Voting Project Briefing for William Jeffrey Director, NIST September 26, 2005 National Institute of Standards and Technology

page 2 Briefing Outline History of Voting Standards HAVA TGDC VVSG Implementation Strategy NIST/TGDC Activities Who’s Who VVSG Version 1 Description VVSG Version 2 Work to Date Lab Accreditation Funding Outreach Issues

page 3 History of Voting Standards 1975 NBS/NIST issues report critical of electronic vote tallying 1984 Congress funds FEC to develop national standards 1990 FEC issues Standards NASED to oversee testing 1999 Congress funds FEC to update Standards 2002 FEC issues new Standards – 2002 VSS 2002 HAVA enacted

page 4 Help America Vote Act (HAVA) Provides for the creation of the Technical Development Guidelines Committee (TGDC) Mandates that the TGDC provide its first set of recommendations to the EAC not later than 9 months after all of its members have been appointed. Assigns specific responsibilities to NIST

page 5 NIST Responsibilities Under HAVA NIST Director Chairs the TGDC Provides technical support (R&D) to the TGDC including Security of computers Methods to detect and prevent fraud Protection of Voter Privacy Human factors, including assistive technologies for individuals with disabilities Remote access voting Laboratory Accreditation NIST submits, to the EAC, a list of proposed laboratories to be accredited no later than 6 months after adoption of standard Human Factors Report

page 6 Composition of TGDC 15 Members including the Chairman An equal number of members from Standards Board Board of Advisors Architectural and Transportation Barrier Compliance Board (Access Board) ANSI representative IEEE representative 2 representatives of NASED Others with technical and scientific expertise

page 7 TGDC Members Chair: William Jeffrey Director of the National Institute of Standards and Technology (NIST) Representing Standards Board: John Gale Nebraska Secretary of State Alice Miller Director of Elections-District of Columbia Representing Board of Advisors: Sharon Turner Buie Director of Elections-Kansas City Helen Purcell Maricopa County Recorder

page 8 TGDC Members (Continued) Representing Access Board: James Elekes Dr. James (“J.R.”) R. Harding Representing ANSI: David Karmol Vice President, Policy and Government Affairs Representing IEEE: H. Stephen Berger TEM Consulting, LP- Chair, IEEE SEC 38 (Voting Syst. Stds.) Representing National Association of State Election Directors (NASED): Dr. Brittain Williams Retired professor- Kennesaw State Tucker, GA Paul Craft Florida Department of State, Voting Systems

page 9 TGDC Members (Continued) Other: Patrick Gannon President and CEO, OASIS Whitney Quesenbery President-Usability Professionals' Association Dr. Ronald Rivest Professor, MIT-Department of Electrical Engineering and Computer Science Dr. Daniel Schutzer Vice President & Director of External Standards and Advanced Technology, e-Citi, CitiGroup

page 10 TGDC Method of Operation Plenary Sessions Formal meetings held periodically to develop resolutions, review work products, discuss, and vote Public invited to attend and provided access via webcast, transcripts published Subcommittees Comprised of TGCG members and supported by NIST staff Gather and analyze information in support of development of voting system guidelines Conduct bi-weekly teleconferences with occasional face-to-face meetings Public provided access via Internet, transcripts provided NIST Staff Provide technical expertise and research Develop work products as directed by TGDC resolutions, with guidance from subcommittee Work products are submitted to the entire TGDC for approval

page 11 Voluntary Voting System Guidelines (VVSG) Implementation Strategy Develop best long-term voting systems guidelines possible Build on strengths of 2002 VSS Significantly enhance areas needing improvement Redesign and reorganize for clarity and testability Provide guidance to states in time for 2006 election cycle Implied need to minimize changes to 2002 VSS while filling in 2002 VSS gaps Implied need to require only what is possible by 2006 Thus, two guidelines developed: VVSG Version 1 – augmented 2002 VSS for 2006 VVSG Version 2 – new, redesigned guideline

page 12 NIST/TGDC Activities - 1 Dec 2003 – NIST Symposium Building Trust and Confidence in Voting Systems July 2004: 1 st TGDC meeting Organizational, divided into 3 subcommittees: Human factors and privacy Core requirements and testing Security and transparency Sep 2004: information gathering meeting for the TGDC Heard public input from voting officials, vendors

