http://www.wheresthepaper.org/VSSpassed060420comments.htm
Overall:
1. There is no arm’s length relationship between buyer and seller. These
regulations describe a process that is dependent on vendor honesty as well as a
degree of competence that no computer scientist has ever claimed to have – the
ability to guarantee that a major software product contains no malware.
2. It is improper to fail to examine the entire
system to confirm that no unnecessary components are present, and to ensure
that all components are examined, have a known purpose, and have no insecure
relationships or interactions with other components. The State Board makes
clear that they will not examine the entire system, but only those parts that the
vendor identifies as related to functionality. This opens the possibility that
other components will be present in certified systems, such as components to
enable wireless communication which is banned by New York state law. The
presence of additional components would be both improper as well as
unnecessary, since these are single-purpose systems.
3. The regulations are vague enough to enable a thorough and careful process, as
well as a shoddy and superficial process.
4. The underlying premise of these regulations is that by examining a computer system today, you can ensure that it will function properly and securely tomorrow. This is false for computers as well as for cars and any other complex modern product.
Subtitle V of Title 9 of the Official Compilation of Codes, Rules and Regulations of the
State of New York is hereby amended by repealing Part 6209, and by adding
thereto a new Part, to be Part 6209, to read as follows:
SUBTITLE V
Part 6209
Voting Systems Standards
Section 6209.1 Definitions. The terms
used in this part shall have the significance herein defined unless another
meaning is clearly apparent in language or content.
1. Acceptance Test means a test
conducted by the county board and the State Board, to demonstrate that each
voting system delivered, when installed in the user's environment, meets all
functional requirements and contains exactly the same components as the voting
system of that type, which received certification from New York State,
including but not limited to all hardware, programming (whether in the form of
software, firmware, or any other kind), all files, all file system hierarchies,
all operating system parts, all off-the-shelf hardware and programming parts
and any other components.
Comment 1
Excellent definition of Acceptance Test. The procedures for accomplishing such tests should be set forth in the regulations.
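The definition above calls for confirming that a delivered unit contains exactly the certified components, including every file and directory. As an added example (not a State Board procedure and not any vendor's tool), the following Python sketch shows one way such a check can be carried out; it assumes the certified system is described by a manifest mapping each relative path to a SHA-256 digest, and it builds its sample trees in temporary directories.

```python
"""Acceptance-test component check in the spirit of definition 1.

Added example, not the State Board's or any vendor's procedure. Assumptions:
  * the certified system is recorded as a manifest: relative path -> SHA-256
    digest for files, the literal "dir" for directories, and a "symlink:"
    prefix plus target for symbolic links;
  * the delivered unit's file system is walked from a root directory;
  * any extra, missing or changed entry fails the acceptance test.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Digest a file in chunks so large firmware images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Record every directory and hash every file under root (paths use '/')."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order, so manifests compare the same on every run
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if rel_dir != ".":
            manifest[rel_dir] = "dir"  # empty directories are components too
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                manifest[rel] = "symlink:" + os.readlink(full)
            else:
                manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(certified, delivered):
    """Classify every difference between the certified and delivered manifests."""
    return {
        "extra": sorted(p for p in delivered if p not in certified),
        "missing": sorted(p for p in certified if p not in delivered),
        "modified": sorted(p for p in certified
                           if p in delivered and certified[p] != delivered[p]),
    }


def acceptance_passes(result):
    """Only a delivered unit with no differences of any kind passes."""
    return not any(result.values())


def demo():
    """Constructed sample: the delivered tree carries one component the certified tree lacks."""
    with tempfile.TemporaryDirectory() as cert, tempfile.TemporaryDirectory() as deliv:
        for root in (cert, deliv):
            os.makedirs(os.path.join(root, "firmware"))
            with open(os.path.join(root, "firmware", "tabulator.bin"), "wb") as f:
                f.write(b"certified tabulator image (constructed)")
        # The delivered unit also contains a module that was never certified.
        with open(os.path.join(deliv, "firmware", "wireless_module.bin"), "wb") as f:
            f.write(b"uncertified component (constructed)")
        return compare_manifests(build_manifest(cert), build_manifest(deliv))


if __name__ == "__main__":
    outcome = demo()
    print("differences:", outcome)
    print("acceptance test passes:", acceptance_passes(outcome))
```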
2. Audio Voting Feature means a device
that allows blind or visually-impaired persons, or persons with limited reach
and/or hand dexterity, the ability to cast their vote.
Comment 2
2. Audio Voting Feature means a device that provides an audible
presentation of voting instructions, ballot contents, and the voter’s choices,
so that voters may choose to hear rather than visually read such
information.
3. Auxiliary Components means any
device, materials or equipment which is used to give assistance or aid to the
actual voting device but is not a permanent or enclosed part of the voting
device.
4. Ballot Configuration (Layout) means the
positioning on and/or linkage within the ballot (whether on a DRE or other
display screen, or on paper), of all political party names and emblems, and
names and emblems of all independent bodies, office titles, ballot proposals,
and candidate names, and spaces for write-in candidates, in accordance with the
requirements of the Election Law as to order and rotation.
Comment 3
“Linkage” is discussed below in definition 11.
5. Calibration Test means a test
prepared and conducted to determine and/or verify that the correct Sensitive
Areas of a voting system, and their level of sensitivity function on an ongoing
basis in the same manner as the certified system.
6. Canvass means a compilation of
election returns and validation of the outcome that forms the basis of the
official results by political subdivision.
Comment 4
If a canvass includes validation of outcomes, then the canvass procedure must be
revised to describe how the 3% spot check of DREs will be done, and how to deal
with challenges by candidates, etc.
7. Central Count Paper-Based System means
a voting system that uses an optical scan technology to record and tabulate
votes from multiple election districts at a county board office,
including all absentee, emergency, affidavit and other such paper ballots.
Comment 5
This term is not used in these regulations. Presumably such a system would use paper ballots for all voters. Rather than use an optical scanner in the poll site to check the ballots for overvotes, all ballots would be brought to the county board office for counting via a central count scanner.
8. County Board means a county’s Board
of Elections, including the Board of Elections in the City of New York.
9. DRE means a direct recording
electronic voting system in which, through a touch-screen, push-button, or
other electronic mechanism, a vote is immediately recorded onto electronic
media, by means of a ballot display provided with mechanical or electro-optical
components, or an ultrasonic, capacitative or other touch screen, which is
activated by the voter. Styles include
bubble switch ballot overlay and touch-screen- style machines.
10. Election Assistance Commission (EAC) is the commission established by the Help America Vote Act of 2002, which serves as a national clearinghouse for information and the review of procedures with respect to the administration of federal elections.
11. Election Configuration means the
file or files created by the election management software including but not
limited to the following data used to program polling place and central count
voting systems: definition of jurisdictional information (e.g., counties, local
legislative, congressional or election districts), both electronic and paper ballot content and artwork (e.g.,
ballot text, voting positions), definition of races (e.g., elected offices,
candidates, number to vote for, propositions, or other types that control
voting in other races on the ballot, definition of voter groups (e.g., by
party, absentee, non-absentee), ballot styles, linkage of candidates to their
respective parties and races, linkage of races to their respective
jurisdictions, linkage of ballot text to database labels to produce results
reports, and allocation of trans-district vote tallies to their constituent
districts for reporting purposes.
Comment 6
“linkage of ballot text to database labels to produce results reports” is one place
where errors can change the outcome of an election.
12. Election Management Software (EMS)
means the software used by the voting system to describe ballot layout, collect
and report election results, and maintain audit trails.
Comment 7
a. Errors in the EMS programming to collect and report election results can affect
the outcome of elections.
b. What does it mean to “maintain audit trails”?
13. Environmental Conditions means the
effect of natural environmental conditions such as: temperature, humidity, dust
and induced environmental conditions such as handling, storage or
transportation which may affect the operation of the system and/or equipment.
14. Escrow Account means an account
and/or a secure facility held by a third party, which shall be approved by the
State Board, for the purpose of taking custody of all materials required to be
put in escrow by statute or by these voting system standards.
15. Firmware means a computer program stored in read-only memory (either
programmable or non-programmable), that becomes a permanent part of the
computing device that is not subject to change or modification without review
by the State Board.
Comment 8
a. Firmware means a computer program stored in read-only memory (either
programmable or non-programmable).
b. The definition should not say that firmware is a “permanent part” or that it is
“not subject to change or modification without review by the State Board”
because permanence, change and modification, and review by the State Board are
not inherent characteristics of firmware. These things depend on how the
computer system is handled. Any person with modest knowledge of a computer
system can replace, change, or modify firmware.
16. Hardware means the actual voting or
ballot counting device.
17. Header Card (or Header Sheet) means a
marksense card or sheet upon which appears printed information used to identify
a particular batch of ballots, usually those for a single election
district. It is placed at the beginning
of the batch for vote tabulation to ensure that the votes cast on those ballots
are correctly attributed. Cards placed
at the end of a particular batch of ballots are called End Cards.
18. Maintenance Log means a written
and/or electronic record which contains all information relating to performance
of scheduled and non-scheduled maintenance on a voting system, all service visits
performed by the vendor or manufacturer, and other maintenance or service
performed by any other provider of service, including county and state board
employees.
19. Marksense means a system by which
votes are recorded by means of marks made in voting response fields designated
on one or both faces of a ballot or ballot cards. Marksense systems may use an optical scanner or similar sensor to
read the ballots. Also known as Optical
Scan.
20. Modification means any change in the
software, firmware or hardware, data storage location of files, or any other
component of the voting system, and shall require re-examination of certified
system or equipment by the State Board.
21. Optical Scan Voting System means a
voting system in which a voter records his or her vote by placing a mark in a
designated voting response field on a paper ballot or card, which is read and
tabulated using optical-scan technology or a mark-sense system that reads the
paper ballot or card by scanning the ballot and interpreting the contents. Styles include precinct-based and
central-count paper-based systems.
Comment 10
“interpreting the contents” may allow use of bar-codes to represent the votes, which are then
handled via the bar codes rather than the voter’s marks. If bar codes are used,
then the voter no longer can know whether their votes are correctly recorded or
counted, because the voter cannot easily read the bar codes and verify that
they indicate the same votes as the voter’s marks.
22. Operational Manual means a manual of
all procedures involved in every phase of the operation and use of the voting
system by board of elections personnel, including but not limited to unpacking
and acceptance testing, storing, installing all programming, operations
testing, preparing for an election, servicing and maintaining, trouble-shooting
and repairing, packing and shipping to poll sites, and returning to the county
board’s facilities, and including all operational procedures for the set-up of
the ballot, opening of the polls, use for voting, closing the polls, and
canvassing the count.
Comment 11
This definition seems to say that there will be one manual with all this information. Such a manual would be very large. It is more likely that there will be many manuals, which together will have all this information. Section 6209.6 (2) (b) (iv), page 18, lists “operator manual, user manual and software maintenance manual.” Section 6209.6 F. (2) lists the users of documentation as “voter, the operator, maintenance technicians, and other appropriate county board personnel.”
23. Paper-based Voting Systems means any
electronic or computerized ballot counting system or equipment which tabulates
and reports votes cast on paper ballots.
Comment 12
a. The definition of paper-based voting systems should not be written in a way
that prevents the use of hand-counts.
b. If computers are used, there will be more parts than those that tabulate and
report.
24. Pneumatic Switch means a device which
allows persons with certain disabilities the ability to cast their vote.
Comment 13
Pneumatic Switch means
a device which allows persons with certain disabilities the ability to interact
with a voting or ballot-marking device through the use of breath.
25. Pre-qualification test means a
predetermined set of tests of the total voting system throughout the election
process including votes and vote totals prepared by the State Board. Such votes shall be entered into the voting
system in the same manner as they will be entered by voters during an
election. If a voting system offers
several methods for votes
to be entered, such as touch-screen, push-button, or other electronic
mechanism, a key pad and/or pneumatic switch for voters with disabilities, or
alternate language displays, then the pre-determined set of votes shall be
entered separately using each method and language display. The results of the casting of said votes and
all voting system logs shall be extracted from the system as though during
normal use in an election, and the results and logs shall be compared to the
predetermined results of the test votes and vote totals prepared by the State
Board.
Comment 14
a. It is unclear whether predetermined contents of logs can be prepared, but the
definition is good to indicate that the logs must be examined.
b. Accuracy criteria for passing the test must be specified. Otherwise the test
becomes merely a ritual ceremony, and regardless of how many errors are
detected the system can pass.
26. Printout means the printed copy of
zero totals, candidate names and offices and other information produced by the
voting equipment prior to the official opening of the polls and the tabulation
of votes cast for each candidate and question, the names of candidates and the
offices for each candidate and other information provided after the official
closing of the polls.
27. Resident vote tabulation means the manufacturer's internal firmware which shall
permanently reside on the voting system’s central processing unit, registering,
accumulating, and storing votes and ballot images.
Comment 15
a. Resident vote tabulation programming means a DRE’s internal programming
which registers, accumulates, and
stores votes and ballot images.
b. Will such programming always be in firmware? In the CPU? Does it matter?
28. Resident memory means the internal
memory of the voting system that stores election results and ballot images but
is prohibited from storing executable code on removable media.
Comment 16
Resident memory means the internal memory of the voting system. These regulations require election
results and ballot images to be stored in resident memory and prohibit storing
executable code on removable media.
29. Software means any programming
instructions used by the vote counting system, including but not limited to
system programs and application programs.
System programs include but are not limited to the operating system,
control programs, communication programs, database managers, and device
drivers. Application programs include
but are not limited to, any program that processes the data.
Comment 17
a. Software means any programming instructions used by a computer system…
b. It is regrettable that NY State law and these regulations do not ban all communications capability in electronic voting and vote tabulating equipment.
30. Source Code means the computer
program in its original form, as written by the programmer. Source Code is not executed by the computer
directly, but is converted into machine language by compilers, assemblers and
interpreters.
31. State Board means the New York State
Board of Elections.
32. Tactile Discernible Controls means a
voting feature which allows persons with limited reach and/or hand dexterity,
the ability to cast their vote, for example: raised buttons of different shapes
and colors, large or raised numbers or letters, and light pressure switches.
33. Test Deck means a pre-audited group
of ballots prepared for each election.
The ballots are voted with a pre-determined number of valid votes for
each candidate, each write-in position, and each voting option on every
proposal that appears on the ballot as certified by the county board. The deck includes one or more ballots that
have been improperly voted, or which are voted in excess of the number allowed
by law, and one or more ballots on which no votes are cast, in order to test
the ability of the system to recognize and/or notify of an under or
overvote. It also includes one or more
ballots on which two or more votes are cast for a
candidate whose name appears on the ballot more than once for the same office
in order to test the ability of the system to count only the first of such
votes for the candidate. If there is
more than one ballot style for an election, a separate test deck is created for
each ballot style.
Comment 18
a. The federal Help America Vote Act requires voter notification of overvotes, but not undervotes.
b. When one candidate’s name appears on the ballot more than once, the first of
such votes is counted. This bears on the party which receives credit for the
vote.
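Definition 33 and Comment 18 describe what a test deck must exercise: predetermined totals, overvoted and blank ballots, and a candidate whose name appears on more than one party line, where only the first such vote counts and the party credited depends on which line it was. The following Python example is added here (it is not code from the State Board or any vendor) to show a tabulation check of that kind run over a small constructed deck; the contest, ballots, the exact-match pass criterion, and the rule that an overvoted contest records no votes are all assumptions of the example.

```python
"""Test-deck tabulation check in the sense of definition 33 (and Comment 18).

Added example, not code from the State Board or any vendor. Assumptions:
  * a contest lists its ballot lines as (candidate, party) pairs in ballot order,
    and the same candidate may appear on more than one party line;
  * a ballot records, per contest, the line numbers the voter marked;
  * an overvoted contest records no votes for that contest (assumed rule);
  * a candidate marked on two lines is counted once, credited to the first
    such line in ballot order (definition 33); write-ins are a line named
    "WRITE-IN" whose count is reported per contest (section 6209.2 A(9));
  * the pass criterion is an exact match with the predetermined totals.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Contest:
    name: str
    votes_for: int            # number of candidates the voter may vote for
    lines: list               # [(candidate, party), ...] in ballot order


@dataclass
class Ballot:
    district: str             # election district, needed for per-ED reports (A(10))
    marks: dict               # contest name -> list of marked line indexes (0-based)


@dataclass
class Tally:
    ballots_by_district: Counter = field(default_factory=Counter)
    votes: Counter = field(default_factory=Counter)       # (contest, candidate, party) -> votes
    overvotes: Counter = field(default_factory=Counter)   # contest -> overvoted ballots
    undervotes: Counter = field(default_factory=Counter)  # contest -> undervoted ballots


def tabulate_contest(contest, marked, tally):
    """Apply the definition 33 rules to one contest on one ballot."""
    first_line = {}  # candidate -> first marked line for that candidate (ballot order)
    for idx in sorted(set(marked)):
        first_line.setdefault(contest.lines[idx][0], idx)
    if len(first_line) > contest.votes_for:       # counts distinct candidates, so a
        tally.overvotes[contest.name] += 1        # double mark on fusion lines is not an overvote
        return                                    # assumption: overvoted contest records nothing
    if len(first_line) < contest.votes_for:       # includes a blank contest
        tally.undervotes[contest.name] += 1
    for cand, idx in first_line.items():
        tally.votes[(contest.name, cand, contest.lines[idx][1])] += 1


def tabulate(contests, deck):
    """Tabulate a whole deck, keeping the per-district ballot count."""
    tally = Tally()
    for ballot in deck:
        tally.ballots_by_district[ballot.district] += 1
        for contest in contests:
            tabulate_contest(contest, ballot.marks.get(contest.name, []), tally)
    return tally


def check_deck(contests, deck, expected):
    """Return every (field, key, expected, actual) mismatch; an empty list is a pass."""
    tally = tabulate(contests, deck)
    mismatches = []
    for attr in ("ballots_by_district", "votes", "overvotes", "undervotes"):
        actual = getattr(tally, attr)
        for key in set(expected[attr]) | set(actual):
            if expected[attr].get(key, 0) != actual.get(key, 0):
                mismatches.append((attr, key, expected[attr].get(key, 0), actual.get(key, 0)))
    return sorted(mismatches, key=str)


# Constructed ballot style: one contest, candidate Smith on two party lines.
CONTESTS = [Contest("Governor", 1, [("Smith", "DEM"), ("Jones", "REP"),
                                    ("Smith", "WFP"), ("Jones", "CON"),
                                    ("WRITE-IN", "")])]
DECK = [
    Ballot("ED1", {"Governor": [0]}),      # Smith, Democratic line
    Ballot("ED1", {"Governor": [1]}),      # Jones, Republican line
    Ballot("ED1", {"Governor": [0, 2]}),   # Smith on two lines: one vote, credited to DEM
    Ballot("ED2", {"Governor": [2]}),      # Smith, Working Families line
    Ballot("ED2", {"Governor": [0, 1]}),   # overvote: two different candidates
    Ballot("ED2", {"Governor": []}),       # blank contest: undervote
    Ballot("ED2", {"Governor": [4]}),      # write-in position
]
# Predetermined totals the deck was built to produce (cf. definition 25).
EXPECTED = {
    "ballots_by_district": {"ED1": 3, "ED2": 4},
    "votes": {("Governor", "Smith", "DEM"): 2, ("Governor", "Jones", "REP"): 1,
              ("Governor", "Smith", "WFP"): 1, ("Governor", "WRITE-IN", ""): 1},
    "overvotes": {"Governor": 1},
    "undervotes": {"Governor": 1},
}

if __name__ == "__main__":
    print("mismatches:", check_deck(CONTESTS, DECK, EXPECTED))
```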
34. Testing laboratory means a certified
private or public laboratory used to perform tests on the voting systems and
related equipment.
Comment 19
Certified by whom?
35. Vendor shall include any
manufacturer, company or individual who seeks to sell voting systems and/or
services for such systems in New York State.
36. Voting Position means the specific
voting response area on the face of the displayed ballot where a selection is
made for a candidate or proposal.
a. Ballot Position means the area on the ballot or ballot display occupied by one
candidate or position on an issue, including the area devoted to the candidate
name or position on the issue and the sensitive area, as defined immediately
below.
b. Sensitive Area means the area on the ballot or ballot display which may be pressed,
touched, or marked in order to cast a vote which, in some cases, may be the
entire position, while in other cases it may be limited to the voting target
(as defined immediately below) on a paper ballot or push button on a full-face
DRE machine.
c. Voting Target means the area of a paper ballot which the voter is asked to mark in
order to cast a vote; typically an oval, square or a fragmented arrow.
Comment 20
37. Voting System means the total
combination of mechanical, electro-mechanical, or electronic equipment, and any
ancillary equipment and all software, firmware, and documentation required to
program, control, and support the equipment, all of which is used to define
ballots, cast and count votes, report and/or display election results, and
maintain and produce any audit trail information.
Comment 21
a. This definition omits “entering votes.” In a paper ballot system, the marking of the
paper ballot by the voter is part of the “voting system”.
b. This definition conflicts with HAVA section 301 by omission of various “practices”:
(b) Voting System Defined.--In this section, the term "voting system" means--
(1) the total combination of mechanical, electromechanical, or electronic equipment (including the software, firmware, and documentation required to program, control, and support the equipment) that is used--
(A) to define ballots;
(B) to cast and count votes;
(C) to report or display election results; and
(D) to maintain and produce any audit trail information; and
(2) the practices and associated documentation used--
(A) to identify system components and versions of such components;
(B) to test the system during its development and maintenance;
(C) to maintain records of system errors and defects;
(D) to determine specific system changes to be made to a system after the initial qualification of the system; and
(E) to make available any materials to the voter (such as notices, instructions, forms, or paper ballots).
38. Voting System Supporting Software means
the vendor-supplied software used to configure and control the election day
tabulation and accumulation of election results.
39. VVPAT means a voter verifiable paper
audit trail.
Comment 22
Since state law uses the term “voter verifiable paper audit record” these regulations
should consistently use that term also.
Section 6209.2 Polling Place Voting System Requirements
A. In order for a polling place voting system
to be considered by the State Board for certification, it must comply with the
mandates of New York State Election Law, and
meet the Election Assistance Commission’s 2005 Voluntary Voting System
Guidelines to the extent that they are consistent with state law and these
regulations. Such polling place voting
systems shall meet the following requirements:
(1) Provide a full ballot display on a single
surface, except that proposals may appear on the reverse side of any paper
ballot, and that such ballot display is easily visible under
typical lighting found in a poll site.
(2) For jurisdictions within the State of New York that have been identified by the
U.S. Department of Justice, as requiring that ballots be provided in alternate
languages, pursuant to Section 203 of the Voting Rights Act, 42 USC
1973aa-1a. Voting systems must be able
to recognize and interpret alternate language ballots.
(3) Provide a device that produces and retains a
voter-verifiable permanent paper record, pursuant to statute, which the voter
can review and/or correct prior to the casting of their vote. In the case of a paper-based voting system, the
ballot marked by the voter shall constitute the paper record referred to in
Section F. The paper record shall allow
a manual audit and allow for preservation in accordance with the provisions of
Election Law, Section 3-222.
(4) Provide a device or means by which the record of the votes cast on the machine can be printed and visually reviewed after the polls are closed.
Comment 23
Does “the record of the votes” mean the tallies?
(5) Provide a battery power source in the event that
the electric supply used to make the voting system equipment function, is
disrupted. The battery power source
shall operate the system and allow for
the casting of votes for a period not less than 2 hours, to ensure that the
system can shut down and preserve the integrity of votes cast prior to the
power failure, and can resume functionality when power is provided or restored
without significant or intrusive power-up procedures. Such batteries must be rechargeable and have minimum five-year
life when used under normal conditions.
In the event of a power failure, the equipment shall perform a normal
shut-down not less than one hour before battery power is depleted, and shall
notify the election inspector that the system will do so.
Comment 24
a. Will these battery-related requirements be tested (two hour function, preserve
the votes cast prior to power failure and shut-down, resume functionality
without significant or intrusive power-up procedure, notification of election
inspector)?
b. Will election inspectors be required and instructed to print a tally report
prior to shut-down, or will systems be required to automatically print such a
tally report prior to shut-down?
c. If power is restored prior to “one hour before battery power is depleted” will
systems keep working and automatically recharge their batteries?
(6) The system shall contain software and hardware
required to perform a diagnostic test of system status, and a means of simulating
the random selection of candidates and casting of ballots in quantities
sufficient to demonstrate that the system is fully operational and that all
voting positions are operable.
Comment 25
It is impossible for software and hardware to perform a test to demonstrate that
it is fully operational and that all voting positions are operable. See
http://www.wheresthepaper.org/NoAutomatedTests.htm
(7) The system shall incorporate multiple memories, including resident vote tabulation, storage of results and ballot images in resident memory, serving as a redundant means of verifying or auditing election results and ballot images, and further, the system shall be required to alert the election day worker that memory capacity is about to be reached.
Comment 26
a. A contemporary rule of good design says that there should be only one copy of
any data because when multiple copies are maintained it is so common that, due
to mistakes in programming, the copies become different.
b. Usually computers have one memory regardless of how many copies of anything are
stored there.
c. Verifying and auditing election results and ballot images must be done by use
of the voter-verified printout, because a meaningful audit cannot be done by
inspecting multiple copies of information from computer memory.
(8) In a DRE voting system, the system must prevent
voters from overvoting and indicate to the voter specific contests or ballot
issues for which no selection or an insufficient number of selections has been
made. In a paper-based voting system,
the system must indicate to the voter specific contests or ballot issues for
which an overvote or undervote is detected.
(9) The voting system shall provide a method for write-in voting and shall report the number
of votes cast in each contest in write-in voting positions.
(10) The voting system shall be capable of
accumulating and reporting a count of the number of ballots tallied for an
election district and votes cast for each candidate, and the total vote for or
against each ballot proposal, and shall be capable of separating and tabulating
those election district totals to produce a report of the total of ballots
tallied by groups of election districts such as legislative districts or wards.
Comment 27
For poll-site-based optical scan systems, tallies by election district (ED) would
require the ED to be recorded in scanner-readable form on each paper ballot.
B. In addition to the requirements of
subdivision (A) of this section, fully-accessible voting equipment certified by
the State Board shall meet the following requirements for usability by voters
who are disabled:
(1) The voting system or equipment shall be equipped
with a voting device with tactile discernible controls, pursuant to Election
Law Section 7-202. Such controls shall
allow persons with limited reach and/or hand dexterity, the ability to cast
their vote, and shall include, for example: raised buttons of different shapes
and colors, large or raised numbers or letters, and light pressure switches.
(2) The voting system or equipment shall be equipped
with an audio voting feature, pursuant to Election Law Section 7-202. The audio feature shall be able to be used
either independently or simultaneously with the on-screen display.
(3) The voting system or equipment shall be capable
of being equipped with a pneumatic switch, pursuant to Election Law Section
7-202.
C. Standards for noise level
(1) Voting systems or equipment to be certified by
the State Board shall be constructed in a manner so that noise levels of the
system or equipment during operation will not interfere with the duties of the
election inspectors or the voting public.
(2) The noise level of write-in components of the
system or equipment shall be so minimal that it will be virtually impossible
under normal conditions for someone at the table used by the inspectors of
elections to determine that a write-in vote is being cast or has been cast.
D. Standards for voter privacy
(1) Voting systems or equipment shall be constructed
so that no one within the polling site will be able to see how a voter is
casting a vote.
(2) Curtains, screens, shields or other privacy
devices shall be designed so as to allow any voter, either electronically or
manually, to open, close or otherwise use the device with ease when entering
and exiting the system or equipment.
E. Environmental Standards
The voting system shall be designed to protect
against dust and moisture during storage and transportation. Testing shall be similar to the procedure of
MIL-STD-810F, Method 510.4, for dust,
and MIL-STD-810F, Method 506.4 for moisture.
These tests are intended to evaluate exposure to these elements when the
system or equipment is in a
non-operating configuration and the equipment or system’s required protective
cover is in place.
F. Voter Verified Paper Audit Trails (VVPAT)
(1) The voting system
shall print and display a paper record of the voter’s ballot choices prior to
the voter making the ballot choices final.
In the case of a paper-based voting system, the ballot marked by the
voter shall constitute the paper record referred to in this Section F.
(a) The paper record
shall constitute a complete record of ballot choices that can be used in audits
of the accuracy of the voting systems electronic records, in audits of the
election results, and in full recounts.
(b) In the case of a DRE
voting system, the paper record shall contain all information stored in the
electronic record.
Comment 28
a. What information is envisioned by this
requirement? Will DREs record the ED? A random number generated for each voter?
b. This provision should also require all
information to be printed in an easily human-readable form so that bar-codes
are not used to circumvent the requirement for VVPAT (the voter verifies a
human-readable record of his/her votes, but a bar code is also printed, and
then the 3% state-mandated spot-check is done by a bar-code reader that counts
the votes recorded in the bar code, which was not verified by the voter).
(c) The voting system
shall be capable of showing the information on both the display screen and the
paper in a font size of 3.0mm, and should be capable of showing the information
in at least two font ranges, a) 3.0-4.0 mm and b) 6.3-9.0 mm, under control of
the voter.
Comment 29
One inch is 25.40 millimeters. 3.0-4.0 millimeters
is approximately 1/8 to 1/6 inch. Few
people can read such small print. 6.3 millimeters is almost 1/4 inch.
Will poll workers know how to set the size? Will voters be instructed how to
enlarge the size prior to printing their VVPAT? Or will voters be
embarrassed and discouraged from verifying their printout by the small print
size?
(d) In the case of a DRE voting system, the paper and electronic display of the voter’s selections shall be presented and positioned so as to allow the voter to easily read and compare the two.
Comment 30
Does this requirement prohibit hip-level printouts? Does it prohibit use of 3.0-4.0 mm fonts?
(e) If
the paper record cannot be displayed in its entirety, a means for moving the
paper to show all paper record contents shall be provided.
Comment 31
The paper must be able to be moved both forward
and backward.
(2) There shall be
instructions for performing the verification process made available to the
voter in a location on the voting system.
Comment 32
Conveniently visible location? Visible during
voting or only on the outside of the booth? Will poll workers be trained to
remind voters to verify and show them where the printer is? The best way to
encourage verification is to have the DRE screen display a statement such as
"I have verified that the paper printout matches my selections" with
a big “YES” button that voters have to press to be able to go on and cast their
vote.
(3) The voting system
shall display, print, and store a paper record in any of the alternative
languages chosen for making ballot selections.
Candidate names and other markings not related to the ballot selection
on the paper record shall appear in English.
(4) The voting system shall allow the voter to
approve or reject the paper record, in the case of DRE systems, marking the
ballot as such in the presence of the voter.
(a) Any DRE voting system shall provide a
means to reconcile the number of rejected paper records with the number of
occurrences of rejected electronic selections, and procedures shall be in place
to address any discrepancies.
Comment 33
a. Addressing discrepancies between the number of rejected paper and electronic
ballots in a meaningful way would require someone to know quite a lot about the
computer system. Perhaps this provision means merely that someone with
authority will say, “Well, they were different. But with either number the
outcome of the election would not be affected.”
b. When a computer malfunctions, everything should
be checked. The regulations should make such a discrepancy a reason for
decertification.
(b) Prior to reaching
the maximum number of ballots allowed pursuant to statute, any DRE voting
system shall display a warning message to the voter indicating the voter may
reject only one more ballot, and that the third ballot shall become the ballot
of record.
Comment 34
a. In other states, voters have reported having to enter their votes as many as 8
or 9 times before the DRE accepted the vote as entered (rather than switching
the vote to another candidate).
b. The law and these regulations should not make
the assumption that the DRE is correct and that the voter is making errors.
Paragraph (5) below should say “prevent voter review or approval”.
c. Paragraph (6) below should explicitly enable voters to request an emergency
ballot, and should require the DRE to be taken out of service. Voters and poll
workers must be trained in procedures for such a possibility, and this must be
in the instructions to the voter mentioned in paragraph (2) above.
(5) In case of conditions that prevent voter
review of the paper record, there shall be a means for the voter to notify an
election official, and in the case of a DRE voting system, shall cause an error
message to be displayed and shall prevent the recording of the electronic
record.
(6) In the case of a DRE
voting system, procedures by which an election official can be notified and
prescribed actions can be taken to address discrepancies if a voter indicates
that the electronic and paper records do not match, shall be documented.
Comment 35
Such procedures should not only be documented; they must also be posted in the polling place and made part of the training for poll workers and voters.
(7) The voting system shall not record the
electronic record as being approved by the voter until the paper record has
been stored.
Comment 36
DRE systems must display notification to the voter when the ballot has been cast
electronically and voting is finished for that voter. If voters are not
instructed how to determine that they have finished voting, then after a voter
leaves the electronic voting booth, others can enter the booth, change votes,
and then cast the ballot. There are allegations that this has happened in other
states.
(8) Vendor documentation shall include
procedures for returning a voting system to correct operation after a voter has
used it incompletely or incorrectly; this procedure shall not cause
discrepancies between the tallies of the electronic and paper records.
(9) The voter’s privacy
and anonymity shall be preserved during the process of recording, verifying,
and auditing ballot choices.
(a) The privacy and
anonymity of the voter’s verification of ballot choices and the creation and
storage of these choices, both electronically and on paper record, shall be maintained.
(b) The privacy and
anonymity of voters whose paper records contain any of the alternative
languages chosen for making ballots selections shall be maintained.
(c) Information for the
purposes of auditing the electronic or paper records that may permit a voter to
reveal his or her ballot choices shall be displayed so as not to be memorable
to the voter.
Comment 37
See also comment 28. This provision may be an invitation to the use of bar codes
and circumvention of the legal requirement for 3% spot-check manual
audits. All information on the VVPAT should be easily human-readable and
understandable to the voter.
(10) The voting system’s ballot records shall be
structured and contain information so as to support highly precise audits of
their accuracy.
Comment 38
Paragraph (11) below requires a unique random
number to be associated with each DRE ballot, and subparagraph (b) below
requires information to identify the ED, etc. The purpose of paragraph (10) is
unclear.
(a) All cryptographic
software in the voting system shall have been approved by the U.S. Government’s
Crypto Module Validation Program (CMVP) as applicable.
(b) This information shall contain, but not
be limited to, the voting site/election district, type of election, ballot
style, and whether the system is operating in a “test” mode.
Comment 39
a. Machine ID should be required to be included,
since multiple DREs will be needed in most EDs.
b. It is not clear why there is a need to know whether a system is operating in “test” mode. Processes should be the same regardless of whether the system is being tested or used in a real election.
(11) In the case of a
DRE voting system, the electronic and paper records shall be linked by
including a unique identifier within each record that can be used to identify
each record uniquely and correspond the two accordingly.
(12) The voting system shall generate and store a
digital signature for each electronic record.
Comment 40
Digital signature is not defined. Perhaps what is meant is “hash-code.” The use of the digital signature should be set forth.
(13) The electronic records shall be able to be
exported for auditing or analysis on standards-based and/or information
technology computing platforms.
Comment 41
“standards-based computing platform” should be
defined.
(a) The exported
electronic records shall be in an open, non-proprietary format.
(b) The voting system
shall export the records accompanied by a digital signature of the collection
of records, which shall be calculated on the entire set of electronic records
and their associated digital signatures.
(c) The voting system vendor shall provide
documentation as to the structure of the exported records and how they shall be
read and processed by software.
(d) The vendor shall
provide a software program that will display the exported records and such
software may include other capabilities, such as providing vote tallies and
indications of undervotes.
Comment 42
Perhaps paragraphs (10) through (13) and their
subparagraphs are meant to describe how to secure and print electronic ballot records so they can be
compared ballot by ballot to the VVPAT.
If so, this should be explicitly stated. It is unclear what analysis is
intended.
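As an added illustration, not part of the regulations or of any vendor's system, the following Go program shows how paragraphs (11), (12) and (13)(b) would fit together: each electronic record carries a random unique identifier, is signed individually, and the export carries a collection signature over the whole set of records and their signatures, which is what lets an auditor detect a dropped or substituted record. It also shows the distinction Comment 40 asks about, since a signature, unlike a hash code, cannot be recomputed by whoever altered a record. Record field names, the JSON layout and the Ed25519 key pair are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
)
// ElectronicRecord stands in for one DRE electronic ballot record: the (10)(b)
// fields plus the paragraph (11) unique identifier. Names are assumptions.
type ElectronicRecord struct {
	UniqueID   string   `json:"unique_id"`
	District   string   `json:"election_district"`
	Election   string   `json:"election_type"`
	Style      string   `json:"ballot_style"`
	TestMode   bool     `json:"test_mode"`
	Selections []string `json:"selections"`
}

// SignedRecord carries the per-record digital signature of paragraph (12).
type SignedRecord struct {
	Record    ElectronicRecord `json:"record"`
	Signature string           `json:"signature"`
}

// Export is the paragraph (13) export: signed records plus a signature over
// the whole collection of records and their signatures, as (13)(b) requires.
type Export struct {
	Records             []SignedRecord `json:"records"`
	CollectionSignature string         `json:"collection_signature"`
}

// GenerateKeys makes the machine's signing key pair; the private key would be
// provisioned under election-official control, not generated by the vendor.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewUniqueID returns a random 128-bit identifier in hex; random rather than
// sequential so that it does not reveal the order in which voters voted.
func NewUniqueID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// canonical gives the bytes to sign; json.Marshal keeps field order, so it is deterministic.
func canonical(v interface{}) []byte {
	b, _ := json.Marshal(v) // cannot fail for the plain types used here
	return b
}

// SignRecord makes the per-record signature of paragraph (12). Unlike the hash
// code Comment 40 suspects was meant, it cannot be recomputed without the key.
func SignRecord(priv ed25519.PrivateKey, rec ElectronicRecord) SignedRecord {
	sig := ed25519.Sign(priv, canonical(rec))
	return SignedRecord{Record: rec, Signature: hex.EncodeToString(sig)}
}

// VerifyRecord checks one record against the machine's public key.
func VerifyRecord(pub ed25519.PublicKey, sr SignedRecord) bool {
	sig, err := hex.DecodeString(sr.Signature)
	return err == nil && ed25519.Verify(pub, canonical(sr.Record), sig)
}

// ExportRecords signs the whole set of records and signatures: a record that
// is dropped, inserted or duplicated passes per-record checks but not this one.
func ExportRecords(priv ed25519.PrivateKey, recs []SignedRecord) Export {
	sig := ed25519.Sign(priv, canonical(recs))
	return Export{Records: recs, CollectionSignature: hex.EncodeToString(sig)}
}

// VerifyExport is the auditor's check: collection signature, then each record.
func VerifyExport(pub ed25519.PublicKey, ex Export) bool {
	sig, err := hex.DecodeString(ex.CollectionSignature)
	if err != nil || !ed25519.Verify(pub, canonical(ex.Records), sig) {
		return false
	}
	for _, sr := range ex.Records {
		if !VerifyRecord(pub, sr) {
			return false
		}
	}
	return true
}
func main() {
	pub, priv, err := GenerateKeys()
	if err != nil {
		panic(err)
	}
	id, _ := NewUniqueID() // constructed sample record follows
	rec := ElectronicRecord{UniqueID: id, District: "ED 12", Selections: []string{"Governor: A"}}
	ex := ExportRecords(priv, []SignedRecord{SignRecord(priv, rec)})
	fmt.Println("export verifies:", VerifyExport(pub, ex))
	ex.Records[0].Record.Selections[0] = "Governor: B" // alter the export
	fmt.Println("after alteration:", VerifyExport(pub, ex))
}
```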
(14) The voting system printers shall be
physically secure from tampering.
(a) The voting system shall communicate with its
printers over a standard, publicly documented printer port using a standard
communication protocol.
Comment 43
The word “communication” here is misleading and
should be omitted.
(b) The paper path between the printing, viewing
and storage of the paper record shall be protected and sealed from access
except by authorized election officials.
(c) The printer shall not be permitted to
communicate with any other system or machine other than the single voting
system to which it is connected.
Comment 44
For systems that make use of telephone lines to
connect their different parts, compliance with this requirement would probably
be difficult to ascertain and impossible to enforce.
(d) The printer shall only be able to function
as a printer: it cannot store information or contain or provide any services
that are not essential to system function, (e.g., provide copier or fax
functions) or have network capability.
Comment 45
It is unclear how this would apply to the Avante system which uses a fax machine
as a printer. It is unclear how it would apply to systems that use telephone
lines to connect the different parts of the system.
(e) Printer access to replace consumables such as ink or paper shall only be granted if it does not compromise the sealed printer paper path.
Comment 46
If poll workers cannot load more paper in the
printer, this may limit the number of voters
per DRE to a very small number.
(f) Prior to the opening
of polls on election day, poll workers shall
demonstrate that the ballot storage devices are
empty. The storage devices shall then
be sealed and no further access shall be provided to polling place workers.
(g) Tamper-evident seals or physical security
measures shall protect the connection between the printer and the voting
machine, so that the connection cannot be broken or interfered with without
leaving extensive and obvious evidence.
(15) The voting system’s printers shall be highly
reliable and easily maintained.
(a) The voting system should include a printer
port to which a commercial off-the-shelf printer which complies with
sub-section F(14) above, could be attached for
the purposes of printing paper records and any additional records.
(b) The voting system shall detect errors and
malfunctions such as paper jams or low supplies of consumables such as paper and
ink that may prevent paper records from being correctly displayed, printed and
stored.
(c) If an error or malfunction occurs, the
voting equipment attached to the defective printer shall suspend voting
operations and shall present a clear indication to the voter and election
workers of the error or malfunction.
(d) There shall be adequate supplies of
consumable items such as paper and printer ink on hand to operate from opening
to closing of polls.
(i) Printing devices should contain paper and
ink of sufficient capacity so as not to require reloading or opening equipment
covers or enclosures and circumvention of security features, or reloading shall
be able to be accomplished with minimal disruption to voting and without
circumvention of security features such as seals.
(ii) Printer consumables shall be stored within
the temperature and humidity ranges specified by the manufacturer and shall be
stored in State Board-approved containers to protect them from sustaining any
damage.
(e) The vendor shall
make recommendations as to appropriate numbers of printers to be used in
conjunction with the number of voting systems being utilized. A sufficient number of replacement printers
shall be available.
(16) Vendor documentation shall include
procedures for investigating and resolving malfunctions including but not
limited to misreporting of votes, unreadable paper records, paper jams, low
ink, mis-feeds and power failures.
Comment 47
Misreporting of votes would indicate programming errors in DRE software. What kind of
procedures will vendors be able to suggest for this possibility? It would be appropriate to rescind
certification of systems where printers misreport votes.
(17) Vendor documentation shall include
procedures for ensuring, in the case of malfunctions, that electronic and paper
records are correctly recorded and stored.
Comment 48
Will poll workers be able to implement such procedures? Will technicians be
stationed in each poll site? In case of some computer malfunctions, no
procedure can ensure that electronic records are correctly recorded and stored.
Writing a requirement into the regulations doesn’t make it feasible.
(18) Protective coverings intended to be
transparent on voting system devices shall be maintainable via a predefined
cleaning process. If the coverings
become damaged such that they obscure the paper record, they shall be replaced.
(19) The paper record shall be sturdy, clean, and
of sufficient durability to be used for manual auditing and recounts conducted
manually. The paper record shall be
able to be stored and remain fully readable without degradation for 22 months
within the temperature and humidity ranges specified by the manufacturer, but
at a minimum temperature range of at least from -20 degrees to 140 degrees
Fahrenheit, and at a humidity as high as 98%.
G. Any submitted voting system’s software shall
not contain any code, procedures or other material which may disable, disarm or
otherwise affect in any manner, the proper operation of the voting system, or
which may damage the voting system, any hardware, or any computer system or
other property of the State Board or county board, including but not limited to
‘viruses’, ‘worms’, ‘time bombs’, and ‘drop dead’ devices that may cause the voting
system to cease functioning properly at a future time.
The whole point of malware is that it is difficult or impossible to detect. Writing a requirement into the regulations doesn’t make it doable.
H. Any submitted voting system shall provide
methods through security seals or device locks to physically secure against
attempts to interfere with correct system operations. Such physical security shall guard access to machine panels,
doors, switches, slots, ports, peripheral devices, firmware, and software.
I. The system shall provide a means by which
the ballot definition code may be positively verified to ensure that it
corresponds to the format of the ballot face and the election configuration.
Isn’t this what logic and accuracy tests are for?
Section 6209.3 Additional Requirements for Voting Systems
A. In addition to voting system requirements
provided for elsewhere in these rules and regulations, paper-based systems
shall:
(1) Allow the voter, at their choice, to vote a new
ballot or submit the ballot ‘as is’.
(2) An over-vote in one or more office or ballot
proposals shall not prevent the counting of all other offices or ballot
proposals contained on the ballot.
(3) In the case of candidates who appear on one or
more party lines, the system shall be capable of correctly counting the vote
according to provisions of Election Law §9-112.
B. Ballot specifications:
(1) As to the printing and arrangement of ballots,
all ballots shall meet the requirements as to form and content provided in
section 7-121 of the Election Law, and:
(2) ballots shall be printed in black print on a
white background or on backgrounds of different colors to identify different
types of ballots (i.e., emergency, affidavit, etc) or in the case of a primary,
to identify ballots for each political party according to the color assigned to
such party pursuant to law, and
(3) coding which is both machine readable and
manually readable shall be used to identify different ballot styles, and
In order to provide tallies by AD/ED, there needs to be a way to encode AD/ED on
the paper ballots also, since the same ballot style is used in multiple AD/EDs.
(4) ballots used in the paper-based voting system
shall be able to be counted by hand as well as be counted by machine, and
(5) The types of ballots used and their form, type
size and arrangement must be approved by the State Board of Elections.
C. For all paper-based voting systems, the
system shall count a mark on a ballot that is in a:
(1) Sensitive Area for a candidate whose name is on
the ballot;
(2) Sensitive Area designated for write-in voting for
a write-in candidate; or
(3) Sensitive Area for a ballot proposal.
D. With regard to the central counting of absentee,
affidavit, emergency and special ballots, the requirements of 6209.2
(F)(1)(c-e), and (F)(2) not consistent with this section shall not apply.
a. What is a special ballot?
b. These regulations should specify exactly which requirements shall not apply.
Section 6209.4 Application Process
A. The Election Operations Unit shall forward
an application form within one week from the date of receipt of a request from
a vendor, together with a copy of applicable rules and regulations and a pre-qualification
test format for both a general and primary election ballot program.
B. Said vendor shall return completed ballot
layouts based upon the pre-qualification test format to the Election Operations
Unit. Upon approval of the layouts, the
vendor shall program such system or equipment and complete the
pre-qualification tests for both ballot programs provided, and enter the
simulated votes upon said system or equipment for each election program.
C. The completed application shall be returned by
the vendor applicant, with a printout of tabulated votes from the primary and
general election pre-qualification tests as cast on the voting system equipment
which the applicant requests to have certified. The pre-qualification test programs shall be retained by the
applicant for use in the certification process.
D. The application and printouts shall be
reviewed to determine if the voting system shall be considered for
certification and the applicant shall be notified of such determination.
Response time requirements are appropriate for each response to a vendor by the State Board.
E. No application shall be deemed to be filed
until all documentation required by these rules has been submitted to the State
Board or its designee.
F. A certified or bank check in the amount of
$5,000 shall accompany such application, and be applied towards the actual cost
of the examination.
G. Fees for the examination of a voting system
shall be assessed against the vendor by the State Board based upon the cost to
the State Board for examination of such voting system by an outside contractor,
laboratory or other authorized examiner.
“Outside contractor, laboratory or other authorized examiner”: the State Board should consult with New Yorkers for Verified Voting, VoteTrustUSA.org, or VerifiedVoting.org for suggestions for examiners.
H. A vendor submitting an application shall
affirm that;
(1) the
submitted voting system complies with all applicable rules adopted by the State
Board, and with all applicable 2005 Federal Voting System Guidelines not
inconsistent with state law or these regulations, and is suitable for use by
voters;
It is the responsibility of the State Board to determine
if a voting system complies with New York’s legal and regulatory requirements.
This requirement erases
the arm’s length relationship needed between buyer and seller, asks
vendors to act as lawyers for the State Board, and is improper for that reason.
(2) the
vendor will quote and provide a statewide, uniform price for each unit of the
voting system’s equipment, and;
(3) the
submitted voting system’s software does not contain any code, procedures or
other material (including but not limited to ‘viruses’, ‘worms’, ‘time bombs’,
and ‘drop dead’ devices that may cause the voting system to cease functioning
at a future time), which may disable, damage, disarm or otherwise affect the
proper operation of the voting system, any hardware, or any computer system or
other property of the State Board or county board;
As comment 48 said, the whole point of malware is that it is difficult or impossible to detect. Making vendor executives submit sworn affidavits can put vendors on notice about the legal consequences of malware in their products, but does not provide election integrity.
a. What is the enforcement and penalty if the affirmation is false?
b. What if the vendor uses the defense of “impossibility” because it is impossible to determine whether software of such large size contains malware?
c. If vendors phrase their affirmations in terms of “to the best of my knowledge”, then they can evade these requirements.
(4) any
submitted voting system provides methods through security seals or device locks
to physically secure against attempts to interfere with correct system
operations. Such physical security
shall guard access to machine panels, doors, switches, slots, ports, peripheral
devices, firmware, and software.
I. All vendors shall submit with their
application forms, sworn affidavits from the president, chief executive officer
or chief operating officer of the vendor, disclosing any contributions made
within the United States by any of those officers, by the vendor itself, or by
any controlling shareholder to any political party or candidate for any office,
within two years prior to the date the application is submitted. After the submission of any application
forms, or after the submission of any such affidavit, a vendor must submit to
the Election Operations Unit, an affidavit at the end of each calendar quarter
(March 31, June 30, September 30 and December 31), disclosing whether or not
any new contribution has been made.
The submission of such affidavits shall be required throughout the
period during which the system is certified in New York.
This requirement should cover such contributions from at least the year 2000 to the present date. HAVA became law on October 29, 2002. Vendors, lobbyists, etc. were active long before then to sell the idea of electronic voting to Congress. Let’s know who was in bed with whom. See
http://www.wheresthepaper.org/Newsday12_2000ElectionDebacle.htm
J. All vendors shall submit with their
application forms, information regarding past or pending court cases involving
their voting systems or its major components, any evidence of fraud, faulty
systems, or failure to correct past problems.
b. A time period needs to be associated with this requirement.
c. This requirement needs to be associated with the voting systems whether or not
owned by the vendor at the time allegations were made. Several vendors now are
selling equipment that was owned by other companies when flaws were first
identified. Such vendors can evade the intent of this requirement by asserting
that the systems were not “theirs” at the time of the allegations.
Section 6209.5 Submission of Voting Systems Equipment.
A. Voting systems considered for certification
by the State Board shall be delivered to the State Board or its designee. Such equipment shall include documentation,
operation manual(s), auxiliary components and equipment used to program ballot
layout, and any other additional equipment used in the operation of said voting
system.
B. Vendors submitting systems or equipment for
certification must also provide additional systems to be used by the State
Board for the purposes of the Voter Demonstration Test. See Section 6209.6(G)(8).
The Voter Demonstration Test is in Section 6209.6 F (9) on page 27.
C. If the voting systems equipment is certified
by the State Board, the specific system or equipment and components examined by
the State Board shall become the property of
the State Board for as long as the system or equipment is in use in the
State or for such shorter period as the State Board shall so determine. Voting systems or equipment not certified
shall be disposed of pursuant to the vendor’s direction.
Comment 60
The State Board needs to retain each examined system that is certified if any such systems are in use in the state so that counties can compare the systems delivered to the examined certified system, as well as determine whether systems after maintenance or service are still the same as the examined certified system. This provision should give specific reasons why the State Board would not keep the examined certified systems that are in use in the state.
D. The applicant shall provide service and
normal maintenance of said system or equipment after certification and shall
supply to the State Board, at no cost, any modification to the system or
equipment for upgrading of any feature during the period that said system or
equipment is offered for sale and use in the State.
This provision should say “offered for sale or is in use in the State.”
E. The vendor shall provide, either at the time
of submission or no later than the completion of certification testing by the
State Board, a list of system proprietary and non-proprietary consumables,
extended warranties, services, and other such items as may be considered by
county boards for purchase, with the exception of programming, as county boards
are prohibited from contracting with a vendor for programming services. Such list shall become a component of the
contract.
Comment 62
a. Where are County Boards prohibited from contracting with a vendor for programming services? Is it page 31, Section 6209.9 A (4) (e)?
b. Any services with regard to computer equipment that are not performed by, or
closely observed by, bipartisan elections staff compromise the system. These
are not mechanical lever machines which are difficult to compromise, these are
computers where all future elections using all similar equipment can be
compromised by one person with a few minutes access to one system. See Hursti
Hack II. It is a failure of the federal certification process and federally
certified “ITAs” that such weaknesses in computerized voting systems have not
caused ITAs to refuse to certify such systems.
G. The vendor shall disclose, in the
application for certification, any pecuniary interest in or any direct or
indirect control over any testing laboratory as defined herein or which may be
used in connection with the certification or acquisition of any voting system.
Comment 63
This provision should require a report of all funds paid by the vendor to each ITA for any services at any time, and a description of the service and the product that was examined.
H. Vendors shall make available to the State Board,
in a quantity to be determined by the State Board, voting systems for the
purpose of conducting a usability test, which will establish the minimum number
of voting machines required in each polling place and the maximum number of
voters that can vote on one voting machine during the course of an ordinary
15-hour election day. The ballots to be
used for this test shall include both primary and general election ballots,
with ample candidate selection options and ballot proposal selections. For the purposes of the usability test,
voting shall occur by utilizing
all the devices which a voter may use to make
their selections. If a vendor has
previously performed a usability test on the same or similar voting system
which meets the requirements of this section, the State Board may consider the
findings of same. Whenever the State Board is satisfied that a voting
machine or system’s usability analysis has provided adequate and accurate
information relative to the requirements of Election Law Section 7-203.2, then
the State Board may, in its discretion, accept such documentation as
satisfaction of the usability test required by these regulations.
Comment 64
This provision gives discretion to the State Board to determine which voting
machines or systems are “similar.” Since New York State has a unique set of
requirements for full-face ballot display, voter verifiable printout, and
accessible devices, presumably there are no systems similar to the ones created
for New York.
I. For voting systems which are not PC-based,
vendors shall submit recommendations for acceptance and maintenance testing to
ensure that the firmware in systems purchased and used by county boards is
identical to certified firmware.
Comment 65
a. Provisions like this may seem helpful to the State Board but they prevent an
arm’s length buyer-seller relationship.
b. If the State Board is not expert enough to know how to test a particular
system, it is unlikely that the system will be properly tested by following
vendor recommendations.
c. The term “maintenance testing” should be defined.
Section 6209.6 Examination Criteria
A. State Board testing and examination shall be
performed in an open and public venue.
Testing shall be performed in conformity with written procedures adopted
by the State Board. Such procedures and
the test reports of the State Board and its ITA, shall be available for public
inspection at the office of the State Board, and at its website. Each tested
system shall, at a minimum, conform to the EAC’s 2005 Voluntary Voting System
Guidelines, to the extent that they are consistent with State Law and these
Regulations.
Comment 66
a. The requirement for “an open and public venue” may apply only to tests and examinations conducted by the State Board, and may not apply to tests and examinations conducted by their ITA.
b. Persons with appropriate experience should be hired to write the procedures.
c. The requirement for conformity to the EAC’s 2005 VVSG may be meaningless. See
"Gaping Hole in HAVA Voting System Standards Widened in 2005" by
Howard Stanislevic, VoteTrustUSA E-Voting Education Project, May 21, 2006.
B. The State Board or its designee, as part of
its examination, may at its discretion, submit the voting system for analysis
by a testing laboratory.
Comment 67
Will testing by the designee or testing laboratory be performed in an open and public venue? In New York State? According to written procedures?
C. Whenever the State Board is satisfied that a
voting machine or system has been proven to meet the Environmental Standards of
subdivision (E) of Section 6209.2 of these regulations; and the vendor is able
to provide documentation for the State Board’s testing authority to establish
that those standards have been met; then the State Board may, in its
discretion, accept such documentation as satisfaction of the tests required by
these regulations.
Comment 68
D. All laboratory testing shall be conducted or verified by independent testing authorities appropriately certified by the National Association of State Election Directors, the EAC or approved by the commissioners of the State Board.
All testing should be performed by local “ITAs” so that the money and work stays in New York State and so that the citizens of New York State who wish to observe can do so without having to travel out-of-state. Heretofore, federal ITAs have never allowed citizen observation.
(1) Software and Hardware Qualification Tests
Qualification of voting system software and hardware shall
consist of a series of tests, code analyses, and inspection tests performed at
the federal and state levels, to verify that the software and hardware meet
design requirements and that characteristics are correctly described in the
documentation items. Qualification
shall also include a Functional Configuration Audit and a Physical
Configuration Audit.
Comment 70
a. What is the difference between “tests” and “inspection tests”? The term “inspection tests” should be defined.
b. There is no federal inspection or testing. There is testing performed by NASED-approved ITAs which is paid for by vendors, and if the equipment “passes” it gets a NASED number.
c. The approval of ITAs was supposed to be taken over by the EAC, but that process has been in progress for a year and at this time no one seems to be in charge of it.
d. The term “design requirements” should be defined. Where are “design requirements” set forth?
e. The emphasis on documentation is not a replacement for independent evaluation of systems.
(2) Functional Configuration Audit
A functional configuration audit shall be performed to verify that the software complies with the Software Specification (as defined in subparagraph (B)(2)(B)(1) below) and applicable laws and regulations. Federal qualification test data may be used in partial fulfillment of this requirement; however, the State Board or its designee shall perform or supervise the performance of additional tests, or order additional laboratory testing, to verify system performance in all operating modes, including but not limited to disability access and alternate language modes and to validate the vendor's test data reports. The Functional Configuration Audit shall be performed in a facility selected by the State Board.
Comment 71
a. The only Software Specification below is in F (3) on page 20. There is no (B)(2)(B)(1).
b. The Software Specification pertains to documentation.
c. It appears that the Functional Configuration Audit means merely that those parts of the software that the vendor chooses to document are correctly documented and comply with applicable laws and regulations.
d. “Operating modes” should be defined if it includes more than the ability to receive voter interaction via accessible attachments and to provide information in non-English languages.
e. The facility selected by the State Board for the Functional Configuration Audit should be open to the public and located within New York State.
(a) Vendor Responsibility
The vendor shall provide a list of all
documentation and data required to be included as part of the independent
review, and vendor technical personnel shall be available to the State Board
during the performance of the Functional Configuration Audit.
(b) Technical Data
The vendor shall provide the following
technical data:
(i)
copies of all procedures used for module or unit testing, integration testing
and system testing;
(ii) copies of all test cases generated for each
module and integration test and sample ballot formats or other test cases used
for system;
(iii) records of all tests performed by the
procedures listed above, including error correction and retest.
Comment 72
“Technical Data” consists of procedures, test data, and documentation of tests performed by the vendor on its own equipment, covering the testing of individual modules, the integration of those modules, and the overall system.
(c) Audit Procedure
The State Board, with the assistance
of an independent testing authority, shall subject each voting system to a
complete functional test, including but not limited to actual use testing of
all components used by voters to enter or review votes. Additionally, the State Board and its
independent testing authority shall review the vendor's test procedures and
test results.
This review shall include an
assessment of the adequacy of test cases and input data to exercise all system
functions and to detect program logic and data processing errors if such be
present.
The review shall also include an
examination of all test data which is to be used as a basis for qualification.
Comment 73
What will the State Board and its assisting ITA actually do?
a. Use-test all components used by voters to enter or review votes.
b. Review the procedures, test data and results that the vendor says it used and obtained internally when it tested its own system.
c. What is missing from the explicit list above (what should we hope is meant by the phrase “not limited to”)? Machine tallies, system tallies, communication of voting machines with central tallying machines, audit logs, setup and shutdown procedures, all procedures that poll workers are supposed to be able to perform when systems fail during election day, procedures to discover why there are discrepancies between paper and electronic tallies, procedures that service and maintenance may involve, etc.
(3) Physical Configuration Audit
The Physical Configuration Audit is an examination of
the software configuration
against
its technical documentation to establish a configuration baseline for
approval. The Physical Configuration
Audit shall include an audit of all drawings, specifications, technical data and
test data associated with the system hardware and this audit shall establish
the system hardware baseline associated with the software baseline. All subsequent changes to the software or
hardware shall be subject to re-examination.
Comment 74
a. The Physical Configuration Audit creates the software baseline, which has to do with the consistency of the software with its documentation, and ALSO creates the hardware baseline, which is the hardware that the software runs on.
b. The phrase “shall be subject to re-examination” means that subsequent changes will not necessarily cause the system to be re-examined. Criteria for when re-examination will occur are ----
(a) Vendor Responsibility
The vendor shall provide a list of all documentation and data required
to be audited by the State Board.
Vendor’s technical personnel shall be available to the State Board
during the performance of the Physical Configuration Audit.
(b) Technical Data
The
vendor shall provide the following technical data:
(i) identification of all items which are to be a
part of the software release;
(ii) identification of all hardware which interfaces
with the software;
(iii) configuration baseline data for all hardware
included within the system;
(iv) copies of all software documentation which is
intended for distribution to users, including program listings, specifications,
operator manual, user manual and software maintenance manual;
Comment 75
a. What program listings does the State Board envision will be intended for distribution to users?
b. There will be many types of users of these systems, including voters, poll workers, maintenance, repair and service technicians, ballot programmers, etc. The term “users” should be more specific.
(v) proposed user acceptance test procedure and
acceptance criteria;
Comment 76
Which users? Acceptance by whom, and for what purpose? Acceptance by the State Board for certification?
(vi) an identification and explanation of any changes
between the Physical Configuration Audit and the configuration submitted for
the Functional Configuration Audit.
Comment 77
What changes are envisioned by these regulations?
(c) Audit Procedure
Required data items include draft and formal documentation of the
vendor's software development program which are relevant to the design and
conduct of Qualification Tests. The
vendor shall identify all documents, or portions of documents, which the vendor
asserts contain proprietary information not approved for public release. The State Board or its designee shall agree
to use any proprietary information contained therein solely for the purpose of
analyzing and testing the software and shall refrain from disclosing
proprietary information to any other person or agency without the prior written
consent of the vendor or a Court order.
The State Board or its designee shall review the vendor's source code
and documentation to verify that the software conforms to the
documentation,
and that the documentation is sufficient to enable the user to install,
validate, operate and maintain the voting system. The review shall also include an inspection of all records of the
baseline version against the vendor's release control system to establish that
the configuration, being qualified, conforms to the engineering and test data.
Comment 78
a. The State Board again will shortcut its evaluation of systems by relying on vendor documentation for guidance.
b. The State Board will not evaluate the vendor’s claims of proprietary control of information.
c. The State Board will merely evaluate whether the software that the vendor chooses to designate is correctly and adequately documented.
d. There is no arm’s length relationship or evaluation required here.
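To make concrete what an arm’s length configuration-baseline check looks like, here is an added example written for this page; it is not part of the regulations, of any vendor’s process, or of the State Board’s procedures. It assumes (the regulations do not prescribe this) that the software baseline established at the Physical Configuration Audit is recorded as a manifest of file paths and SHA-256 digests taken directly from the certified unit, rather than from vendor documentation. The release tree and the post-certification changes in the demo are constructed.

```python
"""Configuration-baseline check: detect any change to a certified software release.

Added example, not part of the regulations or the commentary. Assumption: the
baseline from the Physical Configuration Audit is kept as {relative path: sha256}.
The sample release tree and the "maintenance" changes below are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest.

    A symlink is recorded by the digest of its target *text*, so a link that is
    re-pointed at a different file shows up as a modification.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_symlink():
            manifest[rel] = hashlib.sha256(os.readlink(path).encode()).hexdigest()
        elif path.is_file():
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Classify differences between the certified baseline and a delivered unit.

    'added' = components present on the unit that were never part of the
    certified release (undeclared components); 'removed' and 'modified' =
    changes to the baseline, which the regulation makes subject to re-examination.
    """
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def conforms(baseline, current):
    """True only when the unit matches the certified baseline exactly."""
    return not any(compare_manifests(baseline, current).values())


def demo():
    """Constructed scenario: certify a release, then receive a unit with two changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "tally").write_bytes(b"\x7fELF constructed tally binary v1")
        (root / "config").mkdir()
        (root / "config" / "ballot.xml").write_text("<ballot version='1'/>")
        baseline = build_manifest(root)  # recorded at the Physical Configuration Audit

        # Constructed post-certification changes by the vendor:
        (root / "bin" / "tally").write_bytes(b"\x7fELF constructed tally binary v2")
        (root / "bin" / "extra_module.bin").write_bytes(b"undeclared component")
        current = build_manifest(root)  # taken from the delivered unit
        return compare_manifests(baseline, current), conforms(baseline, current)


if __name__ == "__main__":
    diff, ok = demo()
    print("conforms to baseline:", ok)
    for kind, paths in diff.items():
        print(f"{kind}: {paths}")
```

The baseline is taken once, from the unit actually examined, and every delivered or “maintained” unit is compared against it. Any non-empty list is a change that forces re-examination, and the check never consults the vendor’s list of what the release is supposed to contain, which is the independence the comments above find missing.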
E. Functional Tests, Security Tests and
Simulated Voting
Prior to certifying a voting system, the state board
shall designate an independent expert to review, all source code made available
by the vendor pursuant to this section and certify only those voting systems
compliant with these Regulations. At a minimum, such review shall include a
review of security, application vulnerability, application code, wireless
security, security policy and processes, security/privacy program management,
technology infrastructure and security controls, security organization and
governance, and operational effectiveness, as applicable to that voting
system.
Comment 79
a. The State Board, and New York voters, will rely upon an independent expert to assess whether a system is secure and compliant.
b. Voters will rely upon the State Board to designate an expert who is in fact independent.
(1) For all systems or equipment, functional tests
shall consist of the validation of equipment functional performance, and shall
be performed in an open and public venue, in conformity with written procedures
adopted by the State Board.
Comment 80
The written procedures must require a test of the entire system: from the start-up procedures that poll workers are supposed to perform at the beginning of election day, to the 3% spot-check of the voter verified paper audit record, to the tabulation of results by the central tabulator, to the evaluation of the accuracy of the system audit logs.
(2) All votes entered shall use the identical
interfaces as would be used by the actual voters during the actual voting
process. By way of explanation,
touch-screen votes, or votes cast via alternative accessible devices such as
tactile-discernible key pads or pneumatic switches shall be used as the voter
would use them rather than casting simulated votes via any of these processes
into the voting system using any type of diagnostic input cartridge.
(3) Functional tests of voting system software which
runs on general purpose data processing equipment shall include all tests
similar to those in procedures which are necessary to validate the proper
functioning of the software and its ability to control the hardware
environment. The tests shall also
validate the ability of the software to detect and act correctly upon any error
conditions which may result from hardware malfunctions. Detection capability may be contained in the
software, the hardware or the operating system. It shall be validated by any convenient means up to and including
the introduction of a simulated failure (power off, disconnect a cable, etc.)
in any equipment associated with vote processing.
(4) Each system shall be submitted for electronic and
technical security and integrity analysis by independent certified security
experts, who shall be given full unrestricted access to production units of the
system, for such analysis. Whenever the
vendor is able to provide documentation for the State Board and its testing
authority, to establish that the standards of this section of these regulations
have been met; then the State Board may, in its discretion, accept such
documentation as satisfaction of the tests required by these regulations.
Comment 81
a. “Independent certified security expert” should be defined.
b. This requirement for “analysis by independent certified security experts” cannot be met by federal certification procedures, since the vendor pays for them (hence they are not “independent”).
c. “Standards of this section of these regulations” is unclear. Does it mean “this paragraph,” or “Section 6209.6 Examination Criteria,” or something in between? Similarly, the phrase “tests required by these regulations” is improperly vague and could be argued to mean that no state tests need be performed if a system has federal certification.
d. Paragraph (1) above only requires “functional tests” to be performed in an open and public venue.
e. This paragraph does not require security “tests” but rather “analysis.” The use to which the analysis will be put is not specified.
(5) Functional tests for the following types of equipment shall be required:
(a) Standard commercial, off-the-shelf production
models of general purpose data processing equipment (PC’S, printers, etc.)
shown to be compatible with these requirements and with the voting system.
(b) Production models of special purpose data
processing equipment (scanners, bar code readers, etc.) having successfully
performed in elections use and having been shown to be compatible with the
voting system.
F. Software, Hardware, Operating and Support Documentation
(1) Software Qualification
The following system software and
firmware vendor data items shall be submitted as a precondition of
certification of acceptability for elections use.
(2) Vendor Documentation
Complete product documentation shall be
provided to the State Board for voting systems, their components and all
auxiliary devices. This documentation
shall be sufficient to serve the needs of the voter, the operator, maintenance
technicians, and other appropriate county board personnel. It shall be prepared and published in
accordance with standard industrial practice for electronic and mechanical
equipment such documentation shall include:
(3) Software Specification
The Software Specification shall
contain and describe the vendor's design standards and conventions, environment
and interface specifications, functional specifications, programming
architecture specifications, and test and verification specifications. Vendor must also provide document
identification, an abstract of the specification, configuration control status
and a table of contents. The body of
the specification shall contain the following material:
(a) System Overview
The vendor shall identify the system hardware and the
environment in which the software will operate and the general design and
operational considerations and constraints which have influenced the design of
the software.
(b) Program Description
The vendor shall provide descriptions of the software
system concept, the array of hardware in which it operates, the intended
operating environment, the specific software
design
objectives and development methodology and the logical structure and algorithms
used to accomplish the objectives.
(c) Standards and Conventions
The vendor shall provide information which can be
used as a partial basis for code analysis and test design. It should include a description and
discussion of the standards and conventions used in the preparation of this
specification and in the development of the software.
(d) Specification Standards and Conventions
The vendor shall identify all published and private
standards and conventions used to document software development and
testing. Vendor internal procedures
shall be provided as attachments to this Software Specification.
(e) Test and Verification Standards
The vendor shall identify any standards or other
documents which are applicable to the determination of program correctness and
acceptance criteria.
(f) Quality Assurance Standards
The vendor shall describe all standards or other
documents which are applicable to the examination and testing of the software,
including standards for flowcharts, program documentation, test planning and
test data acquisition and reporting.
(g) Operating Environment
The vendor shall provide a description of the system
and subsystem interfaces at which inputs, outputs and data transformations
occur. It shall contain or make
reference to all operating environment factors which influence the software
design.
(h) Hardware Constraints
The vendor shall identify and describe the hardware
characteristics which influence the design of the software, such as:
(i) the logic and arithmetic capability of the
processor,
(ii) memory read/write characteristics,
(iii) external memory device characteristics
(iv) peripheral device interface hardware data I/O
device protocols, and
(v) operator controls, indicators and displays.
(i) Software Environment
The vendor shall identify all compilers, assemblers,
or other software tools to be used for the generation of executable code and a
description of the operating system or system monitor. This section shall also contain an overview
of the compile-time interaction of the voting system software with library
calls and linking.
(j) Interface Characteristics
The vendor shall describe the interfaces between
executable code and system input-output and control hardware.
(k) Software Functional Specification
The vendor shall provide a description of the overall
functions which the software performs in the context of its mode or modes of
operation. The vendor shall also
describe the capabilities and methods for detecting and handling exceptional
conditions, system failure, data input/output errors, error logging and audit
record generation and security monitoring and control.
Comment 82
“Mode or modes of operation” should be defined.
(l) Configurations and Operating Modes
The vendor shall describe the various software
configurations and operating modes of the system; such as preparation for
opening of the polling place, vote recording and/or vote processing, closing of
the polling place and report generation.
For each software function or operating mode, a definition of the inputs
(characteristics, tolerances or acceptable ranges) to the function or mode, how
the inputs are processed and what outputs are produced (characteristics,
tolerances or acceptable ranges) shall be provided.
Comment 83
The list of “modes” in this paragraph should include the extraction of election data from the voting machine, the transfer of that data to the central tabulator, and the extraction and evaluation of system event logs.
(m) External files
In the event that external files are used for data input or output, the definition of information context and record formats shall be provided. The vendor shall also describe the procedures for file maintenance, access privileges and security.
(n) Security
Security requirements and security provisions of the
system’s software shall be identified for each system function and operating
mode. The voting system must be secure
against attempts to interfere with correct system operation. The vendor shall identify each potential
point of attack. For each potential
point of attack, the vendor shall identify the technical safeguards embodied in
the voting system to defend against attack, and the procedural safeguards that
the vendor has recommended be followed by the
election
administrators to further defend against that attack. Each defense shall be classified as preventative, if it prevents
the attack in the first place; detective if it allows detection of an attack;
or corrective if it allows correction of the damage done by an attack. Security
requirements and provisions shall include the ability of the system to detect,
prevent, log and recover from the broad range of security risks
identified. These procedures shall also
examine system capabilities and safeguards claimed by the vendor to prevent
interference with correct system operations.
The State Board, with the assistance of its ITA, shall conduct tests to
confirm that the security requirements of these Regulations have been
completely addressed. Notwithstanding
any other provisions of these Regulations, the State Board shall determine
whether all or a portion of such security requirements and security provisions
shall be available for public inspection, but shall exclude any information
which compromises the security of the voting system.
Comment 84
a. ITAs are the wrong assistant for this task, since they have consistently failed to find security flaws that activists later identified in federally certified systems. Security experts such as RABA Technologies, Harri Hursti, or a classroom of computer science students would provide more trustworthy and independent assistance.
b. Security by obscurity is notoriously failure-prone; if any information about a system would compromise it, the system should be considered insecure.
c. New York State should not assume that all insiders are trustworthy.
d. New York State should not assume that vendors will foresee all possible security flaws, or that insiders and outside hackers will be unable to access the system by methods the vendor did not foresee.
(o) Programming Specifications
The vendor shall provide an overview of the software
design, structure and implementation algorithms. Whereas the Functional Specification of the preceding section
provides a description of what functions the software performs and the various
modes in which it operates, this section should be prepared so as to facilitate
understanding of the internal functioning of the individual software
modules. Implementation of functions
shall be described in terms of software architecture, algorithms and data
structures and all procedures or procedure interfaces which are vulnerable to
degradation in data quality or security penetration shall be identified.
Comment 85
New York State should not assume that vendors will foresee all possible flaws in their own systems.
(p) Test and Verification Specifications
The vendor shall provide a description of the
procedures used during software development to verify logical correctness, data
quality and security. This description
shall include existing standard test procedures, special purpose test
procedures, test criteria and experimental design and validation criteria. In the event that this documentation is not
available, the Qualification Test agency shall design test cases and procedures
equivalent to those ordinarily used as a basis for verification (see below).
Comment 86
New York State should maintain an arm’s length relationship with vendors, and not rely on their procedures.
(q) Qualification Test Specification
The vendor shall provide a description of the specification
for verification and validation of overall software performance, including
acceptance criteria for control and data input/output, processing accuracy,
data quality assessment and maintenance, exceptional handling and security. The specification shall identify specific
procedures by means of which the general suitability of the software for
elections use can be assessed and demonstrated. The vendor's specification and procedure shall be used to
establish the detailed requirements of the tests described in "Laboratory
Environmental Test Procedures for Hardware and Software" of this Standard.
Comment 87
a. New York State should maintain an arm’s length relationship with vendors, and not rely on their procedures and guidance. The only way to demonstrate general suitability is via mock elections conducted in public with public participation.
b. There is no part of this Standard called “Laboratory Environmental Test Procedures for Hardware and Software.”
(r) Acceptance Test Specification
The vendor shall provide a description of the
specification for installation, acceptance and readiness verification. This specification shall identify specific
procedures by means of which the capability of the software to accommodate
actual ballot formats and format logic, and pre-election logic, accuracy and
security test requirements of using jurisdictions may be assessed and
demonstrated. The vendor's
specification shall be used to establish the detailed requirements of the tests
described in "Laboratory Environmental Test Procedures for Hardware and
Software" of this standard performed to evaluate the adequacy of the
vendor's procedures and it shall be suitable for inclusion in the regulations
and procedures of user counties when preparing for the conduct of actual
elections.
Comment 88
a. New York State should maintain an arm’s length relationship with vendors, and not rely on their procedures and guidance.
b. There is no part of this Standard called “Laboratory Environmental Test Procedures for Hardware and Software.”
(s) Appendices
The vendor shall provide descriptive material and
data supplementing the various sections of the body of the Software
Specification. The content and
arrangement of appendices shall be at the discretion of the vendor. Topics recommended for amplification and
treatment in appendix form include:
(i) Glossary: Provide a listing and brief definition
of all software module names and variable names with reference to their
locations in the software structure.
Include abbreviations, acronyms and terms which are either not commonly
used in data processing and software development or which are used in an
uncommon semantic context.
(ii) References:
Provide a list of references to all related vendor documents, data,
standards and technical sources used in software development and testing.
(iii) Program
Analysis: Provide the results of
software configuration analysis, algorithm analysis and selection, timing
studies and hardware interface studies reflected in the final software design
and coding.
(iv) Security Analysis: Provide a detailed description of the penetration analysis
performed to preclude intrusion by unauthorized persons and fraudulent
manipulation of elections data.
Identify security policies and measures and selection criteria for audit
log data categories.
Comment 89
The standards should require the audit log to be a complete record of ALL software and hardware events, including but not limited to: interactions with persons via all interfaces, including the touchscreen and accessible attachments; interactions with the central tabulator; keyboard and mouse interactions with any part of the system; events related to external memory devices, ports and drivers, including printers; and events related to communications capability.
(4) Operator Information
This documentation shall include a physical
description of the equipment sufficient to identify all features, controls and
displays. It shall include a complete
procedure for energizing the equipment, for testing and verifying operational
status and for identifying all abnormal equipment states. It shall include a complete operating
procedure for inserting ballots to be tabulated, for controlling the tabulation
process, for monitoring the status of the equipment, for recovering from error
conditions and for preparing output reports.
It shall also include troubleshooting instructions.
The documentation shall also include a description of
the relationship of the Sensitive Area, Voting Target, and Ballot
Position. For paper-based systems, this
description shall include a description of the nature of the marks the system
will and will not count as votes, for example, the types of marks made with
each of a variety of pens and pencils that should be counted and that should
not be counted. For DRE voting systems,
this description shall include a description of the nature of the voter action
required to cast a vote in the Sensitive Area, for example, the force and
duration of contact required.
Comment 90
For DREs, the dimensions of the area that the voter must touch should be described. On a touchscreen, will the tip of a stylus be recognized? Will a touch with the tip of a fingernail be recognized? Will a touch with the pad of the last section of a finger be too broad? These questions bear on voter training.
(5) Maintenance Information
(a) This documentation shall contain a complete
physical and functional description of the equipment and a theory of operation
which fully describes the electrical and mechanical function of the equipment,
how the processes of ballot handling and reading are performed, how data are
handled in the processor and memory sections, how data output is initiated and
controlled, how power is converted or conditioned and how test and diagnostic information
is acquired and used.
Comment 91
This paragraph surely does not apply to DREs; perhaps it applies to optical scanners. Where DREs and optical scanners differ, the regulations should state explicitly which type of equipment is being addressed.
(b) A complete parts and materials list shall be
provided which contains sufficient descriptive information to identify all
parts by type, size, value or range and manufacturer's designation.
(c) Technical illustrations and schematic
representations of electronic circuits shall be provided with indications of
all test and adjustment points and the nominal value and tolerance or waveform
to be measured. Fault detection,
isolation and correction procedures or logic diagrams shall be prepared for all
operational abnormalities identified by design analysis and operating
experiences.
Comment 92
a. This paragraph surely does not apply to DREs; perhaps it applies to optical scanners. Where DREs and optical scanners differ, the regulations should state explicitly which type of equipment is being addressed.
b. The term “design analysis” should be defined and its relationship to maintenance described.
(6) Logistics, Facilities and Training
The vendor shall identify all operating and support requirements
of the system or component. These
requirements include material, facilities and personnel, including furnishings,
fixtures, and utilities which will be required to support system operation,
maintenance and storage.
(7) Maintenance Training and Supply
(a) The vendor shall identify all corrective and
preventive maintenance tasks, including
the calibration of the system, as appropriate, and the level at which they shall be performed. Levels of maintenance shall include operator
tasks, maintenance personnel tasks and factory repair.
Comment 93
“Calibration of the system” should be defined.
(b) Operator tasks shall be limited to the activation
of controls to identify irrecoverable error conditions and to the replenishment
of consumables such as printer ribbons, paper and the like.
Comment 94
Operators of DREs and precinct-based optical scanners will be poll workers and voters. There are additional tasks they will have to perform.
(c) Maintenance
personnel tasks shall include all field maintenance actions which require
access to internal portions of the equipment.
They shall include the conduct of tests to localize the source of a
malfunction; the adjustment, repair or replacement of malfunctioning circuits
or components and the conduct of tests to verify restoration to service.
Comment 95
a. If “field maintenance actions” are tasks that maintenance personnel will perform at poll sites when DREs fail, this paragraph is completely unrealistic. Does the State Board imagine that someone will go to a poll site, open a security panel on the DRE, and start taking components out and putting others in? Replace a few chips of firmware or internal memory?
b. The only realistic action in the field would be that, if a printer cable or electrical cord falls out of its socket, someone will plug it back in.
(d) Factory repair
tasks shall be minimized, and repairs shall be made on site whenever reasonably
possible. Factory repairs shall only
include complex and infrequent maintenance functions which require access to
proprietary or to specialized facilities and equipment which cannot be obtained
by the county board.
(e) The
vendor shall identify by function all personnel required to operate and support
the system. For each functional
category, the number of personnel and their skills and skill levels shall be
specified.
Comment 96
Poll workers and voters are the personnel who will operate DREs and precinct-based optical scanners.
(f) The vendor shall specify requirements for
the training of each category of operating and support personnel, including but
not limited to voters, poll workers, and elections staff. The vendor shall prepare all materials
required in the training activity and shall provide or otherwise arrange for
the provision of as many qualified instructors as are necessary to properly and
fully train said personnel in each category.
(g) The
vendor shall recommend a standard complement of supplies, spares and repair
parts which will be required to support system operation. This list shall include the identification
of these materials and their individual quantities and sources from which they
may be obtained. The vendor shall
supply, at vendor's expense, any special tools required to repair or maintain
the equipment.
(h) The vendor shall provide complete instructions
for all methods of voting which voters may use to cast their vote, including
instructions on entering and changing votes, write-in voting, verifying votes
and accepting the cast votes. Written
and audio instructions shall be provided in each language in which voting shall
occur within the state.
(8) Usability Test
Vendors shall make
available to the State Board, in a quantity to be determined by the State
Board, voting systems for the purpose of conducting a usability test, which
will establish the minimum number of voting machines required in each polling
place and the maximum number of voters that can vote on one voting machine
during the course of an ordinary 15-hour election day. The ballots to be used for this test shall
include both primary and general election ballots, with ample candidate
selection options and ballot proposal selections. For the purposes of the usability test, voting shall occur by
utilizing all the devices which a voter
may use to make their selections. If a
vendor has previously performed a usability test on the same or similar voting
system which meets the requirements of this section, the State Board may
consider the findings of same. Whenever the State Board is satisfied that a voting
machine or system’s usability analysis
has
provided adequate and accurate information relative to the requirements of
Election Law Section 7-203.2, then the State Board may, in its discretion,
accept such documentation as satisfaction of the usability test required by
these regulations.
This paragraph should
require that accessible attachment should be tested by individuals with
appropriate disabilities, so that realistic timing can be assessed.
Given New York State’s
unique combination of requirements (full face ballot, broad accessibility, and
voter verified paper audit record) it is unlikely that any vendor will have
usability test data from similar systems.
(9) Voter Demonstration Test
(a) The
purpose of this test is to provide, in a simulated election day environment, a
public demonstration of the usability and accuracy of such systems or machines.
(b) Vendor
must submit, in a quantity to be determined by the State Board, additional
voting systems or equipment that have been submitted for certification. These additional systems or equipment will
be returned to the vendor upon the completion of voter demonstration testing.
(c) The
State Board shall make available to the public, all non-proprietary documentation
submitted by the vendor.
Comment
98
a. The State Board of Elections was urged to include in these regulations a requirement for a Mock Election public test, and this “Voter Demonstration Test” is apparently the watered-down and vague result. Mock elections are described at
www.wheresthepaper.org/WhatIsAPublicMockElection.htm
and
www.votetrustusa.org/index.php?option=com_content&task=view&id=1474&Itemid=26
Regardless of what the test is called, the regulations should more clearly and fully describe what the test consists of, and what the requirements of a “simulated election day environment” are. The regs should list:
--DRE or optical scanner programming and preparation by Board of Elections staff,
--poll workers who have been trained who perform the tasks required in a poll site at the beginning and end of an election day,
--voters who enter votes by all methods available,
--extraction of tallies and system event and activity logs,
--transfer of voting machine election data to the central tabulator,
--the comparison of vote data with DRE voter verified paper audit records and system event and activity logs, or with the marked paper ballots for optical scanner systems.
b.
The “Voter Demonstration Test” is an opportunity for election staff to demonstrate
that they know how to confirm that the systems delivered for the test are the
same as the system delivered to the State Board for certification.
c.
“all non-proprietary documentation submitted by the vendor” should be made
available to the public on the web site of the State Board at least two weeks
in advance of the announcement of the “Voter Demonstration Test” so that the
public has a chance to read it.
(10) Certification
(a) The State Board
shall escrow a complete copy of all certified software that is relevant to
functionality, setup, configuration, and operation of the voting system,
including but not limited to, a complete copy of the source and executable
code, build scripts, object libraries, application program interfaces, and
complete documentation of all aspects of the system including, but not limited
to, compiling instructions, design documentation, technical documentation, user
documentation, hardware and software specifications, drawings, records, and
data. Documentation shall include a
list of programmers responsible for creating the software and a sworn affidavit
that the source code includes all relevant program statements in low-level and
high-level languages. The State Board
may require that additional items be escrowed.
If any vendor contracts to escrow additional items, those items shall be
subject to the provisions of this section.
Comment
99
a.
State law requires “a complete copy of all programming, source coding and
software” to be escrowed.
b.
All software should be escrowed so that all memory can be completely blank and
all software, firmware, and any other programming can be loaded from that which
is in escrow.
c.
This paragraph and paragraphs (b) and (c) immediately below create a loophole
which guarantees that malware and fraud
will be difficult or impossible to detect.
(b) The vendor shall immediately notify the state
board of any change in any item required to be escrowed by subdivision (a) of
this subsection, and shall provide an updated version for deposit.
(c) The chief executive officer of the vendor shall
sign a sworn affidavit that the source code and other material in escrow is the
same being used in its voting systems in the State. The chief executive officer
shall have an ongoing obligation to ensure the statement is true.
(d) The vendor shall promptly notify the state board
and each county board using its voting system of any decertification of the
same system in any state, of any defect in the same system known to have
occurred anywhere, and of any relevant defect known to have occurred in similar
systems.
Comment 100
“Promptly” should be defined, such as, “within 5 business days.”
(e) Upon
completion of testing, reports shall be produced by the ITA and State Board
staff, and a recommendation either for or against certification shall be made
to the State Board’s commissioners.
(f) If the
State Board determines that a system meets the requirements of these
Regulations, and is determined to be suitable for use by voters, it shall certify
such system. A notice of provisional
certification shall be prepared and forwarded to the vendor, forthwith. The vendor shall ensure that the voting
system’s software has been escrowed as set forth in Election Law Section 7-208,
and the vendor has updated any affidavit and complied with the affidavit
requirements, as set forth in Section 6209.4(H) of these regulations.
Comment
101
a.
One can foresee the “oops” moment when allegations of system failure occur and
vendors realize that they made a mistake and the escrowed software was not
complete, or the certified version, etc.
b.
The State Board should take responsibility for managing what is in escrow.
(g) Upon
compliance with the provisions set forth above, a Notice of Certification shall
be awarded to the vendor. Notice of
such Certification shall also be provided to all county boards.
(h) If the
State Board fails to certify a system, the vendor shall be so notified.
(i) Once a
certified system is selected for purchase by a county board, that system’s
software shall be provided to the county board by the State Board, and not the
vendor.
Comment
102
How
this will be done needs to be specified in detail. Within what timeframe will
the software be provided? How many persons will be needed at the State Board to
provide the software to counties? In what form will the software be delivered?
What about firmware? Who will install the software in the county’s machines?
What training will these persons need? Who will pay for the training and the person-days
needed to load the software? How long will it take? Will there be a
comprehensive test of each system after software is loaded to catch any errors
in loading before the machines are used?
Section
6209.7 Modifications and Re-examination
A. Any prospective modification to a previously
certified voting system shall be submitted to and approved by the State Board
before such modification is made.
B. No modification of previously certified
voting systems equipment shall be used in any election until such modification
has been approved by the State Board.
C. Prospective modification shall be reviewed
by the State Board or by an examiner or testing laboratory selected by the
State Board in accordance with the fee schedule established by section 7-201 of
the Election Law.
D. Upon completion of a review of such
prospective modification, the State Board may cause a re-examination of the
entire voting system, or within its discretion, grant continuation of
certification pursuant to the provisions of section 7-201 of the Election Law.
Because any change to software can have unforeseen effects on other parts of the system, any modification should trigger re-examination of the entire voting system.
Section
6209.8 Rescission of Certification
A. If at any time subsequent to the State
Board's approval of a voting system, the State Board determines that the voting
system fails to fulfill the criteria prescribed by statute and these rules, the
State Board shall notify any purchasers and vendors of that particular voting
system’s failure, post such notice on its website, and give notice by mail to
the chairs
of
all political parties and interested persons who have previously requested
notification of such information, that the State Board's approval or
certification of that system in New York State is to be withdrawn.
Comment
104
To avoid charges that the State Board makes ad hoc, arbitrary and capricious decisions in either rescinding or failing to rescind certification of systems, the basic criteria for such decisions should be specified. In creating a list of criteria, the State Board can use the experience of other states as well as suggestions from citizens that were submitted in the comments to previous drafts of these standards.
B. Failure of a vendor, its officers and its
controlling shareholders to file affidavits as required in Section 6209.4(I)
may result in the rescission of certification.
Notice of such failure shall be in writing and shall specify the reasons
why the approval or certification of the system is being rescinded.
C. At the State Board’s discretion and
depending on the reason for rescission, a notice may also provide for a 30-day
period within which the vendor must correct deficiencies, and shall further
specify the date on which the rescission is to become effective.
Comment
105
a. New York should not repeat the experience of some states in which the same equipment is repeatedly certified and decertified. As noted in comment 103, any change (especially a hastily-made change) to computer products typically leads to a new set of problems.
b. “Discretion” is another term for “ad hoc, arbitrary and capricious.” Using the experience of other states, the State Board should specify criteria allowing 30-day periods for correction of deficiencies.
D. Any vendor or purchaser of such voting
system, and any interested person or organization, may request in writing that
the State Board reconsider its decision to rescind approval or certification of
the voting system.
A parallel provision
should allow a party to request that the State Board reconsider its decision to
certify, or re-certify a voting system.
E. Upon receipt of such request to reconsider,
the State Board shall hold a public hearing for the purpose of reconsidering
the decision to rescind the approval or certification, and shall give published
notice of such hearing at least two weeks in advance, including posting it
prominently on its website and giving notice by mail to public advocacy
organizations which have requested such notification or requested that the
State Board reconsider its decision.
Any interested party shall be given the opportunity to submit testimony
or documentation in support of or in opposition to the Board's decision to
rescind approval or certification.
F. The State Board may affirm or reverse its
decision. Should the State Board affirm
its decision, such vendor may be prevented from submitting a new application
form for a period of two years following the date of the final decision.
Comment
107
a.
The State Board should be required to specify its reasons or reasoning in a
published report posted on its web site within a required time.
b. The word “may” indicates that the State Board is again giving itself discretionary powers, which is improper in a system of law and in the context of elections in which the legitimacy of the government is at stake. The regulations should at least provide guidance in the form of a list of criteria for decision-making.
Section
6209.9 Contracts
A. In addition to complying with all statutory
requirements, all contracts for the purchase of voting systems by county
boards, hereinafter to be designated ‘purchaser’, shall include the following
requirements:
(1) Training
Vendors of voting systems shall provide for
sufficient training of boards of elections personnel in the following:
(a) training prior to delivery of voting systems and
equipment on procedures for unpacking, assembling and acceptance testing of
such equipment;
Comment
108
Staff will also need training in the installation of the software they will receive from the State Board.
(b) training for proper use of such equipment
including maintenance, storage
and
transportation procedures;
(c) the vendor shall provide complete operations
manuals (including operations manuals for any auxiliary features, programming,
hardware, telecommunications systems and central vote tabulating systems) upon
delivery of voting systems equipment to a jurisdiction. Such manuals shall include one copy of
procedures to be followed by inspectors at polling places. The vendor shall permit this copy to be
reproduced and distributed by the county board at its training school for election
inspectors or the vendor shall supply as many copies of the procedures as
required by purchaser for such distribution;
(d) the vendor shall assist in the training of all
elections personnel (including election inspectors) during the first two
elections, to include a general election, in which the system or equipment is
used. Such assistance relating to the
number of people and the hours of assistance shall be identified in the
executed contract.
(e) sufficient training for county board personnel in
the use of the vendor’s voting system’s supporting software, procedures to be
used to accomplish ballot face layout and ballot programming, and all other
features of the software.
(2) Service provisions
(a) The contract shall identify the obligations of
the vendor to promptly rectify any problems identified through testing any or
all of the voting systems equipment delivered to the purchaser.
(b) The vendor shall, without additional cost,
provide to the purchaser a five-year guarantee of parts and service, that such
voting systems equipment shall be kept in good working order and that other
statutory requirements are met.
Shipping costs for any factory repairs or part replacement will be
incurred by the vendor.
Comment
109
a.
It seems reasonable for vendors to warrant "good working order" of
their equipment for five years, but county boards must not abdicate their
responsibility to ensure bipartisan handling and control of voting and
vote-tabulating equipment. Outside technicians should not have access to voting
and vote-tabulating systems unless they are meaningfully, closely supervised by
bipartisan elections staff and/or multipartisan observers.
b. Training in all servicing of the equipment must be required, so that county boards can either perform the required servicing of equipment, or provide effective and meaningful bipartisan supervision or oversight of the vendor's work. (The only measure of training effectiveness is that trained personnel can perform their tasks competently and independently. But as long as the vendor performs the tasks, then BOE personnel will (a) forget what they learned since they won't be using it and (b) won't have an opportunity to test their learning by trying to perform the tasks they were trained for.)
c.
In the absence of a requirement for open source software, this provision and
paragraph (d) below will tie county boards to their vendors and create
opportunities for price gouging after five years if the equipment is still in
use after five years. These regulations should require that all software be
open source for two reasons. First, it enables elections staff to learn their
own equipment and achieve independence in using it, and second, it enables
competitive companies to learn the equipment and bid on service contracts.
d.
Litigation will be required to clarify the meaning of "good working
order." If a voting machine fails during an election, is this evidence
that it was not in good working order? If it fails during two elections?
e.
Voters and candidates have an interest in the good working order of voting and
vote-tabulating equipment, and should have the explicit right in these
regulations to enforce the legal requirement for equipment to be in "good
working order" and seek appropriate remedies if the county board does not
do so within a short period of time following equipment failures during
elections.
(c) The vendor shall provide to the purchaser of said
voting systems equipment a detailed
listing of proper maintenance, storage and transportation procedures to be
carried out by each purchaser.
(d) The vendor and the purchaser shall agree in
writing as to the proper maintenance procedures to be implemented on each piece
of equipment and shall further agree in writing as to the obligations of each
party for servicing and maintenance procedures.
(e) The vendor must correct any problems or defects
in the voting equipment or voting systems within a commercially reasonable time
period. If the time for resolving
problems or defects is insufficient to allow for adequate resolution prior to
use in an election, an alternate machine or unit shall be provided by the
vendor, and such machine or unit shall be subjected to the acceptance testing
requirements of these Regulations.
(f) The vendor shall provide the purchaser with the
criteria necessary for the proper operation of the voting system or equipment
at a polling place.
(3) Polling site survey
(a) The vendor, together with the purchaser, shall
survey the present polling places in a jurisdiction to which its voting system
or equipment has been sold, to determine whether or not such polling places
meet environmental conditions for the proper operation of the voting system or
equipment. This provision shall apply
to those polling places which are in use at the time of the proposed sale.
(b) If any polling places are not compatible, the
vendor shall advise the jurisdiction purchasing the voting system or equipment
on the methods or procedures that the said jurisdiction may use to remedy any
such problem.
(4) Additional Requirements
(a) delivery deadline for a minimum of 10% (ten
percent) of the systems or machines ordered by a county shall be not less than
six months prior to the first election in which said units shall be used. The deadline for the delivery of the balance
of systems or machines ordered shall be not less than three months prior to the
first election in which they are to be used or if the contract is for ten or
less units, the delivery deadline is not less than one month prior to such
election;
Comment
110
Large
counties and New York City will be getting many systems, and would need to
receive more than 10% of them earlier than three months prior to the first
election in which they are to be used in order to perform acceptance testing
and preparation for the election.
(b) acceptance testing requirements;
(c) storage and maintenance responsibilities; and
(d) shipping delivery guidelines and requirements.
(e) a list of system proprietary and non-proprietary
consumables, extended warranties, services, and other such items as may be
considered by county boards for purchase, with the exception of programming, as
county boards are prohibited from contracting with a vendor for programming
services.
Comment
111
The prohibition of contracting with the vendor for programming services is mentioned also in Section 6209.5 E.
B. A vendor entering into a contract shall
affirm that:
(1) the
submitted voting system complies with all applicable rules adopted by the State
Board, and with all applicable 2005 Federal Voting System Guidelines;
Comment
112
In
light of the May 21 Stanislevic article on the gap in the federal guidelines,
this requirement would have to be more specific in order to be meaningful.
www.votetrustusa.org/index.php?option=com_content&task=view&id=1299&Itemid=26
(2) the
vendor will quote and provide a statewide, uniform price for each unit of the
voting system’s equipment;
(3) the
submitted voting system’s software does not contain any code, procedures or
other material (including but not limited to ‘viruses’, ‘worms’, ‘time bombs’,
and ‘drop
dead’
devices that may cause the voting system to cease functioning at a future
time), which may disable, damage, disarm or otherwise affect the proper
operation of the voting system, any hardware, or any computer system or other
property of the State Board or county board, and;
Comment
113
As stated in earlier comments, it is impossible for anyone to know that large software products do not contain malware.
(4) any
submitted voting system provides methods through security seals or device locks
to physically secure against attempts to interfere with correct system
operations. Such physical security
shall guard access to machine panels, doors, switches, slots, ports, peripheral
devices, firmware, and software.
C. The Vendor shall post a bond or letter of
credit to cover any and all expenses, costs, and damages, including but not
limited to all costs of inspecting or testing a voting system that does not
meet the standards contained in these Regulations and all costs incurred in
conducting any new election resulting from any breach of the warranties and
representations required to be made anywhere in these Regulations, or in the
New York State Election Law. Said bond
or letter of credit shall be set by the State Board.
D. For
purposes of the initial purchases of voting machines and systems, pursuant to
the federal Help America Vote Act of 2002, and the state Election Reform and
Modernization Act of 2005, all contracts entered by the State Board or county
boards with vendors, must comply with Office of General Services (OGS)
regulations on Purchasing Procedures and Purchases from Preferred Sources,
found in NYCRR Title 9, Subtitle G, Subchapter A, Part 250, section 250.0
through and including section 250.11.
Section
6209.10 Acceptance Testing
A. County boards, under the supervision of the
State Board, shall conduct a public acceptance test on each unit of any voting
system purchased by such county. Such
acceptance testing shall begin within seventy-two hours of delivery of the
equipment from the vendor to the purchaser and shall be completed prior to the
use of the equipment in any election.
B. Such testing shall be conducted under the
supervision of the State Board in accordance with the testing requirements and
formats provided by the State Board.
This test may consist in part, of the original certification test deck
as utilized by the State Board in the certification of the system.
Comment
114
a. Acceptance testing must include all functionality of the system, not just entering of votes.
b. State Board supervision should be defined.
C. Acceptance
testing for voting systems shall include the comparison of software installed
on the delivered system to certified software, via the use of a Secure Hash
Signature Standard (SHS) validation program, contained in Federal Information
Processing Standards Publication 180-2
issued by the National Institute of Standards and Technology.
Comment 115
How will county election personnel know how to do this?
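The comparison that Section 6209.10 C calls for amounts to hashing every file on the delivered unit with a FIPS 180-2 algorithm and checking the digests against a manifest derived from the escrowed, certified copy. The following is an added illustration of that procedure, not code from the regulations or from any vendor; the file names, contents and the use of SHA-256 are constructed assumptions, and a real manifest would be produced and distributed by the State Board rather than the vendor.

```python
"""Verify that software on a delivered voting system is identical to the
certified (escrowed) copy, using SHA-256 from the FIPS 180-2 Secure Hash
Standard.  Added example; all file names and contents are constructed."""
import hashlib
from dataclasses import dataclass, field

# FIPS 180-2 defines SHA-1, SHA-256, SHA-384 and SHA-512; SHA-256 is used here.
SHS_ALGORITHM = "sha256"


def digest(data: bytes, algorithm: str = SHS_ALGORITHM) -> str:
    """Return the lowercase hex digest of data under the chosen SHS algorithm."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Map each path in the escrowed (certified) image to its digest.

    This manifest is the reference the county board receives from the State
    Board; it must never come from the same party that delivers the machines."""
    return {path: digest(content) for path, content in sorted(files.items())}


@dataclass
class VerificationResult:
    mismatched: list[str] = field(default_factory=list)  # present, wrong digest
    missing: list[str] = field(default_factory=list)     # certified but absent
    unexpected: list[str] = field(default_factory=list)  # present, not certified

    @property
    def identical(self) -> bool:
        """True only when every certified file is present, unchanged, and
        nothing outside the certified image exists on the delivered unit."""
        return not (self.mismatched or self.missing or self.unexpected)


def verify_delivered(manifest: dict[str, str],
                     delivered: dict[str, bytes]) -> VerificationResult:
    """Compare a delivered unit's files against the certified manifest.

    A unit passes only if the three lists are all empty; an extra file is a
    finding too, because the certified system is the whole image, not a subset."""
    result = VerificationResult()
    for path, expected in manifest.items():
        if path not in delivered:
            result.missing.append(path)
        elif digest(delivered[path]) != expected:
            result.mismatched.append(path)
    for path in delivered:
        if path not in manifest:
            result.unexpected.append(path)
    return result


# Constructed sample data: the escrowed image and one delivered unit.
ESCROWED = {
    "firmware/boot.bin": b"certified bootloader image",
    "app/tabulate.exe": b"certified tabulation program v1.0",
    "config/ballot_layout.xml": b"<ballot/>",
}
DELIVERED = {
    "firmware/boot.bin": b"certified bootloader image",
    "app/tabulate.exe": b"certified tabulation program v1.0-patched",  # altered
    "extra/uncertified_component.bin": b"not part of the escrowed image",
}


def run_example() -> VerificationResult:
    """Verify the constructed delivered unit against the constructed escrow."""
    return verify_delivered(build_manifest(ESCROWED), DELIVERED)


if __name__ == "__main__":
    r = run_example()
    print("identical to certified system:", r.identical)
    for label, paths in (("mismatched", r.mismatched),
                         ("missing", r.missing),
                         ("unexpected", r.unexpected)):
        for p in paths:
            print(f"  {label}: {p}")
```

On the constructed data the unit fails: one altered file, one certified file absent, and one file that is not in escrow at all.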
D. Acceptance
testing for non-PC-based voting systems shall include testing to be
prescribed by the State Board at the
time of system selection, pursuant to 6209.5(i) of
these Regulations, to verify that the voting system
delivered to the county board is identical to the system certified by the State
Board.
E. The
results of acceptance testing shall be both documented and attested to by the
county board and the State Board, and the documentation placed in the
maintenance log for the system, and on file with the State Board.
F. If the acceptance test reveals any impropriety or fault in the ballot counting system’s equipment, the vendor must make corrections to such improper or faulty equipment within 15 days from the date of such acceptance testing.
Comment 116
Why is this requirement limited to counting systems?
G. The State
Board, upon its review of the acceptance testing of such system’s equipment may, at its discretion, rescind
certification of said equipment in the State of New York in accordance with the
provisions of Section 6209.8 of these regulations.
Section 6209.11 Temporary
Provision
Notwithstanding any other regulation, no voting
machine certified after May 1, 2006 may be used in any election until the State
Board adopts regulations for routine maintenance and testing, voting system
operations procedures, and central count procedures.