Last week we started a series of posts highlighting our high-level comments on the the Election Assistance Commission’s Voluntary Voting System Guidelines (VVSG). Our first post focused on the important new concept — Software Independence. Today’s post focuses on a related new concept — the Innovation Class.
To be considered in conformance with the new requirements in the VVSG, systems would have to be software independent. Currently the only know pathway to demonstrate software independence is through the use of a related concept in the standards — Independent Voter-Verified Records, which currently are paper-based in nature. These records allow an independent check to the underlying system, and we outline a hypothetical example in Appendix B (page 37) of our comments for determining software independence compliance.
In drafting the VVSG, the Technical Guidelines Development Committee (which wrote the current draft) wanted to ensure that the standards fostered innovation in voting systems. To address concerns that the proposed standards were too restrictive and would squelch innovation, the committee proposed a new “Innovation Class”:
“Requiring SI voting systems in VVSG 2007 effectively leaves only voter-verified paper-based approaches for now. It is important, though, that new and innovative approaches to voting systems be pursued, especially with regard to secure paperless approaches. But, secure paperless and other approaches are not likely to be pursued by vendors if testable requirements and a certification path for them are not included in VVSG 2007.
STS recommends that a process to encourage the creation and certification of innovative SI approaches (both paper-based and paperless) be put in place. Possibly by stating the high level objectives of these systems in conjunction with other incentives, this may encourage work on innovative systems and developments of prototypes.”
This interesting new proposal, at least initially, seems aimed at allowing for certification of cryptographic-based e-voting systems. But, by sticking to high-level objectives in the current draft, it has left many confused about how the innovation class would work. USACM supported the concept and made the following comments related to clarifying it, ensuring conformance with software independence, and the need for outside review:
“USACM supports the concept of the innovation class. However, we note that there has been a substantial amount of confusion about the scope of the innovation class, and the application and process associated with being certified under the innovation class. There is some question as to whether software dependent machines could be certified under the innovation class and whether the class could be applied to other voting devices not strictly related to achieving software independence. We recommend that the VVSG maintain a consistent strategy of only sanctioning voting systems in which a software fault cannot cause an undetectable error in election results, whether the system is evaluated under the well-defined software standard or the more progressive innovation standard. Put another way, innovation class systems should adhere to the software independence requirement.
Regarding whether the class applies to a broader array of voting devices, our understanding is that the innovation class would only be focused on specific devices meant to achieve software independence. If it is the TGDCs and the EACs contention that the innovation class is broader than that, it should clarify the application of the innovation class and detail the process involved in being certified under it.
We also are concerned that the current testing process for the innovation class is vague. Without a more definitive testing procedure this process runs the risk of being an end-run around the standards. We recommend that the VVSG include a specific test or several kinds of tests to demonstrate that the innovation class submission can produce secure, accessible, reliable, and verifiable election results equal to or better than voting systems that can be tested to the VVSG without the innovation class. In addition to describing these tests, there must also be some description of the experts and process involved in judging two things: whether the device or system in question must apply for certification through the innovation class, and whether that device or system should be certified. To simply refer to a review panel process is insufficient.”