Monday, December 11, 2006

Media reportage of NIST draft report on electronic voting machines security causes elation/deflation

Voting activists and concerned election watchdogs have been abuzz since the disclosure of a draft NIST report and the media's salivating coverage of its "findings."

Activist sites, bloggers and law professors proclaimed the virtual, impending decertification of DREs.

December 4, 2006

Meanwhile, in the hopes of avoiding a situation like FL-13 in the future, a draft report by the federal government's National Institute of Standards and Technology says that touch-screen-type voting systems should eventually be phased out because they provide no reliable paper trail for auditors.

Friday, December 1, 2006 E-voting Machines: NIST To Decertify

Emergent Chaos post: Ed Felten points out that NIST Recommends Decertifying Paperless Voting Machines

To our delight, even though the Democratic Underground posted a piece from the Brad Blog on its site (blogged by Brad on 11/29/2006, 2:37 PM: "NATIONAL STANDARDS INSTITUTE TO RECOMMEND SCRAPPING DIRECT RECORDING ELECTRONIC TOUCH-SCREEN VOTING MACHINES! Says Machines Should be Decertified! Also Says So-Called 'Voter Verified Paper Audit Trails (VVPAT) Should Not Be Used' in Voting Systems(!)"), it later provides material which disputes that claim in a piece entitled "NIST not recommending decertification of DREs".

WillYourVoteBCounted's Journal

The site explains in messages as well: "And NIST did not recommend banning DREs, it said that 2007 standards should only certify DREs if they have VVPAT, or if other verification was available."

A snippet from the Post Gazette's Dec. 5, 2006 article, "Doubts persist on electronic vote machines":

"It's really, really hard to get software right," Ronald L. Rivest, a professor of computer science and electrical engineering at the Massachusetts Institute of Technology, told the federal Technical Guidelines Development Committee yesterday. "Bugs are a fact of life in software."

Still, he emphasized that neither he nor the NIST report was calling for local election officials to get rid of their new, expensive machinery. He said those machines could still handle elections, but companies should be encouraged to develop better alternatives.

It is no wonder there's so much misplaced glee, however.

NIST advises EAC that electronic voting machines must have paper trails

Meanwhile, a draft report by the federal government's National Institute of Standards and Technology says that touch-screen-type voting systems should eventually be phased out because they provide no reliable paper trail for auditors.

But alas, the NIST's own Fact Sheet clarifies several issues, including noting the draft report is a discussion draft.

However, many sites continue to make statements and analysis of the NIST draft report that are flat out wrong.

NIST Clarifies Import of Voting Machine Study
December 6, 2006 By Wayne Hanson

A discussion draft by the National Institute for Standards and Technology (NIST) on voting machines states: "Lack of an independent audit capability in DRE voting systems is one of the main reasons behind continued questions about voting system security and diminished public confidence in elections."

While some publications such as the Washington Post took the draft report as an outright condemnation of electronic voting, NIST replied that the draft was for discussion purposes and would be analyzed at a meeting that concluded earlier today.

From the NIST Fact Sheet

Questions and Answers on the Draft Report: “Requiring Software Independence in VVSG 2007: STS Recommendations for the TGDC”

This draft report was prepared by staff at the National Institute of Standards and Technology (NIST) at the request of the Technical Guidelines Development Committee (TGDC) to serve as a point of discussion at its Dec. 4-5, 2006, meeting. Prepared in conjunction with the Security and Transparency Subcommittee (STS) of the TGDC, the report is a discussion draft and does not represent a consensus view or recommendation from either NIST or the TGDC.

The report contains draft recommendations that were presented on Monday, Dec. 4, for consideration by the TGDC.
The TGDC may adopt, reject, or modify the recommendations.

Did the draft software independence report conclude that current DREs are highly vulnerable and a single programmer could “rig” an election?

Some statements in the report have been misinterpreted. The draft report includes statements from election officials, voting system vendors, computer scientists and other experts in the field about what is potentially possible in terms of attacks on DREs. However, these statements are not report conclusions...

