Standards in Elections: NIST and the Help America Vote Act
Lynne S. Rosenthal
National Institute of Standards and Technology

Did your vote count?
- 2000: Florida hanging chads
- 2004: North Carolina, thousands of votes missing
- Lost: 4,500 votes (computer software not updated)
- Omitted: an entire precinct of 1,209 votes
- Bamboozled: totals off by 22,000 votes due to insufficient vote storage
- 2008 primary: programming error prevents use for 7 hours
- 2008 primary: failure to transmit results to central tabulators

Today’s presentation
- Background
- 2002 Help America Vote Act (HAVA)
- NIST and HAVA
- What makes a ‘good standard’?
- What was wrong with the old standard?
- Voluntary Voting System Guidelines (VVSG)
  - Conformance section
  - Requirement structure
  - Requirements
- VVSG status

Background
- The 2000 election generated concerns over voting system integrity, usability, and security
- The Voting System Standard (VSS) lacked:
  - Precision and clarity of requirements
  - Requirements for newer technologies
  - Logical organization of requirements
- The 2002 Help America Vote Act (HAVA) was passed to address these concerns:
  - Reform the voting process
  - Improve voting systems and voter access

NIST and HAVA
- National Institute of Standards and Technology
  - Non-regulatory, part of the U.S. Dept. of Commerce
  - Promotes U.S. innovation and industrial competitiveness through measurement science, standards, and technology
- HAVA gives NIST a key role:
  - Provide technical support for development of the Voluntary Voting System Guidelines (VVSG)
  - Chair the VVSG development committee
  - Recommend test labs to the Election Assistance Commission (EAC)

Voting systems
- E-voting machines: touch screen, optical scan systems
- Must be highly accurate and reliable
- Challenging to support the needs of 50 different states, D.C. and territories

What is a Standard?
- Voluntary: use is not mandated by law or regulation
  - If you decide to use it (claim conformance), then you need to conform to it (adhere to its requirements)
- Standard: established by consensus or authority; prescribes technical requirements to be fulfilled by a product, process or service
- Requirement: criteria, characteristic, behavior, or functionality that a system must do or have
- In voting: standard = guideline (VVSG)

Old Voting Standard Requirements
- Memory hardware, such as semiconductor devices and magnetic storage media, must be accurate.
- The design of equipment in all voting systems shall provide for the highest possible levels of protection against mechanical, thermal, and electromagnetic stresses that impact system accuracy.
What is wrong with these requirements:
- Bad: uses both ‘must’ and ‘shall’
- Bad: how is ‘accurate’ measured?
- Bad: what are the ‘highest levels’?

Old Voting Standard Requirements
- To ensure security, all systems shall provide security access controls that limit or detect access to critical system components.
  - Good: access controls are to be provided
  - Bad: how strong? A 2-digit PIN would conform
- In all systems, controls used by the voter or equipment operator shall be conveniently located.
  - Bad: what is ‘convenient’?

What was wrong with the old standard?
- Outdated or lacking requirements for newer voting activities and technologies
  - Activation cards, e-pollbooks, accessible devices, electronic ballot markers
  - Early voting, vote centers, provisional voting
- Inadequate security requirements: basically stated "Thou shalt be secure"
- No usability requirements
- Inadequate accessibility requirements
- Inadequate reliability and accuracy requirements (why MTBF = 163?)
- No conformance clause: lacks a high-level description of what is required to claim conformance

Goal: Build a new voting standard
- One that gets used, used correctly, and implemented in a consistent manner
- One that defines:
  - What/who needs to implement the standard
  - What needs to be implemented (shall, should, may)
  - Testable requirements
- One that is modular with minimal redundancy
- One that is adaptable as things change
- One that is technology- and design-independent

Voting Standard (VVSG) Improvements
- Total reorganization into 3 parts: Equipment Requirements, Document Requirements, Testing Requirements
- New conformance section: defines what it means for a voting system to conform
- Clear, precise, testable requirements
  - Refine and clarify requirements from previous voting standards
  - Remove old, obsolete requirements (e.g., coding conventions)
- New core, security, accessibility, and usability requirements
- New measurement requirements: performance benchmarks, accuracy/error rates, reliability
- New requirements for technological advances: activation cards, e-pollbooks, electronic ballot markers, accessible devices
- New requirements to support all voting activities: early voting, vote centers, provisional voting

Requirement Types
- Functional: specifies that the object is capable of performing a certain action
  - Example: The voting system SHALL allow the voter to cast a straight party line vote.
- Performance: specifies not only that the object is capable of performing a certain action, but also sets a benchmark for how well it performs
  - Example: The voting system SHALL provide visual feedback within 1 second when the voter makes or changes a choice within a contest.
- Design: specifies something about the static structure of the object
  - Example: Any control buttons on a voting system SHALL be at least 1 inch apart.

VVSG: Conformance Section
- Audience = manufacturers and testing labs
- Defines what is normative vs. informative
- Defines normative verbs: SHALL, SHOULD, MAY
- Conformance is 100%; there is no partial conformance
- Classes of voting systems: categorize requirements by functionality as they apply to voting systems and devices
- Implementation statement by manufacturer: indicates which requirements have been implemented (via classes)

VVSG: Conformance Classes
- Grouped various ways:
  - Equipment type: vote capture device, tabulator, DRE, op-scan
  - Generalizations: vote-capture device, tabulator, paper-based device
  - Voting variation: straight-party, N of M
- Diagram (class hierarchy of devices): voting device, electronic device, programmed device, tabulator, DRE, optical scanner, manual mark, electronic mark, precinct count, central count, central tabulator

VVSG: Requirement Structure
Each requirement follows a fixed template; the normative parts indicate a requirement, the Discussion is informative:
- Id: numbered according to the section of the VVSG
- Requirement Title: shorthand description
- Requirement: the requirement text (normative)
- Applies to: indicates the voting system or device class
- Test Reference: type of testing required; cites the VVSG Part 3 testing requirement
- Discussion: informative supporting information
- Source: origin of the requirement

VVSG Requirement

Voting Standards: old vs. new
Old: Software Standards: Control Constructs
- Operator intervention or logic that evaluates received or stored data shall not re-direct program control within a program routine. Program control may be re-directed within a routine by calling subroutines, procedures, and functions, and by interrupt service routines and exception handlers.
New: Core Requirements: Workmanship: Structured Programming
- Separation of code and data: Application logic SHALL NOT compile or interpret configuration data or other input data as a programming language.
- Extracted from the Description: The requirement in [VVS2002] read "Operator intervention or logic..." That attempt to define what it means to compile or interpret data as a programming language caused confusion. Distinguishing what is a programming language from what is not requires some professional judgment… The reasons for this requirement are (1) mingling code and data is bad design, and (2) embedding logic within configuration data is an evasion of the conformity assessment process for application logic.

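The separation-of-code-and-data requirement above, shown as an added example (not VVSG text or NIST code): a ballot-definition loader in which every contest rule is plain data interpreted by a fixed table of rule types, so a definition that tries to carry logic (a rule of type "expr" with code in it) is rejected instead of evaluated. The JSON format, contest names and the "n_of_m" rule type are constructed for illustration.

```python
import json

# Constructed ballot definition (not a real VVSG format): each rule is data that
# selects parameters; it can never contribute executable logic.
BALLOT_JSON = """
{"contests": [
  {"id": "governor", "rule": {"type": "n_of_m", "n": 1}, "choices": ["A", "B", "C"]},
  {"id": "council",  "rule": {"type": "n_of_m", "n": 2}, "choices": ["D", "E", "F", "G"]}
]}
"""

# The only rule types the application logic knows how to apply.
ALLOWED_RULE_TYPES = {"n_of_m"}


def load_ballot(text):
    """Parse a ballot definition and reject anything that is not a known data shape.

    An entry such as {"type": "expr", "code": "..."} is refused rather than
    interpreted, so all behaviour stays inside code the test lab assesses.
    """
    ballot = json.loads(text)
    for contest in ballot["contests"]:
        rule = contest["rule"]
        if rule.get("type") not in ALLOWED_RULE_TYPES:
            raise ValueError(f"unknown rule type {rule.get('type')!r} in contest {contest['id']}")
        n = rule.get("n")
        if not isinstance(n, int) or not 1 <= n <= len(contest["choices"]):
            raise ValueError(f"invalid n for contest {contest['id']}")
    return ballot


def is_acceptable_ballot(text):
    """True if the definition loads cleanly, False if the loader rejected it."""
    try:
        load_ballot(text)
        return True
    except (ValueError, KeyError, TypeError):
        return False


def selection_is_valid(contest, selections):
    """Apply the contest's rule to a voter's selections (vote-capture side)."""
    rule = contest["rule"]
    if rule["type"] == "n_of_m":  # vote for up to n of the m listed choices
        unknown = set(selections) - set(contest["choices"])
        return not unknown and len(set(selections)) <= rule["n"]
    raise ValueError("rule types were validated at load time")
```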
Voting Standards: old vs. new
Old: To ensure security, all systems shall provide security access controls that limit or detect access to critical system components.
New: Access Control section with 9 general requirements, 5 identification requirements, 12 authentication requirements, and 6 authorization requirements.
Extracted from the General Security Requirements: Access Control
- The voting device SHALL provide access control mechanisms designed to permit authorized access to the voting system and to prevent unauthorized access to the voting system. If possible within the voting system architecture:
  a. The voting device SHALL provide controls that permit or deny access to the device’s software and files.
  b. The vote-capture device’s access control mechanisms SHALL distinguish at least the following voting states: pre-voting, activated, suspended, and post-voting.
  c. The vote-capture device SHALL allow the administrator group or role to create additional voting states.
  d. The vote-capture device SHALL allow the administrator group or role to configure different access control policies available in each voting state.
  e. The voting device’s default access control permissions SHALL implement the minimum permissions needed for each role or group.
  f. The voting device SHALL prevent a lower-privilege process from modifying a higher-privilege process.

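Requirements b through e above, as an added example (not NIST or VVSG code): a per-state access control model for a vote-capture device with default-deny permissions, the four required voting states, and administrator-only creation of states and configuration of policies. The roles, operation names and default policy are constructed for illustration.

```python
# Constructed roles, operations and default policy (illustrative, not VVSG text).
DEFAULT_STATES = ("pre-voting", "activated", "suspended", "post-voting")

# Requirement (e): the default grants each role only what it needs in each
# state. Any (state, role, operation) combination not listed here is denied.
DEFAULT_POLICY = {
    "pre-voting":  {"administrator": {"load_election"}, "poll_worker": {"activate_ballot"}},
    "activated":   {"voter": {"mark_ballot", "cast_ballot"}, "poll_worker": {"suspend_session"}},
    "suspended":   {"poll_worker": {"resume_session", "cancel_session"}},
    "post-voting": {"administrator": {"close_polls", "export_results"}},
}


class AccessControl:
    """Per-state access control for a vote-capture device (requirements b-e)."""

    def __init__(self):
        self.states = set(DEFAULT_STATES)
        self.policy = {s: {r: set(o) for r, o in p.items()} for s, p in DEFAULT_POLICY.items()}

    def permitted(self, role, state, operation):
        """Default deny: an unknown state, role or operation is simply refused."""
        return operation in self.policy.get(state, {}).get(role, set())

    def _require_admin(self, actor_role, what):
        if actor_role != "administrator":
            raise PermissionError(f"only the administrator role may {what}")

    def add_state(self, actor_role, name):
        """Requirement (c): only administrators create voting states; a new
        state starts with an empty policy, so nothing is permitted in it yet."""
        self._require_admin(actor_role, "create voting states")
        if name in self.states:
            raise ValueError(f"voting state {name!r} already exists")
        self.states.add(name)
        self.policy[name] = {}

    def set_policy(self, actor_role, state, role, operations):
        """Requirement (d): administrators configure the policy for each state."""
        self._require_admin(actor_role, "configure access control policies")
        if state not in self.states:
            raise ValueError(f"unknown voting state {state!r}")
        self.policy[state][role] = set(operations)
```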
Current Status
- VVSG undergoing public review and revisions
- VVSG companion document and tutorials
- Test materials being developed
Contact: Lynne S. Rosenthal, NIST

NIST Voting Site
- Overview of the NIST voting project
- VVSG versions, presentations, white paper
- VVSG tutorials and overview information
- Test materials and information