EAC-requested VVSG Research Overview and Status June 2008 Mark Skall Chief, Software Diagnostics and Conformance Testing Division National Institute of Standards and Technology 1
6/17/2008 Page 2 Contents Overview of EAC-requested research tasks NIST approach Status of each task Summary
Additional research EAC requested that NIST conduct VVSG- related research Six items in response to Standards Board/Board of Advisors resolutions from Dec 2007 meetings Final results to EAC Sep
Overview of six items 1. Alternatives to software independence 2. Developing standards for ballot on demand systems 3. Impact of the VVSG on vote by phone systems 4. Ramifications of separately testing and certifying components plus requirements for interoperability 5. Impact of the VVSG on early voting or vote centers 6. Developing alternatives to goal level requirements in the VVSG 4
The NIST role EAC, not NIST, makes decisions wrt VVSG requirements NIST goal is to provide useful data for EAC decision making Provide complete set of options Include any ramifications to other EAC activities, e.g., certification, testing Think outside the box and be creative NIST research will contain options as appropriate, each with pros and cons 5
Task 1: Alternatives to Software Independence Should retain focus on security, verifiability, and auditability in the VVSG Research should be conducted on what changes need to be made to the VVSG to accommodate each alternative 6
Current analysis To retain focus on security, alternatives to SI have significant ramifications: Increased design and development costs Likely need for greater testing Modifications to the VVSG will require several years to develop: Will require significant research Will require standardization efforts Need for funding or possible development incentives Could be major ramifications to other areas of the VVSG that will need further study, e.g., usability, accessibility 7
Approaches under consideration Along with IVVR, conforming alternatives could include End-to-End (E2E) cryptographic protocols Independent Verification (IV) – also known as IDV Secure Audit Port Remove SI restriction from Innovation Class 8
Page 9 Overall strategy SI - Auditability Innovation Class IVVR Auditability SI IVVR Independent Verification (IV) Secure Audit Port End-to-End (E2E) Innovation Class Current draft next VVSG: With inclusion of alternatives:
Page 10 Overall strategy Make auditability, not SI, an overarching requirement Moves focus to the trustworthiness of audit records Allows some reliance on software based on trust in audit records SI restriction on innovation class could be removed How is auditability achieved? Software independent approaches: IVVR requirements End-to-End protocols (E2E) Independent Verification (IV) Secure Audit Port
Page 11 E2E cryptographic protocols What is an End-to-End (E2E) protocol (i.e., approach)? Allows voters to Verify their votes are cast as intended Verify the election tally Confidence in voting system and accuracy as a result of the cryptographic protocol Election records are all electronic and encrypted for integrity
E2E cryptographic protocols President Governor Receipt Voting Stage Voters Encrypted Ballot
E2E cryptographic protocols Receipt Verification Stage Voters Election Officials
Pros: Generally considered to be software independent Correct tally is verifiable by public Electronic audit records Cons: Emerging technology Usability/Accessibility issues to be addressed Long-term effort (research, standardization, implementation) No commercially available implementations E2E cryptographic protocols
Page 15 Independent Verification What is Independent Verification? Two or more devices record cast ballots Voter verifies that records match Also known as IDV (Independent Dual Verification), is described as informative text in VVSG 2005
Page 16 Independent Verification Voting Device Witness Device President Governor President Governor
Independent Verification Pros: Electronic audit records Redundant independent cast vote records Usability/Accessibility potentially easier to address than with IVVR Possibly an add-on technology to current voting systems Cons: Software dependent Long-term effort (research, standardization, implementation) Limited commercial availability Certification and interoperability issues Issues with same vendor building both devices
Page 18 Secure Audit Port What is a Secure Audit Port? Similar to Independent Verification One-way communication May not be direct voter verification Records voter and machine actions to construct voter choices
Page 19 Secure Audit Port Audit Device Voting Device President Governor
Secure Audit Port Pros: Electronic audit records Allows for audit device innovation Allows choice of audit devices Similar to existing commercially available architectures Cons: Software dependent Certification and interoperability issues Requirements alone may not be sufficient to ensure correct results No audit device specifications in VVSG Medium-term effort (standardization)
Task 2: Ballot on demand BOD: device that can print ballots on demand for use in elections Reduces need to pre-print and transport ballots to polling place NIST to research the feasibility of including BOD requirements in the VVSG Do election official needs require further research before requirements can be written? 21
Current analysis BOD not a mature product yet Earlier NIST research with EAC boards identified diversity of opinions on what BOD should encompass A backup EMS application for emergencies A dedicated application possibly integrated with an epollbook Somehow integrated with a DRE 22
Feasible, but NIST would need to conduct more research to focus on specifics VVSG impacts BOD in various ways Core: reliability, accuracy, misfeeds Security: ballot accounting, voter privacy, forgery- proof paper Human factors: usability for voters and poll workers, suitability for audit, accessibility Current analysis (cont) 23
Task 3: Vote by phone systems VBP: voters use telephones and guided prompts to place votes, electronic and paper ballots printed out at remote office Does the VVSG, as written, prohibit VBP? 24
Analysis Is feasible to permit VBP, but Will require some reworking of VVSG device class structure Will require strong cryptography and other communications security Would need to research usability of guided prompts for voters If used as an accessible voting station, it may not meet interpretation of HAVA regarding accessibility 25
Task 4: Separately certifying components & interoperability 26 Develop a feasibility study of the ramifications of the EAC separately testing and certifying components Research requirements for interoperability between systems and system components NIST to research whether a specific standard for format of electronic election data can be required *These are all interrelated.
