Auditability and vvsg 2 0
1 / 10

Auditability and VVSG 2.0 - PowerPoint PPT Presentation

  • Uploaded on

Auditability and VVSG 2.0. David Flater, Ph.D. Computer Scientist, Software and Systems Division, ITL Rev. 2011-12-08. The story so far. From Independent Verification Systems (IV) to Software Independence (SI) Pushback on SI in VVSG 2.0 Alternatives to SI

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Auditability and VVSG 2.0' - kelda

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Auditability and vvsg 2 0

Auditability and VVSG 2.0

David Flater, Ph.D.

Computer Scientist, Software and Systems Division, ITL

Rev. 2011-12-08

The story so far
The story so far

From Independent Verification Systems (IV) to Software Independence (SI)

Pushback on SI in VVSG 2.0

Alternatives to SI

Auditability Working Group (AWG)

Report of the Auditability Working Group

5 options, no silver bullet

Question referred back to the TGDC

What went right in 2007
What went right in 2007

TGDC compromise in 2007 VVSG 2.0, requiring:

Auditability comparable to optical scan

Accessibility comparable to paperless DRE

Specified as performance requirements:

Errors must be detectable [via certain kinds of evidence]

Voting and verification must be accessible

Pushback on vvsg 2 0
Pushback on VVSG 2.0

Systems conforming to the VVSG 2.0 (simultaneously auditable and accessible) seemed feasible, but did not yet exist

Electronically-assisted ballot markers (EBMs) were not as accessible as paperless DREs

For VVPAT, accessible verification from paper not supported

Accessibility advocates feared that states would simply take the DREs away, reducing accessibility

No clear certification path for paperless systems

The innovation class approach tried (failed) to give people confidence that there was a certification path for paperless voting systems

Later decision that the SI requirement would be waived for innovation class systems was inconsistent with the VVSG

Standards Board and Board of Advisors

Did not want federal mandate for paper ballots

Said SI contradicts the accessibility mandate of HAVA

Election Technology Council

Said "Procedures can easily mitigate both perceived and real threats" in software-dependent systems

Pushback on VVSG 2.0

What has changed
What has changed

There now exists at least one EBM device (a version of ImageCast*) that provides accessibility as good as a DRE, and is SI

Auto-cast: not paperless, but avoids accessibility problem of need to handle paper ballots

Verification read from the ballot of record

More states mandate paper ballots

DRE market shrinking; innovation in paperless voting within the U.S. focusing on UOCAVA

* Commercial equipment is identified in order to cite an example. In no case does such identification imply recommendation or endorsement by NIST, nor does it imply that the equipment identified is necessarily the best available for the purpose.

Remaining part of the problem
Remaining part of the problem

Although we now have an implementation that satisfies both the accessibility and auditability requirements, there are still concerns about the consequences of having a VVSG that does not include a clear certification path for paperless voting systems

Currently, various paperless approaches are satisfactory to different experts, but there is none that satisfies a majority

Ideally, when a better approach came along, the VVSG would be revised quickly to keep pace with technology

However, there is fear of VVSG 2.0 causing a chilling effect preventing innovative paperless systems from being developed

Remaining part of the problem1
Remaining part of the problem

The VVSG should enable the certification of a good enough (auditable and accessible) paperless system, but no known paperless approach is considered good enough by any majority now

Requirements cannot be validated for unknown unknowns; hence, they are probably over- or under-constrained for future innovative systems

Divisions over which is worse

Over-constrained: auditable paperless systems cannot conform

Under-constrained: non-auditable systems do conform

Next steps
Next steps

Goal: TGDC to recommend some objective, technology-independent requirements for auditability (which are consistent with accessibility)

Use 2007 VVSG 2.0 + fix-ups as the starting point

The high-level goal is auditability + accessibility

Paper records + accessible voting + accessible verification of the ballot of record suffices (safe haven)

Reconvene AWG to refine the requirements to make them more objective, but avoid analysis paralysis

Revisit and discuss what should be done about the potential chilling effect on paperless systems

Innovation class vs. VVSG interpretation and maintenance