page 13 NIST/TGDC Activities - 2 January 2005: VVSG direction Discussed, adopted 35 resolutions affecting development of VVSG Version 1 and VVSG Version 2 EAC requests NIST develop VVPAT requirements NIST subsequently prioritized resolutions March 2005: VVSG Version 1 preliminary drafts Commented on presentations, materials from NIST staff EAC requests additional security material for VVSG Version 1 April 2005: final draft and VVSG Version 1 adoption Commented on final materials from NIST staff NIST directed to make final edits and deliver to EAC May 9, 2005: VVSG Version 1 delivered to EAC EAC version released June 29, 2005 Public review ends Sept. 30, 2005

page 14 Who’s Who EAC Standards Board Advisory BoardTGDC EAC Executive Director EAC Commissioners: Gracia Hillman, chair Paul DeGregorio, vice-chair Ray Martinez Donetta Davidson – former Colorado Secy of State & TGDC member EAC Executive Dir. Tom Wilkey - former NY State Election Director, VSS organizer/advocate Standards Board: 110 members drawn from State and local election officials Advisory Board: 37 members drawn from various national associations and government agencies. TGDC (vocal and active members) Whitney Quesenberry - HFP chair, Usability/Accessibility expert, very engaged w/NIST Ron Rivest - STS chair, renowned cryptographer and security expert, very engaged w/NIST Dan Schutzer - CRT chair, VP at CitiGroup Brit Williams - NASED rep, Kennesaw State U., Georgia, performs state voting system certifications, contracted to assist EAC with VVSG public comments Paul Craft - NASED rep, head of elections for Florida Steve Berger - IEEE rep, chair IEEE Voting System Standard, contract with EAC National Association of State Election Directors, prior to HAVA had authority on standard, Qualification (Certification) and ITAs National Association of Secretaries of States NASED NASS

page 15 New Material in VVSG Version 1 1. Conformance Clause 2. Human Factors 3. Security Overview – IDV Systems 4. VVPAT 5. Wireless 6. Software Distribution/Setup Validation 7. Glossary 8. Error Rates 9. Best Practices for Voting Officials

page 16 Conformance Clause VSS-2002 did not include a conformance clause Conformance: the fulfillment by a product, process, or service of requirements as specified in a standard or specification The conformance clause of a standard specification is a high-level description of what is required of implementers and developers Refers to other parts of the standard Specifies minimal requirements for certain functions and implementation-dependent values Specifies the permissibility of extensions, options, and alternative approaches and how they are to be handled

page 17 Human Factors The VSS-2002, Volume 1 Section 2.2.7, addressed Accessibility; Section addressed Human Engineering—Controls and Displays; Appendix C addressed Usability VVSG Version 1 replaces these items with a new Section that addresses Human Factors including accessibility, usability, and limited English proficiency Privacy Requirements added Incorporates the two NASED Technical Guides (Guide #1 and Guide #2) VVSG Version 2 will contain performance-based requirements (specifies how voting systems must perform)

page 18 Security Overview New security Section 6.0, with 4 parts: Overview of Independent Dual Verification (IDV) voting systems (informative only) VVPAT Requirements Wireless Requirements Software Distribution/Setup Validation Requirements

page 19 Independent Dual Verification IDV systems produce a 2 nd record of votes for ballot record integrity and auditability Current approaches include Split process systems Witness systems – recently marketed Cryptographic-based systems – available today VVPAT, modified Op Scan – available today New Appendix D contains in-depth IDV discussion IDV systems expected to evolve significantly in VVSG Version 2

page 20 VVPAT The VSS-2002 contained no requirements for voter verified paper audit trails (VVPAT) Vendors, most States in need of consistent, common guidance TGDC directed by EAC to produce VVPAT guidance for States requiring VVPAT VVPAT a form of IDV VVSG does not require or endorse VVPAT Methods other than VVPAT can provide ways to achieve IDV, as explained in Security Overview NIST used CA State, IEEE standards, and enacted State legislation as initial basis

