This post deals in some obscure aspects of voting integrity that have come to light recently as a result of an article appearing in the Washington Post.
Warning: This diary is long and I don't expect many people to get through it far enough to decide to recommend. That's o.k. since it's aimed at a fairly limited audience, namely voting integrity activists in states where a paper audit trail of some type is still not required. Fortunately that's a shrinking market, but the job won't be finished until it's down to zero. So if you know someone in this game, please forward the link. They'll thank you for it.
Mostly, this is background information for readers that feel the WaPo article is going to create some brief but important media traction for the ensuing debate over paperless DREs. We can use this attention to get our case better heard. But there is a need to first correct some misperceptions that led many folks to take the article as (startling) good news. The subject was a report prepared in connection with a Help America Vote Act (HAVA) requirement dealing with national standards for voting systems.
We start about here -
Passed in 2002, HAVA provides federal funding and technical guidance aimed at changing the nature of voting in America. Amongst other non-discretionary elements are requirements to maintain state wide voter registration lists and to move away from mechanical punch card voting machinery. HAVA provides significant funding grants to states for use in meeting these mandates.
HAVA also established the US Election Assistance Commission (EAC) to administer this funding and assistance, and to specifically develop voluntary voting system guidelines (VVSG) for use by states to certify their voting system acquisitions, and to create a national certification standard for use by manufacturers. The first comprehensive set of guidelines was released in 2005 and will replace previous standards by December, 2007 (prior to this release, the EAC simply took existing FEC standards as the first set of voting system guidelines adopted under HAVA).
As the name implies, the guidelines are voluntary. At least 39 states presently use the guidelines in their certification process. The remaining states are likely to do so eventually, given that all fifty states (and five non-state voting jurisdictions) contribute members to the EAC’s Board of Standards.
The EAC in turn formed the Technical Guidelines Development Committee (TGDC) to develop recommendations for the VVSG. The 2005 release is referred to as VVSG 05; the TGDC is now in the midst of the next iteration, tentatively scheduled for release in 2007 (VVSG 07).
The TGDC is where the real work on voting systems gets done. The committee is comprised of 15 members, described and identified in the table below. They receive substantial assistance from the National Institute of Standards and Technology (NIST) in the form of equipment, test labs, technical expertise and so forth. NIST is a non-regulatory federal agency within the Commerce Department responsible for advancing measurement science, standards, and technology.
Makeup of the TGDC
- The Director of the National Institute of Standards and Technology (NIST) serves as its chair
- 2 members of the EAC Standards Board
- 2 members of the EAC Board of Advisors
- 2 members of the Architectural and Transportation Barrier, and Compliance Board (Access Board)
- A representative of the American National Standards Institute (ANSI)
- A representative of the Institute of Electrical and Electronics Engineers (IEEE)
- 2 representatives of the National Association of State Election Directors (NASED)
- 4 individuals with technical and scientific expertise relating to voting systems and voting equipment
Current TGDC members
Dr. William Jeffrey | Director of NIST | Chair |
John A. Gale | Nebraska Secretary of State | Standards Board |
Alice Miller | Director of Elections - D. C. | Standards Board |
Sharon Turner Buie | Director of Elections - Kansas City | Board of Advisors |
Helen Purcell | Maricopa County Recorder | Board of Advisors |
Philip G. Pearce | | Access Board |
Tricia Mason | | Access Board |
David Wagner | Associate Professor, UC - Berkeley | ANSI |
H. Stephen Berger | TEM Consulting | IEEE |
Dr. Brittain Williams | Retired professor- Kennesaw State | NASED |
Paul Miller | Secretary of State Office, WA | NASED |
Patrick Gannon | President and CEO, OASIS | Other |
Whitney Quesenbery | Past President-Usability Professionals' Association | Other |
Dr. Ronald Rivest | Professor, MIT | Other |
Dr. Daniel Schutzer | Executive Director, Financial Services Technology Consortium | Other |
The TGDC does it work primarily through three sub-committees, viz., Security and Transparency (STS), Core Requirements and Testing (CRT), and Human Factors and Privacy (HFP). These sub-committees rely heavily on NIST to accomplish their tasks. The TGDC meets periodically to hear from its sub-committees, review work in progress, vote on resolutions, etc. Ultimately, they are responsible for submitting a VVSG for approval and publication by the EAC.
