced by the EMS

The following requirements apply to the records produced by an EMS. EMSs include both DREs used as accumulators in the polling place, called a Precinct EMS, as well as EMSs used as jurisdiction-wide accumulators. All of the requirements for tabulators apply to EMSs. This section addresses additional requirements based on an EMS's role as an accumulator of ballot counts and vote totals.

4.3.3-A EMS tabulator summary count record

The EMS tabulator Summary Count Record SHALL include:

  1. Unique identifiers for each tabulator contained in the summary;
  2. For tabulators with public keys:
    1. The public key for each tabulator in the summary;
    2. The Election Signature Key certification and closeout record; and
    3. Signed tabulator summary count record.
  3. Summary ballot counts and vote totals by tabulator, precinct, and polling place.
    1. Precinct totals include subtotals from each tabulator used in the precinct.

Applies To: EMS

Test Reference: Part 3: 4.5 "Source Code Review", 5.2 "Functional Testing"

DISCUSSION

Requirements in Part 1 Section 7.8 ensure that the EMS is capable of producing a report containing this information. This report is required to allow checking of the final ballot counts and vote totals, based on their agreement with local totals, without relying on the correct operation of equipment and execution of procedures at the tabulation center. The goal is to provide cryptographic support for a process that is currently done in a manual, procedural way, which may be subject to undetected error or tampering. This record can be used to detect most problems at the tabulation center. Item c.1 is needed for cases when a tabulator, such as a DRE, contains votes from multiple precincts. Note: The requirement supports older voting systems to allow for transitioned upgrades of fielded equipment.

This requirement extends [VVSG2005] I.2.4.3; this requirement specifically requires that each tabulation center EMS produce this report.

Source: [VVSG2005] I.2.4.3

1 Comment

Comment by Kathy Dopp (Advocacy Group)

Comments on 4.3.3-A EMS tabulator summary count record: Thank you for the significant improvements to the VVSG in this and other sections which will make new voting systems much more auditable and accountable.

4.3.3-A.1 Tabulator, report combination for privacy

The EMS SHALL be capable of combining tabulator reports to protect voter privacy in cases when there are tabulators with few votes.

Applies To: EMS

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

1 Comment

Comment by George Gilbert (Local Election Official)

4.3.3-A.1—By my calculation, in order to preserve voter privacy regarding a ballot, for each reporting unit there must be at least 2 votes for each vote-for-one candidate/option where contests contain only two voting choices. Where more than 2 candidates or options exist in a contest, the calculation becomes more complicated. The point being, there is no set number of minimum votes per reporting unit (or tabulator) that assures voter privacy. If EMSs are required to automate this "combination," the programming requirements will be extremely complex.

4.3.3-B EMS, precinct summary count records

The EMS SHALL produce a report for each precinct including:

  1. Each tabulator included in the precinct with its unique identifier;
  2. Number of read ballots;
  3. Number of counted ballots;
  4. Number of rejected electronic CVRs; and
  5. For each N-of-M (including 1-of-M) or cumulative voting contest appearing in any ballot configuration handled by the tabulator:
    1. Number of counted ballots that included that contest, per the definition of K(j,r,t) in Part 1: Table 8-2;
    2. Vote totals for each non-write-in contest choice per the definition of T(c,j,r,t) in Part 1: Table 8-2; and
    3. Number of write-in votes.

Applies To: EMS

Test Reference: Part 3: 4.5 "Source Code Review", 5.2 "Functional Testing"

DISCUSSION

This report supports hand auditing of paper records against the final totals, the ballot count and vote totals audit, and the pollbook audit.

This requirement extends [VVSG2005] I.2.4.3; this requirement specifically requires that each tabulation center EMS produce the report.

Source: [VVSG2005] I.2.4.3

4.3.3-C EMS, precinct adjustment record

The EMS SHALL produce a report showing the changes made to each contest based on the resolution of provisional ballots, challenged ballots, and write-in choices, and the date and time of the report.

Applies To: EMS

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

This report may be produced more than once during the course of an election as the resolution of provisional ballots, challenged ballots, and write-in choices are processed. This report can be used to support the pollbook audit, showing that the number of ballots processed does not exceed the total recorded by the tabulator, as well as to support the ballot total and vote count audit. Many jurisdictions resolve provisional and challenged ballots in groups to protect voter privacy.

Source: New requirement

1 Comment

Comment by ted selker (Academic)

Choices are processed. Tabulators must be made public and reported to all.

4.3.4 Digital signature verification

4.3.4-A Tabulator, verify signed records

For each tabulator producing electronic records, the EMS SHALL verify:

  1. The Election Public Key Certificate associated with the record is valid for the current election, using the public key of the tabulator to verify the certificate as specified in Part 1: 5.1 "Cryptography";
  2. The election ID and timestamp of the record agree with the current election and the values in the Election Public Key Certificate; and
  3. The digital signature on the record is correct, using the Election Public Key to verify it.

Applies To: EMS

Test Reference: Part 3: 4.5 "Source Code Review", 5.2 "Functional Testing"

DISCUSSION

The digital signature applied to the electronic records from the voting devices is only useful if it is verified before the EMS accepts electronic records. A DRE that accumulates results at a precinct or polling place is serving as a precinct level EMS.

Source: New requirement
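The per-election signing model of 4.3.1-C and the three EMS checks of 4.3.4-A, as an added example written for this page (not code from the VVSG or from any voting system): the tabulator's long-term device key certifies a per-election key, that key signs each record, and the EMS verifies the certificate, then the election ID and timestamp, then the signature, in that order. Ed25519 from Go's standard library stands in for the algorithms of Part 1: 5.1, a plain JSON structure stands in for the X.509 Election Public Key Certificate, and the device and election identifiers and the record payload are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ElectionCert is a simplified stand-in for the Election Public Key Certificate:
// the tabulator's long-term device key certifies a per-election signing key
// (this example's own layout; the VVSG specifies X.509 in Part 1: 5.1).
type ElectionCert struct {
	DeviceID, ElectionID string
	NotBefore, NotAfter  time.Time
	ElectionPub          []byte
	Sig                  []byte `json:"-"` // device-key signature over the JSON of the other fields
}

// Record is one electronic record from a tabulator, e.g. a summary count record.
type Record struct {
	DeviceID, ElectionID string
	Timestamp            time.Time
	Payload              json.RawMessage
	Sig                  []byte `json:"-"` // Election Signature Key signature over the other fields
}

// canon returns the bytes that get signed: JSON with a fixed field order, Sig excluded.
func canon(v interface{}) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return b
}

// IssueElectionKey generates the per-election key pair on the tabulator and has
// the device key certify its public half for one election (the 4.3.1-C model).
func IssueElectionKey(devicePriv ed25519.PrivateKey, deviceID, electionID string,
	notBefore, notAfter time.Time) (ElectionCert, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	cert := ElectionCert{DeviceID: deviceID, ElectionID: electionID,
		NotBefore: notBefore, NotAfter: notAfter, ElectionPub: pub}
	cert.Sig = ed25519.Sign(devicePriv, canon(cert))
	return cert, priv
}

// SignRecord signs an electronic record with the Election Signature Key.
func SignRecord(electionPriv ed25519.PrivateKey, rec Record) Record {
	rec.Sig = ed25519.Sign(electionPriv, canon(rec))
	return rec
}

// VerifyRecord performs the three EMS checks of 4.3.4-A in order; the record is
// accepted only if all of them pass.
func VerifyRecord(devicePub ed25519.PublicKey, electionID string, cert ElectionCert, rec Record) error {
	// (a) certificate valid for this election, verified with the tabulator's public key
	if !ed25519.Verify(devicePub, canon(cert), cert.Sig) {
		return errors.New("election certificate not signed by this tabulator's device key")
	}
	if cert.ElectionID != electionID {
		return errors.New("election certificate issued for a different election")
	}
	// (b) election ID and timestamp agree with the current election and the certificate
	if rec.ElectionID != electionID || rec.DeviceID != cert.DeviceID {
		return errors.New("record election ID or device ID does not match the certificate")
	}
	if rec.Timestamp.Before(cert.NotBefore) || rec.Timestamp.After(cert.NotAfter) {
		return errors.New("record timestamp outside the certificate's validity period")
	}
	// (c) record signature, using the Election Public Key carried in the certificate
	if !ed25519.Verify(ed25519.PublicKey(cert.ElectionPub), canon(rec), rec.Sig) {
		return errors.New("record signature invalid")
	}
	return nil
}

func main() {
	// Constructed sample: one tabulator, one election, one summary count record.
	devicePub, devicePriv, _ := ed25519.GenerateKey(rand.Reader)
	open := time.Date(2008, 11, 4, 6, 0, 0, 0, time.UTC)
	cert, electionPriv := IssueElectionKey(devicePriv, "TAB-0042", "GEN-2008", open, open.Add(24*time.Hour))
	rec := SignRecord(electionPriv, Record{
		DeviceID: "TAB-0042", ElectionID: "GEN-2008", Timestamp: open.Add(14 * time.Hour),
		Payload: json.RawMessage(`{"read":312,"counted":310,"rejected_cvrs":2}`),
	})
	fmt.Println("genuine record:", VerifyRecord(devicePub, "GEN-2008", cert, rec))
	tampered := rec // altering the payload after signing must be detected
	tampered.Payload = json.RawMessage(`{"read":312,"counted":410,"rejected_cvrs":2}`)
	fmt.Println("tampered record:", VerifyRecord(devicePub, "GEN-2008", cert, tampered))
}
```

Because the certificate is bound to the device key and carries the election ID and validity window, a record signed with a key certified for a different election, by a different device, or outside the window fails before its own signature is even examined.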

2 Comments

Comment by Gail Audette (Voting System Test Laboratory)

Where is the definition of a "precinct level EMS"?

Comment by Kevin Wilson (Voting System Test Laboratory)

In reference to the word "valid": please define. Since the DSK certificate can be self-signed, is there some expectation that the tabulator has a list of trusted DSK certificates to determine validity of the ESK? Or is this requirement merely to determine that "some" ESK was used to sign the incoming information?

4.3.5 Ballot counter

4.3.5-A Ballot counter

Tabulators and vote-capture devices SHALL maintain a count of the number of ballots read at all times during a particular test cycle or election.

Applies To: Tabulator, Vote-capture device

Test Reference: Part 3: 3.2 "Functional Testing"

DISCUSSION

For auditability, the ballot count must be maintained (incremented each time a ballot is read) rather than calculated on demand (by counting the ballots currently in storage). This requirement restates [VVSG2005] I.2.1.8.

Source: Implied by design requirements in [VSS2002] I.2.2.9, [VVSG2005] I.2.1.8

4.3.5-B Ballot counter, availability

Tabulators SHALL enable election judges to determine the number of ballots read at all times during a particular test cycle or election without disrupting any operations in progress.

Applies To: Tabulator, Vote-capture device

Test Reference: Part 3: 3.2 "Functional Testing"

DISCUSSION

[VSS2002] I.2.4 refers to separate "election counter" and "life-cycle counter;" the latter was an error (it was intended to be deleted). This requirement clarifies [VVSG2005] I.2.1.8 by stating that reading the ballot counter must not disrupt voting system operations.

Source: Implied by design requirements in [VSS2002] I.2.2.9, I.2.1.8

4.4 Independent Voter-Verifiable Records

This chapter contains requirements for voting systems that produce and use independent voter-verifiable records (IVVR). IVVR are generally understood to mean voter-verifiable paper records (VVPR); however, non-paper IVVR, once developed, could still satisfy these requirements. There are two broad categories of paper-based IVVR, i.e., VVPR:

  • VVPATs couple an electronic voting device with a printer. The voter makes selections on the voting device, but is given the opportunity to review and verify choices on a paper record. The paper record may be a continuous roll or cut sheets.
  • Optical scan voting systems use paper ballots that are human-readable and may be marked by either hand or device, along with an electronic scanner that checks the ballot for problems such as under- and over-votes, and also records the votes.

For all IVVR systems, the records are available to the voter to review and verify, and these records are retained for later auditing or recounts as needed. This chapter addresses the use of the records for auditing and security. The chapter first presents the requirements for IVVR systems and then presents specific requirements for VVPR systems.

4.4.1 General requirements

Voter-verifiable records exist to provide an independent record of the voter’s choices that can be used to verify the correctness of the electronic record produced by the voting device.

11 Comments

Comment by Populex Corporation (Manufacturer)

Much of the 2007 VVSG solve problems with accuracy, security, privacy and secrecy inherent in previous versions. Therefore, we are surprised to see that this version of the VVSG permits continuous roll paper tape VVPATs. A continuous roll of VVPATs can compromise voter privacy/security. Many, if not most or all, states permit poll watchers. Poll watchers need only watch the order in which voters vote on a particular VVPAT system [defined as Voting Station in VVSG] and later match the poll observations to the sequential VVPAT. Because of the high level of enhanced privacy measures inherent in this VVSG, we wonder if we are misunderstanding the permission of continuous roll VVPATs. It seems to be an obvious breach of privacy/security.

Comment by ted selker (Academic)

IVVR are generally understood to mean voter verifiable paper records VVPR; however non-paper IVVR once developed Should be changed to: IVVRs include VVPRs, audio transcripts as demonstrated by Hart InterCivic, other VVAATT implementations and visual systems such as VoteGuard. [http://vote.caltech.edu/media/documents/wps/vtp_wp18.pdf, http://www.democracysystems.com/docs/press%20release_11-10-2004.pdf]

Comment by Diane Golden (Advocacy Group)

This version of the VVSG requires voting systems to be "software independent." This means that the system can be audited through the use of Independent Voter-Verified Records (IVVR). The voting systems today that meet the requirements for software independence and provide accessible options include ballot-marking devices and electronic systems with a voter verified paper audit trail (VVPAT). However, this section does not adequately address the accessibility challenges related to a paper-based ballot. In particular there are a number of standards that simply cannot be met when the VVPAT is rendered in an accessible media. (See 4.4.2.3. A and B for examples.) It is also unclear what if any software independence standards apply to ballot-marking devices as related to generating versus verifying ballot contents for voters with disabilities. (See 4.4.3 for more issues.) For both VVPATs and ballot marking devices, the standards are unclear regarding hardware options. Voters with disabilities should be able to use the same hardware output device (headset and/or visual display screen) to receive information from two distinct software sources without violating software independence requirements – but this is not clear in the current standards. In a system that produces a VVPAT or in a ballot-marking device the software that generates the print on the ballot and the software that scans the content of the print vote selections can be kept separate without requiring physically separate output hardware. Language should be added to the standards to clarify that duplicative output devices for either DREs with a VVPAT or ballot marking devices are not required to ensure software independence.

Comment by George Gilbert (Local Election Official)

4.4—This section only speculates on the possibility of non-VVPR IVVRs. It is written with the presumption that only paper based IVVR standards can be proposed effectively cutting off the prospect for development of non-paper-based IVVRs. While it is stated that "non-paper IVVR , once developed, could be used to still satisfy these requirements," no standards are even hinted at for such hypothetical systems. This statement fails to recognize that all of the systems that might meet the proposed standards await "development." This did not prevent the TGDC from promulgating requirements for these hypothetical future systems. Why are non-paper IVVR systems singled out for exclusion? Surely someone in NIST or on the TGDC can envision what such systems should look like and provide some guidelines for potential innovators to follow. This entire discussion belies the assertion in 2.4.1 that "IVVR relies on voter-verification, that is, the voter must verify that the electronic record is being captured correctly by examining a copy that is maintained independently of the voting system’s software, i.e., the IVVR." Here the emphasis is on an "electronic record…that is (captured and) maintained independently of the voting system’s software." What kind of "electronic record" is contemplated that meets the "software independence" requirements of 2.4? There appears to be a sleight of hand operating here that promises opportunities that have previously and are repeatedly thereafter, in the current Chapter, foreclosed. You cannot have "software independence" as described in 2.4 and throughout Chapter 4 and also have IVVR as described in 2.4.1.

Comment by Harry VanSickle (State Election Official)

Please clarify. Is this section indicating that based on the voting systems available in the marketplace today, an electronic voting device would require a VVPAT to proceed through federal testing? If so, this presents an issue for voting systems that will be subjected to certification testing in Pennsylvania, particularly continuous roll VVPATs. A continuous roll VVPAT violates the privacy of the voter. Because the ballot images are recorded on paper in the order in which they are voted, a person only has to compare each ballot image with the numbered list of voters to reveal every voter’s selection. This not only violates the Pennsylvania Constitution but also state election law, both of which mandate that the secrecy of the vote be preserved.

Comment by Dag Knudsen (Advocacy Group)

Do not allow any record generated by a computer device as the verifiable record. A hand marked ballot should be the only acceptable option.

Comment by Robert Shellenberger (Voter)

IVVR should be paper ballots or paper records. Software independence and independent voter-verifiable records (IVVRs) that cannot be changed by software malfunction are essential.

Comment by U.S. Public Policy Committee of the Association for Computing Machinery (USACM) (None)

USACM Comment #19. Section 4.4 Circular Definitions [incorrect]

USACM recommends replacing the definitions of "Independent Voter Verifiable Record", "IVVR", and "IVVR vote-capture device" as described below:

Independent Voter Verifiable Record: This record (an IVVR) is a persistent, simple, human-interpretable representation of a voter’s choices. It is independent in the sense that the voter’s choices are semantically clear without electronic, electro-mechanical, mechanical, codebook, or other translation. It is voter verifiable in the sense that it is presented to voters for their review before they commit to their selections.

IVVR: Independent Voter Verifiable Record.

IVVR vote-capture device: A device that interacts with a voter to produce an independent voter-verifiable record.

DISCUSSION: The three definitions presently in the VVSG Draft are circular, i.e., each relies on reference to the other two to form its definition. This results in vague representations with no real definition at all. Moreover, the definitions do not capture the essential meaning necessary to understand these concepts. The proposed wording removes the circularity and clarifies the meanings of these critical terms.

Comment by katharine cartwright (Academic)

It is of paramount importance to keep sections that clearly state that the IVVR cannot be changed by a software failure, and that election officials must be able to review the IVVR without using software or a programmable device.

Comment by ACCURATE (Aaron Burstein) (Academic)

This section is critical to supporting software independence and should be included in the final guidelines.

Comment by U.S. Public Policy Committee of the Association for Computing Machinery (USACM) (None)

USACM Comment #18. Section 4.4. Independent Voter Verifiable Record IVVR is unclear [vague]

USACM recommends that the second and third sentences in the first paragraph in Section 4.4 be replaced by: "IVVR is a human-interpretable representation of a voter’s choices. There are two categories of voter-verifiable paper records (VVPR) that may meet the IVVR standard:"

DISCUSSION: Neither the term "independent" nor the phrase "voter verifiable" is defined or inherently clear in the phrase "Independent Voter Verifiable Record". The proposed change simplifies the text and clarifies the meaning of these terms.
4.4.1-A IVVR vote-capture device, IVVR creation

The IVVR vote-capture device SHALL create an independent voter verifiable record.

Applies To: IVVR vote-capture device

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

This requirement is further defined by its subrequirements. Its purpose is to ensure that a single IVVR meets all requirements and all properties as outlined in the following subrequirements.

Source: New requirement

2 Comments

Comment by ted selker (Academic)

"For auditing, this record must be output in a human-readable format, such as a printed report" should change to: "For auditing, this record must be readable by more than one kind of device. This is not a motivated improvement."

Comment by d.s. kiefer (Voter)

Again, since software/computers can have errors/problems not readily apparent, it is crucial to include language that requires election officials to be able to review the IVVR without using a computer or programmable device.
4.4.1-A.1 IVVR vote-capture device, IVVR direct verification by voters

IVVR vote-capture devices SHALL create an IVVR that voters can verify (a) without software, or (b) without programmable devices excepting assistive technology.

Applies To: IVVR vote-capture device

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

The exclusion of software or programmable devices from the voter verification process is necessary for the system to be software independent. It suffices to meet this requirement that most voters can review the record directly. Voters who use some assistive technologies may not be able to directly review the record. This requirement allows for Observational Testing to be able to determine whether the assistive technology is operating without error or fraud.

Source: New requirement

2 Comments

Comment by George Gilbert (Local Election Official)

4.4.1-A.1—To require that IVVR systems be "software independent," by your definition, "the exclusion of software or programmable devices from the voter verification process," denies to election security the principal tools used by all critical systems (spaceflight, airplanes, banking, nuclear power plants, etc.), i.e., operational monitoring and backup by redundant computer systems. Apollo 13 survived manually guided reentry... just barely. This method was certainly not the first choice of either the crew or ground control. The Presidential vote in Florida in 2000 did not "survive" manual tabulation. The Gubernatorial vote in Washington in 2004 barely survived manual tabulation. To deny elections access to the most accurate, most secure and most reliable recording and tabulation technology available cannot be the objective of the voting system guidelines. This said, these guidelines must establish standards for "independent software" based IVVR systems, not "software independent" systems.

Comment by Dag Knudsen (Advocacy Group)

Use paper ballot which is manually marked
4.4.1-A.2 IVVR vote-capture device, IVVR direct review by election officials

IVVR vote-capture devices SHALL create an IVVR that election officials and auditors can review without software or programmable devices.

Applies To: IVVR vote-capture device

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

The exclusion of programmable devices from the voter verification process is necessary for the system to be software independent.

Source: New requirement

6 Comments

Comment by ted selker (Academic)

"Auditors can review without using the software or programmable device" should be changed to: "Auditors can review without using the software that produced the record being audited."

Comment by George Gilbert (Local Election Official)

4.4.1-A.2—To require that IVVR systems be "software independent," by your definition, "the exclusion of software or programmable devices from the voter verification process," denies to election security the principal tools used by all critical systems (spaceflight, airplanes, banking, nuclear power plants, etc.), i.e., operational monitoring and backup by redundant computer systems. To deny elections access to the most accurate, most secure and most reliable recording and tabulation technology available cannot be the objective of the voting system guidelines. This said, these guidelines must establish standards for "independent software" based IVVR systems, not "software independent" systems.

Comment by Robert Ferraro, SAVEourVotes.org (Advocacy Group)

The voter verified paper records must have print that is large enough and dark enough not only for the auditors to quickly sort and count the votes, but also for the observers to be able to read from a short distance.

Comment by Dag Knudsen (Advocacy Group)

Use manually marked paper ballot

Comment by Verified Voting Foundation (Academic)

It is of paramount importance to keep sections that clearly state that the IVVR cannot be changed by a software failure, and that election officials must be able to review the IVVR without using software or a programmable device.

Comment by Verified Voting Foundation (Academic)

The voter verified paper records must have print that is large enough and dark enough not only for the auditors to quickly sort and count the votes, but also for observers to be able to read from a short distance.
4.4.1-A.3 IVVR vote-capture device, support for hand auditing

IVVR vote-capture devices SHALL create an IVVR that election officials can use without software or programmable devices to verify that the reported electronic totals are correct.

Applies To: IVVR vote-capture device

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

The records must support a hand audit that uses no programmable devices to read or interpret the records. The hand audit may provide a statistical basis for other larger audits or recounts performed using technology (such as OCR).

Source: New requirement

3 Comments

Comment by ted selker (Academic)

"That uses no programmable devices to read or interpret the records." should be changed to: "That is independent of the tabulator machinery." "Contain a human-readable summary" should be changed to: "contain a summary that does not require the software that produced it to read it."

Comment by George Gilbert (Local Election Official)

4.4.1-A.3—The presumption that a "hand audit" can "verify" that reported electronic totals are correct is unsupported by both history and by all extant research on the question. Studies of hand auditing ballots (e.g., Ansolabehere, VTP WORKING PAPER #11, 2004; Alvarez, et al., VTP WORKING PAPER #32, 2005) document the degree of variation between the hand and electronic or electro-mechanical tabulation of ballots or between multiple hand tabulations of the same ballots. No study asserts that hand tabulation is more accurate than electronic tabulation, nor does any document that one hand tabulation is more accurate than another. The entire premise behind "software independence," as defined by the proposed standards, is unsupportable.

Comment by Sanford Morganstein (Voter)

These standards have the unintended consequence of undermining the basic principle of a secret ballot. I’ll explain below.

The federal government and other groups have been working on voting system standards for a long time. We hope that this iteration will provide standards that the nation can live with for a long time. Why, then, should we have to live with voting system rules that allow government and party workers to be able to determine how individuals cast their votes? Why are we compromising the idea of a secret ballot?

Here’s how it can happen. I’ll put it in plain terms without using the formal definitions found in the new rules. According to the draft rules, electronic machines must have a voter verified record. Good. However, for reasons that cannot be supported, the paper record of the electronic vote can be a continuous roll of paper tape. Why? Such a record undermines privacy, for at least two reasons.

  1. Many states keep track of the order in which voters vote. Whether it be a registration record on a spindle, a poll book, or a legally sanctioned, politically motivated pollwatcher, it is a simple matter to create a list of voters, and the order in which they voted. Enter the paper roll. It is there for a reason: to be inspected. Good, again. Therefore the tape can be inspected, certainly by a government worker or, perhaps under the Freedom of Information Act, by anyone. Unroll the tape, match the votes that appear in order on the tape to the record of voters and voila... secret ballot is gone.
  2. Many states now allow early voting. I believe that the machines are started up each morning. Each time they start up a record is made on the tape showing the date and the precinct/polling place identity. Again, enter the paper roll. Inspect it (obviously someone can... if it’s secret it doesn’t make sense), find my precinct, find the day I voted and voila again, either intimidate/coerce me for voting the way I did, or reward me for voting the way you wanted.

Why such a situation is allowed to obtain in a voting standard that should last for decades is beyond me.
4.4.1-A.4 IVVR vote-capture device, IVVR use in recounts

IVVR vote-capture devices SHALL create an IVVR that election officials can use to reconstruct the full set of totals from the election.

Applies To: IVVR vote-capture device

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

This requirement addresses the completeness of the records, rather than their technology independence.

Source: New requirement

4.4.1-A.5 IVVR vote-capture device, IVVR durability

IVVR vote-capture devices SHALL create an IVVR that will remain unchanged for minimally 22 months unaffected by power failure, software failure, or other technology failure.

Applies To: IVVR vote-capture device

Test Reference: Part 3: 5.2 "Functional Testing"

Source: New requirement

14 Comments

Comment by Brian V. Jarvis (Local Election Official)

This would appear to be an untestable requirement. Certainly, this requirement is not testable at the time of voting machine deployment; and it isn't knowable until (at least) 22 months after deployment. Also, it's unusual to have a requirement that covers all "other technology failure." How would that be scoped? This would appear to be so open-ended as to make it unverifiable.

Comment by Michael Berla, Ph.D. (Voter)

Sections that clearly state that the IVVR must be incapable of being changed by a software failure, and that election officials must be able to review the IVVR without using software or a programmable device, must be retained in the document.

Comment by Mr. D. Narveson (Voter)

It is crucial to keep sections that clearly state the IVVR CANNOT be changed by software failure -- and that election officials must be able to review the IVVR WITHOUT using any software or any programmable devices.

Comment by Barry G. D'Orazio (General Public)

It is of paramount importance to keep sections that clearly state that the IVVR cannot be changed by a software failure, and that election officials must be able to review the IVVR without using software or a programmable device.

Comment by Sherie Helstien (Voter)

It is of paramount importance to keep sections that clearly state that the IVVR cannot be changed by a software failure, and that election officials must be able to review the IVVR without using software or a programmable device. Your guidelines do not explicitly require voter-marked paper ballots or any kind of voter verifiable paper records. Without this specific requirement the door is opened to purely software-based verifications, and if that fails what's left for voter verifications? Transparency is paramount or why bother? Paper is the only existing "technology" that maintains an independent voter-verifiable record. This case is open and shut.

Comment by Robert Shellenberger (Voter)

It is essential to have a time frame of 22 months for verifying the accuracy of the voting record.

Comment by Gail Brock (None)

This section is extremely important, and the requirement currently proposed that the IVVR should be kept for 22 months in a format not dependent on software, either for storage or for review by election officials/auditors should be maintained.

Comment by Joshua Berk Knox (Voter)

It is of paramount importance to keep sections that clearly state that the IVVR cannot be changed by a software failure, and that election officials must be able to review the IVVR without using software or a programmable device. In my view, paper records or paper ballots are the only existing technology that would meet the requirement for an independent voter-verifiable record that cannot be altered by software failure.

Comment by Christopher Lish (General Public)

It is of paramount importance to keep the sections that clearly state that the independent voter-verifiable records (IVVR) cannot be changed by a software failure, and that election officials must be able to review the IVVR without using software or a programmable device. Preferably, the guidelines should explicitly require voter-marked paper ballots or voter-verifiable paper records. Without this specific requirement, the door can be opened to purely software-based verification of voting, which does not restore transparency to our elections. Voter-verifiable paper records or paper ballots are the only existing technology that would meet the requirement for an independent voter-verifiable record that cannot be altered by software failure.

Comment by U.S. Public Policy Committee of the Association for Computing Machinery (USACM) (None)

USACM Comment #20. 4.4.1-A.5 — IVVR vote-capture device, IVVR durability

USACM recommends that the requirement text be modified to the following text: "IVVR vote-capture devices SHALL create an IVVR that will remain unchanged for minimally 22 months unaffected by power failure, software failure, or other technology failure. The IVVR must also remain unaffected by conditions in which it is stored (such as temperature extremes or humidity)."

DISCUSSION: The added sentence addresses the fact that the durability of an IVVR is as dependent on the conditions under which it is stored as on the conditions by which it is made. The requirement as written only addresses how the IVVR is produced; it does not speak to the durability of the IVVR after it is produced.

Comment by Carole Simmons (Advocacy Group)

This requirement is essential to election transparency. The VVSG must clearly state that the IVVR cannot be changed by a software failure, and that election officials must be able to review the IVVR without using software or a programmable device.

Comment by Marge Acosta (Advocacy Group)

RE: Comments on 4.4.1-A.5 IVVR vote-capture device, IVVR durability.

Dear Commissioners,

I urge you to keep the sections that clearly state that the IVVR cannot be changed by a software failure and that election officials must be able to review the IVVR without using software or a programmable device. This is of utmost importance.

DRE voter verified paper audit trails (VVPATs) are computer-generated, and, as long as the VVPATs are on a paper roll, they are controlled by the computer software. These paper records can be compromised during machine failures while they are still in a functional mode, attached to the DRE. We have seen this in numerous instances, e.g., in the 2006 Tom Green County, TX primary where a recount was suspended because up to 20% of the VVPATs were missing and in the 2006 Cuyahoga County, Ohio review. The $1.9 million review found large and unexplained discrepancies between the machine count and that of the paper trail. Nearly 10 percent of the paper records were destroyed, blank, illegible, or otherwise compromised. Many DRE VVPATs are printed on thermal paper which is very fragile and corruptible and does not have the required durability.

Additionally, election officials often use bar code readings on these VVPATs to review these paper records in recounts and audits. Again, bar codes are generated and read using software, and were never verified by the voter. As NIST states: The cons or drawbacks associated with using barcodes on paper records include the following:

• The voter cannot read the barcode and thus is forced to approve a paper record he or she cannot fully read.
• Erroneous information can be placed in the barcode without the voter’s knowledge.
• The barcode is a third record of the voter's choices and the complications of keeping all records in correspondence and ensuring their accuracy is thus more complicated than with just an electronic record and a human readable paper counterpart.
• It is attractive to use only the barcode in audits of the electronic records. Again, this defeats the whole purpose of using voter-verified paper records and opens the door to serious security vulnerabilities.

NIST also states "it is not advisable to place information on a ballot that a voter cannot read; it intuitively violates the principle of voter-verification. In addition, it is a significant attack vector. The VVSG 2007 should include a statement to the effect that encoded information should not be used if possible, and alternatives such as more legible and thus more easily scanned paper ballots should be used instead."

If these are the findings of your own research advisory group as well as several state and election organizations, then certainly your guidelines should recommend the voting system with the highest standards: those that employ voter-marked paper ballots which cannot be changed by a software failure and which election officials are able to review without using software or a programmable device.

Thank you for considering my comments.

Sincerely,
Marge Acosta
Long Island Representative for New Yorkers for Verified Voting
4 Harbor Park Court
Centerport, NY 11721

Comment by katharine cartwright (Academic)

It is of paramount importance to keep sections that clearly state that the IVVR cannot be changed by a software failure, and that election officials must be able to review the IVVR without using software or a programmable device.
4.4.1-A.6 IVVR vote-capture device, IVVR tamper evidence

IVVR vote-capture devices SHALL create an IVVR that shows evidence of tampering or change by the voting system.

Applies To: IVVR vote-capture device

Test Reference: Part 3: 5.2 "Functional Testing"

Source: New requirement

1 Comment

Comment by E Smith/G Umemoto (Manufacturer)

Since the voting system is creating the IVVR, how would the voting system "show evidence of tampering or change by" itself? Please clarify this requirement.
4.4.1-A.7 IVVR vote-capture device, IVVR support for privacy

IVVR vote-capture devices SHALL create an IVVR for which procedures or technology can be used to protect voter privacy.

Applies To: IVVR vote-capture device

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

Privacy protection includes a method to separate the order of voters from the order of records or procedural means to ensure that information relating to the order of voters, including time a record is created, can be protected. Privacy also includes other methods to make records hard to identify, normally by having them be indistinguishable from each other.

Source: New requirement

1 Comment

Comment by Harry VanSickle (State Election Official)

With regard to this subrequirement, see previous comments on continuous roll VVPAT and maintaining the secrecy of the vote (4.4.). If it is the intent of this subrequirement to protect voter privacy on equipment such as a continuous roll VVPAT, then that should be more fully expounded upon.
4.4.1-A.8 IVVR vote-capture device, IVVR public format

IVVR vote-capture devices SHALL create an IVVR in a non-restrictive, publicly-available format, readable without confidential, proprietary, or trade secret information.

Applies To: IVVR vote-capture device

Test Reference: Part 3: 5.2 "Functional Testing"

Source: New requirement

1 Comment

Comment by ACCURATE (Aaron Burstein) (Academic)

See ACCURATE's comment for Part 1:4.3.1-A.
4.4.1-A.9 IVVR vote-capture device, IVVR unambiguous interpretation of cast vote

Each IVVR SHALL contain a human-readable summary of the electronic CVR. In addition, all IVVR SHALL contain audit-related information including:

  1. Polling place;
  2. Reporting context;
  3. Ballot configuration;
  4. Date of election; and
  5. Complete summary of voter’s choices.

Applies To: IVVR vote-capture device

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

All IVVR contain some human-readable content. In addition, some IVVR may use machine-readable content to make counting or recounting more efficient. For example, PCOS systems place a human-readable representation of the votes beside a machine-readable set of ovals to be marked by a human or a machine.

The human-readable content of the IVVR must contain all information needed to interpret the cast vote. This is necessary to ensure that hand audits and recounts can be done using only the human-readable parts of the paper records.

This requirement generalizes [VVSG2005] I.7.9.1-b, I.7.9.1-c and I.7.9.3-h by extending its provisions to include all IVVR.

Source: [VVSG2005] I.7.9.1-b, I.7.9.1-c, I.7.9.3-h

1 Comment

Comment by Terrill Bouricius, FairVote: the Center for Voting and Democracy (Advocacy Group)

The requirement that an optical scan or other electronic vote capture device store a Cast Vote Record (CVR) that is a ballot image rather than merely adding numbers to a running total for selected contest choices, is a major step forward. However, I am not certain why the word "summary" is used in describing the complete record of voter choices. I would suggest replacing the word "summary" with "record." Secondly, while the requirements for IVVR systems, such as VVPAT systems, clearly require that the CVR contain a complete record of each choice made by the voter, I am not certain the draft clearly requires ALL systems to store this information (it may, I just couldn't find it). It should. All vote capture devices should store and output Cast Vote Records that include a separate record for each contest and each "ballot" with a complete record of each choice made by the voter.
4.4.1-A.10 IVVR vote-capture device, no codebook required to interpret

The human-readable ballot contest and choice information on the IVVR SHALL NOT require additional information, such as a codebook, lookup table, or other information, to unambiguously determine the voter’s ballot choices.

Applies To: IVVR vote-capture device

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

The hand audit of records requires the ability for auditors to verify that the electronic CVR as seen and verified by voters is the same as the electronic CVR that was counted. This requires that the auditor have all information necessary on the IVVR to interpret completely how the contests were voted. If an external codebook or lookup table were needed to interpret the IVVR, there would be no way for the auditor to be certain that the codebook had not changed since the voter used it.

1 Comment

Comment by ted selker (Academic)

"The hand audit of" should be changed to: "bona fide audit"
4.4.1-A.11 IVVR vote-capture device, multiple physical media

When a single IVVR spans multiple physical media, each physical piece of media SHALL include polling place, reporting context, ballot configuration, date of election, and number of the media and total number of the media (e.g. page 1 of 4).

Applies To: IVVR vote-capture device

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

This requirement generalizes [VVSG2005] I.7.9.6-f by describing the information that must be included on each piece of physical media for an IVVR spread across multiple pieces of media and extends its provisions to include all IVVR.

Source: [VVSG2005] I.7.9.6-f

4.4.1-A.12 IVVR vote-capture device, IVVR accepted or rejected

The IVVR SHALL be marked as accepted or rejected in the presence of the voter.

Applies To: IVVR vote-capture device

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

Unambiguous verification or rejection markings address the threat that the voting device might attempt to accept or reject ballot summaries without the voter’s approval. This requirement extends [VVSG2005] I.7.9.2-b to all IVVR voting systems.

Source: [VVSG2005] I.7.9.2-b

4.4.1-A.13 IVVR vote-capture device, IVVR accepted or rejected for multiple physical media

Each piece of IVVR physical media or SHALL be individually accepted or rejected by the voter.

Applies To: IVVR vote-capture device

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

It must be unambiguous that all choices were rejected or accepted. This can be done at the end of physical media (e.g., a cut sheet VVPAT) or per contest.

Source: New requirement

1 Comment

Comment by Harry VanSickle (State Election Official)

Typographical error – remove the word "or" before "SHALL."
4.4.1-A.14 IVVR vote-capture device, IVVR non-human-readable contents permitted

The IVVR MAY include machine-readable encodings of the electronic CVR and other information that is not human-readable.

Applies To: IVVR vote-capture device

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

This requirement extends [VVSG2005] I.7.9.3-g to include all IVVR.

Source: [VVSG2005] I.7.9.3-g

1 Comment

Comment by Ariel J. Feldman, Harlan Yu, Joseph A. Calandrino (Princeton University) (Academic)

This comment applies to this section and also to 4.4.2.5. This allows independent voter-verifiable records (IVVR) such as voter-verifiable paper records (VVPRs) to contain information that is not human-readable such as error correcting codes. It also requires voting systems to have the capability to link each IVVR to its corresponding electronic record via a mechanism such as a serial number printed on each VVPR. These requirements may do more harm than good because they would likely allow voting systems to print what are, from a voter's perspective, random-looking strings of letters and numbers on each VVPR. Although this random-looking data is usually innocuous, there is no way to prove that it does not contain information that could compromise the secrecy of the ballot. For example, if a DRE were compromised by malicious software, it could be programmed to print serial numbers on each VVPAT that were actually the encryptions of the times that each vote was cast. To anyone who did not know the encryption key, these serial numbers would appear to be random. But, to someone with the key, they could be used to reconstruct the order that the ballots were cast. In general, it should be impossible to infer anything from the IVVRs other than the votes themselves.
4.4.1-A.15 IVVR vote-capture device, IVVR machine-readable part contains same information as human-readable part

If a non-human-readable encoding is used on the IVVR, it SHALL contain the entirety of the human-readable information on the record.

Applies To: IVVR vote-capture device

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

The machine-readable part of the IVVR must permit the reconstruction of the human-readable part of the record.

Source: New requirement

1 Comment

Comment by ted selker (Academic)

"Human readable" should be changed to: "independently verifiable"
4.4.1-A.16 IVVR vote-capture device, IVVR machine-readable contents may include error correction/detection information

If a non-human-readable encoding is used on the IVVR, the encoding MAY also contain information intended to ensure the correct decoding of the information stored within, including:

  1. Checksums;
  2. Error correcting codes;
  3. Digital signatures; and
  4. Message Authentication Codes.

Applies To: IVVR vote-capture device

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

Error correction/detection information is used to protect digital data from error or tampering. This information would not be meaningful to a human, so there is no reason to demand that it also appear in the human-readable part of the record.

This requirement extends [VVSG2005] I.7.9.3-g to include all IVVR.

Source: [VVSG2005] I.7.9.3-g

1 Comment

Comment by Carl Hage (General Public)

The VVSG should be changed to require that a digital signature be printed on each IVVR to authenticate the paper record was printed on a particular machine during the time the machine & election (day) specific key is active. This is necessary to prevent tampering with the paper audit trail. When a VVPAT is collected as a roll and voter order is hidden by other procedures, the digital signature on the paper audit trail should include a serial number and cumulative checksum/hash in order to detect missing or inserted false paper records. When the order of ballots collected is randomized in some way, some other method of issuing randomized serial numbers and/or order-independent checksums should be used with a signature so the paper trail can be verified as authentic and printed by a particular machine for an election, without relying on the stored electronic records. For poll site optical scan machines that collect and count ballots, a secure system would print a digital signature on the counted ballot which could be used to authenticate the paper record. Adding checksums to detect inserted or deleted ballots from the paper record alone is highly desirable.

4.4.1-A.17 IVVR vote-capture device, public format for IVVR non-human-readable data

Any non-human-readable information on the IVVR SHALL be presented in a fully disclosed public format.

Applies To: IVVR vote-capture device

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

Meaningful automated auditing requires full disclosure of any non-human-readable encodings on the IVVR. However, hand auditing does not require disclosure of this kind. This requirement extends [VVSG2005] I.7.9.3-e to include all IVVR.

Source: [VVSG2005] I.7.9.3-f

4.4.2 VVPAT

This section contains requirements for the basic components and operation of voting devices of the class VVPAT (Voter-verifiable Paper Audit Trail). VVPAT is one implementation of the system class IVVR, using voter-verifiable paper records (VVPR), i.e., paper IVVR. Voting devices of this class typically consist of a DRE-like vote-capture device with an attached printer and a capability for displaying a VVPR to the voter and for storing the VVPR. In this configuration, prior to casting the ballot on the DRE, voters are given the ability to verify their selections on the VVPR in a private and independent manner. After a VVPR is produced, but before the voter's electronic CVR is recorded, the voter must have the opportunity to accept or reject the contents of the VVPR. If a voter does not accept the contents of the VVPR, the voter must be permitted to redo the electronic CVR as displayed to the voter. In storing the VVPRs, the VVPAT must distinguish a voter’s rejected VVPR from an accepted VVPR. The VVPR must be able to be used in independent (from the VVPAT’s software) audits of the electronic CVRs and in recounts, and capable of being used as the official ballot in tabulations if required by state law.

1 Comment

Comment by Ariel J. Feldman, Harlan Yu, Joseph A. Calandrino (Princeton University) (Academic)

This section allows two forms VVPATs to be used with DREs: cut-sheet VVPATs where each voter's audit record resides on a separate piece of paper, and continuous roll VVPATs where multiple voters' audit records are printed sequentially on a single spool of paper. Although we support the VVPAT requirement, we believe that only cut-sheet VVPATs are secure. Continuous roll VVPATs pose a threat to the secrecy of the ballot because they record voters' choices in the order that they are cast. This information, when combined with an ordered log of individual voters signed-in at a given polling place, can be used to reconstruct how individual voters voted. Section 4.4.2.6 suggests that this threat can be mitigated by keeping the continuous roll VVPATs secret using a combination of locks, tamper-evident seals, and election procedures. Research has shown, however, that every currently-used type of tamper-evident seal can be removed and replaced without evidence by one person within 30 minutes, with the majority defeated within 2 minutes (see: R.G. Johnston. Tamper-Indicating Seals. American Scientist, November-December 2006. pp. 515-523.) Moreover, we worry that despite the best efforts of election officials, it may still be possible for a malicious insider to gain access to the VVPATs (or for a voter to have a reasonable fear of this possibility). Rather than trying to conceal the record of the order that votes were cast, we believe it is safer to prohibit voting systems from keeping such a record at all. Of course, in order to be effective at obfuscating the order of votes, cut-sheet voting systems should be required to scramble the VVPAT sheets rather than just collect them in a single stack.

4.4.2.1 VVPAT components and definitions

4.4.2.1-A VVPAT, definition and components

A VVPAT SHALL consist minimally of the following fundamental components:

  1. A voting device, on which a voter makes selections and prepares to cast a ballot;
  2. A printer that prints a VVPR summary of the voter’s ballot selections, and that allows the voter to compare it with the electronic ballot selections;
  3. A mechanism by which the voter may indicate acceptance or rejection of the VVPR;
  4. Ballot box/cartridge to contain accepted and voided VVPRs; and
  5. A VVPR for each electronic CVR. The VVPR may be printed on a separate sheet for each VVPR ("cut-sheet VVPAT") or on a continuous paper roll ("paper-roll VVPAT").

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

Source: [VVSG2005] I.7.9.1-a

2 Comments

Comment by Gail Audette (Voting System Test Laboratory)

A "standard communications protocol" is not defined and will potentially evolve over time. How do test labs provide pass/fail criteria to these requirements?

Comment by Harry VanSickle (State Election Official)

With regard to subparagraph (e), see previous comments on continuous roll VVPAT and maintaining the secrecy of the vote (4.4).

4.4.2.2 VVPAT printer/computer interactions

4.4.2.2-A VVPAT, printer connection to voting system

The VVPAT printer SHALL be physically connected via a standard, publicly documented printer port using a standard communications protocol.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

Examples would be parallel printer ports and USB ports. This requirement extends [VVSG2005] I.7.9.4-a in that only authorized election officials can access that port.

Source: [VVSG2005] I.7.9.4-a

1 Comment

Comment by Richard Carback (Academic)

What about standard interface requirements? (e.g. "the printer should communicate with postscript")

4.4.2.2-B VVPAT, printer able to detect errors

The VVPAT SHALL detect printer errors that may prevent VVPRs from being correctly displayed, printed or stored, such as a lack of consumables (paper, ink, or toner), paper jams or misfeeds, and memory errors.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

The requirement to detect errors is expanded on in the sub-requirements, which specify requirements on what to do when the errors are detected.

Source: [VVSG2005] I.7.9.4-g

2 Comments

Comment by ted selker (Academic)

VVPATs should access the voting machine memory with separate hardware and software than the voting machine software

Comment by ACCURATE (Aaron Burstein) (Academic)

By requiring that voting systems with VVPAT capability be able to detect problems that might affect the printing, recording, or storage of the VVPAT record and, upon such a detection, prohibit the voter's ballot from being cast, the draft addresses a problematic feature of currently deployed DRE+VVPAT technologies. This requirement should be adopted.

4.4.2.2-C VVPAT, error handling specific requirements

If a printer error or malfunction is detected, the VVPAT SHALL:

  1. Present a clear indication to the voter and election officials of the malfunction. This must indicate clearly whether the current voter’s vote has been cast, discarded, or is waiting to be completed;
  2. Suspend voting operations until the problem is resolved;
  3. Allow canceling of the current voter’s electronic CVR by election officials in the case of an unrecoverable error; and
  4. Protect the privacy of the voter while the error is being resolved.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

A printer error must not cause the voting device to end up in a state where the election officials cannot determine whether the ballot was cast or not. This requirement restates and extends [VVSG2005] I.7.9.4-h by requiring that in the event of a printer error, privacy must be maintained to the greatest extent possible, and that voting officials need to be able to cancel the voting session.

Source: [VVSG2005] I.7.9.4-h

4.4.2.2-C.1 VVPAT, general recovery from misuse or voter error

Voter actions SHALL NOT be capable of causing a discrepancy between the VVPR and its corresponding electronic CVR.

Applies To: VVPAT

Test Reference: Part 3: 4.5 "Source Code Review", 5.2 "Functional Testing"

DISCUSSION

This prevents an error or malicious act by a voter from creating the incorrect appearance that election fraud has been attempted.

Source: New requirement

2 Comments

Comment by Gail Audette (Voting System Test Laboratory)

This "SHALL NOT" requirement defines a pass/fail criteria based on testing where "nothing happens". How, in practice, will this be tested and what is the Test Reference?

Comment by Richard Carback (Academic)

This requirement is impossible to verify. It is better to state this non-negatively. For example: "The system SHALL prevent the user..."

4.4.2.3 Protocol of operation

4.4.2.3-A VVPAT, prints and displays a paper record

The VVPAT SHALL provide capabilities for the voter to print a VVPR and compare with a summary of the voter’s electronic ballot selections prior to the voter casting a ballot.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

Source: [VVSG2005] I.7.9.2-a

2 Comments

Comment by Diane Golden (Academic)

This standard requires a VVPAT to print a ballot that can be easily compared with the electronic ballot in similar format and presentation. This clearly describes the visual comparison process that will be used by non-disabled voters. For voters with disabilities, comparison of the print and electronic ballots will be more challenging, as the task will not be a straightforward visual comparison. This standard needs to address how non-standard print format material comparison can be accomplished or allow for alternative comparison.

Comment by Premier Election Solutions (Manufacturer)

This requirement mandates that VVPAT shall provide capabilities for the voter to compare the VVPR with electronic ballot summary on the DRE. This precludes the ability to have the voter first review the electronic ballot summary and then separately, without comparison, review the VVPR. For this requirement, there are issues of usability that require more thought to identify how to address those concerns. If the text to speech reader is to be a separate independent system, then the voter must transfer their headset to that independent system. Considering general memory retention capabilities, verifying anything but a short ballot, would involve transferring the headset back and forth between the voting device and the independent verification system. Even if both audio streams are generated by the DRE, and wouldn't require the switching of the headset back and forth, there would still be usability issues for navigation when switching between the audio from the DRE summary to the VVPR audio. It would be far better not to prescribe a comparison but rather allow a review of the records (DRE summary and VVPR) and allow methods to be developed that might prove more usable to voters using the audio ballot. Proposed Change: Change the requirement to read the following: "The VVPAT SHALL provide capabilities for the voter to review a VVPR and a summary of the voter’s electronic ballot selections prior to the voter casting a ballot."

The VVPAT format and presentation of the VVPR and electronic summaries of ballot selections SHALL be designed to facilitate the voter’s rapid and accurate comparison.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

Source: [VVSG2005] I.7.9.6-b

1 Comment

Comment by Premier Election Solutions (Manufacturer)

There appears to be no point in storing an electronic record of a rejected VVPAT. Regardless of how many rejected VVPRs might be on the paper tape, only the accepted ones are counted. A system could record that a rejection took place such as in an event log for auditing purposes, so storing an electronic image of a rejected VVPR is unnecessary. Proposed Change: Replace this item in the requirement with the following: "b. Electronically log that a VVPR was rejected: and"

4.4.2.3-C VVPAT, vote acceptance process requirements

When a voter indicates that the VVPR is to be accepted, the VVPAT SHALL:

  1. Immediately print an unambiguous indication that the vote has been accepted, in view of the voter;
  2. Electronically store the CVR as a cast vote; and
  3. Deposit the VVPR into the ballot box or other receptacle.

Applies To: VVPAT

Test Reference: Part 3: 4.5 "Source Code Review", 5.2 "Functional Testing"

DISCUSSION

Immediately upon acceptance by the voter, the VVPAT commits to accepting the VVPR, in the voter’s sight, and stores the electronic CVR. This defends against the threat that the VVPAT might indicate a rejected vote on the VVPR when the voter cannot observe it. The VVPR must be placed into the receptacle before the next voter arrives, to ensure the previous voter’s privacy.

Source: [VVSG2005] I.7.9.2-b, I.7.9.2-d

4.4.2.3-D VVPAT, vote rejection process requirements

When a voter indicates that the VVPR is to be rejected, the VVPAT SHALL:

  1. Immediately print an unambiguous indication that the vote has been rejected, in view of the voter;
  2. Electronically store a record that the VVPR was rejected including the summary of choices; and
  3. Deposit the rejected VVPR into the ballot box or other receptacle.

Applies To: VVPAT

Test Reference: Part 3: 4.5 "Source Code Review", 5.2 "Functional Testing"

DISCUSSION

Immediately upon rejection by the voter, the VVPAT commits to rejecting the VVPR, in the voter’s sight, and stores the electronic CVR. This defends against the threat that the VVPAT might indicate an accepted vote on the VVPR when the voter cannot observe it.

This requirement in part restates [VVSG2005] I.7.9.2-c.

Source: [VVSG2005] I.7.9.2-c

1 Comment

Comment by ted selker (Academic)

This should be deleted. It is a potential attack.

4.4.2.3-D.1 VVPAT, rejected vote configurable limits per voter

The VVPAT SHALL have the capacity to be configured to limit the number of times a single voter may reject a VVPR without election official intervention. The VVPAT SHALL support limits between zero (any rejected VVPR requires election official intervention) to five times, and MAY support an unlimited number of rejections without election official intervention.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

This requirement permits election officials to configure the VVPAT to limit the number of times a single voter can reject VVPRs before election official intervention is required. This allows equipment to be configured to meet election law of the jurisdiction.

This addresses the threat that a single voter may reject a large number of VVPRs, thus depleting supplies.

This also helps to address the threat that a malicious or malfunctioning VVPAT may indicate a different set of voter choices on the screen than it does on paper and in the electronic records. Such an attack can only be detected by the existence of large numbers of rejected VVPRs. Requiring election official intervention each time a voter rejects a VVPR allows election officials to quickly recognize a malfunctioning or malicious machine.

If the VVPAT is behaving maliciously, it can simply ignore this limit. Voters may notice this and complain, and if the VVPAT is chosen for a hand audit, the auditors will notice a large number of rejected VVPRs and may try to verify whether election officials noticed a large number of problems with the VVPAT.

Source: [VVSG2005] I.7.9.2-c

2 Comments

Comment by ted selker (Academic)

The election official should be involved in spoiling any voting record.

Comment by Gail Audette (Voting System Test Laboratory)

This series of requirements allows any voter with knowledge of these publicly available requirements to maliciously take a perfectly good machine offline during an election and slow the voting process (or have voters turn away due to the time it will take to vote).

4.4.2.3-D.2 VVPAT, rejected vote limits per machine

The VVPAT SHALL have the capacity to limit the total number of VVPRs that a machine may reject before election official intervention is required. The VVPAT SHALL permit the setting of no limit, so that no number of total rejected VVPRs requires immediate election official intervention.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

This requirement supports the procedural defense of taking a VVPAT offline when too many voters complain about its behavior.

The requirement also addresses the threat that a malfunctioning or malicious VVPAT might indicate a different set of choices to the voter than it records on paper and in its electronic records. The only way to detect this attack is a large number of rejected VVPRs, as some voters attempt to verify their VVPRs.

A malfunctioning or malicious VVPAT may ignore these limits. However, if the VVPAT ignores the limits, and the local procedures require taking a voting machine out of service when the maximum number of rejected VVPRs is reached, then a hand audit of the VVPAT will detect its malicious behavior—more rejected VVPRs will be discovered than should be possible from a single VVPAT.

Source: New requirement

4.4.2.3-D.3 VVPAT, rejected vote election official intervention

When a VVPAT reaches a configured limit of rejected VVPRs per voter or per machine, it SHALL do the following:

  1. Remove any indication of the voter’s choices from the screen;
  2. Place the VVPR that has been rejected into the ballot box or other receptacle;
  3. Clearly display that a VVPR has been rejected and indicate the need for election official intervention; and
  4. Suspend normal operations until re-enabled by an authorized election official.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

When a VVPAT reaches some limit on the number of rejected VVPRs, it must suspend normal operations and require election official intervention. This must be done in a way that protects voter privacy as much as possible, and that minimizes the chances of misunderstanding by the voter.

Source: New requirement

1 Comment

Comment by Richard Carback (Academic)

This should be a requirement of the DRE, not the VVPAT.

4.4.2.4 Human-readable VVPR contents for VVPAT

The following requirements apply to the human-readable contents of VVPR.

4.4.2.4-A VVPAT, machine readability of VVPAT VVPR

The human-readable contents of the VVPAT VVPR SHALL be created in a manner that is machine-readable by optical character recognition.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

The user documentation for the VVPAT must include all information necessary to read in the records by optical character recognition. This requirement restates a similar requirement in [VVSG2005] I.7.9.3-g by requiring that VVPRs be machine-readable, at a minimum, through optical character recognition of the human-readable portion of the VVPR.

Source: [VVSG2005] I.7.9.3-g

1 Comment

Comment by Premier Election Solutions (Manufacturer)

Optical character recognition (OCR) or Intelligent Character Recognition (ICR) of clearly printed OCR type latin-script (Roman alphabet characters) is known to be approx. 99% accurate in practice. However, there are still greater inaccuracies with recognizing graphical characters as used in some alternate languages, such as Cantonese, Mandarin, Japanese, etc. Recognizing the text printed on the paper would be far more accurate if bar codes could be used to provide the characters. If the bar codes met other VVSG requirements pertaining to open formats and auditability, it would seem to be a more accurate method of providing the audio. Currently, EBM devices read ID codes on the ballots to determine, from preprogrammed data, what contests and candidates are on the ballot and their locations on the ballot. These devices are not optically reading the characters on the ballot when producing their audio output. Surely, the intent of the VVSG is not to create a double standard; however, requiring OCR of the VVPAT text while not mandating such a requirement for ballot marking devices is, in fact, a double standard. Proposed Change: Remove the phrase "by optical character recognition" in this requirement or apply this requirement evenly to all voting device classes that produce audio from paper.

4.4.2.4-A.1 VVPAT, support for audit of machine-read representations

The VVPAT SHALL include supporting software, hardware, and documentation of procedures to verify the agreement between the machine read content and the content as reviewed directly by an auditor.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

To achieve software independence, the mechanism reading the VVPRs cannot be trusted to read and record the correct values. Thus, an auditing step is required if this information is to be used in a secure way.

Source: New requirement

1 Comment

Comment by Premier Election Solutions (Manufacturer)

This requirement seems redundant. The required auditing step is to use the human readable content on the VVPR for audits and to use observational testing for verifying the audio device's integrity. These requirements are already in the VVSG. It is not necessary to add another level of complexity to what already exists for auditing the VVPAT audio. Proposed Change: Remove this requirement.

4.4.2.4-B VVPAT, paper-roll, required human-readable content per roll

Paper-roll VVPATs SHALL mark paper rolls with the following:

  1. Polling place;
  2. Reporting context;
  3. Date of election;
  4. If multiple paper rolls were produced during this election on this device, the number of the paper roll (e.g., Roll #2); and
  5. A final summary line specifying how many total VVPRs appear on the roll, and how many accepted VVPRs appear on the roll.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

In order for recounts and audits to work, the auditor must be able to determine which electronic record corresponds to the paper roll or rolls. The above information ensures that the auditor will be able to find the right electronic record, and also supports finding all necessary paper rolls. This requirement requires the voting device either to detect the amount of paper remaining on the roll, or to compute how much paper is left.

Source: New requirement

3 Comments

Comment by ted selker (Academic)

"This requirement requires the voting device either…" should be changed to: "This requirement requires that the voting device SHALL only be a voting device if at setup, it has enough materials for an election. The device SHALL alert the voting official of its status at setup."

Comment by Premier Election Solutions (Manufacturer)

For added privacy to the voter, it would be more prudent to not mark the paper roll with the roll number. This is usually an identification that is marked by the election judge on the container which contains the VVPRs. There is already a requirement 4.4.2.6-C(c) that requires a label to be affixed to the VVPR container with identifying information that assists in audits. Regardless of paper low detection, a VVPAT system does not have the ability to recognize that a new roll has been inserted or that the original roll has been removed and re-inserted. To mitigate that issue would require further interaction between the pollworker and the machine to record which roll is being inserted into the machine. If the intent is to provide simpler devices for the pollworkers to operate, and we fully support that objective, this requirement seems to work at cross purposes with that goal. Proposed Change: Remove item (d) from this requirement.

Comment by E Smith/G Umemoto (Manufacturer)

The most common reason to replace a VVPAT is some sort of malfunction (paper jam or mechanical failure). In this case it is not always practical to print a "final summary line specifying how many total VVPRs appear on the roll…" The VVSG should distinguish between normal operation and VVPAT unit swap due to malfunction for this requirement.

4.4.2.4-C VVPAT, paper-roll, information per VVPR

Paper-roll VVPATs SHALL include the following on each VVPR:

  1. Ballot configuration;
  2. Type of voting (e.g., provisional, early, etc.);
  3. Complete summary of voter’s choices;
  4. For each ballot contest:
    1. Contest name (e.g., "Governor");
    2. Any additional information needed for unambiguous interpretation of the VVPR;
    3. A clear indication, if the contest was undervoted; and
    4. A clear indication, if the choice is a write-in vote; and
  5. An unambiguous indication of whether the ballot has been accepted or rejected by the voter.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

The paper roll and the electronic CVRs, together, must give an auditor all information needed to do a meaningful hand audit or recount. The contents in this requirement ensure that the human-readable parts of the paper rolls are sufficient to recount the election and to audit the device totals.

Source: New requirement

1 Comment

Comment by ted selker (Academic)

Should be changed to: Acceptable quality of paper SHALL require interpretable records survive heating to 400 degrees Fahrenheit, that the system has been tested for environmental situations it might face, and that the system has gone through a setup maintenance procedure. The verification medium VVPAT…

4.4.2.4-D VVPAT, paper-roll, VVPRs on a single roll

Paper-roll VVPATs SHALL NOT split VVPRs across rolls; each VVPR must be contained in its entirety by the paper roll.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

Allowing a single VVPR to split across rolls would make auditing much harder, and would also make it very difficult for the voter to fully verify the VVPR. This requires that the printer detect the end of the paper roll in time to avoid splitting VVPRs.

Source: [VVSG2005] I.7.9.6-e

1 Comment

Comment by ted selker (Academic)

Replace this section with: No voting records SHALL be breached during voting. If a VVPAT fails part way through printing, a new VVPAT SHALL be installed in the voting system with appropriate documentation.

4.4.2.4-E VVPAT, cut-sheet, content requirements per electronic CVR

Cut-sheet VVPATs SHALL include the following on each VVPR:

  1. Polling place;
  2. Reporting context;
  3. Date of election;
  4. Ballot configuration;
  5. Type of voting (e.g., provisional, early, etc.);
  6. Complete summary of voter’s choices;
  7. For each ballot contest:
    1. Contest name (e.g., "Governor");
    2. Any additional information needed for unambiguous interpretation of the VVPR;
    3. A clear indication, if the contest was undervoted; and
    4. A clear indication, if the choice is a write-in vote; and
  8. An unambiguous indication of whether each sheet has been accepted or rejected by the voter.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

The set of detached VVPRs must give an auditor all information needed to do a meaningful hand audit or recount. Each VVPR must include all information needed to identify which device produced it, which type of ballot it is (ballot style, reporting context, etc.). All this information is necessary to support the hand audit. Unambiguous rejection and acceptance markings address the threat that the VVPAT might attempt to reject or accept ballot summaries without the voter’s approval.

Source: New requirement

1 Comment

Comment by Verified Voting Foundation (Advocacy Group)

In addition to the above, the Tabulator Summary Count record should include casting methods (e.g., DRE, in-precinct scanner, central count scanner), precinct, batch, and individual device ID. Also, if e-polls are used, ballot accounting data is required.

4.4.2.4-F VVPAT, cut-sheet, VVPR split across sheets

If a cut-sheet VVPAT splits VVPRs across multiple sheets of paper, each sheet SHALL include:

  1. Page number of this sheet and total number of sheets (e.g., page 1 of 4);
  2. Ballot configuration;
  3. Reporting context;
  4. Unambiguous indication that the sheet’s contents have been accepted or rejected by the voter; and
  5. Any correspondence information included to link the VVPR to its corresponding electronic CVR.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

If a VVPR is split across many sheets, then the voter must be able to verify the individual sheets meaningfully, and auditors during the hand audit must be able to count the votes from the VVPR correctly. This means that each sheet must contain all information to interpret and count the votes on it, including reporting context and ballot style, and including whether the voter accepted or rejected the contents of the sheet.

Source: [VVSG2005] I.7.9.6-f

4.4.2.4-F.1 VVPAT, cut-sheet, ballot contests not split across sheets

If a cut-sheet VVPAT splits VVPRs across multiple sheets of paper, it SHALL NOT split ballot contests across sheets.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

Splitting a single ballot contest across multiple sheets would make it difficult for auditors to count votes from the VVPRs. In the case of a referendum, the referendum text may cross several sheets, but the vote choice must not be disassociated from the text that identifies it with the referendum.

Source: New requirement

4.4.2.4-F.2 VVPAT, cut-sheet, VVPR sheets verified individually

If a cut-sheet VVPAT splits VVPRs across multiple sheets of paper, the ballot choices on each sheet SHALL be submitted to the voter for verification separately according to the following:

  1. The voter shall be presented a verification screen for the contents of each sheet separately at the same time as the voter is able to verify the contents of the part of the VVPR on the sheet;
  2. When a voter accepts or rejects the contents of a sheet, the votes contained on that sheet and verification screen shall be committed to memory, regardless of the verification of any other sheet by the same voter;
  3. Configurable limits on rejected VVPRs per voter shall count each rejected sheet as a rejected VVPR;
  4. Configurable limits on rejected VVPRs per machine shall not count more than one rejected VVPR per voter; and
  5. When a rejected VVPR requires election official intervention, the VVPAT shall indicate which sheets have been accepted and which rejected.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

When a VVPR is split across multiple sheets, both the voter and the auditors must be able to determine, unambiguously, whether the votes on each sheet have been accepted or rejected by the voter. This requires verification of each sheet separately. The process of voter verification for a cut-sheet VVPAT is very similar to the process for multiple-page optical scan ballots, in which each sheet may be processed and recounted separately.

Source: New requirement
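
As an added example (not code from the VVSG draft or from any voting system vendor), the Python class below implements the acceptance and rejection steps of 4.4.2.3-C and 4.4.2.3-D, the per-voter and per-machine limits of 4.4.2.3-D.1 and 4.4.2.3-D.2, the intervention sequence of 4.4.2.3-D.3, and the per-sheet counting rules of this requirement for a hypothetical cut-sheet VVPAT. The event log, display text, and the reading that a limit of N permits N rejections before the next one requires intervention (so a per-voter limit of zero makes any rejection require it) are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNLIMITED = None  # both limits must be configurable as "no limit"


@dataclass
class RejectionLimits:
    per_voter: Optional[int] = 5            # 0..5 or UNLIMITED (4.4.2.3-D.1)
    per_machine: Optional[int] = UNLIMITED  # any count or UNLIMITED (4.4.2.3-D.2)


class VVPATSession:
    """Hypothetical rejection-limit logic for a cut-sheet VVPAT.

    Accept/reject follow 4.4.2.3-C/-D; limit checks follow 4.4.2.3-D.1/-D.2 with
    the per-sheet counting rules of 4.4.2.4-F.2; reaching a limit runs the
    4.4.2.3-D.3 intervention sequence.
    """

    def __init__(self, limits: RejectionLimits):
        pv = limits.per_voter
        if pv is not UNLIMITED and not 0 <= pv <= 5:
            raise ValueError("per-voter limit must be 0..5 or UNLIMITED")
        self.limits = limits
        self.machine_rejections = 0   # at most one per voter counts (F.2 item 4)
        self.suspended = False
        self.display = "ready"
        self.log: List[Tuple] = []    # stands in for the device event log
        self.new_voter()

    def new_voter(self) -> None:
        self.voter_rejections = 0     # every rejected sheet counts (F.2 item 3)
        self.voter_counted = False
        self.sheets: Dict[int, str] = {}

    def _require_active(self) -> None:
        if self.suspended:
            raise RuntimeError("suspended: election official intervention required")

    def accept_sheet(self, sheet: int) -> dict:
        self._require_active()
        # 4.4.2.3-C: print ACCEPTED in the voter's view, store the CVR as cast and
        # deposit the sheet; its votes are committed regardless of other sheets.
        self.sheets[sheet] = "accepted"
        self.log += [("printed", sheet, "ACCEPTED"), ("stored_cvr", sheet),
                     ("deposited", sheet)]
        return {"intervention": False}

    def reject_sheet(self, sheet: int, summary: dict) -> dict:
        self._require_active()
        # 4.4.2.3-D: print REJECTED in the voter's view, store a rejection record
        # that includes the summary of choices, deposit the rejected sheet.
        self.sheets[sheet] = "rejected"
        self.log += [("printed", sheet, "REJECTED"),
                     ("stored_rejection", sheet, summary), ("deposited", sheet)]
        self.voter_rejections += 1
        if not self.voter_counted:    # F.2 item 4: one per voter toward the machine limit
            self.machine_rejections += 1
            self.voter_counted = True
        if self._limit_exceeded():
            return self._intervene()
        return {"intervention": False}

    def _limit_exceeded(self) -> bool:
        # Assumed reading: a limit of N allows N rejections; the next one requires
        # intervention, so a per-voter limit of 0 means any rejection does (D.1).
        pv, pm = self.limits.per_voter, self.limits.per_machine
        return ((pv is not UNLIMITED and self.voter_rejections > pv) or
                (pm is not UNLIMITED and self.machine_rejections > pm))

    def _intervene(self) -> dict:
        # 4.4.2.3-D.3: choices leave the screen (the sheet is already deposited),
        # the display asks for an official, and operations stop until re-enabled.
        self.display = "VVPR rejected; election official intervention required"
        self.suspended = True
        self.log.append(("suspended", dict(self.sheets)))
        # F.2 item 5: report which sheets were accepted and which rejected.
        return {"intervention": True, "sheets": dict(self.sheets)}

    def official_reenable(self, official_id: str) -> None:
        self.log.append(("reenabled_by", official_id))
        self.suspended = False
        self.display = "ready"


if __name__ == "__main__":
    # Constructed run: a per-voter limit of 1 and a per-machine limit of 2.
    s = VVPATSession(RejectionLimits(per_voter=1, per_machine=2))
    print(s.reject_sheet(1, {"Governor": "Candidate A"}))   # allowed
    print(s.reject_sheet(2, {"Measure 1": "Yes"}))          # second rejection: intervention
    s.official_reenable("official-1")
    for _ in range(2):                                      # two more voters, one rejection each
        s.new_voter()
        print(s.reject_sheet(1, {"Governor": "Candidate B"}))
    print(s.log)
```
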

4.4.2.5 Linking the electronic CVR to the VVPR

A VVPAT is required to support the linking of electronic and VVPRs, but must also be able to disable this linkage.

3 Comments

Comment by ted selker (Academic)

Allowing election officials to enable or disable correspondence can be a security problem. Any change to the voting machine at the very least requires two traceable agents to authorize the change independently.

Comment by Dave Angell (Voting System Test Laboratory)

A VVPAT is required to support the linking of electronic and VVPRs, but must also be able to disable this linkage. s/b A VVPAT is required to support the linking of electronic CVRs and VVPRs, but must also be able to disable this linkage.

Comment by Ariel J. Feldman, Harlan Yu, Joseph A. Calandrino (Princeton University) (Academic)

This comment applies to this section and also to 4.4.1-A.14. This allows independent voter-verifiable records (IVVR) such as voter-verifiable paper records (VVPRs) to contain information that is not human-readable such as error correcting codes. It also requires voting systems to have the capability to link each IVVR to its corresponding electronic record via a mechanism such as a serial number printed on each VVPR. These requirements may do more harm than good because they would likely allow voting systems to print what are, from a voter's perspective, random-looking strings of letters and numbers on each VVPR. Although this random-looking data is usually innocuous, there is no way to prove that it does not contain information that could compromise the secrecy of the ballot. For example, if a DRE were compromised by malicious software, it could be programmed to print serial numbers on each VVPAT that were actually the encryptions of the times that each vote was cast. To anyone who did not know the encryption key, these serial numbers would appear to be random. But, to someone with the key, they could be used to reconstruct the order that the ballots were cast. In general, it should be impossible to infer anything from the IVVRs other than the votes themselves.

4.4.2.5-A VVPAT, identification of electronic CVR correspondence

The VVPAT SHALL provide a capability to print information on each VVPR sufficient for auditors to identify from an electronic CVR its corresponding VVPR and from a VVPR its corresponding electronic CVR. This capability SHALL be possible for election officials to enable or disable.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

All VVPATs are required to support this capability as an option, but it must be configurable so that election officials can enable or disable it.

Source: [VVSG2005] I.7.9.3-c

4.4.2.5-A.1 VVPAT, CVR correspondence identification hidden from voter

Any information on the VVPAT VVPR that identifies the corresponding electronic CVR SHOULD NOT be possible for the voter to read or copy by hand.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

This requirement addresses the threat that some voters might copy down the correspondence information to prove to some third party how they have voted. If the correspondence information is not possible for voters to copy down by hand, they must use a camera or similar technology to prove how they voted—in which case, the correspondence information makes vote buying no easier than it already was.

Source: New requirement

3 Comments

Comment by ted selker (Academic)

The fronts of voting machines and verification systems can include 3M louver technology to eliminate the opportunity for a camera to photograph the front of the screen and to add visual security to systems.

Comment by E Smith/G Umemoto (Manufacturer)

There seems to be a contradiction between sections 4.4.2.5-A (VVPAT, identification of electronic CVR correspondence), 4.4.2.5-A-1 (VVPAT, CVR correspondence identification hidden from voter) and 4.4.2.5-A.2 (VVPAT, CVR correspondence identification viewable to auditors). If we are to use a "non-restrictive, publicly-available format, readable without confidential, proprietary, or trade secret information." (Part 1, section 4.4.1-A.8), how can you have a piece of information on a VVPAT that is both "hidden from voter", and "viewable to auditors"?

Comment by Craig Burton, CTO, EveryoneCounts.com (Manufacturer)

If the voter has the ability to challenge a vote by stating that the VVPAT was wrong, then presumably the voter gets another chance to vote. This actually weakens any voter's claim that they have photographed their final ballot as they may have gone on to ask for another and then voted differently.

4.4.2.5-A.2 VVPAT, CVR correspondence identification viewable to auditors

The VVPAT manufacturer SHALL include a capability for auditors to verify the correspondence between the electronic CVR and VVPR pairs, if the correspondence information is printed on the VVPR.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

Auditors must be able to decode the correspondence information from the VVPR, in order to determine which electronic CVR corresponds to any given VVPR.

Source: New requirement

4.4.2.5-A.3 VVPAT, CVR correspondence identification in reported ballot images

When electronic CVR correspondence identification is printed on the VVPAT VVPR, the correspondence information SHALL be included in the ballot images sent to the EMS in the collection of ballot images record.

Applies To: VVPAT

Test Reference: Part 3: 4.5 "Source Code Review", 5.2 "Functional Testing"

DISCUSSION

The correspondence information is useful only if it is reported back to the EMS. Including this information ensures that it will also be digitally signed before being returned.

Source: [VVSG2005] I.7.9.3-c
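As an added example (not part of the VVSG or any voting system's code), the following auditor-side check exercises 4.4.2.5-A through A.3 together: each VVPR carries a machine-readable correspondence payload that a voter cannot copy by hand, auditors rebuild the payload-to-CVR table from the ballot-images record the EMS received, and every record is matched in both directions. The record layout, the digest-based payload encoding and the sample data are constructed assumptions; when officials have disabled the capability, only the record counts can be compared.

```python
"""Auditor-side correspondence check between electronic CVRs and VVPRs (added example)."""
from dataclasses import dataclass
from typing import Optional
import hashlib

@dataclass(frozen=True)
class ElectronicCVR:
    cvr_id: str      # identifier carried in the ballot-images record sent to the EMS
    choices: tuple   # (contest, selection) pairs; constructed layout

@dataclass(frozen=True)
class VVPR:
    seq: int                   # position on the paper roll, used only in the report
    choices: tuple             # human-readable selections printed on the record
    payload: Optional[bytes]   # machine-readable correspondence payload (a barcode in
                               # practice); None when officials disabled the capability

def encode_correspondence(cvr_id: str) -> bytes:
    """Constructed encoding: the VVPR carries a truncated digest of the CVR identifier
    rather than the identifier itself, so it is not readable or copyable by hand."""
    return hashlib.sha256(cvr_id.encode()).digest()[:8]

def correspondence_table(cvr_ids):
    """Auditor capability (4.4.2.5-A.2): rebuild payload -> CVR id from the EMS record.
    Refuses to proceed if two identifiers would be indistinguishable on paper."""
    table = {}
    for cid in cvr_ids:
        key = encode_correspondence(cid)
        if key in table:
            raise ValueError(f"payload collision between {table[key]!r} and {cid!r}")
        table[key] = cid
    return table

def audit_correspondence(cvrs, vvprs):
    """Match every VVPR to its electronic CVR and back. Empty 'cvr_without_vvpr',
    'vvpr_without_cvr', 'duplicate_vvpr' and 'content_mismatch' lists mean all records
    pair up and agree. With correspondence disabled only counts are compared."""
    report = {"enabled": True, "count_ok": len(cvrs) == len(vvprs), "matched": [],
              "cvr_without_vvpr": [], "vvpr_without_cvr": [], "duplicate_vvpr": [],
              "content_mismatch": []}
    if any(v.payload is None for v in vvprs):
        report["enabled"] = False
        return report
    ids = [c.cvr_id for c in cvrs]
    if len(set(ids)) != len(ids):
        raise ValueError("duplicate CVR identifiers in ballot-images record")
    table = correspondence_table(ids)
    by_id = {c.cvr_id: c for c in cvrs}
    seen = set()
    for v in vvprs:
        cid = table.get(v.payload)
        if cid is None:
            report["vvpr_without_cvr"].append(v.seq)        # paper record the EMS never saw
        elif cid in seen:
            report["duplicate_vvpr"].append((cid, v.seq))   # two paper records, one CVR
        elif by_id[cid].choices != v.choices:
            seen.add(cid)
            report["content_mismatch"].append((cid, v.seq))  # pair found, contents differ
        else:
            seen.add(cid)
            report["matched"].append((cid, v.seq))
    report["cvr_without_vvpr"] = sorted(set(ids) - seen)   # CVRs with no paper record
    return report

def demo():
    """Constructed sample: three CVRs, one VVPR disagrees, one CVR has no paper record."""
    cvrs = [ElectronicCVR("cvr-001", (("Mayor", "A"),)),
            ElectronicCVR("cvr-002", (("Mayor", "B"),)),
            ElectronicCVR("cvr-003", (("Mayor", "A"),))]
    vvprs = [VVPR(1, (("Mayor", "A"),), encode_correspondence("cvr-001")),
             VVPR(2, (("Mayor", "A"),), encode_correspondence("cvr-002"))]
    return audit_correspondence(cvrs, vvprs)
```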

4.4.2.6 Paper-roll VVPAT privacy and audit-support

Paper roll VVPATs may introduce a privacy risk when records are stored sequentially. However, this risk can be mitigated using a combination of technology and strong election procedures. The following requirements address this threat.

5 Comments

Comment by Brian V. Jarvis (Local Election Official)

Part of the 1st sentence may be missing. .... when records are sequentially what?

Comment by Dave Angell (Voting System Test Laboratory)

Paper roll VVPATs may introduce a privacy risk when records are sequentially. s/b, such as: Paper roll VVPATs may introduce a privacy risk when records are listed sequentially.

Comment by Bryan Pfaffenberger (Academic)

I find myself somewhat uncomfortable with this section. It makes the case that the secrecy of VVPAT records can be achieved by treating them like paper ballots. However, paper ballots are not necessarily deposited in sequential order in the way that VVPAT records are. Election officials acting in collusion could open the container, locate individual voters' records, and determine the nature of their votes. Would it defeat the purpose of a VVPAT if it were, after voter verification, to print some of the records out of sequence according to a randomization algorithm? Bryan Pfaffenberger Univ. of Virginia

Comment by Kathy Dopp (Advocacy Group)

Comments on 4.4.2.6 Paper-roll VVPAT privacy and audit-support. In addition to the requirements listed by the VVSG for VVPAT privacy, any paper-roll VVPAT shall not print a time-stamp on the voters’ ballot that could be (and has been used in a case in Ohio) in conjunction with an examination of the pollbook record to pair voters with their ballots to be able to determine how they voted. Better yet, sequential paper-roll VVPAT should be prohibited in the new VVSG standards because not only do sequential paper-roll VVPATs potentially violate voter privacy, especially for voters who must use an accessible voting machine, but paper-roll VVPATs are not durable, frequently become lost or damaged, take longer to audit than individual durable paper ballots, require an extra step from the voters, and are more complex for election officials to store, transport, and keep track of, as opposed to the simplicity of using one or two ballot boxes to secure all the ballots for a polling place. In addition, machine-printed ballot records may not accurately reflect voter intent because research has shown that most voters do not take the time to review them, and that only about 1/3rd of the voters who do review them are capable of accurately detecting machine-printed errors on them. In addition, the "two strikes and you’re out" rule, which allows voters only two chances to review and reject the machine-printed paper-roll VVPAT printer, can prevent the most diligent voter from being able to produce an accurate durable auditable record of his or her ballot. In sum, paper-roll VVPATs are less suitable for auditing than are durable individual paper ballots, and paper-roll VVPATs can disenfranchise voters by causing longer poll lines due to the extra voting step for able-bodied voters and due to printers running out of paper or getting jammed or due to the "two strikes and you’re out" rule. Thank you.

Comment by Ariel J. Feldman, Harlan Yu, Joseph A. Calandrino (Princeton University) (Academic)

We believe that locks, tamper-evident seals, and election procedures are insufficient to mitigate the risk to ballot secrecy posed by paper roll VVPATs. Research has shown that every currently-used type of tamper-evident seal can be removed and replaced without evidence by one person within 30 minutes, with the majority defeated within 2 minutes (see: R.G. Johnston. Tamper-Indicating Seals. American Scientist, November-December 2006. pp. 515-523.) Moreover, we worry that despite the best efforts of election officials, it may still be possible for a malicious insider to gain access to the VVPATs (or for a voter to have a reasonable fear of this possibility). Rather than trying to conceal the record of the order that votes were cast, we believe it is safer to prohibit voting systems from keeping such a record at all.

4.4.2.6-A VVPAT, paper-roll, VVPRs secured immediately after vote cast

Paper-roll VVPATs SHALL store the part of the paper roll containing VVPRs in a secure, opaque container, immediately after they are verified.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

Paper rolls containing VVPRs for voters in the order in which they used the voting systems represent a privacy risk. VVPATs that comply with this requirement decrease this risk.

Source: [VVSG2005] I.7.9.5-d, I.7.9.5-g, I.7.9.4-d

1 Comment

Comment by Harry VanSickle (State Election Official)

Recommend that the discussion provide further explanation as to how compliance with this requirement decreases the privacy risk.

4.4.2.6-B VVPAT, paper-roll, privacy during printer errors

Procedures for recovery from printer errors on paper-roll VVPATs SHALL NOT expose the contents of previously cast VVPRs.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

Printer errors must not result in the loss of ballot secrecy. This is related to the requirement for immediately storing the VVPRs inside a secure, opaque container.

Source: New requirement

4.4.2.6-C VVPAT, paper-roll, support tamper-seals and locks

Paper-roll VVPATs SHALL be designed so that, when the rolls are removed from the voting device, the following hold:

  1. All paper containing VVPRs is contained inside the secure, opaque container;
  2. The container supports being tamper-sealed and locked; and
  3. The container supports being labeled with the device serial number, precinct, and other identifying information to support audits and recounts.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

Paper-roll VVPAT must support good procedures to protect the voters’ privacy. The supported procedure in this case is immediately locking and tamper sealing each VVPAT container upon removing it from the voting device. This is consistent with the goal of having the paper rolls with VVPRs on them treated like paper ballots, stored in a locked and sealed box.

If the paper roll cartridge is locked and sealed before the start of voting, and some mechanism in the cartridge prevents extraction of the used paper roll collected inside the cartridge, locking and sealing the cartridge a second time at poll closing would be necessary only for preventing further VVPRs being printed on the paper roll.

Source: [VVSG2005] I.7.9.5-g

2 Comments

Comment by ted selker (Academic)

All paper containing VVPRs are contained inside the secure, opaque container. Should we consider clear ones, that show that they don’t have false bottoms, etc., like other countries?

Comment by ted selker (Academic)

All voting records require a double-lock approach: two responsible and documented individuals are required to access the box.

4.4.2.6-D VVPAT, paper-roll, mechanism to view spooled records

If a continuous paper spool is used to store VVPRs, the manufacturer SHALL provide a mechanism for an auditor to unspool the paper, view each VVPR in its entirety, and then respool the paper, without modifying the paper in any way or causing the paper to become electrically charged.

Applies To: VVPAT

Test Reference: Part 3: 5.2 "Functional Testing"

Source: New requirement

4.4.3 PCOS systems

A PCOS voting system involves paper ballots marked in a way that is both human- and machine-readable. The following requirements apply to optical scan ballots, as required for supporting audit and recount.

3 Comments

Comment by Diane Golden (Advocacy Group)

The standards applicable to systems using a base paper ballot seem to assume that voters will be completing those ballots directly, thus there is no need for verification standards that ensure software independence. However, in the case of voters with disabilities using a ballot-marking device, a secondary verification process dependent on software is required. This verification is somewhat similar to the comparison of electronic and paper ballot contents except the comparison is between the electronic display prior to generating the print ballot and the actual marked ballot. Voters who use a ballot-marking device must be able to verify that the marked paper ballot is in fact printed with the vote selections made via electronic interface which requires a software assisted verification process. It is unclear what if any standards apply to the software of a ballot-marking device pursuant to the software independence requirement. Is it acceptable for the same software to generate and verify ballot contents? Or do ballot marking devices need to have software that generates the marked ballot and separate OCR software that will "read" the contents (including write-in text) and render it in alternative forms (audio and large print) for voters with disabilities? The standards should address these critical issues.

Comment by Bryan Pfaffenberger (Academic)

As a general comment on precinct-count optical scan systems, it seems that voter privacy and secrecy are given little thought in most procedural frameworks - voters line up to insert their ballots, holding their ballots face-up. It's pretty easy to see how someone has voted. An employee might not realize that one of the election judges might mention her choices to an employer, which could have adverse consequences for her. The risk is small, but it should be non-existent. Couldn't the ballots be enclosed in a sheath or wrapper until the moment they're inserted in the scanner? And shouldn't the scanner be given the same privacy protections as the voting booth? Bryan Pfaffenberger, Ph.D. Univ. of Virginia

Comment by U.S. Public Policy Committee of the Association for Computing Machinery (USACM) (None)

USACM Comment #21. 4.4.3 PCOS Systems Printing PCOS Exception [incomplete] USACM recommends that subsection 4.4.3 be taken out of the VVPAT section and become its own section (e.g. Section 4.5) in the same VVSG part/chapter. Additionally, USACM recommends replacing the existing wording with the following: PCOS systems can provide the VVSG required recording mechanism independence. A PCOS voting system involves paper ballots marked in a way that is both human and machine-readable. These paper ballots are routinely marked legitimately at only two times: 1. When they are printed and 2. When the voter marks them. The following exception applies to optical scan ballots as required for supporting audit and recount. DISCUSSION: This subsection needs to be taken out of the VVPAT section because the current organization would subsume PCOS systems under VVPATs, and that does not accurately reflect the nature of PCOS. PCOS systems are independent of VVPAT systems, particularly when considering tabulation of ballots. Printing scanners is a relatively novel voting system paradigm. There is little in the literature that investigates the threat that printing scanners pose to a voting system. Allowing printing during the scanning process can add integrity information to ballots, but also adds a non-trivial threat relative to marking undervoted ballots or by spoiling properly marked ballots either programmatically or unintentionally. The requirements for this technology must ensure that this printing capability cannot be abused to ensure that some ballot types are always passed by without inclusion in the count or audit.

4.4.3-A Optical scanner, optional marking

Optical scanners MAY add markings to each paper ballot, such as:

  1. Unique record identifiers to allow individual matching of paper and electronic CVRs;
  2. Digital signatures; and
  3. Batch information.

Applies To: Optical scanner

Test Reference: Part 3: 5.2 "Functional Testing"

Source: New requirement

1 Comment

Comment by ACCURATE (Aaron Burstein) (Academic)

This requirement would allow precinct-count optical scan (PCOS) systems to make optional marks on ballots during the casting and scanning process while restricting these optional marks to specific areas of the ballot face for security reasons. This supports some future directions of voting system auditing models that are now only nascent and should be adopted.

4.4.3-A.1 Optical scanner, optional marking restrictions

Optical scanners that add markings to scanned paper ballots SHALL NOT be capable of altering the contents of the human-readable CVR on the ballot. Specifically, optical scanners capable of adding markings to the scanned ballots SHALL NOT permit:

  1. Marking in the regions of the ballot that indicate voter choices;
  2. Marking in the regions of the ballot that contain the human-readable description of the marked choice; and
  3. Marking in regions reserved for timing marks.

Applies To: Optical scanner

Test Reference: Part 3: 5.2 "Functional Testing"

DISCUSSION

If the scanner could alter the human-readable contents of the ballot, or mark the ballot, after scanning, then the paper records stored by the scanner could no longer be considered voter-verifiable, and the optical scan system would no longer be software independent.

Source: New requirement

6 Comments

Comment by ted selker (Academic)

All markable media SHALL demonstrate that they read blank before being used as a markable voting record.

Comment by Paul Rovner (Voter)

If there is a paper record, it must not be continuous or sequential. In conjunction with a time-sorted list of those who vote at a polling place, it would then be possible to determine how an individual voted. This would do away with the secret ballot! This is an egregious flaw in the proposed "architecture". As a voter and member of the public I object strenuously! Any paper record must not be continuous or sequential.

Comment by Robert Shellenberger (Voter)

It is obvious we need scanners that do not alter the paper record. This also points out the importance of having a paper record to verify the accuracy of the vote.

Comment by Jim Guerin (Voter)

All computer systems are subject to subtle errors. Moreover, computer systems can malfunction or be deliberately corrupted at any stage of their design, manufacture, and use. The methods used to do this can be extremely difficult to foresee and detect. Therefore, it is crucial to the integrity of elections that voting systems provide a means of recording and recovering voter intent that does not depend on the reliability of software.

Comment by U.S. Public Policy Committee of the Association for Computing Machinery (USACM) (None)

USACM Comment #22. 4.4.3-A.1 Printing PCOS Print Area Restriction [incomplete] USACM recommends replacing the existing wording in subsection 4.4.3-A.1 with the following: Optical scanners with printing capabilities that add markings to paper ballots as they are scanned SHALL ONLY permit printing in spaces designated on the ballots for that purpose. They SHALL NOT be capable of altering the contents of the human-readable CVR on the ballot. Specifically, optical scanners capable of adding markings to the scanned ballots SHALL NOT permit: a. Marking in the regions of the ballot that indicate voter choices; b. Marking in the regions of the ballot that contain the human-readable description of the marked choice; and c. Marking in regions reserved for timing marks. d. Marking in regions reserved for any other purpose. e. Marking in regions not designated for any purpose. DISCUSSION: The present verbiage may allow stray marks or marking in areas designated for other purposes. The proposed wording clarifies and strengthens protection against overwriting by optical scanner/printer markings.

Comment by ACCURATE (Aaron Burstein) (Academic)

This requirement should be included in the final guidelines. It supports Part 1:4.4.3-A, which ACCURATE recommends adopting. See ACCURATE's comment for Part 1:4.4.3-A.
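As an added example (not the VVSG's or any manufacturer's code), the following design-time check applies the 4.4.3-A.1 restriction to a ballot layout: every area a scanner may print in is tested for overlap with vote targets, choice text and timing marks, after being expanded by a registration margin so that print-head drift cannot push a mark into a protected region. It also goes one step further than the requirement text by supporting the allow-list reading proposed in the USACM comment, where print areas must additionally fall wholly inside regions designated for scanner marks. The region kinds, coordinates and sample layout are constructed assumptions.

```python
"""Design-time check that a PCOS scanner's print areas stay clear of protected ballot
regions (added example; region names, units and sample geometry are constructed)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rect:
    """Axis-aligned rectangle in ballot coordinates (millimetres from the top-left)."""
    x: float
    y: float
    w: float
    h: float

    def expand(self, margin):
        """Grow the rectangle on every side to allow for print-head registration drift."""
        return Rect(self.x - margin, self.y - margin, self.w + 2 * margin, self.h + 2 * margin)

    def overlaps(self, other):
        """Positive-area intersection; a shared edge alone does not count as overlap."""
        return (self.x < other.x + other.w and other.x < self.x + self.w
                and self.y < other.y + other.h and other.y < self.y + self.h)

    def contains(self, other):
        return (self.x <= other.x and self.y <= other.y
                and other.x + other.w <= self.x + self.w
                and other.y + other.h <= self.y + self.h)

# Region kinds that 4.4.3-A.1 forbids a scanner from marking (constructed names).
PROTECTED_KINDS = ("vote_target", "choice_text", "timing_mark")

def check_print_areas(print_areas, regions, margin=0.0, designated=None):
    """print_areas: Rects the scanner may print in; regions: (kind, Rect) pairs from the
    ballot layout. Each print area is expanded by `margin` before checking. When
    `designated` (a list of Rects) is given, every print area must also lie wholly
    inside one designated region, the stricter allow-list from the USACM comment.
    Returns (area_index, problem) tuples; an empty list means the layout complies."""
    problems = []
    for i, area in enumerate(print_areas):
        grown = area.expand(margin)
        for kind, region in regions:
            if kind in PROTECTED_KINDS and grown.overlaps(region):
                problems.append((i, kind))
        if designated is not None and not any(d.contains(grown) for d in designated):
            problems.append((i, "outside_designated"))
    return problems

def sample_layout():
    """Constructed single-contest layout: two vote targets with their choice text, a
    column of timing marks down the left edge, and a footer reserved for scanner marks.
    Returns (regions, designated_print_regions)."""
    regions = [("timing_mark", Rect(2, 0, 4, 280)),
               ("vote_target", Rect(15, 40, 8, 5)), ("choice_text", Rect(26, 39, 60, 7)),
               ("vote_target", Rect(15, 50, 8, 5)), ("choice_text", Rect(26, 49, 60, 7)),
               ("footer", Rect(10, 260, 180, 15))]
    return regions, [Rect(10, 260, 180, 15)]
```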