(no subject)

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Thu Apr 07 2005 - 03:50:43 CDT

The below is a completed draft of the invited public comments I would
like to submit to NIST/EAC. I invite anyone reading this to join me in
signing these comments, and provide me with relevant affiliations and
titles for inclusion with their signature.

I particularly encourage the people who have directly contributed
content to join me in signing these comments: Ron Crane, David Webber,
Alan Dechert, Jan Karrman, Joseph Hall, and Edward Cherlin. However, I
also believe that Kurt Hyde of IEEE P-1622 and Arthur Keller of IEEE
P-1583 would lend additional weight to these comments by their
affiliations.

The below is not written in stone, of course. I can incorporate
additional improvements or suggestions before April 15. However, given
the number of people involved, I hope you are able to endorse the
current version with the general understanding that any moderate
changes suggested by contributors will not alter the fundamental sense
of the overall comments. Sending each typo correction back to the list
of signers/contributors for renewed approval might become unwieldy.

Note to a couple contributors: I felt the concept User Centered Design,
while important, is outside the scope of the EAC glossary, and should
not be proposed in these comments.

Yours, David...

--------------------------------------------------
To: voting@nist.gov

Comments on Glossary for Voting Systems (DRAFT)
http://www.eac.gov/voting_glossary.asp

David Mertz, Ph.D.
   Technical Editor and Member, IEEE P-1622
   Chief Technology Officer, Open Voting Consortium
   URL: http://gnosis.cx/voting/
   Email: <mertz@gnosis.cx>

Co-signer #1
   Affiliation
[...]

IEEE
Standards Coordinating Committee 38
(SCC 38) Voting Standards

Gentlepersons,

We have had an opportunity to review the Election Assistance
Commission's Glossary for Voting Systems draft, and would like to
provide
commentary on the draft.

Portions of the remarks concern the clarity and consistency of the
draft. For example, in certain cases, a term is used in one definition
but defined in an inconsistent manner elsewhere. In general, these
inconsistencies reflect your efforts to integrate materials from
multiple sources, each using somewhat different terminology.

The most significant comments we provide here are suggestions for the
inclusion of several additional terms used in discussions of voting
systems. In support of the additional terms, and partially to support
our clarifications of existing terms, we suggest several additional
reference sources for inclusion in Appendix A.

The comments below have the form of proposed entries, with the list of
such entries containing both a subset of existing terms and our new
terms. Each entry is given as we believe it should read, and is often
followed by an explanation (indented) expanding on the motivation for
the entry. We do not recommend the explanation for inclusion in the
entry itself, but simply to provide context.

------------------------------------------------------------------------

ABANDONED BALLOT: Ballot that the voter did not cast into the ballot box
or record on a DRE before leaving the polling place. See also Fled
Voter.

   Explanation: the wording of the draft is grammatically awkward; no
   substantial content change is proposed.

ACCESSIBILITY: [...draft text...] See also Usability.

   Explanation: Accessibility is a specific subset of usability concerns,
   and the relationshiop should be emphasized.

ANONYMITY: Preventing the disclosure of the identity of the voter
associated with a Cast Ballot. Neither the individual identity nor the
aggregate characteristics of voters may be associated with Cast Ballots,
except those characteristics mandated by law. For example, an election
authority might be permitted to disclose the aggregate votes of
party-unaffiliated voters, but will be prohibited from dislosing the
aggregates of only blind voters. See also Confidentiality, Privacy.
Association: Security
Source: No Attribution

AUDIT TRAIL FOR DRE: Paper printout of votes cast, produced by Direct
Record Electronic Voting Systems, which election officials may use to
crosscheck electronically tabulated totals.

   Explanation: The term DRE was expanded in a fashion inconsistent with
   it definition elsewhere. Multiple usages of the same acronym exist in
   elections discussions, but this glossary should choose a consistent
   term.

BALLOT INSTRUCTIONS: Text describing the procedure for voting a ballot.

BALLOT MEASURE: Legislation pertaining to the adoption of laws,
statutes, resolutions, and/or amendments to state constitutions that
appear on the ballot for approval or rejection.

   Explanation: Particularly at a municipal or county level, some ballot
   measures are neither laws nor amendments. Adding statutes and
   resolutions seems inclusive.

BALLOT SCANNER: Device used to read the data from a paper Ballot.