The Washington Post headline: Security Of Electronic Voting Is Condemned

In the body of the article, the author attributes the condemnation to assessment by the National Institute of Standards and Technology...

Further, the article misleads: The recommendations endorse "optical-scan" systems in which voters mark paper ballots that are read by a computer and electronic systems that print a paper summary of each ballot, which voters review and elections officials save for recounts.

Then, the article correctly states:

The report repeats the contention of the computer security community that "a single programmer could 'rig' a major election."

And the article correctly states: NIST says that voting systems should not rely on a machine's software to provide a record of the votes cast.

Had the author kept to that fact, the internet might not have had room for misinterpretation.

Clearly stated in the NIST draft report: The computer security community rejects the notion that DREs can be made secure, arguing that their design is inadequate to meet the requirements of voting and that they are vulnerable to large-scale errors and election fraud.

Note the subject: The computer security community

Verb: rejects

Unfortunately, sites have not revised posted material which has led to continued elation that DRE paperless voting machines are going the way of the dinosaurs...

Some sites claim erroneously that the NIST draft report recommended implementation of exclusively Voter Verified Paper Audit Trail (VVPAT) for Direct Recording Electronic (DRE) voting machines.

Reporters must not have comprehensively read section 2.3 of the NIST discussion on pages 4-5, specifically, regarding current paper-based systems and its consideration of E2E cryptographic systems.

One conclusion drawn by NIST is that the lack of an independent audit capability in DRE voting systems is one of the main reasons behind continued questions about voting system security and diminished public confidence in elections. NIST does not know how to write testable requirements to make DREs secure, and NIST's recommendation to the STS is that the DRE in practical terms cannot be made secure. Consequently, NIST and the STS recommend that the VVSG 2007 should require voting systems to be of the SI "class" whose readily available (albeit not always optimal) examples include op-scan and DRE-VVPAT.

What didn't the reporters get about the wording readily available (albeit not always optimal) examples?

Many just didn't continue reading the rest of the section wherein the paper discusses an assessment that paper places stress in three key areas:

capabilities of the voting technology

voters to verify their accuracy

election workers to securely handle the ballots and accurately count them

That final area just didn't get through to reporters!

Neither did they read the rest of the section which continues:

Clearly, the needs of voters and election officials need to be addressed with improved and new technology. The STS believes that current paper-based approaches can be improved to be significantly more usable to voters and election officials, and that other kinds of all-electronic IV (software IV) and E2E cryptographic systems may possibly achieve the goal of secure paperless elections.

In fact, the NIST draft report clearly states that one consideration is end-to-end cryptographic systems, which may possibly achieve the goal of secure paperless elections.

How did the media miss that one?

Ronald L. Rivest on software independence in voting systems Draft version July 28, 2006

The report will be debated next week in a meeting of the Technical Guidelines Development Committee (TGDC).

The Technical Guidelines Development Committee of the US EAC (Elections Assistance Commission) is scheduled to review the NIST recommendation that DRE (direct record electronic) machines include voter-verified paper trails or other auditing mechanisms at a meeting on Monday and Tuesday.

We found the webcast

December 4-5, 2006 Session

The NIST draft additionally offered a cryptographic verification solution that simply is not liked by a voter organization.

Meanwhile, American Association of People with Disabilities (AAPD) issues Letter Opposing Voter-Verified Paper Record

Headlines: elation and deflation

NIST reaches unavoidable conclusion: paperless DREs not acceptable by David Dill, Founder, Verified Voting Foundation November 30th, 2006

NIST White Paper Recommends That New Standards Should Require "Software Independent" Voting Systems by Warren Stewart, VoteTrustUSA
November 29, 2006
Other Recommendations Include Banning of Wireless Devices, Volume Testing, Software Setup Validation, and Open-Ended Vulnerability Testing

NIST-backed panel calls for end to paperless voting by Michael Hardy Published on Nov. 30, 2006

The 2007 version of federal Voluntary Voting Systems Guidelines should include provisions that prevent paperless electronic voting machines from getting certified, according to a subcommittee advising the Election Assistance Commission.