page 21 Wireless Technology TGDC concluded that use of wireless technology introduces risk and should be approached with caution VVSG Version 1 includes new section on wireless that augments the general telecommunications requirements in Volume 1, Section 5 Requires that wireless transmissions be encrypted to protect against a variety of security problems Requires wireless to be turned on/off under controlled conditions Requires backup procedures in case wireless fails

page 22 Software Distribution Helps to ensure correct version of voting software is used Helps to ensure voting software is set up correctly Uses NIST’s National Software Reference Library at

page 23 Glossary Common terminology forms basis for understanding requirements and for discussing improvements This glossary contains terms from the VSS-2002 and additional terms needed to understand voting and related areas, e.g., security, human factors, testing Terms in glossary include a definition and its source, and an association as to the domain for which the term applies Also available in a web-based on-line version at

page 24 Best Practices for Voting Officials VSS 2002 contained requirements for voting systems and testing entities Requirements in VVSG Version 1 for wireless, VVPAT, human factors, etc. depend on voting officials developing and carrying out appropriate procedures VVSG Version 1 contains best practices for voting officials These are not testable and conformance can not be determined Best Practices for Voting Officials are also contained in Appendix C of Volume I

page 25 VVSG Version 2 A comprehensive standards guideline, a complete rewrite of 2002 VSS with updated and expanded material Will draw from VSS, IEEE P1583, Federal and other standards Will include material from VVSG Version 1 and other material as directed by TGDC resolutions from Jan ’05 Outreach with other efforts

page 26 VVSG2 Kick-Off Meeting with EAC Meeting held on July 8 Follow-up meeting with Commissioners on July 26 Agreement that a lot more work needs to be done Two Year Window for effective date does not preclude enhancements to existing VVSG NIST/TGDC will deliver replacement “chunks” Candidate “chunks” include VVPAT, IDV, HFP Final version of next iteration – July, 2007 Internet Voting

page 27 VVSG Version 2 Overview 5 major sections: An overview for using the VVSG, executive summary, etc. A terminology standard (NIST glossary) A product standard, containing general and voting-activity related requirements (e.g., setup, cast, count, …) A standard on data to be provided by testing authorities or the vendor A testing standard including all test methods, testing requirements, evaluation guidelines, test cases, etc.

page 28 VVSG Version 2 Current Status Detailed outline has been developed; NIST and TGDC working to create final version of outline Timeline for VVSG2 deliverables has been created Research underway: Meetings with vendors Working with usability and accessibility experts Threat analysis under development Preliminary requirements development underway

page 29 Lab Accreditation June 23, 2004 FRN – NVLAP announced the intent to establish a program for laboratories testing voting systems August 17, 2004 – NVLAP conducted a public workshop June 17, 2005 FRN – NVLAP announced the availability of application for its Voting Systems Testing accreditation program June A draft of NIST Handbook , Voting Systems Testing, was made available to the public

page 30 Funding FY05 Funding - $2.8 million via the EAC and $500K NIST funds FY06 Funding Request - $6.5 million Includes comprehensive test suite development FY06 Funding Request constrained to $2.8 million No test suite development Other items funded proportionately FY07 Funding Request - $ 5 million Assumes $2.8 million for FY06 Includes test suite development

page 31 Outreach NSF Grant to Johns Hopkins University To improve the reliability and trustworthiness of voting technology Parallels many topics in NIST/TGDC plans Voting system architectures built for verifiability IDV and trusted models Defense-in-depth techniques for security Many opportunities for collaboration or consultation NIST subsequently contacted NSF to initiate collaboration NSF invited NIST to kick-off meeting tentatively Winter, 2005

page 32 Outreach Continued State of MD Independent Verification Study Studying add-on technologies to existing Diebold DREs Intent is to produce 2 nd, verified record NIST may consult with respect to evaluation criteria Threat Analysis Workshop October 7 at NIST/Gaithersburg To arrive at consensus on plausible threats May involve follow-on workshop or study GAO Report Public release Fall/2005 Relevant to EAC/TGDC/NIST

page 33 Issues Working Relationship with EAC NIST/TGDC/EAC interrelationship Security/IDV IDV De-emphasis in EAC version Time to do research Two year window for effective date for VVSG1