Testing & Certify Components Change in philosophy, and potentially affects: VVSG (e.g., classes, requirements, etc) EAC procedures Test Lab processes, tests, reporting Issues to consider, include: Which components? (e.g., all?, only those that plug & play?) Need new requirements for integrating components into the voting system Define voting system architecture, interfaces, protocols, data formats, etc. Potentially restrictive to manufacturers, require hardware design changes How do you ensure an integrated system works correctly and conforms to the VVSG? Can’t test all aspects of voting system unless all components are configured Need new test methods to test for interoperability Still need to test the voting system as a whole, i.e., “The system is more than the sum of its parts.”
Interoperability 28 Need to define what would be interoperable? Devices? (e.g., vote capture, tabulator) Data? (e.g., Ballot configurations, election results) VVSG conformance testing does not address interoperability: Conformance to a standard is necessary, but not sufficient, implementations may still differ A separate interoperability testing program would need to be contemplated Interoperability testing is between 2+ items Can be expensive and time consuming
Standardized Data Format 29 Current VVSG requirement = use standardized format Allows manufacturer to determine format Translators can make data exchangeable Selecting a specific standardized data format Must support all voting variations Should be vetted by U.S. voting system manufacturers Should be simple and unambiguous to implement Should first demonstrate that it can enable interoperability (i.e., achieve the objective for a standardized format) Format standard must be explicit with respect to data structures, data definitions, allowable data values, etc.
Current Standardized Data Formats 30 Standardization efforts: IEEE’s data format standard (project 1622) on hold Hart’s EDX is proprietary OASIS EML is an international standard, not originally built with US elections in mind EML = dialect of XML + many schemas that define different aspects of election (e.g., ballot, cast vote, count) Can’t use EML as is Just specifying EML is not enough – need to specify specific schemas Gaps - not all voting variations handled Potential for defining non-conforming EML schemas to handle U.S. requirements Limited implementation and experience using it Prior to selecting EML Need additional research to ensure it meets needs of election officials Need to identify, refine, tailor, and build schemas for U.S. use – not trivial Need to develop data model with all voting processes and variations Need input and consensus from election officials, vendors
Task 5: Early voting & vote centers Addresses questions as to whether VVSG prohibits or impacts use of voting equipment in early voting or vote centers Especially of concern with regard to use of epollbooks 31
No impacts seen, CRT requirements accommodate early voting and vote centers VVPAT requirements anticipated multi-precinct use of equipment Electronic poll book requirements permit network connections to central voter registration databases Caveat: cannot network poll books to vote capture devices and databases at same time Current analysis 32
Task 6: Goal level requirements Identifying goal level requirements Requirements that can identify goals but are untestable Requirements that could be tested but testing will be subjective and non- repeatable 33
Page 34 Why Goal Requirements? Some requirements express a goal to be met by the vendor Is kind of a performance requirement, but without clear performance measures Often done to avoid constraining design requirements
Obvious examples Systems SHALL maximize integratability with other systems and/or devices of other systems. Goal is for interoperability, but is untestable The procedures for system setup, polling, and shutdown, as documented by the manufacturer, SHALL be reasonably easy for the typical poll worker to learn, understand, and perform. Testing will be subjective It will be non-repeatable VVSG has roughly goal level requirements 35
Could be deleted or included as informative text or as “should” requirements Additional research could be conducted to make the requirements more specific Trade-offs exist as to amount of research Expert judgment may suffice in some cases Current analysis 36
Summary 37 Snapshot of current analysis was presented Research is very preliminary NIST vetting is not complete Analysis could change by September Final document due in September