First impressions of the Voting Systems Standards of March 22, 2006

From Bo Lipari

March 29, 2006

Good

1) An expanded and greatly improved set of definitions. In particular, the definitions of "Acceptance Test, DRE, Firmware, Optical Scan Voting System, Pre-Qualification Test, Software, Voting Position and Voting System" are much better. Some required definitions are still missing, and some lack accuracy (see Jones commentary).

2) Federal requirements upgraded to EAC 2005 Guidelines. In the former versions this requirement was still the 2002 standards.

2a) Removes the provision that the State Board may waive any tests at its discretion.

3) 6209.2 A (3) - Clarifies that the hand marked paper ballot is the ballot of record for paper based systems.

4) Requires that VVPAT on DREs "shall be presented and positioned so as to allow the voter to easily read and compare the two records".

5) Evens out the different standards that DREs and paper ballot based systems were held to. The requirements are much more even-handed now and do not overly favor DREs as in earlier versions.

6) Added requirements for physical security seals, locks and covers to physically seal the machine from tampering.

7) Added specific requirements and definitions for target areas, calibration and other necessary scanner-specific features.

8) Adopted several strong source code escrow and penalty provisions taken directly from North Carolina's Public Confidence in Election Law, as recommended in NYVV's commentary (which reproduced relevant sections of the NC law).

9) Calls for "sworn affidavits from the president, chief executive officer or chief operating officer of the vendor, disclosing any contributions made within the United States by any of those officers, by the vendor itself, or by any controlling shareholder to any political party or candidate for any office, within two years prior to the date the application is submitted".

10) Requires that "Vendors shall make available to the State Board, in a quantity to be determined by the State Board, voting systems for the purpose of conducting a usability test, which will establish the minimum number of voting machines required in each polling place and the maximum number of voters that can vote on one voting machine during the course of an ordinary 15-hour election day."

11) Improved public access to some tests and test results. As an example, "State Board testing and examination shall be performed in an open and public venue. Testing shall be performed in conformity with written procedures adopted by the State Board. Such procedures and the test reports of the State Board and its ITA, shall be available for public inspection at the office of the State Board, and at its website."

12) Calls for functional tests which exercise all components and input mechanisms.

13) Allows the State Board to appoint independent security experts to review code: "Prior to certifying a voting system, the state board shall designate an independent expert to review, all source code made available by the vendor pursuant to this section and certify only those voting systems compliant with these Regulations. At a minimum, such review shall include a review of security, application vulnerability, application code, wireless security, security policy and processes, security/privacy program management, technology infrastructure and security controls, security organization and governance, and operational effectiveness, as applicable to that voting system."

14) Expands the title of the Functional Tests to "F. Functional Tests, Security Tests and Simulated Voting". On the down side, there is no specification of the specifics of the security tests or simulated voting!

15) Partially meets our calls for independent security analysis: "Each system shall be submitted for electronic and technical security and integrity analysis by independent certified security experts, who shall be given full unrestricted access to production units of the system, for such analysis."

16) Adds improved language to the Security section requiring the vendor to demonstrate their security designs: "Security requirements and security provisions of the system's software shall be identified for each system function and operating mode. The voting system must be secure against attempts to interfere with correct system operation. The vendor shall identify each potential point of attack. For each potential point of attack, the vendor shall identify the technical safeguards embodied in the voting system to defend against attack, and the procedural safeguards that the vendor has recommended be followed by the election administrators to further defend against that attack. Each defense shall be classified as preventative, if it prevents the attack in the first place; detective if it allows detection of an attack; or corrective if it allows correction of the damage done by an attack. Security requirements and provisions shall include the ability of the system to detect, prevent, log and recover from the broad range of security risks identified. These procedures shall also examine system capabilities and safeguards claimed by the vendor to prevent interference with correct system operations. Notwithstanding any other provisions of these Regulations, the State Board shall determine whether all or a portion of such security requirements and security provisions shall be available for public inspection."

17) Adds a section "Voter Demonstration Test" which seems to call for public mock election testing. The section is still somewhat vague, and may be interpreted in a way that only provides nominal compliance, so this may be problematic in practice.

18) Added a new Certification section with some strong requirements from North Carolina's Public Confidence in Election Law.

19) Seems to disallow vendors providing software directly to counties: "Once a certified system is selected for purchase by a county board, that system's software shall be provided to the county board by the State Board, and not the vendor."

20) Improved Rescission of Certification section - includes new language to notify the public in the event "the State Board determines that the voting system fails to fulfill the criteria prescribed by statute and these rules". Also requires public notice of hearings to recertify such machines.

21) Increases the delivery deadline for systems to 6 months before the election from 3 months, but only for 10% of the systems. The other 90% still get 3 months.

22) Requires, as in North Carolina's Public Confidence in Election Law, that vendors post a bond covering expenses and damages incurred, and that they must cover the cost of new elections: "The Vendor shall post a bond or letter of credit to cover any and all expenses, costs, and damages, including but not limited to all costs of inspecting or testing a voting system that does not meet the standards contained in these Regulations and all costs incurred in conducting any new election resulting from any breach of the warranties and representations required to be made anywhere in these Regulations, or in the New York State Election Law. Said bond or letter of credit shall be set by the State Board."

23) Requires county acceptance testing to be done in public, albeit with very short notice to the public of said test: "County boards, under the supervision of the State Board, shall conduct a public acceptance test on each unit of any voting system purchased by such county."

24) Decreases the time the vendor has to correct faults in the system to 15 days from 30 days.

25) Seems to require that vote counting may not be carried out by vendors: "Only the county board shall have care, custody and control over all resources for the purposes of conducting elections, including but not limited to vote counting, preparation and custody of ballots, and system maintenance and all testing. If it becomes necessary to transfer control of any equipment to a vendor for repairs, operational tabulation activities may not be carried out on the equipment while it is solely under a vendor's control."

26) Lays out specific requirements for printing and specification of ballots for paper based systems. This is good as many ballot scanner problems result from counties using paper which does not meet machine specifications.

27) Adds a section specific to Central Count Scanners, and Central Count Scanner System Procedures.

28) Seems to disallow networking of systems, but perhaps not sufficiently so: "While vote counting programs are being tested or run, including when voted ballots are being tabulated, the voting system shall be dedicated solely to vote counting functions. The system shall not be networked, no modem, telecommunications nor wireless communications devices may be used, and no other unapproved software may run during system use."

Weak

1) Still does not call for sufficient manual testing of machines. While this is now alluded to in several sections, it is unspecific as to how extensive the manual testing must be, which could allow for only nominal compliance.

2) Standards for Voter Privacy Section still insufficient (see Jones commentary).

3) Questionable paragraphs about test mode being indicated on VVPATs, digital signatures, and VVPAT printers (see Jones commentary).

4) Calls for public testing are improved, but unclear as to which tests the public may view, and what notice will be given to the public about upcoming tests.

5) Factory repair tasks are said to be minimized, but the standards don't address underlying security concerns about what happens when systems are being repaired, even at the county (see Jones commentary).

6) There are other weaknesses to be detailed later.