It's important to note that the TGDC has absolutely no authority to certify (or de-certify) any voting system, past or future. Power rests with the EAC by deciding to adopt the committee’s recommendations for the VVSG. The vetting process is such that everyone involved works toward unanimous acceptance of the committee’s final recommendations, but it's not a slam dunk.
That brings us up to the present. While carefully watched by voting integrity activists, the TGDC does not draw much media attention. That changed last week, when the STS released a draft report of its recommendations to the TGDC. The most important recommendation was the introduction of the concept of "software independence" (SI) as a key requirement in any new voting system covered by VVSG 07.
STS defined SI in their draft thus: "A voting system is software-independent if a previously undetected change or error in its software cannot cause an undetectable change or error in an election outcome." And if this condition cannot be met, the system is termed software dependent.
The description goes on to draw a link between such software and the necessity for a voter prepared or verified paper audit trail.
A simple example of this is op scan, in which a voter marks . . . the paper ballot. The voter verifies the paper ballot is correct, thus it is voter-verified, and the paper ballot is "outside" or independent of the voting system, i.e., it cannot be changed or modified by the voting system. As a consequence of these two factors, the paper ballot can be considered as independent evidence of what the voter believed he or she was casting. After the paper ballots are scanned, they can subsequently be used to provide an independent audit, or check, on the accuracy of the electronic counts.
If an undetected change or error in the optical scanner's software were to cause erroneous counts, subsequent audits would show the errors. Even if malicious code was inserted into the scanner's software, the audits would detect resultant errors in the counts. Therefore, the correctness of the scanner's counts does not rely on the correctness of the scanner's software, and thus op scan is software independent: changes or errors in its software will be reliably detected by independent audits of its electronic counts. Thus, the primary ingredients to SI as illustrated in op scan are (1) voter-verified records that are (2) independent of the voting system used in (3) audits of the scanner's electronic counts.
When the paper was first released last week, it caused quite a stir in the voting integrity community, because many interpreted it as having the effect of banning DRE machines without a paper trail. Now, there are only five states remaining where paperless machines are used statewide, but my home state of Maryland is one of them. So the issue is more than academic for me.
In point of fact, the paper was only a draft of recommendations from STS that would be presented at a Dec. 4 meeting of the TGDC at NIST headquarters in Gaithersburg, MD. However, if actually incorporated into VVSG 07, the requirement for SI would effectively ban the future certification of any more paperless machines, at least of the type we know today.
This is extremely important, mainly from the standpoint of the paradigm shift it represents, accepting as a given that no software dependent system can be made fully reliable at anything approaching a realistic cost. By removing the focus from ill defined terms like "safe" and "secure" the debate can center less on bugs, hacks and malfeasance, and more on audits, verification and recounts.
Utilizing SI as a reference point also serves to remove the concept of establishing a recovery planas part of a an overall security regime. In effect, SI is capable of incorporating recovery into the system itself, if properly structured.
So what happened to the recommendation? Well, in a heart stopping moment on Monday, a resolution calling for the adoption of an SI standard went down to defeat in a close vote that saw most of the professional election officials on the TGDC voting against it. But a rewording of the resolution to protect existing inventories of paperless DREs passed the following day by unanimous consent. It will be interesting indeed to see how this radical new requirement ends up in the next VVSG.
Of course, like many such things, the immediate impact of this resolution will be less than initially perceived. For one thing, since the actual certification process lags the VVSG by at least two years, we’re looking at 2009 or 10 before the new guide becomes effective. And as mentioned before, we're down to just five states that have an entirely paperless system statewide, and no other is rushing to employ one.
Nevertheless, the news is significant because of the underlying shift to SI as a governing structure in the development of future systems. There's a point that must be stated simply and repeatedly to legislators and election officials, and the point is this: The folks that are in a position to know about these things have finally accepted the idea that software dependent systems can never be proven safe or fallible – we simply cannot know if an election was true, regardless of what evidence is or isn't present. And because of that, an independent paper audit is absolutely crucial to election integrity, with the audit mechanism showing great preference for one that is voter prepared, and not just voter verified.
Now that's a framework I can work with!