   Explanation: Marksense is only one of numerous technologies used, or
   potentially used, for electronic recognition of ballots. OCR, barcode
   scanners, or other data encoding are possible and used. For example,
   see http://www.fec.gov/pages/marksnse.htm which states: "marksense
   technology is only one of several methods for recognizing marks on
   paper through optical reading techniques."

COUNTED BALLOT: A Cast Ballot whose selections have been added to the
respective totals for each Contest.

   Explanation: The definition of Contest includes items not listed in
   the draft definition of Counted Ballot, such as referenda,
   propositions, etc. A uniform reference to Contest, defined elsewhere,
   assures uniformity. Phrasing generally clarified.

COVERT CHANNEL: A communications channel that transfers information
using a method not documented in the formal description of a protocol or
document format. For example, a Ballot Image or Audit Trail may disclose
information that would violate Anonymity and/or Confidentiality, through
either design error or malice.
Association: Security, Software Engineering
Source: OVC

CRYPTOGRAPHY: [draft text, but delete the final "or" and the period at
the end, and add:] , or establish their authenticity.

CUMULATIVE VOTING: Practice where voters are permitted to cast multiple
votes distributed among multiple candidates. Voters are not limited to
giving exactly one vote to each candidate. Instead, voters may cast
multiple votes on one or more candidates, limited by the total votes
they are assigned.

   Explanation: While the most common cumulative method may give voters a
   number of votes equal to the number of candidates, such a relationship
   is not defining of cumulative voting. A particular system within the
   definition might give voters exactly 10 votes to distribute, or 1/2
   the number of the candidates, or 2x the number of candidates, etc.

DIRECTLY VERIFIABLE: Voting system that allows the voter to verify at
least one representation of his or her ballot with his/her own senses,
not using any software or hardware intermediary. Examples of directly
verifiable voting systems include Voter Verifiable Paper Ballots and
Marksense ballots. A DRE cannot be directly verifiable, since it by
definition relies on an Electronic Voting Machine as an intermediary.
See also Indirectly Verifiable.
Association: Voting, Security
Source: OASIS, OVC, IEEE 1583

DRE DISPLAY: Part of the DRE the displays the Ballot Format.

   Explanation: Just adjusting the definition to use the term Ballot
   Format rather than the undefined term 'electronic record'.

E-VOTING: [...] , but may be misleading as it suggests remote access via
a computer network or the Internet [...]

   Explanation: "Implies" is too strong. Strictly speaking, the 'e' in
   names derives from 'electronic' and is only indirectly associated with
   networking.

ELECTION MARKUP LANGUAGE (EML): Open public specification developed by
OASIS for XML structures and process procedures for election management
by computer systems. Adopted by the European Council of Ministers as
preferred approach to electronic voting. See also Ballot Image, Ballot
Form, Ballot Format.
Association: Voting, Standardization, Software Engineering
Source: OASIS, IEEE 1622

ELECTRONIC BALLOT IMAGE (EBI): See Ballot Image.
Association: Voting
Source: OVC, EML

   Explanation: The term EBI is widely used to refer to sense (1) of the
   Ballot Image definition.

ELECTRONIC BALLOT PRINTER (EBP): Device that prints Voter Verified
Paper Ballots with selected vote with selected vote choices for
tabulation by a separate Ballot Scanner.

   Explanation: Describing an EBP as "DRE-like" is highly misleading.
   The main contrast among electronic voting machines is between DREs and
   EBPs. The word "fully" is awkward and superfluous.

ELECTRONIC VOTE CAPTURE SYSTEM (EVCS): Election system than encompasses
DREs as well as EBPs when the latter are combined with a Ballot Scanner.

   Explanation: The term ABP is not used in the draft. Since Ballot
   Scanner is defined elsewhere the dependent clause explaining its
   meaning is superfluous or misleading. Several concepts other than
   VVP* are equally or more closely associated with EVCS.

ELECTRONIC VOTER INTERFACE: Subsystem within a DRE or EBP which
communicates ballot information to a voter [...]

   Explanation: An EBP uses the same range of communication means as a
   DRE. The extra noun phrase 'voting system' is redundant.

ERROR CORRECTION CODE: A coding system that uses a partially redundant
representation of data to detect and/or correct certain kinds of errors
in data transmission or storage.

   Explanation: "Parity bits" is only a limited subset of ECC.

