Re: Fwd: Re: NIST VVPAT Standards as of Now

From: Joseph Lorenzo Hall <joehall_at_gmail_dot_com>
Date: Thu Apr 21 2005 - 13:16:12 CDT

(I'm not sure who to send these comments to as the truvote email seems
to be from a list... forward as needed.)

On 4/21/05, Rick Gideon <> wrote:
> > The voting station shall be capable of showing the information in
> >at least two font ranges (3.0-4.0mm and 6.3-9.0 mm)

I would also say that low-tech accomodations such as tethered
magnification lens might be appropriate here.

> > The voting station shall display, print, and store a paper record
> >in any of the alternative languages chosen for making ballot selections

This is very bad. That is, what if you're the one Laotian speaker in
a precinct... your VVPAT printed in laotian will mark your vote. Not
only that, but if these are intended to be recounted, you need to have
all ballots in English for the recounting procedure. A better
paradigm is language-specific ballot overlays or a mechanism for
printing two languages on every VVPAT randomly (with english being one
of them) unless the person voted in a language other than English and
then have that language be the second language. (Unfortunately, you'd
want the distribution of the non-english language to appear random...
which is hard not knowing beforehand how many people will vote in each
language... that is, if you randomize the languages printed on all
VVPATs save the ones voted in non-english, an adversary could see the
non-english votes show up on top of the random distribution.)

> > For purposes of verification, candidate names on the records
> >shall be in English.

This seems to indicate that each VVPAT will have two languages
maximum... this is unclear and needs to be clarified.

> > The voter's privacy and anonymity shall be preserved during the
> >process of recording, verifying,and auditing ballot choices (both on
> >electronic and paper records).

Sequoia seemed to have broken this one in the Nevada VVPAT election in
Nov. 2004... I have video if anyone's interested. Hopefully this is
now fixed. We (Vora, Wagner, Hall and Coney) describe this in the
last example in this paper:

> > The voter shall not be able to leave the voting area with the
> >paper record if the information on the paper record can reveal to another
> >person the voter's choices.

This is much better than mandating paper-under-glass/plastic!

> > The privacy and anonymity of voters unable to manually handle
> >paper and who use an accessible voting station that requires manual storage
> >of the paper record into a ballot box shall be maintained.

In a [panel discussion] I moderated recently with Matt Zimmerman
(EFF), David Dill (Stanford) and Ann Brick (ACLU of Northern CA) I
came up with what I thought was a clever idea for this: enlist
non-sighted pollworkers (that are manually dexterous) to put paper
records in privacy sleeves and walk them over to the ballot box.

[panel discussion]:

> > The voting station's ballot records shall be structured and contain
> >information so as to support highly precise audits of their accuracy.

What the hell does this mean? No guidance whatsoever?

> > All cryptographic software in the voting system shall have been
> >approved by the U.S. Government's Crypto Module Validation Program as
> >applicable.

I'd love to know more about this (crypto. folks?).

> > The voting station shall generate and store a digital signature
> >for each electronic record.

Do they mean a digital *cryptographic* signature maybe?

> > The electronic records shall be able to be exported for auditing
> >or analysis on standards based and/or COTS information technology computing
> >platforms.

This wording is unclear. It would be nice to include mention of the
IEEE 1622 or OASIS EML efforts as possible solutions to this

> > The voting station shall be physically secure from tampering,
> >including international damage.

Is "international damage" terrorism? Or do they mean "internal"?

Last comment in general: We see no indication here that they are
trying to set guidelines for Accessible VVPATs. That is, here in CA,
we have guidelines for AVVPATs which include things like making sure
that there is audio verification available and that this happens from
re-scanning the VVPAT or from interpreting signals sent to the printer
(and that this subsystem has to run on open-source software).


OVC discuss mailing lists
Send requests to subscribe or unsubscribe to
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Sat Apr 30 23:17:11 2005

This archive was generated by hypermail 2.1.8 : Sat Apr 30 2005 - 23:17:22 CDT