The Security and Transparency Subcommittee of the commission’s Technical Guidelines Development Committee made the recommendation in a report posted on the National Institute of Standards and Technology's Web site earlier this month. NIST supports the committee.

Direct Recording Electronic (DRE) voting machines, better known as touch-screen machines, record votes electronically. However, many observers consider the machines to be prone to errors and potentially open to security breaches. With no paper record for officials to check the electronic totals against, officials are unable to audit the accuracy of the machines or to conduct recounts that don't depend on the original tallies, opponents of paperless voting say.

The subcommittee recommends that all systems certified under the 2007 guidelines be “software independent.” They define the term as meaning a system that provides a safeguard so that undetected errors in the electronic total can't affect the outcome of an election. In general, that means using electronic machines with a voter-verified paper record.

Optical scan voting systems already generate the paper record, because voters mark their ballots first before the computer reads their votes and adds them to the total counts. The marked ballots, if securely stored, can serve as a check to audit or recount the electronic results. DREs, however, do not generate any kind of paper record unless they are set up to do so.

Some all-electronic methods of providing software independence are under study, but only one, based on cryptography, is on the market, according to the report...

New voting system supported
Research group, politicians agree voters need verifiable paper trail

By Sumathi Reddy and Melissa Harris
Sun reporters
Originally published December 2, 2006

Legislative leaders say they support overhauling the state's electronic touch-screen machines when the General Assembly convenes next month, an effort that comes in the wake of a draft federal report that condemns paperless voting systems.

Security Of Electronic Voting Is Condemned
Paper Systems Should Be Included, Agency Says

By Cameron W. Barr
Washington Post Staff Writer
Friday, December 1, 2006; Page A01

Paperless electronic voting machines used throughout the Washington region and much of the country "cannot be made secure," according to draft recommendations issued this week by a federal agency that advises the U.S. Election Assistance Commission.

The assessment by the National Institute of Standards and Technology, one of the government's premier research centers, is the most sweeping condemnation of such voting systems by a federal agency.

also posted

Report: Paperless e-voting is not secure
Advisory agency to federal election standards commission dismisses most e-voting machines, but leaves door open for new technology. by Candace Lombardi Staff Writer, CNET
Published: December 1, 2006

Political Animal December 1, 2006

Feds fear voting security breaches
Saturday, December 02, 2006

By Jerome L. Sherman, Pittsburgh Post-Gazette
WASHINGTON -- Computerized touch-screen voting machines purchased by dozens of Pennsylvania counties and other local governments this year contain worrisome security limitations, according to a draft report from a federal agency.

The report, compiled in November by the National Institute of Standards and Technology, or NIST, warns that the machines are "software-dependent," meaning there is no satisfactory way to ensure that election results haven't been affected by errors or fraud.

It's the first time a major federal agency has raised such strong concerns, although computer experts and voting rights activists have been highlighting them for several years. Many computer scientists support the use of fill-in-the-bubble optical scan ballots, which received prominent mention in the NIST report as an alternative that could rely on hand recounts if necessary...

NIST draft

However, the NIST panel did not endorse a new requirement that all electronic voting systems be "software independent" and readily audited.

The 14-member advisory committee, composed of representatives from state elections boards, engineers, accessibility experts, and computer scientists, rejected the software independence requirement by a 6-6 vote, with two members absent or abstaining.


Hooda Thunk makes note that the draft is a discussion, and that pans out in light of the NIST panel's actions.

In actuality:

Some consensus among members

Despite the rift over software security, there seemed to be more consensus among committee members that a paper trail is not necessarily the only solution to the problem.

The committee unanimously adopted another resolution designed to urge the voting industry to be more "innovative" in its approaches. Rivest said it would be a shame if Congress passed legislation specifically requiring paper receipts in voting machines--excluding potentially workable paperless verification options--even if it appears that paper is the most viable way to go right now...

