Update: The TDGC rejected NIST’s and the security subcommittee’s recommendations for software independent systems on a 6-6 tie vote. We’ve got a story about the meeting posted here.
Update 2: The TDGC reversed course and adopted a compromise resolution that embraces the software independence concept. David posted a story about it here.
Last Thursday we posted a story that the National Institute of Standards and Technology (NIST) released a paper recommending that federal standards allow certification only for “software independent” e-voting systems (i.e. ones that create a paper trail). A key technical panel will consider and vote upon the recommendations this Monday or Tuesday. Calling these recommendations an important step forward for improving e-voting machine security, USACM issued a letter urging the panel to adopt the recommendations. These events are significant developments in the ongoing debate over e-voting and warrant a closer look.
Some background might be useful to start. The Help America Vote Act created the Technical Guidelines Development Committee (TDGC), staffed by NIST and chaired by its Director, to write technical voting system standards. They are currently working on creating the 2007 standards, which would go into effect in 2009 or 2010. The TDGC’s draft standards are sent to another federal agency, the Election Assistance Commission (EAC), which has the power to modify, reject and/or adopt the standards as final. (There are a couple of other steps, but this is the streamlined explanation.) While voluntary, the standards are used as the basis for certifying or decertifying voting systems. Many states have also mandated vendors follow them.
NIST and a security subcommittee of the TDGC made four recommendations in their paper:
- Require “software independent” systems as part of the 2007 standards
- Improve the accessibility and usability of paper-based voting systems
- Include high-level standards for software independence in all electronic systems (e.g. cryptography). But the paper argues that it is not yet possible to develop testing requirements for these systems.
- Conduct further research and development into software independent and possibly non-software independent systems with a focus on usability
As you can tell, the key concept in NIST’s recommendations is “software independence.” Here is their definition:
“A voting system is software-independent if a previously undetected change or error in its software cannot cause an undetectable change or error in an election outcome. In other words, it can be positively determined whether the voting system’s (typically, electronic) CVRs [Cast Vote Record] are accurate as cast by the voter or in error. In SI voting systems that are readily available today, the determination can be made via the use of independent audits of the electronic counts or CVRs, and independent voter-verified paper records used as the audit trail.”
This is a long way of saying that the machine should allow a voter to verify his or her vote completely independently of the underlying voting system. NIST’s paper goes on to note that currently only three systems are independent — optical scan, direct recording electronic (DRE) machines with voter-verified paper trails, and ballot marking systems.
This development is important for two reasons. First, security and paper-audit trails were never as seriously discussed in any of the previous federal standards as they are in this paper. In fact, many have argued that the current testing requirements are woefully inadequate. These recommendations will force the TDGC to consider whether or not to make paper-audit systems the only systems that meet federal security testing standards and are therefore eligible for certification. States will want to tell voters that they are voting on certified voting systems.
Second, NIST is an independent federal agency widely respected for its technical knowledge. Having NIST adopt this stand is akin to the Good Housekeeping Seal of Approval. Its stand is clear and unequivocal:
“One conclusion drawn by NIST is that the lack of an independent audit capability in DRE voting systems is one of the main reasons behind continued questions about voting system security and diminished public confidence in elections. NIST does not know how to write testable requirements to make DREs secure, and NIST’s recommendation to the STS [Security and Transparency Subcommittee] is that the DRE in practical terms cannot be made secure.”
It is rare to see such plain and determinative language from a government agency; it tells us a lot about how strongly they feel. They are also sensitive to the questions elections officials have to continually face about the poor security record of DREs. The computing community has made these points for years when discussing the security of paperless DREs. The discussion is welcomed, particularly from such a thoughtful and respected source.
The paper’s balanced discussion is also noteworthy. It raises software independence as critical for ensuring security, but it also makes recommendations about the usability and accessibility problems of current implementations of voter-verified paper audit trail systems. It also stresses something that USACM supports, that continued research and development in this field is critical. One of the criticisms of mandating paper-based systems is that it stops innovation in e-voting systems. NIST is recommending an interesting new “innovation class” of e-voting machines, which could meet federal certification if they meet stringent and transparent testing requirements.
So what happens next? We understand that the paper and the recommendations will be presented to the TDGC tomorrow morning. Dr. Ron Rivest (one of the committee’s members) will then introduce a resolution, which would be voted upon, that would make the recommendations part of the TDGC’s package of standards it sends to the EAC for final approval. (The final package of recommendations probably won’t be sent to the EAC until sometime in 2007. The TDGC has other issues to deal with in the standards.)
In a show of support for NIST’s recommendations, USACM sent a letter to the TDGC urging their wholesale adoption:
“While a strategy of continually addressing security vulnerabilities may work for desktop computers at home, it cannot be adopted for e-voting machines. The integrity of our elections depends on these systems accurately collecting and counting votes. Clearly we must continue to make e-voting systems more secure, but given the shortfalls of security testing, it is our long-standing belief that voting systems should also enable each voter to inspect a physical (e.g., paper) record to verify that his or her vote has been accurately cast and to serve as an independent check on the result produced and stored by the system …
The recommendations of the STS represent an important step toward federal voting system standards that are more secure, usable and reliable. We urge the TDGC to adopt these recommendations.”
David will be at the TDGC meetings on Monday and Tuesday. The meetings are going to be broadcast, but look for his updates on this blog!