FIRMWARE: Software that provides basic system operations, often (but not
exclusively) related to the operation or control of hardware devices.
Firmware might, but need not be, contained in a read-only memory (ROM)
device, and it might be alterable during ordinary system operations.

   Explanation: The previous definition was too narrow and emphasized
   something that is often incorrect. Firmware is often loaded or
   loadable from mass-storage devices, such as BIOS updates for PCs.
   Firmware need not be contained in ROM, and might, depending upon the
   system's design, be alterable at runtime.

FREE SOFTWARE: Software which users have the freedom to examine and
modify, and to redistribute either with or without modifications, either
commercially or noncommercially, either gratis or charging a nominal
distribution fee. In voting contexts, voters and voting officials are
explicitly considered "users" of software.
Association: Security, Software Engineering
Source: no attribution

   Explanation: This concept is based on the Free Software Definition of
   the Free Software Foundation,
   http://www.fsf.org/licensing/essays/free-sw.html

HASH: [Replace the first sentence with:] An algorithm that maps a bit
string of arbitrary length to another bit string, usually shorter and
of fixed length.

   Explanation: Hashes are not necessarily fixed-length (e.g.
   http://portal.acm.org/citation.cfm?id=966341 ).

INFORMATION SECURITY: [...] See also Crytography.

NONVOLATILE MEMORY: [delete "Static RAM" from the list of "example of
nonvolatile memory" and replace with "Flash RAM"]

   Explanation: Unlike Dynamic RAM (DRAM), static RAM (SRAM) retains its
   contents without period refresh cycles. However, both forms of RAM
   lose their contents when disconnected from power. Flash RAM is
   nonvolatile, and has replaced ROMs, EPROMs, and EEPROMs in many
   (most?) applications.

OPEN VOTING SYSTEM: A Voting System in which every Component is
available to the general public under non-restrictive licensing terms or
is in the public domain. For hardware components an Open Voting System
relies entirely on COTS devices. See also Free Software, COTS.
Association: Security, Standardization, Software Engineering
Source: OVC

   Explanation: This term is in wide use since Irwin Mann's paper at
   http://archive.cpsr.net/conferences/cfp93/mann.html.

PAPER RECORD: [Eliminate this term]

   Explanation: The term paper record is used loosely for many different
   and incompatible types of documents within an election system. No
   single definition is predominant, and defining this term simply
   muddies the several terms that refer to varieties of paper records.

PRIVACY: The degree of protection that a voting system provides a voter
against attempts to learn how she voted. See also Anonymity.

RANKED ORDER VOTING: Practice that allows voters to rank candidates in
a context in order of choice: 1, 2, 3 and so on. Tabulation of ranked
votes may be done by any of several methods, depending on jurisdictional
rules. Well known tabulation methods include: Instant Runoff Voting
(IRV) in which votes are reassigned over rounds of voting, until a
majority is reached; Condorcet in which a total order is treated as a
set of pairwise perference between candidates; Borda in which different
ranks are worth different number of "points." Ranked order voting is
also sometimes referred to as preferences, preferential voting, or
choice voting.
Association: voting
Source: VSS, IEEE 1583, IEEE 1622

   Explanation: Unfortunately, the draft version was just plain dead
   wrong. IRV is perhaps the most widely used and advocated tabulation
   method in the US. But the concept of ranked order pertains to a ballot
   is voted; how it is tabulated is an independent concept. The American
   Mathematical Society has a nice web page on this issue:
   http://www.ams.org/new-in-math/cover/voting-decision.html

RECONSTRUCTED ELECTRONIC BALLOT IMAGE (REBI): An electronic record of
all votes cast by a single voter that is created by scanning a Voter
Verified Paper Ballot. A REBI may be compared to its corresponding EBI
in the course of a Canvas and/or Audit.
Association: Voting, Security
Source: OVC

SECURITY ANALYSIS: An inquiry into the existence of security flaws in a
voting system. Includes an analysis of the system's software, firmware,
and hardware, as well as the procedures surrounding their production,
deployment, and use. Security analysis may discover flaws and means of
tampering invisible to testing, such as Trojan Horses programmed to
operate only during an election, or only when a specified signal is
broadcast via electromagnetic means such as WIMAX or power-line
broadband.
Association: Security