Federal Panel Rebuffs Guidelines That Insist on a Paper Trail

By Cameron W. Barr
Washington Post Staff Writer
Tuesday, December 5, 2006; Page B06

A federal advisory group rejected a measure yesterday that would have discouraged states from using electronic voting systems that lack an independent means of verifying their results, according to a spokeswoman for the National Institute of Standards and Technology.

Members of the Technical Guidelines Development Committee, a group created by Congress to advise the U.S. Election Assistance Commission, deadlocked 6 to 6 on the proposal at a meeting held at the NIST headquarters in Gaithersburg. Eight votes are needed to pass a measure on the 15-member committee...

Government rejects e-voting paper-trail proposal
Government, banking officials claim it's not necessary

December 04, 2006 (IDG News Service) --
A U.S. government board looking at ways to improve the security of electronic voting has rejected one proposal that would have required election officials to use paper-trail ballots or other audit technologies with the machines.

The Technical Guidelines Development Committee (TGDC), an advisory board to the U.S. Elections Assistance Commission (EAC), on Monday failed to pass a proposal to certify only those direct record electronic (DRE) machines that use independent audit technology. Before the 6-6 vote, TGDC members expressed concerns that a requirement would create a costly mandate to local governments.

TGDC members said they will continue debate on ways to improve e-voting security. The TGDC could bring the proposal or an amended one back up at any time, said Michael Newman, a spokesman at the National Institute of Standards and Technology (NIST), the agency that helps the TGDC develop voting standards.

The proposal, advanced by NIST staff and TGDC member Ronald Rivest, a computer science professor at the Massachusetts Institute of Technology, would have required "software independent" DREs with some kind of independent audit mechanism, such as the voter-verified paper trail printouts advocated by some e-voting critics.

One advocate of paper-trail audits for DRE said he was disappointed with the TGDC's vote. The recommendation was a "much-needed step toward making certain that voting systems are secure, useable, and reliable," said Eugene Spafford, chairman of the U.S. policy committee at the Association for Computing Machinery (ACM).


E-voting machines: NIST to decertify, Ohio to scrap
12/1/2006 1:32:41 PM, by Jon Stokes

Contrary to what has been widely reported, the NIST report does not recommend "scrapping" existing DRE machines. Indeed, it explicitly leaves the "policy" question of what should be done with existing DREs to other parties, and it suggests a provision in the VVSG 2007 for "grandfathering" in the current generation of DREs that do not meet the newer guidelines. The decertification aspect of the report has implications only for machines purchased after the guidelines go into effect sometime in 2009 or 2010. So DREs purchased by states and counties after the deadline for implementing the guidelines will not be certified, but existing machines will be grandfathered in.

Related Issues

DRE Lawyer Drops Major DRE suit; calls VVPAT "Fool's Gold"; Tells Cong take Powder on Legislation
Posted by Land Shark in Election Reform
Mon Dec 04th 2006, 10:59 AM
Prof Dan Tokaji Drops Pro-DRE litigation as Moot, Calls VVPAT Paper Trails "Fool's Gold" & says Congress should "Take a Breath" on Further Legislation

Tokaji on VVPAT debate
Dan Tokaji has a provocative essay on Equal Vote, "A Remarkable Turn in the Paper Trail Debate." Dan writes about an op-ed recently written by Bev Harris, of Black Box Voting. The bottom line is that in this op-ed, Harris comes out against Congressman Rush Holt's H.B. 550: "Black Box Voting believes that H.B. 550 is unwise...

Avi Rubin's blog


NIST presentation

The Cryptography and Information Security research group of MIT's Laboratory for Computer Science has a long-standing interest in electronic voting and the security of voting technology.

Professor Ronald L. Rivest has led this project. Other key participants have been Mark Herschberg, Kazuo Ohta, Ben Adida, Brandon DuRette, Rachel Greenstadt, and Kevin McDonald...

Ronald L. Rivest


VotersUnite changes position on VVPATs
