FROM: Teresa Hommel, Chair, Task Force on Election Integrity, Community Church of New York
TO: New York State Board of Elections, 40 Steuben Street, Albany, NY 12207-2108
Comment on Draft Voting Systems Standards
Section 6209.1 Definitions
For ease of comparison, where relevant, I have copied the paragraphs of the State Board's Draft Standards (“SBOE DRAFT”) and the Response by the Board of Elections in the City of New York (“NYC BOE RESPONSE”) prior to the change that I am suggesting.
--------------------------------------------------------------------------------------------------------
HOMMEL SUGGESTED ADDITIONS
Define "nominal system performance" and "nominal value" used in Section 6209.6
REASON
"Nominal" means "in name only." The technical meaning, if different, should be specified.
Context in which the terms are used:
A. Functional Configuration Audit
A functional configuration audit shall be performed to verify that the software complies with the Software Specification. Vendor test data may be used in partial fulfillment of this requirement; however, the State Board or its designee shall perform or supervise the performance of additional tests, or order additional laboratory testing, to verify nominal system performance in all operating modes and to validate, on a sampling basis, the vendor's test data reports. The Functional Configuration Audit shall be performed in a facility selected by the State Board.
(3) Maintenance Information ...
(c) Technical illustrations and schematic representations of electronic circuits shall be provided with indications of all test and adjustment points and the nominal value and tolerance or waveform to be measured. Fault detection, isolation and correction procedures or logic diagrams shall be prepared for all operational abnormalities identified by design analysis and operating experiences.
--------------------------------------------------------------------------------------------------------
HOMMEL SUGGESTED ADDITIONS
Input/output capability means any hardware device or any programming for such device, whether software, firmware or any other type, that enables transfer of information from one part of a computer to another part of the same computer, such as a disk drive, keyboard, mouse, display screen, printer, diskette drive, CD drive, PCMCIA drive, USB port for flash memory device, or a slot for a memory card.
Communications capability means any hardware device or any programming for such device, whether software, firmware or any other type, that enables transfer of information between computers, such as Local Area Networks (LANs), modems for telephone lines, powerline communications, or devices for other wired or wireless connectivity between computer systems.
--------------------------------------------------------------------------------------------------------
SBOE DRAFT
1. Acceptance test means a test conducted by the county board of elections and the State Board of Elections, to demonstrate that the voting system software as delivered and installed in the user's environment, meets all of its functional requirements.
HOMMEL SUGGESTED REPLACEMENT
1. Acceptance test means a test conducted by the County Board and the State Board to demonstrate that each voting system delivered meets all functional requirements and has exactly the same components as the voting system of its type that received certification from New York State as listed in the Escrow Component List, including all hardware; programming whether in the form of software, firmware, or any other kind; all files; all file system hierarchies; all operating system parts and all commercial off-the-shelf hardware and programming parts, and any other components.
REASON
New York should not negligently accept delivery of systems without confirming that they are the same as the system that was certified -- that delivered systems contain no "extra" parts that may consist of back doors for tampering, that they have no "missing" parts, and that their files are the same in size, content, and arrangement in the same file system hierarchy.
Vendors of voting systems should not be assumed to be more saintly than vendors of other products, where delivery of different or lesser-quality goods has occurred.
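
The comparison described in the REASON above (no "extra" parts, no "missing" parts, files the same in size, content, and arrangement) can be automated as a manifest comparison. The following is an added example, not part of the original comment or of any Board procedure; it assumes the certified reference system and the delivered system are both available as directory trees, and every path and file content in it is constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash file content in chunks so large images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every relative path under root to (kind, size, digest-or-target)."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            if full.is_symlink():
                manifest[rel] = ("link", 0, os.readlink(full))
            elif full.is_dir():
                manifest[rel] = ("dir", 0, "")  # directories count: arrangement
            elif full.is_file():
                manifest[rel] = ("file", full.stat().st_size, sha256_file(full))
            else:  # device node, FIFO, socket: record it, never read it
                manifest[rel] = ("special", 0, "")
    return manifest


def compare(certified, delivered):
    """Report missing, extra, changed and relocated entries."""
    missing = sorted(set(certified) - set(delivered))
    extra = sorted(set(delivered) - set(certified))
    changed = sorted(p for p in set(certified) & set(delivered)
                     if certified[p] != delivered[p])
    # A file absent from its certified path but present, byte-identical,
    # at an uncertified path is an arrangement difference ("moved").
    by_entry = {}
    for p in extra:
        if delivered[p][0] == "file":
            by_entry.setdefault(delivered[p], []).append(p)
    moved = []
    for p in missing:
        if certified[p][0] == "file" and by_entry.get(certified[p]):
            moved.append((p, by_entry[certified[p]].pop(0)))
    for old, new in moved:
        missing.remove(old)
        extra.remove(new)
    return {"missing": missing, "extra": extra,
            "changed": changed, "moved": moved}


def accepted(report):
    """Pass only if the delivered tree matches the certified one exactly."""
    return not any(report.values())


def write_tree(root, files, empty_dirs=()):
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    for rel in empty_dirs:
        (Path(root) / rel).mkdir(parents=True, exist_ok=True)


def demo():
    """Constructed trees: one certified reference, one altered delivery."""
    certified = {"bin/tally.bin": b"TALLY-v1",
                 "config/ballot.def": b"contest=1\n",
                 "config/audio/prompt.dat": b"\x00\x01\x02"}
    delivered = {"bin/tally.bin": b"TALLY-v1",
                 "bin/remote.bin": b"extra",           # not in certified
                 "config/ballot.def": b"contest=2\n",  # same size, new content
                 "config/prompt.dat": b"\x00\x01\x02"}  # relocated
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in (("cert", certified), ("deliv", delivered),
                            ("copy", certified)):
            write_tree(Path(tmp) / name, files, empty_dirs=["logs"])
        ref = build_manifest(Path(tmp) / "cert")
        return (compare(ref, build_manifest(Path(tmp) / "deliv")),
                compare(ref, build_manifest(Path(tmp) / "copy")))


if __name__ == "__main__":
    altered, identical = demo()
    print(altered, accepted(altered))
    print(identical, accepted(identical))
```

The altered delivery fails even though `config/ballot.def` has the same size as the certified file, which is why the check compares content digests and not sizes alone.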
--------------------------------------------------------------------------------------------------------
SBOE DRAFT
7. Encrypted copy means a scrambling of the programming code in which only the manufacturer of the program may determine the sequence of such code.
NYC BOE RESPONSE
7. Encrypted copy means a scrambling of the programming code which renders it undecipherable such that only the manufacturer of the program (possessor of the encryption key) may unscramble the code.
HOMMEL SUGGESTED REPLACEMENT
7. Encrypted copy means a copy of any file or data stream in which the characters have been scrambled so that the characters are difficult to decipher unless they are unencrypted by use of the same encryption key that was used for encryption.
REASON
Nothing in the Voting System Standards deals with encryption, but if the definition is going to be here it should be correct.
--------------------------------------------------------------------------------------------------------
SBOE DRAFT
8. Escrow account means a third party who shall be approved by the State Board for the purpose of taking custody of all materials required to be put in escrow by statute.
NYC BOE RESPONSE
8. Escrow account means an account and/or a secure facility held by a third party (who shall be approved by the State Board) for the purpose of taking custody of all materials required to be put in escrow by statute.
HOMMEL SUGGESTED REPLACEMENT
8. Escrow account means an account and/or a secure facility held by a third party (who shall be approved by the State Board) for the purpose of taking custody of all materials required to be put in escrow by statute and by these Voting Systems Standards.
REASON
Statute was unclear and delegated much to the State Board, but the Draft Standards do not deal with escrow in a meaningful way. Simply putting a system in a secure facility without confirming that it is the same as the system certified and the systems delivered is negligent.
A separate comment on Section 5 will provide text for standards for escrow.
--------------------------------------------------------------------------------------------------------
SBOE DRAFT
9. Log of maintenance performance means a written and/or electronic record which contains all information relating to performance of scheduled and non-scheduled maintenance requirements recommended by the vendor or manufacturer of such equipment and all service visits performed by vendor or manufacturer.
NYC BOE RESPONSE
9. Activity Log – written and/or electronic record of any and all activities (including deployment designation) conducted on a voting system both before and after an election.
9a. Maintenance Log. A written and/or electronic record which contains all information relating to performance of scheduled and non-scheduled maintenance on a voting system (as recommended by the vendor or manufacturer of such equipment) and all service visits performed by vendor or manufacturer.
HOMMEL SUGGESTED REPLACEMENT
9. Maintenance and Activity Log means a written and/or electronic record for a specific voting system which contains all information detailing each interaction of people with the voting system, including scheduled and non-scheduled maintenance, and activities before and after each election; each entry in which includes a detailed description of what was done, the names of all persons present, and the signatures of two County Board staff, one from each party, who have participated or observed such maintenance or activities and attest that they understood everything that was done and that the log entry is complete and accurate.
REASON
Maintenance and election time activities provide opportunities for errors and tampering with all parts of an electronic system. All maintenance and activities must be observed by bipartisan elections staff who fully understand all work that is done.
Because of the overlap of maintenance and election activities, and the difficulty in deciding which log a given activity should be written into, it would be prudent to put all activity into one comprehensive log.
Unless bipartisan staff fully understand, participate, or observe all interaction with computer systems, County Boards will open themselves to problems such as the Triad affair in Hocking County, Ohio, December, 2004, where a technician said he was going to replace the computer battery but was suspected afterward of changing the hard disk that contained election results. No one observed the technician’s work nor knew what he was doing.
If the NYC BOE definition is used, it should be modified to include after the last phrase "or any other provider of service including County or State staff."
--------------------------------------------------------------------------------------------------------
SBOE DRAFT
10. Modification means any change in either software, firmware or hardware that directly affects the operation of the voting system that will require re-examination of certified equipment by the State Board.
NYC BOE RESPONSE
10. Modification means any changes, substitutions, patches, or updates, to either software, firmware or hardware to the voting systems after certification of the voting system has been granted by the NYS Board of Elections. Certain modifications may require re-certification of the voting system. This will be determined by the NYS Board of Election.
HOMMEL SUGGESTED REPLACEMENT
10. Modification means any change whatsoever in hardware, software, firmware, data, storage location of files, or any other component of an electronic voting system listed in the Escrow Component List. All changes require re-certification of the voting system.
REASON
If the State Board is going to determine what changes require re-certification and which do not, the criteria for such decision must be unambiguously set forth in the Voting System Standards, so that such decisions do not appear ad hoc, arbitrary, or negligent.
Allowing modification without re-certification testing opens the door to tampering and errors.
The entire working of a computer can be changed by one small modification to one part of the software, firmware, hardware, data files, storage location of files, etc. Modifications of computer systems frequently cause "indirect" effects, especially those called "unexpected," that is, errors.
Whether a given modification has a direct or indirect effect on the operation of a voting system can only be determined by complete re-examination of the voting system.
The draft definition is circular, because if the modification is held by the State Board to not require re-examination, then by the State Board’s definition the modification is not a modification.
--------------------------------------------------------------------------------------------------------
SBOE DRAFT
11. Operational manual means (1) a manual of all procedures used to prepare the equipment and provide proper maintenance procedures including the unpacking and storage procedures to be utilized by county boards of elections personnel and (2) a manual of election day setup and election day operating procedures to be utilized by the inspectors.
HOMMEL SUGGESTED REPLACEMENT
11. Operational manual means (1) a manual of all documentation and procedures that will be needed by the County Board to independently perform all tasks necessary for the conduct of elections using the voting system for its entire useful lifespan, including but not limited to unpacking and acceptance testing including confirmation that the system delivered is the same as the Escrow System; storage; battery testing and recharging; creating, loading and checking ballot programming; logic and accuracy testing; preparation of the voting system for elections; service and maintenance; trouble-shooting and repair; and packing for shipment to poll sites and return to county board facilities, and (2) a manual of election day setup and operation procedures to be used by election inspectors.
REASON
The State Board should not undermine the bipartisan administration of elections in New York State by certifying voting systems that cannot be independently handled by bipartisan staff of our County Boards, and that require service, maintenance, or programming by computer technicians supplied by the vendor. The documentation for voting systems should be complete so that the bipartisan staff of County Boards can fully and competently handle their own voting systems.
--------------------------------------------------------------------------------------------------------
SBOE DRAFT
12. Pre-qualification test means a predetermined set of votes and vote totals prepared by the State Board. Such votes shall be entered upon the voting equipment and the results of the casting of said votes shall be compared to the predetermined results of the test.
HOMMEL SUGGESTED REPLACEMENT
12. Pre-qualification test means a predetermined set of votes and vote totals prepared by the State Board. Such votes shall be entered upon the voting equipment in the same methods as will be used during an election. If a voting system offers several methods for votes to be entered, such as a touchscreen, a keypad for voters with certain disabilities, a sip-puff device for voters with other disabilities, and different minority language displays, the predetermined set of votes shall be entered separately using each method and each language display. The results of the casting of said votes and all voting system logs shall be extracted using the same manner as results and logs will be extracted from the system during normal use in an election, and the results and logs shall be compared to the predetermined results of the test.
REASON
If DREs are to be tested, all tests must involve votes entered by hand via all methods offered by the DRE and required by state and federal law. All tests must include the extraction of both results and logs. Predetermined results may be used to evaluate the tallies, but the logs must be examined by the State Board to determine that they accurately record voting system activity during the entering of votes.
Tests in other states have determined that votes entered via different methods have been recorded differently, and in some cases votes entered via different language displays have not been recorded. For example:
http://www.wired.com/news/evote/0,2645,64569,00.html
Wrong Time for an E-Vote Glitch, by Kim Zetter, Aug. 12, 2004. When Sequoia Voting Systems demonstrated its new paper-trail electronic voting system for state Senate staffers in California last week, the company representative got a surprise when the paper trail failed to record votes that testers cast in Spanish on the machine.
--------------------------------------------------------------------------------------------------------
SBOE DRAFT
13. Printout means the printed copy of (1) zero totals, candidate names and offices and other information produced by the voting equipment prior to the official opening of the polls and (2) the votes cast for each candidate and question, the names of candidates and the offices for each candidate and other information provided after the official closing of the polls.
NYC BOE RESPONSE
13. Zero Total Report Printout means the printed copy of zero totals, candidate names and offices and other information produced by the voting system prior to the official opening of the polls.
13a. Closing Total Report Printout means printed copy of the votes cast for each candidate and question, the names of candidates and the offices for each candidate and other information provided after the official closing of the polls.
HOMMEL SUGGESTED ADDED TEXT
13b. System Election Activity Log Printouts means the printed copy of all internal logs of an electronic voting system displaying all system activity during the election.
REASON
I support the replacement text provided by the NYC BOE, which correctly replaced the generic term "printout" with terms that refer to specific reports.
The system election activity logs of electronic voting systems also need to have a specific defined name.
--------------------------------------------------------------------------------------------------------
SBOE DRAFT
15. Software means any and all codes for the operation of the vote counting system.
NYC BOE RESPONSE
15. Software (for the purposes of voting system certification) means any and all programmed logic for the operation of the voting system.
HOMMEL SUGGESTED REPLACEMENT
15. Software (for the purposes of voting system certification) means any and all programming codes for the operation of the voting system, and all associated files and the file system organization of the software and associated files.
REASON
Since most software operates in conjunction with numerous other files, the contents of which affect and control the operation of the software, all files in electronic voting systems must be considered part of the software for the purpose of determining what the software does under all circumstances, examination and certification. Ignoring such files and their storage arrangement (also known as directory structures) prevents an examination from correctly assessing the function of the software and ensuring the security of the system.
--------------------------------------------------------------------------------------------------------
SBOE DRAFT
16. Firmware means computer program stored in read-only memory devices embedded in the system and not capable of being altered during system operation.
NYC BOE RESPONSE
16. Firmware (for the purposes of voting system certification) means software stored in read-only memory devices embedded in the system and not capable of being altered during system operation.
HOMMEL SUGGESTED REPLACEMENT
16. Firmware (for the purposes of voting system certification) means software and associated files stored in read-only memory devices embedded in the system.
REASON
The draft definition is misleading for non-technical persons and supports a lie told by some vendors in New York State, which is that voting systems using firmware rather than software are more secure due to using firmware and cannot be tampered with. In fact, during system operation, all programming becomes modifiable and can be tampered with regardless of its origin in firmware or software.
"Firmware" is a place to store programming (and in some systems, the associated files). Such programming must be copied into RAM (Random Access Memory) and other parts of the computer in order to be used during system operation. Such copies are modifiable. During system operation all programming is modified. This is the normal way computers work.
In addition, how programming works during system operation is controlled (or "modified") by the associated files, communication from remote sources, the data being entered (in the case of voting systems this means the votes entered by voters and the actions of poll workers), etc.
--------------------------------------------------------------------------------------------------------
SBOE DRAFT
17a. Resident memory means the internal memory of the voting system that stores election results and ballot images.
HOMMEL SUGGESTED REPLACEMENT
17a. Resident memory means the internal memory of the voting system where election results and ballot images are stored.
REASON
Although this term appears not to be used, if present it ought to be correct. Since many items will be stored in the internal memory of the voting system, the definition should not imply that only election results and ballot images will be stored there.
--------------------------------------------------------------------------------------------------------
SBOE DRAFT
18. Source code means the assembly language statements or high level language used to program the electronic equipment or vote tabulating system.
NYC BOE RESPONSE
18. Source code means the human-readable language statements used to program the voting system.
HOMMEL SUGGESTED REPLACEMENT
18. Source code means programming code written in programming languages, as opposed to executable code in machine language which can be used by an electronic voting system during system operation.
18a. Compiler or Assembler means a program that translates source code into executable code in machine language.
REASON
Although a minority of programmers can read programming code in the executable form, that form is human-readable.
In order to determine the programming and data contents of an electronic voting system, the source codes should be compiled or assembled by the State Board, and all executables thus created should be loaded into the electronic voting system, and all certification tests performed on such system. Unless this is done, the State Board cannot assert that it knows what the system consists of, or that it will operate safely and properly during elections.
--------------------------------------------------------------------------------------------------------
SBOE DRAFT
21. Testing laboratory means a certified private or public laboratory used to perform tests on the voting systems and related equipment.
NYC BOE RESPONSE
21. Testing Laboratory means an NIST (National Institute of Standards & Technology)-certified private or public laboratory used to perform tests on the voting systems and related equipment.
HOMMEL SUGGESTED REPLACEMENT
21. Testing laboratory means a private or public laboratory used to perform tests on voting systems and related equipment.
REASON
The information below is from an email from NIST in response to my question regarding who certifies Independent Testing Authorities:
"The EAC will accredit all testing laboratories for voting systems, not NIST and not NASED.
"Per HAVA, NIST will recommend laboratories for consideration to the EAC. The criteria for recommendation is adherence to the ISO 17025 standard for testing laboratories. See NIST handbook 150.
"The EAC can choose to accept or reject NIST's recommendations. The EAC can also impose additional requirements on labs for accreditation.
"Per HAVA, NIST will recommend laboratories for re-certification or de-certification over time."
--------------------------------------------------------------------------------------------------------
SBOE DRAFT
22. Vendor shall include any manufacturer, company or individual who seeks to sell voting systems in New York State.
NYC BOE RESPONSE
22. Vendor means any manufacturer, company or individual who seeks to supply voting systems (and/or services for such systems) in New York State.
HOMMEL SUGGESTED REPLACEMENT
22. Vendor (for the purposes of Subtitle V Part 6209) means any manufacturer, company or individual who seeks to supply electronic voting systems (and/or services for such systems) in New York State.
REASON
These standards are for electronic voting systems.
--------------------------------------------------------------------------------------------------------
SBOE DRAFT
24. Voting system means any electronic or computerized voting equipment and any ancillary equipment supporting such system.
NYC BOE RESPONSE
24. Voting System means any voting equipment and any ancillary equipment and all associated software and firmware (if any) supporting such system supplied by the vendor.
HOMMEL SUGGESTED REPLACEMENT
24. Voting System means (for the purposes of electronic voting system certification) any electronic voting system including all components such as ancillary equipment, software, firmware, supplies, documentation and training materials, and any others.
REASON
The definition should be specific to electronic systems and the purposes of this Subtitle.
The limitation suggested by the NYC BOE that “voting system” refer only to parts supplied by the vendor should not be adopted because these Standards should apply to all parts of the electronic voting system whether or not supplied by the primary vendor of the system. For example, the battery, operating system software, or other parts may be supplied by other sources.
--------------------------------------------------------------------------------------------------------
SBOE DRAFT
25. VVPAT means a voter verifiable paper audit trail.
HOMMEL SUGGESTED REPLACEMENT
25. VVPPR means a voter verifiable permanent paper record.
25a. VVAR means a voter verifiable audit record.
REASON
ERMA uses the terms "voter verifiable audit record" and "voter verified permanent paper record."
--------------------------------------------------------------------------------------------------------
SBOE DRAFT
30. Paper-based Ballot Counting Equipment means any electronic or computerized ballot counting system or equipment which tabulates and reports votes cast on all paper ballots.
NYC BOE RESPONSE
30. Paper-based Ballot Counting Equipment means any electronic ballot counting system or equipment which tabulates and reports votes cast on paper ballots.
HOMMEL SUGGESTED REPLACEMENT
30. Paper-based Ballot Electronic Counting Equipment means any electronic ballot counting system or equipment which tabulates and reports tallies of votes cast on paper ballots.
REASON
These standards are for electronic voting systems, and should not apply to other non-electronic types of equipment or methods for counting paper ballots, such as weighing scales.
This equipment will report tallies, not the votes themselves.
--------------------------------------------------------------------------------------------------------
SBOE DRAFT
31. Certification Test Desk means a pre-audited group of ballots marked with a predetermined number of votes cast for each candidate, write-in position and each voting option which appears on the ballot.
NYC BOE RESPONSE
31. Certification Test Data means a pre-audited group of ballots, marked with a predetermined number of votes cast for each candidate, write-in position and each voting option which appears on the ballot for the purposes of certifying the voting system.
HOMMEL SUGGESTED REPLACEMENT
31. Certification Test Data means a pre-audited group of ballots, marked with a predetermined number of votes cast for each candidate, write-in position and each voting option which appears on the ballot, used for the purpose of testing an electronic voting system.
REASON
Clarity.
--------------------------------------------------------------------------------------------------------
NYC BOE SUGGESTION
35. Re-examination means a review of a certified voting system by the State Board of Elections to determine if a modification requires re-certification.
HOMMEL SUGGESTED REPLACEMENT
35. Re-examination means a review of a certified electronic voting system by the State Board according to procedures and criteria specified in Section 6209.7 to determine if a modification requires re-certification.
REASON
The determination that a modification of an electronic voting system does not require re-certification should not be made by ad hoc, arbitrary, or unpublished procedures or criteria.