STANDALONE BALLOT VERIFICATION STATION: Machine that provides assistance
to voters who are visually impaired, who have difficulty reading
English, or in other cases where voters have difficulty correctly
verifying a Voter Verified Paper Ballot. In contrast to an
Electronically-Assisted Ballot Marker, a Standalone Ballot Verification
Station is a distinct component from an Electronic Ballot Printer, and
may be produced by an separate "second source" vendor.
Association: Voting, Human Factors, Security
Source: OVC

SUMMARY PAPER BALLOT (SPB): A type of VVPB in which only affirmative
voting preferences are contained on a human-readable ballot. For
example, a SPB might contain the name of a voter's preferred candidate,
but omit the names of non-preferred candidates for typographic and
handling convenience
Association: Voting
Source: OVC.

TOUCH SCREEN VOTING MACHINE: Machine that utilizes a computer scrfeen
whereby a voter executes his or her choices by touching designated
locations on the screen and that then registers those choices.

   Explanation: The voting machine itself does not necessarily tabulate
   the votes. It may, in some DREs. But it does not in any EBP. The
   voting machine does not necessarily tabulate even in a DRE: the
   machine might simply record an electronic record of individual votes,
   which is then tabulated by some other machine or some other software.

TROJAN HORSE: A piece of software intended to (a) alter, or to permit
the alteration of, the outcome of any election; or (b) release, or to
permit the release of, non-public data concerning an election to a
person not authorized to receive it. A Trojan Horse may alter the
outcome of an election by modifying the presentation of information to
the voter; by changing, adding, or deleting votes; by making it
difficult or impossible to vote; or by any other means tending to
achieve the desired outcome. A Trojan Horse may release non-public
information concerning an election via networks, wireless devices,
encoded printouts, or otherwise. See also Covert Channel, Security
Analysis.
Association: Security

Trusted Logic Voting (TLV): Creating Open Voting System approach and
infrastructure that combines procedural needs, such as those detailed by
the OASIS EML work and adopted by the European Council of Ministers,
with a mathematical logic-based approach to ensure voting process
integrity and underpinning.
Association: Security
Source: OASIS EML TC

TRUSTED PERSON: A person who is authorized to create, modify, or
otherwise handle a Voting System, a component of a Voting System (such
as its software or hardware), and/or any portion of a Voting System's
data. A vendor employee and an elections official may be trusted
persons, while a voter is not. A person may be trusted to perform one
function (e.g. the creation of a ballot form) but untrusted for others
(e.g. the modification of a Voting System software).
Association: Security

UNTRUSTED PERSON: Any person who is not a trusted person.
Association: Security

VOTER VERIFIED PAPER AUDIT TRAIL (VVPAT): See Voter Verified Audit
Record.

   Explanation: The acronym VVPAT is both widely used, and used in the
   definition of DRE-VVPAT and VVPAT-Ballot Box. Its sense is covered in
   the entry for VVAR.

VOTER VERIFIED PAPER BALLOT (VVPB): A human-readable Voted Ballot
produced with the aid of an Electronic Ballot Printer. In contrast to a
Voter Verified Audit Record which is generally treated as a secondary
safeguard against failures in electronic records, a VVPB is considered
the Fundamental Representation. See also Voted Ballot, Voter Verified
Audit Record, Electronic Ballot Printer.
Association: Voting
Source: OVC

VOTING MACHINE: Mechanical, electro-mechanical, or electrical equipment
used for the recording and tabulation of votes. See also Voting System.

   Explanation: For consistency with several other definitions,
   "electro-mechanical" should not be excluded. Also, recording is not
   necessarily "direct" (as in an EBP), so that word should be dropped.

APPENDIX A: SOURCES

IEEE 1622
   IEEE P1622 Voting Systems Electronic Data Interchange
   http://grouper.ieee.org/groups/scc38/1622/index.htm.

OASIS
   Organization for the Advancement of Structured Information
   Standards, Election and Voter Services TC. Producer of Election Markup
   Language (EML).

OVC
   Open Voting Consortium [CA 501(c)6] http://openvoting.org/pubs/

_______________________________________________
OVC discuss mailing lists
Send requests to subscribe or unsubscribe to arthur@openvotingconsortium.org
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Sat Apr 30 23:17:03 2005

This archive was generated by hypermail 2.1.8 : Sat Apr 30 2005 - 23:17:22 CDT